CCNA Deployment Questions

75 of 378 questions · Page 4/6 · Deployment · Answers revealed

226
MCQ · hard

A company has a production environment running on AWS. The environment includes an Application Load Balancer (ALB) in front of an Auto Scaling group of EC2 instances. The application is deployed using AWS CodeDeploy with a blue/green deployment strategy. Recently, the deployment started failing because the new instances do not pass the health checks configured on the ALB. The health check path is '/health'. The developer has verified that the application starts correctly and responds to the health check on the new instances when accessed directly via the instance's private IP. However, the health checks from the ALB are failing. The security group for the ALB allows inbound traffic on port 80 from 0.0.0.0/0, and the security group for the EC2 instances allows inbound traffic on port 80 from the ALB's security group. The VPC has both public and private subnets. The Auto Scaling group launches instances in private subnets. The ALB is in public subnets. What is the MOST likely cause of the health check failure?

A. The application is not listening on port 80 on the new instances.
B. The health check path is configured incorrectly in the ALB target group.
C. The ALB is not in the same VPC as the instances.
D. The network ACL on the private subnets is blocking inbound traffic from the ALB's subnets.
Answer: D

Network ACLs are stateless and can block traffic even if security groups allow it.

Why this answer

Option A is correct because the ALB's health checks originate from its own IP addresses, which are in the public subnets. The instance security group must allow traffic from the ALB's security group, which it does. However, the issue might be that the instances have a restrictive network ACL on the private subnets that blocks inbound traffic from the ALB's subnet.

Option B is wrong because the application works when accessed directly. Option C is wrong because the health check path is correct. Option D is wrong because the ALB is in public subnets and can reach private instances via NAT if needed.

227
MCQ · hard

A company is using AWS CodeDeploy to deploy a web application to an Auto Scaling group. The deployment fails with the error message 'The overall deployment failed because too many individual instances failed deployment, too few healthy instances are available, or some instances in your deployment group are experiencing problems.' The developer checks the deployment logs and finds that the ApplicationStop hook failed on some instances. What is the most likely cause of this failure?

A. The ValidateService hook script is failing.
B. The BeforeInstall hook script is incorrectly configured.
C. The Auto Scaling group does not have enough capacity to perform the deployment.
D. The ApplicationStop script is not compatible with the instance operating system or is missing.
Answer: D

Incompatible or missing scripts cause hook failures.

Why this answer

Option A is correct because the ApplicationStop hook fails if the script attempts to stop a process that is not running or the script has a bug. Option B is wrong because the BeforeInstall hook runs after ApplicationStop. Option C is wrong because the ValidateService hook runs after deployment.

Option D is wrong because insufficient capacity would cause a different error.

228
MCQ · easy

A developer is using AWS CodeBuild to compile and test code. The build phase fails with the error: 'BUILD_FAILED: Error: No such file or directory.' What is the most likely cause?

A. The build environment has a network timeout when accessing external dependencies.
B. The buildspec.yml file references a file or directory that does not exist in the source code.
C. The IAM role for CodeBuild does not have permissions to access the source repository.
D. The build environment does not have the required environment variables set.
Answer: B

The error 'No such file or directory' indicates the build process cannot find a specified file.

Why this answer

Option C is correct because the error indicates that a file referenced in the buildspec.yml does not exist, often due to an incorrect path. Options A and B are incorrect: missing environment variables cause different errors, and insufficient permissions cause access denied errors. Option D is incorrect because network timeout errors are not related to file not found.

229
MCQ · easy

A developer is deploying a static website to Amazon S3. The developer wants to enable versioning to easily roll back to a previous version if the new deployment has issues. After enabling versioning on the bucket, the developer uploads the new files. How can the developer roll back to the previous version?

A. Copy the previous version of the object to the same key, making it the current version.
B. Delete the current version of the object from the bucket.
C. Use the S3 console 'Restore' action on the bucket.
D. Enable 'Show versions' and then select the previous version to make it current.
Answer: A

This replaces the current version with the previous one.

Why this answer

Option B is correct because with versioning enabled, you can restore a previous version by copying it to the same key, making it the current version. Option A is wrong because deleting the current version does not restore the previous one. Option C is wrong because there is no 'Restore' action like in RDS.

Option D is wrong because you cannot simply 'enable' a previous version; you must copy it.

230
MCQ · easy

A developer is using AWS CodeDeploy to deploy an application to an Amazon ECS service using the Fargate launch type. The developer wants to ensure that the deployment rolls back automatically if the new task set fails health checks. Which configuration should the developer set?

A. Set the deployment type to in-place.
B. Enable rollback in the deployment group settings.
C. Set the deployment configuration to CodeDeployDefault.OneAtATime.
D. Configure CloudWatch alarms to trigger a rollback.
Answer: B

Correct. Configuring the deployment group to roll back on health check failures triggers an automatic rollback when the new task set fails health checks.

Why this answer

Option B is correct because enabling rollback in the deployment group settings allows CodeDeploy to automatically revert the deployment to the previous working task set if the new task set fails health checks. This is a native feature of CodeDeploy that monitors the health of the ECS service and triggers a rollback without manual intervention.

Exam trap

The trap here is that candidates often confuse CloudWatch alarms as the only way to trigger a rollback, but CodeDeploy's built-in rollback feature directly responds to health check failures without needing an alarm.

How to eliminate wrong answers

Option A is wrong because in-place deployments are not supported for Amazon ECS with the Fargate launch type; ECS deployments using CodeDeploy must use blue/green deployments. Option C is wrong because CodeDeployDefault.OneAtATime is a deployment configuration for Lambda or EC2/On-Premises, not for ECS; ECS deployments use a different set of configurations like CodeDeployDefault.ECSAllAtOnce. Option D is wrong because CloudWatch alarms can be configured to trigger a rollback, but they are an additional optional feature, not the primary mechanism to ensure automatic rollback on health check failure; the core requirement is enabling rollback in the deployment group settings.

231
Multi-Select · easy

A developer is using AWS Elastic Beanstalk to deploy a Python web application. The developer wants to run database migrations before the application starts. Which TWO methods can the developer use to achieve this? (Choose TWO.)

Select 2 answers
A. Use an AWS Lambda function that triggers on deployment.
B. Use an .ebextensions configuration file with container_commands.
C. Add a pre-deployment hook to the application source code.
D. Use a Procfile to define a web process that runs migrations before starting the application.
E. Add a cron.yaml file to schedule the migration.
Answers: B, D

container_commands run during deployment before the application starts.

Why this answer

Options B and D are correct. Option B: .ebextensions with container_commands can run commands during deployment. Option D: A Procfile can define a command that runs migrations as part of the web process.

Option A is wrong because cron.yaml is for scheduled tasks. Option C is wrong because an AWS Lambda function is not automatically integrated. Option E is wrong because it is not a standard Elastic Beanstalk mechanism.

232
MCQ · hard

A developer is using AWS CodePipeline with a two-stage pipeline: Source (CodeCommit) and Deploy (Elastic Beanstalk). The developer wants to add a test stage that runs unit tests using AWS CodeBuild. The test stage should run only when a specific branch (development) is pushed. Which approach should the developer use?

A. Create a separate pipeline for the development branch and configure it with the test stage.
B. Add a test stage in the pipeline and configure a 'branch' filter on the source action to only trigger for the development branch.
C. Add a test stage in the pipeline and configure a 'branch' condition on the test action using a Lambda function.
D. Add a test stage in the pipeline and use a 'Manual approval' action that requires a human to verify the branch.
Answer: B

This is the recommended approach. The source action's 'Branch' field can be set to 'development', so the pipeline only executes when changes are pushed to that branch. The test stage will then run as part of that execution.

Why this answer

Option B is correct because AWS CodePipeline allows you to configure a 'branch' filter directly on the source action (CodeCommit) to restrict which branch triggers the pipeline execution. By adding a test stage with a CodeBuild action and setting the source action's 'Branch' filter to 'development', the pipeline will only run the test stage when changes are pushed to that specific branch. This is the simplest and most native approach, requiring no additional compute or manual intervention.

Exam trap

The trap here is that candidates often overcomplicate the solution by considering Lambda functions or separate pipelines, when AWS CodePipeline natively supports branch filtering directly on the source action, which is the simplest and most correct approach.

How to eliminate wrong answers

Option A is wrong because creating a separate pipeline for the development branch duplicates infrastructure and management overhead, whereas a single pipeline with a branch filter achieves the same goal more efficiently. Option C is wrong because using a Lambda function to check the branch condition on the test action is unnecessarily complex and not a native feature of CodePipeline; branch filtering is designed to be configured at the source stage, not on individual actions. Option D is wrong because a manual approval action does not automatically restrict execution to a specific branch; it only pauses the pipeline for human verification, which is not a branch-based trigger and adds unnecessary delay.

233
MCQ · easy

A developer wants to deploy a new version of an application to an EC2 Auto Scaling group using AWS CodeDeploy. The developer wants to minimize downtime and ensure that if the deployment fails, it automatically rolls back to the previous version. Which deployment type should the developer choose?

A. In-place
B. Blue/green
C. Canary
D. Linear
Answer: B

Blue/green deployments minimize downtime by routing traffic to a new set of instances and allow easy rollback by reverting traffic.

Why this answer

Blue/green deployment is the correct choice because it creates a separate, new Auto Scaling group (green) alongside the existing one (blue), allowing traffic to be shifted to the new environment after validation. This minimizes downtime by keeping the old environment fully operational during the deployment, and CodeDeploy can automatically roll back by redirecting traffic to the blue environment if the deployment fails.

Exam trap

The trap here is that candidates often confuse deployment types across compute platforms, mistakenly applying canary or linear (which are valid for Lambda/ECS) to EC2 Auto Scaling groups, where only in-place or blue/green are supported by CodeDeploy.

How to eliminate wrong answers

Option A is wrong because in-place deployment updates instances in the existing Auto Scaling group one at a time, which can cause partial downtime and does not support automatic rollback to a previous version without manual intervention or a separate rollback configuration. Option C is wrong because canary is a traffic-shifting pattern used in AWS CodeDeploy for Lambda or ECS deployments, not for EC2 Auto Scaling groups, and it does not inherently provide automatic rollback. Option D is wrong because linear is also a traffic-shifting pattern for Lambda or ECS, not applicable to EC2 Auto Scaling groups, and it lacks built-in automatic rollback behavior.

234
MCQ · easy

A company uses AWS Elastic Beanstalk to deploy a Python web application. After a recent deployment, the environment health turns 'Severe' and the application becomes unresponsive. The developer checks the logs and finds multiple '502 Bad Gateway' errors from the nginx proxy. The application was working before the deployment. What is the MOST likely cause?

A. The new application code has a bug that causes the application to crash.
B. The Procfile is missing from the application source.
C. The environment's load balancer is not configured correctly.
D. The environment variables are not set correctly.
Answer: A

Crashing application causes nginx to return 502.

Why this answer

A 502 Bad Gateway error from nginx means the reverse proxy cannot communicate with the application backend. Since the application was working before the deployment and became unresponsive immediately after, the most likely cause is a bug in the new code that causes the application process to crash or hang. Elastic Beanstalk's nginx proxy expects a healthy response from the application on the designated port; if the application fails to start or crashes repeatedly, nginx returns 502 errors.

Exam trap

The trap here is that candidates often confuse a 502 error with a load balancer misconfiguration or environment variable issue, but the key clue is that the problem started immediately after a code deployment, pointing directly to a bug in the new application code.

How to eliminate wrong answers

Option B is wrong because a missing Procfile would cause the environment to fail at the platform initialization stage, not produce intermittent 502 errors after a successful deployment. Option C is wrong because the load balancer configuration did not change between deployments; if it were misconfigured, the application would have been unhealthy before the deployment as well. Option D is wrong because environment variables are managed separately from the application source code and are not typically altered during a code deployment; incorrect variables would likely cause application logic errors, not a complete crash leading to 502 responses.

235
MCQ · hard

A company is using AWS CodeDeploy with an in-place deployment to an Auto Scaling group. The deployment fails with the error 'Deployment failed because the deployment group does not have enough instances to deploy to'. The Auto Scaling group has a minimum size of 2, maximum size of 5, and desired capacity of 2. The deployment configuration is CodeDeployDefault.AllAtOnce. What is the most likely cause?

A. The Auto Scaling group needs to have at least 3 instances to use AllAtOnce.
B. The deployment configuration is not compatible with Auto Scaling groups.
C. The instances in the Auto Scaling group are not passing health checks.
D. The deployment group has only 2 instances, and the deployment failed on one instance, causing the minimum healthy hosts threshold to be violated.
Answer: D

With AllAtOnce, all instances are deployed simultaneously; if one fails, the deployment fails because the minimum healthy hosts is not met.

Why this answer

The error 'Deployment failed because the deployment group does not have enough instances to deploy to' occurs when the number of healthy instances in the deployment group falls below the minimum required by the deployment configuration. With CodeDeployDefault.AllAtOnce, the minimum healthy hosts threshold is 0, but the deployment still requires at least one healthy instance to succeed. In this scenario, the Auto Scaling group has a desired capacity of 2, and if one instance fails during deployment, the remaining healthy instance count drops to 1, which violates the implicit requirement that the deployment must complete on all instances without exceeding the failure threshold.

The error message is misleading but points to the fact that the deployment failed on one instance, leaving the group with insufficient healthy hosts to meet the deployment's success criteria.

Exam trap

The trap here is that candidates misinterpret the error message 'does not have enough instances' as a sizing or configuration issue, when it actually indicates that the deployment failed on one or more instances, reducing the healthy instance count below what is needed to complete the deployment.

How to eliminate wrong answers

Option A is wrong because CodeDeployDefault.AllAtOnce does not require a minimum of 3 instances; it deploys to all instances simultaneously and the minimum healthy hosts threshold is 0, meaning it can work with any number of instances as long as at least one remains healthy. Option B is wrong because CodeDeployDefault.AllAtOnce is fully compatible with Auto Scaling groups; in-place deployments to Auto Scaling groups are a standard use case for CodeDeploy. Option C is wrong because the error message specifically indicates a lack of instances to deploy to, not a health check failure; while health check failures could cause instances to be terminated, the error here is about the deployment group size, not instance health status.

236
MCQ · medium

A developer is using AWS CodeBuild to build a Java application. The build succeeds locally but fails in CodeBuild with the error 'BUILD FAILED: Unable to find a Java installation.' The buildspec.yml file includes a 'runtime-versions' section specifying Java 11. The CodeBuild project uses the 'aws/codebuild/amazonlinux2-x86_64-standard:4.0' image. What is the MOST likely cause of the failure?

A. The runtime-versions section in buildspec.yml is not correctly formatted.
B. The CodeBuild project does not have sufficient permissions to download Java.
C. The buildspec.yml file is not in the root of the source directory.
D. The build commands reference a non-existent Maven dependency.
Answer: A

Incorrect formatting can cause Java not to be installed.

Why this answer

The error 'Unable to find a Java installation' indicates that the CodeBuild environment does not have Java available at runtime. When using a standard managed image like 'aws/codebuild/amazonlinux2-x86_64-standard:4.0', Java must be explicitly declared in the 'runtime-versions' section of buildspec.yml. The most likely cause is that the 'runtime-versions' section is incorrectly formatted (e.g., using 'java: 11' instead of the correct 'java: corretto11'), causing CodeBuild to skip installing Java.

Exam trap

The trap here is that candidates assume 'java: 11' is a valid runtime identifier, but CodeBuild requires the exact runtime name (e.g., 'corretto11' or 'openjdk11'), and a formatting error in runtime-versions leads to a missing Java installation rather than a syntax error.

How to eliminate wrong answers

Option B is wrong because CodeBuild managed images already include the necessary package repositories and permissions to download and install runtimes specified in 'runtime-versions'; insufficient permissions would cause a different error (e.g., access denied to S3 artifacts). Option C is wrong because if the buildspec.yml were not in the root directory, CodeBuild would fail with a 'buildspec.yml not found' error, not a Java installation error. Option D is wrong because a non-existent Maven dependency would produce a Maven build error (e.g., 'Could not resolve dependency'), not a missing Java installation error.

237
MCQ · hard

A DevOps engineer is designing a CI/CD pipeline for a microservices application. The team wants to deploy updates to the production environment gradually and automatically roll back if health checks fail. Which AWS service and deployment configuration should the engineer use?

A. Use AWS CloudFormation with a blue/green deployment and a CloudWatch alarm to trigger rollback.
B. Use AWS Elastic Beanstalk with a rolling update and a CloudWatch alarm to trigger rollback.
C. Use AWS CodeDeploy with a canary deployment and a CloudWatch alarm to trigger automatic rollback.
D. Use AWS CodePipeline with a manual approval step and a CloudWatch alarm to trigger rollback.
Answer: C

CodeDeploy canary shifts traffic in increments and automatically rolls back if the alarm triggers.

Why this answer

Option B is correct because AWS CodeDeploy with a canary deployment allows gradual traffic shifting and automatic rollback on CloudWatch alarm failure. Option A is incorrect because CloudFormation with a blue/green deployment requires manual rollback. Option C is incorrect because Elastic Beanstalk with rolling updates does not support canary-based traffic shifting.

Option D is incorrect because CodePipeline alone does not handle deployment strategies or health check-based rollbacks.

238
MCQ · hard

A developer is using AWS CodeDeploy to deploy an application to an EC2 Auto Scaling group. The developer wants the deployment to automatically roll back if any of the new instances fail a health check within the first 10 minutes after deployment. Which configuration should the developer set in the CodeDeploy deployment group?

A. Configure a CloudWatch alarm and enable alarm-based automatic rollback in the AutoRollbackConfiguration.
B. Set the DeploymentStyle to 'BLUE_GREEN' and configure the 'LoadBalancerInfo' with the target group.
C. Create a lifecycle hook for the Auto Scaling group to trigger a rollback script.
D. Set a TriggerConfiguration in the deployment group to send notifications on deployment failure.
Answer: A

The AutoRollbackConfiguration in the deployment group allows you to specify events that trigger an automatic rollback, including alarm (CloudWatch alarm). The developer can set an alarm that monitors health check metrics and configure the deployment group to roll back if that alarm is in the ALARM state.

Why this answer

Option A is correct because CodeDeploy's AutoRollbackConfiguration allows you to specify CloudWatch alarms as triggers for automatic rollback. By creating a CloudWatch alarm that monitors the EC2 Auto Scaling group's health check failures and setting the alarm's evaluation period to 10 minutes, the deployment will automatically roll back if any new instance fails a health check within that window. This directly meets the requirement without custom scripting or manual intervention.

Exam trap

The trap here is that candidates confuse event-based notifications (TriggerConfiguration) with automated rollback actions (AutoRollbackConfiguration), or mistakenly think lifecycle hooks or deployment style settings inherently provide health-check-based rollback.

How to eliminate wrong answers

Option B is wrong because setting DeploymentStyle to 'BLUE_GREEN' and configuring LoadBalancerInfo with a target group only defines the deployment strategy and traffic routing; it does not enable automatic rollback based on health check failures. Option C is wrong because Auto Scaling lifecycle hooks are designed to pause instance launch or termination to run custom actions (e.g., install software), not to trigger rollback logic in CodeDeploy; they cannot directly initiate a deployment rollback. Option D is wrong because TriggerConfiguration in a deployment group is used to send Amazon SNS notifications on deployment events (e.g., success, failure), not to automatically roll back a deployment based on health checks.

239
Multi-Select · medium

A company is using AWS CloudFormation to deploy and manage infrastructure. The developer wants to implement a CI/CD pipeline that automatically deploys CloudFormation stacks. The pipeline should be able to create, update, and delete stacks. Which THREE AWS services should the developer use together?

Select 3 answers
A. AWS CodeBuild
B. AWS CodeDeploy
C. AWS Lambda
D. AWS CloudFormation
E. AWS CodePipeline
Answers: A, D, E

Can run validation and packaging.

Why this answer

Options A, B, and E are correct because CodePipeline orchestrates the pipeline, CodeBuild can run scripts or validate templates, and CloudFormation performs the stack operations. Option C is wrong because CodeDeploy is for application deployment, not CloudFormation. Option D is wrong because Lambda can be used but is not required.

240
MCQ · easy

A developer is using AWS CodeDeploy to deploy a revision to an EC2/On-Premises deployment group. The deployment fails because the specified deployment configuration requires a minimum of 1 healthy host, but the deployment group has 0 instances. What is the most likely cause?

A. The deployment group is not associated with any Auto Scaling group.
B. The deployment configuration requires too many healthy hosts.
C. The CodeDeploy agent is not installed on the instances.
D. The deployment group does not have any Amazon EC2 instances registered.
Answer: D

No instances means no healthy hosts.

Why this answer

Option A is correct because if the deployment group has no instances, there are no healthy hosts to meet the minimum. Option B is wrong because the deployment group can exist without instances, but deployment will fail. Option C is wrong because the deployment configuration settings are correct.

Option D is wrong because CodeDeploy agent not running would cause instance failure, not group failure.

241
MCQ · medium

A developer is deploying a containerized application to Amazon ECS with the Fargate launch type using AWS CodeDeploy for blue/green deployments. The application is behind an Application Load Balancer (ALB). What is the minimum number of ALB target groups required for a blue/green deployment?

A. 1
B. 2
C. 3
D. 4
Answer: B

Two target groups are needed—one for the running task set and one for the new task set. CodeDeploy shifts traffic between them.

Why this answer

In a blue/green deployment with Amazon ECS (Fargate) and AWS CodeDeploy, the deployment process requires two distinct target groups: one for the 'blue' (current) environment and one for the 'green' (new) environment. CodeDeploy shifts traffic from the blue target group to the green target group during the deployment, allowing for instant rollback by switching back. A single target group cannot differentiate between the two environments, and three or more are unnecessary because the blue/green model only needs two active target groups at any time.

Exam trap

The trap here is that candidates often assume a single target group is sufficient because they think of the ALB as handling traffic routing on its own, but they miss that blue/green deployments require two separate target groups to isolate the old and new environments for traffic shifting and rollback.

How to eliminate wrong answers

Option A is wrong because a single target group cannot support blue/green deployments; it would force an in-place update, which defeats the purpose of having separate environments for traffic shifting and rollback. Option C is wrong because three target groups are not required; the blue/green model only needs one for the current version and one for the new version, with no third group needed for routing or testing. Option D is wrong because four target groups are excessive and would add unnecessary complexity; the standard blue/green deployment with ECS and CodeDeploy uses exactly two target groups.

242
MCQ · medium

A company uses AWS CodePipeline with a source stage from Amazon S3. The pipeline triggers on changes to the S3 bucket. However, the pipeline does not trigger when a new object is uploaded. What is the MOST likely cause?

A. The S3 bucket policy denies access to CodePipeline.
B. The S3 bucket does not have an event notification configured for the pipeline.
C. The pipeline is not configured with a webhook.
D. The object is encrypted and CodePipeline cannot read it.
Answer: B

Event notifications are needed to trigger the pipeline.

Why this answer

Option A is correct because S3 event notifications must be configured to invoke the pipeline. Option B is wrong because the bucket policy is not related. Option C is wrong because the pipeline is not triggered by S3 events directly.

Option D is wrong because encryption does not affect triggering.

243
MCQ · easy

A developer is deploying an application using AWS Elastic Beanstalk. The application requires a custom Amazon Machine Image (AMI) that includes specific software packages not available in the standard Elastic Beanstalk platform. Which approach should the developer use to ensure the custom AMI is used for all EC2 instances in the environment?

A. Create a custom platform using the Packer tool and specify it in the environment configuration.
B. Use the Elastic Beanstalk console to change the AMI ID in the environment configuration after creation.
C. Modify the .ebextensions configuration file to specify the custom AMI ID.
D. Launch a new environment with a different platform version that includes the required software.
Answer: A

This is the correct method to use a custom AMI in Elastic Beanstalk by defining a custom platform.

Why this answer

Option A is correct because AWS Elastic Beanstalk allows you to create a custom platform using Packer, which can include a custom AMI with specific software packages. You then specify this custom platform in the environment configuration, ensuring all EC2 instances in the environment use that AMI. This approach is the only supported method for using a custom AMI that is not part of the standard Elastic Beanstalk platform.

Exam trap

The trap here is that candidates often think .ebextensions can override the AMI, but .ebextensions only configures the instance after launch, not the base image itself.

How to eliminate wrong answers

Option B is wrong because you cannot change the AMI ID in the Elastic Beanstalk console after environment creation; the AMI is tied to the platform version and cannot be directly modified. Option C is wrong because .ebextensions configuration files cannot specify a custom AMI ID; they are used for additional configuration like packages, files, and services, not for overriding the base AMI. Option D is wrong because launching a new environment with a different platform version that includes the required software is not feasible if the software is not available in any standard platform; custom platforms are required for such cases.

244
Multi-Select · medium

A company is deploying a critical application using AWS CodeDeploy. To minimize downtime, they want to perform a blue/green deployment. Which TWO strategies should they implement?

Select 2 answers
A. Create an Elastic Load Balancer to route traffic between the blue and green environments.
B. Use an Amazon Route 53 weighted routing policy to gradually shift traffic.
C. Configure an AWS Lambda function to perform A/B testing during deployment.
D. Use an Amazon CloudFront distribution with multiple origins.
E. Ensure the new instances are registered with the target group before switching traffic.
Answers: A, E

ELB is required for traffic shifting.

Why this answer

Option A (use an Elastic Load Balancer) is correct because blue/green deployments require traffic switching between environments. Option E (register instances with the ELB) is correct because the new instance group must be registered to receive traffic. Option D is wrong because a 'swap' is not a standard approach.

Option B is wrong because DNS changes are not typically used with CodeDeploy. Option C is wrong because CodeDeploy does not support A/B testing natively.

245
MCQ · easy

A company uses AWS CodePipeline to automate releases. The pipeline includes a source stage from CodeCommit, a build stage with CodeBuild, and a deploy stage with CodeDeploy. The build stage fails intermittently due to insufficient memory. What should the developer do to resolve this?

A. Increase the compute type of the CodeBuild project.
B. Change the deployment configuration to CodeDeploy.Default.AllAtOnce.
C. Switch the source to an S3 bucket.
D. Modify the buildspec.yml to use less memory.
Answer: A

Larger compute type provides more memory.

Why this answer

The correct answer is A. CodeBuild allows you to increase the compute type to provide more memory. Option D (change buildspec) does not change memory.

Option C (change source) is irrelevant. Option B (change deployment config) is for the deploy stage.

246
MCQ · easy

A company is deploying a containerized application on Amazon ECS using the Fargate launch type. The deployment must ensure zero downtime. Which ECS deployment configuration should be used?

A. Rolling update with a minimum healthy percent of 50% and maximum percent of 200%
B. Set the task placement strategy to REPLICA
C. Use the DAEMON scheduling strategy with a deployment circuit breaker
D. Blue/green deployment using AWS CodeDeploy
Answer: D

Blue/green deployment with CodeDeploy allows you to test new version before shifting traffic, ensuring zero downtime.

Why this answer

Option D is correct. Blue/green deployment with CodeDeploy allows you to shift traffic gradually and automatically roll back if issues arise, ensuring zero downtime. Option A is wrong because a rolling update can cause downtime if not configured properly. A rolling update can also achieve zero downtime if you have enough capacity, but the question asks for the configuration that ensures zero downtime, and blue/green is more reliable.

Option C is wrong because the 'DAEMON' scheduling strategy is for running one task per instance, not for zero-downtime deployment. Option B is wrong because 'REPLICA' is a task placement strategy, not a deployment type.

247
MCQ · easy

A developer is deploying a serverless application using the AWS Serverless Application Model (SAM). The developer wants to ensure that the Lambda function's environment variables are encrypted at rest. What is the most straightforward way to achieve this?

A. No action needed; SAM automatically encrypts environment variables at rest using a default KMS key.
B. Enable encryption in the SAM template using the 'Encrypt' property.
C. Modify the Lambda function's code to encrypt environment variables before deployment.
D. Create a customer managed KMS key and specify it in the SAM template.
Answer: A

SAM uses AWS managed keys to encrypt environment variables by default.

Why this answer

Option A is correct because SAM automatically enables encryption at rest for environment variables using AWS KMS. Option B is wrong because the encryption is done by default. Option D is wrong because manual KMS key creation is not required for default encryption.

Option C is wrong because the serverless function handler does not affect encryption.

248
MCQ · medium

A company uses AWS CodePipeline to deploy a static website to Amazon S3. The pipeline has a build stage that compiles the website and a deploy stage that syncs the build output to an S3 bucket. After a recent change, the pipeline succeeds but the website does not show the updated content. What is the most likely cause?

A. Amazon CloudFront is caching the old content and needs an invalidation.
B. The build output is empty because the build failed silently.
C. The deploy action is configured to skip if the source content has not changed.
D. The S3 bucket policy does not allow public read access.
Answer: A

CloudFront caches content; invalidation forces update.

Why this answer

Option A is correct because S3 static websites often use CloudFront for caching; an invalidation is needed after updates. Option D is wrong because if the bucket policy blocked uploads, the deploy stage would fail. Option B is wrong because if the build output was empty, the deploy would still sync (maybe nothing changes).

Option C is wrong because CodePipeline would have failed if the deploy action failed.

249
MCQ · hard

A developer is deploying a serverless application using AWS SAM. The developer wants to run integration tests against the deployed API Gateway endpoints before promoting the deployment to production. The developer uses AWS CodePipeline with a canary deployment strategy. How can the developer implement testing in the pipeline?

A. Use AWS CloudFormation stack outputs to get the endpoint URL and manually test.
B. Add a Lambda function as a test action in CodePipeline that runs after the deploy stage and before the final promote.
C. Use API Gateway stage variables to route a percentage of traffic to the new version and monitor.
D. Configure CodeBuild to run tests after deployment.
Answer: B

Lambda can run integration tests against the canary.

Why this answer

Option B is correct because CodePipeline can invoke a Lambda function as a test action after the canary deployment. This allows running tests against the canary before full rollout. Option A is wrong because it requires a manual step.

Option D is wrong because CodeBuild is for build, not test after deployment. Option C is wrong because API Gateway stage variables are not designed for canary testing in this context.

250
MCQ · medium

A company uses AWS CodePipeline to automate deployments. The pipeline has a source stage that pulls from Amazon S3, a build stage using AWS CodeBuild, and a deploy stage using AWS CloudFormation. The deploy stage often fails because CloudFormation change sets are not being created. What is the most likely cause?

A. The CodeBuild project is not producing the expected output artifacts.
B. The CloudFormation deploy action is configured to use the 'CREATE_AND_EXECUTE' change set mode, but the stack does not exist yet.
C. The CloudFormation service role is missing.
D. The source stage is not configured to detect changes in the S3 bucket.
Answer: B

If the stack does not exist, the action should be configured to create a stack directly.

Why this answer

Option B is correct because when a CloudFormation deploy action in CodePipeline is configured with the 'CREATE_AND_EXECUTE' change set mode, it requires the stack to already exist. If the stack does not exist, CloudFormation cannot create a change set (since change sets compare changes against an existing stack), causing the deploy stage to fail. This is a common misconfiguration when deploying a new stack for the first time via CodePipeline.

Exam trap

The trap here is that candidates often assume 'CREATE_AND_EXECUTE' works for both new and existing stacks, but it only works for existing stacks because change sets require a current stack to diff against.

How to eliminate wrong answers

Option A is wrong because if the CodeBuild project were not producing expected output artifacts, the pipeline would likely fail at the build stage or the deploy stage would fail due to missing input artifacts, not specifically because change sets are not being created. Option C is wrong because a missing CloudFormation service role would cause a different error (e.g., 'Access Denied' or 'Unable to assume role') when CloudFormation attempts to perform stack operations, not a failure specific to change set creation. Option D is wrong because the source stage not detecting changes would mean the pipeline does not trigger at all, but the question states the deploy stage fails during execution, implying the pipeline has already triggered and progressed to the deploy stage.

251
MCQ · medium

A developer is deploying a Lambda function that processes images uploaded to an S3 bucket. The function is triggered by S3 events. After deployment, the function does not execute when new images are uploaded. What is the MOST likely cause?

A. The S3 bucket does not have an event notification configured for the Lambda function.
B. The Lambda function memory is set too low.
C. The Lambda function does not have permission to read from the S3 bucket.
D. The Lambda function is not in the same region as the S3 bucket.
Answer: A

Notification is needed to trigger Lambda.

Why this answer

The most likely cause is that the S3 bucket does not have an event notification configured to invoke the Lambda function. S3 event notifications must be explicitly set on the bucket to trigger a Lambda function when objects are created; without this configuration, S3 will not send any invocation request to Lambda, regardless of the function's permissions or settings.

Exam trap

The trap here is that candidates often confuse the trigger configuration (S3 event notification) with the function's permissions (IAM execution role), assuming that if the function has read access to S3, it will automatically be triggered, when in fact the event notification is a separate, mandatory setup step.

How to eliminate wrong answers

Option B is wrong because low memory affects execution performance (e.g., duration, CPU allocation) but does not prevent the function from being triggered; the trigger mechanism is independent of memory settings. Option C is wrong because the Lambda function does not need permission to read from the S3 bucket to be triggered; the S3 event notification invokes the function via a resource-based policy, and the function only needs read permissions if it explicitly calls S3 GetObject in its code. Option D is wrong because S3 event notifications can invoke Lambda functions across regions; cross-region triggers are supported as long as the Lambda function's resource-based policy allows the S3 bucket's account to invoke it.

252
Multi-Select · hard

A CloudFormation stack update fails and rolls back. Which two practices help diagnose and reduce future deployment risk?

Select 2 answers
A. Review stack events and resource status reasons
B. Delete the stack immediately without checking events
C. Create and inspect change sets before high-risk updates
D. Disable rollback for all production deployments permanently
Answers: A, C

Correct for the stated requirement.

Why this answer

Option A is correct because reviewing stack events and resource status reasons in CloudFormation provides detailed error messages for each resource that failed during the update. This allows you to pinpoint the exact cause of the failure, such as insufficient IAM permissions, a resource limit exceeded, or a dependency conflict. Analyzing these events is essential for diagnosing issues and preventing similar failures in future deployments.

Exam trap

The trap here is that candidates may think disabling rollback is a valid troubleshooting step for production, but the exam emphasizes that rollback is a safety feature that should not be permanently disabled, as it prevents partial updates that could leave infrastructure in an inconsistent state.

253
MCQ · easy

A developer is using AWS CodeDeploy to deploy an application to an EC2 instance. The deployment fails with the error 'The overall deployment failed because the deployment group did not have enough instances to successfully deploy.' What is the most likely cause?

A. The revision has an incorrect file format.
B. The deployment group contains zero instances.
C. The CodeDeploy agent on the instance is not running.
D. The appspec file contains an invalid lifecycle hook.
Answer: B

CodeDeploy requires at least one instance in the group.

Why this answer

Option B is correct because the deployment group must have at least one instance. Option C is wrong because CodeDeploy agent issues cause instance-level failures. Option D is wrong because action failures cause different errors.

Option A is wrong because revision errors cause different errors.

254
MCQ · medium

A company deploys a serverless application using AWS SAM. The application includes an API Gateway REST API and multiple Lambda functions. The developer wants to deploy a new version of the API with a canary release strategy, sending 10% of traffic to the new version initially. Which SAM template configuration should the developer use?

A. Set Type: Canary in the DeploymentPreference of the Lambda function and add CanarySetting: { Percent: 10 } under DeploymentPreference.
B. Set CanarySetting: { Percent: 10 } in the API Gateway resource's properties.
C. Set Type: Canary and TrafficShiftType: Canary in the DeploymentPreference of the Lambda function.
D. Set Type: Canary in the DeploymentPreference of the Lambda function and add a Percentage: 10 property.
Answer: A

This is the correct syntax for a canary deployment in SAM.

Why this answer

Option A is correct because AWS SAM's `DeploymentPreference` with `Type: Canary` on the Lambda function enables canary traffic shifting for the API Gateway integration. The `CanarySetting` property with `Percent: 10` specifies that 10% of traffic is initially routed to the new Lambda version, while the remaining 90% goes to the previous version. This configuration leverages SAM's built-in CodeDeploy integration to manage the canary release automatically.

Exam trap

The trap here is that candidates mistakenly apply canary settings directly to the API Gateway resource or use incorrect property names like `Percentage` or `TrafficShiftType`, instead of recognizing that SAM delegates canary traffic management to the Lambda function's `DeploymentPreference` with the correct `CanarySetting` structure.

How to eliminate wrong answers

Option B is wrong because `CanarySetting` is not a valid property of an API Gateway resource in SAM; canary deployments for API Gateway are configured via the Lambda function's `DeploymentPreference`, not directly on the API resource. Option C is wrong because `TrafficShiftType` is not a valid property in SAM's `DeploymentPreference`; the correct property to specify the shift type is `Type` (e.g., Canary, Linear, AllAtOnce), and there is no separate `TrafficShiftType` field. Option D is wrong because the correct property name for the traffic percentage is `CanarySetting` with a nested `Percent` key, not a top-level `Percentage` property.

255
MCQ · hard

A company uses AWS CodeBuild to compile and package code, and AWS CodePipeline to orchestrate deployments to Amazon ECS. The pipeline includes a manual approval step. During a recent deployment, the build succeeded but the pipeline failed at the deploy stage with the error 'CannotPullContainerError: manifest for image:tag not found'. The ECS task definition references the image:tag. What is the most likely cause?

A. The CodeBuild project does not have permissions to push to Amazon ECR.
B. The ECS cluster does not have internet access to pull the image from ECR.
C. The image tag used is 'latest', and a subsequent build pushed a new 'latest' image, overwriting the original before the manual approval was granted.
D. The task definition references an incorrect image name.
Answer: C

Correct because manual approval delays deployment, and 'latest' tag is mutable.

Why this answer

Option C is correct because the manual approval step may cause a delay, and if the image tag is 'latest', it may be overwritten by a subsequent build, causing the image to be unavailable. Option A is wrong because the build succeeded. Option B is wrong because the error is about the manifest, not networking.

Option D is wrong because the task definition is correct at the time of deployment.

256
MCQ · medium

A company is deploying a microservices application on Amazon ECS using the Fargate launch type. The application includes a service that must process messages from an Amazon SQS queue. The developer wants to ensure that the service scales based on the number of messages in the queue. Which scaling solution should the developer implement?

A. Configure DynamoDB auto scaling to adjust read capacity based on queue depth.
B. Use Amazon ECS Service Auto Scaling with a target tracking scaling policy based on the SQS queue backlog per task.
C. Configure AWS Lambda with reserved concurrency and trigger it from the SQS queue.
D. Use Application Auto Scaling with a scheduled scaling policy to increase the number of tasks during peak hours.
Answer: B

This allows dynamic scaling based on queue depth.

Why this answer

Option B is correct because Amazon ECS Service Auto Scaling with a target tracking scaling policy based on the SQS queue backlog can automatically adjust the number of tasks. Option D is wrong because Application Auto Scaling with a scheduled scaling policy is not dynamic. Option A is wrong because DynamoDB auto scaling is for database throughput, not ECS tasks.

Option C is wrong because Lambda reserved concurrency limits the number of concurrent executions but does not scale ECS tasks.

257
MCQ · medium

A developer attempted to create a CloudFormation stack. The stack creation failed and rolled back. Based on the exhibit, which resource caused the failure?

A. The WaitCondition resource
B. The EC2Instance resource
C. The user who requested the rollback
D. The stack itself
Answer: B

The error states 'The following resource(s) failed to create: [EC2Instance]'.

Why this answer

The error message indicates that EC2Instance failed to create, and that caused the WaitCondition to fail. Option B is correct because EC2Instance is listed as failed. Option A is incorrect because WaitCondition failed as a consequence.

Option D is incorrect because the stack status is ROLLBACK_COMPLETE. Option C is incorrect because the rollback was automatic.

258
Multi-Select · medium

A company is deploying a critical application using AWS Elastic Beanstalk. The application experiences occasional spikes in traffic. The company wants to ensure that the environment scales automatically and that deployments are rolled back if health checks fail. Which TWO configurations should be used together to meet these requirements? (Choose TWO.)

Select 2 answers
A. Use a blue/green deployment policy.
B. Configure the Auto Scaling group to scale based on the average request count per instance.
C. Set the environment's capacity to a fixed number of instances.
D. Configure the environment to use rolling updates with a batch size of 50%.
E. Enable immutable updates for the environment.
Answers: B, D

This allows the environment to automatically scale based on traffic.

Why this answer

Option B is correct because configuring the Auto Scaling group to scale based on the average request count per instance allows the environment to automatically add or remove instances in response to traffic spikes, ensuring dynamic scaling. Option D is correct because rolling updates with a batch size of 50% update instances in batches and automatically roll back the deployment if health checks fail, meeting the rollback requirement. Together, these configurations provide both automatic scaling and safe, self-healing deployments.

Exam trap

The trap here is that candidates often confuse immutable updates with rolling updates, assuming immutable updates also support automatic rollback on health check failure, but immutable updates only fail the deployment without reverting the environment to the previous version.

259
MCQ · easy

A developer is deploying a serverless application using the AWS Serverless Application Model (SAM). The developer wants to set environment variables for the Lambda function that are specific to the deployment stage (e.g., dev, prod). How should the developer accomplish this?

A. Use SAM parameters to pass stage-specific values into the template.
B. Define the environment variables in the Lambda function configuration and use 'Ref' with the stage name.
C. Hardcode the environment variables in the SAM template for each stage.
D. Use AWS CloudFormation 'Conditions' to set environment variables based on the stage.
Answer: A

Parameters allow passing different values for different stages.

Why this answer

Option A is correct because SAM supports defining parameters with default values and then using them in the template. The developer can use the 'Parameters' section and pass different values for each stage. Option B is wrong because environment variables are not automatically injected by stage.

Option C is wrong because hardcoding is not flexible. Option D is wrong because 'Conditions' are for resource creation, not variable values.

260
Multi-Select · medium

A developer is using AWS CodeDeploy to deploy a revision to an Amazon EC2 instance. The deployment fails with the error 'The overall deployment failed because too many individual instances failed deployment, too few healthy instances are available for deployment, or some instances in your deployment group are experiencing problems.' Which TWO actions should the developer take to troubleshoot the issue? (Choose TWO.)

Select 2 answers
A. Check the CodeDeploy agent logs on the EC2 instance for errors.
B. Change the deployment configuration to AllAtOnce.
C. Verify that the EC2 instance has an IAM role that allows CodeDeploy to access it.
D. Verify that the CodeDeploy agent is installed and running on the instance.
E. Increase the health check grace period on the Auto Scaling group.
Answers: A, D

Agent logs provide detailed error messages.

Why this answer

Option A is correct because the CodeDeploy agent logs on the EC2 instance contain detailed error messages about why the deployment script failed, such as script exit codes, missing dependencies, or permission issues. Checking these logs is the first step in diagnosing individual instance failures, as the agent writes events to `/var/log/aws/codedeploy-agent/codedeploy-agent.log`.

Exam trap

The trap here is that candidates often confuse the deployment configuration (AllAtOnce) with a troubleshooting step, when in fact it only changes the rollout speed and does not help diagnose why individual instances are failing.

261
MCQ · hard

A company uses AWS CloudFormation to deploy infrastructure. They have a stack that creates an Amazon RDS DB instance. They want to update the DB instance class without downtime. Which update policy should they use?

A. UseLatestRestorableTime
B. AutoScalingRollingUpdate
C. UpdateReplacePolicy
D. CreationPolicy
Answer: A

This enables a blue/green deployment for RDS to minimize downtime.

Why this answer

Option A is correct because the `UseLatestRestorableTime` update policy is used with AWS CloudFormation to perform an update that replaces the DB instance with the latest restorable time snapshot, which minimizes downtime by allowing the new instance to be created from the most recent automated backup. This policy is specifically designed for RDS instances to enable a blue/green deployment-like update without manual intervention, ensuring the database remains available during the transition.

Exam trap

The trap here is that candidates confuse update policies for EC2 Auto Scaling groups (like `AutoScalingRollingUpdate`) with those for stateful services like RDS, or they assume `UpdateReplacePolicy` is a valid CloudFormation attribute when it does not exist.

How to eliminate wrong answers

Option B is wrong because `AutoScalingRollingUpdate` is a policy for Auto Scaling groups, not for RDS DB instances; it updates instances in a rolling fashion but does not apply to database resources. Option C is wrong because `UpdateReplacePolicy` is not a valid CloudFormation policy; the correct attribute is `DeletionPolicy` (which controls what happens when a resource is deleted), and `UpdateReplacePolicy` does not exist. Option D is wrong because `CreationPolicy` is used to control the creation of resources (e.g., waiting for signals from EC2 instances), not for updating existing resources like RDS instances.

262
MCQ · hard

A development team uses AWS CodePipeline to automate deployments. The pipeline includes a build stage using AWS CodeBuild and a deploy stage using AWS CodeDeploy. After a recent change, the deploy stage fails intermittently with a timeout error. The CodeBuild stage succeeds. What should the team do to troubleshoot the issue?

A. Ensure the deployment group is configured to use the correct Auto Scaling group.
B. Verify that the CodeDeploy service role has sufficient permissions.
C. Check the buildspec.yml file for syntax errors.
D. Increase the timeout value in the CodeDeploy deployment configuration.
Answer: D

Increasing timeout can resolve intermittent timeout errors.

Why this answer

Option D is correct because the intermittent timeout error in the deploy stage, despite a successful build, indicates that the CodeDeploy agent is taking longer than the configured timeout to complete the deployment lifecycle events (e.g., BeforeInstall, AfterInstall, ApplicationStart). Increasing the timeout value in the CodeDeploy deployment configuration gives the agent more time to finish these operations, which directly addresses the timeout failure without altering the build or permissions.

Exam trap

The trap here is that candidates often confuse build-stage failures (CodeBuild) with deploy-stage failures (CodeDeploy), leading them to check buildspec.yml or permissions, when the intermittent timeout is a classic symptom of a deployment configuration timeout being too short for the application's startup or script execution time.

How to eliminate wrong answers

Option A is wrong because the deployment group's Auto Scaling group configuration is unrelated to a timeout error; an incorrect Auto Scaling group would cause a deployment to fail immediately with a 'No instances found' or 'Invalid Auto Scaling group' error, not an intermittent timeout. Option B is wrong because insufficient CodeDeploy service role permissions would result in a consistent authorization failure (e.g., 'AccessDeniedException') during the deployment, not an intermittent timeout after a successful build. Option C is wrong because the buildspec.yml file is used by CodeBuild, not CodeDeploy; syntax errors in buildspec.yml would cause the build stage to fail, but the question states the build stage succeeds, so the issue must be in the deploy stage.

263
Multi-Select · easy

A developer is using AWS CodeDeploy to deploy an application to EC2 instances. The developer wants to ensure that the deployment stops if any instance fails to install the application. Which TWO CodeDeploy settings should be configured to achieve this? (Choose TWO.)

Select 2 answers
A. Set the 'DeploymentStyle' to 'BLUE_GREEN'.
B. Set the 'IgnoreApplicationStopFailures' option to false in the deployment configuration.
C. Configure the 'LoadBalancerInfo' to include the target group.
D. Configure the 'RevisionLocation' to point to an S3 bucket.
E. Set the 'MinimumHealthyHosts' option to a value that requires all instances to be healthy for the deployment to succeed.
Answers: B, E

This ensures that failures in the ApplicationStop lifecycle event cause the deployment to fail.

Why this answer

Option B is correct because setting 'IgnoreApplicationStopFailures' to false ensures that if the application stop hook fails on any instance, the deployment stops immediately rather than continuing. This prevents the deployment from proceeding when an instance cannot properly stop the existing application, which could lead to conflicts or corrupted states.

Exam trap

The trap here is that candidates often confuse deployment configuration settings like 'IgnoreApplicationStopFailures' and 'MinimumHealthyHosts' with unrelated settings such as deployment style or revision location, leading them to select options that control deployment strategy or artifact storage instead of failure behavior.

264
MCQ · hard

A developer is using AWS CodeDeploy to deploy an application to an EC2 Auto Scaling group. The deployment must ensure that a minimum number of instances are always running and healthy. The developer wants to deploy to 10 instances. Which deployment configuration should the developer use?

A. CodeDeployDefault.OneAtATime
B. CodeDeployDefault.AllAtOnce
C. CodeDeployDefault.HalfAtATime
D. CodeDeployDefault.MinHealthyHostsPercentage: 90
Answer: A

This configuration deploys to one instance at a time, keeping the maximum number of healthy instances at any time.

Why this answer

Option A, CodeDeployDefault.OneAtATime, is correct because it ensures that only one instance is updated at a time, which guarantees that a minimum number of instances (9 out of 10) remain healthy and running throughout the deployment. This configuration is ideal for maintaining high availability and meeting strict uptime requirements.

Exam trap

The trap here is that candidates often confuse the predefined deployment configurations with custom settings, assuming that 'MinHealthyHostsPercentage: 90' is a valid named configuration, when in fact it is a parameter that must be specified as part of a custom configuration, not a built-in option.

How to eliminate wrong answers

Option B (CodeDeployDefault.AllAtOnce) is wrong because it deploys to all 10 instances simultaneously, which can cause a complete outage if the deployment fails or the application has issues. Option C (CodeDeployDefault.HalfAtATime) is wrong because it deploys to 5 instances at a time, which does not guarantee that a minimum number of instances (e.g., 9) are always running; it only ensures half are updated at once, potentially leaving only 5 healthy instances. Option D (CodeDeployDefault.MinHealthyHostsPercentage: 90) is wrong because it is not a valid predefined deployment configuration in AWS CodeDeploy; it is a custom configuration option that can be set via the API or CLI, but it is not a built-in named configuration like the others.

265
Multi-Select · medium

Which TWO statements are true about AWS CodeDeploy deployment groups? (Choose two.)

Select 2 answers
A. A deployment group can only target a single EC2 instance.
B. A deployment group can use an Auto Scaling group as its target.
C. A deployment group can be shared across multiple CodeDeploy applications.
D. A deployment group is a collection of deployment targets for an application.
E. A deployment group cannot be associated with a load balancer.
Answers: B, D

Auto Scaling groups are common targets.

Why this answer

Option B is correct because AWS CodeDeploy deployment groups can target an Auto Scaling group, enabling automatic deployment to all instances in the group and integration with scaling events. This allows CodeDeploy to automatically deploy revisions to new instances launched by the Auto Scaling group, ensuring consistent application versions across the fleet.

Exam trap

The trap here is that candidates often confuse deployment groups with being application-specific and think they can be shared across applications, or they incorrectly assume that deployment groups are limited to single instances or cannot integrate with load balancers.

266
Multi-Select · medium

A company is deploying a web application on AWS Elastic Beanstalk. The application requires a relational database. The company wants to decouple the database lifecycle from the environment lifecycle. Which TWO steps should the company take to achieve this? (Choose TWO.)

Select 2 answers
A. Use Amazon DynamoDB instead of Amazon RDS
B. Create an Amazon RDS DB instance outside of Elastic Beanstalk
C. Add an Amazon RDS DB instance to the Elastic Beanstalk environment using the Elastic Beanstalk console
D. Configure the Elastic Beanstalk environment to use environment properties to pass the DB connection string
E. Create a separate Elastic Beanstalk environment for the database
Answers: B, D

Separate lifecycle.

Why this answer

Option B is correct because creating an Amazon RDS DB instance outside of Elastic Beanstalk decouples the database lifecycle from the environment lifecycle. This means the database can be retained, modified, or terminated independently of the Elastic Beanstalk environment, preventing data loss when the environment is terminated or recreated. The application can then connect to the external RDS instance via environment properties passed to the EC2 instances.

Exam trap

The trap here is that candidates often think adding an RDS instance via the Elastic Beanstalk console is the correct way to decouple the database, but it actually couples the database lifecycle to the environment, leading to potential data loss when the environment is terminated.

267
MCQ · easy

A developer is deploying a serverless application using the AWS Serverless Application Model (SAM). The application consists of an API Gateway endpoint and an AWS Lambda function. The developer wants to define a stage name for the API Gateway deployment. Which section of the SAM template should the developer use?

A. Globals
B. Conditions
C. Outputs
D. Parameters
Answer: A

Globals section includes Api.StageName to set stage name for all APIs.

Why this answer

Option B is correct because the Globals section allows setting properties that apply to all resources, including Api.StageName. Option A is wrong because Outputs are for stack outputs. Option C is wrong because Parameters are for input values.

Option D is wrong because Conditions are for conditional resource creation.

268
MCQ · medium

A team uses AWS CloudFormation to manage infrastructure. They want to update a stack that contains an Amazon RDS database. During the update, they need to modify the DB instance class. Which update policy should they use to minimize downtime?

A. SnapshotUpdate
B. AutoScalingReplacingUpdate
C. ReplacingUpdate
D. AutoScalingRollingUpdate
Answer: B

This policy replaces the DB instance with a new one while keeping the old one until the new is healthy.

Why this answer

Option C is correct because the AWS::RDS::DBInstance resource supports the UpdatePolicy with AutoScalingReplacingUpdate, which can perform a rolling replacement. However, to minimize downtime, they should use a blue/green deployment pattern. But among the options, 'AutoScalingReplacingUpdate' is the correct policy for replacing instances with minimal downtime.

Option A is incorrect because 'AutoScalingRollingUpdate' is for Auto Scaling groups. Option B is incorrect because 'ReplacingUpdate' is not a valid CloudFormation policy. Option D is incorrect because 'SnapshotUpdate' is not a standard policy.

269
MCQ · hard

A DevOps engineer is implementing a blue/green deployment for a microservice running on Amazon ECS with Fargate. The service is fronted by an Application Load Balancer. During deployment, the new task set fails health checks, but the deployment does not automatically roll back. What is the MOST likely reason?

A. The ECS service deployment controller is set to 'ECS' instead of 'CODE_DEPLOY'.
B. The CodeDeploy application and deployment group are not configured for automatic rollback.
C. The health check grace period is set too high.
D. The ECS service is configured with a 'minimum healthy percent' of 100 percent.
Answer: A

With the ECS deployment controller, blue/green deployments do not support automatic rollback; the CODE_DEPLOY controller must be used to enable CodeDeploy and automatic rollback.

Why this answer

Option A is correct. For blue/green deployments on ECS, you must specify a deployment controller type of 'CODE_DEPLOY' to use CodeDeploy and enable automatic rollback. If the controller is 'ECS' (the default), the deployment is managed by ECS and does not support automatic rollback on health check failures in blue/green mode.

Option B is wrong because ECS does roll back if health checks fail when using the ECS deployment controller with a rolling update, but not for blue/green. Option C is wrong because CodeDeploy is not used if the deployment controller is not CODE_DEPLOY. Option D is wrong because the health check grace period delays health checks but does not prevent rollback if checks fail after the grace period.

270
MCQ · hard

A company uses AWS OpsWorks for configuration management. They want to deploy a new application version to a stack. Which lifecycle event should they use to run deployment scripts?

A. Configure
B. Undeploy
C. Setup
D. Deploy
Answer: D

Runs when you deploy an app.

Why this answer

The Deploy lifecycle event in AWS OpsWorks is specifically designed to run deployment scripts when you deploy a new application version to a stack. This event occurs after the application code has been installed, allowing you to execute custom scripts for tasks like database migrations, cache clearing, or service restarts. It is the correct choice because it aligns with the deployment phase of the application lifecycle.

Exam trap

The trap here is that candidates confuse the Deploy event with the Setup or Configure events, mistakenly thinking that code deployment happens during initial instance setup or configuration updates, rather than understanding that Deploy is the dedicated event for application version releases.

How to eliminate wrong answers

Option A is wrong because the Configure lifecycle event runs whenever an instance enters or leaves the online state, not for deploying application code; it is used for updating configuration files or adjusting settings based on the stack's current state. Option B is wrong because Undeploy is not a standard lifecycle event in AWS OpsWorks; the correct event for removing an application is the Shutdown lifecycle event, which runs when an instance is stopped or terminated. Option C is wrong because the Setup lifecycle event runs only once when an instance is first booted, to install packages and configure the instance, not for deploying new application versions.

271
Multi-Select · medium

A company uses AWS CodePipeline to deploy a web application. The pipeline has a Source stage (CodeCommit), a Build stage (CodeBuild), and a Deploy stage (CodeDeploy). The developer wants to add a manual approval step before the Deploy stage. Which TWO configurations are required?

Select 2 answers
A. An Amazon SES identity to send emails.
B. An AWS Lambda function to send approval emails.
C. An Amazon CloudWatch alarm to trigger the approval.
D. An IAM role that allows CodePipeline to publish to the SNS topic.
E. An Amazon SNS topic to notify the approver.
Answers: D, E

The pipeline needs permission to publish to SNS.

Why this answer

Options B and D are correct because a manual approval action requires an SNS topic for notification and an IAM role for the pipeline to publish to SNS. Option A is wrong because Lambda is not required. Option C is wrong because CloudWatch is not needed.

Option E is wrong because SES is not used.

272
Multi-Select · hard

A company is using AWS CodeDeploy to deploy an application to an Auto Scaling group. The deployment group has a deployment configuration of CodeDeployDefault.AllAtOnce. During a deployment, some instances fail the deployment. Which THREE actions should the developer take to improve the deployment health?

Select 3 answers
A. Increase the minimum number of healthy instances in the Auto Scaling group.
B. Change the deployment configuration to CodeDeployDefault.OneAtATime.
C. Configure a lifecycle hook to run validation tests before the instance is marked as healthy.
D. Use a larger instance type to handle the deployment load.
E. Add an Elastic Load Balancer health check to the deployment group.
Answers: B, C, E

Deploys to one instance at a time, reducing blast radius.

Why this answer

Option A (use CodeDeployDefault.OneAtATime) is correct because it reduces risk by deploying to one instance at a time. Option B (add a health check) is correct to catch issues early. Option D (use lifecycle hooks) is correct to run tests before instances are marked healthy.

Option C is wrong because it does not help with deployment failures. Option E is wrong because it does not affect deployment health.

273
MCQ · hard

A development team uses AWS Elastic Beanstalk for a Node.js application. They want to deploy a new version with zero downtime. Which deployment policy should they choose?

A. Immutable
B. All at once
C. Rolling
D. Rolling with additional batch
Answer: A

Launches new instances and swaps CNAME, zero downtime.

Why this answer

The correct answer is C. Immutable deployment launches new instances in a new Auto Scaling group, then swaps the CNAME, ensuring zero downtime. Option A (All at once) causes downtime.

Option B (Rolling) has a brief window with old and new versions but may reduce capacity. Option D (Rolling with additional batch) is similar to rolling but adds instances, still not zero downtime.

274
MCQ · easy

A developer deploys a new version of an AWS Lambda function using the AWS CLI. After the deployment, the function starts returning errors. The developer needs to quickly revert to the previous version without redeploying. What should the developer do?

A. Use AWS CodeDeploy to automatically roll back the deployment.
B. Update the alias to point to the previous version.
C. Use the AWS CLI to update the function code with the previous code.
D. Delete the current function and recreate it using the previous deployment package.
Answer: B

Updating the alias to point to the previous version provides an instant rollback.

Why this answer

Option B is correct because AWS Lambda aliases are immutable pointers to specific function versions. By updating the alias to point to the previous version, the developer can instantly revert traffic to the stable code without any redeployment, as the alias is used as the invocation target (e.g., via the function's ARN with the alias name). This approach leverages Lambda's built-in versioning and alias routing, which is the fastest and safest rollback mechanism.

Exam trap

The trap here is that candidates may think they need to redeploy or use a separate deployment service (like CodeDeploy) to revert, when in fact Lambda's alias and versioning system provides a built-in, instant rollback mechanism without any code changes.

How to eliminate wrong answers

Option A is wrong because AWS CodeDeploy is a separate service for automated deployments, not a built-in Lambda rollback feature; using it would require additional setup and is not the quickest revert method from the CLI. Option C is wrong because updating the function code with the previous code via the AWS CLI would overwrite the current version, effectively redeploying the old code rather than instantly reverting, and it does not leverage versioning. Option D is wrong because deleting and recreating the function is unnecessarily destructive and time-consuming, and it would lose the version history and any associated triggers or configurations.

275
MCQ · medium

A company uses AWS CodeDeploy to deploy a web application to an Auto Scaling group. The deployment fails with the error 'The overall deployment failed because too many individual instances failed deployment'. The deployment configuration is CodeDeployDefault.AllAtOnce. What is the most likely cause?

A. The application is not running on the instances before the deployment.
B. The Auto Scaling group has more than 100 instances.
C. The new application revision contains an error that prevents it from running.
D. The deployment group is not associated with the correct Amazon EC2 instances.
Answer: C

With AllAtOnce, if the revision fails on all instances, the overall deployment fails.

Why this answer

Option D is correct because with AllAtOnce, all instances are targeted simultaneously. If the new revision has a critical error, all instances fail, causing the overall deployment to fail. Option A is wrong because CodeDeploy does not have a hard limit on instances.

Option B is wrong because the deployment group is the Auto Scaling group itself, not individual instances. Option C is wrong because if the application was not running, the deployment would fail on each instance but not necessarily all at once.

276
MCQ · medium

A developer is deploying a new version of a Lambda function using AWS CodeDeploy with a linear canary deployment. The function is part of a serverless application. After the deployment starts, the developer notices that the new version is receiving only 10% of traffic initially, but after 10 minutes, the traffic increases to 100%. What should the developer do to ensure a more gradual traffic shift?

A. Use Lambda function aliases with weighted traffic shifting.
B. Use multiple Lambda function versions and update the alias gradually.
C. Configure AWS CloudFormation to update the Lambda alias.
D. Modify the CodeDeploy deployment configuration to use a linear 10% every 5 minutes instead of canary.
Answer: D

CodeDeploy linear deployments shift traffic in increments over a specified time, allowing a more gradual shift.

Why this answer

Option D is correct because the developer is using a canary deployment configuration that shifts 10% of traffic immediately and then waits 10 minutes before shifting to 100%. To achieve a more gradual traffic shift, the developer should modify the CodeDeploy deployment configuration to use a linear 10% every 5 minutes, which will increment traffic by 10% every 5 minutes, taking 50 minutes to reach 100%.

Exam trap

The trap here is that candidates may confuse the built-in CodeDeploy deployment configurations (canary vs. linear) with manual alias weight adjustments, thinking that modifying the alias directly is the correct approach instead of changing the deployment configuration.

How to eliminate wrong answers

Option A is wrong because Lambda function aliases with weighted traffic shifting are used for manual or custom traffic routing, not for controlling the pace of a CodeDeploy deployment. Option B is wrong because using multiple Lambda function versions and updating the alias gradually is a manual process that does not leverage CodeDeploy's built-in deployment configurations for automated traffic shifting. Option C is wrong because configuring AWS CloudFormation to update the Lambda alias does not change the CodeDeploy deployment configuration; CloudFormation can manage the alias but cannot alter the traffic shift pattern defined in the CodeDeploy deployment group.

277
MCQ · hard

Refer to the exhibit. A developer created this IAM policy to allow a CI/CD service to trigger CodePipeline and CodeBuild. However, the pipeline fails with an 'AccessDenied' error when trying to start the CodeBuild project. What is the likely cause?

A. The policy should use 'Effect': 'Deny' for the CodeBuild actions.
B. The policy does not include 'codebuild:StartBuild' for the specific CodeBuild project ARN.
C. The policy must include 'codebuild:BatchGetBuilds' for the specific project.
D. The policy is attached to the developer's IAM user instead of the CodePipeline service role.
Answer: D

CodePipeline uses a service role to perform actions; the policy must be attached to that role.

Why this answer

Option B is correct because the policy allows 'codebuild:StartBuild' on all resources, but CodePipeline needs to start builds on behalf of the pipeline. The CodeBuild project resource ARN is not specified; however, the 'Resource' is '*', so that should be fine. Actually, the issue might be that the policy allows StartBuild for CodeBuild, but the pipeline's service role needs permissions.

The policy shown is for a user, not for the pipeline's service role. The question says 'a developer created this IAM policy', but the pipeline uses a service role. So the correct answer is that the policy should be attached to the pipeline's service role, not the developer.

Option A is wrong because the action is correct. Option C is wrong because the resource is '*', covering all projects. Option D is wrong because the policy does not need to be attached to the user; it needs to be attached to the pipeline's role.

278
MCQ · hard

A company is using AWS CodePipeline with a multi-branch strategy. The pipeline includes a source stage from AWS CodeCommit, a build stage using AWS CodeBuild, and a deploy stage using AWS CodeDeploy. The team wants to automatically deploy changes only when a pull request is merged to the 'main' branch. Which configuration should be used?

A. Configure a CodeCommit trigger to start the pipeline on push events to the 'main' branch.
B. Create a manual approval step before deployment and require a pull request merge as a trigger.
C. Use a scheduled trigger to run the pipeline every hour and check for changes.
D. Configure the source stage to use the 'main' branch and enable periodic polling.
Answer: A

A push event to main (including pull request merges) triggers the pipeline automatically.

Why this answer

Option D is correct: CodePipeline should use a webhook trigger with an event filter for push events to the 'main' branch. Option A (all branches) would deploy every push. Option B (manual approval) defeats automation.

Option C (scheduled) is not event-driven.

279
MCQ · easy

A developer is deploying a Node.js application to AWS Elastic Beanstalk. The application needs to read environment-specific configuration variables. Which configuration file should the developer use to define these variables within the Elastic Beanstalk environment?

A. package.json
B. .ebextensions/*.config
C. Dockerfile
D. buildspec.yml
Answer: B

Correct: .ebextensions files allow setting environment properties.

Why this answer

Option A is correct because .ebextensions configuration files in YAML or JSON format are used to set environment properties in Elastic Beanstalk. Option B is wrong because Dockerfile is for Docker containers, not for environment variables. Option C is wrong because the application's package.json is not used for environment-specific configuration.

Option D is wrong because the buildspec.yml is for CodeBuild, not Elastic Beanstalk.

280
MCQ · medium

A company uses AWS Elastic Beanstalk to deploy a web application. The developer has updated the application code and wants to deploy the new version with a rolling deployment strategy to minimize downtime. Which configuration should the developer use?

A. Set the deployment policy to 'Rolling'
B. Set the deployment policy to 'Immutable'
C. Set the deployment policy to 'All at once'
D. Set the deployment policy to 'Blue/green'
Answer: A

Rolling updates instances in batches, keeping the application available.

Why this answer

Option B is correct because Rolling deployment updates instances in batches, minimizing downtime. Option A is wrong because All at once causes downtime. Option C is wrong because Immutable creates new instances and swaps, but Rolling is more cost-effective.

Option D is wrong because Blue/green is a separate deployment method.

281
MCQ · hard

A CodeDeploy deployment to Lambda should shift 10 percent of traffic for 10 minutes before full rollout and automatically roll back on alarms. Which configuration should be used?

A. Canary deployment preference with CloudWatch alarms
B. All-at-once deployment without alarms
C. Manual alias update after deployment
D. S3 static website deployment
Answer: A

Correct for the stated requirement.

Why this answer

A is correct because CodeDeploy's canary deployment preference shifts 10% of traffic to the new Lambda version for 10 minutes, then automatically shifts the remaining 90% after the specified interval. CloudWatch alarms are configured to trigger an automatic rollback if the alarm state is breached during the canary period, meeting the requirement for a gradual shift with automated rollback on failure.

Exam trap

The trap here is that candidates may confuse 'canary' with 'linear' deployments, or assume that any gradual shift (like 'linear10PercentEvery10Minutes') is equivalent, but the requirement specifies a single 10% shift for 10 minutes before full rollout, which matches the canary preference, not a linear incremental shift.

How to eliminate wrong answers

Option B is wrong because 'All-at-once' deploys all traffic instantly without a gradual 10% shift or a 10-minute waiting period, and it lacks any alarm-based rollback mechanism. Option C is wrong because manually updating an alias after deployment bypasses CodeDeploy's automated traffic shifting and rollback capabilities, requiring manual intervention for both the shift and any rollback. Option D is wrong because an S3 static website deployment is unrelated to Lambda traffic shifting; it is used for hosting static content, not for managing Lambda alias traffic or CodeDeploy deployments.

282
Multi-Select · hard

A company is using AWS CloudFormation to deploy a stack with a Lambda function and an API Gateway REST API. The deployment must be updated without downtime. The current stack has a Lambda function with an alias 'prod'. Which THREE steps should the developer take to achieve a zero-downtime deployment? (Choose THREE.)

Select 3 answers
A. Update the existing 'prod' alias to point to the new function version.
B. Create a new Lambda function version and assign it to a new alias 'blue'.
C. Use AWS CodeDeploy to gradually shift traffic from the 'prod' alias to the 'blue' alias.
D. Delete the old Lambda function version after the update.
E. Update the API Gateway stage to point to the 'blue' alias and test the new version.
Answers: B, C, E

This creates a separate target for the new code.

Why this answer

Options A, C, and E are correct: Using a second alias for the new version, updating the API Gateway stage to point to the new alias, and then switching traffic gradually. Option B (changing alias directly) causes downtime. Option D (deleting old version) is not part of update.

283
Multi-Select · hard

A developer is deploying a containerized application on Amazon ECS with Fargate. The application requires access to an Amazon RDS database. The developer needs to securely pass database credentials to the container. Which THREE methods can the developer use?

Select 3 answers
A. Store the credentials in AWS Systems Manager Parameter Store and reference the parameter in the task definition.
B. Store the credentials in AWS Secrets Manager and reference the secret in the task definition.
C. Use IAM roles for tasks and retrieve credentials from AWS Secrets Manager at runtime.
D. Hardcode the credentials in the container image.
E. Define environment variables in the task definition with the credentials.
Answers: A, B, C

Parameter Store can securely store and inject secrets.

Why this answer

Options A, C, and D are correct. Option B is wrong because hardcoding credentials is insecure. Option E is wrong because environment variables in the task definition are visible in plain text.

284
MCQ · medium

A company deploys a critical application on Amazon ECS with Fargate using a blue/green deployment strategy with AWS CodeDeploy. The deployment group has two target groups, one for blue and one for green. The Application Load Balancer (ALB) is configured with a listener that forwards traffic to the blue target group initially. A recent deployment to the green environment failed, and the green service is in a steady state with zero healthy tasks. The developer needs to ensure that the blue service continues to serve traffic without interruption. The developer checks the CodeDeploy console and sees that the deployment is stuck in the 'InProgress' state with a status of 'Green fleet is not healthy.' What should the developer do to restore the deployment to a healthy state?

A. Update the ECS task definition for the green service to a working version and wait for the deployment to complete.
B. Manually update the ECS service for the blue environment to increase the desired count.
C. Stop the deployment in CodeDeploy and re-point the ALB listener to the blue target group.
D. Roll back the deployment to the previous version using the CodeDeploy console.
Answer: C

Stopping the deployment and rerouting traffic ensures blue continues to serve traffic without interruption.

Why this answer

Option B is correct because stopping the deployment and rerouting traffic to the blue target group ensures the blue service continues to serve traffic. Option A is wrong because manually updating the blue service does not address the stuck deployment. Option C is wrong because updating the green service may not fix the deployment.

Option D is wrong because rolling back may not be available if the deployment is stuck.

285
MCQ · medium

A company uses AWS CloudFormation to manage infrastructure. A developer wants to update a stack that includes an Amazon RDS database. The update requires replacing the database with a new instance. Which stack update policy should the developer use to minimize downtime?

A. Snapshot
B. Retain
C. Delete
D. Replacement with Snapshot
Answer: D

Creates a new instance and takes a snapshot of the old one.

Why this answer

Option C is correct because the Replacement policy with Snapshot allows CloudFormation to create a new DB instance, take a snapshot of the old instance, and then delete the old instance, minimizing downtime. Option A is wrong because Delete does not preserve data. Option B is wrong because Retain keeps the old instance, causing downtime.

Option D is wrong because Snapshot without Replacement is not a valid update policy.

286
MCQ · easy

A developer needs to deploy a containerized application on AWS. The application requires persistent storage that can be shared across multiple containers running on different EC2 instances. Which AWS service should the developer use?

A. Amazon S3
B. Amazon Elastic Block Store (EBS)
C. Amazon RDS
D. Amazon Elastic File System (EFS)
Answer: D

EFS is a shared file system for multiple instances.

Why this answer

Amazon EFS provides NFS-based file storage that can be mounted to multiple EC2 instances and ECS tasks. Option A is correct. Option B (EBS) is block storage attached to a single instance.

Option C (S3) is object storage, not a filesystem. Option D (RDS) is a relational database.

287
MCQ · medium

A company uses AWS Elastic Beanstalk to deploy a web application. The environment is currently running a previous version. The developer uploads a new application version and deploys it to the environment. After the deployment, the environment health status turns 'Severe' and the new version is not accessible. The developer needs to quickly revert to the previous working version. What should the developer do?

A. Create a new environment with the previous version and swap CNAMEs.
B. Use the Elastic Beanstalk console to deploy the previous application version.
C. Roll back the environment configuration to a previous saved configuration.
D. Terminate the environment and launch a new one with the previous version.
Answer: B

Elastic Beanstalk supports deploying a specific version directly.

Why this answer

Option B is correct because Elastic Beanstalk allows you to deploy a previous application version directly from the console or CLI without creating a new environment. This action replaces the current application version in the existing environment, restoring the previously working code and resolving the health status. It is the fastest and most straightforward way to revert while preserving the environment's configuration and resources.

Exam trap

The trap here is that candidates confuse 'deploying a previous application version' (which directly fixes the code) with 'rolling back environment configuration' (which only affects settings), leading them to incorrectly choose Option C.

How to eliminate wrong answers

Option A is wrong because creating a new environment and swapping CNAMEs is an unnecessary, time-consuming process that introduces a new environment with its own resources and potential configuration drift, whereas a simple version rollback achieves the same result instantly. Option C is wrong because rolling back the environment configuration reverts settings like instance type or scaling rules, not the application version; the application code remains the broken version. Option D is wrong because terminating the environment and launching a new one with the previous version destroys all existing resources (e.g., RDS database if attached, logs, monitoring data) and requires reconfiguration, which is far more disruptive than a direct version deployment.

288
MCQ · medium

A developer is using AWS CodeDeploy to deploy an application to an Amazon ECS service with the Fargate launch type. The deployment uses a blue/green strategy. After the new task set is created and passes the initial health checks, the traffic is shifted to the new task set. However, the new task set is immediately replaced by the old one after a few minutes, causing a rollback. What is the most likely reason?

A. The lifecycle hooks for the new task set are failing.
B. The target group for the new task set is not configured correctly.
C. The deployment group's rollback configuration triggers due to alarm threshold.
D. The new task set fails the post-traffic shift validation tests.
Answer: D

CodeDeploy performs validation after traffic shift; if the validation fails (e.g., health check failure or Lambda hook failure), it triggers an automatic rollback to the original task set.

Why this answer

Option D is correct because in a blue/green deployment on ECS with CodeDeploy, after traffic is shifted to the new task set, CodeDeploy runs post-traffic shift validation tests (e.g., via Lambda hooks or target group health checks). If these tests fail, CodeDeploy automatically triggers a rollback by replacing the new task set with the original (old) task set. This matches the described behavior where the new task set is immediately replaced after a few minutes.

Exam trap

The trap here is that candidates often confuse pre-traffic shift hooks (which prevent traffic from being shifted) with post-traffic shift hooks (which cause a rollback after traffic is already shifted), leading them to incorrectly select lifecycle hook failures or target group misconfiguration.

How to eliminate wrong answers

Option A is wrong because lifecycle hooks (e.g., BeforeAllowTraffic, AfterAllowTraffic) run before or during traffic shifting, not after the new task set is already serving traffic; failing hooks would prevent traffic from being shifted in the first place, not cause a delayed rollback. Option B is wrong because if the target group for the new task set were misconfigured, the initial health checks would fail and traffic would never be shifted to the new task set; the scenario states traffic is shifted successfully. Option C is wrong because alarm-based rollback would require a CloudWatch alarm to be explicitly configured in the deployment group's rollback settings, and the question does not mention any alarm being triggered; the immediate replacement after a few minutes is characteristic of a validation test failure, not an alarm threshold breach.

289
MCQ · hard

Refer to the exhibit. A developer is creating an IAM policy for a CI/CD service to deploy to CodeDeploy. The policy allows creating deployments and registering application revisions. However, deployments fail with an access denied error. What is the missing permission?

A. codedeploy:ListDeployments
B. codedeploy:BatchGetDeployments
C. codedeploy:StopDeployment
D. codedeploy:UpdateDeploymentGroup
Answer: D

UpdateDeploymentGroup may be needed if the deployment group is being modified.

Why this answer

Option D is correct because to update a deployment group, the codedeploy:UpdateDeploymentGroup permission is required. The CI/CD service may need to update the deployment group configuration. Option A is incorrect because codedeploy:ListDeployments is read-only.

Option B is incorrect because codedeploy:StopDeployment is not needed for creation. Option C is incorrect because codedeploy:BatchGetDeployments is read-only.

290
MCQ · medium

A developer is deploying a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The developer uses AWS CodeDeploy to deploy new application versions. The deployment group is configured with an in-place deployment. The developer wants to ensure that the deployment does not cause any downtime. Which additional configuration is required?

A. Change the deployment type to blue/green deployment.
B. Set the minimum healthy hosts percentage to 100%.
C. Configure the CodeDeploy deployment group to enable load balancer deregistration and re-registration.
D. Create an Auto Scaling group and configure the deployment to use a rolling update.
Answer: C

This ensures traffic is routed away from instances being updated, preventing downtime.

Why this answer

Option B is correct because using a load balancer with in-place deployment, CodeDeploy can register instances with the load balancer and deregister them before deployment, then re-register after. This minimizes downtime. Option A is wrong because creating an Auto Scaling group is not necessary; the deployment can work with existing instances.

Option C is wrong because using blue/green deployment is an alternative, but the question specifically asks for in-place. Option D is wrong because increasing the minimum healthy hosts percentage helps but does not eliminate downtime if instances are not properly drained.

291
MCQ medium

A company is using AWS CodeBuild to compile and test a Java application. The build takes 15 minutes, but the company wants to reduce build time by caching dependencies. Which file should the developer modify to enable caching in the build project?

A. CodeBuild console settings
B. pom.xml
C. buildspec.json
D. buildspec.yml
Answer: D

buildspec.yml includes cache.paths to cache directories.

Why this answer

Option B is correct because the buildspec.yml can specify cache.paths to cache directories like .m2. Option A is wrong because pom.xml is for Maven project configuration, not build caching. Option C is wrong because buildspec.json is not a standard file; buildspec.yml is used.

Option D is wrong because the CodeBuild console settings can enable cache, but the question asks which *file* to modify.

292
MCQ medium

A development team is using AWS CodeDeploy to deploy a web application to an Auto Scaling group. The deployment fails with a 'HealthCheck' error. The application runs on Amazon EC2 instances behind an Application Load Balancer (ALB). What is the MOST likely cause of this error?

A. The ALB target group health check is misconfigured or the application is not responding to health check requests.
B. The EC2 instances do not have the correct IAM instance profile attached.
C. The deployment configuration is set to 'AllAtOnce' which does not support health checks.
D. The deployment group is not configured with the ALB target group.
Answer: A

CodeDeploy uses ALB health checks to validate instance health; a failing health check causes the deployment to fail.

Why this answer

Option B is correct because CodeDeploy uses the ALB health check to determine instance health during deployment. If the health check fails, CodeDeploy considers the instance unhealthy and may fail the deployment. Option A is wrong because, although the EC2 instances do need an IAM role for CodeDeploy, a missing role would cause a different error.

Option C is wrong because the deployment group is correctly configured with the ALB. Option D is wrong because an incorrect deployment configuration would not cause a health check error specifically.

293
MCQ medium

A company is deploying a new microservice on AWS Lambda behind an API Gateway. The development team wants to ensure that new versions of the Lambda function can be rolled out gradually and automatically rolled back if error rates exceed a threshold. Which deployment strategy should the team use?

A. Use AWS CodeDeploy with a canary deployment strategy that shifts 10% of traffic to the new version for 5 minutes, then shifts the remaining 90%. Configure a CloudWatch alarm to automatically roll back if error rates exceed 2%.
B. Use AWS Lambda function aliases with weighted alias traffic shifting. Update the weights manually and monitor error rates using CloudWatch. Roll back by reverting the alias weights.
C. Use AWS CodeDeploy with a linear deployment strategy that shifts 10% of traffic every 5 minutes. Configure a CloudWatch alarm to monitor error rates and manually roll back if needed.
D. Use AWS CodeDeploy with a blue/green deployment and an Application Load Balancer (ALB) to shift traffic to the new version. Configure CloudWatch alarms to trigger a rollback if errors exceed 5%.
Answer: A

Canary deployment allows gradual traffic shifting and automatic rollback via CloudWatch alarms.

Why this answer

Option C is correct because AWS CodeDeploy supports canary deployments with automatic rollback based on CloudWatch alarms. Option A is wrong because blue/green deployment with an NLB is more complex than needed and does not natively support gradual traffic shifting for Lambda. Option B is wrong because a linear deployment using CodeDeploy also works, but the question emphasizes automatic rollback based on error rates, which is more directly supported with canary alarms.

Option D is wrong because manual traffic shifting via Route53 is not automated and does not provide automatic rollback.

294
Multi-Select hard

A CodeDeploy blue/green ECS deployment uses an ALB. Which two resources are required?

Select 2 answers
A. Two target groups for original and replacement task sets
B. A single target group shared by both task sets only
C. An S3 static website endpoint
D. Listener configuration that allows traffic shifting/testing
Answers: A, D

Correct for the stated requirement.

Why this answer

Option A is correct because a blue/green deployment in CodeDeploy for ECS requires two distinct target groups: one for the original (blue) task set and one for the replacement (green) task set. The ALB routes traffic to the appropriate target group based on the listener rules, allowing CodeDeploy to shift traffic gradually from the blue to the green task set during deployment.

Exam trap

The trap here is that candidates often assume a single target group is sufficient because they think the ALB can differentiate between task sets internally, but in reality, each task set must have its own target group to enable independent traffic routing and rollback.

295
MCQ easy

A developer is deploying a new version of a Lambda function using the AWS CLI. Which command should the developer use to update the function code?

A. aws lambda update-function-code
B. aws lambda update-function-configuration
C. aws lambda invoke
D. aws lambda create-function
Answer: A

This updates the function code.

Why this answer

The correct answer is B. The update-function-code command updates the code of a Lambda function. Option A (update-function-configuration) updates configuration settings only.

Option C (create-function) is for creating a new function, not updating. Option D (invoke) is for invoking the function.

296
MCQ medium

A developer is deploying a Lambda function using CloudFormation. The function code is stored in an S3 bucket. The developer wants to automatically update the function when the S3 object is updated. Which approach should be used?

A. Set the 'DeletionPolicy' attribute to 'Retain' on the Lambda function resource.
B. Use the 'S3ObjectVersion' property in the Lambda function's 'Code' property to reference the specific version of the S3 object.
C. Use an S3 event notification to invoke a Lambda function that updates the CloudFormation stack.
D. Set a 'DependsOn' attribute on the Lambda function to the S3 bucket.
Answer: B

CloudFormation will update the function when the S3 object version changes.

Why this answer

Option C is correct because setting the 'S3ObjectVersion' property in the CloudFormation template triggers a stack update when the object version changes. Option A is wrong because CloudFormation does not automatically detect S3 updates. Option B is wrong because 'DeletionPolicy' controls what happens on stack deletion, not updates.

Option D is wrong because 'DependsOn' only sets dependencies, not triggers.

297
MCQ easy

A development team uses AWS Elastic Beanstalk to deploy a containerized application. They notice that after a successful deployment, the environment's health turns from Green to Red. The application logs show no errors. What is the most likely cause?

A. The ELB health check endpoint returns a 503 status code after the new version is deployed.
B. The deployment failed due to a missing environment variable.
C. The application's Docker image is not compatible with the platform version.
D. The Auto Scaling group's minimum instance count is too low.
Answer: A

Correct because Elastic Beanstalk health is based on ELB health checks.

Why this answer

Option B is correct because Elastic Beanstalk uses an ELB health check to determine environment health. If the health check path returns a non-200 status, the environment turns red. Option A is wrong because it would cause deployment failure, not post-deployment health issues.

Option C is wrong because it would cause scaling issues, not immediate health change. Option D is wrong because it would affect deployment, not health.

298
Multi-Select hard

A company is deploying a containerized application on Amazon ECS using AWS Fargate. The application needs to handle variable traffic. The developer wants to set up automatic scaling based on CPU utilization. Which THREE steps are required to achieve this? (Choose three.)

Select 3 answers
A. Update the ECS service to set the desired count to a static value.
B. Create a CloudWatch alarm for CPUUtilization metric.
C. Define a task definition with CPU and memory limits.
D. Register the ECS service as a scalable target with Application Auto Scaling.
E. Create a scaling policy that specifies the target CPU utilization.
Answers: B, D, E

The alarm triggers the scaling policy.

Why this answer

Option B is correct because a CloudWatch alarm for the CPUUtilization metric is required to trigger the scaling action. This alarm monitors the average CPU utilization of the ECS service and, when breached, invokes the Application Auto Scaling policy to adjust the desired count. Without this alarm, the scaling policy has no trigger to act upon.

Exam trap

The trap here is that candidates often confuse the prerequisite task definition (which is always needed for any ECS service) with a scaling-specific step, or they mistakenly think setting a static desired count is part of scaling configuration, when in fact it must be dynamic and managed by the scaling policy.

299
MCQ medium

A company uses AWS CodeDeploy to deploy a web application to an Auto Scaling group. The deployment fails, and the rollback is triggered. However, the rollback also fails. What is a likely cause?

A. The rollback deployment uses an AppSpec file that references a lifecycle hook that does not exist in the current environment.
B. The target group for the load balancer is not properly configured.
C. The Amazon S3 bucket containing the deployment artifacts is missing.
D. The Auto Scaling group does not have sufficient capacity to run the rollback.
Answer: A

Rollback deploys the previous revision; if that revision's AppSpec references a non-existent resource, the rollback fails.

Why this answer

Option D is correct because if the rollback tries to deploy the previous version, but that version's AppSpec file references a hook that no longer exists in the environment (e.g., a previously deleted directory), the rollback fails. Options A, B, and C are incorrect: insufficient capacity would cause the original deployment to fail differently, a misconfigured target group would affect traffic but not rollback, and a missing S3 bucket would cause the original deployment to fail, not the rollback specifically.

300
MCQ medium

A developer is using AWS Elastic Beanstalk to deploy a web application. The application requires a relational database. The developer wants to ensure that the database is not accidentally deleted when the Elastic Beanstalk environment is terminated. Which approach should the developer take?

A. Create the database as part of the Elastic Beanstalk environment by adding an RDS database configuration in the .ebextensions.
B. Create the RDS instance outside of Elastic Beanstalk and configure the application to connect to it using environment variables.
C. Use an Amazon DynamoDB table instead of a relational database.
D. Configure a retention policy on the RDS instance within the Elastic Beanstalk environment.
Answer: B

The database is independent of the environment lifecycle, so it will not be deleted when the environment is terminated.

Why this answer

Option B is correct because creating the RDS instance outside of Elastic Beanstalk decouples the database lifecycle from the environment lifecycle. When the Elastic Beanstalk environment is terminated, the external RDS instance remains intact and is not deleted. The application can connect to it using environment variables configured in the Elastic Beanstalk environment, ensuring persistence of data.

Exam trap

The trap here is that candidates may assume that adding a retention policy (Option D) is possible within Elastic Beanstalk, but Elastic Beanstalk does not expose a retention policy for RDS instances created as part of the environment; the database is always deleted with the environment unless it is created externally.

How to eliminate wrong answers

Option A is wrong because adding an RDS database configuration in .ebextensions creates the database as part of the Elastic Beanstalk environment, which means it will be deleted when the environment is terminated. Option C is wrong because DynamoDB is a NoSQL database, not a relational database, and the question explicitly requires a relational database. Option D is wrong because Elastic Beanstalk does not support configuring a retention policy on an RDS instance created within the environment; the database is tied to the environment's lifecycle and will be deleted upon termination.
