AWS Certified DevOps Engineer Professional DOP-C02 (DOP-C02) — Questions 676750

1740 questions total · 24 pages · All types, answers revealed

Page 10 of 24
676
MCQ · medium

You are a DevOps engineer for a company that uses AWS CodePipeline to deploy a microservice to Amazon ECS with Fargate. The pipeline has a source stage (CodeCommit), a build stage (CodeBuild) that builds a Docker image and pushes it to Amazon ECR, and a deploy stage that uses an ECS task definition update. Recently, the deploy stage started failing intermittently with the error 'The task definition does not have a compatibilities attribute set correctly.' The task definition is generated dynamically during the build stage and uses the 'FARGATE' launch type. The error occurs only when a new task definition revision is created. You suspect the issue is related to how the task definition is generated. Upon reviewing the buildspec, you see that the task definition JSON is created using environment variables for the image URI. What is the MOST likely cause and solution?

A. The task definition is missing the 'executionRoleArn' field, which is required for Fargate.
B. The task definition JSON does not include the 'requiresCompatibilities' field with the value '["FARGATE"]'.
C. The task definition specifies 'networkMode' as 'bridge', but Fargate requires 'awsvpc'.
D. The task definition does not specify 'cpu' and 'memory' values, which are required for Fargate.
Answer: B

Without this field, ECS cannot determine the launch type compatibility.

Why this answer

Option B is correct because the 'requiresCompatibilities' attribute must be explicitly set to 'FARGATE' for Fargate tasks. Option A is incorrect because the error is about compatibilities, not execution role. Option C is incorrect because network mode should be 'awsvpc', but that is not the error.

Option D is incorrect because CPU and memory values are required but would cause a different error.
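As an added example (not from the page or its buildspec), a pre-registration check in Python that renders a constructed task definition the way the build stage does and flags the missing requiresCompatibilities field alongside the other Fargate requirements named in the options; the family, role ARN, account ID and image URI are placeholders.

```python
import json

# Constructed task definition template of the kind the build stage renders from
# environment variables (not the page's buildspec). The account ID, role name and
# ${IMAGE_URI} are placeholders; in the pipeline the URI is the ECR image CodeBuild pushed.
TASK_DEFINITION_TEMPLATE = """
{
  "family": "example-microservice",
  "networkMode": "awsvpc",
  "cpu": "256",
  "memory": "512",
  "executionRoleArn": "arn:aws:iam::123456789012:role/ecsTaskExecutionRole",
  "containerDefinitions": [
    {
      "name": "app",
      "image": "${IMAGE_URI}",
      "essential": true,
      "portMappings": [{"containerPort": 8080, "protocol": "tcp"}]
    }
  ]
}
"""


def render_task_definition(template, image_uri):
    """Substitute the image URI by plain string replacement, as a buildspec would, then parse."""
    return json.loads(template.replace("${IMAGE_URI}", image_uri))


def fargate_issues(task_def):
    """Return the problems that would make a FARGATE task definition fail to register or run.

    The first check is the one behind the page's error; the others are the
    requirements the remaining options describe.
    """
    issues = []
    if "FARGATE" not in task_def.get("requiresCompatibilities", []):
        issues.append("requiresCompatibilities must include FARGATE")
    if task_def.get("networkMode") != "awsvpc":
        issues.append("networkMode must be awsvpc for Fargate")
    for field in ("cpu", "memory"):
        if not task_def.get(field):
            issues.append(f"task-level {field} is required for Fargate")
    if not task_def.get("executionRoleArn"):
        issues.append("executionRoleArn is required to pull the image from ECR")
    for container in task_def.get("containerDefinitions", []):
        image = container.get("image", "")
        # An empty or unsubstituted placeholder means the build-stage variable was not set.
        if not image or "${" in image:
            issues.append(f"container {container.get('name')} has an unrendered or empty image")
    return issues


def add_fargate_compatibility(task_def):
    """Apply the fix from the answer key: set requiresCompatibilities explicitly."""
    fixed = dict(task_def)
    fixed["requiresCompatibilities"] = ["FARGATE"]
    return fixed


if __name__ == "__main__":
    rendered = render_task_definition(
        TASK_DEFINITION_TEMPLATE,
        "123456789012.dkr.ecr.us-east-1.amazonaws.com/example-microservice:abc123",
    )
    print(fargate_issues(rendered))
    print(fargate_issues(add_fargate_compatibility(rendered)))
```

Running the check in the build stage, before register-task-definition, turns the intermittent deploy failure into a deterministic build failure with a readable reason.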

677
MCQ · hard

Refer to the exhibit. An IAM policy is attached to an IAM user. Which of the following actions will be allowed by this policy?

A. DescribeInstances on an instance in us-east-1
B. StartInstances on an instance in us-east-1
C. DescribeInstances on an instance in us-west-2
D. StopInstances on an instance in us-east-1
Answer: A

Allowed by the first statement and not denied because condition is false.

Why this answer

Option A is correct. DescribeInstances is allowed by the first (Allow) statement, and the Deny statement applies only when the requested region is NOT us-east-1. For a request in us-east-1 the condition evaluates to false, so the Deny does not apply and the call is allowed. Note that when the condition is met, the Deny covers all ec2 actions (ec2:*) on instances, including DescribeInstances.

Option B is wrong because, although StartInstances in us-east-1 escapes the Deny (the condition is false), the Allow statement covers only DescribeInstances; with no explicit Allow, StartInstances is implicitly denied.

Option C is wrong because for us-west-2 the condition is true, so the Deny applies to all ec2 actions on instances, including DescribeInstances. Option D is wrong for the same reason as B: StopInstances in us-east-1 is not caught by the Deny, but there is no Allow for StopInstances, so it is implicitly denied.

678
MCQ · hard

A company uses AWS Lambda with an Amazon DynamoDB table to process high-volume clickstream data. The Lambda function writes the data to DynamoDB. Recently, the function has been experiencing throttling and timeouts during peak traffic. The DevOps team needs to set up monitoring to identify the root cause. Which combination of metrics should they analyze?

A. DynamoDB throttled write events and Lambda concurrent executions.
B. DynamoDB read and write capacity metrics and Lambda error count.
C. CloudWatch metrics for Lambda invocations and duration.
D. CloudWatch Logs for Lambda function logs and Lambda memory utilization.
Answer: A

Throttled write events indicate DynamoDB throttling, and concurrent executions show if Lambda is under-provisioned.

Why this answer

Option A is correct because DynamoDB throttled write events and Lambda concurrent executions directly indicate the issue. Option C is wrong because Lambda invocations and duration don't show throttling. Option B is wrong because DynamoDB read/write capacity and Lambda errors don't pinpoint the cause.

Option D is wrong because CloudWatch Logs and Lambda memory are not the primary indicators.

679
MCQ · hard

A company requires that all secrets (e.g., database passwords) used by Lambda functions be rotated automatically every 30 days. Which combination of services should be used?

A. AWS CloudHSM and AWS Lambda
B. AWS Secrets Manager and AWS Lambda
C. AWS Systems Manager Parameter Store and AWS Lambda
D. AWS KMS and AWS Lambda
Answer: B

Secrets Manager provides automatic rotation and Lambda can retrieve secrets.

Why this answer

AWS Secrets Manager is the correct choice because it natively supports automatic secret rotation on a configurable schedule (e.g., every 30 days) using a Lambda function as the rotation handler. Secrets Manager directly integrates with Lambda to invoke the rotation logic, updating the secret value and propagating the change to the target database or service without custom infrastructure. CloudHSM, Parameter Store, and KMS do not provide built-in, scheduled rotation of secrets with automatic Lambda invocation.

Exam trap

The trap here is that candidates confuse AWS Systems Manager Parameter Store (which can store secrets but lacks automatic rotation) with AWS Secrets Manager (which is purpose-built for rotation), or they assume KMS or CloudHSM can manage secrets directly when they only handle encryption keys.

How to eliminate wrong answers

Option A is wrong because AWS CloudHSM is a hardware security module for key generation and cryptographic operations, not a service for storing or rotating secrets like database passwords; it lacks any built-in rotation scheduling or Lambda integration for secret rotation. Option C is wrong because AWS Systems Manager Parameter Store can store secrets but does not natively support automatic rotation; any rotation would require custom orchestration and polling, whereas Secrets Manager provides managed rotation with a single API call. Option D is wrong because AWS KMS is a key management service for encryption keys, not a secret store; it cannot store or rotate secrets like database passwords, and while it can encrypt secrets stored elsewhere, it does not provide rotation logic.

680
Multi-Select · medium

A DevOps team is designing a CI/CD pipeline for a containerized application. Which THREE components are essential for a complete pipeline? (Choose three.)

Select 3 answers
A. AWS CodeDeploy
B. Artifact storage
C. Amazon CloudWatch
D. Build and test automation
E. Source control repository
Answers: B, D, E

Build artifacts need to be stored for deployment.

Why this answer

Options B, D, and E are correct: artifact storage, build and test automation, and a source control repository are the essential components of a pipeline. Option A is wrong because CodeDeploy is a deployment service, not an essential pipeline component. Option C is wrong because CloudWatch is a monitoring service.

681
Multi-Select · medium

A company is designing a highly available architecture for a stateless web application using AWS services. Which TWO steps should they take to achieve high availability?

Select 2 answers
A. Store session state in an EBS volume attached to each instance
B. Deploy EC2 instances in multiple Availability Zones
C. Use a single NAT instance in a public subnet
D. Use only M5 instance types for better performance
E. Use an Application Load Balancer to distribute traffic
Answers: B, E

Essential for high availability.

Why this answer

Deploying across multiple AZs ensures availability during an AZ failure. An ALB distributes traffic and performs health checks. Option D is wrong because M5 instances are not required.

Option A is wrong because session state in an EBS volume is not stateless; it's better to use ephemeral storage or S3. Option C is wrong because a single NAT instance is an anti-pattern.

682
MCQ · easy

A company uses AWS CodePipeline with multiple stages: Source, Build, Test, Deploy. The Test stage runs integration tests using AWS CodeBuild. If the Test stage fails, what happens to the pipeline execution?

A. The pipeline continues to the next stage but marks the Test stage as failed.
B. The pipeline execution stops and the status is set to 'Failed'.
C. The pipeline skips the Test stage and proceeds to Deploy.
D. The pipeline automatically retries the Test stage up to three times.
Answer: B

On failure, the pipeline execution stops.

Why this answer

In AWS CodePipeline, by default, if a stage (such as Test) fails, the pipeline execution immediately stops and the overall pipeline status is set to 'Failed'. This is because CodePipeline treats each stage as a sequential gate; a failure in any stage blocks progression to subsequent stages unless explicitly configured otherwise (e.g., with a 'Blocker' or 'Manual Approval' action). Option B correctly describes this default behavior.

Exam trap

The trap here is that candidates may confuse the default behavior with optional features like automatic retries or stage skipping, assuming CodePipeline behaves like a CI/CD tool that allows failures to pass through (e.g., Jenkins with 'unstable' status) or automatically retries failed jobs.

How to eliminate wrong answers

Option A is wrong because CodePipeline does not continue to the next stage after a failure; it halts execution and marks the pipeline as 'Failed', not just the stage. Option C is wrong because CodePipeline does not skip a failed stage; it stops entirely, preventing the Deploy stage from running. Option D is wrong because CodePipeline does not automatically retry a failed stage; retry behavior must be explicitly configured using the 'Retry' feature in the pipeline settings or via manual intervention.

683
MCQ · medium

An e-commerce platform uses Amazon DynamoDB as its primary database. The platform experiences occasional read throttling during flash sales. The operations team needs to ensure that read traffic is handled without errors, while keeping costs low. What should a DevOps engineer recommend?

A. Enable DynamoDB Accelerator (DAX) to cache frequently read data.
B. Increase the read capacity units for the table during flash sale events.
C. Use DynamoDB Streams to replicate reads to a separate table.
D. Implement Global Tables to distribute read traffic across multiple regions.
Answer: A

DAX reduces read load and throttling with lower cost than increasing capacity.

Why this answer

Option A is correct because DynamoDB Accelerator (DAX) provides an in-memory cache that reduces read load on the database, improving performance and reducing throttling. Option B is wrong because increasing read capacity units increases cost without optimization. Option C is wrong because DynamoDB Streams is for change data capture, not caching.

Option D is wrong because Global Tables is for multi-region replication, not read scaling.

684
MCQ · easy

A company is deploying a critical application on Amazon EC2 instances behind an Application Load Balancer (ALB) across multiple Availability Zones. The application must be resilient to the failure of an entire Availability Zone. Which design should the company implement?

A. Launch EC2 instances in at least two Availability Zones and place them behind an Application Load Balancer with cross-zone load balancing enabled.
B. Use one EC2 instance in a single Availability Zone behind a Network Load Balancer.
C. Launch EC2 instances in one Availability Zone and use an Application Load Balancer to distribute traffic.
D. Deploy EC2 instances in two Availability Zones but use a single Application Load Balancer in one AZ.
Answer: A

Multiple AZs provide resilience; ALB distributes traffic and performs health checks.

Why this answer

Option A is correct because deploying EC2 instances across at least two Availability Zones (AZs) behind an Application Load Balancer (ALB) with cross-zone load balancing enabled ensures that if an entire AZ fails, the ALB can route traffic to healthy instances in the remaining AZs. Cross-zone load balancing allows the ALB to distribute incoming requests evenly across all registered instances in all enabled AZs, which improves fault tolerance and resource utilization. This design meets the requirement for resilience to an AZ failure by eliminating a single point of failure at the AZ level.

Exam trap

The trap here is that candidates often assume that simply placing instances in multiple AZs behind a load balancer is sufficient, but they overlook the critical requirement that the load balancer itself must be deployed across multiple AZs to avoid being a single point of failure.

How to eliminate wrong answers

Option B is wrong because using a single EC2 instance in one AZ behind a Network Load Balancer (NLB) does not provide resilience to an AZ failure; if that AZ goes down, the application becomes unavailable. Option C is wrong because launching EC2 instances in only one AZ behind an ALB still creates a single point of failure at the AZ level; the ALB cannot route traffic to healthy instances if the entire AZ fails. Option D is wrong because deploying EC2 instances in two AZs but using a single ALB in one AZ means the ALB itself is a single point of failure; if that AZ fails, the ALB becomes unavailable, and traffic cannot be distributed to instances in the other AZ.

685
MCQ · medium

A company's DevOps team is designing a multi-region disaster recovery solution for a stateless web application. The application runs on Amazon EC2 instances behind an Application Load Balancer (ALB) in the us-east-1 region. The team needs to fail over to a secondary region (us-west-2) with minimal downtime in case of a regional outage. Which AWS service should the team use to route traffic to the healthy region?

A. Amazon Route 53 with a failover routing policy and health checks on the primary ALB.
B. Elastic Load Balancing (ELB) cross-zone load balancing across regions.
C. AWS Global Accelerator with endpoint groups in both regions.
D. Amazon CloudFront with a multi-origin setup and origin failover.
Answer: A

Route 53 automatically responds to health check failures by routing to the secondary region.

Why this answer

Amazon Route 53 with a failover routing policy and health checks on the primary ALB is correct because it allows DNS-based routing that automatically directs traffic to the secondary region (us-west-2) when the primary ALB in us-east-1 is unhealthy. The health checks monitor the ALB endpoint, and upon failure, Route 53 returns the failover record's IP addresses, enabling multi-region failover with minimal downtime for stateless web applications.

Exam trap

The trap here is that candidates often confuse AWS Global Accelerator's traffic dials and endpoint weights with a true failover mechanism, but Route 53 failover routing is the only service that provides a binary, health-check-driven switch between primary and secondary regions for DNS-based traffic routing.

How to eliminate wrong answers

Option B is wrong because ELB cross-zone load balancing distributes traffic across instances within the same region, not across regions; it cannot route traffic between us-east-1 and us-west-2. Option C is wrong because AWS Global Accelerator uses anycast IPs and endpoint groups to route traffic to the nearest healthy endpoint, but it does not provide a failover routing policy that explicitly switches traffic to a secondary region only when the primary fails; it relies on endpoint health and traffic dials, which can cause partial traffic shifts rather than a clean failover. Option D is wrong because Amazon CloudFront with multi-origin and origin failover is designed for static content delivery and can fail over between origins, but it is not optimized for dynamic web application traffic behind an ALB and introduces additional latency and complexity for failover scenarios that require immediate DNS-level switching.

686
MCQ · medium

Refer to the exhibit. A DevOps engineer runs the above commands. The build project 'my-project' uses an S3 bucket as source and another S3 bucket for artifacts. The build fails with an 'Access Denied' error when trying to download the source code. What is the most likely cause?

A. The encryption key is a KMS key that the role cannot access
B. The service role does not have s3:GetObject permission on the source bucket
C. The source type is S3, but the project expects CodeCommit
D. The source location is incorrect
Answer: B

The role needs GetObject to download the source.

Why this answer

Option B is correct because the service role must have s3:GetObject permission on the source bucket. Option C is incorrect because the source type is S3, not CodeCommit. Option A is incorrect because the encryption key is the default S3 key, not a custom KMS key.

Option D is incorrect because the source bucket location is specified.

687
MCQ · easy

A company uses AWS OpsWorks for configuration management. They want to ensure that a custom recipe runs on all instances in a layer every 30 minutes. What should they do?

A. Set a custom Chef recipe with a cron schedule
B. Add the recipe to the 'Setup' lifecycle event
C. Add the recipe to the 'Deploy' lifecycle event
D. Add the recipe to the 'Configure' lifecycle event
Answer: A

OpsWorks allows you to run recipes on a schedule using cron.

Why this answer

OpsWorks allows you to configure custom Chef recipes to run on a schedule using the 'cron' setup in the layer's 'Recipes' configuration, so Option A is correct. Option B is incorrect because the 'Setup' lifecycle event runs only once when the instance boots.

Option D is incorrect because 'Configure' runs when instances enter or leave the stack. Option C is incorrect because 'Deploy' runs when you deploy an app.

688
MCQ · medium

A DevOps engineer is designing a configuration management solution for a fleet of EC2 instances. The instances are ephemeral and frequently replaced by an Auto Scaling group. The engineer needs to ensure that newly launched instances are automatically configured with the latest software packages and settings. Which AWS service should be used?

A. AWS CodeDeploy
B. AWS OpsWorks Stacks
C. AWS CloudFormation
D. AWS Systems Manager State Manager
Answer: D

State Manager enforces configuration on instances based on associations.

Why this answer

Option D is correct because AWS Systems Manager State Manager can associate a configuration with instances based on tags or resource groups, ensuring new instances are configured automatically. Option B (OpsWorks Stacks) is suited for long-lived instances. Option C (CloudFormation) is for infrastructure provisioning, not ongoing configuration.

Option A (CodeDeploy) is for deploying applications, not system configuration.

689
MCQ · hard

A company runs a critical web application on AWS. The application is deployed across multiple Availability Zones using an Application Load Balancer (ALB) with an Auto Scaling group of EC2 instances. The Auto Scaling group uses a launch template that specifies an Amazon Linux 2 AMI. The application stores session state in an ElastiCache Redis cluster. Recently, the operations team received alerts that the application is returning 503 errors intermittently. Investigation shows that the ALB target group health checks are failing for some instances, but those instances are still in service. The CloudWatch logs from the instances show that the application is running, but the health check endpoint is timing out after 5 seconds. The health check is configured with a 5-second timeout, 10-second interval, and 2 consecutive successes required to mark healthy. The DevOps engineer suspects that the issue is due to high CPU utilization on the instances causing the health check to respond slowly. The engineer wants to implement a solution that prevents the ALB from routing traffic to instances that are experiencing high CPU, and also automatically scales out to handle the increased load. What should the engineer do?

A. Configure the Auto Scaling group to use ELB health checks and set the health check grace period to 600 seconds.
B. Create a CloudWatch alarm on CPU utilization and use it to perform an EC2 action to stop the instance, and configure the Auto Scaling group to use a target tracking scaling policy based on CPU utilization.
C. Create a scheduled scaling action to add more instances during peak hours.
D. Increase the health check timeout to 10 seconds and the interval to 20 seconds to give instances more time to respond.
Answer: B

Stopping high CPU instances removes them from the ALB, and target tracking scaling adds capacity when needed.

Why this answer

Option B is correct because it addresses both the immediate issue (high CPU causing health check timeouts) and the scaling requirement. Stopping the instance via a CloudWatch alarm removes it from the ALB target group, preventing traffic routing to unhealthy instances. The target tracking scaling policy based on CPU utilization automatically adds instances when CPU is high, ensuring capacity matches demand.

Exam trap

The trap here is that candidates may think increasing health check timeout or grace period solves the problem, but AWS expects you to recognize that high CPU instances should be removed from service and replaced via scaling, not just given more time to respond.

How to eliminate wrong answers

Option A is wrong because increasing the health check grace period to 600 seconds only delays the start of health checks, but does not prevent traffic from being routed to instances with high CPU after the grace period ends; it also does not trigger scaling. Option C is wrong because a scheduled scaling action is reactive to time-based patterns, not to real-time CPU spikes, and does not address the immediate health check failures. Option D is wrong because increasing the health check timeout and interval only masks the symptom by allowing more time for slow responses, but does not remove unhealthy instances from service or scale out to handle load.

690
MCQ · medium

A company uses AWS CloudFormation to manage its infrastructure. The DevOps team wants to ensure that stack updates do not accidentally delete critical resources like a database. Which CloudFormation stack policy should they apply to protect the database resource?

A. Create a stack policy that denies delete actions on the logical resource ID of the database.
B. Apply an IAM policy that denies cloudformation:DeleteStack on the database.
C. Use an S3 bucket policy to deny deletion of the database snapshot.
D. Enable termination protection on the CloudFormation stack.
Answer: A

A stack policy can deny update or delete actions on specific resources within a stack.

Why this answer

Option A is correct because a CloudFormation stack policy allows you to define resource-level permissions that prevent specific resources (identified by their logical resource ID) from being updated or deleted during a stack update. By creating a policy that denies delete actions on the database's logical resource ID, the DevOps team ensures that even if the template or parameters change, the database resource cannot be accidentally removed.

Exam trap

The trap here is that candidates confuse termination protection (which prevents stack deletion) with resource-level protection during updates, leading them to choose option D instead of understanding that stack policies are needed for granular resource safeguards.

How to eliminate wrong answers

Option B is wrong because an IAM policy denying cloudformation:DeleteStack would block the entire stack deletion, not protect individual resources like a database during an update; it does not prevent resource-level deletion within an update. Option C is wrong because an S3 bucket policy controls access to S3 buckets and objects, not CloudFormation resources; database snapshots are not managed by S3 bucket policies in this context. Option D is wrong because termination protection only prevents the entire stack from being deleted, not individual resources from being replaced or removed during a stack update.
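As an added example (not code from the page), a small Python evaluator of CloudFormation stack-policy semantics run against a constructed policy that protects a hypothetical 'ProductionDatabase' logical ID. It assumes the documented rules: an explicit Deny overrides any Allow, and a resource that no statement allows stays protected.

```python
import fnmatch
import json

# Constructed stack policy (not from the page): allow every update action on
# every resource, then explicitly deny delete and replace on the hypothetical
# logical resource ID "ProductionDatabase".
STACK_POLICY = json.loads("""
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "Update:*",
      "Principal": "*",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": ["Update:Delete", "Update:Replace"],
      "Principal": "*",
      "Resource": "LogicalResourceId/ProductionDatabase"
    }
  ]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_matches(statement, action, logical_id, resource_type):
    """True when the statement's Action, Resource and optional Condition all cover the update."""
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(statement["Action"])):
        return False
    target = f"LogicalResourceId/{logical_id}"
    if not any(r == "*" or fnmatch.fnmatchcase(target, r) for r in _as_list(statement["Resource"])):
        return False
    # Stack policies may narrow a statement by ResourceType (StringEquals or StringLike).
    condition = statement.get("Condition", {})
    wanted_types = (_as_list(condition.get("StringEquals", {}).get("ResourceType", []))
                    + _as_list(condition.get("StringLike", {}).get("ResourceType", [])))
    if wanted_types and not any(fnmatch.fnmatchcase(resource_type, t) for t in wanted_types):
        return False
    return True


def is_update_allowed(policy, action, logical_id, resource_type=""):
    """Stack-policy evaluation: a matching Deny wins outright; otherwise at least one
    matching Allow is required, because a resource no statement allows is protected."""
    allowed = False
    for statement in policy.get("Statement", []):
        if not _statement_matches(statement, action, logical_id, resource_type):
            continue
        if statement["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def protected_from_delete(policy, logical_ids):
    """Logical IDs the policy shields from Update:Delete, which is the question's requirement."""
    return [lid for lid in logical_ids if not is_update_allowed(policy, "Update:Delete", lid)]


if __name__ == "__main__":
    print(protected_from_delete(STACK_POLICY, ["WebServerGroup", "ProductionDatabase"]))
    print(is_update_allowed(STACK_POLICY, "Update:Modify", "ProductionDatabase"))
```

Note that the Deny statement alone would protect every resource, since a stack policy with no Allow leaves all resources protected; the broad Allow is what keeps the rest of the stack updatable.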

691
MCQ · medium

A company's application running on EC2 instances behind an Application Load Balancer (ALB) is returning intermittent 504 errors. The instances are in an Auto Scaling group with a health check grace period of 300 seconds. What should the DevOps engineer check first to troubleshoot the issue?

A. Review the Auto Scaling group scaling policies.
B. Verify the target group health checks are passing.
C. Check security group rules for the ALB.
D. Check ALB access logs for target response times.
Answer: D

Helps identify slow responses from targets.

Why this answer

Option D is correct because 504 errors indicate the load balancer did not receive a response from the target within the idle timeout period. Checking the ALB access logs for target response times can confirm whether the backend is slow. Option B is wrong because if the target group health checks were failing, the instances would be replaced, but the issue is intermittent.

Option A is wrong because scaling policies affect capacity, not response times. Option C is wrong because security group rules would cause connection timeouts, not 504s.

692
MCQ · easy

A DevOps engineer is troubleshooting a Lambda function that processes S3 events. The function has been running successfully for months, but today it started timing out. The engineer checks CloudWatch Logs and sees 'Task timed out after 3.01 seconds' errors. The function is configured with a 3-second timeout. What should the engineer do to resolve the issue?

A. Increase the Lambda function reserved concurrency.
B. Increase the memory allocation for the Lambda function.
C. Increase the Lambda function timeout to 10 seconds.
D. Configure a dead-letter queue (DLQ) for the Lambda function.
Answer: C

Increasing the timeout directly resolves the timeout error.

Why this answer

Option C is correct because the function is timing out at the configured limit; raising the timeout (e.g., to 10 seconds) gives the function more time to complete. Option B is wrong because increasing memory may improve performance but does not directly address the timeout.

Option D is wrong because a DLQ only captures failed events; the issue is the function timing out. Option A is wrong because the function is timing out, not hitting a concurrency limit.

693
MCQ · medium

A DevOps engineer is designing a multi-Region active-active architecture for a stateless web application using Route 53 latency-based routing and DynamoDB global tables. The application must continue to serve traffic even if an entire AWS Region becomes unavailable. Which additional step is MOST critical for resilience?

A. Use an Auto Scaling group with a scheduled scaling policy
B. Enable DynamoDB Accelerator (DAX) in each Region
C. Place a CloudFront distribution in front of the application
D. Configure Route 53 health checks and associate them with the latency records
Answer: D

Health checks enable Route 53 to detect regional outages and failover.

Why this answer

Option D is correct because health checks are required for Route 53 to detect regional failures and route traffic away from unhealthy endpoints. Option C is wrong because CloudFront does not replace regional routing.

Options A and B are wrong because scheduled scaling and DAX do not address failover automation.

694
Multi-Select · easy

A company wants to enable AWS CloudTrail to log all API calls across multiple accounts in AWS Organizations. The security team requires that logs be encrypted at rest and that any unauthorized deletion of log files be prevented. Which TWO actions should the security team take? (Choose TWO.)

Select 2 answers
A. Create a trail in the management account that applies to all accounts in the organization.
B. Enable default encryption with SSE-S3 on the S3 bucket where CloudTrail delivers logs.
C. Configure CloudTrail to send logs to Amazon CloudWatch Logs and enable encryption using an AWS KMS key.
D. Enable S3 Object Lock on the destination S3 bucket to prevent log file deletion.
E. Enable CloudTrail Insights to detect unusual API activity.
Answers: A, D

A trail applied to the organization logs all accounts.

Why this answer

Option A is correct because an organization trail created in the management account ensures centralized logging for all accounts. Option D is correct because S3 Object Lock prevents deletion of log files. Option B is incorrect because SSE-S3 default encryption is not the intended control here; encryption with a KMS customer managed key requires the key to be created beforehand, not just enabled.

Option C is incorrect because CloudWatch Logs encryption uses KMS, not S3 SSE, and does not protect the delivered log files. Option E is incorrect because CloudTrail Insights detects unusual API activity; it does not address encryption at rest or deletion of log files.

695
MCQ · hard

An organization runs a critical application on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer. The application requires that all traffic be encrypted in transit. The security team mandates the use of TLS 1.2 or higher and specific ciphers. What is the MOST efficient way to enforce this requirement?

A. Use a Network Load Balancer with TLS listeners and target groups.
B. Place a CloudFront distribution in front of the ALB and configure the origin protocol policy.
C. Install a self-signed certificate on each EC2 instance and configure the web server.
D. Configure the ALB with a security policy that enforces TLS 1.2 and the required ciphers.
Answer: D

ALB security policies allow centralized control of TLS settings.

Why this answer

Option D is correct because the ALB supports a predefined security policy that can be set to require TLS 1.2 and specific ciphers. Option B is wrong because CloudFront is a CDN; it does not enforce the TLS policy on the backend ALB. Option A is wrong because, per this rationale, an NLB does not support TLS termination at the load balancer.

Option C is wrong because configuring each EC2 instance individually is inefficient and not centralized.

696
MCQ · hard

An organization uses AWS CloudFormation StackSets to deploy resources across multiple accounts and regions. They need to update a stack set with a new template version. The update fails in some accounts due to a resource conflict. What is the BEST way to resolve the conflict and complete the update?

A. Delete the stack set and recreate it with the new template.
B. Manually delete the conflicting resources in the failing accounts and retry the update.
C. Modify the CloudFormation template to ignore the conflicting resources using a condition.
D. Use the 'Skip accounts' option to temporarily exclude failing accounts, then fix and retry.
Answer: D

StackSets allows skipping specific accounts or regions during updates.

Why this answer

Option D is correct because StackSets allows skipping accounts or regions that fail, and the engineer can fix the conflict and retry later. Option B is incorrect because manual deletion may cause data loss. Option C is incorrect because changing the template may not resolve the conflict.

Option A is incorrect because recreating the stack set is disruptive.

697
Multi-Select · medium

A company wants to monitor and detect suspicious API activity across all AWS accounts in an organization. Which TWO services should be used together?

Select 2 answers
A. Amazon Inspector
B. AWS Config
C. Amazon CloudWatch Logs
D. AWS CloudTrail
E. Amazon GuardDuty
Answers: C, D

CloudWatch Logs can receive CloudTrail logs and create metric filters for suspicious activity.

Why this answer

Amazon CloudWatch Logs is correct because it can centrally aggregate and store API activity logs from all AWS accounts in an organization. When combined with AWS CloudTrail, which records API calls, CloudWatch Logs enables real-time monitoring and alerting on suspicious API patterns using metric filters and alarms.

Exam trap

The trap here is that candidates often pick GuardDuty (Option E) because it is a security service, but the question specifically asks for services to monitor and detect suspicious API activity, which requires the log capture and analysis capabilities of CloudTrail and CloudWatch Logs, not GuardDuty's threat detection, which consumes those logs as a downstream source.

698
MCQmedium

A DevOps team is troubleshooting a slow application. They enabled AWS X-Ray tracing and see that one of the downstream services has a high average response time. However, the traces show that the service itself is fast; the delay is in the network call from the upstream service. Which X-Ray feature should the team use to identify the root cause?

A.Examine the trace map to see the connection between services.
B.Add annotations to the traces for better filtering.
C.View the raw segments of the upstream service.
D.Adjust the sampling rules to capture more traces.
AnswerA

Correct: The trace map visualizes service connections and latency.

Why this answer

The trace map in AWS X-Ray provides a visual representation of the service graph, showing the connections and latency between services. Since the delay is in the network call from the upstream service to the downstream service, the trace map can highlight the specific edge where the high latency occurs, allowing the team to pinpoint whether the issue is due to network congestion, DNS resolution, or a slow HTTP connection. This is the most direct way to identify the root cause of the inter-service communication delay.

Exam trap

The trap here is that candidates might focus on the downstream service's segment (Option C) thinking the delay is inside that service, when the trace map is specifically designed to reveal inter-service communication latency that is not captured by individual segment durations.

How to eliminate wrong answers

Option B is wrong because annotations are key-value pairs added to traces for custom metadata filtering, not for diagnosing network latency between services. Option C is wrong because viewing raw segments of the upstream service would show the service's own processing time and subsegments, but the delay is in the downstream network call, which is captured as a subsegment of the upstream service's trace; however, the trace map is more efficient for visualizing the edge-level latency. Option D is wrong because adjusting sampling rules increases the number of traces captured but does not help identify the root cause of an existing latency issue in the network call.

699
MCQmedium

A company uses EC2 instances in an Auto Scaling group behind an ALB. The DevOps team receives alerts that the CPU utilization on the instances is consistently above 90% during peak hours. The Auto Scaling group is configured with a simple scaling policy that adds one instance when CPU exceeds 80% and removes one when below 30%. However, during sudden traffic spikes, the scaling policy reacts too slowly, causing performance degradation. The team wants to improve the scaling responsiveness without over-provisioning. What should the team do?

A.Increase the cooldown period for the simple scaling policy to allow more time for metrics to stabilize.
B.Replace the simple scaling policy with a step scaling policy that adds multiple instances when CPU exceeds 80%.
C.Create a scheduled scaling action to add instances before peak hours based on historical data.
D.Replace the simple scaling policy with a target tracking scaling policy based on average CPU utilization with a target value of 70%.
AnswerD

Target tracking continuously adjusts capacity to maintain the target metric, providing faster response to spikes.

Why this answer

Option D is correct because using a target tracking scaling policy with a lower target value (e.g., 70%) allows a more proactive scaling response, and the policy automatically adjusts based on the metric. Option C is wrong because scheduled scaling may not handle unpredictable spikes. Option A is wrong because increasing the cooldown would slow down scaling.

Option B is wrong because a step scaling policy can be more responsive than simple scaling, but target tracking is even simpler and more effective.

700
MCQeasy

A company uses AWS CodePipeline to deploy a static website to Amazon S3. The pipeline has a Source stage from CodeCommit and a Deploy stage that syncs the contents to an S3 bucket. The deployment fails intermittently with a 'BucketNotEmpty' error. What is the most likely cause?

A.The S3 bucket has versioning enabled, and the deploy action is trying to delete the bucket before syncing.
B.The source artifact from CodeCommit contains a 'delete' manifest that instructs S3 to remove all files.
C.The CodePipeline service role does not have permission to list the bucket contents.
D.The S3 bucket has a bucket policy that denies DeleteObject permissions.
AnswerA

When versioning is enabled, the bucket cannot be deleted until all versions are removed; the 'aws s3 sync' command may attempt to delete objects, but versioning causes issues.

Why this answer

Option A is correct because the error 'BucketNotEmpty' indicates the bucket has versioning enabled and the sync command does not delete previous versions. Option D is wrong because S3 bucket policies do not cause this error. Option C is wrong because CodePipeline does not enforce bucket deletion.

Option B is wrong because the source stage is unrelated to the bucket's state.

701
Multi-Selecteasy

A company wants to design a highly available and fault-tolerant architecture for a stateless web application on AWS. Which TWO actions should they take? (Choose two.)

Select 2 answers
A.Use a single large EC2 instance to simplify management
B.Deploy multiple Application Load Balancers in each AZ
C.Launch EC2 instances in at least two Availability Zones
D.Use an RDS Multi-AZ deployment for the web server fleet
E.Use an Auto Scaling group to replace failed instances automatically
AnswersC, E

Multiple AZs provide fault tolerance.

Why this answer

Deploying EC2 instances in multiple Availability Zones and using an Auto Scaling group ensures fault tolerance and high availability. Option A is wrong because a single instance in one AZ is not fault-tolerant. Option D is wrong because Multi-AZ is for RDS, not for web application instances.

Option B is wrong because a single ALB is sufficient; multiple ALBs are not needed.

702
MCQeasy

A company uses AWS Systems Manager to manage a fleet of EC2 instances. They need to run a script on all instances that have a specific tag 'Environment:Development'. Which Systems Manager capability should be used?

A.Inventory
B.Patch Manager
C.Run Command
D.State Manager
AnswerC

Run Command executes scripts on instances based on tags.

Why this answer

Option C is correct. Run Command allows you to remotely and securely run commands on instances. It can target instances by tags.

State Manager is for maintaining consistent state, Patch Manager for patching, and Inventory for collecting metadata. Run Command is the appropriate tool for ad-hoc script execution.

703
MCQmedium

A DevOps engineer runs the command above to retrieve CPU utilization for an EC2 instance, but gets no data points. The instance is running and has basic monitoring enabled. What is the most likely reason?

A.The dimension name should be 'InstanceId' with a different case.
B.The instance has basic monitoring disabled.
C.The period of 300 seconds is less than the minimum supported period.
D.The IAM user executing the command lacks 'cloudwatch:GetMetricStatistics' permission.
AnswerD

Without the proper permission, the API call returns no data.

Why this answer

Option D is correct: basic monitoring publishes metrics every 5 minutes (300 seconds), so a period of 300 seconds should work, yet the command returns no data points because the caller lacks the required permission. Option B is wrong because basic monitoring does publish CPUUtilization.

Option C is wrong because the period matches the default 5-minute interval. Option A is wrong because the command syntax, including the dimension name, is correct.

704
MCQmedium

An organization uses AWS Elastic Beanstalk to deploy a web application. They need to ensure that configuration changes (e.g., environment variables, instance types) are version-controlled and can be rolled back. Which approach meets these requirements?

A.Use AWS Systems Manager Parameter Store to store configuration values.
B.Create a custom script that uses the Elastic Beanstalk API to apply configuration and store the script in a Git repository.
C.Use Elastic Beanstalk saved configurations to capture environment settings and store the configuration files in a version control system.
D.Manually record all configuration changes in a spreadsheet.
AnswerC

Saved configurations capture settings and can be applied to any environment, enabling rollback.

Why this answer

Using saved configurations in Elastic Beanstalk allows capturing environment settings and later applying them to any environment, enabling version control and rollback. Option C is correct. Options A, B, and D do not provide version-controlled rollback of configuration.

705
Multi-Selectmedium

A company is using AWS CloudFormation to manage its infrastructure. The DevOps team wants to implement drift detection to identify resources that have been modified outside of CloudFormation. Which TWO of the following are correct statements about CloudFormation drift detection?

Select 2 answers
A.Drift detection is automatically performed every time the stack is updated.
B.Drift detection can be performed on nested stacks independently.
C.Drift detection automatically reverts any changes to the original template.
D.Drift detection can detect changes to resources such as security groups.
E.Drift detection can be performed on a stack at any time.
AnswersD, E

Drift detection works on supported resources like security groups.

Why this answer

Drift detection can detect changes to resources such as security groups because CloudFormation supports drift detection for a wide range of AWS resources, including EC2 security groups. When drift detection is performed, CloudFormation compares the current configuration of each supported resource in the stack with the expected configuration defined in the stack template. If a security group rule is added or removed outside of CloudFormation (e.g., via the AWS Console or CLI), drift detection will report that resource as drifted.

Exam trap

The trap here is that candidates often assume drift detection is automatic or can fix drift, but AWS explicitly requires manual initiation and only provides detection, not remediation.

706
MCQmedium

A company runs a stateful application on EC2 instances. They want to distribute traffic evenly and maintain session stickiness. Which AWS service should they use?

A.Network Load Balancer
B.Application Load Balancer with sticky sessions
C.Amazon Route 53 weighted routing policy
D.Amazon CloudFront with origin failover
AnswerB

ALB supports sticky sessions via cookies.

Why this answer

An Application Load Balancer with sticky sessions (session affinity) ensures that a client's requests are sent to the same target. Option A is wrong because Network Load Balancer does not natively support sticky sessions based on application cookies. Option C is wrong because Route 53 weighted routing does not handle session stickiness.

Option D is wrong because CloudFront can forward cookies but is not primarily for load balancing.

707
MCQmedium

A company uses AWS CloudTrail to log all API calls. During an incident investigation, a security engineer needs to identify who deleted an S3 bucket named 'critical-data' two days ago. Which approach will provide the necessary information?

A.Use AWS CloudTrail LookupEvents API to search for DeleteBucket events.
B.Check the AWS Management Console activity history.
C.Review the S3 access logs for the bucket.
D.Search CloudWatch Logs for 'DeleteBucket' events.
AnswerA

CloudTrail records DeleteBucket and LookupEvents can filter by event name and time.

Why this answer

Option A is correct because CloudTrail logs all API calls, including DeleteBucket, and the LookupEvents API can be used to search for events. The engineer can filter by event name and resource name. Option C is wrong because S3 access logs record object-level access, not bucket deletion.

Option D is wrong because CloudWatch Logs does not store CloudTrail events by default; they must be streamed. Option B is wrong because AWS Management Console activity is also logged in CloudTrail; the console itself does not track user actions.

708
MCQeasy

A company uses AWS CodeCommit for source control. Developers frequently push large binary files, causing the repository size to exceed the recommended limit. What is the most efficient way to manage this situation?

A.Increase the repository size limit in CodeCommit settings.
B.Use Git LFS (Large File Storage) and configure it to store binaries in S3.
C.Periodically run a script to remove large files from the commit history.
D.Use S3 directly for storing binaries and reference them in code.
AnswerB

Git LFS replaces large files with text pointers in the repository and stores the actual files in S3, keeping the repository lean.

Why this answer

Option B is best practice: use Git LFS to handle large files without bloating the repository. Option A is temporary. Option C is not efficient.

Option D is not a good practice.

709
Multi-Selectmedium

A DevOps engineer is designing a monitoring solution for a serverless application using AWS Lambda, Amazon API Gateway, and Amazon DynamoDB. The team needs to monitor for errors and latency. Which TWO actions should the engineer take to implement comprehensive monitoring? (Choose TWO.)

Select 2 answers
A.Enable DynamoDB Accelerator (DAX) to reduce latency.
B.Enable detailed billing metrics for cost analysis.
C.Configure CloudWatch Logs for DynamoDB.
D.Enable AWS X-Ray tracing on API Gateway and Lambda.
E.Set up CloudWatch Alarms on Lambda error count and API Gateway 5XX count.
AnswersD, E

Correct: X-Ray provides end-to-end tracing to identify latency and errors.

Why this answer

Option D is correct because AWS X-Ray provides end-to-end tracing for requests as they travel through API Gateway, Lambda, and DynamoDB, enabling the team to identify latency bottlenecks and errors across the entire serverless application. This is essential for comprehensive monitoring of distributed applications, as it captures detailed timing and error data for each component.

Exam trap

The trap here is that candidates may confuse performance optimization tools (like DAX) or cost monitoring (like billing metrics) with actual monitoring solutions, or assume that DynamoDB has native CloudWatch Logs support, when in fact it only emits metrics and requires X-Ray or CloudTrail for detailed request tracing.

710
MCQmedium

A company's security policy requires that all data stored in Amazon S3 must be encrypted at rest using server-side encryption with customer-managed keys (SSE-KMS). When uploading an object via the AWS CLI, which parameter must be included to enforce this?

A.--kms-key-id <key-id>
B.--sse AES256
C.--encryption aws:kms
D.--server-side-encryption aws:kms
AnswerD

This parameter enables SSE-KMS.

Why this answer

The --server-side-encryption parameter with value 'aws:kms' specifies SSE-KMS. Option D is correct. Option B is wrong because --sse with value 'AES256' is for SSE-S3.

Option A is wrong because --kms-key-id only specifies the key ID; encryption must still be enabled. Option C is wrong because --encryption is not a valid parameter.

711
MCQeasy

A company wants to centrally manage and apply policies across multiple AWS accounts in an AWS Organization. Which service should be used to define and enforce compliance rules?

A.AWS Organizations Service Control Policies (SCPs)
B.AWS Config rules
C.AWS CloudTrail
D.IAM policies
AnswerA

SCPs centrally control permissions across accounts.

Why this answer

AWS Organizations Service Control Policies (SCPs) are the correct choice because they centrally manage permissions across all accounts in an AWS Organization by defining maximum allowable permissions. SCPs act as a guardrail, restricting what member accounts can do, even if IAM policies within those accounts grant broader access. This makes SCPs the ideal service for enforcing compliance rules at the organization level.

Exam trap

The trap here is that candidates often confuse AWS Config rules (which detect non-compliance) with SCPs (which enforce compliance), leading them to choose Config instead of SCPs for policy enforcement.

How to eliminate wrong answers

Option B is wrong because AWS Config rules evaluate resource configurations for compliance against desired states, but they do not enforce or prevent actions; they only detect and report non-compliance. Option C is wrong because AWS CloudTrail records API activity for auditing and governance, but it cannot define or enforce policies—it is a logging service. Option D is wrong because IAM policies are attached to users, groups, or roles within a single account and cannot centrally manage permissions across multiple accounts in an AWS Organization.

712
MCQhard

A DevOps engineer creates the CloudFormation template shown in the exhibit. When the stack is created, the EC2 instance is launched but the security group is not applied to the instance. What is the likely cause?

A.The security group resource is missing a VpcId property, so it is not created in the same VPC as the instance.
B.The instance does not have a SecurityGroup or SecurityGroupIds property referencing the security group.
C.The security group is created after the instance, so the instance cannot reference it.
D.The DependsOn clause should be removed because it causes a circular dependency.
AnswerB

The instance properties must include SecurityGroupIds or SecurityGroups to attach the group; DependsOn only controls creation order.

Why this answer

Option B is correct because the template does not associate the security group with the instance; DependsOn only ensures creation order and does not attach the group. Option D is wrong because DependsOn does not automatically attach the group. Option A is wrong because the security group is created.

Option C is wrong because the security group is created first due to DependsOn, but it is still not attached.

713
MCQhard

A company runs a critical web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The application frequently experiences high latency during peak hours. The DevOps team needs to implement a solution that automatically adds capacity based on demand and reduces cost during off-peak hours. Which combination of AWS services should the team use?

A.Use an AWS Auto Scaling group with scheduled scaling policies that add instances during known peak hours and remove them during off-peak hours.
B.Implement Amazon Route 53 weighted routing policies to distribute traffic to multiple ALBs, each fronting a fixed set of EC2 instances.
C.Use an AWS Auto Scaling group with simple scaling policies based on CPU utilization and attach it to the ALB target group.
D.Use an AWS Auto Scaling group with target tracking scaling policies based on the ALB's request count per target, and attach it to the ALB target group.
AnswerD

This dynamically adjusts capacity based on actual load.

Why this answer

Option D is correct because target tracking scaling policies allow the Auto Scaling group to automatically adjust capacity based on a specific metric, such as ALB request count per target, which directly reflects the load on each instance. This ensures that capacity is added during high latency periods and removed during off-peak hours, optimizing both performance and cost. The ALB target group integration ensures that new instances are automatically registered and start receiving traffic.

Exam trap

The trap here is that candidates often choose scheduled scaling (Option A) because it seems straightforward for known peak hours, but they overlook the requirement to handle unpredictable high latency during peak hours, which demands a dynamic, metric-based scaling solution like target tracking.

How to eliminate wrong answers

Option A is wrong because scheduled scaling policies only add or remove instances at predefined times, which cannot react to real-time demand fluctuations or unexpected traffic spikes, leading to either over-provisioning or under-provisioning. Option B is wrong because Route 53 weighted routing policies distribute traffic across multiple ALBs but do not dynamically scale the underlying EC2 instances; each fixed set of instances would still suffer from high latency during peak hours. Option C is wrong because simple scaling policies based on CPU utilization require manual configuration of thresholds and cooldown periods, which can cause slow reaction to sudden load changes and may not directly correlate with application latency as effectively as request count per target.

714
MCQmedium

A company uses AWS Elastic Beanstalk to deploy a web application. The application requires a custom Amazon Machine Image (AMI) for its EC2 instances. The DevOps team updates the AMI monthly. What is the most efficient way to update the Elastic Beanstalk environment to use the new AMI?

A.Use the Elastic Beanstalk console to modify the launch configuration's AMI ID
B.Create a new Elastic Beanstalk environment with the new AMI and swap the environment URL
C.Use the AWS CLI command aws elasticbeanstalk update-environment with the new AMI ID
D.Update the CloudFormation template that manages the environment to reference the new AMI ID, and perform a stack update
AnswerD

This allows controlled updates with rollback capability.

Why this answer

Option D is correct because Elastic Beanstalk environments are built on AWS CloudFormation stacks. Updating the CloudFormation template that manages the environment to reference the new AMI ID and performing a stack update triggers a rolling or immutable update that replaces EC2 instances with the new AMI while preserving the environment configuration, DNS name, and other resources. This is the most efficient and supported method for updating the AMI in an existing environment without creating a new one.

Exam trap

The trap here is that candidates often assume they can directly update the AMI via the Elastic Beanstalk console or CLI commands like 'update-environment', but Elastic Beanstalk abstracts the underlying CloudFormation stack, and the only supported way to change the AMI for an existing environment is through a configuration file (.ebextensions) or by updating the CloudFormation template that manages the environment.

How to eliminate wrong answers

Option A is wrong because the Elastic Beanstalk console does not allow direct modification of the launch configuration's AMI ID; the console only exposes environment-level configuration options, and the AMI is managed through the platform or custom AMI settings in the environment configuration, not by editing the launch configuration directly. Option B is wrong because creating a new environment and swapping the URL is inefficient and introduces unnecessary complexity and potential downtime, as it requires provisioning a full new environment and then performing a DNS swap, which is not the most efficient approach for a routine monthly AMI update. Option C is wrong because the AWS CLI command 'aws elasticbeanstalk update-environment' does not accept an AMI ID parameter; it updates environment configuration settings (e.g., option settings) but cannot directly change the AMI used by the instances, as the AMI is tied to the platform version or custom AMI defined in the environment's configuration template.

715
MCQhard

A CodeDeploy deployment group is configured as shown in the exhibit. During a deployment, the deployment fails because the instances are not found. What is the MOST likely reason?

A.The deployment configuration 'CodeDeployDefault.AllAtOnce' is not compatible with in-place deployments
B.The EC2 instances do not have the tag 'Environment' with value 'Production'
C.The service role ARN is incorrect and does not have the necessary permissions
D.The load balancer 'my-alb' is not registered with the instances
AnswerB

The deployment group filters instances by tag; if no instances match, the deployment fails.

Why this answer

Option B is correct because the exhibit shows the deployment group is configured to match EC2 instances with the tag 'Environment' set to 'Production'. If the instances do not have this exact tag key-value pair, CodeDeploy cannot find them during the deployment, causing the failure. The error 'instances are not found' directly points to a tag mismatch, not to permissions or load balancer issues.

Exam trap

The trap here is that candidates often confuse 'instances not found' errors with permission or load balancer issues, but the error is a direct result of tag mismatch, which is the most common cause in CodeDeploy tag-based deployments.

How to eliminate wrong answers

Option A is wrong because 'CodeDeployDefault.AllAtOnce' is a valid deployment configuration that deploys to all instances simultaneously and is fully compatible with in-place deployments; the error is about instances not found, not about configuration incompatibility. Option C is wrong because an incorrect service role ARN or insufficient permissions would typically result in an 'access denied' or 'permission error', not an 'instances not found' error. Option D is wrong because the load balancer 'my-alb' not being registered with instances would cause health check or routing issues, but the deployment would still find the instances; the error specifically states instances are not found, indicating a tag or filter mismatch.

716
MCQhard

A company uses AWS CodeBuild to compile and test code. The buildspec.yaml includes a pre_build phase that runs 'aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin 123456789012.dkr.ecr.us-east-1.amazonaws.com'. The build fails with 'Error: Cannot connect to the Docker daemon'. What is the most likely cause?

A.The CodeBuild project does not have privileged mode enabled.
B.The region specified does not match the ECR repository region.
C.The Docker login command syntax is incorrect.
D.The AWS CLI is not installed in the CodeBuild environment.
AnswerA

Docker commands require privileged mode in CodeBuild.

Why this answer

Option A is correct because CodeBuild runs in a managed environment where the Docker daemon is only available if the compute type is set to a privileged mode (e.g., by setting 'privileged: true' in buildspec). Option C is wrong because the command is syntactically correct and the ECR login command itself is correct.

Option B is wrong because the region is specified.

717
MCQhard

A company uses AWS CodeCommit for source control and wants to enforce that all commits to the main branch are signed. The DevOps team has configured Git commit signing using GPG keys. However, some developers are able to push unsigned commits to main. What should the engineer do to enforce signed commits?

A.Set the 'requireSignedCommits' parameter in the repository configuration to 'true'.
B.Configure branch protection rules in IAM to deny push access to main unless the commit is signed.
C.Use an AWS CodeCommit trigger with an AWS Lambda function that validates commit signatures and rejects unsigned commits.
D.Create a repository policy that denies git push actions unless the condition 'codecommit:References' and 'codecommit:SourceIp' match.
AnswerC

Lambda can validate signatures and reject pushes via CodeCommit's ability to reject triggers.

Why this answer

Option C is correct because CodeCommit repository policies can require commit signing. Option A does not enforce signing. Option B is not a repository setting.

Option D is a CodeCommit feature for notifications, not enforcement.

718
MCQhard

A company runs a critical application on EC2 instances behind an Application Load Balancer. The application is deployed across three Availability Zones. The DevOps team uses AWS CloudFormation to manage the infrastructure. During a recent deployment, a stack update failed, and the stack entered a ROLLBACK_IN_PROGRESS state. However, the rollback also failed, leaving the stack in UPDATE_ROLLBACK_FAILED state. The engineer needs to restore the application to a working state. The stack includes an Auto Scaling group, an ALB, security groups, and a DynamoDB table. The DynamoDB table is defined with deletion protection enabled. The engineer is considering the following actions: A) ContinueUpdateRollback to retry the rollback, fixing the resource that caused the failure. B) Delete the stack and recreate it from the last known good template. C) Use CloudFormation's 'SignalResource' to manually complete the rollback. D) Manually update the resources to match the previous template, then resume the rollback. Which action should the engineer take?

A.Manually update the resources to match the previous template, then resume the rollback.
B.Use ContinueUpdateRollback to retry the rollback after fixing the resource that caused the failure.
C.Use CloudFormation's 'SignalResource' to manually complete the rollback.
D.Delete the stack and recreate it from the last known good template.
AnswerB

ContinueUpdateRollback is the correct procedure to resolve rollback failures.

Why this answer

Option B is correct because ContinueUpdateRollback is the designed method to resolve a rollback failure. The engineer can fix the underlying issue (e.g., DynamoDB deletion protection preventing table deletion) and then retry the rollback. Option D is wrong because deleting the stack would also delete the DynamoDB table (deletion protection may prevent deletion, causing further issues).

Option C is wrong because SignalResource is for signaling creation of resources, not for rollback. Option A is wrong because manually updating resources is error-prone and not recommended; ContinueUpdateRollback automates the process.

719
MCQeasy

A development team wants to ensure that their application can continue serving traffic even if an entire AWS Availability Zone (AZ) becomes unavailable. The application runs on Amazon EC2 instances in an Auto Scaling group and uses an Application Load Balancer (ALB). Which configuration should the team implement to meet this requirement?

A.Configure the Auto Scaling group to launch EC2 instances across multiple AZs, and ensure the ALB is enabled for cross-zone load balancing.
B.Use a launch template with multiple instance types to ensure diversity across the fleet.
C.Use a single AZ but configure EC2 Auto Scaling to replace unhealthy instances automatically.
D.Launch all EC2 instances in the same AZ to minimize latency, and configure the Auto Scaling group to maintain a minimum of two instances.
AnswerA

Multiple AZs provide resilience against AZ failure; cross-zone load balancing distributes traffic evenly.

Why this answer

Option A is correct because deploying EC2 instances across multiple Availability Zones (AZs) ensures that if one AZ fails, the remaining AZs continue to serve traffic. Enabling cross-zone load balancing on the ALB distributes incoming requests evenly across all healthy instances in all AZs, preventing traffic from being sent only to instances in the same AZ as the client. This architecture meets the requirement for high availability and fault tolerance at the AZ level.

Exam trap

The trap here is that candidates often confuse instance-level resilience (e.g., replacing unhealthy instances) with AZ-level resilience, or they think that multiple instances in a single AZ provide sufficient fault tolerance, ignoring the fact that an AZ failure takes down all instances in that AZ.

How to eliminate wrong answers

Option B is wrong because using multiple instance types in a launch template addresses instance diversity and spot instance interruption resilience, not AZ-level failure; it does not protect against an entire AZ becoming unavailable. Option C is wrong because using a single AZ means all instances are in one failure domain; even with automatic replacement, the application cannot serve traffic if that AZ fails, as the new instances would also be launched in the same unavailable AZ. Option D is wrong because launching all instances in the same AZ and maintaining a minimum of two instances does not provide AZ-level redundancy; if that AZ fails, all instances become unavailable, and the application cannot serve traffic.

720
MCQeasy

A DevOps engineer receives a CloudWatch alarm that the 'StatusCheckFailed' metric for an EC2 instance is in ALARM state. The instance is part of an Auto Scaling group. What should the engineer do first to restore service?

A.Update the Auto Scaling group's launch configuration
B.Wait for Auto Scaling to replace the instance
C.Manually terminate the instance
D.Reboot the instance
AnswerB

Auto Scaling will automatically terminate and launch a new instance.

Why this answer

Option B is correct because a failed status check indicates a system-level issue; once the instance is marked unhealthy, Auto Scaling terminates it and launches a replacement. Option D is wrong because rebooting may not fix the underlying issue. Option C is wrong because terminating the instance manually is unnecessary; Auto Scaling handles it.

Option A is wrong because updating the launch configuration (for example, to change the AMI) does not restore service immediately.

721
MCQmedium

A DevOps engineer runs these commands to investigate a failed CloudFormation stack creation. The stack status is ROLLBACK_COMPLETE and the most recent event shows CREATE_FAILED. What should the engineer do next to identify the root cause?

A.Run update-stack to recreate the stack and examine the error.
B.Run describe-stacks with additional query to get the StackStatusReason.
C.Run describe-stack-events with a filter to see the ResourceStatusReason for the CREATE_FAILED event.
D.Run delete-stack and recreate with debugging enabled.
AnswerC

The ResourceStatusReason field contains the error message.

Why this answer

Option C is correct because the stack events show the failure reason in the ResourceStatusReason field of the CREATE_FAILED event. Option A is wrong because the stack has already rolled back. Option B is wrong because describe-stacks does not show per-resource failure reasons.

Option D is wrong because the stack has already rolled back; deleting and recreating it discards the existing event history without identifying the root cause.

722
MCQeasy

A DevOps engineer is designing a resilient architecture for a serverless application using AWS Lambda, Amazon API Gateway, and Amazon DynamoDB. The application experiences occasional spikes in traffic that cause Lambda function throttling and increased error rates. What is the MOST effective way to improve resilience and reduce throttling?

A.Increase the Lambda function memory to the maximum allowed.
B.Enable DynamoDB auto scaling for the table to handle traffic spikes.
C.Set API Gateway throttling limits to match the expected peak traffic.
D.Reserve concurrency for the Lambda function to ensure it always has available capacity.
AnswerB

Auto scaling adjusts capacity to prevent throttling.

Why this answer

DynamoDB auto scaling adjusts the provisioned throughput (read/write capacity units) in response to traffic spikes, preventing throttling at the database layer that would cause Lambda retries and errors. This directly addresses the root cause of increased error rates when the table's capacity is exceeded, which is a common bottleneck in serverless architectures.

Exam trap

The trap here is that candidates often focus on Lambda concurrency or API Gateway throttling as the first line of defense, but the scenario's 'increased error rates' and 'spikes' point to a downstream dependency (DynamoDB) being overwhelmed, not the upstream request path.

How to eliminate wrong answers

Option A is wrong because increasing Lambda memory also increases CPU and network allocation, but it does not resolve throttling caused by DynamoDB capacity limits or Lambda concurrency limits; it only improves execution speed for compute-bound functions. Option C is wrong because setting API Gateway throttling limits to match expected peak traffic would cap requests at that level, rejecting legitimate traffic during spikes rather than improving resilience. Option D is wrong because reserving concurrency for the Lambda function guarantees a fixed number of concurrent executions, but if the DynamoDB table lacks sufficient capacity, those executions will still fail due to database throttling, and reserved concurrency can also waste capacity during low traffic.

723
MCQmedium

A DevOps engineer is troubleshooting an application that runs on Amazon EC2 instances behind an Application Load Balancer. Users report intermittent 503 errors. CloudWatch metrics for the ALB show an increase in 'HTTPCode_ELB_5XX_Count' but the backend 'HealthyHostCount' remains stable. Which action should the engineer take to identify the root cause?

A.Increase the size of the EC2 instances to handle more requests.
B.Enable detailed CloudWatch metrics on the EC2 instances to monitor CPU and memory.
C.Enable and review the ALB access logs stored in Amazon S3 to analyze the HTTP response codes and request patterns.
D.Increase the idle timeout setting on the ALB.
AnswerC

ALB access logs provide detailed information about each request, including response codes, timestamps, and request paths, enabling identification of the specific requests that are failing.

Why this answer

Option C is correct because the ALB access logs record the exact requests that are failing, allowing analysis of latency and error patterns. Option A is wrong because a larger instance size would only help if the backend were overloaded, and the healthy host count is stable. Option B is wrong because the backend is healthy, so the issue is more likely with the ALB configuration than with instance CPU or memory.

Option D is wrong because increasing the ALB's idle timeout does not identify the root cause; it only masks requests that take longer than the timeout.

724
MCQeasy

A DevOps team wants to run unit tests in parallel across multiple build environments using AWS CodeBuild. Which build specification configuration allows this?

A.Use multiple build phases in the buildspec file.
B.Configure multiple artifacts in the buildspec.
C.Define a batch build with multiple builds.
D.Set environment variables to run multiple commands concurrently.
AnswerC

Batch builds run multiple builds in parallel.

Why this answer

Option C is correct because AWS CodeBuild supports batch builds, which allow you to define a build project that runs multiple builds in parallel. By specifying a batch configuration in your buildspec file (using the `batch` section), you can run unit tests across multiple build environments simultaneously, improving test execution speed and resource utilization.

Exam trap

The trap here is that candidates confuse sequential build phases with parallel execution, or assume that environment variables or multiple artifacts can achieve parallelism, when only the batch build feature in CodeBuild provides true parallel builds across multiple environments.

How to eliminate wrong answers

Option A is wrong because multiple build phases (e.g., install, pre_build, build, post_build) run sequentially within a single build, not in parallel across multiple environments. Option B is wrong because configuring multiple artifacts in the buildspec defines output files from a single build, not parallel execution across environments. Option D is wrong because setting environment variables to run multiple commands concurrently does not enable parallel builds across separate environments; it only runs commands sequentially within the same build container.

725
Multi-Selectmedium

A company uses AWS Elastic Beanstalk to manage its web application. The DevOps team wants to customize the Amazon EC2 instances launched by Elastic Beanstalk. Which two methods can they use to achieve this? (Choose TWO.)

Select 2 answers
A.Use .ebextensions configuration files in the application source bundle to install packages and run commands.
B.Use AWS OpsWorks to manage the instances instead of Elastic Beanstalk.
C.Create a custom AMI and specify it in the Elastic Beanstalk environment configuration.
D.Add user data to the Auto Scaling group launch configuration that Elastic Beanstalk creates.
E.Modify the CloudFormation template generated by Elastic Beanstalk directly.
AnswersA, C

.ebextensions is the standard way to customize Elastic Beanstalk instances.

Why this answer

Option A is correct because `.ebextensions` configuration files allow you to customize the EC2 instances launched by Elastic Beanstalk by installing packages, running commands, and configuring services during instance provisioning. These YAML or JSON files are placed in the `.ebextensions` folder of your application source bundle and are executed by the Elastic Beanstalk platform as part of the instance initialization process, providing a native and supported customization mechanism.

Exam trap

The trap here is that candidates often think they can directly modify the Auto Scaling group's launch configuration or the CloudFormation template, but Elastic Beanstalk treats these as managed resources and will revert any manual changes, making `.ebextensions` and custom AMIs the only supported customization methods.

726
MCQmedium

A DevOps team manages AWS Lambda functions using the Serverless Application Model (SAM). They need to deploy a new version of a function that requires an increased memory allocation from 128 MB to 256 MB. The team updates the SAM template and runs sam deploy. The deployment succeeds, but the function's memory remains at 128 MB. What is the MOST likely reason?

A.The deployment triggered a rollback due to a health check failure.
B.AWS CodeDeploy is configured to control the update and requires manual approval.
C.The sam deploy command requires the --capabilities CAPABILITY_IAM flag to update memory.
D.The SAM CLI did not apply the change set because the stack policy does not allow updates to the Lambda function.
AnswerD

Stack policies can prevent updates to specific resources.

Why this answer

The SAM CLI does not automatically update function configuration on an existing stack (Option D). It uses a change set; if the user does not approve the changes, or if the stack policy prevents updates to the function, the configuration will not change. Option A (rollback) is not indicated by a successful deployment; Option B (CodeDeploy) controls traffic shifting, not configuration updates; Option C is wrong because a missing --capabilities flag would cause the deployment to fail with an error rather than succeed without applying the change.

727
Multi-Selectmedium

A company uses AWS CodePipeline for CI/CD. A recent pipeline execution failed at the 'Deploy' stage with the error 'Action execution failed: Access Denied'. The pipeline uses an IAM service role. Which THREE checks should the engineer perform to resolve this?

Select 3 answers
A.Check that CloudWatch Events rule is configured to trigger the pipeline.
B.Verify that the IAM service role has sufficient permissions to perform the deploy action on the target resource.
C.Ensure the artifact store S3 bucket has a bucket policy that allows the pipeline role to access it.
D.Enable S3 event notifications to trigger the pipeline on code changes.
E.Confirm that the service role's trust policy allows CodePipeline to assume the role.
AnswersB, C, E

Missing permissions cause access denied errors.

Why this answer

Option B is correct because the service role may lack permissions on the deployment target. Option C is correct because the artifact bucket must allow the pipeline role to read and write artifacts. Option E is correct because the role's trust policy must allow CodePipeline to assume it.

Option A is wrong because a CloudWatch Events rule is not required for the deploy action to succeed. Option D is wrong because S3 event notifications are not relevant to the deploy stage.

728
MCQmedium

A DevOps engineer is troubleshooting a failed CodeBuild project. The build fails with an error: 'Access Denied: Unable to put object to S3.' The build project has an S3 bucket as the artifact store. What should the engineer do to resolve this issue?

A.Add s3:PutObject permission to the CodeBuild service role for the artifact bucket.
B.Enable server-side encryption on the artifact bucket.
C.Enable CloudWatch Logs for the build project.
D.Add s3:GetObject permission to the CodeBuild service role for the source bucket.
AnswerA

The service role lacks write permission.

Why this answer

Option A is correct because the CodeBuild service role needs s3:PutObject permission on the artifact bucket. Option D is wrong because the issue is about writing artifacts, not reading the source. Option C is wrong because CloudWatch Logs is for build logs, not artifacts.

Option B is wrong because server-side encryption protects data at rest; it does not grant write permission.

729
MCQhard

A company uses Terraform to manage a multi-account AWS environment. The Terraform state files are stored in an S3 bucket with DynamoDB locking. Recently, a DevOps engineer ran 'terraform apply' from a CI/CD pipeline, and it failed with the error: 'Error acquiring the state lock. Lock ID: "abc123". Possible causes: Another process has the lock; or a previous process crashed.' The engineer checks DynamoDB and sees that the lock item exists but there is no active Terraform process. The engineer needs to proceed with the deployment urgently. What should the engineer do?

A.Use the 'terraform force-unlock' command with the lock ID to remove the lock.
B.Wait for the lock to expire automatically.
C.Delete the state file from S3 and recreate it from the last backup.
D.Manually delete the lock item from DynamoDB using the AWS Console.
AnswerA

Force-unlock is designed for this situation when no process holds the lock.

Why this answer

Option A is correct because force-unlock removes the stale lock item, allowing the pipeline to proceed. Option B is wrong because waiting is futile when no process holds the lock; Terraform locks do not expire on their own. Option C is wrong because deleting the state file would cause data loss.

Option D is wrong because manually deleting the lock item from DynamoDB is risky and unnecessary when force-unlock exists for this purpose.

730
MCQmedium

A company uses AWS CloudFormation to deploy infrastructure. The DevOps team wants to monitor the CloudFormation stack events to detect when stack creation or updates fail, and automatically send notifications to a Slack channel. The team has set up an Amazon SNS topic that sends messages to a Slack webhook via a Lambda function. Which solution should the team implement to trigger the SNS topic when a CloudFormation stack fails?

A.Use CloudWatch Logs Insights to query CloudFormation logs and set up a scheduled query to send results to SNS.
B.Configure the CloudFormation stack to send events to an SNS topic by specifying the topic ARN in the stack's notification options.
C.Enable AWS CloudTrail to log CloudFormation API calls and create a CloudWatch metric filter that detects failure messages, then trigger an alarm to SNS.
D.Create an Amazon EventBridge rule that matches CloudFormation API calls for CreateStack and UpdateStack with a status of CREATE_FAILED or UPDATE_FAILED, and set the target to the SNS topic.
AnswerB

CloudFormation can directly publish stack events to an SNS topic.

Why this answer

Option B is correct because CloudFormation publishes stack events to an SNS topic when the topic is specified as a notification ARN on the stack. The team can create an SNS topic, subscribe the Slack webhook Lambda function to it, and then specify that topic as the notification ARN when creating or updating the stack. This sends events directly to SNS.

Option D is wrong because CloudFormation does not send events to EventBridge by default; you would need to create a rule. Option C is wrong because CloudTrail logs API calls, but you would need additional setup. Option A is wrong because CloudWatch Logs Insights is for querying logs, not for real-time events.

731
MCQeasy

A DevOps engineer receives an alarm that an EC2 instance's CPU utilization has exceeded 90% for 5 minutes. The engineer needs to automatically recover the instance. Which AWS service should be used to configure automatic recovery?

A.Amazon CloudWatch Alarms
B.AWS Lambda
C.AWS Systems Manager Automation
D.EC2 Auto Scaling
AnswerA

CloudWatch alarms can initiate EC2 AutoRecovery by setting 'recover' action.

Why this answer

Amazon CloudWatch Alarms can be configured to trigger an EC2 instance recovery action when a metric like CPU utilization exceeds a threshold (e.g., 90% for 5 minutes). The alarm sends a signal to the EC2 service, which automatically recovers the instance by stopping it and starting it on a new underlying host, preserving the instance ID, private IP, and Elastic IP. This is the native, built-in mechanism for automatic instance recovery without requiring additional compute or orchestration services.

Exam trap

The trap here is that candidates often confuse EC2 Auto Scaling (which replaces instances) with automatic recovery (which recovers the same instance), or they overcomplicate the solution by choosing Lambda or Systems Manager when a simple CloudWatch Alarm action is the correct and native AWS mechanism.

How to eliminate wrong answers

Option B is wrong because AWS Lambda is a serverless compute service that can execute custom code in response to events, but it is not the direct service used to configure automatic EC2 instance recovery; while Lambda could be used to script a recovery, it adds unnecessary complexity and latency compared to the native CloudWatch Alarm recovery action. Option C is wrong because AWS Systems Manager Automation provides runbooks for automated remediation and operational tasks, but it is not the primary service for configuring automatic EC2 instance recovery; it would require additional setup and is not the simplest or recommended approach. Option D is wrong because EC2 Auto Scaling is designed to manage the number of instances in an Auto Scaling group based on scaling policies, not to recover a specific impaired instance; it would terminate and replace the instance rather than recover it, which changes the instance ID and associated resources.

732
Multi-Selecteasy

A DevOps team is designing a centralized logging solution for multiple AWS accounts. The team needs to collect logs from EC2 instances, Lambda functions, and VPC Flow Logs, and store them in a central account for analysis. The solution must be cost-effective and support near real-time log aggregation. Which THREE steps should the team take? (Choose three.)

Select 3 answers
A.Configure VPC Flow Logs to deliver to a Lambda function in each account, which forwards logs to the central account.
B.Deliver logs from the central account's CloudWatch Logs to Amazon Kinesis Data Firehose, which writes to Amazon S3.
C.Use Amazon OpenSearch Service to index and search the logs in near real time.
D.Use Amazon Athena to query the logs stored in S3 for analysis.
E.Use CloudWatch cross-account subscription to stream logs from source accounts to a central account's CloudWatch Logs.
AnswersB, D, E

Kinesis Data Firehose provides near real-time delivery to S3 at low cost.

Why this answer

Options B, D, and E are correct. A CloudWatch cross-account subscription streams logs from the source accounts to the central account (Option E). Kinesis Data Firehose buffers and delivers the logs to S3 at low cost (Option B).

Athena queries the logs in S3 efficiently (Option D). Option A is wrong because VPC Flow Logs can be delivered to S3 or CloudWatch Logs, but not directly to a Lambda function, and per-account forwarding functions do not support near real-time aggregation. Option C is wrong because OpenSearch is more expensive and is not necessary for cost-effective storage and analysis.

733
MCQmedium

A DevOps engineer is creating a CodePipeline service role. The above IAM policy is attached to the role. The pipeline fails when trying to download artifacts from the S3 bucket. What is the issue?

A.The Resource for S3 actions should be the bucket ARN, not the object ARN.
B.The policy is missing s3:ListBucket permission on the bucket.
C.The CodeDeploy actions require a specific resource ARN instead of '*'.
D.The Action list is missing s3:GetObjectVersion.
AnswerB

ListBucket is required to list objects in the bucket.

Why this answer

The policy allows s3:GetObject on the objects in the bucket, but it does not allow s3:ListBucket on the bucket itself. CodePipeline needs to list objects in the bucket to find the artifact. Option B is correct.

734
MCQeasy

A developer wants to provision AWS resources using AWS Cloud Development Kit (CDK) and ensure that the infrastructure can be version-controlled and reviewed. Which practice should they follow?

A.Write the CDK app and deploy directly without synthesis to avoid extra steps.
B.Write the CDK app to generate Terraform configurations and store them in Git.
C.Write raw CloudFormation templates instead of CDK to simplify version control.
D.Write the CDK app in TypeScript, store it in a Git repository, and use CDK pipelines for deployment.
AnswerD

This is the recommended approach for version control and review.

Why this answer

Option D is correct because CDK apps should be written in a supported programming language, synthesized to CloudFormation templates, and deployed. Keeping the source code in version control enables review. Option B is wrong because CDK does not generate Terraform.

Option A is wrong because CDK apps are not deployed directly; they are synthesized first. Option C is wrong because CDK does not require hand-written templates; it generates them.

735
Multi-Selectmedium

A company is designing an incident response strategy for its Amazon EKS cluster. Which THREE steps should be taken to ensure rapid response to a compromised pod?

Select 3 answers
A.Delete the entire namespace to ensure all resources are removed.
B.Scale down the deployment to 0 replicas.
C.Delete the pod using kubectl delete pod.
D.Use kubectl exec to gather forensic data from the pod before termination.
E.Apply a Kubernetes NetworkPolicy to deny all ingress/egress traffic to the compromised pod.
AnswersC, D, E

Terminating the pod stops the compromise.

Why this answer

Option E is correct because a NetworkPolicy can isolate the pod. Option D is correct because executing commands in the pod helps gather forensic data before it is destroyed. Option C is correct because terminating the pod stops the compromise.

Option A is wrong because deleting the namespace would affect other resources. Option B is wrong because scaling down the deployment might not be immediate enough.

736
MCQmedium

An organization uses AWS Elastic Beanstalk to deploy a Node.js application. The application requires access to an Amazon RDS database. The database credentials are stored in AWS Secrets Manager. How should the Elastic Beanstalk environment be configured to securely retrieve the database credentials at runtime?

A.In the Elastic Beanstalk environment properties, set the database password to the ARN of the secret in Secrets Manager.
B.Configure the Elastic Beanstalk environment to use the Amazon RDS integration feature, and select the option to retrieve credentials from Secrets Manager in the environment's software configuration.
C.Use a configuration file (.ebextensions) to define an option setting that retrieves the secret from Secrets Manager and sets it as an environment variable.
D.Modify the EC2 instance profile of the Elastic Beanstalk environment to grant read access to the Secrets Manager secret, and use the AWS CLI in the application code to retrieve the secret.
AnswerC

Elastic Beanstalk supports using .ebextensions to define environment variables from Secrets Manager using the 'aws:elasticbeanstalk:environment' option settings.

Why this answer

Option C is correct because it uses an .ebextensions configuration file to define a command or script that retrieves the secret from AWS Secrets Manager at deployment time and sets it as an environment variable. This approach ensures the secret is fetched securely via the AWS SDK or CLI, using the instance profile for permissions, and avoids hardcoding credentials in environment properties or application code. It aligns with AWS best practices for dynamic secret retrieval in Elastic Beanstalk.

Exam trap

The trap here is that candidates often assume the RDS integration feature or environment properties can directly reference Secrets Manager ARNs, but Elastic Beanstalk does not natively resolve secrets from ARNs; only explicit retrieval via .ebextensions or custom scripts works.

How to eliminate wrong answers

Option A is wrong because setting the database password to the ARN of the secret in Secrets Manager does not cause Elastic Beanstalk to automatically retrieve the secret value; the ARN is just a reference string, not the actual credential. Option B is wrong because the Amazon RDS integration feature in Elastic Beanstalk does not support selecting an option to retrieve credentials from Secrets Manager; it only creates and manages an RDS instance with credentials stored in plaintext environment properties. Option D is wrong because while modifying the instance profile to grant read access to Secrets Manager is necessary, using the AWS CLI in application code to retrieve the secret at runtime is not a configuration-driven approach and introduces unnecessary complexity and latency; the recommended pattern is to retrieve the secret during environment setup via .ebextensions.

737
MCQmedium

A company uses AWS CodeCommit as a Git repository and CodeBuild for continuous integration. The buildspec.yml file includes steps to run unit tests and package the application. The team wants to ensure that only code from the main branch is deployed to production. They have set up a CodePipeline that triggers on changes to any branch. The pipeline includes a build stage that runs CodeBuild, and then a deploy stage that deploys to production. The team noticed that code from feature branches is being deployed to production accidentally. The team wants to modify the pipeline to prevent this. What is the MOST effective solution?

A.Use IAM policies to restrict developers from pushing to the main branch.
B.In the CodePipeline source stage, configure the branch filter to only allow the main branch to trigger the pipeline.
C.Add a manual approval step before the deploy stage and require approval from a senior engineer.
D.Modify the CodeBuild project to only build the main branch by specifying the branch in the source configuration.
AnswerB

Branch filtering at the source stage prevents the pipeline from starting for non-main branches.

Why this answer

Option B is correct because a branch filter on the source stage that triggers only on the main branch ensures that feature branch changes never start the pipeline. Option A is wrong because restricting IAM permissions for developers does not prevent the pipeline from triggering on feature branches if it is configured to do so. Option C is wrong because a manual approval step prevents unintended deployments but still triggers the pipeline, wasting resources.

Option D is wrong because configuring the branch in the build stage does not stop the pipeline from being triggered by feature branches.

738
MCQeasy

A DevOps team is designing a disaster recovery plan for an RDS MySQL database. The database must be recoverable with minimal data loss in case of a regional failure. Which solution provides the LOWEST Recovery Point Objective (RPO)?

A.Configure a Cross-Region Read Replica.
B.Take daily automated snapshots and copy them to another Region.
C.Use a Multi-AZ deployment with synchronous standby.
D.Use RDS Proxy to cache database writes.
AnswerA

Replication is continuous, so the RPO is measured in seconds.

Why this answer

Cross-Region Read Replicas provide asynchronous replication with a typical RPO of seconds, offering minimal data loss.

739
MCQhard

A large enterprise uses AWS CodePipeline with multiple stages including source, build, test, and deploy. The test stage runs a suite of integration tests that take 30 minutes. The team wants to reduce the overall pipeline execution time by running the test stage in parallel across different test environments (e.g., different browsers, operating systems). However, they also need to aggregate the test results into a single report. Which approach should they use?

A.Create separate pipelines for each test environment
B.Create a sequential test stage that runs each environment one after another
C.Use CodeBuild batch builds with a single buildspec to run tests in parallel
D.Configure parallel actions in the test stage and use a custom action to aggregate results
AnswerD

Parallel actions reduce time, and a custom Lambda or CodeBuild action can aggregate the reports.

Why this answer

CodePipeline supports parallel actions within a stage. You can define multiple test actions (e.g., one for each browser) and run them in parallel. To aggregate results, use a post-test action that runs after all parallel actions complete, or use a custom report generation step.

Option D is correct. Option B (sequential) increases time. Option A (separate pipelines) adds complexity.

Option C (batch builds) runs parallel builds within CodeBuild, but it does not address aggregating results across different test environments.

740
MCQeasy

A development team uses AWS CodeBuild to run unit tests on every commit to the develop branch. The tests take a long time because they download dependencies each time. What should the team do to reduce build time?

A.Enable the local cache feature in CodeBuild.
B.Store dependencies in Amazon Elastic File System (EFS) and mount it during builds.
C.Increase the compute type of the build environment.
D.Use multiple builds in parallel for the same commit.
AnswerA

Caching dependencies reduces download time.

Why this answer

Option A is correct because enabling the local cache in CodeBuild allows dependencies to be cached across builds, reducing download time. Option C is wrong because increasing compute resources may help but not as effectively as caching. Option D is wrong because parallel builds do not reduce a single build's time.

Option B is wrong because Amazon EFS adds network latency; the local cache is better.

741
Multi-Selectmedium

A company runs a critical application on EC2 instances behind an Application Load Balancer (ALB) in an Auto Scaling group. The team wants to automate the response to an instance failure. Which THREE steps should be taken to ensure automatic recovery and notification?

Select 3 answers
A.Create a CloudWatch alarm to terminate the instance
B.Configure Auto Scaling to replace unhealthy instances
C.Configure the ALB health check to mark instances as unhealthy
D.Set up Amazon SNS notifications for Auto Scaling events
E.Create a scaling policy based on CPU utilization
AnswersB, C, D

Auto Scaling can automatically terminate and launch instances based on health checks.

Why this answer

Option B is correct because Auto Scaling terminates and replaces unhealthy instances. Option D is correct because SNS notifications report Auto Scaling events. Option C is correct because the ALB health check marks failing instances as unhealthy so that Auto Scaling can act on them.

Option E is wrong because scaling policies adjust capacity but do not handle individual instance failures. Option A is wrong because, while a CloudWatch alarm can terminate instances, Auto Scaling already handles replacement.

742
MCQhard

A Lambda function is unable to write logs to CloudWatch Logs. The IAM policy attached to the function's execution role is shown above. What is the issue?

A.The resource ARN is incorrect; it should include the log stream name.
B.The region in the ARN does not match the Lambda function's region.
C.The action should be 'logs:PutLogEvents' but the resource is too restrictive.
D.The policy is missing the 'logs:CreateLogGroup' and 'logs:CreateLogStream' actions.
AnswerD

Lambda needs to create the log group and stream before writing events.

Why this answer

Option D is correct because the policy grants permission to put log events but does not include the permissions needed to create log groups and log streams. The Lambda function needs the 'logs:CreateLogGroup' and 'logs:CreateLogStream' actions. Option A is wrong because the resource ARN is valid.

Option B is wrong because the region matches. Option C is wrong because the action 'logs:PutLogEvents' is correct for writing logs.

743
MCQ · easy

A DevOps engineer needs to allow an AWS Lambda function to write logs to Amazon CloudWatch Logs. What should the engineer do?

A.Attach an IAM role to the Lambda function's instance profile.
B.Attach an IAM policy to the Lambda execution role that allows logs:CreateLogGroup, logs:CreateLogStream, and logs:PutLogEvents.
C.Generate an access key for the Lambda function and configure the function to use it.
D.Create a resource-based policy on the CloudWatch Logs log group that allows the Lambda function to write.
Answer: B

The execution role is the standard way to grant permissions to a Lambda function.

Why this answer

Option B is correct because Lambda functions assume an IAM role (the execution role) that grants their permissions. Option C is wrong because Lambda functions do not use access keys. Option A is wrong because Lambda functions do not have instance profiles.

Option D is wrong because resource-based policies are for cross-account access, not for granting a Lambda function write access to CloudWatch Logs.

744
MCQ · medium

A company runs a high-traffic e-commerce application on EC2 instances in an Auto Scaling group behind an ALB. The application uses an in-memory cache on the EC2 instances. During a recent deployment, the Auto Scaling group terminated an instance that had active user sessions, causing users to lose their cart data and leading to a poor customer experience. The company wants to prevent this in future deployments. They need a solution that allows existing sessions to complete before instance termination, without manual intervention. Which solution should they use?

A.Increase the Auto Scaling group's cooldown period and health check grace period.
B.Enable connection draining on the ALB target group and increase the deregistration delay.
C.Implement an Auto Scaling lifecycle hook that puts the instance in a 'terminating:wait' state, and have a script on the instance that signals completion after draining sessions.
D.Change the health check type to ELB and mark instances unhealthy before deployment.
Answer: C

Lifecycle hooks enable custom actions before termination, allowing session draining.

Why this answer

Option C is correct because lifecycle hooks allow the Auto Scaling group to wait for a specified timeout before terminating an instance, giving the application time to drain sessions. Option B is incorrect because connection draining on the ALB only handles in-flight HTTP connections, not application-level session state. Option A is incorrect because increasing the cooldown period does not delay termination.

Option D is incorrect because changing the health check type does not prevent immediate termination.

745
MCQ · medium

A DevOps engineer needs to monitor the number of messages in an Amazon SQS queue and trigger an auto scaling action when the queue depth exceeds a threshold. Which combination of services should be used?

A.Amazon CloudWatch Logs and Amazon EC2 Auto Scaling
B.Amazon CloudWatch and Amazon EC2 Auto Scaling
C.Amazon EventBridge and Amazon EC2 Auto Scaling
D.Amazon SQS and AWS Lambda
Answer: B

CloudWatch monitors the SQS queue depth, and a CloudWatch alarm triggers the auto scaling policy.

Why this answer

Option B is correct because CloudWatch can monitor the ApproximateNumberOfMessagesVisible metric from SQS, and a CloudWatch alarm can trigger an auto scaling policy based on that metric. Option D is wrong because SQS does not directly invoke Lambda for scaling. Option C is wrong because EventBridge can capture SQS events but is not the standard way to trigger auto scaling.

Option A is wrong because CloudWatch Logs does not directly trigger auto scaling.

746
MCQ · easy

A DevOps team is implementing infrastructure as code using AWS CloudFormation. They need to ensure that the stack can be updated to modify a resource's property that requires replacement. Which CloudFormation stack policy should they use?

A.No stack policy, or a policy that allows updates to all resources.
B.A stack policy with an AllowAll statement.
C.A stack policy with a DenyAll statement.
D.A stack policy that explicitly denies updates to the resource.
Answer: A

By default all updates are allowed; a stack policy can only restrict them.

Why this answer

Option A is correct because CloudFormation stack policies are designed to prevent accidental updates to critical resources, not to block updates that require replacement. By default, if no stack policy is applied, all resources can be updated, including those that require replacement. A policy that allows updates to all resources (or no policy) is necessary to permit a stack update that modifies a property requiring resource replacement, as the replacement process involves creating a new resource and deleting the old one, which is a valid update action.

Exam trap

The trap here is that candidates confuse stack policies with IAM policies or assume that any policy statement (like AllowAll) is valid, when in fact CloudFormation stack policies require specific Effect, Action, and Resource keys, and the default behavior (no policy) already allows all updates, including replacement.

How to eliminate wrong answers

Option B is wrong because an AllowAll statement is not a valid CloudFormation stack policy construct; stack policies use Effect, Action, and Resource statements, and an 'AllowAll' statement does not exist in the CloudFormation policy language. Option C is wrong because a DenyAll statement would block all update operations, including the replacement update, which is the opposite of what is needed. Option D is wrong because explicitly denying updates to the resource would prevent any modification, including replacement, making it impossible to perform the required stack update.

747
MCQ · hard

Refer to the exhibit. A DevOps engineer runs this query to investigate a spike in errors. What is the most likely interpretation?

A.The error rate is increasing sharply in the last 15 minutes.
B.The error rate is decreasing over time.
C.The error rate is stable with no significant change.
D.The query is incorrectly filtering log streams.
Answer: A

Correct; the count jumps from 1 to 12 in the most recent bins.

Why this answer

The query counts ERROR messages per 5-minute bin for a specific log stream. The output shows a clear increasing trend from 1 to 12 errors over the last 20 minutes, indicating a recent escalation of errors.

748
Multi-Select · easy

A company wants to protect its application from DDoS attacks. Which THREE AWS services should they use?

Select 3 answers
A.Amazon Inspector
B.AWS WAF
C.AWS Shield Advanced
D.Amazon CloudFront
E.Amazon GuardDuty
Answers: B, C, D

WAF filters malicious web traffic.

Why this answer

AWS Shield Advanced, WAF, and CloudFront provide layered DDoS protection.

749
MCQ · hard

A company is migrating from Jenkins to AWS CodeBuild. They have hundreds of Jenkins jobs that run on a schedule. Some jobs take hours and must not overlap. What is the most efficient way to migrate these jobs to CodeBuild while ensuring no overlapping builds?

A.Create a buildspec file that includes a sleep command to stagger start times.
B.Configure the CodeBuild project with a concurrent build limit of 1.
C.Set up a separate CodeBuild project for each job and use a custom retry policy.
D.Use Amazon CloudWatch Events to trigger a Lambda function that checks the build status before starting a new build.
Answer: D

Lambda can check and prevent overlapping builds.

Why this answer

Option D is correct because a scheduled CloudWatch Events rule can trigger a Lambda function that checks whether a previous build is still running (using the CodeBuild API) before starting a new one. Option A is wrong because the buildspec does not control scheduling or concurrency. Option C is wrong because separate projects can still run concurrently; the overlap problem is within the same job.

Option B is wrong because there is no built-in queue for builds of the same project; the check must be implemented.

750
MCQ · easy

An organization needs to audit all AWS API calls made in their account for compliance purposes. Which AWS service should they enable?

A.Amazon CloudWatch Logs
B.AWS Config
C.AWS CloudTrail
D.Amazon GuardDuty
Answer: C

Records API calls for auditing.

Why this answer

Option C is correct because AWS CloudTrail records API activity. Option A is wrong because CloudWatch Logs stores logs but does not record API calls. Option B is wrong because AWS Config tracks resource configuration changes, not API calls.

Option D is wrong because Amazon GuardDuty is a threat detection service.
