AWS Certified DevOps Engineer Professional DOP-C02 (DOP-C02) — Questions 751825

1740 questions total · 24pages · All types, answers revealed

Page 10

Page 11 of 24

Page 12
751
MCQeasy

A DevOps engineer is troubleshooting a Lambda function that times out after 3 seconds. The function makes an HTTP request to an external API. The function's timeout setting is 10 seconds. What is the most likely cause of the timeout?

A.The external API is throttling the request.
B.The HTTP client's timeout is set to a low value.
C.The Lambda function is not in a VPC.
D.The Lambda function's memory is insufficient.
AnswerB

Default HTTP client timeout is often 3 seconds; needs to be increased.

Why this answer

The Lambda function times out after exactly 3 seconds, which is a common default HTTP client timeout (e.g., 3 seconds in the Node.js `http` module or Python `requests` library). Even though the Lambda function's configured timeout is 10 seconds, the HTTP client's internal timeout fires first, causing the function to fail before the Lambda timeout is reached. This is the most likely cause because the symptom matches a client-side timeout rather than a server-side or infrastructure issue.

Exam trap

The trap here is that candidates assume the Lambda function's configured timeout (10 seconds) is the only timeout that matters, overlooking that application-level timeouts (like HTTP client timeouts) can fire independently and cause earlier failures.

How to eliminate wrong answers

Option A is wrong because external API throttling would typically return an HTTP 429 status code or cause a slower response, not a consistent 3-second timeout; the function would still wait for the response up to the Lambda timeout. Option C is wrong because not being in a VPC actually reduces network latency and complexity (Lambda uses the public internet by default), so it would not cause a timeout; VPC-related timeouts usually occur when the function is in a VPC without a NAT gateway or proper routing. Option D is wrong because insufficient memory would cause out-of-memory errors or slower execution, not a consistent 3-second timeout; memory affects CPU allocation but does not directly trigger a timeout at a specific second.

752
MCQeasy

A startup is using AWS CodeCommit to store their application code. They have set up a CI/CD pipeline with AWS CodePipeline and AWS CodeBuild. The pipeline consists of a source stage from CodeCommit, a build stage using CodeBuild, and a deploy stage using AWS CodeDeploy to deploy to an Auto Scaling group of EC2 instances. Recently, a developer committed code that introduced a critical bug, and the pipeline automatically deployed the bug to production, causing an outage. The team wants to implement a manual approval step before production deployment. They also want to ensure that the approval step is only required for deployments to the production environment, not for development or testing. Which solution should they implement?

A.Add a manual approval action in the CodePipeline pipeline before the production deployment stage. Configure the approval to require a designated approver.
B.Configure the CodeDeploy deployment group to require approval before deploying to any instance.
C.Use Amazon Simple Notification Service (SNS) to send a notification to the team and have them manually stop the pipeline if needed.
D.Use Amazon CloudWatch Events to trigger an AWS Lambda function that sends an approval request via email and pauses the pipeline until approved.
AnswerA

Manual approval actions in CodePipeline allow a human to approve before deployment.

Why this answer

Option A is correct because CodePipeline supports manual approval actions that can be added as a stage before production deployment. By configuring separate pipelines or stages for different environments, the approval step can be limited to production. Option B is wrong because CodeDeploy does not have approval workflows.

Option C is wrong because CloudWatch Events does not provide manual approval. Option D is wrong because SNS is for notifications, not approvals.

753
MCQmedium

A company uses Amazon RDS for MySQL. The database performance has degraded, and the engineer suspects that slow queries are the cause. Which service should be used to identify and analyze the slow queries?

A.Amazon RDS Performance Insights
B.Amazon CloudWatch Metrics
C.Amazon CloudWatch Logs
D.AWS X-Ray
AnswerA

Performance Insights provides a detailed view of database load and slow queries.

Why this answer

Amazon RDS Performance Insights is the correct service because it provides a database-specific performance schema that visualizes database load and identifies the exact SQL queries causing performance degradation. It integrates directly with RDS for MySQL, offering a dashboard that breaks down wait events, SQL text, and host-level metrics, making it the ideal tool for analyzing slow queries.

Exam trap

The trap here is that candidates may confuse CloudWatch Logs (which can store slow query logs) with a native analysis tool, overlooking that Performance Insights provides immediate, built-in visualization and query-level analysis without requiring custom log parsing.

How to eliminate wrong answers

Option B is wrong because Amazon CloudWatch Metrics provides aggregated performance metrics like CPU utilization and IOPS, but it does not capture individual SQL query text or detailed database wait event analysis needed to identify slow queries. Option C is wrong because Amazon CloudWatch Logs can store MySQL slow query logs if configured, but it requires manual setup and does not provide built-in visualization or analysis of query performance; it is a log storage service, not an analysis tool. Option D is wrong because AWS X-Ray is designed for tracing distributed application requests and debugging microservices, not for analyzing database query performance or slow SQL statements.

754
MCQmedium

An organization uses AWS CodePipeline with a multi-branch strategy. They want to run unit tests on every push to any branch, but only deploy to production on pushes to the 'main' branch. What is the most efficient way to achieve this?

A.Configure a single pipeline with a source action that triggers on all branches, then use a 'branch' condition on the deployment stage to only proceed if the branch is 'main'.
B.Use a single pipeline with a source action that triggers on all branches, and deploy to a test environment for all branches, then promote to production manually.
C.Create separate pipelines for each branch, each with its own test and deploy stages.
D.Use a single pipeline with a source action that only triggers on the 'main' branch, and run tests in a separate system.
AnswerA

This uses one pipeline and conditions to control deployment, minimizing overhead.

Why this answer

Option B is correct because using a single pipeline with a branch filter on the source action triggers on all branches, and a separate deployment stage with a condition based on the branch name ensures only main deploys. Option A is wrong because it requires manual pipeline creation per branch. Option C is wrong because it still deploys to all environments.

Option D is wrong because it would trigger for main only, missing other branches.

755
MCQhard

A company runs a critical microservices architecture on Amazon ECS with Fargate. They want to ensure that if a task fails, it is automatically restarted, and the service remains available across multiple Availability Zones. How should they configure the ECS service?

A.Place all tasks in the same Availability Zone to reduce latency
B.Run a standalone Fargate task and use a CloudWatch alarm to restart it
C.Use an EC2 launch type with a single instance to reduce complexity
D.Define an ECS service with a task definition, set desired count across multiple Availability Zones, and use Service Auto Scaling
AnswerD

This ensures tasks are distributed and automatically replaced.

Why this answer

Setting the number of tasks across multiple AZs and enabling Service Auto Scaling with task-level restart ensures resilience. The ECS service scheduler automatically restarts failed tasks. Option A is wrong because a single-AZ deployment is a single point of failure.

Option B is wrong because placing all tasks in one AZ does not provide AZ resilience. Option D is wrong because a standalone task does not have automatic restart.

756
MCQhard

A company uses AWS CloudFormation to manage infrastructure. A recent stack update failed with the error 'UPDATE_ROLLBACK_FAILED'. The stack is now in a 'UPDATE_ROLLBACK_FAILED' state, and the engineer needs to fix the stack. What is the correct course of action?

A.Contact AWS Support to fix the stack
B.Delete the stack and recreate it
C.Submit another stack update with the desired configuration
D.Continue the rollback using the 'ContinueUpdateRollback' API
AnswerD

This allows the stack to complete rollback by skipping resources that failed.

Why this answer

Option A is correct because when a rollback fails, you can continue the rollback (which may skip resources that failed to roll back) or perform a stack operation to fix. Option B is wrong because deleting may not be possible if the stack is stuck. Option C is wrong because you cannot update a stack in rollback failed state without first continuing rollback.

Option D is wrong because support can help but is not the direct action.

757
MCQmedium

A team uses AWS CodeDeploy to deploy a web application to an Auto Scaling group. The deployment fails with the error 'The overall deployment failed because too many individual instances failed deployment, too few healthy instances are available, or some instances in your deployment group are experiencing problems.' The team checks the logs and finds that the application installation script fails on some instances due to missing dependencies. What is the BEST long-term solution?

A.Create a custom AMI that includes all dependencies and use it in the Auto Scaling group.
B.Use an Elastic Load Balancer health check to automatically replace failed instances.
C.Modify the CodeDeploy AppSpec file to run the installation script as root.
D.Implement a retry mechanism in the deployment script to install dependencies again.
AnswerA

Baking dependencies into the AMI avoids runtime installation issues and ensures consistency.

Why this answer

Option A is correct because baking dependencies into the AMI ensures all instances have them. Option B is wrong because it does not fix the root cause. Option C is wrong because it only works for in-place deployments.

Option D is wrong because it does not prevent script failures.

758
MCQhard

A company has a multi-account AWS environment with separate accounts for development, staging, and production. They want to implement a CI/CD pipeline that deploys to each account sequentially after manual approvals. Which setup allows cross-account deployment with CodePipeline?

A.Create an IAM role in the target account with permissions for the pipeline service role to assume, and use that role in the deployment action.
B.Create separate pipelines in each account and trigger them via SNS from a master pipeline.
C.Use CodePipeline with cross-account actions by specifying the target account ID and region.
D.Use a single pipeline in the management account with different stages for each account.
AnswerA

This is the standard cross-account deployment pattern with CodePipeline.

Why this answer

Cross-account deployment requires an IAM role in the target account that the pipeline can assume. Option D is correct.

759
MCQhard

A company runs a critical application on an Auto Scaling group of EC2 instances behind an Application Load Balancer (ALB). The DevOps team needs to implement a dashboard that shows real-time request latency, error rates, and the number of healthy hosts. Which AWS service should be used to create this dashboard?

A.Amazon QuickSight
B.AWS CloudTrail
C.AWS Config
D.Amazon CloudWatch Dashboards
AnswerD

Correct. CloudWatch Dashboards can graph multiple metrics from different sources.

Why this answer

Amazon CloudWatch Dashboards is the correct choice because it provides real-time monitoring and visualization of metrics such as request latency, error rates, and healthy host counts directly from CloudWatch. These metrics are automatically emitted by the Application Load Balancer (e.g., TargetResponseTime, HTTPCode_ELB_5XX_Count, HealthyHostCount) and can be displayed on a customizable dashboard without additional data transformation or querying.

Exam trap

The trap here is that candidates may confuse Amazon QuickSight with CloudWatch Dashboards, assuming QuickSight is the go-to for any dashboarding need, but QuickSight is for business analytics and not designed for real-time infrastructure monitoring with sub-minute latency metrics.

How to eliminate wrong answers

Option A is wrong because Amazon QuickSight is a business intelligence service for interactive dashboards and ad-hoc analysis, not designed for real-time operational monitoring of live infrastructure metrics like ALB latency or healthy hosts. Option B is wrong because AWS CloudTrail records API activity and governance events, not real-time performance metrics or health status of EC2 instances behind a load balancer. Option C is wrong because AWS Config tracks resource configuration changes and compliance, not real-time operational metrics such as request latency or error rates.

760
MCQeasy

A company uses AWS CloudFormation to deploy a multi-tier web application. During an incident, the stack update fails with a 'ROLLBACK_IN_PROGRESS' status. The operations team needs to investigate the root cause quickly without losing the stack's current state. What is the MOST efficient approach?

A.Create a change set and execute it to see the changes.
B.Delete the stack and recreate it using the same template.
C.Manually fix the resources and then retry the stack update.
D.Use the ContinueUpdateRollback API with the ResourcesToSkip parameter.
AnswerD

This allows continuing the rollback while skipping problematic resources.

Why this answer

Option C is correct because using 'ContinueUpdateRollback' with the 'ResourcesToSkip' parameter allows skipping resources that caused the failure while preserving the stack. Option A is wrong because deleting the stack removes all resources. Option B is wrong because creating a new stack does not help investigate the current failure.

Option D is wrong because manually fixing resources and retrying the update without rollback is risky; the stack is already in rollback.

761
Multi-Selecthard

A company runs a critical application on Amazon EKS. The operations team needs to monitor the health of the Kubernetes cluster and the applications running on it. Which THREE services can be used together to achieve comprehensive monitoring? (Choose THREE.)

Select 3 answers
A.AWS X-Ray
B.Amazon VPC Flow Logs
C.AWS CloudTrail
D.Amazon CloudWatch Container Insights
E.Amazon Managed Service for Prometheus
AnswersA, D, E

X-Ray traces requests through distributed applications, helping to identify performance issues.

Why this answer

Correct options: A, C, D. Option A: CloudWatch Container Insights provides metrics and logs for EKS. Option C: Prometheus (via AWS managed service or self-hosted) is a common open-source monitoring tool for Kubernetes.

Option D: AWS X-Ray can trace requests across microservices. Option B is wrong because CloudTrail logs API calls, not cluster health. Option E is wrong because VPC Flow Logs capture network traffic, not application health.

762
Multi-Selecthard

A company is running a critical application on Amazon EC2 instances behind an Application Load Balancer (ALB). They need to implement a monitoring strategy that provides detailed visibility into application performance, including request-level latency and error codes. Which THREE actions should they take?

Select 3 answers
A.Enable VPC Flow Logs to capture traffic patterns.
B.Enable ALB access logs and store them in Amazon S3.
C.Install the CloudWatch agent on EC2 instances to collect application logs and custom metrics.
D.Enable AWS CloudTrail to log API calls made to the load balancer.
E.Enable detailed CloudWatch metrics for the ALB (e.g., RequestCount, TargetResponseTime).
AnswersB, C, E

Access logs contain request-level details including latency and error codes.

Why this answer

Correct: A (Enable ALB access logs), C (Enable detailed CloudWatch metrics for the ALB), and D (Enable CloudWatch agent on EC2 instances for application logs). Option B is wrong because VPC Flow Logs are for network traffic, not application performance. Option E is wrong because CloudTrail is for API calls, not application metrics.

763
MCQmedium

A team uses AWS CodePipeline to orchestrate deployments. They want to integrate a manual approval step before deploying to production. Which action should they take?

A.Use an AWS Lambda function to send an approval request email and wait for HTTP response.
B.Add a manual approval action to the pipeline before the production deployment stage.
C.Add an Amazon CloudWatch Events rule to pause the pipeline before the production stage.
D.Add an Amazon SNS topic to the pipeline and require subscription confirmation.
AnswerB

Manual approval action pauses the pipeline until approval.

Why this answer

Option B is correct because AWS CodePipeline natively supports a manual approval action that can be added as a stage before the production deployment. This action pauses the pipeline and sends a notification (via Amazon SNS) to specified approvers, who can then approve or reject the deployment through the AWS Management Console, CLI, or API. No custom code or external services are required.

Exam trap

The trap here is that candidates may confuse the manual approval action's dependency on SNS with the idea that simply adding an SNS topic to the pipeline creates an approval step, when in fact the approval action must be explicitly added as a stage action.

How to eliminate wrong answers

Option A is wrong because using an AWS Lambda function to send an approval request email and wait for an HTTP response introduces unnecessary complexity and does not integrate with CodePipeline's built-in approval workflow; CodePipeline already provides a native manual approval action with SNS notifications. Option C is wrong because Amazon CloudWatch Events rules can trigger actions based on pipeline state changes but cannot pause a pipeline or add an approval step; pausing is a feature of the manual approval action itself. Option D is wrong because adding an Amazon SNS topic to the pipeline does not create an approval step; the SNS topic is used by the manual approval action to notify approvers, but simply adding a topic without the approval action does not pause the pipeline or require approval.

764
MCQhard

A company uses AWS OpsWorks for configuration management with Chef. They are migrating to AWS Systems Manager to reduce complexity. The operations team needs to run custom scripts on a fleet of EC2 instances on a schedule, with the ability to target instances based on tags. Which Systems Manager capability should the engineer use?

A.Patch Manager
B.Automation
C.State Manager
D.Run Command
AnswerC

B: State Manager associations can schedule documents and target instances by tags.

Why this answer

Option B is correct because State Manager allows you to define associations that run documents on a schedule with tag-based targeting. Option A is wrong because Run Command is for ad-hoc execution, not scheduled. Option C is wrong because Patch Manager is for patching only.

Option D is wrong because Automation is for multi-step workflows, not simple script execution.

765
Multi-Selectmedium

Which of the following are valid strategies for implementing continuous integration in AWS? (Choose two.)

Select 2 answers
A.Configure AWS CodeBuild to automatically run tests when a pull request is created in CodeCommit.
B.Set up AWS CodeDeploy to trigger a build every time a commit is pushed to a repository.
C.Use AWS CodePipeline with a source stage that polls CodeCommit for changes and triggers a build stage.
D.Use AWS CloudFormation to create a stack that runs tests every time a new commit is pushed.
AnswersA, C

Why this answer

Option A is correct because AWS CodeBuild can be configured to automatically run tests when a pull request is created in CodeCommit using a webhook or event rule. This enables continuous integration by validating code changes before merging, ensuring that only tested code is integrated into the main branch.

Exam trap

The trap here is confusing deployment services (CodeDeploy) and infrastructure provisioning (CloudFormation) with CI build triggers, leading candidates to select options that sound plausible but lack the specific capability to initiate a build or run tests.

Why the other options are wrong

B

CodeDeploy is for deployment, not building or testing.

D

CloudFormation is for infrastructure as code, not for running tests.

766
MCQhard

A company runs a stateful web application on EC2 instances behind an ALB. The application uses sticky sessions (session affinity) to maintain user sessions. During a deployment, the company wants to update the application with zero downtime and ensure that in-flight sessions are not lost. Which deployment strategy should they use?

A.Perform a rolling update of the Auto Scaling group with a health check grace period.
B.Use an immutable deployment by launching a new Auto Scaling group and then updating the ALB target group to point to the new group.
C.Use a blue/green deployment: launch a new Auto Scaling group, register it with a new target group, and gradually shift traffic using weighted target groups on the ALB.
D.Use a canary deployment with AWS Lambda to gradually route a percentage of requests to the new version.
AnswerC

Gradual shift preserves sessions on old environment until they complete.

Why this answer

Option C is correct because a blue/green deployment with a new target group and a gradual shift of traffic using the ALB's weighted target groups allows existing sessions to complete on the old environment while new sessions go to the new one. Option A is wrong because rolling update with a fixed number of instances may cause session loss. Option B is wrong because immutable deployment without traffic shifting drops sessions.

Option D is wrong because canary deployment with Lambda is not applicable to EC2.

767
Multi-Selecthard

A DevOps team uses AWS CloudFormation to deploy a web application stack. The stack includes an EC2 instance, an RDS database, and an Application Load Balancer. After a successful deployment, they notice that the database security group does not allow inbound traffic from the instance security group. The team wants to enforce that the database security group always allows traffic only from the instance security group, even if the stack is updated. Which TWO methods should the team use? (Choose TWO.)

Select 2 answers
A.Hardcode the instance security group CIDR in the database security group ingress rule.
B.Use Fn::GetAtt or Ref to reference the instance security group in the database security group rule.
C.Use AWS CloudTrail to monitor and alert on security group changes.
D.Use a CloudFormation parameter to pass the instance security group ID to the database security group rule.
E.Create a separate security group rule outside of CloudFormation using the AWS CLI.
AnswersB, D

Intrinsic functions allow referencing resources within the same template.

Why this answer

Options B and D are correct. Option B uses a parameter to pass the instance security group ID into the database security group rule, ensuring dynamic referencing. Option D uses a Fn::GetAtt to retrieve the security group ID and reference it in the rule.

Option A is incorrect because hardcoding IP addresses is not dynamic. Option C is incorrect because a security group rule outside the template is not managed by CloudFormation. Option E is incorrect because VPC flow logs do not enforce security group rules.

768
Multi-Selecteasy

A company uses AWS CloudFormation to deploy a VPC with public and private subnets. They want to ensure that the VPC has internet access for the public subnets. Which THREE resources must be included in the template?

Select 3 answers
A.AWS::EC2::VPCEndpoint
B.AWS::EC2::Route (pointing to InternetGateway)
C.AWS::EC2::RouteTable
D.AWS::EC2::NatGateway
E.AWS::EC2::InternetGateway
AnswersB, C, E

Directs traffic to internet.

Why this answer

Option A is correct because an internet gateway is required for internet access. Option B is correct because a route table is needed to route traffic. Option D is correct because a route to the internet gateway must be added to the route table.

Option C is wrong because a NAT gateway is for private subnets. Option E is wrong because a VPC endpoint is for private connectivity to AWS services.

769
MCQeasy

A company uses AWS CodeBuild to build a Docker image and push it to Amazon ECR. The buildspec.yml includes a 'post_build' phase command to tag the image. The build fails with 'unauthorized: authentication required'. What must be done to resolve this?

A.Add 'ecr:InitiateLayerUpload' and 'ecr:CompleteLayerUpload' permissions to the CodeBuild service role.
B.Use the 'docker login' command with AWS CLI in the build phase.
C.Install the AWS CLI in the CodeBuild build environment.
D.Create a new IAM user with ECR permissions and store the keys in CodeBuild environment variables.
AnswerA

These are required for pushing Docker images to ECR.

Why this answer

CodeBuild needs permission to push to ECR. The IAM role must have appropriate ECR permissions. Option A is correct.

770
MCQhard

A company uses AWS CloudFormation to manage infrastructure. The DevOps team wants to implement a change management process where all stack updates must be reviewed before execution. Which AWS feature should be used?

A.Drift detection
B.Change Sets
C.StackSets
D.Stack policies
AnswerB

Change Sets allow you to preview changes before applying.

Why this answer

Option C is correct because Change Sets allow you to review proposed changes before executing them. Option A (Stack policy) controls update permissions. Option B (StackSets) manage stacks across accounts.

Option D (Drift detection) detects configuration drift.

771
Multi-Selectmedium

A DevOps team is investigating a security incident where an unauthorized user accessed an S3 bucket. The team needs to determine what actions were taken by the user. Which TWO AWS services should be used together to investigate? (Choose TWO.)

Select 2 answers
A.S3 server access logs
B.Amazon CloudWatch metrics
C.AWS Config
D.AWS CloudTrail
E.Amazon GuardDuty
AnswersA, D

Server access logs provide detailed records of requests made to the bucket.

Why this answer

Option A and Option D are correct. CloudTrail logs all API calls to S3, including who made the call, from where, and what action was taken. S3 server access logs provide detailed records of requests made to the bucket, including object-level operations.

Option B is wrong because Config records configuration changes, not access. Option C is wrong because GuardDuty detects threats but does not provide detailed logs of past actions. Option E is wrong because CloudWatch metrics provide performance data, not access details.

772
MCQmedium

A DevOps team is using AWS CodePipeline to automate build, test, and deploy phases. The team notices that the pipeline is failing intermittently during the deploy stage due to a timeout when updating an Auto Scaling group. The deploy stage uses CodeDeploy with a blue/green deployment configuration. What is the MOST likely cause and solution?

A.The CloudFormation stack update is failing. Update the stack with a longer timeout.
B.The CodeCommit repository has too many branches. Clean up unused branches.
C.The CodeDeploy deployment group has a low original revision timeout. Increase the original revision timeout.
D.The CodeBuild project has a low build timeout. Increase the build timeout.
AnswerC

Blue/green deployment waits for new instances to be healthy; increasing timeout allows more time.

Why this answer

Option C is correct because the blue/green deployment typically waits for instances to be healthy before completing. Option A is wrong because CodeBuild timeout affects build stage, not deploy. Option B is wrong because CodeCommit is the source stage.

Option D is wrong because CloudFormation is not used in this deploy stage.

773
MCQeasy

A DevOps engineer receives an alarm that an EC2 instance's status check has failed. The instance is part of an Auto Scaling group. How should the engineer respond?

A.Immediately terminate the instance to trigger a replacement
B.Verify the instance's system and instance status checks, then consider terminating the instance to allow the Auto Scaling group to launch a new one
C.Do nothing, because the Auto Scaling group will automatically replace the instance
D.Check the security group rules to ensure they allow traffic
AnswerB

This is the correct response to a status check failure.

Why this answer

Option B is correct because if the instance fails status checks, the engineer should verify the instance is healthy and replace it if needed. Option A is wrong because status checks are internal, not security group issues; C is wrong because terminating the instance manually may not be necessary; D is wrong because the Auto Scaling group will launch a new instance only if the instance is terminated or marked unhealthy.

774
Multi-Selecthard

A company is experiencing a DDoS attack on its application hosted on AWS. The application uses an Application Load Balancer (ALB) with an Auto Scaling group of EC2 instances. The security team needs to mitigate the attack with minimal latency impact on legitimate users. Which THREE actions should the team take? (Choose THREE.)

Select 3 answers
A.Disable cross-zone load balancing on the ALB to limit the number of instances receiving traffic.
B.Enable AWS Shield Advanced on the ALB.
C.Enable connection draining (deregistration delay) on the ALB target group.
D.Configure the Auto Scaling group to scale based on the NetworkIn metric to handle the increased traffic.
E.Configure AWS WAF on the ALB to block requests based on source IP reputation or rate-based rules.
AnswersB, C, E

Shield Advanced provides enhanced DDoS protection and access to DDoS Response Team (DRT).

Why this answer

AWS Shield Advanced provides enhanced DDoS mitigation for ALBs, including access to the DDoS Response Team (DRT) and financial protection against scaling costs. It operates at the network and transport layers with minimal latency, as it inspects traffic inline without introducing significant processing delay. This makes it a critical first line of defense for high-availability applications under attack.

Exam trap

The trap here is confusing scaling-based absorption (Option D) with actual mitigation, leading candidates to think handling more traffic automatically defends against DDoS, when in reality it only increases cost and resource exhaustion without blocking the attack source.

775
Multi-Selectmedium

A company uses AWS CloudFormation to deploy infrastructure. The DevOps team wants to ensure that if a stack update fails, the stack automatically rolls back to the previous known good state. The team also wants to receive notifications of the rollback. Which combination of steps should the team take? (Choose THREE.)

Select 3 answers
A.Set the 'Rollback on failure' option to 'Yes' in the CloudFormation stack properties.
B.Enable termination protection on the CloudFormation stack.
C.Configure an SNS topic as a notification target in the CloudFormation stack.
D.Create a CloudWatch Logs log group and subscribe to stack events.
E.Enable drift detection on the CloudFormation stack.
AnswersA, B, C

This ensures automatic rollback to the last known good state on update failure.

Why this answer

Option A is correct because CloudFormation stack updates can be configured with a rollback on failure. Option B is correct because CloudFormation can send events to Amazon SNS, which can then trigger notifications (e.g., email). Option C is correct because enabling termination protection prevents accidental deletion of the stack.

Option D (CloudWatch Logs) is for logging, not rollback. Option E (drift detection) is for detecting manual changes, not rollback.

776
MCQhard

Refer to the exhibit. A DevOps engineer runs the CLI command to view stack events. The output shows that a Lambda function update was cancelled by the stack update. What is the most likely cause?

A.The stack had a drift detection operation that overrode the update.
B.The IAM role for the Lambda function lacked permissions to update the function.
C.The Lambda function code exceeded the maximum size limit for inline code.
D.A concurrent stack update was initiated while a previous update was in progress.
AnswerD

CloudFormation cancels pending updates when a new update is started.

Why this answer

Option B is correct because 'Resource update cancelled by stack update' indicates that a previous update to the Lambda function was interrupted by a newer stack update operation. Option A is wrong because a permissions error would show 'AccessDenied'. Option C is wrong because size limits would show a different error.

Option D is wrong because drift detection does not cancel updates.

777
MCQmedium

Refer to the exhibit. A CloudTrail log shows a failed GitPush event to a CodeCommit repository by the IAM user 'jenkins'. The DevOps engineer has attached the following IAM policy to the user: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "codecommit:*", "Resource": "*" } ] } What is the MOST likely reason for the failure?

A.The user has not generated a Git credential for CodeCommit in the IAM console.
B.The user is trying to push via HTTPS but the repository only allows SSH.
C.The user's IAM policy includes a condition that restricts access based on source IP, and the push originates from a different IP.
D.The policy is attached but the user has a permissions boundary that denies codecommit:GitPush.
AnswerA

CodeCommit requires Git credentials or SSH key for Git operations, even if IAM policy allows.

Why this answer

Option C is correct because CodeCommit requires an inline policy or managed policy to allow Git operations, but the user may be trying to push using HTTPS with a Git credential that is not associated with the IAM user, or the SSH key is not configured. However, the error says the user is not authorized, which suggests that the IAM policy is not effective because CodeCommit requires a specific Git credentials or SSH key to authenticate, not just an IAM policy. Actually, the IAM policy should allow the action.

The most common issue is that the user has not created a Git credential in IAM for CodeCommit. Option A is about permissions boundary. Option B is about IP restriction.

Option D is about HTTPS vs SSH.

778
MCQeasy

A DevOps engineer uses AWS CodeBuild to build a Java application. The build fails with an error indicating that the build environment does not have the required Java version. What is the MOST efficient way to ensure the correct Java version is installed for all future builds?

A.Use AWS Lambda to install Java on the build instance before the build starts.
B.Specify a managed image in the buildspec that includes the required Java version.
C.Add a command in the buildspec to install the required Java version using apt-get.
D.Create a custom Docker image with the required Java version and reference it in the build project.
AnswerB

Managed images come pre-configured with specific runtimes, ensuring consistency.

Why this answer

Option A is correct because using an AWS CodeBuild managed image with the required Java version ensures a consistent build environment without manual installation steps. Option B is incorrect because installing Java via a command may be unreliable and increases build time. Option C is incorrect because managing a custom image requires additional maintenance.

Option D is incorrect because Lambda is not used for build environments.

779
MCQmedium

A company uses AWS CodeCommit and wants to enforce that all commits to the main branch are signed. What must be configured to enforce this requirement?

A.Configure a repository policy that requires signed commits.
B.Assign an IAM role that only allows signed API calls.
C.Use a pre-commit hook in the local repository.
D.Set up a CloudWatch Events rule to reject unsigned commits.
AnswerA

CodeCommit supports repository policies to require commit signing.

Why this answer

AWS CodeCommit supports repository policies that can enforce commit signing by denying `codecommit:GitPush` unless the commit is signed with a GPG key. This is done using the `git:IsSigned` condition key in an IAM-based resource policy attached to the repository. Option A is correct because it directly configures this policy to reject unsigned pushes to the main branch.

Exam trap

The trap here is that candidates confuse client-side Git hooks (pre-commit) with server-side enforcement, or assume CloudWatch Events can block API calls, when only a repository policy with the `git:IsSigned` condition can enforce signed commits at the service level.

How to eliminate wrong answers

Option B is wrong because IAM roles control who can make API calls, not the signing status of individual commits within a Git push; the `git:IsSigned` condition key is not available in IAM identity policies for the `codecommit:GitPush` action. Option C is wrong because pre-commit hooks are client-side and cannot be enforced server-side; a developer can bypass or remove them locally. Option D is wrong because CloudWatch Events (now Amazon EventBridge) can trigger on API calls but cannot reject or block the Git push itself; it can only react after the fact.

780
MCQmedium

A development team uses AWS CodeCommit and AWS CodePipeline for CI/CD. They notice that a pipeline execution failed due to a code review rejection in the 'Approve' stage. The pipeline is configured with a manual approval action. What is the most likely cause of the failure?

A.The IAM role for the pipeline does not have permission to invoke the approval action.
B.The CodeCommit repository has a branch policy that prevents direct commits.
C.An authorized user logged in to the CodePipeline console and rejected the approval request.
D.The pipeline is not configured with a CloudWatch Events rule to trigger the approval.
AnswerC

A manual approval action fails if an authorized user explicitly rejects the approval request.

Why this answer

Option D is correct because a manual approval action requires a user to approve before proceeding; if the approval is rejected, the pipeline fails. Option A is wrong because an IAM policy issue would likely cause a different error. Option B is wrong because CodeCommit repository settings do not directly block pipeline approval actions.

Option C is wrong because a CloudWatch Events rule is not required for manual approvals.

781
MCQmedium

A company is using AWS CodeBuild to compile a Java application. The build takes over 30 minutes, causing timeouts. The team has already increased the build timeout to the maximum. Which action would MOST effectively reduce the build time?

A.Use a smaller instance type to reduce provisioning time.
B.Enable dependency caching in the buildspec file.
C.Use a larger compute type in CodeBuild.
D.Split the build into multiple parallel CodeBuild projects.
AnswerB

Caches downloaded dependencies across builds.

Why this answer

Option C is correct because caching dependencies can significantly reduce build time by avoiding re-downloading. Option A is wrong because increasing compute resources can help but may not be as effective as caching. Option B is wrong because parallel builds may introduce complexity and dependencies.

Option D is wrong because using a smaller instance would increase build time.

782
MCQmedium

A company uses AWS CodeCommit for source control. Developers work on feature branches and create pull requests to merge into the 'develop' branch. The company wants to enforce that all commits to the 'develop' branch are signed. Which AWS service or feature should be used to enforce this policy?

A.Use Amazon CloudWatch Events to trigger a Lambda function that verifies commit signatures and reverts unsigned commits.
B.Create an approval rule template in CodeCommit that requires commits to be signed and associate it with the 'develop' branch.
C.Use AWS Key Management Service (KMS) to create a signing key and require developers to use it.
D.Configure an IAM policy that denies 'git push' unless the commit is signed.
AnswerB

CodeCommit approval rule templates can enforce signed commits as a condition for merging.

Why this answer

Option C is correct because CodeCommit supports approval rule templates that can require signed commits. Option A is incorrect because IAM policies can restrict who can push but not enforce signing. Option B is incorrect because CloudWatch Events can trigger actions but not enforce signing.

Option D is incorrect because AWS KMS is used for encryption keys, not for enforcing commit signing.

783
MCQeasy

A DevOps engineer is investigating why an Amazon ECS service is not scaling out as expected. The service has a target tracking scaling policy based on average CPU utilization. The CloudWatch alarm shows that CPU utilization has exceeded the target for several minutes, but no scaling activity has occurred. What is the most likely cause?

A.The ECS service is configured with a minimum healthy percent that prevents scaling out.
B.The ECS service does not have an IAM role that allows it to call CloudWatch.
C.The CloudWatch alarm is configured with a period that is too long.
D.The scaling policy has a cooldown period that is still in effect from a previous scaling activity.
AnswerD

Cooldown periods prevent further scaling actions until the cooldown expires.

Why this answer

Option D is correct because target tracking scaling policies in Amazon ECS have a cooldown period (default 300 seconds) that prevents the policy from initiating additional scaling activities immediately after a previous scaling action. If a recent scaling activity occurred, the cooldown period would still be in effect, causing the policy to ignore the alarm even though CPU utilization has exceeded the target. This is the most likely reason no scaling activity is observed despite the alarm being triggered.

Exam trap

The trap here is that candidates often overlook the cooldown period and instead blame IAM permissions or alarm configuration, but the cooldown is a deliberate stabilization mechanism that directly explains why scaling is not occurring despite the alarm being active.

How to eliminate wrong answers

Option A is wrong because the minimum healthy percent parameter controls the minimum percentage of tasks that must remain healthy during deployments or scaling activities, but it does not prevent scaling out; it only affects how many tasks can be stopped or started at once. Option B is wrong because the ECS service does not need an IAM role to call CloudWatch; the scaling policy uses the service-linked role AWSServiceRoleForApplicationAutoScaling, which already has permissions to read CloudWatch alarms and metrics. Option C is wrong because a long CloudWatch alarm period would delay the alarm transition to ALARM state, but the question states the alarm has already exceeded the target for several minutes, meaning the period is not the issue.

784
MCQmedium

A company uses an AWS Elastic Load Balancer (ELB) to distribute traffic to EC2 instances. During an incident, some users report slow response times. The DevOps engineer suspects that one instance is unhealthy but the health check is not detecting it. What should the engineer do to improve health check accuracy?

A.Increase the health check interval to reduce load on instances
B.Configure a health check that checks a specific application endpoint
C.Decrease the health check unhealthy threshold to 2
D.Set the health check path to the root document ('/')
AnswerB

Deep health checks verify application availability.

Why this answer

Option C is correct because a deep health check (checking an application-specific endpoint) ensures the instance is truly healthy. Option A is incorrect because increasing the interval makes checks less frequent. Option B is incorrect because decreasing the threshold makes it easier to mark unhealthy.

Option D is incorrect because the health check path should be specific to the application.

785
Drag & Dropmedium

Drag and drop the steps to set up an AWS CodePipeline with a source stage from CodeCommit and a deploy stage to Elastic Beanstalk.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

The correct order is: first create the S3 bucket for artifacts, then create the CodeCommit repository and push code, then create the pipeline, then configure source, then configure deploy.

786
Multi-Selectmedium

A company uses AWS CodePipeline for CI/CD. The security team requires that all code changes be scanned for secrets before deployment. The pipeline consists of a source stage (CodeCommit), a build stage (CodeBuild), and a deploy stage (CodeDeploy). The security team wants to automatically scan for secrets and block the pipeline if any secrets are found. Which THREE actions should the team take? (Choose THREE.)

Select 3 answers
A.Add a scanning action in the deploy stage to scan after deployment.
B.Configure the build project to fail the build if the scanning tool returns a non-zero exit code.
C.Add a scanning action in the build stage using a custom action or a third-party action from AWS Marketplace.
D.Configure an S3 bucket policy to deny access if secrets are detected.
E.Grant the CodeBuild service role permissions to retrieve the scanning tool from an S3 bucket.
AnswersB, C, E

A failed build stops the pipeline.

Why this answer

Option A is correct because using a scanning action in the build stage can catch secrets. Option C is correct because CodeBuild can fail the build if secrets are found, preventing deployment. Option E is correct because IAM permissions are needed for CodeBuild to access the scanning tool.

Option B is incorrect because S3 bucket policies are not relevant. Option D is incorrect because post-deployment scanning would not block the pipeline before deployment.

787
MCQhard

A company's security policy requires that all EC2 instances must be launched with an IAM role that provides least privilege access. A DevOps engineer needs to enforce this across the organization. Which approach is MOST effective?

A.Create an SCP that denies ec2:RunInstances if the specified IAM role is not the approved role
B.Create a service control policy (SCP) that denies the ec2:RunInstances action unless an instance profile is attached
C.Use AWS Config to detect instances without the required role and terminate them via Lambda
D.Create an IAM policy that denies ec2:RunInstances unless the instance is launched with the required IAM role, and attach it to all users
AnswerD

IAM policies can use condition keys like iam:PassedToService to enforce specific roles.

Why this answer

Using an IAM policy with a condition that denies instance launch unless a specific IAM role is attached. Option A is wrong because it only restricts instance profiles, not the launch. Option B is wrong because SCPs cannot enforce a specific role attachment.

Option D is wrong because instance metadata service does not enforce roles.

788
MCQeasy

A DevOps engineer is designing a CI/CD pipeline that deploys code to an EC2 instance. The engineer needs to securely store and retrieve database credentials used by the application. Which AWS service should be used?

A.Amazon S3 with server-side encryption
B.AWS Systems Manager Parameter Store
C.AWS Secrets Manager
D.AWS Key Management Service (KMS)
AnswerC

Secrets Manager provides secure storage and automatic rotation of secrets.

Why this answer

Option B is correct because AWS Secrets Manager is designed to securely store and rotate secrets like database credentials. Option A is wrong because Systems Manager Parameter Store can store secrets but lacks automatic rotation. Option C is wrong because KMS is for encryption keys, not secret storage.

Option D is wrong because S3 is not designed for secret management.

789
MCQhard

A company uses AWS CloudFormation to deploy a multi-tier application. During an update, the stack fails and rolls back. The rollback also fails, leaving the stack in UPDATE_ROLLBACK_FAILED state. The operations team needs to resolve this with minimal disruption. What is the MOST efficient approach?

A.Use the 'ContinueUpdateRollback' API or AWS Management Console to retry the rollback.
B.Manually modify the resources to match the previous stack state.
C.Delete the stack and recreate it from the original template.
D.Execute a change set to update the stack to the desired configuration.
AnswerA

This action can complete the rollback and recover the stack.

Why this answer

Option A is correct because continuing the rollback can resolve the failure and bring the stack to a consistent state. Option B is wrong because deleting the stack would remove all resources. Option C is wrong because executing a change set on a failed stack is not possible.

Option D is wrong because manual modification is error-prone and not recommended.

790
MCQhard

A company has a microservices architecture with 50 services running on Amazon ECS. The DevOps team wants to collect and analyze logs from all services centrally. They need to query logs across services and set up alerts for error patterns. Which solution is the most scalable and cost-effective?

A.Use AWS CloudTrail to capture all log events and store them in an S3 bucket for analysis
B.Deploy an Amazon Elasticsearch cluster and configure the ECS Fargate agent to send logs directly to Elasticsearch
C.Use the awslogs driver to send logs to Amazon CloudWatch Logs and use CloudWatch Logs Insights for querying and metric filters for alerts
D.Send logs to Amazon S3 and use Amazon Athena for querying, with scheduled queries for alerts
AnswerC

Correct. This is scalable, integrates with ECS, and provides real-time alerts.

Why this answer

Option D is correct because sending logs to CloudWatch Logs and using Logs Insights provides centralized querying and alerting. Option A (S3 + Athena) is cheaper but has slower query times and no real-time alerting. Option B (Elasticsearch) is more complex and costly.

Option C (CloudTrail) is for API logs.

791
MCQhard

A company deploys the above CloudFormation stack. They want to enforce HTTPS for all requests to the S3 bucket. After deployment, users are still able to make HTTP requests. What is the problem?

A.The condition key 'aws:SecureTransport' is misspelled; it should be 'aws:SecureTransport' with a capital 'T'
B.The bucket is not versioned, so the policy does not apply to object versions
C.The policy uses Deny, but an Allow policy from another statement overrides it
D.The Deny statement's Resource specifies only the objects, not the bucket itself
AnswerD

The Resource does not include the bucket ARN, so bucket-level operations like ListBucket are not denied.

Why this answer

The Deny policy only applies to objects in the bucket (Resource: arn:aws:s3:::bucket/*), but not to the bucket itself. Actions like listing objects (s3:ListBucket) are denied only if the resource is the bucket itself. Option A is wrong because the bucket is versioned, but that doesn't affect encryption.

Option B is wrong because the Condition is correct. Option D is wrong because the policy uses Deny, which overrides Allow.

792
MCQmedium

A company is using AWS Organizations with multiple accounts. The Security team wants to centrally manage IAM roles that can be assumed by users in member accounts. Which solution should be used to enforce that only specific roles can be assumed across accounts, while ensuring that the policy updates are automatically applied to all accounts?

A.Create an IAM role in each member account with a trust policy that allows the Security account, and use AWS CloudFormation StackSets to deploy the roles.
B.Use AWS Single Sign-On (SSO) to assign permissions to users across accounts.
C.Create an IAM role in the Security account with a trust policy that references a service control policy (SCP) in AWS Organizations.
D.Create a resource-based policy on each IAM role in the member accounts that allows the Security account to assume the role.
AnswerC

SCPs can restrict IAM actions across accounts, and the trust policy can reference the SCP to enforce central control.

Why this answer

Option C is correct because it leverages AWS Organizations and Service Control Policies (SCPs) to centrally enforce which IAM roles can be assumed across member accounts. An SCP applied to an OU or account can explicitly deny the `sts:AssumeRole` action for any role that does not match a specific ARN pattern, ensuring that only the Security account's designated roles are assumable. Since SCPs are automatically inherited by all accounts in the organization, policy updates are applied without manual intervention.

Exam trap

The trap here is that candidates often confuse SCPs with IAM policies, thinking SCPs can grant permissions (they only deny or allow by default), or they assume that resource-based policies (Option D) are sufficient for centralized enforcement without realizing they lack automatic propagation across accounts.

How to eliminate wrong answers

Option A is wrong because while CloudFormation StackSets can deploy IAM roles across accounts, they do not enforce that only specific roles are assumable—any role created with a permissive trust policy could be used, and updates require redeployment. Option B is wrong because AWS SSO manages user permissions and access to AWS accounts via permission sets, but it does not centrally control which IAM roles can be assumed by users in member accounts; it is a separate identity federation service. Option D is wrong because resource-based policies on IAM roles in member accounts would require manual updates in each account and do not provide automatic, organization-wide enforcement of which roles are assumable.

793
MCQhard

A company uses AWS CodeBuild to run integration tests. The tests require access to an RDS database in a private subnet. CodeBuild runs in a VPC but the build times out waiting for the database connection. What is the MOST likely cause?

A.CodeBuild cannot access resources in a private subnet unless it uses a NAT gateway.
B.The CodeBuild service role does not have rds:Connect permission.
C.The CodeBuild project's security group outbound rules do not allow traffic to the RDS security group on port 3306 (or appropriate port).
D.The RDS instance is in a different subnet CIDR than CodeBuild's subnet.
AnswerC

Security groups control network traffic; missing outbound rule causes timeout.

Why this answer

Option B is correct because CodeBuild must be configured with a security group that allows outbound traffic to the RDS security group on the database port. Option A is wrong because IAM permissions affect API calls, not network connectivity. Option C is wrong because subnet CIDR is not relevant for security group rules.

Option D is wrong because CodeBuild can access resources in the same VPC if security groups allow.

794
MCQmedium

A DevOps engineer is designing a CI/CD pipeline for a containerized application using AWS CodePipeline and Amazon ECS. The pipeline should build a Docker image, push it to Amazon ECR, and deploy it to an ECS service. Which deployment action should they use in the pipeline?

A.AWS Elastic Beanstalk deployment action.
B.AWS CodeBuild with a buildspec that runs aws ecs update-service.
C.Amazon ECS (Blue/Green) deployment provider with CodeDeploy.
D.AWS CloudFormation deployment action to update the ECS service.
AnswerC

Native integration for ECS deployments.

Why this answer

Option B is correct because the ECS deployment provider in CodePipeline supports deploying to ECS services, including blue/green deployments with CodeDeploy. Option A is wrong because CodeBuild is for building, not deploying. Option C is wrong because Elastic Beanstalk is for web applications, not ECS.

Option D is wrong because CloudFormation is not a direct deployment action for ECS services.

795
MCQeasy

A DevOps engineer is responsible for monitoring an AWS environment that includes multiple EC2 instances running a web application. The engineer needs to set up a solution that sends an email alert when the average CPU utilization across all instances exceeds 80% for 10 consecutive minutes. The engineer has created a CloudWatch alarm with the metric `CPUUtilization` aggregated across all instances using the statistic `Average` and a period of 5 minutes. The alarm is set to trigger when the metric exceeds 80% for 2 consecutive periods (10 minutes). The alarm's action is configured to send a notification to an Amazon SNS topic that has an email subscription. However, the engineer is not receiving the email alerts. The engineer verified that the SNS topic exists and the email subscription is confirmed. The CloudWatch alarm shows that the metric value exceeded the threshold for 2 periods, but the alarm state is still 'OK'. What is the MOST likely reason for this?

A.The email subscription is not confirmed.
B.The metric `CPUUtilization` is not being published to CloudWatch.
C.The CloudWatch alarm requires 2 consecutive evaluation periods with the metric exceeding the threshold, but the alarm is still evaluating because of insufficient data points.
D.The SNS topic is not configured to allow CloudWatch to publish to it.
AnswerC

If the metric has missing data points, the alarm may not evaluate to ALARM.

Why this answer

Option A is correct because the alarm must be in the 'ALARM' state to send notifications. If the metric exceeds the threshold but the alarm does not transition to ALARM, it may be due to missing data points or insufficient data to evaluate. Option B is wrong because the SNS topic appears to be correctly configured.

Option C is wrong because the email subscription is confirmed. Option D is wrong because the metric is being published; the alarm shows values.

796
Multi-Selectmedium

A company wants to audit all changes to IAM policies in their AWS account. Which THREE services can be used to capture and alert on IAM policy changes? (Choose THREE.)

Select 3 answers
A.AWS Config
B.AWS CloudTrail
C.AWS Trusted Advisor
D.Amazon EventBridge
E.Amazon Inspector
AnswersA, B, D

Can track changes to IAM resources and evaluate rules.

Why this answer

Options A, B, and D are correct. AWS CloudTrail logs all IAM API calls. AWS Config can track resource changes and trigger rules.

Amazon EventBridge can create rules to detect specific CloudTrail events and trigger notifications. Option C: AWS Trusted Advisor provides best practice checks, not change auditing. Option E: Amazon Inspector is for security vulnerabilities.

797
MCQhard

A company uses AWS CloudFormation to manage infrastructure. They want to deploy a stack that creates an Amazon RDS DB instance. The database password must be stored securely and rotated automatically. Which approach meets these requirements?

A.Hardcode the password in the CloudFormation template and use a NoEcho parameter.
B.Use AWS Key Management Service (KMS) to encrypt the password and pass it as a parameter.
C.Store the password in AWS Systems Manager Parameter Store and reference it using a dynamic reference.
D.Store the password in AWS Secrets Manager and enable automatic rotation. Reference the secret in the template using a dynamic reference.
AnswerD

Secrets Manager supports rotation and dynamic references.

Why this answer

Option D is correct because AWS Secrets Manager provides built-in capabilities for automatic password rotation, which is a requirement. By storing the password in Secrets Manager and referencing it in the CloudFormation template using a dynamic reference (e.g., `{{resolve:secretsmanager:secret-id:SecretString:password}}`), the password is never exposed in the template or parameter logs, and rotation can be configured without updating the stack. This approach meets both security and automation requirements.

Exam trap

The trap here is that candidates confuse AWS Systems Manager Parameter Store with AWS Secrets Manager, assuming both support automatic rotation, but only Secrets Manager provides native rotation capabilities for RDS credentials.

How to eliminate wrong answers

Option A is wrong because hardcoding the password in the template, even with NoEcho, still exposes the password in the template source code and does not support automatic rotation. Option B is wrong because passing the password as a parameter, even if encrypted with KMS, does not enable automatic rotation and the plaintext value may be logged in AWS CloudTrail or parameter history. Option C is wrong because AWS Systems Manager Parameter Store does not support automatic rotation of secrets; it is a parameter store, not a secrets manager with rotation capabilities.

798
MCQmedium

A company uses AWS CodeBuild to compile and test code. The build takes 30 minutes, but the team wants to reduce build time by caching dependencies. Which approach should be used?

A.Remove unnecessary dependencies from the build specification.
B.Store dependencies in an S3 bucket and download them before each build.
C.Use AWS CodeArtifact to store dependencies and pull them during build.
D.Enable local caching in the build project configuration.
AnswerD

CodeBuild local caching stores dependencies in a cache directory that persists across builds.

Why this answer

Option D is correct because AWS CodeBuild's local caching feature allows you to cache intermediate build artifacts (such as dependencies) in a local directory on the build instance, which persists across builds for the same build project. This eliminates the need to re-download dependencies from external sources for every build, significantly reducing build time. The cache is stored in a Docker volume or S3 bucket, but the key benefit is that it is automatically managed by CodeBuild without manual download steps.

Exam trap

The trap here is that candidates may confuse caching with simply storing artifacts externally (like S3 or CodeArtifact) and fail to recognize that CodeBuild's local caching is the only option that eliminates the download overhead by persisting dependencies on the build instance itself.

How to eliminate wrong answers

Option A is wrong because removing unnecessary dependencies from the build specification is a good practice but does not address caching of existing dependencies; it reduces the total amount of dependencies but does not speed up the download of those that remain. Option B is wrong because storing dependencies in an S3 bucket and downloading them before each build still incurs network transfer time and does not leverage CodeBuild's built-in caching mechanism; it is a manual workaround that adds complexity and latency. Option C is wrong because AWS CodeArtifact is a managed artifact repository service for storing and retrieving packages, but it does not inherently cache dependencies on the build instance; using it still requires a download step during each build, which does not reduce build time as effectively as local caching.

799
MCQhard

A company uses AWS CloudFormation to manage a stack that includes an Auto Scaling group with a LaunchTemplate. The DevOps team wants to update the LaunchTemplate with a new AMI. The stack update fails with the error 'Launch template version does not exist'. What is the most likely cause?

A.The LaunchTemplate was recently modified and the new version is not yet available
B.The LaunchTemplate version specified in the template was deleted
C.The target group attachment is incorrect
D.The Auto Scaling group is using a different launch template
AnswerB

If the version is deleted, CloudFormation cannot find it.

Why this answer

Option A is correct because CloudFormation references a specific LaunchTemplate version. If the version is deleted, the update fails. Option B is incorrect because the error is about version not existing, not a recent modification.

Option C is incorrect because the Auto Scaling group uses the template version, not the default. Option D is incorrect because target group attachment does not affect LaunchTemplate versions.

800
MCQeasy

A DevOps engineer is troubleshooting a slow-running Lambda function. The function processes messages from an SQS queue. Which CloudWatch metric should be examined first to determine if the function is experiencing throttling?

A.Invocations
B.ConcurrentExecutions
C.Duration
D.Throttles
AnswerD

Throttles metric counts the number of times invocation requests are throttled.

Why this answer

The Throttles metric directly indicates when Lambda is rejecting invocation requests due to concurrency limits being reached. Since the question asks specifically about throttling, this is the first metric to examine to confirm whether the function is being rate-limited by AWS.

Exam trap

The trap here is that candidates may confuse high ConcurrentExecutions with throttling, but throttling is a separate metric that directly counts rejected invocations, not the number of concurrent runs.

How to eliminate wrong answers

Option A is wrong because Invocations counts total function invocations, including successful ones, and does not indicate throttling events. Option B is wrong because ConcurrentExecutions shows the number of function instances running at a given time, but it does not directly measure throttling; high concurrency can lead to throttling but the metric itself is not the throttling indicator. Option C is wrong because Duration measures how long the function runs, which can be affected by throttling indirectly but is not a direct measure of throttling events.

801
MCQhard

A DevOps engineer manages a production environment with EC2 instances behind an Application Load Balancer (ALB). The application logs show intermittent 5xx errors from the ALB. The engineer needs to identify whether the errors originate from the targets or the ALB itself. Which CloudWatch metric should be examined to differentiate between these two sources?

A.TargetResponseTime
B.UnhealthyHostCount
C.HTTPCode_Target_5XX_Count
D.RequestCount
AnswerC

This metric counts 5xx responses from targets, distinguishing from ALB-originated 5xx.

Why this answer

Option B is correct because HTTPCode_Target_5XX_Count indicates errors from the target (EC2 instances), while HTTPCode_ELB_5XX_Count indicates errors from the ALB. Option A is wrong because RequestCount is total requests. Option C is wrong because TargetResponseTime measures latency.

Option D is wrong because UnhealthyHostCount indicates unhealthy targets, not specific error codes.

802
MCQhard

A company uses AWS CloudFormation to deploy its infrastructure. They have a production stack that includes an RDS PostgreSQL instance with a read replica. The stack update to modify the DB instance class fails with the error: 'The parameter group cannot be changed during a read replica update.' The DevOps engineer needs to update the DB instance class while minimizing downtime and without losing the read replica. The current configuration: the RDS instance is using a custom parameter group. The read replica is using the same parameter group. The update changes the DBInstanceClass property from db.r5.large to db.r5.xlarge. What should the engineer do to successfully update the stack?

A.Remove the read replica from the stack, update the master instance, then add the read replica back
B.Update the read replica first to the new instance class, then update the master instance
C.Use the AWS Management Console to modify the DB instance class directly, bypassing CloudFormation
D.Create a new parameter group for the master instance and associate it before the update
AnswerA

This avoids the conflict during the update.

Why this answer

Option B is correct because the error indicates that the parameter group cannot be changed during a read replica update. To update the instance class, the engineer should first remove the read replica from the stack (or delete it), update the master instance, and then recreate the read replica. Option A is wrong because creating a new parameter group does not resolve the conflict.

Option C is wrong because modifying the replica first would also fail. Option D is wrong because the update cannot be done in-place due to the read replica.

803
MCQmedium

A DevOps engineer created this IAM policy for a CI/CD pipeline role. The pipeline needs to stop and start production EC2 instances and manage Auto Scaling groups. However, the pipeline fails when trying to stop an instance. What is the most likely reason?

A.The policy does not allow ec2:DescribeInstances for all instances.
B.The policy does not allow autoscaling:UpdateAutoScalingGroup for instances.
C.The instance does not have the tag 'Environment' with value 'production'.
D.The ec2:StopInstances action requires an additional ec2:DescribeInstanceStatus permission.
AnswerC

The condition restricts StartInstances and StopInstances to instances with that tag. Without the tag, the action is denied.

Why this answer

Option B is correct because the ec2:StartInstances and ec2:StopInstances actions are resource-level actions, but the Condition in the first statement requires the resource tag to be 'Environment':'production'. If the instance does not have that tag, the action is denied. The second statement allows Auto Scaling actions without conditions.

Option A (ec2:DescribeInstances) is allowed. Option C (Auto Scaling actions) are allowed. Option D (stop operations require stop permission) is not accurate because the permission exists but is conditional.

804
Multi-Selecteasy

A DevOps engineer is setting up a CI/CD pipeline for a Python application using AWS CodePipeline. The pipeline includes a build stage with CodeBuild and a deploy stage that runs an AWS CLI command to update a Lambda function. Which THREE steps are necessary to ensure the pipeline can update the Lambda function? (Choose 3)

Select 3 answers
A.Store the AWS CLI command in the buildspec file or as a separate script in the source repository.
B.Grant the CodePipeline service role permission to pass the CodeBuild IAM role to CodeBuild.
C.Configure a CloudWatch Events rule to trigger the pipeline when the Lambda function is updated.
D.Create an IAM role for CodeBuild that includes permissions to invoke 'lambda:UpdateFunctionCode'.
E.Use AWS CodeDeploy instead of the AWS CLI to update the Lambda function.
AnswersA, B, D

The deploy stage must have the command to execute.

Why this answer

Options A, B, and D are correct. The CodeBuild project needs a role that allows Lambda updates, and the pipeline role needs to pass the CodeBuild role. Option C is incorrect because CloudWatch is not required.

Option E is incorrect because the CLI command is already in the deploy stage.

805
MCQmedium

Refer to the exhibit. A DevOps engineer sees the following error when trying to update a CloudFormation stack: 'Stack [arn:aws:cloudformation:us-west-2:123456789012:stack/MyStack/abc123] is in ROLLBACK_COMPLETE state and can not be updated.' What should the engineer do to proceed?

A.Run 'aws cloudformation continue-update-rollback' to finish the rollback and then update.
B.Modify the stack's template and try the update again.
C.Use the 'aws cloudformation resume-update' command to resume the update.
D.Delete the stack and create a new one with the updated template.
AnswerD

A stack in ROLLBACK_COMPLETE must be deleted and recreated.

Why this answer

Option D is correct. A stack in ROLLBACK_COMPLETE state cannot be updated; it must be deleted and recreated. Option A is wrong because continue-update-rollback is for stacks in UPDATE_ROLLBACK_FAILED state.

Option B is wrong because there is no 'resume' operation. Option C is wrong because you cannot update a stack in ROLLBACK_COMPLETE.

806
MCQhard

A company runs a web application on EC2 behind an Application Load Balancer (ALB). They want to protect against SQL injection and cross-site scripting (XSS) attacks. Which AWS service should they use?

A.Configure security groups to allow only HTTP/HTTPS traffic.
B.Configure network ACLs to block common attack patterns based on IP ranges.
C.Deploy AWS WAF in front of the ALB and create rules to block SQL injection and XSS.
D.Enable AWS Shield Advanced to protect the ALB.
AnswerC

AWS WAF provides managed rules for SQL injection and XSS at the application layer.

Why this answer

AWS WAF is a web application firewall that integrates directly with Application Load Balancers to inspect HTTP/HTTPS requests for common attack patterns. It provides managed rule sets specifically designed to block SQL injection and cross-site scripting (XSS) attacks at the application layer, which is exactly what this scenario requires.

Exam trap

The trap here is that candidates often confuse network-layer controls (security groups, NACLs) or DDoS protection (Shield) with application-layer filtering, failing to recognize that only a web application firewall like AWS WAF can inspect HTTP payloads for injection attacks.

How to eliminate wrong answers

Option A is wrong because security groups operate at the network layer (Layer 3/4) and only filter traffic based on IP addresses, ports, and protocols; they cannot inspect application-layer payloads for SQL injection or XSS patterns. Option B is wrong because network ACLs are stateless packet filters that also operate at the network layer and cannot parse HTTP request bodies or query strings for malicious content; blocking IP ranges does not prevent application-layer attacks. Option D is wrong because AWS Shield Advanced provides DDoS protection against volumetric and state-exhaustion attacks at the network and transport layers, but it does not include the application-layer inspection capabilities needed to detect and block SQL injection or XSS.

807
Multi-Selecthard

Which THREE components are necessary to implement a secure VPC with a public subnet and a private subnet that hosts a database? (Choose THREE.)

Select 3 answers
A.AWS Site-to-Site VPN connection.
B.Internet Gateway attached to the VPC.
C.NAT Gateway in the public subnet.
D.VPC Peering connection to a central VPC.
E.Security group for the database allowing traffic only from the application tier.
AnswersB, C, E

Provides internet access to public subnet.

Why this answer

Correct options: A, B, and D. Option A: NAT Gateway allows private subnet instances to access the internet. Option B: Internet Gateway allows public subnet instances to access the internet.

Option D: Security groups act as firewalls for the database. Option C is wrong because VPN is not necessary. Option E is wrong because VPC Peering is for connecting VPCs.

808
MCQhard

A company uses multiple AWS accounts: one for development, one for testing, and one for production. They want to implement a CI/CD pipeline using AWS CodePipeline that deploys the same application to all three accounts. The source code is stored in a CodeCommit repository in the development account. The pipeline should first build the application, then deploy to development, then after approval, deploy to testing, and finally after another approval, deploy to production. The deployment uses AWS CodeDeploy to deploy to EC2 instances in each account. The pipeline will be created in the development account. Which configuration will allow the pipeline to deploy to the testing and production accounts?

A.Create IAM roles in the testing and production accounts that grant CodeDeploy permissions, and configure the pipeline to assume those roles using the CodePipeline cross-account action.
B.Establish VPC peering between the accounts and allow the pipeline to communicate directly with CodeDeploy in the other accounts.
C.Create IAM users in testing and production accounts with programmatic access, and configure the pipeline to use those credentials.
D.Use AWS Organizations to create a shared service and grant the pipeline full access to all accounts.
AnswerA

Cross-account roles are the standard way to allow a pipeline in one account to deploy to another.

Why this answer

Option C is correct because using cross-account roles allows the pipeline in the development account to assume a role in the target accounts to perform deployments. The pipeline can use the CodePipeline cross-account action with a role ARN. Option A is wrong because IAM users cannot be used programmatically by CodePipeline.

Option B is wrong because VPC peering is not relevant to cross-account permissions. Option D is wrong because AWS Organizations does not grant cross-account access automatically.

809
MCQeasy

A DevOps engineer is tasked with setting up a centralized logging solution for a multi-account AWS environment. Which service should be used to aggregate logs from multiple accounts?

A.Amazon S3 with cross-region replication
B.AWS CloudTrail with organization trails
C.Amazon CloudWatch Logs with cross-account subscription
D.AWS Config with aggregated compliance rules
AnswerC

CloudWatch Logs supports cross-account subscriptions to centralize logs.

Why this answer

Amazon CloudWatch Logs can aggregate logs across accounts using cross-account subscriptions with a central destination (e.g., Kinesis or Lambda). Option C is correct. Option A is incorrect because S3 is a storage service, not for real-time aggregation.

Option B is incorrect as CloudTrail is for API activity, not application logs. Option D is incorrect because AWS Config is for configuration compliance.

810
MCQhard

Refer to the exhibit. A CodeBuild project uses this buildspec.yml to build and push a Docker image to Amazon ECR. The build fails at the pre_build phase with the error 'Error: Cannot perform an interactive login from a non TTY device'. What is the MOST likely issue?

A.The AWS_DEFAULT_REGION environment variable is not set in CodeBuild.
B.The CodeBuild project's IAM role does not have permission to call ecr:GetAuthorizationToken.
C.The buildspec.yml is missing the 'docker login' command.
D.The Docker daemon is not running on the CodeBuild instance.
AnswerB

This is a common cause; without this permission, the login command fails.

Why this answer

Option C is correct because aws ecr get-login-password outputs the password to stdout, and docker login reads from stdin. The pipe (|) should work. However, the error indicates that docker login is trying interactive mode, which suggests that the command is not receiving the password correctly.

But the real issue is that the ECR login command requires AWS credentials, and if the CodeBuild project does not have proper permissions to call ecr:GetAuthorizationToken, it will fail. Option A is not relevant because the error is about interactive login. Option B is not the cause.

Option D is incorrect because the region is specified via environment variable.

811
MCQeasy

A DevOps engineer needs to monitor the memory utilization of an Amazon RDS for MySQL instance. Which AWS service should be used to collect and visualize this metric?

A.CloudWatch default metrics for RDS.
B.AWS Systems Manager Inventory.
C.Enhanced Monitoring for RDS.
D.AWS Trusted Advisor.
AnswerC

Enhanced Monitoring provides memory, CPU, and disk metrics.

Why this answer

Option C is correct because Enhanced Monitoring for RDS provides memory metrics (among others) and sends them to CloudWatch Logs, which can be visualized with CloudWatch dashboards. Option A is wrong because RDS does not expose memory utilization by default in CloudWatch; Enhanced Monitoring is required. Option B is wrong because Trusted Advisor does not collect instance-level metrics.

Option D is wrong because Systems Manager is not the primary tool for RDS monitoring.

812
MCQmedium

A DevOps engineer is setting up monitoring for an Amazon RDS for PostgreSQL instance. The engineer wants to track the number of active database connections over time to plan for scaling. Which approach should the engineer use?

A.Enable Enhanced Monitoring and view the 'DatabaseConnections' metric in CloudWatch.
B.Configure CloudWatch Logs to monitor the PostgreSQL error log for connection entries.
C.Enable RDS event subscriptions to receive notifications about connection changes.
D.Use Performance Insights to view the number of active connections.
AnswerA

Enhanced Monitoring provides the DatabaseConnections metric.

Why this answer

Option B is correct. Enhanced Monitoring provides OS-level metrics including the number of database connections. Option A is incorrect because RDS event subscriptions are for events like failover, not metrics.

Option C is incorrect because Performance Insights shows database load, not connection count. Option D is incorrect because CloudWatch Logs does not directly provide connection count metrics.

813
MCQmedium

A company has a multi-account AWS environment using AWS Organizations. The security team wants to enforce that all S3 buckets in all accounts are encrypted with SSE-S3. They plan to use an SCP to deny the creation of unencrypted buckets. The DevOps engineer writes an SCP with a Deny effect for s3:PutBucketEncryption without a condition. However, when testing, an administrator in a member account is able to create a bucket without encryption. The engineer checks CloudTrail and sees that the bucket was created with a PutBucket call that did not include the x-amz-server-side-encryption header. What is the most likely reason the SCP did not prevent this?

A.The SCP should also deny s3:PutBucketDefaultEncryption, which is the correct action for default encryption.
B.The SCP denies s3:PutBucketEncryption, but the bucket creation does not call that action; it calls s3:CreateBucket. The SCP should deny s3:CreateBucket with a condition on the encryption parameter.
C.The SCP is not attached to the organizational unit that contains the member account.
D.The member account is the management account of the organization, so SCPs do not apply.
AnswerB

s3:PutBucketEncryption is for modifying encryption after creation.

Why this answer

SCPs can deny the s3:PutBucketEncryption action, but the bucket is created with PutBucket, which is a different action. To enforce encryption at creation, the SCP should deny s3:CreateBucket with a condition that the encryption is not set. Option A is correct.

Option B is about default encryption, which is a separate setting. Option C is about the SCP being attached to the wrong OU. Option D is about management account, but the test was in a member account.

814
MCQeasy

A company wants to ensure that all S3 buckets are encrypted at rest by default. Which S3 feature should be enabled at the bucket level to automatically encrypt new objects?

A.S3 Object Lock
B.Bucket policy with a Deny for unencrypted uploads
C.S3 Versioning
D.Default encryption
AnswerD

Default encryption automatically encrypts new objects.

Why this answer

S3 default encryption allows you to set a default encryption behavior for a bucket, so that all new objects are encrypted at rest automatically. Bucket policies can enforce encryption but do not automatically encrypt. Object lock is for retention.

Versioning is for object versions.

815
MCQeasy

A company wants to centralize logging from multiple AWS accounts into a single Amazon S3 bucket for long-term storage and analysis. The logs include AWS CloudTrail, VPC Flow Logs, and Amazon RDS audit logs. Which solution is the MOST operationally efficient?

A.Configure each account to send logs to a central CloudWatch Logs account, then export to S3.
B.Use Amazon Kinesis Data Firehose in each account to stream logs to a central S3 bucket.
C.Create an S3 bucket in each account and use S3 replication to copy logs to the central bucket.
D.Configure each account to deliver logs directly to a central S3 bucket using a bucket policy that allows cross-account writes.
AnswerD

Direct delivery is the most efficient and uses native S3 features.

Why this answer

Option D is correct. Amazon S3 supports cross-account access via bucket policies, and enabling S3 server access logs is not required for this use case. Option A is incorrect because CloudWatch Logs subscription filters can stream to a cross-account S3 bucket, but Kinesis Data Firehose adds unnecessary complexity.

Option B is incorrect because aggregating into a single CloudWatch Logs account and then exporting requires additional steps. Option C is incorrect because it requires manual configuration per account.

816
Multi-Selecthard

A company uses AWS CloudFormation StackSets to deploy resources across multiple accounts and regions. They need to ensure that updates to the stack set are rolled out in a controlled manner, with the ability to roll back if errors occur. Which THREE strategies should they implement? (Choose THREE.)

Select 3 answers
A.Use a canary deployment strategy by updating only a subset of accounts first
B.Set a failure tolerance to allow a certain number of stack operation failures before the overall operation fails
C.Pause stack instances manually if errors are detected
D.Configure region concurrency to control how many regions are updated at a time
E.Set the maximum concurrent accounts to control how many accounts are updated simultaneously
AnswersB, D, E

Failure tolerance allows you to specify how many stack instance failures are acceptable.

Why this answer

StackSets support failure tolerances, concurrent accounts, and region concurrency settings to control rollouts. Options A, B, and E are correct. Option C is incorrect because CloudFormation does not support canary deployments natively.

Option D is incorrect because stack instances cannot be paused individually; you would use failure tolerance settings.

817
MCQmedium

A DevOps engineer is troubleshooting a CloudFormation stack that fails to create an EC2 instance with a custom AMI. The error message indicates that the AMI ID does not exist. The engineer is using a mapping in the template to select the AMI based on the region. However, the stack is being created in a region not covered by the mapping. What is the most efficient way to resolve this issue?

A.Retrieve the AMI ID dynamically using AWS Systems Manager Parameter Store and a dynamic reference in the template.
B.Create a new mapping entry for the region by updating the template.
C.Use AWS Systems Manager Run Command to find the correct AMI ID.
D.Hardcode the AMI ID in the template for the missing region.
AnswerA

Parameter Store provides a dynamic, maintainable way to reference AMI IDs per region.

Why this answer

Option D is correct because AWS Systems Manager Parameter Store can be used to store AMI IDs per region dynamically, eliminating the need to update mappings. Option A is wrong because it doesn't guarantee correct AMI for the region. Option B is wrong because SSM Run Command is not for parameter retrieval.

Option C is wrong because it is less dynamic and harder to maintain.

818
MCQmedium

A DevOps team uses AWS CodePipeline to deploy a web application. The pipeline has a deploy stage that uses CodeDeploy to deploy to an Auto Scaling group. During deployment, the new instances fail health checks and the deployment rolls back. However, the rollback also fails because the old instances have been terminated. What should the team do to avoid this issue?

A.Increase the health check grace period in the Auto Scaling group.
B.Add a manual approval step before the deploy stage.
C.Configure the pipeline to deploy to a new Auto Scaling group each time.
D.Use a blue/green deployment strategy in CodeDeploy to keep the old instances running until the new ones pass health checks.
AnswerD

Blue/green deployment preserves the old environment for rollback.

Why this answer

Option B is correct because using a blue/green deployment with CodeDeploy allows the old instances to remain until the new ones are verified healthy. Option A is wrong because increasing the health check grace period does not help if instances are unhealthy. Option C is wrong because manual approval does not prevent the rollback failure.

Option D is wrong because creating a new Auto Scaling group does not inherently solve the termination issue.

819
MCQmedium

An organization manages multiple AWS accounts using AWS Organizations. They want to enforce that all Amazon S3 buckets across accounts have versioning enabled. Which approach is the most scalable and least error-prone?

A.Use AWS Config rules to detect buckets without versioning and send alerts.
B.Create an SCP that denies s3:PutBucketVersioning if versioning is not enabled.
C.Deploy a CloudFormation StackSet to all accounts with a template that enables versioning.
D.Manually enable versioning on each bucket after creation.
AnswerB

SCPs prevent non-compliant actions at the account level.

Why this answer

Option C is correct because using a service control policy (SCP) at the organizational level can deny the creation of S3 buckets without versioning, enforcing compliance across all accounts. Option A is wrong because it is not automated and depends on each account owner. Option B is wrong because Config rules only detect non-compliance, they do not prevent it.

Option D is wrong because CloudFormation StackSets would require deploying a template to every account and region, which is more complex than an SCP.

820
MCQmedium

A company uses AWS Secrets Manager to store database credentials. The security team requires that secrets be automatically rotated every 30 days. Which rotation strategy should the engineer configure to meet this requirement with minimal operational overhead?

A.Manually rotate the secret every 30 days using the AWS CLI.
B.Store the secret in AWS Systems Manager Parameter Store with a SecureString parameter.
C.Enable automatic rotation using the pre-built Lambda rotation function for the database type.
D.Enable automatic rotation with a custom Lambda function.
AnswerC

Secrets Manager provides pre-built rotation templates for common databases.

Why this answer

Secrets Manager can automatically rotate secrets using a Lambda function. The easiest way is to use the pre-built Lambda rotation function for the specific database type (e.g., Amazon RDS). Creating a custom Lambda function is more overhead.

Manually rotating via CLI defeats automation. Using Systems Manager Parameter Store with SecureString does not provide built-in rotation.

821
MCQhard

A DevOps engineer updates an ECS service via CloudFormation. The stack update fails with the message 'Resource update cancelled'. The engineer notices that the ECS service's desired count was temporarily reduced during the update. What is the most likely cause of the failure?

A.The ECS service's minimum healthy percent was set to 100, causing the desired count reduction to zero to be rejected.
B.The ECS service's target group had an unhealthy instance that prevented the deregistration.
C.The ECS service deployment circuit breaker was triggered due to a timeout.
D.The ECS service did not have the required IAM role to call ecs:UpdateService.
AnswerA

CloudFormation reduces desired count to 0 during update; if min healthy percent is 100, it fails.

Why this answer

The error 'Resource update cancelled' occurs because CloudFormation detected that the ECS service update was not progressing as expected. When the minimum healthy percent is set to 100, the deployment process cannot reduce the desired count to zero (or below the current running count) without violating the requirement that 100% of the tasks remain healthy. This causes the update to be cancelled as CloudFormation waits indefinitely for the deployment to complete, eventually timing out and rolling back.

Exam trap

The trap here is that candidates often confuse the 'Resource update cancelled' error with a permissions or circuit breaker issue, but the key clue is the temporary reduction in desired count, which directly points to a minimum healthy percent constraint that prevents the service from scaling down to zero.

How to eliminate wrong answers

Option B is wrong because an unhealthy instance in the target group would cause health check failures and potential deployment issues, but it would not directly cause a 'Resource update cancelled' error with a temporary desired count reduction; the error message specifically points to a deployment configuration issue, not a target group health issue. Option C is wrong because the deployment circuit breaker is a feature that rolls back a deployment when it detects a failure (e.g., tasks failing to start), but it would not cause the desired count to be temporarily reduced; the circuit breaker triggers after a deployment failure, not as a cause of the count reduction. Option D is wrong because a missing IAM role for ecs:UpdateService would result in an authorization error (e.g., 'AccessDenied') during the update, not a 'Resource update cancelled' error with a temporary desired count reduction; the update would fail immediately with a permissions error, not after a partial state change.

822
MCQmedium

A DevOps engineer is troubleshooting a production issue where an application's response time has increased. The application is deployed on Amazon ECS with Fargate. The engineer wants to identify which microservice is causing the latency. Which AWS service should be used?

A.Amazon CloudWatch Synthetics canary to monitor the application endpoint.
B.AWS X-Ray to trace requests and analyze service latency.
C.Amazon CloudWatch Logs Insights to query application logs for errors.
D.Amazon CloudWatch ServiceLens to visualize service maps and traces.
AnswerB

X-Ray provides detailed traces and service maps to pinpoint latency.

Why this answer

AWS X-Ray is the correct service because it provides end-to-end tracing of requests as they travel through microservices, allowing the engineer to pinpoint which service is introducing latency. By analyzing trace segments and subsegments, X-Ray can break down response times for each component in the application, directly addressing the need to identify the specific microservice causing the delay.

Exam trap

The trap here is that candidates often confuse CloudWatch ServiceLens (which visualizes traces) with the actual tracing service itself, forgetting that ServiceLens depends on X-Ray to collect the trace data in the first place.

How to eliminate wrong answers

Option A is wrong because CloudWatch Synthetics canaries monitor endpoint availability and performance from the outside, but they cannot trace internal request paths across microservices to identify which specific service is causing latency. Option C is wrong because CloudWatch Logs Insights is designed for querying and analyzing log data, not for tracing request flows or measuring per-service latency; it would require manual correlation of timestamps across services. Option D is wrong because CloudWatch ServiceLens is a visualization layer that combines traces from X-Ray and metrics from CloudWatch, but it is not the primary service for tracing; the engineer must first use X-Ray to collect the trace data that ServiceLens visualizes.

823
MCQhard

A DevOps team is configuring an Auto Scaling group for a web application behind an Application Load Balancer. The team wants to automatically replace instances that fail the health check. Which scaling policy should be used?

A.Target tracking scaling policy
B.Default health check replacement
C.Step scaling policy
D.Manual scaling
AnswerB

Auto Scaling automatically terminates unhealthy instances and launches new ones based on the health check configuration.

Why this answer

Option A is correct because the default health check replacement automatically replaces unhealthy instances. Option B is wrong because manual scaling does not automate replacement. Option C is wrong because target tracking policies adjust based on metrics, not health.

Option D is wrong because step scaling policies adjust based on metric thresholds, not health.

824
Multi-Selecthard

A DevOps team needs to enforce that all S3 buckets in an AWS account are encrypted at rest. Which THREE steps should be taken to achieve this? (Choose THREE.)

Select 3 answers
A.Configure AWS Config rules to detect buckets without encryption
B.Use an S3 bucket policy to deny PutObject requests that do not include encryption headers
C.Enable S3 server access logging
D.Enable default encryption on each S3 bucket
E.Enable S3 Transfer Acceleration
AnswersA, B, D

Detects and can trigger remediation.

Why this answer

Using a bucket policy to deny PUT requests without encryption ensures objects are encrypted on upload. AWS Config rules can detect non-compliant buckets. S3 default encryption ensures new objects are encrypted.

Option B is irrelevant; Option D is about logging.

825
Multi-Selectmedium

A company needs to audit all changes to IAM policies in their AWS account. Which services can be used to track and log these changes? (Select TWO.)

Select 2 answers
A.Amazon S3
B.Amazon CloudWatch Logs
C.AWS Config
D.AWS CloudTrail
E.Amazon GuardDuty
AnswersC, D

Config can track changes to IAM policies and provide a history of configuration changes.

Why this answer

AWS CloudTrail logs API calls, including IAM policy changes. AWS Config can track configuration changes to IAM resources. CloudWatch Logs stores logs but does not track changes itself.

GuardDuty is for threat detection. S3 is storage.

Page 10

Page 11 of 24

Page 12