CCNA Dva Deployment Questions

75 of 378 questions · Page 1/6 · Dva Deployment topic · Answers revealed

1
Matching · medium

Match each AWS service to its port number (if applicable).

3306 - MySQL, MariaDB and Aurora MySQL (Amazon RDS / Aurora)
6379 - Redis (Amazon ElastiCache for Redis)
5432 - PostgreSQL and Aurora PostgreSQL (Amazon RDS / Aurora)
11211 - Memcached (Amazon ElastiCache for Memcached)
1521 - Oracle Database (Amazon RDS for Oracle)

Why these pairings

These are the engines' default listener ports, which is exactly what a security group rule for the database or cache tier has to open. Knowing them lets you write the inbound rule narrowly: only that port, TCP only, and with the application tier's security group as the source rather than 0.0.0.0/0. RDS lets you pick a non-default port when the instance is created, in which case the rule must match the custom port instead.
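As an added example (not part of the quiz page), the helper below turns the port table into the least-privilege ingress rule a practitioner would actually write, and audits a list of existing rules for the classic mistake of a database port open to the internet. The rule dictionaries use the IpPermissions shape that boto3's authorize_security_group_ingress() and describe_security_groups() use, so the audit can be fed real API output; the rules and security group IDs below are constructed sample data.

```python
"""Least-privilege security-group rules for the default database/cache ports.

Added example, not from the original page. db_ingress_rule() builds one
IpPermissions entry that opens only the engine's port to one source security
group; find_public_db_ports() scans a list of IpPermissions entries (the shape
returned by describe_security_groups) for database ports reachable from
0.0.0.0/0 or ::/0. SAMPLE_RULES and the sg-... IDs are constructed.
"""
from typing import Iterable

# Default listener ports of the engines in the matching question.
DEFAULT_PORTS = {
    "mysql": 3306,
    "aurora-mysql": 3306,
    "postgres": 5432,
    "aurora-postgresql": 5432,
    "oracle": 1521,
    "redis": 6379,
    "memcached": 11211,
}

PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}


def db_ingress_rule(engine: str, source_sg_id: str) -> dict:
    """Ingress permission that opens only the engine's port, only to one SG.

    Referencing the application tier's security group (UserIdGroupPairs)
    instead of a CIDR means the rule keeps working when the app instances'
    IP addresses change.
    """
    port = DEFAULT_PORTS[engine]
    return {
        "IpProtocol": "tcp",
        "FromPort": port,
        "ToPort": port,
        "UserIdGroupPairs": [{"GroupId": source_sg_id}],
    }


def _covers(rule: dict, port: int) -> bool:
    """True if the rule's port range (or 'all traffic', protocol -1) includes port."""
    if rule.get("IpProtocol") == "-1":
        return True
    if rule.get("IpProtocol") != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def find_public_db_ports(rules: Iterable[dict]) -> list:
    """Return (port, cidr) pairs where a database/cache port is open to the internet."""
    findings = []
    for rule in rules:
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if cidr not in PUBLIC_CIDRS:
                continue
            for port in sorted(set(DEFAULT_PORTS.values())):
                if _covers(rule, port):
                    findings.append((port, cidr))
    return findings


# Constructed sample: one correct rule and two mistakes.
SAMPLE_RULES = [
    db_ingress_rule("postgres", "sg-0123456789abcdef0"),          # good: one port, one SG
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,       # bad: MySQL to the world
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},   # bad: all traffic over IPv6
]

if __name__ == "__main__":
    for port, cidr in find_public_db_ports(SAMPLE_RULES):
        print(f"FINDING: port {port} reachable from {cidr}")
```

In practice you would call find_public_db_ports() on the IpPermissions list of each group returned by describe_security_groups(); the audit deliberately also catches protocol -1 ("all traffic") rules, which open every port including the database ones.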

2
MCQ · medium

A company uses AWS Elastic Beanstalk to deploy a web application. The deployment is successful, but the application health checks fail. The application runs on a single EC2 instance. What should a developer do to troubleshoot this issue?

A.View the application logs in the Elastic Beanstalk console.
B.Modify the CloudFormation template to increase instance size.
C.Add an Application Load Balancer to the environment.
D.SSH into the EC2 instance and restart the web server.
Answer: A

Logs show errors causing health check failures.

Why this answer

Option A is correct because the environment's logs (web server, application and Elastic Beanstalk agent logs, available from the console or with eb logs) show why the instance is failing its health checks. Option B is wrong because Elastic Beanstalk manages its own CloudFormation stack and a larger instance does not explain a failing health check. Option C is wrong because adding a load balancer changes the environment type without diagnosing the failure. Option D is wrong because SSH access may not be configured, and restarting the web server treats a symptom without identifying the cause.

3
MCQ · medium

A company deploys a serverless application using AWS SAM. The application includes an Amazon API Gateway HTTP API and several AWS Lambda functions. The developer wants to implement a canary deployment for the API Gateway stage: 5% of traffic should be immediately shifted to the new version, and after 15 minutes, the remaining 95% should be shifted. Which SAM resource attribute should the developer configure?

A.DeploymentPreference with Type: Canary10Percent30Minutes
B.DeploymentPreference with Type: Canary5Percent15Minutes
C.DeploymentPreference with Type: Linear10PercentEvery10Minutes
D.DeploymentPreference with Type: AllAtOnce
Answer: B

This exactly matches: 5% traffic shifted immediately, remaining 95% after 15 minutes.

Why this answer

Option B is the intended answer: it is the only option whose percentage and wait time match the requirement of 5% immediately and the remaining 95% after 15 minutes. Two caveats matter in practice. First, DeploymentPreference is a property of AWS::Serverless::Function used together with AutoPublishAlias: SAM generates a CodeDeploy application and deployment group, and CodeDeploy shifts traffic between versions on the Lambda alias; the API Gateway stage simply invokes the alias, so the stage itself is not what is being canaried. Second, the built-in Type values are the 10% canary types (Canary10Percent5Minutes, Canary10Percent10Minutes, Canary10Percent15Minutes, Canary10Percent30Minutes), the Linear10PercentEvery1Minute / 2Minutes / 3Minutes / 10Minutes types and AllAtOnce; a 5%/15-minute split is implemented by creating a custom CodeDeploy Lambda deployment configuration and giving its name as the Type.

Exam trap

The trap here is that candidates often confuse the percentage and time values in the canary types (e.g., picking Canary10Percent30Minutes) because they misread the requirement as a 10% canary or a 30-minute wait, rather than carefully matching the exact 5% and 15-minute values specified.

How to eliminate wrong answers

Option A is wrong because Canary10Percent30Minutes shifts 10% immediately and waits 30 minutes, not the required 5% and 15 minutes. Option C is wrong because Linear10PercentEvery10Minutes shifts traffic linearly in 10% increments every 10 minutes, not a single 5% canary followed by a 95% shift. Option D is wrong because AllAtOnce shifts 100% of traffic immediately, providing no canary or gradual rollout.

4
MCQ · hard

A developer is using AWS CodeDeploy to deploy an application to an Auto Scaling group. The deployment must be as fast as possible while ensuring that at least 50% of instances remain healthy throughout. Which deployment configuration should be used?

A.CodeDeployDefault.OneAtATime
B.CodeDeployDefault.HalfAtATime
C.CodeDeployDefault.AllAtOnce
D.CodeDeployDefault.MinHealthyPercent
Answer: B

Deploys to half the instances at a time, maintaining at least 50% healthy and is faster than OneAtATime.

Why this answer

CodeDeployDefault.HalfAtATime is the correct choice because it deploys to half of the instances in the Auto Scaling group at a time, ensuring that at least 50% of instances remain healthy throughout the deployment. This configuration balances speed (by deploying to multiple instances concurrently) with the required availability constraint, making it the fastest option that satisfies the 'at least 50% healthy' requirement.

Exam trap

The trap here is that candidates may confuse 'HalfAtATime' with 'OneAtATime' thinking slower is safer, or incorrectly assume 'AllAtOnce' is fastest without considering the health constraint, or invent a configuration name like 'MinHealthyPercent' that does not exist in CodeDeploy.

How to eliminate wrong answers

Option A (CodeDeployDefault.OneAtATime) is wrong because it deploys to only one instance at a time, which is the slowest deployment configuration and does not meet the requirement for maximum speed. Option C (CodeDeployDefault.AllAtOnce) is wrong because it deploys to all instances simultaneously, which can cause all instances to become unhealthy at once, violating the 'at least 50% healthy' requirement. Option D (CodeDeployDefault.MinHealthyPercent) is wrong because it is not a valid deployment configuration name in CodeDeploy; the correct parameter is 'minimumHealthyHosts' which can be set to a percentage, but 'MinHealthyPercent' is not a predefined configuration.

5
MCQ · medium

A CloudFormation update may replace an RDS database. The developer wants to preview replacement risk before executing. What should be created?

A.A stack policy only
B.A change set
C.A nested stack output
D.A CloudWatch dashboard
Answer: B

Correct for the stated requirement.

Why this answer

A change set in AWS CloudFormation allows you to preview how proposed changes to a stack will be executed, including whether any resources will be replaced (e.g., an RDS database). By reviewing the change set, you can see if the update will cause replacement (indicated by 'Replacement: True') before you actually apply the changes, enabling risk assessment without modification.

Exam trap

The trap here is that candidates confuse a stack policy (which controls update permissions) with a change set (which provides a preview of changes), or they think monitoring tools like CloudWatch can predict infrastructure changes.

How to eliminate wrong answers

Option A is wrong because a stack policy only protects specified resources from being updated or deleted during a stack update; it does not provide a preview of replacement risk. Option C is wrong because a nested stack output is used to return values from a nested stack to the parent stack, not to preview update impacts. Option D is wrong because a CloudWatch dashboard is a monitoring tool for metrics and logs, not a mechanism to preview CloudFormation stack update behavior.

6
MCQ · hard

A developer is deploying a microservices application on Amazon ECS using Fargate. The application uses an Application Load Balancer (ALB) to distribute traffic. The developer needs to perform a blue/green deployment with automatic rollback if health checks fail. What should the developer use?

A.Configure ECS service auto scaling to replace tasks gradually.
B.Manually update the ECS service using the AWS Management Console.
C.Use AWS CloudFormation to update the ECS service with a new task definition.
D.Use AWS CodeDeploy with a blue/green deployment configuration.
Answer: D

CodeDeploy automates blue/green deployments and rollback for ECS.

Why this answer

AWS CodeDeploy natively supports blue/green deployments for Amazon ECS, allowing you to specify a blue/green configuration that automatically shifts traffic from the old (blue) task set to the new (green) task set. It integrates with the ALB to perform health checks and can automatically roll back the deployment if the health checks fail, meeting the requirement without manual intervention.

Exam trap

The trap here is that candidates often confuse ECS service auto scaling or CloudFormation updates with deployment strategies, but neither provides the built-in blue/green traffic shifting and automatic health-check-based rollback that CodeDeploy offers.

How to eliminate wrong answers

Option A is wrong because ECS service auto scaling adjusts the number of tasks based on load, not the deployment strategy; it does not perform blue/green deployments or automatic rollback on health check failures. Option B is wrong because manually updating the ECS service via the AWS Management Console does not provide a built-in blue/green deployment mechanism or automatic rollback; it would require manual monitoring and intervention. Option C is wrong because AWS CloudFormation can update an ECS service with a new task definition, but it does not natively support blue/green deployments or automatic rollback based on health checks; it would require custom logic or additional resources to achieve this.

7
MCQ · hard

Refer to the exhibit. A developer is trying to deploy an EC2 instance using AWS CloudFormation. The stack creation fails with an 'AccessDenied' error when CloudFormation tries to create the EC2 instance. The developer has the IAM policy above. What is the MOST likely reason for the failure?

A.The policy does not allow ec2:DescribeImages.
B.The IAM role specified in the CloudFormation template is not the same as the one in the PassRole resource.
C.The policy does not allow ec2:RunInstances.
D.The policy does not allow ec2:TerminateInstances.
Answer: B

CloudFormation needs PassRole for the exact role used.

Why this answer

Option B is correct because CloudFormation can only attach an instance profile role if the caller is allowed iam:PassRole for that exact role ARN. The policy grants iam:PassRole on one specific role only; if the template references a different role, the request fails with AccessDenied even though all the EC2 permissions are present. Scoping PassRole this tightly is deliberate: an unrestricted iam:PassRole would let the caller launch an instance with any role in the account, including more privileged ones. Option A is wrong because ec2:DescribeImages is allowed. Option C is wrong because ec2:RunInstances is allowed. Option D is wrong because CloudFormation does not call ec2:TerminateInstances while creating the instance.

8
MCQ · easy

A developer uses AWS SAM (Serverless Application Model) to define a serverless application. The developer wants to run the application locally for testing. Which AWS SAM CLI command should be used?

A.sam local start-api
B.sam build
C.sam deploy
D.sam package
Answer: A

Starts a local API Gateway endpoint to invoke Lambda functions.

Why this answer

Option A is correct because 'sam local start-api' starts a local HTTP server that emulates API Gateway and runs the Lambda functions in local containers. Option B is wrong because 'sam build' only builds the function artifacts. Option C is wrong because 'sam deploy' deploys to AWS. Option D is wrong because 'sam package' packages the application and uploads artifacts for deployment.

9
MCQ · hard

A developer uses AWS CodePipeline to deploy a serverless application defined with AWS SAM. The pipeline consists of Source (S3), Build (CodeBuild), and Deploy (CloudFormation) stages. The developer wants to run integration tests after the stack is deployed but before the pipeline completes. Which approach should the developer use?

A.Add a test stage after the Deploy stage with an action that invokes a Lambda function to run tests.
B.Use the CloudFormation stack's Outputs to trigger a Lambda function that runs tests.
C.Configure a post-deployment hook in the SAM template that runs tests.
D.Add a manual approval step after Deploy, then run tests manually.
Answer: A

This is the correct approach: a stage with an action type 'Invoke' or 'Test' can run integration tests after deployment.

Why this answer

Option A is correct because AWS CodePipeline allows you to add a test stage after the Deploy stage, and you can configure an action that invokes an AWS Lambda function to run integration tests. This ensures tests run automatically after the CloudFormation stack is deployed but before the pipeline completes, meeting the requirement without manual intervention.

Exam trap

The trap here is that candidates may confuse CloudFormation Outputs with event-driven triggers or assume SAM has built-in post-deployment hooks, when in fact CodePipeline's custom action with Lambda is the correct mechanism for running automated tests after deployment.

How to eliminate wrong answers

Option B is wrong because CloudFormation stack Outputs are used to export values for cross-stack references, not to trigger Lambda functions; triggering Lambda from CloudFormation requires custom resources or event subscriptions, not Outputs. Option C is wrong because AWS SAM does not support post-deployment hooks in the SAM template; SAM uses lifecycle hooks (e.g., PreTraffic, PostTraffic) only for Lambda canary deployments, not for general integration testing. Option D is wrong because a manual approval step requires human intervention to run tests, which contradicts the requirement to run tests automatically before the pipeline completes.

10
MCQ · easy

A developer is deploying a serverless application using the AWS Serverless Application Model (SAM). The application consists of an API Gateway, a Lambda function, and a DynamoDB table. The developer wants to enable canary deployments for the Lambda function. What should the developer do?

A.Configure a CodeDeploy deployment group in the SAM template.
B.Create a Lambda alias and configure traffic shifting manually.
C.Add the AutoPublishAlias and DeploymentPreference properties to the Lambda function in the SAM template.
D.Use AWS CodePipeline to orchestrate the canary deployment.
Answer: C

These properties enable canary deployments in SAM.

Why this answer

Option C is correct because the AWS SAM template supports canary deployments for Lambda functions by adding the `AutoPublishAlias` property (which automatically creates and publishes a new version to a Lambda alias) and the `DeploymentPreference` property (which defines the traffic-shifting strategy, such as `Canary10Percent5Minutes`). This enables CodeDeploy to gradually shift traffic from the current version to the new version without manual intervention.

Exam trap

The trap here is that candidates may think they need to manually create a Lambda alias or use CodePipeline for canary deployments, when in fact SAM's `AutoPublishAlias` and `DeploymentPreference` properties automate the entire canary deployment workflow via CodeDeploy.

How to eliminate wrong answers

Option A is wrong because CodeDeploy deployment groups are not directly configured in a SAM template; SAM abstracts this by generating the necessary CodeDeploy resources automatically when you use `DeploymentPreference`. Option B is wrong because manually creating a Lambda alias and configuring traffic shifting defeats the purpose of using SAM's built-in canary deployment support, which automates the entire process and integrates with CodeDeploy. Option D is wrong because AWS CodePipeline can orchestrate the overall CI/CD pipeline but is not required for canary deployments; SAM's `DeploymentPreference` property alone enables canary deployments without needing CodePipeline.
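The two DeploymentPreference questions (the API/Lambda canary above and this one) both hinge on reading a CodeDeploy configuration name correctly. The helper below, an added example that is not from the quiz page or from AWS SAM, parses the naming pattern of the built-in Lambda deployment configurations into the actual traffic-shift schedule and flags names that CodeDeploy does not predefine. The set of built-in names is the documented CodeDeploy list; the generic parser for custom names in the same style is an assumption about how you would name a custom configuration.

```python
"""Traffic-shift schedule for SAM DeploymentPreference / CodeDeploy Lambda types.

Added example, not from the original page. traffic_schedule() returns the
list of (minutes after start, cumulative percent of traffic on the new
version) for a configuration name; is_builtin() tells you whether CodeDeploy
predefines that name or whether you need a custom deployment configuration.
"""
import re

# Predefined CodeDeploy Lambda deployment configurations (SAM drops the
# "CodeDeployDefault.Lambda" prefix in DeploymentPreference.Type).
BUILTIN_TYPES = {
    "Canary10Percent5Minutes",
    "Canary10Percent10Minutes",
    "Canary10Percent15Minutes",
    "Canary10Percent30Minutes",
    "Linear10PercentEvery1Minute",
    "Linear10PercentEvery2Minutes",
    "Linear10PercentEvery3Minutes",
    "Linear10PercentEvery10Minutes",
    "AllAtOnce",
}

_CANARY = re.compile(r"^Canary(\d+)Percent(\d+)Minutes$")
_LINEAR = re.compile(r"^Linear(\d+)PercentEvery(\d+)Minutes?$")


def is_builtin(deployment_type: str) -> bool:
    return deployment_type in BUILTIN_TYPES


def traffic_schedule(deployment_type: str) -> list:
    """Return [(minute, cumulative_percent), ...] for a deployment type.

    Canary:    X% at t=0, then 100% after the wait.
    Linear:    X% more every N minutes until 100%.
    AllAtOnce: 100% immediately.
    The pattern is parsed generically, so a custom name in the same style
    (e.g. Canary5Percent15Minutes) yields a schedule even though CodeDeploy
    does not predefine it.
    """
    if deployment_type == "AllAtOnce":
        return [(0, 100)]
    m = _CANARY.match(deployment_type)
    if m:
        percent, minutes = int(m.group(1)), int(m.group(2))
        return [(0, percent), (minutes, 100)]
    m = _LINEAR.match(deployment_type)
    if m:
        step, interval = int(m.group(1)), int(m.group(2))
        schedule, pct, t = [], 0, 0
        while pct < 100:
            pct = min(100, pct + step)
            schedule.append((t, pct))
            t += interval
        return schedule
    raise ValueError(f"unrecognised deployment type: {deployment_type}")


def minutes_to_full_traffic(deployment_type: str) -> int:
    """Minutes until 100% of traffic is on the new version (the rollback window)."""
    return traffic_schedule(deployment_type)[-1][0]


if __name__ == "__main__":
    for name in ("Canary10Percent30Minutes", "Linear10PercentEvery10Minutes", "Canary5Percent15Minutes"):
        print(name, "builtin" if is_builtin(name) else "CUSTOM", traffic_schedule(name))
```

The schedule is also the window in which a PreTraffic/PostTraffic hook or a CloudWatch alarm can still trigger an automatic rollback, which is why the canary wait time, not just the percentage, should be chosen deliberately.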

11
MCQ · medium

A company uses AWS CodeDeploy to deploy a web application to an Auto Scaling group. The deployment fails with the error 'The overall deployment failed because too many individual instances failed deployment'. The deployment configuration is set to CodeDeployDefault.OneAtATime. What is the most likely cause of this failure?

A.The instances in the Auto Scaling group are not running a supported operating system.
B.The deployment configuration should be changed to AllAtOnce to avoid this error.
C.The IAM role for CodeDeploy does not have sufficient permissions.
D.The deployment failed on a single instance, causing the overall deployment to fail because the minimum number of healthy hosts was not maintained.
Answer: D

With OneAtATime, if one instance fails, the deployment fails because the minimum healthy hosts threshold is not met.

Why this answer

With CodeDeployDefault.OneAtATime, CodeDeploy takes one instance out of service at a time and requires all the others to remain healthy. The overall deployment fails as soon as the revision fails to install on any instance other than the last one (a failure on the final instance alone is tolerated, because the rest of the fleet already runs the new revision). The error message is generic: here it means that one failing instance aborted the deployment, not that several instances failed independently. The first thing to check is that instance's agent log (/opt/codedeploy-agent/deployment-root/deployment-logs/ on Linux) for the lifecycle hook that failed.

Exam trap

The trap here is that candidates assume 'too many individual instances failed' means multiple instances failed independently, when in fact with OneAtATime a single instance failure is enough to fail the entire deployment because the minimum healthy hosts requirement is not maintained.

How to eliminate wrong answers

Option A is wrong because an unsupported operating system would cause a different error (e.g., 'Unsupported OS') and would affect all instances uniformly, not trigger a per-instance failure that cascades due to the OneAtATime configuration. Option B is wrong because changing to AllAtOnce would increase risk by deploying to all instances simultaneously, potentially causing a full outage; the error is not about the deployment speed but about the minimum healthy hosts requirement being violated. Option C is wrong because insufficient IAM permissions would typically result in an authorization error (e.g., 'AccessDenied') during the deployment setup or agent communication, not a per-instance failure that triggers the 'too many individual instances failed' message.
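To make the batch and success rules of the predefined configurations concrete (this question and the HalfAtATime question earlier on the page), here is an added simulation; it is not code from the page or from CodeDeploy. It models the documented success criteria of the three EC2/On-Premises configurations so you can see why a single failed instance (other than the last) fails a OneAtATime deployment while the same failure is tolerated by HalfAtATime. It is a deliberate simplification: hooks, timing and the minimumHealthyHosts arithmetic of custom configurations are ignored, and the five-instance fleet is constructed.

```python
"""Simulate CodeDeploy in-place deployments under the predefined configurations.

Added example, not from the original page. Batch sizes and success rules:
  AllAtOnce   - one batch; succeeds if the revision reached at least one instance.
  HalfAtATime - batches of up to half the fleet (rounded down); succeeds if it
                reached at least half (rounded up).
  OneAtATime  - one instance per batch; fails as soon as any instance other
                than the last fails.
"""
import math
from dataclasses import dataclass, field


@dataclass
class Outcome:
    succeeded: bool
    deployed: list = field(default_factory=list)   # instances that got the new revision
    failed: list = field(default_factory=list)     # instances where the install failed
    skipped: list = field(default_factory=list)    # never attempted: deployment aborted


def batches(instances: list, config: str) -> list:
    """Split the fleet into the groups each configuration deploys to concurrently."""
    n = len(instances)
    if config == "CodeDeployDefault.AllAtOnce":
        return [list(instances)]
    if config == "CodeDeployDefault.HalfAtATime":
        size = max(1, n // 2)   # up to half, fractions rounded down
        return [instances[i:i + size] for i in range(0, n, size)]
    if config == "CodeDeployDefault.OneAtATime":
        return [[i] for i in instances]
    raise ValueError(f"unknown deployment configuration: {config}")


def run_deployment(instances: list, config: str, failing: set) -> Outcome:
    """Deploy batch by batch; `failing` names the instances whose install fails."""
    deployed, failed = [], []
    n = len(instances)
    for batch in batches(instances, config):
        for inst in batch:
            (failed if inst in failing else deployed).append(inst)
        if config == "CodeDeployDefault.OneAtATime" and failed and batch[0] != instances[-1]:
            # Any failure before the last instance aborts the whole deployment.
            done = set(deployed) | set(failed)
            skipped = [i for i in instances if i not in done]
            return Outcome(False, deployed, failed, skipped)
    if config == "CodeDeployDefault.AllAtOnce":
        ok = len(deployed) >= 1
    elif config == "CodeDeployDefault.HalfAtATime":
        ok = len(deployed) >= math.ceil(n / 2)   # at least half, rounded up
    else:
        ok = True   # OneAtATime: reaching here means at most the last instance failed
    return Outcome(ok, deployed, failed, [])


FLEET = ["i-a", "i-b", "i-c", "i-d", "i-e"]   # constructed five-instance group

if __name__ == "__main__":
    for cfg in ("CodeDeployDefault.OneAtATime", "CodeDeployDefault.HalfAtATime",
                "CodeDeployDefault.AllAtOnce"):
        result = run_deployment(FLEET, cfg, {"i-b"})
        print(f"{cfg}: {len(batches(FLEET, cfg))} batch(es), "
              f"i-b failing -> {'success' if result.succeeded else 'FAILED'}, skipped={result.skipped}")
```

Running it shows the trade-off the exam is after: OneAtATime is the safest for capacity but the slowest and the most sensitive to a single bad instance; HalfAtATime finishes in a fraction of the batches while never taking more than half the fleet out of service.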

12
MCQ · medium

A company uses AWS Elastic Beanstalk to run a web application. They want to deploy a new version with zero downtime and roll forward if successful. They have two environments: a production environment (current version) and a staging environment (new version). After verifying the staging environment, they want to swap the URLs so that production now points to the new version. Which deployment strategy should they use?

A.Blue/green deployment with environment CNAME swap
B.All at once deployment
C.Rolling deployment with additional batch
D.Immutable deployment
Answer: A

This strategy creates two separate environments. After testing, swapping the CNAME (e.g., via 'eb swap') redirects traffic to the new environment without downtime.

Why this answer

Option A is correct because blue/green deployment with an environment CNAME swap allows you to run two separate Elastic Beanstalk environments (production and staging) simultaneously. After verifying the new version in the staging environment, you swap the CNAME records so that the production URL points to the staging environment, achieving zero downtime and a roll-forward strategy. This approach decouples the deployment from the existing environment, ensuring no disruption to live traffic during the swap.

Exam trap

The trap here is that candidates confuse immutable deployments (which also launch new instances) with blue/green deployments, but immutable deployments do not create a separate environment with its own URL for a CNAME swap, making them unsuitable for the described two-environment swap requirement.

How to eliminate wrong answers

Option B (All at once deployment) is wrong because it deploys the new version to all instances simultaneously, causing downtime during the deployment process and not allowing a roll-forward strategy with separate environments. Option C (Rolling deployment with additional batch) is wrong because it updates instances in batches while keeping the same environment, which can cause temporary capacity reduction and does not provide a separate staging environment for verification before swapping URLs. Option D (Immutable deployment) is wrong because it launches a new set of instances in the same environment and then swaps them in, but it does not create a separate environment with its own URL for a CNAME swap; it still operates within a single environment, making it unsuitable for the described two-environment swap scenario.

13
MCQ · medium

A company uses AWS CodePipeline to deploy a static website to Amazon S3. The pipeline includes a deploy action that uses AWS CloudFormation to create the S3 bucket and upload files. The developer notices that the deploy action fails intermittently with a 'BucketAlreadyExists' error. What is the most likely cause?

A.The S3 bucket has versioning enabled.
B.The CloudFormation template has incorrect IAM permissions.
C.The S3 bucket name is already taken by another AWS account.
D.The S3 bucket policy is too restrictive.
Answer: C

S3 bucket names are globally unique.

Why this answer

Option C is correct because S3 bucket names are globally unique across all AWS accounts and regions. If any other account already owns a bucket with that name, CreateBucket fails with BucketAlreadyExists and the CloudFormation stack fails; a fixed, guessable name in a template is therefore fragile, and including the account ID or a generated suffix in the name avoids the collision. Option A is wrong because versioning does not affect bucket creation. Option B is wrong because missing IAM permissions would surface as an AccessDenied error, not BucketAlreadyExists. Option D is wrong because a bucket policy governs access to an existing bucket and cannot cause a creation error.

14
MCQ · hard

An IAM policy is attached to an EC2 instance role. The instance is part of a CodeDeploy deployment group. The deployment fails because the CodeDeploy agent cannot download the revision. What is the most likely reason?

A.The policy does not allow the codedeploy:GetDeployment action.
B.The policy does not allow the codedeploy:CreateDeployment action.
C.The policy does not specify a region in the resource ARN.
D.The policy does not allow s3:GetObject on the specific bucket where the revision is stored.
Answer: D

The policy only allows access to 'my-bucket', but the revision may be in another bucket.

Why this answer

The CodeDeploy agent on the EC2 instance downloads the application revision from an S3 bucket. For this to succeed, the IAM role attached to the instance must include an s3:GetObject permission on the specific bucket and object. Without it, the agent cannot retrieve the revision file, causing the deployment to fail.

Options A and B are irrelevant because the agent does not call CodeDeploy API actions like GetDeployment or CreateDeployment; those are used by the user or CI/CD pipeline initiating the deployment. Option C is incorrect because IAM policies for S3 actions do not require a region in the resource ARN.

Exam trap

The trap here is that candidates confuse the permissions needed by the CodeDeploy agent (S3 read access) with the permissions needed by the user or pipeline (CodeDeploy API actions), leading them to select a CodeDeploy action instead of the correct S3 action.

How to eliminate wrong answers

Option A is wrong because the CodeDeploy agent does not call codedeploy:GetDeployment; that action is used by the CLI, SDK or console to inspect a deployment. Option B is wrong because codedeploy:CreateDeployment is performed by the user or automation that starts the deployment, not by the agent on the instance. Option C is wrong because S3 ARNs leave the region and account fields empty (arn:aws:s3:::bucket-name/key), so a missing region cannot be the cause; what matters is that the bucket and key pattern in the Resource element cover the revision's actual location.
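Both this question and the CloudFormation PassRole question earlier on the page come down to the same check: does the identity policy allow a specific action on a specific resource, with wildcards and explicit denies taken into account? The evaluator below is an added example, not code from the quiz page or from AWS, and implements only IAM's core decision rules (explicit Deny wins, Allow must match action and resource, '*' and '?' wildcards); conditions, NotResource, resource-based policies, SCPs and permission boundaries are out of scope. The policy document, account ID, role and bucket names are constructed placeholders in the spirit of the missing exhibits, not the exhibits themselves.

```python
"""Minimal IAM identity-policy evaluator.

Added example, not from the original page. is_allowed() answers whether one
action on one resource is permitted by an identity-based policy document;
passrole_gap() applies it to the CloudFormation AccessDenied scenario.
"""
import fnmatch
from typing import Iterable, Optional


def _as_list(value) -> list:
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def _matches(patterns: Iterable[str], candidate: str, fold_case: bool) -> bool:
    # IAM action names are case-insensitive; ARNs are compared as written.
    if fold_case:
        return any(fnmatch.fnmatchcase(candidate.lower(), p.lower()) for p in patterns)
    return any(fnmatch.fnmatchcase(candidate, p) for p in patterns)


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Decide one action/resource pair against an identity-based policy document."""
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        not_actions = _as_list(stmt.get("NotAction"))
        if not_actions:
            action_hit = not _matches(not_actions, action, fold_case=True)
        else:
            action_hit = _matches(_as_list(stmt.get("Action")), action, fold_case=True)
        resource_hit = _matches(_as_list(stmt.get("Resource", "*")), resource, fold_case=False)
        if not (action_hit and resource_hit):
            continue
        if stmt.get("Effect") == "Deny":
            return False          # an explicit deny overrides every allow
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def passrole_gap(policy: dict, role_arn: str) -> Optional[str]:
    """Explain a CloudFormation AccessDenied on instance creation if PassRole is the cause."""
    if is_allowed(policy, "iam:PassRole", role_arn):
        return None
    return f"iam:PassRole is not allowed for {role_arn}; check the Resource of the PassRole statement"


# Constructed policy in the spirit of the exhibits: EC2 launch rights,
# PassRole scoped to one role, s3:GetObject scoped to one bucket.
DEVELOPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:RunInstances", "ec2:Describe*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/AppInstanceRole"},
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/*"},
        {"Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::my-bucket/secrets/*"},
    ],
}

if __name__ == "__main__":
    print(passrole_gap(DEVELOPER_POLICY, "arn:aws:iam::123456789012:role/OtherRole"))
    print("agent can read other bucket:",
          is_allowed(DEVELOPER_POLICY, "s3:GetObject", "arn:aws:s3:::other-bucket/app.zip"))
```

The same function, run with the ARN the CodeDeploy revision actually lives at, tells you immediately whether the agent's instance role can fetch it, which is quicker than reading the agent log after a failed deployment.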

15
MCQ · medium

A company is deploying a new microservice using AWS CodeDeploy. The deployment group uses an EC2/On-Premises compute platform with an in-place deployment configuration. After the deployment, the new application version is not receiving traffic. The previous version continues to serve requests. What is the most likely cause?

A.The application revision is not stored in the correct S3 bucket.
B.The deployment configuration is set to CodeDeployDefault.OneAtATime.
C.The deployment group is not associated with a load balancer or target group.
D.The CodeDeploy agent is not installed on the EC2 instances.
Answer: C

Without a target group, the load balancer does not route traffic to the new instances.

Why this answer

In an in-place deployment with CodeDeploy on the EC2/On-Premises compute platform, traffic is routed to the new application version by a load balancer. If the deployment group is not associated with a load balancer or target group, CodeDeploy cannot register the instances or shift traffic to the new version, so the previous version continues serving requests. The deployment itself may succeed, but without the load balancer integration, the new application revision never receives incoming traffic.

Exam trap

The trap here is that candidates assume a successful deployment automatically means the new version is serving traffic, but without a load balancer association, CodeDeploy cannot manage traffic routing, leaving the old version active.

How to eliminate wrong answers

Option A is wrong because the application revision not being stored in the correct S3 bucket would cause the deployment to fail entirely (e.g., a 'RevisionNotFound' error), not silently leave the old version serving traffic. Option B is wrong because CodeDeployDefault.OneAtATime is a valid deployment configuration that controls the pace of instance updates (one instance at a time), but it does not prevent traffic from reaching the new version after deployment; it only affects the rollout speed. Option D is wrong because if the CodeDeploy agent were not installed on the EC2 instances, the deployment would fail with an 'AgentNotAvailable' error, and no new version would be installed at all, whereas the scenario describes a successful deployment with no traffic shift.

16
MCQ · hard

A company uses AWS CloudFormation to manage its infrastructure. The developer wants to update a stack but only if the update does not cause any resource replacement. Which CloudFormation stack update option should be used?

A.Use the direct update option with a template.
B.Create a change set and review the changes before executing it.
C.Use the 'Force rollback' option to ensure no replacement.
D.Use the 'Preserve stack settings' option when updating the stack.
Answer: B

Change sets show which resources will be replaced, allowing you to avoid replacement.

Why this answer

Option B is correct because a change set shows, before anything is executed, which resources the update would modify and whether each modification requires replacement (Replacement: True or Conditional). If any replacement is reported, the developer simply deletes the change set instead of executing it. Option A is wrong because a direct update applies the template immediately without a preview. Option C is wrong because there is no 'Force rollback' update option; rollback happens automatically when an update fails, after resources have already been touched. Option D is wrong because 'Preserve stack settings' is not a CloudFormation update option, and nothing in an update prevents replacement other than not executing it.
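The RDS replacement question and this one are both answered by reading the Replacement field of a change set. The gate below is an added example, not code from the quiz page or from AWS: it reads the Changes list of a describe_change_set() response and refuses to execute when any resource may be recreated. The response is constructed sample data in the documented shape, not real API output; the boto3 client calls are only made when a client object is passed in, so the example runs offline.

```python
"""Gate a CloudFormation update on the replacement verdicts in a change set.

Added example, not from the original page. Flow in production:
create_change_set() -> wait -> describe_change_set() -> replacement_findings()
-> execute_change_set() only if the list is empty, otherwise delete_change_set().
Each ResourceChange carries Replacement = "True", "False" or "Conditional".
"""

REPLACEMENT_RISK = {"True", "Conditional"}


def replacement_findings(describe_response: dict) -> list:
    """Return the resource changes that may replace (recreate) a resource."""
    findings = []
    for change in describe_response.get("Changes", []):
        rc = change.get("ResourceChange", {})
        if rc.get("Action") != "Modify":
            continue   # Add/Remove are not replacements (a Remove deserves its own review)
        if rc.get("Replacement") in REPLACEMENT_RISK:
            # Details name the property whose change forces the replacement.
            props = sorted({d.get("Target", {}).get("Name", "?") for d in rc.get("Details", [])})
            findings.append({
                "LogicalResourceId": rc.get("LogicalResourceId"),
                "ResourceType": rc.get("ResourceType"),
                "Replacement": rc.get("Replacement"),
                "Properties": props,
            })
    return findings


def execute_if_safe(describe_response: dict, stack_name: str, change_set_name: str,
                    cfn_client=None) -> bool:
    """Execute the change set only when no replacement is possible.

    cfn_client is a boto3 CloudFormation client (boto3.client("cloudformation"));
    when None, the decision is returned without calling AWS.
    """
    if replacement_findings(describe_response):
        if cfn_client is not None:
            cfn_client.delete_change_set(StackName=stack_name, ChangeSetName=change_set_name)
        return False
    if cfn_client is not None:
        cfn_client.execute_change_set(StackName=stack_name, ChangeSetName=change_set_name)
    return True


# Constructed describe_change_set() response: a MasterUsername change on an
# RDS instance (replacement), a Lambda code update (in place) and a new bucket.
SAMPLE_CHANGE_SET = {
    "ChangeSetName": "preview-rds-update",
    "Status": "CREATE_COMPLETE",
    "Changes": [
        {"Type": "Resource", "ResourceChange": {
            "Action": "Modify", "LogicalResourceId": "Database",
            "ResourceType": "AWS::RDS::DBInstance", "Replacement": "True",
            "Details": [{"Target": {"Attribute": "Properties", "Name": "MasterUsername",
                                    "RequiresRecreation": "Always"}}]}},
        {"Type": "Resource", "ResourceChange": {
            "Action": "Modify", "LogicalResourceId": "ApiFunction",
            "ResourceType": "AWS::Lambda::Function", "Replacement": "False",
            "Details": [{"Target": {"Attribute": "Properties", "Name": "Code",
                                    "RequiresRecreation": "Never"}}]}},
        {"Type": "Resource", "ResourceChange": {
            "Action": "Add", "LogicalResourceId": "AuditBucket",
            "ResourceType": "AWS::S3::Bucket"}},
    ],
}

if __name__ == "__main__":
    for f in replacement_findings(SAMPLE_CHANGE_SET):
        print(f"REPLACEMENT {f['Replacement']}: {f['LogicalResourceId']} "
              f"({f['ResourceType']}) via {', '.join(f['Properties'])}")
    print("safe to execute:", execute_if_safe(SAMPLE_CHANGE_SET, "app", "preview-rds-update"))
```

Treating "Conditional" as a blocker is the conservative choice: CloudFormation cannot tell in advance whether such a change recreates the resource, and for a database a wrong guess means data loss, so a human should decide.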

17
MCQ · medium

Refer to the exhibit. A developer has the above IAM policy attached. The developer is trying to push code to a CodeCommit repository and trigger a CodePipeline. The push succeeds but the pipeline does not start. What is the most likely reason?

A.The developer does not have permissions to push to the repository.
B.The CloudWatch Events rule that triggers the pipeline on code push does not have the necessary IAM role to invoke the pipeline.
C.The developer does not have permissions to start the pipeline.
D.The CodeCommit repository does not have a trigger configured.
Answer: B

The trigger rule needs permissions to start the pipeline.

Why this answer

Option B is correct because CodePipeline starts on a CodeCommit push through an Amazon EventBridge (formerly CloudWatch Events) rule whose target is the pipeline; that rule runs under its own IAM role, and if the role lacks codepipeline:StartPipelineExecution on the pipeline, the push succeeds but the pipeline never starts. Option A is wrong because the push succeeded, so the policy allows codecommit:GitPush. Option C is wrong because the policy already grants StartPipelineExecution, and in any case the developer is not the principal that starts the pipeline; the rule is. Option D is wrong because the push-to-pipeline link is the EventBridge rule, not a CodeCommit repository trigger (which targets SNS or Lambda).

18
Multi-Select · easy

A development team is using AWS Elastic Beanstalk to deploy a web application. The team wants to perform a blue/green deployment. Which THREE steps are required to complete the blue/green deployment?

Select 3 answers
A.Update the existing environment with the new version.
B.Swap the CNAMEs of the two environments.
C.Terminate the old environment after verifying the new environment.
D.Update the Route 53 DNS record to point to the new environment.
E.Deploy the new application version to a separate Elastic Beanstalk environment.
Answers: B, C, E

Swapping CNAMEs routes traffic to the new environment.

Why this answer

Options E, B and C are correct. In a blue/green deployment with Elastic Beanstalk you deploy the new version to a separate environment (E), verify it, swap the CNAMEs of the two environments so the production URL resolves to the new one (B), and finally terminate the old environment once you are satisfied (C); keeping it around until then means a swap back is a one-step rollback. Option A is wrong because you do not update the old environment in place; you create a new one. Option D is wrong because the swap is done by Elastic Beanstalk (eb swap or 'Swap environment URLs'), not by editing a Route 53 record by hand.

19
Multi-Select · medium

A company is deploying a Node.js application on AWS Elastic Beanstalk. The application uses environment variables for configuration. The development team wants to ensure that the environment variables are not exposed in the source code or in the deployment logs. Which TWO actions should the team take? (Choose TWO.)

Select 2 answers
A.Enable detailed logging for the Elastic Beanstalk environment and filter out sensitive data.
B.Set environment variables using Elastic Beanstalk environment properties in the console.
C.Store sensitive environment variables in AWS Systems Manager Parameter Store and retrieve them at runtime.
D.Use AWS Secrets Manager to manage secrets and reference them in the application code.
E.Embed the environment variables in the application package as a .env file.
Answers: C, D

Parameter Store keeps secrets encrypted and separate from code.

Why this answer

Options C and D are correct: storing secrets in AWS Systems Manager Parameter Store (SecureString parameters) or AWS Secrets Manager and fetching them at runtime through the instance role keeps them out of the source repository, the deployment bundle and the deployment logs, and lets access be scoped by IAM and audited in CloudTrail. Option B is wrong because Elastic Beanstalk environment properties are stored unencrypted in the environment configuration and are visible in plaintext in the console, in eb printenv and in saved configurations. Option A is wrong because filtering logs after the fact does not stop the values from being written in the first place. Option E is wrong because a .env file in the application package ships the secrets with the code.
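As an added example of the two correct options in practice (not code from the quiz page), the module below keeps only secret references in the bundle, resolves them at startup, and installs a logging filter so the resolved values cannot leak into log lines. aws_resolver() uses the real boto3 calls (GetParameter with decryption, GetSecretValue) and is not exercised offline; the reference names, the fake resolver and its values are constructed for the example.

```python
"""Keep secrets out of the deployment bundle and out of the logs.

Added example, not from the original page. load_secrets() resolves
"ssm:/path" or "secretsmanager:name" references through a resolver callable,
so the application package carries only the reference, never the value.
RedactingFilter is a logging.Filter that masks the loaded values if they ever
reach a log line.
"""
import logging
from typing import Callable, Dict

Resolver = Callable[[str, str], str]   # (backend, name) -> secret value


def aws_resolver(backend: str, name: str) -> str:
    """Production resolver: fetch using the instance role (real boto3 calls)."""
    import boto3  # imported lazily so the module loads without boto3 installed
    if backend == "ssm":
        resp = boto3.client("ssm").get_parameter(Name=name, WithDecryption=True)
        return resp["Parameter"]["Value"]
    if backend == "secretsmanager":
        return boto3.client("secretsmanager").get_secret_value(SecretId=name)["SecretString"]
    raise ValueError(f"unknown secret backend: {backend}")


def load_secrets(references: Dict[str, str], resolver: Resolver) -> Dict[str, str]:
    """Turn {ENV_NAME: "ssm:/path"} into {ENV_NAME: value}; nothing is written to disk."""
    values = {}
    for env_name, ref in references.items():
        backend, _, name = ref.partition(":")
        if backend not in ("ssm", "secretsmanager") or not name:
            raise ValueError(f"{env_name}: expected 'ssm:<path>' or 'secretsmanager:<name>', got {ref!r}")
        values[env_name] = resolver(backend, name)
    return values


class RedactingFilter(logging.Filter):
    """Replace every known secret value in a log record with [REDACTED]."""

    def __init__(self, secrets: Dict[str, str]):
        super().__init__()
        # Longest first, so a secret that contains another secret is masked whole.
        self._values = sorted((v for v in secrets.values() if v), key=len, reverse=True)

    def redact(self, text: str) -> str:
        for value in self._values:
            text = text.replace(value, "[REDACTED]")
        return text

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = self.redact(record.getMessage())   # format first, then mask
        record.args = ()
        return True


def filtered_message(secrets: Dict[str, str], fmt: str, *args) -> str:
    """What a log line would look like after passing through RedactingFilter."""
    record = logging.LogRecord("app", logging.INFO, __file__, 0, fmt, args, None)
    RedactingFilter(secrets).filter(record)
    return record.getMessage()


# Constructed references: this is all the bundle needs to contain.
SECRET_REFS = {
    "DB_PASSWORD": "ssm:/myapp/prod/db/password",
    "API_KEY": "secretsmanager:myapp/prod/api-key",
}


def fake_resolver(backend: str, name: str) -> str:
    """Offline stand-in for aws_resolver with constructed values."""
    return {"ssm:/myapp/prod/db/password": "s3cr3t-pw",
            "secretsmanager:myapp/prod/api-key": "key-0123-constructed"}[f"{backend}:{name}"]


if __name__ == "__main__":
    secrets = load_secrets(SECRET_REFS, fake_resolver)
    logging.basicConfig(level=logging.INFO)
    log = logging.getLogger("app")
    log.addFilter(RedactingFilter(secrets))
    log.info("connecting with password=%s", secrets["DB_PASSWORD"])  # emitted redacted
```

The instance role then needs only ssm:GetParameter / secretsmanager:GetSecretValue (plus kms:Decrypt for the key in use) on those specific resources, which is a far smaller blast radius than a .env file readable by anyone who can download the bundle.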

20
MCQ · medium

A company uses AWS Elastic Beanstalk to deploy a web application. The developer wants to perform a blue/green deployment to minimize downtime. The developer creates a new environment and deploys the new version. After verifying the new environment is healthy, the developer needs to swap the URLs so that traffic is routed to the new environment. Which AWS Elastic Beanstalk feature should the developer use?

A.Use the 'Swap environment URLs' feature in the Elastic Beanstalk console.
B.Delete the old environment and update the DNS record to point to the new environment.
C.Use Amazon Route 53 weighted routing policies to shift traffic.
D.Change the environment's CNAME to point to the new environment.
Answer: A

This swaps the URLs between two environments.

Why this answer

Option A is correct because Elastic Beanstalk's 'Swap environment URLs' operation (eb swap in the EB CLI) exchanges the CNAME records of two environments, so the production URL resolves to the new environment immediately and the old environment stays available for a swap back. Option B is wrong because deleting the old environment before the switch removes the rollback path and still requires a manual DNS change. Option C is wrong because Route 53 weighted routing can shift traffic gradually but is not an Elastic Beanstalk feature. Option D is wrong because an environment's CNAME cannot be pointed at another environment by hand; the swap operation is the built-in way to do it.

21
MCQ · medium

A team is deploying a containerized application on Amazon ECS using Fargate. The application requires high availability and must be deployed across multiple Availability Zones. The team wants to automate the deployment process using AWS CodePipeline. What is the most efficient way to update the ECS service with a new task definition?

A.Use the ECS deploy action in CodePipeline with the 'Immediate' deployment option to update the service.
B.Use an AWS Lambda function that calls the ECS UpdateService API with the new task definition.
C.Use the AWS Management Console to update the ECS service with the new task definition.
D.Use AWS CloudFormation to update the ECS service by updating the stack with the new task definition.
Answer: A

CodePipeline natively supports ECS deployments with minimal configuration.

Why this answer

Option A is correct because CodePipeline's Amazon ECS deploy action registers a new task definition revision from the pipeline's imagedefinitions.json artifact and updates the service directly, letting ECS perform a rolling update across the Availability Zones with no custom code. Option B is wrong because a Lambda function calling UpdateService reimplements what the built-in action already does and adds code to maintain. Option C is wrong because a console update is manual and defeats the purpose of the pipeline. Option D is wrong because a CloudFormation stack update works but is heavier for frequent image-only updates than the native ECS action.

22
MCQ · hard

A developer is using AWS CodePipeline with multiple actions in a stage. The pipeline has a build action that produces artifacts, followed by a deploy action. The developer wants to ensure that if the deploy action fails, the pipeline stops and does not continue to the next stage. How can they achieve this?

A.Configure the deploy action to 'Abort' on failure.
B.Set the runOrder for the deploy action to 'Blocked'.
C.No additional configuration is needed; the pipeline stops on failure by default.
D.Set the pipeline's execution mode to 'PARALLEL'.
Answer: C

CodePipeline stops by default when an action fails.

Why this answer

Option C is correct because by default, if an action fails, the pipeline stops and does not proceed. No additional configuration is needed. Option B is incorrect because there is no 'Blocked' setting.

Option A is incorrect because 'Abort' is not a pipeline action configuration. Option D is incorrect because the pipeline already stops on failure by default.

23
MCQ · hard

Refer to the exhibit. A developer deploys this CloudFormation template. After deployment, the S3 bucket is created but the developer notices that the lifecycle rule does not appear in the bucket's management console. What is the most likely cause?

A.The lifecycle rule is missing the 'Prefix' property, causing it to be invalid.
B.The lifecycle rule must have a 'Transitions' property.
C.The VersioningConfiguration is incorrectly specified.
D.The bucket name contains an account ID, which is not allowed.
Answer: A

S3 lifecycle rules require a Prefix; if omitted, it defaults to empty, but some consoles may not display it.

Why this answer

Option A is correct because lifecycle rules require the prefix to be specified; if omitted, the rule applies to the entire bucket but may not show in the console due to a display issue. However, the rule should be active. Option C is wrong because VersioningConfiguration is correct.

Option B is wrong because the rule does not require a 'Transitions' property. Option D is wrong because the bucket name is unique.

24
MCQ · easy

A developer is deploying a static website to Amazon S3 and wants to use Amazon CloudFront for content delivery. The developer wants to ensure that only CloudFront can access the S3 bucket. Which S3 bucket policy should the developer use?

A.Use a bucket policy that allows access only if the Referer header matches the CloudFront distribution domain.
B.Make the bucket public and use CloudFront's default caching.
C.Grant CloudFront access by allowing the CloudFront IP address range.
D.Grant CloudFront access via an origin access identity (OAI) and restrict the bucket policy to the OAI.
Answer: D

OAI ensures only CloudFront can access the bucket.

Why this answer

Option D is correct because an Origin Access Identity (OAI) is a special CloudFront user that you can associate with your distribution. By configuring the S3 bucket policy to grant access only to that OAI, you ensure that direct S3 requests are denied, and only requests routed through CloudFront can retrieve objects. This provides a secure, private origin without exposing the bucket publicly.

Exam trap

The trap here is that candidates often choose IP-based restrictions (Option C) or Referer header checks (Option A) because they seem simpler, but AWS explicitly recommends OAI for secure S3 origin access in CloudFront, and the exam tests this best practice.

How to eliminate wrong answers

Option A is wrong because the Referer header can be easily spoofed by clients, so it does not provide a reliable security mechanism to restrict access exclusively to CloudFront. Option B is wrong because making the bucket public defeats the purpose of restricting access to CloudFront only, and anyone with the S3 URL can bypass CloudFront entirely. Option C is wrong because CloudFront IP address ranges are shared with other AWS services and can change without notice, making this approach both insecure and difficult to maintain; it also does not prevent direct access from other sources within the same IP range.

25
MCQ · medium

A team uses AWS CodeBuild to run automated tests. The buildspec.yaml file contains a 'pre_build' phase that sets environment variables. During a build, the build fails with "Error: Cannot find module 'express'" when running a Node.js application. The application's package.json is in the source root. What is the most likely cause?

A.The Node.js runtime version is incompatible with the express module.
B.The environment variable NODE_ENV is set to production, which skips devDependencies.
C.The buildspec does not include a command to run 'npm install' in the install or pre_build phase.
D.The package.json file is not in the source root directory.
Answer: C

Without npm install, dependencies are not installed.

Why this answer

Option C is correct because if the npm install command is missing in the buildspec, dependencies are not installed. Option D is wrong because package.json is present. Option B is wrong because the environment variable would affect the install command, not cause a missing module.

Option A is wrong because the Node.js runtime is available.

26
MCQ · hard

A company deploys a microservices application using AWS CloudFormation. Each microservice is deployed as a separate stack. The developer wants to pass the output values (e.g., API endpoint URLs) from one stack to another. Which CloudFormation feature should be used?

A.Custom resources with Lambda
B.Stack outputs
C.Nested stacks
D.Cross-stack references using Export and ImportValue
Answer: D

Exports allow values to be imported by other stacks.

Why this answer

Option D is correct because cross-stack references using Fn::ImportValue and Export allow you to pass outputs from one stack to another. Option C is wrong because nested stacks are for hierarchical dependencies, not independent stacks. Option B is wrong because Outputs are not automatically available to other stacks.

Option A is wrong because custom resources are for custom logic, not simple value passing.

27
MCQ · hard

A company has a production environment using AWS Elastic Beanstalk with a multi-container Docker platform. The application consists of a PHP web server and a Redis cache, each running in separate containers. The deployment uses a rolling update policy with a batch size of 1. Recently, during deployments, some users experience intermittent 502 Bad Gateway errors for about 30 seconds. The errors occur when the old containers are terminated and new containers are not yet ready to serve traffic. The development team wants to eliminate this downtime without increasing the deployment time significantly. The team has access to modify the Elastic Beanstalk environment configuration and the Dockerrun.aws.json file. Which action should the team take to resolve the issue?

A.Increase the batch size to 2 to reduce the number of deployment cycles.
B.Configure a health check grace period in the Elastic Beanstalk environment to delay load balancer registration until the containers are healthy.
C.Change the deployment policy to 'All at once' to complete the deployment faster.
D.Reduce the health check interval on the load balancer to detect healthy instances faster.
Answer: B

Grace period prevents routing traffic to instances that are not yet healthy.

Why this answer

Option B is correct because adding a health check grace period allows the new instances to stabilize before being registered with the load balancer, preventing 502 errors. Option A is incorrect because increasing the batch size would cause more downtime. Option C is incorrect because switching to all-at-once would cause full downtime.

Option D is incorrect because reducing the health check interval would make the load balancer check more frequently, potentially causing premature routing to unhealthy instances.

28
Multi-Select · hard

A developer is using AWS CodeDeploy to deploy an application to an Amazon EC2 Auto Scaling group. The deployment fails because the CodeDeploy agent on the instances is not running. Which TWO steps should the developer take to resolve this issue? (Choose TWO.)

A.Attach an IAM role to the instances that allows CodeDeploy actions.
B.Install the CodeDeploy agent on the instances.
C.Start the CodeDeploy agent service on the instances.
D.Reboot the instances.
E.Add a script in the Auto Scaling group's launch configuration user data to install the agent.
Answers: B, C

Agent must be installed to run.

Why this answer

Options B and C are correct. B: Installing the agent ensures it's present. C: Starting the agent makes it operational.

Option E is wrong because user data runs at launch, not on existing instances. Option D is wrong because restarting the instance may not start the agent if it's not installed. Option A is wrong because IAM roles are necessary but don't start the agent.

29
MCQ · medium

A company uses CodePipeline to deploy a web application to Elastic Beanstalk. The deployment fails at the Build stage with an error 'BUILD FAILED'. Which step should the developer take first to troubleshoot?

A.Review the buildspec.yml file for syntax errors
B.Verify the CodeDeploy application revision
C.Examine the Elastic Beanstalk environment logs
D.Check AWS CloudTrail for API calls
Answer: A

The buildspec.yml defines build commands; errors there cause build failure.

Why this answer

The error 'BUILD FAILED' indicates an issue during the build phase. The buildspec.yml file defines the build commands. Checking it is the first logical step.

Option A is correct because the buildspec.yml is the configuration for CodeBuild. Option D (CloudTrail) is for API auditing, not build errors. Option B (CodeDeploy) is for deployment, not build.

Option C (Elastic Beanstalk logs) is for runtime, not build.

30
Multi-Select · medium

A developer is using AWS CodePipeline to automate the deployment of a microservices application. The pipeline consists of a source stage (GitHub), a build stage (AWS CodeBuild), and a deploy stage (Amazon ECS). The developer wants to ensure that only approved changes are deployed to production. Which THREE actions should the developer take? (Choose THREE.)

A.Configure the pipeline to automatically deploy every commit to production.
B.Deploy all feature branches directly to production.
C.Add a manual approval step before the deploy stage.
D.Use separate pipelines for different environments (e.g., dev, staging, prod).
E.Implement integration tests in the build stage to catch errors early.
Answers: C, D, E

Manual approval ensures human review.

Why this answer

Options C, D, and E are correct. Manual approval gates, separate pipelines, and integration testing are best practices. Option A is wrong because automatic deployment bypasses approval.

Option B is wrong because deploying all branches to production is risky.

31
Drag & Drop · medium

Drag and drop the steps to set up a CI/CD pipeline using AWS CodePipeline in the correct order.


Why this order

First set up artifact storage, then source repository, build project, deployment target, and finally the pipeline.

32
MCQ · hard

A company has a legacy application that runs on an Amazon EC2 instance. The developer is tasked with containerizing the application and deploying it on Amazon ECS with Fargate. The application writes logs to a local file. What should the developer do to ensure logs are available in Amazon CloudWatch Logs?

A.Modify the application to write logs to stdout, as ECS automatically captures stdout to CloudWatch Logs.
B.Install the CloudWatch Agent inside the container and configure it to tail the log file.
C.Configure the ECS task definition to use the 'awslogs' log driver and specify the log group.
D.Mount an Amazon S3 bucket and write logs to S3, then use a Lambda function to send them to CloudWatch.
Answer: C

The awslogs log driver sends container stdout/stderr to CloudWatch Logs.

Why this answer

Option C is correct because using the awslogs log driver sends container logs to CloudWatch Logs. Option B is wrong because the CloudWatch Agent inside the container is less efficient. Option A is wrong because ECS does not send logs automatically.

Option D is wrong because S3 is not a direct log destination.

33
MCQ · hard

A developer uses CodePipeline to deploy a new task definition to an ECS service. The pipeline fails with an access denied error when updating the service. Which missing permission is the most likely cause?

A.Missing iam:PassRole permission for the task execution role used by the new task definition
B.Missing ecs:UpdateService permission for the service resource
C.Missing ecs:DescribeServices permission
D.Missing ecs:RegisterTaskDefinition permission for the new task definition
Answer: A

When updating a service, ECS needs to pass the task execution role, which requires iam:PassRole on that role.

Why this answer

The error occurs when updating the ECS service with a new task definition. The ecs:UpdateService action requires the iam:PassRole permission for the task execution role that the new task definition uses. The policy only allows iam:PassRole for a specific role, but the new task definition might reference a different role.

Option A is correct because the policy does not allow passing the specific role referenced in the new task definition. Option B is incorrect because ecs:UpdateService is allowed. Option C is incorrect because describe is allowed.

Option D is incorrect because there is no condition.

34
MCQ · medium

A developer is deploying a serverless application using AWS SAM. The application includes an AWS Lambda function that is triggered by an S3 bucket event when an object is created. The developer wants to ensure that the Lambda function has the correct permissions to be invoked by S3. Which resource should the developer define in the SAM template?

A.AWS::Lambda::Permission
B.AWS::S3::BucketPolicy
C.AWS::Lambda::EventSourceMapping
D.AWS::IAM::Role
Answer: A

Correct. This resource explicitly grants the S3 service principal permission to invoke the Lambda function.

Why this answer

AWS::Lambda::Permission is the correct resource because it explicitly grants the S3 service principal permission to invoke the Lambda function when an object is created. In AWS SAM, this resource is automatically generated when you define an S3 event source on a Lambda function, but if you need to declare it manually or override permissions, you use AWS::Lambda::Permission with a SourceArn pointing to the S3 bucket and a SourceAccount to prevent confused deputy attacks.

Exam trap

The trap here is that candidates confuse the Lambda execution role (IAM::Role) with the invocation permission (Lambda::Permission), or mistakenly think S3 uses a bucket policy or event source mapping to trigger Lambda, when in fact S3 uses a push-based notification that requires a resource-based policy on the Lambda function.

How to eliminate wrong answers

Option B is wrong because AWS::S3::BucketPolicy controls access to the S3 bucket itself (e.g., who can read/write objects), not who can invoke a Lambda function; S3 uses a Lambda resource-based policy, not a bucket policy, to trigger invocations. Option C is wrong because AWS::Lambda::EventSourceMapping is used for poll-based event sources like DynamoDB Streams, Kinesis, or SQS, not for S3 event notifications, which are push-based and do not require an event source mapping. Option D is wrong because AWS::IAM::Role defines the execution role for the Lambda function (what the function can do), not the permissions for S3 to invoke the function; invocation permissions are handled via a resource-based policy on the Lambda function itself.

35
MCQ · easy

A developer is using the AWS CLI to deploy a new version of a Lambda function. The developer runs the following command: `aws lambda update-function-code --function-name my-function --zip-file fileb://my-code.zip`. After the command completes, the developer checks the function and sees that the code has been updated but the version number is still $LATEST. The developer wants to create a new version so that the previous version is preserved. What should the developer do next?

A.Run the update-function-code command again with the --publish flag.
B.Run the delete-function command and then create-function with the updated code.
C.Run the publish-version command to create a new version from the updated $LATEST.
D.Run the update-function-configuration command to set the version number.
Answer: C

This command creates a new version from the current $LATEST code.

Why this answer

Option C is correct because the `update-function-code` command without the `--publish` flag only updates the `$LATEST` version of the Lambda function. To create an immutable, numbered version that preserves the previous code, the developer must explicitly run the `publish-version` command, which takes the current `$LATEST` code and publishes it as a new version (e.g., version 2). This ensures the previous version (version 1) remains unchanged and can be referenced via its version ARN.

Exam trap

The trap here is that candidates assume the `update-function-code` command automatically creates a new version, but it only updates `$LATEST` unless the `--publish` flag is explicitly used, leading them to incorrectly choose Option A or D.

How to eliminate wrong answers

Option A is wrong because the `--publish` flag is used with `update-function-code` to publish a new version in a single step, but running the command again without it will not retroactively publish the already-updated `$LATEST`; it would simply re-upload the same code. Option B is wrong because deleting and recreating the function is unnecessary and destructive—it removes all existing versions, aliases, and event source mappings, which is not required to simply create a new version from the updated code. Option D is wrong because `update-function-configuration` modifies settings like memory, timeout, or environment variables, not the version number; version numbers are immutable and can only be created via `publish-version` or the `--publish` flag during code update.

36
MCQ · hard

A developer is using AWS CloudFormation to deploy a stack that includes an Amazon RDS DB instance. The developer wants to update the DB instance to a larger instance type without causing downtime. The current template has DeletionPolicy set to 'Delete'. What should the developer do?

A.Take a snapshot of the DB instance and restore it to a larger instance type.
B.Use a blue/green deployment by creating a new stack with the larger instance type and updating the application to point to the new database.
C.Change the DeletionPolicy to 'Retain' and update the stack.
D.Create a read replica with the larger instance type and promote it.
Answer: B

Blue/green deployment minimizes downtime by switching to a new stack.

Why this answer

Option B is correct because a blue/green deployment allows you to create a new stack with the larger DB instance type in a separate environment (green), then switch the application traffic to the new database with minimal downtime. This approach avoids the downtime associated with in-place modifications, as CloudFormation updates to RDS instance types typically require a reboot, which causes an outage. By using a blue/green deployment, the developer can validate the new instance and cut over seamlessly.

Exam trap

The trap here is that candidates assume CloudFormation stack updates can resize RDS instances without downtime, but in reality, modifying the DBInstanceClass requires a reboot, making blue/green deployments the only zero-downtime option among the choices.

How to eliminate wrong answers

Option A is wrong because taking a snapshot and restoring to a larger instance type involves significant downtime during the restore process, and does not provide a zero-downtime update path. Option C is wrong because changing the DeletionPolicy to 'Retain' only affects stack deletion behavior, not updates; updating the stack with a larger instance type still triggers a reboot and downtime. Option D is wrong because promoting a read replica requires breaking replication and incurs downtime during the promotion process, and read replicas are not designed for zero-downtime instance type changes.

37
MCQ · hard

An Elastic Beanstalk deployment must avoid downtime and create a full new set of instances before swapping traffic, accepting higher temporary cost. Which policy fits?

A.All at once
B.Rolling
C.Immutable
D.Traffic splitting disabled
Answer: C

Correct for the stated requirement.

Why this answer

Immutable deployment is correct because it creates a fully new set of instances in a separate Auto Scaling group, then swaps the Elastic Load Balancer (ELB) traffic to the new environment in a single atomic action. This ensures zero downtime and a complete rollback capability by simply reverting to the old environment, at the cost of running double the instances temporarily.

Exam trap

The trap here is that candidates confuse 'Rolling' with 'Immutable' because both avoid downtime, but Rolling modifies existing instances in batches and does not create a full parallel environment, whereas Immutable creates a completely separate fleet before the traffic switch.

How to eliminate wrong answers

Option A is wrong because 'All at once' deploys the new version to all existing instances simultaneously, causing downtime during the deployment and not creating a full new set of instances before traffic swap. Option B is wrong because 'Rolling' updates instances in batches, which avoids downtime but does not create a full new set of instances; it modifies existing instances, so rollback is slower and not atomic. Option D is wrong because 'Traffic splitting disabled' is not a valid Elastic Beanstalk deployment policy; traffic splitting is a feature for canary testing, and disabling it does not define a deployment method that creates a new instance set before swapping.

38
MCQ · medium

A company uses AWS Elastic Beanstalk to deploy a Python web application. After a successful deployment, the environment's health turns 'Severe' and the application returns HTTP 502 errors. What is the most likely cause?

A.The EC2 instances have insufficient storage for the deployment.
B.The application's requirements.txt file is missing a required dependency.
C.The load balancer's health check path is incorrectly configured.
D.The RDS database connection string is incorrect.
Answer: B

Missing dependency causes the application to fail to start, resulting in a 502 Bad Gateway from the proxy.

Why this answer

Option B is correct because if the application's dependencies (e.g., Python packages) are not included or installed, the application fails to start, causing a 502 error. Option C is incorrect because an incorrectly configured load balancer would cause 503 or 504 errors. Option A is incorrect because exceeding instance storage would cause disk full errors, not 502.

Option D is incorrect because RDS connection string misconfiguration would cause application errors but not necessarily 502; the web server would still respond.

39
Multi-Select · medium

A developer wants separate dev and prod CloudFormation deployments from the same template. Which two practices help?

A.Use parameters or mappings for environment-specific values
B.Hardcode production ARNs throughout the template
C.Use separate stacks or stack names per environment
D.Use the root account for deployments
Answers: A, C

Correct for the stated requirement.

Why this answer

Option A is correct because CloudFormation parameters and mappings allow you to inject environment-specific values (e.g., instance types, AMI IDs, security group IDs) into a single template without modifying the template itself. Parameters prompt for input at stack creation, while mappings provide a static lookup table keyed by environment (e.g., using the `AWS::Region` pseudo-parameter or a user-defined key). This keeps the template reusable and avoids hardcoding values that differ between dev and prod.

Exam trap

The trap here is that candidates might think hardcoding ARNs is acceptable for production stability, but the exam tests the principle of parameterizing environment-specific values to maintain a single, reusable template across multiple environments.

40
MCQ · medium

A developer is deploying an application using AWS Elastic Beanstalk with a Docker platform. The developer wants to minimize downtime during deployments and ensure that the new version is fully tested before routing traffic to it. Which deployment policy should the developer choose?

A.All at once.
B.Rolling with additional batch.
C.Immutable.
D.Traffic splitting.
Answer: D

Correct. Traffic splitting allows incremental traffic shifting, enabling canary testing. The developer can start with a small percentage, verify, and then increase to 100% with minimal risk.

Why this answer

Traffic splitting (option D) is correct because it allows the developer to gradually shift a percentage of traffic from the old application version to the new version, enabling canary testing. This minimizes downtime by ensuring the new version is fully validated before receiving full traffic, and it aligns with the requirement to test the new version before routing all traffic to it.

Exam trap

The trap here is that candidates often confuse 'Immutable' (blue/green) with canary deployments, but immutable swaps all traffic at once after the new instances are healthy, whereas traffic splitting allows gradual traffic shifting and testing before full cutover.

How to eliminate wrong answers

Option A is wrong because 'All at once' deploys the new version to all instances simultaneously, causing full downtime during the deployment and no gradual testing. Option B is wrong because 'Rolling with additional batch' updates instances in batches but does not provide a mechanism to test the new version with a subset of traffic before completing the deployment; it still replaces instances without a canary phase. Option C is wrong because 'Immutable' deploys a completely new set of instances and then swaps traffic, which minimizes downtime but does not allow testing the new version with a controlled traffic percentage before the full swap; it is a blue/green approach, not a canary.

41
MCQ · hard

A company is using AWS CodeDeploy to deploy a web application to an Auto Scaling group. The deployment fails with the error: 'The overall deployment failed because too many individual instances failed deployment, too few healthy instances are available, or some instances in your deployment group are experiencing problems.' The application is deployed to a t2.micro instance with 1 GB of RAM. The deployment uses an in-place update with a deployment configuration that has a minimum of 1 healthy host. What is the most likely cause of the failure?

A.The application uses too much memory, causing the instance to become unhealthy during deployment.
B.The instance does not have enough disk space to download the application revision.
C.The CodeDeploy agent timed out because the deployment took longer than 30 minutes.
D.The IAM role for the CodeDeploy agent does not have sufficient permissions to deploy the application.
Answer: A

t2.micro has only 1 GB RAM; high memory usage can cause health checks to fail.

Why this answer

Option A is correct because the t2.micro instance has limited memory, and the application may cause out-of-memory errors during deployment. Option C is wrong because the CodeDeploy agent timeout is typically 30 minutes, but the error mentions 'too few healthy instances', not a timeout. Option D is wrong because IAM role permissions would cause a different error.

Option B is wrong because insufficient disk space is less likely given the instance type has 8 GB EBS.

42
MCQ · medium

A company uses AWS CodeDeploy to deploy a web application to an Auto Scaling group. The deployment fails with a 'ScriptMissing' error. What is the most likely cause?

A.The deployment group is not configured for an Auto Scaling group.
B.The buildspec.yml file is missing from the application root.
C.The application revision is not stored in an S3 bucket.
D.The lifecycle event hook script referenced in appspec.yml is not present.
Answer: D

Missing script causes ScriptMissing error.

Why this answer

The correct answer is D. CodeDeploy requires a scripts directory with lifecycle event hooks. If the appspec.yml references a script that is missing, the deployment fails with ScriptMissing.

Option B is incorrect because CodeDeploy does not require a buildspec.yml. Option A is incorrect because the deployment group can be for an ASG. Option C is incorrect because the revision must be in a bucket in the same region.

43
MCQ · medium

A company uses AWS CodeDeploy to deploy applications to an Auto Scaling group. The deployment is failing with the error 'The overall deployment failed because too many individual instances failed deployment, too few healthy instances are available, or some instances in your deployment group are experiencing problems.' The deployment configuration is CodeDeployDefault.OneAtATime. The Auto Scaling group has 4 instances. What is the most likely cause?

A.The first instance in the deployment fails, and the deployment stops because only one instance is deployed at a time.
B.The CodeDeploy agent on the instances is not running.
C.The target group health checks are misconfigured.
D.The Auto Scaling group is scaling down during deployment.
Answer: A

OneAtATime deploys to one instance; if it fails, deployment fails immediately.

Why this answer

Option A is correct because with OneAtATime, if the first instance fails, the deployment stops and fails. Option D is wrong because the error indicates a deployment failure, not an Auto Scaling issue. Option B is wrong because even if the CodeDeploy agent is outdated, it would not cause a healthy host error.

Option C is wrong because the error mentions too few healthy instances, not misconfigured target groups.

44
MCQ · hard

A developer is deploying a serverless application using AWS SAM. The application includes an API Gateway HTTP API and multiple Lambda functions. The developer wants to implement a gradual deployment strategy where 10% of traffic is shifted to the new version, and if no errors occur, the remaining traffic is shifted after 5 minutes. The developer has defined the deployment preference in the SAM template. However, after deploying, the developer notices that the traffic shift happens immediately and not gradually. The SAM template includes the following configuration for one of the Lambda functions: `DeploymentPreference: Type: Linear10PercentEvery5Minutes`. The developer has confirmed that the Lambda function version is being updated. What is the MOST likely reason the gradual deployment is not working?

A.The developer did not create a Lambda alias for the function.
B.The API Gateway integration is pointing to the Lambda function without specifying a version or alias.
C.The developer did not enable canary deployment in the API Gateway stage.
D.The Lambda function is using the default version, which cannot be used with gradual deployments.
Answer: B

Without a version or alias, API Gateway uses $LATEST, ignoring traffic shifting.

Why this answer

Option B is correct because for gradual deployments to work with API Gateway HTTP API, the Lambda function must be integrated using the function's ARN with the version number (e.g., my-function:1), not the function name alone. If the integration uses the function name (without version), API Gateway always invokes the $LATEST version, bypassing the traffic shifting. Option C is incorrect because CodeDeploy is automatically used when DeploymentPreference is set in SAM.

Option A is incorrect because the Lambda alias is created by SAM for traffic shifting; if the alias were not created, the deployment would fail. Option D is incorrect because the default version is $LATEST, but the issue is with how API Gateway invokes the function.

45
MCQ · medium

A developer has set up an AWS CodePipeline pipeline that automatically deploys a web application through a series of stages: Source, Build, Staging, and Production. The developer wants to require a manual approval before the pipeline proceeds to the Production stage. How should the developer implement this?

A.Add a manual approval action in the Staging stage
B.Add a manual approval action between the Staging and Production stages
C.Configure the Production stage to use a CloudFormation change set with execution role
D.Use an SNS topic to notify developers of the deployment
Answer: B

Correct. A manual approval action placed as a separate stage or as an action in the transition between stages pauses the pipeline until approval is granted.

Why this answer

Option B is correct because AWS CodePipeline supports manual approval actions that can be added as a stage or between stages to pause the pipeline and require explicit approval before proceeding. By placing the manual approval action between the Staging and Production stages, the pipeline will halt after the Staging stage completes and wait for an approver to manually approve the transition to the Production stage, ensuring no automatic deployment to production occurs without human oversight.

Exam trap

The trap here is that candidates may think a manual approval action must be placed inside a stage (like Staging) rather than as a separate stage between stages, but CodePipeline allows stages to be ordered sequentially, and the approval action must be in its own stage or at the end of a stage to block the transition to the next stage.

How to eliminate wrong answers

Option A is wrong because adding a manual approval action in the Staging stage would pause the pipeline during the Staging stage itself, not between Staging and Production, so the deployment would proceed to Production automatically after the Staging stage completes, defeating the requirement. Option C is wrong because configuring the Production stage to use a CloudFormation change set with execution role does not introduce a manual approval step; it only controls how CloudFormation executes changes, not a human approval gate. Option D is wrong because using an SNS topic to notify developers of the deployment does not block the pipeline; it only sends notifications, so the pipeline would continue to Production without any manual approval.

46
MCQ · hard

A team uses AWS CodePipeline to deploy a microservices application to Amazon ECS. The pipeline has a Source stage (GitHub), a Build stage (CodeBuild), and a Deploy stage (ECS). During a deployment, the pipeline fails at the Deploy stage with the error: 'Action execution failed: Deployment failed. The service my-service has reached the maximum number of tasks.' The service is configured with a desired count of 2 and a maximum percent of 200%. What is the most likely cause of this failure?

A.The task definition references a memory value that exceeds the available container instance memory.
B.There are already 4 tasks running for the service, which is the maximum allowed by the deployment configuration.
C.The service's minimum healthy percent is set too high, preventing new tasks from starting.
D.The pipeline is trying to deploy to an ECS cluster that has reached its Amazon EC2 instance limit.
Answer: B

The maximum percent of 200% allows up to 4 tasks (2 * 200%). If 4 tasks are already running, the new deployment cannot start more.

Why this answer

Option B is correct because the error indicates the service has reached the maximum number of tasks. With a desired count of 2 and a maximum percent of 200%, ECS allows up to 4 tasks during deployment (2 * 200% = 4). If there are already 4 tasks running (e.g., due to a previous deployment that did not complete), the new deployment cannot start additional tasks.

Option A is incorrect because insufficient memory would cause a different error (task failure). Option C is incorrect because the maximum percent is already set to 200%, which allows for rolling updates. Option D is incorrect because the pipeline is not related to EC2 instance limits; the service uses the Fargate or EC2 launch type, but the error is about task count.

47
MCQ · easy

A company wants to deploy a serverless application using AWS Lambda and API Gateway. The deployment process must support automatic rollbacks if the new version fails CloudWatch alarms. Which AWS service should be used to orchestrate this deployment?

A.AWS Elastic Beanstalk
B.AWS CodeDeploy
C.AWS CloudFormation with a change set
D.AWS CodePipeline
Answer: B

CodeDeploy supports Lambda canary/linear deployments and automatic rollback based on CloudWatch alarms.

Why this answer

Option B is correct. AWS CodeDeploy can be used with Lambda to perform canary or linear deployments and automatically roll back based on CloudWatch alarms. Option C is wrong because CloudFormation does not natively support canary deployments or automatic rollback based on alarms for Lambda.

Option A is wrong because AWS Elastic Beanstalk is for web applications, not serverless. Option D is wrong because AWS CodePipeline orchestrates build/test/deploy but does not handle canary deployments and rollback itself.

48
MCQ · hard

A developer is deploying a microservice to Amazon ECS using Fargate. The service needs to be accessible from the internet via an Application Load Balancer. The developer creates the ECS service with a network load balancer by mistake. What is the minimal change required to fix the deployment?

A.Create a new target group for the ALB and update the ECS service to use it.
B.Update the ECS service to point to the ALB listener.
C.Change the existing target group to use ALB protocol.
D.Delete the ECS service and recreate it with an ALB.
Answer: A

Updating the service to use a new target group is a minimal change.

Why this answer

The minimal change is to create a new target group configured for the Application Load Balancer (ALB) and update the ECS service to use it. An ECS service with Fargate must be associated with a target group that matches the load balancer type; since the service was created with a Network Load Balancer (NLB), its existing target group uses TCP/TLS protocols. Creating an ALB-compatible target group (HTTP/HTTPS) and reassigning it to the service corrects the mismatch without deleting the service.

Exam trap

The trap here is that candidates assume you can modify the existing target group's protocol or simply point the service to the ALB listener, but AWS requires a target group of the correct type to be explicitly associated with the ECS service.

How to eliminate wrong answers

Option B is wrong because updating the ECS service to point to the ALB listener does not change the underlying target group; the service still references an NLB target group, causing a protocol mismatch. Option C is wrong because you cannot change an existing target group's protocol from TCP/TLS (NLB) to HTTP/HTTPS (ALB); target groups are immutable after creation and tied to the load balancer type. Option D is wrong because deleting and recreating the ECS service is not minimal; the service can be updated in place by specifying a new target group.

49
MCQ · easy

A company uses AWS CloudFormation to manage infrastructure. The development team wants to deploy a new version of a Lambda function without downtime. The function is part of a stack. Which action should the team take?

A.Create a change set and execute it after the current stack is deleted.
B.Update the CloudFormation stack with the new function code and deploy the stack update.
C.Manually update the Lambda function code in the console and then update the stack.
D.Create a new CloudFormation stack for the new function and delete the old stack.
Answer: B

CloudFormation updates handle resource replacement; using Lambda aliases can ensure zero downtime.

Why this answer

Option B is correct: CloudFormation supports stack updates; updating the Lambda function resource in the template and performing a stack update will replace the function with zero downtime if the function is behind an alias. Option D (create a new stack) leaves the old stack in place. Option A (change set) is just a review.

Option C (manual update) bypasses CloudFormation.

50
MCQ · hard

A company uses AWS Elastic Beanstalk to deploy a web application. The development team wants to test a new feature by routing a small percentage of traffic to a separate environment before fully rolling out. Which Elastic Beanstalk deployment strategy should the developer use?

A.Rolling deployment
B.Blue/green deployment
C.Immutable deployment
D.All at once deployment
Answer: B

Blue/green deployment creates a separate environment (green) where the new version runs. Then you can perform a CNAME swap to route all traffic at once, or use Route 53 weighted routing to split traffic gradually.

Why this answer

Blue/green deployment is the correct strategy because it allows you to route a small percentage of traffic to a separate environment (the 'green' environment) by swapping the CNAME record or using Elastic Beanstalk's environment URL swap feature. This enables testing the new feature with a subset of users before fully rolling out to the 'blue' environment, minimizing risk and enabling quick rollback if issues arise.

Exam trap

The trap here is that candidates confuse rolling deployment with blue/green deployment, mistakenly thinking rolling deployment can route traffic to a separate environment, when in fact rolling deployment updates instances within the same environment and does not provide a separate testing environment for traffic routing.

How to eliminate wrong answers

Option A is wrong because rolling deployment updates instances in batches within the same environment, which does not provide a separate environment for testing a new feature with a small percentage of traffic; it gradually replaces the existing version across all instances. Option C is wrong because immutable deployment launches a new set of instances with the new version in a separate Auto Scaling group, but it does not support routing a small percentage of traffic to the new version; it either fully replaces the old environment or fails. Option D is wrong because all at once deployment updates all instances simultaneously in the same environment, causing downtime and no ability to test with a subset of traffic.

51
Multi-Select · medium

A company is deploying a new web application on Amazon EC2 instances behind an Application Load Balancer. The application must be deployed with no downtime. The deployment uses AWS CodeDeploy with a Blue/Green deployment configuration. Which TWO actions should be taken to achieve zero-downtime deployment? (Choose TWO.)

Select 2 answers
A.Create a new load balancer for the new environment.
B.Create a new Auto Scaling group with the new application version and register it with the ALB.
C.Update the existing Auto Scaling group with the new application version.
D.Terminate the old EC2 instances immediately after deploying the new ones.
E.Gradually shift traffic from the old environment to the new environment using the ALB.
Answers: B, E

This creates the new environment for testing.

Why this answer

Options B and E are correct. B: The new environment must be created and fully tested before traffic is shifted. E: If the new environment passes tests, traffic is shifted to it.

Option D is wrong because terminating old instances immediately would cause downtime if the new environment fails. Option C is wrong because the new environment should be created first, not updated in-place. Option A is wrong because the load balancer is already in place; you should register the new instances with the existing ALB.

52
MCQ · hard

The exhibit shows an IAM policy attached to a user who needs to deploy applications using AWS CodeDeploy. The user reports that they cannot create a deployment for the MyApplication/MyDeploymentGroup. What is the most likely reason?

A.The policy restricts the user to a different deployment group.
B.The user does not have permission to call the codedeploy:CreateDeployment action.
C.The user does not have permission to call codedeploy:GetDeployment and codedeploy:GetDeploymentGroup.
D.The policy does not include permission on the application resource.
Answer: D

CreateDeployment requires access to the application resource as well.

Why this answer

Option D is correct because the CreateDeployment action requires permission on the deployment group resource, but also requires permission on the application resource (arn:aws:codedeploy:region:account:application:MyApplication). The policy only grants on the deployment group, not the application. Option B is wrong because the actions are allowed.

Option C is wrong because GetDeployment and GetDeploymentGroup are allowed. Option A is wrong because the policy does not restrict the deployment group; it grants on the specific group.

53
MCQ · medium

A developer is using AWS CodeDeploy to perform a canary deployment for an AWS Lambda function. The deployment should first shift 10% of traffic to the new version, and then shift the remaining 90% after 5 minutes. Which deployment configuration should be used?

A.AllAtOnce
B.Canary10Percent5Minutes
C.Linear10PercentEvery10Minutes
D.BlueGreen
Answer: B

This configuration shifts 10% instantly and then the remainder after 5 minutes. It is the correct choice for the described canary deployment.

Why this answer

Option B is correct because the Canary10Percent5Minutes deployment configuration is specifically designed for canary deployments with AWS Lambda, shifting 10% of traffic to the new version immediately and then automatically shifting the remaining 90% after a 5-minute interval. This matches the requirement exactly, as CodeDeploy uses this predefined configuration to orchestrate the traffic shift in two steps with a built-in wait period.

Exam trap

The trap here is that candidates often confuse deployment configurations (like Canary10Percent5Minutes) with deployment types (like BlueGreen), or they misremember the exact traffic percentages and intervals, leading them to select Linear10PercentEvery10Minutes or AllAtOnce instead of the precise configuration that matches the 10% initial shift and 5-minute wait.

How to eliminate wrong answers

Option A is wrong because AllAtOnce shifts 100% of traffic to the new version immediately, with no gradual traffic shifting or canary phase, which does not meet the requirement for a 10% initial shift and a 5-minute wait. Option C is wrong because Linear10PercentEvery10Minutes shifts traffic in 10% increments every 10 minutes, which would take 90 minutes to complete the full shift and does not match the specified 5-minute wait after the initial 10% shift. Option D is wrong because BlueGreen is a deployment type, not a deployment configuration; it refers to the strategy of routing all traffic to a new environment after validation, but CodeDeploy requires a specific traffic-shifting configuration (like Canary10Percent5Minutes) to control the canary behavior within a blue/green deployment.

54
MCQ · hard

A developer is deploying a multi-container Docker application on Amazon ECS using the Fargate launch type. The application consists of a web server and a background worker. The web server must be scaled independently and must be accessible from the internet via an Application Load Balancer. The worker should not be accessible from the internet. Which ECS configuration should the developer use?

A.Create one ECS service with both containers in the same task definition, but only expose the web server port.
B.Create two separate ECS services, each with its own task definition, and place the web server in a public subnet with the worker in a private subnet.
C.Create one ECS service with two tasks, each containing one container.
D.Create one ECS service with two containers in the same task, and use a service discovery to expose the worker.
Answer: B

Correct. Separate services allow independent scaling. Placing the web server in a public subnet with an ALB provides internet access, while the worker in a private subnet remains isolated.

Why this answer

Option B is correct because it uses two separate ECS services, each with its own task definition, allowing independent scaling of the web server and worker. Placing the web server in a public subnet with an Application Load Balancer makes it internet-accessible, while the worker in a private subnet is isolated from direct internet traffic, meeting the security requirement.

Exam trap

The trap here is that candidates assume containers in the same task definition can be independently scaled or that service discovery alone provides network isolation, but in ECS, containers in the same task share the same resources and scaling lifecycle, and service discovery does not restrict internet access.

How to eliminate wrong answers

Option A is wrong because placing both containers in the same task definition forces them to be scaled together as a unit, preventing independent scaling of the web server, and exposing only the web server port does not isolate the worker from the internet since both containers share the same network namespace. Option C is wrong because creating one ECS service with two tasks, each containing one container, does not allow independent scaling of the web server and worker; the service scales all tasks together, and the worker task would still be in the same subnet as the web server unless explicitly placed in a private subnet, which is not specified. Option D is wrong because placing both containers in the same task (same task definition) again couples their scaling and lifecycle, and using service discovery (AWS Cloud Map) does not prevent the worker from being internet-accessible; service discovery only provides DNS-based service resolution within a VPC, not network isolation.

55
MCQ · easy

A developer is deploying a new version of an application to Amazon ECS using AWS CodeDeploy. The application uses a blue/green deployment strategy. After the deployment, traffic is automatically shifted to the new task set. However, the developer wants to test the new version with a small percentage of users before shifting all traffic. What should the developer do?

A.Create a new ECS task definition with a different CPU/memory allocation.
B.Use CodeDeploy to perform a canary deployment that shifts 10% of traffic initially.
C.Configure the target group to route traffic to a specific task set.
D.Use ECS service auto scaling to gradually increase the number of tasks.
Answer: B

CodeDeploy supports canary deployments for ECS, allowing gradual traffic shifting.

Why this answer

CodeDeploy supports canary deployments for ECS, which allow you to shift a specified percentage of traffic to the new task set initially (e.g., 10%) and then, after a configured interval, shift the remaining traffic. This matches the requirement to test with a small percentage of users before shifting all traffic. Option B directly implements this canary strategy.

Exam trap

The trap here is that candidates confuse 'canary deployment' (traffic shifting) with 'auto scaling' (task count scaling) or think that modifying the task definition or target group alone can achieve gradual traffic routing.

How to eliminate wrong answers

Option A is wrong because changing CPU/memory allocation in the task definition does not control traffic shifting; it affects resource provisioning and may cause deployment failures but does not route a percentage of traffic to the new version. Option C is wrong because target groups route traffic to all healthy tasks in a service, not to a specific task set; you cannot use a target group to selectively route a small percentage to one task set without additional traffic-shifting logic. Option D is wrong because ECS service auto scaling adjusts the number of tasks based on load, not the percentage of traffic directed to a new version; it does not implement a canary traffic shift.

56
MCQ · easy

A developer is deploying a web application using AWS Elastic Beanstalk. The application experiences high traffic during peak hours. The developer wants to ensure that the environment can scale out quickly without manual intervention. Which Elastic Beanstalk configuration should be used?

A.Use a scheduled scaling action to increase capacity during peak hours.
B.Manually add EC2 instances during peak hours.
C.Set the environment to use a fixed number of EC2 instances.
D.Configure Auto Scaling triggers based on CloudWatch alarms.
Answer: D

Auto Scaling triggers allow the environment to scale out based on metrics like CPU.

Why this answer

Option D is correct. Auto Scaling triggers based on CloudWatch alarms allow automatic scaling. Option C is wrong because a fixed number of instances does not scale.

Option A is wrong because time-based scaling is not dynamic. Option B is wrong because manual scaling is not automatic.

57
MCQ · medium

A company uses AWS CodeDeploy to deploy a web application to an Auto Scaling group of EC2 instances. The deployment must automatically roll back if the new application version causes health check failures for more than 20% of the instances within the first 5 minutes after deployment. Which configuration should the developer set in the deployment group?

A.Create a CloudWatch alarm that monitors the DeploymentFailure metric and configure it as a rollback trigger in the deployment group.
B.Define a lifecycle hook in the Auto Scaling group that terminates instances with failing health checks.
C.Set the deployment configuration to use a minimum healthy host percentage of 80% and a timeout of 5 minutes.
D.Configure the AppSpec file with a rollback section that specifies the health check failure threshold.
Answer: A

This is the correct method. CodeDeploy can use CloudWatch alarms as rollback triggers. When the alarm enters the ALARM state, the deployment is automatically rolled back.

Why this answer

Option A is correct because AWS CodeDeploy supports CloudWatch alarm-based rollback triggers. By creating a CloudWatch alarm that monitors the DeploymentFailure metric (or a custom metric reflecting health check failures) and configuring it as a rollback trigger in the deployment group, the deployment will automatically roll back if the alarm state is breached within the specified monitoring period (e.g., 5 minutes). This directly meets the requirement to roll back when more than 20% of instances fail health checks.

Exam trap

The trap here is that candidates often confuse deployment configuration settings (like minimum healthy hosts) with rollback triggers, not realizing that rollback triggers require explicit CloudWatch alarm integration rather than just threshold-based deployment settings.

How to eliminate wrong answers

Option B is wrong because lifecycle hooks in Auto Scaling groups control instance lifecycle actions (e.g., launch or terminate) but do not trigger a CodeDeploy rollback; they only terminate failing instances without reverting the deployment. Option C is wrong because setting a minimum healthy host percentage of 80% and a timeout of 5 minutes defines the deployment's success criteria (e.g., for blue/green or canary deployments) but does not automatically trigger a rollback upon health check failures; it only fails the deployment if the threshold is not met. Option D is wrong because the AppSpec file does not contain a 'rollback' section; rollback behavior is configured in the deployment group settings, not in the AppSpec file.

58
Multi-Select · medium

A company is deploying a new microservice using AWS Lambda and Amazon API Gateway. Which THREE steps should be included in the deployment pipeline? (Choose three.)

Select 3 answers
A.Deploy the API Gateway API to a stage.
B.Create or update the API Gateway REST API resources and methods.
C.Invalidate the Amazon CloudFront cache.
D.Update the Route 53 DNS record to point to the new API.
E.Build the Lambda function code and create a deployment package.
Answers: A, B, E

Deploying to a stage makes the API available.

Why this answer

Options A, B, and E are correct. The pipeline should include building the Lambda function code and creating the deployment package (E), creating or updating the API Gateway resources and methods (B), and deploying the API to a stage (A). Option D is wrong because updating DNS is not required.

Option C is wrong because CloudFront is not necessary.

59
MCQ · medium

A company runs a web application on AWS Elastic Beanstalk. The application currently runs in a single environment. The developer wants to deploy a new version with zero downtime and be able to test the new version thoroughly before it receives any production traffic. Which deployment strategy should the developer use?

A.Perform a rolling deployment with a batch size of one instance at a time.
B.Use an immutable deployment to launch a new set of instances and then swap the Auto Scaling group.
C.Create a new environment (green) with the new version, run tests against it, and then swap the environment URLs so that production points to the green environment.
D.Use a rolling deployment with additional batch to launch new instances before terminating old ones.
Answer: C

This is the blue/green deployment strategy. The green environment is isolated for testing. Swapping the CNAME from the blue environment to the green environment provides zero downtime and full testing.

Why this answer

Option C is correct because it describes a blue/green deployment strategy, which creates a separate 'green' environment with the new application version, allowing thorough testing before swapping the environment URLs (CNAME records) in Elastic Beanstalk. This ensures zero downtime because the swap is instantaneous and the original 'blue' environment remains untouched until the swap occurs.

Exam trap

The trap here is that candidates confuse immutable deployments (which replace instances but not the environment) with blue/green deployments (which replace the entire environment), leading them to choose Option B because both involve launching new instances, but only blue/green allows pre-production testing without traffic exposure.

How to eliminate wrong answers

Option A is wrong because a rolling deployment with a batch size of one instance at a time updates instances in-place, which still causes a brief period where old and new versions coexist and does not allow testing the new version before it receives production traffic. Option B is wrong because an immutable deployment launches a new set of instances and then swaps the Auto Scaling group, but it does not provide a separate environment for pre-production testing; the new instances immediately serve traffic after the swap. Option D is wrong because a rolling deployment with an additional batch launches new instances before terminating old ones, which reduces downtime but still updates the existing environment in-place and does not allow isolated testing of the new version before it receives traffic.

60
MCQ · easy

An organization wants to deploy a microservices architecture using AWS Lambda functions. They need to manage environment variables for each function across different stages (dev, test, prod). Which approach is the MOST secure and maintainable?

A.Use AWS Systems Manager Parameter Store with separate paths for each stage.
B.Use AWS CloudFormation parameters to pass values at deployment.
C.Hardcode the environment variables in each Lambda function code.
D.Store environment variables in the Lambda function configuration.
Answer: A

Secure, centralized, and stage-aware.

Why this answer

Option A is correct because AWS Systems Manager Parameter Store provides secure, hierarchical storage for configuration data. Option C is wrong because hardcoding is insecure. Option D is wrong because environment variables in the function configuration are not environment-specific.

Option B is wrong because CloudFormation parameters are for infrastructure, not runtime config.

61
MCQ · easy

A team uses AWS CodePipeline to automate deployments. They notice that a deployment to Amazon ECS fails because the task definition is not updated. The pipeline includes a source stage from CodeCommit, a build stage using AWS CodeBuild, and a deploy stage to Amazon ECS. What is the most likely missing step?

A.The pipeline has a manual approval step before deployment.
B.The deploy stage action is set to 'Create a new ECS service'.
C.The task definition is not registered in the Amazon ECS console.
D.The build stage does not output the updated task definition as an artifact.
Answer: D

Without the artifact, the deploy stage uses the old task definition.

Why this answer

Option D is correct because in a CodePipeline that deploys to Amazon ECS, the build stage must output the updated task definition file (typically `imagedefinitions.json` or a task definition JSON) as an artifact. Without this artifact, the deploy stage cannot reference the new task definition revision, so it continues using the old one, causing the deployment to fail.

Exam trap

The trap here is that candidates assume the task definition is automatically updated by the deploy action or that manual registration in the ECS console is required, when in fact the build stage must explicitly output the updated definition as an artifact for the pipeline to use.

How to eliminate wrong answers

Option A is wrong because a manual approval step would pause the pipeline but not affect whether the task definition is updated; it does not cause the deployment to fail due to an outdated task definition. Option B is wrong because setting the deploy stage action to 'Create a new ECS service' would create a new service instead of updating the existing one, which is not the missing step for updating the task definition. Option C is wrong because the task definition does not need to be manually registered in the ECS console; the pipeline should register it automatically via the deploy action, and the issue is that the updated definition is not passed as an artifact.

62
MCQ · medium

A company is using AWS CodePipeline to automate the deployment of a microservices application to Amazon ECS. The pipeline has the following stages: Source (GitHub), Build (CodeBuild), Deploy (ECS). The Deploy stage uses an ECS task definition and updates the service. Recently, the pipeline failed at the Deploy stage with the error: 'The task definition family is inactive.' The developer checks the ECS console and sees that the task definition family exists but is inactive. The developer also notices that the pipeline uses a parameter 'TASK_DEFINITION_FAMILY' with the value 'my-app'. What is the most likely cause?

A.The task definition family 'my-app' does not exist in the ECS cluster.
B.The environment variables in the task definition are not correctly set.
C.The IAM role for ECS does not have permission to register new task definitions.
D.The pipeline is referencing the task definition family name without a specific revision number, and the latest revision is inactive.
Answer: D

The pipeline should specify an active revision.

Why this answer

Option D is correct because CodePipeline expects a specific revision number, not just the family. When the family is inactive, it may be because the latest revision is inactive. The pipeline should reference the active revision.

Option A is wrong because the family exists. Option C is wrong because the IAM role is not related. Option B is wrong because the environment variables are likely correct.

63
Multi-Select · easy

Which THREE factors should a developer consider when choosing between a blue/green deployment and a rolling deployment for an Amazon ECS service?

Select 3 answers
A.Rolling deployments require manual intervention to rollback
B.Rolling deployments update a subset of tasks at a time, which may cause slower rollback
C.Blue/green deployments are always cheaper than rolling deployments
D.Blue/green deployments require running two versions of the application simultaneously
E.Blue/green deployments provide instant rollback by switching traffic back to the old environment
AnswersB, D, E

Rolling deployments update gradually; rollback is slower.

Why this answer

Option B is correct: a rolling deployment replaces tasks in batches, so rolling back means deploying the previous task definition through the same batches, which takes time. Option D is correct: blue/green stands up a complete second set of tasks (the green environment) next to the running set, so both versions run at once and capacity is doubled during the switch. Option E is correct: because the old tasks are still running, rollback is a load balancer listener change that points traffic back at blue. Option A is wrong because a rolling ECS deployment rolls back automatically when the deployment circuit breaker is enabled; it does not require manual intervention. Option C is wrong because the extra capacity makes blue/green more expensive during a deployment, not cheaper.

64
MCQmedium

A developer is using AWS SAM to deploy a serverless application. The SAM template defines an API Gateway REST API and several Lambda functions. During deployment, the developer receives an error: 'Resource creation cancelled' for the API Gateway resource. The developer has sufficient IAM permissions. What is the MOST likely cause?

A.The AWS account has reached the limit of API Gateway REST APIs.
B.The SAM template has a syntax error in the YAML file.
C.The SAM template does not include an AWS::Serverless::Api resource.
D.A stack policy is preventing the creation of the API Gateway resource.
AnswerD

Stack policies can explicitly deny creation of specific resources, causing cancellation.

Why this answer

Option D is correct per the key. AWS SAM is a CloudFormation transform, so a SAM deployment is a CloudFormation stack operation, and a stack policy that denies the API Gateway logical ID stops CloudFormation from acting on that resource. Practitioner check: in CloudFormation's own event reporting, 'Resource creation cancelled' is the reason attached to every resource whose creation was abandoned because a different resource in the same stack failed and the stack rolled back, while a stack policy denial (stack policies govern update actions) is reported as an action denied by the stack policy. Read the stack events in order and find the first CREATE_FAILED before blaming the policy.

Option A is wrong because exceeding the REST API quota is reported as a limit-exceeded error on the resource itself. Option B is wrong because invalid YAML is rejected at template validation, before any resource is created. Option C is wrong because SAM creates an implicit API from the functions' Api events when no AWS::Serverless::Api is declared, so its absence is not an error.

65
MCQmedium

A developer is using AWS CodeDeploy to deploy an application to an EC2 Auto Scaling group. The application must remain fully available; only one instance should be taken offline at a time. The developer wants to configure the deployment to update instances one by one, ensuring that the deployment fails fast if any instance fails to deploy. Which deployment configuration should the developer choose?

A.CodeDeployDefault.AllAtOnce
B.CodeDeployDefault.HalfAtATime
C.CodeDeployDefault.OneAtATime
D.CodeDeployDefault.BlueGreen
AnswerC

This deploys to one instance at a time, minimizing impact and providing fast failure detection.

Why this answer

Option C, CodeDeployDefault.OneAtATime, is correct because it deploys the application to one instance at a time, ensuring that only one instance is taken offline during the deployment. This satisfies the requirement for the application to remain fully available. Additionally, this configuration fails fast: if any instance fails to deploy, the deployment stops immediately, preventing further instances from being updated.

Exam trap

The trap here is that candidates may confuse deployment configurations (like OneAtATime) with deployment types (like BlueGreen), or incorrectly assume that HalfAtATime updates instances one by one when it actually updates half the fleet at a time.

How to eliminate wrong answers

Option A is wrong because CodeDeployDefault.AllAtOnce deploys to all instances simultaneously, which would take all instances offline at once and violate the requirement for only one instance to be offline at a time. Option B is wrong because CodeDeployDefault.HalfAtATime deploys to half the instances at a time, which would take more than one instance offline simultaneously, not meeting the one-at-a-time requirement. Option D is wrong because CodeDeployDefault.BlueGreen is a deployment type that shifts traffic between two environments (blue and green), not a deployment configuration that controls the number of instances updated at a time within a single Auto Scaling group; it also does not inherently provide a one-at-a-time update pattern.

66
MCQmedium

A developer is setting up a CI/CD pipeline using AWS CodePipeline to deploy an application to Amazon ECS. The pipeline has a source stage that pulls code from an AWS CodeCommit repository. The developer wants the pipeline to execute only when commits are pushed to the 'main' branch. How should the developer configure this?

A.Create an Amazon CloudWatch Events rule that triggers the pipeline only when the branch is 'main'.
B.Configure the pipeline's source stage to include the branch name in the CodeCommit action configuration.
C.Use an AWS Lambda function in the source stage to filter the branch.
D.Set a branch filter pattern in the pipeline trigger settings.
AnswerB

The CodeCommit source action in CodePipeline allows you to specify the branch name. The pipeline will automatically start on pushes to that branch.

Why this answer

Option B is correct because AWS CodePipeline allows you to specify a branch name directly in the source action configuration for CodeCommit. When you configure the source stage, you can set the 'BranchName' parameter to 'main', which ensures the pipeline only triggers on commits pushed to that specific branch. This is the simplest and most direct method to filter by branch without additional services or custom logic.

Exam trap

The trap here is that candidates might overthink the solution by considering external services like CloudWatch Events or Lambda, when the correct answer is a simple configuration option already built into the CodePipeline source stage.

How to eliminate wrong answers

Option A is wrong because an EventBridge (formerly CloudWatch Events) rule is how CodePipeline detects CodeCommit pushes, and the console creates one scoped to the branch named in the source action; the rule is an implementation detail of option B, not a separate answer, and writing your own rule that matches the event's referenceName field is only necessary when the pipeline is created outside the console. Option C is wrong because the source stage may contain only source actions, and a Lambda action placed later would run only after the execution had already started on the unwanted commit, adding latency and cost without preventing anything. Option D is wrong for a CodeCommit source: the branch is part of the source action configuration (BranchName), not a separate trigger setting; the Git trigger filters CodePipeline offers for connection-based sources such as GitHub do not apply to CodeCommit actions.

67
MCQhard

A company deploys a containerized application on Amazon ECS with Fargate launch type. The application needs to read sensitive configuration data at startup. The company requires that the data be encrypted at rest and in transit, and that the application use least-privilege permissions. Which solution meets these requirements?

A.Store the configuration data in AWS Secrets Manager and retrieve it at startup using the Secrets Manager API
B.Store the configuration data in an Amazon S3 bucket and use a pre-signed URL to download it at startup
C.Store the configuration data in environment variables within the ECS task definition
D.Store the configuration data in AWS Systems Manager Parameter Store with a SecureString parameter and retrieve it using the task IAM role
AnswerD

Parameter Store supports encryption and least-privilege access.

Why this answer

Option D is correct because a SecureString parameter is encrypted at rest with a KMS key, is read over TLS, and can be scoped with an IAM policy that allows ssm:GetParameters on that one parameter path (plus kms:Decrypt on its key) and nothing else. Option C is incorrect because environment variables in a task definition are stored and returned in plaintext by DescribeTaskDefinition, so anyone who can read the task definition reads the secret. Option A is incorrect under the question's rubric: Secrets Manager also meets the encryption and least-privilege requirements, but it is billed per secret and aimed at credentials that need rotation, so for plain configuration data the key prefers the cheaper Parameter Store.

Option B is incorrect because a pre-signed URL is a bearer token: anyone who obtains it can download the object until it expires, which is not least privilege, and S3 does not require TLS unless the bucket policy enforces aws:SecureTransport.
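The pattern behind option D, as an added example that is not part of the question bank: a Fargate task definition that has ECS inject a SecureString parameter into the container at startup, with the execution role limited to that parameter path. The parameter name /myapp/prod/db-connection, the KMS key ARN parameter, the ECR image and the log group are assumed; the SecureString itself must be created outside the template because CloudFormation cannot create SecureString parameters. Note that the injection is done by the task execution role, not the task role; the task role only needs SSM rights if the application code fetches parameters itself with the SDK.

```yaml
# Added example (not from the question bank). Assumed names: parameter
# /myapp/prod/db-connection, an existing KMS key, ECR image myapp:1.0.
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  ConfigKmsKeyArn:
    Type: String
    Description: ARN of the KMS key that encrypts the /myapp/prod/* parameters (assumed)
Resources:
  AppLogs:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: /ecs/myapp
      RetentionInDays: 30

  # Role ECS itself uses to pull the image, write logs and read the secret.
  ExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: { Service: ecs-tasks.amazonaws.com }
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
      Policies:
        - PolicyName: ReadAppConfig
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Only parameters under this path, never ssm:* on '*'
              - Effect: Allow
                Action: ssm:GetParameters
                Resource: !Sub arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/myapp/prod/*
              # Needed because the parameter is a SecureString
              - Effect: Allow
                Action: kms:Decrypt
                Resource: !Ref ConfigKmsKeyArn

  # Role the application code runs as. It deliberately has no SSM rights:
  # the value is injected by ECS, so a compromised container cannot use
  # this role to read other parameters.
  TaskRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: { Service: ecs-tasks.amazonaws.com }
            Action: sts:AssumeRole

  TaskDefinition:
    Type: AWS::ECS::TaskDefinition
    Properties:
      Family: myapp
      RequiresCompatibilities: [FARGATE]
      NetworkMode: awsvpc
      Cpu: '256'
      Memory: '512'
      ExecutionRoleArn: !GetAtt ExecutionRole.Arn
      TaskRoleArn: !GetAtt TaskRole.Arn
      ContainerDefinitions:
        - Name: web
          Image: !Sub ${AWS::AccountId}.dkr.ecr.${AWS::Region}.amazonaws.com/myapp:1.0  # assumed
          Essential: true
          PortMappings:
            - ContainerPort: 8080
          # Plaintext values here are visible to anyone who can call
          # DescribeTaskDefinition; keep only non-sensitive settings.
          Environment:
            - Name: APP_ENV
              Value: prod
          # ECS fetches the SecureString with the execution role over TLS and
          # exposes it to the process as DB_CONNECTION. Only the parameter
          # ARN, not the value, is stored in the task definition.
          Secrets:
            - Name: DB_CONNECTION
              ValueFrom: !Sub arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/myapp/prod/db-connection
          LogConfiguration:
            LogDriver: awslogs
            Options:
              awslogs-group: !Ref AppLogs
              awslogs-region: !Ref AWS::Region
              awslogs-stream-prefix: web
```

Deploy with aws cloudformation deploy and the ConfigKmsKeyArn parameter; confirm the value never appears in aws ecs describe-task-definition --task-definition myapp output, only the ARN under secrets.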

68
MCQmedium

A developer needs to package and deploy a serverless application with Lambda functions, API Gateway, and DynamoDB using concise syntax. Which framework is AWS-native for this purpose?

A.AWS Serverless Application Model
B.AWS Control Tower
C.Amazon Macie
D.AWS Backup
AnswerA

Correct for the stated requirement.

Why this answer

The AWS Serverless Application Model (SAM) is an AWS-native framework that uses a simplified YAML or JSON syntax to define and deploy serverless resources such as Lambda functions, API Gateway, and DynamoDB. It extends AWS CloudFormation, allowing developers to package and deploy with concise syntax using the `sam build` and `sam deploy` commands, making it the correct choice for this purpose.

Exam trap

The trap here is that candidates may confuse AWS SAM with general-purpose infrastructure-as-code tools like Terraform or AWS CloudFormation, but the question specifically asks for a framework with concise, AWS-native syntax for serverless applications, which SAM uniquely provides.

How to eliminate wrong answers

Option B is wrong because AWS Control Tower is a governance and multi-account management service, not a framework for packaging and deploying serverless applications. Option C is wrong because Amazon Macie is a data security and privacy service that uses machine learning to discover and protect sensitive data, not a deployment framework. Option D is wrong because AWS Backup is a centralized backup service for managing backups across AWS services, not a framework for defining or deploying serverless resources.

69
MCQmedium

A company uses AWS Elastic Beanstalk to deploy a web application. The application requires a database connection string that is different for each environment (development, staging, production). The developer wants to set these values without hardcoding them in the application code. Which configuration method should the developer use?

A.Use the .ebextensions configuration files with environment-specific snippet files
B.Use environment properties in the Elastic Beanstalk console
C.Use Amazon RDS within Elastic Beanstalk
D.Use AWS Systems Manager Parameter Store with an IAM instance profile
AnswerB

Correct. Environment properties are defined per environment and injected as environment variables into the instances, enabling different configurations across environments.

Why this answer

Option B is correct because Elastic Beanstalk environment properties inject configuration values (such as a database connection string) into the application at deployment time without hardcoding them. They are set per environment in the console, with eb setenv, or through option settings, and the application reads them as ordinary environment variables, so the same application version runs unchanged in development, staging and production. They are not a secret store, however: anyone allowed to describe the environment's configuration settings can read them, so a connection string that embeds a password is better kept in Parameter Store or Secrets Manager and referenced from the property.

Exam trap

The trap here is that candidates often overcomplicate the solution by choosing AWS Systems Manager Parameter Store (Option D) for secret management, but the question specifically asks for a configuration method within Elastic Beanstalk's native features, where environment properties are the simplest and most direct approach for non-sensitive, environment-specific values.

How to eliminate wrong answers

Option A is wrong because .ebextensions configuration files are used for customizing the Elastic Beanstalk environment (e.g., installing packages, creating files) but not for setting environment-specific database connection strings; they are static per application version, not dynamic per environment. Option C is wrong because Amazon RDS within Elastic Beanstalk is a feature that provisions a database tied to the environment, but it does not solve the problem of setting a connection string that differs per environment—the connection string is automatically generated and managed by Elastic Beanstalk, not manually configured. Option D is wrong because AWS Systems Manager Parameter Store can store secrets, but using it requires additional IAM configuration and code changes to fetch the parameter, which is more complex than the built-in environment properties; the question asks for the simplest method within Elastic Beanstalk's native capabilities.

70
MCQmedium

A developer is using AWS CloudFormation to deploy a stack that includes an Amazon S3 bucket and an AWS Lambda function. The Lambda function needs to be granted permission to read objects from the S3 bucket. Which resource should the developer define in the CloudFormation template to provide these permissions?

A.AWS::IAM::Role
B.AWS::Lambda::Permission
C.AWS::S3::BucketPolicy
D.AWS::IAM::ManagedPolicy
AnswerA

Correct. An IAM role with an appropriate policy (e.g., allowing s3:GetObject) is the correct way to grant the Lambda function permissions to read from the S3 bucket.

Why this answer

Option A is correct because the Lambda function requires an IAM role (AWS::IAM::Role) with a policy that grants s3:GetObject permissions on the S3 bucket. This role is assumed by the Lambda service at runtime, allowing the function to read objects from the bucket. The role must include a trust policy that allows lambda.amazonaws.com to assume it.

Exam trap

The trap here is that candidates often confuse resource-based policies (like S3 bucket policies or Lambda permission statements) with identity-based policies (like IAM roles), thinking a bucket policy alone can grant the Lambda function access, when in fact the Lambda function needs an IAM role with the appropriate permissions to assume and use.

How to eliminate wrong answers

Option B (AWS::Lambda::Permission) is wrong because it grants a resource-based policy to allow another AWS service or account to invoke the Lambda function, not to grant the Lambda function permissions to access S3. Option C (AWS::S3::BucketPolicy) is wrong because a bucket policy controls access to the S3 bucket from external principals, but it does not grant the Lambda function's execution role the necessary IAM permissions; while a bucket policy could be used to allow the Lambda role, the standard and recommended approach is to attach permissions to the Lambda execution role. Option D (AWS::IAM::ManagedPolicy) is wrong because it defines a reusable policy document but does not create a role; the Lambda function needs an IAM role to assume, not just a managed policy.
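Both sides of the exam trap in one template, as an added example that is not part of the question bank: the identity-based role the function assumes (trust policy for lambda.amazonaws.com, s3:GetObject limited to objects in the one bucket) and, for contrast, an AWS::Lambda::Permission that lets the S3 service invoke the function but grants the function no S3 rights at all. The bucket, role and function names are assumed; the inline handler is illustrative.

```yaml
# Added example (not from the question bank). Resource names are assumed.
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  DataBucket:
    Type: AWS::S3::Bucket
    Properties:
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

  # Identity-based side: what the function is allowed to do.
  ReaderRole:
    Type: AWS::IAM::Role
    Properties:
      # Trust policy: only the Lambda service may assume this role
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: { Service: lambda.amazonaws.com }
            Action: sts:AssumeRole
      # CloudWatch Logs only; no S3 in the managed policy
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Policies:
        - PolicyName: ReadDataBucket
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Object reads inside this one bucket, nothing else
              - Effect: Allow
                Action: s3:GetObject
                Resource: !Sub '${DataBucket.Arn}/*'
              # ListBucket is on the bucket ARN, not the object ARN;
              # drop it if the code never lists keys
              - Effect: Allow
                Action: s3:ListBucket
                Resource: !GetAtt DataBucket.Arn

  ReaderFunction:
    Type: AWS::Lambda::Function
    Properties:
      Runtime: python3.12
      Handler: index.handler
      Role: !GetAtt ReaderRole.Arn
      Environment:
        Variables:
          BUCKET: !Ref DataBucket
      Code:
        ZipFile: |
          import os
          import boto3
          s3 = boto3.client("s3")
          def handler(event, context):
              # Reads one object using the role's s3:GetObject grant
              key = event["key"]
              body = s3.get_object(Bucket=os.environ["BUCKET"], Key=key)["Body"].read()
              return {"key": key, "bytes": len(body)}

  # Resource-based side, for contrast: this gives the function NO S3
  # rights. It only lets the S3 service invoke the function (for example
  # from an event notification on DataBucket), scoped to this bucket and
  # account so another account's bucket cannot trigger it.
  AllowS3Invoke:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !Ref ReaderFunction
      Principal: s3.amazonaws.com
      SourceArn: !GetAtt DataBucket.Arn
      SourceAccount: !Ref AWS::AccountId
```

Removing ReaderRole's ReadDataBucket policy makes the function's get_object call fail with AccessDenied even though AllowS3Invoke is still present, which is the distinction the question tests.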

71
MCQhard

A company uses AWS CodeDeploy to deploy a web application to an Auto Scaling group. The deployment fails during the 'Install' lifecycle event. The developer checks the logs and finds that the scripts in the 'appspec.yml' file are not being executed because the instances are not in a healthy state. What could be the reason for the instances being unhealthy?

A.The health check grace period on the Auto Scaling group is too short.
B.The Elastic Load Balancer is not configured to route traffic to the Auto Scaling group.
C.The CodeDeploy agent on the instances is outdated.
D.The IAM instance profile does not have permissions to access the S3 bucket where the artifacts are stored.
AnswerA

Instances may be marked unhealthy before the deployment completes.

Why this answer

Option A is correct because, when the group's health check type is ELB, an instance that fails the target group health check after the grace period expires is terminated and replaced; if the grace period is shorter than boot time plus the Install phase, instances are killed in the middle of the deployment and CodeDeploy reports them as unhealthy. Option D is wrong because missing S3 permissions fails the DownloadBundle event with an access-denied error rather than changing the instance's health. Option B is wrong because a load balancer that is not attached to the group does not mark instances unhealthy; it simply never sends them traffic.

Option C is wrong because an outdated agent might fail lifecycle events, but it does not change the instance's Auto Scaling health status.
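The two settings that questions 65 and 71 turn on, in one template, as an added example that is not part of the question bank: an Auto Scaling group whose HealthCheckGracePeriod is long enough to cover the whole appspec.yml lifecycle, and a CodeDeploy deployment group that uses CodeDeployDefault.OneAtATime with automatic rollback. The launch template (whose AMI is assumed to have the CodeDeploy agent and an instance profile that can read the artifact bucket), subnets and target group are passed in as parameters; all names are assumed.

```yaml
# Added example (not from the question bank). Launch template, subnets and
# target group are assumed to exist already.
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  LaunchTemplateId:
    Type: String
  LaunchTemplateVersion:
    Type: String
  SubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
  TargetGroupArn:
    Type: String
  TargetGroupName:
    Type: String   # CodeDeploy's LoadBalancerInfo takes the name, not the ARN
Resources:
  WebAsg:
    Type: AWS::AutoScaling::AutoScalingGroup
    Properties:
      MinSize: '2'
      MaxSize: '4'
      DesiredCapacity: '2'
      VPCZoneIdentifier: !Ref SubnetIds
      LaunchTemplate:
        LaunchTemplateId: !Ref LaunchTemplateId
        Version: !Ref LaunchTemplateVersion
      TargetGroupARNs:
        - !Ref TargetGroupArn
      HealthCheckType: ELB
      # Seconds a new instance gets before a failing target-group check
      # counts against it. It must cover boot, agent start and the whole
      # appspec.yml lifecycle; if it is shorter, the group terminates
      # instances during Install and CodeDeploy reports them unhealthy.
      HealthCheckGracePeriod: 600

  CodeDeployServiceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: { Service: codedeploy.amazonaws.com }
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSCodeDeployRole

  App:
    Type: AWS::CodeDeploy::Application
    Properties:
      ComputePlatform: Server

  DeploymentGroup:
    Type: AWS::CodeDeploy::DeploymentGroup
    Properties:
      ApplicationName: !Ref App
      ServiceRoleArn: !GetAtt CodeDeployServiceRole.Arn
      AutoScalingGroups:
        - !Ref WebAsg
      # One instance offline at a time; the deployment fails as soon as any
      # instance fails, so a bad revision cannot spread across the fleet.
      DeploymentConfigName: CodeDeployDefault.OneAtATime
      DeploymentStyle:
        DeploymentType: IN_PLACE
        DeploymentOption: WITH_TRAFFIC_CONTROL
      # Deregister the instance from the target group while it is updated so
      # the load balancer never routes to a half-installed host
      LoadBalancerInfo:
        TargetGroupInfoList:
          - Name: !Ref TargetGroupName
      AutoRollbackConfiguration:
        Enabled: true
        Events:
          - DEPLOYMENT_FAILURE
```

If a deployment still shows instances dropping out, compare the timestamps of the Install event in the CodeDeploy deployment log with the Auto Scaling activity history: a termination that lands inside the Install window means HealthCheckGracePeriod is too short.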

72
MCQmedium

A developer is deploying a serverless application using AWS SAM. The application consists of an API Gateway endpoint that triggers an AWS Lambda function. The developer wants to enable canary deployments to gradually shift traffic to a new Lambda version. Which SAM resource attribute should the developer configure?

A.ReservedConcurrentExecutions
B.Timeout
C.AutoPublishAlias and DeploymentPreference
D.ProvisionedConcurrency
AnswerC

These enable canary deployments with traffic shifting.

Why this answer

Option C is correct because AutoPublishAlias makes SAM publish a new function version on every deploy and point an alias at it, and DeploymentPreference hands that alias to CodeDeploy, which shifts traffic gradually (for example Canary10Percent5Minutes) and rolls back if a CloudWatch alarm fires. Option D is wrong because ProvisionedConcurrency pre-warms execution environments. Option A is wrong because ReservedConcurrentExecutions caps concurrency.

Option B is wrong because Timeout is for function execution time.
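A SAM template that wires the two properties together, as an added example that is not part of the question bank: the alias is named live, the CodeUri path and handler are assumed, and the alarm watches the Errors metric on the alias so that CodeDeploy rolls the alias back to the previous version if the canary throws.

```yaml
# Added example (not from the question bank). CodeUri and handler names are assumed.
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Resources:
  ApiFunction:
    Type: AWS::Serverless::Function
    Properties:
      Runtime: python3.12
      Handler: app.handler
      CodeUri: src/
      # Publish a new version on every deploy and point the 'live' alias at
      # it. The API integration targets the alias, which is what lets
      # CodeDeploy split traffic between two versions.
      AutoPublishAlias: live
      DeploymentPreference:
        # 10% of invocations go to the new version immediately; the
        # remaining 90% follow after 5 minutes if no alarm fires
        Type: Canary10Percent5Minutes
        # Any of these alarms entering ALARM aborts the shift and points
        # the alias back at the old version
        Alarms:
          - !Ref AliasErrors
      Events:
        Api:
          Type: Api
          Properties:
            Path: /hello
            Method: get

  # Errors on the alias during the canary window. Evaluating the alias
  # (Resource dimension = function:alias) rather than the bare function
  # means traffic to the old version still counts, which is fine here:
  # any error burst during the shift should stop the rollout.
  AliasErrors:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmDescription: Lambda errors on the live alias during deployment
      Namespace: AWS/Lambda
      MetricName: Errors
      Dimensions:
        - Name: FunctionName
          Value: !Ref ApiFunction
        - Name: Resource
          Value: !Sub '${ApiFunction}:live'
      Statistic: Sum
      Period: 60
      EvaluationPeriods: 1
      Threshold: 0
      ComparisonOperator: GreaterThanThreshold
      # No invocations in a period must not read as a failure
      TreatMissingData: notBreaching
```

After sam deploy, the CodeDeploy console shows a deployment for the generated application with the two versions and the traffic split; DeploymentPreference also accepts Hooks (PreTraffic and PostTraffic Lambda functions) for smoke tests that can fail the deployment before any production traffic reaches the new version.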

73
MCQhard

A company uses AWS OpsWorks for configuration management and deployment of applications on EC2 instances. The company wants to migrate to AWS Systems Manager for automation and patching. Which Systems Manager capability should be used to execute scripts and commands on EC2 instances as part of a deployment?

A.AWS Systems Manager Patch Manager
B.AWS Systems Manager State Manager
C.AWS Systems Manager Automation
D.AWS Systems Manager Run Command
AnswerB

State Manager can run scripts on a schedule or on demand as part of a deployment.

Why this answer

AWS Systems Manager State Manager is the correct capability because it is designed to define and maintain consistent configuration of EC2 instances, including executing scripts and commands as part of a deployment. State Manager uses associations to enforce a desired state, such as running a custom script during instance boot or on a schedule, making it ideal for deployment automation. This aligns with the migration from OpsWorks, which also manages configuration state.

Exam trap

The trap here is that candidates often confuse Run Command (on-demand execution) with State Manager (stateful, scheduled execution), but the question's emphasis on 'as part of a deployment' implies a need for ongoing configuration enforcement, not just a one-time command.

How to eliminate wrong answers

Option A is wrong because AWS Systems Manager Patch Manager is specifically for automating the patching of operating systems and applications, not for executing arbitrary scripts or commands as part of a deployment. Option C is wrong because AWS Systems Manager Automation is used for automating complex, multi-step operational tasks (e.g., AMI creation or instance recovery) and requires an Automation document, not for simple script execution on individual instances. Option D is wrong because AWS Systems Manager Run Command executes scripts or commands on demand, but it does not enforce a persistent desired state or schedule; State Manager is the correct choice for ongoing deployment and configuration management.
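What a State Manager association looks like in practice, as an added example that is not part of the question bank: it targets instances by tag (so new instances matching the tag are picked up without editing the association), re-applies on a schedule, and runs a script through the AWS-managed AWS-RunShellScript document. Because State Manager re-runs the script on every interval, the script is written to be idempotent: it compares the artifact's ETag with the last deployed one and exits early when nothing changed. The artifact bucket, key, tag and service name are assumed, and the instances are assumed to have the SSM agent plus an instance profile with AmazonSSMManagedInstanceCore and read access to the bucket.

```yaml
# Added example (not from the question bank). Bucket, key, tag and the
# myapp systemd unit are assumed.
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  DeployAppAssociation:
    Type: AWS::SSM::Association
    Properties:
      AssociationName: myapp-deploy
      # AWS-managed document; no custom document needed for a shell script
      Name: AWS-RunShellScript
      # Every instance tagged App=myapp, now and in the future
      Targets:
        - Key: tag:App
          Values:
            - myapp
      # Desired state is re-applied on this schedule and when an instance
      # first matches the target; failures show up as non-compliant
      ScheduleExpression: rate(30 minutes)
      ComplianceSeverity: HIGH
      # Roll through the fleet one instance at a time and stop on the first
      # failure, the same blast-radius control OneAtATime gives in CodeDeploy
      MaxConcurrency: '1'
      MaxErrors: '0'
      Parameters:
        executionTimeout:
          - '600'
        commands:
          - |
            set -euo pipefail
            BUCKET=myapp-artifacts            # assumed artifact bucket
            KEY=releases/current.tar.gz       # assumed artifact key
            NEW=$(aws s3api head-object --bucket "$BUCKET" --key "$KEY" \
                    --query ETag --output text)
            # Idempotent: do nothing when the deployed build is already current
            if [ -f /opt/myapp/.etag ] && [ "$(cat /opt/myapp/.etag)" = "$NEW" ]; then
              echo "myapp already at $NEW"
              exit 0
            fi
            aws s3 cp "s3://$BUCKET/$KEY" /tmp/app.tar.gz
            mkdir -p /opt/myapp
            tar -xzf /tmp/app.tar.gz -C /opt/myapp
            echo "$NEW" > /opt/myapp/.etag
            systemctl restart myapp
            # Fail the association (and stop the rollout) if the service
            # did not come back up
            systemctl is-active --quiet myapp
```

Use aws ssm list-association-executions --association-id to see per-run status; a one-off run with the same document and tag target, but no ScheduleExpression, is what Run Command provides and is the distinction the question draws.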

74
MCQmedium

The exhibit shows the output of the describe-stack-events command for a CloudFormation stack that failed to create. What is the most likely cause of the failure?

A.The Lambda function handler 'index.handler' does not exist in the deployment package.
B.The S3 bucket 'my-bucket' does not contain the object 'my-function.zip'.
C.The Lambda function code exceeds the maximum allowed size.
D.The IAM role associated with the Lambda function lacks necessary permissions.
AnswerA

A common cause of CREATE_FAILED for Lambda is an incorrect handler.

Why this answer

Option A is correct because the stack event shows CREATE_FAILED for the Lambda function resource, and a handler that does not exist in the deployment package is a common cause of that failure. Option B is wrong because the S3 bucket and key are provided in the template. Option C is wrong because a package over the size limit is reported as a size error on the function resource.

Option D is wrong because nothing in the events indicates a permissions problem.

75
MCQmedium

A company uses AWS CloudFormation to manage infrastructure. The development team wants to make a change to a stack that involves replacing a critical resource. The team wants to minimize downtime and ensure that the replacement is successful before removing the old resource. Which CloudFormation feature should the team use?

A.Use AWS CodeDeploy blue/green deployment.
B.Use a change set to review the changes before executing.
C.Use a CreationPolicy on the resource to ensure it is fully created before the old one is deleted.
D.Use nested stacks to isolate the resource.
AnswerC

A CreationPolicy makes CloudFormation wait for a success signal from the new resource before it counts as created; a replacement update deletes the old resource only after that.

Why this answer

Option C is correct. When a property change forces replacement, CloudFormation creates the new resource first and deletes the old one only during the cleanup phase after the update succeeds. A CreationPolicy with a ResourceSignal adds the guarantee the team wants: the new resource is not marked CREATE_COMPLETE until it sends cfn-signal (or the timeout expires), so a replacement that never becomes healthy fails the update, the stack rolls back, and the old resource stays in service. DeletionPolicy: Retain is a different control; it only stops the old resource from being deleted and does not order anything. Option B is wrong because a change set previews which resources will be replaced but does not control the order of creation and deletion.

Option A is wrong because CodeDeploy blue/green is not a CloudFormation feature. Option D is wrong because nested stacks do not control replacement order.
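The mechanism in a minimal template, as an added example that is not part of the question bank: an EC2 instance whose CreationPolicy requires one signal within ten minutes, with UserData that installs a web server, checks that it actually answers, and reports that result through cfn-signal. Changing the AmiId parameter forces replacement, so an update creates the new instance, waits for its signal, and only then deletes the old one; if the check fails, the signal carries a non-zero exit code, the update rolls back and the old instance is kept. An Amazon Linux 2023 AMI and a subnet with outbound internet access are assumed; cfn-signal needs no IAM permissions when called with --stack and --resource because CloudFormation limits the call to the instance's own stack.

```yaml
# Added example (not from the question bank). Assumes an Amazon Linux 2023
# AMI (dnf, aws-cfn-bootstrap package available) and a subnet with egress.
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  AmiId:
    Type: AWS::EC2::Image::Id   # changing this forces replacement of WebServer
  SubnetId:
    Type: AWS::EC2::Subnet::Id
Resources:
  WebServer:
    Type: AWS::EC2::Instance
    # The resource is not CREATE_COMPLETE until one success signal arrives.
    # On a replacement update CloudFormation builds the new instance, waits
    # here, and deletes the old instance only after the update succeeds; a
    # failure signal or a timeout rolls the update back with the old
    # instance untouched.
    CreationPolicy:
      ResourceSignal:
        Count: 1
        Timeout: PT10M
    Properties:
      ImageId: !Ref AmiId
      InstanceType: t3.micro
      SubnetId: !Ref SubnetId
      UserData:
        Fn::Base64: !Sub |
          #!/bin/bash -x
          dnf install -y nginx aws-cfn-bootstrap
          systemctl enable --now nginx
          # Signal success only if the server actually answers; curl's
          # exit status becomes the signal status
          curl -fsS http://127.0.0.1/ > /dev/null
          /opt/aws/bin/cfn-signal -e $? \
            --stack ${AWS::StackName} \
            --resource WebServer \
            --region ${AWS::Region}
Outputs:
  InstanceId:
    Value: !Ref WebServer
```

To see the ordering, run aws cloudformation update-stack with a different AmiId and watch describe-stack-events: the new WebServer goes CREATE_IN_PROGRESS, stays there until the signal, and the old instance's DELETE_IN_PROGRESS appears only in the UPDATE_COMPLETE_CLEANUP_IN_PROGRESS phase.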
