AWS Certified DevOps Engineer Professional DOP-C02 (DOP-C02) — Questions 175

1740 questions total · 24 pages · All types, answers revealed

Page 1 of 24

1
MCQ · medium

A financial services company uses AWS CloudFormation to deploy a three-tier web application. The stack includes an Amazon RDS for PostgreSQL database. The database master password is stored in AWS Secrets Manager, and the CloudFormation template uses a dynamic reference to retrieve it during stack creation. The team recently rotated the database password in Secrets Manager. When they attempt to update the stack to change other parameters, the update fails with the error: 'Value of property MasterUserPassword must be a string.' The team is using the following template snippet for the password: 'MasterUserPassword': '{{resolve:secretsmanager:MySecret:SecretString:password}}'. The stack was originally created with AWS CloudFormation. What is the most likely cause of the failure?

A. The secret was rotated before the stack was created, causing a mismatch.
B. The template syntax is incorrect; it should use '{{resolve:secretsmanager:MySecret:SecretString:password}}' with different quotes.
C. Dynamic references in CloudFormation are only resolved at stack creation, not during updates. The team must use a different method to reference the rotated password.
D. The secret is in a different region than the stack.
Answer: C

CloudFormation does not re-resolve dynamic secrets on stack updates.

Why this answer

Option C is correct because dynamic references are only resolved during stack creation and not during updates. To update the password, the team must use a different approach. Option A is incorrect because Secrets Manager rotation does not invalidate the secret immediately.

Option B is incorrect because the template syntax is correct. Option D is incorrect because Secrets Manager is not region-bound in this context.

2
MCQ · easy

A team uses AWS CloudFormation to manage infrastructure. They want to deploy a stack that creates an S3 bucket and a DynamoDB table. The S3 bucket name must be unique across all AWS accounts. Which CloudFormation intrinsic function should be used to generate a unique bucket name?

A. !Ref 'AWS::StackName'
B. !GetAtt S3Bucket.Arn
C. !Sub 'mybucket-${AWS::AccountId}'
D. !Select [0, !Split ['-', !Ref 'AWS::Region']]
Answer: C

AccountId is globally unique, ensuring bucket name uniqueness.

Why this answer

Option C is correct because the `!Sub 'mybucket-${AWS::AccountId}'` intrinsic function substitutes the AWS::AccountId pseudo parameter, which is guaranteed to be unique per AWS account. Since S3 bucket names must be globally unique across all AWS accounts, appending the account ID ensures the generated name does not conflict with buckets in other accounts. This approach is a common pattern for creating unique resource names in CloudFormation.

Exam trap

The trap here is that candidates may think `!Ref 'AWS::StackName'` or `!Ref 'AWS::Region'` provide sufficient uniqueness, but they overlook the requirement for global uniqueness across all AWS accounts, which only `AWS::AccountId` guarantees.

How to eliminate wrong answers

Option A is wrong because `!Ref 'AWS::StackName'` returns the name of the CloudFormation stack, which is not guaranteed to be unique across AWS accounts—multiple accounts can have stacks with the same name. Option B is wrong because `!GetAtt S3Bucket.Arn` returns the Amazon Resource Name of the S3 bucket, which is only available after the bucket is created, and cannot be used to generate a name before creation. Option D is wrong because `!Select [0, !Split ['-', !Ref 'AWS::Region']]` extracts the first part of the region name (e.g., 'us' from 'us-east-1'), which is not unique across accounts or even across regions within the same account.
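The following Python script is an added illustration of the point above, not code from the question bank or from AWS. It resolves the three naming strategies from the question locally (the pseudo-parameter values, including the account ID and stack name, are made up) and checks each result against the S3 bucket naming rules, which is the second thing a reviewer checks after global uniqueness: a stack name with uppercase letters produces an invalid bucket name, and only the account ID is unique across accounts.

```python
import re

# Constructed pseudo-parameter values standing in for what CloudFormation
# supplies at deploy time; the account ID and stack name here are made up.
PSEUDO_PARAMS = {
    "AWS::AccountId": "123456789012",
    "AWS::Region": "us-east-1",
    "AWS::StackName": "WebApp-Prod",
}

# S3 bucket naming rules: 3-63 characters; only lowercase letters, digits, dots
# and hyphens; must begin and end with a letter or digit; no adjacent dots;
# must not be formatted as an IPv4 address.
_BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")
_IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def resolve_sub(sub_string, params=None):
    """Expand ${Name} placeholders the way !Sub does for pseudo parameters."""
    params = PSEUDO_PARAMS if params is None else params

    def replace(match):
        name = match.group(1)
        if name not in params:
            raise KeyError("unresolved reference in !Sub: " + name)
        return params[name]

    return re.sub(r"\$\{([A-Za-z0-9:]+)\}", replace, sub_string)


def is_valid_bucket_name(name):
    """True if name satisfies the S3 bucket naming rules listed above."""
    if ".." in name or not _BUCKET_RE.match(name):
        return False
    return _IPV4_RE.match(name) is None


def compare_strategies(params=None):
    """Resolve the naming strategies from the question and report, for each,
    whether the result is a valid bucket name and whether the embedded value
    is unique across AWS accounts (only the account ID is)."""
    strategies = {
        "!Sub 'mybucket-${AWS::AccountId}'": ("mybucket-${AWS::AccountId}", True),
        "!Ref 'AWS::StackName'": ("${AWS::StackName}", False),
        "!Ref 'AWS::Region'": ("${AWS::Region}", False),
    }
    report = {}
    for label, (sub_string, globally_unique) in strategies.items():
        name = resolve_sub(sub_string, params)
        report[label] = {
            "name": name,
            "valid": is_valid_bucket_name(name),
            "globally_unique": globally_unique,
        }
    return report


def safe_choices(params=None):
    """Labels of the strategies that yield a valid AND globally unique name."""
    return [label for label, result in compare_strategies(params).items()
            if result["valid"] and result["globally_unique"]]


if __name__ == "__main__":
    for label, result in compare_strategies().items():
        print(f"{label:40} -> {result}")
    print("safe:", safe_choices())
```

Run it and only the AccountId strategy passes both checks; the region string is a valid name but shared by every account, and the made-up stack name fails validation outright because of its uppercase letters.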

3
MCQ · medium

A DevOps engineer is designing a CI/CD pipeline for an application that runs on Amazon ECS. The pipeline should automatically build a Docker image from source code, push it to Amazon ECR, and deploy it to the ECS service. The engineer wants to use AWS CodePipeline with Amazon ECR as a source. Which action provider should be used for the deploy stage?

A. AWS CloudFormation
B. AWS CodeDeploy
C. Amazon ECS
D. AWS Elastic Beanstalk
Answer: C

ECS action provider directly deploys to an ECS service.

Why this answer

Amazon ECS is the correct action provider for the deploy stage when using AWS CodePipeline because it directly integrates with ECS to update an existing ECS service with a new task definition. When Amazon ECR is configured as a source, CodePipeline detects image pushes, and the ECS deploy action automatically triggers a rolling update of the ECS service using the new image, without requiring additional deployment tools.

Exam trap

The trap here is that candidates often confuse the Amazon ECS deploy action with AWS CodeDeploy, but CodeDeploy is only required for ECS blue/green deployments, while the Amazon ECS action directly handles rolling updates and is the simplest choice for standard ECS service deployments.

How to eliminate wrong answers

Option A is wrong because AWS CloudFormation is an infrastructure-as-code service used to provision and manage AWS resources, not a direct deploy action for updating an ECS service with a new Docker image; using it would require custom scripts and adds unnecessary complexity. Option B is wrong because AWS CodeDeploy can deploy to ECS only when using the ECS blue/green deployment type, which requires an additional CodeDeploy application and deployment group setup, but the question asks for the simplest direct deploy action provider for ECS, which is Amazon ECS itself. Option D is wrong because AWS Elastic Beanstalk is a PaaS service for deploying web applications, not designed for ECS service deployments; it abstracts underlying infrastructure and does not provide a native action to update an ECS service with a new image from ECR.

4
MCQ · medium

Refer to the exhibit. A DevOps engineer runs the AWS CLI command shown to retrieve the RequestCount metric for an ELB. The output shows datapoints with Sum values. What is the total number of requests received by the load balancer during the entire hour?

A. 18600 requests
B. 1500 + 2000 = 3500 requests
C. 36000 requests
D. Cannot be determined from the data
Answer: A

Summing all 12 datapoints (each representing 5-minute sums) gives the total requests for the hour.

Why this answer

Option A is correct because the datapoints are at 5-minute intervals (period 300 seconds), and each datapoint's Sum represents the total requests in that 5-minute window. To get the total for the hour, sum all datapoints: 1500+2000+...+1800 = 18600 (assuming the sum of the listed datapoints is 18600). Summing the 12 datapoints yields 18600.

Options B, C, and D are incorrect because they do not correctly sum the datapoints.

5
MCQ · hard

A DevOps engineer is troubleshooting a CloudFormation stack creation failure. The stack includes an AWS::EC2::Instance with a UserData script. The stack creation fails with the error: 'The following resource(s) failed to create: [EC2Instance]. The requested configuration is currently not supported. Please check the documentation for supported configurations.' The engineer suspects the instance type is not supported in the selected Availability Zone. Which action should the engineer take to resolve this issue and ensure successful stack creation?

A. Add an Availability Zone parameter and map it to an AZ that supports the instance type, or use the AWS::EC2::Instance AvailabilityZone property to specify an AZ that supports the instance type.
B. Use AWS OpsWorks to deploy the instance instead of CloudFormation.
C. Change the instance type to a previous generation that is supported in all AZs.
D. Modify the template to specify a different region that supports the instance type.
Answer: A

Explicitly specifying a supported AZ resolves the incompatibility.

Why this answer

Option A is correct. Adding an AllowedPattern to the instance type parameter would not address the problem; the solution is to use the AWS::EC2::Instance property AvailabilityZone to explicitly set an AZ that supports the instance type, or to use a parameter to select an AZ. Option B is wrong because OpsWorks is not needed. Option D is wrong because it only changes the region, not the Availability Zone within the region.

Option C is wrong because changing the instance type to a previous generation might not be desired and does not address the AZ constraint.

6
MCQ · hard

A company runs a critical application on AWS Lambda that processes messages from an Amazon SQS queue. The application must be resilient to downstream service failures. The team notices that when the downstream service is unhealthy, messages are repeatedly retried and eventually sent to the dead-letter queue (DLQ) before the service recovers. What design change would improve resilience by allowing automatic retries after the downstream service recovers?

A. Configure the SQS queue with a large visibility timeout (e.g., 6 hours) and use a redrive policy only after a high number of receives. Keep the messages in the queue and retry when the downstream service becomes healthy.
B. Reduce the maxReceiveCount to 1 so that messages are sent to DLQ immediately, then reprocess them from DLQ later.
C. Increase the message retention period to 14 days and use a DLQ with high retention.
D. Use Amazon SNS to fan out messages to multiple SQS queues, each with different retry policies.
Answer: A

Long visibility timeout and high maxReceiveCount allow messages to be retried over an extended period.

Why this answer

Option A is correct because increasing the visibility timeout to a long duration (e.g., 6 hours) prevents messages from being repeatedly retried and sent to the DLQ while the downstream service is unhealthy. Instead, messages remain in the SQS queue and become visible again only after the visibility timeout expires, allowing automatic retries once the downstream service recovers. This approach avoids premature DLQ delivery and leverages SQS's built-in redrive policy based on maxReceiveCount.

Exam trap

The trap here is that candidates often think increasing the DLQ retention or reducing retries (maxReceiveCount) is the solution, but the real key is controlling the retry timing via the visibility timeout to allow the downstream service to recover before messages are exhausted.

How to eliminate wrong answers

Option B is wrong because reducing maxReceiveCount to 1 sends messages to the DLQ immediately after the first failure, which defeats resilience by not allowing any retries and requiring manual reprocessing from the DLQ. Option C is wrong because increasing the message retention period and using a DLQ with high retention does not prevent messages from being sent to the DLQ prematurely; it only keeps them in the DLQ longer, but the downstream service may recover before the messages are consumed from the DLQ. Option D is wrong because using SNS to fan out to multiple SQS queues with different retry policies adds complexity and does not address the core issue of preventing premature DLQ delivery; it still relies on the same visibility timeout and retry mechanism.
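To make the timing argument in this question concrete, here is an added Python model (it is not from the question bank or from AWS) of how the visibility timeout and maxReceiveCount together decide when a failing message lands in the DLQ. It assumes a consumer that fails immediately on every attempt and ignores Lambda's own batch and partial-failure handling, so it is a simplification of SQS behaviour, not a replacement for it. The DLQ ARN is made up.

```python
import json


def retry_schedule(visibility_timeout_s, max_receive_count):
    """Model of SQS redrive timing for one message whose consumer keeps failing.

    Receive #1 happens at t=0. Each failed attempt leaves the message invisible
    for the visibility timeout, after which it is received again. SQS moves the
    message to the DLQ once its receive count exceeds maxReceiveCount, i.e. on
    the (maxReceiveCount + 1)th receive. Returns (retry_times, dlq_time), in
    seconds after the first attempt.
    """
    if max_receive_count < 1 or visibility_timeout_s <= 0:
        raise ValueError("maxReceiveCount must be >= 1 and visibility timeout > 0")
    retries = [visibility_timeout_s * n for n in range(1, max_receive_count)]
    dlq_at = visibility_timeout_s * max_receive_count
    return retries, dlq_at


def survives_outage(visibility_timeout_s, max_receive_count, outage_s):
    """True if at least one processing attempt happens after the downstream
    service has recovered (outage_s seconds after the first attempt)."""
    attempts = [0] + retry_schedule(visibility_timeout_s, max_receive_count)[0]
    return any(t >= outage_s for t in attempts)


def redrive_policy(dlq_arn, max_receive_count):
    """Value of the RedrivePolicy queue attribute, which SQS takes as a JSON string."""
    return json.dumps({"deadLetterTargetArn": dlq_arn,
                       "maxReceiveCount": str(max_receive_count)})


def compare(outage_s, dlq_arn="arn:aws:sqs:us-east-1:123456789012:orders-dlq"):
    """Contrast a short visibility timeout with a 6-hour one (option A) against
    a downstream outage of outage_s seconds. The DLQ ARN is a made-up placeholder."""
    results = {}
    for label, timeout_s, max_receives in (("short", 30, 5), ("six-hour", 6 * 3600, 10)):
        retries, dlq_at = retry_schedule(timeout_s, max_receives)
        results[label] = {
            "last_retry_s": retries[-1] if retries else 0,
            "dlq_at_s": dlq_at,
            "survives": survives_outage(timeout_s, max_receives, outage_s),
            "redrive_policy": redrive_policy(dlq_arn, max_receives),
        }
    return results


if __name__ == "__main__":
    # A 20-minute downstream outage exhausts a 30-second/5-receive queue in
    # 150 seconds; with a 6-hour timeout the next attempt lands after recovery.
    for label, result in compare(20 * 60).items():
        print(label, result)
```

With a 30-second timeout and five receives the message is in the DLQ after 150 seconds, long before a 20-minute outage ends; with the 6-hour timeout the second attempt does not even happen until the downstream service has had hours to recover, which is exactly the behaviour option A relies on.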

7
Multi-Select · medium

A company runs a microservices application on Amazon ECS with Fargate. The services need to be resilient to AZ failures. Which TWO actions should the company take? (Choose two.)

Select 2 answers
A. Configure the ECS service to spread tasks across multiple Availability Zones
B. Enable Service Auto Scaling to maintain desired count across AZs
C. Use a Network Load Balancer in each AZ for the service
D. Use a placement group to ensure tasks are launched on the same underlying hardware
E. Place all tasks in a single Availability Zone to minimize cross-AZ latency
Answers: A, B

Spreading across AZs provides fault tolerance.

Why this answer

Spreading tasks across multiple AZs and using service auto scaling ensure resilience. Option E is wrong because a single AZ is not resilient. Option D is wrong because Fargate tasks are not attached to EC2 instances, so placement groups do not apply.

Option C is wrong because a standalone load balancer in one AZ is a single point of failure.

8
MCQ · easy

A company wants to visualize the performance of their application running on EC2. They need to create a dashboard that shows CPU utilization, memory usage, and disk I/O. Which AWS service should they use?

A. Amazon CloudWatch Dashboards.
B. AWS CloudTrail.
C. AWS Systems Manager.
D. Amazon QuickSight.
Answer: A

CloudWatch Dashboards can display custom metrics from the CloudWatch agent.

Why this answer

Option A is correct because CloudWatch Dashboards can display metrics from EC2 and the CloudWatch agent, including memory and disk metrics. Option D is wrong because QuickSight is for business intelligence, not infrastructure monitoring. Option C is wrong because Systems Manager is for management, not visualization.

Option B is wrong because CloudTrail is for auditing API calls.

9
MCQ · medium

A company uses AWS CodeBuild to compile a Java application. The buildspec.yml includes a 'pre_build' phase that runs SonarQube for static code analysis. The analysis requires access to a private SonarQube server hosted on an EC2 instance in the same VPC. The CodeBuild project is configured with a VPC ID, subnet IDs, and security group IDs. However, the build fails with a timeout when trying to connect to the SonarQube server. The security group for the SonarQube server allows inbound traffic on port 9000 from the CodeBuild security group. What is the MOST likely reason for the failure?

A. The CodeBuild project is not configured with the correct VPC subnets.
B. The security group for the SonarQube server does not allow inbound traffic on port 9000 from the CodeBuild security group.
C. The SonarQube server is using a self-signed certificate that CodeBuild does not trust.
D. The CodeBuild project does not have internet access, so it cannot reach the SonarQube server.
Answer: B

Without inbound rule from CodeBuild's security group, the connection is blocked.

Why this answer

Option B is correct because the scenario explicitly states that the security group for the SonarQube server allows inbound traffic on port 9000 from the CodeBuild security group, yet the build fails with a timeout. A timeout typically indicates a network connectivity issue, not a certificate or permission problem. The most likely cause is that the security group rule is misconfigured (e.g., using the wrong security group ID, or the rule is not actually applied), preventing the TCP handshake on port 9000 from completing.

Exam trap

The trap here is that candidates assume the security group rule is correctly configured because it is described in the question, but the timeout indicates the rule is either missing, misconfigured, or not applied, making option B the most likely cause despite the description.

How to eliminate wrong answers

Option A is wrong because the CodeBuild project is already configured with VPC ID, subnet IDs, and security group IDs, so the subnets are correctly specified; a subnet misconfiguration would cause a different error (e.g., 'subnet not found') rather than a timeout. Option C is wrong because a self-signed certificate would cause an SSL/TLS handshake failure (e.g., 'unable to find valid certification path') or a certificate validation error, not a generic timeout; CodeBuild can be configured to ignore SSL errors if needed. Option D is wrong because the SonarQube server is in the same VPC, so internet access is not required; the build fails due to lack of connectivity within the VPC, not because of internet egress.

10
MCQ · hard

An e-commerce application runs on Amazon ECS with Fargate. The operations team notices that the application's latency increases during peak hours. The engineer needs to correlate high CPU usage with increased request latency to identify the root cause. Which approach should be used?

A. Use CloudWatch Logs Insights to query container logs
B. Enable Container Insights and ServiceLens to correlate metrics and traces
C. Configure CloudWatch Synthetics canaries to measure latency
D. Set up a Prometheus server on an EC2 instance to scrape container metrics
Answer: B

Container Insights provides CPU metrics; ServiceLens integrates X-Ray traces.

Why this answer

Option B is correct because CloudWatch Container Insights collects CPU metrics and ServiceLens integrates with X-Ray to trace requests, providing end-to-end visibility. Option A is wrong because CloudWatch Logs Insights alone does not correlate metrics and traces. Option D is wrong because Prometheus is a third-party tool.

Option C is wrong because CloudWatch Synthetics only monitors endpoints, not internal metrics.

11
MCQ · medium

A company is deploying a critical microservice on Amazon ECS with Fargate. They need to ensure that the service can tolerate an Availability Zone failure. What is the BEST approach?

A. Use a cluster placement constraint to spread tasks across instances
B. Use EC2 launch type and spread tasks across instance types
C. Define the service to spread tasks across multiple Availability Zones
D. Configure service auto scaling to add tasks when CPU is high
Answer: C

ECS Fargate services can spread across AZs.

Why this answer

Spreading tasks across multiple AZs ensures that if one AZ fails, tasks in other AZs continue. Option B is wrong because Fargate doesn't support instance diversity. Option D is wrong because service auto scaling adds tasks but not across AZs.

Option A is wrong because cluster placement constraints are not used with Fargate.

12
MCQ · easy

A company uses AWS Systems Manager to manage configuration compliance. They want to ensure that all EC2 instances have a specific security patch installed. Which Systems Manager capability should they use?

A. Automation
B. Parameter Store
C. State Manager
D. Patch Manager
Answer: D

Patch Manager automates the patching process.

Why this answer

Option D is correct because Patch Manager is designed to patch instances. Option C is wrong because State Manager is for state management, not patching. Option A is wrong because Automation is for workflows.

Option B is wrong because Parameter Store is for configuration data.

13
MCQ · easy

A DevOps engineer needs to manage configuration files for multiple applications across several EC2 instances. The configuration values are sensitive (e.g., database passwords) and must be encrypted at rest and in transit. Which AWS service should be used to store and retrieve these configuration values?

A. AWS Systems Manager Parameter Store (SecureString)
B. AWS CloudFormation template parameters
C. Amazon DynamoDB with encryption
D. Amazon S3 with server-side encryption
Answer: A

Parameter Store provides secure, hierarchical storage for configuration data with encryption.

Why this answer

AWS Systems Manager Parameter Store supports SecureString parameters that are encrypted with KMS. It also integrates with EC2 instances via the SSM Agent for secure retrieval. Option A is correct.

Options B, C, and D either lack encryption or are not designed for configuration management.

14
MCQ · hard

A company runs a critical e-commerce application on AWS. They use AWS CodePipeline to manage deployments. The pipeline has a source stage (CodeCommit), a build stage (CodeBuild), and a deploy stage (CodeDeploy to an Auto Scaling group). Recently, a deployment caused a 5-minute outage because the new application version had a bug that caused the health checks to fail. The Auto Scaling group marked instances as unhealthy and replaced them, but during the replacement, traffic was routed to the remaining instances, which also failed health checks, causing a full outage. The company wants to implement a deployment strategy that prevents any traffic from being routed to unhealthy instances and automatically rolls back if the deployment fails. They also want to minimize deployment time and cost. Which solution should the DevOps team implement?

A. Add a manual approval step in CodePipeline before deploy
B. Use CodeDeploy in-place deployment with automatic rollback enabled
C. Use CodeDeploy blue/green deployment with automatic rollback enabled
D. Increase the health check grace period in the Auto Scaling group
Answer: C

Blue/green creates a new environment, tests it, and shifts traffic only if healthy; rollback is automatic

Why this answer

The best approach is to use a blue/green deployment with CodeDeploy, which creates a new Auto Scaling group (green) alongside the existing one (blue). Traffic is shifted to the green group only after health checks pass. If health checks fail, the deployment is automatically rolled back by terminating the green group.

This avoids any outage. Option C is correct. Option B (in-place with rollback) would still cause downtime during instance replacement.

Option D (increase health check grace period) would delay detection but not prevent the outage. Option A (manual approval) slows down deployment and doesn't automate rollback.

15
MCQ · medium

A company uses Amazon S3 to store critical data. An incident occurs where an S3 bucket is accidentally deleted. The DevOps engineer needs to recover the bucket and its objects. What should the engineer do?

A. Restore the bucket from AWS CloudTrail event history
B. Contact AWS Support to restore the bucket from a backup if versioning was enabled
C. Recreate the bucket with the same name and restore objects from a previous backup
D. Use the AWS S3 console to undo the deletion
Answer: B

AWS can restore buckets if versioning and MFA delete were configured.

Why this answer

Option B is correct because S3 bucket names are unique and cannot be recreated immediately; however, objects can be recovered if versioning and MFA delete were enabled. Option A is incorrect because buckets cannot be restored from CloudTrail. Option C is incorrect because only the bucket owner can delete a bucket, but deletion cannot be undone.

Option D is incorrect because buckets are not recovered automatically.

16
MCQ · medium

A DevOps engineer notices that an EC2 instance running a critical web application has been terminated unexpectedly. The instance was part of an Auto Scaling group. Which step should the engineer take FIRST to investigate the root cause?

A. Review AWS CloudTrail logs for TerminateInstances API calls.
B. Look at the EC2 console's 'Termination Protection' setting.
C. Check the application logs on the instance's attached EBS volume (detached and attached to another instance).
D. Verify the Auto Scaling group's scaling policies and scheduled actions.
Answer: A

CloudTrail logs all API calls and can identify the source of termination.

Why this answer

Option A is correct because the first step in incident response is to gather information. CloudTrail logs all API calls, including TerminateInstances, and can identify who or what terminated the instance. Option C is wrong because examining the application logs does not reveal the termination cause.

Option D is wrong because scaling policies would not cause termination without CloudWatch. Option B is wrong because the termination reason is not available in the console without checking logs.

17
MCQ · hard

A company uses AWS Elastic Beanstalk to deploy a web application. The application requires environment-specific configuration values (database URL, API keys) that must be stored securely and rotated automatically. The team uses AWS Secrets Manager. Which configuration management strategy should the team implement to securely inject secrets into the Elastic Beanstalk environment?

A. Store the secrets in the Elastic Beanstalk environment configuration as plain text under 'aws:elasticbeanstalk:application:environment'.
B. Configure Secrets Manager to automatically push secrets to Elastic Beanstalk environment properties.
C. Use an Elastic Beanstalk platform hook script that retrieves secrets from Secrets Manager and sets them as environment variables.
D. Use AWS CloudFormation dynamic references to inject secrets into the Elastic Beanstalk environment.
Answer: C

Platform hooks can run scripts during deployment to fetch secrets and set environment variables.

Why this answer

Option C is correct because Elastic Beanstalk platform hooks allow custom scripts to run during deployment, enabling retrieval of secrets from AWS Secrets Manager and setting them as environment variables before the application starts. This approach keeps secrets out of the environment configuration and supports automatic rotation by having the script fetch the latest secret value on each deployment.

Exam trap

The trap here is that candidates often assume CloudFormation dynamic references (Option D) are the best fit for automatic rotation, but they only inject secrets at deployment time and do not handle in-place rotation without a stack update, whereas platform hooks can be used to fetch the latest secret on every instance start or deployment.

How to eliminate wrong answers

Option A is wrong because storing secrets as plain text in the Elastic Beanstalk environment configuration under 'aws:elasticbeanstalk:application:environment' exposes them in the environment properties, which can be viewed by anyone with access to the environment configuration and does not support automatic rotation. Option B is wrong because Secrets Manager does not have a native capability to automatically push secrets to Elastic Beanstalk environment properties; it requires an external mechanism (e.g., Lambda, custom script) to retrieve and set them. Option D is wrong because AWS CloudFormation dynamic references can inject secrets at stack creation or update time, but they do not handle automatic rotation of secrets within a running Elastic Beanstalk environment without additional custom logic.

18
MCQ · hard

An organization uses AWS OpsWorks for configuration management. They have a stack with multiple layers, including a PHP application layer and a MySQL database layer. The operations team needs to deploy a custom configuration file to all PHP application instances. How should this be accomplished using OpsWorks?

A. Use the OpsWorks agent to directly copy the file to each instance via SSH.
B. Add the configuration file as a stack-level custom cookbook and assign it to all layers.
C. Create a custom cookbook with a recipe that deploys the configuration file, and assign it to the Deploy lifecycle event of the PHP layer.
D. Use a custom JSON attribute in the stack settings to define the file content, and then use a built-in recipe to apply it.
Answer: C

This targets only the PHP instances at deploy time.

Why this answer

Option C is correct because OpsWorks uses Chef cookbooks to manage configuration. By creating a custom cookbook with a recipe that deploys the configuration file and assigning it to the Deploy lifecycle event of the PHP layer, the recipe runs on all PHP application instances during deployment, ensuring the file is placed correctly. This approach leverages OpsWorks' built-in lifecycle events and Chef's idempotent execution model.

Exam trap

The trap here is that candidates confuse stack-level custom cookbooks (which apply to all layers) with layer-specific lifecycle event assignments, leading them to choose Option B, which would incorrectly deploy the configuration file to the MySQL layer as well.

How to eliminate wrong answers

Option A is wrong because the OpsWorks agent does not support direct SSH file copying; OpsWorks uses Chef recipes to manage instances, and manual SSH operations bypass automation and are not scalable. Option B is wrong because stack-level custom cookbooks are assigned to layers, not to all layers automatically; assigning a cookbook to all layers would run its recipes on every instance, including the MySQL layer, which is not desired. Option D is wrong because custom JSON attributes can pass data to recipes but cannot directly deploy files; a custom recipe is required to interpret the JSON and write the file.

19
MCQ · hard

Refer to the exhibit. A security team reviews this CloudTrail log entry. Which finding is most concerning?

A. The event occurred in us-east-1.
B. The instance was terminated by an assumed role.
C. The source IP is from a public IP.
D. The user did not authenticate with MFA.
Answer: D

Correct; lack of MFA reduces security.

Why this answer

The session was created without MFA (mfaAuthenticated: false). This is a security concern because the role allows console access and the user did not use MFA, increasing risk of unauthorized access. The termination is the action, but the lack of MFA is a security gap.
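The exhibit is not reproduced on this page, so the following added Python example (not from the question bank) builds a constructed CloudTrail record with the same shape the explanation describes, an AssumedRole session whose `sessionContext.attributes.mfaAuthenticated` is `"false"` performing `TerminateInstances`, and ranks the four observations from the options the way a reviewer would: the missing MFA on a destructive call is the finding, while the region, the assumed role and the source IP are context. The account ID, role name, principal ID, instance ID and IP address are all made up.

```python
import json

# Constructed CloudTrail record standing in for the exhibit. Every identifier
# and the IP address are made up.
SAMPLE_EVENT = json.dumps({
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AROAEXAMPLEPRINCIPAL:alice",
        "arn": "arn:aws:sts::123456789012:assumed-role/OpsAdminRole/alice",
        "accountId": "123456789012",
        "sessionContext": {
            "sessionIssuer": {"type": "Role", "userName": "OpsAdminRole",
                              "arn": "arn:aws:iam::123456789012:role/OpsAdminRole"},
            "attributes": {"creationDate": "2024-01-01T11:58:00Z",
                           "mfaAuthenticated": "false"},
        },
    },
    "eventTime": "2024-01-01T12:00:00Z",
    "eventSource": "ec2.amazonaws.com",
    "eventName": "TerminateInstances",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "203.0.113.10",
    "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0123456789abcdef0"}]}},
})

# Destructive API calls that should not happen from a session without MFA.
DESTRUCTIVE_EVENTS = {"TerminateInstances", "DeleteBucket", "DeleteDBInstance",
                      "DeleteStack", "ScheduleKeyDeletion"}


def review_event(record_json):
    """Rank what a reviewer should care about in one CloudTrail record.
    Returns a list of (severity, message) with the most serious item first."""
    event = json.loads(record_json)
    identity = event.get("userIdentity", {})
    session = identity.get("sessionContext", {})
    mfa = session.get("attributes", {}).get("mfaAuthenticated")  # a string in CloudTrail
    event_name = event.get("eventName", "")
    findings = []

    if event_name in DESTRUCTIVE_EVENTS and mfa == "false":
        findings.append(("HIGH", f"{event_name} performed by a session without MFA"))
    elif mfa == "false":
        findings.append(("MEDIUM", "session was established without MFA"))

    # Context worth recording, but not by itself a security gap.
    if identity.get("type") == "AssumedRole":
        issuer = session.get("sessionIssuer", {}).get("arn", "?")
        findings.append(("INFO", f"action taken through assumed role {issuer}"))
    source = event.get("sourceIPAddress", "")
    if source and not source.endswith(".amazonaws.com"):
        findings.append(("INFO", f"call originated from IP address {source}, not an AWS service"))
    findings.append(("INFO", f"event recorded in region {event.get('awsRegion', '?')}"))

    order = {"HIGH": 0, "MEDIUM": 1, "INFO": 2}
    return sorted(findings, key=lambda finding: order[finding[0]])


def with_mfa_flag(record_json, value):
    """Copy of the record with mfaAuthenticated set to "true" or "false", to
    show that the HIGH finding disappears when the session used MFA."""
    event = json.loads(record_json)
    event["userIdentity"]["sessionContext"]["attributes"]["mfaAuthenticated"] = value
    return json.dumps(event)


if __name__ == "__main__":
    for severity, message in review_event(SAMPLE_EVENT):
        print(severity, message)
```

The same logic is what you would put behind a CloudWatch Logs metric filter or an EventBridge rule on the trail: match on `eventName` and on `userIdentity.sessionContext.attributes.mfaAuthenticated` being `"false"`, and treat the region and source address as enrichment rather than as the alert condition.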

20
Multi-Select · hard

A company uses AWS CodeBuild to build and test their application. They want to integrate Infrastructure as Code (IaC) scanning into their build pipeline to detect security misconfigurations in CloudFormation templates before deployment. Which TWO tools or services can be used for this purpose? (Choose TWO.)

Select 2 answers
A. AWS CloudFormation Guard
B. AWS Security Hub
C. AWS Config
D. HashiCorp Terraform
E. cfn-nag
Answers: A, E

CloudFormation Guard checks templates against policy rules.

Why this answer

AWS CloudFormation Guard (cfn-guard) is a policy-as-code tool that allows you to define rules to enforce compliance and security best practices on CloudFormation templates. It can be integrated into a CodeBuild pipeline to scan templates for misconfigurations before deployment, making it a correct choice for IaC security scanning.

Exam trap

The trap here is that candidates may confuse AWS Config (which evaluates deployed resources) with a pre-deployment scanning tool, or assume Security Hub can scan templates directly, when in fact both operate on live infrastructure, not on template files.
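To show what a pre-deployment template scan of the kind CloudFormation Guard or cfn-nag performs actually does, here is an added Python example (not from the question bank and not either tool's code) that applies three policy checks to a constructed template: default encryption and a full public access block on every S3 bucket, and no security group ingress from 0.0.0.0/0 or ::/0 to an administrative port. The template is JSON so the standard library can load it (real templates are usually YAML and would be loaded with PyYAML); resource names and values are made up, and two of the three resources are deliberately misconfigured.

```python
import json

# Constructed CloudFormation template; names and values are made up.
SAMPLE_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "LogsBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {"BucketName": "example-logs-bucket"},
        },
        "AdminSg": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "admin access",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                     "CidrIp": "0.0.0.0/0"}
                ],
            },
        },
        "AppBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "BucketEncryption": {"ServerSideEncryptionConfiguration": [
                    {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
                "PublicAccessBlockConfiguration": {
                    "BlockPublicAcls": True, "BlockPublicPolicy": True,
                    "IgnorePublicAcls": True, "RestrictPublicBuckets": True},
            },
        },
    },
})

_PAB_KEYS = ("BlockPublicAcls", "BlockPublicPolicy",
             "IgnorePublicAcls", "RestrictPublicBuckets")
_ADMIN_PORTS = (22, 3389)


def _rule_is_world_open(rule):
    return rule.get("CidrIp") == "0.0.0.0/0" or rule.get("CidrIpv6") == "::/0"


def _rule_covers_admin_port(rule):
    if rule.get("IpProtocol") == "-1":  # all protocols, all ports
        return True
    low, high = rule.get("FromPort"), rule.get("ToPort")
    if low is None or high is None:
        return False
    return any(low <= port <= high for port in _ADMIN_PORTS)


def scan_template(template_json):
    """Run the policy checks over every resource; return (logical_id, rule_id,
    message) tuples, empty when the template passes."""
    findings = []
    for logical_id, resource in json.loads(template_json).get("Resources", {}).items():
        rtype, props = resource.get("Type"), resource.get("Properties", {})
        if rtype == "AWS::S3::Bucket":
            if "BucketEncryption" not in props:
                findings.append((logical_id, "S3-ENCRYPTION",
                                 "no default encryption configured"))
            pab = props.get("PublicAccessBlockConfiguration", {})
            if not all(pab.get(key) is True for key in _PAB_KEYS):
                findings.append((logical_id, "S3-PUBLIC-ACCESS",
                                 "public access block not fully enabled"))
        elif rtype == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                if _rule_is_world_open(rule) and _rule_covers_admin_port(rule):
                    findings.append((logical_id, "SG-OPEN-ADMIN",
                                     "admin port reachable from 0.0.0.0/0 or ::/0"))
    return findings


def build_exit_code(template_json):
    """0 when clean, 1 otherwise: what a CodeBuild pre_build step would return
    to stop the pipeline before the deploy stage."""
    return 1 if scan_template(template_json) else 0


if __name__ == "__main__":
    for finding in scan_template(SAMPLE_TEMPLATE):
        print(*finding)
    raise SystemExit(build_exit_code(SAMPLE_TEMPLATE))
```

The point the exam trap makes is visible in the design: the checks read the template file and nothing else, so they can run in a build container with no AWS credentials and fail the build before any resource exists, which is what distinguishes Guard and cfn-nag from Config and Security Hub.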

21
MCQ · hard

A company uses AWS KMS to encrypt EBS volumes. The security team wants to ensure that EBS snapshots are shared with another account without exposing the underlying data. What is the correct approach?

A. Share the encrypted snapshot without modifying the KMS key policy.
B. Create an unencrypted copy of the snapshot and share it.
C. Share the encrypted snapshot and also share the KMS key with the target account.
D. Share the encrypted snapshot and update the KMS key policy to allow the target account to use the key.
Answer: D

Target account can then create encrypted volumes from the snapshot.

Why this answer

Option D is correct because sharing an encrypted EBS snapshot requires the KMS key policy to grant the target account permission to use the key (via kms:Decrypt and kms:CreateGrant). Without this, the target account cannot decrypt the snapshot to create volumes or copies. AWS KMS enforces that the key policy explicitly allows cross-account access, and the target account must have the corresponding IAM permissions.

Exam trap

The trap here is that candidates often confuse sharing the KMS key itself (which is impossible) with updating the key policy to grant cross-account usage, leading them to select Option C.

How to eliminate wrong answers

Option A is wrong because sharing an encrypted snapshot without modifying the KMS key policy denies the target account the ability to decrypt the snapshot, making it unusable. Option B is wrong because creating an unencrypted copy of an encrypted snapshot would expose the underlying data in plaintext, violating the security requirement. Option C is wrong because sharing the KMS key with the target account is not a supported operation; KMS keys cannot be shared or transferred; instead, you must update the key policy to grant cross-account usage permissions.
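The following Python example is added here to make the key-policy requirement concrete; it is not code from the question bank or from AWS. It contains a default key policy (owner account only) next to the corrected policy from option D, written in the standard AWS cross-account key-policy pattern, and a simplified evaluator that reports which of the two actions named above, kms:Decrypt and kms:CreateGrant, the policy fails to grant a given account. The evaluator considers Allow statements only and does not evaluate Conditions, so it is a review aid, not an IAM simulator. Both account IDs are made up.

```python
import fnmatch
import json

# The two actions the explanation names.
REQUIRED_ACTIONS = ("kms:Decrypt", "kms:CreateGrant")
OWNER, TARGET = "111111111111", "222222222222"  # made-up account IDs

# Default key policy: only the owning account's root principal.
DEFAULT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Enable IAM User Permissions",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{OWNER}:root"},
        "Action": "kms:*",
        "Resource": "*",
    }],
})

# Corrected policy (option D): the owner statement plus cross-account usage
# for the target account, in the usual AWS key-policy shape.
SHARED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": json.loads(DEFAULT_POLICY)["Statement"] + [
        {
            "Sid": "Allow use of the key by the target account",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{TARGET}:root"},
            "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                       "kms:GenerateDataKey*", "kms:DescribeKey"],
            "Resource": "*",
        },
        {
            "Sid": "Allow attachment of persistent resources",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{TARGET}:root"},
            "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
            "Resource": "*",
            "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}},
        },
    ],
})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_entries(principal):
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("AWS", []) if isinstance(principal, dict) else principal)


def _principal_covers_account(principal, account_id):
    """True if the Principal names the account (root ARN, bare account ID or any
    ARN in that account) or is the wildcard."""
    return any(entry == "*" or entry == account_id or f"::{account_id}:" in entry
               for entry in _principal_entries(principal))


def _grants_action(statement_actions, action):
    return any(fnmatch.fnmatchcase(action.lower(), pattern.lower())
               for pattern in _as_list(statement_actions))


def cross_account_gaps(policy_json, account_id, required=REQUIRED_ACTIONS):
    """Required actions the key policy does NOT allow for account_id.
    Allow statements only; Conditions are not evaluated."""
    granted = set()
    for statement in _as_list(json.loads(policy_json).get("Statement", [])):
        if statement.get("Effect") != "Allow" or "Principal" not in statement:
            continue
        if not _principal_covers_account(statement["Principal"], account_id):
            continue
        for action in required:
            if _grants_action(statement.get("Action", []), action):
                granted.add(action)
    return [action for action in required if action not in granted]


def wildcard_principal_sids(policy_json):
    """Sids of unconditional Allow statements with Principal "*": these would let
    any AWS account use the key, far broader than granting one target account."""
    return [statement.get("Sid", "<no Sid>")
            for statement in _as_list(json.loads(policy_json).get("Statement", []))
            if statement.get("Effect") == "Allow" and "Condition" not in statement
            and "*" in _principal_entries(statement.get("Principal", {}))]


if __name__ == "__main__":
    print("default policy, target account gaps:", cross_account_gaps(DEFAULT_POLICY, TARGET))
    print("shared policy, target account gaps: ", cross_account_gaps(SHARED_POLICY, TARGET))
    print("wildcard principals:", wildcard_principal_sids(SHARED_POLICY))
```

Against the default policy the target account is missing both actions, which is the option A failure; against the corrected policy it is missing none, while an unrelated third account still is. The grant statement in the corrected policy carries the `kms:GrantIsForAWSResource` condition so that grants can only be created on behalf of AWS services such as EC2, which is why `wildcard_principal_sids` treats unconditional wildcard statements, not conditional ones, as the over-broad case.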

22
MCQ · easy

A company uses AWS OpsWorks for configuration management. They want to automate the installation of a custom agent on new EC2 instances. Which OpsWorks feature should they use?

A. Use a custom Chef recipe in the layer's configuration to run the installation.
B. Define the agent installation in the layer's built-in configuration.
C. Use custom JSON to pass the installation commands.
D. Create a cookbook repository and upload the agent installation script.
Answer: A

Custom recipes run on instance setup.

Why this answer

Option A is correct because OpsWorks uses Chef recipes or Ansible playbooks to define configuration, and a custom recipe attached to the layer runs during instance setup, so it can install the agent. Option D is wrong because cookbook repositories store cookbooks but do not automatically run them on new instances.

Option C is wrong because custom JSON is for input data, not execution. Option B is wrong because layers define the configuration, but recipes are the actual executable code.

23
MCQmedium

A company uses AWS CodeDeploy to deploy applications to an Auto Scaling group. During a deployment, the deployment fails because the target instances are not passing the health checks. The DevOps engineer notices that the CodeDeploy agent logs show 'The overall deployment failed because too many individual instances failed deployment, too few healthy instances are available for deployment, or some instances in your deployment group are experiencing problems.' Which step should the engineer take to diagnose the issue?

A.Increase the size of the Auto Scaling group to ensure more instances are available.
B.Review the CodeDeploy deployment logs on a failed instance to identify script errors.
C.Create a CloudWatch alarm to monitor the deployment health.
D.Check AWS CloudTrail logs for the CodeDeploy API calls to see if permissions are missing.
AnswerB

The agent logs contain detailed output of the lifecycle event hooks.

Why this answer

Option B is correct because reviewing the deployment logs on a failed instance provides details on why the application installation failed. Option D is wrong because CloudTrail logs API calls, not deployment scripts. Option A is wrong because scaling the group does not address why individual deployments fail.

Option C is wrong because CloudWatch alarms may not capture script-level errors.

24
MCQeasy

A team creates the CloudFormation template shown in the exhibit. What is a potential security concern with this configuration?

A.The bucket name is not unique.
B.The bucket does not have server-side encryption enabled.
C.The bucket is not versioned.
D.The bucket policy allows public read access to all objects.
AnswerD

Principal: '*' allows anyone to read objects.

Why this answer

Option D is correct because the bucket policy allows anonymous access (Principal: "*") to get objects, which can lead to unauthorized access if the bucket contains sensitive data. Option C is wrong because versioning is enabled. Option A is wrong because the bucket name is unique.

Option B is wrong because, although no encryption is specified, the primary concern is the public access.

25
Multi-Selecteasy

A company wants to ensure that its Amazon S3 bucket is resilient to accidental deletion of objects. Which TWO actions should be taken?

Select 2 answers
A.Enable MFA Delete on the bucket.
B.Enable S3 Object Lock.
C.Enable S3 Versioning.
D.Enable S3 Transfer Acceleration.
E.Configure a lifecycle policy to expire objects after 30 days.
AnswersA, C

Requires MFA to permanently delete versions.

Why this answer

Enable Versioning to keep multiple versions of objects, and enable MFA Delete to require multi-factor authentication for permanent deletions.

26
MCQeasy

A company wants to enforce that all infrastructure changes go through a CI/CD pipeline. Which AWS service can be used to prevent direct changes to production resources?

A.AWS Service Catalog
B.AWS IAM
C.AWS Config
D.AWS CloudTrail
AnswerC

Config rules can detect and automatically remediate non-compliant changes.

Why this answer

Option C is correct because AWS Config rules can detect changes and trigger remediation. Option B is incorrect because IAM alone does not prevent changes. Option D is incorrect because CloudTrail is for auditing.

Option A is incorrect because Service Catalog is for pre-approved products.

27
Multi-Selecteasy

A DevOps engineer is troubleshooting an Amazon RDS for PostgreSQL instance that is running out of storage. The engineer wants to resolve the issue without downtime. Which TWO actions can achieve this? (Choose two.)

Select 2 answers
A.Create a read replica and promote it to primary.
B.Enable storage auto scaling on the DB instance.
C.Delete old automated snapshots to free up storage.
D.Scale up the DB instance to a larger instance class.
E.Modify the DB instance to increase the allocated storage size.
AnswersB, E

Auto scaling adds storage automatically without manual intervention.

Why this answer

Option B is correct because enabling storage auto scaling on an Amazon RDS for PostgreSQL instance allows the database to automatically increase its allocated storage when it detects that available storage is running low, preventing out-of-storage errors without requiring manual intervention or downtime. Option E is correct because modifying the DB instance to increase the allocated storage size is a dynamic operation that can be performed without downtime, as Amazon RDS supports online storage scaling for PostgreSQL instances, allowing the change to take effect while the database remains available.

Exam trap

The trap here is that candidates often confuse instance class scaling (compute/memory) with storage scaling, or mistakenly think that deleting snapshots (which are stored separately in S3) can free up space on the DB instance's attached storage volume.

28
MCQhard

A company runs a stateful web application on EC2 instances behind an Application Load Balancer. The application uses sticky sessions (session affinity) based on cookies. During a deployment, the Auto Scaling group launches new instances, but users experience session loss. What is the most likely cause?

A.The Auto Scaling group's lifecycle hooks are not configured.
B.The stickiness duration is set too low.
C.The target group's deregistration delay is too short.
D.The target group's health check interval is too long.
AnswerC

A short delay causes the ALB to stop sending traffic to the instance before sessions are drained.

Why this answer

The correct answer is C. Sticky sessions are tied to the instance ID. If the ALB target group's deregistration delay is too short, the ALB may route traffic to a new instance before the session is migrated.

Session stickiness duration would affect how long sessions persist on the same instance, but not cause loss during deployments. Lifecycle hooks are for custom actions. Health check thresholds affect availability.

29
MCQeasy

A company uses AWS CodePipeline to automate the deployment of a static website hosted on Amazon S3. The pipeline includes a source stage that pulls from a CodeCommit repository and a deploy stage that uses CodeBuild to sync the files to an S3 bucket. The team noticed that the website is not updating after a successful pipeline run. The CodeBuild logs show that the 'aws s3 sync' command completed successfully. However, the website still shows the old content. What is the MOST likely cause?

A.The CodeBuild project does not have permission to write to the S3 bucket.
B.The S3 bucket is not configured for static website hosting.
C.The website is fronted by Amazon CloudFront, which is caching the old content.
D.The S3 bucket policy is blocking public access to the updated objects.
AnswerC

CloudFront caches content; a cache invalidation is needed to serve the new files.

Why this answer

Option C is correct because S3 static website hosting serves content from the bucket, but if CloudFront is used as a CDN, it caches the content. The sync command updates the S3 bucket, but CloudFront serves cached content until the TTL expires or the cache is invalidated. Option D is wrong because the bucket policy does not affect serving content if it is already public, and the sync command does not require public access to update objects.

Option A is wrong because the sync command completed successfully, so CodeBuild can write to the bucket. Option B is wrong because website hosting can be enabled on the bucket; the issue is caching.

30
MCQeasy

A DevOps engineer receives an alert that an Amazon ECS service is failing to start tasks. The service uses the Fargate launch type. The task definition includes a container that requires port 8080. The security group associated with the service allows inbound traffic on port 8080. What should the engineer check NEXT?

A.Verify that the VPC subnets have a route to a NAT Gateway or Internet Gateway.
B.Confirm that the task definition's container image exists in ECR.
C.Check if the task definition has sufficient CPU and memory allocated.
D.Review the security group rules for outbound traffic.
AnswerA

Fargate tasks need outbound internet access to pull images.

Why this answer

Option A is correct because Fargate tasks require a VPC and subnets with outbound internet access (NAT Gateway or Internet Gateway) to pull images from ECR or Docker Hub. Option C is wrong because CPU/memory limits would cause tasks to fail with resource errors, not prevent starting. Option D is wrong because the security group is already configured.

Option B is wrong because the task definition is already defined.

31
MCQeasy

A DevOps team is using AWS CloudFormation to manage infrastructure. They want to reuse the same template across multiple environments (dev, test, prod) with minor parameter variations. Which CloudFormation feature should they use to pass environment-specific values without modifying the template?

A.Conditions
B.Outputs
C.Mappings
D.Parameters
AnswerD

Parameters enable passing environment-specific values into the template.

Why this answer

Parameters allow passing custom values to the template at stack creation or update time. Mappings are for static lookup tables, Conditions control resource creation, and Outputs return stack values. Option D is correct.

32
MCQmedium

A CloudFormation stack creation failed as shown in the exhibit. What is the MOST likely cause of the failure?

A.The subnet resource depends on a resource that was not created successfully
B.The VPC creation failed, so the subnet could not be created
C.The CloudFormation service role does not have permission to create subnets
D.The subnet logical ID conflicts with an existing resource in the stack
AnswerA

The subnet likely depends on the VPC, but the VPC succeeded; the error suggests the subnet's physical ID was not assigned, possibly due to a missing dependency or invalid property.

Why this answer

The exhibit shows that the VPC was created successfully, but the subnet creation failed with a 'dependency violation' error. In CloudFormation, when a resource depends on another resource that was not created successfully (or was deleted), the dependent resource cannot be created because the target resource (the VPC) no longer exists or is in a failed state. This is the most likely cause because the subnet depends on the VPC, and if the VPC was rolled back or deleted due to a prior failure, the subnet creation will fail with a dependency violation.

Exam trap

The trap here is that candidates assume the subnet failed because the VPC creation failed, but the exhibit clearly shows the VPC succeeded, so the real issue is a dependency violation caused by the VPC being deleted or rolled back after initial creation.

How to eliminate wrong answers

Option B is wrong because the VPC creation succeeded (as shown in the exhibit), so the subnet failure is not due to a VPC creation failure. Option C is wrong because if the CloudFormation service role lacked permissions, the error would typically be an 'AccessDenied' or 'UnauthorizedOperation' error, not a 'dependency violation' error. Option D is wrong because a logical ID conflict within the same stack would cause a 'ResourceConflict' or 'AlreadyExists' error, not a dependency violation; logical IDs are unique within a stack template and do not conflict with existing resources in the same stack.

33
MCQhard

A DevOps team is debugging a production incident where an Application Load Balancer (ALB) is returning 503 errors for some requests. The target group instances are healthy. What is the most likely cause?

A.The security group for the ALB does not allow inbound traffic on port 443
B.Health checks are misconfigured to use an incorrect path
C.The deregistration delay setting on the target group is too long
D.Cross-zone load balancing is disabled
AnswerC

A long deregistration delay can cause the ALB to route requests to instances that are draining, resulting in 503.

Why this answer

Option C is correct because a long deregistration delay can cause the ALB to continue sending requests to instances that are being deregistered, leading to 503 errors if the instances are no longer accepting traffic. Option B is incorrect because healthy instances mean the health checks pass. Option A is incorrect because a missing security group rule would cause connection timeouts, not 503.

Option D is incorrect because cross-zone load balancing does not cause 503 errors.

34
MCQeasy

The CloudWatch alarm 'HighCPU' has transitioned to ALARM state. What does the alarm history indicate about the metric that triggered it?

A.The metric value remained below the threshold.
B.The metric value was exactly 80.0 at the time of the alarm.
C.The metric value of 90.0 exceeded the threshold of 80.0.
D.The alarm was triggered after 3 consecutive datapoints breached the threshold.
AnswerC

The history clearly states the threshold was crossed with a value of 90.0.

Why this answer

Option C is correct because the history shows that 1 datapoint with value 90.0 was greater than the threshold of 80.0. Option B is wrong because the datapoint is 90.0, not 80.0. Option A is wrong because the metric crossed the threshold.

Option D is wrong because the alarm uses 1 datapoint, not 3.

35
Matchingmedium

Match each AWS deployment strategy to its description.

Two identical environments; traffic switches after validation

Incremental rollout to a small subset before full release

Updates instances in batches to minimize downtime

Replaces entire instances with new ones; no in-place changes

Deploys to all instances simultaneously (fastest but riskier)

Why these pairings

These are common deployment patterns used in DevOps.

36
MCQmedium

A team is using AWS CodeDeploy to deploy an application to EC2 instances. They want to ensure that if a deployment fails, the instances are automatically rolled back to the previous version. What should they configure?

A.Add a BeforeBlockTraffic hook to the AppSpec file to run a rollback script.
B.Set the deployment configuration to 'CodeDeployDefault.OneAtATime' for a gradual deployment.
C.Configure the deployment group to use the same Auto Scaling group for rollback.
D.Enable automatic rollback in the deployment group settings.
AnswerD

Automatic rollback redeploys the previous revision on failure.

Why this answer

Option D is correct because CodeDeploy supports automatic rollback configuration. When enabled, if a deployment fails, CodeDeploy automatically redeploys the last successful revision. Option A is wrong because a hook is a lifecycle event, not a rollback mechanism.

Option C is wrong because associating the deployment group with an Auto Scaling group determines which instances receive the deployment; it does not provide a rollback setting. Option B is wrong because a deployment configuration specifies traffic routing and failure thresholds, not automatic rollback.

37
MCQeasy

A company uses AWS CloudFormation to manage a stack that includes an Amazon SQS queue. The queue name must be unique. The developer wants to define the queue name in the CloudFormation template. Which intrinsic function should be used to generate a unique name?

A.Fn::Sub
B.Fn::Select
C.AWS::NoValue
D.Fn::GetAtt
AnswerA

Sub can substitute ${AWS::StackName} to make a unique name.

Why this answer

Option A is correct because Fn::Sub can substitute a pseudo parameter such as ${AWS::StackName} into the queue name to make it unique per stack. Option B is wrong because Fn::Select picks an item from a list. Option C is wrong because AWS::NoValue is not a function.

Option D is wrong because Fn::GetAtt retrieves attributes of a resource.

38
MCQmedium

A company experiences intermittent high latency for a web application running on EC2 behind an ALB. They want to monitor and automatically replace instances that have high CPU. Which solution meets this requirement?

A.Create a CloudWatch alarm on CPU utilization that triggers an Auto Scaling policy to replace the instance
B.Use Auto Scaling scheduled scaling actions to replace instances at peak times
C.Use AWS Lambda to periodically check CPU and terminate high-CPU instances
D.Configure the ALB health check to mark instances unhealthy when CPU is high
AnswerA

CloudWatch alarm can trigger a scale-in or terminate action.

Why this answer

Option A is correct because you can configure a CloudWatch alarm on the EC2 instance's CPU utilization metric, and then use that alarm to trigger an Auto Scaling lifecycle hook or a scaling policy that terminates the unhealthy instance and launches a replacement. This directly ties performance monitoring to automated instance replacement, meeting the requirement to replace instances with high CPU.

Exam trap

The trap here is that candidates often confuse ALB health checks with instance health monitoring, assuming ALB can react to CPU metrics, when in fact ALB health checks only verify application-level responsiveness (e.g., HTTP status codes) and cannot directly measure CPU utilization.

How to eliminate wrong answers

Option B is wrong because scheduled scaling actions replace instances at fixed times, not in response to real-time high CPU utilization, so they cannot address intermittent latency. Option C is wrong because while Lambda could terminate instances, it adds unnecessary complexity and latency, and Auto Scaling already provides native health-check-based replacement without custom code. Option D is wrong because ALB health checks are designed to detect application or network failures (e.g., HTTP 5xx, connection timeouts), not CPU utilization; they cannot be configured to mark instances unhealthy based on CPU metrics.

39
MCQhard

A company uses AWS CodeBuild to compile and test their Java application. The build takes about 20 minutes. They have enabled Amazon S3 cache to store the Maven repository to speed up subsequent builds. However, they notice that the build time has not improved significantly. The buildspec file includes the 'cache' section with 'paths' pointing to '/root/.m2'. The CodeBuild project has cache type set to 'S3' and a valid bucket. The build logs show that the cache is being downloaded and uploaded, but the Maven dependencies are still being downloaded from the internet each time. What is the most likely cause?

A.The cache is too large and takes as long to download as the build itself.
B.The S3 bucket is in a different region than the CodeBuild project.
C.The buildspec file does not include the 'cache' section correctly.
D.The Maven dependencies are not being stored in the local repository path specified in the cache.
AnswerD

If Maven is configured to download dependencies to a different location, the cache won't capture them.

Why this answer

Option D is correct because if the Maven local repository is not configured to store dependencies under the cached path, the cache will not help. The build might be using a different repository location, or the dependencies are not cached properly. Option B is wrong because the cache bucket is configured and valid.

Option A is wrong because the cache is being downloaded and uploaded as expected. Option C is wrong because the paths in the cache section are correct.

40
Multi-Selecthard

Which THREE factors should be considered when designing a deployment strategy using AWS CodeDeploy to minimize downtime during updates? (Choose three.)

Select 3 answers
A.Configure a load balancer to deregister instances before deployment.
B.Use a blue/green deployment to switch traffic instantly.
C.Use canary deployments to shift traffic gradually.
D.Deploy to all instances simultaneously to reduce total time.
E.Use the same instance type for all instances.
AnswersA, B, C

Deregistering prevents traffic during update.

Why this answer

Options A, B, and C are correct. Option A ensures service continuity by removing instances from the load balancer before they are updated. Option B switches traffic between two environments after validation.

Option C allows testing on a subset before full rollout. Option D is wrong because deploying to all instances simultaneously reduces total deployment time, not downtime. Option E is wrong because using the same instance type is irrelevant to downtime.

41
MCQmedium

A DevOps team is designing a disaster recovery solution for an Amazon RDS for MySQL database. The primary database is in us-east-1, and the recovery point objective (RPO) is 5 minutes, recovery time objective (RTO) is 1 hour. Which solution meets these requirements?

A.Enable Multi-AZ deployment for high availability.
B.Create a cross-Region read replica in the secondary Region.
C.Take manual snapshots and copy them to the secondary Region daily.
D.Configure automated backups with a retention period of 35 days.
AnswerB

A cross-Region read replica can be promoted quickly, meeting RPO of 5 minutes and RTO of 1 hour.

Why this answer

A cross-Region read replica in the secondary Region meets the RPO of 5 minutes because replication from the primary RDS instance to the read replica is asynchronous but typically completes within seconds to a few minutes, well under the 5-minute threshold. In a disaster, promoting the read replica to a standalone instance can be done manually or automated, and the RTO of 1 hour is achievable because promotion takes only a few minutes, leaving ample time for DNS and application failover. This solution provides a continuous replication stream without manual intervention, unlike snapshot-based approaches.

Exam trap

The trap here is that candidates confuse Multi-AZ (high availability within a Region) with cross-Region disaster recovery, assuming Multi-AZ protects against Regional failures, but it only protects against Availability Zone failures within the same Region.

How to eliminate wrong answers

Option A is wrong because Multi-AZ deployment provides high availability within a single Region (us-east-1) by synchronously replicating to a standby in a different Availability Zone, but it does not protect against a Regional disaster, so it cannot meet the cross-Region recovery requirement. Option C is wrong because taking manual snapshots daily and copying them to the secondary Region results in an RPO of up to 24 hours, far exceeding the required 5 minutes, and the copy operation adds additional latency. Option D is wrong because automated backups with a retention period of 35 days are stored within the same Region and cannot be used for cross-Region recovery; they also do not provide a mechanism to restore in a secondary Region within the required RPO/RTO.

42
MCQmedium

A company is running a production application on Amazon ECS with AWS Fargate. The application has unpredictable traffic patterns and occasionally experiences increased latency. The DevOps team needs to configure scaling based on a custom metric that tracks the number of active user sessions in real time. Which solution will allow the team to scale the ECS service based on this custom metric?

A.Use AWS Auto Scaling to scale the ECS service based on the custom metric.
B.Create a CloudWatch dashboard to visualize the metric and manually adjust the service count.
C.Publish the custom metric to Amazon CloudWatch, then create a target tracking scaling policy in Application Auto Scaling for the ECS service.
D.Use an AWS Lambda function to directly update the desired count of the ECS service based on the metric.
AnswerC

This is the recommended approach for scaling ECS services using custom metrics.

Why this answer

Option C is correct because CloudWatch custom metrics can be used with ECS Service Auto Scaling through a target tracking policy. Option A is wrong because Application Auto Scaling is the correct service, but the option does not describe the direct mechanism. Option D is wrong because Lambda cannot directly scale ECS services.

Option B is wrong because CloudWatch dashboards are for visualization only.

43
MCQeasy

A company uses AWS Secrets Manager to rotate database credentials automatically. The rotation function is failing with a permission error. Which IAM policy should be attached to the Lambda execution role to allow Secrets Manager to invoke the rotation function?

A.{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:GetObject","Resource":"arn:aws:s3:::my-bucket/*"}]}
B.{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"lambda:*","Resource":"*"}]}
C.{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"lambda:InvokeFunction","Resource":"*"}]}
D.{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"secretsmanager:*","Resource":"*"}]}
AnswerC

Allows Secrets Manager to invoke the Lambda function.

Why this answer

Option C is correct because Secrets Manager needs to invoke the Lambda function. Option B is wrong because it grants full Lambda access, which is excessive. Option D is wrong because it grants Secrets Manager access, not function invocation.

Option A is wrong because it grants S3 access.

44
MCQmedium

A company runs a production application on EC2 instances behind an Application Load Balancer (ALB). The application handles sensitive data. The Security team wants to encrypt all traffic between the ALB and the EC2 instances using TLS. They have created a self-signed certificate on each instance. However, the ALB health checks are failing with a 502 error. The instances are healthy when accessed directly via SSH. What is the MOST likely cause?

A.The target group health check is configured to use HTTPS, but the self-signed certificate is not trusted by the ALB
B.The EC2 instances are not configured with a certificate that matches the ALB's domain name
C.The ALB is configured to use a different TLS protocol version than the instances
D.The security groups on the EC2 instances do not allow inbound traffic from the ALB
AnswerA

ALB does not trust self-signed certificates by default, causing health checks to fail.

Why this answer

ALB health checks use HTTPS with a certificate that must be trusted by the target group. Self-signed certificates are not trusted by default. Option A directly addresses this.

Option C would cause connection issues but not specifically health check failures. Option B could cause failures if mismatched, but self-signed certificates generally do not cause that. Option D is about instance security groups, not TLS.

45
MCQmedium

A company runs a stateless web application on Amazon ECS with Fargate. The application must be highly available across multiple Availability Zones. What is the BEST way to achieve this?

A.Create an ECS service with tasks in multiple AZs and place an ALB in front.
B.Use an Auto Scaling group of EC2 instances in a single AZ and run ECS tasks on them.
C.Deploy a CloudFront distribution with multiple origins in different AZs.
D.Deploy a single ECS service with tasks in one AZ and use an ALB.
AnswerA

Multi-AZ tasks and ALB provide HA.

Why this answer

Creating an ECS service with tasks distributed across multiple AZs and using an ALB to distribute traffic ensures high availability.

46
Multi-Selectmedium

A company uses AWS CodeBuild to build and test code. The build jobs need to access a private S3 bucket to download dependencies. Which THREE steps are required to securely grant access?

Select 3 answers
A.Configure the S3 bucket policy to allow access from the CodeBuild service principal
B.Set up a VPC endpoint for S3
C.Create an IAM role with a policy that allows s3:GetObject on the bucket
D.Create a KMS key and grant CodeBuild access to it
E.Attach the IAM role to the CodeBuild project in the service role field
AnswersA, C, E

The bucket policy must explicitly allow the role to access the bucket, unless the role has cross-account permissions.

Why this answer

To grant CodeBuild access to an S3 bucket, you need an IAM role that allows the required actions, attach it to the CodeBuild project, and also ensure the bucket policy allows the role. KMS key is not required if SSE-S3 is used. VPC endpoint is optional.

47
MCQmedium

A company is using Amazon CloudWatch Synthetics to monitor the availability of a web application. The canary runs every 5 minutes from multiple locations. Recently, the canary has been failing intermittently with HTTP 503 errors, but the application team reports that the application is healthy. Which step should the DevOps engineer take to identify the cause of the false positives?

A.Increase the canary timeout setting to allow more time for the application to respond.
B.Add more canary locations to increase coverage.
C.Review the canary's CloudWatch Logs to check for network errors or timeouts.
D.Increase the canary run frequency to every 1 minute.
AnswerC

Logs might reveal that the failure is due to network or client-side issues, not the application.

Why this answer

Option C is correct because checking the canary's CloudWatch Logs might reveal that the failure is due to a network timeout or other client-side issue, not the application. Option D is wrong because increasing canary frequency would generate more data but not identify the cause. Option A is wrong because increasing the timeout might mask the issue.

Option B is wrong because adding more locations would not pinpoint the cause if the issue is client-side.

48
MCQmedium

A company uses AWS CodePipeline with a GitHub source action. The pipeline is configured to trigger on changes to the main branch. After a recent commit, the pipeline did not trigger. The DevOps engineer verified that the webhook is configured correctly and the IAM role has the necessary permissions. What is the most likely cause?

A.The GitHub personal access token used for authentication has expired.
B.The pipeline is set to manual execution only.
C.The source action's branch filter is set to a different branch.
D.The GitHub webhook endpoint URL is incorrect.
AnswerA

Expired token prevents webhook events.

Why this answer

Option A is correct because if the GitHub personal access token has expired, CodePipeline cannot receive webhook events. Option C is wrong because the branch filter is set to main. Option D is wrong because the webhook is configured correctly.

Option B is wrong because the pipeline execution mode is not the issue.

49
MCQeasy

A DevOps engineer is troubleshooting a production issue where an Application Load Balancer (ALB) is returning 503 errors. The ALB targets are EC2 instances in an Auto Scaling group behind the ALB. The engineer checks the ALB access logs in Amazon S3 and finds that the ALB is healthy. However, the 503 errors persist. Which configuration should the engineer check next?

A.Enable AWS Shield Advanced to protect the ALB from DDoS attacks.
B.Verify that the SSL certificate associated with the ALB is not expired.
C.Check the security groups for the EC2 instances to ensure they allow traffic from the ALB on the listener port.
D.Check the ALB's target group health check settings and verify that the health check path is correct.
AnswerC

Security groups blocking traffic from the ALB can cause 503 errors.

Why this answer

Option C is correct because 503 errors are often caused by the ALB being unable to establish a connection to the targets due to security groups blocking traffic. Checking the security groups for the EC2 instances is the logical next step. Option D is wrong because the ALB is healthy per the logs.

Option B is wrong because the issue is not about SSL certificates. Option A is wrong because AWS Shield Advanced is a DDoS protection service, not relevant to 503 errors.

50
MCQeasy

A company runs a stateless web application on EC2 instances in an Auto Scaling group across three Availability Zones. The application uses an Application Load Balancer. The operations team needs to ensure that the application remains available if one AZ fails. Which solution is MOST resilient?

A.Configure the Auto Scaling group to launch instances in a single Availability Zone with a desired capacity of 6.
B.Configure the Auto Scaling group to launch instances in two Availability Zones with a desired capacity of 4.
C.Configure the Auto Scaling group to launch instances in three Availability Zones with a desired capacity of 3.
D.Configure the Auto Scaling group to launch instances in two Availability Zones with a desired capacity of 6, all in one AZ.
AnswerC

Three AZs with at least one instance each ensures capacity remains in two AZs if one fails.

Why this answer

Option C is correct because distributing instances across three Availability Zones (AZs) with a desired capacity of 3 ensures that even if one AZ fails, the remaining two AZs still have at least 2 instances running, maintaining service capacity. The Application Load Balancer (ALB) automatically routes traffic away from the failed AZ, and the Auto Scaling group will replace lost instances in the healthy AZs, providing the highest resilience against a single-AZ failure.

Exam trap

The trap here is that candidates often think using two AZs is sufficient for high availability, but the question specifically asks for the 'MOST resilient' solution, and three AZs provide better fault isolation and recovery capacity than two, especially when the desired capacity is low.

How to eliminate wrong answers

Option A is wrong because launching all instances in a single AZ creates a single point of failure; if that AZ fails, all instances are lost and the application becomes unavailable. Option B is wrong because distributing instances across only two AZs with a desired capacity of 4 means that if one AZ fails, the remaining AZ may have only 2 instances (if evenly split), but the total capacity drops by 50%, and the Auto Scaling group cannot launch instances in the failed AZ, potentially leading to insufficient capacity. Option D is wrong because it configures instances in two AZs but places all 6 instances in one AZ, which is functionally identical to a single-AZ deployment and provides no resilience against an AZ failure.

51
MCQmedium

After deploying a new application version using AWS CodeDeploy, an EC2 instance fails the deployment. The deployment group is configured with an in-place deployment. The engineer sees the error 'ScriptMissing' in the CodeDeploy logs. What should the engineer check?

A.The deployment group's deployment configuration
B.The file path defined in the appspec.yml for the lifecycle hook
C.The security group attached to the instance
D.The AMI used for the EC2 instance
AnswerB

The appspec.yml specifies scripts; if the script file is not at the specified path, the error occurs.

Why this answer

Option B is correct because the appspec.yml references the lifecycle event hook scripts; if a script file is missing at the specified path, the 'ScriptMissing' error occurs. Option D is wrong because the AMI is not related to script files. Option C is wrong because the security group does not affect script execution.

Option A is wrong because the deployment group's deployment configuration is not the cause.

52
MCQmedium

A company is using AWS CodeDeploy to deploy a web application to an Auto Scaling group. The deployment fails with the error 'The overall deployment failed because too many individual instances failed deployment, too few healthy instances are available, or some instances in your deployment group are experiencing problems.' The deployment configuration uses linear traffic shifting with a 10-minute interval. The application logs show that the new version of the application crashes on startup. What is the MOST effective way to handle this situation to ensure successful future deployments?

A.Increase the interval in the linear traffic shifting to 30 minutes to allow more time for instances to stabilize.
B.Configure the deployment to automatically roll back when a failure occurs and ignore the error.
C.Switch to a blue/green deployment strategy to minimize the impact on existing instances.
D.Add a script in the AppSpec file's 'ValidateService' lifecycle hook to check the application health and fail the deployment if the application does not start successfully.
AnswerD

This ensures that unhealthy instances are detected early and the deployment is stopped before traffic is shifted.

Why this answer

Option D is correct because adding a script to the AppSpec file's ValidateService hook that checks the application's health before traffic is shifted catches startup failures early and stops the deployment. Option A is wrong because increasing the interval doesn't fix the root cause. Option B is wrong because rolling back doesn't address the underlying issue.

Option C is wrong because a blue/green deployment would still have the same crash issue.

53
MCQhard

A company runs a critical application on EC2 instances in an Auto Scaling group across three Availability Zones. The application uses an Amazon RDS Multi-AZ DB instance. During a recent incident, one Availability Zone experienced a complete failure. The application remained available, but performance degraded significantly. What is the most likely cause of the degradation?

A.The Route 53 health checks failed and directed traffic to another Region, increasing latency
B.The RDS DB instance failed over to a read replica in a different Region
C.The Auto Scaling group was configured to span only two Availability Zones, and the failed AZ contained a majority of the running instances
D.The EBS volumes in the failed AZ were not available, causing data loss
AnswerC

Loss of one AZ halves capacity if only two AZs are used.

Why this answer

Option C is correct because if the Auto Scaling group is configured to span only two Availability Zones, the failure of one AZ would result in a disproportionate loss of capacity. Since the failed AZ contained a majority of the running instances, the remaining instances in the surviving AZ would be overloaded, causing significant performance degradation. The application remained available because the surviving instances and the Multi-AZ RDS instance continued to operate, but the reduced compute capacity led to degraded performance.

Exam trap

The trap here is that candidates may assume Multi-AZ RDS or Route 53 health checks are the primary cause of degradation, but the real issue is the Auto Scaling group's AZ configuration and the resulting imbalance in compute capacity after an AZ failure.

How to eliminate wrong answers

Option A is wrong because Route 53 health checks do not direct traffic to another Region in this scenario; they are used for DNS-based routing within the same Region or across Regions, and the question does not mention any cross-Region setup. Option B is wrong because an RDS Multi-AZ DB instance does not use a read replica for failover; it uses a synchronous standby replica in a different Availability Zone within the same Region, and failover would not cause performance degradation as it is automatic and transparent. Option D is wrong because EBS volumes in the failed AZ would not cause data loss for the application; the EC2 instances in that AZ would be terminated, but the Auto Scaling group would launch new instances in other AZs, and the RDS database remains available, so no data loss occurs.

54
MCQeasy

A DevOps engineer needs to ensure that all API calls made to AWS are logged for compliance. The logs must be stored in S3 for at least 7 years. Which AWS service should they use?

A.VPC Flow Logs
B.AWS Config
C.Amazon CloudWatch Logs
D.AWS CloudTrail
AnswerD

CloudTrail records all AWS API calls and can deliver logs to S3 for long-term retention.

Why this answer

AWS CloudTrail is the correct service because it records all API calls made to AWS, including the identity, source IP, and timestamp, and can deliver log files to an S3 bucket for long-term retention. The requirement to store logs for at least 7 years aligns with CloudTrail's ability to integrate with S3 lifecycle policies for archival or deletion after a specified period.

Exam trap

The trap here is that candidates often confuse CloudTrail with CloudWatch Logs or AWS Config, thinking that any logging service can capture API calls, but only CloudTrail is designed specifically for auditing AWS API activity.

How to eliminate wrong answers

Option A is wrong because VPC Flow Logs capture network traffic metadata (IP addresses, ports, protocols) for VPCs, not API calls to AWS services. Option B is wrong because AWS Config records resource configuration changes and evaluates compliance rules, but it does not log API calls. Option C is wrong because Amazon CloudWatch Logs is designed for real-time monitoring and log storage from applications and AWS services, but it is not the primary service for auditing AWS API calls; CloudTrail is the dedicated service for that purpose.

55
MCQhard

A company wants to enforce that S3 buckets are not publicly accessible. Which AWS service can continuously monitor and automatically remediate non-compliant buckets?

A.AWS Config
B.Amazon Macie
C.AWS Security Hub
D.AWS Trusted Advisor
AnswerA

Config can evaluate rules and trigger remediation actions.

Why this answer

AWS Config with managed rules can evaluate bucket policies and public access settings and trigger automatic remediation via Systems Manager Automation. Option A is correct.

56
MCQeasy

A company uses AWS Secrets Manager to store database credentials for a legacy application running on an on-premises server. The application retrieves the secret via the AWS SDK. Recently, the database password was rotated in Secrets Manager, but the application continued to use the old password and failed to connect. The application code is correct and uses the latest SDK. The IAM role attached to the server has the secretsmanager:GetSecretValue permission. What is the MOST likely cause?

A.The IAM role does not have permission to list secrets
B.The application is using the wrong secret ID
C.The secret rotation Lambda function is failing
D.The application is caching the secret and not refreshing it after rotation
AnswerD

Secrets Manager SDK caches credentials by default; the application may need to force refresh or wait for cache expiry.

Why this answer

If the secret is rotated, the application may still have the old version cached. By default, the Secrets Manager caching client holds a retrieved secret for a set period before refreshing it. Option D is the most likely.

Option B would cause immediate failure. Option C is unrelated to rotation. Option A would also cause immediate failure.

57
Multi-Selectmedium

A company is deploying a serverless application using AWS Lambda, Amazon API Gateway, and Amazon DynamoDB. The application must be resilient to regional outages. Which THREE steps should the company take to achieve multi-Region resilience? (Choose THREE.)

Select 3 answers
A.Use Amazon CloudFront with multiple origins pointing to each Region's API Gateway.
B.Configure Route 53 with a failover routing policy to direct traffic to the secondary Region if the primary fails.
C.Use DynamoDB global tables to replicate data across Regions.
D.Deploy Lambda@Edge functions to handle requests at edge locations.
E.Deploy a second API Gateway and Lambda function in another Region.
AnswersB, C, E

Route 53 failover routing enables traffic redirection.

Why this answer

Option B is correct because Amazon Route 53 with a failover routing policy allows the company to route traffic to a secondary Region when health checks detect a failure in the primary Region. This provides DNS-level failover, which is a fundamental component of multi-Region resilience for HTTP-based applications.

Exam trap

The trap here is that candidates often confuse CloudFront's origin failover capability (which requires manual configuration of origin groups) with automatic multi-Region failover, or they mistakenly believe Lambda@Edge can serve as a full application backend across Regions, when in fact it is limited to edge processing and cannot replace regional Lambda deployments.

58
MCQmedium

An EC2 instance shows as 'running' in the AWS console, but the system status check is 'impaired'. What is the most likely cause?

A.The instance's security group rules are blocking traffic.
B.The EBS root volume is corrupted.
C.The instance's operating system is not responding.
D.The underlying physical host has experienced a failure.
AnswerD

System status checks monitor the health of the physical host; impairment indicates host issues.

Why this answer

Option D is correct because system status checks indicate problems with the underlying physical host, such as loss of network connectivity or power. Option C is wrong because the operating system is covered by instance status checks, not system status checks. Option B is wrong because EBS volume issues surface as instance status checks.

Option A is wrong because security group rules affect network access but not system status checks.

59
Multi-Selectmedium

Which TWO actions can be taken to protect an S3 bucket from being publicly accessible? (Select TWO.)

Select 2 answers
A.Use an SCP to deny s3:PutBucketPolicy.
B.Enable default encryption on the bucket.
C.Enable S3 Block Public Access settings on the bucket.
D.Enable MFA Delete on the bucket.
E.Use CloudFront to serve the bucket content.
AnswersA, C

Prevents users from setting a public bucket policy.

Why this answer

Option A is correct because an SCP (Service Control Policy) can explicitly deny the s3:PutBucketPolicy action at the AWS Organizations level, which prevents any IAM principal in affected accounts from attaching a public bucket policy. This is a preventive guardrail that overrides any permissive IAM permissions, ensuring the bucket cannot be made publicly accessible via policy statements.

Exam trap

The trap here is that candidates often confuse security features like encryption or MFA Delete with access control mechanisms, failing to recognize that only explicit policy restrictions (SCP or Block Public Access) can prevent public accessibility.

60
MCQhard

Refer to the exhibit. A developer is troubleshooting a failed AWS CodeBuild build. The buildspec file contains the following build commands: 'pre_build' - run linting, 'build' - './gradlew build', 'post_build' - package artifact. The error occurs in the build phase. Which of the following is the MOST likely cause?

A.The Gradle build encountered compilation or test errors.
B.The build environment ran out of disk space.
C.The artifact packaging step failed.
D.The linting step failed.
AnswerA

exit status 1 from gradlew indicates a build failure.

Why this answer

Option A is correct because a Gradle build failure (exit status 1) typically indicates compilation errors or test failures. Option D is wrong because linting runs in pre_build and would have failed earlier. Option B is wrong because running out of disk space would produce a different error.

Option C is wrong because the error is from the Gradle command itself, not the artifact packaging step in post_build.

61
MCQeasy

A DevOps engineer receives a CloudWatch alarm for high CPU utilization on an EC2 instance. The engineer needs to investigate the cause. Which AWS service can provide a detailed analysis of the running processes and their resource consumption?

A.AWS Config
B.AWS CloudTrail
C.AWS Systems Manager Run Command
D.Amazon Inspector
AnswerC

Run Command can run scripts to gather process information.

Why this answer

Option C is correct because AWS Systems Manager Run Command can execute commands (e.g., 'top') on EC2 instances to gather process-level details. Option B (CloudTrail) does not provide OS-level metrics. Option A (Config) records configuration state.

Option D (Inspector) is for vulnerability assessment.

62
MCQhard

Refer to the exhibit. The S3 bucket policy is applied to a bucket. An application attempts to upload an object to the bucket using HTTP (not HTTPS). What will happen?

A.The upload fails because the condition matches HTTP requests
B.The upload succeeds if the bucket also has an allow policy for the user
C.The upload succeeds because there is no explicit allow statement
D.The upload fails because the bucket policy does not allow any access
AnswerA

Deny applies when SecureTransport is false.

Why this answer

The policy denies all s3 actions when aws:SecureTransport is false (i.e., the request arrived over HTTP), so Option A is correct. Option B is wrong because an explicit Deny overrides any Allow. Option C is wrong because the upload fails due to the matching Deny condition, not the absence of an Allow.

Option D is wrong because the policy explicitly denies HTTP; it does not deny all access.

63
MCQhard

A company runs a stateless web application on AWS Lambda behind an Application Load Balancer (ALB). During a deployment, the team updates the Lambda function to a new version. Some users report seeing the old version of the application for several minutes after the deployment. What is the MOST likely cause?

A.The Lambda function versions are not immutable, causing a gradual rollout.
B.Lambda@Edge is overriding the function version at the edge locations.
C.Amazon CloudFront is caching the old response and has not been invalidated.
D.The ALB target group is still pointing to the old Lambda function version due to connection draining.
AnswerD

Connection draining and warm-up can cause ALB to serve old versions until all connections are drained.

Why this answer

Option D is correct because the ALB may keep existing connections to the old function alive while draining, so traffic can reach the old Lambda version for a while if the alias or target is not updated atomically. Option A is wrong because Lambda versions are immutable. Option C is wrong because CloudFront caching is unrelated to the ALB.

Option B is wrong because Lambda@Edge is not involved in this setup.

64
MCQmedium

A company is running a critical application on Amazon EC2 instances behind an Application Load Balancer (ALB). The operations team notices that the application's error rate has increased significantly in the last 30 minutes, but they are unable to identify the root cause because the metrics are aggregated across all instances. Which solution would provide the MOST granular visibility into individual instance performance?

A.Create a CloudWatch dashboard to visualize the error metrics across all instances.
B.Enable detailed monitoring on the EC2 instances to get 1-minute CloudWatch metrics.
C.Enable VPC Flow Logs to capture traffic to each instance.
D.Enable ALB access logs and store them in Amazon S3 for analysis.
AnswerB

Detailed monitoring provides 1-minute metrics for each instance, allowing granular visibility.

Why this answer

Option B is correct because enabling detailed monitoring on EC2 instances provides 1-minute metrics for each instance, allowing granular visibility. Option D is wrong because ALB access logs provide request-level data but not per-instance metrics aggregated in CloudWatch. Option A is wrong because CloudWatch dashboards visualize metrics but do not increase their granularity.

Option C is wrong because VPC Flow Logs capture network traffic, not application error metrics.

65
Multi-Selecthard

A DevOps engineer is designing a centralized logging solution for 10 AWS accounts. Logs must be stored in a central S3 bucket with encryption and access logging. Which THREE services/resources are required to meet these requirements?

Select 3 answers
A.AWS Config.
B.AWS CloudTrail.
C.AWS KMS customer managed key.
D.Amazon CloudWatch Logs.
E.Amazon S3 server access logs.
AnswersB, C, E

CloudTrail can deliver logs to a central S3 bucket.

Why this answer

Option B, Option C, and Option E are correct. CloudTrail can deliver logs to a central S3 bucket. S3 server access logs record requests to the bucket.

A KMS customer managed key encrypts the logs. Option D (CloudWatch Logs) is not required for storage. Option A (Config) is not required for logging.

66
MCQmedium

Refer to the exhibit. A DevOps engineer applies the IAM policy shown to an S3 bucket to enforce server-side encryption. However, users report that some uploads succeed without encryption. What is the most likely reason?

A.The resource ARN is incorrect; it should be the bucket ARN.
B.The policy only allows the action but does not deny actions that do not meet the condition.
C.The action should be s3:PutEncryptedObject instead of s3:PutObject.
D.The policy uses StringEquals instead of StringNotEquals.
AnswerB

Without an explicit Deny, other policies may allow uploads without encryption.

Why this answer

Option B is correct because the IAM policy shown only allows the s3:PutObject action when the encryption condition is met, but it does not include a Deny statement to explicitly block uploads that do not satisfy the condition. In AWS IAM, an Allow statement alone does not prevent actions that fail the condition; it simply grants permission when the condition is true. Without a corresponding Deny, users with other permissions (e.g., from a broader policy) can still upload objects without encryption, as the Allow does not override other effective allows.

Exam trap

The trap here is that candidates assume an Allow statement with a condition implicitly denies requests that don't meet the condition, but AWS IAM requires an explicit Deny to block non-compliant actions.

How to eliminate wrong answers

Option A is wrong because the resource ARN in the policy (arn:aws:s3:::example-bucket/*) is correct for object-level operations like s3:PutObject, which require the object ARN (bucket/*), not just the bucket ARN. Option C is wrong because s3:PutEncryptedObject is not a valid AWS S3 action; the correct action is s3:PutObject, and encryption is enforced via conditions, not a separate action. Option D is wrong because using StringEquals is appropriate here to require the encryption header to equal 'AES256'; StringNotEquals would incorrectly allow uploads that do not specify encryption or specify a different value.
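A toy policy evaluator covering both the aws:SecureTransport Deny from the HTTP-upload question above and the encryption-header policy in this question, as an added example that is not part of the original page. It models only the evaluation rules these questions turn on (explicit Deny wins, any matching Allow grants, otherwise implicit deny); Principal elements are omitted, and all policies, the BROAD_IAM_ALLOW stand-in for "other permissions", the bucket name and request contexts are constructed assumptions.

```python
"""Toy policy evaluator for the two bucket-policy questions above (Q62's
aws:SecureTransport Deny and Q66's encryption-header policy). Added example,
not code from the page: it models only the rules those questions turn on
(an explicit Deny in any policy wins, otherwise any matching Allow grants,
otherwise implicit deny). Principal elements are omitted, so every policy
is assumed to apply to the caller; all policies and contexts are constructed.
"""


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob_match(pattern, candidate):
    """'*' and a trailing '*' are the only wildcards these policies use."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return candidate.startswith(pattern[:-1])
    return pattern == candidate


def _condition_holds(condition, ctx):
    """True when every operator/key pair in the Condition block matches ctx.

    Here a key absent from the request context matches only under Null; the
    hardened policy below carries a separate Null statement so it does not
    depend on how a negated operator treats an absent key.
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            wanted = [str(v) for v in _as_list(expected)]
            if operator == "Null":
                if (actual is None) != (wanted[0].lower() == "true"):
                    return False
            elif actual is None:
                return False
            elif operator == "StringEquals":
                if str(actual) not in wanted:
                    return False
            elif operator == "StringNotEquals":
                if str(actual) in wanted:
                    return False
            elif operator == "Bool":
                if str(actual).lower() != wanted[0].lower():
                    return False
            else:
                raise ValueError("unsupported operator " + operator)
    return True


def is_allowed(policies, action, resource, ctx):
    """Evaluate one request against every policy that applies to the caller."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(_glob_match(a, action) for a in _as_list(stmt["Action"])):
                continue
            if not any(_glob_match(r, resource) for r in _as_list(stmt["Resource"])):
                continue
            if not _condition_holds(stmt.get("Condition", {}), ctx):
                continue
            if stmt["Effect"] == "Deny":
                return False  # an explicit Deny always wins
            allowed = True
    return allowed


BUCKET = "arn:aws:s3:::example-bucket"
OBJECT = BUCKET + "/report.csv"

# Stands in for the "other permissions from a broader policy" in Q66.
BROAD_IAM_ALLOW = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

# Q62: deny every S3 action that arrives over plain HTTP.
DENY_INSECURE_TRANSPORT = {"Statement": [{
    "Effect": "Deny", "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"],
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}

# Q66 as shown: a conditional Allow and nothing else.
ALLOW_ONLY_ENCRYPTED = {"Statement": [{
    "Effect": "Allow", "Action": "s3:PutObject", "Resource": BUCKET + "/*",
    "Condition": {"StringEquals": {"s3:x-amz-server-side-encryption": "AES256"}}}]}

# Q66 hardened: explicit Denies for a wrong header and for a missing header.
DENY_UNENCRYPTED = {"Statement": [
    {"Effect": "Deny", "Action": "s3:PutObject", "Resource": BUCKET + "/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}},
    {"Effect": "Deny", "Action": "s3:PutObject", "Resource": BUCKET + "/*",
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}}]}


def put_allowed(bucket_policy, ctx):
    """Outcome of s3:PutObject for a caller who also holds BROAD_IAM_ALLOW."""
    return is_allowed([BROAD_IAM_ALLOW, bucket_policy], "s3:PutObject", OBJECT, ctx)
```

With the Allow-only policy, `put_allowed(ALLOW_ONLY_ENCRYPTED, {"aws:SecureTransport": "true"})` returns True for an upload with no encryption header, which is the gap the question describes; the two-Deny policy returns False for the same request.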

67
MCQhard

A company uses AWS CodeBuild to run builds for a Java application. The buildspec includes a 'mvn test' command. The build succeeds but the tests fail. The team wants to fail the build if any test fails. What should they do?

A.Add a 'post_build' phase that fails the build if tests fail.
B.Add a 'test' phase in the buildspec before the 'build' phase.
C.Ensure the buildspec's 'build' phase includes the test command and that the command returns a non-zero exit code on failure.
D.Configure the build project to use batch builds.
AnswerC

CodeBuild fails the build if any command returns non-zero.

Why this answer

Option C is correct because CodeBuild fails the build when any command in a phase returns a non-zero exit code; if 'mvn test' fails and returns non-zero, CodeBuild fails the build. Option B is wrong because the buildspec phases are fixed and a 'test' phase cannot be added. Option D is wrong because batch builds are for running multiple builds.

Option A is wrong because post_build runs after the build phase and does not change how test failures are reported.

68
MCQhard

A company uses AWS OpsWorks for configuration management. The DevOps team wants to run a custom recipe on all instances in a layer during stack updates. Which OpsWorks lifecycle event should they hook the recipe into?

A.Deploy
B.Shutdown
C.Configure
D.Setup
AnswerD

Setup runs after boot, suitable for initial configuration.

Why this answer

Option D is correct because the Setup event runs after an instance finishes booting, which is appropriate for applying configurations during stack updates. Option C is wrong because Configure runs when instances come online or go offline. Option A is wrong because Deploy runs when you run a deploy command.

Option B is wrong because Shutdown runs when the instance is terminated.

69
MCQmedium

Refer to the exhibit. A DevOps engineer ran the above AWS CLI command after a CloudFormation stack update. What does the status 'ROLLBACK_COMPLETE' indicate?

A.The stack update is in progress.
B.The stack was deleted successfully.
C.The stack was created successfully.
D.The stack update failed and CloudFormation reverted to the previous stack.
AnswerD

ROLLBACK_COMPLETE indicates a failed update with rollback.

Why this answer

Option D is correct because ROLLBACK_COMPLETE means the update failed and CloudFormation reverted to the previous state. Option C is wrong because the stack was not created successfully; it rolled back. Option B is wrong because ROLLBACK_COMPLETE is not a delete status.

Option A is wrong because it is not an update in progress.

70
Matchingmedium

Match each AWS security and identity service to its function.


Manages users, groups, roles, and permissions

Creates and manages encryption keys

Rotates and manages secrets like database credentials

DDoS protection service

Web application firewall

Why these pairings

These are key services for security and access control.

71
MCQhard

Refer to the exhibit. A CodePipeline deployment fails at the CloudFormation stage. The Lambda function creation is cancelled. What is the MOST likely cause?

A.The buildspec.yml file contains an invalid command.
B.The Lambda function is configured in a VPC without a NAT gateway or VPC endpoints, causing deployment timeout.
C.The Lambda function's execution role lacks permissions to create ENIs.
D.The CodeCommit branch is not configured correctly in the pipeline.
AnswerB

Lambda in VPC without internet access can cause timeouts if it needs to download packages or call external services during initialization.

Why this answer

The error indicates CloudFormation timed out waiting for a signal (WaitCondition). Lambda functions in a VPC require a NAT gateway or VPC endpoints to download dependencies or access external services, and the wait condition might be waiting for a signal that never arrives due to network issues.

72
MCQmedium

A team uses AWS CloudFormation to manage a VPC with multiple subnets. They want to ensure that when a stack is updated, the update does not accidentally replace the VPC or any subnet. Which CloudFormation property should they set on the resources?

A.CreationPolicy
B.DependsOn
C.UpdateReplacePolicy
D.DeletionPolicy
AnswerC

UpdateReplacePolicy specifies what to do if a resource is replaced during an update; setting 'Retain' prevents deletion of the original resource.

Why this answer

The 'DeletionPolicy' attribute with 'Retain' keeps the resource if the stack is deleted, but does not prevent replacement during update. To prevent replacement, use 'UpdateReplacePolicy' with 'Retain', or design the template to avoid replacement. However, the most direct way is to use 'UpdateReplacePolicy'.

Option C is correct because it specifically handles update replacement.

73
MCQhard

Refer to the exhibit. An IAM policy is attached to a group. A user in the group tries to terminate an EC2 instance with the tag 'Environment=production' in us-east-1. What will happen?

A.The action is denied because the Deny statement explicitly denies the action for production instances.
B.The action is allowed because there is no explicit Deny for the user.
C.The action is denied only if the instance is in the us-east-1 region.
D.The action is allowed because the Allow statement grants ec2:TerminateInstances.
AnswerA

Explicit Deny wins.

Why this answer

Option A is correct because the Deny statement explicitly denies TerminateInstances for instances with the tag Environment=production, regardless of any Allow. Option D is wrong because an explicit Deny overrides an Allow. Option C is wrong because the Deny applies to all instances with that tag, not only those in us-east-1.

Option B is wrong because the Deny is explicit.

74
MCQeasy

A company uses AWS CloudTrail to record API calls across multiple accounts and regions. The security team needs to be alerted immediately when an IAM user creates a new access key. Which combination of services should be used to achieve this with minimal latency?

A.Send CloudTrail logs to CloudWatch Logs, create a metric filter, and set up a CloudWatch Alarm to publish to an SNS topic.
B.Enable S3 event notifications on the CloudTrail S3 bucket to trigger a Lambda function.
C.Use Amazon EventBridge to match the CloudTrail event and invoke an AWS Lambda function that sends an email.
D.Configure a Lambda function to poll the CloudTrail API every minute and check for new access keys.
AnswerA

This is the standard low-latency alerting pattern for CloudTrail events.

Why this answer

Option A is correct because CloudTrail delivers events to CloudWatch Logs, and a metric filter on 'CreateAccessKey' can trigger a CloudWatch Alarm to send an SNS notification. Option C is wrong because, although CloudWatch Events (now Amazon EventBridge) can directly match CloudTrail events, the question asks for the common minimal-latency pattern. Option B is wrong because S3 event notifications are not designed for real-time alerting on API calls.

Option D is wrong because a Lambda function polling CloudTrail is inefficient and introduces latency.
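The detection step of the pattern above (metric filter on CloudTrail records, then alarm and notification), as an added example that is not part of the original page. It applies the same predicate a CloudWatch Logs metric filter would apply to constructed CloudTrail records and extracts what the notification should carry; the record contents and access key IDs are constructed placeholders.

```python
"""Detection logic for the CloudTrail alerting pattern in Q74, as an added
example that is not part of the original page. It applies the same predicate
a CloudWatch Logs metric filter would apply, over constructed CloudTrail
records, and extracts what the resulting SNS notification should carry.
"""
import json

# Metric filter pattern for the log group that receives the trail (JSON
# filter syntax); matches_filter() below is the same predicate in Python.
METRIC_FILTER_PATTERN = (
    '{ ($.eventSource = "iam.amazonaws.com") && ($.eventName = "CreateAccessKey") }'
)


def _record(time, name, caller, target, ip, key_id=None):
    """Build a constructed CloudTrail record with the fields the detection reads."""
    rec = {"eventTime": time, "eventSource": "iam.amazonaws.com", "eventName": name,
           "awsRegion": "us-east-1", "sourceIPAddress": ip,
           "userIdentity": {"type": "IAMUser", "userName": caller},
           "requestParameters": {"userName": target}}
    if key_id:
        rec["responseElements"] = {"accessKey": {"accessKeyId": key_id, "status": "Active"}}
    return json.dumps(rec)


# Constructed log lines: one benign ListAccessKeys call, two key creations
# (one of them for a different user than the caller) and a truncated line.
SAMPLE_LOG_LINES = [
    _record("2024-05-01T10:00:05Z", "CreateAccessKey", "alice", "alice",
            "203.0.113.10", "AKIA0000EXAMPLE00001"),
    _record("2024-05-01T10:01:40Z", "ListAccessKeys", "alice", "alice", "203.0.113.10"),
    _record("2024-05-01T10:02:15Z", "CreateAccessKey", "bob", "svc-deploy",
            "198.51.100.7", "AKIA0000EXAMPLE00002"),
    '{"eventTime": "2024-05-01T10:03:00Z", "eventName": "CreateAccessKey"',
]


def matches_filter(record):
    """Same predicate as METRIC_FILTER_PATTERN."""
    return (record.get("eventSource") == "iam.amazonaws.com"
            and record.get("eventName") == "CreateAccessKey")


def extract_alert(record):
    """Fields worth placing in the SNS message: who, for whom, from where, which key."""
    caller = (record.get("userIdentity") or {}).get("userName", "<unknown>")
    # requestParameters is null when a user creates a key for itself without naming it
    target = (record.get("requestParameters") or {}).get("userName", caller)
    key_id = ((record.get("responseElements") or {}).get("accessKey") or {}).get("accessKeyId")
    return {"time": record["eventTime"], "caller": caller, "target_user": target,
            "source_ip": record.get("sourceIPAddress"), "access_key_id": key_id,
            # a key minted for a different principal than the caller deserves a closer look
            "cross_user": caller != target}


def scan(log_lines):
    """Run the filter over raw log lines; a malformed line is skipped, not fatal."""
    alerts = []
    for line in log_lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        if matches_filter(record):
            alerts.append(extract_alert(record))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG_LINES):
        print(json.dumps(alert))
```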

75
Multi-Selectmedium

A DevOps engineer is designing a CI/CD pipeline for a Python application using AWS CodeBuild and AWS CodeDeploy. The application is deployed to an Auto Scaling group of EC2 instances. The engineer wants to ensure that the deployment does not impact availability. Which TWO strategies can be used? (Choose 2.)

Select 2 answers
A.In-place deployment with a large batch size.
B.Rolling deployment with a small batch size.
C.Immutable deployment.
D.Blue/green deployment.
E.Canary deployment.
AnswersB, D

Rolling updates instances in batches, maintaining availability.

Why this answer

Options B and D are correct. A rolling deployment (B) updates instances in small batches, maintaining availability. A blue/green deployment (D) creates a new environment and switches traffic.

Option A is wrong because an in-place deployment with a large batch size can cause downtime. Option C is wrong because immutable deployments are not supported directly with Auto Scaling groups. Option E is wrong because canary is not a deployment type for EC2/ASG.
