AWS Certified DevOps Engineer Professional DOP-C02 (DOP-C02) — Questions 1051–1125

1740 questions total · 24 pages · All types, answers revealed

Page 15 of 24

1051
MCQeasy

An application running on Amazon EC2 instances sends custom metrics to CloudWatch. The team notices that some metrics are not appearing. What is the most likely cause?

A.The custom metric namespace is not pre-registered in CloudWatch.
B.The EC2 instances are in a private subnet without a NAT gateway.
C.The IAM role attached to the EC2 instance lacks permissions to publish metrics.
D.The CloudWatch agent is not installed or configured on the EC2 instances.
AnswerD

Custom metrics only reach CloudWatch if something publishes them: the CloudWatch agent, or application code calling PutMetricData.

Why this answer

Option D is correct because custom metrics are not collected automatically; the CloudWatch agent (or code calling PutMetricData) has to be installed, configured to emit the metric, and running. A quick check on the instance is `amazon-cloudwatch-agent-ctl -a status`, and /opt/aws/amazon-cloudwatch-agent/logs/amazon-cloudwatch-agent.log shows any PutMetricData errors. Option C is wrong because, although the instance role does need cloudwatch:PutMetricData, a permission problem shows up as AccessDenied in that log or in the API response, and the agent must be running before that check even applies. Option B is wrong because a private subnet only affects the network path; if the agent has no route to the CloudWatch endpoint, give it one through a NAT gateway or a CloudWatch (monitoring) VPC interface endpoint.

Option A is wrong because custom namespaces are not pre-registered: CloudWatch creates one the first time a metric is published into it.

1052
MCQmedium

A company wants to collect and analyze logs from on-premises servers and send them to AWS for centralized monitoring. Which combination of AWS services should be used?

A.Amazon CloudWatch Agent on the on-premises servers to send logs to Amazon CloudWatch Logs.
B.Amazon Kinesis Agent on the on-premises servers to send logs to Amazon Kinesis Data Firehose, then to Amazon S3.
C.Amazon CloudWatch Agent with the awslogs configuration to send logs to Amazon CloudWatch Logs.
D.AWS Systems Manager Agent to collect logs and send to Amazon CloudWatch Logs.
AnswerA

The CloudWatch agent can collect logs and metrics from on-premises servers and send them to CloudWatch.

Why this answer

Option A is correct: the CloudWatch agent collects log files from on-premises servers and ships them to CloudWatch Logs. An on-premises server has no instance role, so the agent authenticates with the access keys of an IAM user that is allowed logs:CreateLogGroup, logs:CreateLogStream and logs:PutLogEvents. Option B is wrong because the Kinesis Agent streams to Kinesis Data Streams or Firehose, not to CloudWatch Logs directly. Option C describes the legacy awslogs agent configuration; the unified CloudWatch agent replaced it and is the recommended tool.

Option D is wrong because SSM Agent manages the server (commands, patching, inventory) but does not collect logs.

1053
MCQeasy

A DevOps engineer is configuring AWS CloudTrail to log all management events across all regions. The engineer wants to ensure that log files are encrypted at rest using a customer-managed KMS key. What is the correct way to achieve this?

A.Use SSE-C with a customer-provided key when uploading logs to S3.
B.Enable client-side encryption before delivering logs to S3.
C.Enable default encryption on the S3 bucket using SSE-S3.
D.Specify a KMS key ID in the CloudTrail trail configuration and grant CloudTrail permissions to use the key.
AnswerD

CloudTrail can encrypt its log files with a customer-managed KMS key (SSE-KMS) chosen on the trail.

Why this answer

Option D is correct because CloudTrail supports SSE-KMS with a customer-managed key: you set the key on the trail, and the key policy must let the CloudTrail service principal (cloudtrail.amazonaws.com) call kms:GenerateDataKey* and kms:DescribeKey, typically scoped with a kms:EncryptionContext:aws:cloudtrail:arn condition to that trail, while anyone who reads the logs needs kms:Decrypt on the same key. Option C is wrong because SSE-S3 encrypts with keys S3 manages, not a key the customer controls. Option A is wrong because SSE-C requires the caller to supply the key on every request, which CloudTrail does not support.

Option B is wrong because CloudTrail does not support client-side encryption of log files.

1054
MCQeasy

A DevOps engineer is using AWS OpsWorks for configuration management. They need to ensure that custom recipes are applied to all instances in a layer in a specific order. What should the engineer do?

A.Assign the recipes to the appropriate lifecycle events in the layer configuration.
B.Use AWS CloudFormation Init with cfn-init to order the scripts.
C.Include all recipes in a single wrapper recipe and use include_recipe with the desired order.
D.Add the recipes to the instance's user data script.
AnswerA

Lifecycle events allow ordered execution of recipes.

Why this answer

AWS OpsWorks uses lifecycle events (Setup, Configure, Deploy, Undeploy, Shutdown) to control when custom recipes run on instances within a layer. By assigning recipes to the appropriate lifecycle events in the layer configuration, the engineer ensures they execute in the defined order for that event across all instances in the layer, which is the native mechanism for ordering in OpsWorks.

Exam trap

The trap here is that candidates may confuse OpsWorks lifecycle events with Chef's include_recipe directive, assuming that ordering within a wrapper recipe is sufficient, when OpsWorks actually enforces order through lifecycle event assignments.

How to eliminate wrong answers

Option B is wrong because AWS CloudFormation Init with cfn-init is used for bootstrapping EC2 instances in CloudFormation stacks, not for managing recipe execution order within an OpsWorks layer, which is a separate configuration management service. Option C is wrong because while include_recipe can be used in Chef to include other recipes, placing all recipes in a single wrapper recipe does not inherently enforce a specific order across lifecycle events; OpsWorks relies on lifecycle event assignments to control execution sequence, not Chef's include_recipe order alone. Option D is wrong because user data scripts run only at instance launch and are not integrated with OpsWorks lifecycle events; they cannot manage the ordered execution of custom recipes across the instance's operational lifecycle.

1055
MCQmedium

A DevOps engineer notices that an EC2 instance running a critical application is unresponsive. The engineer checks CloudWatch metrics and sees a CPU Utilization spike to 100% just before the instance became unresponsive. However, the instance status check passed. What should the engineer do NEXT to troubleshoot the issue?

A.Use the EC2 Serial Console to connect to the instance and diagnose the issue.
B.Terminate the instance and launch a new one from the same AMI.
C.Review CloudWatch Logs for the instance to identify any application errors.
D.Increase the instance size and restart the instance.
AnswerA

The serial console provides out-of-band access to the instance for troubleshooting OS-level problems.

Why this answer

Option A is correct because an instance that stops responding over the network while its status checks still pass is showing an OS-level problem (kernel hang, runaway load, broken network stack), and the EC2 Serial Console gives out-of-band access that does not depend on networking or SSH. The prerequisites are easy to miss: serial console access has to be enabled for the account, the instance type must support it (Nitro-based), and the OS needs a local user with a password set, because the console is a plain tty login. Option D is wrong because resizing only helps if resource exhaustion is the root cause, and nothing confirms that until someone looks at the instance.

Option B is wrong because the status checks passed, so replacing the instance without investigation throws away the evidence along with any instance-store or unsynced data. Option C is wrong because CloudWatch Logs are worth reading afterwards but give no interactive access to a hung instance, and a hung agent may have stopped shipping logs before the interesting part.

1056
MCQhard

Refer to the exhibit. An IAM policy is attached to a user. The user attempts to download an object from 'example-bucket' from an IP address 10.0.0.5. However, the request is denied. What is the most likely reason?

A.The bucket 'example-bucket' does not exist in the account.
B.The policy uses 'aws:SourceIp' which is not supported for S3.
C.The IP address 10.0.0.5 is not in the allowed range.
D.The policy does not grant s3:ListBucket permission, which is required to access objects.
AnswerD

s3:GetObject on the object ARN is not enough for clients that list the bucket first; listing is a separate action (s3:ListBucket) on the bucket ARN.

Why this answer

Option D is correct: the policy grants s3:GetObject on the object ARN (arn:aws:s3:::example-bucket/*), but s3:ListBucket is a separate action on the bucket ARN itself (arn:aws:s3:::example-bucket), and tools that list before they download (the S3 console, aws s3 cp with a prefix, aws s3 sync) are denied when it is absent; without ListBucket a request for a missing key also returns 403 instead of 404. Option B is wrong because aws:SourceIp is a global condition key that S3 evaluates in both IAM and bucket policies. The practical caveat is that it carries the public IP S3 sees: a client on 10.0.0.5 behind a NAT gateway presents the NAT's address, and a request through a VPC gateway endpoint carries aws:VpcSourceIp instead, so an IpAddress condition on aws:SourceIp silently fails to match. Option C is wrong because, per the exhibit, 10.0.0.5 is inside the allowed range.

Option A is wrong because the bucket exists; a nonexistent bucket would produce a different error, and the policy is what the question is testing.
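
A small evaluator for the policy shape this question describes, added here as an example (it is not code from the question bank, and the question's exhibit is not reproduced; the policy, bucket name and CIDR are constructed). It shows the two things the explanation relies on: s3:GetObject on bucket/* does not cover s3:ListBucket on the bucket ARN, and an IpAddress condition on aws:SourceIp fails closed when the key is absent, as it is for requests through a VPC endpoint. Only the subset of IAM evaluation the question exercises is modelled.

```python
"""Simplified IAM evaluation for the S3 scenario in question 1056.

Added example, not from the question bank. The policy, bucket name and
CIDR are constructed, since the question's exhibit is not reproduced
here. The evaluator models only what the question exercises: Allow and
Deny statements, action and ARN wildcards, the IpAddress operator on
aws:SourceIp, and IAM's default deny.
"""
import fnmatch
import ipaddress

OBJECT_ARN = "arn:aws:s3:::example-bucket/report.csv"
BUCKET_ARN = "arn:aws:s3:::example-bucket"

# Constructed policy: object reads from one CIDR, but no s3:ListBucket
# on the bucket ARN, which is a different resource from bucket/*.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {"IpAddress": {"aws:SourceIp": "10.0.0.0/24"}},
        }
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches_any(value, patterns):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _source_ip_ok(statement, context):
    """IpAddress on aws:SourceIp. The key is absent for requests that arrive
    through a VPC endpoint (they carry aws:VpcSourceIp instead), and an
    absent key never satisfies IpAddress."""
    cidrs = statement.get("Condition", {}).get("IpAddress", {}).get("aws:SourceIp")
    if cidrs is None:
        return True  # statement has no source-IP condition
    src = context.get("aws:SourceIp")
    if src is None:
        return False
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(c) for c in _as_list(cidrs))


def evaluate(policy, action, resource, context):
    """Return 'allowed', 'explicit-deny', or a default-deny reason."""
    allowed = False
    condition_failed = False
    for st in policy["Statement"]:
        if not _matches_any(action, st["Action"]):
            continue
        if not _matches_any(resource, st["Resource"]):
            continue
        if not _source_ip_ok(st, context):
            condition_failed = True
            continue
        if st["Effect"] == "Deny":
            return "explicit-deny"  # an applicable Deny always wins
        allowed = True
    if allowed:
        return "allowed"
    if condition_failed:
        return "denied: aws:SourceIp condition not satisfied"
    return "denied: no statement grants %s on %s" % (action, resource)


def is_allowed(policy, action, resource, context):
    return evaluate(policy, action, resource, context) == "allowed"


if __name__ == "__main__":
    cases = [
        ("s3:GetObject", OBJECT_ARN, {"aws:SourceIp": "10.0.0.5"}),
        ("s3:GetObject", OBJECT_ARN, {"aws:SourceIp": "203.0.113.7"}),
        ("s3:ListBucket", BUCKET_ARN, {"aws:SourceIp": "10.0.0.5"}),
        ("s3:GetObject", OBJECT_ARN, {"aws:VpcSourceIp": "10.0.0.5"}),
    ]
    for action, resource, ctx in cases:
        print("%-14s %-40s %s -> %s" % (action, resource, ctx,
                                        evaluate(POLICY, action, resource, ctx)))
```

Run it to see the four verdicts; evaluate() distinguishes a condition failure from a missing statement, which is the first thing to establish when a policy that looks right still yields AccessDenied.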

1057
Multi-Selecteasy

Which TWO criteria must be met for an AWS CloudFormation stack update to be successful? (Choose 2.)

Select 2 answers
A.The update template must be valid and must not contain any syntax errors.
B.The stack must be in a steady state with no previous failed updates.
C.The stack must be in a state that allows updates (e.g., CREATE_COMPLETE, UPDATE_COMPLETE).
D.A change set must be created and executed before the update.
E.The stack must have no drift detected.
AnswersA, C

CloudFormation validates the template before applying changes.

Why this answer

Options A and C are correct. Option A: CloudFormation validates the template before it touches any resource, so a template with syntax errors fails the update immediately. Option C: the stack must be in a state that accepts updates, such as CREATE_COMPLETE, UPDATE_COMPLETE or UPDATE_ROLLBACK_COMPLETE; a stack mid-operation (any *_IN_PROGRESS status) cannot be updated, and one in ROLLBACK_COMPLETE after a failed creation can only be deleted.

Option D is wrong because a change set is optional; update-stack applies the template directly, and a change set is a good practice for previewing changes rather than a requirement. Option E is wrong because drift is reported, not enforced; a drifted stack can still be updated. Option B is wrong because a previously failed update is not blocking once its rollback has finished: UPDATE_ROLLBACK_COMPLETE accepts new updates.

1058
MCQmedium

A DevOps team uses AWS CodeCommit and AWS CodePipeline for CI/CD. They need to ensure that sensitive configuration parameters such as database passwords are not stored in plaintext in the source code repository. Which solution meets these requirements with minimal operational overhead?

A.Store the parameters in a separate encrypted Git repository and use Git submodules.
B.Use AWS KMS to encrypt the parameters and include the encrypted blob in the source code.
C.Store the parameters in an S3 bucket with server-side encryption, and have the pipeline download them.
D.Use AWS Systems Manager Parameter Store with secure strings, and reference them in the pipeline using parameter-store action.
AnswerD

Parameter Store securely stores secrets and integrates with CodePipeline.

Why this answer

Option D is correct because AWS Systems Manager Parameter Store with SecureString parameters provides a native, fully managed store for sensitive configuration such as database passwords, encrypted with a KMS key. Referenced from the pipeline, the secret is fetched at run time and never lands in the repository, with no hand-rolled encryption or decryption logic. In practice the retrieval happens in the build stage: a CodeBuild buildspec lists the parameter under env.parameter-store (or env.secrets-manager for Secrets Manager), CodeBuild resolves it into an environment variable when the build starts, and the build role needs ssm:GetParameters on the parameter plus kms:Decrypt on the key that protects it.

Exam trap

The trap here is that candidates may think storing an encrypted blob in the repository (Option B) is acceptable because it is 'encrypted,' but the exam tests the principle that secrets should never be stored in the source code repository at all, even in encrypted form, due to key management and exposure risks.

How to eliminate wrong answers

Option A is wrong because maintaining a separate encrypted Git repository and using Git submodules adds significant complexity, does not natively integrate with CodePipeline, and still risks exposing sensitive data in the submodule reference or during cloning. Option B is wrong because including an encrypted blob in the source code requires manual key management and decryption logic in the pipeline, and the encrypted blob itself is still stored in the repository, which violates the principle of not storing secrets in the codebase. Option C is wrong because storing parameters in an S3 bucket with server-side encryption requires additional pipeline steps to download the file, manage bucket permissions, and handle potential race conditions or stale data, increasing operational overhead compared to a direct parameter store reference.

1059
MCQmedium

A company runs a web application on EC2 instances behind an Application Load Balancer. The application uses an Aurora MySQL database. Recently, the database experienced a failover, and the application started throwing connection errors. The DevOps engineer needs to make the application resilient to database failovers with minimal code changes. What should they do?

A.Configure the application to use the Aurora cluster endpoint for database connections
B.Configure the application to use the Aurora reader endpoint for all queries
C.Create a cross-Region read replica and configure the application to retry on failure
D.Use Amazon RDS Proxy with IAM authentication to handle connection pooling
AnswerA

Cluster endpoint always points to the current writer.

Why this answer

Option A is correct because the Aurora cluster (writer) endpoint is a DNS name that Aurora repoints to the new primary after a failover, so the application only has to reconnect; using that hostname is the whole change. Keep the client's DNS caching short (the endpoint record has a 5-second TTL) or the reconnect lands on the old writer. Option B is wrong because the reader endpoint load-balances across read replicas and is read-only, so writes would fail. Option C is wrong because a cross-Region read replica does not fail over automatically, and retry logic is an application code change.

Option D is wrong because RDS Proxy is a legitimate way to shorten the impact of a failover, but it adds a component to run and the IAM authentication in the option is itself a code change, which the question rules out.

1060
Multi-Selectmedium

A DevOps team is implementing a CI/CD pipeline for a microservices architecture. Each microservice is built and deployed independently. The team wants to ensure that only one build runs per microservice at a time to avoid resource contention, and that the build artifacts are stored securely. Which THREE steps should the team take?

Select 3 answers
A.Store build artifacts in AWS CodeArtifact
B.Enable versioning on the S3 bucket storing build artifacts
C.Configure a concurrency limit in the CodeBuild project for each microservice
D.Create a separate CodePipeline for each microservice
E.Enable server-side encryption on the S3 bucket storing build artifacts
AnswersB, C, E

Versioning retains all artifact versions for rollback

Why this answer

To ensure only one build per microservice runs at a time, set the concurrent build limit on each microservice's CodeBuild project; CodeBuild will not start a build that would exceed it. Secure storage of artifacts is achieved by encrypting the S3 artifact bucket and enabling versioning so that earlier artifacts survive an overwrite and can be rolled back to.

Option C (concurrency limit on the CodeBuild project) is correct. Option E (encrypt the artifact bucket) is correct. Option B (enable versioning on the artifact bucket) is correct.

Option D is wrong because separate pipelines do not by themselves limit concurrency; each pipeline can still start overlapping builds. Option A is wrong because CodeArtifact is a package repository (npm, Maven, PyPI and similar), not a store for pipeline build artifacts.

1061
MCQhard

A company runs a critical application on EC2 instances behind an Application Load Balancer. The application uses an Amazon RDS for PostgreSQL Multi-AZ DB instance. During a recent failover test, the application experienced a 5-minute downtime. The RDS failover completed within 30 seconds. What is the most likely cause of the prolonged downtime?

A.The application caches DNS resolutions, causing it to connect to the old writer endpoint
B.The RDS Multi-AZ failover took longer than expected due to a large transaction log
C.The Application Load Balancer health checks marked all instances as unhealthy during the failover
D.The application was using read replicas for writes, which failed during failover
AnswerA

Stale DNS causes connectivity issues.

Why this answer

The most likely cause is that the application caches DNS resolutions, causing it to continue connecting to the old writer endpoint after failover. When an RDS Multi-AZ failover occurs, the DNS record for the writer endpoint is updated to point to the new primary instance, but the application's cached DNS entry still points to the old IP address. Since the old primary is now a standby and no longer accepts connections, the application experiences downtime until the DNS cache expires (typically 5–60 seconds) or the application refreshes the DNS resolution.

The 5-minute downtime points at a long DNS TTL on the client side or a caching layer that delays reconnection. The JVM is a common culprit: networkaddress.cache.ttl caches successful lookups for 30 seconds by default and forever when a security manager is installed, and long-lived connection pools keep sockets to the old primary until a validation query or a recycle evicts them. The check is to resolve the endpoint from the application host after the failover and compare it with the address the pool is still connected to.

Exam trap

The trap here is that candidates assume the 5-minute downtime must be caused by the database failover itself, but the question explicitly states the failover completed in 30 seconds, so the real issue is application-side DNS caching or stale connection handling.

How to eliminate wrong answers

Option B is wrong because the scenario explicitly states the RDS failover completed within 30 seconds, so a large transaction log did not cause the prolonged downtime. Option C is wrong because the Application Load Balancer health checks are independent of RDS failover; even if the database is briefly unavailable, the ALB does not mark instances unhealthy unless the application itself fails health checks due to database connectivity issues. Option D is wrong because read replicas are not used for writes in a standard RDS Multi-AZ setup; writes always go to the primary instance, and read replicas are read-only, so this scenario does not apply.

1062
MCQmedium

A development team uses AWS CodeCommit for source control. They want to enforce that all commits include a JIRA issue key in the commit message. What is the MOST efficient way to achieve this?

A.Use Amazon CloudWatch Events to detect new commits and invoke a Lambda function to validate the commit message.
B.Implement a pre-commit hook in each developer's local repository.
C.Configure a branch policy on the repository that requires commit message format.
D.Create a CodeCommit trigger that invokes an AWS Lambda function on every push to validate commit messages.
AnswerD

CodeCommit triggers can invoke Lambda on push events, allowing validation of all commits.

Why this answer

Option D is correct because a CodeCommit repository trigger can invoke a Lambda function on every push, and the function can read each commit (GetCommit) and check the message format. Triggers fire after the push has been accepted, so the function alerts on or reverts non-compliant commits rather than blocking them. Option C is wrong because CodeCommit has no branch policy for commit message format; approval rule templates govern pull requests, not commits. Option A is wrong because an EventBridge rule on CodeCommit repository state changes also works, but a repository trigger is the more direct wiring for the same Lambda function.

Option B is wrong because pre-commit hooks run client-side and a developer can skip or omit them, so they are not enforceable.
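
An added example of the Lambda function such a trigger would invoke (not code from the question bank or an AWS sample). The trigger event shape, the boto3 GetCommit call and the fetch_message hook are assumptions used to keep the validation logic testable without AWS access; the sample event and commit messages are constructed.

```python
"""CodeCommit push trigger that flags commits without a JIRA issue key.

Added example for question 1062; not from the question bank or an AWS
sample. A repository trigger fires after the push has landed, so this
function reports offenders rather than rejecting them. The event shape
(Records[].codecommit.references[].commit) and the fetch_message hook
are assumptions; inside Lambda the hook calls codecommit:GetCommit.
"""
import re

# JIRA keys look like DOP-42: an uppercase project key, a dash, digits.
JIRA_KEY = re.compile(r"\b[A-Z][A-Z0-9]+-\d+\b")


def has_issue_key(message):
    """True if the commit message (subject or body) names a JIRA issue."""
    return JIRA_KEY.search(message) is not None


def commit_ids(event):
    """Yield (ref, commit_id) for each reference updated by the push.
    The event names only the tip commit of each ref; to check every
    commit in a multi-commit push, walk the parents with GetCommit."""
    for record in event.get("Records", []):
        for ref in record.get("codecommit", {}).get("references", []):
            if ref.get("commit"):
                yield ref.get("ref", ""), ref["commit"]


def find_violations(event, fetch_message):
    """Return [(ref, commit_id, message)] for commits lacking a key."""
    violations = []
    for ref, cid in commit_ids(event):
        message = fetch_message(cid)
        if not has_issue_key(message):
            violations.append((ref, cid, message))
    return violations


def handler(event, context=None, fetch_message=None):
    """Lambda entry point. With no hook supplied it reads commits from
    CodeCommit; the repository name is the last ARN component."""
    if fetch_message is None:
        import boto3  # only imported on the Lambda path
        client = boto3.client("codecommit")
        repo = event["Records"][0]["eventSourceARN"].rsplit(":", 1)[1]

        def fetch_message(cid):
            return client.get_commit(repositoryName=repo,
                                     commitId=cid)["commit"]["message"]

    violations = find_violations(event, fetch_message)
    # Publish to SNS or open a ticket here; the return value is also
    # visible in the Lambda logs for auditing.
    return {"violations": [{"ref": r, "commit": c} for r, c, _ in violations]}


# Constructed sample: one push that updated two branches.
SAMPLE_EVENT = {
    "Records": [
        {
            "eventSourceARN": "arn:aws:codecommit:us-east-1:123456789012:payments-api",
            "codecommit": {
                "references": [
                    {"commit": "a1b2c3", "ref": "refs/heads/main"},
                    {"commit": "d4e5f6", "ref": "refs/heads/feature/rotate-creds"},
                ]
            },
        }
    ]
}
SAMPLE_MESSAGES = {
    "a1b2c3": "DOP-42 rotate database credentials via Parameter Store",
    "d4e5f6": "fix typo in README",
}

if __name__ == "__main__":
    print(handler(SAMPLE_EVENT, fetch_message=SAMPLE_MESSAGES.__getitem__))
```

Because the trigger fires after the push, the return value is something to alert on (publish it to SNS from the handler) or to act on with an automated revert; it cannot stop the push. The event names only the tip commit of each ref, so a multi-commit push needs a walk of the parents through GetCommit to check every commit.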

1063
MCQhard

A company uses AWS CloudFormation to manage infrastructure. After a failed stack update, the stack is in ROLLBACK_COMPLETE state. The DevOps team needs to identify the specific resource that caused the rollback and review the error message. Which approach provides the most efficient way to achieve this?

A.Run describe-stack-events and filter by status.
B.View the Events tab in the AWS CloudFormation console.
C.Check AWS CloudTrail for the UpdateStack API call.
D.Run describe-stack-resources to list all stack resources.
AnswerB

Provides a clear view of all events and errors.

Why this answer

Option B is correct because the console's Events tab lists every stack event, newest first, with the failing resource and its status reason, and nothing has to be written to read it. Option A is wrong only on efficiency: describe-stack-events carries the same ResourceStatusReason, but it needs a --query or client-side filter and pagination. Option D is wrong because describe-stack-resources shows each resource's current status but not the error message.

Option D is wrong because CloudTrail logs API calls but does not directly show CloudFormation resource errors in an aggregated view.

1064
MCQhard

A company runs a stateful web application on EC2 instances behind an Application Load Balancer. The application uses sticky sessions (session affinity) based on cookies. During a deployment, the DevOps engineer notices that some users are being logged out and losing session data. The deployment uses a rolling update strategy. What is the MOST likely cause?

A.The Auto Scaling group is terminating instances before the new ones are fully ready.
B.The health check interval is too long, causing the ALB to route traffic to unhealthy instances.
C.The ALB sticky session cookie is not being generated correctly.
D.The session data is stored locally on the EC2 instance, not in a shared external store.
AnswerD

When the instance is terminated, local session data is lost, causing users to be logged out.

Why this answer

Option D is correct because a rolling update terminates old instances and launches new ones. A sticky session pins a user to one instance; when that instance goes away, the session is lost unless it lives in a shared store such as ElastiCache or DynamoDB. Option C is wrong because the ALB's stickiness configuration did not change during the deployment.

Option B is wrong because health checks are not the direct cause; a slow health check would route requests to an unhealthy target, not erase session state. Option A is wrong because instance replacement is how a rolling update works, not a defect, and even a perfectly sequenced replacement loses sessions stored on local disk or in process memory.

1065
MCQhard

A company is using AWS CloudFormation to deploy infrastructure. The DevOps team wants to receive notifications when stack operations fail. They create an Amazon SNS topic and subscribe the team's email. Then they configure CloudFormation to send notifications to the SNS topic. However, no notifications are received when a stack creation fails. What is the MOST likely reason?

A.The SNS topic does not have an IAM policy allowing CloudFormation to publish.
B.The email subscription to the SNS topic has not been confirmed.
C.The SNS topic is in a different AWS Region.
D.The CloudFormation stack was created without specifying the SNS topic ARN in the 'NotificationARNs' parameter.
AnswerD

The topic ARN must be attached to the stack (NotificationARNs) for CloudFormation to publish to it.

Why this answer

Option D is correct. CloudFormation publishes stack events to an SNS topic only when the topic ARN is attached to the stack through NotificationARNs (the --notification-arns option of create-stack and update-stack, or the notification setting in the console's advanced options); configuring the topic on its own does nothing. Option A is wrong because a topic in the same account with its default access policy needs no extra policy for CloudFormation to publish to it.

Option B is wrong because an unconfirmed email subscription would drop messages silently, but the scenario describes the subscription as done, which includes following the confirmation link. Option C is wrong because the topic's Region is moot when no topic ARN is attached to the stack at all.

1066
MCQmedium

A company uses AWS CloudFormation to deploy a web application across multiple AWS accounts using StackSets. The DevOps team notices that stack instance updates are failing in some accounts with the error: 'Insufficient IAM permissions to perform the action'. The team has already verified that the StackSet IAM role has the necessary permissions. What is the most likely cause of this issue?

A.The target accounts have reached the limit of 200 stacks per region.
B.The target accounts do not have the necessary trust policy to allow the StackSet IAM role to assume the execution role.
C.AWS Organizations has a service control policy (SCP) that denies the required action, but the StackSet IAM role has full admin permissions.
D.The StackSet name contains invalid characters that are not allowed in some accounts.
AnswerB

StackSets with self-managed permissions need an execution role in each target account that trusts the administration account's role.

Why this answer

Option B is correct because, with self-managed permissions, the administration account's role (AWSCloudFormationStackSetAdministrationRole) must be able to assume an execution role (AWSCloudFormationStackSetExecutionRole) in every target account; if that execution role is missing or its trust policy does not name the administration account, the stack instance fails with an insufficient-permissions error even though the administration role itself has everything it needs. Checking the execution role's trust policy in one failing account is the quickest confirmation. Option A is wrong because a stack quota problem is reported as a limit error, not a permissions error. Option D is wrong because the StackSet name is validated once at creation and does not vary by account.

Option C is wrong because the administration role's permissions do not apply inside target accounts, where the execution role is what acts; an SCP denying the action would produce a similar error, but the scenario gives no indication of one, and it would not be fixed by anything on the administration side.

1067
Multi-Selecthard

A company runs a critical application on Amazon ECS with Fargate launch type. The application is experiencing intermittent failures due to resource exhaustion. The DevOps team wants to implement automated responses to scale the service. Which THREE steps should the team take to achieve this? (Choose THREE.)

Select 3 answers
A.Create an AWS Lambda function to manually update the service.
B.Create a CloudWatch alarm based on CPU or memory utilization.
C.Configure EC2 Auto Scaling group for the cluster.
D.Use Application Auto Scaling to define a scaling policy.
E.Configure the ECS service to use auto scaling.
AnswersB, D, E

Alarms trigger scaling actions when thresholds are breached.

Why this answer

Options B, D and E are correct. A CloudWatch alarm on the service's CPUUtilization or MemoryUtilization fires when the threshold is breached, and Application Auto Scaling then adjusts the service's desired task count through a scaling policy.

Service auto scaling has to be enabled on the service with minimum and maximum task counts (the service is registered as a scalable target) before a policy can be attached. With a target-tracking policy, Application Auto Scaling creates and manages the alarms itself; a hand-built alarm is what a step-scaling policy uses. Option C is wrong because EC2 Auto Scaling and cluster capacity providers apply to the EC2 launch type; Fargate has no instances to scale. Option A is wrong because a Lambda function that edits the desired count reinvents what Application Auto Scaling already does.

1068
Multi-Selecthard

Which TWO actions should a DevOps engineer take to ensure that an AWS CodeBuild project's artifacts are automatically deployed to an Amazon S3 bucket with server-side encryption using AWS KMS? (Choose 2.)

Select 2 answers
A.Enable versioning on the S3 bucket.
B.Configure the S3 bucket policy to require HTTPS for all uploads.
C.In the buildspec.yaml, set the 'artifacts' section to include 'encryptionDisabled: false' and specify the KMS key ID.
D.Enable default encryption on the S3 bucket using SSE-KMS.
E.Grant the CodeBuild service role permission to use the KMS key via the key policy.
AnswersC, E

This configures CodeBuild to encrypt the artifacts with the specified KMS key.

Why this answer

Options C and E are correct. Option E gives the CodeBuild service role permission to use the key; CodeBuild needs kms:GenerateDataKey*, kms:Encrypt, kms:Decrypt and kms:DescribeKey on it, granted in the key policy or in an IAM policy the key policy delegates to. Option C keeps artifact encryption enabled and names the key; in the project configuration this is the artifacts' encryptionDisabled flag together with the project's encryptionKey, which CodeBuild applies as SSE-KMS when it writes the artifact to S3.

Option D is wrong because bucket default encryption only applies to uploads that specify no encryption; CodeBuild sets SSE-KMS with its own key, so the default is never consulted (a bucket policy that denies unencrypted uploads is still a reasonable backstop). Option B is wrong because requiring HTTPS addresses encryption in transit, not at rest. Option A is wrong because versioning retains object history and encrypts nothing.

1069
MCQeasy

A DevOps engineer is troubleshooting an issue where an Amazon RDS for MySQL instance is experiencing high latency. The engineer wants to identify which queries are causing the problem. Which AWS service should be used?

A.Amazon RDS Performance Insights
B.AWS CloudTrail
C.Amazon CloudWatch Metrics
D.VPC Flow Logs
AnswerA

Performance Insights provides per-query performance data to identify problematic queries.

Why this answer

Option A is correct because RDS Performance Insights breaks database load down by wait event and by SQL statement, which is exactly what identifies the queries behind high latency. Option C is wrong because CloudWatch metrics show aggregate performance (CPU, connections, latency) with no per-query detail. Option B is wrong because CloudTrail records control-plane API calls against RDS, not the SQL the database executes.

Option D is wrong because VPC Flow Logs capture network traffic.

1070
Multi-Selecthard

A company uses AWS CloudFormation to deploy a multi-tier application. The stack creation fails with a 'CREATE_FAILED' error for a resource. The engineer wants to troubleshoot the issue. Which THREE steps should the engineer take? (Choose THREE.)

Select 3 answers
A.Use the 'describe-stack-events' AWS CLI command to view the events.
B.Review the CloudWatch Logs log group for the stack to find detailed error logs.
C.Check the 'ResourceStatusReason' field of the failed resource in the stack events.
D.Run 'delete-stack' to remove the failed stack and start over.
E.Use the 'describe-stacks' AWS CLI command to get the stack outputs.
AnswersA, B, C

Events show detailed failure messages.

Why this answer

Options A, B and C are correct. A: describe-stack-events lists every event for the stack, including the failed resource. C: the ResourceStatusReason on the first *_FAILED event is the actual error message; the siblings that fail afterwards usually show only "Resource creation cancelled".

B: where the failing resource emits its own logs (cfn-init on an instance, a Lambda-backed custom resource), CloudWatch Logs holds the detail that a one-line status reason lacks. Option D is wrong because delete-stack destroys the evidence along with the resources; at most, run it after the cause has been recorded. Option E is wrong because describe-stacks reports stack status and outputs, not per-resource failure reasons.
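
The same investigation for questions 1063 and 1070, as an added example (not code from the question bank): given the event list from `aws cloudformation describe-stack-events --stack-name demo-stack` or boto3's describe_stack_events, pick out the resource that actually failed. The sample events are constructed; the stack name, resource names and the S3 error text are placeholders.

```python
"""Locate the resource that caused a CloudFormation rollback (questions 1063 and 1070).

Added example, not from the question bank. It consumes the StackEvents
list that describe-stack-events returns (via the CLI's JSON or boto3),
so it runs here on a constructed sample; in practice feed it the pages
from client.describe_stack_events(StackName=...). The API returns events
newest first, and once one resource fails every sibling still in flight
is also marked *_FAILED with the reason 'Resource creation cancelled',
so the root cause is the OLDEST failure that is not a cancellation.
"""
from datetime import datetime, timezone

CANCELLED = {"Resource creation cancelled", "Resource update cancelled"}

# Constructed sample, newest first, as the API returns it.
SAMPLE_EVENTS = [
    {"StackName": "demo-stack", "LogicalResourceId": "demo-stack",
     "ResourceType": "AWS::CloudFormation::Stack", "ResourceStatus": "ROLLBACK_COMPLETE",
     "Timestamp": "2024-05-01T10:02:30Z"},
    {"StackName": "demo-stack", "LogicalResourceId": "demo-stack",
     "ResourceType": "AWS::CloudFormation::Stack", "ResourceStatus": "ROLLBACK_IN_PROGRESS",
     "ResourceStatusReason": "The following resource(s) failed to create: [AppBucket]. Rollback requested by user.",
     "Timestamp": "2024-05-01T10:01:10Z"},
    {"StackName": "demo-stack", "LogicalResourceId": "AppQueue",
     "ResourceType": "AWS::SQS::Queue", "ResourceStatus": "CREATE_FAILED",
     "ResourceStatusReason": "Resource creation cancelled",
     "Timestamp": "2024-05-01T10:01:05Z"},
    {"StackName": "demo-stack", "LogicalResourceId": "AppBucket",
     "ResourceType": "AWS::S3::Bucket", "ResourceStatus": "CREATE_FAILED",
     "ResourceStatusReason": "example-app-bucket already exists",
     "Timestamp": "2024-05-01T10:01:00Z"},
    {"StackName": "demo-stack", "LogicalResourceId": "AppQueue",
     "ResourceType": "AWS::SQS::Queue", "ResourceStatus": "CREATE_IN_PROGRESS",
     "Timestamp": "2024-05-01T10:00:50Z"},
    {"StackName": "demo-stack", "LogicalResourceId": "AppBucket",
     "ResourceType": "AWS::S3::Bucket", "ResourceStatus": "CREATE_IN_PROGRESS",
     "Timestamp": "2024-05-01T10:00:40Z"},
    {"StackName": "demo-stack", "LogicalResourceId": "demo-stack",
     "ResourceType": "AWS::CloudFormation::Stack", "ResourceStatus": "CREATE_IN_PROGRESS",
     "ResourceStatusReason": "User Initiated", "Timestamp": "2024-05-01T10:00:30Z"},
]


def _when(event):
    """boto3 hands back datetimes; CLI JSON hands back ISO-8601 strings."""
    stamp = event["Timestamp"]
    if isinstance(stamp, datetime):
        return stamp if stamp.tzinfo else stamp.replace(tzinfo=timezone.utc)
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def failed_resource_events(events):
    """Resource-level *_FAILED events, oldest first, cancellations dropped.
    The stack's own events are skipped; a nested stack still shows up,
    since its LogicalResourceId differs from the parent StackName."""
    failed = [
        e for e in events
        if e["ResourceStatus"].endswith("_FAILED")
        and e["LogicalResourceId"] != e.get("StackName")
        and e.get("ResourceStatusReason", "") not in CANCELLED
    ]
    return sorted(failed, key=_when)


def root_cause(events):
    """(LogicalResourceId, ResourceType, ResourceStatusReason) or None."""
    failed = failed_resource_events(events)
    if not failed:
        return None
    first = failed[0]
    return (first["LogicalResourceId"], first["ResourceType"],
            first.get("ResourceStatusReason", ""))


if __name__ == "__main__":
    print(root_cause(SAMPLE_EVENTS))
```

The detail that matters is the ordering: the API returns newest first, and every resource still in flight when the first one fails is recorded as *_FAILED with "Resource creation cancelled", so reading the top of the list points at a victim, not the cause. For a CLI-only look, `--query "StackEvents[?ends_with(ResourceStatus, '_FAILED')].[LogicalResourceId,ResourceStatusReason]"` lists the failures, and the oldest non-cancelled one is the root cause.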

1071
MCQmedium

A company has a microservices architecture running on Amazon ECS with Fargate. The operations team uses Amazon CloudWatch Container Insights to monitor the cluster. They notice that one of the services is experiencing high memory utilization, causing occasional task failures. The team wants to set up proactive monitoring to receive alerts when memory utilization exceeds 80% for more than 5 minutes. They also want to automate the response by replacing the failing tasks. The team has already created a CloudWatch alarm on the MemoryUtilized metric. Which additional steps should the team take to achieve the desired proactive monitoring and automated response?

A.Use CloudWatch Logs Insights to run queries on the task logs to identify the cause of high memory.
B.Create a CloudWatch Events rule that triggers an AWS Lambda function to restart the tasks when the alarm state changes.
C.Configure the CloudWatch alarm to trigger an Auto Scaling action that increases the desired count of the service to replace failing tasks.
D.Enable AWS CloudTrail to log all ECS API calls to audit the task failures.
AnswerC

This allows the alarm to directly trigger a scaling action to replace tasks when memory is high.

Why this answer

Option C is correct because an alarm action can invoke an Application Auto Scaling policy on the ECS service, which raises the desired count so the service launches replacement tasks while the ones under memory pressure are recycled. Option B is wrong because an EventBridge rule plus a Lambda function is extra machinery when the existing alarm can act directly. Option A is wrong because CloudWatch Logs Insights is for querying logs after the fact, not for automated response.

Option D is wrong because CloudTrail is for auditing API calls, not for automation.

1072
MCQmedium

A company is using Amazon RDS for PostgreSQL and wants to monitor the database for performance issues. They need to capture slow queries and analyze them over time. Which combination of AWS services should they use?

A.Enable RDS Event notifications to send alerts for performance issues.
B.Enable RDS Performance Insights and Enhanced Monitoring.
C.Enable CloudWatch Logs for PostgreSQL and export logs to Amazon S3.
D.Use CloudWatch Metrics to monitor database connections and CPU utilization.
AnswerB

Performance Insights captures and analyzes database load, including slow queries, and Enhanced Monitoring provides OS-level visibility.

Why this answer

Option B is correct because RDS Performance Insights breaks database load down by wait event and by SQL statement, which identifies slow queries directly, while Enhanced Monitoring adds OS-level metrics (CPU, memory, disk I/O, per-process usage) at up to one-second granularity. Together they capture and analyze slow queries over time without log parsing or export overhead.

Exam trap

The trap here is that candidates often confuse general monitoring (CloudWatch Metrics) or log export (CloudWatch Logs to S3) with the specialized, integrated performance analysis tools (Performance Insights and Enhanced Monitoring) that are purpose-built for diagnosing slow queries in RDS.

How to eliminate wrong answers

Option A is wrong because RDS Event notifications only send alerts for instance lifecycle events (e.g., failover, maintenance) and do not capture or analyze slow query performance data. Option C is wrong because exporting PostgreSQL logs to S3 via CloudWatch Logs provides raw log files, but requires additional tooling (e.g., Athena) to parse and analyze slow queries; it is not a native, integrated solution for ongoing performance analysis. Option D is wrong because CloudWatch Metrics for database connections and CPU utilization provide aggregate resource metrics, not the detailed query-level or wait-event data needed to identify and analyze slow queries.

1073
Multi-Selecthard

A company runs a web application on EC2 instances in an Auto Scaling group across three Availability Zones. The application uses an Application Load Balancer (ALB) and stores session data in an ElastiCache for Redis cluster with cluster mode enabled. During a recent deployment, a new version of the application caused a memory leak in the Redis cluster, leading to out-of-memory errors and evictions. The DevOps team wants to prevent future deployments from affecting the Redis cluster's health. What should the team do? (Choose TWO.)

Select 2 answers
A.Implement a blue/green deployment strategy using a separate Redis cluster for the new version.
B.Increase the ElastiCache node type to a larger instance size.
C.Disable cluster mode on the Redis cluster to reduce overhead.
D.Take a manual snapshot of the Redis cluster before each deployment.
E.Configure Amazon CloudWatch alarms on Redis memory usage and evictions to trigger an automatic rollback.
AnswersA, E

Isolates the new version's impact; if memory leak occurs, only the green cluster is affected.

Why this answer

Option A is correct because a blue/green deployment with a separate Redis cluster for the new version isolates the risk: a leak in green never touches the blue cluster that production traffic depends on. Option E is correct because CloudWatch alarms on the cluster's DatabaseMemoryUsagePercentage and Evictions metrics can trigger a rollback or page the team before the cluster tips over. Option B (a larger node type) treats the symptom, not the cause.

Option D (a snapshot before each deployment) is a sound backup habit but does not stop a bad release from exhausting memory. Option C (disabling cluster mode) reduces scalability and has nothing to do with the leak.

1074
MCQeasy

A company uses AWS CloudTrail to log API activity in their AWS account. They need to ensure that any changes to CloudTrail configuration itself are detected and alerted upon in real time. Which service should they use?

A.Use Amazon CloudWatch Events (EventBridge) to create a rule matching the StopLogging or UpdateTrail API calls.
B.Enable AWS Config rules to monitor CloudTrail configuration changes.
C.Use Amazon CloudWatch Logs Insights to query CloudTrail logs for changes.
D.Enable Amazon GuardDuty to detect changes to CloudTrail.
AnswerA

CloudWatch Events can trigger notifications in real time for specific API calls.

Why this answer

Amazon CloudWatch Events (EventBridge) can monitor CloudTrail API calls in real time by creating a rule that matches specific API calls such as StopLogging or UpdateTrail. When these calls are made, the rule triggers an action (e.g., SNS notification or Lambda function) to alert administrators immediately. This provides the real-time detection required for changes to CloudTrail configuration itself.

Exam trap

The trap here is that candidates often confuse AWS Config (which is for compliance and configuration history) with real-time event-driven alerting, or they think GuardDuty covers all security monitoring, but neither provides the specific real-time API call detection that EventBridge offers.

How to eliminate wrong answers

Option B is wrong because AWS Config rules are designed for continuous compliance assessment and configuration auditing, not real-time event-driven alerting; they evaluate resources periodically or on configuration changes but do not provide instantaneous alerts. Option C is wrong because CloudWatch Logs Insights is a query tool for analyzing historical log data, not a real-time alerting mechanism; it cannot proactively detect changes as they occur. Option D is wrong because Amazon GuardDuty is a threat detection service that focuses on malicious activity and anomalies (e.g., unusual API calls or compromised credentials), not specifically on monitoring CloudTrail configuration changes for compliance or operational awareness.

1075
MCQmedium

A company uses AWS Organizations with SCPs to restrict access to services. The security team needs to ensure that no IAM user or role can create or modify VPCs, but should allow VPC usage for existing VPCs. Which SCP should be attached to the root OU?

A.{"Version":"2012-10-17","Statement":[{"Effect":"Deny","Action":"ec2:CreateVpc","Resource":"*"}]}
B.{"Version":"2012-10-17","Statement":[{"Effect":"Deny","Action":["ec2:CreateVpc","ec2:ModifyVpc"],"Resource":"*"}]}
C.{"Version":"2012-10-17","Statement":[{"Effect":"Deny","Action":"ec2:*","Resource":"*"}]}
D.{"Version":"2012-10-17","Statement":[{"Effect":"Deny","Action":["ec2:CreateVpc","ec2:DeleteVpc"],"Resource":"*"}]}
AnswerB

Denies only VPC creation and modification, allowing use of existing VPCs.

Why this answer

Option B is correct because an SCP that denies ec2:CreateVpc and ec2:ModifyVpc, while leaving all other actions allowed, meets the requirement. Option C would block all EC2 actions. Option A denies only CreateVpc but not ModifyVpc.

Option D is too permissive because it denies DeleteVpc instead of ModifyVpc, so existing VPCs can still be modified.

1076
MCQmedium

A DevOps team uses AWS CodePipeline to deploy a static website to an Amazon S3 bucket. The pipeline has a source stage (CodeCommit), a build stage (CodeBuild that runs a build tool), and a deploy stage (S3). After a recent code change, the build stage succeeded but the deploy stage failed with the error: 'Access Denied' when uploading artifacts to the S3 bucket. What should the team do to fix the issue?

A.Configure the S3 bucket to allow public access
B.Add 's3:PutObject' permission to the CodePipeline service role
C.Add an S3 bucket policy that grants the CodeBuild service role s3:PutObject access
D.Verify that the CodeCommit repository has the correct permissions for the pipeline
AnswerB

The pipeline role needs S3 write access for the deploy stage.

Why this answer

Option B is correct because the CodePipeline service role needs permission to put objects into the S3 bucket; the error indicates that the role used by CodePipeline lacks s3:PutObject. Option C is wrong because the CodeBuild project role is used for the build stage, not the deploy stage, and a bucket policy is not the typical issue when the pipeline role exists.

Option D is wrong because the error is about the deploy stage, not the source stage.

1077
MCQeasy

Which AWS service is primarily used to automate the building, testing, and deployment of code changes to AWS infrastructure based on a defined release process?

A.AWS CodeCommit
B.AWS CodePipeline
C.AWS CodeBuild
D.AWS CodeDeploy
AnswerB

Why this answer

AWS CodePipeline is the correct service because it is a fully managed continuous delivery service that orchestrates the building, testing, and deployment of code changes through a defined release process. It integrates with source control (e.g., CodeCommit, GitHub), build services (e.g., CodeBuild), and deployment services (e.g., CodeDeploy) to automate the entire pipeline from commit to production.

Exam trap

The trap here is that candidates often confuse the individual services (CodeBuild for building, CodeDeploy for deploying) with the orchestrator (CodePipeline) that ties them together, leading them to select a service that performs only one part of the process rather than the full automation of the release process.

Why the other options are wrong

A

CodeCommit is a source control service, not a CI/CD pipeline orchestrator.

C

CodeBuild is a build service that compiles source code and runs tests, but it does not orchestrate the entire release process.

D

CodeDeploy automates code deployment to compute services, but it is not a full pipeline orchestrator.

1078
MCQmedium

A DevOps engineer is investigating a security incident where an unauthorized user accessed an S3 bucket containing sensitive data. The engineer needs to determine what actions the user performed and from which IP address. Which AWS service should be used to retrieve this information?

A.AWS CloudTrail management events.
B.Amazon Inspector findings.
C.Amazon S3 server access logs.
D.Amazon CloudWatch Logs for the S3 bucket.
AnswerC

S3 server access logs capture detailed request information.

Why this answer

Option C is correct because S3 server access logs provide detailed records of requests made to a bucket, including the requester, IP address, and action. Option A is wrong because CloudTrail logs API calls made by users or roles, but for S3 object-level operations it must be specifically enabled for data events. Option D is wrong because CloudWatch Logs can store logs but is not the source of S3 access logs.

Option B is wrong because Amazon Inspector is for vulnerability assessments, not logging.

1079
MCQmedium

A company uses AWS CodePipeline to deploy a web application to an Elastic Beanstalk environment. The pipeline has a source stage (S3), a build stage (CodeBuild), and a deploy stage (Elastic Beanstalk). Recently, the deployment started failing with the error 'The Elastic Beanstalk environment is not in a ready state'. The team found that the environment was in an 'Updating' state because a previous deployment was still in progress. They need a solution that prevents concurrent deployments and ensures that the environment is ready before starting a new deployment. Which action should the DevOps engineer take?

A.Increase the deployment timeout in the Elastic Beanstalk environment
B.Disable rolling updates in the Elastic Beanstalk environment
C.Configure a 'Wait for Environment to be Ready' action before the deploy stage
D.Create multiple Elastic Beanstalk environments for blue/green deployment
AnswerC

This action checks the environment status and waits until it's ready.

Why this answer

To prevent concurrent deployments, configure the pipeline with a concurrency limit or add a stage that checks the environment status before proceeding. The simplest solution is to set the Elastic Beanstalk environment's 'Rolling update type' to 'Immutable' and use a manual approval gate, but the best practice is to use a CodePipeline action that waits for the environment to be ready. Option C is correct.

Option A (increasing the timeout) does not prevent concurrent deployments. Option D (multiple environments) adds complexity. Option B (disabling rolling updates) may cause downtime.

1080
MCQeasy

A team wants to automate the deployment of a serverless application using AWS SAM. They have a template.yaml file defining Lambda functions, an API Gateway, and a DynamoDB table. Which command should they use to build and deploy the application?

A.aws cloudformation deploy --template-file template.yaml
B.sam package --output-template-file packaged.yaml
C.sam build && sam deploy
D.sam deploy --guided
AnswerC

sam build prepares the application, and sam deploy deploys it using CloudFormation.

Why this answer

Option C is correct because 'sam build' compiles the application and 'sam deploy' deploys it. Option A is wrong because 'aws cloudformation deploy' does not build the SAM artifacts. Option B is wrong because 'sam package' only packages the code; it does not build or deploy.

Option D is wrong because 'sam deploy --guided' is interactive and not suitable for automation.

1081
MCQhard

A DevOps engineer runs the above AWS CLI commands and notices that the CodeBuild project 'my-project' exists but builds fail with the error 'Access Denied' when trying to fetch source code from CodeCommit. The IAM role 'CodeBuildServiceRole' has a policy that allows 'codecommit:GitPull' on all repositories. What is the most likely cause of the failure?

A.The IAM role does not have permissions to access the CodeCommit repository.
B.The IAM role does not have a trust policy that allows CodeBuild to assume the role.
C.The CodeCommit repository does not exist.
D.The source location in the build project is incorrect.
AnswerB

CodeBuild must be able to assume the role via trust policy.

Why this answer

The error 'Access Denied' when CodeBuild tries to fetch source code from CodeCommit typically indicates that the IAM role CodeBuild is using does not have the necessary permissions to perform the action. Even though the role 'CodeBuildServiceRole' has a policy allowing 'codecommit:GitPull', the role itself must have a trust policy that allows the CodeBuild service to assume it. Without a proper trust policy, CodeBuild cannot assume the role, and any attached permissions are irrelevant, leading to an access denied error.

Exam trap

The trap here is that candidates often focus on the IAM policy permissions (e.g., 'codecommit:GitPull') and overlook the necessity of a trust policy, assuming that if the policy allows the action, the role is automatically usable by the service.

How to eliminate wrong answers

Option A is wrong because the IAM role does have a policy that allows 'codecommit:GitPull' on all repositories, so the permissions are present; the issue is that the role cannot be assumed. Option C is wrong because the problem states the CodeBuild project 'my-project' exists and the error occurs when fetching source code, implying the repository exists; if it didn't, the error would be 'RepositoryNotFound' or similar. Option D is wrong because an incorrect source location would typically result in a 'RepositoryNotFound' or 'InvalidSourceLocation' error, not an 'Access Denied' error.

1082
MCQhard

A company uses a centralized AWS KMS customer master key (CMK) in the security account to encrypt data in S3 buckets across multiple accounts. The S3 buckets are accessed by EC2 instances in the same accounts. The security team wants to ensure that the CMK can only be used by authorized IAM roles in the member accounts. Which policy configuration should be used?

A.Attach an IAM policy to the IAM roles in the member accounts that allows kms:Decrypt on the CMK.
B.Add a statement to the KMS key policy that grants the IAM roles in the member accounts permission to use the key.
C.Create a service control policy (SCP) that allows kms:Decrypt for the CMK.
D.Use a VPC endpoint policy for KMS to allow access from the member accounts' VPCs.
AnswerB

The key policy must explicitly allow the external accounts (or their IAM roles) to use the key. Then, the member accounts can delegate that permission to their roles via IAM policies.

Why this answer

To allow cross-account use of a KMS CMK, you must add a key policy statement that grants the necessary permissions to the member accounts or their IAM roles. The key policy should include a statement that allows the root user of the member accounts to delegate permissions, and the member accounts must then create IAM policies that grant their roles access. Option A is wrong because IAM policies in the member account alone are not sufficient; the key policy must explicitly allow the member accounts.

Option C is wrong because SCPs cannot grant permissions; they only deny.

1083
MCQeasy

A company wants to receive a notification when an AWS IAM user creates a new access key. Which AWS service should be used to capture this event and trigger a notification?

A.Amazon GuardDuty
B.AWS CloudTrail with CloudWatch Events
C.Amazon CloudWatch
D.AWS Config
AnswerB

Correct. CloudTrail logs API calls, and CloudWatch Events can trigger actions.

Why this answer

AWS CloudTrail captures API activity, including the CreateAccessKey event when an IAM user creates a new access key. By sending these events to Amazon CloudWatch Events (now part of Amazon EventBridge), you can define a rule that triggers a notification via SNS, Lambda, or other targets. This combination provides the real-time event-driven notification the company requires.

Exam trap

The trap here is that candidates often confuse CloudWatch (which handles metrics and logs) with CloudWatch Events (which handles event-driven triggers), leading them to pick Option C, even though CloudWatch alone cannot capture API calls without CloudTrail integration.

How to eliminate wrong answers

Option A is wrong because Amazon GuardDuty is a threat detection service that analyzes VPC Flow Logs, DNS logs, and CloudTrail management events for malicious activity, but it does not directly trigger custom notifications for specific IAM actions like CreateAccessKey. Option C is wrong because Amazon CloudWatch is a monitoring service for metrics, logs, and alarms, but it cannot natively capture API-level events like CreateAccessKey; it relies on CloudTrail or CloudWatch Events to ingest such events. Option D is wrong because AWS Config evaluates resource configurations and compliance rules, but it does not capture real-time API calls or trigger notifications for specific IAM user actions like creating an access key.

1084
MCQhard

An EC2 instance is in 'running' state according to the CLI output, but the application hosted on it is unreachable. The DevOps engineer checks the security group and finds it allows inbound HTTP traffic from 0.0.0.0/0. The instance has a public IP. What is the MOST likely issue?

A.The network ACL is blocking inbound HTTP traffic.
B.The instance does not have a public IP address assigned.
C.The security group is attached to the instance but does not allow inbound HTTP.
D.The instance's OS firewall (e.g., iptables) is blocking the traffic.
AnswerD

OS-level firewalls can block traffic even if security groups allow it.

Why this answer

Option D is correct because the instance's operating system may have a firewall (e.g., iptables) blocking inbound traffic. Option B is wrong because the instance has a public IP.

Option C is wrong because the security group allows inbound HTTP from 0.0.0.0/0; security groups are also stateful, so return traffic is allowed.

1085
Multi-Selecthard

A DevOps engineer is designing a deployment pipeline for a serverless application using AWS SAM. The pipeline must include the following stages: source, build, deploy to a development environment, run integration tests, and promote to production after manual approval. Which AWS services and features should be used to implement this pipeline? (Choose two.)

Select 2 answers
A.AWS CodeDeploy for deploying the SAM application.
B.AWS CodePipeline to orchestrate the pipeline stages.
C.AWS CodeCommit to build the SAM application.
D.AWS CodeBuild to run the SAM build, package, and test commands.
AnswersB, D

Why this answer

AWS CodePipeline is the correct service for orchestrating the pipeline stages because it provides native support for defining source, build, deploy, test, and manual approval stages in a sequential workflow. It integrates directly with AWS SAM and can trigger builds and deployments based on source code changes, making it the ideal orchestrator for this multi-stage pipeline.

Exam trap

The trap here is that candidates often confuse AWS CodeDeploy with the deployment mechanism for SAM applications, not realizing that SAM deployments are actually handled through AWS CloudFormation (via CodeBuild or CodePipeline), not CodeDeploy directly.

Why the other options are wrong

A

SAM applications are deployed via CloudFormation, not CodeDeploy.

C

CodeCommit is a source control service, not a build service.

1086
MCQeasy

A development team uses AWS CodeCommit to store source code and AWS CodePipeline to automate builds and deployments. The team wants to ensure that every commit to the main branch triggers a build and deployment to a test environment. Which action should be taken?

A.Create a CodeBuild project that watches the main branch and starts a pipeline.
B.Use AWS Lambda to poll the repository and start the pipeline on new commits.
C.Set up an Amazon CloudWatch Events rule that matches commits to the main branch and targets the CodePipeline.
D.Configure the source stage of the CodePipeline to use the CodeCommit repository and specify the main branch.
AnswerD

This directly triggers the pipeline on commits to main.

Why this answer

Option D is correct because CodePipeline can be configured with a source stage that uses CodeCommit to detect changes on a specific branch and automatically start the pipeline. Option A is wrong because CodeBuild does not monitor branches. Option C is wrong because, although CloudWatch Events can also trigger pipelines, the simplest and most direct method is configuring the source stage in CodePipeline.

Option B is wrong because the pipeline can be triggered directly; polling with Lambda is unnecessary.

1087
Multi-Selecteasy

Which TWO metrics should a DevOps engineer monitor to detect an EC2 instance that is unresponsive due to resource exhaustion?

Select 2 answers
A.StatusCheckFailed
B.MemoryUtilization
C.DiskReadOps
D.CPUUtilization
E.NetworkIn
AnswersB, D

High memory utilization can lead to swapping and unresponsiveness.

Why this answer

Options B and D are correct. CPUUtilization and MemoryUtilization (if enabled) are key indicators of resource exhaustion. Option C is incorrect because DiskReadOps alone does not indicate exhaustion.

Option E is incorrect because NetworkIn alone is not a resource exhaustion metric. Option A is incorrect because StatusCheckFailed indicates instance health issues but not specifically resource exhaustion.

1088
Multi-Selectmedium

A company has a critical application running on Amazon EC2 instances in an Auto Scaling group. The application writes logs to an Amazon EFS file system. The DevOps team needs to ensure that log data is durable and available even if an Availability Zone fails. The EFS file system is currently in one AZ. What should the team do? (Choose TWO.)

Select 2 answers
A.Increase the EFS throughput mode to Provisioned.
B.Enable AWS Backup for the EFS file system with daily backups.
C.Copy the log files to Amazon S3 using a cron job.
D.Recreate the EFS file system as a Regional (Standard) file system.
E.Configure the EC2 instances to mount the EFS file system from multiple Availability Zones.
AnswersB, D

Backups provide additional durability and recovery options.

Why this answer

Option D is correct because EFS One Zone is not resilient to an AZ failure; the team should recreate the file system as EFS Standard (Regional), which stores data across multiple AZs. Option B is correct because enabling backups (e.g., AWS Backup) provides additional durability and point-in-time recovery.

Option A (increasing throughput) does not add durability. Option C (copying to S3) changes the architecture significantly. Option E (mounting from multiple AZs) is possible with EFS Standard but not with One Zone.

1089
MCQmedium

Refer to the exhibit. A security engineer sees this CloudTrail event. What action did the user 'admin' perform?

A.Encrypted data with a KMS key.
B.Rotated a KMS key.
C.Created a new KMS key.
D.Deleted a KMS key.
AnswerC

The event name is CreateKey and the resource is a KMS key.

Why this answer

Option C is correct because the event is CreateKey and the resource is a KMS key. Option D is wrong because the event is not a key deletion. Option A is wrong because the event is not an encryption operation.

Option B is wrong because the event is not a key rotation.

1090
MCQmedium

Refer to the exhibit. An IAM policy is attached to a user. The user tries to upload an object to the S3 bucket 'my-bucket' without server-side encryption. What will happen?

A.The upload succeeds without encryption.
B.The upload succeeds with SSE-S3 encryption.
C.The upload succeeds and is automatically encrypted with SSE-S3.
D.The upload fails with an Access Denied error.
AnswerD

Policy requires encryption.

Why this answer

Option D is correct because the policy requires encryption, so the upload fails with Access Denied. Option B is wrong because the condition requires encryption to be specified on the request. Option C is wrong because SSE-S3 uses AES256, but the condition requires it to be set explicitly rather than applied automatically.

Option A is wrong because the policy does not allow unencrypted uploads.

1091
MCQeasy

A DevOps engineer is troubleshooting an AWS Lambda function that is intermittently timing out. The function is configured with a 3-second timeout and 128 MB memory. The function processes messages from an SQS queue. What is the most cost-effective change to reduce timeouts?

A.Increase the SQS batch size to 20
B.Increase the function timeout to 10 seconds
C.Increase the function memory to 256 MB
D.Set reserved concurrency to 10
AnswerC

More memory provides more CPU, reducing execution time.

Why this answer

Increasing the memory to 256 MB is the most cost-effective change because Lambda allocates CPU proportionally to memory, so doubling the memory from 128 MB to 256 MB also doubles the CPU performance. This reduces execution time, which can resolve timeouts without increasing the timeout duration, and since Lambda billing is based on compute time (GB-seconds), the total cost may stay the same or even decrease if the function finishes faster.

Exam trap

The trap here is that candidates assume increasing the timeout is the only way to fix timeouts, but AWS explicitly recommends increasing memory as a cost-effective performance tuning method because it also increases CPU, which can reduce execution time and thus avoid timeouts without increasing cost.

How to eliminate wrong answers

Option A is wrong because increasing the SQS batch size to 20 would cause the Lambda function to process more messages per invocation, increasing the workload and likely worsening timeouts rather than fixing them. Option B is wrong because increasing the function timeout to 10 seconds does not address the root cause of slow execution; it only masks the symptom and could increase costs if the function still runs longer. Option D is wrong because setting reserved concurrency to 10 limits the number of concurrent executions but does not improve the performance of a single invocation, so it would not reduce timeouts.

1092
MCQmedium

A company uses AWS Systems Manager to manage a fleet of EC2 instances. During an incident, a DevOps engineer needs to execute a script on a specific instance to collect diagnostic data. The engineer does not have SSH key access. Which approach should the engineer use to execute the script?

A.Use AWS Systems Manager Run Command to execute the script.
B.Use AWS OpsWorks to run the script as a Chef recipe.
C.Use EC2 Instance Connect to SSH into the instance and run the script.
D.Use AWS Systems Manager Session Manager to open a shell and run the script.
AnswerA

Run Command can execute scripts without SSH, using SSM Agent.

Why this answer

Option A is correct because AWS Systems Manager Run Command can execute scripts on EC2 instances without requiring SSH or RDP access, using the SSM Agent. Option B is wrong because AWS OpsWorks requires its own agent and is typically used for Chef/Puppet. Option C is wrong because EC2 Instance Connect requires an SSH key and port 22.

Option D is wrong because SSM Session Manager is for interactive sessions, not script execution triggered as a command.

1093
MCQeasy

A company is using AWS CloudFormation to manage infrastructure. The DevOps team wants to receive notifications when CloudFormation stack creation fails. Which AWS service should be used to capture the stack failure event and send a notification?

A.Amazon SQS
B.Amazon CloudWatch Logs
C.AWS CloudTrail
D.Amazon EventBridge
AnswerD

EventBridge can capture CloudFormation events and trigger actions like SNS.

Why this answer

Option D is correct because Amazon EventBridge can capture CloudFormation stack events (such as CREATE_FAILED) and route them to an SNS topic for notification. Option B is wrong because CloudWatch Logs stores logs but does not directly send notifications. Option C is wrong because CloudTrail records API calls but is not the most efficient route for real-time notifications.

Option A is wrong because SQS is a queue, not a notification service.

1094
MCQhard

A company runs a critical application on Amazon ECS with Fargate launch type. The application experiences intermittent connection timeouts when calling an external API. The engineer needs to capture network traffic to diagnose the issue. Which solution is most appropriate?

A.Enable detailed CloudWatch Logs for the ECS task.
B.Enable VPC Flow Logs on the ECS task's elastic network interface.
C.Enable AWS X-Ray tracing on the ECS task.
D.Run tcpdump on the EC2 instance hosting the ECS task.
AnswerB

VPC Flow Logs capture network metadata to diagnose connectivity issues.

Why this answer

Option B is correct because VPC Flow Logs capture network traffic metadata at the ENI level, which can be analyzed to identify dropped packets or timeouts. Option C is wrong because AWS X-Ray traces requests but does not capture raw network packets. Option A is wrong because CloudWatch Logs does not capture network traffic.

Option D is wrong because EC2 instances are not used with Fargate, so there is no host on which to run tcpdump.

1095
MCQmedium

A company uses AWS CloudTrail to log all API calls in their AWS account. They need to ensure that any changes to CloudTrail configuration (such as disabling the trail or modifying the log file validation) are immediately detected and trigger an automated response. Which solution should the DevOps engineer implement?

A.Enable Amazon GuardDuty and configure it to monitor CloudTrail logs for suspicious activity.
B.Create an Amazon EventBridge rule that matches CloudTrail API calls like StopLogging or UpdateTrail and triggers an SNS topic.
C.Use AWS Config rules with remediation actions to detect and revert changes to CloudTrail.
D.Use AWS Trusted Advisor to check CloudTrail configuration and send alerts via email.
AnswerB

EventBridge can trigger in real-time on API calls.

Why this answer

Option B is correct because CloudTrail itself logs changes to its configuration, so a CloudWatch Events (now Amazon EventBridge) rule can match the API calls that modify CloudTrail (e.g., StopLogging, UpdateTrail) and trigger an SNS notification or Lambda function for an automated response. Option C is wrong because Config rules can detect configuration drift but are not real-time. Option A is wrong because GuardDuty focuses on security threats, not CloudTrail configuration changes.

Option D is wrong because Trusted Advisor does not monitor CloudTrail changes.

1096
MCQeasy

A developer wants to automatically deploy a new version of an AWS Lambda function whenever code is pushed to a specific branch in AWS CodeCommit. Which combination of services should be used?

A.AWS CodeCommit, Amazon EventBridge, AWS CodePipeline
B.AWS CodeCommit, Amazon S3, AWS Lambda
C.AWS CodeCommit, AWS CodeBuild
D.AWS CodeCommit, Amazon CloudWatch Logs
AnswerA

EventBridge can detect CodeCommit push events and trigger CodePipeline.

Why this answer

Option A is correct because CodeCommit triggers an EventBridge event, which can invoke a pipeline or Lambda. Option B is incorrect because S3 is not needed. Option C is incorrect because CodeBuild alone does not deploy.

Option D is incorrect because CloudWatch Logs is for monitoring.

1097
MCQmedium

Refer to the exhibit. A DevOps engineer runs this AWS CLI command to list all CodeBuild projects with 'production' in their name. The command returns an empty list, but the engineer knows there are projects named 'production-app' and 'production-backend'. What is the most likely reason?

A.The IAM user does not have list-projects permission.
B.The AWS CLI is not configured with valid credentials.
C.The --query parameter syntax is incorrect.
D.The region specified is incorrect.
AnswerC

The JMESPath query is malformed; it should be something like 'projects[?contains(@, `production`)]'.

Why this answer

Option C is correct because the --query parameter uses JMESPath syntax, and the filter expression in the exhibit is written incorrectly. A working form is projects[?contains(@, `production`)], with no extra quotes or brackets around the string. The empty result indicates that the query failed to match because of the syntax error, not because the projects don't exist.

Exam trap

The trap here is that candidates assume an empty list means no matching projects exist, rather than suspecting a query syntax error, especially when the command otherwise runs without errors.

How to eliminate wrong answers

Option A is wrong because if the IAM user lacked the `codebuild:ListProjects` permission, the CLI would return an 'AccessDenied' error, not an empty list. Option B is wrong because invalid credentials would produce an authentication error (e.g., 'Unable to locate credentials' or 'ExpiredToken'), not an empty list. Option D is wrong because the `list-projects` command returns all projects in the account regardless of region; the region parameter only affects the endpoint used, not the project list scope.

1098
MCQhard

A company runs a critical application on Amazon ECS with Fargate. The application experiences intermittent slow responses. The DevOps team enabled Container Insights and CloudWatch ServiceLens. However, traces from the application do not appear in ServiceLens. The application uses the AWS X-Ray SDK for tracing. What is the MOST likely cause?

A.The X-Ray daemon is not running in the task definition.
B.The X-Ray SDK cannot send traces to AWS X-Ray from Fargate tasks.
C.ServiceLens does not support Amazon ECS with Fargate launch type.
D.The application is not sending metrics to CloudWatch Container Insights.
AnswerA

The X-Ray daemon must run alongside the application container to receive and forward trace data.

Why this answer

The X-Ray daemon is required to act as a local intermediary that receives trace segments from the X-Ray SDK and forwards them to the AWS X-Ray API. In Amazon ECS with Fargate, the daemon must be explicitly included as a sidecar container in the task definition. Without it, the SDK cannot send traces, which explains why traces are missing from ServiceLens despite the SDK being integrated.

Exam trap

The trap here is that candidates assume the X-Ray SDK can send traces directly to the AWS X-Ray API without a local daemon, but the SDK is designed to offload segment buffering and transmission to the daemon, making it a mandatory component in containerized environments like Fargate.

How to eliminate wrong answers

Option B is wrong because the X-Ray SDK can send traces from Fargate tasks when the X-Ray daemon is properly configured as a sidecar container; there is no inherent limitation preventing trace transmission from Fargate. Option C is wrong because ServiceLens supports Amazon ECS with both the EC2 and Fargate launch types, as long as the required agents and permissions are in place. Option D is wrong because Container Insights metrics are not required for traces to appear in ServiceLens; ServiceLens aggregates traces from X-Ray and metrics from CloudWatch independently, and missing metrics do not prevent trace visibility.

1099
Multi-Selecthard

A DevOps team is using AWS CloudFormation to deploy a three-tier web application. The stack includes an Application Load Balancer, an Auto Scaling group, and an RDS database. They want to update the stack to change the instance type of the Auto Scaling group without downtime. Which three steps should they take? (Choose THREE.)

Select 3 answers
A.Create a new Auto Scaling group with the new instance type and attach it to the load balancer, then delete the old group.
B.Modify the RDS instance type to match the new EC2 instance type for consistency.
C.Update the Auto Scaling group's launch template or launch configuration to specify the new instance type.
D.Terminate all instances in the Auto Scaling group before updating the launch configuration.
E.Perform a rolling update with a batch size of 1 and a pause time.
AnswersA, C, E

Blue/green deployment avoids downtime.

Why this answer

Option E is correct because using a rolling update with a pause before replacing instances minimizes downtime. Option C is correct because updating the launch template with the new instance type is necessary. Option A is correct because creating a new Auto Scaling group first allows a blue/green approach.

Option D is wrong because terminating all instances at once causes downtime. Option B is wrong because modifying the RDS instance type is not part of the change.

1100
MCQhard

A company uses AWS Organizations with 20 accounts. The Security team has configured AWS CloudTrail to deliver logs from all accounts to a central S3 bucket (central-bucket). The bucket policy allows CloudTrail to write objects and uses SSE-S3 encryption. Recently, auditors found that some log files were missing for a few hours. The CloudTrail console shows that trails are enabled in all accounts. The central-bucket has default encryption enabled. What is the MOST likely cause of the missing logs?

A.The CloudTrail trail is not configured to deliver to the central bucket from all regions
B.The S3 bucket policy contains a deny condition that requires aws:SecureTransport to be true, but CloudTrail uses HTTP
C.The IAM role used by CloudTrail does not have s3:PutObject permission
D.The S3 bucket policy denies access unless the PutObject request includes the x-amz-server-side-encryption header with value AES256
AnswerD

If the bucket policy requires the encryption header and CloudTrail does not send it (since the bucket has default encryption), the request is denied.

Why this answer

If the bucket's default encryption is SSE-S3, CloudTrail can write without issue. However, if the bucket policy denies writes that do not include encryption headers, but CloudTrail does not include them by default, then logs will be denied. The missing logs suggest a policy conflict.

Option D is the most direct cause; CloudTrail may not include the required encryption headers if the bucket policy requires them.

1101
MCQhard

A company uses AWS CodePipeline with a GitHub source action. They want to automatically start the pipeline when a pull request is merged to the main branch. However, the pipeline also starts on every push to any branch. How can they limit the pipeline to only trigger on push events to the main branch?

A.Use a Lambda function as a source action instead of GitHub.
B.Create a GitHub webhook manually and point it to a Lambda function that starts the pipeline only for main branch pushes.
C.Configure the source action's 'Branch' field to 'main' and set 'PollForSourceChanges' to false, and use a webhook with filters.
D.Add a condition in the pipeline's first stage to check the branch name.
AnswerC

This ensures only push events to main trigger the pipeline.

Why this answer

Option C is correct because the GitHub source action supports configuring branch and event filters, such as 'push' and 'pull_request' with specific branches. Option A is wrong because the source action can filter on branch without a Lambda. Option B is wrong because the webhook is managed by CodePipeline; you can configure filters within the pipeline definition.

Option D is wrong because CodePipeline does not have a branch filter condition; it's configured in the source action.

1102
MCQmedium

Refer to the exhibit. A team uses this buildspec.yml file in AWS CodeBuild. After the build, they expect the artifacts to be placed in a folder structure, but all files are in the root of the output artifact. What is the reason?

A.The 'files' section only includes '**/*' which does not preserve paths.
B.The 'discard-paths' option is set to 'yes', which flattens the directory structure.
C.The 'base-directory' is not specified, so CodeBuild uses the root of the build output.
D.The 'name' property is missing, causing artifacts to be stored without structure.
AnswerB

When discard-paths is yes, all files are placed in the root without preserving paths.

Why this answer

Option B is correct because 'discard-paths: yes' flattens the structure. Option A is wrong because the 'files' pattern only selects which files are included. Option C is wrong because an unset 'base-directory' does not by itself flatten paths.

Option D is wrong because the 'name' property only sets the artifact name and does not affect directory structure.

1103
MCQmedium

A company runs a critical e-commerce application on Amazon EC2 instances behind an Application Load Balancer (ALB) with Auto Scaling. The application must be resilient to an Availability Zone (AZ) failure. What is the MOST resilient configuration?

A.Configure the Auto Scaling group to launch instances in a single AZ with a larger instance type.
B.Deploy a single large EC2 instance in one AZ and use an Elastic IP for failover.
C.Use a Network Load Balancer instead of an ALB and deploy instances in two AZs.
D.Configure the Auto Scaling group to span at least three AZs and set the ALB to route traffic to all AZs.
AnswerD

Multi-AZ deployment ensures resilience.

Why this answer

Distributing instances across three AZs ensures that if one AZ fails, the remaining AZs can handle the load. This provides high availability and resilience.

1104
MCQmedium

A DevOps team has set up centralized logging for multiple AWS accounts using Amazon OpenSearch Service. The team uses CloudWatch cross-account observability to collect logs from various accounts into a monitoring account. Recently, logs from one source account stopped appearing in the monitoring account's OpenSearch dashboard. Other source accounts continue to send logs successfully. Which step should the team take to troubleshoot this issue?

A.Verify that the monitoring account's CloudWatch cross-account observability is enabled.
B.Check the source account's CloudWatch Logs subscription filter for the OpenSearch destination.
C.Review the source account's CloudWatch Logs retention policy to confirm logs are not expired.
D.Ensure the IAM role in the source account has the correct trust policy for the monitoring account.
AnswerB

The subscription filter may have been deleted or misconfigured, stopping log forwarding.

Why this answer

Option B is correct because the most likely cause of logs from a single source account failing to appear is a misconfigured or broken CloudWatch Logs subscription filter. This filter is responsible for forwarding log events from the source account to the OpenSearch destination in the monitoring account. If the filter is missing, misconfigured, or has been accidentally deleted, logs will not be sent, while other accounts continue to work normally.

Exam trap

The trap here is that candidates confuse the cross-account observability setup (which uses IAM roles and trust policies) with the actual log delivery mechanism (subscription filters), leading them to check the IAM role or the monitoring account configuration instead of the source account's subscription filter.

How to eliminate wrong answers

Option A is wrong because cross-account observability is already working for other source accounts, so the monitoring account's feature is enabled. Option C is wrong because a retention policy would cause logs to stop appearing for all accounts after the retention period, not selectively for one account. Option D is wrong because the IAM role's trust policy is used for cross-account access to CloudWatch metrics and logs, but the actual log delivery to OpenSearch is handled by the subscription filter, not by assuming a role in the source account.

1105
MCQeasy

A company wants to design a disaster recovery solution for its primary AWS Region. The solution should have a Recovery Point Objective (RPO) of a few seconds and a Recovery Time Objective (RTO) of a few minutes. Which strategy meets these requirements?

A.Pilot light
B.Backup and restore
C.Warm standby
D.Multi-Region active-active
AnswerD

Active-active with synchronous replication achieves low RPO and RTO.

Why this answer

A multi-Region active-active setup with synchronous replication provides near-zero RPO and minimal RTO.

1106
Multi-Selecthard

A company is using AWS CodePipeline with multiple stages: Source (GitHub), Build (CodeBuild), Test (CodeBuild), and Deploy (CloudFormation). The deployment stage is failing intermittently with a 'Rate exceeded' error. The team needs to reduce deployment failures. Which TWO actions should the team take?

Select 2 answers
A.Implement a manual approval step before deployment to stagger multiple pipeline executions.
B.Use exponential backoff and retry in the deployment action.
C.Increase the timeout of the deploy action.
D.Enable CloudWatch detailed monitoring for the deployed resources.
E.Change the deployment to use an in-place deployment type.
AnswersA, B

Correct: Staggers deployments to reduce concurrent calls.

Why this answer

Option A reduces the chance of hitting API rate limits. Option B implements retry logic. Option E is not related to rate limits.

Option C could cause new issues. Option D is irrelevant.

1107
Multi-Selectmedium

A financial services company is migrating its applications to AWS. The compliance team requires that all Amazon S3 buckets containing personally identifiable information (PII) must have server-side encryption enabled and block public access. The DevOps team discovers that some S3 buckets are not compliant. Which TWO actions should the team take to enforce these requirements automatically for all current and future buckets? (Select TWO.)

Select 2 answers
A.Enable AWS CloudTrail to log all S3 API calls and send alerts when noncompliant buckets are created.
B.Use AWS Config managed rules to detect noncompliant buckets and automatically remediate by applying encryption and blocking public access.
C.Attach an IAM permissions boundary to all users that prevents them from creating or modifying S3 buckets.
D.Apply an S3 bucket policy to each existing bucket that denies all access unless encryption is enabled.
E.Create an SCP that denies the s3:PutBucketPublicAccessBlock and s3:PutBucketEncryption actions when the required settings are not specified.
AnswersB, E

AWS Config can detect and auto-remediate.

Why this answer

AWS Config managed rules (e.g., s3-bucket-server-side-encryption-enabled and s3-bucket-public-read-prohibited) can automatically detect noncompliant S3 buckets. Combined with AWS Config auto-remediation using Systems Manager Automation documents, the team can enforce encryption and block public access without manual intervention, ensuring all current and future buckets remain compliant.

Exam trap

The trap here is that candidates often confuse detective controls (like CloudTrail alerts) with preventive or corrective controls (like AWS Config auto-remediation or SCPs), leading them to select Option A instead of the automated enforcement mechanisms that actually fix noncompliant buckets.

1108
MCQeasy

A DevOps engineer is configuring a webhook trigger in AWS CodePipeline to automatically start a pipeline when changes are pushed to a specific branch in a CodeCommit repository. The webhook is created and the trigger is set to the 'main' branch. However, when a developer pushes a commit to the 'main' branch, the pipeline does not start. What is the MOST likely reason?

A.The webhook is not properly registered with CodeCommit due to a conflict with an existing webhook.
B.The CodeCommit repository is set to send events to Amazon S3, which conflicts with the webhook.
C.The pipeline requires an Amazon SNS notification to be configured for the trigger to work.
D.The CloudWatch Events rule that triggers the pipeline on repository changes is not configured.
AnswerD

CodePipeline webhooks rely on CloudWatch Events to detect changes; without the rule, the pipeline won't start.

Why this answer

Option D is correct because CodePipeline webhooks use AWS CloudWatch Events (EventBridge) to detect changes; if the CloudWatch Events rule is missing, the webhook won't trigger. Option A is incorrect because multiple webhooks can exist. Option C is incorrect because webhooks do not require SNS.

Option B is incorrect because S3 notifications are for S3 sources, not CodeCommit.

1109
MCQmedium

A company uses AWS Lambda functions to process sensitive data from an SQS queue. The Lambda function writes results to an S3 bucket. The security team requires that all data at rest in S3 be encrypted with a customer managed KMS key, and that the Lambda function only have access to decrypt the queue messages and encrypt the S3 objects. An IAM role is attached to the Lambda function. The engineer has configured the KMS key policy to allow the Lambda role to use the key. However, the Lambda function fails to write to S3 with a 'KMS access denied' error. The engineer verified that the S3 bucket has default encryption enabled with the same KMS key. Which additional step is most likely required?

A.Disable default encryption on the S3 bucket and configure the Lambda to use SSE-S3.
B.Add an inline policy to the Lambda role that allows kms:GenerateDataKey and kms:Encrypt actions for the KMS key.
C.Grant the Lambda role s3:PutObject permission on the bucket.
D.Modify the KMS key policy to allow the Lambda role to use the key without any conditions.
AnswerB

The role needs permissions to use the KMS key for encrypting S3 objects.

Why this answer

Even if the S3 bucket has default encryption, the Lambda function needs kms:GenerateDataKey permission (or kms:Encrypt) in its IAM role to encrypt objects when writing. The key policy allows the role, but the role's permissions policy must also include the necessary KMS actions. The error indicates that the role lacks the appropriate KMS action.

1110
MCQmedium

A company uses AWS CloudTrail to log API activity. The security team needs to be alerted when an IAM user creates a new access key. How can this be achieved with minimal overhead?

A.Use CloudWatch Logs Insights to run a query every hour and send results via email.
B.Set up an AWS Config rule to detect when an access key is created.
C.Configure S3 event notifications on the CloudTrail bucket to trigger a Lambda function.
D.Create an Amazon EventBridge rule that matches the 'CreateAccessKey' event and targets an SNS topic.
AnswerD

EventBridge can filter CloudTrail events and send alerts via SNS.

Why this answer

Option D is correct because CloudWatch Events (now part of EventBridge) can filter CloudTrail events and target an SNS topic to send an alert. Option C is wrong because S3 event notifications are for object-level events, not API calls. Option A is wrong because CloudWatch Logs Insights is a query tool, not a real-time alerting mechanism.

Option B is wrong because Config rules evaluate resource configurations, not API calls.

1111
MCQhard

An organization uses AWS OpsWorks for configuration management. They want to migrate to AWS Systems Manager to reduce costs and improve flexibility. Their current stack includes custom Chef recipes that manage package installations and service configurations. What is the MOST effective migration strategy?

A.Use AWS CloudFormation to recreate the entire infrastructure and manage configurations.
B.Use AWS CodeDeploy to replace OpsWorks and manage configurations.
C.Translate Chef recipes into Systems Manager State Manager associations and use Run Command for ad-hoc tasks.
D.Keep OpsWorks but integrate it with Systems Manager for hybrid management.
AnswerC

State Manager manages configurations similarly to Chef, and Run Command provides ad-hoc execution.

Why this answer

Option C is correct because Systems Manager State Manager can manage configurations using association documents that are equivalent to Chef recipes, and Run Command can execute ad-hoc commands. Option A is wrong because it does not address existing recipes. Option B is wrong because CodeDeploy is for application deployments, not configuration management.

Option D is wrong because it adds complexity and cost.

1112
Multi-Selecthard

A DevOps team uses Ansible for configuration management of EC2 instances. They want to ensure that the latest security patches are applied to all instances. Which THREE steps should they include in their Ansible playbook? (Choose THREE.)

Select 3 answers
A.Use the 'service' module to restart services after patching
B.Use the 'command' module to run 'yum update -y'
C.Use the 'copy' module to download patch files
D.Use the 'package' module with state=latest
E.Use the 'yum' module with state=latest
AnswersB, D, E

This is a valid way to update packages.

Why this answer

Options B, D, and E are correct. E: Using the 'yum' module to update packages. B: Using the 'command' module to run 'yum update -y'.

D: Using the 'package' module to update all packages. Option A is wrong because the 'service' module is for managing services, not patching. Option C is wrong because 'copy' is for files, not package updates.

1113
MCQhard

A company has a CloudFormation stack that creates an S3 bucket and an EC2 instance. The bucket policy must be updated to grant the EC2 instance read access. The DevOps engineer uses a custom resource backed by a Lambda function. However, the stack update fails because the Lambda function does not have permissions to update the bucket policy. What should the engineer do to resolve this issue while following security best practices?

A.Modify the custom resource to use the EC2 instance profile instead of a Lambda function.
B.Add an inline policy to the Lambda execution role that allows s3:PutBucketPolicy and ensure the bucket policy allows the EC2 instance role.
C.Attach a policy to the EC2 instance role that allows s3:GetObject on the bucket.
D.Update the Lambda execution role to include s3:PutBucketPolicy and add a bucket policy that grants s3:GetObject to the EC2 instance role.
AnswerD

Fixes both Lambda permission and bucket access.

Why this answer

Option D is correct because the Lambda function needs an IAM role with permissions to call s3:PutBucketPolicy, and the bucket policy should allow the EC2 instance role to read. Option B is wrong because adding an inline policy to the Lambda role is correct but does not address the bucket policy. Option A is wrong because using the instance profile directly for a custom resource is not typical.

Option C is wrong because the Lambda function itself needs permissions, not the EC2 instance.

1114
MCQhard

An AWS Lambda function that processes sensitive data writes objects to an S3 bucket. The security team requires that all objects be encrypted at rest using SSE-S3. The Lambda execution role uses the above IAM policy. Despite the policy, some objects are uploaded without server-side encryption. What is the most likely cause?

A.The Lambda function does not include the x-amz-server-side-encryption header in the PutObject request.
B.The bucket has a default encryption policy that overrides the IAM policy.
C.The Lambda function is using a KMS key instead of SSE-S3.
D.The Lambda function is specifying a different encryption algorithm, such as aws:kms.
AnswerA

If the header is absent, the condition in the Deny statement does not evaluate (missing key not equals false), so the Deny does not apply. The Allow statement allows the action without encryption.

Why this answer

Option A is correct because the IAM policy only allows the PutObject action when the request includes the `x-amz-server-side-encryption` header set to `AES256` (SSE-S3). If the Lambda function omits this header in its PutObject call, the request does not satisfy the IAM condition key `s3:x-amz-server-side-encryption`, and the policy denies the upload. However, the question states that objects are uploaded without encryption, which implies the policy is not being enforced as intended—likely because the Lambda function is not including the required header, and the bucket's default encryption or another mechanism is allowing the upload to succeed despite the policy.

Exam trap

The trap here is that candidates assume a bucket's default encryption setting can override an IAM policy's condition, but in reality, IAM policies are evaluated first, and a missing encryption header causes a denial unless the bucket's default encryption is configured to apply encryption automatically—but even then, the object would be encrypted, not unencrypted.

How to eliminate wrong answers

Option B is wrong because a bucket's default encryption policy does not override an IAM policy; IAM policies are evaluated first, and if the IAM policy denies the request (due to missing encryption header), the upload is blocked regardless of bucket default settings. Option C is wrong because using a KMS key would set the encryption algorithm to `aws:kms`, which does not match the `AES256` value required by the IAM policy, causing the request to be denied—not allowed. Option D is wrong because specifying a different encryption algorithm like `aws:kms` would also fail the IAM condition check for `s3:x-amz-server-side-encryption` set to `AES256`, resulting in a denied request, not an unencrypted upload.

1115
Multi-Selecthard

A company is running a critical application on Amazon RDS for PostgreSQL with Multi-AZ deployment. The application performs frequent writes. During a recent failover test, the team observed that the application experienced a 30-second write outage. To minimize downtime during automatic failovers, which configuration changes should the DevOps engineer implement? (Choose TWO.)

Select 2 answers
A.Enable Performance Insights to monitor database load.
B.Configure Amazon RDS Proxy in front of the RDS instance.
C.Use synchronous replication to the standby instance.
D.Increase the DB instance class to a larger size.
E.Set the DNS TTL for the RDS endpoint to 1 second.
AnswersB, E

RDS Proxy maintains connection pools and handles failover transparently, reducing application downtime.

Why this answer

Option B is correct because using Amazon RDS Proxy reduces failover time by pooling and reusing connections, so the application can resume quickly after failover. Option E is correct because Multi-AZ with automatic failover is already in place, but ensuring the database connections use the RDS endpoint with a short DNS TTL allows faster reconnection. Option D (increasing DB instance size) does not reduce failover time.

Option A (enabling Performance Insights) is for monitoring, not failover. Option C (using synchronous replication) is the default for Multi-AZ and does not reduce failover time.

1116
Multi-Selectmedium

An organization uses AWS Elastic Beanstalk to manage a production web application. The application uses a custom AMI that needs to be updated periodically. The team wants to automate the process of updating the AMI and deploying it to the environment with zero downtime. Which THREE steps should the team include in the automation? (Choose THREE.)

Select 3 answers
A.Delete the environment and recreate it with the new AMI.
B.Build a new AMI using a tool like Packer and store it in EC2 Image Builder.
C.Use Elastic Beanstalk's immutable update policy to replace instances with new ones.
D.Update the Elastic Beanstalk environment configuration to use the new AMI ID.
E.Terminate all existing instances and allow Auto Scaling to launch new ones with the new AMI.
AnswersB, C, D

Packer or Image Builder can create updated AMIs.

Why this answer

Options B, C, and D are correct. Option B creates a new AMI version. Option D updates the environment configuration with a rolling update to minimize downtime.

Option C uses an immutable update for zero downtime. Option E is incorrect because terminating instances without a deployment strategy causes downtime. Option A is incorrect because deleting the environment is disruptive.

1117
MCQhard

You are a DevOps engineer at a company that runs a critical web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The application is deployed using AWS CodeDeploy with an in-place deployment strategy. The deployment group contains 10 EC2 instances in an Auto Scaling group. Recently, a deployment failed with the error 'The overall deployment failed because too many individual instances failed deployment.' You check the CodeDeploy agent logs on one of the failed instances and see the error 'Script at /opt/codedeploy-agent/deployment-root/deployment-logs/scripts/application_start.sh failed with exit code 1.' The application_start.sh script is part of the AppSpec file. The script attempts to restart the web server. You notice that the script uses a path that exists only on some instances. What should you do to resolve this issue and prevent future failures?

A.Increase the deployment timeout in CodeDeploy.
B.Modify the application_start.sh script to check for the existence of the path before running the restart command.
C.Remove the application_start.sh script from the AppSpec file.
D.Reinstall the CodeDeploy agent on all instances.
AnswerB

Adding a check prevents failure when the path does not exist.

Why this answer

Option B is correct because the script should check if the path exists before using it, preventing failure. Option A is wrong because it does not fix the script logic. Option D is wrong because the failure is due to the script, not the agent.

Option C is wrong because the script should be fixed, not bypassed.

1118
MCQeasy

A company runs a critical batch processing job on Amazon ECS using Fargate. The job must complete within 2 hours. If the job fails, it must be retried automatically up to 3 times. Which solution meets these requirements?

A.Use AWS Batch with a retry strategy set to 3 attempts
B.Use AWS Step Functions with a task that invokes the ECS task, and configure a retry policy in the state machine
C.Use an Amazon ECS service with a desired count of 1 and enable automatic task replacement
D.Use AWS Lambda with a dead-letter queue and reprocess events
AnswerA

AWS Batch natively supports retry and is designed for batch jobs.

Why this answer

Option A is correct because AWS Batch provides managed retry logic and job scheduling. Option B is wrong because Step Functions requires custom retry logic. Option C is wrong because ECS does not natively retry on failure.

Option D is wrong because Lambda has a 15-minute execution limit.

1119
MCQhard

A company uses DynamoDB global tables with two regions. They notice that writes in one region are not replicating to the other region after a brief network partition. Which configuration will ensure replication resumes automatically?

A.Use DynamoDB Streams with a Lambda function to manually replicate writes.
B.No action needed; DynamoDB automatically resumes replication when connectivity is restored.
C.Manually fail over the table to the other region.
D.Delete the replica table and recreate it.
AnswerB

DynamoDB global tables handle temporary partitions and resume replication automatically.

Why this answer

Option B is correct because DynamoDB global tables automatically resume replication after a partition is resolved. Option C is incorrect because there is no failover needed; replication is handled automatically. Option D is incorrect because deleting and recreating the replica table would cause data loss.

Option A is incorrect because the issue is not a conflict but a temporary partition.

1120
Multi-Selecteasy

A company is using AWS CloudFormation to deploy a microservices architecture. The operations team wants to receive real-time notifications when any stack operation fails. Which TWO AWS services can be used together to achieve this?

Select 2 answers
A.AWS Lambda
B.Amazon CloudWatch Logs
C.AWS CloudTrail
D.Amazon CloudWatch Events (Amazon EventBridge)
E.Amazon Simple Notification Service (SNS)
AnswersD, E

EventBridge can capture CloudFormation events and trigger actions.

Why this answer

Options D and E are correct. CloudWatch Events (now Amazon EventBridge) can capture CloudFormation stack events and trigger an SNS topic to send notifications. Option A is wrong because Lambda alone doesn't provide notifications.

Option C is wrong because CloudTrail is for API auditing, not real-time notification. Option B is wrong because CloudWatch Logs doesn't trigger SNS directly for stack events.

1121
MCQmedium

Refer to the exhibit. Despite scaling up, CPU utilization remains high. What is the MOST likely cause?

A.The instance type t2.micro is too small for the application.
B.The desired capacity is not updated by the scaling policy.
C.The user data script fails to start the application on new instances.
D.The CloudWatch alarm is configured with a threshold different from the target tracking policy's target.
AnswerD

The alarm triggers at 60%, but the target is 50%, causing the scaling policy to not activate correctly or causing conflicts.

Why this answer

The scaling policy uses target tracking with a target of 50%, but the alarm triggers at 60%, which is inconsistent and may cause the scaling to not respond appropriately. Also, with target tracking, the ASG should scale to bring CPU to 50%, but it stays at 70%, suggesting the scaling policy is not being honored or there is an issue with the policy.

1122
Multi-Selectmedium

A DevOps team is designing a CI/CD pipeline for a microservices application deployed on Amazon ECS. The application uses multiple AWS services including RDS, ElastiCache, and SQS. Which TWO strategies should the team implement to ensure secure and auditable configuration management across environments?

Select 2 answers
A.Use AWS Secrets Manager to store and rotate database credentials.
B.Implement AWS Config rules to enforce tagging and compliance standards.
C.Store database credentials in a version-controlled configuration file.
D.Manually review configuration changes before deployment.
E.Grant developers direct S3 access to upload configuration files.
AnswersA, B

Secrets Manager securely stores secrets and supports automatic rotation.

Why this answer

Using AWS Secrets Manager for database credentials (A) avoids hardcoding secrets and enables rotation. AWS Config rules (B) ensure resources comply with policies and provide an audit trail. Option C (hardcoded credentials) is insecure; E (developer S3 access) violates least privilege; D (manual review) is not scalable.

1123
MCQmedium

Your organization uses AWS CodePipeline to orchestrate a multi-stage pipeline for a Java application. The pipeline has a source stage (Amazon S3), a build stage (CodeBuild), and a deploy stage (CodeDeploy to EC2). Recently, the build stage started failing with the error 'BUILD_CONTAINER_UNABLE_TO_PULL_IMAGE'. The build project uses a managed image for Java. You checked the CodeBuild project settings and confirmed that the image is correct. No changes were made to the build project. What is the most likely cause?

A.The S3 bucket policy has been changed to deny access.
B.The build project's environment variables are incorrectly configured.
C.The Docker image specified in the build project is no longer available or the registry is unreachable.
D.The buildspec.yml file contains invalid syntax.
AnswerC

The image pull failure indicates registry issues.

Why this answer

Option C is correct because the managed image may have been updated or the registry may have been unreachable, so the pull failed. Option A is wrong because a bucket-policy change would fail the S3 source stage, not the image pull in the build stage. Option B is wrong because environment variables are not related to pulling the build image.

Option D is wrong because invalid buildspec syntax would fail after the image is pulled, not during the pull.

1124
MCQmedium

A company uses AWS CodePipeline with an S3 source action and a CodeBuild project. The pipeline fails intermittently during the build stage with an error indicating that the source code archive is corrupt. Which action should the DevOps engineer take to resolve this issue?

A.Increase the timeout for the CodeBuild project.
B.Enable versioning on the S3 bucket and use versioned objects in the pipeline.
C.Configure the pipeline to use AWS CodeCommit as the source instead of S3.
D.Add a manual approval step before the build stage.
AnswerB

Versioning prevents corruption issues by preserving object versions.

Why this answer

Enabling versioning on the S3 bucket ensures that object versions are preserved, preventing corruption from overwrites. Option B is correct because using an S3 source with versioning guarantees that the pipeline always retrieves the correct version.

1125
MCQeasy

A company uses AWS CodeCommit for source control. Developers report that their local branches are out of sync with the remote repository, and they are unable to push changes because of 'non-fast-forward' errors. What should the developers do to fix this?

A.Create a new branch and push that instead.
B.Use 'git push --force' to overwrite the remote branch.
C.Pull the latest changes using 'git pull --rebase' and then push.
D.Delete the remote branch and push again.
AnswerC

Rebase applies local commits on top of remote changes, allowing fast-forward.

Why this answer

Option C is correct because 'non-fast-forward' means the remote branch has commits not in the local branch; 'git pull --rebase' integrates the remote changes before pushing. Option B is wrong because a force push overwrites remote commits. Option D is wrong because deleting the remote branch is not needed.

Option A is wrong because creating a new branch does not resolve the conflict.
