AWS Certified DevOps Engineer Professional DOP-C02 (DOP-C02) — Questions 9761050

1740 questions total · 24 pages · All types, answers revealed

Page 14 of 24
976
MCQ · hard

A team uses AWS CloudFormation to manage a multi-tier application. They update the stack and receive this error: 'UPDATE_ROLLBACK_FAILED'. The stack is in a state where some resources were updated, then rollback failed. What is the best course of action?

A. Use the 'ContinueUpdateRollback' API or AWS Management Console to resume rollback, and fix any underlying issues.
B. Ignore the error and use the stack as-is.
C. Attempt to continue the update again.
D. Delete the stack and recreate it.
Answer: A

This is the designed recovery action.

Why this answer

Option A is correct because when a rollback fails, the stack contains resources that could not be returned to their previous state. The recommended approach is to fix the underlying cause (typically a resource that was changed outside CloudFormation, a missing permission, or a dependency that no longer exists) and then continue the rollback. The ContinueUpdateRollback operation also accepts a list of resources to skip for resources that cannot be rolled back; CloudFormation marks those as UPDATE_COMPLETE and rolls back the rest, so the skipped resources must be reconciled by hand before the next update. Option C is wrong because a stack in UPDATE_ROLLBACK_FAILED does not accept a new update until the rollback completes, and retrying does nothing about the failing resource.

Option B is wrong because the stack is not in a healthy state and later operations on it would fail. Option D is wrong because deleting the stack destroys its resources and may lose data.

977
Multi-Select · medium

Which TWO are valid use cases for using AWS CodeArtifact in a CI/CD pipeline? (Choose two.)

Select 2 answers
A. Caching dependencies from public repositories to improve build speed and reliability.
B. Storing Docker images that are used by ECS tasks.
C. Hosting npm packages that are consumed by CodeBuild during the build phase.
D. Storing source code archives for use in deployment stages.
E. Hosting static website assets for deployment to S3.
Answers: A, C

CodeArtifact can proxy public repositories.

Why this answer

A: CodeArtifact can proxy public registries such as npmjs.com, Maven Central and PyPI through an upstream repository with an external connection, caching each package on first request so later builds no longer depend on the public registry being reachable. C: CodeArtifact hosts npm (as well as Maven, PyPI, NuGet and other) packages that CodeBuild installs during the build phase after authenticating to the repository. D is wrong because CodeArtifact stores built packages, not source code archives.

B is wrong because Docker images are stored in Amazon ECR, not CodeArtifact. E is wrong because CodeArtifact does not host static websites. A supply-chain caveat on A: once an upstream is connected, a build can pull any public package name, so use CodeArtifact's package origin controls to block upstream pulls for packages that are published internally, which is the dependency-confusion case.

978
MCQ · easy

A company wants to automate the recovery of an Amazon RDS DB instance in a different region if the primary region becomes unavailable. Which service should they use?

A. RDS Multi-AZ deployment.
B. RDS cross-region automated backups.
C. RDS read replicas.
D. AWS CloudFormation custom resource.
Answer: B

Cross-region backups allow restoring in another region.

Why this answer

Option B is correct because RDS cross-Region automated backup replication keeps the automated backups and transaction logs in a second Region, so a point-in-time restore can be performed there without a copy step when the primary Region is unavailable. Option A is incorrect because Multi-AZ only fails over to a standby in another Availability Zone of the same Region. Option C is incorrect because a cross-Region read replica can be promoted, but promotion is a manual (or self-scripted) step rather than a built-in recovery mechanism.

Option D is incorrect because a CloudFormation custom resource is a general-purpose extension hook; it provides no replication of the database's data on its own.

979
MCQ · hard

A company is using AWS CloudFormation to deploy infrastructure. They need to ensure that all resources created by CloudFormation are tagged with a 'CostCenter' tag. The tag must be applied automatically to all resources in the stack. What should they do?

A. Use AWS Service Catalog to enforce tagging on all products.
B. Create an AWS Config rule to detect untagged resources and trigger auto-remediation.
C. Specify the tag in the CloudFormation stack's Tags parameter, which applies the tag to all resources in the stack.
D. Use a custom Lambda function as a CloudFormation hook to tag resources after creation.
Answer: C

Stack-level tags are automatically applied, at creation time, to all resources in the stack that support tagging.

Why this answer

Option C is correct because CloudFormation allows you to specify stack-level tags in the Tags parameter when creating or updating a stack. These tags are propagated to every resource in the stack (and in its nested stacks) whose type supports tagging, ensuring consistent cost allocation without additional custom logic or post-creation remediation. Resource types that do not support tags are skipped, so a cost-allocation review should still check for them.

Exam trap

The trap here is that candidates often over-engineer the solution by choosing a reactive or custom approach (like AWS Config rules or Lambda hooks) when CloudFormation provides a built-in, declarative mechanism to apply tags automatically at stack creation time.

How to eliminate wrong answers

Option A is wrong because AWS Service Catalog is a layer for publishing and governing approved products; its TagOptions can propagate tags to a provisioned product's stack, but the team deploys with CloudFormation directly and needs no extra service to get stack-level tags. Option B is wrong because AWS Config rules are reactive: they detect non-compliant resources after creation and can trigger auto-remediation, but they do not prevent the initial creation of untagged resources and they add latency and complexity. Option D is wrong because a custom Lambda hook that tags resources after creation is an unnecessary workaround; CloudFormation natively applies stack-level tags at creation time, so the hook is redundant and adds a component that can fail.

980
Multi-Select · medium

A company uses AWS Organizations to manage multiple accounts. The Security team wants to prevent member accounts from disabling AWS CloudTrail or deleting CloudTrail log files. Which TWO actions should the Security team take in the organization's management account? (Choose TWO.)

Select 2 answers
A. Create an SCP to deny cloudtrail:UpdateTrail.
B. Create an IAM policy in each member account to deny cloudtrail:StopLogging.
C. Create an SCP to deny s3:DeleteObject on the CloudTrail log bucket.
D. Enable AWS CloudTrail from the management account with organization trail.
E. Create an SCP to deny cloudtrail:StopLogging and cloudtrail:DeleteTrail.
Answers: C, E

This prevents deletion of log files.

Why this answer

Option C is correct because an SCP that denies s3:DeleteObject on the CloudTrail log bucket prevents principals in member accounts from deleting log files stored in S3, even if they have full administrative permissions in their account: an SCP Deny cannot be overridden by any identity-based policy. Option E is correct because StopLogging and DeleteTrail are the two API actions that silence a trail; denying them through an SCP binds every principal in the member accounts, including each account's root user.

Two caveats a practitioner would add. SCPs do not apply to the management account itself, so the trail's bucket should live in a dedicated log-archive member account that is subject to the SCP. And a complete deny list usually also covers cloudtrail:UpdateTrail and cloudtrail:PutEventSelectors, because redirecting a trail to another bucket or narrowing its event selectors is as damaging as stopping it; S3 Object Lock on the log bucket adds protection that does not depend on policy evaluation at all.

Exam trap

The trap here is that candidates often confuse SCPs with IAM policies, thinking IAM policies in member accounts can enforce controls (an administrator in the member account can simply edit or detach them), or they overlook that denying UpdateTrail is insufficient because StopLogging and DeleteTrail are separate actions that must also be blocked.

How to eliminate wrong answers

Option A is wrong on its own because UpdateTrail does not cover stopping or deleting a trail. Option B is wrong because IAM policies in a member account can be changed by that account's administrators and never bind the account's root user. Option D is good practice (member accounts cannot modify an organization trail), but it does not by itself stop member accounts from deleting objects from the log bucket or from tampering with trails they created themselves.
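The two SCP statements from options C and E, together with a check of why an SCP Deny wins regardless of the member account's IAM policies, as an added example that is not part of the original page. The bucket name, account ID and trail name are made-up sample values, and the matcher models only the explicit-deny step of SCP evaluation, which is all this question needs.

```python
"""Added example for question 980: build the SCP and check requests against it.

Only the explicit-deny step of SCP evaluation is modelled. Bucket name, account
ID and trail name are made-up sample values."""
import fnmatch

LOG_BUCKET = "org-cloudtrail-logs"  # assumed name of the organization trail's bucket


def build_cloudtrail_scp(log_bucket: str, include_update_actions: bool = True) -> dict:
    """SCP combining option E (trail tampering) and option C (log object deletion).

    include_update_actions adds UpdateTrail/PutEventSelectors, the broader deny list a
    practitioner normally ships; False gives exactly the question's two options.
    """
    trail_actions = ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"]
    if include_update_actions:
        trail_actions += ["cloudtrail:UpdateTrail", "cloudtrail:PutEventSelectors"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DenyTrailTampering", "Effect": "Deny",
             "Action": trail_actions, "Resource": "*"},
            {"Sid": "DenyLogObjectDeletion", "Effect": "Deny",
             "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion"],
             "Resource": f"arn:aws:s3:::{log_bucket}/*"},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(value: str, patterns, case_insensitive: bool) -> bool:
    # IAM matches action names case-insensitively; resource ARNs are case-sensitive.
    # '*' and '?' in a policy element mean the same as in fnmatch.
    if case_insensitive:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def scp_denies(scp: dict, action: str, resource: str) -> bool:
    """True if an explicit Deny statement matches this action on this resource.

    A matching Deny ends evaluation: no Allow in the member account's IAM policies,
    and no permission of the account's root user, can override it.
    """
    return any(
        stmt["Effect"] == "Deny"
        and _matches(action, stmt["Action"], case_insensitive=True)
        and _matches(resource, stmt["Resource"], case_insensitive=False)
        for stmt in scp["Statement"]
    )


def effective_decision(scp: dict, iam_allows: bool, action: str, resource: str) -> str:
    """Combine the SCP with the member account's own IAM result: the SCP deny is
    checked first, then the account's identity-based policies decide."""
    if scp_denies(scp, action, resource):
        return "DENY (SCP)"
    return "ALLOW" if iam_allows else "DENY (no IAM allow)"
```

The `include_update_actions=False` form reproduces the question's answer exactly; with it left at the default the SCP also closes the UpdateTrail gap that option A on its own would only partly cover. Remember that the management account is exempt from SCPs whatever the policy says.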

981
MCQ · hard

A company is using AWS Lambda to process streaming data from Amazon Kinesis. The processing rate is slower than expected, and the engineer needs to monitor the number of records that are failing processing. Which metric should be used to create a CloudWatch alarm?

A. Invocations
B. IteratorAge
C. Errors
D. Throttles
Answer: B

IteratorAge measures how old the last record in a batch was when the function received it; high or rising values mean the function is falling behind the stream.

Why this answer

The IteratorAge metric reports the age, in milliseconds, of the last record in each batch that the event source mapping passes to the function, measured from when Kinesis received the record to when the function received it. When a batch fails, the event source mapping retries the same batch (by default until it succeeds or the data expires from the stream), so the shard does not advance and IteratorAge climbs; a rising IteratorAge is therefore the signal that records are being retried or stuck, which is why the question treats it as the metric to alarm on. For per-record visibility a practitioner would also configure the event source mapping with an on-failure destination (SQS or SNS), enable bisect-on-function-error, and have the function report partial batch failures, so that bad records are isolated instead of blocking the shard.

Exam trap

The trap here is that candidates confuse 'Errors' (invocations that ended in a function error) with 'record processing failures' in a Kinesis stream, not realizing that the event source mapping retries a failed batch as a whole, so the Errors metric counts retries of one batch rather than individual failed records, and a function that catches exceptions and returns normally emits no error at all.

How to eliminate wrong answers

Option A (Invocations) is wrong because it counts the total number of function invocations, not failures; a high invocation count could indicate success or failure, but it does not isolate failing records. Option C (Errors) is wrong because it tracks invocations that raised an error, but stream processing failures often result in retries and do not surface as Lambda errors when the function returns success after a partial failure. Option D (Throttles) is wrong because it measures invocations rejected because concurrency limits were exceeded, which is unrelated to record processing failures; throttling would cause slower processing but not directly indicate failed records.
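A handler that reports partial batch failures, the per-record failure signal the explanation says the Errors metric does not give you, as an added example that is not part of the original page. The event is a constructed sample in the shape Lambda delivers for a Kinesis event source mapping, and process_record is a stand-in for the real business logic; the response shape (batchItemFailures with itemIdentifier) is the one the Lambda service expects when the mapping has ReportBatchItemFailures enabled.

```python
"""Added example for question 981: a Kinesis-triggered Lambda handler that reports
failed records individually instead of failing (and retrying) the whole batch.

The event below is a constructed sample; process_record is a stand-in for real logic."""
import base64
import json


def process_record(payload: dict) -> None:
    """Assumed business rule for the example: every record must carry an orderId."""
    if "orderId" not in payload:
        raise ValueError("missing orderId")


def handler(event: dict, context=None) -> dict:
    """Process a Kinesis batch; return the sequence numbers that failed.

    Returning batchItemFailures makes the event source mapping checkpoint past the good
    records and retry from the lowest failed sequence number. Raising instead would retry
    the entire batch, incrementing Errors once per retry with no per-record signal.
    Requires FunctionResponseTypes: [ReportBatchItemFailures] on the mapping.
    """
    failures = []
    for rec in event["Records"]:
        seq = rec["kinesis"]["sequenceNumber"]
        try:
            raw = base64.b64decode(rec["kinesis"]["data"])
            process_record(json.loads(raw))
        except Exception:  # any failure marks this record only, not the batch
            failures.append({"itemIdentifier": seq})
    return {"batchItemFailures": failures}


def make_record(seq: str, payload) -> dict:
    """Build one Kinesis event record as Lambda delivers it (constructed sample)."""
    body = payload if isinstance(payload, (bytes, str)) else json.dumps(payload)
    if isinstance(body, str):
        body = body.encode()
    data = base64.b64encode(body).decode()
    return {"eventSource": "aws:kinesis",
            "kinesis": {"sequenceNumber": seq, "partitionKey": "pk", "data": data}}


SAMPLE_EVENT = {"Records": [
    make_record("49590338271490256608559692538361571095921575989136588898", {"orderId": "A1"}),
    make_record("49590338271490256608559692540925702759324208523137515618", {"customer": "x"}),
    make_record("49590338271490256608559692541000000000000000000000000000", b"not json"),
    make_record("49590338271490256608559692542000000000000000000000000000", {"orderId": "A4"}),
]}
```

With this response the second and third records are retried (and, after the configured retry limit, sent to the on-failure destination) while the shard keeps moving, so IteratorAge stops being the only place a poison record shows up.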

982
MCQ · medium

A company is implementing a CI/CD pipeline using AWS CodePipeline to deploy a serverless application using the AWS Serverless Application Model (SAM). The pipeline must build and package the application, then deploy it to multiple environments (dev, test, prod) sequentially with manual approval gates before production. Which stage configuration should be used?

A. Use a single CloudFormation stack with a change set approval step
B. Use a CodeBuild build stage to run 'sam package' and 'sam deploy' commands, then separate deploy stages for each environment with manual approval actions
C. Configure CodePipeline with a deploy action provider set to AWS CloudFormation
D. Use CodeDeploy to deploy the SAM template directly to Lambda
Answer: B

This covers packaging and sequential deployments with approvals.

Why this answer

Option B is correct because the SAM CLI runs in CodeBuild (sam build and sam package produce the artifact; sam deploy or a CloudFormation deploy action applies it), and CodePipeline can chain one deploy stage per environment with a manual approval action in front of production. Option A is wrong because a single stack with a change-set approval neither packages the application nor models three environments. Option D is wrong because CodeDeploy does not deploy a SAM template; its Lambda support shifts traffic between function versions and is invoked from a SAM template's deployment preferences, not the other way round.

Option C is wrong because the CloudFormation deploy action needs an already packaged template; without a build action to run sam package, the Lambda code is never uploaded.

983
MCQ · easy

A DevOps engineer is setting up an AWS CodePipeline to deploy a web application to an EC2 instance using AWS CodeDeploy. The deployment group uses an in-place deployment configuration. The pipeline's deploy stage fails with the error: 'The overall deployment failed because too many individual instances failed deployment, too few healthy instances are available, or some instances in your deployment group are experiencing problems.' The engineer checks the CodeDeploy logs on the instance and finds that the 'BeforeInstall' lifecycle hook script is failing. The script attempts to download a package from an Amazon S3 bucket that is encrypted with SSE-KMS. What is the MOST likely cause of the failure?

A. The EC2 instance does not have internet access to reach the S3 bucket.
B. The S3 bucket name is misspelled in the 'BeforeInstall' script.
C. The IAM role attached to the EC2 instance lacks the 'kms:Decrypt' permission for the AWS KMS key used to encrypt the S3 object.
D. The CodeDeploy agent does not have permissions to read from the S3 bucket.
Answer: C

Without kms:Decrypt permission, the script cannot download the encrypted object, causing the hook to fail.

Why this answer

The error occurs because the EC2 instance's IAM role lacks the `kms:Decrypt` permission for the AWS KMS key used to encrypt the S3 object. When the `BeforeInstall` script downloads an SSE-KMS object, S3 calls KMS on the caller's behalf to decrypt the object's data key, and KMS authorizes that call against the caller's identity. Without `kms:Decrypt` the GetObject request fails with an access-denied error even though `s3:GetObject` is allowed, so the lifecycle hook fails and the deployment aborts with the 'too many individual instances failed' summary.

Exam trap

The trap here is that candidates often assume the CodeDeploy agent handles all S3 access, but the script runs under the instance's IAM role, and missing KMS permissions are a common oversight when using encrypted artifacts.

How to eliminate wrong answers

Option A is wrong because the EC2 instance can reach S3 through a gateway VPC endpoint or a NAT gateway without public internet access, and a network failure would surface as a timeout rather than a decryption error. Option B is wrong because a misspelled bucket name would cause a 'NoSuchBucket' error, not a KMS-related access-denied failure. Option D is wrong because the CodeDeploy agent is not what reads the package in this hook; the script runs under the instance's IAM role, and the agent's own S3 access (to fetch the deployment bundle) is a separate concern. Two checks a practitioner would add: the KMS key policy must also allow the role (directly, or by delegating to IAM in the account), because a key policy that omits the caller denies Decrypt no matter what the IAM policy says; and when granting `kms:Decrypt`, scope it to the specific key ARN and add a `kms:ViaService` condition for the S3 endpoint in that Region so the permission cannot be used outside S3.

984
MCQ · medium

A DevOps team is implementing a CI/CD pipeline using AWS CodePipeline. The pipeline has a Source stage using CodeCommit, a Build stage using CodeBuild, and a Deploy stage using CloudFormation. The team wants to add manual approval before the Deploy stage for production deployments. How should this be configured?

A. Configure a CloudWatch event to send an email on build success.
B. Use a Lambda function to approve based on build status.
C. Add an Approval stage to the pipeline with SNS topic for notification.
D. Create a separate pipeline for production and trigger it manually.
Answer: C

CodePipeline supports manual approval actions that pause the pipeline.

Why this answer

Option C is correct because CodePipeline has a built-in Manual approval action type: the pipeline pauses at that action, publishes to the configured SNS topic, and continues only after a principal with the codepipeline:PutApprovalResult permission approves it (the action fails if nobody responds within seven days). Option A is wrong because an email sent on build success does not block the pipeline. Option B is wrong because a Lambda action that approves on build status automates the decision and provides no human gate.

Option D is wrong because a separate, manually started pipeline adds complexity and breaks the single traceable release flow.

985
MCQ · hard

A DevOps engineer runs the command above and gets the output shown. The engineer then tries to delete a versioned object from the bucket without using MFA. What will happen?

A. The delete request will fail with an AccessDenied error.
B. The object will be permanently deleted.
C. The object will be deleted but can be recovered from the 'Delete Markers' list.
D. The object will be deleted and a new version will be created.
Answer: A

MFA Delete requires MFA to delete object versions.

Why this answer

Option A is correct because the command output shows that versioning and MFA Delete are enabled on the bucket, so a request to permanently delete an object version without the MFA token is rejected. Option B is wrong because versioning is enabled, so an object version is never permanently deleted without MFA. Option C is wrong because the request is refused before anything is written, so there is no delete marker to recover from.

Option D is wrong because deleting an object never creates a new object version; at most a delete marker is added, and here the request fails. Note the exact scope of MFA Delete: it protects permanent deletion of a specific version (a DeleteObject call that names a versionId) and changes to the bucket's versioning state. A DeleteObject call without a versionId still succeeds on such a bucket and places a delete marker, and removing that marker is itself a versioned delete that again requires MFA.

986
MCQ · hard

A company has a multi-region application with an RDS for MySQL database in us-east-1. They want to minimize downtime if the primary region fails. They set up a cross-region read replica in us-west-2. What additional step is needed for automated failover?

A. Create a second read replica in the secondary region
B. Use a custom automation to monitor the primary and promote the replica
C. Configure automatic backup retention on the replica
D. Enable Multi-AZ on the read replica
Answer: B

Automated failover requires custom logic, for example Route 53 health checks or a CloudWatch alarm that invokes Lambda to promote the replica and repoint DNS.

Why this answer

A cross-Region read replica can be promoted to a standalone instance, but RDS for MySQL has no built-in cross-Region failover, so the promotion (and the DNS change that follows it) must be driven by your own automation; option B is correct for that reason. Option A is wrong because a second replica adds capacity, not automation; it still has to be promoted by something. Option C is wrong because backup retention on the replica enables point-in-time restore after promotion but does not trigger a failover.

Option D is wrong because Multi-AZ on the replica protects the replica within its own Region; it does not make RDS promote the replica when the primary Region fails. Promotion is one-way (the promoted instance stops replicating), so the automation should guard against promoting on a transient blip, for example by requiring the health check to fail for several consecutive periods.

987
MCQ · medium

A company uses Amazon Inspector to assess the security of EC2 instances. The security team receives an alert that a high-severity vulnerability (CVE-2023-XXXX) was found on an EC2 instance running a critical application. The application is behind an Application Load Balancer (ALB) and uses an Auto Scaling group. The vulnerability has a known patch, but patching requires a reboot. The security team needs to remediate the vulnerability with minimal downtime. Which approach should the team take?

A. Create a new launch template with an updated AMI that includes the patch. Update the Auto Scaling group to use the new launch template and perform a rolling update.
B. Remove the instance from the Auto Scaling group, disable health checks on the ALB, and apply the patch manually.
C. Use AWS Systems Manager Patch Manager to apply the patch on the instance without rebooting, then verify the vulnerability is resolved.
D. Stop the vulnerable instance, apply the patch, and start it again. Re-register it with the ALB.
Answer: A

This replaces instances with patched ones without downtime.

Why this answer

Option A is correct because building a patched AMI, pointing a new launch template version at it and running an instance refresh (rolling update) on the Auto Scaling group replaces instances a few at a time behind the ALB, so the application stays available while every instance ends up on the patched image. Option D is incorrect because stopping and patching the instance takes it out of service, and an Auto Scaling group treats a stopped instance as unhealthy and replaces it with a new, unpatched one from the old AMI. Option C is incorrect because the question states the patch requires a reboot; Patch Manager can defer the reboot, but the vulnerability is not remediated until the instance restarts, and patching in place leaves the AMI unpatched so every scale-out launches vulnerable instances.

Option B is incorrect because disabling the ALB health checks lets traffic reach an instance that is being patched, and detaching it from the group removes it from scaling and replacement, increasing both risk and downtime.

988
MCQ · medium

A company's production RDS MySQL instance experienced a failover. The DevOps team needs to understand the root cause. Which set of logs should be reviewed first?

A. VPC Flow Logs
B. RDS MySQL error logs
C. AWS CloudTrail logs
D. RDS slow query logs
Answer: C

CloudTrail records RDS API calls including failover events.

Why this answer

Option C is correct because CloudTrail records the RDS API calls, so it shows whether the failover was initiated by a principal (for example a RebootDBInstance call with the force-failover option, or a ModifyDBInstance change applied immediately) and by whom. Option D is wrong because slow query logs record statements that exceeded the long_query_time threshold, not failover events. Option B is wrong because the error log shows database errors around the failover but not what triggered it.

Option A is wrong because VPC Flow Logs capture network traffic metadata, not database events. In practice the RDS event log (the DescribeEvents API or RDS event notifications) is read alongside CloudTrail: it records the failover itself and its stated reason, including failovers caused by an Availability Zone or host problem that no API call initiated.

989
Multi-Select · easy

A company is designing a CI/CD pipeline using AWS CodePipeline. They want to automatically run unit tests when a pull request is created in AWS CodeCommit. Which TWO actions should be taken to implement this?

Select 2 answers
A. Include a buildspec file in the repository that defines the unit test commands.
B. Configure a CodePipeline stage that uses the pull request source action.
C. Set up an Amazon CloudWatch Events rule to detect pull request creation and invoke an AWS Lambda function that starts CodeBuild.
D. Add a CodeDeploy deployment group to run the tests on an EC2 instance.
E. Create an AWS CodeBuild project with a webhook trigger that listens to pull request events from CodeCommit.
Answers: A, E

The buildspec file tells CodeBuild how to run the tests.

Why this answer

Option E is correct because the CodeBuild project is the component that runs in response to pull request events. Option A is correct because the buildspec file defines the commands that run the tests. Option B is wrong because CodePipeline does not natively support pull request triggers from CodeCommit; its CodeCommit source action tracks a single branch.

Option C is wrong because the Lambda function is an unnecessary hop: the pull request event can start the CodeBuild project directly. Option D is wrong because CodeDeploy is for deployment, not testing. One precision on E: CodeBuild's webhook feature belongs to third-party source providers (GitHub, Bitbucket, GitLab). For CodeCommit the equivalent is an EventBridge rule matching the 'CodeCommit Pull Request State Change' event with a pullRequestCreated or pullRequestSourceBranchUpdated event type and the CodeBuild project as the rule's target; the build can then post its result back to the pull request as a comment or approval.

990
MCQ · easy

A DevOps engineer needs to create an IAM policy that allows a user to start and stop EC2 instances, but only for instances that have a specific tag 'Environment=Production'. The current policy allows all actions on all instances. Which modification must be made to enforce the tag-based restriction?

A. Add a Condition block: "Condition": {"StringEquals": {"aws:PrincipalTag/Environment": "Production"}}
B. Change the Action to "ec2:Describe*" and add a NotAction element.
C. Add a Condition block: "Condition": {"StringEquals": {"ec2:ResourceTag/Environment": "Production"}}
D. Add a Condition block: "Condition": {"StringEquals": {"aws:RequestTag/Environment": "Production"}}
Answer: C

This condition restricts the allowed actions to instances with the specified tag.

Why this answer

Option C is correct because the `ec2:ResourceTag` condition key allows you to restrict actions based on the tags already attached to the EC2 instance. By using `StringEquals` with `ec2:ResourceTag/Environment` set to `Production`, the policy will only permit the `ec2:StartInstances` and `ec2:StopInstances` actions on instances that currently have that tag. This is the standard AWS mechanism for tag-based resource-level authorization in IAM policies. The Action element must also be narrowed from "all actions" to those two, and because the control rests on the tag value, the policy should be paired with a deny on `ec2:CreateTags` and `ec2:DeleteTags` for the Environment key (using the `aws:TagKeys` condition) for anyone not entitled to change that classification; otherwise a user could retag an instance and grant themselves access.

Exam trap

The trap here is confusing `ec2:ResourceTag` (tag on the resource) with `aws:RequestTag` (tag in the API request) or `aws:PrincipalTag` (tag on the user), leading candidates to pick a condition key that does not evaluate the instance's existing tags.

How to eliminate wrong answers

Option A is wrong because `aws:PrincipalTag/Environment` checks the tag on the IAM user or role making the request, not the tag on the EC2 instance; this would allow any user with that principal tag to act on any instance, regardless of the instance's tags. Option B is wrong because changing the Action to `ec2:Describe*` would only permit read-only actions (like listing instances), not start/stop operations, and adding a `NotAction` element does not enforce tag-based restrictions; it inverts the action scope, which is irrelevant here. Option D is wrong because `aws:RequestTag/Environment` checks tags that are passed in the API request itself (e.g., when creating a resource), not the tags already present on an existing resource; a start or stop request carries no tags, so the condition would never be satisfied.
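The behaviour of the three condition keys, run side by side, as an added example that is not part of the original page. It models only the parts of IAM evaluation the question needs (Allow statements, action and resource wildcards, StringEquals); the instance ARNs, account ID and tag values are made up.

```python
"""Added example for question 990: how ec2:ResourceTag, aws:PrincipalTag and
aws:RequestTag behave for the same start/stop policy.

Models only Allow statements, wildcards and StringEquals. ARNs and tags are made up."""
import fnmatch

INSTANCE_PROD = "arn:aws:ec2:us-east-1:111122223333:instance/i-0prod000000000001"  # made up
INSTANCE_DEV = "arn:aws:ec2:us-east-1:111122223333:instance/i-0dev00000000000001"  # made up


def build_start_stop_policy(condition_key: str) -> dict:
    """The policy from the question, parameterised by the condition key under test.
    Only 'ec2:ResourceTag/Environment' evaluates the tag on the target instance."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["ec2:StartInstances", "ec2:StopInstances"],
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {"StringEquals": {condition_key: "Production"}},
        }],
    }


def request_context(action, resource, *, resource_tags=None, principal_tags=None,
                    request_tags=None):
    """Flatten what IAM knows about one request into condition-key -> value pairs:
    tags on the target resource, tags on the caller, tags carried in the request."""
    keys = {}
    keys.update({f"ec2:ResourceTag/{k}": v for k, v in (resource_tags or {}).items()})
    keys.update({f"aws:PrincipalTag/{k}": v for k, v in (principal_tags or {}).items()})
    keys.update({f"aws:RequestTag/{k}": v for k, v in (request_tags or {}).items()})
    return {"action": action, "resource": resource, "keys": keys}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, ctx: dict) -> bool:
    """True if some Allow statement matches action, resource and every condition.
    A condition key absent from the request context makes StringEquals false, so a
    policy keyed on a tag the request does not carry matches nothing at all."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(ctx["action"].lower(), p.lower())
                   for p in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(ctx["resource"], p)
                   for p in _as_list(stmt["Resource"])):
            continue
        conditions = stmt.get("Condition", {}).get("StringEquals", {})
        if all(ctx["keys"].get(key) in _as_list(wanted)
               for key, wanted in conditions.items()):
            return True
    return False
```

The principal-tag variant is the dangerous one: a caller tagged Environment=Production can stop the Dev instance, because nothing in that policy looks at the instance. The request-tag variant fails closed instead, allowing nothing, which is why it tends to be caught in testing while the principal-tag mistake is not.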

991
Matching · medium

Match each AWS monitoring or logging tool to its purpose.

Descriptions

Monitoring for AWS resources and applications

Records API activity for governance and audit

Traces and analyzes requests through distributed applications

Centralized log storage and analysis

Canary monitors to check endpoints and flows

Why these pairings

These are the primary tools for observability and logging.

992
MCQ · easy

A company is designing a disaster recovery strategy for its primary RDS for PostgreSQL database in us-east-1. The RTO is 15 minutes and RPO is 1 minute. Which solution meets these requirements?

A. Create a cross-Region read replica in the secondary Region and promote it during failover.
B. Use AWS Backup to copy automated backups to the secondary Region every hour.
C. Deploy a Multi-AZ RDS instance and failover to the standby in the same region.
D. Take manual snapshots of the database every 5 minutes and copy them to the secondary Region.
Answer: A

Cross-Region read replicas can be promoted quickly, achieving low RTO/RPO.

Why this answer

Option A is correct because a cross-Region read replica receives changes continuously (replication lag is normally seconds), so promoting it gives an RPO well under a minute, and promotion plus a DNS change fits inside a 15-minute RTO. Option D is wrong because snapshots every 5 minutes give an RPO of at least 5 minutes plus copy time. Option C is wrong because Multi-AZ only fails over within a Region and does not survive a Regional outage.

Option B is wrong because backups copied hourly give an RPO of up to an hour, and a restore in the secondary Region takes longer than promoting a replica. The RPO is only as good as the replication lag at the moment of failure, so the ReplicaLag metric should be alarmed on as part of the DR design.

993
MCQ · medium

A company's DevOps team uses AWS CodePipeline to automate deployments. A recent pipeline execution failed at the 'Deploy' stage. The engineer needs to view the detailed logs for the failed action. Which AWS service or feature should the engineer use?

A. CloudWatch Logs
B. S3 access logs
C. CodeBuild logs
D. CloudTrail
Answer: A

CodePipeline surfaces the failed action's details and links to its logs, which for the usual action providers are in CloudWatch Logs.

Why this answer

When an action fails, the pipeline execution view shows the action's error summary and a link to the provider's detailed output. For the common providers that output is in Amazon CloudWatch Logs: CodeBuild streams its build and test output there, and deployment tooling such as the CodeDeploy agent, ECS tasks and Lambda functions write their runtime logs there as well. Those log streams carry the error messages, timestamps and stack traces needed for troubleshooting. For a CloudFormation deploy action, the resource-level failure reason is additionally visible in the stack's events.

Exam trap

The trap here is that candidates may confuse CloudTrail (audit logs) with CloudWatch Logs (operational logs), or assume that CodeBuild logs cover all pipeline stages, when in fact each action provider (e.g. for a Deploy action) has its own log destination.

How to eliminate wrong answers

Option B (S3 access logs) is wrong because S3 access logs record requests made to an S3 bucket, not the execution logs of CodePipeline actions. Option C (CodeBuild logs) is wrong because CodeBuild logs are specific to build actions within CodePipeline, not to deploy actions, which may use other providers like CodeDeploy or Elastic Beanstalk. Option D (CloudTrail) is wrong because CloudTrail records API calls made to AWS services for auditing purposes, not the detailed runtime logs of a pipeline execution.

994
MCQ · medium

A company uses Amazon CloudWatch Logs to store application logs. A DevOps engineer needs to create a real-time dashboard that displays the count of ERROR-level log entries across all instances. Which approach is the MOST efficient and cost-effective?

A. Create a CloudWatch Logs metric filter for each log group to count ERROR entries, and then create a CloudWatch dashboard
B. Use CloudWatch Logs Insights to run a query that counts ERROR entries across all log groups and add the query to a CloudWatch dashboard
C. Export logs to Amazon S3 and use Amazon Athena to query and visualize in Amazon QuickSight
D. Create a Kinesis Data Firehose delivery stream to stream logs to Amazon OpenSearch Service and build a dashboard in OpenSearch Dashboards
Answer: B

Logs Insights can query multiple log groups and be added to a dashboard.

Why this answer

Option B is correct because CloudWatch Logs Insights can query several log groups in one statement and a saved query can be added to a CloudWatch dashboard as a widget, giving a near-live count of ERROR entries without any extra infrastructure. Option D is wrong because streaming every log group through Kinesis Data Firehose into OpenSearch adds cost and a whole cluster to operate for a single count. Option A is wrong because creating and maintaining a metric filter per log group is inefficient when the set of log groups keeps changing.

Option C is wrong because exporting to S3 and querying with Athena is batch-oriented and delayed, not real-time. A cost note on B: an Insights widget re-runs its query on every dashboard refresh and is billed per GB of log data scanned, so keep the widget's time range short; if the count is needed continuously or as an alarm input, a metric filter (which has no per-query charge and emits a metric that can be alarmed on) becomes the better choice.

995
MCQ · easy

A company runs a production web application on EC2 instances behind an Application Load Balancer. The application experiences intermittent high latency. The operations team needs to identify the root cause without affecting live traffic. Which approach is the MOST efficient?

A. Deploy a separate test environment with identical configuration and run load tests
B. Enable EC2 detailed monitoring and SSH into each instance to run top and iostat
C. Enable detailed CloudWatch metrics on the ALB and analyze ALB access logs
D. Run tcpdump on all EC2 instances and analyze packet captures
Answer: C

ALB metrics and logs provide request-level latency without impacting production.

Why this answer

Using detailed CloudWatch metrics and access logs from the ALB allows analyzing request latency patterns (TargetResponseTime, the per-request target processing time in the access log, and which targets and paths are slow) without touching the instances or the traffic itself. Option B is wrong because SSH access may be restricted, manual sampling with top and iostat is intrusive on production hosts, and it gives no history for an intermittent problem. Option A is wrong because a separate test environment may not reproduce intermittent production conditions and takes time to build.

Option D is wrong because tcpdump generates large volumes of data, consumes CPU and disk on every instance, and can itself degrade performance.

996
Multi-Select · medium

A company is using Amazon CloudWatch Logs to store application logs. The security team requires that logs are encrypted at rest using a customer-managed AWS KMS key. Which TWO steps are necessary to achieve this?

Select 2 answers
A. Use the CloudWatch Logs console or API to associate the KMS key with the log group
B. Enable default encryption for CloudWatch Logs in the AWS account settings
C. Update the log group's resource policy to reference the KMS key
D. Associate the KMS key with each log stream individually
E. Create a customer-managed KMS key with appropriate key policy that allows CloudWatch Logs to use the key
Answers: A, E

The association is done at log group creation or update.

Why this answer

Options A and E are correct. To encrypt CloudWatch Logs with a customer-managed KMS key, you first create the key with a key policy that lets the CloudWatch Logs service principal for the Region (logs.<region>.amazonaws.com) use it, and then associate the key with the log group using the console or the AssociateKmsKey API (the key can also be given at log group creation). Option D is wrong because encryption is configured per log group, not per log stream.

Option B is wrong because CloudWatch Logs has no account-level default encryption setting for a customer-managed key. Option C is wrong because a log group's resource policy controls who may write to or read the log group; it does not select an encryption key. The access decision lives in the key policy, which should grant the service principal kms:Encrypt, kms:Decrypt, kms:ReEncrypt*, kms:GenerateDataKey* and kms:Describe*, and can be scoped with the kms:EncryptionContext:aws:logs:arn condition so the key is usable only for the intended log groups. Data ingested before the association keeps the encryption it had at ingestion; only data ingested afterwards uses the new key.

997
Multi-Select · medium

A company runs a containerized application on Amazon ECS with Fargate. The application uses an Application Load Balancer (ALB) and stores data in Amazon Aurora Serverless v2. The application experiences intermittent timeouts during periods of rapid scaling. The DevOps engineer notices that the Aurora database's ACU utilization spikes to 100% during these events. What should the engineer do to improve resilience? (Choose THREE.)

Select 3 answers
A. Increase the Fargate task memory and CPU limits.
B. Implement exponential backoff and jitter in application retry logic.
C. Add Amazon ElastiCache in front of the database for caching.
D. Configure Aurora Auto Scaling with a higher maximum ACU limit.
E. Use Amazon RDS Proxy to pool database connections.
Answers: B, D, E

Prevents overwhelming the database with retries during recovery.

Why this answer

Option D is correct because raising the cluster's maximum ACU lets Aurora Serverless v2 scale further before it saturates at 100 percent. Option E is correct because RDS Proxy pools and multiplexes connections, so a burst of new Fargate tasks does not open a burst of new database connections, and it holds client connections through a failover. Option B is correct because exponential backoff with jitter in the application's retry logic prevents every task retrying at the same instant (the thundering herd), which would otherwise keep a recovering database pinned at its limit.

Option A (increasing Fargate task memory and CPU) does not address a bottleneck that is in the database. Option C (ElastiCache) adds a cache that only helps repeated read traffic and does not reduce the connection storm during scale-out, which is what the timeouts point to.

998
MCQ · easy

A company wants to monitor the number of messages that are published to an Amazon SNS topic. Which CloudWatch metric should be used?

A. SMSMonthToDateSpentUSD
B. PublishSize
C. NumberOfNotificationsDelivered
D. NumberOfMessagesPublished
Answer: D

This metric tracks the number of messages published to an SNS topic.

Why this answer

Option D is correct because SNS publishes the NumberOfMessagesPublished metric per topic. Option C (NumberOfNotificationsDelivered) counts messages delivered to subscribers, not publishes. Option B (PublishSize) reports message size.

Option A (SMSMonthToDateSpentUSD) is the account's month-to-date SMS spend.

999
MCQ · hard

A DevOps engineer is designing a CI/CD pipeline using AWS CodePipeline. The source stage is AWS CodeCommit, and the build stage uses AWS CodeBuild. The pipeline must only trigger on changes to the main branch. However, the engineer notices that the pipeline is also triggering on changes to feature branches that are merged via pull requests. What configuration change should the engineer make to ensure the pipeline only triggers on direct commits to the main branch?

A. Configure the CodeCommit repository to disable events for all branches except main.
B. Add a branch filter in the CloudWatch Events rule that triggers the pipeline, specifying only the main branch.
C. Modify the pipeline's source stage to use a branch name filter, which will ignore events from other branches.
D. Use a Lambda function as a source action to check the branch before starting the build.
Answer: B

The event rule, not the source action, decides which pushes start an execution.

Why this answer

Option B is correct because a CodeCommit-sourced pipeline is started by a CloudWatch Events (now Amazon EventBridge) rule that matches the repository's 'CodeCommit Repository State Change' events. A rule that matches only on source and repository fires for every branch. Restricting the rule's event pattern to referenceType branch and referenceName main ensures that only pushes to main start an execution. Note the limit of this filter: a pull request merged into main updates main itself and emits the same referenceUpdated event, so the rule cannot distinguish a merge from a direct commit; it excludes pushes to other branches.

Exam trap

The trap here is that candidates often confuse the pipeline source stage branch setting (which only affects which branch is used as source code) with the event rule branch filter (which controls which events actually trigger the pipeline), leading them to incorrectly select option C.

Why the other options are wrong

A: CodeCommit has no per-branch event setting; it emits repository state change events for every reference.

C: The branch name in the source action only defines which branch to pull; the trigger event still comes from any branch unless the rule filters on referenceName.

D: This is a workaround but not the standard or efficient solution; the event rule filter is simpler and stops the execution before it starts rather than after.
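The event pattern for the rule in option B, plus a small matcher implementing the subset of EventBridge pattern semantics it uses (every pattern key must be present in the event, and a leaf list matches when the event value equals one of its entries), as an added example that is not part of the original page. The repository ARN and account ID are made-up sample values, and the sample events are constructed.

```python
"""Added example for question 999: the EventBridge pattern that limits a CodeCommit
trigger rule to one branch, checked against constructed sample events.

Repository ARN and account ID are made up. The matcher covers only exact-value lists
and nested objects, which is all this pattern uses."""

REPO_ARN = "arn:aws:codecommit:us-east-1:111122223333:app-repo"  # assumed


def main_branch_pattern(repo_arn: str, branch: str = "main") -> dict:
    """Pattern in the shape CodePipeline itself creates for a CodeCommit source,
    with referenceName narrowed to the one branch that should start executions."""
    return {
        "source": ["aws.codecommit"],
        "detail-type": ["CodeCommit Repository State Change"],
        "resources": [repo_arn],
        "detail": {
            "event": ["referenceCreated", "referenceUpdated"],
            "referenceType": ["branch"],
            "referenceName": [branch],
        },
    }


def event_matches(pattern: dict, event: dict) -> bool:
    """EventBridge semantics for this subset: every pattern key must exist in the event;
    a nested object recurses; a list of values matches if the event value (or any element
    of a list-valued event field) equals one of them."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not event_matches(expected, actual):
                return False
        else:
            values = actual if isinstance(actual, list) else [actual]
            if not any(v in expected for v in values):
                return False
    return True


def codecommit_event(repo_arn: str, ref_name: str, ref_type: str = "branch",
                     event: str = "referenceUpdated") -> dict:
    """Constructed sample of the event CodeCommit emits on a push or tag."""
    return {
        "source": "aws.codecommit",
        "detail-type": "CodeCommit Repository State Change",
        "resources": [repo_arn],
        "detail": {
            "event": event,
            "referenceType": ref_type,
            "referenceName": ref_name,
            "repositoryName": repo_arn.rsplit(":", 1)[1],
        },
    }
```

The rule's target is the pipeline ARN with a role allowed to call StartPipelineExecution; the pattern above is the only part that changes when narrowing the trigger. A merge of a pull request into main still matches, because it is an update of the main reference.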

1000
MCQhard

An organization uses AWS System Manager Patch Manager to patch EC2 instances. The patches are not being applied to some instances. The instances are running Amazon Linux 2 and have the SSM Agent installed. What is the MOST likely reason for the failure?

A.The instances do not have internet access to reach the Systems Manager endpoint.
B.The SSM Agent is out of date and needs to be updated.
C.The instances are missing the required IAM role for Systems Manager.
D.The instances are not running a supported operating system.
AnswerC

An IAM role with AmazonSSMManagedInstanceCore policy is needed.

Why this answer

Option C is correct because instances must have an IAM role that allows SSM to manage patches. Without the role, the SSM Agent cannot communicate with the service. Option A is incorrect because the SSM Agent does not require internet access if VPC endpoints are used.

Option D is incorrect because Patch Manager supports Amazon Linux 2. Option B is incorrect because the SSM Agent is not what is being patched; it is the component that applies patches.

1001
MCQeasy

A DevOps engineer needs to monitor the memory utilization of an Amazon EC2 instance running a critical application. Which AWS service should be used to collect and track this metric?

A.AWS CloudTrail
B.AWS X-Ray
C.AWS Config
D.Amazon CloudWatch
AnswerD

CloudWatch with the CloudWatch Agent can collect memory metrics.

Why this answer

Option D is correct because CloudWatch can collect custom metrics such as memory utilization via the CloudWatch Agent. Option A is wrong because CloudTrail tracks API calls, not memory. Option C is wrong because Config records resource configurations.

Option B is wrong because X-Ray traces application requests.

1002
Drag & Dropmedium

Drag and drop the steps to configure an AWS Elastic Load Balancer (ALB) with HTTPS listeners and target groups.

Why this order

First create the target group, then create the ALB, then configure HTTPS listener, then register targets, then add redirect rule.

1003
MCQmedium

A DevOps engineer is designing a CI/CD pipeline using AWS CodePipeline. The pipeline deploys a critical application. Which security practice should the engineer implement to prevent unauthorized changes to the pipeline?

A.Encrypt the pipeline artifacts using AWS KMS
B.Use SNS to send notifications when the pipeline is updated
C.Attach an IAM policy that uses a condition to allow only specific users or roles to modify the pipeline
D.Enable AWS CloudTrail and create a CloudWatch Events rule to notify on pipeline changes
AnswerC

IAM policies can restrict pipeline updates to authorized principals.

Why this answer

Option C is correct because an IAM policy with conditions restricts pipeline modifications to authorized users or roles. Option D is wrong because CloudTrail and CloudWatch Events detect changes but don't prevent them. Option B is wrong because pipeline notifications inform but don't prevent.

Option A is wrong because encrypting artifacts doesn't prevent pipeline changes.

1004
MCQmedium

A company uses AWS CodePipeline to orchestrate a multi-stage deployment. The pipeline has a source, build, test, and deploy stage. The test stage runs integration tests against a temporary environment. The team wants to ensure that the deploy stage only runs if the test stage succeeds. What configuration is needed?

A.Add a manual approval action in the test stage that requires a developer to confirm success
B.Set the test stage to retry on failure three times before allowing deploy to proceed
C.No additional configuration needed; the pipeline will not proceed to deploy if the test stage fails
D.Configure the deploy stage to skip if the test stage fails using a condition
AnswerC

By default, CodePipeline stops execution if a stage fails, so deploy will not run.

Why this answer

In AWS CodePipeline, each stage has a status (Succeeded, Failed, InProgress, etc.). By default, the pipeline transitions to the next stage only if the current stage completes with a status of Succeeded. If the test stage fails, the pipeline stops and does not proceed to the deploy stage.

Therefore, no additional configuration is required to enforce this behavior.

Exam trap

The trap here is that candidates may overthink the need for explicit failure handling, not realizing that CodePipeline's default behavior already prevents progression on failure, making options like adding a condition or manual approval unnecessary.

How to eliminate wrong answers

Option A is wrong because adding a manual approval action in the test stage would require a developer to manually confirm success, which is unnecessary and adds overhead; the pipeline already stops on failure. Option B is wrong because setting the test stage to retry on failure three times would still allow the pipeline to proceed to deploy only if the test eventually succeeds; if it fails after retries, the pipeline stops, but retrying does not change the default behavior of not proceeding on failure. Option D is wrong because configuring the deploy stage to skip if the test stage fails is redundant; the pipeline inherently does not proceed to the next stage if the current stage fails, so no explicit skip condition is needed.

1005
MCQeasy

A company uses AWS CloudFormation to deploy infrastructure. A recent stack update failed, and the engineer needs to roll back to the previous stable state. Which CloudFormation feature should the engineer use?

A.Use AWS CloudFormation Drift Detection.
B.Use AWS CloudFormation StackSets.
C.Use the 'Rollback' action in the CloudFormation console.
D.Create a Change Set and execute it.
AnswerC

CloudFormation supports rolling back a failed stack update.

Why this answer

Option C is correct because CloudFormation provides a built-in 'Rollback' action that automatically reverts a stack to its last known stable state when a stack update fails. This rollback occurs by default on failure, but if the engineer needs to manually trigger it after a failed update, they can use the 'Rollback' action in the CloudFormation console or API (e.g., `aws cloudformation rollback-stack`). This ensures the infrastructure returns to the previous working configuration without manual intervention.

Exam trap

The trap here is that candidates may confuse the 'Rollback' action with creating a Change Set or using Drift Detection, thinking they need to manually define the previous state, when in fact CloudFormation automatically preserves the previous stable state for rollback.

How to eliminate wrong answers

Option A is wrong because Drift Detection is used to identify whether a stack's actual resources have deviated from the expected template configuration, not to roll back a failed update. Option B is wrong because StackSets are designed to deploy stacks across multiple accounts and regions, not to handle rollback of a single stack update. Option D is wrong because creating and executing a Change Set is a method to propose and apply changes to a stack, but it does not automatically revert to the previous state; it would require the engineer to manually define the previous template and parameters, which is less efficient than using the built-in rollback feature.

1006
Multi-Selectmedium

An IAM policy is attached to a service role used by AWS CodePipeline. Which TWO statements about this policy are correct?

Select 2 answers
A.The policy allows updating the pipeline definition
B.The policy allows starting any CodeBuild project
C.The policy allows starting a pipeline execution
D.The policy allows reporting job success or failure to CodePipeline
E.The policy allows reading and writing objects to any S3 bucket
AnswersC, D

StartPipelineExecution is allowed for all pipelines (Resource: *)

Why this answer

The policy allows codepipeline:StartPipelineExecution, codepipeline:PutJobSuccessResult and codepipeline:PutJobFailureResult. The PutJob* actions are used by custom actions or Lambda functions to report job status. However, CodePipeline itself does not call StartPipelineExecution; it is used by external triggers.

The policy does not allow codepipeline:UpdatePipeline, so updating the pipeline definition is not allowed. Option D is correct: the policy allows reporting success or failure of a job. Option C is correct: the policy allows starting a pipeline execution.

Option B is wrong because codebuild:StartBuild is allowed only for the specific project. Option E is wrong because s3:PutObject and s3:GetObject are allowed for the artifact bucket, not for any bucket. Option A is wrong because updating the pipeline is not allowed.

1007
MCQeasy

A team wants to automatically deploy a new version of a Lambda function when code is pushed to a CodeCommit repository. Which AWS service should orchestrate this workflow?

A.AWS CodeDeploy
B.AWS CodeBuild
C.AWS CodePipeline
D.AWS CloudFormation
AnswerC

CodePipeline is designed for CI/CD orchestration.

Why this answer

Option C is correct because CodePipeline can orchestrate source, build, and deploy stages. Option A is wrong because CodeDeploy alone cannot monitor CodeCommit. Option D is wrong because CloudFormation is for infrastructure, not continuous deployment.

Option B is wrong because CodeBuild is for building, not deploying.

1008
MCQeasy

A company wants to automatically recover an Amazon RDS DB instance if the underlying hardware fails. Which feature should the DevOps engineer enable?

A.Multi-AZ deployment.
B.Deletion protection.
C.Read replicas in a different Region.
D.Automated backups with a retention period of 35 days.
AnswerA

Multi-AZ automatically fails over to standby on hardware failure.

Why this answer

Option A is correct because a Multi-AZ deployment provides automatic failover to a standby in a different AZ. Option D is wrong because automated backups are for point-in-time recovery, not hardware failure. Option C is wrong because read replicas are for read scaling, not automatic failover.

Option B is wrong because deletion protection prevents accidental deletion; it does not provide recovery.

1009
MCQeasy

A company uses AWS Organizations with multiple accounts. The security team has implemented an SCP that denies the creation of IAM users. However, a developer in the 'development' account was able to create an IAM user. The DevOps engineer is asked to investigate. The SCP is attached to the root organizational unit (OU) and also to the 'development' OU. The 'development' account is a member of the 'development' OU. The SCP effect is 'Deny' on the 'iam:CreateUser' action. The developer's IAM permissions are managed by an IAM policy that allows 'iam:*'. The engineer checks CloudTrail and sees that the CreateUser API call succeeded. What is the most likely reason?

A.The 'development' account is the management account of the organization, so SCPs do not apply to it.
B.The SCP is attached at the root OU but not inherited by the 'development' OU due to an explicit deny on inheritance.
C.The SCP is not effective because the developer's IAM policy explicitly allows iam:CreateUser and SCPs cannot override explicit allows.
D.The SCP is not applied because the account has a resource-based policy that overrides the SCP.
AnswerA

SCPs do not affect the management account.

Why this answer

SCPs do not affect the management account of AWS Organizations. If the 'development' account is the management account, SCPs do not apply to it.

Option C is incorrect because SCPs are evaluated independently of IAM policies; an IAM allow cannot override an SCP deny. Option D is incorrect because SCPs are not resource-based policies, and a resource-based policy cannot override them. Option B is plausible, but the management account is the most likely explanation.

1010
Multi-Selecteasy

Which TWO AWS services can be used to centrally manage and enforce security policies across multiple accounts? (Choose 2.)

Select 2 answers
A.Amazon S3
B.Amazon CloudWatch
C.AWS Organizations
D.AWS Control Tower
E.AWS Lambda
AnswersC, D

Organizations allows central management of service control policies (SCPs).

Why this answer

AWS Organizations allows you to centrally manage and enforce security policies across multiple accounts by using Service Control Policies (SCPs). SCPs define the maximum permissions for accounts in an organization, enabling you to restrict access to services or actions without requiring per-account configuration. AWS Control Tower provides a managed service that automates the setup of a multi-account environment with pre-built guardrails, which are implemented using SCPs and AWS Config rules to enforce security and compliance policies consistently.

Exam trap

The trap here is that candidates often confuse AWS Organizations with AWS Control Tower, thinking they are mutually exclusive, but Control Tower actually builds on Organizations to provide a higher-level managed governance solution, making both correct for central policy enforcement.

1011
MCQmedium

A security audit reveals that EC2 instances have security groups with overly permissive inbound rules allowing all traffic (0.0.0.0/0) on SSH port 22. What is the BEST way to remediate this at scale?

A.Use AWS Config with a managed rule to detect and auto-remediate.
B.Apply a service control policy (SCP) to deny opening port 22.
C.Manually update each security group to restrict SSH to known IPs.
D.Use CloudWatch Events to trigger a Lambda function that modifies security groups.
AnswerA

Automated detection and remediation at scale.

Why this answer

Option A is correct because AWS Config with a managed rule such as 'restricted-ssh' can detect and remediate non-compliant security groups. Option C is wrong because manually updating each security group is not scalable. Option B is wrong because SCPs do not control security group rules directly.

Option D is wrong because a Lambda function triggered by CloudWatch Events could work, but AWS Config provides built-in remediation.

1012
Multi-Selecthard

A company needs to enforce that all IAM users must use multi-factor authentication (MFA) to perform any AWS Console actions. Which TWO steps should be taken to enforce this?

Select 2 answers
A.Attach the policy to all IAM users or a group containing all users
B.Create an SCP in AWS Organizations
C.Create an IAM policy that uses the aws:MultiFactorAuthPresent condition key to deny access if false
D.Set an account alias for the root user
E.Enable CloudTrail to log MFA usage
AnswersA, C

The policy must be applied to users to take effect.

Why this answer

To enforce MFA, you need an IAM policy that denies actions if MFA is not present (Option C), and you must attach that policy to all users or to a group containing them (Option A). Creating an SCP can enforce this across accounts but is not needed for a single account. CloudTrail logs activity but does not enforce anything.

An account alias is unrelated.

1013
MCQmedium

A company has an AWS Lambda function that processes S3 events. The function is invoked multiple times for the same S3 object, causing duplicate processing. The engineer suspects the issue is related to retries from the S3 event notification or Lambda's built-in retry behavior. What is the MOST effective way to ensure idempotent processing?

A.Modify the S3 bucket event notification configuration to use a prefix filter that excludes duplicate objects.
B.Use a DynamoDB table to store a record of processed S3 object keys and check for existence before processing.
C.Set the Lambda function's ReservedConcurrency to 1 to prevent concurrent executions.
D.Use an Amazon SQS FIFO queue as the event source and enable content-based deduplication.
AnswerB

This pattern ensures idempotency by tracking processed objects.

Why this answer

Option B is correct because storing processed S3 object keys in a DynamoDB table and checking for existence before processing ensures idempotency at the application level. This approach directly handles duplicate invocations caused by S3 event retries or Lambda's built-in retry behavior, as the function can conditionally skip processing if the key already exists in DynamoDB. It provides a durable, consistent, and scalable mechanism to prevent duplicate processing regardless of how many times the function is invoked for the same object.

Exam trap

The trap here is that candidates often confuse concurrency control (ReservedConcurrency) with idempotency, or assume SQS FIFO deduplication is a drop-in solution without realizing S3 cannot directly send events to FIFO queues.

How to eliminate wrong answers

Option A is wrong because S3 prefix filters only filter events based on object key prefixes or suffixes, not on duplicate detection; they cannot prevent multiple notifications for the same object. Option C is wrong because setting ReservedConcurrency to 1 prevents concurrent executions but does not prevent sequential duplicate invocations from retries; the function could still be invoked multiple times for the same object in sequence. Option D is wrong because using an SQS FIFO queue with content-based deduplication would require the S3 event notification to be sent to the queue, but S3 does not natively support sending events to SQS FIFO queues; it only supports standard SQS queues, and even if it did, the deduplication window is only 5 minutes, which may not cover all retry scenarios.

1014
MCQmedium

A company uses AWS CloudFormation to manage infrastructure. During a deployment, a stack update fails and the stack is in ROLLBACK_IN_PROGRESS state. The DevOps engineer needs to investigate the failure while preserving the resources that were created before the failure. What should the engineer do?

A.Delete the stack to start fresh.
B.Use the 'describe-stack-events' API to view the error and then manually fix the issue.
C.Call the 'cancel-update' API to stop the rollback and keep the current state.
D.Use the 'continue-update-rollback' API with the 'resources-to-skip' parameter to skip the failing resource.
AnswerD

This allows the rollback to continue while preserving the specified resources.

Why this answer

Option D is correct because calling 'continue-update-rollback' with the 'resources-to-skip' parameter allows the engineer to skip specific resources and preserve them while continuing the rollback for the others. Option A is wrong because deleting the stack removes all resources. Option B is wrong because 'describe-stack-events' provides information but does not prevent the rollback from continuing.

Option C is wrong because 'cancel-update' is not a valid operation in this state; CloudFormation does not support canceling a rollback.

1015
MCQeasy

A DevOps engineer is designing a highly available web application using Amazon Route 53. The application is deployed in two AWS Regions. The engineer wants to route traffic to the nearest healthy endpoint. Which routing policy should be used?

A.Failover routing
B.Weighted routing
C.Geolocation routing
D.Latency routing
AnswerD

Routes to lowest-latency endpoint.

Why this answer

Option D is correct because latency-based routing sends traffic to the Region with the lowest latency. Option C is wrong because geolocation routes based on geographic location, not latency. Option A is wrong because failover is for active-passive setups.

Option B is wrong because weighted routing distributes traffic by weight.

1016
Multi-Selecthard

A company uses an Application Load Balancer (ALB) in front of an Auto Scaling group of EC2 instances. The application is experiencing intermittent HTTP 503 errors. The DevOps team needs to diagnose the cause. Which THREE of the following should the team investigate? (Choose THREE.)

Select 3 answers
A.Security group inbound rules for the ALB
B.SSL certificate expiration on the ALB
C.Auto Scaling group minimum capacity and scaling policy
D.ALB idle timeout settings
E.Health check configuration and target group health status
AnswersC, D, E

Not enough instances can cause 503.

Why this answer

Option E is correct because if the targets are unhealthy, the ALB returns 503. Option C is correct because insufficient instances cannot handle the load. Option D is correct because the idle timeout can cause premature connection closure leading to 503.

Option B is wrong because SSL certificate issues cause 502 or 400 errors. Option A is wrong because security group inbound rules affect access, but a 503 comes from the ALB, not the client.

1017
Multi-Selecthard

A company uses Amazon CloudWatch Logs to centralize logs from multiple EC2 instances running a web application. The DevOps team needs to create a metric filter that parses logs for HTTP status codes (e.g., 4xx and 5xx) and increment a metric. Additionally, they need to create a CloudWatch alarm on the error count. Which of the following are required to achieve this? (Select TWO.)

Select 2 answers
A.Create an IAM role that allows CloudWatch Logs to read the log data and publish metrics.
B.Define the metric filter pattern to match HTTP status codes in the log entries.
C.Create a metric filter in CloudWatch Logs on the log group that contains the application logs.
D.Configure a subscription filter to forward the logs to a Lambda function that creates the metric.
E.Install the CloudWatch Agent on the EC2 instances to send the logs.
AnswersB, C

The filter pattern is essential to parse the logs correctly.

Why this answer

Option C is correct because a metric filter is defined on a log group to extract metrics. Option B is correct because the metric filter pattern must match the log format to extract the status code. Option A (IAM role) is not required because the CloudWatch Logs agent uses credentials from the instance profile.

Option D (subscription filter) is for streaming logs to other destinations, not for metric filters. Option E (CloudWatch Agent) is not required; the default CloudWatch Logs agent can send logs.

1018
MCQhard

A company has a production Amazon EKS cluster with multiple node groups. The DevOps team notices that some pods are frequently restarting due to OOMKilled errors, but the cluster-level metrics (CPU, memory) appear normal. Which CloudWatch Container Insights metric should be analyzed to identify the specific node or pod causing the issue?

A.node_memory_utilization.
B.number_of_running_pods.
C.pod_memory_utilization.
D.pod_cpu_utilization.
AnswerC

Shows memory usage per pod, helping identify pods exceeding limits.

Why this answer

Option C is correct because Container Insights provides pod-level memory utilization metrics that can pinpoint which pod is exceeding its memory limit. Option A is wrong because node-level memory utilization is an aggregate. Option D is wrong because CPU metrics do not indicate memory issues.

Option B is wrong because the number of running pods does not show memory usage.

1019
Multi-Selectmedium

A company runs a multi-tier web application on AWS. The application consists of an Application Load Balancer, EC2 instances in an Auto Scaling group, and an Amazon RDS Multi-AZ DB instance. The application experiences intermittent failures when the RDS primary instance fails over to the standby. The engineer needs to ensure that the application handles failover gracefully without manual intervention.

Select 2 answers
A.Modify the application to use DNS caching with a TTL of 300 seconds to avoid stale DNS records.
B.Configure the Application Load Balancer to perform health checks on the RDS instance.
C.Use Amazon RDS Proxy to pool and reuse database connections, which reduces connection churn during failover.
D.Enable Multi-AZ on the Auto Scaling group to ensure EC2 instances are in multiple AZs.
E.Configure the application to use the RDS instance endpoint (not the cluster endpoint) and implement retry logic for database connections.
AnswersC, E

RDS Proxy helps maintain connections during failover and reduces load on the database.

Why this answer

Using a connection proxy such as RDS Proxy (Option C), or configuring the application to use the RDS endpoint (which automatically points to the current primary) with retry logic (Option E), helps the application handle failover. Additionally, enabling RDS connection pooling or using Lambda to update the application can help, but the simplest approach is to use the instance endpoint with a retry mechanism.

1020
MCQhard

A DevOps engineer applies this S3 bucket policy to an S3 bucket. What is the effect of this policy?

A.All objects uploaded must be encrypted with SSE-C.
B.All uploads to the bucket are blocked.
C.All objects uploaded must use server-side encryption with Amazon S3 managed keys (SSE-S3).
D.All objects uploaded must be encrypted with SSE-KMS.
AnswerC

The policy allows only PutObject with s3:x-amz-server-side-encryption set to AES256.

Why this answer

The S3 bucket policy in question denies uploads unless the `x-amz-server-side-encryption` header is set to `AES256`, which is the value for SSE-S3 (Amazon S3 managed keys). This ensures that all objects uploaded to the bucket must be encrypted using server-side encryption with S3-managed keys (SSE-S3). Option C correctly identifies this requirement.

Exam trap

The trap here is that candidates confuse the `x-amz-server-side-encryption` header values: `AES256` is specific to SSE-S3, not SSE-C or SSE-KMS, leading to incorrect selections of A or D.

How to eliminate wrong answers

Option A is wrong because SSE-C requires the `x-amz-server-side-encryption-customer-algorithm` header, not `x-amz-server-side-encryption: AES256`. Option B is wrong because the policy does not block all uploads; it only denies uploads that do not meet the encryption requirement, so uploads with the correct encryption header are allowed. Option D is wrong because SSE-KMS requires the `x-amz-server-side-encryption` header set to `aws:kms`, not `AES256`.

1021
MCQeasy

A DevOps engineer needs to centralize logs from multiple AWS accounts into a single CloudWatch Logs account. Which feature should be used?

A.CloudWatch Logs Insights
B.AWS CloudTrail
C.Amazon Kinesis Data Firehose
D.CloudWatch Logs cross-account subscription
AnswerD

This feature allows sending log groups from source accounts to a central destination.

Why this answer

CloudWatch Logs cross-account subscription (Option D) allows you to stream log data from multiple source AWS accounts to a single destination account's CloudWatch Logs log group. This is the native, managed feature designed specifically for centralizing logs across accounts without needing additional infrastructure or data transformation.

Exam trap

The trap here is that candidates often confuse CloudWatch Logs Insights (a query tool) with the actual cross-account log forwarding mechanism, or they incorrectly assume that CloudTrail or Kinesis Data Firehose are the primary services for cross-account log centralization, when in fact the native CloudWatch Logs cross-account subscription is the correct, managed solution.

How to eliminate wrong answers

Option A is wrong because CloudWatch Logs Insights is a query and analysis tool for searching and visualizing log data within a single account; it does not provide cross-account log ingestion or forwarding. Option B is wrong because AWS CloudTrail records API activity and can deliver logs to CloudWatch Logs, but it is not a mechanism for centralizing logs from multiple accounts into a single CloudWatch Logs destination. Option C is wrong because Amazon Kinesis Data Firehose is a streaming data delivery service that can load logs into destinations like S3 or Redshift, but it is not designed for direct cross-account CloudWatch Logs subscription; it would require additional setup and does not natively support the cross-account subscription model.

1022
MCQhard

A company deploys a serverless application using AWS SAM. The application includes an API Gateway REST API and multiple Lambda functions. The team wants to implement canary deployments for the API to gradually shift traffic to a new version. Which SAM template configuration should be used?

A.Use the CanaryDeployment property on the Serverless::Function resource with a DeploymentPreference
B.Create multiple Lambda function versions and use API Gateway stage variables to switch between them
C.Define the Lambda function with AutoPublishAlias: live and set the API Gateway integration to point to the alias
D.Use AWS CloudFormation's UpdatePolicy with AutoScalingRollingUpdate
AnswerA

CanaryDeployment enables CodeDeploy to shift traffic in increments (e.g., 10% for 5 minutes).

Why this answer

Option A is correct because AWS SAM's `CanaryDeployment` property on the `AWS::Serverless::Function` resource, combined with a `DeploymentPreference` of type `Canary10Percent5Minutes`, enables gradual traffic shifting for API Gateway integrations. This configuration automatically creates a Lambda alias, publishes new versions, and shifts a percentage of API traffic to the new version over a specified time window, all without manual intervention.

Exam trap

The trap here is that candidates often confuse `AutoPublishAlias` with canary deployments, assuming that publishing a new version and pointing an alias to it automatically shifts traffic gradually, when in fact it requires an explicit `DeploymentPreference` with a canary type to enable traffic shifting.

How to eliminate wrong answers

Option B is wrong because manually creating multiple Lambda function versions and using API Gateway stage variables to switch between them is a manual, error-prone approach that does not provide automated canary traffic shifting or rollback capabilities. Option C is wrong because while `AutoPublishAlias: live` creates a Lambda alias and publishes new versions, it does not by itself implement canary deployments; it only points the API Gateway integration to a single alias, requiring additional custom logic for traffic shifting. Option D is wrong because CloudFormation's `UpdatePolicy` with `AutoScalingRollingUpdate` is designed for Auto Scaling groups or EC2-based rolling updates, not for serverless resources like Lambda functions or API Gateway, and it does not support canary traffic shifting for API endpoints.

1023
MCQeasy

A company is using Amazon S3 to store critical data. The company requires that all versions of objects be retained, including deleted objects, to meet compliance requirements. Which S3 feature should be enabled?

A.S3 Versioning
B.S3 Object Lock
C.S3 Lifecycle policies
D.MFA Delete
AnswerA

Versioning retains all versions of objects, including those deleted.

Why this answer

Option A is correct because S3 Versioning keeps all versions of objects, including deleted ones (marked with delete markers). Option D is wrong because MFA Delete adds an extra layer of security but does not by itself retain all versions. Option B is wrong because S3 Object Lock prevents deletion but requires versioning to be enabled; versioning itself is the feature that retains all versions.

Option C is wrong because lifecycle policies transition or expire objects; they do not retain all versions.

1024
MCQeasy

A DevOps engineer needs to monitor the number of messages in an Amazon SQS queue and trigger an Auto Scaling policy to add more EC2 instances when the queue depth exceeds a threshold. Which CloudWatch metric should the alarm use?

A.NumberOfMessagesSent
B.ApproximateNumberOfMessagesNotVisible
C.ApproximateNumberOfMessagesVisible
D.SentMessageSize
AnswerC

This metric reflects the queue depth.

Why this answer

Option C is correct because ApproximateNumberOfMessagesVisible indicates the number of messages available for retrieval, i.e. the queue depth. Option A is wrong because NumberOfMessagesSent is a count of sent messages. Option B is wrong because ApproximateNumberOfMessagesNotVisible counts messages in flight.

Option D is wrong because SentMessageSize is the size of messages.

1025
Multi-Selecteasy

Which TWO AWS services can be used as source actions in AWS CodePipeline to automatically trigger a pipeline when changes are made? (Choose two.)

Select 2 answers
A.Amazon CloudWatch
B.Amazon S3
C.Amazon EC2
D.AWS CloudFormation
E.AWS CodeCommit
AnswersB, E

S3 can trigger a pipeline when a new object is uploaded.

Why this answer

Options B and E are correct: Amazon S3 and AWS CodeCommit can serve as source actions. Option C is wrong because EC2 is not a source action.

Option A is wrong because CloudWatch is a monitoring service, not a source. Option D is wrong because CloudFormation is an infrastructure provisioning service.

1026
MCQmedium

A company has deployed a multi-tier application on AWS. The web tier uses an Auto Scaling group of EC2 instances behind an Application Load Balancer. The application tier uses another Auto Scaling group of EC2 instances that process messages from an Amazon SQS queue. The database tier uses Amazon RDS Multi-AZ. Recently, the application experienced a complete outage when the SQS queue became overwhelmed with messages due to a sudden spike in traffic. The application tier could not process messages fast enough, causing the queue to grow indefinitely and eventually exceed the visibility timeout, leading to message loss and degraded performance. The DevOps engineer needs to improve the resilience of the architecture to handle traffic spikes without losing messages. Which solution should be implemented?

A.Limit the maximum message size and set a queue size limit to prevent overflow
B.Replace the standard SQS queue with a FIFO SQS queue to ensure exactly-once processing
C.Increase the visibility timeout in the SQS queue to allow more time for processing
D.Configure a dead-letter queue for unprocessed messages and implement Auto Scaling based on SQS queue depth
AnswerD

DLQ captures failed messages; scaling handles spikes.

Why this answer

Option D is correct because a dead-letter queue captures messages that cannot be processed after a number of attempts, preventing loss. Combined with Auto Scaling based on queue depth, it ensures the application tier scales to handle spikes. Option C is wrong because increasing the visibility timeout only delays re-processing; it does not prevent message loss.

Option A is wrong because limiting queue size causes messages to be rejected. Option B is wrong because SQS FIFO does not improve resilience against spikes and may reduce throughput.

1027
Drag & Dropmedium

Drag and drop the steps to set up an AWS Lambda function triggered by an S3 event.


Why this order

First create the bucket, then create the Lambda function, then add trigger, then configure notification, then test.

1028
Multi-Selectmedium

A company is designing a CI/CD pipeline for a microservices architecture using AWS CodePipeline. They want to use infrastructure as code to manage the pipeline itself. Which TWO services can be used together to achieve this?

Select 2 answers
A.AWS Service Catalog
B.AWS CodePipeline
C.AWS CloudFormation
D.AWS CodeDeploy
E.AWS Elastic Beanstalk
AnswersB, C

CodePipeline is the service that orchestrates the pipeline itself.

Why this answer

Option C (CloudFormation) and Option B (CodePipeline) are correct because CloudFormation can define the pipeline resource, and CodePipeline is the service being defined. Option D (CodeDeploy) is for deployment, not pipeline definition. Option E (Elastic Beanstalk) is for application deployment.

Option A (Service Catalog) is for product portfolios.

1029
MCQhard

An application running on Amazon ECS with Fargate is experiencing increased latency. The DevOps team suspects that the task is running out of memory and swapping. Which set of CloudWatch metrics should the team examine to confirm this suspicion?

A.NetworkIn and NetworkOut
B.MemoryUtilized and MemoryReserved
C.CPUUtilization and CPUReservation
D.EphemeralStorageUtilized and EphemeralStorageReserved
AnswerB

These metrics show memory usage; high utilization may cause swapping.

Why this answer

Option B is correct because MemoryUtilized and MemoryReserved are the CloudWatch metrics that directly track memory consumption and allocation for ECS tasks using Fargate. When a task runs out of memory, the Linux kernel’s OOM killer may terminate processes, but before that, swapping can occur if swap space is available, causing increased latency. These metrics allow the DevOps team to compare actual memory usage against the task’s memory reservation, confirming if memory pressure is the root cause of the latency.

Exam trap

The trap here is that candidates may confuse memory metrics with CPU or storage metrics, assuming any resource constraint can cause swapping, but only memory metrics directly indicate memory exhaustion and potential swapping behavior.

How to eliminate wrong answers

Option A is wrong because NetworkIn and NetworkOut measure network throughput, not memory usage or swapping, so they cannot confirm memory exhaustion. Option C is wrong because CPUUtilization and CPUReservation track CPU usage and reservation, which are unrelated to memory swapping; high CPU could cause latency but does not indicate memory pressure. Option D is wrong because EphemeralStorageUtilized and EphemeralStorageReserved measure storage usage on the Fargate ephemeral volume, not memory consumption; swapping would involve memory, not ephemeral storage.

1030
MCQmedium

A company's DevOps team notices that their Amazon RDS for PostgreSQL instance's CPU utilization spikes to 90% every day at 10:00 AM, causing application latency. They want to be notified when the CPU utilization exceeds 80% for more than 5 minutes to investigate the cause. Which solution should they implement?

A.Use Amazon CloudWatch Logs Insights to query the RDS logs and trigger an SNS notification when CPU utilization is high.
B.Enable AWS Trusted Advisor to automatically create a CloudWatch alarm on the CPU utilization metric.
C.Create an Amazon CloudWatch alarm on the CPUUtilization metric with a period of 5 minutes and a threshold of 80, and set the alarm action to send a notification to an Amazon SNS topic.
D.Create an AWS CloudTrail trail to monitor CPU utilization and trigger an AWS Lambda function to send an email notification.
AnswerC

This directly monitors the metric and triggers notification when the threshold is breached for the specified duration.

Why this answer

Option C is correct because a CloudWatch alarm on the CPUUtilization metric can trigger an SNS notification when the metric exceeds 80% for 5 minutes. Option D is wrong because CloudTrail does not monitor CPU utilization. Option B is wrong because Trusted Advisor does not create custom alarms.

Option A is wrong because CloudWatch Logs Insights is for log analysis, not metric alarms.
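The alarm in option C, written out as an added example (this is not code from the question bank): one function builds the `put_metric_alarm` request, and a second models how the period and evaluation-period settings decide whether a series of CPU samples fires it. The namespace `AWS/RDS`, metric `CPUUtilization` and dimension `DBInstanceIdentifier` are real CloudWatch names; the instance id and SNS topic ARN are placeholders, and the CPU series are constructed.

```python
"""Alarm for "CPUUtilization above 80% for more than 5 minutes" (added example,
not from the page). Namespace AWS/RDS, metric CPUUtilization and dimension
DBInstanceIdentifier are real CloudWatch names; the instance id and SNS topic
ARN used below are placeholders."""
from statistics import mean


def cpu_alarm_request(db_instance_id, topic_arn, threshold=80.0,
                      period=60, evaluation_periods=5):
    """Keyword arguments for boto3 cloudwatch.put_metric_alarm().

    period=60 with evaluation_periods=5 means five consecutive one-minute
    datapoints must breach, i.e. the condition held for the whole 5 minutes.
    period=300 with evaluation_periods=1 would instead alarm on one five-minute
    Average, which a short spike can push over (or keep under) the threshold."""
    return {
        "AlarmName": f"rds-{db_instance_id}-cpu-high",
        "Namespace": "AWS/RDS",
        "MetricName": "CPUUtilization",
        "Dimensions": [{"Name": "DBInstanceIdentifier", "Value": db_instance_id}],
        "Statistic": "Average",
        "Period": period,
        "EvaluationPeriods": evaluation_periods,
        "DatapointsToAlarm": evaluation_periods,
        "Threshold": threshold,
        "ComparisonOperator": "GreaterThanThreshold",
        "TreatMissingData": "missing",
        "AlarmActions": [topic_arn],
    }


def would_alarm(per_minute_cpu, period=60, evaluation_periods=5, threshold=80.0):
    """Simplified model of how CloudWatch evaluates the alarm above (assumption:
    one sample per minute, Average statistic, DatapointsToAlarm equal to
    EvaluationPeriods). Minute samples are averaged into period-sized buckets
    and the alarm fires only if the last evaluation_periods buckets all breach."""
    minutes_per_bucket = max(1, period // 60)
    buckets = [mean(per_minute_cpu[i:i + minutes_per_bucket])
               for i in range(0, len(per_minute_cpu), minutes_per_bucket)]
    window = buckets[-evaluation_periods:]
    return len(window) == evaluation_periods and all(b > threshold for b in window)


if __name__ == "__main__":
    import boto3  # only needed to actually create the alarm in an account
    req = cpu_alarm_request("db-placeholder",
                            "arn:aws:sns:us-east-1:123456789012:rds-cpu-alerts-placeholder")
    boto3.client("cloudwatch").put_metric_alarm(**req)
```

The two parameterisations are not equivalent: a constructed series of four minutes at 95% followed by one at 40% averages to 84% and fires a single 300-second period, but does not satisfy five consecutive 60-second breaches. Pick the shape that matches the wording of the requirement ("for more than 5 minutes" is the sustained form).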

1031
MCQhard

Refer to the exhibit. A DevOps engineer created this IAM policy for a CodeDeploy service role. The deployment fails with an 'AccessDenied' error when attempting to register instances with an Auto Scaling group. What is the likely cause?

A.The policy does not allow autoscaling:CompleteLifecycleAction.
B.The role is not trusted by the EC2 service.
C.The iam:PassRole action is not scoped to the correct resource.
D.The policy is missing autoscaling:UpdateAutoScalingGroup and autoscaling:SetDesiredCapacity.
AnswerD

CodeDeploy needs these permissions to manage instance registration.

Why this answer

The correct answer is D because the CodeDeploy service role must include permissions for autoscaling:UpdateAutoScalingGroup and autoscaling:SetDesiredCapacity to allow CodeDeploy to register instances with an Auto Scaling group during a deployment. Without these actions, the deployment fails with an 'AccessDenied' error when CodeDeploy attempts to attach instances to the Auto Scaling group or adjust its capacity.

Exam trap

The trap here is that candidates often assume the error is due to missing lifecycle hook permissions (Option A) or a trust relationship issue (Option B), but the actual cause is the lack of specific Auto Scaling write permissions required for instance registration.

How to eliminate wrong answers

Option A is wrong because autoscaling:CompleteLifecycleAction is used for lifecycle hooks, not for registering instances with an Auto Scaling group, and its absence would not cause the described error. Option B is wrong because the role is trusted by CodeDeploy (not EC2), and the error occurs during instance registration with Auto Scaling, not during EC2 instance launch. Option C is wrong because iam:PassRole is used to pass a role to a service, but the error is about Auto Scaling actions, not about passing roles; the policy likely already allows PassRole for the correct resource.

1032
Multi-Selecthard

Which THREE AWS services can be used to centrally manage and enforce security policies across multiple accounts in AWS Organizations? (Select THREE.)

Select 3 answers
A.AWS Config Conformance Packs
B.AWS Organizations Service Control Policies (SCPs)
C.AWS Systems Manager
D.AWS CloudTrail
E.AWS Firewall Manager
AnswersA, B, E

Conformance packs can enforce compliance rules across accounts.

Why this answer

AWS Config Conformance Packs enable you to deploy and enforce a collection of AWS Config rules and remediation actions across multiple accounts and Regions in an AWS Organization. They provide a centralized way to ensure that resources comply with internal policies by using a YAML template that defines the rules and parameters, which are then applied to all member accounts via AWS Config aggregators and StackSets.

Exam trap

The trap here is that candidates often confuse AWS CloudTrail (audit logging) with a policy enforcement tool, or assume AWS Systems Manager can centrally enforce security policies across accounts, when it is actually designed for operational tasks like patch management and automation, not policy governance.

1033
Multi-Selecteasy

Which TWO measures can be taken to protect data at rest in Amazon S3? (Select TWO.)

Select 2 answers
A.Enable S3 Server-Side Encryption (SSE-S3 or SSE-KMS)
B.Enable cross-region replication
C.Enable MFA Delete on the bucket
D.Create a bucket policy that denies s3:PutObject without the x-amz-server-side-encryption header
E.Use S3 Transfer Acceleration
AnswersA, D

SSE encrypts data at rest.

Why this answer

S3 Server-Side Encryption (SSE) and S3 Bucket Policies to deny unencrypted PUT requests are measures to protect data at rest. MFA Delete protects against accidental deletion, not encryption. Cross-region replication is for disaster recovery.

S3 Transfer Acceleration speeds up uploads.
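The bucket policy from option D, as an added example that is not part of the question bank. It generates the two Deny statements and includes a narrow evaluator that applies just those two conditions to a PutObject request's headers, so the missing-header case can be checked offline. The bucket name is a placeholder; the condition key `s3:x-amz-server-side-encryption` and the `StringNotEquals` and `Null` operators are real IAM policy elements.

```python
"""Deny unencrypted PutObject requests (added example, not from the page).
The bucket name is a placeholder. Both statements follow the pattern AWS
documents for this policy: StringNotEquals catches a header with a value other
than AES256 or aws:kms, and Null catches a request with no header at all."""
import json

ALLOWED_SSE = ("AES256", "aws:kms")  # SSE-S3 and SSE-KMS header values


def deny_unencrypted_put_policy(bucket):
    """Bucket policy with two Deny statements for s3:PutObject."""
    objects = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyWrongEncryptionHeader",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": objects,
                "Condition": {
                    "StringNotEquals": {"s3:x-amz-server-side-encryption": list(ALLOWED_SSE)}
                },
            },
            {
                "Sid": "DenyMissingEncryptionHeader",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": objects,
                "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
            },
        ],
    }


def put_is_denied(policy, headers):
    """Simplified evaluator (assumption: it models only the StringNotEquals and
    Null conditions on this one key, not full IAM policy evaluation).
    `headers` maps lower-cased HTTP header names to values."""
    value = headers.get("x-amz-server-side-encryption")
    for stmt in policy["Statement"]:
        cond = stmt["Condition"]
        if "Null" in cond and value is None:
            return True  # header absent: the Null statement denies
        if "StringNotEquals" in cond and value is not None:
            allowed = cond["StringNotEquals"]["s3:x-amz-server-side-encryption"]
            if value not in allowed:
                return True  # header present but not an accepted value
    return False


if __name__ == "__main__":
    print(json.dumps(deny_unencrypted_put_policy("placeholder-bucket"), indent=2))
```

One caveat when applying this today: S3 has applied SSE-S3 by default to new objects since January 2023, so a client that omits the header still gets an encrypted object, yet this policy will reject its upload. Keep the policy where the requirement is to enforce a specific key (SSE-KMS), and test clients against it before rollout.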

1034
MCQhard

A company runs a production application on Amazon ECS with Fargate, fronted by an Application Load Balancer (ALB). The application experiences periodic latency spikes and occasional 502 errors. The ECS service is configured with a desired count of 2 tasks, and the ALB health check is set to /health with a 30-second interval and 2 consecutive failures threshold. The team uses CloudWatch Container Insights and has noticed that CPU and memory utilization of tasks remain below 50%. However, the ALB TargetGroup's HealthyHostCount metric occasionally drops to 0 for a few minutes before recovering. The deployment strategy is rolling update with a minimum healthy percent of 50% and maximum percent of 200%. The team recently updated the task definition to increase memory and CPU, but the issue persists. What is the MOST likely cause of the problem?

A.The ECS service role lacks permissions to register targets with the ALB.
B.The ALB health check is too aggressive, causing tasks to be marked unhealthy during brief initialization or deployment.
C.The ALB target group is configured with only one Availability Zone, causing loss of all targets when that AZ fails.
D.The task's CPU or memory limits are set too low, causing the container to be throttled.
AnswerB

Health check timing causes temporary loss of healthy targets during rolling updates.

Why this answer

Option B is correct because the health check interval (30 seconds) and failure threshold (2) mean it takes up to 60 seconds to mark a task unhealthy. During deployments, the rolling update may temporarily have only 1 healthy task (minimum 50% of 2 = 1), and if that task becomes unhealthy, HealthyHostCount drops to 0. Option D is wrong because CPU and memory are below 50%, so resource limits are not the issue.

Option C is wrong because a target group with 2 tasks and 2 AZs is fine; the problem is not AZ-specific. Option A is wrong because the ECS service-linked role does not affect health checks.

1035
MCQhard

A DevOps team is using Amazon CloudWatch Synthetics canaries to monitor the availability of a web application. The canary is configured to run every 5 minutes. The team notices that the canary fails occasionally but the application is healthy. Which action will help identify if the failures are due to network issues between the canary and the application?

A.Enable VPC Flow Logs for the canary's VPC and analyze the logs for dropped packets
B.Enable AWS X-Ray tracing on the canary to trace the request path
C.Increase the canary's memory and timeout settings to reduce false positives
D.Configure the canary to run inside the same VPC as the application using a VPC endpoint
AnswerD

Running canary in the same VPC isolates network path and helps identify network issues.

Why this answer

Option D is correct because CloudWatch Synthetics canaries support the use of VPC endpoints or placement within a VPC to run from the same network environment as the application, allowing canary failures due to network issues to be distinguished from application issues. Option B is wrong because X-Ray traces the application, not the canary. Option A is wrong because VPC Flow Logs capture network metadata but are not directly integrated with canaries.

Option C is wrong because raising the canary's memory and timeout settings does not isolate canary network issues.

1036
MCQeasy

A company uses AWS OpsWorks to manage a set of EC2 instances. They need to ensure that a custom recipe runs on all instances during the 'Configure' lifecycle event. What is the correct way to achieve this?

A.Modify the stack's CloudFormation template to include the recipe.
B.Upload the recipe to a custom cookbook repository and assign it to the 'Configure' lifecycle event in the stack settings.
C.Add the recipe commands to the instance's user data script.
D.Use AWS CodeDeploy to trigger the recipe during the Configure event.
AnswerB

This is the standard way to run custom recipes on OpsWorks lifecycle events.

Why this answer

In AWS OpsWorks, lifecycle events (such as Configure) are tied to layers, not individual instances. To run a custom recipe on all instances during the Configure event, you must upload the recipe to a custom cookbook repository (e.g., S3 or Git) and then assign that recipe to the Configure lifecycle event in the stack's layer settings. This ensures OpsWorks Chef runs the recipe on every instance in that layer whenever the Configure event fires (e.g., after scaling or instance state changes).

Exam trap

The trap here is that candidates confuse the one-time execution of user data scripts (Option C) with the recurring, event-driven nature of OpsWorks lifecycle events, or mistakenly think CloudFormation (Option A) or CodeDeploy (Option D) can directly manage OpsWorks recipe execution.

How to eliminate wrong answers

Option A is wrong because AWS OpsWorks does not use CloudFormation templates to define lifecycle recipes; OpsWorks uses Chef cookbooks and lifecycle event assignments within the stack/layer configuration. Option C is wrong because user data scripts run only once at instance boot, whereas the Configure lifecycle event fires repeatedly (e.g., on instance start, stop, or scaling), so a user data script cannot handle recurring Configure events. Option D is wrong because AWS CodeDeploy is a deployment service for application code, not a mechanism to trigger OpsWorks lifecycle events; it cannot directly invoke Chef recipes during the Configure event.

1037
MCQeasy

A company is designing a disaster recovery strategy for its on-premises database to AWS using AWS Elastic Disaster Recovery (AWS DRS). The recovery time objective (RTO) is 15 minutes, and the recovery point objective (RPO) is 1 minute. Which configuration should they use?

A.Use AWS CloudEndure Disaster Recovery (now AWS DRS) with periodic replication every hour.
B.Use AWS Backup to take snapshots every 5 minutes and restore in the target region.
C.Use RDS cross-region automated backups with a 5-minute backup window.
D.Configure AWS DRS to continuously replicate data to a staging area in AWS, and launch instances in the target region on failover.
AnswerD

Continuous replication achieves sub-minute RPO and fast RTO.

Why this answer

Option D is correct because continuous replication with a staging area provides very low RPO. Option C is wrong because point-in-time restore from automated backups has a higher RPO. Option A is wrong because CloudEndure (now AWS DRS) uses continuous replication, not periodic replication.

Option B is wrong because scheduled snapshots cannot achieve a 1-minute RPO.

1038
MCQhard

A DevOps engineer is troubleshooting an application running on an EC2 instance. The application needs to access an Amazon RDS database using IAM database authentication. The EC2 instance is associated with an IAM role 'EC2-AppRole', and the RDS instance has a resource-based policy that allows 'DatabaseAccessRole' to connect. The engineer sees the error in the exhibit. What is the most likely cause?

A.The RDS instance does not have a resource-based policy that grants access to 'DatabaseAccessRole'.
B.The security group for the EC2 instance does not allow outbound traffic to the RDS instance.
C.The EC2 instance does not have the correct IAM instance profile attached.
D.The trust policy of the IAM role 'DatabaseAccessRole' does not allow the EC2 instance role 'EC2-AppRole' to assume it.
AnswerD

D is correct because the access denied error indicates the trust relationship is missing.

Why this answer

The error indicates that the EC2 instance's IAM role 'EC2-AppRole' cannot authenticate to the RDS instance. IAM database authentication requires the EC2 instance to assume a database authentication token, which is generated by calling the RDS API with the 'EC2-AppRole' credentials. However, the RDS instance's resource-based policy only allows 'DatabaseAccessRole' to connect.

For 'EC2-AppRole' to successfully authenticate, it must first assume 'DatabaseAccessRole' via a trust policy that permits the EC2 instance role to assume it. Without this trust relationship, the authentication token request fails, causing the error.

Exam trap

The trap here is that candidates often assume the error is due to missing resource-based policies or network connectivity, but the core issue is the missing trust relationship between the EC2 instance role and the database access role, which is a common misconfiguration in cross-account or cross-role IAM authentication setups.

How to eliminate wrong answers

Option A is wrong because the RDS instance does have a resource-based policy that allows 'DatabaseAccessRole' to connect, as stated in the question; the issue is that the EC2 instance role cannot assume that role. Option B is wrong because security group rules control network traffic, not IAM authentication; if the security group were blocking outbound traffic, the error would be a network timeout or connection refused, not an IAM authentication failure. Option C is wrong because the EC2 instance is already associated with the IAM role 'EC2-AppRole' (the instance profile is attached), and the error is about assuming another role, not about the instance lacking a role.

1039
MCQmedium

An application running on Amazon ECS Fargate writes logs to CloudWatch Logs. The logs include sensitive data such as credit card numbers, which must be masked before storage. What is the most cost-effective solution that requires the least operational overhead?

A.Stream logs to Amazon Kinesis Data Firehose with a Lambda transformation, then deliver to CloudWatch Logs.
B.Configure a CloudWatch Logs subscription to stream logs to Amazon S3, and use S3 Object Lambda to mask data on retrieval.
C.Deploy a sidecar container in the ECS task that reads logs from stdout, masks data, and sends to CloudWatch Logs.
D.Use a CloudWatch Logs subscription filter to invoke an AWS Lambda function that masks sensitive data and writes the sanitized logs to a different log group.
AnswerD

This masks data before storage, is serverless, and cost-effective.

Why this answer

Option D is correct because CloudWatch Logs subscription filters can invoke a Lambda function in real-time as logs are ingested, allowing the function to mask sensitive data (e.g., credit card numbers) and write the sanitized logs to a different log group. This approach requires no additional infrastructure, no streaming services, and no changes to the application code, making it the most cost-effective and operationally lightweight solution.

Exam trap

The trap here is that candidates often choose Option A or C because they assume a streaming pipeline or sidecar is required for log transformation, but they overlook that CloudWatch Logs subscription filters with Lambda provide a native, serverless, and cost-effective alternative that avoids additional services and infrastructure changes.

How to eliminate wrong answers

Option A is wrong because it introduces unnecessary cost and complexity by streaming logs through Kinesis Data Firehose and a Lambda transformation, only to deliver them back to CloudWatch Logs; this adds a per-GB Firehose cost and Lambda invocation overhead without benefit. Option B is wrong because S3 Object Lambda only masks data at retrieval time, not at storage time, so sensitive data remains unmasked in S3; additionally, this approach requires a separate S3 bucket and retrieval workflow, increasing operational overhead. Option C is wrong because deploying a sidecar container in the ECS task adds complexity to the task definition, increases resource consumption (CPU/memory), and requires custom log routing logic, which violates the 'least operational overhead' requirement.
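The subscription-filter Lambda from option D, as an added example that is not part of the question bank. It decodes the payload CloudWatch Logs delivers (base64 of a gzip-compressed JSON record with `logEvents`, which is the real subscription filter format), masks card numbers that pass a Luhn check so that order ids and timestamps are left alone, and re-emits the events to a sibling log group. The `-sanitized` naming of the destination group, the source group name and the sample events are constructed assumptions.

```python
"""Mask card numbers in CloudWatch Logs subscription events (added example,
not from the page). The awslogs.data payload shape is the real subscription
filter format; the destination group name and sample events are constructed."""
import base64
import gzip
import json
import re

# 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits):
    """Luhn checksum, so that non-card digit runs are not masked."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pans(text):
    """Replace each Luhn-valid card number, keeping only its last four digits."""
    def repl(match):
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_ok(digits):
            return raw
        return "*" * (len(digits) - 4) + digits[-4:]
    return CARD_RE.sub(repl, text)


def decode_subscription_event(event):
    """Decode the base64 + gzip record CloudWatch Logs sends to the function."""
    payload = base64.b64decode(event["awslogs"]["data"])
    return json.loads(gzip.decompress(payload))


def sanitize(record):
    """Return (log_group, log_stream, events) with masked messages.
    CONTROL_MESSAGE records (sent when the filter is created) yield no events."""
    if record.get("messageType") != "DATA_MESSAGE":
        return record.get("logGroup"), record.get("logStream"), []
    events = [{"timestamp": e["timestamp"], "message": mask_pans(e["message"])}
              for e in record["logEvents"]]
    return record["logGroup"], record["logStream"], events


def make_test_event(messages, group="/aws/ecs/payments", stream="task-placeholder"):
    """Build a subscription-filter payload from constructed messages (local tests)."""
    record = {"messageType": "DATA_MESSAGE", "owner": "123456789012",
              "logGroup": group, "logStream": stream, "subscriptionFilters": ["mask-pans"],
              "logEvents": [{"id": str(i), "timestamp": 1700000000000 + i, "message": m}
                            for i, m in enumerate(messages)]}
    data = base64.b64encode(gzip.compress(json.dumps(record).encode())).decode()
    return {"awslogs": {"data": data}}


def handler(event, context):
    """Lambda entry point. boto3 is imported here so the masking logic above
    runs without it. Assumption: sanitized events go to '<source group>-sanitized'."""
    import boto3
    logs = boto3.client("logs")
    group, stream, events = sanitize(decode_subscription_event(event))
    if not events:
        return {"masked": 0}
    dest = f"{group}-sanitized"
    for call, kwargs in ((logs.create_log_group, {"logGroupName": dest}),
                         (logs.create_log_stream, {"logGroupName": dest, "logStreamName": stream})):
        try:
            call(**kwargs)
        except logs.exceptions.ResourceAlreadyExistsException:
            pass
    logs.put_log_events(logGroupName=dest, logStreamName=stream, logEvents=events)
    return {"masked": len(events)}
```

Two operational points follow from the design in option D: the subscription filter must be attached to the source group only (writing to a differently named group is what keeps the function from triggering itself), and the unmasked events still land in the source group, so that group needs a short retention period and tightly scoped read access.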

1040
MCQhard

A financial services company runs a critical application on Amazon ECS with Fargate launch type. The application has strict availability requirements and must survive an Availability Zone failure. The ECS service is configured with a desired count of 4 tasks, spread across two Availability Zones using a spread strategy. The service is fronted by an Application Load Balancer. During a recent AZ outage, one AZ became completely unavailable, but the application continued to serve traffic. However, after the AZ recovered, the ECS service did not automatically place new tasks in the recovered AZ to restore the desired count. The service remains with only 2 tasks in the remaining AZ. What is the most likely cause and solution?

A.The ECS service does not automatically replace tasks in a recovered AZ because the spread strategy is static. Manually update the service (e.g., force new deployment) to trigger rebalancing.
B.The Application Load Balancer is not health-checking the recovered AZ. Configure cross-zone load balancing.
C.The ECS service uses a spread strategy that does not automatically rebalance after an AZ recovers. Update the service to use a 'rebalance' strategy.
D.The ECS service is configured with a minimum healthy percent of 50%, which prevents replacement. Lower the minimum healthy percent to 0%.
AnswerA

Force new deployment or modify desired count to trigger rebalancing across AZs.

Why this answer

The ECS service uses a spread strategy, which maintains balance across AZs. When an AZ is unhealthy, ECS does not place tasks there. After recovery, the service may not automatically rebalance because the spread strategy is not proactive; it only ensures placement of new tasks.

To force rebalancing, one can update the service (e.g., change desired count, then change back).

1041
Multi-Selecthard

A company is designing a disaster recovery plan for an Amazon S3 data lake. The data lake stores sensitive data that must be replicated to a secondary Region with an RPO of 15 minutes. Which THREE actions should the company take? (Choose THREE.)

Select 3 answers
A.Enable S3 Versioning on both the source and destination buckets.
B.Enable S3 Replication Time Control (RTC) for the replication rule.
C.Configure cross-Region replication (CRR) from the source bucket to the destination bucket.
D.Configure S3 Event Notifications to trigger a Lambda function that copies objects to the secondary Region.
E.Enable S3 Transfer Acceleration on the source bucket.
AnswersA, B, C

Versioning is required for CRR.

Why this answer

Option A is correct because enabling S3 Versioning on both the source and destination buckets is a prerequisite for S3 Replication. Without versioning, replication cannot track object versions, which is essential for meeting the 15-minute RPO with consistency guarantees.

Exam trap

The trap here is that candidates may confuse S3 Event Notifications with Lambda as a viable replication method, overlooking that native CRR with RTC provides guaranteed RPO and versioning consistency without custom code overhead.

1042
MCQeasy

A team uses AWS CodeBuild to build Docker images and push them to Amazon ECR. The buildspec.yml includes a post_build step that runs a security scan. The team wants to ensure that only images that pass the security scan are tagged as 'latest'. Which approach should be used?

A.Build the image with the 'latest' tag first, then run the security scan. If it fails, delete the 'latest' tag.
B.In the post_build phase, run the security scan, and if it passes, tag the image with 'latest' and push.
C.Use ECR lifecycle policies to remove images that do not pass the security scan.
D.Tag the image with 'latest' only after the build phase, regardless of scan results.
AnswerB

This ensures only passing images get the 'latest' tag.

Why this answer

Option B is correct because it tags the image only after a successful scan. Option A tags before the scan. Option D tags all images, not just those that pass.

Option C uses ECR lifecycle policies, which are not relevant here.

1043
MCQeasy

A DevOps team is implementing infrastructure as code using AWS CloudFormation. They want to ensure that stack updates are reviewed and approved before execution. Which feature should they use?

A.Drift detection
B.Stack policies
C.StackSets
D.Change Sets
AnswerD

Change Sets allow you to review proposed changes before applying them.

Why this answer

Option D is correct because Change Sets allow you to preview changes before executing. Option B is wrong because stack policies prevent updates to specific resources, not overall review. Option A is wrong because drift detection identifies differences, not updates.

Option C is wrong because StackSets deploy across accounts; they do not preview changes.

1044
MCQhard

A Lambda function has the above IAM policy attached. The function is failing to write logs to CloudWatch Logs. What is the most likely reason?

A.The policy does not include the 'logs:PutLogEvents' action.
B.The policy does not allow 'ec2:DescribeInstances' on a specific resource.
C.The log group ARN in the resource does not match the Lambda function's log group.
D.The Lambda function does not have permission to use the KMS key for log encryption.
AnswerC

The resource ARN restricts access to a specific log group; if the function uses a different log group, it fails.

Why this answer

Option C is correct because the Resource ARN in the policy specifies a specific log group name pattern, but if the function is configured to write to a different log group (e.g., /aws/lambda/other-function), access will be denied. Option A is wrong because the actions are correct for writing logs. Option B is wrong because the ec2:DescribeInstances permission is irrelevant to logging.

Option D is wrong because there is no encryption key specified in the policy.
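The exhibit is not reproduced on this page, so the policy below is a constructed stand-in that shows the same shape of mistake. This is an added example, not the question bank's own material: it implements IAM `Resource` wildcard matching (`*` and `?`), builds the log-stream ARN a Lambda function writes to under `/aws/lambda/<name>`, and reports which of the three logging actions the policy fails to grant for that function. The account id, region and function names are placeholders.

```python
"""Check a Lambda role policy against the function's own log group (added
example, not from the page). The policy, account id, region and function
names are constructed placeholders."""
import re

LOG_ACTIONS = {"logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"}

# Constructed policy: it grants logging on one function's log group only, and
# CreateLogGroup is absent, which is a second realistic finding.
EXAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
            "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/order-service:*",
        },
        {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"},
    ],
}


def iam_pattern_matches(pattern, value):
    """IAM string matching for Resource and Action: '*' matches any run of
    characters (including ':' and '/'), '?' matches exactly one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None


def lambda_log_stream_arn(region, account, function_name, stream="2024/01/01/[$LATEST]placeholder"):
    """ARN of a log stream under the function's default group
    /aws/lambda/<function_name>. PutLogEvents targets the stream, which is why
    a Resource that names only the group without a ':*' suffix is too narrow."""
    return (f"arn:aws:logs:{region}:{account}:log-group:/aws/lambda/{function_name}"
            f":log-stream:{stream}")


def missing_log_permissions(policy, log_stream_arn):
    """Return the logging actions that no Allow statement grants on the given
    stream ARN. Assumption: only Allow statements with string Resource and
    Action matching are modelled (no Condition elements, no explicit Deny)."""
    granted = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(iam_pattern_matches(r, log_stream_arn) for r in resources):
            continue
        for needed in LOG_ACTIONS:
            # Action names are matched case-insensitively by IAM.
            if any(iam_pattern_matches(a.lower(), needed.lower()) for a in actions):
                granted.add(needed)
    return LOG_ACTIONS - granted


if __name__ == "__main__":
    for fn in ("order-service", "other-function"):
        arn = lambda_log_stream_arn("us-east-1", "123456789012", fn)
        print(fn, sorted(missing_log_permissions(EXAMPLE_POLICY, arn)))
```

Run against the function the policy was written for, the check reports only `logs:CreateLogGroup` missing; run against `other-function`, all three actions are missing, which is the AccessDenied the question describes. The `ec2:DescribeInstances` statement matches the ARN by resource (`*`) but contributes nothing, matching the explanation's point that it is irrelevant to logging.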

1045
MCQhard

An organization manages multiple AWS accounts using AWS Organizations. They want to use AWS CloudFormation StackSets to deploy a standard VPC configuration across all accounts. However, some accounts require specific CIDR blocks that differ from the default. What is the most efficient way to handle this variation?

A.Create separate StackSets for each CIDR range and assign accounts accordingly.
B.Create a nested stack for each account that overrides the default parameters.
C.Use a single StackSet with parameters and pass account-specific parameter files via AWS CloudFormation parameter overrides in the StackSet instance.
D.Maintain separate templates per account with hardcoded CIDR blocks.
AnswerC

Parameter overrides allow per-account customization efficiently.

Why this answer

Option C is correct because AWS CloudFormation StackSets support parameter overrides at the stack instance level, allowing you to deploy a single StackSet template across multiple accounts while specifying account-specific CIDR blocks without duplicating infrastructure. This approach minimizes management overhead by using one template and one StackSet, with parameter overrides applied per target account or organizational unit (OU) via the StackSet instance configuration.

Exam trap

The trap here is that candidates often confuse StackSet parameter overrides with nested stacks or separate templates, not realizing that StackSets natively support per-instance parameter values without requiring multiple StackSets or template duplication.

How to eliminate wrong answers

Option A is wrong because creating separate StackSets for each CIDR range defeats the purpose of using StackSets for centralized management, leading to operational complexity and increased maintenance burden. Option B is wrong because nested stacks are not designed to override parameters per account in a StackSet; they are used for modular template composition, not for passing account-specific values across multiple StackSet instances. Option D is wrong because maintaining separate templates per account with hardcoded CIDR blocks violates IaC best practices, introduces drift risk, and eliminates the reusability and consistency that StackSets provide.

1046
Drag & Dropmedium

Drag and drop the steps to set up an AWS CodeBuild project to build a Docker image and push it to Amazon ECR.


Why this order

First create the ECR repository, then create the CodeBuild project, then configure buildspec, then set privileged mode, then push image.

1047
MCQmedium

A company uses an Auto Scaling group with a dynamic scaling policy based on a custom CloudWatch metric. After a recent deployment, the metric spikes unexpectedly, causing the Auto Scaling group to launch several EC2 instances. The operations team wants to quickly determine whether the spike was caused by a real load increase or a deployment issue. What is the MOST efficient way to investigate this?

A.Check the SNS topic that the scaling policy publishes to for notifications.
B.Use CloudWatch Logs Insights to query application logs for error patterns or deployment markers that coincide with the metric spike.
C.Use AWS CloudTrail to review API calls that modified the scaling policy.
D.Temporarily disable the scaling policy and manually increase the desired capacity to handle the load.
AnswerB

CloudWatch Logs Insights allows querying logs to find patterns related to the spike.

Why this answer

Option B is correct because CloudWatch Logs Insights allows you to query application logs for error patterns or deployment markers (e.g., new version tags, exception stack traces) that coincide with the metric spike. This directly correlates the scaling event with application-level evidence, enabling rapid root-cause analysis without altering infrastructure or relying on indirect notifications.

Exam trap

The trap here is that candidates confuse monitoring scaling actions (SNS/CloudTrail) with diagnosing the metric's root cause, overlooking that application logs provide the direct evidence needed to distinguish real load from deployment issues.

How to eliminate wrong answers

Option A is wrong because SNS topics used by scaling policies only send notifications about scaling actions (e.g., instance launched), not the underlying cause of the metric spike; they lack application-level context. Option C is wrong because AWS CloudTrail records API calls that modify the scaling policy (e.g., PutScalingPolicy), but the metric spike itself is not an API call—it is a CloudWatch metric data point, so CloudTrail cannot show why the metric changed. Option D is wrong because temporarily disabling the scaling policy and manually increasing desired capacity is a reactive workaround that does not investigate the root cause; it masks the symptom and risks over-provisioning or missing a deployment bug.

1048
Multi-Selecthard

During an incident, a DevOps engineer needs to block traffic from a specific IP address that is attacking an Application Load Balancer. Which TWO actions can the engineer take to mitigate this?

Select 2 answers
A.Configure Amazon CloudFront to block the IP address.
B.Modify the network ACL for the ALB's subnet to deny the IP address.
C.Use AWS WAF to create an IP set rule that blocks the IP address.
D.Enable VPC Flow Logs to capture traffic from the IP address.
E.Update the ALB security group to deny inbound traffic from the IP address.
AnswersB, C

Network ACLs support explicit deny rules and AWS WAF attaches directly to an ALB; security groups cannot deny anything.

Why this answer

Option B is correct because a network ACL is evaluated for every packet entering the ALB's subnets and, unlike a security group, supports explicit deny rules. Adding an inbound deny for the attacker's /32 with a rule number lower than the existing allow rule drops the traffic before it reaches the load balancer; NACLs are stateless, so only the inbound rule is needed to stop the attacker, and the rule count per NACL is small (20 by default), so this is an incident stopgap rather than a blocklist. Option C is correct because AWS WAF associates directly with an ALB: put the address in an IP set, reference it from a rule with a BLOCK action in the web ACL, and the requests are rejected at layer 7 with WAF logging and sampled requests to confirm the effect. The WAF path scales to large numbers of CIDRs and can be changed in a single API call, so it is the control to keep after the incident.

Exam trap

Candidates reach for the security group because it is "the ALB's firewall", but security groups are allow-lists only: there is no deny action, and the only way to exclude one address is to rewrite the allow rules around it, which is impractical for an internet-facing ALB that allows 0.0.0.0/0 on 443.

How to eliminate wrong answers

Option A is wrong because CloudFront only sits in front of the ALB if the architecture already uses it, and even then it blocks addresses through an associated WAF web ACL or geo restriction rather than on its own; adding a CDN during an incident does nothing about traffic that hits the ALB's DNS name directly. Option D is wrong because VPC Flow Logs record accepted and rejected traffic metadata; they are useful to confirm the attack and to verify that the block took effect, but they do not block anything. Option E is wrong because security groups have no deny rules.
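The ordering rule behind option B is easy to get wrong during an incident, so here is an added example (not from the page or from AWS) that models the documented evaluation semantics of a network ACL (numbered rules, lowest number first, first match wins, explicit deny allowed, implicit deny at the end) next to a security group (allow rules only). The NACL id, rule numbers, CIDRs and the attacker address are constructed.

```python
"""Model of how a network ACL and a security group evaluate an inbound packet.

Added example, not from AWS or the original page. Rule numbers, CIDRs and the
addresses below are constructed; the CLI in the docstring assumes an ACL id.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class NaclRule:
    number: int   # 1-32766; the trailing '*' deny is modelled by the default below
    cidr: str
    action: str   # "allow" or "deny"


def nacl_decision(rules: list[NaclRule], src_ip: str) -> str:
    """Return 'allow' or 'deny': lowest rule number first, first match wins."""
    ip = ip_address(src_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if ip in ip_network(rule.cidr):
            return rule.action
    return "deny"  # the implicit '*' rule at the end of every NACL


def sg_decision(allow_cidrs: list[str], src_ip: str) -> str:
    """Security groups hold allow rules only; a packet is allowed if any matches."""
    ip = ip_address(src_ip)
    return "allow" if any(ip in ip_network(c) for c in allow_cidrs) else "deny"


# Constructed starting state: an internet-facing ALB subnet NACL and the ALB's SG.
BASELINE_NACL = [NaclRule(100, "0.0.0.0/0", "allow")]
ALB_SG_INBOUND = ["0.0.0.0/0"]   # 443 from anywhere; ports omitted for brevity
ATTACKER = "203.0.113.7"
CUSTOMER = "198.51.100.23"


def block_attacker_with_nacl(rules: list[NaclRule], attacker_ip: str) -> list[NaclRule]:
    """Add a deny numbered BELOW the existing allow so it is evaluated first.

    Equivalent CLI (ACL id assumed):
      aws ec2 create-network-acl-entry --network-acl-id acl-0123456789abcdef0 \
        --ingress --rule-number 10 --protocol -1 --rule-action deny \
        --cidr-block 203.0.113.7/32
    """
    return rules + [NaclRule(10, f"{attacker_ip}/32", "deny")]


def misordered_block(rules: list[NaclRule], attacker_ip: str) -> list[NaclRule]:
    """The same deny numbered ABOVE the allow: it is never reached."""
    return rules + [NaclRule(200, f"{attacker_ip}/32", "deny")]


if __name__ == "__main__":
    fixed = block_attacker_with_nacl(BASELINE_NACL, ATTACKER)
    print("NACL attacker:", nacl_decision(fixed, ATTACKER))
    print("NACL customer:", nacl_decision(fixed, CUSTOMER))
    print("NACL misordered attacker:",
          nacl_decision(misordered_block(BASELINE_NACL, ATTACKER), ATTACKER))
    print("SG attacker:", sg_decision(ALB_SG_INBOUND, ATTACKER))  # no deny exists
```

For the WAF path (option C) the equivalent first step is `aws wafv2 create-ip-set --name blocked-ips --scope REGIONAL --ip-address-version IPV4 --addresses 203.0.113.7/32`, followed by a rule with a BLOCK action referencing that IP set in the web ACL associated with the ALB; the name and address are assumptions.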

1049
MCQhard

A company runs a microservices application on Amazon ECS with Fargate launch type. The application uses an Application Load Balancer (ALB) to distribute traffic. The DevOps team wants to monitor the number of HTTP 5xx errors returned by each service. They configure the ALB to send access logs to an S3 bucket and enable CloudWatch Container Insights. However, the team cannot view 5xx errors per service. What should the team do to achieve this?

A.Use CloudWatch Logs Insights to query the ALB access logs directly from S3.
B.Enable Container Insights and create a CloudWatch dashboard to view HTTP 5xx errors per ECS service.
C.Enable ALB access logging and parse the logs to filter by target group, then correlate with the ECS service name.
D.Configure the ALB to add a custom header with the service name and use CloudWatch metrics.
AnswerC

Access logs carry the target group ARN, and each ECS service behind the ALB has its own target group.

Why this answer

Option C is correct because every access log entry records the target_group_arn together with both the elb_status_code and the target_status_code. Each ECS service registered with the ALB is attached to its own target group (visible in the service's loadBalancers[].targetGroupArn), so filtering 5xx entries by target group and joining on that ARN yields a per-service count. Keep the two status fields apart: a 5xx in target_status_code was returned by the service itself, while a 502, 503 or 504 in elb_status_code with a target_status_code of "-" was generated by the ALB and points at unhealthy or unreachable tasks rather than application code. If only counts are needed, the ALB metric HTTPCode_Target_5XX_Count with the TargetGroup dimension gives the same per-service view without parsing logs.

How to eliminate wrong answers

Option A is incorrect because CloudWatch Logs Insights queries log groups in CloudWatch Logs; ALB access logs delivered to S3 are not in a log group, so they would have to be queried with Athena or ingested first. Option B is incorrect because Container Insights reports CPU, memory, network and storage utilization per cluster, service and task; HTTP status codes are not among its metrics. Option D is incorrect because the ALB does not inject arbitrary per-service headers, and a header value does not become a CloudWatch metric in any case.
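The parsing step in option C is where practitioners usually stumble (quoted fields containing spaces, and the two different status columns), so here is an added example that is not part of the original page. The four log lines are constructed in the ALB access log field order, and the target-group-to-service mapping is hard-coded as an assumption in place of what `aws ecs describe-services` returns.

```python
"""Count HTTP 5xx per ECS service from ALB access log lines (added example).

The log lines and the target group to service mapping are constructed.
"""
import shlex
from collections import Counter, defaultdict

# Positional fields of an ALB access log entry (HTTP/HTTPS listener).
ELB_STATUS = 8          # status the ALB sent to the client
TARGET_STATUS = 9       # status the target returned; "-" if no target answered
TARGET_GROUP_ARN = 16

# Assumed mapping; in practice built from describe-services loadBalancers[].targetGroupArn.
TG_TO_SERVICE = {
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/orders-tg/73e2d6bc24d8a067": "orders",
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/catalog-tg/2f4a1b9c8d7e6f50": "catalog",
}

# Constructed sample: orders returns one 502; catalog returns one 503 and times out once (ALB 504).
SAMPLE_LOG = """\
https 2024-05-01T12:00:01.123456Z app/prod-alb/50dc6c495c0c9188 198.51.100.23:46532 10.0.1.15:8080 0.001 0.250 0.000 502 502 120 480 "GET https://shop.example.com:443/api/orders HTTP/1.1" "curl/8.4.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/orders-tg/73e2d6bc24d8a067 "Root=1-66323c21-0a1b2c3d4e5f60718293a4b5" "shop.example.com" "arn:aws:acm:us-east-1:123456789012:certificate/1b2c3d4e-5f60-7182-93a4-b5c6d7e8f901" 1 2024-05-01T12:00:00.870000Z "forward" "-" "-" "10.0.1.15:8080" "502" "-" "-" TID_0001
https 2024-05-01T12:00:02.223456Z app/prod-alb/50dc6c495c0c9188 198.51.100.23:46533 10.0.1.15:8080 0.001 0.030 0.000 200 200 90 1200 "GET https://shop.example.com:443/api/orders/42 HTTP/1.1" "curl/8.4.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/orders-tg/73e2d6bc24d8a067 "Root=1-66323c22-1b2c3d4e5f60718293a4b5c6" "shop.example.com" "arn:aws:acm:us-east-1:123456789012:certificate/1b2c3d4e-5f60-7182-93a4-b5c6d7e8f901" 1 2024-05-01T12:00:02.190000Z "forward" "-" "-" "10.0.1.15:8080" "200" "-" "-" TID_0002
https 2024-05-01T12:00:03.323456Z app/prod-alb/50dc6c495c0c9188 203.0.113.9:51002 10.0.2.21:8080 0.001 0.120 0.000 503 503 100 300 "GET https://shop.example.com:443/api/catalog HTTP/1.1" "Mozilla/5.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/catalog-tg/2f4a1b9c8d7e6f50 "Root=1-66323c23-2c3d4e5f60718293a4b5c6d7" "shop.example.com" "arn:aws:acm:us-east-1:123456789012:certificate/1b2c3d4e-5f60-7182-93a4-b5c6d7e8f901" 2 2024-05-01T12:00:03.200000Z "forward" "-" "-" "10.0.2.21:8080" "503" "-" "-" TID_0003
https 2024-05-01T12:00:04.423456Z app/prod-alb/50dc6c495c0c9188 203.0.113.9:51003 10.0.2.21:8080 0.001 -1 -1 504 - 100 0 "GET https://shop.example.com:443/api/catalog/search HTTP/1.1" "Mozilla/5.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/catalog-tg/2f4a1b9c8d7e6f50 "Root=1-66323c24-3d4e5f60718293a4b5c6d7e8" "shop.example.com" "arn:aws:acm:us-east-1:123456789012:certificate/1b2c3d4e-5f60-7182-93a4-b5c6d7e8f901" 2 2024-05-01T12:00:04.300000Z "forward" "-" "-" "10.0.2.21:8080" "-" "-" "-" TID_0004
"""


def parse_entry(line: str) -> dict:
    """Split one entry; shlex keeps quoted fields (request, user agent) intact."""
    f = shlex.split(line)
    return {
        "target_group_arn": f[TARGET_GROUP_ARN],
        "elb_status": f[ELB_STATUS],
        "target_status": f[TARGET_STATUS],
    }


def count_5xx_per_service(log_text: str, tg_to_service: dict) -> dict:
    """Return {service: {"target_5xx": n, "elb_5xx": n}}.

    target_5xx: the service answered 5xx (application error).
    elb_5xx:    the ALB produced the 5xx with no target response
                (unhealthy or unreachable tasks, timeouts).
    """
    counts = defaultdict(Counter)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_entry(line)
        service = tg_to_service.get(e["target_group_arn"], "unknown")
        if e["target_status"].startswith("5"):
            counts[service]["target_5xx"] += 1
        elif e["elb_status"].startswith("5"):
            counts[service]["elb_5xx"] += 1
    return {s: dict(c) for s, c in counts.items()}


if __name__ == "__main__":
    for service, c in count_5xx_per_service(SAMPLE_LOG, TG_TO_SERVICE).items():
        print(service, c)
```

Splitting with shlex rather than on whitespace matters because the request and user agent fields are quoted and contain spaces; a naive split shifts every later column, including the target group ARN.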

1050
MCQeasy

A DevOps engineer needs to set up a monitoring solution for an AWS Lambda function that processes messages from an Amazon SQS queue. The engineer wants to be alerted if the function fails to process a message (i.e., the message ends up in the dead-letter queue). Which approach should they use?

A.Create a CloudWatch alarm on the ApproximateNumberOfMessagesVisible metric of the dead-letter queue.
B.Enable CloudTrail to log SQS API calls and create a metric filter for SendMessage to the DLQ.
C.Create a CloudWatch Events rule to monitor the Lambda function errors.
D.Configure the Lambda function's dead-letter queue to send notifications via Amazon SNS.
AnswerA

This metric increases when messages are sent to the DLQ, triggering the alarm.

Why this answer

Option A is correct because the `ApproximateNumberOfMessagesVisible` metric on the dead-letter queue (DLQ) reflects exactly the messages that exhausted the source queue's redrive policy (maxReceiveCount) and were moved there. A CloudWatch alarm on that metric (for example, greater than 0 for one period) fires when processing is actually failing, with no log parsing or indirect signal. Two settings matter in practice: set TreatMissingData to notBreaching, because SQS publishes metrics only while the queue is active, and expect the alarm to stay in ALARM until the DLQ is drained or redriven back to the source queue.

Exam trap

A Lambda error and a DLQ arrival are different events. The function's Errors metric increments on the first failed invocation, long before maxReceiveCount is reached, and with partial batch responses (ReportBatchItemFailures) the function returns successfully while individual messages are reported as failed, left in the queue and retried, so the Errors metric stays flat while messages drain to the DLQ. The DLQ itself is configured on the source queue's redrive policy, not on the Lambda function.

How to eliminate wrong answers

Option B is wrong because the move to the DLQ is performed by SQS internally, not by a SendMessage call from any principal, so CloudTrail has nothing to record for it; CloudTrail is also an audit trail rather than a metrics source, so an alarm would need a log group and metric filter with minutes of delay. Option C is wrong because CloudWatch Events (now EventBridge) has no native event for a failed synchronous SQS-triggered invocation, and Lambda errors in any case indicate invocation failures, not that a message reached the DLQ. Option D is wrong because the Lambda function's own dead-letter configuration (whose target can be an SQS queue or an SNS topic) applies only to asynchronous invocations; an SQS event source mapping invokes the function synchronously, so that setting never fires for these messages. Failed messages return to the source queue and are moved by SQS according to maxReceiveCount; SNS is not involved and does not emit notifications when an SQS queue receives a message.
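The exam trap above is concrete once you see a partial batch response, so here is an added example that is not part of the original page: a handler for an SQS event source mapping that returns successfully (the Errors metric does not move) while reporting one message as failed, and a helper that relates ApproximateReceiveCount to the redrive policy. The event, message ids and the `process` rule are constructed; the mapping must have FunctionResponseTypes set to ReportBatchItemFailures for the response to be honoured.

```python
"""SQS-triggered Lambda handler using partial batch responses (added example).

The event and the processing rule are constructed. With
FunctionResponseTypes = ["ReportBatchItemFailures"] on the event source
mapping, only the listed messages stay in the source queue for retry; the
handler itself succeeds, so the function's Errors metric does not increment.
"""
import json


class TransientError(Exception):
    """Stand-in for a downstream failure that is worth retrying."""


def process(body: dict) -> None:
    # Assumed rule for the demo: an order without a customer id cannot be processed.
    if "customer_id" not in body:
        raise TransientError("missing customer_id")


def handler(event: dict, context=None) -> dict:
    failures = []
    for record in event["Records"]:
        try:
            process(json.loads(record["body"]))
        except (TransientError, json.JSONDecodeError):
            # Report rather than raise: raising fails the whole batch and
            # re-delivers the good messages as well.
            failures.append({"itemIdentifier": record["messageId"]})
    return {"batchItemFailures": failures}


def is_last_attempt(record: dict, max_receive_count: int) -> bool:
    """True if a failure on this delivery leaves no retries before the DLQ.

    SQS moves a message once its ReceiveCount exceeds maxReceiveCount, so the
    receive numbered maxReceiveCount is the last chance to process it; the next
    receive attempt redrives it to the DLQ instead of delivering it.
    """
    return int(record["attributes"]["ApproximateReceiveCount"]) >= max_receive_count


# Constructed SQS event: one good message, one bad message on its 3rd delivery.
SAMPLE_EVENT = {
    "Records": [
        {
            "messageId": "0f4a9c2e-6b1d-4e8f-9a3c-5d7e2f1b0a9c",
            "body": json.dumps({"order_id": 1001, "customer_id": "c-77"}),
            "attributes": {"ApproximateReceiveCount": "1"},
            "eventSource": "aws:sqs",
        },
        {
            "messageId": "e7b3c2d1-9a8f-4c6e-b5d4-3a2f1e0d9c8b",
            "body": json.dumps({"order_id": 1002}),
            "attributes": {"ApproximateReceiveCount": "3"},
            "eventSource": "aws:sqs",
        },
    ]
}

if __name__ == "__main__":
    print(handler(SAMPLE_EVENT))
    for rec in SAMPLE_EVENT["Records"]:
        print(rec["messageId"], "last attempt:", is_last_attempt(rec, 3))
```

Because the handler never raises, neither the Errors metric nor an EventBridge rule sees anything here; the only reliable signal that message 1002 gave up is the DLQ's message count, which is why option A is the answer.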
