AWS Certified DevOps Engineer Professional DOP-C02 (DOP-C02) — Questions 901–975

1740 questions total · 24 pages · All types, answers revealed

Page 13 of 24

901
Multi-Select · medium

A company is designing a resilient architecture for a critical application. Which TWO strategies improve resilience?

Select 2 answers
A. Deploy resources across multiple Availability Zones
B. Use a single large instance instead of multiple smaller ones
C. Use health checks to automatically replace unhealthy resources
D. Disable automated backups to reduce latency
E. Deploy resources in a single Availability Zone
Answers: A, C

Multi-AZ provides redundancy.

Why this answer

Multi-AZ deployments and health checks with auto-remediation improve resilience by handling failures automatically.

902
MCQ · hard

An organization uses AWS CodePipeline to deploy a serverless application using AWS Lambda and Amazon API Gateway. The pipeline includes a manual approval action. The team wants to ensure that the approval email is sent to multiple approvers and that any one of them can approve or reject. How should the approval action be configured?

A. Specify multiple email addresses in the 'ApproverEmail' field of the approval action.
B. Set the 'Approvers' field in the approval action to a comma-separated list of IAM user ARNs.
C. Add multiple IAM users to the pipeline's service role.
D. Create an Amazon SNS topic with multiple subscribers, and configure the approval action to use that SNS topic ARN.
Answer: D

CodePipeline sends approval notifications to the SNS topic, and any subscriber can respond.

Why this answer

Option D is correct because the manual approval action in CodePipeline supports a list of SNS topic ARNs; any subscriber of that topic can approve or reject. Option A is wrong because you cannot specify multiple email addresses directly in the action. Option B is wrong because the approval action does not have an 'Approvers' attribute for listing IAM users; it uses SNS topics. Option C is wrong because adding IAM users to the pipeline's service role does not designate them as approvers.

903
MCQ · easy

A DevOps engineer is setting up a CI/CD pipeline for a Node.js application. The application must be built, tested, and deployed to an Amazon ECS cluster. The team wants to use AWS CodeBuild to run unit tests and package the application as a Docker image, and AWS CodePipeline to orchestrate the workflow. Which artifact type should CodeBuild output to be used by a subsequent CodePipeline action?

A. A Docker image pushed to Amazon ECR.
B. A zip file containing the application source code.
C. A tarball stored in Amazon S3.
D. A JSON file with the image details.
Answer: A

ECR is the registry for Docker images.

Why this answer

Option A is correct because CodeBuild can push a Docker image to Amazon ECR, and CodePipeline can use that image in a deploy action. Option B is wrong because the build produces a Docker image, not a zip of the source code. Options C and D are wrong because the image is stored in ECR, not as a tarball in S3 or as a JSON file.

904
MCQ · medium

A DevOps team uses AWS Elastic Beanstalk to deploy a web application. They want to implement a blue/green deployment strategy to minimize downtime. Which configuration change should they make?

A. Create a new environment and perform a CNAME swap.
B. Set the deployment policy to 'All at once'.
C. Set the deployment policy to 'Rolling' with a batch size of 50%.
D. Set the deployment policy to 'Immutable'.
Answer: A

Blue/green deployments involve creating a separate environment and swapping the environment URL.

Why this answer

Option A is correct because blue/green deployments in Elastic Beanstalk use a CNAME swap to route traffic to the new environment. Option B is wrong because all-at-once causes downtime. Option C is wrong because rolling updates update in place. Option D is wrong because immutable updates do not swap URLs.

905
MCQ · easy

A developer is using AWS CloudFormation to deploy a stack that includes an AWS Lambda function. The Lambda function code is stored in an S3 bucket. The CloudFormation template references the S3 bucket and object key. The developer wants to update the Lambda function code by uploading a new zip file to S3 and then updating the stack. The developer updates the S3 object with a new version, but the stack update does not automatically use the new code. What should the developer do to ensure the stack update uses the new code?

A. Enable S3 event notifications to trigger a CloudFormation stack update when the object is updated.
B. Modify the CloudFormation stack policy to allow updates to the Lambda function.
C. Delete the stack and recreate it with the new code.
D. Upload the new code to a different S3 key or specify a new version ID in the CloudFormation template.
Answer: D

Changing the S3 key or version ID forces CloudFormation to recognize the change and update the Lambda function.

Why this answer

Option D is correct because CloudFormation only detects a change to the Lambda code when the S3 key or object version referenced in the template changes. By uploading the new code under a different key or setting a new version ID, CloudFormation will detect the change and update the Lambda function. Option A is wrong because CloudFormation does not automatically poll for S3 changes. Option B is wrong because the stack policy does not affect resource updates. Option C is wrong because recreating the entire stack is unnecessary and disruptive.

906
MCQ · medium

A DevOps team wants to enforce that all EC2 instances launched in an AWS account have a specific tag 'Environment' with value 'Production' or 'Development'. The team uses AWS CloudFormation to provision resources. Which approach should the team use to enforce tagging compliance at launch?

A. Configure a CloudFormation stack policy that denies stack updates if the tag is missing.
B. Add an IAM policy that denies ec2:RunInstances unless the request includes the required tag.
C. Create an AWS Service Catalog portfolio with a tag option constraint that requires the tag.
D. Use an AWS Config rule with an auto-remediation action that applies the required tag to non-compliant resources.
Answer: D

AWS Config can evaluate resources against rules and trigger auto-remediation to apply missing tags.

Why this answer

Option D is correct because AWS Config rules can evaluate EC2 instances for the presence of the 'Environment' tag with allowed values and, when combined with an auto-remediation action (e.g., using AWS Systems Manager Automation), can automatically apply the missing tag to non-compliant resources. This enforces tagging compliance at launch and throughout the resource lifecycle, even if the instance was launched without the tag. The auto-remediation action can be triggered as soon as the Config rule detects non-compliance, ensuring the tag is applied shortly after launch.

Exam trap

The trap here is that candidates often confuse 'enforcement at launch' with 'prevention at launch' and incorrectly choose an IAM policy (Option B) or a Service Catalog constraint (Option C), not realizing that AWS Config with auto-remediation provides a more flexible and comprehensive enforcement mechanism that works across all launch methods and can correct non-compliance after the fact.

How to eliminate wrong answers

Option A is wrong because CloudFormation stack policies control updates to existing stacks, not enforcement of tags on resources at launch; they cannot deny resource creation based on missing tags. Option B is wrong because IAM policies that deny ec2:RunInstances unless the request includes the required tag would block all launches that don't explicitly specify the tag in the API call, but this approach is brittle and does not cover resources launched by services like Auto Scaling or CloudFormation that may not pass tags in the same way; also, it does not remediate non-compliant resources after launch. Option C is wrong because AWS Service Catalog tag option constraints only enforce tags on products provisioned through Service Catalog, not on EC2 instances launched directly via CloudFormation or other means outside of Service Catalog.

907
MCQ · hard

An application running on Amazon ECS Fargate is experiencing intermittent HTTP 503 errors from the Application Load Balancer (ALB). The target group health checks are passing. Which configuration is MOST likely causing this issue?

A. The deregistration delay is set too short, causing connections to be closed before requests complete.
B. The ALB's slow start duration is too long, causing requests to be dropped.
C. The health check interval is set too low, causing targets to be marked unhealthy prematurely.
D. The ALB's circuit breaker is tripping due to high error rates.
Answer: A

If delay is too short, in-flight requests may fail with 503 when a target is deregistered.

Why this answer

Option A is correct because a deregistration delay that is too short can cause the ALB to send traffic to a draining target, resulting in 503s. Option B is wrong because slow start only affects new targets. Option C is wrong because a health check interval that is too short would cause flapping, not 503s. Option D is wrong because a circuit breaker does not cause 503s directly.

908
MCQ · hard

A company has a monolith application that takes over an hour to build. The DevOps team wants to implement continuous integration using AWS CodeBuild. The build environment requires a large amount of dependencies that are rarely updated. Which strategy will MINIMIZE build time and cost?

A. Enable Amazon S3 cache for the CodeBuild project to reuse dependencies from previous builds.
B. Store the dependencies in an Amazon S3 bucket and download them at the start of each build.
C. Create a custom Docker image that includes all dependencies and use it as the build environment.
D. Use a larger compute type for the CodeBuild project to speed up the build.
Answer: C

Pre-installing dependencies in the image eliminates download time entirely.

Why this answer

Option C is correct because a custom Docker image with pre-installed dependencies avoids re-downloading them on each build, reducing build time and cost. Option A is wrong because S3 caching helps but is slower than having the dependencies baked into the image. Option B is wrong because downloading the dependencies at the start of every build still costs time on every run. Option D is wrong because increasing compute resources may not help if the bottleneck is the network.

909
MCQ · easy

A DevOps engineer is setting up a CI/CD pipeline for a microservices application using AWS CodePipeline. The pipeline includes a Test stage that runs integration tests against a staging environment. The engineer wants to ensure that manual approval is required before deploying to production. Which action should be taken?

A. Configure a CodeCommit approval rule template to block the merge.
B. Use CloudWatch Events to send a notification and wait for a custom signal.
C. Set the pipeline to only run on manual invocation.
D. Add a manual approval action in the pipeline stage before production deployment.
Answer: D

Manual approval actions pause the pipeline until approved.

Why this answer

Option D is correct because a manual approval action in CodePipeline requires a reviewer to approve before the pipeline proceeds to the next stage. Option A is wrong because CodeCommit approval rules do not provide approval workflows for pipeline stages. Option B is wrong because CloudWatch can monitor but not block. Option C is wrong because the approval is a stage action, not a matter of how the pipeline is triggered.

910
MCQ · medium

A company uses AWS CloudTrail to log API activity across multiple accounts in AWS Organizations. The security team wants to receive near-real-time notifications for specific high-risk API calls, such as IAM policy changes or S3 bucket policy modifications. What is the MOST efficient and scalable solution?

A. Deliver CloudTrail logs to an S3 bucket, enable S3 Event Notifications to trigger a Lambda function that filters and publishes to SNS.
B. Create a CloudWatch Events rule that matches the specific API calls and publishes to an SNS topic.
C. Use CloudWatch Logs Insights to query CloudTrail logs and set up a metric filter with an alarm.
D. Enable AWS Config rules to detect changes and trigger an SNS notification.
Answer: A

This is efficient and scalable because S3 events are near-real-time and Lambda can filter precisely.

Why this answer

Option A is correct because it uses S3 Event Notifications to trigger a Lambda function in near-real-time when CloudTrail logs are delivered to S3. The Lambda function can filter for specific high-risk API calls (e.g., IAM policy changes, S3 bucket policy modifications) and publish only relevant events to an SNS topic, providing a scalable and cost-effective solution that avoids polling or complex querying.

Exam trap

The trap here is that candidates often assume CloudWatch Events (EventBridge) is the default choice for real-time CloudTrail monitoring, but they overlook that S3 Event Notifications with Lambda provide a more direct and scalable path for filtering high-volume log data without the overhead of streaming all logs to CloudWatch Logs.

How to eliminate wrong answers

Option B is wrong because CloudWatch Events (now Amazon EventBridge) can match specific API calls from CloudTrail, but it does not support near-real-time notifications for all CloudTrail log entries; it relies on CloudTrail delivering logs to CloudWatch Logs, which can introduce latency and is less efficient for high-volume filtering. Option C is wrong because CloudWatch Logs Insights is a query tool for ad-hoc analysis, not a real-time notification mechanism; metric filters and alarms can trigger notifications but require logs to be streamed to CloudWatch Logs, adding complexity and potential delay. Option D is wrong because AWS Config rules detect configuration changes (e.g., resource modifications) but are not designed for real-time API-level monitoring; they evaluate resources periodically or on configuration changes, which may not capture all high-risk API calls and introduces evaluation delays.

911
MCQ · hard

An organization wants to enforce that all Amazon S3 buckets are encrypted with SSE-S3. Which AWS service can be used to automatically remediate non-compliant buckets?

A. AWS CloudTrail
B. AWS Config rules with auto-remediation
C. IAM policies
D. AWS Service Catalog
Answer: B

Config can detect non-compliant buckets and trigger remediation.

Why this answer

Option B is correct because AWS Config with managed rules and auto-remediation can enforce encryption. Option A is wrong because CloudTrail is for logging. Option C is wrong because IAM can deny unencrypted puts but cannot remediate existing buckets. Option D is wrong because Service Catalog is for provisioning approved resources.

912
Multi-Select · hard

A company uses AWS Elastic Beanstalk to deploy a web application. The application experiences high traffic during business hours and low traffic at night. The company wants to configure automatic scaling based on CPU utilization. Which THREE steps are required to achieve this? (Select THREE.)

Select 3 answers
A. Create a CloudWatch alarm that triggers a scaling policy.
B. Set the minimum and maximum number of instances for the auto scaling group.
C. Configure the load balancer health check interval.
D. Set the scale-up and scale-down cooldown periods.
E. Define a scaling trigger based on average CPU utilization.
Answers: B, D, E

Defines the capacity range.

Why this answer

Option B is correct because Elastic Beanstalk uses Auto Scaling groups to manage the EC2 instances for the application. Setting the minimum and maximum number of instances defines the boundaries within which the Auto Scaling group can scale, ensuring the application can handle high traffic during business hours and scale down during low traffic at night.

Exam trap

The trap here is that candidates often think creating a CloudWatch alarm manually is required, but Elastic Beanstalk handles this automatically when you define the scaling trigger, making Option A an unnecessary step.

913
MCQ · hard

A DevOps engineer runs the above command and sees that one target is unhealthy with a 503 error. The application is a web server running on port 80. The health check is configured to hit the root path '/'. Which action should the engineer take to resolve the issue?

A. Change the health check port to 443 and use HTTPS
B. Verify that the application on the unhealthy instance is configured to respond to '/' with a 200 status code
C. Increase the health check interval and timeout settings
D. Check the security group rules for the target group to ensure port 80 is open
Answer: B

The health check expects a 200 response; a 503 means the app is not serving the root path correctly.

Why this answer

Option B is correct because a 503 error indicates the web server is running but cannot handle the request, most likely because the application is not responding correctly to the health check path. Option A is wrong because a 503 means the server is reachable. Option C is wrong because a 503 is not a connection timeout. Option D is wrong because the health check is already reaching the instance on port 80.

914
Multi-Select · hard

A company runs a microservices architecture on Amazon ECS with Fargate. Services communicate via an internal Application Load Balancer (ALB). The operations team notices that occasional traffic spikes cause increased latency and timeouts. The team wants to improve resilience without over-provisioning. Which THREE steps should be taken? (Choose THREE.)

Select 3 answers
A. Increase the CPU and memory limits in the task definitions.
B. Enable ECS Service Connect for inter-service communication to manage traffic distribution.
C. Configure ECS service auto scaling with a target tracking policy based on ALB request count per target.
D. Implement a graceful shutdown handler in the application to handle SIGTERM.
E. Use EC2 launch type with Spot Instances to reduce cost.
Answers: B, C, D

Service Connect provides resilient service mesh capabilities.

Why this answer

Options B, C, and D are correct. B: ECS Service Connect provides service discovery and connection resilience. C: Auto scaling based on target tracking ensures capacity matches demand. D: Graceful shutdown allows in-flight requests to complete. A is wrong because increasing CPU and memory does not solve latency caused by traffic spikes. E is wrong because Spot Instances are not suitable for latency-sensitive workloads.

915
MCQ · hard

An application running on Amazon ECS with Fargate experiences intermittent failures. The task definition includes a single container with a health check command. Despite the health check passing, the application occasionally returns HTTP 500 errors. The application logs are sent to CloudWatch Logs. What is the MOST likely root cause?

A. The health check command only checks the process status, not the application's ability to serve requests.
B. The application is missing environment variables that are required for certain requests.
C. The ECS service is configured with a target tracking scaling policy that reacts too slowly.
D. The container port and host port in the task definition do not match the ALB target group port.
Answer: A

A shallow health check can report healthy while the app is unable to serve requests.

Why this answer

Option A is correct because if the health check does not verify the application's ability to serve requests (e.g., it only checks the process), it can report healthy even when the application is failing. Option B is wrong because missing environment variables would cause consistent failures. Option C is wrong because ECS service auto scaling does not cause intermittent failures. Option D is wrong because a container port mismatch would cause persistent failures.

916
MCQ · medium

A company's application uses Amazon SQS to decouple microservices. During peak hours, the SQS queue backlog grows significantly, causing processing delays. The DevOps team wants to reduce latency without increasing costs unnecessarily. What should the team do?

A. Increase the visibility timeout to allow consumers more time to process messages.
B. Use an SQS queue with priority settings to process high-priority messages first.
C. Increase the SQS queue's throughput by requesting a quota increase.
D. Configure Auto Scaling for the consumer fleet based on the ApproximateNumberOfMessagesVisible metric.
Answer: D

Auto Scaling adds consumers as queue depth increases, reducing processing time.

Why this answer

Option D is correct because scaling the consumer fleet based on the ApproximateNumberOfMessagesVisible metric directly addresses the backlog by adding more processing capacity when the queue grows. This approach reduces latency dynamically without incurring unnecessary costs during off-peak hours, as it only scales up when needed. Auto Scaling with SQS metrics is a cost-effective, elastic solution for handling variable workloads.

Exam trap

The trap here is that candidates may confuse SQS's throughput capabilities with consumer-side scaling, assuming that increasing queue throughput (Option C) solves backlog, when in fact SQS already handles high throughput and the bottleneck is the consumer processing rate.

How to eliminate wrong answers

Option A is wrong because increasing the visibility timeout does not reduce backlog; it only gives consumers more time to process a message, which can actually increase latency if consumers fail or take longer, as messages remain hidden longer. Option B is wrong because standard SQS queues do not support priority settings; FIFO queues offer ordering but not priority-based message selection, and SQS has no built-in priority feature. Option C is wrong because SQS queues already offer virtually unlimited throughput by default (up to 3,000 messages per second for FIFO with batching, and unlimited for standard), so requesting a quota increase is unnecessary and does not address consumer-side processing capacity.

917
MCQ · hard

A DevOps engineer is troubleshooting an AWS CodeDeploy deployment that fails during the 'BeforeInstall' lifecycle event. The deployment group uses an in-place deployment to an Auto Scaling group. The engineer reviews the logs on the instance and sees that the 'BeforeInstall' script exits with code 1. The script is a shell script that compiles application code. What is the most likely cause of the failure?

A. The script exited with a non-zero exit code
B. The script is not included in the 'files' section of the appspec.yml
C. The script requires dependencies that are not installed on the instance
D. The script is not owned by the root user
Answer: A

Any non-zero exit code is interpreted as a failure by CodeDeploy.

Why this answer

Option A is correct because CodeDeploy expects scripts to exit with 0 for success; any non-zero exit code is treated as a failure and the deployment stops. Option B is wrong because the logs show the script ran and exited with code 1, so it was present in the deployment. Option C is wrong because missing dependencies would typically cause compilation errors, but the failure CodeDeploy reports is still the non-zero exit code. Option D is wrong because CodeDeploy does not require scripts to be owned by root; any user with execute permission can run them.

918
MCQ · medium

An IAM policy is attached to a user. The user is trying to push a commit to the 'main' branch of the 'MyRepo' repository. The push is denied. What is the most likely reason?

A. The user does not have permission to push to any branch.
B. The policy does not allow the 'codecommit:GitPush' action for the main branch.
C. The resource ARN is incorrect.
D. The condition key 'codecommit:References' is not correctly formatted for an array value.
Answer: D

StringEquals with an array is invalid; should use set operators.

Why this answer

Option D is correct because the condition uses StringEquals with an array, but the condition key 'codecommit:References' expects a single value when used with StringEquals; the policy should use 'ForAllValues:StringEquals' or 'ForAnyValue:StringEquals' for array matching. Option A is wrong because the condition restricts pushes to the main branch, not to no branch at all. Option B is wrong because the actions are allowed for the main branch reference. Option C is wrong because the resource ARN matches the repository.

919
Multi-Select · medium

A company is implementing a CI/CD pipeline for a containerized application using AWS CodePipeline, CodeBuild, and Amazon ECS. The pipeline should automatically deploy to a staging environment and then, after manual approval, to production. The production environment uses an ECS service with rolling update deployment. Which TWO actions are necessary to achieve this?

Select 2 answers
A. Use CloudFormation to deploy the ECS service with a rolling update policy.
B. Add a manual approval stage in CodePipeline between staging and production.
C. Set up an ECS task definition with a sidecar container for health checks.
D. Use the ECS-to-CodePipeline deploy action configured for rolling update.
E. Configure CodeBuild to push the Docker image to Amazon ECR.
Answers: B, D

This ensures manual approval before production deployment.

Why this answer

Option B is correct because a manual approval stage is needed between staging and production. Option D is correct because the ECS deploy action in CodePipeline can perform rolling updates. Option A is incorrect because CodePipeline does not support CloudFormation for ECS rolling updates directly. Option C is not required for a rolling update. Option E is not necessary as a separate step; CodeBuild can push to ECR directly.

920
MCQ · medium

An application on EC2 instances in an Auto Scaling group uses an ALB. The ALB health checks are failing for some instances, but the instances are healthy from the OS perspective. What is the most likely cause?

A. The ALB idle timeout is too low
B. The security group for the instances does not allow traffic from the ALB
C. The Auto Scaling group cooldown period is too short
D. The ALB cross-zone load balancing is disabled
Answer: B

If the security group blocks health check traffic, the ALB marks instances unhealthy.

Why this answer

Misconfigured security group rules can block health check traffic, causing the ALB to mark instances as unhealthy.

921
MCQ · medium

A company uses AWS CloudFormation to deploy infrastructure. During an incident, a stack update fails with a stack rollback. The engineer needs to prevent the stack from rolling back on future failures and instead retain the resources for debugging. Which CloudFormation feature should the engineer use?

A. Enable drift detection on the stack
B. Use the '--disable-rollback' option when updating the stack
C. Use AWS CloudFormation StackSets to deploy the stack
D. Create a change set before updating instead of direct update
Answer: B

This retains resources for debugging.

Why this answer

The `--disable-rollback` option (or `DisableRollback` in the CloudFormation template) instructs AWS CloudFormation to leave the stack in its current state (with the failed resources intact) instead of automatically rolling back to the last known good state. This allows engineers to retain the resources for debugging without the stack being torn down on failure.

Exam trap

The trap here is that candidates often confuse change sets (which preview changes) with the ability to prevent rollback, or mistakenly think drift detection or StackSets can alter rollback behavior, when only the `--disable-rollback` flag directly controls whether resources are retained on failure.

How to eliminate wrong answers

Option A is wrong because drift detection only identifies differences between the stack's actual deployed resources and the expected template configuration; it does not prevent rollback or retain resources after a failed update. Option C is wrong because StackSets are used to deploy stacks across multiple accounts and regions, not to control rollback behavior on a single stack update failure. Option D is wrong because a change set allows you to preview changes before updating, but it does not affect the rollback behavior; if the update fails, the stack will still roll back by default unless `--disable-rollback` is specified.

922
MCQ · hard

A company uses AWS CodeBuild to compile a Java application. The buildspec.yml includes a pre_build phase that runs unit tests and a build phase that packages the application. Recently, builds have been failing intermittently with 'OutOfMemoryError' during the test phase. The build environment is set to 'BUILD_GENERAL1_SMALL'. What is the MOST cost-effective solution?

A. Split the tests into smaller batches using CodeBuild test splitting.
B. Change the build environment to 'BUILD_GENERAL1_MEDIUM' which has more memory.
C. Configure the buildspec to set MAVEN_OPTS='-Xmx512m' to reduce JVM heap usage.
D. Use multiple CodeBuild jobs to run tests in parallel.
Answer: B

This increases available memory, solving the OOM error cost-effectively.

Why this answer

Option B is correct because it directly addresses the memory issue by increasing the compute resources. Option A does not increase memory. Option C may not solve the problem if the test runner does not use the environment variable. Option D might not help if the memory limit is per instance.

923
MCQ · medium

A media company runs a video processing pipeline on AWS. Raw videos are uploaded to an S3 bucket, which triggers a Lambda function to start an AWS Batch job for transcoding. The Batch job reads the source video from S3, processes it, and writes the output to another S3 bucket. Recently, the company has seen an increase in processing failures. Investigation shows that the Batch jobs are being terminated with a 'TIMEOUT' status after running for exactly 30 minutes. The video files are large, and some jobs legitimately take up to 45 minutes. The Batch job definition has a 'timeout' setting configured. Which action should be taken to resolve this issue?

A. Modify the Batch job definition to increase the 'timeout' value to 3600 seconds (60 minutes).
B. Increase the S3 bucket lifecycle policy to retain videos longer.
C. Increase the Lambda function timeout to 60 minutes.
D. Change the Batch job queue to a different compute environment.
Answer: A

The timeout in the job definition controls how long Batch allows a job to run.

Why this answer

The timeout configured in the job definition is causing jobs that exceed 30 minutes to be terminated. Increasing the timeout to 60 minutes allows longer-running jobs to complete.

924
MCQ · hard

A company uses AWS Organizations with multiple accounts. The Security team needs to enforce that all newly created S3 buckets in any account are configured with server-side encryption (SSE-S3 or SSE-KMS) and block public access. Which approach should be used?

A. Use AWS CloudTrail to monitor bucket creation and trigger a Lambda function to remediate noncompliant buckets.
B. Create an IAM policy in each account that denies s3:CreateBucket unless encryption is specified and public access is blocked.
C. Apply a service control policy (SCP) to the root organizational unit that denies s3:CreateBucket unless the request includes the x-amz-server-side-encryption header and the PublicAccessBlockConfiguration.
D. Use AWS Config rules with automatic remediation to delete or remediate noncompliant buckets after creation.
Answer: C

SCPs can be applied at the organization root or to specific OUs to enforce preventive controls across all accounts. This SCP condition ensures that any CreateBucket request must include the required parameters.

Why this answer

Service control policies (SCPs) in AWS Organizations can deny actions whose requests do not include encryption settings or that allow public access. Option A is wrong because CloudTrail cannot enforce configurations. Option B is wrong because IAM policies are account-specific and cannot be applied globally across all accounts from a central location. Option D is wrong because Config rules can detect noncompliant buckets but cannot prevent their creation.

925
MCQhard

During an incident, a DevOps engineer needs to quickly revoke access to a set of IAM users who are suspected to be compromised. The users have programmatic access keys and console passwords. The engineer wants to minimize the impact on non-compromised users. Which action should the engineer take FIRST?

A.Delete the compromised IAM users.
B.Attach an IAM policy that explicitly denies all actions to the compromised users.
C.Delete the access keys of the compromised users.
D.Change the IAM password policy to require strong passwords.
AnswerB

This immediately revokes all permissions while preserving the user objects for investigation.

Why this answer

Option B is correct because an inline policy that explicitly denies all actions overrides every allow the users have, whether direct or through groups, and takes effect on their next API call, so both access-key and console use stop immediately. The user objects, keys and CloudTrail history stay intact for the investigation, and the policy can be detached once a user is cleared. Option C is wrong because deleting access keys does not stop console access. Option D is wrong because changing the password policy affects every user and does nothing about existing keys or sessions.

Option A is wrong because deleting the users is irreversible and destroys evidence that the investigation needs.
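The containment policy from Option B, plus the step it does not cover, as an added CloudFormation example (not from the question bank): a user-level deny does not reach role sessions the users have already assumed, so a second policy with an aws:TokenIssueTime cut-off is attached to those roles. User names, the role name and the cut-off timestamp are placeholders.

```yaml
# Added example, not from the question bank.
# Assumptions: user names, the role name and the cut-off time are placeholders for the incident.
AWSTemplateFormatVersion: "2010-09-09"
Description: Incident containment - deny all actions for suspected IAM users without deleting them

Resources:
  # An explicit deny wins over every Allow the users hold, directly or via groups.
  # Keys, passwords and CloudTrail history stay intact for the investigation.
  ContainSuspectedUsers:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: IncidentDenyAll
      Users:
        - alice.example   # assumption
        - bob.example     # assumption
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: DenyEverything
            Effect: Deny
            Action: "*"
            Resource: "*"

  # Temporary credentials from roles the users assumed earlier keep working until they expire.
  # This denies any session issued before the cut-off (the mechanism behind "Revoke active sessions").
  RevokeExistingRoleSessions:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: IncidentRevokeSessions
      Roles:
        - DeploymentRole   # assumption: a role the suspected users could assume
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: DenyTokensIssuedBeforeContainment
            Effect: Deny
            Action: "*"
            Resource: "*"
            Condition:
              DateLessThan:
                aws:TokenIssueTime: "2024-05-01T12:00:00Z"   # assumption: set to the containment time
```

After containment, deactivate (not delete) the users' access keys and record which keys were active, so the investigation keeps the identifiers that appear in CloudTrail.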

926
MCQeasy

A company's DevOps team uses AWS Config to monitor resource compliance. They have created a custom AWS Config rule that triggers an AWS Lambda function to evaluate whether EC2 instances have the 'Environment' tag with value 'Production' or 'Staging'. The rule is set to evaluate resources on configuration changes. However, the team notices that the rule does not trigger when an EC2 instance is launched. The Lambda function's IAM role has the necessary permissions to describe EC2 instances. The CloudWatch Logs for the Lambda function show that it is not being invoked. What is the MOST likely reason?

A.The Lambda function's IAM role does not have permission to write to CloudWatch Logs.
B.The AWS Config rule is set to evaluate resources periodically, not on configuration changes.
C.The AWS Config rule is not configured to trigger on AWS::EC2::Instance resources.
D.The custom rule must be deployed using AWS CloudFormation to be active.
AnswerC

The rule's scope must include AWS::EC2::Instance, and the configuration recorder must record that type; otherwise Config never evaluates instances on change.

Why this answer

Option C is correct because a change-triggered custom rule is invoked only for resource types in its scope; if AWS::EC2::Instance is not listed, Config never calls the function for instance changes. Also confirm that the configuration recorder is recording AWS::EC2::Instance. Option A is wrong because a missing CloudWatch Logs permission would produce an invocation with no log output, not a missing invocation. Option B is wrong because the question states the rule is already change-triggered.

Option D is wrong because custom rules can be created from the console, CLI or CloudFormation; the deployment method does not affect triggering.
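A change-triggered custom rule with the scope from Option C, as an added CloudFormation example (not from the question bank). It also includes the Lambda permission that Config needs, since a rule whose function refuses Config's invocations shows the same "never invoked" symptom. The evaluation function ARN is a parameter the reader supplies.

```yaml
# Added example, not from the question bank.
# Assumption: EvaluatorFunctionArn is an existing Lambda function that checks the Environment tag.
AWSTemplateFormatVersion: "2010-09-09"
Description: Change-triggered custom Config rule scoped to EC2 instances

Parameters:
  EvaluatorFunctionArn:
    Type: String
    Description: ARN of the evaluation Lambda function (placeholder)

Resources:
  # Config must be allowed to invoke the function, or the rule is never evaluated.
  ConfigInvokePermission:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !Ref EvaluatorFunctionArn
      Action: lambda:InvokeFunction
      Principal: config.amazonaws.com

  EnvironmentTagRule:
    Type: AWS::Config::ConfigRule
    DependsOn: ConfigInvokePermission
    Properties:
      ConfigRuleName: ec2-environment-tag
      # Without this scope the rule is not tied to AWS::EC2::Instance changes.
      Scope:
        ComplianceResourceTypes:
          - AWS::EC2::Instance
      Source:
        Owner: CUSTOM_LAMBDA
        SourceIdentifier: !Ref EvaluatorFunctionArn
        SourceDetails:
          - EventSource: aws.config
            MessageType: ConfigurationItemChangeNotification
          - EventSource: aws.config
            MessageType: OversizedConfigurationItemChangeNotification
      InputParameters:
        allowedValues: "Production,Staging"   # read by the function as ruleParameters
```

The configuration recorder is a separate resource (AWS::Config::ConfigurationRecorder); if its recording group excludes EC2 instances, this rule stays silent no matter how it is scoped.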

927
MCQhard

A company's security policy requires that all data in transit between on-premises and AWS is encrypted. Which AWS service provides a dedicated network connection with encryption?

A.AWS Transit Gateway
B.AWS Direct Connect + VPN
C.Amazon VPC peering
D.AWS Site-to-Site VPN over the internet
AnswerB

Direct Connect is dedicated but not encrypted on its own; running an IPsec VPN over it adds the encryption.

Why this answer

Option B is correct: AWS Direct Connect provides the dedicated private connection, and a Site-to-Site VPN (IPsec) running over it provides the encryption that Direct Connect does not include by itself. MACsec is an alternative on dedicated connections that support it. Option A is wrong because Transit Gateway is a routing hub, not a connection or an encryption mechanism. Option C is wrong because VPC peering connects VPCs, not on-premises networks. Option D is wrong because a VPN over the internet is encrypted but not dedicated.

928
MCQeasy

Refer to the exhibit. A DevOps engineer is troubleshooting a cross-account deployment where an AWS CodeBuild project in Account A needs to upload build artifacts to an S3 bucket in Account B. The engineer attaches this IAM policy to the CodeBuild service role in Account A. However, the upload fails. What is the most likely reason?

A.The bucket policy in Account B grants s3:PutObject to Account A
B.The condition requires bucket-owner-full-control ACL, but the bucket policy may not allow it
C.The policy does not include s3:PutObjectAcl permission
D.The policy does not include s3:GetObject permission
AnswerB

Cross-account uploads need both the caller's identity policy and the bucket policy in the owning account to allow the request.

Why this answer

Option B is correct because the policy allows PutObject only when the request carries the bucket-owner-full-control canned ACL. If the bucket in Account B does not accept that request (for example, the bucket policy does not grant Account A s3:PutObject, or it requires a different ACL), the upload fails with AccessDenied. Option A is incorrect because a bucket policy that grants s3:PutObject to Account A would make the upload succeed, not fail.

Option C is worth checking in practice, since a PutObject request that sets an ACL also requires s3:PutObjectAcl, but the question's exhibit points at the bucket owner's side. Option D is incorrect because GetObject is not needed for an upload. Practitioner note: with Object Ownership set to "bucket owner enforced", the bucket owner already owns every object and the ACL condition becomes unnecessary.

929
MCQhard

A company runs a critical web application on EC2 instances in an Auto Scaling group. The application uses an Application Load Balancer (ALB) with health checks pointing to /health. Recently, the application experienced intermittent failures where the ALB would mark instances as unhealthy and route traffic away, causing a reduction in capacity. The development team noticed that the /health endpoint occasionally returns HTTP 503 when the application is under heavy load, but the application can recover quickly. The team wants to avoid unnecessary instance replacements while ensuring availability. Which solution should the DevOps engineer implement?

A.Implement a custom health check using Lambda that ignores 503 responses
B.Decrease the unhealthy threshold to mark instances unhealthy faster
C.Increase the health check interval and increase the unhealthy threshold
D.Decrease the health check interval and decrease the healthy threshold
AnswerC

Time to mark a target unhealthy is the interval multiplied by the unhealthy threshold, so raising both makes the check tolerant of transient errors.

Why this answer

Option C is correct because a longer interval and a higher unhealthy threshold require more consecutive failures over a longer window before a target is marked unhealthy, so short 503 bursts that recover within that window do not trigger replacement. Raising them also slows detection of a genuinely dead instance, so pair the change with alarms on the ALB's 5xx metrics. Option B is wrong because lowering the unhealthy threshold marks instances unhealthy sooner. Option D is wrong because a shorter interval and a lower healthy threshold make the check more sensitive.

Option A is wrong because a custom check that ignores 503 would also hide genuine overload; the built-in health check parameters can be tuned instead.

930
MCQmedium

A company uses AWS CloudFormation to deploy infrastructure. The DevOps team needs to receive notifications when stack creation fails. Which approach should be used to automate this monitoring?

A.Create a CloudWatch Events rule that matches CloudFormation 'CREATE_FAILED' stack events and targets an SNS topic.
B.Use AWS Config rules to detect failed stack creations.
C.Enable CloudTrail and create a metric filter for 'CreateStack' API calls.
D.Stream CloudFormation logs to CloudWatch Logs and create a metric filter for 'CREATE_FAILED'.
AnswerA

EventBridge (formerly CloudWatch Events) receives CloudFormation stack status change events and can route them to an SNS topic.

Why this answer

Option A is correct because CloudFormation publishes stack status changes to EventBridge (the successor of CloudWatch Events); a rule matching the CREATE_FAILED status, and in practice ROLLBACK_IN_PROGRESS since a failed create rolls back, can target an SNS topic. Option C is wrong because CloudTrail records the CreateStack API call, which succeeds even when the stack later fails. Option D is wrong because CloudFormation does not stream stack events to CloudWatch Logs.

Option B is wrong because AWS Config records resource configurations, not CloudFormation stack events.
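The rule from Option A, as an added CloudFormation example (not from the question bank): an EventBridge rule on the CloudFormation stack status change event, an SNS topic, and the topic policy without which EventBridge cannot publish. The subscriber e-mail address is a placeholder.

```yaml
# Added example, not from the question bank.
# Assumption: the notification e-mail address is a placeholder.
AWSTemplateFormatVersion: "2010-09-09"
Description: Notify on CloudFormation stack creation failures via EventBridge and SNS

Resources:
  StackFailureTopic:
    Type: AWS::SNS::Topic
    Properties:
      Subscription:
        - Protocol: email
          Endpoint: devops-oncall@example.com   # assumption

  # EventBridge needs an explicit grant to publish to the topic.
  StackFailureTopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      Topics:
        - !Ref StackFailureTopic
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: events.amazonaws.com
            Action: sns:Publish
            Resource: !Ref StackFailureTopic

  StackFailureRule:
    Type: AWS::Events::Rule
    Properties:
      Description: Match stack status changes that indicate a failed create
      EventPattern:
        source:
          - aws.cloudformation
        detail-type:
          - CloudFormation Stack Status Change
        detail:
          status-details:
            status:
              - CREATE_FAILED
              - ROLLBACK_IN_PROGRESS   # a failed create rolls back; this is the earliest signal
              - ROLLBACK_FAILED
      Targets:
        - Id: NotifyOnCall
          Arn: !Ref StackFailureTopic
          # Turn the raw event into a readable message for the e-mail subscriber.
          InputTransformer:
            InputPathsMap:
              stack: $.detail.stack-id
              status: $.detail.status-details.status
              reason: $.detail.status-details.status-reason
            InputTemplate: '"Stack <stack> entered <status>: <reason>"'
```

The status-reason field carries the first failure message, which is usually the only one that matters; later resource failures are consequences of the rollback.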

931
MCQeasy

A DevOps engineer notices that an Auto Scaling group is repeatedly launching and terminating instances. CloudWatch alarms show high CPU but the group's metrics are erratic. What is the most likely cause?

A.The Auto Scaling group is not associated with a load balancer.
B.The launch template user data is causing instances to fail during boot.
C.The health check grace period is too short and the health check type is ELB, but the load balancer health check is failing.
D.The AMI used in the launch template is not properly configured.
AnswerC

Short grace period and failing ELB health checks cause instances to be terminated and replaced.

Why this answer

Option C is correct because with the ELB health check type an instance is terminated as soon as the load balancer reports it unhealthy; if the grace period is shorter than the time the application needs to start, every new instance fails its first checks and is replaced, producing continuous cycling and erratic group metrics. Option D is wrong because a broken AMI would cause launch or boot failures rather than instances that start, fail ELB checks and are replaced. Option A is wrong because without a load balancer the group uses EC2 status checks, which pass for any running instance.

Option B is less likely because a user-data failure would show up consistently at boot rather than as erratic metrics, and the described behavior is tied to ELB health checks.

932
MCQmedium

An application running on Amazon EC2 instances in an Auto Scaling group is experiencing intermittent connectivity issues. The DevOps team suspects a security group configuration problem. Which approach should the team use to analyze security group traffic and identify denied requests?

A.Use AWS Config to review security group rules
B.Check AWS CloudTrail for security group modification events
C.Enable AWS Security Hub and review the security findings
D.Enable VPC Flow Logs and query Amazon Athena
AnswerD

Flow Logs record each flow with an ACCEPT or REJECT action; Athena can query them for rejected connections.

Why this answer

Option D is correct because VPC Flow Logs record accepted and rejected traffic at the ENI, subnet or VPC level, including the action (ACCEPT or REJECT), source, destination and port; delivering them to S3 and querying with Athena lets the team isolate the REJECT records. A REJECT record does not say whether a security group or a network ACL dropped the packet; VPC Reachability Analyzer can identify the rule. Option C is wrong because Security Hub aggregates findings but does not log traffic. Option B is wrong because CloudTrail logs API calls, not network flows.

Option A is wrong because Config records the security group's rules, not the traffic evaluated against them.

933
MCQeasy

A DevOps engineer needs to automatically roll back a CodeDeploy deployment if the number of failed instances exceeds a threshold. Which deployment configuration should be used?

A.Configure the deployment group to ignore failed instances.
B.Set the minimum number of healthy instances in the deployment configuration to trigger automatic rollback.
C.Use a CloudWatch alarm to trigger a rollback.
D.Use a custom deployment configuration that fails the deployment if any instance fails.
AnswerB

CodeDeploy can automatically roll back based on health thresholds.

Why this answer

Option B is correct because setting the minimum number of healthy instances in the deployment configuration directly controls when CodeDeploy triggers an automatic rollback. When the number of healthy instances falls below this threshold during a deployment, CodeDeploy automatically stops the deployment and rolls back to the last known good state, meeting the requirement to roll back based on failed instance count.

Exam trap

The trap here is that candidates often confuse a deployment failure with an automatic rollback, assuming that failing the deployment inherently reverts changes, but CodeDeploy requires explicit rollback configuration (via minimum healthy hosts or CloudWatch alarms) to actually revert to a previous revision.

How to eliminate wrong answers

Option A is wrong because ignoring failed instances would prevent any rollback from occurring, which is the opposite of the requirement. Option C is wrong because while CloudWatch alarms can trigger a rollback, they are not the deployment configuration itself; they monitor external metrics (e.g., CPU utilization) rather than the number of failed instances during the deployment. Option D is wrong because a custom deployment configuration that fails the deployment if any instance fails does not trigger an automatic rollback; it only fails the deployment without reverting to a previous version.
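The two settings the exam trap refers to, as an added CloudFormation example (not from the question bank): a deployment configuration that defines when a deployment fails, and a deployment group where automatic rollback is switched on explicitly. Application name, tag filter, service role and alarm name are placeholders.

```yaml
# Added example, not from the question bank.
# Assumptions: application name, tag filter, service role ARN and alarm name are placeholders.
AWSTemplateFormatVersion: "2010-09-09"
Description: CodeDeploy in-place deployment that fails and rolls back when healthy hosts drop

Resources:
  # The deployment configuration defines "failed": stop as soon as fewer than 75% of the fleet is healthy.
  KeepMostHostsHealthy:
    Type: AWS::CodeDeploy::DeploymentConfig
    Properties:
      DeploymentConfigName: AtLeast75PercentHealthy
      MinimumHealthyHosts:
        Type: FLEET_PERCENT
        Value: 75

  WebAppDeploymentGroup:
    Type: AWS::CodeDeploy::DeploymentGroup
    Properties:
      ApplicationName: web-app   # assumption: existing CodeDeploy application
      DeploymentGroupName: web-app-prod
      ServiceRoleArn: arn:aws:iam::111122223333:role/CodeDeployServiceRole   # assumption
      DeploymentConfigName: !Ref KeepMostHostsHealthy
      Ec2TagFilters:
        - Key: Role
          Value: web
          Type: KEY_AND_VALUE
      # A failed deployment does not revert by itself; rollback must be enabled here.
      AutoRollbackConfiguration:
        Enabled: true
        Events:
          - DEPLOYMENT_FAILURE
          - DEPLOYMENT_STOP_ON_ALARM
      # Optional second trigger: stop (and roll back) when an application alarm fires mid-deployment.
      AlarmConfiguration:
        Enabled: true
        Alarms:
          - Name: web-app-5xx-rate   # assumption: existing CloudWatch alarm
```

A rollback is itself a new deployment of the previous revision, so it is subject to the same minimum healthy hosts rule; if too few hosts are healthy the rollback can fail as well, which is why the threshold should leave headroom.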

934
Multi-Selectmedium

A company uses AWS CodeCommit for source control and AWS CodeBuild for building a Java application. They want to enforce that every commit triggers a build, but only if the commit message contains a specific pattern 'BUILD:'. Which THREE steps are required?

Select 3 answers
A.Create an AWS Lambda function that processes the commit message and calls CodeBuild.
B.Create a CloudWatch Events rule to invoke CodeBuild on every push to CodeCommit.
C.Configure a webhook in CodeBuild that filters events by commit message pattern.
D.Create a custom trigger in CodeCommit that invokes CodeBuild.
E.Use a buildspec.yml file with a conditional phase that checks the commit message.
AnswersC, D, E

Per the answer key: the webhook filter carries the commit-message pattern.

Why this answer

Option D creates the trigger on each push, Option C applies the commit-message filter, and Option E lets the buildspec skip the real work when the message does not contain 'BUILD:'.

Option A is not needed for filtering. Option B duplicates the trigger that Option D provides. Practitioner caveat: CodeBuild webhook filters, including the COMMIT_MESSAGE filter type, exist for GitHub, GitLab and Bitbucket sources, and CodeCommit repository triggers can target only SNS topics and Lambda functions. With a CodeCommit source the pattern that actually works is an EventBridge rule on the repository's push events that invokes a Lambda function, which reads the commit with GetCommit and calls StartBuild only when the message contains 'BUILD:', or an unconditional trigger with the buildspec exiting early when the message does not match.

935
MCQhard

A company runs a microservices application on Amazon EKS. The application's frontend service needs to communicate with the backend service. The DevOps team wants to implement service-to-service authentication using AWS IAM. Which method should the team use?

A.Configure the backend service as an Amazon RDS database with IAM database authentication.
B.Use AWS App Mesh with mTLS for authentication between services.
C.Create an IAM user with access keys and store them as Kubernetes secrets.
D.Use IAM roles for service accounts (IRSA) to associate an IAM role with each service's Kubernetes service account.
AnswerD

IRSA provides fine-grained IAM permissions to pods.

Why this answer

IAM roles for service accounts (IRSA) lets each Kubernetes service account assume its own IAM role through the cluster's OIDC provider: the pod receives a projected service account token, and the AWS SDK exchanges it for temporary credentials with AssumeRoleWithWebIdentity, so no long-lived credentials are stored in the cluster. The frontend signs its requests with those credentials (SigV4); the backend can then establish who is calling, for example by sitting behind an IAM-authorized API Gateway or by validating the signed request against STS, and authorize by role ARN. This is the EKS-native workload identity mechanism and follows AWS best practice; EKS Pod Identity is the newer alternative that removes the per-role OIDC trust policy.

Exam trap

The trap here is that candidates may confuse mTLS (which provides encryption and certificate-based authentication) with IAM-based authentication, or assume that static IAM users with secrets are acceptable in Kubernetes, when IRSA is the recommended AWS-native approach for pod-level IAM integration.

How to eliminate wrong answers

Option A is wrong because Amazon RDS IAM database authentication is designed for database access, not for service-to-service authentication between microservices on EKS; it does not provide a mechanism for frontend-to-backend communication. Option B is wrong because AWS App Mesh with mTLS provides transport-layer encryption and mutual TLS authentication, but it does not use AWS IAM for authentication; it relies on X.509 certificates, not IAM roles or policies. Option C is wrong because creating an IAM user with access keys and storing them as Kubernetes secrets introduces long-lived static credentials, which violates security best practices (e.g., no automatic rotation, risk of exposure) and does not leverage IAM roles for dynamic, scoped access.
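The role side of IRSA from Option D, as an added CloudFormation example (not from the question bank). The trust policy is the security-relevant part: the sub condition binds the role to one namespace and service account, and without it any pod in the cluster could assume the role. OIDC provider ID, account ID, namespace, service account and API ID are placeholders.

```yaml
# Added example, not from the question bank.
# Assumptions: the OIDC provider ID, account ID, namespace, service account and API ID are placeholders.
AWSTemplateFormatVersion: "2010-09-09"
Description: IAM role for service accounts (IRSA) bound to one Kubernetes service account

Resources:
  FrontendServiceRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: frontend-sa-role
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Federated: arn:aws:iam::111122223333:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE
            Action: sts:AssumeRoleWithWebIdentity
            Condition:
              StringEquals:
                # Bind the role to exactly one service account (namespace "app", name "frontend").
                oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:sub: system:serviceaccount:app:frontend
                # Accept only tokens minted for STS, not tokens meant for other audiences.
                oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:aud: sts.amazonaws.com
      Policies:
        - PolicyName: CallBackend
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Least privilege: only the backend's IAM-authorized API Gateway route, nothing else.
              - Effect: Allow
                Action: execute-api:Invoke
                Resource: arn:aws:execute-api:us-east-1:111122223333:a1b2c3d4e5/prod/GET/backend/*
```

On the Kubernetes side the service account carries the annotation eks.amazonaws.com/role-arn with this role's ARN; the EKS pod identity webhook then injects the token and the AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE variables into the pod.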

936
Multi-Selecteasy

A DevOps engineer is troubleshooting an AWS CodeDeploy deployment that failed. Which TWO resources should the engineer examine to identify the cause of the failure? (Choose two.)

Select 2 answers
A.EC2 instance system logs
B.CloudWatch Logs for CodeDeploy
C.S3 access logs
D.CloudTrail logs
E.CodeDeploy deployment group configuration
AnswersB, E

Option B contains the lifecycle event output and error messages; Option E defines which instances and which configuration the deployment used.

Why this answer

Option B is correct because the deployment lifecycle events (BeforeInstall, ApplicationStop and so on) and the output of their hook scripts, once shipped from the agent log to CloudWatch Logs, show the error message, script output and exit code of the step that failed, for example a permission problem or a script syntax error. Option E is correct because the deployment group defines the target instances (tags or Auto Scaling groups), the deployment configuration and the service role; a wrong tag filter or an overly strict minimum healthy hosts setting explains a deployment that never reached, or failed on, the intended hosts. Practitioner note: the agent writes locally to /var/log/aws/codedeploy-agent/codedeploy-agent.log and to the deployment-logs directory under /opt/codedeploy-agent/deployment-root; those files reach CloudWatch Logs only if an agent is configured to ship them.

Exam trap

The trap here is that candidates often confuse CloudTrail (API auditing) with CloudWatch Logs (application-level logging), or they mistakenly think EC2 system logs are relevant for application deployment failures, when in fact CodeDeploy-specific logs are the correct source.

937
Multi-Selecthard

Which THREE components are required to implement a global application that can withstand the failure of an entire AWS Region? (Select THREE.)

Select 3 answers
A.An Application Load Balancer in the primary Region.
B.Amazon CloudFront with multiple origins and origin failover.
C.Amazon DynamoDB Global Tables.
D.Amazon RDS with a single-AZ deployment.
E.Amazon Route 53 with health checks and failover routing policy.
AnswersB, C, E

Together these remove every single-Region dependency: DNS failover, replicated data and an edge layer that can fail over between origins.

Why this answer

Options B, C and E are correct. Route 53 with health checks and a failover routing policy moves DNS to the secondary Region when the primary fails its health check. DynamoDB Global Tables replicate data across Regions with multi-Region writes, so the secondary Region has current data.

CloudFront with origin failover retries a secondary origin when the primary returns errors or times out. Option A is wrong because an ALB is a regional resource. Option D is wrong because a Single-AZ RDS instance does not survive even an Availability Zone failure.

938
Multi-Selectmedium

A company wants to implement a least-privilege security model for its IAM users. Which TWO practices should be applied?

Select 2 answers
A.Use IAM policy conditions to restrict access based on IP address or time of day.
B.Use only resource-based policies to manage permissions.
C.Attach the AdministratorAccess managed policy to all IAM users.
D.Use the AWS account root user for daily administrative tasks.
E.Grant permissions based on the specific actions and resources needed.
AnswersA, E

Conditions add granularity to permissions.

Why this answer

Option E is correct because granting only the specific actions and resources a user needs is the definition of least privilege. Option A is correct because conditions such as aws:SourceIp or aws:CurrentTime narrow from where and when those permissions apply. Option D is wrong because the root user should be reserved for tasks that require it and protected with MFA.

Option B is wrong because resource-based policies exist only for some services and do not replace identity policies. Option C is wrong because AdministratorAccess grants everything.
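Options A and E combined in one policy, as an added CloudFormation example (not from the question bank): a narrow grant further restricted by source IP and a time window. Two caveats the options gloss over are visible in the code: aws:CurrentTime compares absolute timestamps, so it expresses a one-off change window rather than a recurring time of day, and aws:SourceIp does not match requests that arrive through a VPC endpoint (use aws:VpcSourceIp for those). Bucket name, CIDR and window are placeholders.

```yaml
# Added example, not from the question bank.
# Assumptions: the bucket name, office CIDR and change window are placeholders.
AWSTemplateFormatVersion: "2010-09-09"
Description: Least-privilege upload policy restricted by source IP and time window

Resources:
  ReleaseManagerPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: ReleaseArtifactsUpload
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # Only the actions and resources the task needs: list one bucket, upload to one prefix.
          - Sid: ListReleaseBucket
            Effect: Allow
            Action: s3:ListBucket
            Resource: arn:aws:s3:::release-artifacts-example   # assumption
            Condition:
              StringLike:
                s3:prefix: releases/*
          - Sid: UploadReleaseArtifacts
            Effect: Allow
            Action: s3:PutObject
            Resource: arn:aws:s3:::release-artifacts-example/releases/*   # assumption
            Condition:
              # Requests must come from the office egress range (not via a VPC endpoint).
              IpAddress:
                aws:SourceIp: 203.0.113.0/24   # assumption
              # Absolute window: IAM has no recurring time-of-day condition key.
              DateGreaterThan:
                aws:CurrentTime: "2024-06-01T00:00:00Z"   # assumption: window start
              DateLessThan:
                aws:CurrentTime: "2024-06-02T00:00:00Z"   # assumption: window end
```

Because all conditions in a statement must hold, a request from the right network outside the window is denied; a permanent policy with a recurring schedule would instead be enforced by attaching and detaching the policy from automation.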

939
Multi-Selecteasy

Which TWO tools can be used to manage configuration drift detection for AWS resources? (Choose two.)

Select 2 answers
A.AWS Config
B.AWS Systems Manager Inventory
C.AWS Trusted Advisor
D.AWS CloudTrail
E.AWS CloudFormation Drift Detection
AnswersA, E

Monitors and evaluates resource configurations.

Why this answer

AWS Config continuously monitors and records AWS resource configurations and can detect changes against desired baselines, enabling drift detection through rules and compliance checks. AWS CloudFormation Drift Detection directly compares the current state of a stack's resources with the expected template-defined state to identify configuration drift. Both tools provide native mechanisms to detect when resources deviate from their intended configuration.

Exam trap

The trap here is that candidates often confuse AWS Systems Manager Inventory (which collects instance-level software inventory) with configuration drift detection, or they mistakenly think AWS CloudTrail's API logging is sufficient to detect drift, when in fact drift detection requires comparing current state to a desired baseline, not just recording changes.

940
MCQmedium

A company uses AWS Lambda functions to process incoming events from Amazon S3. The operations team notices that some events are not being processed, and there is no error in the Lambda function logs. What is the most likely cause?

A.The Lambda function has reserved concurrency set to a low value, causing throttling.
B.The S3 event notification is configured to send to an SNS topic that is not subscribed to the Lambda function.
C.The S3 bucket policy does not allow the Lambda function to be invoked.
D.The Lambda function has a timeout that is too short.
AnswerA

Throttled events are not logged in the function's CloudWatch Logs because the function is not invoked.

Why this answer

When a Lambda function has reserved concurrency set to a low value, that value caps its concurrent executions. S3 invokes the function asynchronously, so invocations above the cap are throttled: Lambda queues and retries them with backoff, and if the function stays over its limit the events are eventually dropped (after up to six hours by default) unless a dead-letter queue or on-failure destination is configured. Because the function code never runs for those events, nothing appears in its log group; the Throttles metric in CloudWatch is where the problem shows. This matches the symptom of missing events with no error logs.

Exam trap

The trap here is that candidates often assume missing events are due to permission or timeout errors, but the absence of any error logs points to throttling, where the function is never invoked and thus no logs are generated.

How to eliminate wrong answers

Option B is wrong because an SNS topic with no Lambda subscription would deliver nothing at all, whereas the symptom is that some events are processed and others are not. Option C is wrong because if the bucket's notification could not invoke the function, S3 would fail to deliver every event and the permission error would be visible when the notification is configured, contradicting the partial processing described. Option D is wrong because a timeout that is too short would cause the function to fail mid-execution and write a timeout error to its logs, not drop events without any log entries.

941
MCQmedium

A company is using Amazon RDS for MySQL and needs to monitor slow queries to optimize database performance. The team has enabled slow query logs and wants to centralize logging in Amazon CloudWatch Logs for real-time analysis and alerting. Which solution meets these requirements with minimal operational overhead?

A.Enable Performance Insights on the RDS instance and use the Performance Insights dashboard to view slow queries.
B.Enable Enhanced Monitoring on the RDS instance and configure CloudWatch alarms based on the metrics.
C.Modify the DB parameter group to enable slow_query_log and set log_output to FILE, then configure the RDS instance to publish the slowquery log file to CloudWatch Logs.
D.Configure the RDS instance to export slow query logs to an S3 bucket, then set up a Lambda function to read the logs and send them to CloudWatch Logs.
AnswerC

RDS can natively publish slow query logs to CloudWatch Logs via the 'slowquery' log export.

Why this answer

Option C is correct because RDS for MySQL can publish its slow query log to CloudWatch Logs natively: set slow_query_log to 1, tune long_query_time, and set log_output to FILE in the DB parameter group (TABLE output cannot be exported), then enable the 'slowquery' log export on the instance in the console, CLI or CloudFormation. Logs stream to the /aws/rds/instance/<identifier>/slowquery log group without additional infrastructure, where metric filters and alarms can be applied. Option B is wrong because Enhanced Monitoring provides OS-level metrics, not slow query logs.

Option D is wrong because exporting to S3 and pushing with Lambda adds infrastructure that the native export makes unnecessary. Option A is wrong because Performance Insights shows database load and top SQL in its own dashboard; it does not send the slow query log to CloudWatch Logs.
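The configuration from Option C end to end, as an added CloudFormation example (not from the question bank): the parameter group, the instance with the slowquery export, and a metric filter on the resulting log group that an alarm can use. Instance identifier and password parameter are placeholders.

```yaml
# Added example, not from the question bank.
# Assumptions: the instance identifier is a placeholder and the password is supplied as a NoEcho parameter.
AWSTemplateFormatVersion: "2010-09-09"
Description: RDS for MySQL with the slow query log published to CloudWatch Logs

Parameters:
  DbPassword:
    Type: String
    NoEcho: true
    Description: Master password (placeholder; prefer a Secrets Manager dynamic reference in production)

Resources:
  MySqlSlowLogParameters:
    Type: AWS::RDS::DBParameterGroup
    Properties:
      Description: Slow query log written as a file so RDS can export it
      Family: mysql8.0
      Parameters:
        slow_query_log: "1"
        long_query_time: "2"   # seconds; queries slower than this are logged
        log_output: FILE       # TABLE output cannot be exported to CloudWatch Logs

  OrdersDb:
    Type: AWS::RDS::DBInstance
    Properties:
      DBInstanceIdentifier: orders-db   # assumption
      Engine: mysql
      DBInstanceClass: db.t3.medium
      AllocatedStorage: "50"
      StorageEncrypted: true
      DBParameterGroupName: !Ref MySqlSlowLogParameters
      MasterUsername: admin
      MasterUserPassword: !Ref DbPassword
      # Native export: the log lands in /aws/rds/instance/orders-db/slowquery.
      EnableCloudwatchLogsExports:
        - slowquery
        - error

  # Count slow query entries so an alarm can fire when they spike.
  SlowQueryMetric:
    Type: AWS::Logs::MetricFilter
    DependsOn: OrdersDb
    Properties:
      LogGroupName: /aws/rds/instance/orders-db/slowquery
      FilterPattern: '"Query_time"'
      MetricTransformations:
        - MetricName: SlowQueries
          MetricNamespace: OrdersDb
          MetricValue: "1"
```

Dynamic parameters such as slow_query_log and long_query_time apply without a reboot; changing a static parameter in the same group would require one.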

942
MCQmedium

Your company has a CI/CD pipeline for a Java web application using AWS CodePipeline, CodeBuild, and CodeDeploy. The pipeline has three stages: Source (CodeCommit), Build (CodeBuild), and Deploy (CodeDeploy to EC2 instances in an Auto Scaling group). Recently, after a change to the buildspec, the Build stage succeeds but the Deploy stage fails with the error 'The deployment failed because the deployment group exceeded the minimum healthy host count.' The CodeDeploy deployment configuration uses a 'OneAtATime' deployment with a minimum healthy host count of 1. The Auto Scaling group has a minimum size of 2 and a maximum size of 4. The application runs on Amazon Linux 2 instances. The CodeDeploy agent is installed and running on all instances. What is the most likely cause of the failure?

A.The CodeDeploy agent on some instances has been stopped or is not responding.
B.The Auto Scaling group is using a different Amazon Machine Image (AMI) that lacks the CodeDeploy agent.
C.The new build artifact is larger, causing the instances to run out of disk space during deployment, which prevents the CodeDeploy agent from completing the deployment.
D.The CodeDeploy service role does not have permission to describe the Auto Scaling group.
AnswerC

Disk space issues can cause the agent to fail, reducing healthy hosts.

Why this answer

Option C is correct because if the buildspec change produced a larger artifact, instances can run out of disk space while the agent downloads and unpacks it; the agent fails the deployment on that instance, the count of healthy hosts drops below the configured minimum, and CodeDeploy stops with exactly this error. Option A is wrong because the question states the agent is installed and running on all instances. Option B is wrong for the same reason; an AMI without the agent would fail on every instance rather than reduce healthy hosts part way through.

Option D is wrong because the service role is what CodeDeploy uses to discover the group's instances; without that permission the deployment would fail before any instance was touched, not with a healthy host count error.

943
MCQmedium

A development team is using AWS CodeCommit to store source code and AWS CodePipeline to automate builds and deployments. The team wants to ensure that builds and tests are triggered only when code is pushed to specific branches, and that manual approval is required before deploying to production. Which CodePipeline configuration should the team implement?

A.Configure the source action to trigger on all branches and add a manual approval step before the build stage.
B.Configure the source action with a branch filter for main, and add a manual approval step before the build stage.
C.Use a branch filter on the build action to run only for the main branch, and add a manual approval step before the deploy stage.
D.Configure the source action with a branch filter for main, and add a manual approval step before the production deployment stage.
AnswerD

This ensures builds only on main pushes and requires approval before production deployment.

Why this answer

Option D is correct because it filters the source action to pushes on main and requires manual approval before the production deployment stage, so builds and tests run automatically and only the production release waits on a human. Option A triggers on all branches. Option B filters correctly but places the approval before the build, which would block builds and tests on a human. Option C puts the branch filter on the build action, which has no such setting; branch selection belongs to the source action.

944
MCQeasy

A company uses AWS Elastic Beanstalk to deploy a Java web application. The DevOps team wants to ensure that configuration changes are tracked and can be rolled back if needed. Which Elastic Beanstalk feature should they use?

A.Use AWS CodeCommit to store configuration files and version them.
B.Use AWS CodePipeline with a manual approval stage to track changes.
C.Use AWS CloudFormation change sets to review changes before deployment.
D.Use Elastic Beanstalk saved configurations to capture environment settings and restore them if needed.
AnswerD

Saved configurations allow you to save and restore environment settings.

Why this answer

Option D is correct because Elastic Beanstalk saved configurations capture an environment's option settings as a named artifact that can be reviewed and applied later to restore a previous configuration. Option C is wrong because CloudFormation change sets apply to stacks you manage directly, not to an Elastic Beanstalk environment. Option B is wrong because a manual approval stage gates deployments but does not record or restore environment settings.

Option A is wrong because CodeCommit versions files but is not an Elastic Beanstalk feature and cannot restore an environment's settings by itself (though keeping .ebextensions in source control is good practice alongside saved configurations).

945
MCQmedium

Refer to the exhibit. A security engineer runs this AWS Config query. What is the intended purpose?

A.Find all resources that are not approved.
B.Find all t2 instances that are using approved AMIs.
C.Find all t2 instances that are not using approved AMIs.
D.Find all instances regardless of type that are not using approved AMIs.
AnswerC

Correct; the query filters for t2 instances with unapproved AMIs.

Why this answer

The query selects EC2 instances of type t2.* whose AMI ID is not in the list of approved AMIs (those tagged with 'approved'). This identifies instances running unapproved AMIs.

946
MCQmedium

A company uses AWS CloudFormation to deploy a stack that includes an Amazon RDS DB instance. The database password is stored in AWS Secrets Manager. The CloudFormation template needs to reference the secret value dynamically during stack creation. How should the template retrieve the secret?

A.Use a CloudFormation mapping to store the secret ARN.
B.Use a dynamic reference with '{{resolve:secretsmanager:secret-id:secret-string}}' in the template.
C.Hardcode the password in the template as a literal string.
D.Use a CloudFormation parameter with a default value referencing the secret ARN.
AnswerB

Dynamic references retrieve the secret value securely at stack creation.

Why this answer

Option B is correct: CloudFormation dynamic references of the form {{resolve:secretsmanager:secret-id:SecretString:json-key}} fetch the secret value when the resource is created or updated, so the value never appears in the template, its parameters or stack events. The identity running the stack operation needs secretsmanager:GetSecretValue on the secret. Options A, C and D do not retrieve the value: A and D only carry the ARN, and C stores the password in plaintext in the template and its history.
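The dynamic reference from Option B in context, as an added CloudFormation example (not from the question bank): a generated secret, an RDS instance whose credentials resolve from it, and the target attachment that lets rotation update both. Secret name and instance settings are placeholders.

```yaml
# Added example, not from the question bank.
# Assumptions: the secret name and the instance settings are placeholders.
AWSTemplateFormatVersion: "2010-09-09"
Description: RDS instance whose master credentials resolve from Secrets Manager at deploy time

Resources:
  # The password is generated inside Secrets Manager and never written into the template.
  DbPasswordSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: prod/app/db   # assumption
      GenerateSecretString:
        SecretStringTemplate: '{"username": "appadmin"}'
        GenerateStringKey: password
        PasswordLength: 32
        ExcludeCharacters: '"@/\'

  AppDatabase:
    Type: AWS::RDS::DBInstance
    DeletionPolicy: Snapshot
    Properties:
      Engine: mysql
      DBInstanceClass: db.t3.medium
      AllocatedStorage: "20"
      StorageEncrypted: true
      MultiAZ: true
      # {{resolve:secretsmanager:<secret-id>:SecretString:<json-key>}} is resolved by CloudFormation
      # when this resource is created or updated; the stack's caller needs secretsmanager:GetSecretValue.
      MasterUsername: !Sub '{{resolve:secretsmanager:${DbPasswordSecret}:SecretString:username}}'
      MasterUserPassword: !Sub '{{resolve:secretsmanager:${DbPasswordSecret}:SecretString:password}}'

  # Links the secret to the instance so a rotation function can update the database as well.
  SecretDbAttachment:
    Type: AWS::SecretsManager::SecretTargetAttachment
    Properties:
      SecretId: !Ref DbPasswordSecret
      TargetId: !Ref AppDatabase
      TargetType: AWS::RDS::DBInstance
```

A dynamic reference is resolved only during a stack operation that touches the property; a rotated secret is not pushed into the instance by CloudFormation, which is why the attachment and a rotation function handle that instead.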

947
Multi-Selecteasy

Which TWO actions can help ensure that an application running on EC2 instances can survive the loss of an entire Availability Zone?

Select 2 answers
A.Deploy all instances in a single Availability Zone for consistency
B.Use an Auto Scaling group with multiple Availability Zones
C.Deploy EC2 instances in at least two Availability Zones
D.Use a larger instance type to handle more load
E.Use CloudWatch alarms to monitor instance health
AnswersB, C

Auto Scaling distributes instances across AZs and replaces failed ones.

Why this answer

Deploying instances in multiple AZs ensures that if one AZ fails, instances in the other AZs keep serving. An Auto Scaling group spanning multiple AZs distributes instances across them and replaces failed ones. Option A is wrong because a single AZ is a single point of failure.

Option D is wrong because instance type does not affect AZ resilience. Option E is wrong because CloudWatch alarms do not distribute instances.

948
MCQhard

A team uses AWS CodePipeline with a source action from an Amazon S3 bucket. The pipeline triggers on changes to the S3 bucket, but sometimes runs twice for a single commit. What is the most likely cause?

A.CodePipeline has a deduplication setting that is disabled.
B.S3 event notifications for the same object may be delivered more than once.
C.The S3 bucket has versioning enabled.
D.The pipeline is also triggered by a CloudWatch Events rule.
AnswerB

S3 event notifications are at-least-once delivery, so duplicates can occur.

Why this answer

Amazon S3 event notifications are designed for at-least-once delivery, meaning the same event (e.g., an object PUT) can be delivered multiple times. When CodePipeline uses S3 as a source, it relies on these notifications to trigger the pipeline. If S3 sends duplicate notifications for the same object version, CodePipeline will start a new execution for each notification, causing the pipeline to run twice for a single commit.

Exam trap

The trap here is that candidates may assume S3 event notifications are exactly-once, leading them to incorrectly suspect versioning or a missing deduplication setting, rather than recognizing S3's inherent at-least-once delivery behavior.

How to eliminate wrong answers

Option A is wrong because CodePipeline does not have a configurable deduplication setting; deduplication is handled by the source event mechanism, not a pipeline-level toggle. Option C is wrong because S3 versioning, when enabled, creates distinct object versions for each PUT, and CodePipeline triggers on changes to the bucket (including new versions), but versioning alone does not cause duplicate notifications—it actually helps differentiate versions. Option D is wrong because if a CloudWatch Events rule were also triggering the pipeline, it would be an additional trigger source, but the question states the pipeline triggers on S3 bucket changes, and the most likely cause of duplicate runs is duplicate S3 event notifications, not an extra rule.

949
MCQmedium

A company is using AWS CodePipeline to deploy a web application. The pipeline includes a source stage (CodeCommit), a build stage (CodeBuild), and a deploy stage (CodeDeploy). The security team requires that all artifacts be encrypted at rest and in transit. Which configuration ensures encryption for all stages?

A.Enable AWS KMS encryption on the CodePipeline artifact bucket and use SSH for CodeCommit.
B.Use an AWS Certificate Manager (ACM) certificate for CodeBuild and CodeDeploy endpoints.
C.Enable default encryption on the S3 artifact bucket and ensure all connections use HTTPS.
D.Encrypt the CodePipeline artifact using the pipeline's built-in encryption feature.
Answer: C

Ensures encryption at rest and in transit.

Why this answer

Option C is correct because enabling default encryption on the S3 artifact bucket ensures encryption at rest, and using HTTPS for all endpoints ensures encryption in transit. Option A is wrong because KMS encryption for CodePipeline is not automatic. Option B is wrong because CodeCommit and the other service endpoints already use HTTPS; additional steps are not needed.

Option D is wrong because encryption at rest is not automatically enabled.

950
MCQ (hard)

A company uses Amazon CloudWatch Logs to collect application logs from EC2 instances. The security team requires that log data be encrypted at rest using a customer-managed AWS KMS key. The logs are currently being delivered, but they are not encrypted. What is the most likely reason?

A.The IAM role for the EC2 instance does not have kms:Encrypt permission
B.The CloudWatch Logs agent is not configured to encrypt logs
C.The KMS key is disabled
D.The KMS key policy does not allow the CloudWatch Logs service principal
Answer: A

The role needs permission to encrypt using the CMK.

Why this answer

Option A is correct because the CloudWatch Logs role must have kms:Encrypt permission to use the CMK. Option D is wrong because KMS key policies can delegate to IAM policies, but the IAM policies must then grant the permissions. Option C is wrong because the CMK must be enabled, but that is not the typical issue.

Option B is wrong because encryption is applied at the log group level, not at the agent level.

951
MCQ (easy)

A CloudFormation template includes the above snippet. The stack creation fails with the error 'Unable to validate the following destination configurations'. What is the most likely cause?

A.The template has a syntax error in the PolicyDocument section.
B.The bucket name is not globally unique.
C.S3 Bucket Policy is not supported for this bucket region.
D.The account has a public access block that denies public bucket policies.
Answer: D

The error indicates validation failure, often due to public access blocks.

Why this answer

The error 'Unable to validate the following destination configurations' typically occurs when a bucket policy grants public access but the bucket's public access block settings are enabled. By default, S3 blocks public access. Option D is correct.

Option B is incorrect because the bucket name is unique. Option C is incorrect because bucket policies are supported. Option A is incorrect because the template is valid YAML.

952
MCQ (medium)

A company runs a stateful application on EC2 instances in an Auto Scaling group. The application stores state on local instance storage. During a scaling event, users lose session data. How can the company make the application resilient without modifying the application code?

A.Reduce the Auto Scaling group cooldown period.
B.Enable sticky sessions on the Application Load Balancer.
C.Increase the instance size to reduce scaling events.
D.Use Elastic Block Store (EBS) volumes instead of instance store.
Answer: B

Sticky sessions route users to the same instance, preserving local state.

Why this answer

Option B is correct because using a sticky session (session affinity) on the ALB ensures users are routed to the same instance, preserving local state. Option C is wrong because larger instances do not prevent data loss on termination. Option D is wrong because EBS volumes persist but require reattachment.

Option A is wrong because reducing the cooldown period does not preserve state.

953
Multi-Select (hard)

A company is using AWS CloudTrail to log API calls across all accounts in AWS Organizations. The security team wants to ensure that CloudTrail logs are not tampered with and are available for forensic analysis. Which combination of actions should be taken? (Choose TWO.)

Select 2 answers
A.Disable public access to the S3 bucket using block public access settings.
B.Enable MFA delete on the S3 bucket.
C.Enable CloudTrail log file validation.
D.Use AWS Backup to create backups of the CloudTrail S3 bucket.
E.Enable server-side encryption with AWS KMS (SSE-KMS) on the S3 bucket storing CloudTrail logs.
Answers: C, E

Log file validation allows you to verify that log files have not been modified.

Why this answer

Options C and E are correct. Option C enables log file validation, which provides integrity verification. Option E enables S3 server-side encryption to protect data at rest.

Option D is wrong because CloudTrail does not support AWS Backup. Option A is wrong because disabling S3 public access is good but not sufficient. Option B is wrong because MFA delete adds protection but is not a CloudTrail feature.

954
MCQ (hard)

A team uses Terraform to manage AWS infrastructure. After a recent update, a state file shows that a security group rule was created, but the rule does not exist in AWS. Running 'terraform plan' shows no changes. What is the most likely cause?

A.The security group rule was imported into state but not defined in configuration.
B.The 'terraform refresh' command was not run before the plan.
C.There is a conflict between multiple Terraform workspaces.
D.The security group rule was added manually via the AWS console and is not managed by Terraform, causing state to be out of sync.
Answer: D

Terraform state thinks the rule exists, but it doesn't. Plan shows no changes because Terraform believes it's already there.

Why this answer

Option D is correct because if the rule was created outside Terraform, the state file may be out of sync, and Terraform detects no drift if the rule is not managed. Option B is wrong because 'terraform refresh' would update state, but plan already shows no changes. Option A is wrong because if an import were needed, plan would show changes.

Option C is wrong because a workspace conflict would cause errors, not missing rules.

955
MCQ (easy)

A company uses AWS OpsWorks for configuration management. They want to ensure that whenever a new instance is added to a layer, it automatically installs the latest security patches and joins a central logging system. What is the most efficient way to achieve this?

A.Schedule a cron job on each instance to check and apply patches daily.
B.Use Chef recipes in a custom OpsWorks layer's Setup lifecycle event.
C.Configure user data scripts in the launch configuration.
D.SSH into each instance and run the commands manually.
Answer: B

Chef recipes in Setup run on every new instance added to the layer.

Why this answer

Option B is correct because Chef recipes in OpsWorks lifecycle events (Setup) run on new instances. Option C is wrong because user data runs only at launch and may not run again if the instance is stopped and started. Option D is wrong because it requires manual intervention.

Option A is wrong because a daily cron job is not real-time.

956
MCQ (medium)

A company uses AWS CodePipeline for CI/CD. During a production deployment, the pipeline fails at the 'Deploy' stage with an error: 'The deployment failed because the deployment group does not have enough capacity to handle the deployment.' The engineer checks the CodeDeploy deployment group and sees that it is configured with a minimum healthy hosts of 100% and a deployment configuration of 'CodeDeployDefault.OneAtATime'. What is the MOST likely cause?

A.The deployment configuration 'OneAtATime' is not compatible with the deployment group.
B.The target group health check is misconfigured, causing all instances to be unhealthy.
C.The CodeDeploy agent on the instances is not running.
D.The deployment group has only one instance, and the minimum healthy hosts setting prevents the deployment.
Answer: D

With one instance and min healthy hosts 100%, taking that instance out of service violates the constraint.

Why this answer

Option D is correct because with a minimum healthy hosts of 100%, CodeDeploy requires that all hosts remain healthy during deployment. The OneAtATime configuration updates only one host at a time, but if the deployment group has only one instance, taking it out of service violates the minimum healthy hosts. Option B is wrong because the error is about capacity, not target group health.

Option C is wrong because CodeDeploy agent issues would cause a different error. Option A is wrong because the deployment configuration is correct for rolling updates.

957
MCQ (easy)

A DevOps engineer needs to ensure that all API calls made to AWS services are logged for auditing purposes. Which AWS service should be enabled?

A.AWS CloudTrail
B.AWS Config
C.VPC Flow Logs
D.Amazon CloudWatch Logs
Answer: A

Records API calls for auditing.

Why this answer

Option A is correct because AWS CloudTrail records API calls for auditing. Option D is wrong because CloudWatch Logs is for log storage, not recording API calls. Option B is wrong because AWS Config records resource configuration changes.

Option C is wrong because VPC Flow Logs capture network traffic.

958
MCQ (medium)

A development team uses AWS CodeBuild to compile a Java application. The build takes 15 minutes on average, but recently it started taking over 30 minutes. The buildspec.yml file is unchanged. What is the most likely cause?

A.The cache for the build project was cleared, forcing a full dependency download.
B.The build environment was changed from a Linux to a Windows environment.
C.The build project's compute type was downgraded to a smaller instance.
D.The buildspec.yml file was updated to include more build commands.
Answer: A

Clearing the cache means all dependencies must be downloaded again, increasing build time.

Why this answer

Option A is correct because CodeBuild caches dependencies and layers; clearing the cache forces a full rebuild, increasing build time. Option D is wrong because buildspec changes would affect time, but the file is unchanged. Option B is wrong because an environment type change would require a new build project, not just an increase in time.

Option C is wrong because a smaller compute type would be slower, but that would be a known change.

959
MCQ (hard)

A company uses AWS Lambda functions that are triggered by S3 events (object creation). The Lambda function processes the file and stores results in DynamoDB. Recently, the function started timing out after 15 seconds, causing some files to not be processed. The average file size has increased significantly. The DevOps engineer increases the Lambda function's timeout to 30 seconds and the memory to 512 MB, but the function still times out for large files. The CloudWatch Logs show that the timeout occurs during the 'dynamodb.put_item' call for a large item. The DynamoDB table's write capacity is set to on-demand, and there are no throttling errors. What should the engineer do to resolve the timeout issue?

A.Modify the Lambda function to split the large item into multiple smaller items before writing to DynamoDB.
B.Configure the Lambda function to write to an SQS queue first, then have another Lambda process the queue.
C.Mount an EFS file system to the Lambda function and write the large item to a file instead of DynamoDB.
D.Increase the Lambda function's timeout to 5 minutes and memory to 1024 MB.
Answer: A

DynamoDB has a 400 KB item size limit; splitting the item avoids the timeout.

Why this answer

Option A is correct because increasing the timeout and memory (or using DynamoDB's TransactWriteItems) does not help if the item size exceeds the 400 KB limit; splitting the item reduces the payload. Option D is wrong because increasing memory and timeout further does not help if the DynamoDB API call itself times out due to the large item size. Option B is wrong because the issue is not related to SQS.

Option C is wrong because the Lambda function is not using EFS, and moving the data to a file does not address the DynamoDB write.

960
MCQ (easy)

A company runs a critical Amazon RDS for PostgreSQL database. The database suddenly becomes unresponsive. The DevOps team checks CloudWatch metrics and notices that the 'DatabaseConnections' metric spiked to the maximum limit. What is the MOST likely cause and immediate action?

A.There is a network connectivity issue; check the VPC settings.
B.The database storage is full; increase the allocated storage.
C.The application has a connection leak; restart the database to clear connections.
D.The database CPU is at 100%; scale up the instance class.
Answer: C

A connection leak causes connections to remain open, hitting the max. Restarting clears them.

Why this answer

Option C is correct because a sudden spike to the maximum connections indicates that the application might have a connection leak, causing connections to accumulate. The immediate action is to restart the database to clear all connections and then investigate the application. Option B is wrong because full storage would show as low 'FreeStorageSpace', not necessarily max connections.

Option D is wrong because high CPU would be shown by the 'CPUUtilization' metric, not directly by connections. Option A is wrong because a network issue would affect connectivity, not cause max connections.

961
MCQ (hard)

A company has a critical application running on Amazon EC2 instances behind an Application Load Balancer. The application is experiencing intermittent latency spikes. The DevOps team has enabled detailed monitoring on the EC2 instances and is using CloudWatch metrics. They notice that CPU utilization and network traffic are normal during the spikes. Which additional diagnostic step should the team take to identify the root cause?

A.Instrument the application with AWS X-Ray to trace requests and identify bottlenecks.
B.Use CloudWatch Container Insights to monitor the performance of the EC2 instances.
C.Enable CloudWatch Synthetics to create canaries that monitor the application endpoints.
D.Run an AWS Trusted Advisor check to identify performance-related recommendations.
Answer: A

X-Ray provides end-to-end tracing to find latency sources.

Why this answer

Option A is correct because X-Ray can trace requests end-to-end and identify which component is causing latency, even when CPU and network are normal. Option C is wrong because Synthetics monitors external endpoints, not internal application behavior. Option B is wrong because Container Insights is for containerized environments.

Option D is wrong because Trusted Advisor is not a diagnostic tool.

962
MCQ (hard)

An organization uses AWS CodeDeploy to deploy a web application to an Auto Scaling group. The deployment fails with the error 'The overall deployment failed because too many individual instances failed deployment, too few healthy instances are available for deployment, or some instances in your deployment group are experiencing problems.' The engineer reviews the deployment logs and finds that the AppSpec file is correctly formatted and the scripts run successfully on some instances. What is the MOST likely cause?

A.The CodeDeploy agent is not installed on some instances.
B.The target group is not configured to route traffic to the instances.
C.The health check grace period for the Auto Scaling group is too short.
D.The IAM role assigned to the EC2 instances does not have sufficient permissions.
Answer: C

Instances may be terminated before the application starts, causing deployment failure.

Why this answer

Option C is correct because if the health check grace period is too short, instances might be marked unhealthy before the application starts. Option B would affect all instances. Option A would cause consistent failures.

Option D might not cause instance failure.

963
Multi-Select (easy)

A company uses Amazon CloudWatch Logs to store application logs. The security team requires that all logs be encrypted at rest using a customer-managed AWS KMS key. Which THREE steps are necessary to meet this requirement? (Choose THREE.)

Select 3 answers
A.Grant the IAM role used by the application to write logs permission to use the KMS key (kms:Encrypt, kms:Decrypt).
B.Associate the KMS key with the CloudWatch Logs log group by specifying the key ARN in the log group's settings.
C.Create a customer-managed AWS KMS key in the same region as the CloudWatch Logs log group.
D.Enable encryption on each log stream individually.
E.Enable server-side encryption on the Amazon S3 bucket where logs are exported.
Answers: A, B, C

The writer must have permissions to use the KMS key.

Why this answer

Options A, B, and C are correct. A KMS key must be created (C), the CloudWatch Logs log group must be associated with the key (B), and the IAM role that writes logs must have permission to use the key (A). Option E (enable server-side encryption with S3) is not applicable because logs are stored in CloudWatch Logs, not S3.

Option D (enable encryption on the log stream) is not a supported action; encryption is set at the log group level.

964
Multi-Select (easy)

A company is implementing a disaster recovery plan for its on-premises database using AWS. The plan must have a Recovery Time Objective (RTO) of 2 hours and a Recovery Point Objective (RPO) of 15 minutes. Which TWO AWS services should the company use? (Choose TWO.)

Select 2 answers
A.AWS Snowball Edge
B.Amazon S3 with versioning
C.AWS Backup with cross-Region backup copy
D.AWS Database Migration Service (DMS) with ongoing replication
E.AWS Storage Gateway with cached volumes
Answers: C, D

AWS Backup can automate and restore backups quickly, meeting RTO.

Why this answer

Option D is correct because AWS Database Migration Service (DMS) can replicate changes continuously, meeting the RPO of 15 minutes. Option C is correct because AWS Backup can automate backups and support cross-Region recovery, meeting the RTO of 2 hours. Option B is wrong because S3 alone does not provide database replication.

Option E is wrong because Storage Gateway is for file/volume storage, not database replication. Option A is wrong because Snowball is for large data transfer, not real-time replication.

965
MCQ (medium)

A company uses AWS CodePipeline with a multi-branch strategy. A new feature branch triggers a pipeline that runs unit tests and deploys to a test environment. The deployment step uses AWS CodeDeploy with a deployment group configured for in-place deployment to Amazon EC2 instances. The deployment fails intermittently with the error 'The overall deployment failed because too many individual instances failed deployment, too few healthy instances are available for deployment, or some instances in your deployment group are experiencing problems.' The instances are healthy and pass health checks. What is the most likely cause?

A.The pipeline has a failed execution that is blocking subsequent executions.
B.The CodeDeploy agent on the instances is not running, causing the deployment to fail.
C.The pipeline is configured with a high frequency of changes, causing throttling from CodePipeline.
D.A previous deployment is still in progress or frozen in the CodeDeploy deployment group.
Answer: D

CodeDeploy limits concurrent deployments per deployment group; a frozen deployment prevents new ones.

Why this answer

Option D is correct because CodeDeploy enforces a per-deployment-group concurrency limit of one deployment at a time. If a previous deployment is still in progress or in a 'frozen' state (e.g., due to a failed or stopped deployment that hasn't been explicitly rolled back or cleaned up), new deployments will fail with the 'too many individual instances failed' error even when instances are healthy. The error message is misleading because it reflects CodeDeploy's inability to proceed with the new deployment, not actual instance health issues.

Exam trap

The trap here is that candidates misinterpret the generic 'too many instances failed' error as a sign of instance health issues or agent problems, when in reality it often indicates a concurrency or state conflict within the CodeDeploy deployment group.

How to eliminate wrong answers

Option A is wrong because a failed pipeline execution does not block subsequent executions in CodePipeline; each execution is independent and a new execution can be triggered even if a previous one failed. Option B is wrong because if the CodeDeploy agent were not running, the deployment would fail on those specific instances with a distinct 'Agent not found' or 'Host not reachable' error, not the generic 'too many instances failed' error, and the question states instances are healthy and pass health checks. Option C is wrong because CodePipeline does not throttle based on change frequency; it can handle concurrent executions, and throttling would manifest as API rate limit errors (HTTP 429), not deployment failures within CodeDeploy.

966
Multi-Select (medium)

Which THREE steps are required to set up a cross-account CI/CD pipeline where the source stage is in Account A (CodeCommit) and the deploy stage is in Account B (ECS)? (Choose 3.)

Select 3 answers
A.Create an IAM role in Account B that the pipeline in Account A can assume for the deploy action.
B.Configure an AWS KMS key in Account B and share it with Account A for encrypting artifacts.
C.Update the CodePipeline service role in Account A to include a trust policy that allows assuming the role in Account B.
D.Create a resource-based policy on the CodeCommit repository in Account B that grants access to the CodePipeline service role in Account A.
E.Create an S3 bucket in Account B to store the artifacts and grant cross-account access.
Answers: A, C, D

The pipeline needs permissions in Account B to deploy to ECS.

Why this answer

Options A, C, and D are correct. Option D provides cross-account access for CodePipeline in Account A to pull source from Account B. Option A is necessary for the pipeline to deploy to Account B.

Option C ensures the pipeline can assume the execution role in Account B. Option B is wrong because KMS keys are not required for cross-account pipelines unless encryption is used. Option E is wrong because S3 buckets are not required for a CodeCommit source.

967
MCQ (easy)

A company runs a web application on EC2 instances behind an Application Load Balancer (ALB). The security team wants to protect the application from common web exploits like SQL injection and cross-site scripting. Which AWS service should be used?

A.AWS Shield Advanced
B.Amazon GuardDuty
C.AWS Network Firewall
D.AWS WAF
Answer: D

Web application firewall for SQL injection, XSS, etc.

Why this answer

AWS WAF is a web application firewall that helps protect web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. It allows you to create rules that filter and monitor HTTP(S) requests based on conditions such as IP addresses, HTTP headers, URI strings, and SQL injection or cross-site scripting patterns. By integrating with an Application Load Balancer, AWS WAF can inspect incoming traffic and block malicious requests before they reach the EC2 instances.

Exam trap

The trap here is that candidates often confuse AWS WAF with AWS Shield or GuardDuty, mistakenly thinking that DDoS protection or general threat detection covers application-layer attacks like SQL injection and XSS, when in fact only a web application firewall (WAF) can inspect and filter HTTP request payloads at Layer 7.

How to eliminate wrong answers

Option A is wrong because AWS Shield Advanced provides protection against Distributed Denial of Service (DDoS) attacks, not against application-layer exploits like SQL injection or XSS. Option B is wrong because Amazon GuardDuty is a threat detection service that monitors for malicious activity and unauthorized behavior using VPC Flow Logs, DNS logs, and CloudTrail events, but it does not inspect or filter HTTP request payloads for web exploits. Option C is wrong because AWS Network Firewall is a managed firewall service that filters traffic at the network and transport layers (Layer 3/4) using stateful inspection and intrusion prevention, but it does not provide application-layer (Layer 7) inspection for SQL injection or XSS patterns.

968
MCQ (easy)

A company uses AWS CloudFormation to manage its infrastructure. The DevOps team notices that stack updates sometimes fail because of resource conflicts. The team wants to prevent concurrent updates to the same stack. What should they do?

A.Use an AWS Organizations service control policy to restrict updates
B.Create an IAM policy that denies cloudformation:UpdateStack if a stack update is in progress
C.No action needed; CloudFormation already prevents concurrent stack updates
D.Enable CloudTrail to log all stack update attempts and manually review
Answer: C

CloudFormation automatically serializes updates to the same stack.

Why this answer

AWS CloudFormation inherently prevents concurrent updates to the same stack. When an update operation is initiated, CloudFormation places a lock on the stack, rejecting any subsequent update requests until the current operation completes. This behavior is built into the service and requires no additional configuration, making option C correct.

Exam trap

The trap here is that candidates overthink the problem and assume they need to implement custom concurrency controls (like IAM policies or SCPs), when in fact CloudFormation already handles this natively, making the 'no action needed' answer the correct one.

How to eliminate wrong answers

Option A is wrong because AWS Organizations service control policies (SCPs) are used to centrally control permissions across accounts, not to prevent concurrent stack updates within a single account; they cannot enforce operation-level concurrency controls. Option B is wrong because IAM policies evaluate permissions at the time of the API call, but CloudFormation already rejects concurrent updates at the service level, so an IAM policy denying UpdateStack during an in-progress update is redundant and would require custom logic (e.g., using condition keys like cloudformation:StackStatus) that is not natively supported for this purpose. Option D is wrong because CloudTrail logs API calls for auditing but does not prevent concurrent updates; manual review after the fact does not address the real-time conflict.

969
MCQ (easy)

A DevOps team uses the above CloudFormation template to create an S3 bucket. What does the bucket policy accomplish?

A.It denies all S3 operations on the bucket unless the request uses HTTPS.
B.It denies all read access to the bucket for anonymous users.
C.It prevents anyone from deleting objects in the bucket.
D.It allows only HTTPS requests to the bucket and denies all HTTP requests.
Answer: A

The condition denies if SecureTransport is false.

Why this answer

Option A is correct. The policy denies all S3 actions on the bucket objects if the request is not sent over HTTPS (aws:SecureTransport is false). This enforces encryption in transit.

Option B is wrong because the policy denies all actions, not just read. Option C is wrong because the policy denies all actions, not just delete. Option D is wrong because the policy only denies when HTTPS is not used; it does not itself allow anything.

970
MCQ (easy)

A DevOps engineer needs to centrally collect and analyze logs from multiple AWS accounts and on-premises servers. Which AWS service should be used to aggregate logs in a single dashboard?

A.Amazon Athena.
B.Amazon S3.
C.Amazon CloudWatch Logs.
D.Amazon Kinesis Data Firehose.
Answer: C

CloudWatch Logs can aggregate logs from multiple accounts and on-premises, and provides dashboards.

Why this answer

Option C is correct because CloudWatch Logs can be used as a central destination for log data from multiple sources via subscription filters and cross-account log groups. Option B is wrong because S3 is storage, not a dashboard. Option A is wrong because Athena is a query service, not a dashboard.

Option D is wrong because Kinesis Data Firehose is a streaming delivery service, not a dashboard.

971
MCQ (easy)

A DevOps engineer notices that an Amazon RDS for MySQL instance has failed over to a standby replica. The engineer needs to identify the root cause by examining metrics. Which AWS service should the engineer use to view the database load, replication lag, and failover events?

A.AWS CloudTrail
B.Amazon CloudWatch
C.VPC Flow Logs
D.AWS Trusted Advisor
Answer: B

CloudWatch monitors RDS metrics including load and replication lag.

Why this answer

Option B is correct because Amazon RDS integrates with CloudWatch to monitor metrics like DatabaseConnections, ReplicaLag, and failover events. Option A is wrong because CloudTrail records API calls but not database-level metrics. Option C is wrong because VPC Flow Logs capture network traffic, not database metrics.

Option D is wrong because Trusted Advisor provides best-practice checks, not real-time metrics.

972
MCQ (medium)

A DevOps engineer needs to audit changes to IAM policies over the past 90 days. The engineer wants to see who made the change, what the change was, and when it occurred. Which AWS tool should be used?

A.AWS Config
B.Amazon CloudWatch Logs
C.AWS CloudTrail
D.IAM Access Analyzer
Answer: C

CloudTrail records all API calls, providing the user, timestamp, and details of the change.

Why this answer

AWS CloudTrail is the correct choice because it records all API calls made to the AWS environment, including IAM policy changes, and stores them as events with details such as the identity of the caller (IAM user or role), the time of the request, and the request parameters. By querying CloudTrail logs over the past 90 days, the DevOps engineer can audit who made the change, what the change was (e.g., the specific IAM policy document modification), and when it occurred.

Exam trap

The trap here is that candidates often confuse AWS Config's ability to track configuration changes with CloudTrail's ability to provide a detailed audit trail of API calls, leading them to choose AWS Config for auditing who made a change, when in fact Config only shows the state change, not the identity of the actor.

How to eliminate wrong answers

Option A is wrong because AWS Config is a configuration management and compliance service that tracks resource configuration changes and evaluates them against rules, but it does not record who made the change or the exact API call details; it focuses on the state of resources, not the audit trail of actions. Option B is wrong because Amazon CloudWatch Logs is used to monitor, store, and access log files from AWS resources and applications, but it does not natively capture IAM API calls; it would require custom logging or integration with CloudTrail to obtain such data. Option D is wrong because IAM Access Analyzer is designed to identify resources shared with external entities and analyze access policies for unintended public or cross-account access, not to provide a historical audit trail of who made changes to IAM policies.

973
MCQ (medium)

A company uses AWS CodePipeline with a source stage from Amazon S3. The pipeline triggers on changes to the S3 bucket. However, the pipeline does not trigger when a new object is uploaded. What is the MOST likely cause?

A.The S3 bucket policy denies the CodePipeline service role.
B.The S3 bucket is in a different AWS Region than the pipeline.
C.The S3 bucket does not have versioning enabled.
D.The S3 bucket does not have an event notification configured to invoke the pipeline.
Answer: D

CodePipeline requires S3 event notifications to automatically start.

Why this answer

Option D is correct because S3 event notifications need to be configured to trigger CodePipeline. Option B is wrong because the source bucket and pipeline must be in the same Region, but the question only states that the pipeline is not triggering. Option C is wrong because versioning is not required for pipeline triggers.

Option A is wrong because bucket policies do not affect event notifications.

974
MCQ (hard)

A company uses an Application Load Balancer (ALB) in front of a fleet of EC2 instances. The security team reports that a specific client IP address is sending malicious requests and must be blocked immediately. The ALB's security group only allows HTTP/HTTPS from 0.0.0.0/0. What is the FASTEST way to block traffic from this IP address without affecting other traffic?

A.Create an AWS WAF web ACL with an IP set deny rule and associate it with the ALB.
B.Modify the ALB listener rules to drop requests from the client IP.
C.Update the ALB security group to add a deny rule for the client IP address.
D.Update the VPC route table to drop packets from the client IP.
AnswerA

AWS WAF blocks requests by source IP at the ALB itself, without touching security groups, network ACLs or routing.

Why this answer

Option A is correct because a WAF web ACL with an IP set and a block rule, associated with the ALB, rejects requests from that address at the load balancer and takes effect within seconds; adding or removing addresses later is a single update to the IP set with no change to listeners, security groups or routing, and the web ACL's sampled requests and BlockedRequests metric confirm that the block is working. Option C is wrong because security groups are stateful allow lists with no deny rule; the only way to exclude one address with a security group would be to replace 0.0.0.0/0 with allow rules for every other range, which is neither fast nor practical. The network-layer alternative is a deny rule in a network ACL on the ALB's subnets (network ACLs are stateless and do support deny), but that is not among the options. Option B is wrong because listener rules decide where a request is routed, or return a fixed response; they are not a blocking control, are edited per listener, and give no per-rule visibility into what was rejected, so they are neither the fastest nor the most appropriate tool. Option D is wrong because route tables choose a next hop by destination address, not by source; there is no route that drops packets from one client IP, and changing the routes would affect all traffic to the ALB.
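The block described in the correct answer, as an added CloudFormation example (not part of the original question bank or any AWS sample). The ALB ARN is a parameter, and 203.0.113.45 is a documentation (TEST-NET-3) address standing in for the reported client; both are assumptions.

```yaml
# Added example (not from the original question bank): block one client IP at
# the ALB with AWS WAF. The ALB ARN and the address are assumptions; 203.0.113.45
# is a TEST-NET-3 documentation address standing in for the reported client.
AWSTemplateFormatVersion: "2010-09-09"
Description: Emergency source-IP block on an Application Load Balancer

Parameters:
  AlbArn:
    Type: String   # assumed: ARN of the existing Application Load Balancer

Resources:
  # The IP set is the only thing that changes later: add or remove CIDRs with
  # UpdateIPSet and the new list is enforced without touching the ALB.
  BlockedClientIPs:
    Type: AWS::WAFv2::IPSet
    Properties:
      Name: blocked-client-ips
      Scope: REGIONAL            # REGIONAL for ALB and API Gateway; CLOUDFRONT only for distributions
      IPAddressVersion: IPV4
      Addresses:
        - 203.0.113.45/32        # assumed address; CIDR notation is required even for a single host

  AlbWebAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: alb-emergency-block
      Scope: REGIONAL
      DefaultAction:
        Allow: {}                # everything not matched by a rule keeps flowing
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: alb-emergency-block
      Rules:
        - Name: block-listed-ips
          Priority: 0
          Action:
            Block: {}            # WAF returns 403; the ALB never forwards the request to a target
          Statement:
            IPSetReferenceStatement:
              Arn: !GetAtt BlockedClientIPs.Arn
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: block-listed-ips

  # The association is what makes the web ACL take effect on the load balancer.
  AlbWebAclAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: !Ref AlbArn
      WebACLArn: !GetAtt AlbWebAcl.Arn
```

One caveat a practitioner should check before relying on this: the IP set is matched against the address WAF sees on the connection. If requests reach the ALB through CloudFront or another proxy, that is the proxy's address, and the rule must be given an IPSetForwardedIPConfig pointing at the X-Forwarded-For header so the original client address is evaluated instead. Confirm the block with the web ACL's sampled requests and the BlockedRequests metric rather than assuming it from the deployment succeeding.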

975
MCQhard

A company runs a critical application on an Amazon RDS for MySQL DB instance. During a recent incident, the database became unresponsive. The DevOps team suspects that a long-running query is blocking other operations. Which metric should they monitor in Amazon CloudWatch to detect this type of issue?

A.DatabaseConnections
B.ActiveTransactions (from Enhanced Monitoring)
C.ReadLatency
D.CPUUtilization
AnswerB

A long-running transaction holds locks that other sessions queue behind, so a rising count of active transactions is the signal among the options.

Why this answer

Option B is correct because a long-running query shows up as a transaction that stays open and keeps its row or metadata locks; other sessions then wait on those locks, so the number of active transactions climbs while throughput falls. Of the options, that count is the only one that measures the cause rather than a side effect. To confirm which session is responsible, query INFORMATION_SCHEMA.INNODB_TRX on the instance (trx_started gives the age of each open transaction) or check the MySQL status counters Innodb_row_lock_waits and Innodb_row_lock_time, which Performance Insights also exposes as counter metrics; the standard RDS CloudWatch metrics alone cannot name the blocking query.

Option A is wrong because DatabaseConnections counts open connections, which may be unchanged while all of them are waiting. Option C is wrong because ReadLatency measures storage I/O time per read operation, not time spent waiting for locks. Option D is wrong because CPUUtilization can be low during blocking, since waiting sessions consume no CPU; high CPU points at a different problem.
