CCNA Deployment Questions

75 of 378 questions · Page 5/6 · Deployment · Answers revealed

301
MCQ · hard

A developer is using AWS CodeBuild to build a Java application. The buildspec.yml file includes commands to run unit tests and package the application. Recently, the build started failing with the error 'No space left on device.' The developer notices that the build environment is using the general1.large compute type with 8 GB of disk space. The developer needs to resolve the disk space issue without modifying the application code. The build environment is managed by CodeBuild and the developer cannot change the instance type. What should the developer do?

A. Add a command in the buildspec.yml to clean the cache directory before the build phase.
B. Use an Amazon EFS file system as a cache to store dependencies.
C. Change the compute type to general1.medium with 8 GB disk space.
D. Mount an additional Amazon EBS volume to the build container.
Answer: A

Cleaning the cache frees disk space inside the build container, which is what 'No space left on device' is complaining about.

Why this answer

Option A is correct because a command in the buildspec (in the install or pre_build phase, before the Java build writes its output) that removes the stale cache directory frees the space the build needs, without touching application code or the compute type. A `df -h` command in the same phase confirms which directory is consuming the disk before a blanket clean-up is added. Option B is wrong because CodeBuild's cache types are local and Amazon S3; an EFS file system is not a build cache. Option C is wrong because the developer cannot change the compute type, and the question states the alternative has the same 8 GB of disk. Option D is wrong because CodeBuild's managed build containers cannot have additional EBS volumes attached.

302
MCQ · medium

A company uses AWS OpsWorks for Chef Automate to manage their infrastructure. A developer needs to deploy a new application version to a stack of EC2 instances. The developer wants to minimize downtime and ensure that the deployment is rolled back automatically if any instance fails. Which deployment strategy should the developer use?

A. Canary deployment
B. Rolling deployment with rollback on error
C. In-place deployment with a single batch
D. Blue/green deployment
Answer: B

OpsWorks deploys to instances in batches and can roll back when a batch fails.

Why this answer

Option B is correct because a rolling deployment updates the stack's instances in batches, so healthy instances keep serving during the update, and a failure in one batch can trigger a rollback to the previous version instead of continuing. Option A is wrong because canary is not a standard OpsWorks deployment strategy. Option C is wrong because an in-place deployment to every instance in a single batch takes the whole fleet through the change together, which is downtime if the new version fails. Option D is wrong because blue/green is not built into OpsWorks; it requires a second stack and a manual traffic switch.

303
MCQ · easy

A developer is using AWS Elastic Beanstalk to deploy a Python web application. The application requires a specific version of a Python package that is not pre-installed on the Elastic Beanstalk platform. How should the developer ensure the package is installed on all environment instances?

A. Use the AWS CLI to run a script on each instance after deployment.
B. Include a .ebextensions configuration file that runs a command to install the package.
C. Add the package to a requirements.txt file and deploy it with the application source bundle.
D. Create a custom Dockerfile and use the Docker platform in Elastic Beanstalk.
Answer: B

.ebextensions configuration files run on every instance during provisioning and each deployment.

Why this answer

Option B is the keyed answer: a .ebextensions/*.config file with a commands or container_commands section runs on every instance during environment creation and each deployment, so the installation is repeatable and also applies to instances added later by Auto Scaling. Option C is not wrong in practice: the Python platform installs whatever requirements.txt pins (for example `package==1.2.3`) on every deployment, and for a plain pip-installable package that is the documented route; .ebextensions is the tool when the install needs more than pip, such as an OS library via the packages: yum: key or a custom package index. Option A is wrong because a one-off script run over the CLI is not applied to new or replaced instances. Option D is wrong because switching to the Docker platform to install one package is disproportionate, and a Dockerfile is only used by the Docker platforms, not the Python platform.

304
Multi-Select · medium

A company is deploying a critical application using AWS CloudFormation. The stack creation fails due to a resource creation failure. The developer needs to troubleshoot the issue. Which TWO actions should the developer take to identify the root cause? (Choose TWO.)

Select 2 answers
A. View the stack events in the CloudFormation console.
B. Check the stack outputs.
C. Delete the stack and recreate it with the same parameters.
D. Review the stack template for logical errors.
E. Check AWS CloudTrail logs for the stack creation attempt.
Answers: A, D

Stack events carry the error message for the resource that failed; the template shows why that resource was requested.

Why this answer

Options A and D are correct. A: the Events tab lists each resource's status and the ResourceStatusReason for the one that failed, which is the error returned by the underlying service; the other resources only show 'Resource creation cancelled' as a consequence of the rollback. D: with the failing resource identified, the template shows the properties or references that produced it. Option B is wrong because outputs are only populated after a successful creation. Option C is wrong because deleting the stack discards the events and then repeats the same failure. Option E is not the best choice: CloudTrail records the API calls CloudFormation made on the developer's behalf, but the error text is already surfaced in the stack events.

305
MCQ · easy

A company is deploying a new microservice using AWS Lambda. The deployment pipeline uses AWS CodeBuild and AWS CodePipeline. The team wants to automatically roll back to the previous function version if the new version fails CloudWatch alarms. Which deployment strategy should they implement?

A. Canary deployment with a CloudWatch alarm-based rollback
B. Rolling update with a pre-traffic hook
C. Immutable deployment with an automated rollback
D. Blue/Green deployment with an AWS CodeDeploy configuration
Answer: A

Lambda canary deployments shift a fraction of traffic to the new version first and roll back if a CloudWatch alarm fires.

Why this answer

Option A is correct because Lambda supports traffic shifting between versions through an alias, and a canary configuration sends a small share of invocations to the new version first; with CloudWatch alarms attached to the deployment, an alarm breach during the canary window rolls the alias back to the previous version automatically. Option B is incorrect because Lambda has no instances to roll through; a pre-traffic hook is a validation step used alongside traffic shifting, not a strategy on its own. Option C is incorrect because immutable deployment is an Elastic Beanstalk policy, and it does not roll back on alarms. Option D is close (CodeDeploy orchestrates Lambda traffic shifting and labels the deployment type blue/green), but the alarm-driven rollback the team asked for is the canary configuration with alarms, which is option A.

306
MCQ · hard

Refer to the exhibit. A developer has attached the above IAM policy to an IAM role used by an AWS Lambda function. The Lambda function reads and writes objects to an S3 bucket. However, the function fails when trying to write objects. What is the MOST likely cause?

A. The S3 bucket policy denies the Lambda function.
B. The S3 bucket uses AWS KMS encryption, and the policy does not include KMS permissions.
C. The Lambda function does not have permission to read objects.
D. The Lambda function is not using the correct IAM role.
Answer: B

Writing to a bucket encrypted with a KMS key needs kms:GenerateDataKey on that key in addition to s3:PutObject.

Why this answer

Option B is correct because a PutObject to a bucket with SSE-KMS default encryption makes S3 call KMS with the caller's credentials to generate a data key, so the role needs kms:GenerateDataKey (and kms:Decrypt for reads and multipart uploads) on that key; an identity policy that lists only s3: actions fails the write with AccessDenied even though the S3 permission itself is present. Option A is unlikely because the exhibit shows only the identity policy, and a bucket-policy deny would normally block reads as well. Option C is wrong because reads succeed. Option D is wrong because the policy in the exhibit is attached to the role the function uses. (The exhibit is not reproduced on this page.)

307
MCQ · medium

A developer is using AWS CodeBuild to build a Java application. The buildspec.yml file currently runs unit tests. The developer wants to generate a code coverage report and publish it to the CodeBuild console for analysis. Which CodeBuild feature should be used?

A. Test reports
B. Build artifacts
C. Amazon CloudWatch Logs
D. Amazon S3 access logs
Answer: A

CodeBuild test reports enable you to generate and view code coverage and test result reports directly in the CodeBuild console, integrating with tools like JaCoCo.

Why this answer

AWS CodeBuild's test reports feature allows developers to create reports from test result files, including code coverage reports, and publish them to the CodeBuild console for analysis. This feature supports various report formats such as JaCoCo, Cobertura, and SimpleCov, enabling the developer to visualize coverage metrics directly in the console without external tools.

Exam trap

The trap here is that candidates confuse build artifacts (which store compiled binaries) with test reports (which store structured test and coverage data), or assume CloudWatch Logs can visualize coverage metrics when it only provides raw log text.

How to eliminate wrong answers

Option B is wrong because build artifacts are used to store output files (e.g., JARs, WARs) in Amazon S3 or CodeBuild, not for generating or publishing test or coverage reports. Option C is wrong because Amazon CloudWatch Logs captures build logs and output from CodeBuild runs, but it does not parse or display structured code coverage reports. Option D is wrong because Amazon S3 access logs track requests made to an S3 bucket, not CodeBuild test results or coverage data.

308
MCQ · hard

A developer is deploying a containerized application on Amazon ECS with Fargate. The application needs to read configuration data from AWS Systems Manager Parameter Store. The developer wants to ensure that the ECS task definition can access the parameter without hardcoding the value. What should the developer do?

A. Store the configuration in Amazon ECR as a label and reference it in the task definition.
B. Use the 'configs' section in the task definition to load from Parameter Store.
C. Add a 'parameters' section in the task definition to load from Parameter Store.
D. Use the 'secrets' field in the task definition to reference the parameter ARN.
Answer: D

The secrets field injects Parameter Store parameters (and Secrets Manager secrets) as environment variables when the task starts.

Why this answer

Option D is correct because each container definition can carry a secrets list whose entries pair an environment variable name with a valueFrom that is the ARN of a Systems Manager parameter or a Secrets Manager secret; ECS resolves the value at task start using the task execution role (which therefore needs ssm:GetParameters, plus kms:Decrypt if the parameter is a SecureString under a customer managed key), so nothing is hardcoded in the task definition. Option A is wrong because image labels in ECR are metadata about the image, not runtime configuration. Options B and C are wrong because the task definition has no 'configs' or 'parameters' section.

309
MCQ · hard

A developer is deploying a serverless application that includes an AWS Lambda function with a dependency on a native library (e.g., a compiled C library). The developer uses AWS SAM. The Lambda function runs correctly in the local development environment but fails with an 'Unable to import module' error when deployed. What is the most likely cause?

A. The Lambda function's IAM role does not have permission to access the library.
B. The Lambda function's handler configuration is incorrect.
C. The native library is compiled for a different operating system than Lambda (Amazon Linux).
D. The Lambda function's timeout is too short.
Answer: C

Lambda runs on Amazon Linux; native libraries must be built for it, and for the function's architecture.

Why this answer

Option C is correct because Lambda functions run on Amazon Linux on x86_64 or arm64, and a compiled extension built on the developer's workstation (macOS or Windows, or a different CPU architecture) cannot be loaded there, which the runtime reports as 'Unable to import module'. Building inside a matching container (for example `sam build --use-container`) produces a compatible artifact. Option A is wrong because IAM governs AWS API calls, not loading a file that is already in the deployment package. Option B is wrong because the same handler works locally. Option D is wrong because a timeout produces a 'Task timed out' error, not an import error.
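A check for the failure mode in this question, as an added example (not code from the original page): it reads the leading bytes of a native library and decides whether a Lambda runtime on Amazon Linux could load it. The sample headers are constructed in the code, not taken from real libraries, and `classify_native_lib` and `loadable_on_lambda` are names chosen for this example.

```python
import struct


# Constructed file headers (not real libraries): only the leading bytes a loader looks
# at. Offsets follow the ELF and Mach-O header layouts.
def _elf_header(ei_class, e_machine):
    # e_ident: magic, EI_CLASS, EI_DATA (1 = little-endian), EI_VERSION, EI_OSABI + padding,
    # then e_type (3 = ET_DYN, a shared object) and e_machine.
    return b"\x7fELF" + bytes([ei_class, 1, 1, 0]) + bytes(8) + struct.pack("<HH", 3, e_machine)


ELF_X86_64_SO = _elf_header(2, 0x3E)        # what a Lambda x86_64 runtime can load
ELF_AARCH64_SO = _elf_header(2, 0xB7)       # what a Lambda arm64 runtime can load
ELF_I386_SO = _elf_header(1, 0x03)          # 32-bit: wrong even on an x86_64 host
MACHO_X86_64_DYLIB = struct.pack("<I", 0xFEEDFACF) + bytes(28)   # built on macOS
PE_DLL = b"MZ" + bytes(62)                  # built on Windows

ELF_MACHINES = {0x03: "i386", 0x3E: "x86_64", 0xB7: "aarch64"}
MACHO_MAGICS = {0xFEEDFACE, 0xFEEDFACF, 0xCEFAEDFE, 0xCFFAEDFE}   # 32/64-bit, both byte orders
LAMBDA_ARCH_TO_ELF = {"x86_64": "x86_64", "arm64": "aarch64"}   # Lambda architecture names


def classify_native_lib(data):
    """Identify container format and architecture from a library's leading bytes."""
    if len(data) >= 20 and data[:4] == b"\x7fELF":
        endian = "<" if data[5] == 1 else ">"
        e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
        return {
            "format": "ELF",
            "bits": 64 if data[4] == 2 else 32,
            "arch": ELF_MACHINES.get(e_machine, hex(e_machine)),
            "shared_object": e_type == 3,
        }
    if len(data) >= 4 and struct.unpack("<I", data[:4])[0] in MACHO_MAGICS:
        return {"format": "Mach-O", "bits": None, "arch": None, "shared_object": None}
    if data[:2] == b"MZ":
        return {"format": "PE", "bits": None, "arch": None, "shared_object": None}
    return {"format": "unknown", "bits": None, "arch": None, "shared_object": None}


def loadable_on_lambda(data, lambda_arch="x86_64"):
    """Lambda runs Amazon Linux on x86_64 or arm64, so it needs a 64-bit ELF shared
    object for the function's configured architecture. Returns (ok, reason)."""
    info = classify_native_lib(data)
    if info["format"] != "ELF":
        return False, (f"{info['format']} is not an ELF object; rebuild on Amazon Linux "
                       "(e.g. sam build --use-container)")
    if info["bits"] != 64:
        return False, "32-bit ELF; Lambda runtimes are 64-bit"
    if info["arch"] != LAMBDA_ARCH_TO_ELF[lambda_arch]:
        return False, f"built for {info['arch']}, function architecture is {lambda_arch}"
    if not info["shared_object"]:
        return False, "not a shared object (ET_DYN)"
    return True, "ok"


if __name__ == "__main__":
    for name, blob in (("x86_64 .so", ELF_X86_64_SO), ("aarch64 .so", ELF_AARCH64_SO),
                       ("macOS .dylib", MACHO_X86_64_DYLIB), ("Windows .dll", PE_DLL)):
        print(name, loadable_on_lambda(blob))
```

On a real package, feed the first 64 bytes of each `*.so` under the build directory to `loadable_on_lambda` with the function's configured architecture; `file` on a Linux host gives the same answer interactively.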

310
MCQ · medium

A developer is deploying a serverless application using AWS SAM. The developer runs 'sam deploy' but receives an error that the S3 bucket does not exist. How should the developer fix this?

A. Use sam publish to deploy the application.
B. Run sam build to generate the bucket.
C. Create an S3 bucket and specify it with --s3-bucket.
D. Run sam package to create the bucket automatically.
Answer: C

The artifact bucket must exist before sam deploy can upload to it.

Why this answer

Option C is correct because sam deploy uploads the packaged code and template to the bucket named by --s3-bucket (or by the s3_bucket setting in samconfig.toml); if that bucket does not exist the upload fails, so the developer creates it first (alternatively, sam deploy --guided, or the --resolve-s3 flag, creates a SAM-managed bucket). Option A is wrong because sam publish pushes an application to the AWS Serverless Application Repository, not to a stack. Option B is wrong because sam build compiles the code locally and creates no AWS resources. Option D is wrong because sam package also needs an existing bucket to upload to.

311
MCQ · hard

A company is deploying a critical application using AWS CloudFormation. The stack creation fails with a 'ROLLBACK_COMPLETE' status. The engineer wants to troubleshoot the failure without deleting the stack. What should the engineer do?

A. Use the 'aws cloudformation create-change-set' command with a rollback trigger.
B. Recreate the stack using the '--on-failure DO_NOTHING' option.
C. Use the 'aws cloudformation describe-stack-events' command to view the error messages.
D. Delete the stack and recreate it with the '--disable-rollback' flag.
Answer: C

Stack events contain the error message for the resource that failed.

Why this answer

Option C is correct because CloudFormation keeps the stack and its event history after a rollback, so describe-stack-events (or the Events tab in the console) shows the CREATE_FAILED event and its ResourceStatusReason without deleting anything. Note that a stack left in ROLLBACK_COMPLETE by a failed creation cannot be updated, only deleted; the events remain available until that deletion. Options B and D are incorrect because they delete or recreate the stack, which the engineer wants to avoid; they are ways to keep failed resources around on the next attempt, not ways to read the current failure. Option A is incorrect because rollback triggers are CloudWatch alarms that decide when a rollback happens; they are not a troubleshooting tool.

312
MCQ · medium

Refer to the exhibit. A developer ran the AWS CLI command and received the output shown. What is the most likely cause of the UPDATE_FAILED status?

A. The Lambda function's execution role does not have sufficient permissions.
B. The Lambda function's timeout value is too high.
C. The CloudFormation template specified an unsupported runtime for the Lambda function.
D. The Lambda function name conflicts with an existing function.
Answer: C

The error message in the output states that the runtime is not supported.

Why this answer

Option C is correct because the ResourceStatusReason in the output indicates that the runtime nodejs18.x is not supported, which means the Runtime property in the template names a value Lambda rejects in that Region; correcting the template and updating again resolves it. Option A is incorrect because a permissions problem surfaces as an AccessDenied or 'not authorized to perform' reason. Option B is incorrect because an out-of-range timeout gives a validation error about the Timeout value, not about the runtime. Option D is incorrect because a name conflict reports that the function already exists. (The exhibit is not reproduced on this page.)

313
MCQ · easy

A development team uses AWS Elastic Beanstalk to deploy a web application. They want to perform a blue/green deployment to minimize downtime. What should they do to implement this?

A. Create an Auto Scaling group and manually replace instances.
B. Update the existing environment with the new version and set the deployment policy to 'Rolling'.
C. Use AWS CodeDeploy to perform a blue/green deployment on the EC2 instances.
D. Create a new environment, deploy the new version, and then swap the environment URLs.
Answer: D

This is the standard blue/green deployment in Elastic Beanstalk.

Why this answer

Option D is correct because blue/green deployment in Elastic Beanstalk is achieved by creating a separate environment (the green environment) with the new application version, then swapping the CNAME records (URLs) of the two environments. This instantly routes traffic from the old (blue) environment to the new (green) environment with zero downtime, and allows quick rollback by swapping back.

Exam trap

The trap here is that candidates confuse the built-in Elastic Beanstalk blue/green deployment (environment swap) with the deployment policies (e.g., Rolling, Immutable) that operate within a single environment, or they incorrectly assume CodeDeploy is the only way to perform blue/green deployments.

How to eliminate wrong answers

Option A is wrong because manually replacing instances in an Auto Scaling group is not a blue/green deployment; it is a manual, error-prone process that does not provide instant traffic switching or easy rollback. Option B is wrong because updating the existing environment with a 'Rolling' deployment policy updates instances in batches within the same environment, which does not create a separate, isolated environment for the new version and still risks partial downtime. Option C is wrong because AWS CodeDeploy is a separate service that can perform blue/green deployments on EC2 instances, but the question specifically asks about using AWS Elastic Beanstalk, which has its own built-in blue/green deployment mechanism via environment URL swaps.

314
Multi-Select · easy

Which TWO AWS services can be used to automatically deploy code to Amazon EC2 instances? (Choose two.)

Select 2 answers
A. AWS Elastic Beanstalk
B. AWS CodeDeploy
C. AWS CloudFormation
D. AWS OpsWorks
E. AWS CodeBuild
Answers: A, B

Elastic Beanstalk and CodeDeploy both deliver application code onto EC2 instances.

Why this answer

AWS Elastic Beanstalk is a PaaS service that automates the deployment of applications to EC2 instances by handling capacity provisioning, load balancing, and health monitoring; uploading a new application version triggers the deployment. AWS CodeDeploy is the purpose-built deployment service: the CodeDeploy agent on each instance pulls the revision from S3 or GitHub and runs the lifecycle hooks in the appspec file, with in-place or blue/green strategies. (OpsWorks Stacks can also deploy application code to the instances it manages, but the two purpose-built choices among the options are A and B.)

Exam trap

The trap here is that candidates often confuse AWS CloudFormation's ability to deploy infrastructure with deploying application code, or they mistakenly think AWS CodeBuild's build process includes deployment, when in fact CodeBuild only produces artifacts and requires a separate service like CodeDeploy for actual deployment.

315
MCQ · easy

A developer is deploying a web application on AWS Elastic Beanstalk. The application needs to run on multiple instances behind a load balancer. Which deployment policy will cause the LEAST downtime?

A. All at once
B. Rolling
C. Rolling with additional batch
D. Immutable
Answer: C

Rolling with additional batch never takes capacity below the original fleet size.

Why this answer

Option C is correct because rolling with additional batch first launches an extra batch of instances running the new version and only then rotates the existing batches, so full capacity is kept and no request is dropped. Option A is wrong because all at once updates every instance together and the application is unavailable while that happens. Option B is wrong because plain rolling takes each batch out of service before updating it, reducing capacity by one batch at a time (degraded service, and downtime if the fleet is small). Option D (immutable) also keeps capacity, since it builds a full second set of instances before retiring the old ones, but it temporarily doubles the fleet and takes longer; the keyed answer is C.

316
MCQ · easy

An application deployed on AWS Lambda needs access to an Amazon RDS database. The Lambda function is in a VPC with a public subnet. The RDS instance is in a private subnet. The function can connect to the database but experiences frequent timeouts. What is the MOST likely cause?

A. The Lambda function timeout is set too low for the database queries.
B. The IAM role for the Lambda function does not have the 'rds:Connect' permission.
C. The Lambda function does not have enough memory allocated.
D. The Lambda function's security group does not allow outbound traffic to the RDS security group.
Answer: D

Security groups drop packets they do not allow, so a blocked path to the RDS port shows up as a connection timeout.

Why this answer

Option D is correct because a security group silently discards traffic its rules do not permit; a TCP connection to the database port that is never answered hangs until the client or the function times out, rather than being refused. The path needs both halves: the function's security group must allow outbound TCP to the RDS port (egress is allow-all by default but is often restricted), and the RDS instance's security group must allow inbound TCP on that port from the function's security group. A NAT gateway or VPC endpoint is not involved when the database is in the same VPC. Option A (function timeout) would cut off long queries with 'Task timed out', but the question describes connection-level timeouts. Option B is wrong because there is no 'rds:Connect' IAM action, and IAM is not consulted for a normal database connection (IAM database authentication uses rds-db:connect, and a failure there is an authentication error, not a timeout). Option C (memory) would cause slow execution or out-of-memory errors, not connection timeouts.
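The security-group check behind this answer, as an added example that is not part of the original page: it evaluates both halves of a Lambda-to-RDS path from constructed security groups and reports which side blocks the connection. `SECURITY_GROUPS`, the addresses and the rule layout are constructed and simplified; route tables and network ACLs are not modelled.

```python
import ipaddress

# Constructed security groups and addresses (not from a real account), in a trimmed
# version of the shape `aws ec2 describe-security-groups` returns.
RDS_PRIVATE_IP = "10.0.2.25"      # assumed address of the DB instance in the private subnet
LAMBDA_ENI_IP = "10.0.1.50"       # assumed address of the function's VPC network interface
SECURITY_GROUPS = {
    "sg-lambda": {
        "egress": [  # an account that locked egress down to HTTPS only
            {"proto": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
        ],
        "ingress": [],
    },
    "sg-rds": {
        "egress": [{"proto": "-1", "from_port": 0, "to_port": 65535, "cidr": "0.0.0.0/0"}],
        "ingress": [  # the DB listens on 3306 and trusts the function's group
            {"proto": "tcp", "from_port": 3306, "to_port": 3306, "source_sg": "sg-lambda"},
        ],
    },
}


def rule_matches(rule, proto, port, peer_ip, peer_sg):
    """True if one rule covers this protocol and port for this peer (by group or by CIDR)."""
    if rule["proto"] not in ("-1", proto):          # "-1" is the all-protocols rule
        return False
    if rule["proto"] != "-1" and not rule["from_port"] <= port <= rule["to_port"]:
        return False
    if "source_sg" in rule:                          # rule written against a security group
        return rule["source_sg"] == peer_sg
    return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(rule["cidr"])


def can_connect(sgs, src_sg, src_ip, dst_sg, dst_ip, port, proto="tcp"):
    """Evaluate both halves of a security-group pair: source egress and destination
    ingress. Returns (ok, blocking_sides). Groups are stateful, so the reply path
    needs no rules of its own; route tables and network ACLs are not modelled."""
    blocked = []
    if not any(rule_matches(r, proto, port, dst_ip, dst_sg) for r in sgs[src_sg]["egress"]):
        blocked.append(f"{src_sg} egress does not allow {proto}/{port} to {dst_ip}")
    if not any(rule_matches(r, proto, port, src_ip, src_sg) for r in sgs[dst_sg]["ingress"]):
        blocked.append(f"{dst_sg} ingress does not allow {proto}/{port} from {src_sg}")
    return (not blocked, blocked)


def with_egress_to_rds(sgs):
    """The fix: a copy of the groups where the function's group may reach the DB group on 3306."""
    fixed = {name: {"egress": list(g["egress"]), "ingress": list(g["ingress"])}
             for name, g in sgs.items()}
    fixed["sg-lambda"]["egress"].append(
        {"proto": "tcp", "from_port": 3306, "to_port": 3306, "source_sg": "sg-rds"})
    return fixed


if __name__ == "__main__":
    for label, groups in (("before", SECURITY_GROUPS), ("after", with_egress_to_rds(SECURITY_GROUPS))):
        ok, why = can_connect(groups, "sg-lambda", LAMBDA_ENI_IP, "sg-rds", RDS_PRIVATE_IP, 3306)
        print(label, "reachable" if ok else "blocked: " + "; ".join(why))
```

The "before" run reports the Lambda group's egress as the blocking side even though the RDS group already trusts it, which is the half that is easy to forget when an organisation restricts egress.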

317
Multi-Select · hard

A company uses AWS CloudFormation to manage infrastructure. They need to update a stack that includes an Amazon RDS DB instance. To minimize downtime, they want to perform a rolling update. Which THREE properties must be set in the CloudFormation template?

Select 3 answers
A. CreationPolicy attribute with ResourceSignal
B. UpdatePolicy attribute with AutoScalingReplacingUpdate
C. UpdatePolicy attribute with AutoScalingRollingUpdate
D. DeletionPolicy attribute set to Snapshot
E. UpdatePolicy attribute with UseOnlineResizing
Answers: A, B, C

The UpdatePolicy controls how instances are replaced during an update; ResourceSignal makes CloudFormation wait for each new instance to report healthy before continuing.

Why this answer

Option C (UpdatePolicy with AutoScalingRollingUpdate) configures the rolling update itself: batch size, the minimum number of instances kept in service, and whether to wait for signals. Option A (CreationPolicy with ResourceSignal) makes CloudFormation wait for cfn-signal from each new instance, so an unhealthy batch fails the update instead of continuing. Option B (UpdatePolicy with AutoScalingReplacingUpdate) is the other supported update mode, which replaces the whole Auto Scaling group; the key counts it as part of the answer. Note that all three attributes apply to an AWS::AutoScaling::AutoScalingGroup (the application tier in the stack), not to the AWS::RDS::DBInstance itself, and that ReplacingUpdate and RollingUpdate are alternatives: when both are present, CloudFormation uses the replacing update only if WillReplace is true. Option D (DeletionPolicy: Snapshot) is good practice for the DB instance but governs deletion, not updates. Option E (UseOnlineResizing) is a real UpdatePolicy attribute, but for AWS::ElastiCache::ReplicationGroup, not for these resources.

318
MCQ · easy

Refer to the exhibit. A CloudFormation stack update resulted in a rollback. What is the most likely reason for the rollback?

A. A user manually cancelled the update of the Lambda function.
B. The Lambda function update timed out.
C. The Lambda function's IAM role did not have sufficient permissions.
D. The Lambda function code was invalid.
Answer: A

The event reason is 'Resource update cancelled by user'.

Why this answer

Option A is correct because the event shows the Lambda function's update failing with the reason 'Resource update cancelled by user', which means someone cancelled the stack update (for example with cancel-update-stack), after which CloudFormation rolled back. Option B is wrong because a timeout would say so in the reason. Option C is wrong because no permission error appears. Option D is wrong because invalid code would produce a validation message, not a cancellation. (The exhibit is not reproduced on this page.)
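For the four CloudFormation questions above (304, 311, 312 and 318), an added example that is not part of the original page: given the list that `aws cloudformation describe-stack-events` returns, it separates the resource that actually failed from the resources CloudFormation cancelled as a consequence, which is how the root cause is found in a long event list. The event lists here are constructed, including the error text, and `root_cause` and `failures_in_order` are names chosen for the example.

```python
import json
import sys
from datetime import datetime

# Constructed stack events in the shape of `aws cloudformation describe-stack-events`
# output (newest first, as the CLI returns them); not captured from a real account.
FAILED_CREATE_EVENTS = [
    {"Timestamp": "2024-05-01T10:05:30Z", "LogicalResourceId": "demo-stack",
     "ResourceType": "AWS::CloudFormation::Stack", "ResourceStatus": "ROLLBACK_COMPLETE"},
    {"Timestamp": "2024-05-01T10:05:10Z", "LogicalResourceId": "AppBucket",
     "ResourceType": "AWS::S3::Bucket", "ResourceStatus": "DELETE_COMPLETE"},
    {"Timestamp": "2024-05-01T10:04:50Z", "LogicalResourceId": "demo-stack",
     "ResourceType": "AWS::CloudFormation::Stack", "ResourceStatus": "ROLLBACK_IN_PROGRESS",
     "ResourceStatusReason": "The following resource(s) failed to create: [AppFunction]. "
                             "Rollback requested by user."},
    {"Timestamp": "2024-05-01T10:04:45Z", "LogicalResourceId": "AppBucket",
     "ResourceType": "AWS::S3::Bucket", "ResourceStatus": "CREATE_FAILED",
     "ResourceStatusReason": "Resource creation cancelled"},          # consequence, not cause
    {"Timestamp": "2024-05-01T10:04:40Z", "LogicalResourceId": "AppFunction",
     "ResourceType": "AWS::Lambda::Function", "ResourceStatus": "CREATE_FAILED",
     "ResourceStatusReason": 'Resource handler returned message: "runtime value is not supported"'},
    {"Timestamp": "2024-05-01T10:04:00Z", "LogicalResourceId": "demo-stack",
     "ResourceType": "AWS::CloudFormation::Stack", "ResourceStatus": "CREATE_IN_PROGRESS",
     "ResourceStatusReason": "User Initiated"},
]

# The question-318 case: an update that a person cancelled mid-flight.
CANCELLED_UPDATE_EVENTS = [
    {"Timestamp": "2024-05-02T09:01:00Z", "LogicalResourceId": "demo-stack",
     "ResourceType": "AWS::CloudFormation::Stack", "ResourceStatus": "UPDATE_ROLLBACK_COMPLETE"},
    {"Timestamp": "2024-05-02T09:00:20Z", "LogicalResourceId": "AppFunction",
     "ResourceType": "AWS::Lambda::Function", "ResourceStatus": "UPDATE_FAILED",
     "ResourceStatusReason": "Resource update cancelled by user"},
]

# Reasons CloudFormation stamps on resources it abandons because *another* resource
# failed. They are consequences of the rollback, not the cause.
CASCADE_REASONS = {"Resource creation cancelled", "Resource update cancelled"}


def _timestamp(event):
    return datetime.fromisoformat(event["Timestamp"].replace("Z", "+00:00"))


def failures_in_order(events):
    """All *_FAILED resource events, oldest first (the CLI returns newest first)."""
    return sorted((e for e in events if e["ResourceStatus"].endswith("_FAILED")), key=_timestamp)


def root_cause(events):
    """The earliest failure whose reason is not a rollback cascade, or None."""
    for event in failures_in_order(events):
        if event.get("ResourceStatusReason", "") not in CASCADE_REASONS:
            return event
    return None


def summarize(events):
    cause = root_cause(events)
    if cause is None:
        return "no non-cascade failure found"
    return f"{cause['ResourceType']} {cause['LogicalResourceId']}: {cause['ResourceStatusReason']}"


if __name__ == "__main__":
    # aws cloudformation describe-stack-events --stack-name demo-stack --query StackEvents > events.json
    events = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else FAILED_CREATE_EVENTS
    print(summarize(events))
```

Because the cascade reasons are compared exactly, 'Resource update cancelled by user' is reported as a cause rather than filtered out, which matches question 318: that message marks a deliberate cancellation, not collateral from another resource's failure.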

319
MCQ · medium

A developer is deploying a web application on AWS Elastic Beanstalk. The environment must maintain the same number of running instances throughout the deployment to ensure capacity. The developer also wants to minimize downtime. Which deployment policy should be used?

A. Rolling with additional batch
B. All at once
C. Rolling
D. Immutable
Answer: A

This policy adds an extra batch of instances before starting the rolling update, ensuring that capacity never drops below the original number of instances, thus maintaining full capacity and minimizing downtime.

Why this answer

Rolling with additional batch is correct because it first launches a new batch of instances in addition to the existing ones, ensuring full capacity is maintained throughout the deployment. Once the new instances are healthy, instances are updated in batches, and the original batch is terminated only after the new ones are fully serving traffic, minimizing downtime.

Exam trap

The trap here is that candidates often confuse 'rolling' with 'rolling with additional batch,' assuming both maintain capacity, but only the latter adds extra instances upfront to avoid any capacity reduction during the update.

How to eliminate wrong answers

Option B (All at once) is wrong because it replaces all instances simultaneously, causing downtime while the application is unavailable. Option C (Rolling) is wrong because it updates instances in batches but temporarily reduces capacity by taking a batch out of service before deploying to it, violating the requirement to maintain the same number of running instances. Option D (Immutable) also keeps capacity, but it launches a full second set of instances in a temporary Auto Scaling group inside the same environment, moves them into the original group once healthy, and only then retires the old instances (there is no environment URL swap); it is the slowest and most expensive of the four because the whole fleet is doubled until the new instances pass health checks, which is why the key prefers A.

320
MCQ · medium

A developer is using AWS CloudFormation to deploy a stack that includes an Amazon ECS service. The developer wants to ensure that the ECS service is updated with a new task definition before the old tasks are stopped. Which deployment controller type should be used?

A. ECS (rolling update).
B. Recreate.
C. CodeDeploy (blue/green).
D. External.
Answer: A

The ECS deployment controller replaces tasks in a rolling fashion and, with the right deployment configuration, starts new tasks before old ones are stopped.

Why this answer

Option A is correct because the ECS deployment controller performs a rolling update of the service: it starts tasks from the new task definition and stops old ones as the new ones pass health checks, governed by the service's deployment configuration (minimumHealthyPercent keeps old tasks running until replacements are healthy; maximumPercent allows the temporary overlap). Option B is wrong because 'Recreate' is not an ECS deployment controller type; the only types are ECS, CODE_DEPLOY and EXTERNAL. Option C is wrong because the CODE_DEPLOY controller is for CodeDeploy blue/green deployments with two target groups, which is more than the question asks for. Option D is wrong because EXTERNAL hands control of task sets to a third-party deployment tool.

321
MCQ · hard

An organization uses AWS Lambda functions behind an Amazon API Gateway REST API. They want to deploy a new version of the Lambda function using canary deployments. What is the recommended approach?

A. Use AWS CodeDeploy to create a canary deployment for the Lambda function.
B. Use API Gateway canary release deployment to shift traffic to the new Lambda version.
C. Deploy the new Lambda version using AWS SAM with AutoPublishAlias and DeploymentPreference.
D. Configure the Lambda function alias with traffic shifting using weights.
Answer: D

Lambda aliases can route a percentage of traffic to a new version.

Why this answer

Option D is correct because Lambda function aliases support traffic shifting by assigning weights to different versions, enabling canary deployments without external services. This is the native AWS mechanism for gradually routing a percentage of invocations to a new version while monitoring for errors, then shifting all traffic once stable.

Exam trap

The trap here is confusing API Gateway canary releases (which shift traffic between API stages) with Lambda alias traffic shifting (which shifts traffic between function versions), leading candidates to pick Option B when the question specifically asks about deploying a new Lambda function version.

How to eliminate wrong answers

Option A is wrong because AWS CodeDeploy can orchestrate canary deployments for Lambda, but the question asks for the recommended approach, and native Lambda alias traffic shifting is simpler and more direct. Option B is wrong because API Gateway canary release deployments shift traffic between API stages (e.g., prod vs. canary), not between Lambda function versions; the canary is at the API level, not the Lambda function level. Option C is wrong because AWS SAM's AutoPublishAlias and DeploymentPreference are a valid way to get a canary deployment, but they work by provisioning a CodeDeploy application and deployment group that shifts the alias's weights; the native mechanism all of these rest on is configuring the alias with weights.

322
MCQ · easy

A company uses AWS Elastic Beanstalk to run a web application. They want to deploy a new version with zero downtime. They have a production environment running the current version and a staging environment running the new version. After thoroughly testing the staging environment, they want to swap the URLs so that production now points to the new version. Which deployment strategy should they use?

A. Blue/green deployment with CNAME swap
B. Rolling deployment
C. Immutable deployment
D. All at once deployment
Answer: A

This strategy uses two separate environments and swaps their CNAME records, enabling zero-downtime switching to the new version.

Why this answer

Blue/green deployment with a CNAME swap is the correct strategy because it allows you to run two identical environments (blue = current production, green = new version) and switch traffic atomically by updating the DNS CNAME record. This achieves zero downtime since the production environment remains active until the swap is complete, and the staging environment has been fully tested. Elastic Beanstalk supports this by letting you perform a CNAME swap between environments via the console, CLI, or API.

Exam trap

The trap here is that candidates confuse blue/green deployment with immutable deployment, but immutable deployment does not allow you to maintain a separate staging environment for testing before the swap; it only replaces instances in the same environment.

How to eliminate wrong answers

Option B (Rolling deployment) is wrong because it updates instances in batches within the same environment, which can cause temporary capacity reduction and potential downtime if the new version has issues. Option C (Immutable deployment) is wrong because it launches a new Auto Scaling group with the new version, then swaps instances, but it does not allow you to pre-test the new version in a separate staging environment before traffic is routed. Option D (All at once deployment) is wrong because it deploys the new version to all instances simultaneously, causing downtime during the deployment process and no ability to test the new version in isolation.

323
MCQ · hard

Refer to the exhibit. An IAM policy is attached to a user who needs to deploy a serverless application. The user reports that they cannot upload a new version of a Lambda function using the AWS CLI. What is the MOST likely reason?

A. The Lambda invoke permission is scoped to a specific function.
B. The policy does not include lambda:UpdateFunctionCode.
C. The user does not have permission to write to the S3 bucket.
D. The user is not in the same AWS region as the Lambda function.
Answer: B

UpdateFunctionCode action is missing.

Why this answer

The error occurs because the IAM policy attached to the user does not include the `lambda:UpdateFunctionCode` permission, which is required to upload a new version of a Lambda function via the AWS CLI. Without this action, the `update-function-code` command fails, even if other Lambda permissions like `lambda:InvokeFunction` are present. The policy must explicitly allow `lambda:UpdateFunctionCode` to enable code updates.

Exam trap

The trap here is that candidates assume the error is due to S3 permissions (Option C) because they think Lambda code must be uploaded from S3, but the CLI can upload directly from a local file, and the real missing permission is `lambda:UpdateFunctionCode`.

How to eliminate wrong answers

Option A is wrong because `lambda:InvokeFunction` permission scoped to a specific function does not affect the ability to upload code; it only controls invocation access. Option C is wrong because the error is about uploading a new Lambda function version, not about writing to an S3 bucket; the CLI command `update-function-code` can accept a zip file directly without S3. Option D is wrong because AWS CLI operations for Lambda are region-scoped by the user's configuration, not by IAM policy; the user can specify the region via `--region` flag or config, and the policy does not restrict regions.
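A small policy evaluator covering questions 306 and 323, added here and not taken from the page: it applies IAM's top-level rule (an explicit deny wins, otherwise any matching allow, otherwise implicit deny) to constructed policies and lists the actions each one lacks for the operation in question. The policies, ARNs and required-action lists are constructed; conditions, NotAction, resource-based policies and SCPs are not modelled.

```python
import fnmatch

# Constructed ARNs and policies (not from a real account).
BUCKET_ARN = "arn:aws:s3:::example-app-data"
KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"
FUNCTION_ARN = "arn:aws:lambda:us-east-1:123456789012:function:order-api"

# Question 306: the Lambda role lists S3 actions only, but the bucket uses SSE-KMS.
LAMBDA_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["s3:GetObject", "s3:PutObject"],
                   "Resource": f"{BUCKET_ARN}/*"}],
}
# What an SSE-KMS object operation needs from the caller: the S3 action plus the KMS
# action that S3 performs with the caller's credentials.
SSE_KMS_WRITE = [("s3:PutObject", f"{BUCKET_ARN}/reports/2024.csv"), ("kms:GenerateDataKey", KEY_ARN)]
SSE_KMS_READ = [("s3:GetObject", f"{BUCKET_ARN}/reports/2024.csv"), ("kms:Decrypt", KEY_ARN)]

# Question 323: the deployer may invoke and inspect functions, never touch prod-*,
# and was never granted UpdateFunctionCode.
DEPLOYER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["lambda:InvokeFunction", "lambda:GetFunction*"],
         "Resource": "arn:aws:lambda:us-east-1:123456789012:function:*"},
        {"Effect": "Deny", "Action": "lambda:*",
         "Resource": "arn:aws:lambda:*:*:function:prod-*"},
    ],
}
UPDATE_CODE = [("lambda:UpdateFunctionCode", FUNCTION_ARN)]


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # Action names are case-insensitive; '*' and '?' are IAM's only wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern, arn):
    return fnmatch.fnmatchcase(arn, pattern)        # ARN matching keeps case


def is_allowed(policy, action, resource):
    """Top-level IAM evaluation for one identity policy: a matching explicit Deny wins,
    otherwise any matching Allow grants, otherwise the request is implicitly denied."""
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        if not any(_action_matches(p, action) for p in _as_list(stmt.get("Action"))):
            continue
        if not any(_resource_matches(p, resource) for p in _as_list(stmt.get("Resource"))):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def missing_permissions(policy, required):
    """required: list of (action, resource) pairs; returns those the policy does not allow."""
    return [(a, r) for a, r in required if not is_allowed(policy, a, r)]


if __name__ == "__main__":
    print("306 write to SSE-KMS bucket, missing:", missing_permissions(LAMBDA_ROLE_POLICY, SSE_KMS_WRITE))
    print("323 update-function-code, missing:", missing_permissions(DEPLOYER_POLICY, UPDATE_CODE))
```

For a live account the same question is answered authoritatively by `aws iam simulate-principal-policy`, which does evaluate conditions and resource policies; the evaluator above is only for reasoning about a policy document in isolation.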

324
MCQ · hard

A developer is deploying a microservices application on Amazon ECS with the Fargate launch type. The application uses an Application Load Balancer (ALB) to route traffic. The developer wants to perform a blue/green deployment with automated traffic shifting using AWS CodeDeploy. What is the minimum number of target groups required for this deployment?

A. One
B. Two
C. Three
D. Four
Answer: B

Two target groups are needed: one for the blue (original) tasks and one for the green (replacement) tasks. CodeDeploy shifts traffic between them.

Why this answer

In a blue/green deployment with AWS CodeDeploy and an Application Load Balancer (ALB) on Amazon ECS (Fargate), two target groups are required: one for the 'blue' (current) environment and one for the 'green' (new) environment. CodeDeploy shifts traffic from the blue target group to the green target group by updating the ALB listener rules, allowing zero-downtime deployments and automated rollback if needed.

Exam trap

The trap here is that candidates often confuse blue/green deployments with canary deployments or assume that a single target group with multiple ports can serve both environments, but AWS CodeDeploy for ECS explicitly requires two distinct target groups to manage traffic shifting and rollback.

How to eliminate wrong answers

Option A is wrong because a single target group cannot differentiate between the blue and green environments; traffic shifting requires two separate target groups to route traffic to the old and new task sets independently. Option C is wrong because three target groups are unnecessary; the blue/green deployment model only needs one target group for each environment (two total), and no additional target group is required for the ALB listener. Option D is wrong because four target groups are excessive; the deployment does not require any extra target groups beyond the two used for blue and green.

325
MCQ · medium

A developer uses AWS CodeBuild to run unit tests. The build succeeds but the tests fail. The developer wants to fail the build if tests fail. What should the developer do?

A. Ensure the test command exits with a non-zero status on failure.
B. Run tests in the post_build phase.
C. Set the command to always exit 0.
D. Enable build badges.
Answer: A

CodeBuild fails build on non-zero exit.

Why this answer

In CodeBuild, the build phase succeeds or fails based on the exit code of the commands in the buildspec. By default, if a test command exits with a non-zero status, CodeBuild marks the build as FAILED. Therefore, ensuring the test command exits with a non-zero status on failure is the correct approach to fail the build when tests fail.

Exam trap

The trap here is that candidates may think moving tests to a different phase (post_build) or enabling badges will fix the issue, but the core mechanism is the exit code of the command, not the phase or visual indicators.

How to eliminate wrong answers

Option B is wrong because running tests in the post_build phase does not change the exit code behavior; the post_build phase also respects exit codes, but the issue is about the test command's exit status, not the phase. Option C is wrong because setting the command to always exit 0 would suppress the failure indication, causing the build to succeed even when tests fail, which is the opposite of the desired outcome. Option D is wrong because enabling build badges only adds a visual status badge to the repository; it does not affect build success or failure behavior.

326
MCQeasy

A developer is deploying an application on Amazon ECS using the Fargate launch type. The application needs to read configuration data from an Amazon S3 bucket. How should the developer securely provide the S3 bucket name to the container at runtime?

A.Define an environment variable in the ECS task definition with the bucket name.
B.Hardcode the bucket name in the application code.
C.Use AWS Systems Manager Parameter Store and retrieve the bucket name at startup.
D.Store the bucket name in the container image's environment file.
AnswerA

Environment variables can be set in the task definition and accessed by the container.

Why this answer

Option A is correct because environment variables in the task definition can include the bucket name, and using an IAM task role ensures secure access to the bucket. Option B is wrong because hardcoding is insecure. Option D is wrong because storing the value in the container image is not dynamic.

Option C is wrong because storing the name in Parameter Store is good practice, but environment variables combined with IAM roles are simpler for this use case.

327
MCQmedium

A company uses AWS CloudFormation to manage infrastructure. A developer wants to update a stack but needs to ensure that certain resources are not accidentally deleted. The developer wants to protect specific resources from stack updates that would delete them. Which CloudFormation feature should the developer use?

A.Enable termination protection on the stack
B.Use a Change Set to review changes before applying them
C.Use a stack policy to prevent deletion of specific resources
D.Set the DeletionPolicy attribute to Retain on the resources
AnswerD

DeletionPolicy: Retain prevents deletion of specific resources during stack update or deletion.

Why this answer

Option C is correct because termination protection prevents a stack from being deleted, but not individual resources. Stack policy controls which resources can be updated or deleted. Option A is incorrect because a stack policy can protect resources.

Option B is incorrect because a Change Set shows changes but does not prevent deletion. Option D is incorrect because DeletionPolicy is a resource attribute that can preserve resources, but it is set at resource level, not during update.

328
MCQmedium

A developer is using AWS CodeDeploy to deploy an application to a fleet of EC2 instances in an Auto Scaling group. The application must remain available during the deployment. The developer wants to update one instance at a time, ensuring that only one instance is taken offline at any moment. Which deployment configuration should the developer choose?

A.CodeDeployDefault.OneAtATime
B.CodeDeployDefault.HalfAtATime
C.CodeDeployDefault.AllAtOnce
D.CodeDeployDefault.LambdaCanary10Percent5Minutes
AnswerA

This configuration deploys to exactly one instance at a time. It ensures minimal disruption because only one instance is removed from service during each deploy interval.

Why this answer

CodeDeployDefault.OneAtATime is the correct deployment configuration because it deploys the application to only one instance at a time, ensuring that the remaining instances continue to serve traffic. This matches the requirement to take only one instance offline at any moment, preserving high availability throughout the deployment.

Exam trap

The trap here is that candidates may confuse 'one at a time' with 'half at a time' or 'all at once' due to misreading the requirement for minimal disruption, or they may incorrectly apply a Lambda-specific configuration to an EC2 deployment.

How to eliminate wrong answers

Option B is wrong because CodeDeployDefault.HalfAtATime deploys to half of the instances simultaneously, which would take multiple instances offline at once, violating the requirement to update only one instance at a time. Option C is wrong because CodeDeployDefault.AllAtOnce deploys to all instances concurrently, taking the entire fleet offline simultaneously and causing downtime. Option D is wrong because CodeDeployDefault.LambdaCanary10Percent5Minutes is a deployment configuration for AWS Lambda functions, not for EC2 instances in an Auto Scaling group, and it uses a canary traffic-shifting pattern irrelevant to EC2-based deployments.

329
MCQhard

A team is using AWS CodePipeline with multiple stages: Source, Build, Test, and Deploy. The Deploy stage uses AWS CodeDeploy to deploy to an EC2 Auto Scaling group. The pipeline runs successfully, but the application still serves the old version. What is the most likely cause?

A.The CodeDeploy deployment group is associated with a different Auto Scaling group than the one serving traffic.
B.The load balancer's target group is not pointing to the correct instances.
C.The build artifact in the Source stage is corrupted.
D.The CodeBuild stage failed silently and did not produce a new artifact.
AnswerA

The deployment goes to the wrong instances, so the live instances are not updated.

Why this answer

Option A is correct because if the CodeDeploy deployment group is configured to deploy to a different Auto Scaling group, the new revision is deployed to the wrong instances. Option C is incorrect because the pipeline succeeded, so the artifact is not corrupted. Option B is incorrect because a misconfigured load balancer would cause health check issues but would not serve the old version.

Option D is incorrect because a failed CodeBuild stage would prevent the pipeline from reaching the Deploy stage.

330
MCQhard

A company is using AWS CloudFormation to manage infrastructure. The developer wants to update a stack but needs to prevent specific resources from being replaced. What CloudFormation feature should the developer use?

A.Use a custom resource to manage the update logic.
B.Apply a stack policy that denies updates to the specific resources.
C.Create a change set to review the changes before execution.
D.Use a deletion policy attribute on the resources to protect them.
AnswerB

Stack policies can prevent updates to specified resources.

Why this answer

A stack policy is a JSON-based policy that defines which resources in a CloudFormation stack can be updated, replaced, or deleted. By applying a stack policy that denies updates to specific resources, the developer can prevent those resources from being replaced during a stack update, even if the template change would normally trigger a replacement.

Exam trap

The trap here is confusing a deletion policy (which only protects against stack deletion) with a stack policy (which controls update-time replacement), leading candidates to incorrectly choose Option D.

How to eliminate wrong answers

Option A is wrong because custom resources are used to implement custom provisioning logic (e.g., calling an external API) during stack operations, not to prevent resource replacement. Option C is wrong because a change set only allows you to preview the changes that will be made; it does not prevent specific resources from being replaced. Option D is wrong because a deletion policy (e.g., Retain, Snapshot) only controls what happens when a resource is deleted from the stack; it does not prevent the resource from being replaced during an update.

331
Multi-Selecthard

Which THREE components are required to perform a blue/green deployment of an application running on Amazon ECS using AWS CodeDeploy? (Select THREE.)

Select 3 answers
A.An Amazon ECS cluster
B.An Application Load Balancer
C.An AWS CodeDeploy deployment group
D.An AWS CodeDeploy application
E.A target tracking scaling policy
AnswersB, C, D

The ALB is used to shift traffic between blue and green task sets.

Why this answer

Options B, C, and D are correct. CodeDeploy requires a CodeDeploy application and a deployment group. An ECS service fronted by a load balancer is also required.

Option A is wrong because, although an ECS cluster is required, the question asks for components and the cluster is implicit; the deployment group references the ECS service, so the cluster is needed, but among the listed options only B, C, and D are explicitly required. Option E is wrong because a target tracking scaling policy is not required for a blue/green deployment.

332
MCQmedium

A developer is deploying a microservice using AWS CodeDeploy with an Amazon ECS compute platform. The service must be updated with a blue/green deployment strategy. The developer wants to ensure that if the deployment fails, the new task set is automatically terminated and the original task set continues to serve traffic. Which configuration should the developer set?

A.Set the deployment configuration to 'AllAtOnce' and enable termination of the original task set
B.Define a blue/green deployment using an AppSpec file with a 'Hooks' section to specify a 'BeforeAllowTraffic' hook that checks health. If the check fails, CodeDeploy automatically rolls back.
C.Set the deployment group's 'Rollback configuration' to automatically roll back failed deployments and configure the 'Deployment configuration' to terminate the original task set on success, but keep it on failure.
D.Use a manual approval step in the pipeline to decide whether to terminate the new task set.
AnswerC

By enabling automatic rollback in the deployment group, CodeDeploy will automatically roll back to the original task set if the deployment fails. The 'terminate original task set on success' setting ensures that after a successful deployment, the old task set is terminated. The rollback configuration handles the failure case by terminating the new task set and keeping the original.

Why this answer

Option C is correct because AWS CodeDeploy for Amazon ECS blue/green deployments allows you to configure automatic rollback on failure within the deployment group settings. By enabling 'Rollback configuration' to automatically roll back failed deployments and setting the 'Deployment configuration' to terminate the original task set only on success (keeping it on failure), you ensure that if the deployment fails, the new task set is automatically terminated and the original task set continues to serve traffic. This directly meets the requirement without manual intervention.

Exam trap

The trap here is that candidates often confuse the 'Rollback configuration' with hook-based health checks, not realizing that hooks alone do not trigger automatic rollback—you must explicitly enable rollback in the deployment group settings.

How to eliminate wrong answers

Option A is wrong because 'AllAtOnce' is a deployment configuration for EC2/On-Premises compute platforms, not for Amazon ECS; ECS blue/green deployments use a 'canary' or 'linear' configuration, and 'AllAtOnce' does not control termination of the original task set. Option B is wrong because while a 'BeforeAllowTraffic' hook can check health, CodeDeploy does not automatically roll back based on hook failures; hooks only shift traffic after success, and rollback must be explicitly configured in the deployment group. Option D is wrong because a manual approval step in the pipeline does not automatically terminate the new task set on failure; it requires human intervention and does not integrate with CodeDeploy's native rollback mechanism.

333
MCQeasy

A developer is creating a deployment pipeline using AWS CodePipeline. The pipeline includes a source stage from Amazon S3, a build stage using AWS CodeBuild, and a deploy stage using AWS CloudFormation. The developer wants to ensure that the pipeline can automatically create the CloudFormation stack if it does not exist. Which action mode should the developer use in the CloudFormation deploy action?

A.UPDATE_ONLY
B.CREATE_UPDATE
C.REPLACE_ON_FAILURE
D.CREATE_ONLY
AnswerB

This creates or updates the stack.

Why this answer

Option B is correct because the 'CREATE_UPDATE' action mode creates a new stack if it does not exist or updates it if it does. Option C is wrong because 'REPLACE_ON_FAILURE' only replaces a failed stack. Option D is wrong because 'CREATE_ONLY' only creates a stack and does not update an existing one.

Option A is wrong because 'UPDATE_ONLY' only updates an existing stack and fails if the stack does not exist.

334
MCQmedium

A developer is using AWS Elastic Beanstalk to deploy a web application. The application requires custom configuration, such as setting environment variables for the EC2 instances. Which file should the developer include in the application source bundle under the appropriate directory to achieve this?

A.Include a buildspec.yml file in the root directory.
B.Include a .ebextensions/options.config file.
C.Include an appspec.yml file.
D.Include a cron.yaml file.
AnswerB

Files in the .ebextensions directory with a .config extension are automatically processed by Elastic Beanstalk. They can set environment variables using the option_settings key, among other configurations.

Why this answer

Option B is correct because AWS Elastic Beanstalk uses `.ebextensions` directory with `.config` files (e.g., `options.config`) to define custom configuration, including environment variables for EC2 instances. These YAML or JSON files are processed during environment creation and updates, allowing you to set `option_settings` that override or augment the default platform configuration.

Exam trap

The trap here is that candidates confuse Elastic Beanstalk configuration files with other AWS service configuration files (CodeBuild's `buildspec.yml` or CodeDeploy's `appspec.yml`) or assume `cron.yaml` can handle general environment settings, leading them to pick a wrong option based on familiarity with other services.

How to eliminate wrong answers

Option A is wrong because `buildspec.yml` is used by AWS CodeBuild to define build commands and output artifacts, not by Elastic Beanstalk for environment configuration. Option C is wrong because `appspec.yml` is used by AWS CodeDeploy to manage deployment lifecycle hooks and file permissions, not by Elastic Beanstalk for custom EC2 settings. Option D is wrong because `cron.yaml` is used by Elastic Beanstalk for periodic tasks (worker environment cron jobs), not for setting environment variables or general configuration.

335
MCQhard

A company is deploying a microservices-based application on Amazon ECS using Fargate. The application consists of three services: frontend, backend, and database. The database service uses Amazon Aurora Serverless. The frontend and backend services are deployed as separate ECS services. The company uses AWS CodePipeline for CI/CD. Each service has its own CodePipeline pipeline that builds a Docker image and pushes it to Amazon ECR, then updates the ECS service with the new image. Recently, the backend service deployment started causing intermittent errors. After investigation, the developer found that the backend service is being updated while the frontend service is still pointing to the old backend version, causing API incompatibility. The developer needs to ensure that the backend service is updated before the frontend service, and that both are updated atomically. The developer also wants to automate the update process using CodePipeline. What should the developer do?

A.Add a manual approval step between the backend and frontend pipelines.
B.Create a single pipeline that deploys both services simultaneously by updating both ECS services in a single CodeDeploy deployment.
C.Configure the frontend pipeline to trigger after the backend pipeline completes using Amazon CloudWatch Events.
D.Create a single pipeline with separate stages: first deploy backend, then after successful deployment, deploy frontend.
AnswerD

Sequential stages in one pipeline ensure order and atomicity of the release.

Why this answer

Option D is correct because a single pipeline with sequential stages ensures the backend is deployed first, and the frontend deploys only after the backend is stable. Option C is wrong because event triggers do not control ordering. Option A is wrong because manual approval is not atomic and can be error-prone.

Option B is wrong because updating both services in one deployment is not atomic; the two updates should be sequential stages in one pipeline.

336
MCQhard

A company is deploying a new microservice on AWS Lambda that processes high-resolution images and stores results in Amazon S3. The Lambda function currently uses 1024 MB of memory and has a timeout of 2 minutes. During peak load, many invocations are timing out. The function is CPU-bound during image processing. Which change is MOST likely to reduce timeouts without increasing costs unnecessarily?

A.Increase the function memory to 3008 MB.
B.Enable provisioned concurrency to reduce cold starts.
C.Increase the function memory to 2048 MB.
D.Increase the function timeout to 5 minutes.
AnswerC

Lambda allocates CPU proportionally to memory; more memory speeds up CPU-bound tasks, reducing execution time.

Why this answer

Option C is correct because increasing memory from 1024 MB to 2048 MB proportionally increases CPU allocation in AWS Lambda (up to 1.7 GHz per vCPU at 1769 MB). Since the function is CPU-bound, this directly reduces processing time, mitigating timeouts without the cost spike of 3008 MB. The cost increase is linear with memory, so doubling memory doubles cost per invocation, but the reduced duration often offsets this, keeping total cost similar or lower.

Exam trap

The trap here is that candidates assume increasing timeout (Option D) is the simplest fix for timeouts, ignoring that CPU-bound functions need more CPU, not just more time, and that provisioned concurrency (Option B) is mistakenly thought to improve execution speed rather than just reducing cold start latency.

How to eliminate wrong answers

Option A is wrong because increasing memory to 3008 MB provides more CPU than needed for a CPU-bound task, leading to unnecessary cost without proportional performance gain (Lambda CPU scales linearly up to ~1769 MB, then plateaus). Option B is wrong because provisioned concurrency addresses cold starts, not timeout issues caused by insufficient CPU during peak load; it does not reduce execution time for CPU-bound processing. Option D is wrong because increasing the timeout to 5 minutes does not fix the root cause (CPU-bound processing is too slow); it only delays the timeout, allowing the function to run longer but still at the same slow speed, potentially increasing costs due to longer execution duration.

337
MCQeasy

A developer deploys a new version of an AWS Lambda function using the AWS CLI. The deployment fails with a 'ResourceConflictException' error. What is the most likely cause?

A.The function's handler name is incorrect in the deployment package.
B.The Lambda function's IAM role is missing necessary permissions.
C.The Lambda function's memory limit is set too low for the deployment package.
D.Another deployment is currently in progress for the same Lambda function.
AnswerD

AWS Lambda does not allow concurrent updates; a 'ResourceConflictException' indicates an ongoing update.

Why this answer

The error occurs when trying to update a Lambda function's code while a deployment is in progress or when the function's reserved concurrency is being modified. Option D is correct because publishing a new version during an active deployment causes a conflict. Options A, B, and C are incorrect because an incorrect handler name, missing IAM permissions, or exceeding memory limits cause different errors.

338
MCQhard

The developer tries to deploy this stack but receives an error: 'CREATE_FAILED: LambdaExecutionRole - Resource creation cancelled'. The Lambda function is not created. What is the most likely cause?

A.The S3 bucket is in a different region
B.The Lambda function handler name is incorrect
C.The Lambda function code is missing from the S3 bucket
D.The IAM user does not have permission to create IAM roles
AnswerD

Creation cancelled typically indicates a permissions issue.

Why this answer

The error 'Resource creation cancelled' often occurs when a dependent resource (the Lambda function) references a resource that hasn't been created yet. In this template, the Lambda function depends on the role (via !GetAtt), but the role creation might fail due to permissions. However, the error says the role itself had creation cancelled.

The most likely cause is that the role creation was cancelled due to a dependency on a resource that doesn't exist. But in this case, the role has no dependencies. The error might be due to a missing permission to create the role.

Option A is correct because the role creation fails due to missing iam:CreateRole permission. Option B (Lambda function error) would show a different error. Option C (S3 bucket) would affect the Lambda function, not the role.

Option D (incorrect role name) would cause a different error.

339
MCQhard

A developer is using AWS CodeDeploy with a blue/green deployment on an Amazon ECS service running on Fargate. The developer wants to ensure that the new (green) task set is fully healthy and serving traffic before the old (blue) task set is terminated. The deployment should automatically roll back to the blue task set if the green task set fails health checks. Which configuration should the developer set in the CodeDeploy deployment group?

A.Deployment type: blue/green, with rollback configuration enabled to trigger automatic rollback and reroute traffic to the original task set
B.Deployment type: blue/green, Deployment configuration: CodeDeployDefault.ECSAllAtOnce
C.Deployment type: blue/green, Deployment configuration: CodeDeployDefault.ECSLinear10PercentEvery1Minutes
D.Deployment type: blue/green, with an Application Load Balancer
AnswerA

Correct. This configuration ensures that if the new task set fails, CodeDeploy rolls back to the previous version.

Why this answer

Option A is correct because the developer needs to configure the CodeDeploy deployment group with a blue/green deployment type and enable automatic rollback. This ensures that if the green task set fails health checks, CodeDeploy automatically terminates the green deployment and reroutes traffic back to the original blue task set, meeting the requirement for a fully healthy green task set before termination.

Exam trap

The trap here is that candidates often confuse deployment configurations (like AllAtOnce or Linear) with rollback settings, assuming that a traffic shifting strategy alone ensures health checks and automatic rollback, but rollback must be explicitly configured in the deployment group.

How to eliminate wrong answers

Option B is wrong because CodeDeployDefault.ECSAllAtOnce is a deployment configuration that shifts all traffic to the green task set immediately, which does not ensure the green task set is fully healthy before the blue task set is terminated; it also lacks automatic rollback on health check failure. Option C is wrong because CodeDeployDefault.ECSLinear10PercentEvery1Minutes is a linear traffic shifting configuration that gradually moves traffic in 10% increments every minute, but it does not automatically roll back to the blue task set if the green task set fails health checks; it only controls the traffic shift rate. Option D is wrong because while an Application Load Balancer is required for blue/green deployments on ECS, it alone does not provide the automatic rollback behavior needed; the rollback configuration must be explicitly enabled in the deployment group.

340
MCQhard

A team is using AWS CodePipeline to deploy a critical application to Amazon ECS. The pipeline has a deployment stage that uses Amazon ECS (Blue/Green) action with CodeDeploy. Recently, the deployment failed because the new task set did not become healthy within the specified timeout. The team wants to ensure that future deployments automatically roll back if the health check fails. What should the team do?

A.Create a CloudWatch alarm that triggers when the healthy task count of the ECS service falls below a threshold. Configure the CodeDeploy deployment group to automatically roll back when this alarm is in ALARM state.
B.Modify the CodeDeploy deployment group to enable automatic rollback when a deployment fails. The deployment will automatically revert to the last successful deployment.
C.Increase the deployment timeout in the CodeDeploy deployment configuration to allow more time for the new task set to become healthy.
D.Configure the ECS service to automatically roll back to the previous task definition if the deployment fails. Use the ECS service's deployment circuit breaker.
AnswerA

This allows automatic rollback based on health check failure, as the healthy task count will drop.

Why this answer

Option A is correct because it leverages CloudWatch alarms to monitor the health of the ECS service's new task set. When the alarm triggers due to insufficient healthy tasks, CodeDeploy can automatically initiate a rollback to the previous revision. This approach provides a proactive, health-based rollback mechanism that directly addresses the failure condition described (new task set not becoming healthy within timeout).

Exam trap

The trap here is that candidates confuse 'automatic rollback on deployment failure' (Option B) with 'health-based rollback via CloudWatch alarms' (Option A), not realizing that the former only triggers after the deployment times out, while the latter proactively rolls back during the health check phase.

How to eliminate wrong answers

Option B is wrong because enabling automatic rollback on deployment failure only triggers after the deployment has already failed (e.g., timeout exceeded), not when health checks fail during the deployment's lifecycle. Option C is wrong because increasing the timeout merely delays the failure detection; it does not implement a rollback mechanism. Option D is wrong because the ECS service's deployment circuit breaker rolls back the ECS service itself, but it does not integrate with CodeDeploy's Blue/Green deployment lifecycle or trigger a rollback of the CodePipeline pipeline stage.

341
MCQmedium

A developer is deploying a serverless application using the AWS Serverless Application Model (SAM). The application includes an Amazon API Gateway HTTP API and several AWS Lambda functions. The developer wants to implement a canary deployment for the API Gateway stage so that 10% of traffic is shifted to the new version for 30 minutes before the remaining 90% is shifted. Which SAM resource attribute should the developer configure on the API Gateway resource?

A.AutoPublishAlias
B.DeploymentPreference
C.ProvisionedConcurrencyConfig
D.EventInvokeConfig
AnswerB

DeploymentPreference with a Canary setting enables gradual traffic shifting for the API Gateway stage.

Why this answer

The `DeploymentPreference` attribute on an AWS::Serverless::Api resource in SAM enables canary deployments by allowing you to specify traffic-shifting patterns, such as `Canary10Percent30Minutes`. This shifts 10% of traffic to the new API Gateway stage for 30 minutes before rolling out the remaining 90%, exactly matching the requirement.

Exam trap

The trap here is that candidates confuse `AutoPublishAlias` (which manages Lambda versioning) with `DeploymentPreference` (which manages API Gateway stage traffic shifting), leading them to pick A when the question explicitly asks about API Gateway canary deployments.

How to eliminate wrong answers

Option A is wrong because `AutoPublishAlias` is used for Lambda functions to automatically publish a new version and update an alias, but it does not control API Gateway stage traffic shifting. Option C is wrong because `ProvisionedConcurrencyConfig` is for Lambda functions to pre-warm execution environments, not for API Gateway deployment strategies. Option D is wrong because `EventInvokeConfig` configures Lambda function invocation settings like retries and DLQ, not API Gateway canary deployments.

342
MCQmedium

Refer to the exhibit. A developer attempted to update a CloudFormation stack that includes an EC2 instance. The update failed and the stack is rolling back. The event shows that the EC2 instance update failed with reason 'Resource update cancelled: stack update cancelled'. What is the most likely cause of this failure?

A.A stack policy is preventing updates to the EC2 instance resource.
B.The IAM user does not have permission to update EC2 instances.
C.The template has a missing required parameter for the EC2 instance.
D.The EC2 instance is in a stopped state and cannot be updated.
AnswerA

Stack policies can prevent updates to specific resources, causing the update to be cancelled.

Why this answer

Option A is correct because the error 'Resource update cancelled: stack update cancelled' indicates that the stack update was cancelled, most likely because a stack policy denies updates to the EC2 instance. Option B is wrong because insufficient permissions would produce a different error. Option D is wrong because an instance in a stopped state would produce a different error.

Option C is wrong because a missing parameter would cause a validation error before the update starts.

343
Multi-Selecthard

A developer is using AWS CodeDeploy to deploy an application to an Auto Scaling group. The deployment is set to use a 'OneAtATime' deployment configuration. The developer wants to ensure that the deployment does not cause downtime. Which TWO configurations are necessary?

Select 2 answers
A.Set the 'IgnoreApplicationStopFailures' flag to true.
B.Configure a load balancer for the Auto Scaling group.
C.Use an 'AllAtOnce' deployment configuration.
D.Configure health checks on the load balancer.
E.Install the CodeDeploy agent on each instance.
AnswersB, D

A load balancer can drain connections and reroute traffic.

Why this answer

Options B and D are correct. A load balancer is necessary to route traffic away from instances being updated. Health checks ensure that an instance is healthy before traffic is routed back to it.

Option C is wrong because 'AllAtOnce' would cause downtime. Option A is wrong because 'IgnoreApplicationStopFailures' would ignore failures, potentially causing issues. Option E is wrong because the CodeDeploy agent is necessary for any deployment to the instances, not specifically for avoiding downtime.

344
MCQmedium

A company uses AWS CloudFormation to deploy infrastructure. The development team wants to update a stack that includes an Amazon RDS database. The update requires changing the DB instance class, which will cause a brief downtime. The team wants to minimize downtime by creating a new database instance before deleting the old one. Which CloudFormation stack update policy should be used?

A.Use a 'DeletionPolicy' attribute set to 'Delete' for the RDS instance.
B.Use a 'DeletionPolicy' attribute set to 'Snapshot' for the RDS instance.
C.Use an 'UpdatePolicy' attribute with 'UseOnlineResharding' set to true.
D.Use an 'UpdatePolicy' attribute with 'AutoScalingReplacingUpdate' set to true.
AnswerD

For resources that support replacement updates, this policy creates a new resource before deleting the old one, minimizing downtime.

Why this answer

Option D is correct because the 'AutoScalingReplacingUpdate' update policy directs CloudFormation to create a new resource (in this case, an RDS DB instance) before deleting the old one, enabling a rolling replacement that minimizes downtime. This policy is specifically designed for resources that support replacement updates, allowing the new instance to be provisioned and traffic shifted before the old instance is terminated.

Exam trap

The trap here is that candidates confuse 'DeletionPolicy' (which only governs deletion behavior) with update policies, or mistakenly apply ElastiCache-specific policies like 'UseOnlineResharding' to RDS, not realizing that 'AutoScalingReplacingUpdate' is the correct mechanism for replacing resources during a CloudFormation stack update.

How to eliminate wrong answers

Option A is wrong because 'DeletionPolicy' with 'Delete' only controls what happens when a resource is deleted (e.g., during stack deletion), not how updates are performed; it does not create a new instance before deleting the old one. Option B is wrong because 'DeletionPolicy' with 'Snapshot' takes a final snapshot before deletion but still does not orchestrate a rolling replacement to minimize downtime during an update. Option C is wrong because 'UseOnlineResharding' is a policy for Amazon ElastiCache (Redis) clusters to reshard without downtime, not for RDS DB instance class changes.

345
MCQhard

A company is migrating a monolithic application to microservices on AWS. They want to use a blue/green deployment strategy for a new version of a service running on Amazon ECS with Fargate. The service is behind an Application Load Balancer. Which combination of actions should be taken to implement blue/green deployment with minimal downtime? (Choose the correct answer.)

A.Create a second ALB pointing to the new service, then update DNS to switch traffic.
B.Use AWS CodeDeploy to orchestrate a blue/green deployment by creating a new task set and shifting traffic.
C.Update the existing ECS service with the new task definition and allow rolling update.
D.Manually create a new target group with the new service and update the ALB listener rule.
AnswerB

CodeDeploy automates blue/green deployments on ECS with minimal downtime.

Why this answer

Option B is correct because AWS CodeDeploy supports blue/green deployments on ECS, creating a new task set and shifting traffic. Option C is wrong because updating the existing service directly causes downtime. Option A is wrong because a second ALB is unnecessary and adds complexity.

Option D is wrong because manually updating target groups is error-prone and not automated.

346
MCQhard

A company is deploying a containerized application on Amazon ECS using Fargate launch type. The application consists of multiple microservices, each deployed as a separate ECS service. The company uses AWS CodePipeline to automate deployments. The pipeline has a Source stage (CodeCommit), a Build stage (CodeBuild), and a Deploy stage (ECS). Recently, a deployment failed because the new task definition referenced an environment variable that was not available in the Parameter Store. The developer wants to prevent such failures in the future by validating the task definition before deployment. The developer has access to the AWS CLI and the AWS SDKs. The pipeline is configured to use CodeBuild for the build stage. What is the MOST efficient way to validate the task definition before deployment?

A.Add a step in the CodeBuild buildspec that runs 'aws ecs register-task-definition --cli-input-json file://taskdef.json --no-cli-pager --dry-run' to validate the task definition.
B.Add a step in the CodeBuild buildspec that runs 'aws ecs update-service --service my-service --task-definition <task-def-arn>' to see if the service accepts the task definition.
C.Add a step in the CodeBuild buildspec that runs 'aws ecs run-task --task-definition <task-def-arn> --count 1' to test the task definition.
D.Add a step in the CodeBuild buildspec that runs 'aws ecs describe-task-definition --task-definition <task-def-arn>' to check if the task definition exists.
AnswerA

The --dry-run flag validates the input without actually registering the task definition.

Why this answer

Option A is correct because using the 'aws ecs register-task-definition --cli-input-json' command with the '--no-cli-pager' and '--dry-run' flags will validate the task definition without actually registering it. This command checks for syntax errors and missing references, including Parameter Store parameters. Option D is incorrect because the 'aws ecs describe-task-definition' command only retrieves existing task definitions rather than validating new ones.

Option C is incorrect because the 'aws ecs run-task' command will actually try to run the task, which could incur costs and may fail at runtime. Option B is incorrect because the 'aws ecs update-service' command updates a service rather than validating a task definition.

347
Multi-Selectmedium

Which THREE steps should a developer include in a CI/CD pipeline to deploy a serverless application using AWS SAM? (Choose three.)

Select 3 answers
A.Run 'sam build' to prepare the application
B.Manually configure API Gateway stages
C.Run 'sam deploy' to create or update the CloudFormation stack
D.Run 'aws lambda update-alias' to shift traffic
E.Run 'sam package' to upload artifacts to S3
AnswersA, C, E

sam build compiles and prepares artifacts.

Why this answer

A typical SAM CI/CD pipeline includes building the app (A), packaging and uploading artifacts to S3 (E), and deploying the CloudFormation stack (C). Option D (update alias) is not a standard step. Option B (configure API Gateway) is handled as part of the deployment.

348
MCQmedium

A team uses AWS Elastic Beanstalk to deploy a web application. The application experiences intermittent high latency. The team notices that the environment's Auto Scaling group is not scaling out quickly enough. Which configuration change should the team make to improve scaling responsiveness?

A.Modify the Elastic Load Balancer health check path to a lighter endpoint
B.Enable detailed CloudWatch metrics for the Auto Scaling group
C.Increase the instance type to a larger size
D.Decrease the Auto Scaling group's cooldown period
AnswerD

Lower cooldown allows faster scaling.

Why this answer

Option D is correct because lowering the Auto Scaling cooldown period allows the group to start new instances sooner after a scaling activity. Option A is incorrect because adjusting the health check path affects routing, not scaling speed. Option C is incorrect because increasing instance size does not improve scaling responsiveness.

Option B is incorrect because pushing metrics more frequently to CloudWatch can help but does not directly reduce the cooldown.

349
MCQmedium

A company uses AWS OpsWorks for configuration management. They have a stack with multiple layers. They want to deploy a new application version to the application layer using rolling updates. What is the correct way to achieve this?

A.Update the custom cookbook and run the 'setup' command on the layer.
B.Clone the stack and then delete the old stack.
C.Update the app with the new version and run the 'deploy' command on the stack.
D.Modify the Auto Scaling group to launch new instances with the updated app.
AnswerC

The deploy command updates the app on all instances according to the deployment strategy.

Why this answer

Option C is correct because in AWS OpsWorks, deploying a new application version to a layer is done by updating the app configuration with the new version and then running the 'deploy' command on the stack. This command triggers the built-in Chef deploy recipes on the layer's instances, performing a rolling update that installs the new application version while minimizing downtime. The 'deploy' lifecycle event is specifically designed for application deployment, unlike 'setup' which configures the instance's initial state.

Exam trap

The trap here is confusing the 'setup' lifecycle event (used for initial configuration) with the 'deploy' lifecycle event (used for application deployment), leading candidates to incorrectly choose Option A instead of C.

How to eliminate wrong answers

Option A is wrong because the 'setup' command runs the setup lifecycle event, which configures the instance's packages, dependencies, and custom cookbooks, but it does not deploy application code; deploying a new app version requires the 'deploy' command. Option B is wrong because cloning the stack and deleting the old stack is an unnecessarily disruptive and manual process that does not achieve a rolling update; OpsWorks supports in-place rolling updates via the 'deploy' command without stack recreation. Option D is wrong because modifying the Auto Scaling group to launch new instances with an updated app bypasses OpsWorks's deployment lifecycle and does not perform a controlled rolling update; it would replace instances without the orchestrated 'deploy' recipes that handle application-specific tasks like database migrations or cache clearing.

350
MCQmedium

A developer is using AWS Elastic Beanstalk to deploy a Node.js application. The application requires an environment variable that contains a secret (e.g., a database password). The developer wants to store the secret securely and make it available to the application instances. Which Elastic Beanstalk feature should be used?

A.Store the secret in an environment property with the value set in plaintext.
B.Use the AWS Secrets Manager integration in Elastic Beanstalk.
C.Use an .ebextensions configuration file to set the environment variable.
D.Use Elastic Beanstalk platform hooks to retrieve the secret at startup.
AnswerB

This securely retrieves the secret from Secrets Manager and injects it as an environment variable.

Why this answer

AWS Elastic Beanstalk has a native integration with AWS Secrets Manager that allows you to retrieve secrets and inject them as environment variables into your application instances without exposing the secret in plaintext. This integration handles the secure retrieval and rotation of secrets automatically, making it the correct choice for securely storing and accessing a database password.

Exam trap

The trap here is that candidates may think platform hooks (Option D) are the correct approach because they can run scripts at startup, but they overlook the fact that Elastic Beanstalk's native Secrets Manager integration provides a simpler, more secure, and fully managed solution without requiring custom code to handle API calls and permissions.

How to eliminate wrong answers

Option A is wrong because storing the secret in an environment property with the value set in plaintext exposes the secret in the Elastic Beanstalk environment configuration and logs, violating security best practices. Option C is wrong because .ebextensions configuration files are processed during environment creation and updates, but they still require the secret value to be specified in plaintext or referenced from a source that does not inherently provide secure secret management. Option D is wrong because platform hooks are used to run custom scripts at specific lifecycle events (e.g., deployment, startup) but do not provide a built-in, managed mechanism for securely retrieving and injecting secrets; you would have to manually call the AWS Secrets Manager API and handle permissions, which is less secure and more complex than using the native integration.

351
MCQhard

A developer is using AWS CodeDeploy with a blue/green deployment strategy to update an application running on Amazon ECS with the Fargate launch type. After the new (green) task set is created and traffic is shifted to it, users immediately report errors when trying to write data. The developer discovers that the green task set is connecting to a different database than the blue task set. The database endpoints are configured in the ECS task definition. What is the simplest way to prevent this issue in future deployments?

A.Modify the blue/green deployment configuration to use the same database endpoint for both task sets by updating the environment variables in the task definition before deployment.
B.Create two separate Amazon RDS databases and use an Amazon Route 53 weighted routing policy to distribute traffic.
C.Use an Application Load Balancer (ALB) with stickiness to route each user to the correct task set.
D.Use AWS CloudFormation to create a new database stack for each deployment and update the task definition dynamically.
AnswerA

Environment variables in the task definition can be changed without modifying the container image. Set the database endpoint to the same value for both blue and green task sets. This is the simplest solution.

Why this answer

Option A is correct because the issue stems from the green task set using a different database endpoint than the blue task set, which is configured via environment variables in the ECS task definition. By updating the task definition to use the same database endpoint before deployment, both task sets will connect to the same database, ensuring consistency during the traffic shift. This is the simplest fix as it requires no additional infrastructure or complex routing changes.

Exam trap

The trap here is that candidates may think the issue is about traffic routing or session persistence (options B or C), rather than recognizing that the root cause is a configuration mismatch in the task definition environment variables, which is a common oversight in blue/green deployments.

How to eliminate wrong answers

Option B is wrong because creating two separate RDS databases and using Route 53 weighted routing would introduce data inconsistency and complexity, as users would write to different databases, defeating the purpose of a single application state. Option C is wrong because using an ALB with stickiness would route users to either the blue or green task set based on session affinity, but it does not address the root cause of different database endpoints; the task sets would still connect to different databases, causing data fragmentation. Option D is wrong because using CloudFormation to create a new database stack for each deployment is overly complex and unnecessary; it would require managing multiple databases and updating the task definition dynamically, which is not the simplest solution and could lead to data loss or inconsistency.

352
Multi-Selecteasy

A developer is deploying a serverless application using AWS SAM. The application includes multiple Lambda functions and an API Gateway. Which THREE AWS CLI commands are part of the typical SAM deployment workflow? (Choose THREE.)

Select 3 answers
A.sam deploy
B.sam init
C.sam package
D.sam build
E.aws s3 cp
AnswersA, C, D

Deploys the application.

Why this answer

Option A is correct because `sam deploy` is the AWS SAM CLI command that deploys the packaged application to AWS, creating or updating the CloudFormation stack with the Lambda functions and API Gateway resources. It reads the `template.yaml` and the packaged artifacts (from `sam package`) to provision the infrastructure. This command is the final step in the standard SAM deployment workflow.

Exam trap

The trap here is that candidates confuse `sam init` (a project scaffolding command) with a deployment step, or mistakenly think `aws s3 cp` is part of the SAM workflow when in fact SAM provides its own `sam package` command to handle S3 uploads and template transformation.

353
MCQhard

A developer is deploying a serverless application using AWS SAM. The application consists of multiple Lambda functions and an API Gateway REST API. The developer needs to ensure that the API Gateway endpoint is created before the Lambda functions are deployed, because the functions need the endpoint URL as an environment variable. How should the developer configure the SAM template?

A.Separate the deployment into two stacks: first deploy API Gateway, then deploy Lambda functions
B.Add a DependsOn clause to each Lambda function resource to wait for the API Gateway resource
C.Define the Lambda functions to use the ServerlessRestApi implicit API and reference the API's output in the function's environment variables
D.Use a custom resource in CloudFormation to create the API Gateway endpoint before Lambda functions
AnswerC

SAM creates dependencies automatically.

Why this answer

Option C is correct because AWS SAM automatically creates an implicit API Gateway REST API (logical ID `ServerlessRestApi`) when you define an `AWS::Serverless::Api` or use the `Events` property on a function. You can reference its endpoint URL using the `Fn::Sub` intrinsic function with the `ServerlessRestApi` logical ID, such as `!Sub 'https://${ServerlessRestApi}.execute-api.${AWS::Region}.amazonaws.com/${Stage}'`. This ensures the API Gateway resource is created before the Lambda functions that reference it, as CloudFormation resolves dependencies through intrinsic function references.

Exam trap

The trap here is that candidates may think `DependsOn` is sufficient to pass the endpoint URL, but it only orders creation and does not inject the URL into environment variables, which requires an intrinsic function reference like `Fn::Sub` or `Fn::GetAtt`.

How to eliminate wrong answers

Option A is wrong because separating into two stacks introduces unnecessary complexity and cross-stack output references, which is not required when SAM can handle the dependency within a single stack. Option B is wrong because `DependsOn` only ensures resource creation order but does not provide the endpoint URL as an environment variable; the developer still needs to reference the API Gateway output, and `DependsOn` alone does not pass the URL. Option D is wrong because using a custom resource to create the API Gateway endpoint is over-engineered and redundant; SAM already provides a built-in implicit API resource that handles creation and dependency resolution automatically.

354
MCQmedium

A company uses AWS OpsWorks to manage a stack of EC2 instances. The operations team needs to deploy a new configuration file to all instances in a layer. Which approach should the team use to automate this deployment?

A.Use AWS Systems Manager Run Command to execute a script that deploys the file
B.Add a Chef recipe to the layer's custom cookbooks that copies the configuration file to the instances
C.Create a new AWS CloudFormation stack to update the instances
D.Use AWS CodeDeploy to deploy the configuration file
AnswerB

Chef recipes manage configuration.

Why this answer

Option B is correct because OpsWorks uses Chef recipes to automate configuration management. Option C is incorrect because CloudFormation is for infrastructure provisioning, not configuration. Option D is incorrect because CodeDeploy is for application deployment, not system configuration.

Option A is incorrect because Systems Manager Run Command can be used but is not native to OpsWorks.

355
MCQhard

A developer needs to deploy a serverless application using AWS CloudFormation. The application includes an AWS Lambda function, an Amazon API Gateway REST API, and an Amazon DynamoDB table. The developer wants to create a stack that can be updated without downtime. Which CloudFormation feature should be used?

A.Drift detection
B.StackSets
C.Nested stacks
D.Change Sets
AnswerD

Change Sets allow you to review and apply changes safely.

Why this answer

Option D is correct because Change Sets allow you to preview how changes will affect running resources before applying them, enabling you to plan for zero downtime. Option C is wrong because Nested Stacks are for modularity, not specifically for zero-downtime updates. Option B is wrong because StackSets are for multi-account/region deployments.

Option A is wrong because Drift Detection identifies changes but does not prevent downtime.

356
MCQhard

A developer is deploying a microservices architecture on Amazon ECS. The services need to communicate with each other securely. The developer wants to use service discovery and ensure that traffic between services is encrypted. Which combination of services should the developer use?

A.Use AWS Cloud Map for service discovery and AWS App Mesh with mutual TLS
B.Use Amazon API Gateway and AWS Lambda
C.Use Amazon Route 53 private hosted zones and enable DNSSEC
D.Use an Application Load Balancer for each service and enable TLS termination
AnswerA

Cloud Map provides DNS, App Mesh provides mTLS.

Why this answer

Option A is correct because ECS service discovery with AWS Cloud Map provides DNS-based service discovery, and mTLS via App Mesh or a service mesh provides encryption. Option D is incorrect because ELB is for external traffic. Option B is incorrect because API Gateway is for APIs.

Option C is incorrect because Route 53 is not suitable for service discovery in ECS.

357
MCQmedium

A development team uses AWS CodeCommit for source control and AWS CodePipeline for CI/CD. The team wants to automatically deploy changes to a staging environment when a pull request is merged into the main branch. Which CodePipeline trigger configuration should be used?

A.Set up a periodic polling schedule in CodePipeline to check for changes.
B.Configure a webhook in CodeCommit to trigger the pipeline on push events.
C.Create an Amazon CloudWatch Events rule that triggers the pipeline on a 'Reference Created' event for the main branch.
D.Use the 'Start pipeline execution' API in CodePipeline on pull request creation.
AnswerC

When a pull request is merged, a reference is created for the merge commit, triggering the rule.

Why this answer

Option C is correct because the CloudWatch Events rule on a pull request merge event can trigger the pipeline. Option B is wrong because a webhook on push events would trigger on every push, not specifically on a pull request merge. Option D is wrong because CodePipeline does not have a built-in pull request trigger; it uses CloudWatch Events.

Option A is wrong because polling is not recommended and is less efficient.

358
MCQmedium

A company uses AWS CodePipeline to deploy a Node.js application to AWS Elastic Beanstalk. The build stage runs successfully, but the deploy stage fails with an error: 'The deployment failed because no instances were found for the environment.' What is the most likely cause?

A.The CodeDeploy application is not configured correctly.
B.The IAM role for CodePipeline lacks permissions to describe EC2 instances.
C.The build artifact is not named correctly for Elastic Beanstalk.
D.The Elastic Beanstalk environment has no running instances due to a failed health check.
AnswerD

If no instances exist, the deployment cannot proceed.

Why this answer

Option D is correct because if the Elastic Beanstalk environment does not have any running EC2 instances (e.g., due to a failed health check or scaling issue), the deployment cannot find any instances to update. Option B is wrong because missing IAM role permissions would cause a different error (e.g., access denied). Option A is wrong because CodeDeploy is not used with Elastic Beanstalk.

Option C is wrong because an incorrect artifact name would cause a different error (e.g., artifact not found).

359
MCQmedium

A company uses AWS CodePipeline to deploy a web application. The deployment fails intermittently during the 'Deploy' stage. The pipeline includes a step that runs a shell script on an EC2 instance. The pipeline uses a CodeBuild project for the build stage. What is the MOST likely cause of the intermittent failure?

A.The CodeBuild project is using an outdated build image.
B.The EC2 instance used for deployment does not have the CodeDeploy agent installed.
C.The pipeline is not configured to use a VPC.
D.The IAM role for CodePipeline does not have permissions to deploy.
AnswerB

A missing agent causes intermittent failures if the instance is replaced.

Why this answer

Option B is correct because if the EC2 instance is terminated or replaced, the CodeDeploy agent may not be installed, causing intermittent failures. Option A is wrong because CodeBuild uses temporary instances. Option C is wrong because CodePipeline does not require a VPC.

Option D is wrong because IAM roles are not updated automatically.

360
MCQmedium

A company uses AWS CodeDeploy to deploy a web application to an Auto Scaling group of Amazon EC2 instances. The deployment fails with the error 'The overall deployment failed because too many individual instances failed deployment, too few healthy instances are available for deployment, or some instances in your deployment group are experiencing problems.' The developer needs to identify the root cause. Which AWS service should the developer use to view detailed error logs from the failed deployment?

A.Amazon CloudWatch Logs (if configured) or the CodeDeploy agent log files on the EC2 instances
B.AWS X-Ray
C.AWS CloudTrail
D.AWS CodeDeploy console
AnswerA

The CodeDeploy agent logs provide detailed error information for troubleshooting.

Why this answer

Option A is correct because when a CodeDeploy deployment fails due to instance-level errors, the most direct way to investigate is to examine the CodeDeploy agent logs located on each EC2 instance at `/opt/codedeploy-agent/deployment-root/deployment-logs/codedeploy-agent.log`. If Amazon CloudWatch Logs has been configured to stream these logs, you can also view them centrally in the CloudWatch console. These logs contain detailed error messages from the `codedeploy-agent` process, including script failures, permission issues, or missing dependencies that caused the deployment to fail.

Exam trap

The trap here is that candidates assume the CodeDeploy console provides detailed error logs, but it only shows aggregated failure counts and high-level messages, while the actual root cause is buried in the agent logs on the EC2 instances or in CloudWatch Logs if configured.

How to eliminate wrong answers

Option B is wrong because AWS X-Ray is a distributed tracing service for analyzing and debugging request flows in microservices applications, not a log viewer for deployment errors. Option C is wrong because AWS CloudTrail records API calls made to AWS services (e.g., who triggered the deployment), but it does not capture the internal agent-level error logs from individual EC2 instances. Option D is wrong because the AWS CodeDeploy console only shows high-level deployment status and failure summaries (e.g., 'failed instances'), not the detailed per-instance error logs needed to diagnose root causes.

361
Multi-Selectmedium

A developer is using AWS CodeBuild to build a Docker image and push it to Amazon ECR. The build fails with a 'no basic auth credentials' error when trying to push the image. Which TWO actions should the developer take to resolve this issue? (Choose two.)

Select 2 answers
A.Add a pre-build command to run 'aws ecr get-login-password --region <region> | docker login --username AWS --password-stdin <account-id>.dkr.ecr.<region>.amazonaws.com'.
B.Install the AWS CLI in the buildspec.yml file.
C.Install Docker in the buildspec.yml file.
D.Add an IAM policy to the CodeBuild service role that allows ecr:GetAuthorizationToken and ecr:Push.
E.Configure SSH key-based authentication for ECR.
AnswersA, D

This authenticates Docker to ECR.

Why this answer

Options A and D are correct because the build project needs an IAM role with permissions to push to ECR, and the pre-build phase should include the 'aws ecr get-login-password' command to authenticate. Option B is wrong because the AWS CLI is already installed in CodeBuild. Option C is wrong because Docker is already available.

Option E is wrong because ECR access is via IAM, not SSH keys.

362
MCQeasy

Refer to the exhibit. A developer creates this CloudFormation template and tries to deploy it. The deployment fails with 'CREATE_FAILED' for the S3 bucket resource. What is the most likely cause?

A.The template does not enable versioning on the bucket.
B.The bucket name must be in all lowercase letters.
C.The bucket name is already taken by another AWS account.
D.The template does not specify a bucket policy.
AnswerC

Bucket names must be globally unique.

Why this answer

Option C is correct because bucket names must be globally unique, and 'my-app-data-12345' may already exist. Option D is wrong because S3 buckets can be created without a bucket policy. Option A is wrong because the template does not include versioning configuration.

Option B is wrong because the bucket name is not required to be in a specific format.

363
MCQmedium

A company uses AWS OpsWorks for configuration management. They want to migrate to AWS Systems Manager for patching and automation. They have a fleet of EC2 instances running Amazon Linux 2. Which Systems Manager capability should they use to automate patching?

A.Patch Manager
B.State Manager
C.Run Command
D.Maintenance Windows
AnswerA

Patch Manager automates the process of patching managed instances with security updates.

Why this answer

Option A is correct: Systems Manager Patch Manager is designed for patching. Option C (Run Command) can run scripts but does not schedule patching natively. Option B (State Manager) can enforce a desired state but is not specifically for patching.

Option D (Maintenance Windows) is only a scheduling mechanism; it is used together with Patch Manager rather than replacing it.

364
MCQmedium

A developer is using AWS CodePipeline to deploy a web application. The pipeline has a source stage that pulls from CodeCommit and a deploy stage that uses AWS Elastic Beanstalk. The developer wants to run unit tests automatically before deploying to Elastic Beanstalk. Which action should the developer add to the pipeline?

A.Add a test stage that uses an AWS CodeBuild project configured to run unit tests
B.Add a manual approval step before the deploy stage
C.Configure Elastic Beanstalk health checks to run tests
D.Replace Elastic Beanstalk with AWS CodeDeploy
AnswerA

Correct. CodeBuild can execute tests as part of the pipeline before deployment.

Why this answer

Option A is correct because AWS CodeBuild can be integrated as a test stage in CodePipeline to run unit tests automatically. By adding a CodeBuild project configured with a buildspec.yml file that executes unit tests, the pipeline will run tests after the source stage and before the deploy stage, ensuring only code that passes tests is deployed to Elastic Beanstalk.

Exam trap

The trap here is that candidates may confuse health checks (which monitor runtime health) with unit tests (which validate code logic), or think a manual approval step can substitute for automated testing, but AWS specifically tests the understanding that CodeBuild is the service designed for running custom build and test commands in a pipeline.

How to eliminate wrong answers

Option B is wrong because a manual approval step pauses the pipeline for human review, but does not execute unit tests automatically; it only gates deployment. Option C is wrong because Elastic Beanstalk health checks monitor the environment's operational status (e.g., HTTP response codes), not run unit tests on the application code. Option D is wrong because replacing Elastic Beanstalk with CodeDeploy does not add automated testing; CodeDeploy is a deployment service, not a test runner.

365
MCQeasy

A developer is using AWS CodePipeline to deploy a web application. The pipeline has stages: Source, Build, Staging Deploy, Staging Test, and Prod Deploy. The developer wants to ensure that if the Staging Test stage fails, the pipeline automatically stops and does not proceed to Prod Deploy. Which action should the developer take?

A.No action is needed; CodePipeline automatically stops on stage failure
B.Add a manual approval step before Prod Deploy
C.Disable the transition from Staging Test to Prod Deploy
D.Configure the pipeline execution mode to 'Superseded'
AnswerA

CodePipeline halts execution when a stage fails and does not proceed to the next stage unless manually retried.

Why this answer

Option A is correct because AWS CodePipeline's default behavior is to stop execution when a stage fails, preventing the pipeline from proceeding to subsequent stages. When the Staging Test stage fails, the pipeline transitions to a 'Failed' status and does not automatically continue to Prod Deploy. No additional configuration is required for this behavior.

Exam trap

The trap here is that candidates may overthink the solution and assume additional configuration is needed, when in fact CodePipeline's default behavior already stops on stage failure, making options like manual approval or disabling transitions unnecessary.

How to eliminate wrong answers

Option B is wrong because adding a manual approval step before Prod Deploy would require human intervention to proceed, but it does not automatically stop the pipeline on Staging Test failure; the pipeline would still wait for approval even if the test failed, which is not the desired behavior. Option C is wrong because disabling the transition from Staging Test to Prod Deploy would block every execution from reaching Prod Deploy, even when the Staging Test stage succeeds, which is overly restrictive and not conditional on failure. Option D is wrong because configuring the pipeline execution mode to 'Superseded' controls how multiple pipeline executions are handled (e.g., canceling a running execution when a new one starts), not how the pipeline responds to stage failures.

366
MCQ · easy

A development team wants to automatically deploy a web application to Amazon EC2 instances when new code is pushed to the master branch of an AWS CodeCommit repository. Which AWS service should the team use to orchestrate the build, test, and deployment phases?

A.AWS CloudFormation
B.AWS CodeBuild
C.AWS CodePipeline
D.AWS CodeDeploy
Answer: C

CodePipeline orchestrates the entire CI/CD workflow.

Why this answer

Option C is correct because AWS CodePipeline is a fully managed continuous delivery service that orchestrates build, test, and deploy phases. Option B is wrong because AWS CodeBuild only performs build and test, not deployment. Option D is wrong because AWS CodeDeploy only handles deployment, not build and test.

Option A is wrong because AWS CloudFormation is for infrastructure as code, not CI/CD orchestration.

367
Multi-Select · hard

A company is deploying a microservices architecture using AWS Lambda and Amazon API Gateway. The developer wants to implement a canary release deployment for the API. Which THREE steps should the developer take? (Choose THREE.)

Select 3 answers
A.Configure stage variables to point the canary stage to a different Lambda function alias.
B.Enable canary by setting the traffic percentage in the API Gateway stage.
C.Use API Gateway canary release settings to create a canary stage.
D.Use Amazon CloudFront to distribute traffic between two API Gateway stages.
E.Use Lambda canary releases to gradually shift traffic.
Answers: A, B, C

Stage variables can route traffic to different aliases.

Why this answer

Option A is correct because stage variables in API Gateway can be configured to point the canary stage to a different Lambda function alias, enabling the canary to invoke a separate version of the function for testing. This allows the canary to route a percentage of traffic to a new Lambda version while the main stage continues using the stable alias, supporting gradual rollouts.

Exam trap

The trap here is that candidates may confuse Lambda alias weighted routing (Option E) with API Gateway canary releases, but the question explicitly asks for API-level canary deployment, which requires API Gateway's native canary settings, not just Lambda-level traffic shifting.

368
MCQ · easy

A developer is deploying a Docker container to Amazon ECS using the Fargate launch type. The developer wants to ensure the container has access to an Amazon RDS database. What is the best way to securely pass the database credentials to the container?

A.Pass the credentials as plain text environment variables in the task definition.
B.Store the credentials in an Amazon S3 bucket and download them at container startup.
C.Store the credentials in the container image as environment variables.
D.Use AWS Systems Manager Parameter Store or AWS Secrets Manager to store the credentials and reference them in the task definition.
Answer: D

This is the secure way to manage secrets.

Why this answer

Option D is correct because AWS Systems Manager Parameter Store and AWS Secrets Manager are designed to securely store and manage sensitive information like database credentials. In Amazon ECS with Fargate, you can reference these secrets directly in the task definition using the 'secrets' parameter, which injects them as environment variables at runtime without exposing them in plain text or requiring additional code to fetch them. This approach adheres to the principle of least privilege and integrates natively with IAM roles for secure access.

Exam trap

The trap here is that candidates may think environment variables are inherently secure or that storing credentials in S3 is a safe alternative, overlooking the native integration and security guarantees of AWS Secrets Manager and Parameter Store for ECS tasks.

How to eliminate wrong answers

Option A is wrong because passing credentials as plain text environment variables in the task definition exposes them in the ECS console, API responses, and logs, violating security best practices. Option B is wrong because downloading credentials from an S3 bucket at container startup requires storing AWS access keys in the container or granting broad S3 permissions, and the credentials could be exposed in transit or logs; it also adds unnecessary complexity and latency. Option C is wrong because embedding credentials in the container image as environment variables makes them accessible to anyone with access to the image registry and prevents rotation without rebuilding the image, violating immutable infrastructure principles.

369
MCQ · medium

A team uses AWS CodeCommit for source control and wants to automatically trigger a build and deployment when code is pushed to the master branch. Which AWS service should be used to create this automation?

A.AWS CodeBuild
B.AWS CodePipeline
C.AWS Lambda
D.AWS CodeDeploy
Answer: B

CodePipeline integrates with CodeCommit as source.

Why this answer

AWS CodePipeline is the correct service because it is a fully managed continuous delivery service that can be configured to automatically start a pipeline execution when a change is pushed to a specific branch in AWS CodeCommit. By setting the source stage to the CodeCommit repository and master branch, CodePipeline triggers subsequent build and deploy actions without manual intervention, enabling a complete CI/CD workflow.

Exam trap

The trap here is that candidates confuse individual services (CodeBuild for building, CodeDeploy for deploying) with the orchestration service (CodePipeline) needed to chain them together in response to a source code event.

How to eliminate wrong answers

Option A is wrong because AWS CodeBuild is a build service that compiles source code and runs tests, but it does not have native event-driven triggers to automatically start on a CodeCommit push; it requires an external trigger like CodePipeline or a webhook. Option C is wrong because AWS Lambda can be used to react to CodeCommit events via CloudWatch Events or SNS, but it is not a purpose-built CI/CD service and would require custom code to orchestrate build and deployment steps, making it less suitable than CodePipeline. Option D is wrong because AWS CodeDeploy is a deployment service that automates application deployments to compute services like EC2 or Lambda, but it cannot directly listen to CodeCommit push events or orchestrate a build step; it relies on a pipeline or other trigger to initiate deployments.

370
MCQ · hard

A developer is using AWS CodeBuild to compile a Java application. The build project is configured with a 'buildspec.yml' file. The developer notices that the build succeeds on the local machine but fails in CodeBuild with the error: 'Error: Could not find or load main class com.example.App'. What is the most likely cause?

A.The 'build' phase command is incorrect, causing compilation to fail.
B.The build environment does not have Java installed.
C.The buildspec.yml file does not include an 'install' phase to download dependencies.
D.The 'artifacts' section in buildspec.yml is misconfigured.
Answer: C

The local machine may have dependencies pre-installed, but CodeBuild needs explicit installation.

Why this answer

Option C is correct because CodeBuild uses a clean environment; if the buildspec does not include the 'install' phase to download dependencies, the application will fail. Option B is wrong because Java is pre-installed in CodeBuild images. Option A is wrong because the error indicates a missing class, not a compile error.

Option D is wrong because the 'artifacts' section only affects output, not execution.

371
Multi-Select · medium

A company is using AWS CodeCommit as a source repository for a CI/CD pipeline. The developer has set up AWS CodePipeline with a source stage that uses CodeCommit. The pipeline triggers automatically on changes to the repository. The developer wants to ensure that only changes to the 'main' branch trigger the pipeline. Which THREE configurations should the developer set in the CodePipeline source stage? (Choose THREE.)

Select 3 answers
A.Set 'Output artifact format' to 'CodeCommit'.
B.Disable 'Poll for source changes'.
C.Set 'Change detection' to 'Amazon CloudWatch Events'.
D.Set 'Repository name' to 'main'.
E.Set the 'Branch name' to 'main'.
Answers: B, C, E

When using CloudWatch Events, polling should be disabled to avoid duplicate triggers.

Why this answer

Option B is correct because disabling 'Poll for source changes' is necessary when using event-based change detection (CloudWatch Events) to trigger the pipeline. When you set 'Change detection' to 'Amazon CloudWatch Events' (option C), you must disable polling to avoid duplicate triggers and ensure the pipeline only responds to CloudWatch Events triggered by commits to the specified branch. This configuration ensures that only changes to the 'main' branch (set in option E) initiate the pipeline.

Exam trap

The trap here is that candidates mistakenly think 'Repository name' can be used to specify the branch, or that 'Output artifact format' influences trigger behavior, when in fact only the 'Branch name' field and the combination of CloudWatch Events with polling disabled enforce branch-specific triggering.

372
MCQ · medium

A developer is using AWS CodeDeploy to deploy an application to an Auto Scaling group. The deployment fails during the 'BeforeInstall' lifecycle event. Which file should the developer check to debug the failure?

A.index.js
B.appspec.yml
C.taskdef.json
D.buildspec.yml
Answer: B

appspec.yml defines lifecycle events and scripts for CodeDeploy.

Why this answer

Option B is correct because the appspec.yml defines lifecycle hooks like BeforeInstall, and the scripts referenced in those hooks are executed. If the hook fails, the developer should check the scripts specified in appspec.yml. Option D is incorrect because buildspec.yml is for CodeBuild.

Option C is incorrect because taskdef.json is for ECS. Option A is incorrect because the application code is not the direct cause.

373
MCQ · medium

A development team uses AWS CodeDeploy to deploy a serverless application. The deployment fails with the error: 'The deployment failed because the deployment group did not contain any instances.' The deployment group is configured with an Amazon ECS service and uses the Blue/Green deployment type. What is the MOST likely cause?

A.The AppSpec file is incorrectly formatted and does not specify the task definition.
B.The deployment group's traffic routing configuration is set to 'AllAtOnce' causing immediate failure.
C.The CodeDeploy service role does not have permissions to describe ECS clusters.
D.The deployment group does not have a configured ECS service to deploy to.
Answer: D

CodeDeploy requires an ECS service to be specified in the deployment group; missing this results in no target instances.

Why this answer

The error 'The deployment failed because the deployment group did not contain any instances' indicates that CodeDeploy cannot find a target resource to deploy to. Since the deployment group is configured for an Amazon ECS service with Blue/Green deployment, the most likely cause is that the deployment group does not have an ECS service specified. Without a configured ECS service, CodeDeploy has no target to route traffic to or replace during the deployment, resulting in this error.

Exam trap

The trap here is that candidates may confuse the 'no instances' error with missing EC2 instances, but in ECS deployments, 'instances' refers to the ECS service itself as the deployment target, not individual container instances.

How to eliminate wrong answers

Option A is wrong because an incorrectly formatted AppSpec file would cause a different error, such as 'Invalid AppSpec file' or 'Missing required property', not a missing instances error. Option B is wrong because 'AllAtOnce' traffic routing configuration controls how traffic is shifted to the replacement task set, not whether instances exist; it would not cause an immediate failure due to missing instances. Option C is wrong because insufficient permissions for the CodeDeploy service role would result in an access denied or authorization error, not a 'deployment group did not contain any instances' error.

374
MCQ · hard

A developer is using AWS Elastic Beanstalk to deploy a Node.js application. The developer wants to run a custom script to set environment variables before the application starts. Which configuration file and location should the developer use?

A.Add a configuration file in the .ebextensions directory that uses container_commands.
B.Add a Procfile to the application root.
C.Place a shell script in the .ebextensions/scripts directory.
D.Add a cron.yaml file to the .ebextensions directory.
Answer: A

container_commands in .ebextensions run custom commands during deployment.

Why this answer

Option A is correct because `.ebextensions` configuration files with `container_commands` allow you to run custom commands before the application starts. `container_commands` execute after the application and web server have been set up but before the application is deployed, making them ideal for setting environment variables or running setup scripts. The files must be in YAML or JSON format and placed in the `.ebextensions` directory at the root of your source bundle.

Exam trap

The trap here is that candidates confuse `container_commands` with `commands` (which run before the application setup) or assume a Procfile is used in Elastic Beanstalk, when in fact Elastic Beanstalk uses platform-specific hooks like `.platform/hooks/prebuild` or `.ebextensions` for custom scripts.

How to eliminate wrong answers

Option B is wrong because a Procfile is used by Heroku, not AWS Elastic Beanstalk; Elastic Beanstalk uses its own platform hooks and configuration files. Option C is wrong because placing a shell script in `.ebextensions/scripts` is not a recognized configuration method; Elastic Beanstalk does not automatically execute scripts from that path. Option D is wrong because `cron.yaml` is used for periodic tasks (cron jobs) in Elastic Beanstalk worker environments, not for running pre-deployment setup scripts.

375
MCQ · hard

A developer performed a CodeDeploy deployment to an Auto Scaling group. The deployment status is Failed with code HEALTH_CONSTRAINTS. Based on the exhibit, what is the most likely cause?

A.The CodeDeploy agent on the instances is not running
B.The minimum number of healthy instances required for the deployment was not met
C.The application revision contains invalid scripts
D.The IAM role for CodeDeploy does not have sufficient permissions
Answer: B

HEALTH_CONSTRAINTS indicates that the deployment could not maintain the required healthy instance count.

Why this answer

The error 'HEALTH_CONSTRAINTS' means that too many instances failed health checks. The deployment overview shows 2 failed instances and 3 succeeded. The minimum healthy instances setting likely required more than 3 healthy instances.

Option B is correct. Option C (invalid scripts in the application revision) would cause a different error. Option A (CodeDeploy agent not running) would show agent issues.

Option D (permissions) would cause access denied errors.
