CCNA Deployment Questions

75 of 378 questions · Page 3/6 · Deployment · Answers revealed

151
Multi-Select · easy

A developer is using AWS CodePipeline to automate deployments. The pipeline has a source stage that pulls code from an Amazon S3 bucket. Which TWO actions can the developer take to automatically start the pipeline when new code is uploaded to the S3 bucket? (Choose TWO.)

Select 2 answers
A. Configure the pipeline to use a periodic poll of the S3 bucket
B. Use Amazon CloudWatch Events to listen for S3 PutObject events and target the pipeline
C. Configure an S3 event notification to invoke an AWS Lambda function that starts the pipeline
D. Configure an S3 event notification to trigger an AWS CodeBuild build
E. Configure the S3 bucket to send events to an Amazon SQS queue, and configure the pipeline to poll the queue
Answers: B, C

CloudWatch Events can start a pipeline.

Why this answer

Options A and D are correct. S3 events can trigger Lambda or directly start a pipeline via CloudWatch Events. Option B is incorrect because CodeBuild is used for build, not trigger.

Option C is incorrect because SQS is not a direct trigger for CodePipeline. Option E is incorrect because polling is not automatic.

152
MCQ · hard

A company uses AWS CodeDeploy to deploy an application to EC2 instances. The deployment fails with the error: 'The overall deployment failed because too many individual instances failed deployment, too few healthy instances are available, or some instances in your deployment group are experiencing problems.' The deployment group consists of 4 EC2 instances. The deployment configuration is 'CodeDeployDefault.OneAtATime'. The CodeDeploy agent logs on the failed instance show: 'Error: Script at specified location: scripts/install_dependencies.sh failed with exit code 1.' What should the developer do to resolve this issue?

A. Change the deployment configuration to 'CodeDeployDefault.AllAtOnce'.
B. Review the install_dependencies.sh script for errors and correct them.
C. Reinstall the CodeDeploy agent on the failed instance.
D. Increase the number of EC2 instances in the deployment group.
Answer: B

The script failed, causing the instance deployment to fail; fixing the script resolves the issue.

Why this answer

Option A is correct. The script failed with exit code 1, indicating a bug in the script. The developer should fix the script based on the logs.

Option B is wrong because the deployment configuration is already OneAtATime; changing to AllAtOnce would make it worse. Option C is wrong because increasing instance count does not fix the script error. Option D is wrong because the error is in the script, not the agent.

153
MCQ · medium

A team uses AWS Elastic Beanstalk with a Docker platform. They want to deploy a multi-container Docker application. What file is required to define the container configuration?

A. docker-compose.yml
B. Dockerrun.aws.json
C. Dockerfile
D. env.yaml
Answer: B

This is the required file for multi-container Docker environments.

Why this answer

AWS Elastic Beanstalk uses the `Dockerrun.aws.json` file to define the configuration for multi-container Docker environments. This JSON file specifies the images to use, port mappings, links between containers, and volumes, and it is required when deploying a multi-container Docker application on Elastic Beanstalk.

Exam trap

The trap here is that candidates familiar with Docker Compose might assume `docker-compose.yml` is the required file, but Elastic Beanstalk specifically requires `Dockerrun.aws.json` for multi-container deployments, and using the wrong file will cause the deployment to fail.

How to eliminate wrong answers

Option A is wrong because `docker-compose.yml` is used by Docker Compose for local multi-container orchestration, but Elastic Beanstalk does not natively support this file for deployment; it requires `Dockerrun.aws.json`. Option C is wrong because a `Dockerfile` defines how to build a single container image, not the orchestration of multiple containers in a multi-container environment. Option D is wrong because `env.yaml` is used in Elastic Beanstalk to define environment properties and configuration options, not container definitions.

154
Multi-Select · easy

A developer is deploying an application using AWS Elastic Beanstalk. The developer wants to ensure that the application is highly available and can recover from an AZ failure. Which TWO configurations should be applied? (Choose TWO.)

Select 2 answers
A. Configure the environment to use multiple Availability Zones.
B. Select a larger EC2 instance type.
C. Enable Multi-AZ for the application's Amazon RDS database.
D. Attach an Elastic Load Balancer to the environment.
E. Use a single EC2 instance for simplicity.
Answers: A, D

Distributes instances across AZs.

Why this answer

Options A and D are correct. A: Deploying to multiple AZs ensures that if one AZ fails, the application remains available. D: A load balancer distributes traffic across instances in multiple AZs.

Option B is wrong because a single instance is not highly available. Option C is wrong because a larger instance type does not provide AZ redundancy. Option E is wrong because an RDS Multi-AZ database is for database availability, not application.

155
MCQ · easy

A developer wants to deploy a serverless application using AWS CloudFormation. The application consists of an API Gateway, Lambda functions, and DynamoDB tables. The developer wants to ensure that the stack can be updated without resource interruption when possible. Which CloudFormation feature should the developer use?

A. Use a Lambda alias with a DeploymentPreference update policy
B. Use a ChangeSet to review changes before applying them
C. Use a StackPolicy to protect critical resources
D. Use a Custom Resource to manage updates
Answer: A

This enables traffic shifting between old and new Lambda versions, ensuring zero downtime during updates.

Why this answer

Option A is correct because the `DeploymentPreference` update policy on a Lambda alias enables canary, linear, or all-at-once traffic shifting during stack updates. This allows the developer to update Lambda function versions without interrupting existing invocations, as traffic is gradually routed to the new version while the old version continues to serve requests until the transition completes.

Exam trap

The trap here is that candidates often confuse ChangeSets (which only preview changes) with the actual update mechanism, or they mistakenly think StackPolicies or Custom Resources can control update behavior, when in fact only the `DeploymentPreference` update policy on a Lambda alias provides the traffic-shifting capability needed for uninterrupted updates.

How to eliminate wrong answers

Option B is wrong because a ChangeSet only provides a preview of the changes that will be applied to the stack; it does not prevent resource interruption during the update itself. Option C is wrong because a StackPolicy is used to prevent accidental updates or deletions of specific resources by denying update/delete actions, but it does not control how updates are rolled out to avoid interruption. Option D is wrong because a Custom Resource is used to handle provisioning of resources not natively supported by CloudFormation, not to manage update strategies for Lambda functions.

156
Multi-Select · easy

A developer is using AWS CodePipeline to automate deployments. The pipeline has a Source stage using Amazon S3 and a Deploy stage using AWS Elastic Beanstalk. The developer notices that the pipeline fails at the Deploy stage with the error 'The deployment failed because the version of the application to be deployed could not be found.' Which TWO actions should the developer take to resolve this issue?

Select 2 answers
A. Ensure that the S3 bucket and the Elastic Beanstalk environment are in the same AWS region.
B. Make sure the source artifact is a valid zip file containing the application code and environment configuration.
C. Confirm that the S3 object key does not contain special characters.
D. Verify that the S3 bucket name is exactly as specified in the pipeline.
E. Check that the IAM role for CodePipeline has permissions to read from the S3 bucket and deploy to Elastic Beanstalk.
Answers: A, E

Cross-region deployments require additional configuration.

Why this answer

Option B (Ensure the S3 bucket is in the same region) is correct because cross-region access requires explicit configuration. Option D (Check that the source artifact is a zip file) is correct because Elastic Beanstalk expects a zip. Option A is wrong because the bucket name is not an issue.

Option C is wrong because it's a separate service. Option E is wrong because the S3 key is typically correct.

157
Multi-Select · hard

Which THREE steps are required to set up a continuous delivery pipeline using AWS CodePipeline, CodeBuild, and CodeDeploy? (Select THREE.)

Select 3 answers
A. Set up an Amazon RDS database to store deployment logs.
B. Create a deploy stage with CodeDeploy to deploy the artifacts.
C. Configure an AWS Lambda function to trigger the pipeline.
D. Create a build stage with CodeBuild to compile and test the code.
E. Create a source stage that retrieves code from a repository.
Answers: B, D, E

Required for deployment.

Why this answer

Option B is correct because CodeDeploy is the AWS service that automates application deployments to compute services like EC2, Lambda, or on-premises instances. In a CodePipeline continuous delivery workflow, the deploy stage uses CodeDeploy to take the build artifacts from the previous stage and deploy them to the target environment, ensuring a repeatable and automated release process.

Exam trap

The trap here is that candidates often think a database or a Lambda trigger is a required component, but the core pipeline only needs source, build, and deploy stages; additional services like RDS or Lambda are optional and not part of the minimal setup.

158
MCQ · medium

A team is using AWS CodeBuild to compile and test code. The build takes longer than expected. The team wants to reduce build times by caching dependencies. Which option should the team use to cache dependencies in CodeBuild?

A. Amazon DynamoDB
B. Amazon EFS
C. Amazon ECR
D. Local caching or Amazon S3 caching
Answer: D

CodeBuild supports local caching and S3 caching to speed up builds.

Why this answer

Option B is correct because CodeBuild supports local caching and S3 caching; local caching stores dependencies on the build instance. Option A is wrong because EFS is not supported for caching in CodeBuild. Option C is wrong because ECR is for container images, not general dependency caching.

Option D is wrong because DynamoDB is not used for caching in CodeBuild.

159
MCQ · medium

A developer is setting up an IAM role for a CI/CD pipeline. The above IAM policy is attached to the role. The pipeline needs to deploy a revision to an Amazon S3 bucket and then trigger a CodeDeploy deployment. The deployment fails with an access denied error. What is the missing permission?

A. codedeploy:UpdateDeploymentGroup
B. codedeploy:RegisterApplicationRevision
C. s3:ListBucket
D. s3:GetObjectVersion
Answer: B

Required to register the revision in S3 with CodeDeploy.

Why this answer

Option C is correct because to trigger a CodeDeploy deployment, the 'codedeploy:RegisterApplicationRevision' permission is required when using S3 as the revision location. Option A is wrong because 's3:ListBucket' is not needed for uploading. Option B is wrong because 'codedeploy:UpdateDeploymentGroup' is for updating configuration, not deployment.

Option D is wrong because 's3:GetObjectVersion' is for versioning, not required.

160
MCQ · medium

A developer is deploying a serverless application using AWS SAM. The application includes an API Gateway endpoint backed by a Lambda function. The developer wants to enable canary deployments to shift 10% of traffic to the new version for 5 minutes before routing all traffic. Which configuration should the developer add to the SAM template?

A. DeploymentPreference with Type: Canary10Percent5Minutes
B. Add a CodeDeploy application and deployment group manually
C. DeploymentPreference with Type: Linear10PercentEvery1Minute
D. DeploymentPreference with Type: AllAtOnce
Answer: A

Canary10Percent5Minutes sends 10% traffic for 5 minutes then all.

Why this answer

SAM supports canary deployments using the DeploymentPreference property with a canary type. Option A is correct because it specifies a 10% canary for 5 minutes. Option B is linear, not canary.

Option C is all-at-once. Option D is a custom traffic shifting method.

161
Multi-Select · easy

Which TWO strategies can be used to reduce the risk of a failed deployment when using AWS CodeDeploy? (Select TWO.)

Select 2 answers
A. Configure automatic rollback based on CloudWatch alarms.
B. Use a canary deployment to shift traffic gradually.
C. Disable health checks to prevent false positives.
D. Require a manual approval step before deployment.
E. Deploy to all instances at once to ensure consistency.
Answers: A, B

Automatic rollback reduces downtime and impact of failed deployments.

Why this answer

Options B and D are correct. Gradual traffic shifting (canary or linear) and automatic rollback based on CloudWatch alarms reduce risk. Option A is wrong because deploying to all instances at once increases risk.

Option C is wrong because skipping health checks increases risk. Option E is wrong because a manual approval gate introduces delay but does not reduce the risk of failure; it can help catch issues but does not specifically reduce deployment failure risk.

162
MCQ · easy

A developer wants to deploy a serverless application using AWS SAM. The application consists of multiple Lambda functions, an API Gateway REST API, and a DynamoDB table. The developer wants to define the application in a single template and deploy it using the AWS CLI. Which command should the developer use to package and deploy the application?

A. sam build and sam deploy
B. sam package and sam deploy
C. aws cloudformation package and aws cloudformation deploy
D. aws s3 cp and aws cloudformation create-stack
Answer: B

These are the SAM CLI commands to package and deploy.

Why this answer

Option B is correct because 'sam package' uploads the artifacts to S3 and generates a packaged template, and 'sam deploy' deploys it. Option A is wrong because 'aws cloudformation package' requires manual deploy. Option C is wrong because 'sam build' is for building locally but not for packaging.

Option D is wrong because 'aws s3 cp' only uploads files, not a template.

163
Multi-Select · hard

A company is implementing a CI/CD pipeline for a containerized application using Amazon ECS and AWS CodePipeline. The team wants to ensure zero-downtime deployments. Which THREE strategies should the team implement? (Choose THREE.)

Select 3 answers
A. Use a blue/green deployment strategy with an Application Load Balancer.
B. Use a rolling update with a fixed batch size of 100% of tasks.
C. Use ECS service auto scaling to maintain desired count during deployment.
D. Configure the ECS service with health check grace period.
E. Stop all existing tasks before starting new tasks.
Answers: A, C, D

Blue/green deployments allow traffic to be shifted gradually, ensuring zero downtime.

Why this answer

Options A, B, and D are correct. Using a blue/green deployment with a load balancer, configuring health checks, and using ECS service auto scaling ensure zero-downtime. Option C is incorrect because stopping all tasks causes downtime.

Option E is incorrect because a rolling update with a fixed batch size can cause downtime if not managed carefully, but it is not the best practice; the question asks for three correct strategies.

164
MCQ · easy

A developer is deploying a serverless application using AWS SAM. The application includes an API Gateway endpoint and a Lambda function. The developer wants to ensure that the Lambda function can be invoked only by the API Gateway and not directly. Which configuration should be used?

A. Configure a VPC endpoint policy that allows only API Gateway.
B. Add a resource-based policy with 'aws:SourceAccount' condition.
C. Add a resource-based policy with 'aws:SourceVpce' condition set to the API Gateway VPC endpoint ID.
D. Add a resource-based policy with 'aws:SourceArn' condition set to the API Gateway ARN.
Answer: D

This restricts invocation to the specific API Gateway.

Why this answer

Option B is correct because the resource-based policy statement with 'aws:SourceArn' condition restricts invocation to the specific API Gateway ARN. Option A is wrong because 'aws:SourceAccount' alone does not restrict to API Gateway. Option C is wrong because VPC endpoint policies control access to the VPC endpoint, not Lambda invocation.

Option D is wrong because Lambda resource policies cannot use 'aws:SourceVpce'.

165
Matching · medium

Match each HTTP status code to its meaning.


Concepts
Matches

OK

Created

Bad Request

Forbidden

Internal Server Error

Why these pairings

Understanding HTTP status codes is essential for API development.

166
MCQ · hard

Refer to the exhibit. A developer tried to create a CloudFormation stack that includes an EC2 instance. The stack creation failed and rolled back. What should the developer do to get more details about the failure?

A. Review the CloudFormation template syntax.
B. Use the `detect-stack-drift` command.
C. Run `aws cloudformation describe-stack-events` for the stack.
D. Update the stack with the same template to see the error.
Answer: C

Stack events provide detailed error messages.

Why this answer

Option B is correct because the `describe-stack-events` command shows detailed events including resource status reasons. Option A is wrong because the template itself is not the issue. Option C is wrong because the stack has rolled back.

Option D is wrong because there is no drift on a failed creation.

167
Multi-Select · hard

A company uses AWS CodePipeline to automate deployments. The pipeline has a source stage that pulls from CodeCommit, a build stage using CodeBuild, and a deploy stage using CodeDeploy. Recently, deployments have been failing because the CodeBuild project cannot download dependencies from the internet. The build environment does not have internet access due to VPC settings. Which THREE steps should a developer take to resolve this issue? (Choose THREE.)

Select 3 answers
A. Configure a NAT gateway in the public subnet to allow outbound internet access.
B. Move the source stage to use S3 instead of CodeCommit.
C. Place the CodeBuild project in a private subnet of the VPC.
D. Assign a public IP address to the CodeBuild project.
E. Create VPC endpoints for Amazon S3 to allow access to dependencies in S3.
Answers: A, C, E

NAT enables internet from private subnet.

Why this answer

Options B, C, and D are correct because placing CodeBuild in a private subnet with VPC endpoints for S3 and using a NAT gateway allows internet access for dependencies. Option A is wrong because CodeBuild does not need a public IP. Option E is wrong because CodeCommit is not the issue.

168
MCQ · medium

A CodePipeline source stage should start when code is pushed to a repository, without scheduled polling. Which integration pattern should be used?

A. Manual approval only
B. Event-based trigger from the source provider/EventBridge integration
C. A cron job on an EC2 instance
D. CloudWatch Logs Insights
Answer: B

Correct for the stated requirement.

Why this answer

Option B is correct because AWS CodePipeline can integrate with Amazon EventBridge to listen for repository events (e.g., push events from CodeCommit, GitHub, or Bitbucket) and automatically start the pipeline. This event-driven pattern eliminates the need for scheduled polling, providing near-instantaneous execution when code changes are detected.

Exam trap

The trap here is that candidates may confuse manual approval (a pipeline action) with a trigger mechanism, or assume that CloudWatch Logs Insights can initiate pipeline executions, when in fact only EventBridge or webhook-based integrations provide the required event-driven, polling-free source trigger.

How to eliminate wrong answers

Option A is wrong because manual approval is a gate that pauses pipeline execution for human review, not a mechanism to trigger the pipeline on code push. Option C is wrong because a cron job on an EC2 instance would require custom scripting, polling the repository periodically, and introduces unnecessary complexity, latency, and maintenance overhead compared to a native event-driven integration. Option D is wrong because CloudWatch Logs Insights is a query tool for analyzing log data, not a trigger mechanism for CodePipeline source stages.

169
Multi-Select · easy

Which TWO are valid deployment strategies supported by AWS CodeDeploy? (Choose TWO.)

Select 2 answers
A. Immutable deployment
B. In-place deployment
C. Canary deployment
D. All at once deployment
E. Blue/Green deployment
Answers: B, E

In-place is a CodeDeploy deployment type.

Why this answer

Options A and D are correct. CodeDeploy supports In-place (rolling) and Blue/Green deployments. Option B is incorrect because canary is not a CodeDeploy deployment type (it is for Lambda).

Option C is incorrect because immutable is not a CodeDeploy type (it is for Elastic Beanstalk). Option E is incorrect because all-at-once is not a CodeDeploy type (it is for Elastic Beanstalk).

170
Multi-Select · hard

A company uses AWS CodeDeploy to manage deployments to an Amazon EC2 Auto Scaling group. The deployment group is configured with a blue/green deployment type. The developer notices that after a deployment, the old instances (blue environment) are terminated immediately after the new instances (green environment) pass health checks. The company wants to keep the old instances running for 30 minutes to allow for quick rollback if issues are detected. Which TWO configuration changes should the developer make to achieve this? (Choose TWO.)

Select 2 answers
A. Set the 'terminateBlueInstancesOnDeploymentSuccess' action to 'KEEP_ALIVE'.
B. Set the 'blueInstanceTermination' property to 'WAIT'.
C. Set the 'terminationWaitTimeInMinutes' to 30.
D. Set the 'blueInstanceTermination' property to 'originalSettings'.
E. Set the 'waitTimeForBlueTermination' to 30.
Answers: A, C

This tells CodeDeploy not to terminate the blue instances immediately.

Why this answer

Options A and E are correct. To retain the old instances for a period, the developer must set the 'terminateBlueInstancesOnDeploymentSuccess' action to 'KEEP_ALIVE' (option A) and specify a 'terminationWaitTimeInMinutes' value of 30 (option E). Option B is incorrect because 'originalSettings' is not a valid retention type.

Option C is incorrect because 'blueInstanceTermination' setting is not a property; the correct property is 'terminateBlueInstancesOnDeploymentSuccess'. Option D is incorrect because 'waitTimeForBlueTermination' is not a valid property name.

171
Multi-Select · hard

A developer is deploying a new version of an AWS Lambda function. The function is behind an API Gateway endpoint. The developer wants to use canary deployments to gradually shift traffic to the new version. Which TWO steps should the developer perform?

Select 2 answers
A. Create a Lambda alias that points to the current version and configure routing to shift a percentage of traffic to the new version.
B. Configure Amazon CloudFront to distribute traffic between two API Gateway endpoints.
C. Update the API Gateway integration to point to the Lambda alias instead of a specific version.
D. Update the Lambda function code and publish a new version.
E. Create a new API Gateway stage for the new version and update DNS.
Answers: A, C

Alias routing enables canary deployments.

Why this answer

Options B and D are correct because creating a Lambda alias with routing configuration and updating the API Gateway to point to the alias enables canary deployments. Option A is wrong because updating the function code does not shift traffic. Option C is wrong because creating a new API Gateway stage is unnecessary.

Option E is wrong because CloudFront is not needed.

172
MCQ · hard

A developer is deploying an AWS Lambda function that processes data from an Amazon Kinesis stream. The function must be idempotent and handle duplicate records. The developer notices that the same record is being processed multiple times. What is the most likely cause of this issue?

A. The Kinesis data stream's retention period is too long, causing old records to be reprocessed.
B. The function's reserved concurrency is set too low, causing invocations to be throttled and retried.
C. The batch size is set too high, causing the function to process records in multiple batches.
D. The Kinesis stream's iterator age is too low, causing the function to reprocess records after a failure.
Answer: D

Low iterator age means the function may fall behind and reprocess records.

Why this answer

Option D is correct because a low iterator age can cause the Lambda function to reprocess records if the function fails or times out, leading to duplicates. Option A is wrong because the batch size affects how many records are sent per invocation, not duplicates. Option B is wrong because the concurrency limit throttles invocations but does not cause duplicates.

Option C is wrong because the retention period determines how long records are available, not duplicates.

173
Drag & Drop · medium

Drag and drop the steps to set up a custom domain for an API Gateway API in the correct order.


Why this order

First have a domain, get a certificate, create custom domain in API Gateway, map to stage, and update DNS.

174
MCQ · easy

An e-commerce platform uses AWS CodePipeline to deploy a web application to an Auto Scaling group behind an Application Load Balancer. The deployment strategy must minimize downtime and allow immediate rollback if the new version fails health checks. Which deployment configuration meets these requirements?

A. Use blue/green deployment with an immutable infrastructure.
B. Use all-at-once deployment to the Auto Scaling group.
C. Use canary deployment shifting 10% traffic for 5 minutes.
D. Use in-place rolling update with a batch size of 50%.
Answer: A

Creates a new environment, switches traffic when healthy, and retains the old environment for instant rollback.

Why this answer

Blue/green deployment with immutable infrastructure minimizes downtime by running the new version (green) alongside the old (blue) and switching traffic only after health checks pass. If the new version fails, rollback is immediate by routing traffic back to the blue environment without redeploying. AWS CodePipeline supports this via CodeDeploy with a blue/green configuration, ensuring zero-downtime deployments and instant rollback capability.

Exam trap

The trap here is that candidates confuse canary or rolling updates with immediate rollback capability, but only blue/green provides an instant traffic switch without redeployment, as the old environment remains intact.

How to eliminate wrong answers

Option B is wrong because all-at-once deployment replaces all instances simultaneously, causing downtime during the deployment and no ability to rollback without redeploying the old version. Option C is wrong because canary deployment shifts only 10% traffic for 5 minutes, which does not guarantee immediate rollback of the entire fleet if the new version fails; it requires manual or automated traffic shifting back, which is not instantaneous. Option D is wrong because in-place rolling update with a batch size of 50% replaces instances gradually but still causes partial downtime and requires a full redeployment to rollback, as the old instances are terminated during the update.

175
Multi-Select · medium

Which TWO actions can be taken to enable automatic rollback for an AWS CloudFormation stack update that fails? (Select TWO.)

Select 2 answers
A. Set the '--on-failure' parameter to 'ROLLBACK' during stack update.
B. Specify a CloudWatch alarm in the '--rollback-configuration' parameter during stack update.
C. Use a change set to review the changes before updating.
D. Apply a stack policy that denies updates to critical resources.
E. Set the '--disable-rollback' parameter to 'false' during stack update.
Answers: B, E

This allows CloudFormation to monitor the alarm and rollback if it triggers.

Why this answer

Options A and C are correct. The '--rollback-configuration' parameter can specify CloudWatch alarm thresholds that trigger rollback. Option C: Setting '--disable-rollback' to false (i.e., not disabling rollback) means rollback is enabled.

Option B is wrong because '--on-failure' is only for stack creation, not update. Option D is wrong because a stack policy does not control rollback behavior. Option E is wrong because change sets do not enable automatic rollback.

176
MCQ · easy

A developer is using AWS CodeDeploy to deploy an application to an EC2 instance. The deployment fails with the error 'ScriptMissing' during the BeforeInstall lifecycle event. What is the most likely cause?

A. The BeforeInstall lifecycle event is not defined in the appspec.yml
B. The script file specified in the appspec.yml for the BeforeInstall hook is not present on the instance
C. The CodeDeploy agent on the instance is not running
D. The instance does not have the necessary permissions to execute the script
Answer: B

ScriptMissing error means the script file is missing.

Why this answer

The 'ScriptMissing' error in AWS CodeDeploy indicates that the deployment failed because a script file referenced in the appspec.yml for a lifecycle event (in this case, BeforeInstall) could not be found on the EC2 instance. CodeDeploy expects the script to be present at the specified path after the archive is extracted; if the file is missing or the path is incorrect, the agent reports this error. Option B correctly identifies that the script file is not present on the instance.

Exam trap

The trap here is that candidates confuse 'ScriptMissing' with permission issues or agent connectivity problems, but AWS CodeDeploy has distinct error codes for each failure mode, and 'ScriptMissing' specifically points to a missing file, not execution or agent status.

How to eliminate wrong answers

Option A is wrong because if the BeforeInstall lifecycle event is not defined in the appspec.yml, CodeDeploy would simply skip that event and not produce a 'ScriptMissing' error — the error specifically occurs when a hook is defined but its script is absent. Option C is wrong because if the CodeDeploy agent were not running, the deployment would fail with an 'AgentNotRunning' or 'InstanceUnreachable' error, not a 'ScriptMissing' error. Option D is wrong because insufficient permissions to execute the script would result in a 'ScriptFailed' error (e.g., exit code 126 or 127), not a 'ScriptMissing' error — the agent first checks for the file's existence before attempting execution.

177
MCQ · medium

A developer is using AWS CloudFormation to deploy a stack that includes an Amazon EC2 instance with user data. The user data script installs software and configures the application. The developer wants to ensure that the stack creation waits for the user data script to complete before marking the stack as CREATE_COMPLETE. What should the developer do?

A. Add a DependsOn attribute to the EC2 instance resource.
B. Use a CloudFormation WaitCondition and a WaitConditionHandle.
C. Add a CreationPolicy with a timeout to the EC2 instance resource and use cfn-signal in the user data.
D. Configure the EC2 instance to run the user data script as a service.
Answer: C

CreationPolicy waits for cfn-signal before completing.

Why this answer

Option A is correct because a cfn-signal sent from the user data and a CreationPolicy on the EC2 resource cause CloudFormation to wait for the signal. Option B is wrong because DependsOn only affects order, not wait for completion. Option C is wrong because WaitCondition is legacy and requires a separate handle; CreationPolicy is simpler.

Option D is wrong because user data runs as root; the script can send signals.

178
MCQ · easy

A developer is deploying a new version of a Lambda function using an AWS CodePipeline pipeline. The deployment fails during the 'Deploy' stage with an error indicating that the function's code is too large. What should the developer do to resolve this issue?

A. Upload the Lambda deployment package to Amazon S3 and reference it from the function
B. Increase the Lambda function's timeout setting
C. Use Amazon CloudFront to distribute the Lambda code
D. Enable AWS X-Ray tracing on the Lambda function
Answer: A

S3 allows larger packages.

Why this answer

Option C is correct because Lambda has a deployment package size limit of 50 MB for direct upload via the console or API. For larger packages, developers should upload the deployment package to Amazon S3 and reference it. Option A is incorrect because increasing the Lambda timeout does not affect code size.

Option B is incorrect because Lambda does not support X-Ray for code size issues. Option D is incorrect because CloudFront is a CDN, not a solution for Lambda package size.

179
Multi-Select · easy

A company uses AWS CodeBuild to compile and test a Java application. The build process takes a long time because dependencies are downloaded every time. Which TWO actions can reduce build time? (Choose TWO.)

Select 2 answers
A. Increase the compute type of the build environment to have more CPU and memory.
B. Change the build runtime to a language that compiles faster.
C. Configure the build project to run builds in parallel.
D. Enable local caching in the CodeBuild project to reuse dependency files between builds.
E. Use Amazon S3 to cache dependencies and restore them at the start of each build.
Answers: D, E

Local cache stores files on the build instance for subsequent builds.

Why this answer

Options A and D are correct: Caching dependencies in a local cache or in S3 reduces download time. Option B (increase compute) does not reduce dependency download. Option C (parallel builds) is for multiple builds.

Option E (change runtime) is not relevant.

180
Multi-Select · easy

Which TWO deployment methods can be used to update an AWS Lambda function with no downtime? (Select TWO.)

Select 2 answers
A. Update the function code using update-function-code.
B. Use a weighted alias to gradually shift traffic to a new version.
C. Create a new version and update the alias to point to the new version.
D. Create a new Lambda function and delete the old one.
E. Update the function configuration to increase memory.
Answers: B, C

Canary deployment with no downtime.

Why this answer

Option B is correct because a weighted alias allows you to route a small percentage of traffic to a new Lambda version while keeping the majority on the current version, enabling canary deployments with zero downtime. Option C is correct because creating a new version and updating the alias to point to it performs an instant, atomic switch, ensuring all traffic is served by the new version without any interruption.

Exam trap

The trap here is that candidates often think update-function-code is a safe deployment method, but it modifies the mutable $LATEST version, which can cause downtime if an alias points to $LATEST and the update is not atomic.

181
MCQ · medium

A developer is using AWS CodeDeploy to deploy an application to an Auto Scaling group of EC2 instances. The developer wants to minimize the number of instances that are taken out of service at any given time during the deployment. Which predefined deployment configuration should the developer use?

A. AllAtOnce
B. OneAtATime
C. HalfAtATime
D. Custom with 50% at a time
Answer: B

OneAtATime updates only one instance at a time, keeping the rest serving traffic, thus minimizing the number of instances out of service.

Why this answer

The OneAtATime deployment configuration shifts traffic to one new instance at a time, ensuring that only a single instance is taken out of service during the deployment. This minimizes the number of instances removed from the Auto Scaling group at any given moment, which directly meets the developer's requirement to reduce service disruption.

Exam trap

The trap here is that candidates might confuse 'HalfAtATime' with a predefined configuration, but AWS CodeDeploy does not offer 'HalfAtATime' as a predefined option; the predefined options are 'AllAtOnce', 'OneAtATime', and 'Custom', so the correct choice is the one that minimizes instances taken out of service—OneAtATime.

How to eliminate wrong answers

Option A (AllAtOnce) is wrong because it deploys to all instances simultaneously, taking the entire fleet out of service at once, which maximizes disruption. Option C (HalfAtATime) is wrong because it is not a predefined deployment configuration in AWS CodeDeploy; the correct predefined option for deploying to half the instances is 'HalfAtATime' but it would take 50% of instances out of service at a time, which is more than the single instance the developer wants. Option D (Custom with 50% at a time) is wrong because while custom configurations are possible, the developer specifically asked for a predefined configuration, and using a custom one would not be the simplest or most direct solution; moreover, deploying 50% at a time would still take more instances out of service than the desired minimum.

182
MCQ · medium

A developer is deploying a new version of a web application to an EC2 Auto Scaling group using AWS CodeDeploy with a blue/green deployment strategy. The Auto Scaling group is associated with an Application Load Balancer (ALB). The developer wants to ensure that the new instances are registered with the ALB and pass health checks before any traffic is routed to them. Which CodeDeploy configuration should the developer use?

A. Set the 'Reroute traffic to replacement instances' to 'Immediately'.
B. Set the 'Reroute traffic to replacement instances' to 'Wait for time' and specify a wait time.
C. Set the 'Reroute traffic to replacement instances' to 'Wait for health check' and specify the ELB health check.
D. Set the deployment to terminate the original instances before rerouting traffic.
Answer: C

This configuration ensures that new instances must pass the ELB health check before traffic is rerouted, meeting the requirement of routing traffic only to healthy instances.

Why this answer

Option C is correct because setting 'Reroute traffic to replacement instances' to 'Wait for health check' and specifying the ELB health check ensures that CodeDeploy waits for the new instances to pass the ALB health checks before rerouting traffic. This aligns with the requirement that new instances must be registered and healthy before receiving traffic, preventing downtime or routing to unhealthy targets.

Exam trap

The trap here is that candidates may confuse 'Wait for time' (a simple delay) with 'Wait for health check' (which actually verifies instance health), leading them to choose Option B, but only Option C guarantees that health checks pass before traffic is rerouted.

How to eliminate wrong answers

Option A is wrong because setting 'Reroute traffic to replacement instances' to 'Immediately' would route traffic to new instances as soon as they are registered, without waiting for health checks, risking traffic being sent to unhealthy instances. Option B is wrong because 'Wait for time' only introduces a fixed delay, not a health check verification, so traffic could be routed before instances are healthy if the wait time is too short. Option D is wrong because terminating original instances before rerouting traffic would cause downtime, as there would be no healthy instances to serve traffic during the transition.

183
MCQ · hard

A company uses AWS Elastic Beanstalk to deploy a PHP application. The application requires write access to the /tmp directory on the EC2 instances. The deployment uses a custom platform. After a recent deployment, the application fails to write to /tmp. The operations team verifies that the instance security group and NACLs allow all outbound traffic. What is the MOST likely cause?

A. The application is running as an unprivileged user without write access to /tmp.
B. The security group is blocking outbound traffic to the S3 bucket.
C. The custom platform has a read-only root filesystem.
D. The instance profile does not have permissions to write to the S3 bucket.
Answer: C

Custom platforms can have read-only root filesystems; /tmp may be on root and thus read-only.

Why this answer

Option B is correct: Elastic Beanstalk uses instance profiles, and the profile may lack permissions to write to /tmp (though /tmp is a local filesystem, so this might be an issue only if EFS or similar is used). However, /tmp is typically writable by default. But the question implies a permissions issue: the instance profile might not have permissions to mount or access certain resources. Actually, /tmp is local, so permissions are OS-level.

The likely cause is that the custom platform has a read-only root filesystem or the application user does not have write permission. Option B (instance profile) is plausible if /tmp is mounted from an external source. But a better answer is Option C: a read-only root filesystem is a common Elastic Beanstalk custom platform issue.

However, standard Elastic Beanstalk environments have a writable /tmp. Given the custom platform, the most likely cause is that the platform configuration sets the root filesystem as read-only. So Option C is correct.

184
MCQ · medium

A developer is deploying a static website to Amazon S3. The website uses client-side JavaScript to make API calls to an AWS Lambda function via Amazon API Gateway. The developer wants to enable cross-origin resource sharing (CORS) on the API Gateway to allow the S3 website to make requests. After enabling CORS on the API Gateway and redeploying the API, the browser still reports CORS errors. The developer checks the API Gateway configuration and sees that the OPTIONS method is not defined. The developer has already enabled CORS via the API Gateway console, which should have created the OPTIONS method. However, it did not appear. What should the developer do to resolve the issue?

A. Update the JavaScript in the website to use a different HTTP method.
B. Update the S3 bucket policy to allow cross-origin requests from any origin.
C. Modify the Lambda function to return CORS headers in its response.
D. Manually add an OPTIONS method to the API Gateway resource and configure the CORS headers in the integration response.
Answer: D

If the automated CORS enablement didn't create the OPTIONS method, manual creation is required.

Why this answer

Option B is correct because enabling CORS via the console should automatically create an OPTIONS method; if it didn't, manually adding it is the next step. Option A is wrong because the S3 bucket policy is not the cause of CORS errors. Option C is wrong because the Lambda function does not handle OPTIONS requests; API Gateway does.

Option D is wrong because the browser's CORS check is based on the server response, not the client code.

185
Multi-Select · easy

Which TWO are benefits of using AWS CloudFormation for infrastructure deployment? (Choose two.)

Select 2 answers
A. Infrastructure is provisioned consistently across environments.
B. Automatically enforces compliance rules.
C. Automatically rolls back changes if stack creation fails.
D. Replaces the need for a CI/CD pipeline.
E. Provides real-time monitoring of deployed resources.
Answers: A, C

Infrastructure as code ensures consistency.

Why this answer

Options A and D are correct. CloudFormation provides consistent provisioning (infrastructure as code) and automated rollback on failure. Option B is wrong because it is not a compliance service.

Option C is wrong because it does not replace CI/CD. Option E is wrong because it does not provide real-time monitoring.

186
MCQ · hard

A company uses AWS CodePipeline to automate deployments. The pipeline source stage uses Amazon S3. The developer wants to automatically trigger the pipeline when a new version of the source file is uploaded. The developer has configured S3 event notifications to invoke a Lambda function that starts the pipeline. However, the pipeline is not triggering. What is the most likely cause?

A. S3 versioning is not enabled on the bucket.
B. The pipeline execution role does not have permission to read from the S3 bucket.
C. The Lambda function does not have permission to start the pipeline.
D. The S3 bucket does not have a bucket policy that allows S3 to invoke Lambda.
Answer: A

Event notifications for object creation work without versioning, but if the pipeline expects a specific version, versioning is needed. However, the most likely cause is that the event notification configuration is missing or the Lambda function is not properly invoked. But given the options, versioning is a common requirement for pipeline triggers.

Why this answer

Option D is correct because S3 event notifications require explicit versioning to be enabled on the bucket to detect object version changes. Option A is wrong because the Lambda function can start the pipeline without a version ID. Option B is wrong because bucket policy can be set to allow, not block.

Option C is wrong because the pipeline execution role is for pipeline actions, not the trigger.

187
Multi-Select · medium

A developer is deploying an application using AWS CloudFormation. The stack includes an Amazon RDS DB instance. To ensure secure credential management, which TWO actions should the developer take? (Choose TWO.)

Select 2 answers
A. Use AWS Systems Manager Parameter Store with a SecureString parameter for the password.
B. Use AWS Secrets Manager to store the master password and reference it dynamically.
C. Hardcode the master password in the CloudFormation template.
D. Use IAM database authentication to manage credentials.
E. Leave the master password empty so that CloudFormation generates a random password.
Answers: A, B

Parameter Store with SecureString provides encrypted storage for the password.

Why this answer

Options B and D are correct. Using AWS Secrets Manager or Systems Manager Parameter Store to store database credentials securely is a best practice. Option A is incorrect because hardcoding credentials in the template is insecure.

Option C is incorrect because the default password is not automatically randomized; it must be explicitly set. Option E is incorrect because IAM database authentication is separate from credential storage.

188
MCQ · hard

Refer to the exhibit. A developer is troubleshooting a failed CodeDeploy deployment to an EC2 Auto Scaling group. The instance logs show that the 'BeforeInstall' script failed with exit code 1. What should the developer do to resolve the issue?

A. Review the BeforeInstall script for errors and fix them.
B. Ensure the CodeDeploy agent is installed and running on the instance.
C. Verify that the scripts location in the AppSpec file is correct.
D. Check that the instance's IAM role has permissions to download the revision.
Answer: A

Exit code 1 indicates script error.

Why this answer

Option C is correct because the BeforeInstall hook script failed, and the developer should review the script's logic and fix any errors. Option A is wrong because the scripts location is correct if the error is exit code 1. Option B is wrong because the IAM role likely has sufficient permissions if the script runs.

Option D is wrong because the CodeDeploy agent is running if it executes scripts.

189
Multi-Select · hard

A developer is deploying a serverless application using AWS SAM. The application includes an Amazon DynamoDB table and a Lambda function that reads from the table. The developer wants to ensure that the Lambda function has the minimum required permissions to read from the table. Which THREE statements about SAM policy templates are correct? (Choose THREE.)

Select 3 answers
A. SAM policy templates are AWS-managed policies that can be applied to Lambda function roles
B. SAM policy templates can be applied in the Globals section of the SAM template
C. SAM policy templates allow fine-grained resource-level permissions by specifying ARNs
D. SAM policy templates can be used to grant permissions to custom resources
E. The DynamoDBReadPolicy template grants read access to a DynamoDB table
Answers: A, B, E

Templates are managed policies.

Why this answer

Options A, D, and E are correct. SAM policy templates provide managed policies, can be used in the Globals section, and DynamoDBReadPolicy grants read access. Option B is incorrect because policy templates do not support custom resources.

Option C is incorrect because templates are for common use cases, not fine-grained resource-level permissions.

190
Multi-Select · medium

Which THREE are best practices for deploying applications with AWS Elastic Beanstalk? (Choose THREE.)

Select 3 answers
A. Manually update EC2 instances in the environment.
B. Use environment configuration files (.ebextensions) to manage settings.
C. Use a blue/green deployment to minimize downtime.
D. Deploy to a staging environment before production.
E. Always use the default Elastic Beanstalk domain for production.
Answers: B, C, D

Configuration files ensure consistent deployments.

Why this answer

Options A, C, and D are correct. Using environment configurations as code, deploying to a staging environment, and using a blue/green deployment process are best practices. Option B is incorrect because manual changes should be discouraged.

Option E is incorrect because using the default domain is not a best practice; custom domains should be used.

191
MCQ · easy

A developer is using AWS CodeBuild to compile and package a Java application. The build process takes longer than expected. The developer wants to speed up the build by reusing dependencies that have not changed between builds. Which feature should the developer enable?

A. Configure the build project to run builds concurrently
B. Enable build artifacts in the CodeBuild project
C. Enable caching for the CodeBuild project by specifying an S3 bucket for cache storage
D. Store the build's output artifacts in an S3 bucket
Answer: C

Caching reuses unchanged dependencies.

Why this answer

Option D is correct because caching in CodeBuild allows reusing previously downloaded dependencies. Option A is incorrect because build artifacts are outputs, not dependencies. Option B is incorrect because S3 is used for artifacts, not dependencies.

Option C is incorrect because concurrent builds run separate builds, not reuse dependencies.

192
MCQ · easy

A developer is deploying a serverless application using AWS SAM. The application includes an API Gateway REST API and a Lambda function. The developer wants to set up a custom domain name for the API in the production stage. Which resource should the developer define in the SAM template to achieve this with minimal effort?

A. AWS::ApiGateway::DomainName
B. AWS::Serverless::Api
C. AWS::ApiGateway::BasePathMapping
D. AWS::Route53::RecordSet
Answer: B

The AWS::Serverless::Api resource has a Domain property that allows you to specify a custom domain name, certificate ARN, and other settings. SAM handles the creation of the necessary DomainName and BasePathMapping resources automatically.

Why this answer

The AWS::Serverless::Api resource in an AWS SAM template provides a high-level abstraction that simplifies the configuration of API Gateway REST APIs, including the ability to set up a custom domain name via the Domain property. This approach requires minimal effort because SAM automatically creates the underlying AWS::ApiGateway::DomainName and AWS::ApiGateway::BasePathMapping resources, handles the TLS certificate association, and manages the stage deployment. Defining a raw AWS::ApiGateway::DomainName would require additional manual configuration for base path mapping and stage integration, making the Serverless::Api the most efficient choice.

Exam trap

The trap here is that candidates often think they must define the low-level AWS::ApiGateway::DomainName resource directly, overlooking that AWS SAM's AWS::Serverless::Api provides a built-in Domain property that automates the entire custom domain setup with minimal code.

How to eliminate wrong answers

Option A is wrong because AWS::ApiGateway::DomainName only defines the custom domain name and its TLS certificate; it does not automatically create the base path mapping or integrate with the API stage, so additional resources and manual wiring are needed. Option C is wrong because AWS::ApiGateway::BasePathMapping maps a base path to an API stage but does not create the custom domain name itself; it must be used in conjunction with a DomainName resource, increasing complexity. Option D is wrong because AWS::Route53::RecordSet creates a DNS record (e.g., CNAME or A alias) to point a custom domain to the API Gateway endpoint, but it does not configure the API Gateway custom domain name or TLS termination; it is a DNS-only resource and cannot replace the DomainName configuration.

193
Multi-Select · easy

A company is deploying a web application on AWS Elastic Beanstalk. The application uses an Amazon RDS database. The company wants to ensure that database credentials are not exposed in the application code or environment variables. Which TWO methods are secure ways to manage credentials? (Choose TWO.)

Select 2 answers
A. Store credentials in AWS Secrets Manager and retrieve them at runtime.
B. Store credentials in an Amazon S3 bucket with server-side encryption.
C. Hardcode credentials in the application configuration file.
D. Store credentials in AWS Systems Manager Parameter Store with SecureString parameter type.
E. Store credentials as environment variables in the Elastic Beanstalk environment.
Answers: A, D

Secrets Manager is designed for secrets.

Why this answer

Option A and Option C are correct. AWS Secrets Manager and AWS Systems Manager Parameter Store are both secure services for storing secrets. Option B is wrong because environment variables can be exposed.

Option D is wrong because hardcoding is insecure. Option E is wrong because storing in S3 without encryption is insecure.

194
MCQ · hard

A company wants to deploy a microservices application on Amazon ECS. They need to update services with zero downtime and automatic rollback on failure. Which deployment controller should they use?

A. Rolling update (ECS default)
B. External deployment controller
C. Daemon scheduling strategy
D. Blue/green deployment
Answer: A

Supports zero downtime and rollback.

Why this answer

The correct answer is B. ECS supports rolling update (default) which gradually replaces tasks. With minimum healthy percent and maximum percent settings, zero downtime is possible, and rollback can be configured via CloudWatch alarms.

Option A (Blue/green) is available via CodeDeploy, not as a native ECS controller. Option C (External) is for external deployments. Option D (Daemon) runs one task per instance.

195
MCQ · medium

A company uses AWS CodePipeline to deploy a static website to Amazon S3. The pipeline has a source stage from CodeCommit, a build stage using CodeBuild, and a deploy stage that uses S3 deployment action. The website is served via Amazon CloudFront. After a successful pipeline run, the updated files are in S3, but CloudFront still serves old content. What is the MOST efficient solution?

A. Manually create a CloudFront invalidation after each deployment.
B. Reduce the CloudFront distribution's default TTL to 0.
C. Add a post-deploy invalidation step in CodePipeline to create a CloudFront invalidation.
D. Update the S3 bucket policy to allow public read access.
Answer: C

This automates cache invalidation after each deployment, ensuring fresh content.

Why this answer

Option C is correct. The easiest and most efficient way is to add a CloudFront invalidation step in the pipeline to invalidate the cache after the S3 deploy. Option A is wrong because reducing TTL is not immediate and still may serve stale content.

Option B is wrong because updating the S3 bucket policy does not affect CloudFront cache. Option D is wrong because manually invalidating is one-time but not automated for future deployments.

196
MCQ · hard

A developer is using AWS CodeDeploy with a blue/green deployment strategy for an EC2 Auto Scaling group. The deployment must automatically roll back if any of the new instances fail a health check within the first 10 minutes after deployment. Which configuration should the developer set?

A. Set the deployment configuration to 'CodeDeployDefault.EC2AllAtOnce'
B. Configure the deployment group to use an alarm-based rollback with a CloudWatch alarm on the ELB health check
C. Enable automatic rollback in the deployment group configuration and set the event to 'DEPLOYMENT_FAILURE' or 'DEPLOYMENT_STOP_ON_REQUEST'
D. Configure the deployment group with a 'LoadBalancerInfo' and enable 'originalInstanceTermination' for rollback
Answer: B

Alarm-based rollback allows you to define a CloudWatch alarm that triggers a rollback if the new instances are unhealthy. This meets the requirement.

Why this answer

Option B is correct because the requirement is to automatically roll back based on health check failures within a specific time window after deployment. AWS CodeDeploy supports alarm-based rollbacks where you can configure a CloudWatch alarm that monitors the ELB health check status of the new instances. When the alarm triggers within the configured monitoring period (e.g., 10 minutes), CodeDeploy automatically rolls back the deployment to the previous version, meeting the exact condition described.

Exam trap

The trap here is that candidates often confuse deployment configuration settings (like traffic shifting speed) with rollback triggers, or assume that enabling automatic rollback for deployment failures alone will cover post-deployment health check failures, but CodeDeploy requires a separate alarm-based rollback configuration to monitor health after instances are in service.

How to eliminate wrong answers

Option A is wrong because 'CodeDeployDefault.EC2AllAtOnce' is a deployment configuration that controls the traffic shifting speed (all instances at once), not a rollback mechanism based on health checks. Option C is wrong because enabling automatic rollback for 'DEPLOYMENT_FAILURE' or 'DEPLOYMENT_STOP_ON_REQUEST' only triggers rollback on deployment failures or manual stops, not on post-deployment health check failures within a time window. Option D is wrong because 'LoadBalancerInfo' and 'originalInstanceTermination' are used to configure traffic routing and instance termination behavior in blue/green deployments, not to trigger automatic rollbacks based on health checks.

197
MCQ · hard

A company uses AWS CodePipeline to deploy a containerized application to Amazon ECS with Fargate. The pipeline consists of a source stage (Amazon ECR), a build stage (CodeBuild), and a deploy stage (CodeDeploy with ECS Blue/Green). Recently, after a successful build, the deploy stage fails with the error 'Service deployment failed because the task definition is not compatible with the target group.' The task definition uses the 'awsvpc' network mode and specifies a port mapping of 80. The target group is configured to use port 80. What is the MOST likely cause of the failure?

A. The task definition port mapping does not match the target group port.
B. The task definition does not include a logging configuration for CloudWatch Logs.
C. The task definition uses the 'awsvpc' network mode, which is not supported for Blue/Green deployments.
D. The target group health check path is not configured correctly.
Answer: D

Health check failures cause deployment failure.

Why this answer

The error 'Service deployment failed because the task definition is not compatible with the target group' typically occurs when the target group's health check configuration is invalid or unreachable. In an ECS Blue/Green deployment with CodeDeploy, the target group health check path must be configured to return a valid HTTP response from the container; if the path is incorrect (e.g., missing or pointing to a non-existent endpoint), the target group marks instances as unhealthy, causing the deployment to fail even though the port mapping and network mode are correct.

Exam trap

The trap here is that candidates often assume the error is about port mismatches or network mode restrictions, but the real issue is the health check path configuration, which is a subtle but common cause of deployment failures in Blue/Green deployments.

How to eliminate wrong answers

Option A is wrong because the task definition port mapping (80) matches the target group port (80), so there is no mismatch. Option B is wrong because a logging configuration for CloudWatch Logs is optional and not required for task definition compatibility with a target group. Option C is wrong because the 'awsvpc' network mode is fully supported for ECS Blue/Green deployments with CodeDeploy; it is actually required for Fargate tasks.

198
Multi-Select · easy

A developer is using AWS SAM to deploy a serverless application. The developer wants to enable canary deployments for the Lambda function. Which TWO resources must be configured in the SAM template? (Choose TWO.)

Select 2 answers
A. DeploymentPreference property on the AWS::Serverless::Function resource.
B. AutoPublishAlias property on the AWS::Serverless::Function resource.
C. The function's CodeUri property pointing to the deployment package.
D. An event source mapping for the function.
E. The function's alias resource with a routing configuration.
Answers: A, B

This property defines the canary traffic shifting and rollback behavior.

Why this answer

Options A and B are correct. The AutoPublishAlias property enables canary deployments by creating a new version and updating the alias. The DeploymentPreference property specifies the canary configuration.

Option C is incorrect because the alias can be used for canary, but the deployment preference is required. Option D is incorrect because the function's code URI is always needed but not specific to canary. Option E is incorrect because the event source mapping is not related to canary deployment.

199
Multi-Select · medium

Which TWO actions should a developer take to minimize downtime when deploying a new version of a production application running on Amazon ECS with Fargate?

Select 2 answers
A. Delete the existing service and recreate it with the new task definition
B. Configure the ECS service to use a blue/green deployment with CodeDeploy
C. Update the target group health check settings to a more lenient threshold
D. Stop all running tasks and then start new tasks with the updated image
E. Update the ECS service with a new task definition and set minimum healthy percent to 100 and maximum percent to 200
Answers: B, E

Blue/green deployments switch traffic after the new version is ready.

Why this answer

Using a blue/green deployment (A) and updating the ECS service with a new task definition while setting the minimum healthy percent to 100% and maximum percent to 200% (B) both reduce downtime. Option C (delete and recreate) causes downtime. Option D (update target group) is part of blue/green but not a complete action.

Option E (stop all tasks) causes downtime.

200
MCQ · medium

A DevOps engineer is troubleshooting a failed AWS CodeBuild build. The build project uses a custom Docker image stored in Amazon ECR. The build logs show: 'Error: Cannot pull Docker image: repository does not exist or may require 'docker login'.' The engineer has verified that the ECR repository exists and the IAM role used by CodeBuild has the 'ecr:GetDownloadUrlForLayer', 'ecr:BatchGetImage', and 'ecr:GetAuthorizationToken' permissions. What is the MOST likely cause?

A. The ECR repository is in a different AWS account and the IAM role does not have cross-account trust.
B. The CodeBuild project's environment image override is set to the wrong image name.
C. The image tag specified in the buildspec does not exist in the ECR repository.
D. The CodeBuild project is configured with a VPC that does not have a NAT gateway.
Answer: C

If the tag is missing, CodeBuild cannot pull the image, resulting in the 'repository does not exist' error.

Why this answer

Option B is correct: the image tag or digest in the buildspec might be incorrect or might not exist in the repository. Option A (VPC) would cause a network timeout, not a 'repository does not exist' error. Option C (cross-account) would need different permissions.

Option D (image name) is plausible, but the error explicitly says 'repository does not exist', indicating an issue with the repository name or tag.

201
MCQhard

A company is deploying a containerized application on Amazon EKS. The developer wants to automate the deployment process using a CI/CD pipeline that builds a Docker image, pushes it to Amazon ECR, and updates the Kubernetes deployment. Which tool should the developer use to update the Kubernetes deployment?

A.kubectl set image command
B.AWS Systems Manager Automation
C.AWS CloudFormation with a custom resource
D.AWS CodeBuild with a buildspec that runs kubectl commands
AnswerA

Directly updates the deployment image.

Why this answer

Option B is correct because `kubectl set image` can update the image of a deployment. Option A is wrong because AWS CodeBuild can build and push the image but not update the deployment directly. Option C is wrong because AWS CloudFormation is for infrastructure provisioning.

Option D is wrong because AWS Systems Manager is for management, not Kubernetes updates.

202
Multi-Selectmedium

A developer is deploying a web application using AWS Elastic Beanstalk. The application requires a custom platform that is not provided by Elastic Beanstalk. The developer has created a custom platform using the Packer tool and has stored the platform artifacts in an Amazon S3 bucket. Which TWO steps are necessary to use this custom platform in Elastic Beanstalk? (Choose TWO.)

Select 2 answers
A.Define a custom platform version in the Elastic Beanstalk environment's configuration using a platform definition file.
B.Set the environment's platform to 'Custom' and provide the S3 URL of the platform artifacts.
C.Create a Dockerfile in the application source bundle to define the custom platform.
D.Specify the custom platform ARN in the environment's configuration.
E.Upload the Packer template to the Elastic Beanstalk console.
AnswersA, D

This is necessary to register the custom platform.

Why this answer

Options A and D are correct. First, the developer must create a platform version resource in the Elastic Beanstalk environment configuration (option A). Then, the developer must specify the platform ARN in the environment's configuration (option D).

Option B is incorrect because the platform is defined by the platform version, not the environment name. Option C is incorrect because the Packer template is used to build the platform, but the platform version resource points to the artifacts in S3. Option E is incorrect because the custom platform does not require a Dockerfile; it uses a custom AMI or other artifacts.

203
Multi-Selecthard

A developer is using AWS CloudFormation to deploy a stack that includes an Amazon RDS DB instance. The stack creation fails because the DB instance creation takes longer than the CloudFormation timeout. Which THREE steps can the developer take to resolve this issue? (Choose THREE.)

Select 3 answers
A.Use a CloudFormation wait condition or a waiter to pause the stack creation until the DB instance is ready.
B.Change the DB instance class to a smaller size.
C.Reduce the stack creation timeout to trigger a rollback faster.
D.Increase the CloudFormation stack creation timeout.
E.Use a custom resource backed by an AWS Lambda function to create the DB instance and handle the creation asynchronously.
AnswersA, D, E

Waits for the resource to become available.

Why this answer

Options A, C, and E are correct. A: Increasing the timeout gives more time for the resource creation. C: A waiter can poll until the DB instance is available.

E: A custom resource with a Lambda function can handle the creation asynchronously. Option B is wrong because changing the instance class might not speed up creation; it could even take longer. Option D is wrong because reducing the timeout would make it fail sooner.

204
Multi-Selecthard

Which THREE actions are required to set up a blue/green deployment for an Amazon ECS service using AWS CodeDeploy? (Choose three.)

Select 3 answers
A.Create a second ECS service for the green environment.
B.Create an ECS application and deployment group in CodeDeploy.
C.Create a new Application Load Balancer for the green environment.
D.Specify the task definition and container images in the AppSpec file.
E.Configure the ECS service to use the CodeDeploy deployment controller.
AnswersB, D, E

This is required to define the deployment settings.

Why this answer

Option B is correct because CodeDeploy requires an ECS application and deployment group to manage the deployment lifecycle, including traffic shifting and rollback. The deployment group defines the ECS service, target groups, and load balancer listener for routing traffic between blue and green environments.

Exam trap

The trap here is that candidates mistakenly think they need to create a second ECS service or a new ALB for the green environment, but CodeDeploy handles the green infrastructure automatically within the same service and ALB.

205
MCQmedium

A developer needs different configuration values for dev, test, and prod in the same SAM template. Which feature is suitable?

A.Parameters and environment-specific parameter overrides
B.Hardcoded ARNs in every function
C.One AWS root account per environment
D.Disabling stack updates
AnswerA

Correct for the stated requirement.

Why this answer

AWS SAM supports Parameters and environment-specific parameter overrides, allowing you to define a single template and supply different configuration values (e.g., database URLs, API keys) for dev, test, and prod environments at deployment time. This is achieved by passing a JSON or YAML file with the `--parameter-overrides` flag in the `sam deploy` command, or by using the `parameters` section in a `samconfig.toml` file. This approach avoids duplicating templates and keeps infrastructure-as-code DRY and maintainable.

Exam trap

The trap here is that candidates may think hardcoding ARNs or using separate root accounts is simpler, but the exam tests knowledge of AWS-recommended patterns like parameter overrides and multi-account strategies using AWS Organizations, not root accounts.

How to eliminate wrong answers

Option B is wrong because hardcoding ARNs in every function violates the principle of environment isolation and requires manual changes for each environment, increasing the risk of misconfiguration and deployment errors. Option C is wrong because using one AWS root account per environment is an anti-pattern; it introduces unnecessary administrative overhead, security risks, and violates the AWS Well-Architected Framework's recommendation to use separate AWS accounts (not root accounts) for environment isolation. Option D is wrong because disabling stack updates prevents any future changes to the stack, making it impossible to update configuration values or deploy new features, which is impractical for ongoing development and deployment.

206
MCQmedium

A company uses AWS CodeDeploy to deploy a web application to an Auto Scaling group. The deployment fails during the BeforeInstall lifecycle event. What should the developer do to troubleshoot the issue?

A.Check the deployment group configuration.
B.Verify the build output from CodeBuild.
C.Check the appspec.yml file for errors in the BeforeInstall hook.
D.Review the deployment configuration settings.
AnswerC

Lifecycle hooks are defined in appspec.yml.

Why this answer

Option D is correct because the BeforeInstall hook scripts are in the appspec.yml file. Option A is wrong because the deployment group configuration is not the issue. Option B is wrong because the build output is already successful.

Option C is wrong because the deployment configuration settings are not related.

207
MCQhard

A developer is deploying a serverless application using the AWS Serverless Application Model (SAM). The application consists of several Lambda functions and an API Gateway. The developer wants to enable gradual deployment of Lambda function versions with automatic rollback based on CloudWatch alarms. What should the developer add to the SAM template?

A.Use 'AWS::Lambda::Version' and 'AWS::Lambda::Alias' resources to manually shift traffic and set up CloudWatch alarms to revert the alias if needed.
B.Add a 'DeploymentPreference' property with 'Type' set to 'Linear' and specify an 'Alarms' list for rollback.
C.Add 'AutoPublishAlias' and 'DeploymentPreference' properties to the Lambda function resource, specifying a canary deployment with a CloudWatch alarm for rollback.
D.Add a 'CodeDeployLambdaAlias' resource to the template and configure the deployment group with a canary deployment configuration.
AnswerC

SAM natively supports canary deployments using these properties.

Why this answer

Option B is correct because SAM supports canary deployments through the 'AutoPublishAlias' property combined with 'DeploymentPreference' that specifies a canary percent and interval, along with alarms for rollback. Option A is wrong because 'CodeDeployLambdaAlias' is not a SAM resource. Option C is wrong because 'DeploymentPreference' with 'Linear' shifts traffic linearly; the question asks for gradual deployment with automatic rollback, which canary also provides, and canary is more commonly used for gradual deployment.

Option D is wrong because 'Version' and 'Alias' alone do not provide automatic rollback.

208
MCQhard

A developer is deploying a serverless application using AWS SAM. The application consists of multiple Lambda functions and an Amazon API Gateway. The developer wants to enable canary deployments for the API Gateway stage to gradually shift traffic. Which SAM resource attribute should the developer use?

A.DeploymentPreference
B.CanarySetting
C.StageName
D.MethodSettings
AnswerA

The DeploymentPreference attribute in SAM is used to define traffic shifting and canary deployment settings for Lambda and API Gateway.

Why this answer

Option A is correct because the `DeploymentPreference` attribute in AWS SAM's `AWS::Serverless::Api` resource enables canary deployments for API Gateway stages. This attribute allows you to configure traffic shifting patterns, such as linear or canary, by specifying settings like `Type` (e.g., `Canary10Percent5Minutes`) and `Alarms` to automatically roll back on failures. It directly integrates with AWS CodeDeploy to manage the gradual traffic shift without manual intervention.

Exam trap

The trap here is that candidates confuse `CanarySetting` (a direct CloudFormation property for API Gateway stages) with the SAM-specific `DeploymentPreference` attribute, which is the correct abstraction for canary deployments in SAM templates.

How to eliminate wrong answers

Option B is wrong because `CanarySetting` is a property of the API Gateway `Stage` resource in AWS CloudFormation, not a SAM-specific attribute; SAM abstracts this into `DeploymentPreference` for simplicity. Option C is wrong because `StageName` is a property that defines the stage name (e.g., 'prod') but does not control traffic shifting or canary deployments. Option D is wrong because `MethodSettings` configures per-method settings like throttling or caching, not deployment strategies like canary releases.

209
MCQeasy

A developer is deploying a new version of a web application on AWS Elastic Beanstalk. The application currently runs in a single environment with an Auto Scaling group. The developer wants to ensure zero downtime during the deployment and that the new version can be fully tested before receiving any traffic. Which Elastic Beanstalk deployment policy should the developer use?

A.All at once
B.Rolling
C.Rolling with additional batch
D.Immutable
AnswerD

This creates a completely new Auto Scaling group with the new version, allowing full testing, and then swaps CNAME, achieving zero downtime.

Why this answer

Immutable deployment is the correct choice because it launches a completely new Auto Scaling group with the new application version, fully tests it before shifting any traffic, and then swaps the environment's instances in a single atomic action, ensuring zero downtime. This policy meets the requirement for full testing of the new version before it receives traffic, as traffic is only routed to the new instances after they pass health checks.

Exam trap

The trap here is that candidates often confuse 'Rolling with additional batch' with immutable deployments, mistakenly thinking the extra batch allows full testing, but in reality, the new version still receives traffic incrementally during the rolling update.

How to eliminate wrong answers

Option A is wrong because 'All at once' deploys the new version to all instances simultaneously, causing downtime during the deployment process. Option B is wrong because 'Rolling' updates instances in batches, but traffic continues to flow to instances being updated, and the new version is not fully tested before receiving traffic. Option C is wrong because 'Rolling with additional batch' adds a temporary batch of instances to maintain capacity, but the new version still receives traffic incrementally during the deployment, preventing full pre-traffic testing.

210
MCQeasy

A company uses AWS Elastic Beanstalk to deploy a web application. The developer wants to update the environment's configuration, such as instance type and environment variables, without causing downtime. Which deployment policy should the developer use?

A.All at once
B.Blue/green
C.Immutable
D.Rolling
AnswerD

Rolling updates batches of instances.

Why this answer

Option B is correct because rolling updates update instances in batches, avoiding downtime. Option A is wrong because 'All at once' causes downtime. Option C is wrong because immutable updates create a new environment.

Option D is wrong because blue/green deployment is a separate environment swap.

211
MCQeasy

A developer runs the AWS CLI command shown in the exhibit. The deployment is created successfully, but the CodeDeploy agent on the target instances does not download the revision. What is the most likely cause?

A.The bundle type should be 'tar' instead of 'zip'.
B.The bucket name is incorrect.
C.The deployment group name is misspelled.
D.The S3 object version is not specified.
AnswerD

If versioning is enabled, the version ID may be required.

Why this answer

Option B is correct. The command does not specify the 'etag' or 'version' parameter. If the S3 bucket has versioning enabled, the revision might be ambiguous.

Option A is incorrect; the command creates a deployment, which is correct. Option C is incorrect; the bundle type is specified. Option D is incorrect; the bucket name is provided.

212
MCQmedium

A company uses AWS CodeBuild to run tests and build artifacts for a Java application. The build process is taking longer than expected. The developer wants to speed up the build by caching dependencies. What should the developer do?

A.Use a CodeCommit repository to store dependencies.
B.Store dependencies in an S3 bucket and download them in each build.
C.Enable local caching in the CodeBuild project configuration.
D.Mount an Amazon EFS file system to the build environment and store dependencies there.
AnswerC

Local caching speeds up builds by reusing cached dependencies.

Why this answer

Option C is correct because CodeBuild's local caching feature allows the build environment to cache dependencies (e.g., Maven local repository) in a local directory that persists across build runs for the same project. This eliminates the need to re-download dependencies on every build, significantly reducing build time. The cache is stored on the build instance's local storage and is automatically managed by CodeBuild.

Exam trap

The trap here is that candidates often assume external storage (S3 or EFS) is required for caching, but CodeBuild's built-in local caching is specifically designed for this purpose and avoids the latency of network-based storage.

How to eliminate wrong answers

Option A is wrong because CodeCommit is a Git-based source control service, not a dependency cache; storing dependencies there would require manual management and does not integrate with CodeBuild's caching mechanism. Option B is wrong because downloading dependencies from S3 in each build still incurs network latency and download time, negating the performance benefit of caching. Option D is wrong because mounting an EFS file system adds network filesystem overhead and latency, and EFS is designed for shared file storage across multiple instances, not for low-latency build caching within a single build environment.

213
Multi-Selecthard

A company is deploying a critical application using AWS CloudFormation. The stack contains a resource that, if deleted accidentally, would cause data loss. The company wants to protect this resource from being deleted during stack updates or deletions. Which THREE strategies can achieve this? (Choose THREE.)

Select 3 answers
A.Wrap the resource in a nested stack.
B.Enable termination protection on the CloudFormation stack.
C.Set the UpdateReplacePolicy attribute to 'Retain' on the resource.
D.Use a stack policy to deny delete actions on the resource.
E.Set the DeletionPolicy attribute to 'Retain' on the resource.
AnswersB, D, E

Termination protection prevents accidental stack deletion.

Why this answer

Options A, C, and D are correct. DeletionPolicy Retain, TerminationProtection, and StackPolicy can prevent deletion. Option B is wrong because it does not prevent deletion.

Option E is wrong because NestedStacks do not protect individual resources.

214
MCQmedium

A company uses AWS CodeDeploy to deploy a web application to an Auto Scaling group. The deployment fails with the error 'The overall deployment failed because too many individual instances failed deployment, too few healthy instances are available for deployment, or some instances in your deployment group are experiencing problems.' The deployment group has a minimum of 2 instances and a maximum of 4. The deployment configuration is CodeDeployDefault.OneAtATime. What is the most likely cause of the failure?

A.The deployment group's maximum instances is set to 4, which exceeds the number of instances in the Auto Scaling group.
B.The Auto Scaling group has only 2 instances, and one instance fails during deployment, leaving fewer than the required healthy instances.
C.The IAM role attached to the instances does not have sufficient permissions to download the revision from Amazon S3.
D.The revision is not properly zipped or the AppSpec file is missing.
AnswerB

Correct because the deployment configuration requires one instance at a time, and with only 2 instances, a failure reduces healthy count below threshold.

Why this answer

Option A is correct because the deployment configuration specifies one instance at a time, but the Auto Scaling group may have only 2 instances, which is the minimum. If one instance fails, the healthy count drops below the required threshold, causing the deployment to fail. Option B is wrong because the IAM role typically does not cause such errors.

Option C is wrong because the deployment group size is not the issue. Option D is wrong because the revision is uploaded, not the cause.

215
MCQeasy

A developer needs to deploy a new version of a Lambda function that uses environment variables for database credentials. Which AWS service should be used to securely store and retrieve the credentials?

A.Amazon DynamoDB with encryption at rest
B.Amazon S3 with server-side encryption
C.AWS Systems Manager Parameter Store
D.AWS Secrets Manager
AnswerD

Secrets Manager securely stores and rotates credentials.

Why this answer

AWS Secrets Manager is designed to securely store secrets such as database credentials and can automatically rotate them. Option B is correct because it provides encryption and access control. Option A (SSM Parameter Store) can store secrets but lacks automatic rotation.

Option C (S3) is not secure for secrets. Option D (DynamoDB) is not intended for secret storage.

216
MCQeasy

A developer is using AWS Elastic Beanstalk to deploy a web application. The developer needs to update the environment's configuration to use a larger instance type. What is the most efficient way to apply this change with minimal downtime?

A.Update the environment configuration through the Elastic Beanstalk console or CLI, and use a rolling update strategy to apply the change to instances in batches.
B.Perform a blue/green deployment by creating a new environment with the larger instance type, then swap the environment URLs.
C.Modify the Auto Scaling group launch configuration directly to use the larger instance type, then manually terminate each instance.
D.Terminate the current environment and create a new one with the larger instance type.
AnswerA

Rolling updates minimize downtime by updating instances one batch at a time.

Why this answer

Option C is correct because Elastic Beanstalk supports rolling updates and rolling deployments that can update the instance type without downtime by updating instances in batches. Option A is wrong because terminating and recreating causes downtime. Option B is wrong because blue/green deployment requires creating a new environment and swapping URLs, which is more effort.

Option D is wrong because modifying the Auto Scaling group directly is not recommended as Elastic Beanstalk manages the resources; changes may be overwritten.

217
MCQhard

A developer is troubleshooting a deployment failure in AWS CodePipeline. The deploy stage uses the above IAM policy for the service role. The pipeline fails when trying to update the Elastic Beanstalk environment. What is the most likely cause?

A.The policy restricts the UpdateEnvironment action to a specific environment ARN, but the pipeline is updating a different environment.
B.The policy does not allow DescribeEnvironmentResources, which is required for the deployment.
C.The policy denies all actions on the environment, preventing the update.
D.The policy denies DeleteEnvironment, which is required for the update.
AnswerA

The resource ARN must match the environment being updated.

Why this answer

Option C is correct because the policy allows 'UpdateEnvironment' only on a specific environment ARN, but the pipeline may be trying to update a different environment (e.g., if the environment name changed). Option A is wrong because 'DeleteEnvironment' is denied but not used. Option B is wrong because 'DescribeEnvironmentResources' is allowed.

Option D is wrong because 'DeleteEnvironment' denial does not affect updates.

218
MCQeasy

A developer is using AWS CloudFormation to deploy a stack that includes an Amazon S3 bucket with a bucket policy that grants public read access. The stack creation fails with the error 'Access Denied for bucket: bucket-policy does not allow access.' The developer has full administrative permissions in AWS. The developer verifies that the bucket policy is correctly formatted. What is the most likely cause of the failure?

A.The developer does not have permissions to create S3 buckets.
B.The S3 bucket name is already in use by another account.
C.The S3 Block Public Access settings are enabled at the account level, preventing the bucket policy from granting public access.
D.The S3 bucket is encrypted with AWS KMS, and the bucket policy does not include kms:Decrypt permissions.
AnswerC

S3 Block Public Access settings override bucket policies that grant public access.

Why this answer

Option A is correct because S3 bucket policies that grant public access require the S3 Block Public Access settings to be disabled at the account or bucket level. Option B is wrong because the bucket name is not the issue. Option C is wrong because KMS is not involved.

Option D is wrong because the policy is correct.

219
MCQeasy

A developer is deploying a serverless application using the AWS Serverless Application Model (SAM). The application consists of an AWS Lambda function and an Amazon API Gateway REST API. The developer runs 'sam deploy' but the deployment fails with the error: 'Error: Security Constraints Not Satisfied'. The developer checks the IAM policies and confirms that the Lambda function has the necessary permissions. What is the most likely cause?

A.The Lambda function is not configured to run inside a VPC.
B.The SAM template does not specify an S3 bucket for the deployment artifacts.
C.The API Gateway endpoint is configured with 'OPEN' access without any authorization.
D.The Lambda function's memory size is set too high.
AnswerC

SAM requires authorization for APIs.

Why this answer

Option A is correct because SAM enforces security constraints, and if the API is configured with open access (e.g., no authorization), SAM deployment will fail. Option B is wrong because SAM does not require a VPC. Option C is wrong because SAM manages S3 buckets.

Option D is wrong because the error is about security constraints.

220
MCQmedium

Refer to the exhibit. A developer created this CloudFormation template to host a static website. After deployment, the website returns 403 Forbidden errors. What is the most likely cause?

A.The bucket has versioning enabled, which blocks public access.
B.The bucket name is not unique.
C.The bucket policy does not allow public access.
D.The bucket does not have static website hosting enabled.
AnswerD

Static website hosting must be enabled for the bucket to serve content.

Why this answer

Option B is correct because the bucket policy allows GetObject but the bucket does not have 'Static website hosting' enabled. For S3 static website hosting, the bucket must have the static website hosting property configured. Option A is incorrect because the bucket policy allows public access.

Option C is incorrect because the bucket name is valid. Option D is incorrect because versioning does not affect access.

221
Multi-Selecteasy

A developer is deploying a serverless application using the AWS Serverless Application Model (SAM). The application includes an Amazon DynamoDB table and a Lambda function that reads from the table. The developer wants to define the DynamoDB table and the Lambda function in the SAM template. Which THREE resource types should the developer include in the template? (Choose THREE.)

Select 3 answers
A.AWS::DynamoDB::Table
B.AWS::Lambda::Function
C.AWS::Serverless::DynamoDB
D.AWS::Serverless::SimpleTable
E.AWS::Serverless::Function
AnswersA, D, E

Also defines a DynamoDB table, but with more configuration options.

Why this answer

Options A, B, and D are correct. In a SAM template, 'AWS::Serverless::Function' (option A) defines a Lambda function, 'AWS::Serverless::SimpleTable' (option B) defines a DynamoDB table, and 'AWS::DynamoDB::Table' (option D) can also be used for more advanced configurations. Option C, 'AWS::Serverless::DynamoDB', is not a valid SAM resource type (the correct one is 'AWS::Serverless::SimpleTable' or 'AWS::DynamoDB::Table').

Option E, 'AWS::Lambda::Function', is a CloudFormation resource, but SAM templates typically use 'AWS::Serverless::Function' for simplicity, though both are valid. However, since the question asks for SAM template, the recommended approach is to use serverless types.

222
MCQeasy

A startup is deploying a Node.js application using AWS Elastic Beanstalk. They have configured the environment to use a load-balanced, auto-scaled environment with a minimum of 2 instances and a maximum of 4. The application connects to an Amazon RDS MySQL database. After a successful deployment, users report that the application is intermittently returning errors. The developer checks the Elastic Beanstalk logs and finds that the application is timing out when connecting to the database. The developer also notices that the database connection string is hardcoded in the application code. What is the most likely cause of the intermittent errors?

A.The security group for the RDS instance does not allow inbound traffic from the Elastic Beanstalk environment's security group.
B.The RDS instance has reached its maximum number of concurrent connections because the application instances are not using connection pooling.
C.The application code has a bug that causes the database connection to be closed prematurely.
D.The RDS instance is not configured for Multi-AZ deployment, causing failover issues.
AnswerB

Hardcoded connections without pooling can exhaust RDS connections.

Why this answer

Option C is correct because when using a hardcoded connection string, each instance tries to connect using the same credentials, but RDS has a limit on the number of concurrent connections. As instances scale up, they may exceed the limit, causing intermittent timeouts. Option A is wrong because the security group is likely correct.

Option B is wrong because RDS Multi-AZ is for failover, not connection limits. Option D is wrong because the errors are database-related, not application logic.

223
MCQeasy

A developer wants to deploy a static website to AWS. The website consists of HTML, CSS, and JavaScript files. Which combination of services provides the most cost-effective and scalable solution?

A.Amazon S3 and Amazon CloudFront
B.Amazon Lightsail
C.Amazon EC2 and Application Load Balancer
D.AWS Elastic Beanstalk
AnswerA

S3 hosts static files, CloudFront caches globally.

Why this answer

Amazon S3 can host static websites, and CloudFront provides CDN for low latency and scalability. Option A is correct. Option B (EC2) is more expensive and requires management.

Option C (Elastic Beanstalk) is overkill. Option D (Lightsail) is a VPS but not as scalable for static content.

224
MCQmedium

A developer is deploying an application to Amazon ECS using AWS CodeDeploy with a blue/green deployment strategy. After the new task set is created, it fails health checks. The developer wants to immediately route traffic back to the original task set without waiting for CodeDeploy to complete the rollback process. Which action should the developer take?

A.Update the ECS service to set the desired count of the new task set to zero.
B.Use the CodeDeploy console to stop the deployment and then choose to reroute traffic.
C.Delete the new task set.
D.Update the Application Load Balancer listener rule to forward traffic to the original target group.
AnswerB

Correct. CodeDeploy allows you to stop the deployment and reroute traffic to the original task set.

Why this answer

Option B is correct because CodeDeploy's blue/green deployments for ECS include a built-in 'Reroute traffic' option that allows you to immediately redirect traffic back to the original task set when a deployment fails health checks. This action bypasses the normal rollback process, which would wait for the deployment to complete or for the configured rollback triggers to fire, giving the developer instant control over traffic routing.

Exam trap

The trap here is that candidates often assume deleting the new task set or scaling it to zero will automatically restore traffic, but they overlook that the ALB listener rule remains pointed at the new (now empty or deleted) target group, causing a complete outage until the listener is manually updated.

How to eliminate wrong answers

Option A is wrong because setting the desired count of the new task set to zero does not automatically reroute traffic to the original task set; the Application Load Balancer (ALB) listener rules would still point to the new target group, causing a service disruption until the listener is manually updated. Option C is wrong because deleting the new task set does not revert the ALB listener rules, so traffic would continue to be sent to the deleted target group, resulting in 503 errors. Option D is wrong because manually updating the ALB listener rule is an indirect workaround that bypasses CodeDeploy's orchestration and lifecycle hooks, potentially causing state inconsistencies and violating the deployment's intended rollback mechanism.

225
MCQeasy

A development team needs to deploy a containerized web application on AWS. The deployment must be automated, scalable, and minimize manual intervention. Which AWS service should the team use to orchestrate the deployment of containers across a cluster of Amazon EC2 instances?

A.AWS Lambda
B.AWS CloudFormation
C.Amazon ECS
D.Amazon S3
AnswerC

ECS orchestrates containers on EC2 instances.

Why this answer

Option C is correct because Amazon ECS is a fully managed container orchestration service that integrates with EC2 to run containers. Option A is wrong because S3 is object storage. Option B is wrong because Lambda is for serverless functions.

Option D is wrong because CloudFormation is for infrastructure as code.
