© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


DOP-C02 Configuration Management and IaC • Complete Question Bank

DOP-C02 Configuration Management and IaC — All Questions With Answers

Complete DOP-C02 Configuration Management and IaC question bank — all 0 questions with answers and detailed explanations.

281 questions, free, no signup
Question 1 (medium, multiple choice)

A company uses AWS CloudFormation to deploy a multi-tier web application. The template includes a nested stack for the database layer. When updating the stack, the database stack fails with a 'CREATE_FAILED' status, but the parent stack continues updating other resources. What is the most likely cause and best practice to prevent this?

Question 2 (hard, multiple choice)

A DevOps engineer manages infrastructure using Terraform. The team needs to store secrets such as database passwords in a secure manner and reference them in Terraform configurations. They have configured AWS Secrets Manager. What is the recommended approach to reference secrets in Terraform without exposing them in state files?

Question 3 (easy, multiple choice)

A company uses AWS OpsWorks to manage a set of EC2 instances. They need to ensure that a custom recipe runs on all instances during the 'Configure' lifecycle event. What is the correct way to achieve this?

Question 4 (medium, multiple choice)

A DevOps team uses AWS CodePipeline to automate deployments. The pipeline has a Deploy stage that uses AWS CloudFormation to create or update a stack. Recently, a stack update failed because the template referenced an AMI that was deprecated. The team wants to automatically roll back the stack to the last known good state if a deployment fails. What should they do?

Question 5 (hard, multiple choice)

An organization uses AWS Elastic Beanstalk for application deployments. They want to implement immutable updates to minimize downtime and ensure that if the new environment fails health checks, the old environment remains intact. Which deployment policy should they choose?

Question 6 (easy, multiple choice)

A developer wants to use AWS CloudFormation to create an Amazon RDS DB instance. The template includes a DB instance resource. Which property is required for the DB instance to be created successfully?

Question 7 (medium, multi select)

A DevOps team is designing a CI/CD pipeline using AWS CodeBuild and CodePipeline. They want to use infrastructure as code to define the build environment. Which TWO options are valid approaches to define the build environment in CodeBuild?

Question 8 (medium, multiple choice)

A company manages its infrastructure using AWS CloudFormation. They have a production stack that includes an Amazon RDS Multi-AZ DB instance. The stack was created using the 'aws cloudformation create-stack' command with default settings. The DB instance uses a custom DB parameter group. A DevOps engineer needs to modify a parameter in the DB parameter group and update the stack. The engineer updates the template to change the parameter value and runs 'aws cloudformation update-stack'. The update fails with a 'ROLLBACK_IN_PROGRESS' status. The engineer checks the CloudFormation console and sees that the DB instance was successfully modified, but the stack is rolling back. The rollback fails because the DB instance cannot be reverted to the original parameter value. The stack is now in 'UPDATE_ROLLBACK_FAILED' state. What should the engineer do to resolve this situation and apply the desired parameter change?

Question 9 (easy, multiple choice)

A company uses AWS CloudFormation to manage its infrastructure. The operations team needs to update a stack that includes an RDS database. The update requires changing the DB instance class, which will cause a replacement of the database. The team wants to minimize downtime and ensure that data is not lost. Which CloudFormation stack update policy should they use?

Question 10 (medium, multi select)

A DevOps engineer is designing an AWS CloudFormation template to deploy a three-tier web application. The application must be highly available across multiple Availability Zones. The engineer needs to ensure that the database layer uses a Multi-AZ deployment. Which TWO options should the engineer implement to meet these requirements? (Choose TWO.)

Question 11 (hard, multiple choice)

A DevOps engineer receives the error shown in the exhibit when attempting to update an existing CloudFormation stack that deploys a VPC with subnets. The stack was created successfully earlier using the same template. What is the most likely cause of this error?

Exhibit

Refer to the exhibit.

Error log from AWS CloudFormation stack update:

"Resource handler returned message: 'User: arn:aws:sts::123456789012:assumed-role/AdminRole/UpdateUser is not authorized to perform: ec2:DescribeSubnets on resource: arn:aws:ec2:us-east-1:123456789012:subnet/subnet-0bb1c79de3EXAMPLE' (Service: Ec2, Status Code: 403, Request ID: ...)"

Question 12 (medium, drag order)

Drag and drop the steps to set up an AWS CodePipeline with a source stage from CodeCommit and a deploy stage to Elastic Beanstalk.

Question 13 (medium, drag order)

Drag and drop the steps to set up an AWS Lambda function triggered by an S3 event.

Question 14 (medium, matching)

Match each AWS service to its primary function in a DevOps pipeline.

Matches

Continuous delivery service for release pipelines

Fully managed continuous integration build service

Automates code deployments to any instance

Unified user interface for managing software development activities

Fully managed source control service hosting Git repositories

Question 15 (medium, matching)

Match each AWS Config rule to its purpose.

Matches

Checks that resources have specified tags

Ensures EBS volumes are encrypted

Prevents public read access on S3 buckets

Verifies CloudTrail is enabled

Checks for IAM policies granting full admin access

Question 16 (medium, multiple choice)

A company uses AWS CodePipeline with a multi-branch strategy. The pipeline deploys a Lambda function using CloudFormation. The DevOps engineer notices that when a new branch is created, the pipeline executes but the CloudFormation stack fails because the stack name already exists. What is the MOST efficient way to resolve this issue?

Question 17 (hard, multiple choice)

An organization uses AWS OpsWorks for configuration management. They want to migrate to AWS Systems Manager to reduce costs and improve flexibility. Their current stack includes custom Chef recipes that manage package installations and service configurations. What is the MOST effective migration strategy?

Question 18 (easy, multiple choice)

A DevOps team is using AWS CloudFormation to manage a multi-tier application. They want to ensure that when an update to the stack causes a resource replacement, the replacement occurs only after the new resource is fully created and tested. Which CloudFormation feature should they use?

Question 19 (medium, multiple choice)

A company uses Terraform with an S3 backend to manage infrastructure. The DevOps engineer notices that after a colleague runs 'terraform apply' locally, the state file in S3 becomes corrupted and subsequent runs fail. What is the BEST way to prevent this issue?

Question 20 (hard, multiple choice)

A large enterprise uses AWS CloudFormation StackSets to deploy resources across multiple accounts and regions. They need to update a stack set that contains a custom resource backed by a Lambda function. The update changes the Lambda function code. What is the CORRECT approach to ensure the Lambda function is updated without manual intervention?

Question 21 (easy, multiple choice)

A DevOps team uses Ansible for configuration management of EC2 instances. They want to ensure that the Ansible control node can connect to managed nodes securely without storing SSH keys in plaintext. Which AWS service should they integrate with Ansible to securely manage SSH keys?

Question 22 (medium, multiple choice)

A company uses AWS CodeCommit and CodePipeline. The pipeline triggers on commits to the main branch. The DevOps engineer wants to add a stage that runs unit tests in a build environment. After the tests pass, the pipeline should deploy to a staging environment. If the tests fail, the pipeline should stop and notify the team. Which AWS service should be used to implement this workflow?

Question 23 (hard, multiple choice)

A financial services company uses Chef for configuration management. They need to enforce security compliance across thousands of EC2 instances. The compliance requirements include specific file permissions, firewall rules, and user account settings. They want to automatically remediate non-compliant instances. Which approach is MOST effective?

Question 24 (medium, multiple choice)

A company uses AWS Elastic Beanstalk for a web application. The DevOps engineer needs to ensure that environment configuration changes (e.g., instance type, environment variables) are version-controlled and can be rolled back quickly. Which approach should they use?

Question 25 (medium, multi select)

A company uses AWS CloudFormation to deploy infrastructure. They want to implement a change management process that requires approval before any stack update is executed. Which TWO approaches can achieve this? (Choose TWO.)

Question 26 (hard, multi select)

A DevOps team manages hundreds of EC2 instances using AWS Systems Manager State Manager. They need to ensure that a specific configuration (e.g., a custom firewall rule) is applied to all instances and remains enforced. Which THREE steps should they take? (Choose THREE.)

Question 27 (easy, multi select)

A company uses AWS CodeBuild to run tests as part of their CI/CD pipeline. They want to store build artifacts in an S3 bucket and ensure that only the latest successful build artifacts are retained. Which TWO actions should they take? (Choose TWO.)

Question 28 (medium, multiple choice)

A company uses AWS CloudFormation to manage its infrastructure. The security team requires that all S3 buckets have versioning enabled. A DevOps engineer needs to enforce this policy across all accounts in an AWS Organization. Which solution is MOST operationally efficient?

Question 29 (hard, multiple choice)

A company uses AWS OpsWorks for configuration management with Chef. They are migrating to AWS Systems Manager to reduce complexity. The operations team needs to run custom scripts on a fleet of EC2 instances on a schedule, with the ability to target instances based on tags. Which Systems Manager capability should the engineer use?

Question 30 (easy, multiple choice)

A DevOps engineer is designing a CI/CD pipeline for a microservices application. The team wants to ensure that infrastructure changes are reviewed and approved before deployment. The code is stored in AWS CodeCommit, and the pipeline uses AWS CodePipeline and AWS CloudFormation. What is the BEST way to implement an approval process for infrastructure changes?

Question 31 (medium, multiple choice)

A company uses AWS Elastic Beanstalk to deploy a web application. The environment is running behind an Application Load Balancer. The DevOps team notices that during deployments, the new application version fails health checks and the deployment rolls back. The team wants to reduce deployment time while maintaining safety. Which configuration change should the engineer recommend?

Question 32 (hard, multiple choice)

A company uses a central CloudFormation template to create VPCs with a standard CIDR block of 10.0.0.0/16. The template is used across multiple accounts and regions. The team needs to ensure that the VPC CIDR does not overlap with other VPCs in the same account. Which approach should the engineer take to dynamically assign a unique /16 subnet from a larger pool?

Question 33 (easy, multiple choice)

A DevOps engineer is implementing AWS Config rules to enforce tagging standards on resources. The rule should trigger a remediation action via AWS Systems Manager Automation to apply the correct tags if a resource is non-compliant. What is the correct way to set up this remediation?

Question 34 (medium, multiple choice)

A company uses AWS CloudFormation StackSets to deploy a common security group across multiple accounts in an AWS Organization. The security group must allow inbound traffic from the organization's central VPN CIDR range. The VPN CIDR range is stored in AWS Systems Manager Parameter Store. How should the engineer reference this parameter in the StackSet template to ensure the value is resolved at deployment time?

Question 35 (hard, multiple choice)

A DevOps engineer is troubleshooting a CloudFormation stack that fails to create. The error message indicates a 'circular dependency' between two resources: a security group and an EC2 instance. The security group contains an ingress rule that references the instance's private IP address, which is not known until the instance is created. The instance's network interface uses the security group. What change should the engineer make to resolve the circular dependency?

Question 36 (easy, multiple choice)

A company uses AWS CodeBuild to run unit tests and package a Java application. The build environment needs to have a specific version of Java installed that is not available in the standard build images. The team wants to minimize build time. How should the engineer configure the build environment?

Question 37 (medium, multi select)

A company uses AWS CloudFormation to manage a production environment with multiple stacks. The DevOps team needs to implement a change management process that requires approval for any changes to the production stack. Which approaches meet this requirement? (Choose TWO.)

Question 38 (hard, multi select)

A company is using AWS Elastic Beanstalk with a custom platform. The DevOps team wants to automate the creation of a new platform version whenever changes are pushed to a Git repository. The pipeline should run tests, build the platform, and then update the Elastic Beanstalk environment to use the new platform version. Which services should be used together to achieve this? (Choose THREE.)

Question 39 (easy, multi select)

A company uses AWS OpsWorks for Chef to manage its configuration. The company is planning to migrate to AWS Systems Manager. Which AWS Systems Manager capabilities can replace OpsWorks Chef functionalities? (Choose THREE.)

Question 40 (medium, multiple choice)

A DevOps engineer creates the IAM policy shown in the exhibit to restrict EC2 instance types. However, users are still able to launch instances of type 't2.large'. What is the reason for this behavior?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotEquals": {
          "ec2:InstanceType": [
            "t2.micro",
            "t2.small",
            "t2.medium"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:RunInstances"
      ],
      "Resource": "*"
    }
  ]
}

Question 41 (hard, multiple choice)

A DevOps engineer creates the CloudFormation template shown in the exhibit. When the stack is created, the EC2 instance is launched but the security group is not applied to the instance. What is the likely cause?

Exhibit

Refer to the exhibit.

{
  "Resources": {
    "MyInstance": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "ImageId": "ami-0abcdef1234567890",
        "InstanceType": "t2.micro",
        "Tags": [
          {
            "Key": "Name",
            "Value": "MyServer"
          }
        ]
      },
      "DependsOn": "MySecurityGroup"
    },
    "MySecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Security group for MyServer",
        "SecurityGroupIngress": [
          {
            "IpProtocol": "tcp",
            "FromPort": 80,
            "ToPort": 80,
            "CidrIp": "0.0.0.0/0"
          }
        ]
      }
    }
  }
}

Question 42 (medium, multiple choice)

A DevOps engineer runs the command shown in the exhibit to view stack events. The stack update failed. What is the most likely cause of the failure?

Exhibit

Refer to the exhibit.

$ aws cloudformation describe-stack-events --stack-name my-stack
"StackEvents": [
  "StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/my-stack/abcd1234-...",
  "EventId": "Event-1",
  "StackName": "my-stack",
  "LogicalResourceId": "my-stack",
  "PhysicalResourceId": "arn:aws:cloudformation:us-east-1:123456789012:stack/my-stack/abcd1234-...",
  "ResourceType": "AWS::CloudFormation::Stack",
  "Timestamp": "2023-01-15T10:00:00.000Z",
  "ResourceStatus": "UPDATE_IN_PROGRESS",
  "ResourceProperties": "{\"TemplateURL\":\"https://s3.amazonaws.com/my-bucket/template.yaml\"}",
  "ResourceStatusReason": "User Initiated"
},

  "EventId": "Event-2",
  "LogicalResourceId": "MyLambdaFunction",
  "PhysicalResourceId": "my-stack-MyLambdaFunction-ABC123",
  "ResourceType": "AWS::Lambda::Function",
  "Timestamp": "2023-01-15T10:01:00.000Z",
  "ResourceStatusReason": "Resource creation initiated"

  "EventId": "Event-3",
  "Timestamp": "2023-01-15T10:02:00.000Z",
  "ResourceStatus": "UPDATE_FAILED",
  Status Code: 400
  Error Code: InvalidParameterValueException
  ...)"

Question 43 (medium, multiple choice)

A company uses AWS CloudFormation to manage its infrastructure. The DevOps team wants to ensure that critical resources, such as an RDS database, are not accidentally deleted when a stack is updated or deleted. Which CloudFormation feature should be used to prevent this?

Question 44 (hard, multiple choice)

A DevOps engineer is designing a CI/CD pipeline using AWS CodePipeline to deploy a serverless application. The application uses AWS Lambda functions and Amazon API Gateway. The engineer wants to implement a canary deployment strategy for the Lambda functions to reduce risk. Which AWS service or feature should be used to achieve this?

Question 45 (easy, multiple choice)

A company uses AWS OpsWorks for configuration management. The DevOps team wants to automate the patching of operating system updates on a set of EC2 instances managed by OpsWorks. Which OpsWorks feature should be used?

Question 46 (medium, multiple choice)

A DevOps engineer is troubleshooting a CloudFormation stack creation failure. The stack includes an EC2 instance with a UserData script that installs software. The stack creation fails with the error: 'The following resource(s) failed: EC2Instance (AWS::EC2::Instance) – Resource creation cancelled'. What is the most likely cause?

Question 47 (easy, multiple choice)

A company uses AWS Elastic Beanstalk to deploy web applications. The DevOps team wants to implement a blue/green deployment strategy to minimize downtime. Which Elastic Beanstalk feature should be used?

Question 48 (medium, multiple choice)

A DevOps engineer is designing a configuration management solution for a fleet of EC2 instances. The instances are ephemeral and frequently replaced by an Auto Scaling group. The engineer needs to ensure that newly launched instances are automatically configured with the latest software packages and settings. Which AWS service should be used?

Question 49 (medium, multiple choice)

A company uses AWS CloudFormation to deploy a multi-tier application. The template includes a parameter for the instance type of EC2 instances. The DevOps team wants to restrict the allowed values to a specific set of instance types. Which CloudFormation section should be used?

Question 50 (easy, multiple choice)

A DevOps engineer needs to manage the configuration of a large number of EC2 instances that are part of a cluster. The instances should have consistent software packages, services, and settings. The engineer wants to use a configuration management tool that integrates with AWS and supports a push-based model. Which service should be used?

Question 51 (hard, multiple choice)

A company uses AWS CloudFormation to manage a stack that includes an Auto Scaling group with a LaunchTemplate. The DevOps team wants to update the LaunchTemplate with a new AMI. The stack update fails with the error 'Launch template version does not exist'. What is the most likely cause?

Question 52 (easy, multiple choice)

A DevOps engineer is using AWS CloudFormation to deploy a stack that includes a VPC with public and private subnets. The engineer wants to ensure that the public subnets automatically get a public IP address assigned to instances launched in them. Which property should be set?

Question 53 (hard, multiple choice)

A company uses AWS CloudFormation to manage infrastructure. The DevOps team wants to implement a change management process where all stack updates must be reviewed before execution. Which AWS feature should be used?

Question 54 (hard, multiple choice)

A company uses AWS CloudFormation to deploy infrastructure across multiple accounts. They want to reuse a set of resource definitions for a standard VPC configuration. Which approach minimizes duplication and maintains centralized control?

Question 55 (easy, multiple choice)

A DevOps team uses AWS CodePipeline to deploy a web application. They notice that the deployment stage fails intermittently due to a missing configuration file. Which troubleshooting step should they take first?

Question 56 (medium, multiple choice)

An organization manages multiple AWS accounts using AWS Organizations. They want to enforce that all Amazon S3 buckets across accounts have versioning enabled. Which approach is the most scalable and least error-prone?

Question 57 (hard, multiple choice)

A company uses AWS Elastic Beanstalk for application deployments. They want to integrate infrastructure-as-code practices using AWS CloudFormation. Which approach allows them to manage the Elastic Beanstalk environment and underlying resources as part of a CloudFormation stack?

Question 58 (easy, multiple choice)

A developer wants to provision AWS resources using AWS Cloud Development Kit (CDK) and ensure that the infrastructure can be version-controlled and reviewed. Which practice should they follow?

Question 59 (medium, multiple choice)

An operations team manages a fleet of Amazon EC2 instances that require periodic software updates. They want to use AWS Systems Manager to apply patches automatically while ensuring that patches are tested before production deployment. Which approach meets these requirements?

Question 60 (hard, multiple choice)

A team uses AWS CloudFormation to manage a multi-tier application. They update the stack and receive this error: 'UPDATE_ROLLBACK_FAILED'. The stack is in a state where some resources were updated, then rollback failed. What is the best course of action?

Question 61 (easy, multiple choice)

A company wants to use AWS OpsWorks for configuration management of their EC2 instances. They need to ensure that the instances are automatically configured with the latest security patches upon boot. Which OpsWorks feature should they use?

Question 62 (medium, multiple choice)

A DevOps engineer is designing a CI/CD pipeline for a containerized application using AWS CodePipeline and Amazon ECS. The pipeline should build a Docker image, push it to Amazon ECR, and deploy it to an ECS service. Which deployment action should they use in the pipeline?

Question 63 (hard, multi select)

A company uses AWS CloudFormation to manage infrastructure. They have a stack that includes a VPC, subnets, and EC2 instances. They want to update the AMI ID of an EC2 instance without causing downtime. Which TWO approaches meet this requirement?

Question 64 (medium, multi select)

A team is using AWS CodeDeploy to deploy a web application to EC2 instances. They want to ensure that rollbacks occur automatically if the deployment fails. Which THREE configurations are necessary?

Question 65 (easy, multi select)

A company uses AWS CloudFormation to deploy a VPC with public and private subnets. They want to ensure that the VPC has internet access for the public subnets. Which THREE resources must be included in the template?

Question 66 (hard, multiple choice)

An administrator attaches the IAM policy shown in the exhibit to an IAM user. What is the effect on the user's ability to launch an EC2 instance in eu-west-1?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "ec2:*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": ["us-east-1", "eu-west-1"]
        }
      }
    }
  ]
}

Question 67 (medium, multiple choice)

A DevOps engineer updated an EC2 instance's InstanceType in a CloudFormation stack and received the stack events shown in the exhibit. What is the most likely cause of the failure?

Exhibit

Refer to the exhibit.

$ aws cloudformation describe-stack-events --stack-name my-stack
"StackEvents": [
  "EventId": "...",
  "StackName": "my-stack",
  "LogicalResourceId": "my-stack",
  "ResourceType": "AWS::CloudFormation::Stack",
  "Timestamp": "2023-03-15T12:00:00.000Z",
  "ResourceStatus": "UPDATE_ROLLBACK_IN_PROGRESS",
},

  "LogicalResourceId": "MyEC2Instance",
  "ResourceType": "AWS::EC2::Instance",
  "Timestamp": "2023-03-15T11:59:00.000Z",
  "ResourceStatus": "UPDATE_FAILED",

Question 68 (easy, multiple choice)

A team creates the CloudFormation template shown in the exhibit. What is a potential security concern with this configuration?

Exhibit

Refer to the exhibit.

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  MyBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: my-unique-bucket-123
      VersioningConfiguration:
        Status: Enabled
  MyBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref MyBucket
      PolicyDocument:
        Statement:
          - Effect: Allow
            Action: s3:GetObject
            Resource: !Sub "${MyBucket.Arn}/*"
            Principal: "*"

Question 69 (easy, multiple choice)

A DevOps team is using AWS CloudFormation to manage infrastructure. They need to ensure that stack updates are reviewed and approved by a senior engineer before being executed. Which feature should they implement?

Question 70 (medium, multiple choice)

An organization uses OpsWorks to manage application stacks. They notice that custom cookbooks are not being executed during the lifecycle events. What is the most likely cause?

Question 71 (hard, multiple choice)

A company uses AWS Systems Manager to manage hybrid servers. They want to automate the patching of Windows servers using Patch Manager. However, some servers are not showing up in the compliance reporting. What should the DevOps engineer check first?

Question 72 (medium, multiple choice)

A DevOps team uses Elastic Beanstalk to deploy a web application. They want to configure environment variables without modifying the application code. Where should they define these variables?

Question 73 (easy, multiple choice)

A company uses AWS CodeBuild to build and test code. They need to securely store sensitive parameters, such as database passwords, and inject them into the build process. Which AWS service should they use?

Question 74 (hard, multiple choice)

A company uses AWS Config to evaluate compliance of their AWS resources. They have a custom rule that checks whether EC2 instances have a specific tag. They notice that the rule is not triggering on existing instances. What is a possible reason?

Question 75 (medium, multiple choice)

A team uses CloudFormation to deploy a multi-container Docker environment on Amazon ECS. They need to pass environment variables to the containers from Parameter Store. How should they reference these values in the CloudFormation template?

Question 76 (easy, multiple choice)

A company uses AWS OpsWorks for configuration management. They want to ensure that a custom recipe runs on all instances in a layer every 30 minutes. What should they do?

Question 77 (hard, multiple choice)

A DevOps engineer is troubleshooting a CloudFormation stack that is in UPDATE_ROLLBACK_FAILED state. The stack attempted to update an Auto Scaling group but failed due to insufficient capacity in the Availability Zone. What is the recommended next step?

Question 78 (easy, multi select)

A company is designing a CI/CD pipeline using AWS CodePipeline, CodeBuild, and CodeDeploy. They need to ensure that the pipeline can deploy to multiple environments (dev, test, prod) with manual approval gates. Which TWO actions should they take? (Choose TWO.)

Question 79 (medium, multi select)

A DevOps team is using AWS Elastic Beanstalk to deploy a web application. They need to customize the software configuration on the EC2 instances that are part of the Elastic Beanstalk environment. Which THREE methods can they use? (Choose THREE.)

Question 80 (hard, multi select)

A company uses AWS CloudFormation StackSets to deploy resources across multiple accounts and regions. They need to ensure that updates to the stack set are rolled out in a controlled manner, with the ability to roll back if errors occur. Which THREE strategies should they implement? (Choose THREE.)

Question 81 (easy, multiple choice)

A DevOps team is using AWS CloudFormation to manage infrastructure. They need to update a stack that includes an EC2 instance with a security group. The update requires changing a security group rule. Which method should the team use to perform this update with minimal disruption?

Question 82 (medium, multiple choice)

An organization uses AWS Systems Manager to manage a fleet of EC2 instances. They want to ensure that all instances have a specific software package installed. Which approach should they take?

Question 83 (hard, multiple choice)

A company is using AWS CodePipeline for CI/CD with CloudFormation as the deployment action. The pipeline fails intermittently with the error 'Rate exceeded' when creating or updating stacks. What is the most likely cause and solution?

Question 84 (easy, multiple choice)

A developer is writing an AWS CloudFormation template to create an Amazon S3 bucket. The bucket name must be unique across all AWS accounts. Which property should the developer use to ensure the name is unique?

Question 85 (medium, multiple choice)

A company uses AWS Elastic Beanstalk to deploy a web application. They want to ensure that configuration changes (e.g., environment variables, instance type) are version-controlled and can be rolled back. Which strategy should they use?

Question 86 (hard, multiple choice)

A DevOps engineer is troubleshooting an AWS CloudFormation stack that failed to create. The error message indicates that a resource 'AWS::Lambda::Function' timed out while being created. The Lambda function code is packaged as a ZIP file in Amazon S3. What is the most likely cause?

Question 87 (easy, multiple choice)

A company uses AWS OpsWorks for configuration management. They want to automate the installation of a custom agent on new EC2 instances. Which OpsWorks feature should they use?

Question 88 (medium, multiple choice)

A team is using AWS CodeDeploy to deploy an application to EC2 instances. They want to ensure that if a deployment fails, the instances are automatically rolled back to the previous version. What should they configure?

Question 89 (hard, multiple choice)

An organization uses AWS CloudFormation StackSets to deploy resources across multiple accounts. They notice that a stack instance in one account is in a 'FAILED' status because of a permissions issue. After fixing the permissions, what is the most efficient way to retry the stack instance operation?

Question 90 (easy, multi select)

Which TWO are benefits of using AWS CloudFormation for infrastructure as code? (Select TWO.)

Question 91 (medium, multi select)

Which THREE are valid AWS Systems Manager capabilities for configuration management? (Select THREE.)

Question 92 (hard, multi select)

Which TWO are correct about using AWS CloudFormation to manage infrastructure across multiple AWS accounts? (Select TWO.)

Question 93 (easy, multiple choice)

A DevOps team is using AWS CloudFormation to manage infrastructure. They want to reuse the same template across multiple environments (dev, test, prod) with minor parameter variations. Which CloudFormation feature should they use to pass environment-specific values without modifying the template?

Question 94 (hard, multiple choice)

A company uses AWS Systems Manager to manage a fleet of EC2 instances. They need to run a custom script on all instances every time the instance is started. The script is stored in an S3 bucket. Which approach ensures the script runs automatically on every instance start with minimal administrative overhead?

Question 95 (medium, multiple choice)

An organization uses AWS Elastic Beanstalk to deploy a web application. They need to ensure that configuration changes (e.g., environment variables, instance types) are version-controlled and can be rolled back. Which approach meets these requirements?

Question 96 (hard, multiple choice)

A DevOps engineer is designing a CI/CD pipeline for a microservices architecture on AWS. They want to use AWS CodeDeploy to deploy applications to an Auto Scaling group. The pipeline must ensure that only a small percentage of instances are updated at a time, and if health checks fail, the deployment is automatically rolled back. Which deployment configuration should be used?

Question 97 (easy, multiple choice)

A company uses AWS OpsWorks for configuration management. They need to automate the installation of a custom package on all instances in a layer. Which OpsWorks feature should they use?

Question 98 (medium, multiple choice)

A team uses AWS CloudFormation to manage a VPC with multiple subnets. They want to ensure that when a stack is updated, the update does not accidentally replace the VPC or any subnet. Which CloudFormation property should they set on the resources?

Question 99 (hard, multiple choice)

A company uses AWS CodePipeline to orchestrate a multi-stage CI/CD pipeline. The build stage uses AWS CodeBuild and the deploy stage uses AWS CodeDeploy. The pipeline includes a manual approval step between build and deploy. The team wants to automatically trigger the pipeline when changes are pushed to a Git repository hosted in AWS CodeCommit. Which pipeline configuration is required for automatic triggers?

Question 100 (easy, multiple choice)

A DevOps engineer needs to manage configuration files for multiple applications across several EC2 instances. The configuration values are sensitive (e.g., database passwords) and must be encrypted at rest and in transit. Which AWS service should be used to store and retrieve these configuration values?

Question 101 (medium, multiple choice)

A company uses AWS CloudFormation to deploy a stack that includes an Amazon RDS DB instance. The database password is stored in AWS Secrets Manager. The CloudFormation template needs to reference the secret value dynamically during stack creation. How should the template retrieve the secret?

Question 102 (hard, multi select)

A company is using AWS Elastic Beanstalk for a production environment. They have observed that during deployments, the environment's health status intermittently becomes 'Severe' even though the application is functioning correctly. The deployment uses rolling updates with a batch size of 50%. Which TWO configuration changes would improve deployment stability without completely redesigning the deployment process? (Select TWO.)

Question 103 (medium, multi select)

A DevOps team is using AWS CodeBuild to run unit tests and package a Java application. They want to cache the Maven local repository (~/.m2) between builds to improve build times. Which TWO steps are necessary to enable caching in CodeBuild? (Select TWO.)

Question 104 (medium, multi select)

A company uses AWS CloudFormation StackSets to deploy a common network infrastructure across multiple AWS accounts. They need to ensure that all StackSet operations are audited and any failed stack instances are automatically retried. Which THREE configurations should be implemented? (Select THREE.)

Question 105 (hard, multiple choice)

A CloudFormation stack creation failed. The engineer runs the describe-stack-events command and sees the output shown in the exhibit. What is the root cause of the failure?

Exhibit

Refer to the exhibit.

$ aws cloudformation describe-stack-events --stack-name my-stack
{
  "StackEvents": [
    {
      "StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/my-stack/abc123",
      "EventId": "Event-1",
      "StackName": "my-stack",
      "LogicalResourceId": "my-stack",
      "PhysicalResourceId": "arn:aws:cloudformation:us-east-1:123456789012:stack/my-stack/abc123",
      "ResourceType": "AWS::CloudFormation::Stack",
      "Timestamp": "2024-01-15T10:00:00.000Z",
      "ResourceStatus": "ROLLBACK_IN_PROGRESS",
      "ResourceProperties": "...",
      "ClientRequestToken": "abc123"
    },
    {
      "EventId": "Event-2",
      "LogicalResourceId": "MyEC2Instance",
      "PhysicalResourceId": "i-1234567890abcdef0",
      "ResourceType": "AWS::EC2::Instance",
      "Timestamp": "2024-01-15T09:59:30.000Z",
      "ResourceStatus": "CREATE_FAILED",
      "ResourceProperties": "{\"ImageId\":\"ami-0abcdef1234567890\",\"InstanceType\":\"t2.micro\"}",

Question 106 (medium, multiple choice)

A DevOps engineer creates the IAM policy shown in the exhibit for an instance role. The role is attached to an EC2 instance that runs an application. The application starts and stops EC2 instances and reads a database password from Systems Manager Parameter Store. However, the application fails to retrieve the parameter. What is the most likely cause?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ssm:GetParameter",
        "ssm:GetParameters"
      ],
      "Resource": "arn:aws:ssm:us-east-1:123456789012:parameter/MyApp/DBPassword"
    }
  ]
}

Question 107 (easy, multiple choice)

A CloudFormation template includes the snippet shown in the exhibit. The stack creation fails with the error 'Unable to validate the following destination configurations'. What is the most likely cause?

Exhibit

Refer to the exhibit.

Resources:
  MyBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: my-unique-bucket-12345
      VersioningConfiguration:
        Status: Enabled
  MyBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref MyBucket
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal: "*"
            Action: s3:GetObject
            Resource: !Sub "${MyBucket.Arn}/*"

Question 108 (easy, multiple choice)

A DevOps engineer uses AWS CodeBuild to build a Java application. The build fails with an error indicating that the build environment does not have the required Java version. What is the MOST efficient way to ensure the correct Java version is installed for all future builds?

Question 109 (medium, multiple choice)

A company uses AWS CloudFormation to manage infrastructure. After updating a stack, a resource fails to update because it requires a physical replacement. The stack update is set to 'Rollback on failure'. The engineer wants to test the effect of the change without affecting the production environment. Which approach should the engineer use?

Question 110 (hard, multiple choice)

A DevOps team manages a multi-account AWS environment using AWS Organizations. They need to enforce a mandatory tag (e.g., 'CostCenter') on all resources created across accounts. Which combination of services should be used to automatically remediate non-compliant resources?

Question 111 (medium, multiple choice)

An engineer uses AWS Elastic Beanstalk to deploy a web application. The application needs to read from an S3 bucket. The engineer has configured an instance profile with the necessary S3 permissions. However, the application returns an access denied error. What is the MOST likely cause?

Question 112 (easy, multiple choice)

A company uses AWS OpsWorks for configuration management. The operations team needs to apply a configuration change to all instances in a layer without downtime. Which approach should they use?

Question 113 (hard, multiple choice)

An organization uses AWS CloudFormation StackSets to deploy resources across multiple accounts and regions. They need to update a stack set with a new template version. The update fails in some accounts due to a resource conflict. What is the BEST way to resolve the conflict and complete the update?

Question 114 (medium, multiple choice)

A DevOps engineer uses AWS Secrets Manager to rotate database credentials. The rotation fails because the Lambda function used for rotation does not have network access to the database. The database is in a private VPC. How should the engineer fix this?

Question 115 (easy, multiple choice)

A company uses AWS CodePipeline with a GitHub source action. The pipeline triggers on changes to the master branch. However, the pipeline does not trigger when changes are pushed to the master branch. What is the MOST likely cause?

Question 116 (hard, multiple choice)

An organization uses AWS Systems Manager Patch Manager to patch EC2 instances. The patches are not being applied to some instances. The instances are running Amazon Linux 2 and have the SSM Agent installed. What is the MOST likely reason for the failure?

Question 117 (medium, multi select)

A company wants to implement a configuration management strategy for their EC2 instances that are part of an Auto Scaling group. They need to ensure that new instances are automatically configured with the latest software packages and settings without manual intervention. Which TWO approaches meet these requirements? (Choose TWO.)

Question 118 (hard, multi select)

A DevOps team uses AWS CloudFormation to deploy a web application stack. The stack includes an EC2 instance, an RDS database, and an Application Load Balancer. After a successful deployment, they notice that the database security group does not allow inbound traffic from the instance security group. The team wants to enforce that the database security group always allows traffic only from the instance security group, even if the stack is updated. Which TWO methods should the team use? (Choose TWO.)

Question 119 (medium, multi select)

An organization uses AWS Elastic Beanstalk to manage a production web application. The application uses a custom AMI that needs to be updated periodically. The team wants to automate the process of updating the AMI and deploying it to the environment with zero downtime. Which THREE steps should the team include in the automation? (Choose THREE.)

Question 120 (hard, multiple choice)

Refer to the exhibit. An IAM policy is attached to a group. A user in the group tries to stop an EC2 instance in us-east-1. What will happen?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": "ec2:TerminateInstances",
      "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*"
    }
  ]
}

Question 121 (hard, multiple choice)

A company runs a production e-commerce platform on AWS. The architecture includes an Application Load Balancer (ALB) distributing traffic across EC2 instances in an Auto Scaling group. The application uses a custom configuration stored in an S3 bucket. The DevOps team uses AWS CodeDeploy to deploy application updates. Recently, a deployment failed because new instances launched by the Auto Scaling group did not have the latest configuration from S3. The team had manually updated the configuration in S3 but the deployment did not pull the new version. The team wants to ensure that all instances always have the latest configuration at launch. Current setup: The Auto Scaling group uses a launch template that specifies an IAM instance profile with permissions to read from S3. The user data script runs at launch to download configuration from S3. However, the user data script is static and does not account for configuration updates. The team wants a solution that automatically applies configuration changes to both existing and new instances without manual intervention.

Question 122 (medium, multiple choice)

A financial services company uses AWS CloudFormation to deploy a three-tier web application. The stack includes an Amazon RDS for PostgreSQL database. The database master password is stored in AWS Secrets Manager, and the CloudFormation template uses a dynamic reference to retrieve it during stack creation. The team recently rotated the database password in Secrets Manager. When they attempt to update the stack to change other parameters, the update fails with the error: 'Value of property MasterUserPassword must be a string.' The team is using the following template snippet for the password: 'MasterUserPassword': '{{resolve:secretsmanager:MySecret:SecretString:password}}'. The stack was originally created with AWS CloudFormation. What is the most likely cause of the failure?

Question 123 (medium, multiple choice)

A DevOps engineer is troubleshooting a CloudFormation stack that fails to create an EC2 instance with a custom AMI. The error message indicates that the AMI ID does not exist. The engineer is using a mapping in the template to select the AMI based on the region. However, the stack is being created in a region not covered by the mapping. What is the most efficient way to resolve this issue?

Question 124 (hard, multiple choice)

A DevOps team is using this IAM policy to allow a CI/CD pipeline to launch EC2 instances and retrieve parameters. However, the pipeline is failing with an 'AccessDenied' error when trying to create an instance. The pipeline uses a role with this policy attached. What is the most likely cause?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ssm:GetParameter"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:RunInstances"
      ],
      "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:InstanceType": "t2.micro"
        }
      }
    }
  ]
}

Question 125 (easy, multiple choice)

A company uses AWS OpsWorks for configuration management. They want to ensure that whenever a new instance is added to a layer, it automatically installs the latest security patches and joins a central logging system. What is the most efficient way to achieve this?

Question 126 (medium, multiple choice)

An organization uses AWS Elastic Beanstalk for deploying a web application. They have a custom platform extension that modifies the nginx configuration. After a recent deployment, the custom configuration is not applied. The environment logs show that the platform extension script ran successfully. What should the engineer check first?

Question 127 (hard, multiple choice)

A company uses CloudFormation to manage infrastructure. They have a nested stack that creates an Amazon RDS instance. When updating the parent stack, the RDS instance is unexpectedly replaced even though no changes were made to its properties. The engineer suspects a 'Drift' detection issue. What is the most likely reason for the replacement?

Question 128 (medium, multiple choice)

A DevOps engineer is designing a Git-based workflow for Infrastructure as Code using AWS CodeCommit and CodePipeline. The pipeline should deploy infrastructure changes to a test environment automatically when a pull request is merged to the 'main' branch. What is the minimal set of resources required?

Question 129 (easy, multiple choice)

A company uses Ansible for configuration management on EC2 instances. They want to ensure that only instances with a specific tag (Environment: Production) are targeted by their playbooks. What is the best way to achieve this?

Question 130 (hard, multiple choice)

A team uses Terraform to manage AWS infrastructure. After a recent update, a state file shows that a security group rule was created, but the rule does not exist in AWS. Running 'terraform plan' shows no changes. What is the most likely cause?

Question 131 (medium, multi select)

A company is designing a CI/CD pipeline for a microservices architecture using AWS CodePipeline. They want to use infrastructure as code to manage the pipeline itself. Which TWO services can be used together to achieve this?

Question 132 (hard, multi select)

A DevOps engineer is troubleshooting a CloudFormation stack that creates an Auto Scaling group with a launch configuration. The stack creation fails with the error 'Resource handler returned message: "Invalid IAM Instance Profile name" (Service: AutoScaling, Status Code: 400)'. Which TWO are possible causes?

Question 133 (medium, multi select)

A company uses AWS Systems Manager to manage patching of EC2 instances. They want to ensure that instances in a specific Auto Scaling group are patched before being allowed to serve traffic. Which THREE steps should be part of the solution?

Question 134 (medium, multiple choice)

A DevOps engineer runs these commands to investigate a failed CloudFormation stack creation. The stack status is ROLLBACK_COMPLETE and the most recent event shows CREATE_FAILED. What should the engineer do next to identify the root cause?

Exhibit

Refer to the exhibit.

$ aws cloudformation describe-stacks --stack-name my-stack --query "Stacks[0].StackStatus"
"ROLLBACK_COMPLETE"
$ aws cloudformation describe-stack-events --query "StackEvents[0].ResourceStatus"
"CREATE_FAILED"

Question 135 (hard, multiple choice)

A company uses Terraform to manage a multi-account AWS environment. The Terraform state files are stored in an S3 bucket with DynamoDB locking. Recently, a DevOps engineer ran 'terraform apply' from a CI/CD pipeline, and it failed with the error: 'Error acquiring the state lock. Lock ID: "abc123". Possible causes: Another process has the lock; or a previous process crashed.' The engineer checks DynamoDB and sees that the lock item exists but there is no active Terraform process. The engineer needs to proceed with the deployment urgently. What should the engineer do?

Question 136 (medium, multiple choice)

A company uses AWS CloudFormation StackSets to deploy a VPC with subnets across multiple accounts and regions. Recently, a new account was added to the organization, and the DevOps team wants to deploy the stack set to this new account without affecting existing stacks. The stack set has self-managed permissions. The engineer creates a new stack instance for the account and region, but the operation fails with an 'Access Denied' error when CloudFormation tries to create resources in the new account. The engineer has verified that the stack set's IAM roles exist in the new account. What is the most likely cause?

Question 137 (medium, multiple choice)

An organization uses AWS CodeCommit to store CloudFormation templates. They have a requirement that all templates must pass a series of validation checks before being merged to the main branch. The checks include syntax validation, IAM policy linting, and compliance rules. The DevOps team wants to implement this validation using AWS services with minimal operational overhead. They already use AWS CodePipeline for CI/CD. What should the team do?

Question 138 (hard, multiple choice)

A company manages a fleet of EC2 instances using AWS Systems Manager State Manager. They have a State Manager association that ensures a specific software package is installed on all instances. Recently, they noticed that some instances are reporting the association as 'Success' even though the software is not installed. The association uses a custom document that runs a script to install the package. The engineer checks the association execution history and sees that the script exited with code 0 on those instances. What is the most likely cause?

Question 139 (easy, multiple choice)

A DevOps engineer runs this command to list resources of a CloudFormation stack. The stack status is 'CREATE_COMPLETE'. However, the EC2 instance 'i-0abcd1234efgh5678' was manually terminated by another team. The engineer wants to restore the stack to its intended state without deleting the stack. What should the engineer do?

Exhibit

Refer to the exhibit.

$ aws cloudformation list-stack-resources --stack-name my-stack
{
  "StackResourceSummaries": [
    {
      "LogicalResourceId": "MyEC2Instance",
      "PhysicalResourceId": "i-0abcd1234efgh5678",
      "ResourceType": "AWS::EC2::Instance",
      "ResourceStatus": "CREATE_COMPLETE",
      "ResourceStatusReason": null

Question 140 (medium, multi select)

A DevOps team is designing a CI/CD pipeline for a microservices application deployed on Amazon ECS. The application uses multiple AWS services including RDS, ElastiCache, and SQS. Which TWO strategies should the team implement to ensure secure and auditable configuration management across environments?

Question 141 (hard, multi select)

A company manages multiple AWS accounts using AWS Organizations. The DevOps team needs to enforce that all newly created S3 buckets in any account automatically have versioning enabled and are encrypted with SSE-S3. Which THREE steps should the team take to achieve this using Infrastructure as Code and policy-based controls?

Question 142 (easy, multiple choice)

A startup uses AWS CloudFormation to manage its infrastructure. The team stores stack templates in an S3 bucket and creates stacks using the AWS CLI. Recently, a developer accidentally deleted a CloudFormation stack, causing a production outage. The team wants to prevent accidental stack deletions while allowing authorized users to delete stacks after approval. What is the MOST effective solution?

Question 143 (easy, multiple choice)

A company uses AWS OpsWorks for configuration management of a fleet of EC2 instances running a legacy application. The operations team needs to deploy a new version of the application across all instances without causing downtime. The application runs on each instance and requires a rolling update. Which approach should the team use?

Question 144 (medium, multiple choice)

A financial services company uses AWS CloudFormation to deploy a multi-tier application. The security team mandates that all data at rest must be encrypted using KMS CMKs. The CloudFormation template creates an RDS instance with encryption enabled using a KMS key. After deployment, the security team reports that the RDS instance is not using the specified KMS key. The DevOps engineer checks the template and finds the KMS Key ID is correct. What is the MOST likely cause?

Question 145 (medium, multiple choice)

A DevOps team manages AWS Lambda functions using the Serverless Application Model (SAM). They need to deploy a new version of a function that requires an increased memory allocation from 128 MB to 256 MB. The team updates the SAM template and runs sam deploy. The deployment succeeds, but the function's memory remains at 128 MB. What is the MOST likely reason?

Question 146 (hard, multiple choice)

A large enterprise uses AWS Systems Manager to manage configuration drift on thousands of EC2 instances. The compliance team requires that instances must have a specific security configuration enforced by a Systems Manager State Manager association. The association is configured to run every 30 minutes. However, some instances consistently report a status of 'Failed' in the association compliance dashboard. The instances are running and have the SSM Agent installed. What is the MOST likely cause of the failures?

Question 147 (hard, multiple choice)

A company uses AWS CodePipeline to deploy a static website to an S3 bucket. The pipeline has a Source stage (GitHub), a Build stage (CodeBuild), and a Deploy stage (CodeDeploy). The deployment fails intermittently with the error: 'Bucket does not allow ACLs'. The S3 bucket is configured to use the 'bucket-owner-enforced' setting for Object Ownership. The team wants to resolve the failure while maintaining security best practices. What should the team do?

Question 148 (easy, multiple choice)

A gaming company uses AWS Elastic Beanstalk to deploy a web application. The operations team needs to update environment configuration variables (e.g., database URL) without causing downtime. They want to change the value of an environment property. What is the CORRECT way to apply this change?

Question 149 (hard, multiple choice)

A company uses AWS CloudFormation to manage its infrastructure. The stack creation recently failed because an IAM role resource was created before the AWS Lambda function that depends on it. The template has no DependsOn clauses. What is the most likely reason for this failure and how can it be fixed?

Question 150 (medium, multiple choice)

A DevOps engineer is designing a configuration management strategy for a fleet of EC2 instances running Amazon Linux 2. The instances must be bootstrapped with custom software and continuously managed to ensure desired state compliance. Which combination of services should the engineer use?

Question 151 (easy, multiple choice)

A company uses AWS CodeCommit to store its infrastructure as code templates. The DevOps team wants to automatically validate CloudFormation templates before merging changes to the main branch. Which service should be used to implement this validation?

Question 152 (hard, multiple choice)

A DevOps engineer is troubleshooting a CloudFormation stack that failed to update. The error message indicates a circular dependency among resources. The template includes an Auto Scaling group, a launch template, and an IAM instance profile. The launch template references the IAM instance profile, and the Auto Scaling group references the launch template. The IAM instance profile's role references the Auto Scaling group name in its trust policy. How can the engineer resolve the circular dependency?

Question 153 (medium, multiple choice)

A company uses AWS Elastic Beanstalk to deploy a web application. The application requires a custom Amazon Machine Image (AMI) for its EC2 instances. The DevOps team updates the AMI monthly. What is the most efficient way to update the Elastic Beanstalk environment to use the new AMI?

Question 154 (easy, multiple choice)

A DevOps engineer is writing an AWS CloudFormation template that creates an Amazon S3 bucket with versioning enabled. The engineer wants to ensure that the bucket cannot be deleted accidentally. What should the engineer add to the template?

Question 155 (medium, multiple choice)

A company uses AWS CodePipeline to deploy a serverless application with AWS Lambda and Amazon API Gateway. The pipeline includes a beta and a production stage. The DevOps team wants to automatically promote the application from beta to production after successful testing. Which action should be taken in the pipeline?

Question 156 (hard, multiple choice)

A company uses AWS CloudFormation StackSets to deploy a VPC across multiple AWS accounts in AWS Organizations. The StackSet is created with self-managed permissions. The deployment fails in some accounts with the error: 'Insufficient IAM permissions to create resources'. What is the most likely cause of this failure?

Question 157 (easy, multiple choice)

A DevOps engineer is managing the lifecycle of a CloudFormation stack. The engineer needs to update a stack that contains an Auto Scaling group. The update requires a replacement of the Auto Scaling group. What will happen to the existing instances during the update?

Question 158 (easy, multi select)

A DevOps engineer is writing an AWS CloudFormation template to create a VPC with public and private subnets. The engineer wants to ensure that the private subnets can access the internet through a NAT gateway. Which resources must be included in the template? (Choose TWO.)

Question 159 (medium, multi select)

A company uses AWS CodeCommit as a source repository and AWS CodeBuild for building artifacts. The DevOps team wants to ensure that all commits to the main branch trigger a build. Which steps should be taken? (Choose THREE.)

Question 160 (hard, multi select)

A DevOps engineer is designing an infrastructure as code solution for a microservices application that runs on Amazon ECS with Fargate. The application requires a shared Application Load Balancer (ALB) and multiple ECS services. Which CloudFormation resources are required to expose each service behind the ALB? (Choose THREE.)

Question 161 (easy, multiple choice)

A company uses AWS CloudFormation to manage its infrastructure. The DevOps team notices that stack updates sometimes fail because of resource conflicts. The team wants to prevent concurrent updates to the same stack. What should they do?

Question 162 (medium, multiple choice)

A DevOps engineer is using AWS CodeDeploy to deploy an application to an Auto Scaling group. The deployment fails with the error: 'The overall deployment failed because too many individual instances failed deployment'. The engineer checks the logs and finds that the application installation script exits with a non-zero exit code. What should the engineer do to troubleshoot?

Question 163 (hard, multiple choice)

A company is using AWS Elastic Beanstalk with a custom platform. The platform is based on Amazon Linux 2 and includes a pre-installed application. The DevOps team needs to inject environment-specific configuration files into the EC2 instances during deployment. Which approach should be used?

Question 164 (medium, multiple choice)

A DevOps engineer is creating a CloudFormation template that includes an AWS Lambda function. The function code is stored in an S3 bucket. The engineer wants to ensure that the Lambda function is updated whenever the code in S3 changes. What should the engineer do?

Question 165 (easy, multiple choice)

A company uses AWS OpsWorks for configuration management. The DevOps team wants to deploy a new application version to a stack of EC2 instances. What should the team use to perform the deployment?

Question 166 (hard, multiple choice)

A company uses AWS CloudFormation to manage a production environment. The DevOps team wants to implement a change management process where any changes to the stack must be reviewed before execution. Which feature should the team use?

Question 167 (medium, multiple choice)

A DevOps team uses AWS CodeCommit and AWS CodePipeline for CI/CD. They need to ensure that sensitive configuration parameters such as database passwords are not stored in plaintext in the source code repository. Which solution meets these requirements with minimal operational overhead?

Question 168 (hard, multiple choice)

An organization manages multiple AWS accounts using AWS Organizations. They want to use AWS CloudFormation StackSets to deploy a standard VPC configuration across all accounts. However, some accounts require specific CIDR blocks that differ from the default. What is the most efficient way to handle this variation?

Question 169 (easy, multiple choice)

A company uses AWS Elastic Beanstalk to deploy a web application. The operations team wants to ensure that the environment's configuration (e.g., instance type, scaling limits) is version-controlled and reproducible. Which practice should they adopt?

Question 170 (easy, multiple choice)

A DevOps engineer is using AWS OpsWorks for configuration management. They need to ensure that custom recipes are applied to all instances in a layer in a specific order. What should the engineer do?

Question 171 (medium, multiple choice)

A company uses AWS CloudFormation to manage infrastructure. They have a production stack that creates an Auto Scaling group. They want to update the launch configuration to use a new Amazon Machine Image (AMI) ID without causing downtime. Which update policy should they set on the Auto Scaling group?

Question 172 (hard, multiple choice)

A company uses AWS CodeDeploy to deploy applications to an Auto Scaling group. During a deployment, the new instances fail the health check and are terminated. The deployment fails. The team wants to automatically roll back to the previous working version. What should they do?

Question 173 (easy, multiple choice)

A DevOps engineer needs to manage configuration files across a fleet of Amazon EC2 instances running Amazon Linux. The configuration files must be updated whenever they change in an S3 bucket. Which AWS service is most suitable for this task?

Question 174 (hard, multiple choice)

A company uses AWS CloudFormation with a template that creates an Amazon RDS DB instance. The password for the master user is stored in AWS Secrets Manager. The CloudFormation stack creation fails with the error: 'Value of property MasterUserPassword must be of type String'. How should the DevOps engineer resolve this issue?

Question 175 (medium, multiple choice)

A team uses AWS CodePipeline to orchestrate deployments. They want to integrate a manual approval step before deploying to production. Which action should they take?

Question 176 (medium, multi select)

A company is using AWS CloudFormation to manage its infrastructure. The DevOps team wants to implement drift detection to identify resources that have been modified outside of CloudFormation. Which TWO of the following are correct statements about CloudFormation drift detection?

Question 177 (hard, multi select)

A DevOps team is using AWS CodeDeploy to deploy a web application. The deployment group consists of an Auto Scaling group with a minimum of 2 instances. They want to ensure high availability during the deployment. Which THREE of the following deployment configurations support zero-downtime deployments?

Question 178 (easy, multi select)

A company is adopting Infrastructure as Code (IaC) using AWS CloudFormation. They want to ensure that stack updates are safe and minimize the risk of resource replacement. Which TWO of the following strategies should they use?

Question 179 (medium, multiple choice)

A company uses AWS CloudFormation to deploy a three-tier web application. The deployment includes an Application Load Balancer (ALB), an Auto Scaling group, and an Amazon RDS database. The operations team reports that updates to the database security group rules are not being applied correctly during stack updates. The CloudFormation template uses AWS::RDS::DBInstance and AWS::EC2::SecurityGroup resources. What is the most likely cause of this issue?

Question 180 (hard, multiple choice)

A DevOps engineer is troubleshooting an AWS OpsWorks for Chef Automate deployment. The Chef server is configured with a custom run list that includes a recipe to install and configure an application. The test environment works correctly, but in the production environment, the application fails to start. The Chef client logs show that the recipe executed successfully, but the application process is not running. What is the most likely cause of this issue?

Question 181 (easy, multiple choice)

A company is using AWS Elastic Beanstalk to deploy a web application. The development team wants to ensure that environment variables are set consistently across all environments (development, staging, production) without manual intervention. Which AWS service or feature should be used to manage these environment variables?

Question 182 (hard, multiple choice)

An organization uses AWS CloudFormation to manage infrastructure. They have a stack that creates an Amazon S3 bucket with a bucket policy that restricts access to a specific IAM role. During a recent security audit, it was discovered that the bucket policy was modified manually via the AWS Management Console, and the change was not reflected in the CloudFormation template. The security team wants to detect and remediate such drift automatically. Which combination of steps should be taken to achieve this?

Question 183 (medium, multiple choice)

A DevOps team is using AWS CodePipeline to automate deployments. The pipeline has a source stage (CodeCommit), a build stage (CodeBuild), and a deploy stage (CodeDeploy). The team wants to add a manual approval step before the deploy stage to ensure that only authorized personnel can approve production deployments. Which action should be taken to implement this requirement?

Question 184 (easy, multiple choice)

A company uses AWS Systems Manager to manage a fleet of EC2 instances. The operations team needs to run a script on all instances that are missing a specific security patch. Which Systems Manager capability should be used to accomplish this?

Question 185 (hard, multiple choice)

A company uses AWS CloudFormation to manage its infrastructure. The CloudFormation template includes a custom resource backed by an AWS Lambda function that validates a condition and returns a value. During a stack update, the custom resource fails, and the stack rolls back. The DevOps engineer needs to debug the issue. Which steps should be taken to troubleshoot the custom resource failure?

Question 186 (medium, multiple choice)

An organization uses AWS Elastic Beanstalk to deploy a Node.js application. The application requires access to an Amazon RDS database. The database credentials are stored in AWS Secrets Manager. How should the Elastic Beanstalk environment be configured to securely retrieve the database credentials at runtime?

Question 187 (easy, multiple choice)

A company uses AWS CodeBuild to compile and test code. The build process requires a specific version of a library that is not available in the default build environment. Which approach should be used to include this library in the build process?

Question 188 (medium, multi select)

Which TWO approaches can be used to manage configuration files (e.g., application.properties) across multiple AWS accounts and regions using AWS Systems Manager? (Select TWO.)

Question 189 (hard, multi select)

Which THREE actions should be taken to ensure that an AWS CloudFormation stack update does not cause downtime for a production application that runs on an Auto Scaling group behind an Application Load Balancer? (Select THREE.)

Question 190 (medium, multi select)

Which TWO approaches can be used to automate the creation of an AWS CloudFormation stack that includes IAM resources? (Select TWO.)

Question 191 (hard, multiple choice)

An IAM policy is attached to a user who needs to create a CloudFormation stack that provisions an EC2 instance and an S3 bucket. The user receives an 'Access Denied' error when running the 'aws cloudformation create-stack' command. Which additional permission is required?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-bucket/*"
    },
    {
      "Effect": "Allow",
      "Action": "cloudformation:CreateStack",
      "Resource": "arn:aws:cloudformation:us-east-1:123456789012:stack/*"
    }
  ]
}

Question 192 (medium, multiple choice)

A DevOps engineer attempted to create a CloudFormation stack and it failed. The engineer runs the 'describe-stack-events' command and sees the output above. What is the most likely cause of the failure?

Network Topology
Refer to the exhibit.

aws cloudformation describe-stack-events --stack-name my-stack
{
  "StackEvents": [
    {
      "StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/my-stack/abc123",
      "EventId": "Event-1",
      "StackName": "my-stack",
      "LogicalResourceId": "my-stack",
      "PhysicalResourceId": "arn:aws:cloudformation:us-east-1:123456789012:stack/my-stack/abc123",
      "ResourceType": "AWS::CloudFormation::Stack",
      "Timestamp": "2023-01-01T00:00:00.000Z",
      "ResourceStatus": "ROLLBACK_COMPLETE",
    },
    {
      "EventId": "Event-2",
      "LogicalResourceId": "MyEC2Instance",
      "PhysicalResourceId": "i-1234567890abcdef0",
      "ResourceType": "AWS::EC2::Instance",
      "ResourceStatus": "CREATE_FAILED",

Question 193 (easy, multiple choice)

A CloudFormation template snippet is shown. An engineer attempts to create a stack with this template and receives an error: 'Bucket my-unique-bucket-name already exists'. What is the most likely cause?

Exhibit

Refer to the exhibit.

{
    "Resources": {
        "MyBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "BucketName": "my-unique-bucket-name",
                "VersioningConfiguration": {
                    "Status": "Enabled"
                }
            }
        },
        "MyBucketPolicy": {
            "Type": "AWS::S3::BucketPolicy",
            "Properties": {
                "Bucket": {"Ref": "MyBucket"},
                "PolicyDocument": {
                    "Statement": [
                        {
                            "Effect": "Allow",
                            "Principal": "*",
                            "Action": "s3:GetObject",
                            "Resource": "arn:aws:s3:::my-unique-bucket-name/*"
                        }
                    ]
                }
            }
        }
    }
}

Question 194 (medium, multiple choice)

A company uses AWS CodePipeline to deploy a Node.js application to AWS Elastic Beanstalk. The pipeline includes a build stage using AWS CodeBuild. Developers notice that the deployed application occasionally crashes due to missing environment variables that were configured in the Elastic Beanstalk environment but not passed from CodeBuild. What is the MOST efficient way to ensure the environment variables are consistently applied?

Question 195 (hard, multiple choice)

A DevOps engineer uses AWS CloudFormation to manage infrastructure. The stack creation fails with the error: 'Circular dependency between resources'. The template includes an EC2 instance, an Elastic IP, and an internet gateway. The instance is associated with the Elastic IP, and the Elastic IP uses the internet gateway for the VPC. Which resource relationship is MOST likely causing the circular dependency?

Question 196 (easy, multiple choice)

A DevOps team uses AWS OpsWorks for configuration management. They want to run a custom recipe on all instances in a layer during the setup lifecycle event. What should they do?

Question 197 (hard, multiple choice)

A company uses AWS CodeDeploy to deploy a web application to an Auto Scaling group. The deployment fails because the new instances cannot connect to the database. The previous deployment succeeded. The DevOps engineer checks the CodeDeploy deployment configuration and finds that the deployment uses the 'CodeDeployDefault.AllAtOnce' configuration. What is the MOST likely cause of the failure?

Question 198 (easy, multiple choice)

A DevOps team is implementing infrastructure as code using AWS CloudFormation. They need to ensure that the stack can be updated to modify a resource's property that requires replacement. Which CloudFormation stack policy should they use?

Question 199 (medium, multiple choice)

A company is using AWS Elastic Beanstalk with a custom platform. They need to install a third-party agent on all instances. The agent requires a configuration file that contains sensitive credentials. How should the DevOps engineer provide the configuration file to the agent?

Question 200 (medium, multiple choice)

A DevOps engineer is creating a CloudFormation template to deploy a VPC with public and private subnets. The template uses the 'AWS::EC2::VPC' resource and two 'AWS::EC2::Subnet' resources. The engineer wants to ensure that the subnets are created in different Availability Zones. What is the best approach?

Question 201 (easy, multiple choice)

A company uses AWS CloudFormation to manage its infrastructure. The DevOps team needs to deploy a stack that includes a Lambda function and an S3 bucket. The Lambda function's code is stored in the S3 bucket. How can the team ensure that the Lambda function is created after the S3 bucket and the code is uploaded?

Question 202 (hard, multiple choice)

A company has a multi-account AWS environment using AWS Organizations. The DevOps team wants to enforce a policy that prevents creating S3 buckets with public read access. They plan to use AWS CloudFormation StackSets to deploy a stack across all accounts. What is the BEST way to enforce this policy?

Question 203 (medium, multi select)

Which TWO actions should a DevOps engineer take to implement a GitFlow branching strategy for infrastructure as code using AWS CodeCommit and CodePipeline? (Choose two.)

Question 204 (hard, multi select)

Which THREE actions are best practices for managing secrets in AWS CloudFormation templates? (Choose three.)

Question 205 (easy, multi select)

Which TWO tools can be used to manage configuration drift detection for AWS resources? (Choose two.)

Question 206 (medium, multiple choice)

A DevOps team wants to enforce that all EC2 instances launched in an AWS account have a specific tag 'Environment' with value 'Production' or 'Development'. The team uses AWS CloudFormation to provision resources. Which approach should the team use to enforce tagging compliance at launch?

Question 207 (easy, multiple choice)

An organization uses AWS OpsWorks for configuration management of their EC2 instances. They need to ensure that all instances have the latest security patches applied automatically. Which action should the team take?

Question 208 (hard, multiple choice)

A company uses AWS Elastic Beanstalk to deploy a web application. The application requires environment-specific configuration values (database URL, API keys) that must be stored securely and rotated automatically. The team uses AWS Secrets Manager. Which configuration management strategy should the team implement to securely inject secrets into the Elastic Beanstalk environment?

Question 209 (medium, multiple choice)

A DevOps engineer is responsible for managing infrastructure as code for multiple microservices. The team uses AWS CloudFormation and wants to reuse common resource definitions across multiple stacks. Which approach should the engineer use to promote reusability and reduce code duplication?

Question 210 (medium, multiple choice)

A company uses AWS CodeDeploy for application deployments to EC2 instances. The team recently noticed that deployments are failing because some instances do not have the CodeDeploy agent installed. Which configuration management approach should the team implement to ensure the CodeDeploy agent is installed and running on all instances before deployment?

Question 211 (hard, multiple choice)

A team manages a large fleet of EC2 instances using AWS Systems Manager. They want to enforce a consistent configuration across all instances, including installed software packages, firewall rules, and user accounts. The team also needs to audit configuration changes and remediate drift automatically. Which AWS service should the team use?

Question 212 (medium, multiple choice)

A company uses AWS CloudFormation to manage infrastructure. The team wants to ensure that all stack updates are reviewed and approved before execution. Which mechanism should the team implement?

Question 213 (easy, multiple choice)

A DevOps engineer needs to deploy a configuration management solution that can manage both Windows and Linux servers across on-premises and AWS environments. The solution must support a Git-based workflow for version control of configurations. Which AWS service should the engineer choose?

Question 214 (medium, multiple choice)

A company uses AWS CloudFormation to deploy a multi-tier application. The network team manages the VPC and subnets using a separate CloudFormation stack. The application team needs to reference the VPC ID and subnet IDs from the network stack. Which approach should the application team use to obtain these values?

Question 215 (hard, multi select)

A company uses AWS CodeBuild to build and test their application. They want to integrate Infrastructure as Code (IaC) scanning into their build pipeline to detect security misconfigurations in CloudFormation templates before deployment. Which TWO tools or services can be used for this purpose? (Choose TWO.)

Question 216 (easy, multi select)

A DevOps team wants to manage EC2 instance configurations using AWS Systems Manager. Which THREE capabilities of Systems Manager can be used to ensure instances are in a desired state? (Choose THREE.)

Question 217 (medium, multi select)

A company uses AWS CloudFormation to deploy infrastructure. They want to enforce mandatory tags on all resources created by CloudFormation. Which TWO approaches can achieve this? (Choose TWO.)

Question 218 (easy, multiple choice)

A company uses AWS CloudFormation to deploy a microservices architecture. The Operations team needs to update a stack that contains a Lambda function and an API Gateway REST API. They want to ensure that the Lambda function code is updated without downtime. Which update policy should be used for the Lambda function in the CloudFormation template?

Question 219 (medium, multiple choice)

A DevOps engineer is designing a CI/CD pipeline for an application that runs on Amazon ECS. The pipeline should automatically build a Docker image from source code, push it to Amazon ECR, and deploy it to the ECS service. The engineer wants to use AWS CodePipeline with Amazon ECR as a source. Which action provider should be used for the deploy stage?

Question 220 (hard, multiple choice)

An organization uses AWS OpsWorks for configuration management. They have a stack with multiple layers, including a PHP application layer and a MySQL database layer. The operations team needs to deploy a custom configuration file to all PHP application instances. How should this be accomplished using OpsWorks?

Question 221 (medium, multi select)

A company uses AWS CloudFormation to manage infrastructure. They have a stack that creates an Amazon RDS DB instance and an EC2 instance that connects to it. The DB instance has a deletion policy of 'Retain'. The stack fails to delete because the DB instance is retained and still exists. Which TWO actions would allow the stack to be deleted successfully? (Select TWO.)

Question 222 (hard, multi select)

A company uses AWS Elastic Beanstalk to deploy a web application. The application experiences high traffic during business hours and low traffic at night. The company wants to configure automatic scaling based on CPU utilization. Which THREE steps are required to achieve this? (Select THREE.)

Question 223 (easy, multi select)

A company uses AWS CodeCommit to store source code. The development team wants to automatically trigger a build in AWS CodeBuild whenever a pull request is created or updated. Which TWO resources must be configured to accomplish this? (Select TWO.)

Question 224 (easy, multiple choice)

A DevOps engineer needs to create an IAM policy that allows a user to start and stop EC2 instances, but only for instances that have a specific tag 'Environment=Production'. The current policy allows all actions on all instances. Which modification must be made to enforce the tag-based restriction?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Resource": "*"
    }
  ]
}

Question 225 (medium, multiple choice)

A CloudFormation stack update failed with the error shown. What is the most likely cause?

Exhibit

Refer to the exhibit.

$ aws cloudformation describe-stack-events --stack-name my-stack
{
  "StackEvents": [
    {
      "StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/my-stack/...",
      "EventId": "...",
      "StackName": "my-stack",
      "LogicalResourceId": "MyInstance",
      "PhysicalResourceId": "i-0abcd1234efgh5678",
      "ResourceType": "AWS::EC2::Instance",
      "Timestamp": "2025-02-10T12:00:00.000Z",
      "ResourceStatus": "UPDATE_FAILED",
      "ResourceProperties": "{\"ImageId\":\"ami-0abcdef1234567890\",\"InstanceType\":\"t2.micro\"}",

Question 226 (hard, multiple choice)

An organization wants to ensure that all objects stored in the S3 bucket are encrypted at rest using server-side encryption with S3 managed keys (SSE-S3). The bucket policy in the exhibit is intended to enforce this. However, a user reported that they can still upload unencrypted objects. What is the MOST likely reason?

Exhibit

Refer to the exhibit.

AWS CloudFormation template snippet:
Resources:
  MyBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub "${AWS::StackName}-data-${AWS::AccountId}"
      VersioningConfiguration:
        Status: Enabled
      LifecycleConfiguration:
        Rules:
          - Id: ExpireOldVersions
            Status: Enabled
            NoncurrentVersionExpirationInDays: 30
  MyBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref MyBucket
      PolicyDocument:
        Statement:
          - Effect: Allow
            Action: s3:GetObject
            Principal: "*"
            Resource: !Sub "${MyBucket.Arn}/*"
            Condition:
              StringEquals:
                s3:x-amz-server-side-encryption: "AES256"

Question 227 (easy, multiple choice)

A company uses AWS Systems Manager to manage a fleet of EC2 instances. They need to run a script on all instances that have a specific tag 'Environment:Development'. Which Systems Manager capability should be used?

Question 228 (medium, multiple choice)

A company uses Chef for configuration management of their EC2 instances. They want to use AWS OpsWorks for Chef Automate to manage the Chef server. What is the primary benefit of using OpsWorks for Chef Automate compared to running a self-managed Chef server?

Question 229 (hard, multiple choice)

A company uses AWS CloudFormation StackSets to deploy a common security baseline across multiple AWS accounts. They have a new account that needs to be added to the StackSet. The StackSet is configured with self-service permissions and uses a service-managed IAM role. What must be done to include the new account?

Question 230 (medium, multiple choice)

A DevOps engineer is troubleshooting a failed AWS CloudFormation stack creation. The stack creates an EC2 instance with a user data script that runs a configuration management tool. The instance launches successfully, but the user data script fails. How can the engineer retrieve the user data execution logs to debug the issue?

Question 231 (hard, multiple choice)

A company uses AWS Elastic Beanstalk with a custom platform. They need to update the platform version to include a new security patch. Which approach should be used to create a new custom platform version?

Question 232 (medium, multiple choice)

A CloudFormation template includes the following resource:

MySecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupDescription: My security group
    SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: 443
        ToPort: 443
        CidrIp: 0.0.0.0/0

MyInstance:
  Type: AWS::EC2::Instance
  Properties:
    ImageId: ami-0abcdef1234567890
    InstanceType: t2.micro
    SecurityGroupIds: !Ref MySecurityGroup

The stack creation fails with the error shown. What is the cause?

Exhibit

Refer to the exhibit.

Error log from CloudFormation stack creation:
"Property validation failure: The value for parameter "SecurityGroupIds" is not a list."

Question 233 (medium, multiple choice)

A company uses AWS CloudFormation to deploy a web application across multiple AWS accounts using StackSets. The DevOps team notices that stack instance updates are failing in some accounts with the error: 'Insufficient IAM permissions to perform the action'. The team has already verified that the StackSet IAM role has the necessary permissions. What is the most likely cause of this issue?

Question 234 (hard, multiple choice)

A DevOps team is designing a configuration management solution for a microservices architecture running on Amazon ECS. The team wants to ensure that container configurations are automatically updated when a new version of a parameter is stored in AWS Systems Manager Parameter Store. Which approach best meets this requirement with minimal operational overhead?

Question 235 (easy, multiple choice)

A company uses AWS OpsWorks for configuration management of its EC2 instances. The DevOps team wants to apply a new security patch to all instances in a specific layer. What is the most efficient way to accomplish this?

Question 236 (hard, multiple choice)

A company uses AWS CloudFormation to manage its infrastructure. The DevOps team wants to ensure that when a stack update fails, the stack automatically rolls back to its previous state. However, they also want to preserve any resources that were created outside of CloudFormation (drift). What should they do?

Question 237 (medium, multiple choice)

A DevOps team uses AWS Elastic Beanstalk to deploy a web application. They want to implement a blue/green deployment strategy to minimize downtime. Which configuration change should they make?

Question 238 (hard, multiple choice)

A company uses AWS CloudFormation to deploy a multi-tier application. The template includes an Amazon RDS DB instance. The DevOps team wants to update the DB instance class without downtime. What should they do?

Question 239 (easy, multiple choice)

A company uses AWS Systems Manager to manage configuration compliance. They want to ensure that all EC2 instances have a specific security patch installed. Which Systems Manager capability should they use?

Question 240 (medium, multiple choice)

A DevOps team is troubleshooting a CloudFormation stack creation failure. The error message states: 'CREATE_FAILED: Resource handler returned message: "You have attempted to create more resources than the current AWS account limit"'. Which step should the team take to resolve this issue?

Question 241 (hard, multiple choice)

A company uses AWS CodeDeploy for application deployments. They want to ensure that if a deployment fails, the system automatically rolls back to the previous version. Which configuration should they set?

Question 242 (medium, multi select)

Which TWO options are valid approaches for managing configuration drift in an AWS environment? (Choose two.)

Question 243 (hard, multi select)

Which THREE actions should a DevOps engineer take to ensure that AWS CloudFormation stacks are securely managed? (Choose three.)

Question 244 (easy, multi select)

Which TWO AWS services can be used to automate the configuration of EC2 instances at launch? (Choose two.)

Question 245 (hard, multiple choice)

A DevOps team is troubleshooting a CloudFormation stack creation failure. The stack uses a service role with the trust policy shown in the exhibit. The error message states: 'Insufficient permissions to create the resource'. Which action should the team take to resolve this issue?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudformation.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Question 246 (easy, multiple choice)

A DevOps engineer runs the command shown in the exhibit. The output shows the stack status as ROLLBACK_COMPLETE. Which statement best describes the current state of the stack?

Exhibit

Refer to the exhibit.

$ aws cloudformation describe-stack-events --stack-name my-stack
{
  "StackEvents": [
    {
      "StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/my-stack/1a2b3c4d",
      "EventId": "e1",
      "StackName": "my-stack",
      "LogicalResourceId": "my-stack",
      "PhysicalResourceId": "arn:aws:cloudformation:us-east-1:123456789012:stack/my-stack/1a2b3c4d",
      "ResourceType": "AWS::CloudFormation::Stack",
      "Timestamp": "2024-03-15T10:00:00.000Z",
      "ResourceStatus": "ROLLBACK_COMPLETE",
      "ResourceStatusReason": ""
    }
  ]
}

Question 247 (medium, multiple choice)

A DevOps engineer deploys the CloudFormation snippet shown in the exhibit. After the stack is deleted, the engineer checks for the S3 bucket. Which statement best describes the outcome?

Exhibit

Refer to the exhibit.

Resources:
  MyBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub "${AWS::StackName}-mybucket-${AWS::Region}"
      VersioningConfiguration:
        Status: Enabled
    DeletionPolicy: Retain

Question 248 (medium, multiple choice)

A company uses AWS CloudFormation to manage its infrastructure. The Operations team needs to update a stack that contains an EC2 instance. They want to change the instance type from t2.micro to t2.small without recreating the instance. Which CloudFormation stack update policy should they use?

Question 249 (hard, multiple choice)

A DevOps engineer is troubleshooting an AWS CodeDeploy deployment that fails during the 'BeforeInstall' lifecycle event. The deployment group uses an in-place deployment to an Auto Scaling group. The engineer reviews the logs on the instance and sees that the 'BeforeInstall' script exits with code 1. The script is a shell script that compiles application code. What is the most likely cause of the failure?

Question 250 (easy, multiple choice)

A company uses AWS Systems Manager to manage its EC2 instances at scale. The DevOps team wants to ensure that all instances are patched with the latest security updates. Which Systems Manager capability should they use to automate patching?

Question 251 (medium, multiple choice)

A company uses AWS OpsWorks for configuration management. They have a stack with a layer that includes several EC2 instances. The DevOps engineer needs to deploy a custom configuration file to all instances in the layer. What is the recommended approach?

Question 252 (hard, multiple choice)

A company uses Terraform to manage AWS infrastructure. They have a state file stored in an S3 bucket with DynamoDB locking. After a failed 'terraform apply', the state file is locked. The DevOps engineer tries to run 'terraform plan' but gets an error: 'Error acquiring the state lock'. What should the engineer do to resolve this issue?

Question 253 (easy, multiple choice)

A company wants to use AWS Elastic Beanstalk to deploy a web application. They need to ensure that the application can be updated with zero downtime. Which deployment policy should they use?

Question 254 (medium, multiple choice)

A company uses AWS CloudFormation to deploy a multi-tier application. The stack includes an Application Load Balancer (ALB), an Auto Scaling group, and an RDS database. The DevOps engineer needs to update the stack to change the DB instance type. The engineer wants to minimize downtime. Which strategy should they use?

Question 255 (hard, multiple choice)

A company uses AWS CodePipeline to automate deployments. The pipeline has a source stage (CodeCommit), a build stage (CodeBuild), and a deploy stage (CodeDeploy). The DevOps engineer notices that the pipeline fails intermittently during the deploy stage with the error: 'The deployment failed because the deployment group does not exist'. What is the most likely cause?

Question 256 (easy, multiple choice)

A company uses AWS CodeBuild to compile and test code. The buildspec.yml file includes commands that require access to a private S3 bucket. The DevOps engineer wants to securely provide AWS credentials to the build project. What is the recommended approach?

Question 257 (medium, multi select)

A company uses AWS CloudFormation to manage infrastructure. They have a nested stack that creates an ECS cluster. The parent stack fails with the error: 'The following resource(s) failed to create: [ECSCluster]'. Which TWO are possible causes? (Choose TWO.)

Question 258 (hard, multi select)

A DevOps team uses Ansible for configuration management of EC2 instances. They want to ensure that the latest security patches are applied to all instances. Which THREE steps should they include in their Ansible playbook? (Choose THREE.)

Question 259 (medium, multi select)

A company uses AWS Config to evaluate resource compliance. They have a custom AWS Config rule that checks whether EC2 instances have a specific tag. The rule is triggered by configuration changes. The DevOps engineer notices that the rule evaluation results show 'NON_COMPLIANT' for some instances that actually have the tag. Which TWO could be causes? (Choose TWO.)

Question 260 (hard, multiple choice)

A company uses AWS CloudFormation to deploy its infrastructure. They have a production stack that includes an RDS PostgreSQL instance with a read replica. The stack update to modify the DB instance class fails with the error: 'The parameter group cannot be changed during a read replica update.' The DevOps engineer needs to update the DB instance class while minimizing downtime and without losing the read replica. The current configuration: the RDS instance is using a custom parameter group. The read replica is using the same parameter group. The update changes the DBInstanceClass property from db.r5.large to db.r5.xlarge. What should the engineer do to successfully update the stack?

Question 261 (medium, multiple choice)

A company uses AWS OpsWorks for Chef Automate. They have a stack that includes a PHP application layer. The application requires a custom PHP configuration file. The DevOps engineer creates a custom Chef cookbook with a recipe that deploys the configuration file. The recipe is assigned to the layer's Setup lifecycle event. The engineer notices that the configuration file is not being created on new instances when they are added to the layer. The cookbook is stored in a private S3 bucket. The engineer has verified that the cookbook is correctly associated with the stack. What should the engineer do to fix the issue?

Question 262 (medium, multiple choice)

A company uses AWS CloudFormation to manage its infrastructure. The DevOps team wants to ensure that stack updates do not accidentally delete critical resources like a database. Which CloudFormation stack policy should they apply to protect the database resource?

Question 263 (hard, multiple choice)

A DevOps engineer is troubleshooting a CloudFormation stack creation failure. The stack includes an AWS::EC2::Instance with a UserData script. The stack creation fails with the error: 'The following resource(s) failed to create: [EC2Instance]. The requested configuration is currently not supported. Please check the documentation for supported configurations.' The engineer suspects the instance type is not supported in the selected Availability Zone. Which action should the engineer take to resolve this issue and ensure successful stack creation?

Question 264 (easy, multiple choice)

A company uses AWS Elastic Beanstalk to deploy a Java web application. The DevOps team wants to ensure that configuration changes are tracked and can be rolled back if needed. Which Elastic Beanstalk feature should they use?

Question 265 (hard, multiple choice)

Refer to the exhibit. A DevOps engineer is troubleshooting an issue where an IAM user is unable to stop an EC2 instance with the tag 'Environment: Development'. The attached IAM policy is shown. Which statement explains the failure?

Exhibit

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": "ec2:TerminateInstances",
      "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
      "Condition": {
        "StringNotEquals": {
          "ec2:ResourceTag/Environment": "Production"
        }
      }
    }
  ]
}

Question 266 (medium, multiple choice)

A company uses AWS CodeDeploy to deploy applications to an Auto Scaling group. During a deployment, the deployment fails because the target instances are not passing the health checks. The DevOps engineer notices that the CodeDeploy agent logs show 'The overall deployment failed because too many individual instances failed deployment, too few healthy instances are available for deployment, or some instances in your deployment group are experiencing problems.' Which step should the engineer take to diagnose the issue?

Question 267 (hard, multiple choice)

A company uses AWS OpsWorks for configuration management. The DevOps team wants to run a custom recipe on all instances in a layer during stack updates. Which OpsWorks lifecycle event should they hook the recipe into?

Question 268 (medium, multiple choice)

A company is using AWS Systems Manager to manage configuration drift on EC2 instances. They want to automatically apply a baseline configuration to instances that have drifted from the desired state. Which Systems Manager capability should they use?

Question 269 (easy, multiple choice)

A DevOps engineer wants to ensure that all EC2 instances launched in an AWS account automatically have a specific set of tags applied for cost allocation. Which AWS service should they use to enforce this?

Question 270 (medium, multi select)

A company is using AWS CloudFormation to deploy a multi-tier application. The DevOps team wants to ensure that the database password is not exposed in the template or the console. Which two methods should they use to securely manage the password? (Choose TWO.)

Question 271 (hard, multi select)

A DevOps team is designing a CI/CD pipeline for a microservices application using AWS CodePipeline. They want to incorporate infrastructure as code (IaC) using AWS CloudFormation. Which three practices should they follow to ensure reliable and repeatable deployments? (Choose THREE.)

Question 272 (medium, multi select)

A company uses AWS Elastic Beanstalk to manage its web application. The DevOps team wants to customize the Amazon EC2 instances launched by Elastic Beanstalk. Which two methods can they use to achieve this? (Choose TWO.)

Question 273 (hard, multiple choice)

A company runs a critical web application on AWS using an Auto Scaling group of EC2 instances behind an Application Load Balancer. The application is deployed using AWS CodeDeploy with a blue/green deployment configuration. The DevOps team is responsible for configuration management using AWS Systems Manager State Manager. They have set up a State Manager association to ensure that the instances have a specific security configuration (e.g., firewall rules). Recently, after a new deployment, the team noticed that the security configuration is missing on some new instances. The old instances still have the correct configuration. The association is configured to apply the configuration only at instance launch (using the AWS-RunShellScript document). The team suspects that the new instances are not being targeted by the association. Upon investigation, they find that the association is set to target instances based on tags, and the new instances do have the required tags. However, the association status shows 'Success' for the old instances but no status for the new instances. Which of the following is the MOST likely cause of this issue?

Question 274 (medium, multiple choice)

A company uses AWS CloudFormation to manage its infrastructure. The DevOps team has a template that creates an Amazon RDS DB instance and an EC2 instance that runs a web application. The EC2 instance needs to connect to the RDS instance using the database endpoint and password. The team currently passes the endpoint and password as CloudFormation parameters, which are then stored in the EC2 instance's user data. However, a security audit has flagged this as a security risk because the password is visible in the user data. The team wants to securely pass the database credentials to the EC2 instance without exposing them in the template or user data. The EC2 instance has an IAM role that allows it to read from AWS Secrets Manager. Which solution should the team implement?

Question 275 (easy, multiple choice)

A company is using AWS OpsWorks for configuration management of their application stack. The stack includes a PHP application layer and a MySQL database layer. The DevOps team wants to automate the deployment of a new PHP version across all instances in the PHP layer. The team has created a custom Chef recipe that updates PHP. They want to run this recipe on all instances in the PHP layer in a rolling update fashion to avoid downtime. Which OpsWorks feature should they use?

Question 276 (medium, multiple choice)

A company uses AWS CodeCommit to store infrastructure as code templates. The DevOps team has set up an AWS CodePipeline that automatically deploys a CloudFormation stack when changes are pushed to the main branch. The pipeline includes a deployment action that uses the CloudFormation create/update stack action. Recently, a developer pushed a change that caused the CloudFormation stack update to fail because the change would have deleted a critical resource. The pipeline did not catch this issue, and the stack update failed midway, leaving the stack in a partially updated state. The team wants to implement a safety mechanism to prevent such issues in the future. Which solution should they implement?

Question 277 (easy, multi select)

A company is using AWS CloudFormation to manage its infrastructure. The DevOps team wants to implement a strategy that allows for rollback in case a stack update fails. Which TWO approaches should the team consider? (Choose TWO.)

Question 278 (medium, multi select)

A DevOps engineer is creating an AWS Elastic Beanstalk environment and needs to ensure that configuration changes are tracked and can be reverted. Which THREE steps should the engineer take to achieve this? (Choose THREE.)

Question 279 (easy, multiple choice)

A company uses AWS CodeDeploy to deploy applications to an Auto Scaling group. The deployment fails because the new version of the application crashes the instances. The DevOps engineer needs the Auto Scaling group to automatically replace the unhealthy instances with the previous working version. Which deployment configuration should the engineer use?

Question 280 (medium, multiple choice)

A DevOps team uses AWS OpsWorks for configuration management. They have a stack with a custom cookbook that installs and configures an application. After updating the cookbook on GitHub, they need to apply the changes to existing instances without creating new ones. What should the team do?

Question 281 (hard, multiple choice)

A company uses AWS CloudFormation to manage infrastructure. They have a template that creates an Amazon RDS DB instance. The template includes a 'DeletionPolicy' attribute set to 'Retain' on the DB instance resource. The DevOps team deletes the stack. Later, they notice that the DB instance still exists and is incurring costs. What is the MOST cost-effective way to remove the DB instance?
