CCNA DVA Deployment Questions

75 of 378 questions · Page 2/6 · DVA Deployment topic · Answers revealed

76
MCQ · hard

A developer is deploying a microservices application on Amazon ECS using Fargate. The developer wants to implement a blue/green deployment strategy using AWS CodeDeploy. The current production environment uses an Application Load Balancer (ALB). What is the minimum configuration required to enable blue/green deployments?

A. An ALB with two target groups, one for blue and one for green.
B. An ALB with a single target group and an Amazon CloudFront distribution.
C. An ECS service discovery namespace.
D. A Network Load Balancer (NLB) with a single target group.
Answer: A

CodeDeploy uses two target groups to shift traffic between blue and green environments.

Why this answer

Option A is correct because CodeDeploy blue/green requires an ALB and a target group for each environment. Option B is wrong because CloudFront is not required. Option C is wrong because ECS service discovery is not necessary. Option D is wrong because NLB also works but requires additional configuration.

77
Multi-Select · hard

Which THREE are valid deployment strategies in AWS CodeDeploy? (Choose three.)

Select 3 answers
A. AllAtOnce
B. Rolling
C. Immutable
D. Canary
E. Blue/Green
Answers: A, B, E

Deploys to all instances simultaneously.

Why this answer

Options A, B, and E are correct. CodeDeploy supports AllAtOnce, Rolling, and Blue/Green. Option C is wrong because Immutable is an Elastic Beanstalk strategy, not CodeDeploy. Option D is wrong because Canary is not a CodeDeploy strategy.

78
MCQ · hard

A company uses AWS CodePipeline with CodeBuild and CodeDeploy. The pipeline deploys a web application to an Auto Scaling group. Recently, a deployment failed because the build output exceeded the CodeDeploy deployment limit for the number of files. The developer needs to prevent this issue in the future. What should the developer do?

A. Use AWS CodeStar to manage the pipeline.
B. Increase the instance size in the Auto Scaling group to handle more files.
C. Store the build output in an S3 bucket and modify the CodeDeploy deployment to pull the archive from S3.
D. Modify the buildspec.yml to compress the build output.
Answer: C

Using S3 reduces the number of files in the deployment package to one.

Why this answer

Option C is correct because CodeDeploy has a hard limit on the number of files in a deployment archive (currently 10,000 files for in-place deployments). By storing the build output in an S3 bucket and configuring CodeDeploy to pull the archive from S3, the developer bypasses the file count limit entirely. S3 has no such file count restriction, and CodeDeploy can retrieve the archive directly, allowing deployments with a large number of files to succeed.

Exam trap

The trap here is that candidates often confuse the file count limit with archive size limits or instance resource constraints, leading them to choose compression or instance scaling instead of addressing the actual CodeDeploy limitation.

How to eliminate wrong answers

Option A is wrong because AWS CodeStar is a project management and orchestration service that does not change the underlying CodeDeploy file count limit; it simply provides a unified interface for CI/CD pipelines. Option B is wrong because increasing the instance size in the Auto Scaling group does not affect the CodeDeploy deployment limit on the number of files; the limit is imposed by CodeDeploy itself, not by instance resources. Option D is wrong because compressing the build output in buildspec.yml does not reduce the number of files; it only reduces the archive size, and CodeDeploy still counts the individual files within the archive against its limit.

79
MCQ · medium

A company uses AWS CodeCommit for source control and AWS CodeBuild for building a Java application. They have a CodePipeline that deploys the built artifacts to an Auto Scaling group using CodeDeploy. Recently, the build stage started failing with the error: 'BUILD FAILED: Could not resolve dependencies for project'. The developer checks the buildspec.yml and sees that it uses Maven to download dependencies from a private repository. The developer also notices that the build environment is a managed Docker image. What is the most likely cause?

A. The CodeBuild project does not have the necessary IAM permissions to access the private Maven repository.
B. The build environment does not have network access to the private Maven repository because it is not configured with a VPC.
C. The buildspec.yml has a syntax error in the 'phases' section.
D. The Java compiler version is incompatible with the project.
Answer: B

Managed images in CodeBuild have internet access, but private repos may require VPC.

Why this answer

Option B is correct because a managed Docker image may not have network access to a private repository if it's not configured with a VPC or NAT gateway. Option A is wrong because CodeBuild supports private repositories with proper network configuration. Option C is wrong because the buildspec is correct.

Option D is wrong because the error is about dependency resolution, not compilation.

80
MCQ · medium

Refer to the exhibit. An IAM policy is attached to an IAM role used by an EC2 instance in a CodeDeploy deployment group. The deployment fails with 'Access Denied' when the CodeDeploy agent tries to register the application revision. What is the most likely cause?

A. The resource is set to '*' which is not allowed for CodeDeploy actions.
B. The role is not associated with the CodeDeploy service.
C. The policy does not include the 'codedeploy:PutApplicationRevision' action.
D. The policy is missing an explicit deny for other actions.
Answer: C

RegisterApplicationRevision is not a valid action.

Why this answer

Option C is correct because the policy is missing 'codedeploy:PutApplicationRevision' permission. The 'RegisterApplicationRevision' action is not a valid CodeDeploy API call; the correct action is 'PutApplicationRevision'. Option A is wrong because the policy uses '*' resource. Option B is wrong because the instance profile role is for EC2, not CodeDeploy. Option D is wrong because the actions are allowed, not denied.

81
MCQ · easy

A developer is deploying a serverless application using AWS SAM. The developer wants to define a Lambda function that is invoked by an Amazon API Gateway REST API. Which SAM resource type should the developer use to define the API?

A. AWS::Serverless::SimpleTable
B. AWS::Serverless::Api
C. AWS::ApiGateway::RestApi
D. AWS::Serverless::Function
Answer: B

This defines an API Gateway REST API.

Why this answer

Option B is correct because AWS::Serverless::Api defines an API Gateway REST API in SAM. Option A is wrong because AWS::Serverless::SimpleTable defines a DynamoDB table. Option C is wrong because AWS::ApiGateway::RestApi is a raw CloudFormation resource, not a SAM shorthand. Option D is wrong because AWS::Serverless::Function defines a Lambda function.

82
MCQ · hard

A large enterprise is deploying a critical application across multiple AWS regions using AWS CodePipeline and AWS CodeDeploy. The application runs on EC2 instances in an Auto Scaling group. The deployment uses a blue/green strategy. During a cross-region deployment, the pipeline fails in the secondary region with the error 'The deployment group does not exist.' The developer confirms that the deployment group exists in the primary region and has been replicated via AWS CloudFormation StackSets. The developer also checks that the StackSet is successfully deployed in the secondary region. What is the most likely cause?

A. The CodePipeline in the secondary region references the deployment group ARN from the primary region instead of the secondary region.
B. The deployment group name is case-sensitive and differs between regions.
C. The CodePipeline in the secondary region is not configured with the correct source stage.
D. The IAM role for CodeDeploy in the secondary region does not have cross-region permissions.
Answer: A

Pipeline must reference local resources.

Why this answer

Option A is correct because CodePipeline is region-specific and the pipeline in the secondary region must be configured to use the deployment group in that same region. The StackSet may have created the resources, but the pipeline definition still points to the primary region. Option B is wrong because the deployment group does exist. Option C is wrong because the pipeline exists. Option D is wrong because permissions are global.

83
MCQ · medium

A developer is using AWS Elastic Beanstalk to deploy a web application. The developer wants to run database migration scripts as part of the deployment process before the new application version starts serving traffic. Which Elastic Beanstalk configuration file should the developer use to define the migration commands?

A. .ebextensions/<filename>.config with container_commands
B. .ebextensions/<filename>.config with commands
C. Procfile
D. buildspec.yml
Answer: A

container_commands are executed after the application and web server are ready but before the new version starts serving traffic. This makes them suitable for database migrations.

Why this answer

Option A is correct because `container_commands` in `.ebextensions/<filename>.config` runs commands after the application and web server have been set up but before the new application version starts serving traffic. This makes it the ideal place to execute database migration scripts that must complete before the environment accepts requests, ensuring data consistency.

Exam trap

The trap here is confusing `commands` with `container_commands`; candidates often pick `commands` because they sound similar, but they run at different lifecycle stages, and only `container_commands` guarantees execution after the application stack is ready but before traffic is routed.

How to eliminate wrong answers

Option B is wrong because `commands` in `.ebextensions/<filename>.config` runs before the application and web server are set up, so the database migration scripts would execute too early, potentially before the application dependencies or environment variables are ready. Option C is wrong because a `Procfile` is used to specify the processes that run your application (e.g., web server, worker), not to define deployment lifecycle commands like database migrations. Option D is wrong because `buildspec.yml` is a configuration file for AWS CodeBuild, not for Elastic Beanstalk; it defines build phases and commands for a CI/CD pipeline, not deployment hooks within Elastic Beanstalk.

84
Multi-Select · hard

A company uses AWS CloudFormation to manage infrastructure. The development team wants to implement a CI/CD pipeline that automatically updates a CloudFormation stack when code is pushed to a CodeCommit repository. The pipeline should also run tests before deploying. Which THREE services should be used together to achieve this? (Choose THREE.)

Select 3 answers
A. AWS CodeBuild
B. Amazon CloudWatch Events
C. AWS CodeDeploy
D. AWS CodePipeline
E. AWS CodeCommit
Answers: A, D, E

CodeBuild runs tests and builds the project.

Why this answer

AWS CodeBuild is correct because it can compile source code, run tests, and produce artifacts that are ready for deployment. In this CI/CD pipeline, CodeBuild executes the test suite after code is pushed to CodeCommit, ensuring that only validated code proceeds to update the CloudFormation stack.

Exam trap

The trap here is that candidates may confuse AWS CodeDeploy with CloudFormation stack updates, but CodeDeploy handles application-level deployments (e.g., code to instances) while CloudFormation manages infrastructure provisioning and updates, so CodeDeploy is not used for stack updates in this context.

85
MCQ · medium

A company is using AWS CloudFormation to manage infrastructure. The developer wants to update a stack that includes an RDS database. The update requires replacing the database with a new one. Which stack update policy should the developer use to minimize downtime?

A. Use a 'Rolling update' update policy.
B. Use a 'Replacement with snapshot' update policy.
C. Use a 'Delete and recreate' update policy.
D. Use an 'Update with snapshot' update policy.
Answer: B

This creates a snapshot before replacing, allowing data preservation.

Why this answer

Option B is correct because 'Replacement with snapshot' creates a new DB instance from a snapshot of the old one, minimizing data loss and downtime. Option A is wrong because 'Rolling update' is not applicable to RDS. Option C is wrong because 'Delete and recreate' would cause data loss. Option D is wrong because 'Update with snapshot' does not exist.

86
MCQ · easy

A developer is using AWS CloudFormation to create a stack. They want to update the stack but need to ensure that if the update fails, the stack is automatically rolled back to the previous state. Which stack option should they configure?

A. Configure SNS notification topics for the stack.
B. Set the 'Rollback on failure' option to 'Yes'.
C. Set the 'Disable rollback' option to 'No'.
D. Define a stack policy that protects critical resources.
Answer: B

This is the default behavior but can be explicitly set.

Why this answer

Option B is correct because the 'Rollback on failure' option, when set to 'Yes', instructs AWS CloudFormation to automatically revert the stack to its previous working state if the stack update fails. This ensures that any changes that cause errors are undone, maintaining stack stability without manual intervention.

Exam trap

The trap here is that candidates confuse 'Disable rollback' with 'Rollback on failure' or think that SNS notifications or stack policies can control rollback behavior, but only the 'Rollback on failure' option directly enables automatic rollback on update failures.

How to eliminate wrong answers

Option A is wrong because configuring SNS notification topics only sends alerts about stack events (e.g., update success or failure) but does not trigger or control automatic rollback behavior. Option C is wrong because setting 'Disable rollback' to 'No' is not a valid configuration; the actual parameter is 'Disable rollback' which, when set to 'True', prevents rollback, and setting it to 'False' is the default that allows rollback, but the question asks for explicitly configuring rollback, which is done via 'Rollback on failure'. Option D is wrong because a stack policy defines which stack resources can be updated or replaced during an update, but it does not control rollback behavior on failure.

87
Multi-Select · medium

A company is implementing a CI/CD pipeline using AWS CodeCommit, CodeBuild, and CodeDeploy. The developer wants to ensure that the pipeline automatically deploys to production only after a manual approval step. Which TWO actions should the developer take?

Select 2 answers
A. Create a CloudWatch Events rule to trigger a Lambda function that waits for approval.
B. Add a manual approval action in the CodePipeline pipeline.
C. Configure the approval action to require a specified IAM user or group to approve.
D. Use a CodeDeploy lifecycle hook to pause the deployment.
E. Configure an SNS topic to send an email to the approver.
Answers: B, C

CodePipeline supports manual approval actions that pause the pipeline.

Why this answer

Options B and C are correct. Adding an approval action in CodePipeline pauses the pipeline until manual approval. CodePipeline natively supports manual approval actions. Option A is wrong because CloudWatch Events can trigger pipelines but not provide manual approval. Option D is wrong because CodeDeploy does not have a built-in manual approval step; it can use lifecycle hooks but not manual approval. Option E is wrong because SNS is used for notifications, not approval.

88
Multi-Select · medium

A developer is using AWS CodePipeline to deploy a web application. The pipeline has a source stage from Amazon S3, a build stage using AWS CodeBuild, and a deploy stage using AWS CodeDeploy. The developer notices that the deploy stage fails intermittently due to EC2 instances not being available. Which TWO actions should the developer take to improve the reliability of the deployment? (Choose two.)

Select 2 answers
A. Increase the number of EC2 instances in the Auto Scaling group to ensure availability.
B. Configure the CodeDeploy deployment group to have a minimum healthy hosts threshold.
C. Reduce the deployment timeout to fail faster.
D. Use a different deployment type, such as blue/green, instead of in-place.
E. Add a manual approval step in the pipeline before the deploy stage to verify instance health.
Answers: B, E

This ensures that deployments proceed only when enough healthy hosts are available.

Why this answer

Option B is correct because configuring a minimum healthy hosts threshold in the CodeDeploy deployment group ensures that a certain percentage or number of EC2 instances remain healthy during the deployment. This prevents the deployment from proceeding if too many instances are unavailable, reducing the risk of failure due to insufficient capacity. Option E is correct because adding a manual approval step before the deploy stage allows the developer to verify instance health (e.g., via AWS Systems Manager or custom scripts) before triggering the deployment, catching availability issues early.

Exam trap

The trap here is that candidates often confuse increasing instance count (Option A) with improving deployment reliability, but the question specifically targets intermittent unavailability during the deploy stage, which is better addressed by health checks and approval gates rather than raw capacity.

89
Multi-Select · easy

A developer wants to deploy a static website to AWS. The website content is stored in an S3 bucket. Which combination of actions is required to host the website? (Choose TWO.)

Select 2 answers
A. Enable server access logging.
B. Enable static website hosting on the S3 bucket.
C. Set a bucket policy that restricts access to a specific IP.
D. Configure Amazon CloudFront as a CDN.
E. Set the bucket objects to publicly readable.
Answers: B, E

Required for S3 website hosting.

Why this answer

Options B and E are correct because enabling static website hosting and making objects publicly readable are required. Option A is wrong because logging is optional. Option C is wrong because bucket policy is not required if ACLs are used. Option D is wrong because CloudFront is optional.

90
Multi-Select · medium

A developer is designing a CI/CD pipeline for a serverless application using AWS CodePipeline. The pipeline must automatically build and deploy the application when changes are pushed to a CodeCommit repository. The application uses AWS CloudFormation for infrastructure provisioning. Which TWO actions should the developer include in the pipeline?

Select 2 answers
A. Use AWS CodeDeploy to deploy the application to EC2 instances.
B. Use AWS CodeCommit as a deployment action.
C. Use AWS CodeBuild to run unit tests and package the application.
D. Use AWS Lambda to run integration tests.
E. Use AWS CloudFormation to create or update the stack.
Answers: C, E

CodeBuild is ideal for build and test.

Why this answer

Options C and E are correct because CodeBuild can run unit tests, and CloudFormation can deploy and update stacks. Option A is wrong because CodeDeploy is not used for CloudFormation deployments. Option B is wrong because CodeCommit is the source, not an action in the pipeline. Option D is wrong because Lambda can be invoked but is not the primary deployment mechanism.

91
Multi-Select · easy

A developer is setting up a CI/CD pipeline for a Python application using AWS CodeCommit, CodeBuild, and CodeDeploy. The developer wants to trigger the pipeline automatically when code is pushed to the master branch. Which TWO actions are required? (Choose two.)

Select 2 answers
A. Configure CodeDeploy to run after the build stage.
B. Set the source stage in the pipeline to use AWS CodeCommit as the source provider.
C. Create a CloudWatch Events rule to trigger the pipeline on a schedule.
D. Configure a webhook in CodeCommit to trigger the pipeline.
E. Enable AWS CloudTrail to log API calls.
Answers: B, D

The source stage must be configured to pull from CodeCommit.

Why this answer

Options B and D are correct because a webhook (or event) from CodeCommit triggers the pipeline, and the source stage must use CodeCommit as the provider. Option A is wrong because CodeDeploy does not trigger the pipeline. Option C is wrong because a schedule is not needed. Option E is wrong because AWS CloudTrail is not required for pipeline triggers.

92
MCQ · hard

A company uses AWS CodePipeline to deploy a critical web application. The pipeline has a source stage (CodeCommit), a build stage (CodeBuild), and a deploy stage (CodeDeploy). During a recent deployment, the CodeDeploy stage failed because the target EC2 instances were not in a healthy state. The developer needs to ensure that the pipeline automatically rolls back the deployment to the last successful version if the deployment fails. What should the developer do?

A. In the CodeDeploy deployment group, enable automatic rollback when a deployment fails.
B. Use AWS CloudFormation to manage the deployment and enable rollback on failure.
C. Configure a CloudWatch alarm to trigger a rollback in CodePipeline.
D. Modify the CodePipeline stage to include a manual approval step that checks health before proceeding.
Answer: A

CodeDeploy supports automatic rollback on failure, which will revert to the last successful deployment.

Why this answer

Option A is correct because CodeDeploy deployment groups have a built-in automatic rollback configuration that can be enabled to revert to the last successful deployment revision when a deployment fails. This feature directly addresses the requirement without requiring additional services or manual steps, as it operates within the CodeDeploy service itself.

Exam trap

The trap here is that candidates may confuse CodePipeline's built-in rollback capabilities with CodeDeploy's automatic rollback, or incorrectly assume that CloudWatch alarms or manual approvals can directly perform rollbacks without custom logic.

How to eliminate wrong answers

Option B is wrong because AWS CloudFormation is an infrastructure-as-code service for managing resources, not a deployment service for CodePipeline; enabling rollback on failure in CloudFormation would roll back the stack, not the CodeDeploy deployment. Option C is wrong because CloudWatch alarms can trigger actions like SNS notifications or Auto Scaling, but they cannot directly trigger a rollback in CodePipeline or CodeDeploy without custom Lambda functions or additional configuration. Option D is wrong because a manual approval step only pauses the pipeline for human review before proceeding; it does not automatically roll back a failed deployment to the last successful version.

93
MCQ · hard

A developer is using AWS CloudFormation to deploy a stack that includes an Amazon RDS DB instance. The developer wants to update the stack to change the DB instance class. The update fails because CloudFormation cannot modify the DB instance class without replacement. The developer needs to complete the update with minimal downtime. What should the developer do?

A. Delete the stack and create a new stack with the new DB instance class.
B. Use a custom resource with an AWS Lambda function to perform the modification, ensuring data is backed up and downtime is minimized.
C. Update the stack and disable rollback on failure.
D. Update the stack using a change set, then execute it.
Answer: B

A custom resource can orchestrate the change with minimal downtime, e.g., by creating a read replica and promoting it.

Why this answer

Option B is correct because a custom resource backed by an AWS Lambda function allows you to perform the RDS DB instance class modification outside of CloudFormation's direct lifecycle, enabling you to use the 'ApplyImmediately' parameter to minimize downtime. CloudFormation's native update for RDS DB instance class requires replacement (i.e., a new physical resource), which causes downtime; a custom resource can orchestrate a 'modify-db-instance' API call with '--apply-immediately' to change the class in-place with only a brief reboot.

Exam trap

The trap here is that candidates assume a change set (Option D) can bypass CloudFormation's replacement requirement, but change sets only preview and execute the same update logic—they do not change the underlying resource behavior.

How to eliminate wrong answers

Option A is wrong because deleting and recreating the stack would cause full downtime (the DB instance is destroyed and re-provisioned), which is not minimal. Option C is wrong because disabling rollback on failure does not resolve the underlying issue—CloudFormation still cannot modify the DB instance class without replacement, so the update will still fail and leave the stack in a failed state. Option D is wrong because a change set only previews changes and executes them; it does not alter CloudFormation's inability to perform an in-place modification of the DB instance class—the update would still fail with the same 'requires replacement' error.

94
MCQ · easy

A company is using AWS CodeBuild to compile a Java application. The build takes a long time because Maven dependencies are downloaded each time. How can the developer reduce build time?

A. Use a higher compute type for the build project.
B. Use a custom AMI with pre-installed dependencies.
C. Increase the timeout value for the build.
D. Configure a cache in Amazon S3 for the Maven repository.
Answer: D

Caching dependencies avoids re-downloading them.

Why this answer

Option D is correct because storing the Maven repository in Amazon S3 and caching it across builds avoids re-downloading dependencies. Option A is incorrect because increasing compute resources may help but not as much as caching; using a larger instance type might help but is not the direct solution. Option B is incorrect because installing dependencies in a custom AMI would require managing images.

95
MCQ · medium

A developer is using AWS CodeDeploy to deploy an application to an EC2 Auto Scaling group. The developer wants to monitor the deployment and automatically roll back if a specified Amazon CloudWatch alarm is triggered during the deployment. Which CodeDeploy feature should the developer configure?

A. Deployment group alarm configuration
B. Deployment configuration with alarm
C. Revision rollback
D. EC2 instance health check
Answer: A

Correct. You add a CloudWatch alarm to the deployment group, and set the rollback behavior to trigger when the alarm enters the ALARM state.

Why this answer

The Deployment group alarm configuration in AWS CodeDeploy allows you to specify Amazon CloudWatch alarms that, when triggered during a deployment, automatically initiate a rollback. This feature is configured at the deployment group level and ensures that if a predefined alarm (e.g., high error rate or latency) enters the ALARM state, CodeDeploy stops the deployment and reverts to the last known good revision. This provides automated, policy-driven rollback without manual intervention.

Exam trap

The trap here is that candidates confuse the deployment group alarm configuration (which monitors CloudWatch alarms during deployment) with a deployment configuration (which controls traffic shifting and failure thresholds), leading them to select Option B instead of A.

How to eliminate wrong answers

Option B is wrong because 'Deployment configuration with alarm' is not a valid CodeDeploy feature; CodeDeploy deployment configurations define traffic routing and failure thresholds, not alarm-based rollback triggers. Option C is wrong because 'Revision rollback' is a manual or automated action that can be initiated by the deployment group alarm configuration, but it is not a feature you configure to monitor alarms—it is the outcome of the alarm trigger. Option D is wrong because 'EC2 instance health check' refers to the health checks performed by Auto Scaling or Elastic Load Balancing to determine instance health, not to CloudWatch alarm-based rollback logic in CodeDeploy.

96
MCQ · medium

A company uses AWS CodeDeploy to deploy an application to an Auto Scaling group. The deployment fails with the error 'The overall deployment failed because too many individual instances failed deployment, too few healthy instances are available for deployment, or some instances in your deployment group are experiencing problems.' Which of the following is the MOST likely cause?

A. The new application version fails the configured health checks on the instances.
B. The deployment group does not exist.
C. The IAM role for CodeDeploy does not have sufficient permissions.
D. The CodeDeploy agent is not installed on the instances.
Answer: A

Health check failures cause the deployment to roll back.

Why this answer

The error message indicates that instances failed deployment, which is most commonly caused by the new application version failing the health checks configured in the deployment group. CodeDeploy uses these health checks (e.g., ELB health checks or custom scripts) to determine if an instance is healthy after deployment; if the application crashes or returns non-200 status codes, CodeDeploy marks the instance as failed and aborts the deployment.

Exam trap

The trap here is that candidates often confuse deployment failures caused by health check failures with infrastructure issues like missing IAM roles or agents, but the specific error message about 'too many individual instances failed deployment' directly points to application-level health check failures, not permission or agent problems.

How to eliminate wrong answers

Option B is wrong because if the deployment group did not exist, CodeDeploy would return a 'DeploymentGroupDoesNotExistException' error, not a generic instance failure error. Option C is wrong because insufficient IAM permissions would cause a different error, such as 'AccessDeniedException' when CodeDeploy tries to call EC2 or Auto Scaling APIs, not a per-instance deployment failure. Option D is wrong because if the CodeDeploy agent is not installed, the instance would show as 'Unknown' or 'Not Registered' in the deployment group, and the error would be about missing agent, not about too many instances failing health checks.

97
MCQ · medium

A CloudFormation template defines a Lambda function and a version resource. After updating the function code in the S3 bucket, the developer updates the stack. The Lambda function is updated, but the version resource remains unchanged. What is the most likely reason?

A. The template should use AutoPublishAlias to create versions.
B. The function code changed, but CloudFormation does not detect the change because the S3 key is the same.
C. The version resource is created before the function update completes.
D. The version resource has a DependsOn clause that prevents it from updating.
Answer: B

CloudFormation compares the S3 key, not the content; if the key is unchanged, it may not trigger an update.

Why this answer

Option B is correct. The Lambda version resource depends on the function's code. If the function's properties (except the code) do not change, CloudFormation does not update the function resource, and thus the version is not updated. Option A is incorrect; the template does not use AutoPublishAlias. Option C is incorrect; the version is created after the function update. Option D is incorrect; the version resource does not use DependsOn, but its FunctionName reference triggers an update if the function is updated.

98
MCQ · easy

A developer is using AWS CodeCommit as a source repository. They want to automatically build and test code whenever a new branch is created. Which AWS service should they use to trigger the pipeline?

A. Amazon CloudWatch Events
B. Amazon S3 event notification
C. Amazon Simple Notification Service (SNS)
D. AWS Lambda
Answer: A

CloudWatch Events can capture CodeCommit repository events.

Why this answer

Option B is correct because CloudWatch Events (now Amazon EventBridge) can detect CodeCommit events like branch creation and trigger a pipeline. Option A is incorrect because S3 events are for object-level operations. Option C is incorrect because SNS is a notification service.

Option D is incorrect because Lambda can be triggered but the question asks for the service that triggers the pipeline directly.

99
MCQ · easy

A developer is deploying a web application using AWS Elastic Beanstalk. The application runs on multiple Amazon EC2 instances behind an Application Load Balancer. The developer wants to deploy a new version with zero downtime and the ability to quickly roll back if issues are discovered. Which deployment policy should the developer choose?

A. All at once
B. Rolling
C. Rolling with additional batch
D. Immutable
Answer: D

Correct. Immutable deployment creates a completely new environment, swaps the load balancer target group, and provides zero downtime with easy rollback by terminating the new environment.

Why this answer

Immutable deployment is the correct choice because it launches a completely new set of EC2 instances in a new Auto Scaling group with the updated application version, then swaps the load balancer target group to point to the new instances. This ensures zero downtime during deployment and provides an instant rollback by simply reverting the target group to the old instances if issues are detected.

Exam trap

The trap here is that candidates often confuse 'Rolling with additional batch' with zero-downtime because it adds capacity, but it still terminates old instances before new ones are fully healthy, causing brief downtime, whereas immutable deployment guarantees zero downtime by keeping the old environment fully intact until the swap is complete.

How to eliminate wrong answers

Option A is wrong because 'All at once' deploys the new version to all instances simultaneously, causing downtime during the deployment and no ability to roll back without redeploying the old version. Option B is wrong because 'Rolling' updates instances in batches, which reduces but does not eliminate downtime (the old instances are terminated before new ones are fully in service) and rollback requires a reverse rolling update. Option C is wrong because 'Rolling with additional batch' adds a temporary batch of instances to maintain capacity during the update, but still terminates old instances before new ones are fully healthy, risking brief downtime and making rollback slower than immutable.

100
MCQ · easy

A company is using AWS CodeBuild to compile and test code before deploying to Amazon S3. The build process must be triggered automatically whenever a developer pushes code to the 'main' branch of an AWS CodeCommit repository. Which resource should be used to trigger the build?

A. Use AWS CodePipeline with a source stage that connects to the CodeCommit repository and a build stage that invokes the CodeBuild project.
B. Set up an AWS CodeDeploy trigger to start the build when a deployment is created.
C. Configure an Amazon S3 event notification to invoke the CodeBuild project when a new object is created.
D. Create an Amazon CloudWatch Events rule that triggers the CodeBuild project when a repository event occurs.
Answer: A

CodePipeline automatically starts the build when changes are pushed to the repository.

Why this answer

Option B is correct because CodePipeline can be used to automatically start a build in CodeBuild when a code change is pushed to CodeCommit. Option A is wrong because CloudWatch Events can trigger builds, but it requires setting up a rule; CodePipeline is the recommended service for CI/CD. Option C is wrong because S3 events are used for S3 buckets, not CodeCommit.

Option D is wrong because CodeDeploy is for deployment, not for triggering builds.

101
MCQ · medium

A company uses AWS CloudFormation to deploy infrastructure. The developer has created a stack that includes an Amazon RDS DB instance. The stack creation fails with a rollback, and the error message indicates that the DB instance could not be created because the DB instance identifier already exists. The developer has verified that there is no existing DB instance with that identifier in the account. The stack uses a custom resource to generate the DB instance identifier. The custom resource is a Lambda function that returns a unique identifier. The developer suspects that the custom resource is returning a stale value. What is the MOST likely cause of this issue?

A. The custom resource Lambda function has not been updated with the new code; the stack is using a previous version of the function.
B. The stack is using the same stack name, and CloudFormation is reusing the previous custom resource output.
C. The custom resource Lambda function is returning the same value because it uses a random number generator without a seed.
D. The custom resource Lambda function is not being invoked during stack creation because the service token is incorrect.
Answer: A

If the Lambda function code is changed but the stack uses the old version, it will return the same identifier.

Why this answer

Option D is correct because custom resources in CloudFormation can return data that is cached if the Lambda function is not updated correctly. The developer may have updated the Lambda function code but the stack is still using the old function version. Option A is incorrect because the custom resource is invoked each time the stack is created; it should generate a new value.

Option B is incorrect because if the custom resource is not invoked, the stack would fail with a different error (missing property). Option C is incorrect because the DB instance identifier is generated by the custom resource, not by the stack name.

102
MCQ · medium

A developer is using AWS CodeBuild to build a Java application. The build fails with the error 'BUILD_CONTAINER_UNABLE_TO_PULL_IMAGE'. What is the most likely cause?

A. The build environment does not have enough memory.
B. The Docker image specified in the build environment does not exist or the repository is not accessible.
C. The build command has a syntax error.
D. The buildspec.yml file does not define artifacts.
Answer: B

This error indicates the image could not be pulled.

Why this answer

The error 'BUILD_CONTAINER_UNABLE_TO_PULL_IMAGE' in AWS CodeBuild indicates that the service cannot pull the specified Docker image from the repository. This occurs when the image name/tag is incorrect, the image does not exist in the specified registry (e.g., Amazon ECR or Docker Hub), or the CodeBuild service role lacks the necessary permissions (e.g., ecr:GetDownloadUrlForLayer, ecr:BatchGetImage) to access the repository. Option B correctly identifies this as the most likely cause.

Exam trap

The trap here is that candidates often confuse build-phase errors (like syntax errors in commands) with environment setup errors (like image pull failures), leading them to select options related to build commands or artifacts instead of recognizing the error message's specific reference to container image retrieval.

How to eliminate wrong answers

Option A is wrong because insufficient memory would cause a different error, such as 'BUILD_CONTAINER_MEMORY_LIMIT_EXCEEDED' or a container OOM kill, not an image pull failure. Option C is wrong because a syntax error in the build command would result in a build phase failure (e.g., 'Error: command not found' or a non-zero exit code), not a container image pull error. Option D is wrong because the absence of artifacts in buildspec.yml would cause a build success but no output, or a warning, not a container image pull failure.

103
MCQ · medium

A developer is using AWS Elastic Beanstalk to deploy a web application. The application uses an in-environment Amazon RDS database instance. The developer needs to update the application code without risking data loss. The database must not be affected by environment operations such as termination or updates. What is the recommended approach?

A. Create a standalone Amazon RDS instance and reconfigure the application to use it instead of the in-environment database.
B. Take a snapshot of the database before each deployment and restore it after the deployment completes.
C. Use the Elastic Beanstalk environment's 'Swap environment URLs' feature to perform a blue/green deployment.
D. Create a new Elastic Beanstalk environment with a new RDS instance and migrate data manually.
Answer: A

Decoupling the database from the Elastic Beanstalk environment ensures that data persists even if the environment is terminated. This is the recommended approach.

Why this answer

Option A is correct because decoupling the RDS database from the Elastic Beanstalk environment by creating a standalone RDS instance ensures that the database is not tied to the environment's lifecycle. In-environment databases are automatically deleted when the environment is terminated or updated, risking data loss. By reconfiguring the application to point to an external RDS instance, the database persists independently of environment operations, meeting the requirement to avoid data loss during code updates or environment changes.

Exam trap

The trap here is that candidates may assume the 'Swap environment URLs' blue/green deployment (Option C) inherently protects the database, but they overlook that in-environment databases are still tied to the environment lifecycle, so the original database can be lost when the old environment is terminated.

How to eliminate wrong answers

Option B is wrong because taking a snapshot before each deployment and restoring it after does not prevent data loss during the deployment window; any writes between the snapshot and restore would be lost, and it introduces unnecessary complexity and downtime. Option C is wrong because the 'Swap environment URLs' feature for blue/green deployment swaps traffic between two environments, but if both environments use in-environment databases, the database in the original environment is still at risk of deletion or data loss during termination or updates. Option D is wrong because creating a new environment with a new RDS instance and manually migrating data does not guarantee zero data loss during the migration process, and it duplicates effort without addressing the core issue of decoupling the database from the environment lifecycle.

104
MCQ · easy

A developer is deploying a Node.js application to AWS Elastic Beanstalk. The application uses environment variables for database credentials. What is the BEST way to securely provide these credentials to the application?

A. Store the credentials in a file in the source code repository.
B. Store the credentials in the application's configuration file within the deployment package.
C. Hardcode the credentials in the application code.
D. Set environment properties in the Elastic Beanstalk environment configuration.
Answer: D

Environment properties are secure and easily managed.

Why this answer

Option D is correct because Elastic Beanstalk allows you to set environment properties in the environment configuration, which are injected as environment variables into the application's runtime. This approach keeps sensitive credentials out of the source code and deployment artifacts, adhering to the principle of least privilege and secure credential management. For a Node.js application, these environment variables can be accessed via `process.env`, providing a secure and flexible way to manage database credentials without hardcoding or storing them in files.

Exam trap

The trap here is that candidates may think storing credentials in a configuration file (Option B) is acceptable because it separates code from configuration, but they overlook that the configuration file is still part of the deployment package and can be accessed by anyone with access to the artifact or the running environment.

How to eliminate wrong answers

Option A is wrong because storing credentials in a file in the source code repository exposes them to anyone with access to the repository, violating security best practices and potentially leading to credential leakage in version control history. Option B is wrong because including credentials in the application's configuration file within the deployment package embeds them in the deployable artifact, making them accessible to anyone who can access the deployment package or the running environment's filesystem. Option C is wrong because hardcoding credentials in the application code is a severe security risk, as it exposes secrets in the codebase, makes rotation difficult, and violates the principle of separating configuration from code.

105
MCQ · easy

A developer is deploying a Python application to AWS Lambda. The application has several dependencies. The developer wants to ensure that the deployment package is as small as possible to reduce cold start times. What should the developer do?

A. Use Lambda Layers to manage dependencies separately from the function code.
B. Use an S3 bucket to store the deployment package.
C. Use AWS CodeBuild to optimize the package.
D. Include all dependencies in the deployment package.
Answer: A

Layers reduce the function code size and are reused across functions.

Why this answer

Lambda Layers allow you to package and manage dependencies (like Python libraries) separately from your function code. By moving dependencies to a layer, the function code deployment package becomes smaller, which reduces the time Lambda spends downloading and extracting the package during cold starts. Layers are cached across executions, further improving performance.

Exam trap

The trap here is that candidates may think including all dependencies in the package is simpler or more reliable, but they overlook that Lambda Layers are the designed AWS mechanism to reduce deployment package size and improve cold start performance.

How to eliminate wrong answers

Option B is wrong because storing the deployment package in an S3 bucket is a standard way to upload large packages to Lambda, but it does not reduce the package size or cold start times. Option C is wrong because AWS CodeBuild is a continuous integration service that builds and tests code, but it does not inherently optimize the deployment package for size or cold start performance. Option D is wrong because including all dependencies in the deployment package directly increases its size, which worsens cold start latency, contradicting the goal of minimizing the package.

106
MCQ · medium

A developer is using AWS CodeDeploy to deploy an application to an EC2 Auto Scaling group. The deployment must be rolled back automatically if any instance in the deployment fails a health check within 10 minutes after the deployment. Which configuration should the developer set in the CodeDeploy deployment group?

A. Set the deployment style to in-place and enable automatic rollback with event triggers.
B. Configure a deployment configuration with a minimum healthy hosts of 90% and enable CloudWatch alarm-based rollback.
C. Set the deployment style to blue/green and enable automatic rollback for deployment failure.
D. Configure a deployment group with automatic rollback enabled and set the rollback trigger to instance failure.
Answer: D

This directly configures automatic rollback based on instance failure events, which include health check failures during the deployment lifecycle. CodeDeploy will then automatically revert to the previous deployment revision.

Why this answer

Option D is correct because the developer needs to configure the CodeDeploy deployment group with automatic rollback enabled and set the rollback trigger to 'instance failure'. This configuration ensures that if any instance fails a health check within the specified monitoring period (10 minutes after deployment), CodeDeploy automatically rolls back the deployment to the last known good revision. The 'instance failure' trigger specifically monitors the health of each instance and initiates a rollback when a health check fails, meeting the requirement exactly.

Exam trap

The trap here is that candidates often confuse 'deployment failure' (which triggers rollback only when the entire deployment process fails) with 'instance failure' (which triggers rollback when any individual instance fails a health check after deployment), leading them to choose options that only handle deployment-level failures.

How to eliminate wrong answers

Option A is wrong because setting the deployment style to in-place with automatic rollback and event triggers does not provide the specific health check monitoring within a 10-minute window; event triggers are for lifecycle events, not for health check failures. Option B is wrong because configuring a minimum healthy hosts of 90% and enabling CloudWatch alarm-based rollback only triggers a rollback when a CloudWatch alarm fires, not directly when an instance fails a health check within 10 minutes; this approach is for broader metric-based rollbacks, not per-instance health monitoring. Option C is wrong because blue/green deployment style with automatic rollback for deployment failure only rolls back if the entire deployment fails, not if a single instance fails a health check after deployment; it does not provide the granular per-instance health check monitoring required.

107
MCQ · easy

A company uses AWS Elastic Beanstalk to deploy a web application. The development team wants to deploy a new version of the application to a separate environment for testing before switching production traffic. Which deployment strategy should be used?

A. Immutable deployment.
B. All at once deployment.
C. Blue/green deployment.
D. Rolling deployment.
Answer: C

This creates a separate environment for testing and swaps URLs.

Why this answer

Option D is correct because blue/green deployment creates a separate environment (green) for testing and then swaps URLs to switch traffic. Option A is wrong because all-at-once updates the current environment. Option B is wrong because rolling updates update instances in batches in the same environment.

Option C is wrong because immutable updates create a new Auto Scaling group in the same environment.

108
MCQ · easy

A developer is deploying a new version of a Lambda function using the AWS CLI. The function is part of a serverless application that processes S3 events. The developer wants to ensure that the new version is production-ready and that the old version is still available for rollback. Which CLI command should the developer use to create a new version of the Lambda function?

A. aws lambda publish-version --function-name my-function
B. aws lambda update-function-configuration --function-name my-function --handler new-handler
C. aws lambda update-function-code --function-name my-function --zip-file fileb://my-code.zip
D. aws lambda create-function --function-name my-function --zip-file fileb://my-code.zip
Answer: A

This command publishes a new version of the Lambda function.

Why this answer

Option A is correct because the `aws lambda publish-version` command creates an immutable, versioned snapshot of the Lambda function's code and configuration, which is required for production-ready deployments. This ensures the old version remains available for rollback while the new version is published with a unique version number (e.g., $LATEST, 1, 2). The command explicitly publishes the current $LATEST version as a new numbered version, making it production-ready without affecting existing versions.

Exam trap

The trap here is that candidates confuse deploying code with `update-function-code` (which only updates $LATEST) with publishing a new version, assuming that any code update automatically creates a version; in reality, you must explicitly run `publish-version` to create an immutable, numbered version for production use and rollback.

How to eliminate wrong answers

Option B is wrong because `update-function-configuration` only modifies the function's configuration settings (e.g., handler, runtime, environment variables) and does not create a new version; it updates the $LATEST version in place, leaving no immutable snapshot for rollback. Option C is wrong because `update-function-code` only deploys new code to the $LATEST version, overwriting the existing code without creating a new numbered version; the old code is lost unless a version was previously published. Option D is wrong because `create-function` is used to create a new Lambda function from scratch, not to deploy a new version of an existing function; it would fail if the function already exists or create a separate function, which does not preserve the old version for rollback.

109
Multi-Select · medium

Which TWO actions should a developer take to ensure that an AWS CodeDeploy deployment is successful when deploying to an Auto Scaling group? (Choose TWO.)

Select 2 answers
A. Create an IAM service role that allows CodeDeploy to access the instances.
B. Attach an Application Load Balancer to the Auto Scaling group.
C. Enable the Application Discovery Service for the instances.
D. Configure the deployment to use a blue/green deployment type.
E. Install the CodeDeploy agent on each EC2 instance in the Auto Scaling group.
Answers: A, E

Role is required for CodeDeploy to perform actions.

Why this answer

Option B and D are correct because the CodeDeploy agent must be installed on each instance, and the service role must have permissions to access the instances. Option A is wrong because CodeDeploy supports in-place deployments. Option C is wrong because a load balancer is optional.

Option E is wrong because CodeDeploy does not require an Application Discovery Service.

110
MCQ · easy

A company wants to deploy an application using AWS Elastic Beanstalk. The application requires a relational database. What is the BEST practice for managing the database?

A. Create an Amazon RDS database instance separately and configure the application to connect to it.
B. Use the Elastic Beanstalk console to add an RDS database to the environment.
C. Use an S3 bucket to store data.
D. Use Amazon DynamoDB as the database.
Answer: A

Decouples database from environment.

Why this answer

The best practice for managing a relational database in Elastic Beanstalk is to decouple the database from the application lifecycle by creating an Amazon RDS instance separately. This ensures the database is not deleted when the Elastic Beanstalk environment is terminated, provides better control over backups, scaling, and maintenance, and allows the application to connect via environment variables or configuration files. Using a separate RDS instance aligns with production best practices for durability and operational flexibility.

Exam trap

The trap here is that candidates assume the integrated RDS option in Elastic Beanstalk is the simplest and therefore best approach, but the exam tests the understanding that decoupling the database from the environment lifecycle is the production best practice to avoid accidental data loss.

How to eliminate wrong answers

Option B is wrong because adding an RDS database via the Elastic Beanstalk console ties the database lifecycle to the environment, meaning the database is deleted when the environment is terminated, which is risky for production workloads. Option C is wrong because Amazon S3 is an object storage service, not a relational database; it cannot support SQL queries, transactions, or relational data models required by the application. Option D is wrong because Amazon DynamoDB is a NoSQL key-value and document database, not a relational database; it does not support SQL joins, ACID transactions across multiple tables, or schema enforcement needed for relational workloads.

111
MCQeasy

A developer is using AWS CodeBuild to build and test a Java application. The buildspec.yaml file includes phases for install, pre_build, build, and post_build. The developer notices that the build fails intermittently due to network timeouts when downloading dependencies from an external repository. The developer wants to improve the reliability of the build by caching the dependencies. The build environment is Linux and the dependencies are stored in the /root/.m2 directory (Maven cache). The developer has an S3 bucket for caching. What should the developer add to the buildspec.yaml to enable caching?

A. Add a 'phases' section with install commands to manually copy dependencies to S3.
B. Add an 'artifacts' section with 'files' including '/root/.m2/**/*' and 'location' set to the S3 bucket.
C. Add a 'cache' section with 'paths' including '/root/.m2' and 'location' set to the S3 bucket ARN.
D. Add an 'env' section with 'parameter-store' variables to store the dependency paths.
Answer: C

The cache section in buildspec enables caching of specified paths to an S3 bucket.

Why this answer

Option A is correct because adding a 'cache' section with 'paths' pointing to /root/.m2 and 'location' pointing to the S3 bucket will cache the Maven dependencies. Option B is incorrect because the 'artifacts' section is for output artifacts, not caching. Option C is incorrect because the 'env' section is for environment variables.

Option D is incorrect because the 'phases' section defines build commands, not caching.

112
MCQmedium

A developer is using AWS CloudFormation to deploy a stack with multiple resources. To ensure that a specific EC2 instance is created only after a security group is created, the developer wants to define the dependency. How should the developer achieve this in the CloudFormation template?

A. Use the DependsOn attribute on the EC2 instance resource
B. Use the Ref function to refer to the security group in the EC2 instance properties
C. Use the AWS::NoValue intrinsic function
D. Use the Condition attribute on the EC2 instance
Answer: A

DependsOn explicitly defines that the EC2 instance depends on the security group, ensuring creation order.

Why this answer

Option A is correct because the `DependsOn` attribute explicitly tells AWS CloudFormation to create the EC2 instance only after the security group has been successfully created. Without this explicit dependency, CloudFormation may attempt to create resources in parallel, which could cause the EC2 instance launch to fail if it references a security group that does not yet exist.

Exam trap

The trap here is that candidates often assume that using `Ref` to reference a resource automatically creates a dependency, but CloudFormation only creates implicit dependencies when the reference is used in a property that directly requires the referenced resource's physical ID (e.g., `SecurityGroups`), not for all uses of `Ref`.

How to eliminate wrong answers

Option B is wrong because using the `Ref` function to refer to the security group in the EC2 instance properties does not create an explicit dependency; it only passes the security group's logical ID or physical ID as a parameter. CloudFormation may still create the EC2 instance before the security group if no explicit dependency is declared. Option C is wrong because `AWS::NoValue` is used to conditionally omit a property value or to suppress a return value, not to define resource creation order.

Option D is wrong because the `Condition` attribute controls whether a resource is created at all based on a condition, not the order in which resources are created.

113
MCQeasy

A developer is deploying a serverless application using AWS SAM. The application consists of an API Gateway REST API and multiple AWS Lambda functions. The developer wants to deploy the application to a production environment with minimal downtime. Which deployment strategy should the developer use?

A. Create a blue/green deployment using AWS Elastic Beanstalk.
B. Delete the existing stack and deploy a new one.
C. Perform a rolling update by updating functions one by one.
D. Use SAM's built-in canary deployment with traffic shifting.
Answer: D

SAM supports canary deployments natively for gradual traffic shifting.

Why this answer

Option A is correct because AWS SAM supports canary deployments, which allow traffic shifting gradually to new versions, minimizing downtime. Option B is wrong because rolling updates are not natively supported by SAM for Lambda. Option C is wrong because blue/green deployments require manual setup and are not built into SAM.

Option D is wrong because replacing the stack causes downtime.

114
MCQhard

A company uses AWS CodePipeline with a manual approval step before deployment. The developer wants to ensure that if a pipeline execution is waiting for approval and new code is pushed, the awaiting execution is canceled and a new one starts with the latest code. Which pipeline execution mode should be configured?

A. Queued
B. Superseded
C. Parallel
D. Single
Answer: B

Superseded mode cancels the current execution and starts a new one with the latest changes.

Why this answer

The Superseded execution mode is correct because it automatically cancels any currently running or waiting pipeline execution when a new one is triggered, ensuring that only the latest code proceeds through the pipeline. This is ideal for scenarios with manual approval steps where stale executions should not block or delay the deployment of the most recent commit.

Exam trap

The trap here is that candidates may confuse Superseded with Queued, assuming that queuing is the default or safest option, but they miss that Superseded is specifically designed to replace pending executions with the latest code push.

How to eliminate wrong answers

Option A is wrong because Queued mode places executions in a queue and runs them sequentially, meaning a waiting approval would not be canceled and the new push would wait until the previous execution completes. Option C is wrong because Parallel mode allows multiple executions to run concurrently, which would not cancel the awaiting execution and could lead to conflicting deployments. Option D is wrong because Single mode is not a valid execution mode in AWS CodePipeline; the available modes are Queued, Superseded, and Parallel.

115
Multi-Select · medium

A SAM application should gradually shift Lambda traffic and roll back on errors. Which two pieces are needed?

Select 2 answers
A. An S3 lifecycle rule
B. A Lambda alias/deployment preference
C. CloudWatch alarms tied to deployment health
D. A public S3 bucket
Answers: B, C

Correct for the stated requirement.

Why this answer

Option B is correct because AWS SAM uses Lambda aliases with deployment preferences (e.g., Canary10Percent5Minutes or Linear10PercentEvery10Minutes) to gradually shift traffic from the old version to the new version. Option C is correct because CloudWatch alarms can be tied to the deployment preferences to automatically roll back the traffic shift if the alarm enters the ALARM state, indicating errors or degraded health.

Exam trap

The trap here is that candidates often confuse deployment-related features (like S3 lifecycle rules or public buckets) with the actual AWS services (Lambda alias and CodeDeploy) that handle traffic shifting and rollback, leading them to select irrelevant options.

116
Multi-Selecthard

Which TWO approaches can a developer use to automate the deployment of a microservices application to Amazon ECS with Fargate, ensuring that each microservice is independently deployable and can scale based on demand?

Select 2 answers
A. Define all microservices in a single task definition and run them as one service
B. Use a single ECS service with multiple containers per task definition
C. Use a single CodePipeline that builds all microservices together
D. Define each microservice as a separate ECS service with its own task definition
E. Use a separate CodePipeline for each microservice that builds and deploys independently
Answers: D, E

Separate services allow independent deployment and scaling.

Why this answer

Using separate ECS services (D) and a CI/CD pipeline per microservice (E) ensures independent deployment and scaling. Option C (monolithic pipeline) defeats independence. Option A (single task definition) couples services.

Option B (single service) does not allow independent scaling.

117
MCQ · medium

A developer is deploying a new version of a Lambda function using the AWS CLI. The developer wants to shift 10% of traffic to the new version and then gradually increase to 100% over 10 minutes. Which CLI command should the developer use?

A. aws lambda publish-version --function-name my-function
B. aws lambda create-function --function-name my-function --zip-file fileb://my-code.zip
C. aws lambda update-alias --function-name my-function --name prod --function-version 2 --routing-config AdditionalVersionWeights={"1":0.9}
D. aws lambda invoke --function-name my-function --payload '{}'
Answer: C

This sets up routing to send 10% to version 2.

Why this answer

The update-function-code command deploys a new version. To shift traffic, the developer must use the update-alias command with a routing configuration. Option C is correct because it creates an alias with a routing config.

Option B (create-function) creates a new function. Option D (invoke) invokes a function. Option A (publish-version) publishes a version but does not shift traffic.

118
MCQ · medium

A developer is deploying a web application on AWS Elastic Beanstalk. The application uses a relational database and requires a custom environment variable for the database connection string. The developer has created an Elastic Beanstalk environment and wants to set the environment variable securely without exposing it in the source code or configuration files. The developer also wants to ensure that the environment variable is available to the application instances at deployment time. What is the BEST way to achieve this?

A. Set the environment variable using the Elastic Beanstalk console or CLI by configuring environment properties.
B. Store the connection string in AWS Systems Manager Parameter Store and retrieve it from the application code at runtime.
C. Hardcode the connection string in the application code and commit it to the source repository.
D. Store the connection string in a file named 'env.txt' in the application source bundle and read it at application startup.
Answer: A

Elastic Beanstalk environment properties are secure and automatically available to instances.

Why this answer

Option A is correct because Elastic Beanstalk allows setting environment properties in the environment configuration, which are securely passed to the instances. Option D is incorrect because storing the connection string in a plain text file is insecure. Option C is incorrect because hardcoding the value in the application code is not secure and not a best practice.

Option B is incorrect because although AWS Systems Manager Parameter Store can store the value, the application would need to retrieve it at runtime, adding complexity; Elastic Beanstalk environment properties are simpler and automatically injected.

119
MCQ · hard

A company uses AWS CodeBuild for building and testing their application. They have a build project that runs on a Linux environment. They want to run a build in a custom Docker image that is stored in Amazon ECR. How should they configure the build project?

A. Add a 'Dockerfile' to the source code and specify it in the buildspec.
B. In the environment configuration, set the 'Image' field to the ECR image URI.
C. Use a managed image provided by AWS CodeBuild.
D. Configure the pipeline to pass the image URI as an environment variable.
Answer: B

CodeBuild supports custom images from ECR.

Why this answer

Option B is correct because AWS CodeBuild allows you to specify a custom Docker image from Amazon ECR by entering its URI directly in the 'Image' field under the environment configuration. This enables the build to run in a container that includes all necessary dependencies, without requiring a Dockerfile in the source code or a managed image.

Exam trap

The trap here is that candidates confuse specifying a Dockerfile to build a new image (Option A) with using an existing custom image as the build environment, leading them to overlook the direct ECR URI configuration in the environment settings.

How to eliminate wrong answers

Option A is wrong because adding a Dockerfile to the source code and specifying it in the buildspec is used for building a new Docker image, not for running the build in an existing custom image from ECR. Option C is wrong because managed images provided by AWS CodeBuild are pre-configured environments (e.g., Ubuntu, Windows) and do not include custom dependencies that the company needs. Option D is wrong because passing the image URI as an environment variable does not instruct CodeBuild to use that image as the runtime environment; the image must be specified in the environment configuration's 'Image' field.

120
MCQ · medium

A company is using AWS CodeDeploy to deploy a web application to an Auto Scaling group of EC2 instances. The deployment fails with the error 'The overall deployment failed because too many individual instances failed deployment.' What is the most likely cause?

A. The application specification file (appspec) is missing required hooks.
B. The IAM role for CodeDeploy does not have sufficient permissions to call EC2 APIs.
C. The Auto Scaling group does not have enough instances to meet the minimum healthy count.
D. The number of instances that failed deployment exceeded the configured failure threshold.
Answer: D

CodeDeploy fails the deployment if too many instances fail.

Why this answer

Option D is correct because CodeDeploy has a failure threshold that, when exceeded, fails the entire deployment. Option C is wrong because insufficient capacity would cause a different error. Option B is wrong because IAM permissions would cause access denied errors.

Option A is wrong because missing tags would cause a different error.

121
Multi-Select · hard

Which TWO are valid ways to automate deployments to Amazon ECS? (Choose TWO.)

Select 2 answers
A. Use AWS CodeDeploy with an Amazon ECS blue/green deployment.
B. Use AWS CloudFormation to create a change set and update the service.
C. Use AWS OpsWorks with a Docker layer.
D. Use AWS CodePipeline with an Amazon ECS deploy action.
E. Use AWS Elastic Beanstalk with a Docker platform.
Answers: A, D

CodeDeploy supports ECS blue/green deployments.

Why this answer

Options A and D are correct. AWS CodePipeline with ECS deploy action and AWS CodeDeploy with ECS blue/green are valid. Option B is incorrect because CloudFormation is for infrastructure, not deployments.

Option E is incorrect because Elastic Beanstalk is not for ECS. Option C is incorrect because OpsWorks is not for ECS.

122
MCQ · hard

A developer is creating a CloudFormation template to deploy a microservices architecture. The template includes an Amazon ECS service with an Application Load Balancer. The developer wants to ensure that the load balancer is created before the ECS service. How should the developer achieve this?

A. Use the Ref function in the ECS service to reference the load balancer.
B. Use the DependsOn attribute in the ECS service resource to reference the load balancer.
C. Define the load balancer before the ECS service in the template.
D. Use the Fn::GetAtt function to reference the load balancer.
Answer: B

DependsOn ensures creation order.

Why this answer

Option B is correct because DependsOn explicitly specifies the order. Option A is wrong because Ref does not guarantee creation order. Option C is wrong because order in template does not guarantee creation order.

Option D is wrong because Fn::GetAtt does not enforce order.

123
MCQ · easy

A developer uses AWS CodeCommit to store source code. The developer wants to automatically trigger a build in AWS CodeBuild every time a new commit is pushed to the master branch. Which AWS service should the developer use to configure this integration?

A. Amazon CloudWatch Events (or EventBridge)
B. Amazon S3 events
C. AWS CodeDeploy
D. AWS CodePipeline
Answer: D

CodePipeline integrates CodeCommit and CodeBuild for continuous integration.

Why this answer

Option D is correct because CodePipeline can be configured to trigger on CodeCommit events and start a CodeBuild project. Option A is wrong because CloudWatch Events can trigger CodeBuild directly, but CodePipeline is the standard integration. Option C is wrong because CodeDeploy is for deployment, not build.

Option B is wrong because S3 events are not directly related to CodeCommit.

124
MCQ · hard

A developer is using AWS CodeDeploy to deploy an application to an Auto Scaling group of EC2 instances. The application is critical and must have zero downtime. The Auto Scaling group currently has 4 instances spread across 2 Availability Zones. Which predefined deployment configuration minimizes the number of instances taken out of service at any given time?

A. CodeDeployDefault.AllAtOnce
B. CodeDeployDefault.HalfAtATime
C. CodeDeployDefault.OneAtATime
D. CodeDeployDefault.LambdaCanary10Percent5Minutes
Answer: C

OneAtATime deploys to a single instance at a time, minimizing the number of instances offline and best preserving availability.

Why this answer

Option C, CodeDeployDefault.OneAtATime, is correct because it deploys the application to only one instance at a time, ensuring that the remaining instances continue to serve traffic. This minimizes the number of instances taken out of service at any given moment, which is critical for achieving zero downtime in an Auto Scaling group with 4 instances across 2 Availability Zones.

Exam trap

The trap here is that candidates may confuse deployment configurations designed for EC2 instances (like OneAtATime) with those for Lambda (like LambdaCanary10Percent5Minutes), or incorrectly assume HalfAtATime is the safest option without considering that OneAtATime minimizes the number of instances out of service even further.

How to eliminate wrong answers

Option A is wrong because CodeDeployDefault.AllAtOnce deploys to all instances simultaneously, taking all 4 instances out of service at once, which violates the zero-downtime requirement. Option B is wrong because CodeDeployDefault.HalfAtATime deploys to 2 instances at a time (half of 4), which takes more instances out of service than necessary compared to OneAtATime. Option D is wrong because CodeDeployDefault.LambdaCanary10Percent5Minutes is a deployment configuration for AWS Lambda functions, not for EC2 instances in an Auto Scaling group, and is therefore inapplicable.

125
Multi-Select · medium

A developer is deploying a web application using AWS Elastic Beanstalk. Which TWO configuration files can be used to customize the software that runs on the EC2 instances? (Select TWO.)

Select 2 answers
A. .platform/hooks/
B. Dockerfile
C. .ebextensions/*.config
D. appspec.yml
E. buildspec.yml
Answers: A, C

Used for custom platform hooks.

Why this answer

Option A is correct because the `.platform/hooks/` directory is a feature of Elastic Beanstalk's platform-specific configuration that allows you to run custom scripts at specific lifecycle events (e.g., prebuild, postdeploy) on the EC2 instances. This is the modern replacement for the older `.ebextensions` approach for running commands during deployment, and it directly customizes the software running on the instances.

Exam trap

The trap here is that candidates often confuse Elastic Beanstalk configuration files with other AWS services' configuration files (like CodeDeploy's appspec.yml or CodeBuild's buildspec.yml) or assume a Dockerfile is universally applicable, when in fact only `.platform/hooks/` and `.ebextensions/*.config` are the two valid options for customizing software on EC2 instances in Elastic Beanstalk.

126
MCQ · medium

A developer is using AWS Elastic Beanstalk to deploy a web application. The application uses an Amazon RDS database instance that is included in the Elastic Beanstalk environment. The developer wants to update the application code without affecting the database. What is the recommended approach?

A. Update the application code directly on the EC2 instances without redeploying the environment.
B. Create a new environment configuration, update the code, and swap the CNAME of the environments.
C. Decouple the database from the Elastic Beanstalk environment by creating a separate RDS instance and connecting the application to it externally.
D. Use Elastic Beanstalk's platform updates while keeping the database attached to the environment.
Answer: C

By creating an independent RDS instance and configuring the Elastic Beanstalk environment to connect to it via environment properties, the database is unaffected by application updates or environment changes.

Why this answer

Option C is correct because when an RDS instance is included in an Elastic Beanstalk environment, it is tied to the environment's lifecycle. If the environment is terminated or rebuilt, the database is also deleted. Decoupling the database by creating a standalone RDS instance and connecting the application to it externally ensures the database persists independently of application deployments, allowing code updates without risking data loss.

Exam trap

The trap here is that candidates assume swapping CNAMEs between environments (blue/green deployment) is sufficient to protect the database, but they overlook that the database is still lifecycle-managed within each environment and will be lost if the original environment is terminated.

How to eliminate wrong answers

Option A is wrong because directly updating code on EC2 instances bypasses Elastic Beanstalk's managed deployment process, leading to configuration drift and loss of rollback capability. Option B is wrong because swapping CNAMEs between environments does not decouple the database; the new environment would still have its own lifecycle-managed RDS instance, and the original database remains tied to the old environment. Option D is wrong because platform updates only update the Elastic Beanstalk platform version, not the application code, and the database remains lifecycle-coupled, so any environment rebuild or termination would still affect the database.

127
MCQ · easy

A company is using AWS CloudFormation to deploy a stack that includes an Amazon EC2 instance with an attached Amazon EBS volume. The developer wants to ensure that the EBS volume is deleted when the EC2 instance is terminated. The developer has set the DeletionPolicy attribute on the EBS volume resource to Delete. However, after terminating the EC2 instance through the console, the EBS volume is still present. The stack still exists. What is the most likely reason the volume was not deleted?

A. The EBS volume has a DeleteOnTermination attribute set to false.
B. The DeletionPolicy attribute only takes effect when the CloudFormation stack is deleted, not when an individual resource is terminated.
C. The EBS volume is the root device of the EC2 instance.
D. The EC2 instance was terminated manually, not through a stack update.
Answer: B

DeletionPolicy applies to stack deletion, not resource termination.

Why this answer

Option B is correct because DeletionPolicy only applies when the stack is deleted, not when an individual resource is terminated. Option D is wrong because the EC2 instance termination does not trigger stack update. Option C is wrong because the EBS volume is not a root device; root device is an instance store or EBS volume.

Option A is wrong because the DeleteOnTermination attribute on the EC2 instance's BlockDeviceMapping controls whether the volume is deleted when the instance is terminated, not the DeletionPolicy on the volume resource.

128
Multi-Select · hard

A company uses AWS CodePipeline to automate deployments of a microservices application to Amazon ECS with Fargate. The pipeline has a deploy stage that uses Amazon ECS Blue/Green deployment. The deployment fails intermittently with a 'Task failed to start' error. The developer needs to troubleshoot the issue. Which THREE steps should the developer take? (Choose three.)

Select 3 answers
A. Review the CodeBuild build logs for errors.
B. Check the Amazon ECS service events for the task failure reason.
C. Validate that the task definition JSON is correctly formatted and references the correct container images.
D. Check the CloudFormation stack events for the ECS service.
E. Verify that the task execution IAM role has permissions to pull the container image from ECR.
Answers: B, C, E

ECS service events provide detailed failure reasons.

Why this answer

Options B, C, and E are correct because checking ECS service events (B) gives direct error messages, validating the task definition (C) ensures container configuration is correct, and verifying the IAM role (E) addresses permission issues. Option A is wrong because CodeBuild logs are for build, not deploy. Option D is wrong because CloudFormation events are not relevant for ECS deployments.

129
MCQ · easy

Refer to the exhibit. A CloudFormation template creates an S3 bucket with a 'Retain' deletion policy and an EC2 instance. If the stack is deleted, what happens to the S3 bucket?

A. The S3 bucket is deleted along with the stack.
B. The S3 bucket is moved to a different account.
C. A snapshot of the S3 bucket is taken before deletion.
D. The S3 bucket is retained and must be deleted manually.
Answer: D

The 'Retain' policy preserves the resource.

Why this answer

Option D is correct because the 'Retain' deletion policy on the S3 bucket overrides the default stack deletion behavior. When a CloudFormation stack is deleted, any resource with a 'DeletionPolicy' set to 'Retain' is preserved in the AWS account, even though the resource is removed from the stack's template. The bucket continues to exist independently and must be manually deleted by the user via the AWS Management Console, CLI, or SDK.

Exam trap

The trap here is that candidates may assume all resources are automatically deleted when a stack is deleted, overlooking the 'DeletionPolicy' attribute that can override this default behavior for specific resources like S3 buckets.

How to eliminate wrong answers

Option A is wrong because the 'Retain' deletion policy explicitly prevents the S3 bucket from being deleted when the stack is deleted; without this policy, the bucket would be deleted by default. Option B is wrong because CloudFormation does not have any mechanism to move resources to a different account during stack deletion; the bucket remains in the same AWS account. Option C is wrong because CloudFormation does not take snapshots of S3 buckets; snapshot functionality is specific to Amazon EBS volumes, not S3.

130
MCQ · hard

A developer is trying to update a CloudFormation stack that includes a Lambda function. The stack rolls back with the error shown. What is the most likely cause?

A. The Lambda function's execution role lacks permissions to write logs to CloudWatch.
B. The Lambda function's deployment package is not stored in Amazon S3.
C. The Lambda function's code is too large for the deployment.
D. The Lambda function's execution role does not have a trust policy that allows Lambda to assume it.
Answer: D

Lambda needs to assume the role, so the trust policy must include lambda.amazonaws.com.

Why this answer

Option D is correct because the error states that the role cannot be assumed by Lambda, meaning the trust policy of the IAM role does not include 'lambda.amazonaws.com' as a trusted entity. Option A is wrong because the error is about the role, not permissions. Option B is wrong because the error is not about S3.

Option C is wrong because the function code is not the issue.

131
MCQ · medium

A company uses AWS OpsWorks to manage a stack of EC2 instances. After a deployment, the application becomes unresponsive. The engineer suspects that a configuration file was not updated correctly. What is the best way to verify the deployed configuration?

A. Use AWS Systems Manager Run Command to execute a script that outputs the configuration.
B. Check the OpsWorks stack's logs for any JSON syntax errors in the custom JSON.
C. SSH into an instance and inspect the configuration files in /var/lib/aws/opsworks.
D. Review the application logs in Amazon CloudWatch Logs for configuration errors.
Answer: C

This location contains the applied configuration, allowing verification of what was actually deployed.

Why this answer

Option C is correct because OpsWorks stores the last applied configuration in /var/lib/aws/opsworks, and checking this location shows the actual configuration used. Option B is incorrect because JSON syntax errors cause deployment failures, not silent misconfiguration. Option A is incorrect because AWS Systems Manager Run Command is not specific to OpsWorks.

Option D is incorrect because CloudWatch Logs may not contain configuration details.

132
MCQ · easy

A developer is using AWS CodeDeploy to deploy an application to an Auto Scaling group. The deployment is configured with a 'OneAtATime' deployment configuration. The developer notices that the deployment is taking a long time. What is the most likely reason?

A. The deployment group is configured with an incorrect load balancer.
B. The Auto Scaling group has a large number of instances, and deploying one at a time is slow.
C. The deployment configuration is set to 'AllAtOnce', but the developer intended 'OneAtATime'.
D. The CodeDeploy agent on the instances is not running.
Answer: B

OneAtATime deploys sequentially.

Why this answer

Option B is correct because 'OneAtATime' deploys to one instance at a time, which can be slow for large groups. Option C is wrong because the deployment configuration is correct. Option D is wrong because the agent is not the issue.

Option A is wrong because the deployment group is correctly configured.

133
MCQ · easy

A developer uses AWS CodePipeline with a manual approval step before deployment. The developer wants to ensure that if a new commit is pushed while a pipeline execution is waiting for approval, the waiting execution is canceled and a new one starts with the latest commit. Which pipeline execution mode should be configured?

A. Queued
B. Superseded
C. Parallel
D. Single
Answer: B

Superseded mode cancels the current execution (if it is still in progress) and starts a new one with the latest changes.

Why this answer

The Superseded execution mode is designed to automatically cancel any in-progress pipeline execution when a new commit is pushed, and start a new execution with the latest source changes. This ensures that the manual approval step does not block newer commits, as the waiting execution is replaced by the one triggered by the latest commit. In contrast, other modes either queue or run executions in parallel, which would not cancel the waiting approval step.

Exam trap

The trap here is that candidates may confuse Superseded with Queued, thinking that queuing will handle the latest commit, but Queued only delays execution without canceling the waiting approval step.

How to eliminate wrong answers

Option A is wrong because Queued mode places new executions in a queue, waiting for the current execution to complete before starting the next one, which would not cancel the waiting approval step. Option C is wrong because Parallel mode allows multiple executions to run concurrently, which would not cancel the waiting execution and could lead to multiple approvals or deployments. Option D is wrong because Single mode is not a valid execution mode in AWS CodePipeline; the valid modes are Queued, Superseded, and Parallel.

134
MCQ · hard

A developer is deploying a serverless application using the AWS Serverless Application Model (SAM). The application includes an API Gateway endpoint backed by a Lambda function. The developer wants to enable canary deployments to shift traffic gradually. Which SAM resource attribute should they configure?

A. DeploymentPreference
B. StageName
C. Events
D. AutoPublishAlias
Answer: A

DeploymentPreference enables canary, linear, or all-at-once deployments.

Why this answer

Option A is correct because the DeploymentPreference attribute in the AWS::Serverless::Function resource allows configuring canary deployments with CodeDeploy. Option D is incorrect because AutoPublishAlias is used for automatic alias creation but not for canary traffic shifting. Option B is incorrect because StageName is for API Gateway stage name.

Option C is incorrect because Events define event sources.

135
MCQ · hard

A development team wants to automate the deployment of a microservices application on Amazon ECS with Fargate. The team uses AWS CodePipeline for CI/CD. Each microservice has its own source repository and Dockerfile. The team wants to build Docker images, push them to Amazon ECR, and deploy them to ECS. Which approach minimizes manual effort and follows best practices?

A. Use AWS CodeDeploy to deploy to ECS with a blue/green deployment.
B. Use AWS CloudFormation to create the infrastructure and manually trigger updates.
C. Use AWS CodePipeline with a build stage in CodeBuild and a deploy stage that uses the ECS deploy provider.
D. Use AWS CodeBuild to build and push images, then manually update the ECS service.
Answer: C

CodePipeline natively supports ECS deployment.

Why this answer

Option C is correct because CodePipeline can directly integrate with ECS using deploy actions that update the ECS service with new task definitions. Option D is wrong because it adds unnecessary manual steps. Option B is wrong because it is not a best practice to bypass CI/CD.

Option A is wrong because it adds extra complexity with CodeDeploy when not needed for Fargate.

136
Multi-Select · easy

A developer is using AWS CloudFormation to manage infrastructure. The developer needs to update a stack that contains a resource that requires replacement. Which TWO actions can the developer take to perform the update with minimal downtime?

Select 2 answers
A. Use a change set and execute it, allowing CloudFormation to replace the resource.
B. Use the 'Stack Policy' to prevent replacement.
C. Delete the stack and recreate it.
D. Create a new stack with the updated resource and then update the DNS to point to the new stack.
E. Use AWS CodeDeploy with a blue/green deployment to manage the replacement.
Answers: D, E

This blue/green approach minimizes downtime.

Why this answer

Options D and E are correct because creating a new stack in parallel and using a blue/green deployment with CodeDeploy minimize downtime. Option C causes downtime. Option B is not a method.

Option A does not address downtime.

137
MCQ · hard

A team wants CloudFormation to prevent accidental deletion of a production DynamoDB table during stack updates. What should they configure?

A. A larger write capacity setting
B. A Lambda layer
C. An API Gateway usage plan
D. DeletionPolicy or UpdateReplacePolicy Retain as appropriate
Answer: D

Correct for the stated requirement.

Why this answer

The DeletionPolicy attribute with a value of Retain instructs AWS CloudFormation to preserve the DynamoDB table when its stack resource is deleted during a stack update or stack deletion. Similarly, UpdateReplacePolicy Retain ensures that if a resource replacement is required during an update, the existing table is kept rather than deleted. This directly prevents accidental data loss by overriding CloudFormation's default behavior of deleting resources that are removed from the template or replaced.

Exam trap

The trap here is that candidates may confuse operational settings (like write capacity) or unrelated services (Lambda layers, API Gateway) with CloudFormation's resource lifecycle policies, missing the direct purpose of DeletionPolicy and UpdateReplacePolicy.

How to eliminate wrong answers

Option A is wrong because a larger write capacity setting only affects DynamoDB's throughput performance and has no impact on resource lifecycle or deletion prevention. Option B is wrong because a Lambda layer is used to package runtime dependencies for Lambda functions and does not influence CloudFormation's resource deletion behavior. Option C is wrong because an API Gateway usage plan throttles and monitors API requests for billing or rate-limiting purposes and is unrelated to CloudFormation stack resource protection.

138
MCQ · easy

A developer is deploying a serverless application using the AWS Serverless Application Model (SAM). The developer runs 'sam deploy' and receives an error: 'Error: Failed to create changeset for the stack.' What is a common cause of this error?

A. The SAM template contains a syntax error.
B. The S3 bucket specified for artifacts does not exist.
C. The IAM user does not have permission to create CloudFormation stacks.
D. AWS CodeDeploy is not configured for the application.
Answer: A

A malformed template prevents CloudFormation from creating a changeset, resulting in this error.

Why this answer

Option A is correct because the SAM template must be valid JSON or YAML; malformed syntax causes the changeset creation to fail. Options B, C, and D are incorrect: missing S3 bucket causes a different error, insufficient IAM permissions cause an authorization error, and CodeDeploy is not involved in SAM deployments.

139
MCQ · easy

A developer is using AWS CloudFormation to create a stack that includes an EC2 instance. The stack creation fails because the instance type is not supported in the selected Availability Zone. What should the developer do?

A. Delete the stack and start over.
B. Change the instance type to one that is supported.
C. Update the stack to specify a different subnet or not specify an Availability Zone.
D. Create the stack in a different region.
Answer: C

CloudFormation can choose an AZ automatically.

Why this answer

Option C is correct because when an EC2 instance type is not supported in a specific Availability Zone (AZ), the developer can update the CloudFormation stack to either specify a different subnet (which implicitly selects a different AZ) or omit the Availability Zone parameter entirely, allowing AWS to automatically choose an AZ where the instance type is supported. This avoids the need to delete the stack or change the instance type, preserving other stack resources and configurations.

Exam trap

The trap here is that candidates assume the only fix is to change the instance type (Option B) or restart from scratch (Option A), overlooking CloudFormation's ability to update the stack's subnet or AZ selection to match the instance type's availability.

How to eliminate wrong answers

Option A is wrong because deleting the stack and starting over is unnecessary and inefficient; the issue can be resolved by updating the stack's subnet or AZ specification without losing existing resources. Option B is wrong because changing the instance type may not be desirable if the developer specifically needs that instance type for performance or cost reasons; the problem is the AZ constraint, not the instance type itself. Option D is wrong because creating the stack in a different region is an overreaction; the instance type is likely supported in other AZs within the same region, and changing regions could introduce latency, cost, or compliance issues.

140
MCQ · medium

A developer is using AWS CodeDeploy to deploy a new version of an AWS Lambda function. The developer wants to gradually shift traffic from the old version to the new version in 10-minute increments. Which deployment configuration should the developer use?

A. Canary10Percent10Minutes
B. Canary10Percent30Minutes
C. Linear10PercentEvery10Minutes
D. AllAtOnce
Answer: C

This configuration shifts 10% of traffic every 10 minutes until 100% is shifted, meeting the requirement of gradual 10-minute increments.

Why this answer

The Linear10PercentEvery10Minutes configuration shifts traffic from the old Lambda version to the new version in 10% increments every 10 minutes, which matches the developer's requirement of gradually shifting traffic in 10-minute increments. This is a linear deployment type in AWS CodeDeploy that provides a steady, incremental traffic shift over time.

Exam trap

The trap here is confusing canary deployments (which shift a small percentage immediately and then the remainder after a wait) with linear deployments (which shift traffic in equal increments over time), leading candidates to select a canary configuration when a linear one is required.

How to eliminate wrong answers

Option A is wrong because Canary10Percent10Minutes shifts 10% of traffic to the new version immediately, then waits 10 minutes before shifting the remaining 90% all at once, which does not provide gradual 10-minute increments. Option B is wrong because Canary10Percent30Minutes shifts 10% immediately, then waits 30 minutes before shifting the remaining 90%, which does not match the 10-minute increment requirement. Option D is wrong because AllAtOnce shifts 100% of traffic to the new version immediately with no gradual traffic shifting, which contradicts the developer's requirement.

141
MCQmedium

A developer is deploying a new version of an AWS Lambda function using the AWS CLI. The developer wants to create a new version and update the alias to point to the new version. Which sequence of CLI commands should the developer use?

A.Update alias, update function code, publish version
B.Create alias, update function code, publish version
C.Publish version, update function code, update alias
D.Update function code, publish version, update alias
AnswerD

Correct sequence to deploy new code and shift traffic.

Why this answer

Option D is correct because the developer must first update the function code, then publish a new version, and finally update the alias. Option B is wrong because it creates an alias before publishing. Option C is wrong because it publishes before updating code.

Option A is wrong because it updates the alias before publishing.

142
MCQeasy

A developer is deploying an application using AWS Elastic Beanstalk. The application needs to connect to an Amazon RDS database. What is the best practice for storing database credentials?

A.Hardcode the credentials in the application code.
B.Store credentials in Elastic Beanstalk environment properties.
C.Store credentials in an Amazon S3 bucket with public read access.
D.Store credentials in AWS Secrets Manager and retrieve them at runtime.
AnswerD

Secrets Manager provides secure storage and rotation.

Why this answer

Option D is correct because AWS Secrets Manager is designed for securely storing and rotating secrets. Option A is wrong because hardcoding credentials is insecure. Option B is wrong because environment variables can be exposed in logs.

Option C is wrong because S3 is not secure for credentials without encryption.

143
MCQhard

A company uses AWS Elastic Beanstalk to deploy a web application. The development team wants to ensure that the deployment does not cause any downtime and that new instances are fully registered with the load balancer before old instances are terminated. Which deployment policy should they use?

A.Immutable
B.Rolling with an additional batch
C.Rolling
D.All at once
AnswerB

This policy adds new instances before removing old ones, ensuring zero downtime.

Why this answer

Option B is correct because rolling with an additional batch launches new instances, registers them with the ELB, and then terminates old instances, ensuring zero downtime. Option A is incorrect because immutable deployments create a new Auto Scaling group but can be slower. Option C is incorrect because rolling deployments can cause downtime if the batch size is too large.

Option D is incorrect because all at once causes downtime.

144
MCQmedium

A developer is using AWS Elastic Beanstalk to deploy a web application. The application requires a highly available environment across multiple Availability Zones. The developer wants to update the application without any downtime while minimizing the number of new instances launched. Which deployment policy should the developer use?

A.All at once
B.Rolling
C.Rolling with additional batch
D.Immutable
AnswerC

This policy launches a new batch of instances alongside the existing ones, ensuring capacity is never reduced. It achieves zero downtime with minimal additional instances compared to immutable.

Why this answer

Option C (Rolling with additional batch) is correct because it launches a new batch of instances before taking the old ones out of service, ensuring full capacity is maintained during the deployment. This provides high availability across multiple Availability Zones while minimizing the number of new instances compared to an immutable deployment, which would double the instance count. The additional batch absorbs the traffic during the rolling update, preventing any downtime.

Exam trap

The trap here is that candidates confuse 'Rolling' with 'Rolling with additional batch', assuming both provide zero downtime, but only the latter guarantees full capacity throughout the update by adding an extra batch to absorb traffic.

How to eliminate wrong answers

Option A is wrong because 'All at once' deploys the new version to all instances simultaneously, causing downtime as all instances are replaced at the same time. Option B is wrong because 'Rolling' updates instances in batches without an extra batch, which reduces capacity during the update and can lead to downtime if the application cannot handle reduced load. Option D is wrong because 'Immutable' launches a completely new set of instances in a new Auto Scaling group, then swaps the environment, which minimizes downtime but launches the maximum number of new instances (doubling the count), contradicting the requirement to minimize new instances.

145
MCQhard

A company uses AWS CodeCommit for source control. A developer needs to automate the build and test process for every commit to the 'develop' branch. The developer creates a CodeBuild project and wants to trigger it automatically. What is the most efficient way to set up this automation?

A.Create a CloudWatch Events rule that triggers CodeBuild on code commit events
B.Configure a webhook in CodeCommit to call CodeBuild directly
C.Create a CodePipeline with a source stage from CodeCommit and a build stage from CodeBuild
D.Use an SQS queue to receive SNS notifications from CodeCommit and trigger CodeBuild
AnswerC

CodePipeline natively integrates and triggers on changes.

Why this answer

CodePipeline can be configured to start on changes to a CodeCommit repository and then invoke CodeBuild. Option C is correct because it uses a pipeline with a source trigger. Option A (CloudWatch Events) is less efficient as it requires a separate rule.

Option B (webhooks) is used for third-party repositories. Option D (SQS) is unnecessary overhead.

146
MCQmedium

A developer is using AWS SAM to define a serverless application. The application includes an AWS Lambda function and an Amazon API Gateway REST API. The developer wants to configure the API Gateway stage to enable logging and set the stage name based on the SAM parameter Stage. In the SAM template, which property of the AWS::Serverless::Api resource should the developer use to set the stage name?

A.StageName
B.DefinitionBody
C.StageDescription
D.EndpointConfiguration
AnswerA

This property sets the name of the API Gateway stage. It can reference a SAM parameter, e.g., !Ref Stage.

Why this answer

The `StageName` property of the `AWS::Serverless::Api` resource directly sets the stage name for the API Gateway REST API. By using a SAM parameter like `Stage` (e.g., `StageName: !Ref Stage`), the developer can dynamically control the stage name at deployment time. This is the intended and simplest way to configure the stage name in an AWS SAM template.

Exam trap

The trap here is that candidates confuse `StageName` with `StageDescription` (Option C) because both relate to stage configuration, but `StageDescription` only provides metadata and does not control the actual stage identifier used in the API endpoint URL.

How to eliminate wrong answers

Option B (`DefinitionBody`) is wrong because it defines the OpenAPI specification for the API, not the stage name; it can include a `stageName` field within the OpenAPI definition, but that is not the SAM-level property for setting the stage name. Option C (`StageDescription`) is wrong because it provides a description of the stage (e.g., for documentation or tagging), not the stage name itself. Option D (`EndpointConfiguration`) is wrong because it specifies the endpoint type (e.g., REGIONAL, EDGE, PRIVATE) for the API, not the stage name.

147
MCQhard

A team uses AWS CloudFormation to manage infrastructure. They want to deploy a stack that includes an Amazon RDS DB instance. During deployment, the stack creation fails because the DB instance creation times out. The team wants to ensure that subsequent stack creation attempts do not recreate the DB instance from scratch but instead continue from the failed state. Which CloudFormation feature should they use?

A.Use a CloudFormation WaitCondition to pause stack creation until the DB instance is available.
B.Create the DB instance using a separate CloudFormation stack and reference it using Fn::ImportValue.
C.Apply a stack policy that prevents the DB instance from being deleted during stack updates.
D.Use a CloudFormation custom resource to check for an existing DB instance and create it only if it does not exist.
AnswerD

Custom resource can implement logic to reuse an existing DB instance or create a new one, avoiding recreation on retry.

Why this answer

Option D is correct. Options such as '--on-failure DO_NOTHING' or '--disable-rollback' leave the failed resources in place, but CloudFormation does not support resuming a failed stack creation; otherwise it rolls back and deletes the resources. To avoid recreating the DB instance, a custom resource can check whether the DB instance already exists and skip creation if it does.

Conditions allow resources to be created conditionally based on existing resources, but that requires knowing the DB instance ID; a custom resource can query the existing DB instance and return a value to use in conditions. A separate stack for the DB instance is the other approach, but among the options only the custom resource (Option D) can handle this logic.

Option A (WaitCondition) is for signaling completion, not for conditional creation. Option C (stack policy) protects resources but does not help with continuation. Change sets are for updates, not creation rollback.

148
MCQhard

An ECS blue/green deployment with CodeDeploy and an Application Load Balancer fails because the replacement task set never receives test traffic. Which configuration should be checked?

A.S3 bucket versioning
B.Lambda provisioned concurrency
C.The test listener and target group mapping in the deployment group
D.DynamoDB TTL
AnswerC

Correct for the stated requirement.

Why this answer

In an ECS blue/green deployment with CodeDeploy and an Application Load Balancer, the test listener and its associated target group are responsible for routing test traffic to the replacement task set. If the replacement task set never receives test traffic, the most likely cause is that the test listener is not correctly mapped to the target group in the CodeDeploy deployment group configuration. This mapping ensures that traffic from the test listener is directed to the replacement task set during the deployment lifecycle.

Exam trap

The trap here is that candidates may confuse the test listener with the production listener or assume the issue is with the ALB itself, rather than recognizing that the test listener-to-target-group mapping in the CodeDeploy deployment group is the specific configuration that controls test traffic routing.

How to eliminate wrong answers

Option A is wrong because S3 bucket versioning is unrelated to ECS deployment traffic routing; it is used for object version control and rollback in S3, not for CodeDeploy traffic routing. Option B is wrong because Lambda provisioned concurrency is a feature for managing concurrent execution capacity of Lambda functions, not for ECS task set traffic routing in blue/green deployments. Option D is wrong because DynamoDB TTL (Time to Live) is a feature for automatically expiring items in DynamoDB tables, and it has no role in CodeDeploy or ALB traffic routing.

149
Multi-Selectmedium

A company uses AWS Elastic Beanstalk to deploy a web application. The application uses an Amazon RDS database. The developer wants to ensure that the database connection string is not hard-coded in the application code. Which THREE methods can the developer use to pass the connection string securely? (Choose THREE.)

Select 3 answers
A.Read the connection string from Amazon RDS tags.
B.Use AWS Secrets Manager.
C.Use Elastic Beanstalk environment properties.
D.Store the connection string in a configuration file in the application bundle.
E.Use AWS Systems Manager Parameter Store.
AnswersB, C, E

Secrets Manager is designed for managing secrets.

Why this answer

Options B, C, and E are correct. C: Environment properties in Elastic Beanstalk are injected into the application. E: AWS Systems Manager Parameter Store provides secure, encrypted storage.

B: AWS Secrets Manager is designed for secrets like database credentials. Option A is wrong because the application code should not read from RDS tags; tags are not intended for sensitive data. Option D is wrong because putting the connection string in a file in the deployment package is not secure.

150
MCQeasy

A developer is using AWS OpsWorks for Chef Automate to manage a stack. The developer needs to deploy a new application version to existing instances. Which OpsWorks feature should the developer use?

A.Recipes
B.Custom JSON
C.Stacks
D.Layers
AnswerA

Recipes run on instances to perform tasks like deploying applications.

Why this answer

Recipes are Chef cookbook components that define the sequence of commands to execute on an instance. To deploy a new application version, the developer can run a custom recipe (e.g., via an OpsWorks lifecycle event or a manual 'Execute Recipes' action) that pulls the updated code, restarts services, or performs any necessary deployment steps. This directly maps to the requirement of deploying a new version to existing instances.

Exam trap

The trap here is confusing the static configuration elements (Stacks, Layers, Custom JSON) with the dynamic execution mechanism (Recipes) needed to actually perform a deployment action on running instances.

How to eliminate wrong answers

Option B is wrong because Custom JSON is used to pass custom configuration data (like database credentials or app settings) to OpsWorks stacks, not to execute deployment actions. Option C is wrong because a Stack is the top-level container for resources (instances, layers, apps) and does not itself perform deployment actions; it defines the environment. Option D is wrong because a Layer defines the configuration, packages, and lifecycle recipes for a group of instances, but deploying a new application version requires running a specific recipe, not just defining a layer.
