AWS Certified DevOps Engineer Professional DOP-C02 (DOP-C02) — Questions 826900

1740 questions total · 24 pages · All types, answers revealed

Page 12 of 24
826 · Multi-Select · hard

Which THREE of the following are best practices for managing IAM roles in AWS Organizations? (Choose three.)

Select 3 answers
A. Use service control policies (SCPs) to set permission boundaries.
B. Share the root user credentials of the master account with administrators.
C. Use a single IAM user with full permissions across all accounts.
D. Use IAM roles to delegate access to users and services across accounts.
E. Create IAM roles with the principle of least privilege.
Answers: A, D, E

SCPs help centrally control permissions for all accounts.

Why this answer

Using IAM roles to delegate access across accounts is a best practice. Creating roles with least privilege and using service control policies (SCPs) to enforce permission boundaries are also best practices. Sharing root user credentials is never a best practice.

Using a single IAM user across accounts is not recommended.

827 · MCQ · medium

A company runs a critical database on Amazon RDS for PostgreSQL with Multi-AZ deployment. The application experiences a brief outage during automatic failover. To improve availability, the company wants to reduce the failover time. What should they do?

A. Create a cross-Region Read Replica and promote it during failure
B. Enable Multi-AZ DB cluster with synchronous replication and a standby in a different AZ
C. Increase the DB instance class size to improve I/O performance
D. Remove Multi-AZ and use a single instance with increased backup frequency
Answer: B

Multi-AZ DB cluster provides faster failover with reader endpoint.

Why this answer

Using a Multi-AZ deployment with synchronous replication and a Multi-AZ DB cluster (standby with reader endpoint) provides faster failover times. Option A is wrong because Read Replicas are for read scaling, not automatic failover. Option D is wrong because removing Multi-AZ increases downtime.

Option C is wrong because increasing instance size does not reduce failover time.

828 · MCQ · hard

A company needs to enforce that all EC2 instances launched in an AWS account use a specific Amazon Machine Image (AMI) that is approved by the security team. Which combination of services should be used?

A. AWS Organizations SCP and AWS CloudTrail
B. AWS Config rule to check AMI ID and AWS Systems Manager Automation to remediate non-compliant instances
C. AWS Lambda and Amazon SNS
D. AWS CloudTrail and Amazon CloudWatch Events
Answer: B

Config detects, Systems Manager automates remediation.

Why this answer

AWS Config can detect non-compliant instances and AWS Systems Manager Automation can automatically remediate by stopping or terminating them. Option B is correct. Option A (SCP and CloudTrail) cannot enforce AMI IDs.

Option D (CloudTrail and CloudWatch Events) only logs. Option C (Lambda and SNS) could be used but is not the primary service.

829 · MCQ · easy

A DevOps engineer is designing a disaster recovery plan for a critical database. The RTO is 15 minutes and RPO is 1 minute. Which solution meets these requirements?

A. Use Amazon RDS Multi-AZ with automatic failover.
B. Use Amazon RDS with cross-Region read replicas and promote one during failover.
C. Schedule automated snapshots every 1 minute and restore in the same AZ.
D. Deploy a standby EC2 instance with a self-managed replication script.
Answer: A

Synchronous replication meets RPO; automatic failover meets RTO.

Why this answer

Option A is correct because Amazon RDS Multi-AZ provides synchronous replication with automatic failover, meeting an RPO of seconds and an RTO of a few minutes. Option B is wrong because cross-Region replication has a higher RPO due to asynchronous replication. Option C is wrong because snapshot-based recovery has a high RPO and RTO.

Option D is wrong because RDS Multi-AZ is cheaper and simpler than an always-on EC2 replica.

830 · MCQ · medium

A company runs a global web application on EC2 instances behind an ALB in us-east-1. They want to improve resilience by routing users to the nearest healthy region. Which service should they use?

A. AWS Global Accelerator
B. Application Load Balancer cross-zone load balancing
C. Amazon Route 53 latency-based routing with health checks
D. Amazon CloudFront with multiple origins
Answer: C

Routes to the region with lowest latency and healthy endpoints.

Why this answer

Amazon Route 53 with latency-based routing and health checks routes users to the region with the lowest latency and only to healthy endpoints. Option D is wrong because CloudFront with multi-region origins requires additional configuration. Option A is wrong because Global Accelerator improves performance but is not primarily for routing to the nearest region.

Option B is wrong because ALB is regional, not global.

831 · MCQ · hard

A company experiences a security incident where an unauthorized user accessed an S3 bucket containing sensitive data. The DevOps team needs to identify the source IP address and user agent of the request. Which AWS service provides this information?

A. VPC Flow Logs
B. Amazon S3 server access logs
C. AWS CloudTrail
D. Amazon CloudWatch Logs
Answer: B

Contains source IP and user agent.

Why this answer

Option B is correct because S3 server access logs contain detailed information about each request, including source IP, user agent, and requester. Option C is wrong because CloudTrail logs S3 API calls but does not include user agent by default. Option D is wrong because CloudWatch Logs can store logs but does not generate them.

Option A is wrong because VPC Flow Logs capture network traffic but not application-level details like user agent.

832 · MCQ · easy

A DevOps engineer is managing the lifecycle of a CloudFormation stack. The engineer needs to update a stack that contains an Auto Scaling group. The update requires a replacement of the Auto Scaling group. What will happen to the existing instances during the update?

A. The existing instances will be terminated after the new Auto Scaling group is created
B. The stack update will fail because Auto Scaling groups cannot be replaced
C. The existing instances will remain running and be associated with the new Auto Scaling group
D. The instances will be updated in-place by terminating and recreating each instance one by one
Answer: A

CloudFormation creates the new group first, then deletes the old one, terminating its instances.

Why this answer

When a CloudFormation stack update requires replacement of an Auto Scaling group (e.g., due to a change in the `LaunchConfigurationName` or `LaunchTemplate` property), CloudFormation creates the new Auto Scaling group first, then terminates the old instances after the new group is fully operational. This ensures minimal downtime because the new group begins serving traffic before the old one is torn down.

Exam trap

The trap here is that candidates assume CloudFormation performs in-place updates (Option D) or that replacement always fails (Option B), but the service explicitly supports create-before-destroy replacement for Auto Scaling groups.

How to eliminate wrong answers

Option B is wrong because CloudFormation supports replacing Auto Scaling groups during stack updates when the resource requires replacement; it does not fail. Option C is wrong because existing instances cannot be reassigned to a new Auto Scaling group; each instance is tied to a specific Auto Scaling group via its lifecycle hooks and launch configuration. Option D is wrong because CloudFormation does not perform in-place updates on Auto Scaling groups; it uses a create-before-destroy strategy, terminating the old group only after the new one is created.

833 · MCQ · hard

A company is using AWS CodeCommit with multiple repositories. Developers are required to create pull requests for all changes, and the pull request must be associated with a JIRA issue key (e.g., PROJ-123) in the commit message. A DevOps engineer needs to enforce this policy automatically. Which approach meets the requirement with minimal operational overhead?

A. Store JIRA keys in an S3 bucket and configure a CloudWatch Events rule to check commits
B. Create a CodeCommit trigger that invokes an AWS Lambda function to validate the pull request description and reject if missing JIRA key
C. Use AWS CodeBuild to run a validation script during the build phase
D. Require developers to install a pre-commit hook script locally
Answer: B

Server-side enforcement via triggers.

Why this answer

Option B is correct because CodeCommit supports custom triggers that can invoke a Lambda function to validate commit messages or pull request descriptions. This approach is automatic and does not require additional infrastructure. Option D is wrong because pre-commit hooks are client-side and not enforceable.

Option C is wrong because CodeBuild does not run on every commit by default and would require a pipeline trigger. Option A is wrong because S3 is not involved.

834 · MCQ · medium

Refer to the exhibit. An Auto Scaling group is configured with an Application Load Balancer. The group has a desired capacity of 2 instances spread across two Availability Zones. Recently, the application has been experiencing high error rates during deployments. The team suspects that new instances are being marked as healthy before they are fully ready. What should the team do to resolve this issue?

A. Add a step scaling policy to scale out more gradually.
B. Increase the HealthCheckGracePeriod to 600 seconds.
C. Increase the MaxSize to 10.
D. Change the HealthCheckType to ELB.
Answer: D

ELB health checks can be configured to require a successful response from the application, ensuring readiness.

Why this answer

Option D is correct because changing the health check type to ELB ensures that the ALB health checks determine instance health, which can be configured to require the application to respond before marking the instance healthy. Option B is wrong because increasing the grace period may delay health checks but does not ensure readiness. Option A is wrong because scaling policies do not affect health checks.

Option C is wrong because increasing max size does not address the readiness issue.

835 · MCQ · easy

A company needs to ensure that all API calls made to AWS are encrypted in transit. Which of the following is the correct way to enforce this?

A. Use an IAM policy with a condition that denies access unless the request uses HTTPS.
B. Configure security groups to allow only HTTPS traffic.
C. Use AWS Key Management Service (KMS) to create a key and require encryption.
D. Enable AWS CloudTrail to log all API calls.
Answer: A

You can attach an IAM policy with a Deny statement conditioned on the key 'aws:SecureTransport' being 'false', thus enforcing HTTPS for all API calls.

Why this answer

All AWS API endpoints support HTTPS (TLS) by default. To enforce encrypted access, you should use AWS Certificate Manager (ACM) to provide TLS certificates for your own services, but for AWS API calls, the encryption is inherent. However, the question asks to ensure that API calls to AWS are encrypted.

The correct approach is to use a resource-based policy like an S3 bucket policy that denies requests that are not using HTTPS (aws:SecureTransport). For other services, you can use IAM policies with conditions. Option B is wrong because security groups do not enforce encryption.

Option D is wrong because CloudTrail logs API calls but does not enforce encryption. Option C is wrong because KMS is for encryption keys, not for enforcing HTTPS.

836 · MCQ · medium

Refer to the exhibit. A security team wants to enforce that passwords expire after 60 days. Which action should be taken?

A. Use the AWS Management Console to change the password policy for each IAM user
B. Create a new IAM user and set the password policy on that user
C. Delete the current password policy and create a new one
D. Use the update-account-password-policy CLI command with --max-password-age 60
Answer: D

This command updates the password policy.

Why this answer

The current MaxPasswordAge is 90 days. To change it to 60, use the update-account-password-policy command. Option A is wrong because the password policy is account-level and cannot be changed per IAM user.

Option B is wrong for the same reason: the policy cannot be set on a single user. Option C is wrong because the CLI can modify the existing policy without deleting it.

837 · MCQ · hard

A company has a serverless application using AWS Lambda functions that process messages from an Amazon SQS queue. The Lambda function sometimes fails due to transient errors. The company wants to ensure that failed messages are retried and eventually processed or sent to a dead-letter queue after 3 retries. What is the correct configuration?

A. Set the Lambda function's retry policy to Maximum retries: 3 and configure a DLQ on the Lambda function.
B. Set the Lambda function's DLQ to an SQS queue and configure the event source mapping to use that DLQ after 3 retries.
C. Configure the SQS queue's redrive policy with maxReceiveCount: 3 and a dead-letter queue.
D. Create an AWS Step Functions workflow that polls the SQS queue, processes messages, and retries failures up to 3 times before moving to a DLQ.
Answer: C

SQS redrive policy handles retries and DLQ for messages that fail processing.

Why this answer

Option C is correct because the SQS queue's redrive policy specifies the max receive count and dead-letter queue, and Lambda's event source mapping handles retries. Option A is wrong because Lambda's retry policy with max retries=3 is for asynchronous invocations, not SQS. Option D is wrong because Step Functions add unnecessary complexity.

Option B is wrong because a DLQ on the Lambda function is for async invocations, not SQS.

838 · MCQ · hard

A DevOps engineer is configuring CloudWatch Logs for a Lambda function that processes streaming data from Kinesis. The function sometimes fails due to memory exhaustion. The engineer wants to ensure that logs from the function are shipped to CloudWatch Logs even when the function fails. Which configuration should be used?

A. Configure a Kinesis Agent on the Lambda execution environment to stream logs to CloudWatch Logs
B. Install the CloudWatch Logs agent on the Lambda function to continuously send logs
C. Enable detailed CloudWatch metrics for the Lambda function
D. Ensure the Lambda function writes logs to stdout or stderr; CloudWatch Logs will automatically capture them
Answer: D

Correct. Lambda automatically captures stdout/stderr and sends to CloudWatch Logs regardless of function success or failure.

Why this answer

Lambda functions automatically send all output written to stdout (via print or console.log) and stderr to CloudWatch Logs, regardless of whether the function succeeds or fails. This is a built-in behavior of the Lambda runtime, so no additional agents or configuration are needed to capture logs from a failed invocation due to memory exhaustion.

Exam trap

The trap here is that candidates may overthink the solution and assume a separate agent or service is required for log shipping in failure scenarios, when in fact Lambda's native stdout/stderr capture works automatically and reliably even on invocation failure.

How to eliminate wrong answers

Option A is wrong because a Kinesis Agent is designed to run on EC2 instances or on-premises servers to send data to Kinesis, not to stream logs from a Lambda execution environment; Lambda does not support installing or running external agents. Option B is wrong because the CloudWatch Logs agent is intended for EC2 instances or on-premises servers, and cannot be installed inside a Lambda function's ephemeral execution environment. Option C is wrong because enabling detailed CloudWatch metrics provides performance metrics (e.g., duration, invocations, errors) but does not capture or ship log output from the function.

839 · MCQ · easy

A company has a security policy requiring that all IAM users use multi-factor authentication (MFA) to access the AWS Management Console. The DevOps engineer needs to enforce this policy. What is the simplest way to achieve this?

A. Use Amazon Cognito to require MFA for console access.
B. Create an IAM policy that denies all actions unless MFA is present, and attach it to all IAM users or groups.
C. Enable MFA delete on the root account.
D. Enable MFA on the S3 bucket policy.
Answer: B

This policy enforces MFA for all API calls.

Why this answer

Option B is correct because an IAM policy with a condition on aws:MultiFactorAuthPresent can be attached to a group or user to deny access if MFA is not used. Option D is wrong because MFA cannot be enforced at the resource level for S3. Option C is wrong because it only applies to the root user, not IAM users.

Option A is wrong because Cognito is for application users, not AWS console access.

840 · MCQ · hard

A company uses AWS CloudFormation to deploy infrastructure. The stack creation fails with the error: 'Resource handler returned message: 'The security group does not exist in VPC'.' The template references a security group by name. What is the MOST likely cause?

A. The security group name is misspelled or uses incorrect case
B. The IAM role used for CloudFormation does not have permissions to describe security groups
C. The stack is being created in a Region where the security group does not exist
D. The template uses a parameter that resolves to the default VPC security group
Answer: A, C

A misspelled name would cause the security group not to be found.

Why this answer

Option A is correct because CloudFormation resolves security group references by exact name match, including case sensitivity. When a security group is specified by name in a template, CloudFormation performs a case-sensitive lookup in the target VPC. If the name is misspelled or the case differs (e.g., 'MySecurityGroup' vs 'mysecuritygroup'), the resource handler fails with the error 'The security group does not exist in VPC' because the lookup returns no match.

Exam trap

The trap here is that candidates often assume the error is due to IAM permissions or a missing VPC, but the specific phrasing 'does not exist in VPC' points directly to a name mismatch or case sensitivity issue in the security group lookup.

How to eliminate wrong answers

Option B is wrong because the error message specifically indicates the security group does not exist in the VPC, not a permissions issue; an IAM permissions error would produce a different message such as 'AccessDenied' or 'Unauthorized operation'. Option D is wrong because referencing a parameter that resolves to the default VPC security group would not cause this error; the default security group exists in every VPC and would be found, so the error would not occur unless the VPC itself is missing or the parameter value is invalid.

841 · MCQ · easy

A DevOps engineer notices that a CloudWatch alarm for high CPU utilization on an EC2 instance is not triggering despite the CPU consistently being above the threshold. The instance is in a VPC with a public subnet and has internet access. What is the most likely cause?

A. The EC2 instance does not have a public IP address.
B. The instance is using basic monitoring (5-minute intervals) which delays the alarm.
C. The IAM role attached to the instance does not have the cloudwatch:PutMetricData permission.
D. The CloudWatch alarm is in the 'INSUFFICIENT_DATA' state because the instance is stopped.
Answer: C

Without proper IAM permissions, the CloudWatch agent cannot publish metrics, causing the alarm not to trigger.

Why this answer

Option C is correct because CloudWatch requires the SSM Agent or the CloudWatch agent to send metrics; the standard EC2 metrics include CPU utilization, but if the instance is not sending detailed metrics, the alarm may not trigger if the threshold is based on a higher-resolution metric. However, the most common cause is that the CloudWatch agent is not installed or configured, or the IAM role lacks permissions. If the instance does not have the correct IAM role to publish custom metrics, CloudWatch alarms may not trigger.

Option A is wrong because CloudWatch can collect metrics from instances without a public IP if they have a NAT gateway or VPC endpoint. Option D is wrong because CloudWatch alarms are evaluated based on metric data, not instance state. Option B is wrong because standard monitoring collects metrics every 5 minutes, which should be sufficient for high CPU, though detailed monitoring (1-minute) is recommended.

842 · Multi-Select · easy

A company uses AWS CloudFormation to manage infrastructure. A stack update fails with a 'ROLLBACK_IN_PROGRESS' status. The DevOps engineer needs to investigate the failure. Which TWO actions should the engineer take?

Select 2 answers
A. Review AWS CloudTrail logs for the 'UpdateStack' API call.
B. Review the 'Stack Events' tab in the CloudFormation console to see the specific error messages.
C. Check the 'Rollback triggers' configuration for the stack.
D. Examine the stack's 'Template' and 'Parameters' to ensure they are correct.
E. Create a Change Set to see the proposed changes before re-attempting the update.
Answers: B, D

Stack events contain detailed status reasons for each resource, including failure reasons.

Why this answer

Option B is correct because the 'Stack Events' tab shows detailed error messages for each resource. Option D is correct because viewing the stack's template and parameters helps identify misconfigurations. Option C is wrong because rollback triggers are for deletion, not update failures.

Option A is wrong because CloudTrail logs API calls, not template validation errors. Option E is wrong because Change Sets are used for reviewing changes before execution, not for debugging failed updates.

843 · Multi-Select · hard

A company uses AWS CodePipeline to deploy a critical application. The pipeline has a manual approval step before deployment. Which TWO actions should be taken to improve security and auditability? (Choose two.)

Select 2 answers
A. Enable AWS CloudTrail to log all approval actions.
B. Remove the approval step and rely on post-deployment monitoring.
C. Integrate with AWS IAM to require multi-factor authentication (MFA) for approvers.
D. Replace the manual approval with an automated approval based on test results.
E. Use a shared IAM user for all approvers to simplify management.
Answers: A, C

CloudTrail logs who approved and when, providing an audit trail.

Why this answer

Options A and C are correct. Option B is wrong because it removes the manual approval control entirely. Option D is wrong because it bypasses the manual approval.

Option E is wrong because a shared IAM user reduces security and accountability.

844 · MCQ · easy

A DevOps engineer is troubleshooting an Amazon CloudWatch alarm that is not triggering as expected. The alarm monitors an SQS queue's ApproximateNumberOfMessagesVisible metric with a threshold of 100 for 1 evaluation period. The queue has had over 100 messages for the past 30 minutes, but the alarm remains in OK state. What is the most likely cause?

A. The alarm period is set longer than 30 minutes.
B. The alarm is not configured to evaluate the metric correctly.
C. The SQS queue is not being polled.
D. Messages are being consumed but not deleted, causing them to become invisible.
Answer: D

Messages in flight are not counted as visible.

Why this answer

Option D is correct because messages that have been received but not deleted are in flight (invisible) until the visibility timeout expires; the metric ApproximateNumberOfMessagesVisible only counts messages that are available for retrieval, not those in flight. Option B is wrong because the alarm is configured to monitor a metric, so it should trigger. Option A is wrong because the alarm period is likely set appropriately.

Option C is wrong because if the queue is not polled, messages remain in the queue but are visible.

845 · MCQ · easy

A company uses AWS CloudFormation to manage its infrastructure. The operations team needs to update a stack that includes an RDS database. The update requires changing the DB instance class, which will cause a replacement of the database. The team wants to minimize downtime and ensure that data is not lost. Which CloudFormation stack update policy should they use?

A. Set the CreationPolicy attribute on the database resource.
B. Configure a Stack Policy to protect the database resource.
C. Set the UpdatePolicy to AutoScalingRollingUpdate.
D. Set the UpdatePolicy to AutoScalingReplacingUpdate with WillReplace set to true.
Answer: D

This policy handles replacement of a resource with minimal downtime.

Why this answer

Option D is correct because the `AutoScalingReplacingUpdate` update policy with `WillReplace` set to `true` tells CloudFormation to create a new replacement resource (e.g., a new RDS DB instance) before deleting the old one, which minimizes downtime by allowing traffic to be switched to the new resource after it is fully provisioned. This policy is specifically designed for resources that must be replaced during an update, such as changing an RDS DB instance class that requires a new underlying host, and it ensures data is preserved by using the existing database snapshot or by relying on the replacement process to maintain data integrity.

Exam trap

The trap here is that candidates often confuse `AutoScalingRollingUpdate` (which is only valid for Auto Scaling groups) with `AutoScalingReplacingUpdate` (which is used for any resource that needs replacement), leading them to incorrectly select option C for a non-Auto Scaling resource like RDS.

How to eliminate wrong answers

Option A is wrong because the `CreationPolicy` attribute controls how CloudFormation waits for signals (e.g., from cfn-init) before marking a resource as created; it does not affect update behavior or minimize downtime during a replacement. Option B is wrong because a Stack Policy is used to prevent accidental updates or deletions of specific resources by denying update/delete actions, but it does not control the order or method of updates to minimize downtime. Option C is wrong because `AutoScalingRollingUpdate` is designed for Auto Scaling groups to update instances in batches, not for RDS instances; applying it to an RDS resource would have no effect and would not handle the replacement of a database.

846 · Multi-Select · medium

Which TWO approaches can be used to automate the creation of an AWS CloudFormation stack that includes IAM resources? (Select TWO.)

Select 2 answers
A. Store the CloudFormation template in an Amazon S3 bucket and use the 'aws cloudformation deploy' command.
B. Set the 'CAPABILITY_NAMED_IAM' capability when calling the CreateStack API.
C. Attach the AWS managed policy 'IAMFullAccess' to the IAM user or role executing the stack creation.
D. Use an AWS Lambda function to call the CreateStack API with the capabilities parameter set to 'CAPABILITY_IAM'.
E. Use the AWS CLI command 'aws cloudformation create-stack' with the '--capabilities CAPABILITY_IAM' parameter.
Answers: D, E

The Lambda function can programmatically create the stack with the required capability.

Why this answer

Option D is correct because when a CloudFormation stack includes IAM resources, you must explicitly acknowledge that the stack may create IAM entities. An AWS Lambda function calling the CreateStack API with the `capabilities` parameter set to `CAPABILITY_IAM` satisfies this requirement. Option E is correct because the AWS CLI `create-stack` command with the `--capabilities CAPABILITY_IAM` parameter also provides the required acknowledgment, allowing the stack to be created successfully.

Exam trap

The trap here is that candidates often confuse IAM permissions (like `IAMFullAccess`) with the CloudFormation capability acknowledgment, thinking that having the right IAM policy alone is sufficient to create IAM resources in a stack, when in fact the `CAPABILITY_IAM` or `CAPABILITY_NAMED_IAM` flag must be explicitly set in the API call.

847 · MCQ · medium

A company uses AWS CodePipeline with a multi-branch strategy. Developers push to feature branches, which should trigger a pipeline that runs unit tests and then deploys to a staging environment. However, the pipeline only triggers on the main branch. What should be done to enable pipeline execution for feature branches?

A. Change the source provider from Amazon S3 to AWS CodeCommit.
B. Increase the polling frequency in the source stage to detect new branches.
C. Create a separate pipeline for each feature branch.
D. Update the source stage to use 'Webhook' as the change detection method and specify a branch pattern.
Answer: D

Webhooks with branch patterns trigger pipelines on pushes to matching branches.

Why this answer

Option D is correct because enabling 'Webhook' as the source trigger type and specifying the feature branch pattern allows CodePipeline to start on pushes to those branches. Option A is incorrect because changing the source provider does not affect branch filtering. Option B is incorrect because polling is less efficient and not the recommended approach.

Option C is incorrect because a separate pipeline per branch would be overkill.

848 · MCQ · medium

A DevOps engineer is troubleshooting a slow web application. The application runs on EC2 instances behind an ALB. The engineer notices that the ALB's TargetResponseTime metric shows high p99 values, but the CPU and memory on the EC2 instances are well below thresholds. What is the most likely cause?

A. The Auto Scaling group has too many instances, causing increased network overhead
B. The ALB is routing requests to instances in different Availability Zones, increasing latency
C. The application is waiting on a slow database query or external API call
D. The ALB idle timeout is set too low, causing connections to be dropped
Answer: C

Correct. Application latency often comes from external dependencies.

Why this answer

High p99 TargetResponseTime on the ALB with low CPU and memory on the EC2 instances indicates that the bottleneck is not compute capacity but rather a dependency external to the application server. The application is likely waiting on a slow database query or external API call, which increases response time without consuming significant local CPU or memory. This is a classic symptom of an I/O-bound or network-bound dependency.

Exam trap

The trap here is that candidates often assume high response times must be caused by compute saturation (CPU/memory) or network issues, but the question deliberately shows low resource utilization to force you to consider external dependencies as the root cause.

How to eliminate wrong answers

Option A is wrong because having too many instances in the Auto Scaling group would reduce per-instance load and likely decrease response times, not increase them; network overhead from more instances is negligible compared to the ALB's connection management. Option B is wrong because ALB inherently routes requests to instances across Availability Zones with minimal latency overhead (typically <1 ms), and cross-AZ data transfer costs are not a significant factor in p99 response time. Option D is wrong because a low ALB idle timeout would cause connections to be dropped prematurely, resulting in client-side errors (e.g., 504 Gateway Timeout) rather than consistently high p99 response times; the metric would show timeouts, not slow completions.

849 · Multi-Select · medium

Which TWO actions are best practices when designing a CI/CD pipeline for a containerized application on Amazon ECS? (Choose two.)

Select 2 answers
A. Run a full integration test suite on every commit to the repository.
B. Separate the build stage from the deploy stage in the pipeline.
C. Build the Docker image in the deploy stage to ensure consistency.
D. Use a rolling update with a fixed number of tasks for deployment.
E. Use a blue/green deployment strategy for the ECS service.
Answers: B, E

Separation allows independent validation and rollback.

Why this answer

Using separate build and deploy stages (B) is a best practice for separation of concerns. Using a blue/green deployment strategy (E) ensures zero downtime. C is wrong because building the image inside the deployment stage conflates steps.

A is wrong because running a full integration test suite on every commit slows down the pipeline; tests should be optimized. D is wrong because a rolling update may cause downtime; blue/green is preferred for zero downtime.

850
Multi-Selecthard

A company is migrating to a microservices architecture on Amazon ECS with AWS Fargate. They want to automate the deployment process using AWS CodePipeline. The pipeline should build a Docker image, push it to Amazon ECR, and deploy the updated service to ECS. Which THREE components are required in the pipeline? (Choose 3.)

Select 3 answers
A.Deploy stage with AWS CodeDeploy to ECS.
B.Build stage with AWS CodeBuild to build the Docker image and push to ECR.
C.Manual approval stage.
D.Source stage with AWS CodeCommit or Amazon S3 as source.
E.Test stage with AWS CodeBuild to run unit tests.
AnswersA, B, D

Deploy stage updates the ECS service.

Why this answer

Options A, B, and D are correct. The pipeline needs a source stage (D) with CodeCommit or S3 to detect changes, a build stage (B) with CodeBuild to build the image and push it to ECR, and a deploy stage (A) with CodeDeploy (or the ECS deploy action) to update the service. Option C is wrong because a manual approval is optional.

Option E is wrong because a separate test stage is optional; unit tests can run inside the CodeBuild build.

851
Multi-Selectmedium

Which TWO actions should a DevOps engineer take to ensure that an Amazon RDS for PostgreSQL database is automatically recovered in the event of a failure?

Select 2 answers
A.Create a read replica in a different Availability Zone
B.Take manual snapshots every hour
C.Configure cross-region replication to a secondary region
D.Enable automated backups with a retention period of at least 1 day
E.Enable Multi-AZ deployment
AnswersD, E

Automated backups enable point-in-time recovery for manual restoration.

Why this answer

Options D and E are correct. Multi-AZ deployment (E) provides automatic failover to a synchronous standby, and automated backups (D) enable point-in-time recovery when the data itself is damaged rather than the instance. Option B is incorrect because manual snapshots require manual intervention to take and to restore, and hourly snapshots give an RPO of up to an hour.

Option A is incorrect because read replicas are for read scaling and are not promoted automatically. Option C is incorrect because cross-Region replication is for disaster recovery; promoting the replica is a manual step, not automatic recovery.

852
MCQeasy

A DevOps team uses AWS CodePipeline to deploy a web application. They notice that the deployment stage fails intermittently due to a missing configuration file. Which troubleshooting step should they take first?

A.Switch to AWS CodeBuild for the deployment stage.
B.Review the build logs in AWS CodeBuild to identify the error.
C.Recreate the pipeline with the same configuration to see if the issue repeats.
D.Verify the deployment group settings in AWS CodeDeploy.
AnswerB

Logs provide immediate insight into the failure.

Why this answer

Option B is correct because the build logs show whether the configuration file was generated and packaged into the build artifact; that is the first place to look when a deploy complains a file is missing, and an intermittent failure usually means the build only sometimes produces it. Option C is wrong because recreating the pipeline does not address the root cause. Option A is wrong because CodeBuild is a build service, not a replacement for the deployment stage.

Option D is wrong because the deployment group settings cannot explain a file missing from the revision; the file is absent because the build did not produce or include it, so the build logs come first and the CodeDeploy logs second.

853
MCQeasy

An organization is using AWS CodeDeploy to deploy an application to an Auto Scaling group. The deployment fails because the target group is not configured correctly. Which CodeDeploy component is responsible for registering instances with the load balancer?

A.The CodeDeploy agent configuration
B.The deployment group configuration
C.The AppSpec file hooks section
D.The application revision bundle
AnswerC

Hooks define lifecycle events, including registration/deregistration

Why this answer

The AppSpec file's 'hooks' section maps lifecycle events (BeforeInstall, AfterInstall, ApplicationStart, ValidateService, and so on) to scripts. For in-place deployments behind a load balancer, the BeforeBlockTraffic/AfterBlockTraffic and BeforeAllowTraffic/AfterAllowTraffic hooks surround the traffic-blocking and traffic-allowing steps, and scripts placed in those hooks deregister an instance before the new revision is installed and register it again afterwards.

Option C is correct. Option B is wrong because the deployment group names the target group, but the registration action runs from the AppSpec hooks. Option A is wrong because the CodeDeploy agent only runs the scripts; the configuration lives in AppSpec.

Option D is wrong because the revision contains the application files, not the traffic-routing logic. Caveat: when the deployment group has a load balancer configured, CodeDeploy performs the BlockTraffic and AllowTraffic steps itself; hook scripts are needed for a load balancer CodeDeploy does not manage, or for extra checks such as waiting for the target to report healthy.
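
An added example (not from the page, and not one of AWS's sample files) of an EC2/on-premises AppSpec that wires deregistration and registration scripts into the traffic hooks. The script paths, the destination directory and the existence of a load balancer in the deployment group are assumptions.

```yaml
# appspec.yml for an EC2/on-premises in-place deployment (added example; the
# script names and the install path are assumptions).
version: 0.0
os: linux
files:
  - source: /
    destination: /opt/webapp
hooks:
  # Runs before CodeDeploy blocks traffic: take this instance out of the target
  # group so in-flight requests drain before any file is replaced.
  BeforeBlockTraffic:
    - location: scripts/deregister_from_target_group.sh
      timeout: 300
      runas: root
  ApplicationStop:
    - location: scripts/stop_server.sh
      timeout: 60
      runas: root
  AfterInstall:
    - location: scripts/install_dependencies.sh
      timeout: 300
      runas: root
  ApplicationStart:
    - location: scripts/start_server.sh
      timeout: 60
      runas: root
  # Local health check before the instance is allowed to receive traffic again;
  # a non-zero exit here fails the deployment on this instance.
  ValidateService:
    - location: scripts/validate_service.sh
      timeout: 120
      runas: root
  # Runs after CodeDeploy allows traffic again: re-register with the target
  # group and wait until the target reports healthy.
  AfterAllowTraffic:
    - location: scripts/register_with_target_group.sh
      timeout: 300
      runas: root
```

The hooks are listed in the order CodeDeploy runs them for an in-place deployment with a load balancer. ValidateService is the gate that protects the minimum-healthy-hosts threshold: if it fails, the instance counts as unhealthy and CodeDeploy stops before it breaches the threshold.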

854
MCQmedium

An organization uses AWS CodeDeploy for automated deployments to EC2 instances. The deployment is failing with the error 'The overall deployment failed because too many individual instances failed deployment, too few healthy instances are available for deployment, or some instances in your deployment group are experiencing problems.' The deployment group has a minimum healthy hosts setting of 75%. The application has 4 instances. What is the MOST likely issue?

A.The AppSpec file references a script that does not exist.
B.The IAM instance profile does not have sufficient permissions.
C.The CodeDeploy agent is not installed on any of the instances.
D.The deployment failed on 2 instances, leaving only 2 healthy.
AnswerD

75% of 4 is 3; only 2 healthy is below threshold.

Why this answer

Option D is correct because if the deployment fails on 2 of the 4 instances, only 2 remain healthy (50%), which is below the 75% minimum, so CodeDeploy stops and marks the deployment failed. Option C is wrong because a missing agent would fail the deployment on every instance. Option A is wrong because a missing script would fail on every instance.

Option B is wrong because an inadequate instance profile would also fail on every instance. Note the arithmetic: with 4 instances and 75%, at least 3 must stay healthy at all times, so CodeDeploy can only deploy to 1 instance at a time, and a single failed instance is already enough to stall the rollout.

855
MCQmedium

A company is using an Application Load Balancer (ALB) in front of an Auto Scaling group of EC2 instances. The operations team notices that the error rate on the ALB is increasing, but the CPU utilization on the EC2 instances remains low. Which CloudWatch metric should be examined to determine if the errors are due to a lack of healthy targets?

A.UnHealthyHostCount
B.RequestCount
C.HealthyHostCount
D.TargetResponseTime
AnswerC

HealthyHostCount shows the number of targets passing health checks. A drop means fewer targets are available, which causes ALB errors.

Why this answer

Option C is correct because HealthyHostCount reports the number of targets that are passing health checks, per target group and Availability Zone. If it drops to zero in an AZ (or overall), the ALB has nowhere to route and returns 5xx errors. Option A (UnHealthyHostCount) is the complementary metric, but it does not tell you whether any capacity remains; 3 unhealthy targets means something different with 4 targets than with 40.

Option B (RequestCount) measures total requests. Option D (TargetResponseTime) measures latency. Pair HealthyHostCount with HTTPCode_ELB_5XX_Count to confirm the errors are generated by the load balancer rather than by the targets.

856
MCQhard

A DevOps team uses AWS Systems Manager Incident Manager for incident response. They have an escalation plan that sends notifications to an SNS topic. However, during a recent incident, the on-call engineer did not receive the notification. The engineer's phone number and email are correct in the SSM Incident Manager contact settings. What is the MOST likely cause of the missed notification?

A.SSM Incident Manager requires a VPC endpoint for SNS, which is not configured.
B.The SNS topic's IAM policy does not allow Systems Manager to publish messages.
C.The SNS subscription for the engineer's contact was never confirmed.
D.The SNS topic and the engineer's contact are in different AWS Regions.
AnswerC

SNS requires subscription confirmation for email/HTTP endpoints; without confirmation, notifications are not sent.

Why this answer

Option C is correct because an SNS subscription for an email or HTTP endpoint must be confirmed before delivery begins; an unconfirmed subscription silently delivers nothing, and correct contact details do not make the subscription active. Option B is wrong because a topic policy that blocked publishing would fail every subscriber, whereas the scenario is a single engineer missing a notification. Option D is wrong because a subscription can target an endpoint in any Region.

Option A is wrong because Incident Manager does not need a VPC endpoint to publish to SNS. Check: list-subscriptions-by-topic shows 'PendingConfirmation' in place of the SubscriptionArn for an unconfirmed subscription.

857
MCQmedium

A company is using AWS KMS to encrypt data at rest in Amazon S3. The security team requires that all encryption keys be automatically rotated every year. Which KMS key type should the company use to meet this requirement without manual intervention?

A.Customer managed key
B.Imported key material
C.Custom key store (CloudHSM)
D.AWS managed key
AnswerA

Customer managed keys can be configured for automatic annual rotation.

Why this answer

AWS managed keys are rotated on a schedule that AWS controls (every year today; it was every three years until 2022) and that you cannot enable, disable or change. A customer managed key lets you turn on automatic rotation yourself, set the period, and prove it with get-key-rotation-status. Imported key material cannot be rotated automatically; you must import new material and re-point the alias.

A custom key store backed by CloudHSM does not support automatic rotation either.

858
Multi-Selecthard

A company runs a critical application on Amazon ECS with Fargate. The application emits structured logs in JSON format. The DevOps team wants to monitor for specific error codes and receive near-real-time alerts. The team also needs to retain logs for 5 years for compliance. Which TWO steps should the team implement?

Select 2 answers
A.Create a CloudWatch Logs metric filter to count occurrences of specific error codes and create an alarm
B.Use Amazon Kinesis Data Analytics to analyze logs in real-time and send alerts
C.Enable AWS CloudTrail to log the application's API calls
D.Stream logs to Amazon S3 via Amazon Kinesis Data Firehose and use S3 event notifications to trigger alerts
E.Configure a CloudWatch Logs retention policy to keep logs for 5 years
AnswersA, E

Metric filters allow real-time monitoring and alerting.

Why this answer

Option A is correct because CloudWatch Logs metric filters use the JSON filter syntax to match fields in structured events (for example a pattern on an errorCode field) and count matches as a custom metric, and a CloudWatch alarm on that metric notifies via SNS within about a minute; this is the native, low-latency route for Fargate logs sent through the awslogs driver, with no extra infrastructure. Option E is correct because log group retention can be set to 1827 days (five years), which satisfies the compliance requirement without moving the logs anywhere.

Exam trap

The trap here is that candidates often confuse CloudTrail (which logs AWS API calls) with application-level logging, or they over-engineer the solution with Kinesis Data Analytics or Firehose when CloudWatch native features (metric filters and retention policies) are sufficient and more cost-effective for this use case.
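
An added example (not from the page) of the metric filter, alarm and retention policy as a CloudFormation fragment. The log group name, the error code value, the metric namespace and the SNS topic are assumptions; the ECS task definition's awslogs driver is assumed to write to the same log group.

```yaml
# Added example: metric filter + alarm + five-year retention for the Fargate
# service's JSON logs. Names and the error code are assumptions.
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  AlertTopicArn:
    Type: String            # existing SNS topic that pages the on-call (assumed)
Resources:
  AppLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: /ecs/orders-api
      RetentionInDays: 1827   # five years; one of the allowed retention values
  DbErrorFilter:
    Type: AWS::Logs::MetricFilter
    Properties:
      LogGroupName: !Ref AppLogGroup
      # JSON filter syntax: matches events whose "errorCode" field equals the
      # code of interest; non-JSON lines never match.
      FilterPattern: '{ $.errorCode = "DB_CONN_TIMEOUT" }'
      MetricTransformations:
        - MetricNamespace: OrdersApi
          MetricName: DbConnTimeoutCount
          MetricValue: '1'
          DefaultValue: 0     # publish 0 when nothing matches so the alarm sees data
  DbErrorAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: orders-api-db-conn-timeouts
      Namespace: OrdersApi
      MetricName: DbConnTimeoutCount
      Statistic: Sum
      Period: 60
      EvaluationPeriods: 1
      Threshold: 5            # five timeouts in one minute pages someone
      ComparisonOperator: GreaterThanOrEqualToThreshold
      TreatMissingData: notBreaching
      AlarmActions:
        - !Ref AlertTopicArn
```

DefaultValue and TreatMissingData together decide what happens in quiet minutes; without them an alarm on a sparse metric flaps into INSUFFICIENT_DATA. The filter only counts; to investigate a firing alarm, run the same pattern in Logs Insights against the log group.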

859
Multi-Selectmedium

A DevOps engineer is designing a secure CI/CD pipeline. Which TWO of the following are best practices for securing secrets in the pipeline?

Select 2 answers
A.Use encrypted environment variables in CodeBuild.
B.Store secrets in a parameter file in the source repository.
C.Hardcode secrets in CloudFormation template parameters.
D.Use S3 bucket policies to restrict access to secret files.
E.Store secrets in AWS Secrets Manager and retrieve them during the build.
AnswersA, E

CodeBuild supports encrypted environment variables.

Why this answer

Options A and E are correct because AWS Secrets Manager is a purpose-built store with encryption, access control and rotation, and CodeBuild can pull values from it (or from Parameter Store SecureString parameters) into environment variables at run time instead of holding them in the project definition as plaintext. Option B is wrong because anything in the source repository is readable by everyone with repository access and stays in the history forever. Option D is wrong because S3 bucket policies control access but do not turn a file in S3 into a secret store.

Option C is wrong because values passed as CloudFormation template parameters are visible in the template, the stack's parameter list and CloudTrail unless NoEcho is set, and even then they sit in the template.
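
An added example (not from the page) showing the weak setting beside the corrected one in a CodeBuild buildspec: a plaintext variable commented out, and the same values resolved from Secrets Manager and Parameter Store at run time. The secret and parameter names are assumptions; the CodeBuild service role needs secretsmanager:GetSecretValue and ssm:GetParameters on them.

```yaml
# Added example buildspec (not from the page). Secret and parameter names are
# assumptions.
version: 0.2
env:
  # Weak: a plaintext variable is stored in the project definition, readable by
  # anyone with codebuild:BatchGetProjects, and easy to echo into the build log.
  #variables:
  #  DB_PASSWORD: "Sup3rS3cret"
  # Better: CodeBuild resolves these when the build starts; the values are never
  # stored in the project, the repository or this file.
  secrets-manager:
    DB_PASSWORD: "prod/orders/db:password"     # secret-id:json-key
  parameter-store:
    DB_HOST: "/prod/orders/db_host"
phases:
  install:
    runtime-versions:
      nodejs: 18
  build:
    commands:
      - npm ci
      # Hand the secret only to the process that needs it; never print it.
      - DB_HOST="$DB_HOST" DB_PASSWORD="$DB_PASSWORD" npm test
```

The value is still in the build container's environment for the duration of the build, so any command that dumps the environment (a verbose installer, a crash handler) can leak it into the logs; keep the log group's access tightly scoped and avoid `env`/`set` style debugging in these builds.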

860
MCQhard

A company uses AWS CloudFormation to manage infrastructure. They need to implement a CI/CD pipeline that automatically updates CloudFormation stacks when changes are pushed to a CodeCommit repository. The pipeline must use change sets to review changes before execution. Which pipeline configuration meets these requirements?

A.Use a CloudFormation action in CodePipeline with action mode 'CREATE_UPDATE' and include a manual approval step before the action.
B.Use a CloudFormation action with action mode 'CHANGE_SET_REPLACE' and then a separate action with mode 'CHANGE_SET_EXECUTE' after an approval step.
C.Use an AWS Lambda function to create a change set and trigger a manual approval via SNS.
D.Use a CloudFormation action with action mode 'CREATE_UPDATE' and set the 'Review' flag to true.
AnswerB

Why this answer

Option B is correct because CodePipeline's CloudFormation deploy action supports a 'CHANGE_SET_REPLACE' mode that creates (or replaces) a named change set without executing it, and a 'CHANGE_SET_EXECUTE' mode that applies that change set. A manual approval action between the two lets reviewers inspect the change set in the CloudFormation console before anything is applied, which is exactly the requirement: review the change set, then execute it.

Exam trap

The trap here is that candidates often assume a manual approval step combined with a 'CREATE_UPDATE' action is sufficient for review, but they miss that change sets are required to preview the actual changes before execution, and 'CREATE_UPDATE' does not generate a change set at all.

Why the other options are wrong

A

CREATE_UPDATE directly applies changes without creating a change set first.

C

This is more complex and not the native CodePipeline CloudFormation action.

D

There is no 'Review' flag; CloudFormation actions do not support reviewing before update in that mode.
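
An added example (not from the page) of the Deploy stage as it would appear in an AWS::CodePipeline::Pipeline resource: create the change set, pause for approval, execute it. The stack name, artifact name, repository, roles and bucket are assumptions, and the Build stage is omitted because the template is deployed straight from source.

```yaml
# Added example: pipeline with change-set review. Names and roles are assumptions.
InfraPipeline:
  Type: AWS::CodePipeline::Pipeline
  Properties:
    RoleArn: !GetAtt PipelineRole.Arn          # assumed, defined elsewhere
    ArtifactStore:
      Type: S3
      Location: !Ref ArtifactBucket            # assumed, defined elsewhere
    Stages:
      - Name: Source
        Actions:
          - Name: Checkout
            ActionTypeId: { Category: Source, Owner: AWS, Provider: CodeCommit, Version: '1' }
            Configuration:
              RepositoryName: infra
              BranchName: main
              PollForSourceChanges: false      # start from the EventBridge rule instead
            OutputArtifacts:
              - Name: SourceOutput
      - Name: Deploy
        Actions:
          # 1. Create (or replace) the change set; nothing is applied yet.
          - Name: CreateChangeSet
            RunOrder: 1
            ActionTypeId: { Category: Deploy, Owner: AWS, Provider: CloudFormation, Version: '1' }
            Configuration:
              ActionMode: CHANGE_SET_REPLACE
              StackName: network-stack
              ChangeSetName: pipeline-changeset
              TemplatePath: SourceOutput::template.yaml
              Capabilities: CAPABILITY_NAMED_IAM
              RoleArn: !GetAtt CloudFormationDeployRole.Arn   # assumed least-privilege deploy role
            InputArtifacts:
              - Name: SourceOutput
          # 2. A human reviews the change set in the CloudFormation console.
          - Name: ReviewChangeSet
            RunOrder: 2
            ActionTypeId: { Category: Approval, Owner: AWS, Provider: Manual, Version: '1' }
            Configuration:
              CustomData: Review change set pipeline-changeset on network-stack before approving.
          # 3. Execute exactly the change set that was reviewed.
          - Name: ExecuteChangeSet
            RunOrder: 3
            ActionTypeId: { Category: Deploy, Owner: AWS, Provider: CloudFormation, Version: '1' }
            Configuration:
              ActionMode: CHANGE_SET_EXECUTE
              StackName: network-stack
              ChangeSetName: pipeline-changeset
```

Two things to check in practice: the change set is computed against the stack as it was when the set was created, so an out-of-band change between review and execution can make the execution fail or apply more than was reviewed; and the RoleArn in the CloudFormation action is the role CloudFormation uses to create resources, so scope it to what the template needs rather than reusing the pipeline role.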

861
MCQmedium

A company is designing a disaster recovery strategy for a critical application that requires a Recovery Time Objective (RTO) of 15 minutes and a Recovery Point Objective (RPO) of 1 hour. The application runs on EC2 with data stored in Amazon RDS Multi-AZ. Which approach meets these requirements?

A.Use a pilot light strategy with RDS cross-Region read replicas and automated backups
B.Use backup and restore with daily snapshots to another Region
C.Use a warm standby with a scaled-down production environment in another Region
D.Use a Multi-AZ deployment in the same Region for DR
AnswerA

Pilot light can achieve RTO 15 min, RPO 1 hour.

Why this answer

Option A is correct because a pilot light with RDS cross-Region read replicas and automated backups meets both targets. The cross-Region read replica replicates asynchronously with lag normally measured in seconds, far inside the 1-hour RPO, and automated backups give point-in-time recovery as a second line of defence. Promoting the replica takes minutes, and because the pilot light keeps the core pieces (the replica, AMIs, networking) in place in the DR Region, the application tier can be scaled up around it within the 15-minute RTO.

Exam trap

The trap here is that candidates often confuse Multi-AZ (high availability within a Region) with cross-Region disaster recovery, assuming Multi-AZ alone provides DR, but it does not protect against Region-wide outages.

How to eliminate wrong answers

Option B is wrong because daily snapshots to another Region give an RPO of up to 24 hours, far outside the required 1 hour, and restoring from a snapshot takes longer than 15 minutes. Option C would also meet both targets, since a warm standby keeps a scaled-down copy running with continuous replication, but it keeps more capacity running than a 15-minute RTO requires and costs more than the pilot light, so it is not the best fit among the choices. Option D is wrong because a Multi-AZ deployment in the same Region only protects against Availability Zone failures, not a regional outage, and so does not meet the DR requirement at all.

862
MCQmedium

A DevOps team uses AWS CodePipeline to automate deployments. The pipeline has a Deploy stage that uses AWS CloudFormation to create or update a stack. Recently, a stack update failed because the template referenced an AMI that was deprecated. The team wants to automatically roll back the stack to the last known good state if a deployment fails. What should they do?

A.Configure the CloudFormation deployment action in CodePipeline with 'ActionMode' set to 'CREATE_UPDATE' and check the 'Rollback on failure' option.
B.Use the CodePipeline console to enable 'Automatic rollback' for the Deploy stage.
C.Set the stack's 'DisableRollback' parameter to 'true' in the template.
D.Add a stack policy to the CloudFormation stack that denies updates to the AMI parameter.
AnswerA

CodePipeline's CloudFormation action supports automatic rollback on failure.

Why this answer

Option A is correct because with 'ActionMode' set to 'CREATE_UPDATE' the action runs a normal CloudFormation create or update, and with rollback on failure left enabled (CloudFormation's default) a failed update is rolled back to the last known good state: the stack passes through UPDATE_ROLLBACK_IN_PROGRESS to UPDATE_ROLLBACK_COMPLETE with the previously deployed resource configuration restored. This directly addresses the team's requirement to revert to a stable state after a failed deployment due to a deprecated AMI.

Exam trap

The trap here is that candidates confuse the CloudFormation stack-level 'DisableRollback' parameter (which controls rollback during stack creation) with the CodePipeline action-level 'Rollback on failure' option, leading them to incorrectly select Option C.

How to eliminate wrong answers

Option B is wrong because CodePipeline does not have an 'Automatic rollback' toggle at the stage level; rollback behavior is configured within the CloudFormation action itself, not via a generic stage setting. Option C is wrong because setting 'DisableRollback' to 'true' actually prevents rollback on failure, which is the opposite of what the team wants. Option D is wrong because a stack policy controls permissions for stack updates (e.g., preventing updates to specific resources), but it does not trigger an automatic rollback after a failed deployment.

863
MCQmedium

A company uses AWS CloudFormation to manage its infrastructure. The DevOps team has a template that creates an Amazon RDS DB instance and an EC2 instance that runs a web application. The EC2 instance needs to connect to the RDS instance using the database endpoint and password. The team currently passes the endpoint and password as CloudFormation parameters, which are then stored in the EC2 instance's user data. However, security audit has flagged this as a security risk because the password is visible in the user data. The team wants to securely pass the database credentials to the EC2 instance without exposing them in the template or user data. The EC2 instance has an IAM role that allows it to read from AWS Secrets Manager. Which solution should the team implement?

A.Store the password in AWS Systems Manager Parameter Store as a SecureString and have the EC2 instance retrieve it using the AWS CLI.
B.Encrypt the user data using AWS KMS and decrypt it on the EC2 instance at boot time.
C.Store the password in AWS Secrets Manager, use a dynamic reference to pass it to the EC2 instance's IAM role, and have the application retrieve it from Secrets Manager at runtime.
D.Use CloudFormation's Fn::GetAtt to retrieve the password from the RDS instance and pass it to the EC2 instance via user data.
AnswerC

This ensures the password is never stored in plaintext in the template or on the instance.

Why this answer

Option C is correct. The password lives in Secrets Manager and the template reaches it through a dynamic reference ('{{resolve:secretsmanager:...}}'), which CloudFormation resolves at deploy time and does not record in the template, the stack parameters or the stack events. The EC2 instance's IAM role is granted secretsmanager:GetSecretValue on that one secret, and the application fetches the password at runtime; user data then carries only the secret's name and the database endpoint.

Option A is wrong because a Parameter Store SecureString retrieved with the CLI is workable, but Secrets Manager adds built-in rotation and is what the instance role already allows. Option B is wrong because encrypting the user data does not help: whatever the instance decrypts at boot still lands on the instance, and now the key and the ciphertext handling have to be protected too. Option D is wrong because Fn::GetAtt on an RDS instance returns attributes such as the endpoint, never the password, and anything placed in user data is readable by every process on the instance through the instance metadata service.

864
MCQeasy

A startup wants to provide temporary, limited-privilege AWS access to external contractors who will assist with a project. The contractors do not have AWS accounts. The company wants to avoid creating IAM users for each contractor. They need a solution that allows contractors to log in to the AWS Management Console for a limited time. Which AWS service should the engineer use?

A.Use AWS SSO with an external identity provider, and grant access to an AWS account with a permission set.
B.Create IAM users for each contractor and attach a policy with a condition to expire access after the project.
C.Use Amazon Cognito user pools to create temporary user accounts.
D.Provide the contractors with the root user credentials of a separate AWS account.
AnswerA

AWS SSO allows granting temporary console access to external users.

Why this answer

AWS SSO (now IAM Identity Center) can grant external users access through its access portal with temporary credentials: federate an external identity provider, or create the contractors as users in the Identity Center directory and invite them by email, then assign a permission set to the account and remove the assignment when the project ends. IAM roles cannot be assumed without some AWS credentials to start from.

Cognito is for application users, not the Management Console. IAM users would mean creating long-lived identities; a policy condition can expire their permissions, but the user and any access keys remain until someone deletes them.

865
MCQhard

An organization uses AWS CodePipeline with multiple stages: Source, Build, Test, and Deploy. The Test stage runs integration tests that take 30 minutes. The team wants to speed up feedback without skipping tests. Which action should they take?

A.Use a larger build environment for the Test stage.
B.Configure parallel build actions in the Test stage to run tests concurrently.
C.Remove the Test stage and rely on post-deployment testing.
D.Move the Test stage to after deployment.
AnswerB

Running tests in parallel reduces the overall stage duration.

Why this answer

Option B is correct because splitting the suite across parallel actions in the stage (or a CodeBuild batch build) cuts the stage's wall-clock time without dropping any tests. Option C is wrong because it skips tests. Option A is wrong because a larger compute type only helps if the tests are CPU- or memory-bound; integration tests mostly wait on dependencies.

Option D is wrong because moving the tests after deployment delays the feedback instead of speeding it up.

866
MCQmedium

A DevOps engineer is troubleshooting a failed AWS CloudFormation stack update. The stack contains an AWS::Lambda::Function resource. The update failed with the error 'Resource creation cancelled' after a timeout. The engineer wants to view the logs from the Lambda function during the stack update to diagnose the issue. What should the engineer do?

A.Use AWS CodeBuild to build and test the function locally
B.Enable detailed CloudFormation logging in the stack template
C.Access the CloudWatch Logs log group for the Lambda function
D.Review the CloudFormation stack events in the AWS Management Console
AnswerC

Lambda writes logs to CloudWatch Logs automatically

Why this answer

CloudFormation does not directly capture Lambda function logs. The Lambda function logs are sent to Amazon CloudWatch Logs. The engineer should check the CloudWatch Logs log group for the specific function to see any errors during invocation.

Option C is correct. Option D is wrong because stack events record resource status transitions and a short status reason, not the function's output. Option B is wrong because CloudFormation has no 'detailed logging' setting that captures function output.

Option A is wrong because CodeBuild is not involved in this scenario. Two checks worth doing: look in the log group /aws/lambda/<function-name>, and read the stack events first, because 'Resource creation cancelled' also appears when CloudFormation aborts a resource because a different resource in the same update failed, in which case the Lambda logs are not where the answer is.

867
MCQmedium

A DevOps engineer needs to implement a CI/CD pipeline that builds a Docker image, scans it for vulnerabilities, and deploys it to Amazon ECS. The scanning must be integrated into the pipeline before the image is pushed to Amazon ECR. Which approach meets these requirements?

A.Enable ECR 'Scan on Push' and configure CodePipeline to deploy only if the scan result is clean.
B.Use CodeBuild to run a vulnerability scanner on the Docker image, then push to ECR only if the scan passes.
C.Use AWS Lambda to scan the image after push and automatically roll back if vulnerabilities are found.
D.Use AWS Security Hub to scan images in ECR and block deployment.
AnswerB

Why this answer

Option B is correct because it uses CodeBuild to run a vulnerability scanner on the Docker image before pushing to ECR, ensuring that only images that pass the scan are stored and deployed. This satisfies the requirement to scan before the image is pushed to ECR, which is critical for preventing vulnerable images from entering the registry.

Exam trap

The trap here is that candidates often confuse 'Scan on Push' (post-push) with pre-push scanning, or assume that Security Hub can directly scan and block deployments, when in reality it is an aggregation and correlation service, not a scanning engine.

Why the other options are wrong

A

Scan on Push scans after the image is pushed, not before. The requirement is to scan before push.

C

This scans after push, not before.

D

Security Hub aggregates findings but does not scan images itself; it relies on other services.

868
MCQeasy

A DevOps engineer is setting up a CI/CD pipeline for a microservices architecture. The team uses AWS CodeCommit, CodeBuild, and CodeDeploy. The engineer needs to ensure that the pipeline can automatically roll back the deployment if the health checks fail after deployment. Which action should the engineer take?

A.Use AWS Lambda to monitor health checks and trigger a rollback via the CodeDeploy API.
B.Configure the deployment group to roll back when a CloudWatch alarm is triggered.
C.Set up the deployment group to use blue/green deployment with traffic shifting.
D.Configure the pipeline to have a manual approval step after deployment.
AnswerB

CodeDeploy can automatically roll back based on CloudWatch alarms.

Why this answer

Option B is correct because a CodeDeploy deployment group can be configured to roll back automatically when a specified CloudWatch alarm enters ALARM (and, separately, when the deployment itself fails). Option A reinvents that built-in feature with custom code. Option D is a manual step. Option C controls how traffic is shifted to the replacement but does not on its own trigger a rollback; it still needs the alarm-based rollback setting.

869
MCQmedium

A company uses AWS CloudFormation StackSets to deploy a common security group across multiple accounts in an AWS Organization. The security group must allow inbound traffic from the organization's central VPN CIDR range. The VPN CIDR range is stored in AWS Systems Manager Parameter Store. How should the engineer reference this parameter in the StackSet template to ensure the value is resolved at deployment time?

A.Use Fn::ImportValue with an export from another stack that reads the parameter.
B.Use the dynamic reference '{{resolve:ssm:/org/vpn/cidr}}' in the template.
C.Use the Ref function on the parameter name as a CloudFormation parameter.
D.Use Fn::GetAtt to retrieve the parameter value from an AWS::SSM::Parameter resource.
AnswerB

B: Dynamic references allow CloudFormation to fetch the value from Parameter Store during stack operations.

Why this answer

Option B is correct because dynamic references (the 'resolve:ssm' prefix) fetch the parameter value when the stack is created or updated, so each StackSet instance resolves it in its own account and Region. Option C is wrong because Ref on a template parameter only returns the value passed at deployment, so someone would still have to look the CIDR up and pass it in. Option D is wrong because Fn::GetAtt returns attributes of a resource declared in the template, not the value of an existing parameter.

Option A is wrong because Fn::ImportValue is for cross-stack references within one account and Region, not Parameter Store. Check before deploying the StackSet: the parameter must exist in every target account and Region, and the execution role needs ssm:GetParameters on it, or those stack instances fail.
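
An added example (not from the page) that covers both of the dynamic-reference cases above in one template: the VPN CIDR resolved from Parameter Store into a security group, and the database password generated into Secrets Manager and resolved into the RDS instance, with the EC2 role allowed to read only that secret. The VPC, subnet, AMI parameter path, secret name and port are assumptions; the parameter name /org/vpn/cidr is the one from the question.

```yaml
# Added example: dynamic references for Parameter Store and Secrets Manager.
# Resource names, the secret name and the network parameters are assumptions.
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  SubnetId:
    Type: AWS::EC2::Subnet::Id
  ImageId:
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
    Default: /aws/service/ami-amazon-linux-latest/al2023-ami-kernel-default-x86_64
Resources:
  # The CIDR is read from Parameter Store on every create/update. In a StackSet
  # the parameter must exist in every target account and Region.
  VpnIngressSg:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow HTTPS from the corporate VPN only
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: '{{resolve:ssm:/org/vpn/cidr}}'
  # The password is generated inside Secrets Manager; it never appears here.
  DbSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: prod/orders/db
      GenerateSecretString:
        SecretStringTemplate: '{"username": "app"}'
        GenerateStringKey: password
        PasswordLength: 32
        ExcludeCharacters: '"@/\'
  Database:
    Type: AWS::RDS::DBInstance
    Properties:
      Engine: postgres
      DBInstanceClass: db.t3.micro
      AllocatedStorage: '20'
      MasterUsername: app
      # Resolved by CloudFormation at deploy time; not stored in the template,
      # the stack parameters or the stack events.
      MasterUserPassword: !Sub '{{resolve:secretsmanager:${DbSecret}:SecretString:password}}'
  # Least privilege: the instance can read this one secret and nothing else.
  AppRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: { Service: ec2.amazonaws.com }
            Action: sts:AssumeRole
      Policies:
        - PolicyName: read-db-secret
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: secretsmanager:GetSecretValue
                Resource: !Ref DbSecret
  AppInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles: [!Ref AppRole]
  AppInstance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref ImageId
      InstanceType: t3.micro
      SubnetId: !Ref SubnetId
      IamInstanceProfile: !Ref AppInstanceProfile
      SecurityGroupIds: [!Ref VpnIngressSg]
      # User data carries only the secret's ARN and the endpoint; the
      # application fetches the password with the instance role at runtime.
      UserData:
        Fn::Base64: !Sub |
          #!/bin/bash
          cat > /etc/orders.env <<EOF
          DB_HOST=${Database.Endpoint.Address}
          DB_SECRET_ID=${DbSecret}
          EOF
```

Do not put a '{{resolve:secretsmanager:...}}' reference inside UserData: CloudFormation would resolve it there too, and the plaintext would then sit in the instance metadata, which is the exact exposure the audit flagged. Also note that '{{resolve:ssm:...}}' only works for String and StringList parameters; a SecureString needs 'ssm-secure', which is accepted only on a fixed list of resource properties.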

870
MCQeasy

A developer wants to automate the creation of a new Amazon ECS service whenever a new Docker image is pushed to Amazon ECR. Which AWS service should be used to orchestrate this workflow?

A.Amazon EventBridge
B.AWS Step Functions
C.Amazon CloudWatch Logs
D.Amazon S3
AnswerA

EventBridge can detect ECR events and invoke a Lambda function to create the ECS service.

Why this answer

Option A is correct because Amazon EventBridge can match the ECR 'ECR Image Action' event (action-type PUSH, result SUCCESS) and invoke a target such as a Lambda function that creates the ECS service. Option C is incorrect because CloudWatch Logs is for log storage. Option B is incorrect because Step Functions orchestrates workflows but does not itself listen for events; it would be a target of the EventBridge rule if creating the service takes several steps.

Option D is incorrect because S3 is for object storage.

871
Multi-Selecthard

A company uses AWS CloudFormation to manage infrastructure. A stack update fails with the error: 'UPDATE_ROLLBACK_IN_PROGRESS'. The DevOps engineer needs to investigate the cause. Which THREE steps should the engineer take? (Choose THREE.)

Select 3 answers
A.Create a change set to see what changes were attempted.
B.Use the 'describe-stack-resource' AWS CLI command to get the resource status.
C.Review the CloudFormation console to identify which resource failed.
D.Use the '--retain-resources' option to preserve resources that failed to delete.
E.Check the CloudFormation stack events for error messages.
AnswersC, D, E

The console highlights the failed resource.

Why this answer

Options C, D, and E are correct. Option C: the CloudFormation console highlights the resource that failed. Option E: the stack events carry the status reason with the underlying API error, which is the actual cause.

Option D: '--retain-resources' (on delete-stack) keeps resources that fail to delete so a stack can still be removed; when the rollback itself is stuck in UPDATE_ROLLBACK_FAILED, the equivalent is continue-update-rollback with --resources-to-skip, which lets the stack reach UPDATE_ROLLBACK_COMPLETE. Option A is wrong because change sets preview changes before execution; they do not explain a failed update. Option B is wrong because describe-stack-resource returns one resource's current status but not the first failure or its reason; describe-stack-events is the primary command.

872
Multi-Selecthard

A DevOps team manages hundreds of EC2 instances using AWS Systems Manager State Manager. They need to ensure that a specific configuration (e.g., a custom firewall rule) is applied to all instances and remains enforced. Which THREE steps should they take? (Choose THREE.)

Select 3 answers
A.Ensure the instances have an IAM role that allows Systems Manager to perform actions.
B.Create a State Manager association using a custom document that defines the firewall rule.
C.Use AWS Config rules to detect non-compliance.
D.Use Run Command to execute the configuration once.
E.Set the association to apply the configuration on a schedule (e.g., every 30 minutes).
AnswersA, B, E

Proper IAM permissions are required for Systems Manager to manage instances.

Why this answer

Options A, B, and E are correct. Option B creates the State Manager association that ties the custom document to the target instances. Option E applies it on a schedule (the minimum rate is 30 minutes), so a rule that someone removes by hand is put back on the next run and the instance shows as non-compliant in between.

Option A is the prerequisite: the instance profile needs the permissions in AmazonSSMManagedInstanceCore (or equivalent), or the agent never registers and the association never runs. Option D is wrong because Run Command is a one-off execution, not continuous enforcement. Option C is wrong because Config rules only detect drift; they do not correct it without a separate remediation action.
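
An added example (not from the page) of the custom document and the association as CloudFormation resources. The tag key, the port and source range in the firewall rule, and the use of iptables are assumptions; the instances are assumed to be SSM-managed already (agent running, instance profile with AmazonSSMManagedInstanceCore).

```yaml
# Added example: custom SSM document plus a scheduled State Manager
# association. Tag, ports, addresses and names are assumptions.
Resources:
  FirewallRuleDocument:
    Type: AWS::SSM::Document
    Properties:
      DocumentType: Command
      Content:
        schemaVersion: '2.2'
        description: Ensure the admin port is reachable only from the bastion subnet
        mainSteps:
          - action: aws:runShellScript
            name: enforceFirewallRule
            inputs:
              runCommand:
                # Idempotent: add each rule only if it is missing, so repeated
                # runs do not stack duplicates.
                - |
                  set -e
                  ALLOW='-p tcp --dport 8443 -s 10.0.10.0/24 -j ACCEPT'
                  DROP='-p tcp --dport 8443 -j DROP'
                  iptables -C INPUT $ALLOW 2>/dev/null || iptables -I INPUT 1 $ALLOW
                  iptables -C INPUT $DROP 2>/dev/null || iptables -A INPUT $DROP
  FirewallRuleAssociation:
    Type: AWS::SSM::Association
    Properties:
      AssociationName: enforce-admin-port-firewall
      Name: !Ref FirewallRuleDocument
      Targets:
        - Key: tag:Role
          Values: [web]
      # Reapply on a schedule so drift (someone flushing iptables) is undone.
      ScheduleExpression: rate(30 minutes)
      ComplianceSeverity: CRITICAL   # failures surface in SSM Compliance
      MaxConcurrency: 10%
      MaxErrors: 5%
```

Targeting by tag rather than by instance ID means a newly launched instance with the tag picks up the association on its next run without a template change. The idempotency check matters: a document that appends rules unconditionally grows the chain by two lines every 30 minutes.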

873
Multi-Selectmedium

A company uses AWS CodeBuild to build and test a Node.js application. The buildspec.yml currently runs npm install and npm test. They want to also run a security scan using a third-party tool. Which THREE steps are required to integrate the security scan into the CodeBuild build?

Select 3 answers
A.Ensure the build fails if the scanner finds vulnerabilities by checking the exit code.
B.Create a new 'security' phase in the buildspec.yml.
C.Add a command to run the security scanner in the build phase.
D.Add a command to install the security scanning tool in the pre_build or build phase.
E.Upload the security scanner configuration to an S3 bucket and reference it in the buildspec.
AnswersA, C, D

Fail the build on security issues.

Why this answer

Option A is correct because CodeBuild phases (install, pre_build, build, post_build) run shell commands sequentially, and a non-zero exit code from any command causes the build to fail. By checking the exit code of the security scanner (e.g., via `$?` or relying on the tool's default exit behavior), the build will stop and report failure if vulnerabilities are found, enforcing a security gate. This is the standard mechanism to integrate third-party tools without custom scripting.

Exam trap

The trap here is that candidates think they need to create a custom phase (Option B) to run a security scan, but CodeBuild's fixed phases are sufficient—simply add the scanner command to the existing build phase after the test step.
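
An added example (not from the page) of a buildspec that serves both the pre-push scan question (867) and this one: unit tests, then the image build, then a third-party scanner run in the build phase, with the push to ECR happening only after a clean scan. Trivy is used as the scanner; its install script URL, the ECR repository, the severity threshold and the artifact name are assumptions.

```yaml
# Added example buildspec: test, build, scan, and push only on a clean scan.
# Scanner install URL, repository URI and threshold are assumptions.
version: 0.2
env:
  variables:
    REPO_URI: "123456789012.dkr.ecr.us-east-1.amazonaws.com/orders-api"   # assumed
phases:
  install:
    runtime-versions:
      nodejs: 18
    commands:
      # Third-party scanner installed into the build container (assumed install script).
      - curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
  pre_build:
    commands:
      - aws ecr get-login-password | docker login --username AWS --password-stdin "${REPO_URI%%/*}"
  build:
    on-failure: ABORT   # stop on the first non-zero exit; do not fall through to post_build
    commands:
      - npm ci
      - npm test
      - docker build -t "$REPO_URI:$CODEBUILD_RESOLVED_SOURCE_VERSION" .
      # Security gate: trivy exits 1 when a HIGH/CRITICAL finding exists, which
      # fails this phase before anything reaches the registry.
      - trivy image --exit-code 1 --severity HIGH,CRITICAL --ignore-unfixed "$REPO_URI:$CODEBUILD_RESOLVED_SOURCE_VERSION"
  post_build:
    commands:
      # Belt and braces: without on-failure ABORT, post_build runs even after a
      # failed build phase, so check the build status before pushing.
      - |
        if [ "$CODEBUILD_BUILD_SUCCEEDING" != "1" ]; then
          echo "build, test or scan failed; not pushing image" >&2
          exit 1
        fi
      - docker push "$REPO_URI:$CODEBUILD_RESOLVED_SOURCE_VERSION"
      - printf '[{"name":"orders-api","imageUri":"%s"}]' "$REPO_URI:$CODEBUILD_RESOLVED_SOURCE_VERSION" > imagedefinitions.json
artifacts:
  files:
    - imagedefinitions.json
```

The two guards exist because of a CodeBuild behaviour that catches people out: a failing command in the build phase does not by itself stop post_build from running, so a push placed in post_build would still happen unless the phase is marked on-failure: ABORT or the push checks CODEBUILD_BUILD_SUCCEEDING. Building and scanning a local image needs the project's privileged mode enabled for the Docker daemon, and the image is tagged with the commit hash so the ECS task definition pins an exact, scanned artifact rather than a moving latest tag.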

874
MCQeasy

A development team is using AWS CodeCommit as the source for a CI/CD pipeline. They want to automatically trigger a build in AWS CodeBuild whenever a developer pushes changes to any branch in the repository. Which pipeline configuration should be used?

A.Configure CodePipeline to poll the CodeCommit repository every minute
B.Use Amazon EventBridge to capture CodeCommit events and start a CodePipeline execution
C.Set up a scheduled CodePipeline execution using Amazon CloudWatch Events
D.Configure a CodeCommit repository trigger to invoke a Lambda function that starts a CodeBuild build
AnswerD

Triggers provide immediate response to pushes.

Why this answer

Option B is correct because using a webhook that triggers on all branch pushes is the simplest and most direct way to achieve automatic builds on every push. Option A is wrong because polling is less efficient and introduces latency. Option C is wrong because event rules require event bus setup and are more complex.

Option D is wrong because scheduled builds do not respond to pushes.

875
MCQhard

Refer to the exhibit. The deployment succeeded but the application fails. What is the MOST likely cause?

A.The CodePipeline deployment action uses the wrong cluster.
B.The new task definition has a misconfigured database connection string or security group.
C.The ECS service is not registered with a target group.
D.The database is not available in the same Availability Zone.
AnswerB

The timeout to database IP indicates network or configuration issue introduced by the new task definition.

Why this answer

The error shows a database connection timeout to an internal IP (10.0.0.5). The new task definition likely has incorrect environment variables or security group rules that prevent connecting to the database.

876
Multi-Selecteasy

A company is using AWS KMS to encrypt data. Which TWO statements about AWS KMS key rotation are correct? (Choose TWO.)

Select 2 answers
A.Customer managed keys can be configured for automatic rotation
B.Keys imported into KMS support automatic rotation
C.Automatic rotation is enabled by default for customer managed keys
D.Automatic rotation can be disabled for AWS managed keys
E.AWS managed keys are automatically rotated every year
AnswersA, E

You can enable automatic rotation for customer managed keys.

Why this answer

AWS managed keys are rotated automatically every year. Customer managed keys can have automatic rotation enabled, but it is not enabled by default. Option C is wrong because AWS managed keys cannot have automatic rotation disabled.

Option E is wrong because imported key material does not support automatic rotation.

877
MCQmedium

A DevOps engineer ran the above command and saw this output. What is the MOST likely cause of the stack creation failure?

A.The key pair specified in the launch template does not exist.
B.The IAM role does not have permission to create the Auto Scaling group.
C.The AMI ID specified in the launch template is not available in this Region.
D.The launch template name specified in the CloudFormation template is incorrect or does not exist.
AnswerD

The error indicates the launch template parameter is not supported, likely due to a missing or incorrect name.

Why this answer

The error message indicates that the launch template name specified in the CloudFormation template does not match any existing launch template in the account and Region. CloudFormation resolves the launch template name at stack creation time; if the name is incorrect or the template does not exist, the Auto Scaling group creation fails with a validation error. This is the most direct cause because the launch template name is a required parameter that must reference a pre-existing resource.

Exam trap

The trap here is that candidates confuse launch template validation errors with instance-level errors (like missing AMI or key pair), but CloudFormation validates the launch template name at the Auto Scaling group resource level before any EC2 instances are launched.

How to eliminate wrong answers

Option A is wrong because a missing key pair would cause an EC2 instance launch failure, not a stack creation failure at the Auto Scaling group level; the error message would reference 'InvalidKeyPair.NotFound' or similar. Option B is wrong because an IAM role lacking permissions to create an Auto Scaling group would produce an 'AccessDenied' or authorization error, not a validation error about a missing launch template. Option C is wrong because an unavailable AMI ID would cause an instance launch failure with an 'InvalidAMIID.NotFound' error, not a stack creation failure related to the launch template name.

878
MCQeasy

A company is building a multi-tier web application on AWS. The web tier runs on EC2 instances behind an ALB. The application tier runs on EC2 instances that are not publicly accessible. The database tier runs on RDS MySQL. Which design provides the HIGHEST level of resilience for the database tier?

A.Deploy a single RDS DB instance in one Availability Zone.
B.Deploy an RDS DB instance with a cross-region read replica.
C.Deploy an RDS DB instance with a read replica in the same region.
D.Deploy an RDS DB instance in a Multi-AZ configuration.
AnswerD

Multi-AZ provides automatic failover to a standby in another AZ.

Why this answer

Option D is correct because a Multi-AZ RDS deployment provides automatic failover to a standby in another AZ. Option A is wrong because a single DB instance is not resilient. Option B is wrong because read replicas do not provide automatic failover.

Option C is wrong because cross-region read replicas have higher latency and are not for failover.

879
MCQhard

A company is running a production microservices architecture on Amazon ECS with Fargate. The operations team wants to set up centralized logging across all services, including the ability to search logs in near real-time and retain them for 3 years. The logs are currently sent to CloudWatch Logs. Which combination of services would meet these requirements with the least operational overhead?

A.Stream logs to Amazon OpenSearch Service (Elasticsearch) using a CloudWatch Logs subscription filter.
B.Set a retention policy of 3 years on the CloudWatch Logs log groups and use CloudWatch Logs Insights for searching.
C.Export logs to Amazon S3 and use Amazon Athena to query them.
D.Use Amazon Kinesis Data Firehose to deliver logs to Amazon S3 with a 3-year lifecycle policy.
AnswerB

CloudWatch Logs Insights provides near real-time querying and retention policies are straightforward.

Why this answer

Option C is correct because CloudWatch Logs provides near real-time search and can set retention to 3 years. Option A is wrong because S3 + Athena is not real-time and adds complexity. Option B is wrong because Elasticsearch Service adds operational overhead.

Option D is wrong because Firehose to S3 alone lacks search capability.

880
Multi-Selecthard

A company runs a containerized application on Amazon EKS. The application must be highly available across multiple Availability Zones and must automatically recover from node failures. Which THREE steps should be taken?

Select 3 answers
A.Use Pod Disruption Budgets to ensure a minimum number of pods are available during voluntary disruptions.
B.Configure the Cluster Autoscaler to add nodes when pods are unschedulable.
C.Deploy worker nodes across multiple Availability Zones.
D.Deploy worker nodes in a single Availability Zone to reduce cross-AZ data transfer costs.
E.Use a single large instance type for all worker nodes to simplify management.
AnswersA, B, C

Helps maintain availability during updates.

Why this answer

Deploying worker nodes across multiple AZs ensures node diversity. Using Pod Disruption Budgets maintains minimum pod availability. Configuring cluster auto scaling replaces failed nodes.

881
Multi-Selecthard

Which THREE services can be used to protect a VPC from malicious traffic? (Choose 3.)

Select 3 answers
A.Network ACLs
B.Security Groups
C.AWS Shield
D.Amazon Route 53 Resolver
E.AWS Network Firewall
AnswersA, B, E

NACLs provide stateless firewall rules at the subnet level.

Why this answer

Network ACLs (NACLs) are stateless, subnet-level firewalls that filter traffic based on rules evaluating source/destination IP, protocol, and port. They provide an additional layer of defense by explicitly allowing or denying inbound and outbound traffic at the subnet boundary, making them a correct choice for protecting a VPC from malicious traffic.

Exam trap

The trap here is that candidates often confuse AWS Shield (a DDoS protection service) with a VPC-level firewall, not realizing it operates at the edge/global layer and does not filter traffic within the VPC itself.

882
MCQmedium

A company uses an Auto Scaling group with a dynamic scaling policy based on the average CPU utilization of the instances. During an incident, the DevOps team notices that the Auto Scaling group is not launching new instances quickly enough to handle a traffic spike. What is a possible cause for the slow scaling response?

A.The cooldown period is set too high.
B.The health check grace period is set too low.
C.The minimum group size is set too low.
D.The launch template has a long warm-up time.
AnswerA

A long cooldown can delay additional scaling activities after a previous one.

Why this answer

Option A is correct because the cooldown period prevents the Auto Scaling group from launching or terminating instances after a scaling activity. If the cooldown is too long, it delays subsequent scaling actions. Option B is wrong because the health check grace period is for instance health checks after launch, not scaling speed.

Option C is wrong because the warm-up time for the launch template is not a real parameter. Option D is wrong because the minimum group size is irrelevant to scaling speed.

883
MCQhard

A company runs a critical application on Amazon ECS with Fargate launch type. The application uses an Application Load Balancer (ALB) in front. During a load test, the team notices a sudden increase in 5xx errors from the ALB, and some tasks become unhealthy. The task logs show occasional 'OutOfMemoryError' exceptions. The task definition currently has 512 CPU units and 1024 MiB memory. What should the team do to mitigate the issue while maintaining a cost-effective approach?

A.Increase the task definition CPU to 1024 units and memory to 2048 MiB.
B.Increase the task definition memory to 2048 MiB while keeping CPU at 512 units.
C.Configure the ECS service to use a rolling update with a longer health check grace period.
D.Decrease the task definition memory to 512 MiB to force garbage collection more frequently.
AnswerB

This directly addresses the memory error without wasting resources on extra CPU.

Why this answer

Option B is correct because the application is experiencing OutOfMemoryError, indicating the current 1024 MiB memory allocation is insufficient. Increasing memory to 2048 MiB while keeping CPU at 512 units directly resolves the memory constraint without unnecessary CPU cost. ECS Fargate allows independent scaling of CPU and memory within valid combinations, and this change maintains a cost-effective approach by only increasing the resource that is actually constrained.

Exam trap

The trap here is that candidates may assume both CPU and memory must be increased together (Option A) or that a deployment strategy change (Option C) can mitigate resource exhaustion, when in fact the root cause is a memory limit that must be raised independently.

How to eliminate wrong answers

Option A is wrong because it increases both CPU and memory, which is unnecessary and more costly; the issue is memory, not CPU, and the extra CPU units would not resolve OutOfMemoryError. Option C is wrong because a rolling update with a longer health check grace period does not address the root cause of memory exhaustion; it only delays health check failures without fixing the underlying resource shortage. Option D is wrong because decreasing memory to 512 MiB would exacerbate the OutOfMemoryError, causing more frequent failures and task crashes, not improving garbage collection behavior.

884
MCQhard

A company is using Amazon CloudWatch Synthetics canaries to monitor its web application endpoints. The canaries are deployed in multiple AWS regions. The team wants to aggregate the canary results into a single dashboard in the US East (N. Virginia) region. What is the MOST efficient way to achieve this?

A.Replicate the canaries to US East (N. Virginia) and run them from there.
B.Create a cross-region CloudWatch dashboard and add metrics from each region using metric math.
C.Set up a Lambda function in each region to push canary results to a central S3 bucket, then create a dashboard from S3.
D.Create a CloudWatch Logs Insights query across all regions and visualize results.
AnswerB

Correct: Cross-region dashboards natively support displaying metrics from different regions.

Why this answer

Option B is correct because CloudWatch cross-region dashboards allow you to aggregate metrics from multiple regions into a single dashboard without data movement. By using metric math, you can reference metric IDs from different regions directly in the dashboard widget, enabling real-time aggregation of Synthetics canary success/failure rates and latency metrics from all regions into a unified view in US East (N. Virginia).

This approach avoids unnecessary data replication, reduces latency, and minimizes operational overhead.

Exam trap

The trap here is that candidates may assume cross-region aggregation requires data movement (e.g., to S3 or Lambda) or that CloudWatch dashboards are region-scoped, but AWS actually supports cross-region dashboards natively, making option B the most efficient and direct solution.

How to eliminate wrong answers

Option A is wrong because replicating canaries to US East (N. Virginia) would only monitor endpoints from that single region, losing the geographic distribution and failing to aggregate results from the original regions. Option C is wrong because pushing canary results to an S3 bucket and then creating a dashboard from S3 introduces unnecessary complexity, latency, and potential data staleness; CloudWatch Synthetics already stores metrics and logs in CloudWatch, so a cross-region dashboard is more direct and efficient.

Option D is wrong because CloudWatch Logs Insights queries cannot span multiple regions; they are scoped to a single region and log group, making cross-region aggregation impossible without additional tooling.

885
MCQmedium

A team uses AWS CodeDeploy to deploy an application to an Auto Scaling group. The deployment is configured with a deployment configuration that uses the 'CodeDeployDefault.OneAtATime' traffic routing. However, during deployment, the new instances are failing health checks and the deployment is rolling back. The team wants to minimize the impact on users. What should the team do to detect issues earlier?

A.Change the deployment configuration to 'CodeDeployDefault.AllAtOnce'.
B.Use a canary deployment configuration that shifts 10% of traffic initially.
C.Increase the batch size to deploy to multiple instances at once.
D.Add a manual approval step in the pipeline before the deployment.
AnswerB

Canary deployments allow early detection of issues with minimal impact.

Why this answer

Option B is correct. The 'CodeDeployDefault.AllAtOnce' deployment would update all instances at once, which could cause a full outage. The question asks how to detect issues earlier, so a smaller batch size or a canary deployment is needed; in this context, changing to a canary deployment that shifts a small percentage of traffic first is best.

Option A is wrong because increasing batch size makes detection later. Option C is wrong because manual approval doesn't detect health issues automatically. Option D is wrong because stopping the deployment is reactive, not proactive.

886
MCQmedium

A company is using AWS CloudFormation to deploy infrastructure. They want to receive notifications when a stack operation fails, including the specific resource that caused the failure. Which approach should they use?

A.Create a CloudWatch alarm on the 'StackFailure' metric.
B.Configure an SNS topic as a notification option in the CloudFormation stack and subscribe to receive stack events.
C.Create an AWS Lambda function that polls the CloudFormation DescribeStackEvents API every minute and sends an email on failure.
D.Enable AWS CloudTrail to log CloudFormation API calls and configure an SNS notification on the trail.
AnswerB

CloudFormation can send stack events (including failures) to SNS.

Why this answer

Option B is correct because CloudFormation allows you to specify an SNS topic ARN as a notification option when creating or updating a stack. When a stack operation fails, CloudFormation publishes a notification to that SNS topic, and the notification includes the logical resource ID and the status reason for the failure. This provides real-time, event-driven notifications without requiring polling or additional services.

Exam trap

The trap here is that candidates may confuse CloudWatch metrics or CloudTrail with CloudFormation's native notification capability, assuming that failure events are exposed as metrics or logs rather than through SNS topic subscriptions.

How to eliminate wrong answers

Option A is wrong because CloudFormation does not emit a 'StackFailure' metric to CloudWatch; CloudFormation publishes stack events to SNS topics, not CloudWatch metrics. Option C is wrong because polling the DescribeStackEvents API every minute introduces latency, unnecessary cost, and complexity compared to the native SNS notification mechanism; it also violates the principle of event-driven architecture. Option D is wrong because AWS CloudTrail logs API calls for auditing, but it does not provide real-time notifications on stack operation failures; configuring SNS on a trail only delivers log file delivery notifications, not stack failure events.

887
MCQhard

A company runs a critical application on Amazon ECS with the Fargate launch type. The application is deployed across three Availability Zones. Each service has its own Application Load Balancer. The company wants to implement a blue/green deployment strategy to reduce risk. They currently use AWS CodeDeploy for ECS deployments. During a recent deployment, the company noticed that the new version (green) was not receiving any traffic even after passing all health checks. The CodeDeploy configuration uses a 'Linear10PercentEvery3Minutes' traffic shifting configuration. What is the most likely reason that the green tasks are not receiving traffic?

A.The CodeDeploy deployment group is not associated with the correct ECS service.
B.The green target group's health check is misconfigured, causing CodeDeploy to consider the green tasks unhealthy and not route traffic.
C.The blue target group is still set as the production target group in the load balancer listener.
D.The green tasks are in a different VPC than the load balancer.
AnswerB

Health check failures prevent traffic routing even if tasks run.

Why this answer

The green target group's health check is misconfigured, causing CodeDeploy to consider the green tasks unhealthy. With a 'Linear10PercentEvery3Minutes' traffic shifting configuration, CodeDeploy gradually shifts traffic in 10% increments every 3 minutes, but only if the green target group passes health checks. If the health check fails, CodeDeploy stops traffic shifting, leaving the green tasks with zero traffic despite the tasks themselves being healthy.

Exam trap

The trap here is that candidates assume health checks passing on the ECS tasks means traffic will automatically route, but CodeDeploy relies on the target group's health check configuration, not the task's health status, to determine when to shift traffic.

How to eliminate wrong answers

Option A is wrong because if the CodeDeploy deployment group were not associated with the correct ECS service, the deployment would fail entirely or target the wrong service, but the green tasks would still be created and potentially receive traffic if health checks passed. Option C is wrong because CodeDeploy automatically updates the load balancer listener rules to point to the green target group during the traffic shifting process; the blue target group being set as production is the initial state, but CodeDeploy changes it as traffic shifts. Option D is wrong because ECS Fargate tasks and the load balancer must be in the same VPC for the service to function; if they were in different VPCs, the service would not register targets or pass health checks at all, not just fail to receive traffic after health checks pass.

888
MCQmedium

A DevOps engineer is designing a Git-based workflow for Infrastructure as Code using AWS CodeCommit and CodePipeline. The pipeline should deploy infrastructure changes to a test environment automatically when a pull request is merged to the 'main' branch. What is the minimal set of resources required?

A.CodeCommit, CodePipeline, CodeDeploy.
B.CodeCommit, CodePipeline, CloudFormation.
C.CodeCommit, CloudFormation, IAM.
D.CodeCommit, CodePipeline, CodeBuild, CloudFormation.
AnswerD

CodeBuild can execute CloudFormation via AWS CLI or SDK.

Why this answer

Option C is correct because CodeCommit triggers on pull request merge, CodeBuild runs the deployment, and CloudFormation executes the stack. Option A is wrong because CodeDeploy is for application deployment, not infrastructure. Option B is wrong because it lacks a build step.

Option D is wrong because it lacks automation.

889
MCQmedium

A company uses AWS CloudFormation to manage infrastructure. They have a production stack that creates an Auto Scaling group. They want to update the launch configuration to use a new Amazon Machine Image (AMI) ID without causing downtime. Which update policy should they set on the Auto Scaling group?

A.AutoScalingScheduledAction
B.AutoScalingReplacingUpdate
C.AutoScalingRollingUpdate
D.AutoScalingBatchUpdate
AnswerC

Rolling update updates instances in batches, minimizing downtime.

Why this answer

Option C is correct because the AutoScalingRollingUpdate policy allows CloudFormation to update the Auto Scaling group's launch configuration by gradually replacing instances in batches, ensuring that a minimum number of instances remain in service throughout the update. This prevents downtime by terminating old instances and launching new ones with the updated AMI in a controlled, rolling fashion.

Exam trap

The trap here is that candidates often confuse 'AutoScalingReplacingUpdate' (a non-existent policy) with the actual 'AutoScalingRollingUpdate' policy, or they mistakenly think 'AutoScalingScheduledAction' can handle launch configuration updates, when it only manages scheduled scaling events.

How to eliminate wrong answers

Option A is wrong because AutoScalingScheduledAction is used to define time-based scaling actions (e.g., increase capacity at a specific time), not to manage rolling updates or replace launch configurations. Option B is wrong because AutoScalingReplacingUpdate is not a valid CloudFormation update policy; CloudFormation uses 'AutoScalingRollingUpdate' for rolling updates and 'AutoScalingScheduledAction' for scheduled actions. Option D is wrong because AutoScalingBatchUpdate is not a valid CloudFormation update policy; the service does not support a 'batch' update policy, and rolling updates are the only native mechanism for gradual replacement.

890
Multi-Selecteasy

A company is designing a highly available architecture for a web application using AWS. Which TWO of the following design principles should be applied? (Select TWO.)

Select 2 answers
A.Run all resources in a single Availability Zone to reduce complexity
B.Store session data on EC2 instances to improve performance
C.Deploy resources across multiple Availability Zones
D.Use loosely coupled components, such as queues and asynchronous processing
E.Use tightly coupled components to reduce latency
AnswersC, D

Provides fault tolerance.

Why this answer

Correct answers: B and D. B spreads resources across AZs for fault tolerance. D decouples components to prevent cascading failures.

A is wrong because single Region is not resilient. C is wrong because tightly coupled components reduce availability.

891
MCQmedium

A DevOps engineer creates the IAM policy above for an instance role. The role is attached to an EC2 instance that runs an application. The application starts and stops EC2 instances and reads a database password from Systems Manager Parameter Store. However, the application fails to retrieve the parameter. What is the most likely cause?

A.The policy does not allow 'ssm:GetParameterHistory'.
B.The policy does not allow 'ec2:DescribeParameters'.
C.The parameter is a SecureString and the policy does not grant 'kms:Decrypt' permission for the KMS key.
D.The policy does not allow 'ssm:GetParameter' on the specific resource.
AnswerC

SecureString parameters require KMS decrypt permissions.

Why this answer

The policy allows 'ssm:GetParameter' and 'ssm:GetParameters' on the specific parameter ARN. To retrieve a parameter, the action 'ssm:GetParameter' is sufficient, provided the resource ARN is correct. The given ARN includes the parameter name '/MyApp/DBPassword'.

If the application is using a different path or the parameter is encrypted, the policy might be insufficient. But the most common issue is that the parameter is a SecureString and the policy also needs 'kms:Decrypt' access to the KMS key. Option C is correct because the policy does not include KMS permissions.

Options A and B are less likely. Option D is incorrect because the actions are allowed.

892
MCQmedium

A company uses AWS Elastic Beanstalk for its web application. After a deployment, the environment health changes to 'Severe' and the application becomes unresponsive. The DevOps team needs to quickly revert to the previous working version. What is the FASTEST way to achieve this?

A.Use the Elastic Beanstalk console to deploy the previous application version.
B.Swap environment URLs with a different environment that runs the previous version.
C.Terminate the environment and create a new one with the previous version.
D.Redeploy the same application version to the environment.
AnswerA

Elastic Beanstalk allows rolling back to a previous version quickly.

Why this answer

Option A is correct because Elastic Beanstalk supports rolling back to a previous application version through the console or CLI. Option B is wrong because terminating and recreating takes longer and loses configuration. Option C is wrong because swapping URLs with a different environment requires that environment to exist.

Option D is wrong because redeploying the same version may not fix the issue if the environment configuration has changed.

893
MCQhard

A company uses AWS CodeStar to manage software development projects. The team wants to integrate a third-party issue tracking system with CodeStar. Which AWS service should they use to achieve this integration?

A.Amazon API Gateway
B.Amazon CloudWatch Events
C.AWS CodePipeline webhooks
D.Amazon Simple Notification Service (SNS)
AnswerC

CodePipeline webhooks allow integration with external systems.

Why this answer

AWS CodePipeline webhooks allow you to connect external systems, such as a third-party issue tracking system, to your CodePipeline pipeline. When the external system triggers an event (e.g., an issue status change), the webhook sends an HTTP POST request to a configured endpoint in CodePipeline, which then starts the pipeline. This is the native integration mechanism for CodeStar to receive events from outside AWS.

Exam trap

The trap here is that candidates often confuse the purpose of AWS services like SNS or CloudWatch Events, thinking they can directly receive external HTTP callbacks, but they lack native webhook support for third-party systems, whereas CodePipeline webhooks are specifically designed for this integration.

How to eliminate wrong answers

Option A is wrong because Amazon API Gateway is used to create, publish, and manage RESTful APIs, not to directly integrate third-party issue tracking systems with CodeStar; it would require custom Lambda functions and additional overhead. Option B is wrong because Amazon CloudWatch Events (now Amazon EventBridge) is designed to route AWS service events and custom application events, but it cannot natively receive HTTP callbacks from a third-party issue tracking system without an intermediary like API Gateway. Option D is wrong because Amazon Simple Notification Service (SNS) is a pub/sub messaging service that can send notifications, but it does not provide a direct HTTP endpoint for third-party systems to trigger CodePipeline; it would require additional components to translate the webhook call into an SNS message.

894
MCQeasy

A company uses AWS OpsWorks for configuration management of a fleet of EC2 instances running a legacy application. The operations team needs to deploy a new version of the application across all instances without causing downtime. The application runs on each instance and requires a rolling update. Which approach should the team use?

A.Use AWS CodeDeploy to perform a blue/green deployment on the existing instances.
B.Create a new Auto Scaling group with the updated AMI and terminate old instances.
C.Manually update each instance by adding a new layer and reassigning instances.
D.Use the OpsWorks Deploy command to trigger a rolling update across the stack.
AnswerD

OpsWorks Deploy command updates instances one by one or in batches, minimizing downtime.

Why this answer

OpsWorks provides rolling updates via the Deploy command (A), which updates instances in batches. Option B (Layers) does not manage updates; C (Auto Scaling) is for scaling, not updates; D (CodeDeploy) is a separate service, but OpsWorks is the current tool.

895
MCQeasy

A DevOps engineer is writing an AWS CloudFormation template that creates an Amazon S3 bucket with versioning enabled. The engineer wants to ensure that the bucket cannot be deleted accidentally. What should the engineer add to the template?

A.Set the DeletionPolicy attribute to Retain on the S3 bucket resource
B.Enable termination protection on the S3 bucket
C.Add a DependsOn clause to the bucket referencing the stack itself
D.A bucket policy that denies s3:DeleteBucket
AnswerA

DeletionPolicy: Retain prevents the bucket from being deleted when the stack is deleted.

Why this answer

Setting the DeletionPolicy attribute to Retain on the S3 bucket resource ensures that when the CloudFormation stack is deleted, the bucket is preserved and not removed. This is the correct AWS CloudFormation mechanism to prevent accidental deletion of a resource, as it overrides the default behavior of deleting all resources when a stack is deleted.

Exam trap

The trap here is that candidates confuse termination protection (an EC2 feature) with CloudFormation's DeletionPolicy, or mistakenly believe a bucket policy can override CloudFormation's resource deletion behavior during stack teardown.

How to eliminate wrong answers

Option B is wrong because termination protection is a feature for EC2 instances, not for S3 buckets; S3 buckets do not have a termination protection attribute. Option C is wrong because a DependsOn clause only establishes resource creation order within a stack and does not prevent deletion of the bucket. Option D is wrong because a bucket policy that denies s3:DeleteBucket would prevent any IAM user or role from deleting the bucket, but it does not protect against the bucket being deleted when the CloudFormation stack is deleted, as CloudFormation uses the underlying AWS API with sufficient permissions to delete resources regardless of bucket policies.

896
MCQhard

Refer to the exhibit. A DevOps engineer runs the AWS CLI command to get the average TargetResponseTime for an ALB over a 1-hour period. The output shows only three datapoints. What is the most likely reason?

A. The ALB did not receive any requests during most of the 5-minute periods.
B. The metric TargetResponseTime is not available for Application Load Balancers.
C. The command is missing the 'Statistics' parameter with 'Average'.
D. The period of 300 seconds is too large; a smaller period should be used.
Answer: A

If no requests are received, no datapoints are emitted for that period.

Why this answer

Option A is correct because, with a period of 300 seconds (5 minutes), a full hour should yield 12 datapoints. The output shows only 3, so data is missing for most intervals, most likely because the ALB received no requests during them (the metric is emitted only when requests are processed). Option B is wrong because the metric is available for Application Load Balancers.

Option C is wrong because the command already includes the TargetGroup dimension and does return datapoints. Option D is wrong because the period is already set to 300 seconds, which matches the 5-minute intervals the question describes.

897
MCQ · easy

A company uses AWS CloudTrail to log API activity in their AWS account. The DevOps engineer needs to ensure that all management events are logged and that the logs are delivered to an S3 bucket in another account for centralized auditing. The engineer has already created an S3 bucket in the central auditing account and applied a bucket policy that grants the CloudTrail service permission to write logs. However, logs are not being delivered. The engineer verifies that the CloudTrail trail is configured to point to the correct S3 bucket name and that the bucket exists. What is the MOST likely reason the logs are not being delivered?

A. The S3 bucket policy in the central account does not include the 's3:PutObject' action for the CloudTrail service.
B. The S3 bucket must have ACLs enabled to allow cross-account writes.
C. The source account does not have a VPC peering connection to the central auditing account.
D. The CloudTrail trail must be created in the central auditing account, not the source account.
Answer: A

The bucket policy must explicitly allow the CloudTrail service to put objects; otherwise, the service cannot write.

Why this answer

Option A is correct because the bucket policy must explicitly grant the CloudTrail service principal the 's3:PutObject' permission on the bucket, not merely generic write access. Option C is wrong because CloudTrail delivers logs cross-account without any VPC peering connection. Option D is wrong because the trail does not need to be moved; what matters is the bucket policy on the destination bucket, not anything configured in the source account.

Option B is wrong because the bucket is in another account, so the source account cannot set ACLs on it; the bucket policy is the correct cross-account mechanism.

898
MCQ · easy

A DevOps engineer is responsible for monitoring a production environment that uses Amazon EC2 Auto Scaling. The engineer notices that the Auto Scaling group has been launching and terminating instances frequently over the past hour. The group uses a dynamic scaling policy based on average CPU utilization. The CloudWatch alarm that triggers scaling is set to a threshold of 70% CPU for scale-out and 30% for scale-in. The engineer checks the CloudWatch metrics and sees that CPU utilization is oscillating between 40% and 60%, never reaching the thresholds. The engineer suspects that the scaling policy is not working correctly. The engineer is considering the following actions: A) Change the scaling policy to use a target tracking policy with a target value of 50% CPU utilization. B) Increase the cooldown period for the scaling policy to 300 seconds. C) Disable the scale-in policy to prevent frequent terminations. D) Use a simple scaling policy instead of a dynamic scaling policy. Which action should the engineer take?

A. Disable the scale-in policy to prevent frequent terminations.
B. Change the scaling policy to use a target tracking policy with a target value of 50% CPU utilization.
C. Use a simple scaling policy instead of a dynamic scaling policy.
D. Increase the cooldown period for the scaling policy to 300 seconds.
Answer: B

Target tracking maintains a steady CPU level, reducing oscillations.

Why this answer

Option B is correct because a target tracking policy automatically adjusts the desired capacity to keep average CPU utilization near the target value, smoothing out oscillations. Option D is wrong because a longer cooldown may reduce churn but does not address the root cause of the oscillations; target tracking is more effective. Option A is wrong because disabling scale-in could lead to over-provisioning.

Option C is wrong because simple scaling policies are less responsive and can also cause oscillations.

899
MCQ · easy

A company uses AWS CodeBuild to compile and test code. The build process requires a specific version of a library that is not available in the default build environment. Which approach should be used to include this library in the build process?

A. Modify the buildspec file to include the library as a build artifact.
B. Store the compiled library in an Amazon S3 bucket and download it during the build process using the buildspec file.
C. Add an install command in the buildspec file to download and compile the library during each build.
D. Create a custom Docker image that includes the library and use it as the build environment in CodeBuild.
Answer: D

Custom images allow full control over the build environment.

Why this answer

Option D is correct because creating a custom Docker image that includes the required library keeps the build environment consistent and reproducible and avoids repeated download and compile overhead. AWS CodeBuild supports custom Docker images via the `image` field in the buildspec file or the console, allowing you to specify a repository in Amazon ECR or Docker Hub. This approach aligns with infrastructure-as-code best practice by baking dependencies into the environment rather than installing them at build time.

Exam trap

The trap here is that candidates often choose Option B or C because they think 'download during build' is simpler, but they overlook the core DevOps principle of immutable build environments and the inefficiency of re-downloading or recompiling dependencies on every build run.

How to eliminate wrong answers

Option A is wrong because a build artifact is the output of a build process, not a mechanism to include external dependencies; modifying the buildspec to include a library as an artifact would not install it into the build environment. Option B is wrong because while downloading from S3 is possible, it introduces network latency, potential permission issues, and version management overhead; it is a workaround rather than a proper solution for a missing library. Option C is wrong because adding an install command to download and compile the library during each build is inefficient, increases build time, and risks build failures due to network issues or source unavailability; it also violates the principle of using a consistent, pre-configured environment.

900
Multi-Select · easy

Which TWO are valid deployment configurations in AWS CodeDeploy? (Choose two.)

Select 2 answers
A. Rolling
B. Linear
C. AllAtOnce
D. Canary10Percent5Minutes
E. BlueGreen
Answers: C, D

AllAtOnce is a predefined configuration that deploys to all instances at once.

Why this answer

CodeDeploy provides predefined deployment configurations like Canary10Percent5Minutes and AllAtOnce. BlueGreen is a deployment type, not a configuration. Rolling is not a configuration name.

Linear is likewise a deployment type, not a configuration name.
