AWS Certified DevOps Engineer Professional DOP-C02 (DOP-C02) — Questions 1126-1200

1740 questions total · 24 pages · All types, answers revealed

Page 16 of 24
1126
MCQ · easy

A company is running a production database on Amazon RDS for PostgreSQL with Multi-AZ deployment. The database experiences a failover due to an AZ outage. What happens to the existing database connections during the failover?

A. Existing connections are automatically redirected to the standby without interruption.
B. The RDS endpoint IP address changes, and the application must update its configuration.
C. Existing connections are dropped, and applications must reconnect to the new primary using the same endpoint.
D. The primary DB instance is promoted to standby and connections remain active.
Answer: C

RDS updates DNS to point to the new primary; reconnection required.

Why this answer

Option C is correct. During a Multi-AZ failover, RDS automatically updates the DNS record of the endpoint to point to the standby, but existing connections to the old primary are dropped and must be re-established. Option A is wrong because connections are not preserved.

Option B is wrong because the endpoint does not change; the failover is a DNS update behind the same CNAME. Option D is wrong because the standby is promoted to primary automatically, without manual promotion, and connections do not remain active.

1127
MCQ · medium

A company uses Amazon RDS for MySQL with Multi-AZ deployment. The security team requires that all data be encrypted at rest and that automated backups are also encrypted. Which configuration meets these requirements?

A. Use an S3 bucket policy to enforce encryption for backup files.
B. Enable encryption for the RDS instance using AWS KMS.
C. Enable encryption on automated backups only after creating a snapshot.
D. Enable encryption on the underlying EBS volumes using KMS.
Answer: B

Encrypts data at rest, automated backups, and snapshots.

Why this answer

Option B is correct because enabling encryption on the RDS instance encrypts the data, automated backups, and snapshots. Option D is wrong because encrypting the storage separately is not sufficient; RDS encryption is needed. Option C is wrong because snapshot encryption does not encrypt the live database.

Option A is wrong because RDS does not use an S3 bucket policy for encryption.

1128
MCQ · easy

A DevOps engineer needs to automate the creation of an Amazon ECS cluster using AWS CloudFormation. The cluster will run a web application that requires a load balancer. Which resource should be used to define the ECS cluster?

A. AWS::ECS::Service
B. AWS::ECS::TaskDefinition
C. AWS::ECS::ContainerInstance
D. AWS::ECS::Cluster
Answer: D

This resource defines an ECS cluster.

Why this answer

Option D is correct because AWS::ECS::Cluster is the CloudFormation resource for an ECS cluster. Option A is wrong because AWS::ECS::Service is for running tasks. Option B is wrong because AWS::ECS::TaskDefinition defines the task.

Option C is wrong because AWS::ECS::ContainerInstance is not a CloudFormation resource; container instances are managed by Auto Scaling.

1129
MCQ · medium

A company uses AWS CloudFormation to deploy a three-tier web application. The stack includes an Application Load Balancer (ALB), an Auto Scaling group of EC2 instances, and an Amazon RDS Multi-AZ database. The DevOps team has configured the EC2 instances to send application logs to CloudWatch Logs using the CloudWatch agent. They also set up a CloudWatch alarm on the ALB's 5xx error count. During a recent deployment, the team noticed that the alarm did not trigger even though the application was returning 5xx errors. The team verified that the CloudWatch agent is running on the instances and logs are appearing in CloudWatch Logs. What should the team do to ensure the alarm triggers correctly?

A. Create a metric filter on the EC2 instance's log group to count 5xx errors and create an alarm on that.
B. Change the CloudWatch alarm to use the 'HTTPCode_ELB_5XX_Count' metric instead.
C. Restart the CloudWatch agent on the EC2 instances.
D. Verify that the CloudWatch alarm is using the correct metric 'HTTPCode_Target_5XX_Count' and that the threshold is appropriate.
Answer: D

The correct metric for backend errors is HTTPCode_Target_5XX_Count.

Why this answer

Option D is correct. The ALB's own 5xx metric, HTTPCode_ELB_5XX_Count, counts only the 5xx responses that the ALB itself generates, not the backend responses. When a target returns a 5xx, the ALB forwards it and counts it under HTTPCode_Target_5XX_Count, so the alarm must use that metric with an appropriate threshold.

The team most likely confused the two metrics. Option A is incorrect because the alarm belongs on the ALB metric, not on an EC2 log group; log groups do not affect the ALB alarm. Option B is incorrect because HTTPCode_ELB_5XX_Count excludes errors returned by the targets.

Option C is incorrect because the agent is already working and logs are arriving.

1130
MCQ · hard

A company uses AWS CodePipeline to orchestrate a multi-stage CI/CD pipeline. The build stage uses AWS CodeBuild and the deploy stage uses AWS CodeDeploy. The pipeline includes a manual approval step between build and deploy. The team wants to automatically trigger the pipeline when changes are pushed to a Git repository hosted in AWS CodeCommit. Which pipeline configuration is required for automatic triggers?

A. Configure the source stage to use periodic polling of the CodeCommit repository.
B. Set up an SNS topic to notify the pipeline when code changes occur.
C. Add a Lambda function that calls StartPipelineExecution in response to CodeCommit events.
D. Configure the source stage to use CodeCommit as the source provider and enable 'Amazon CloudWatch Events' (EventBridge) to detect changes.
Answer: D

EventBridge rules automatically start the pipeline when changes are pushed to CodeCommit.

Why this answer

To automatically trigger the pipeline on code changes, the source stage must use CodeCommit as a source action with 'Amazon CloudWatch Events' (now Amazon EventBridge) configured to detect changes. CodePipeline integrates with EventBridge to start the pipeline on repository events. Option D is correct.

Options A, B, and C are not sufficient alone.

1131
MCQ · easy

An Amazon RDS for PostgreSQL instance is running low on storage. The DevOps engineer needs to increase the allocated storage without downtime. Which action should be taken?

A. Modify the DB instance to a larger instance class.
B. Modify the DB instance to increase the allocated storage.
C. Create a snapshot of the DB instance and restore it with larger storage.
D. Launch a new read replica with larger storage and promote it.
Answer: B

Can be done without downtime.

Why this answer

Option B is correct because RDS supports modifying storage settings without downtime; the change is applied during the next maintenance window or immediately if the 'Apply Immediately' option is selected. Option A is wrong because modifying the DB instance class does not increase storage. Option C is wrong because taking a snapshot and restoring would cause downtime.

Option D is wrong because there is no need to replace the instance to add storage; you simply modify the existing DB instance.

1132
MCQ · easy

A company has an Amazon S3 bucket that stores critical data. The company wants to protect the data from accidental deletion and ensure that even the root user cannot delete the bucket. Which S3 feature should the company enable?

A. S3 bucket policy that denies s3:DeleteBucket for all principals.
B. S3 bucket versioning with MFA delete.
C. S3 Object Lock with compliance retention mode.
D. S3 bucket versioning with lifecycle policy to expire noncurrent versions.
Answer: C

Compliance mode prevents any user, including root, from deleting objects.

Why this answer

Option C is correct because S3 Object Lock with compliance retention mode prevents any user, including the root user, from deleting or overwriting objects until the retention period expires. Compliance mode applies a strict, immutable lock that cannot be removed or shortened by any user, including the AWS account root user, ensuring the data is protected against accidental or malicious deletion.

Exam trap

The trap here is that candidates often confuse S3 Object Lock with versioning or MFA delete, thinking that versioning alone prevents deletion, but versioning only protects against overwrites and allows recovery via delete markers, not against intentional deletion by the root user.

How to eliminate wrong answers

Option A is wrong because an S3 bucket policy that denies s3:DeleteBucket for all principals can prevent bucket deletion, but it does not protect objects within the bucket from being deleted, and the root user can still delete the bucket if the policy is removed or if explicit allow overrides the deny. Option B is wrong because S3 bucket versioning with MFA delete protects object versions from deletion only when MFA is enforced, but it does not prevent the root user from deleting the bucket itself, and MFA delete can be disabled by the root user. Option D is wrong because S3 bucket versioning with a lifecycle policy to expire noncurrent versions is designed to manage storage costs by automatically deleting old versions, not to prevent deletion; it actually enables deletion of objects, which is the opposite of the requirement.

1133
MCQ · medium

Refer to the exhibit. A CodePipeline service role has this IAM policy attached. The pipeline's deploy stage uses CodeDeploy to perform an ECS blue/green deployment. The deployment fails with an access denied error. What is the MOST likely missing permission?

A. ecs:RegisterTaskDefinition
B. codedeploy:CreateDeployment
C. ecs:UpdateService
D. ecs:CreateService
Answer: C

Required to update the service with a new task definition during deployment.

Why this answer

Option C is correct because ECS blue/green deployments require the 'ecs:UpdateService' permission to update the service with the new task definition. The policy only allows 'ecs:DescribeServices'. Option A is not needed for blue/green.

Option B is needed but already allowed. Option D is not a standard action.

1134
MCQ · hard

A company uses AWS Organizations with multiple accounts. The security team wants to enforce that all new S3 buckets created in any account within the organization are configured with block public access enabled. Which approach is the most scalable and least operationally burdensome?

A. Use an AWS Config managed rule to detect non-compliant buckets and trigger a remediation Lambda function.
B. Enable AWS CloudTrail and create a metric filter to alert on bucket creation, then manually review.
C. Apply an S3 bucket policy in each account that denies s3:PutBucketPublicAccessBlock with a condition.
D. Attach an SCP to the organization root that denies s3:CreateBucket unless the request includes 's3:PutBucketPublicAccessBlock'.
Answer: D

Preventive and scalable.

Why this answer

Option D is correct because a service control policy (SCP) attached to the organization root can deny the creation of S3 buckets without the 'BlockPublicAccess' settings, and it applies to every account in the organization. Option A is wrong because AWS Config is reactive, not preventive.

Option C is wrong because it requires configuring each account individually. Option B is wrong because CloudTrail is for auditing, not prevention.

1135
MCQ · hard

A company uses AWS CodePipeline to deploy a serverless application using AWS SAM. The pipeline has a source stage from CodeCommit, a build stage that runs 'sam build', and a deploy stage that runs 'sam deploy --no-confirm-changeset'. The deploy stage fails with the error 'The security token included in the request is invalid.' What is the MOST likely cause?

A. The CloudFormation stack is in a 'ROLLBACK_COMPLETE' state and cannot be updated.
B. The CodeBuild project does not have access to the CodeCommit repository.
C. The IAM role used by CodeBuild has expired credentials or insufficient permissions to call AWS CloudFormation.
D. The SAM template is invalid and contains syntax errors.
Answer: C

Expired or invalid credentials result in a 'security token invalid' error.

Why this answer

Option C is correct because 'sam deploy --no-confirm-changeset' makes AWS API calls through the CLI, and if the credentials used by CodeBuild are expired or invalid, this error occurs. Option D is incorrect because SAM template syntax errors produce different errors. Option A is incorrect because a CloudFormation stack state problem does not cause token errors.

Option B is incorrect because a CodeCommit access problem would surface in the source or build stage, not as an invalid security token in the deploy stage.

1136
MCQ · medium

Your company runs a multi-tier web application on AWS. The web tier consists of EC2 instances behind an Application Load Balancer (ALB) in an Auto Scaling group across three Availability Zones. The application tier runs on a separate Auto Scaling group of EC2 instances that process requests from the web tier. The database tier uses an Amazon RDS for PostgreSQL Multi-AZ deployment. All application servers write logs to Amazon CloudWatch Logs. Recently, the operations team reported that during peak hours, the web tier experiences intermittent 503 errors. The ALB access logs show that the errors occur when the target group's healthy host count drops to zero momentarily. The Auto Scaling group's minimum and desired capacity is 6, with a maximum of 12. The scaling policy is based on average CPU utilization, with a target of 60%. The health check grace period is 300 seconds. The application health check endpoint returns a 200 status when healthy. The DevOps engineer suspects that the scaling policy is too slow to react to traffic spikes. The engineer wants to implement a more proactive scaling approach. Which solution should the engineer implement?

A. Implement a predictive scaling policy combined with dynamic scaling to proactively adjust capacity based on forecasted traffic.
B. Implement a scheduled scaling policy that increases capacity 30 minutes before the expected peak.
C. Increase the health check grace period to 600 seconds to give new instances more time to become healthy.
D. Switch to a step scaling policy with a lower cooldown period and a greater scaling adjustment.
Answer: A

Predictive scaling uses historical data to forecast demand and proactively adjust capacity, preventing the healthy host count from dropping to zero.

Why this answer

Option A is correct because using a predictive scaling policy combined with dynamic scaling provides a proactive approach that anticipates traffic patterns and adjusts capacity in advance. Option C (increasing the health check grace period) does not help with scaling speed. Option D (step scaling with a lower cooldown) is still reactive and may still cause dips.

Option B (scheduled scaling) works only if traffic patterns are predictable and doesn't handle unexpected spikes well.

1137
MCQ · medium

A company uses AWS CloudTrail to log API events. During an incident investigation, they need to identify who deleted an S3 bucket. Which CloudTrail feature should be used to retrieve the event details quickly?

A. CloudTrail log file integrity validation
B. CloudTrail Lake
C. CloudTrail Event history
D. CloudTrail Insights
Answer: C

Provides 90 days of management events with user identity details.

Why this answer

CloudTrail Event history provides a view of the last 90 days of management events for each AWS region, allowing you to quickly search and filter by resource name (e.g., the S3 bucket name) and event name (e.g., DeleteBucket). This feature is designed for rapid retrieval of recent API activity without needing to query S3 or set up additional infrastructure, making it the fastest option for identifying who deleted an S3 bucket during an incident investigation.

Exam trap

The trap here is that candidates often confuse CloudTrail Insights (which detects unusual activity) with the ability to search for specific past events, or they overcomplicate the solution by choosing CloudTrail Lake when Event history provides the quickest and simplest retrieval for recent events.

How to eliminate wrong answers

Option A is wrong because CloudTrail log file integrity validation is a feature that uses SHA-256 hashing and digital signatures to verify that log files have not been tampered with after delivery; it does not help retrieve or search event details. Option B is wrong because CloudTrail Lake is an analytical data store for running SQL queries on historical events, but it requires configuration and ingestion time, making it slower than Event history for a quick lookup of recent events. Option D is wrong because CloudTrail Insights identifies unusual API activity and potential security threats by analyzing write management events, but it does not provide a direct searchable list of all events or the specific details of who deleted a bucket.

1138
MCQ · medium

Refer to the exhibit. An IAM policy is attached to a user who needs to start a CodePipeline pipeline and view its details. The user reports that they cannot see the pipeline in the AWS Management Console. What is the MOST likely reason?

A. There is an explicit deny statement elsewhere that is overriding the allow.
B. The user does not have permission to start the pipeline execution.
C. The pipeline ARN is incorrect.
D. The policy does not include the codepipeline:ListPipelines action, which is needed to view pipelines in the console.
Answer: D

ListPipelines is required to list pipelines in the console.

Why this answer

Option D is correct because the policy only allows specific actions on a specific resource, but the console also requires the codepipeline:ListPipelines action to list pipelines. Without ListPipelines, the user cannot see the pipeline in the console. Option B is wrong because the start action is allowed by the policy.

Option A is wrong because there is no explicit deny. Option C is wrong because the pipeline ARN is not the problem; the pipeline exists.

1139
MCQ · hard

A company has a multi-account AWS environment using AWS Organizations. The security team wants to enforce that all S3 buckets across accounts are encrypted with AWS KMS. Which combination of controls should be used to enforce this?

A. Use an SCP to deny s3:PutBucketEncryption with encryption disabled, and AWS Config rules to detect non-compliant buckets.
B. Attach an IAM policy to all users denying s3:PutObject without KMS.
C. Use an SCP to deny s3:CreateBucket without encryption, and rely on CloudTrail to alert.
D. Use AWS Config rules only, with automatic remediation via Lambda.
Answer: A

SCP prevents non-compliant creation, Config detects existing violations.

Why this answer

Option A is correct because it combines preventive and detective controls. An SCP can deny the s3:PutBucketEncryption action unless the bucket is configured with KMS encryption, which prevents non-compliant buckets from being created or modified. AWS Config rules then detect any existing non-compliant buckets or changes that bypass the SCP, providing continuous compliance monitoring.

Exam trap

The trap here is that candidates often confuse object-level encryption (s3:PutObject) with bucket-level default encryption (s3:PutBucketEncryption), and fail to realize that an SCP is needed for preventive enforcement, not just detective or reactive controls.

How to eliminate wrong answers

Option B is wrong because it only controls s3:PutObject, which enforces encryption at the object level but does not prevent creation of unencrypted buckets or enforce bucket-level default encryption settings. Option C is wrong because relying solely on CloudTrail alerts provides only detective control after the fact, with no preventive enforcement to block non-compliant bucket creation. Option D is wrong because AWS Config rules with automatic remediation are reactive and may have a delay, whereas a preventive SCP is needed to block non-compliant actions in real time.

1140
MCQ · hard

A company uses AWS CloudFormation to manage infrastructure. They have a template that creates an Amazon RDS DB instance. The template includes a 'DeletionPolicy' attribute set to 'Retain' on the DB instance resource. The DevOps team deletes the stack. Later, they notice that the DB instance still exists and is incurring costs. What is the MOST cost-effective way to remove the DB instance?

A. Create a new CloudFormation stack that includes the same DB instance but with a DeletionPolicy of 'Delete', then delete that stack.
B. Manually delete the DB instance using the AWS Management Console or AWS CLI.
C. Use the 'aws cloudformation delete-change-set' command to remove the resource.
D. Update the stack: change the DeletionPolicy to 'Delete' and then delete the stack again.
Answer: B

Correct. The instance was retained, so manual deletion is the simplest and most cost-effective approach.

Why this answer

Option B (manually delete the DB instance via the AWS Management Console or CLI) is correct because a DeletionPolicy of Retain prevents CloudFormation from deleting the resource; manual deletion is the simplest and most cost-effective approach. Option D is wrong because updating the stack with a DeletionPolicy of 'Delete' and deleting it again would work but adds unnecessary steps. Option A is wrong because creating a new stack just to delete the resource is overly complex.

Option C is wrong because the RDS instance is not part of a change set; it now exists independently of the stack.

1141
MCQ · hard

A company runs a critical application on AWS Lambda that processes sensitive data. The security team mandates that all data must be encrypted at rest and in transit. The Lambda function uses an environment variable to store a database password. The DevOps engineer has enabled encryption of environment variables using a KMS CMK. The Lambda function also needs to decrypt the password at runtime. The engineer attaches an IAM role to the Lambda function with permissions to decrypt using the KMS key. However, when the function executes, it fails with an error 'AccessDeniedException' when trying to decrypt the environment variable. The engineer checks the IAM role and confirms that it has kms:Decrypt permission. The KMS key policy allows the root user full access. What is the most likely cause?

A. The KMS key policy does not grant the Lambda execution role permission to use the key.
B. The Lambda function code is trying to decrypt the wrong ciphertext.
C. The KMS key has been disabled or scheduled for deletion.
D. The Lambda function is not in a VPC, and the KMS key is restricted to VPC endpoints.
Answer: A

Even if IAM policy allows, key policy must also allow.

Why this answer

To decrypt environment variables, Lambda calls kms:Decrypt on the key; no kms:GenerateDataKey permission is involved at runtime. The execution role's IAM policy grants kms:Decrypt, but KMS authorization also evaluates the key policy.

A key policy that grants the account root user full access does not automatically extend that access to IAM roles in the account; the key policy must grant the role itself (or enable IAM policies) before the decrypt call succeeds. That grant is what is missing here, so Option A is correct.

Option D is about VPC placement, which is not relevant. Option C is about the key being disabled, but that would produce a different error. Option B is about the function code, but the error is an access denial, not a decryption failure.

1142
MCQ · medium

A company experiences an EC2 instance failure in an Auto Scaling group. The instance is terminated and replaced automatically. The DevOps engineer needs to troubleshoot why the instance failed. Which AWS service should the engineer use to view the instance's console output and screenshots before termination?

A. AWS CloudTrail
B. Amazon CloudWatch Logs
C. AWS Systems Manager Session Manager
D. AWS Config
Answer: C

Session Manager can retrieve EC2 console output and screenshots.

Why this answer

Option C is correct because AWS Systems Manager Session Manager can be used to retrieve EC2 console output and screenshots. Option B (CloudWatch Logs) does not capture console output by default. Option A (CloudTrail) records API calls, not instance-level console output.

Option D (Config) is for configuration compliance, not troubleshooting instance failures.

1143
MCQ · easy

A company uses AWS CodeBuild to compile and test code. The buildspec.yml file includes commands that require access to a private S3 bucket. The DevOps engineer wants to securely provide AWS credentials to the build project. What is the recommended approach?

A. Use a service role for CodeBuild with appropriate permissions
B. Store the AWS access key ID and secret access key in the buildspec.yml file
C. Use an EC2 instance profile attached to the build environment
D. Pass the credentials as environment variables in the build project configuration
Answer: A

Service roles are the secure way to grant permissions.

Why this answer

Option A is correct because the recommended approach is to use a CodeBuild service role that grants access to the S3 bucket. Option B is wrong because access keys should never be hardcoded in the buildspec. Option C is wrong because instance profiles are for EC2, not CodeBuild.

Option D is wrong because plain environment variables are not a secure place for long-lived credentials.

1144
MCQ · hard

A company uses AWS CodePipeline to deploy a static website to an S3 bucket. The pipeline has a Source stage (GitHub), a Build stage (CodeBuild), and a Deploy stage (CodeDeploy). The deployment fails intermittently with the error: 'Bucket does not allow ACLs'. The S3 bucket is configured to use the 'bucket-owner-enforced' setting for Object Ownership. The team wants to resolve the failure while maintaining security best practices. What should the team do?

A. Update the CodeDeploy deployment action to use a bucket policy and disable ACLs.
B. Make the S3 bucket publicly accessible to allow CodeDeploy to write objects.
C. Add a step in CodeBuild to copy the artifacts to the S3 bucket using the AWS CLI.
D. Change the Object Ownership setting to 'ObjectWriter' to enable ACLs.
Answer: A

Bucket policies are the recommended way to manage permissions when ACLs are off.

Why this answer

When Object Ownership is set to bucket-owner-enforced, ACLs are disabled, so the CodeDeploy action must be configured to use bucket policies instead of ACLs (Option A). Option D (reverting the ownership setting to ObjectWriter) weakens security; Option B (making the bucket public) is insecure; Option C (copying from CodeBuild) does not address the cause of the failure.

1145
MCQ · hard

A company runs a multi-account environment using AWS Organizations. The security team has implemented a service control policy (SCP) that denies all actions on DynamoDB tables unless the request includes a specific tag "Environment": "Production". The development team has an IAM role with full DynamoDB access in their account. When they try to create a DynamoDB table using the AWS CLI, they receive an access denied error. They are certain they included the tag. The DevOps engineer reviews the SCP and finds that it uses the condition key "aws:RequestTag". However, the engineer notices that the SCP also denies access if the request does not include the tag for tagging actions. What is the most likely reason for the access denied error?

A. The SCP requires an explicit allow statement in the IAM policy to override the deny.
B. The IAM role does not have permission to tag resources.
C. The CreateTable API does not accept tags in the request; tags must be added after creation using the TagResource API.
D. The SCP is not applied to the development account because it is in a different OU.
Answer: C

The CreateTable API does not support tagging at creation. The SCP condition fails because the tag is not present in the request.

Why this answer

Option C is correct because the `CreateTable` API in DynamoDB does not accept tags as part of the request parameters when creating a table. Tags can only be added after the table is created using the `TagResource` API or the `aws dynamodb tag-resource` CLI command. Since the SCP uses `aws:RequestTag` to require the tag on the initial request, and the `CreateTable` call cannot include tags, the request is denied regardless of whether the developer intended to include the tag.

Exam trap

The trap here is that candidates assume all AWS resource creation APIs support inline tagging, but DynamoDB's `CreateTable` does not, leading to a false belief that including the tag in the CLI command would satisfy the SCP condition.

How to eliminate wrong answers

Option A is wrong because SCPs do not require an explicit allow statement in IAM policies to override a deny; SCPs act as a boundary that cannot be overridden by any IAM policy within the account. Option B is wrong because the issue is not about the IAM role lacking permission to tag resources; the SCP denies the CreateTable action itself because the request cannot include the required tag, not because the role lacks tagging permissions. Option D is wrong because the SCP is applied to the development account via AWS Organizations, and the error occurs, confirming the SCP is in effect; being in a different OU does not prevent SCP application if the SCP is attached to the root or the OU containing the account.

1146
MCQ · hard

A DevOps engineer is designing a CI/CD pipeline that builds a Docker image and pushes it to Amazon ECR. The pipeline must scan the image for vulnerabilities before deployment. Which service should be integrated?

A. AWS Security Hub
B. Amazon Inspector
C. Amazon ECR image scanning
D. AWS Config
Answer: C

ECR can automatically scan images on push.

Why this answer

Amazon ECR image scanning is the correct service because it is a native feature of Amazon ECR that automatically scans Docker images for software vulnerabilities (CVEs) when they are pushed to the repository. This scanning uses the Common Vulnerabilities and Exposures (CVE) database from the open-source Clair project and can be configured to trigger on push, making it the ideal choice for integrating vulnerability scanning directly into a CI/CD pipeline before deployment.

Exam trap

The trap here is that candidates confuse Amazon Inspector (which scans running containers for runtime vulnerabilities) with ECR image scanning (which scans the image at rest in the registry), leading them to select Inspector instead of the correct ECR-native feature.

How to eliminate wrong answers

Option A is wrong because AWS Security Hub is a centralized security posture management service that aggregates findings from multiple AWS services (like GuardDuty, Inspector, and Macie) but does not perform its own image vulnerability scanning. Option B is wrong because Amazon Inspector is designed for host-level vulnerability scanning of EC2 instances and container workloads running on ECS/EKS, not for scanning container images stored in ECR. Option D is wrong because AWS Config is a service for evaluating and auditing resource configurations against compliance rules (e.g., ensuring ECR repositories are private), not for scanning images for software vulnerabilities.

1147
Multi-Select · medium

A company wants to set up centralized logging for its multi-account AWS environment. The logs include CloudTrail, VPC Flow Logs, and Amazon Route 53 resolver query logs. Which TWO services should they use to achieve this with minimal operational overhead? (Select TWO.)

Select 2 answers
A. Amazon CloudWatch Logs
B. Amazon S3
C. Amazon Kinesis Data Streams
D. Amazon OpenSearch Service
E. AWS CloudTrail
Answers: A, B

Can aggregate logs from multiple accounts using cross-account subscription filters.

Why this answer

Option A (CloudWatch Logs) and Option B (S3) are correct because CloudWatch Logs can receive logs from multiple accounts via cross-account subscription filters, and S3 can serve as a central archive. Option C is wrong because Kinesis is not needed as an intermediate. Option D is wrong because OpenSearch adds operational overhead.

Option E is wrong because CloudTrail alone cannot centralize all of the listed log types.

1148
MCQ · medium

A company runs a critical application on EC2 instances that need to access an S3 bucket with sensitive data. The security team has enabled S3 bucket policies that require TLS for all requests (aws:SecureTransport). The application is failing to access the S3 bucket, and logs show errors like 'Access Denied'. The application uses the AWS SDK to make requests. What is the most likely cause of the failure?

A. The S3 bucket is accessed through a VPC endpoint that does not support TLS.
B. The application's IAM role does not have s3:GetObject permission.
C. The bucket policy requires a specific TLS version that the application does not support.
D. The application is using HTTP instead of HTTPS to connect to S3.
Answer: D

If the application makes requests over HTTP, they will not satisfy the aws:SecureTransport condition and will be denied by the bucket policy.

Why this answer

The bucket policy requires TLS, meaning all requests must be made over HTTPS. If the application is using HTTP instead of HTTPS, the request will be denied. The AWS SDK by default uses HTTPS for S3 endpoints, but if the endpoint URL is explicitly set to HTTP or if the SDK configuration is changed, it could cause the issue.

Option A is wrong because VPC endpoints do not affect the TLS requirement. Option B is wrong because IAM roles can access S3 if they have the right permissions; the symptom here is a policy condition failure, not a missing permission. Option C is wrong because the bucket policy does not require a specific TLS version or cipher suite, only that the request use TLS.

Option D is correct: if the application is using HTTP, it violates the bucket policy condition.

1149
Multi-Selectmedium

A DevOps team is designing a CI/CD pipeline using AWS CodeBuild and CodePipeline. They want to use infrastructure as code to define the build environment. Which TWO options are valid approaches to define the build environment in CodeBuild?

Select 2 answers
A.Configure CodeDeploy to set up the build environment before the build starts.
B.Define the build environment using a buildspec.yml file that includes runtime versions and environment variables.
C.Use an Elastic Beanstalk environment to run the build.
D.Use a custom Docker image stored in Amazon ECR as the build environment.
E.Use an AWS CloudFormation template to specify the build environment configuration.
AnswersB, D

The buildspec file is the primary way to define build commands and environment.

Why this answer

Option B is correct because the buildspec.yml file is the primary mechanism in AWS CodeBuild to define the build environment, including runtime versions (e.g., runtime: nodejs:18) and environment variables. This file is placed at the root of the source code and instructs CodeBuild on how to execute the build phases, making it a valid infrastructure-as-code approach for environment configuration.

Exam trap

The trap here is that candidates may think CloudFormation or CodeDeploy can define the build environment, but CodeBuild only accepts environment definitions via buildspec.yml or a custom Docker image, not through external IaC services.

1150
MCQhard

You are a DevOps engineer for a company that runs a containerized microservices application on Amazon ECS with Fargate. The CI/CD pipeline uses AWS CodePipeline, with CodeBuild for building Docker images and pushing them to Amazon ECR, and CodeDeploy for deploying to ECS. The pipeline has a manual approval step before production deployment. Recently, the production deployment failed after approval, with the error: 'The service my-service could not be deployed because the task definition arn:aws:ecs:us-east-1:123456789012:task-definition/my-task:5 references an image that does not exist in the repository.' The image was built and pushed successfully in the Build stage. The task definition is updated by CodeDeploy to reference the new image URI. The ECS service is configured with 'deploymentController: CODE_DEPLOY' and uses a blue/green deployment. The CodeDeploy deployment group uses a 'Lambda' compute platform (incorrectly set). The pipeline uses the default CodeDeploy provider for ECS. What is the most likely cause of the failure?

A.The CodeDeploy deployment group's compute platform is set to 'Lambda' instead of 'ECS'.
B.The manual approval step changed the task definition ARN to a previous version.
C.The ECR repository has a lifecycle policy that expired the image tag before deployment.
D.The CodePipeline is not configured to use the CodeDeploy provider for ECS.
AnswerA

Incorrect compute platform causes deployment failure.

Why this answer

Option A is correct because CodeDeploy for ECS requires the compute platform to be 'ECS' (or 'Server' for EC2), not 'Lambda'. Setting it to 'Lambda' causes the deployment to fail because CodeDeploy tries to apply a Lambda deployment configuration. Option C is wrong because the image was pushed successfully.

Option D is wrong because the pipeline does use the CodeDeploy provider for ECS. Option B is wrong because the approval step is manual and would not change the image reference.

1151
MCQhard

A Lambda function 'my-function' is invoked multiple times, but no logs appear in CloudWatch. The DevOps engineer runs the above CLI command and sees that the log group exists but 'storedBytes' is 0. What is the MOST likely cause?

A.The Lambda function is invoked too frequently, causing CloudWatch to throttle log ingestion.
B.The log group's retention policy of 7 days deletes logs immediately after creation.
C.The Lambda execution role lacks permissions to create log streams and put log events.
D.The Lambda function does not have a log group; the one shown belongs to another resource.
AnswerC

Missing CloudWatch Logs permissions is a common cause of no logs.

Why this answer

Option C is correct because the Lambda function's execution role must have permissions to create log streams and put log events. Without these permissions, the function cannot write logs. Option A is wrong because a log group with 0 storedBytes indicates that no logs were written, not that there were too many.

Option B is wrong because the retention policy does not prevent log creation. Option D is wrong because Lambda automatically creates the log group when logging is configured properly.

1152
Multi-Selecthard

A company wants to centralize logging from multiple AWS accounts and regions. The logs should be stored in a central S3 bucket for compliance. Which THREE steps are required to achieve this? (Choose THREE.)

Select 3 answers
A.Create a cross-account subscription in Amazon CloudWatch Logs to stream logs to the central account.
B.Create an S3 bucket in the central account with appropriate bucket policy granting permissions to CloudTrail.
C.Enable CloudTrail in each region where the company operates.
D.Enable AWS CloudTrail in each account and configure it to deliver logs to the central S3 bucket.
E.Turn on CloudTrail data events for all S3 and Lambda resources.
AnswersB, C, D

The central bucket needs a policy allowing CloudTrail to write logs from other accounts.

Why this answer

Option B is correct because to centralize logs from multiple accounts into a single S3 bucket, the bucket in the central account must have a bucket policy that explicitly grants the necessary permissions (e.g., `s3:PutObject`) to the CloudTrail service principal (`cloudtrail.amazonaws.com`) from each source account. This policy allows CloudTrail in the source accounts to write log files directly into the central bucket, enabling centralized storage for compliance.

Exam trap

The trap here is that candidates often confuse the need for a cross-account CloudWatch Logs subscription (Option A) with the direct S3 delivery mechanism of CloudTrail, or they mistakenly think enabling data events (Option E) is mandatory for centralization, when only management events and proper S3 bucket policy configuration are required.

1153
MCQhard

Given the above AWS CLI command output, which actions are allowed for the specified policy?

A.Only s3:GetObject is allowed
B.ec2:DescribeInstances and s3:GetObject are allowed; s3:ListBucket is denied
C.Only ec2:DescribeInstances is allowed
D.All three actions are allowed
AnswerB

The policy allows ec2:Describe* and s3:GetObject, so only those are allowed.

Why this answer

The simulate-custom-policy command tests the specified policy against the given actions and resources. For ec2:DescribeInstances, the action is allowed (ec2:Describe* covers it). For s3:GetObject, the action is allowed.

For s3:ListBucket, the action is not allowed because the policy only allows s3:GetObject, not s3:ListBucket. So two actions are allowed and one is denied. Option B is correct.
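The two policy-evaluation questions above (1148, the TLS-only bucket policy, and 1153, the simulate-custom-policy output) turn on the same mechanics: action wildcards, an explicit Deny with a condition, and the implicit-deny default. The following added example (not part of the question bank and not the AWS policy engine) models just those pieces; the bucket name, role ARN and policy documents are constructed samples, and Principal matching is deliberately left out.

```python
"""Tiny IAM policy evaluator, constructed for illustration (NOT the AWS engine).

Modelled: action wildcards such as ec2:Describe*, resource matching, an explicit
Deny with a Bool condition on aws:SecureTransport, and the implicit-deny default.
Decisions use the EvalDecision vocabulary that `aws iam simulate-custom-policy`
returns: 'allowed', 'explicitDeny', 'implicitDeny'. Principal is not evaluated.
"""
import fnmatch
import json


def _as_list(value):
    """IAM lets Action/Resource/Statement be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def action_matches(pattern, action):
    """IAM action matching is case-insensitive and supports * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def condition_matches(condition, context):
    """Evaluate a Condition block. Only Bool and StringEquals are modelled here.
    A missing context key makes the condition fail, as in IAM without *IfExists."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "Bool":
                if str(actual).lower() != str(expected).lower():
                    return False
            elif operator == "StringEquals":
                if str(actual) not in [str(e) for e in _as_list(expected)]:
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled")
    return True


def evaluate(policies, action, resource, context=None):
    """Return 'explicitDeny', 'allowed' or 'implicitDeny'.
    An explicit Deny in any matching statement wins over every Allow."""
    context = context or {}
    decision = "implicitDeny"
    for policy in _as_list(policies):
        for stmt in _as_list(policy["Statement"]):
            if not any(action_matches(p, action) for p in _as_list(stmt["Action"])):
                continue
            if not any(fnmatch.fnmatchcase(resource, r)
                       for r in _as_list(stmt.get("Resource", "*"))):
                continue
            if "Condition" in stmt and not condition_matches(stmt["Condition"], context):
                continue
            if stmt["Effect"] == "Deny":
                return "explicitDeny"
            decision = "allowed"
    return decision


# --- Question 1148: bucket policy that requires TLS (constructed sample) ---
TLS_ONLY_BUCKET_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-role"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
  ]
}""")


def s3_get_decision(over_https):
    """Decision for s3:GetObject on the sample bucket, depending on the transport used."""
    ctx = {"aws:SecureTransport": "true" if over_https else "false"}
    return evaluate(TLS_ONLY_BUCKET_POLICY, "s3:GetObject",
                    "arn:aws:s3:::example-bucket/data.csv", ctx)


# --- Question 1153: identity policy as fed to simulate-custom-policy (constructed) ---
READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["ec2:Describe*", "s3:GetObject"],
                   "Resource": "*"}],
}


def simulate(policy, actions, resource="*"):
    """Mirror the per-action EvalDecision list the CLI command prints."""
    return {a: evaluate(policy, a, resource) for a in actions}


if __name__ == "__main__":
    print("HTTPS:", s3_get_decision(True))    # allowed
    print("HTTP: ", s3_get_decision(False))   # explicitDeny
    print(simulate(READ_ONLY_POLICY,
                   ["ec2:DescribeInstances", "s3:GetObject", "s3:ListBucket"]))
```

Running the script shows why an HTTP request hits the Deny even though the role's Allow matches, and why s3:ListBucket falls through to implicitDeny rather than explicitDeny in the simulation.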

1154
Multi-Selecteasy

A company uses AWS CodeBuild to run tests as part of their CI/CD pipeline. They want to store build artifacts in an S3 bucket and ensure that only the latest successful build artifacts are retained. Which TWO actions should they take? (Choose TWO.)

Select 2 answers
A.Configure CodeBuild to output artifacts to a specific S3 bucket.
B.Use an S3 lifecycle policy to delete objects after a certain number of days.
C.Store artifacts in an AWS CodeCommit repository.
D.Enable versioning on the S3 bucket to keep all versions.
E.Use CloudWatch Logs to store build logs.
AnswersA, B

CodeBuild can directly store artifacts in S3.

Why this answer

Options A and B are correct. Option A configures CodeBuild to store artifacts in S3. Option B sets a lifecycle policy to expire old artifacts.

Option D is wrong because versioning would retain all artifacts. Option C is wrong because CodeCommit is for source code, not build artifacts. Option E is wrong because CloudWatch Logs is for logs, not artifacts.

1155
Multi-Selectmedium

A company is building a serverless application using AWS Lambda, Amazon API Gateway, and Amazon DynamoDB. The application is expected to have unpredictable traffic patterns. The DevOps team needs to ensure that the application can handle sudden spikes in traffic without throttling. Which TWO actions should the team take? (Choose TWO.)

Select 2 answers
A.Use DynamoDB on-demand capacity mode for the table.
B.Configure Lambda provisioned concurrency to keep a set number of execution environments warm.
C.Configure DynamoDB auto scaling with a minimum capacity of 10 read/write capacity units.
D.Increase the Lambda function timeout to the maximum (15 minutes).
E.Set API Gateway throttling limits to a high value to prevent throttling.
AnswersA, B

On-demand instantly scales to handle spikes.

Why this answer

Option A is correct because DynamoDB on-demand capacity mode automatically scales to handle unpredictable traffic spikes without requiring capacity planning or throttling. This mode charges per request and can accommodate sudden bursts of traffic up to the table's previous peak, making it ideal for serverless applications with variable workloads.

Exam trap

The trap here is that candidates often confuse DynamoDB auto scaling with on-demand capacity, thinking auto scaling can handle sudden spikes as effectively as on-demand, but auto scaling has a lag time and can still throttle during rapid bursts.

1156
MCQhard

An application running on Amazon ECS (Fargate) experiences intermittent HTTP 503 errors. The application uses an Application Load Balancer. The ECS service has a desired count of 2. CPU and memory utilization are below 50%. What is the most likely cause?

A.The ECS service Auto Scaling is too aggressive.
B.The target group health check threshold is set too low.
C.The ALB listener rule is misconfigured.
D.The task definition has an incorrect memory hard limit.
AnswerB

A low threshold may mark healthy instances as unhealthy, causing 503 errors.

Why this answer

Intermittent HTTP 503 errors from an Application Load Balancer (ALB) typically indicate that the target group health checks are failing, causing the ALB to stop routing traffic to the affected tasks. With a desired count of 2 and low CPU/memory utilization, the most likely cause is a health check threshold set too low (e.g., a low unhealthy threshold count), which makes the ALB prematurely mark tasks as unhealthy during transient issues, leading to no healthy targets and 503 responses. This aligns with the symptom of intermittent errors, as tasks may briefly fail a health check but recover quickly, yet the low threshold causes them to be deregistered.

Exam trap

The trap here is that candidates often attribute 503 errors to resource exhaustion (CPU/memory) or scaling issues, but the question explicitly states low utilization, forcing you to focus on health check configuration as the root cause of intermittent availability.

How to eliminate wrong answers

Option A is wrong because aggressive Auto Scaling would typically cause rapid scaling events, not intermittent 503 errors, and with CPU/memory below 50%, there is no resource pressure to trigger scaling. Option C is wrong because a misconfigured ALB listener rule would cause persistent routing failures (e.g., 404 or 502 errors) for specific paths or hosts, not intermittent 503 errors across all requests. Option D is wrong because an incorrect memory hard limit in the task definition would cause the ECS task to be killed (OOMKilled) or fail to start, resulting in consistent 503 errors or task failures, not intermittent ones.

1157
Multi-Selecteasy

Which TWO are benefits of using AWS CloudFormation for infrastructure as code? (Select TWO.)

Select 2 answers
A.Manages both AWS and on-premises resources.
B.Enables declarative infrastructure definition.
C.Automates resource provisioning and reduces manual error.
D.Provides a graphical interface for designing infrastructure.
E.Automatically optimizes resource costs.
AnswersB, C

Users declare the desired state.

Why this answer

Option B is correct because CloudFormation provides a declarative way to define infrastructure. Option C is correct because it automates provisioning and reduces manual error. Option D is wrong because CloudFormation does not provide a drag-and-drop graphical interface for designing infrastructure.

Option A is wrong because CloudFormation manages AWS resources, not on-premises resources. Option E is wrong because it does not automatically optimize costs.

1158
MCQmedium

A company runs a web application on AWS that uses Amazon SQS to decouple the frontend from the backend processing. The application experiences sudden spikes in traffic, causing the SQS queue to accumulate a large number of messages. The backend workers are unable to process messages fast enough, leading to increased latency. What solution can the company implement to improve the resilience and scalability of the backend?

A.Reduce the receive message wait time (long polling) to poll the queue more frequently.
B.Increase the visibility timeout of the SQS queue to allow more time for processing.
C.Use an SQS FIFO queue instead of a standard queue to ensure ordered processing.
D.Configure an Auto Scaling group for the backend workers with a scaling policy based on the SQS queue depth.
AnswerD

Auto Scaling based on queue length dynamically adjusts the number of workers to handle spikes.

Why this answer

Option D is correct because configuring an Auto Scaling group for the backend workers with a scaling policy based on the SQS queue depth (ApproximateNumberOfMessagesVisible) directly addresses the sudden traffic spikes. This approach dynamically adds more worker instances when the queue depth increases, improving processing throughput and reducing latency. It ensures the backend scales in response to demand, enhancing both resilience and scalability.

Exam trap

The trap here is that candidates often confuse operational fixes (like adjusting polling or visibility timeout) with architectural scalability solutions, failing to recognize that only dynamic scaling of compute resources can handle unpredictable traffic spikes.

How to eliminate wrong answers

Option A is wrong because reducing the receive message wait time (long polling) to poll more frequently would increase the number of empty responses and API calls, potentially throttling the workers without improving processing capacity; long polling (wait time up to 20 seconds) is actually more efficient for reducing latency and empty receives. Option B is wrong because increasing the visibility timeout only gives workers more time to process a single message, but does not address the root cause of insufficient worker capacity; it can even cause message processing delays if workers fail and messages become visible again after the timeout. Option C is wrong because using an SQS FIFO queue ensures exactly-once processing and message ordering, but does not improve throughput or scalability; FIFO queues have a lower throughput limit (300 transactions per second without batching) compared to standard queues, which would worsen the backlog during spikes.

1159
MCQhard

A company uses AWS Lambda functions to process messages from an Amazon SQS queue. The Lambda function sometimes fails due to a transient error in a downstream API. The DevOps engineer wants to ensure that failed messages are retried automatically and eventually sent to a dead-letter queue after 3 failed attempts. The SQS queue is configured with a redrive policy that moves messages to a DLQ after 3 receive attempts. However, Lambda functions that fail are not being retried. What is the MOST likely reason?

A.The batch size is set to 1, preventing retries.
B.The visibility timeout is set too low, causing messages to be retried immediately.
C.The event source mapping has 'MaximumRetryAttempts' set to 0.
D.The dead-letter queue is not configured on the Lambda function.
AnswerC

Setting MaximumRetryAttempts to 0 disables retries by Lambda, so the function is invoked only once per message.

Why this answer

Option C is correct. By default, when a Lambda function fails to process an SQS message, the queue treats the message as received and increments its receive count. If the function does not delete the message and returns an error, the message becomes visible again after the visibility timeout. When the function returns an error, Lambda will also retry the invocation up to 2 times (for a total of 3 attempts) based on the function's retry policy.

But if the event source mapping has 'MaximumRetryAttempts' set to 0, no retries occur. The question states that the SQS redrive policy should move messages to the DLQ after 3 receive attempts, so if the Lambda function is not retrying, the most likely reason is that the event source mapping's 'MaximumRetryAttempts' is set to 0. Option D is wrong because the DLQ is configured on the SQS queue, not on the Lambda function.

Option B is wrong because the visibility timeout affects only when the message becomes visible again; if the function fails, retries are governed by the event source mapping settings. Option A is wrong because the batch size does not affect retries.

1160
MCQeasy

A company uses AWS OpsWorks for configuration management of its EC2 instances. The DevOps team wants to apply a new security patch to all instances in a specific layer. What is the most efficient way to accomplish this?

A.Create a new OpsWorks stack with the patch and migrate instances to it.
B.SSH into each instance and run the patch command manually.
C.Update the layer's custom Chef recipe to include the patch and trigger a lifecycle event to execute the recipe on all instances.
D.Use AWS Systems Manager Run Command to run a patch command on each instance individually.
AnswerC

OpsWorks runs Chef recipes on instances based on lifecycle events.

Why this answer

Option C is correct because OpsWorks allows running custom Chef recipes as lifecycle events. Option B is wrong because it requires manual login to each instance. Option D is wrong because it is not automated across all instances in the layer.

Option A is wrong because a new stack is unnecessary.

1161
MCQmedium

A company uses AWS CodePipeline to deploy applications. The pipeline must deploy to an Amazon ECS cluster. The security team requires that all deployment actions be logged and auditable. Which configuration should be used?

A.Enable VPC Flow Logs for the ECS cluster's VPC.
B.Enable Amazon S3 server access logs for the artifact bucket used by CodePipeline.
C.Enable AWS CloudTrail to record all API calls made by CodePipeline.
D.Enable Amazon CloudWatch Logs for the CodePipeline.
AnswerC

CloudTrail records API calls for auditing.

Why this answer

Option C is correct because CloudTrail logs all API calls, including those made by CodePipeline. Option A is wrong because VPC Flow Logs record network traffic, not deployment actions. Option D is wrong because CloudWatch Logs stores application logs, not API calls.

Option B is wrong because S3 server access logs record requests to S3, not pipeline actions.

1162
MCQhard

A company runs a critical application on Amazon ECS with Fargate. The DevOps engineer wants to receive alerts when the application's error rate exceeds 5% over a 5-minute period. Which combination of services should be used?

A.Amazon CloudWatch Synthetics to monitor the application endpoint and create an alarm.
B.Amazon CloudWatch Logs Insights to query logs every 5 minutes and trigger a Lambda function.
C.Amazon CloudWatch Logs metric filter to count errors, then a CloudWatch alarm.
D.Amazon CloudWatch Contributor Insights to detect error patterns, then an alarm.
AnswerC

Metric filters extract metrics from logs; alarms trigger on threshold.

Why this answer

Amazon CloudWatch Logs can use metric filters to extract error counts from logs and publish them as a custom metric. A CloudWatch alarm can then be set on that metric. Option C is correct.

Option A is incorrect because CloudWatch Synthetics is for synthetic monitoring, not log analysis. Option D is incorrect because CloudWatch Contributor Insights analyzes top contributors, not error rate. Option B is incorrect because CloudWatch Logs Insights is a query tool, not a mechanism for real-time alarms.

1163
MCQeasy

A development team is using AWS CodeCommit as a source control repository. They want to automate code builds and run unit tests every time a developer pushes code to the 'develop' branch. Which AWS service should they use to trigger the build automatically?

A.Create an AWS CodePipeline with CodeCommit as source and CodeBuild as build stage, configured to start on source changes.
B.Set up AWS CodeDeploy to run builds on code push.
C.Configure AWS CodeCommit to invoke AWS CodeBuild directly.
D.Use Amazon CloudWatch Events to detect a push to CodeCommit and trigger AWS CodeBuild.
AnswerA

CodePipeline can automatically start when a change is pushed to the repository.

Why this answer

Option A is correct because AWS CodePipeline can be configured to start on source changes in CodeCommit and trigger a build in CodeBuild on every push. Option C is wrong because CodeCommit itself does not run builds. Option D is wrong because CloudWatch Events can trigger on API calls but is not the direct service for build automation.

Option B is wrong because CodeDeploy is for deployment, not building.

1164
Multi-Selectmedium

Which TWO AWS services can be used to distribute incoming traffic across multiple AWS resources in different Availability Zones within a single region?

Select 2 answers
A.AWS Global Accelerator
B.Amazon Route 53
C.Amazon CloudFront
D.AWS Direct Connect
E.Application Load Balancer
AnswersA, E

Global Accelerator directs traffic to endpoints in multiple AZs.

Why this answer

AWS Global Accelerator uses the AWS global network and Anycast static IP addresses to route incoming traffic to the optimal endpoint, such as an Application Load Balancer or EC2 instance, across multiple Availability Zones within a single region. It improves performance and reliability by directing traffic to the healthiest endpoint and automatically rerouting in case of failure, making it a valid service for distributing traffic across AZs.

Exam trap

The trap here is that candidates often think only Elastic Load Balancers (like ALB) can distribute traffic across AZs, but AWS Global Accelerator also performs this function at the network layer, and the question asks for TWO services, so both ALB and Global Accelerator are correct.

1165
MCQhard

A company is subject to regulatory compliance that requires all access to S3 buckets to be logged and monitored. The company has thousands of buckets. Which solution is MOST scalable and cost-effective?

A.Enable S3 server access logging on each bucket and aggregate logs into a central bucket
B.Enable AWS CloudTrail with data events for S3 and send logs to CloudWatch Logs
C.Use VPC Flow Logs to capture traffic to S3
D.Use AWS Config rules to track bucket access and publish to SNS
AnswerB

CloudTrail data events log all S3 object-level operations centrally.

Why this answer

Option B is correct because AWS CloudTrail with data events for S3 provides detailed, centrally collected object-level logging. Option A is wrong because S3 server access logging must be enabled per bucket and stored in another bucket, which is less scalable. Option D is wrong because Config rules detect configuration changes but do not log access.

Option C is wrong because VPC Flow Logs capture only network traffic, not S3 API calls.

1166
MCQmedium

A company uses AWS CodePipeline to deploy a microservices application to Amazon ECS. The pipeline has a source stage (CodeCommit), a build stage (CodeBuild), and a deploy stage (CodeDeploy). Recently, deployments have been failing intermittently during the deploy stage with the error: 'The service has reached its maximum number of running tasks.' How should a DevOps engineer resolve this issue?

A.Increase the memory reservation for the task definition
B.Update the ECS service configuration to increase the maximum number of tasks
C.Configure an Amazon ECS Service Auto Scaling policy to scale out
D.Increase the number of concurrent deployments allowed in CodeDeploy
AnswerB

Directly resolves the error by allowing more tasks.

Why this answer

Option B is correct because the error indicates that the ECS service's desired count or maximum tasks limit has been reached. Updating the service to increase the maximum number of tasks resolves the issue. Option D is wrong because CodeDeploy does not have a concurrent deployment limit that causes this error.

Option C is wrong because scaling policies govern auto scaling, not the maximum task limit behind this error. Option A is wrong because the issue is not insufficient memory but the task count limit.

1167
MCQhard

A company runs a critical application on EC2 instances behind an Application Load Balancer (ALB). The security team wants to block traffic from known malicious IP addresses before it reaches the ALB. What is the MOST effective approach?

A.Use AWS WAF with an IP set rule to block the malicious IP addresses.
B.Configure network ACLs on the ALB's subnet to block the malicious IPs.
C.Use AWS Network Firewall to inspect and block traffic at the VPC level.
D.Configure security groups to deny inbound traffic from the malicious IP addresses.
AnswerA

AWS WAF integrates with ALB and can block IPs via IP sets.

Why this answer

Option A is correct because AWS WAF integrated with the ALB can block malicious IPs at the application layer using IP sets. Option D is wrong because security groups are stateful, can only allow by IP/CIDR (they have no deny rules), and managing large lists in them is cumbersome. Option B is wrong because NACLs are stateless and not suitable for fine-grained IP blocking at the application layer.

Option C is wrong because Network Firewall is for VPC-level inspection, not specifically for protecting an ALB.

1168
Multi-Selecthard

A DevOps team is designing a CI/CD pipeline for a microservices application using AWS CodePipeline. They want to incorporate infrastructure as code (IaC) using AWS CloudFormation. Which three practices should they follow to ensure reliable and repeatable deployments? (Choose THREE.)

Select 3 answers
A.Use the same CloudFormation template across all environments, with parameterization for environment-specific values.
B.Implement rollback triggers to automatically roll back failed stack updates.
C.Create a single monolithic template for all microservices to simplify management.
D.Skip change sets during stack updates to speed up the pipeline.
E.Use CloudFormation stack sets to deploy stacks across multiple accounts and regions consistently.
AnswersA, B, E

Parameterization allows reuse of the same template.

Why this answer

Options A, B, and E are correct. Option A ensures consistency across environments. Option B ensures stack updates are safe by rolling back failures automatically.

Option E prevents configuration drift across accounts and regions. Option C is wrong because creating a single large template is not a best practice; modular templates are recommended. Option D is wrong because skipping change sets can lead to unintended changes.

1169
Multi-Selecteasy

A DevOps engineer is setting up an incident response system for a critical application. The engineer needs to ensure that notifications are sent to the appropriate team when specific CloudWatch alarms trigger. Which TWO services can be used to trigger notifications based on CloudWatch alarms? (Choose TWO.)

Select 2 answers
A.AWS Systems Manager
B.Amazon Simple Notification Service (SNS)
C.Amazon Simple Queue Service (SQS)
D.AWS Chatbot
E.AWS Lambda
AnswersB, D

SNS can send emails, SMS, etc.

Why this answer

Option B is correct because an SNS topic can be set directly as a CloudWatch alarm action. Option D is correct because Chatbot can integrate with SNS to send messages to chat channels. Option E is wrong because Lambda is not a notification endpoint.

Option C is wrong because SQS is not a notification delivery service. Option A is wrong because Systems Manager is for management, not notifications.

1170
Multi-Selectmedium

A company uses AWS Systems Manager Patch Manager to patch its EC2 instances. After a patch window, some instances report a 'Failed' status. The DevOps engineer needs to investigate the cause. Which actions should be taken? (Choose three.)

Select 3 answers
A.Check the S3 bucket where Patch Manager logs are stored for detailed error messages.
B.Use the Systems Manager Patch Manager dashboard to view the compliance status for each patch.
C.Review CloudTrail logs for the RunCommand API calls.
D.Verify that the SSM Agent is running and up to date on the failed instances.
E.Use AWS Config to check the configuration history of the instances.
AnswersA, B, D

Patch Manager writes logs to S3.

Why this answer

Option A is correct because Patch Manager logs to S3; checking the logs helps identify the failure. Option D is correct because Systems Manager requires the SSM Agent to be running and up to date. Option B is correct because each patch has a status in the compliance report.

Option C is wrong because CloudTrail records API activity, not patch details. Option E is wrong because AWS Config shows resource configuration history, not patch failures.

1171
MCQeasy

A company uses AWS CodeCommit to store its infrastructure as code templates. The DevOps team wants to automatically validate CloudFormation templates before merging changes to the main branch. Which service should be used to implement this validation?

A.AWS CodeBuild
B.AWS CodeDeploy
C.AWS CodePipeline
D.AWS CodeStar
AnswerA

CodeBuild can run validation scripts as part of a pull request approval rule.

Why this answer

AWS CodeBuild is the correct service because it can be configured as a pre-merge check in a pull request workflow. By integrating CodeBuild with CodeCommit, the DevOps team can automatically run a build project that validates CloudFormation templates (e.g., using `aws cloudformation validate-template` or `cfn-lint`) before the merge is allowed. This provides a serverless, automated validation step without requiring a full pipeline or deployment.

Exam trap

The trap here is that candidates often confuse CodePipeline's orchestration capabilities with the need for a simple pre-merge validation, overlooking that CodeBuild can be directly triggered by CodeCommit pull request events without a full pipeline.

How to eliminate wrong answers

Option B (AWS CodeDeploy) is wrong because CodeDeploy is designed for deploying application code to compute services (EC2, Lambda, ECS) and does not provide a mechanism to validate CloudFormation templates before merging. Option C (AWS CodePipeline) is wrong because CodePipeline orchestrates continuous delivery workflows but does not natively trigger on pull request events in CodeCommit; it requires manual setup with webhooks and is overkill for a simple pre-merge validation. Option D (AWS CodeStar) is wrong because CodeStar is a project management and collaboration dashboard that simplifies setting up CI/CD pipelines, but it does not itself perform template validation or enforce pre-merge checks.

1172
Multi-Selecthard

A company uses Amazon CloudWatch Synthetics canaries to monitor endpoint availability. The canaries are failing intermittently with timeout errors. The DevOps team needs to diagnose the issue. Which THREE aspects should they investigate?

Select 3 answers
A.The canary schedule and frequency.
B.The canary script execution time and memory usage.
C.Network connectivity and routing from the canary's VPC to the target endpoint.
D.CloudWatch Synthetics canary logs for error messages.
E.CloudWatch Logs retention policy for the canary logs.
AnswersB, C, D

Excessive execution time or memory can cause timeouts.

Why this answer

Option B is correct because canary scripts have a maximum execution time of 5 minutes (300 seconds) and a memory limit of 1 GB. If the script execution time or memory usage exceeds these limits, the canary will fail with a timeout error. Investigating these metrics in CloudWatch can reveal whether the script is too resource-intensive or slow, causing the intermittent failures.

Exam trap

The trap here is that candidates may confuse canary schedule frequency with execution timeout, thinking that running the canary less often will fix timeout errors, when the root cause is actually script performance or network latency.

1173
MCQmedium

A DevOps engineer needs to store database credentials for an application running on Amazon ECS. The credentials must be automatically rotated every 30 days and encrypted at rest. Which solution meets these requirements with the LEAST operational overhead?

A.Store credentials in AWS Systems Manager Parameter Store as SecureString.
B.Encrypt credentials with AWS KMS and store them in a versioned S3 bucket.
C.Embed credentials as environment variables in the ECS task definition.
D.Store credentials in AWS Secrets Manager and configure automatic rotation.
AnswerD

Secrets Manager supports automatic rotation and encryption with KMS.

Why this answer

Option D is correct because AWS Secrets Manager provides built-in automatic rotation and encryption using AWS KMS. Option A is wrong because Parameter Store does not support automatic rotation natively.

Option B is wrong because manual rotation of KMS-encrypted objects in S3 increases operational overhead. Option C is wrong because storing credentials in environment variables is insecure and does not rotate them.

1174
MCQeasy

An application running on EC2 needs to access an S3 bucket. To follow the principle of least privilege, what is the recommended approach?

A.Store AWS access keys in the application configuration
B.Create an IAM role with a policy allowing only necessary S3 actions and attach it to the EC2 instance
C.Use an S3 bucket policy to allow access from the EC2 instance's public IP
D.Configure the EC2 security group to allow outbound access to S3
AnswerB

IAM roles provide temporary credentials and follow least privilege.

Why this answer

The best practice is to create an IAM role with a policy that grants only the required S3 actions and attach the role to the EC2 instance. This avoids using long-term credentials. Access keys are long-term and insecure.

A bucket policy can be used but is not the most secure option for instance access. A security group controls network access, not API authorization.

1175
Multi-Selectmedium

A company uses AWS CodeDeploy for deploying applications to an Auto Scaling group of Amazon EC2 instances. The deployment is failing with the error 'The overall deployment failed because too many individual instances failed deployment, too few healthy instances are available, or some instances in your deployment group are experiencing problems.' Which two actions should the DevOps engineer take to troubleshoot and resolve the issue? (Choose two.)

Select 2 answers
A.Check the CodeDeploy agent logs on the failed instances to identify script errors or missing dependencies.
B.Increase the size of the Auto Scaling group to ensure more instances are available.
C.Verify that the deployment group's Auto Scaling group has the correct tags and that the instances have the CodeDeploy agent installed.
D.Change the deployment configuration to 'CodeDeployDefault.AllAtOnce' to bypass the error.
E.Redeploy the application using a different revision.
AnswersA, C

Why this answer

Option A is correct because the CodeDeploy agent logs on each EC2 instance contain detailed error messages about script failures, missing dependencies, or permission issues that cause the deployment to fail. Checking these logs is the first step in diagnosing why individual instances are failing, as the agent executes the AppSpec lifecycle hooks and reports back to the CodeDeploy service.

Exam trap

The trap here is that candidates often jump to scaling or configuration changes (like AllAtOnce) without first checking the instance-level logs, which are the definitive source for diagnosing deployment failures in CodeDeploy.

Why the other options are wrong

B

Increasing the group size does not address the underlying cause; it might mask the issue.

D

Changing the deployment configuration does not resolve the underlying issue; it may cause downtime.

E

Redeploying, whether with the same or a different revision, will likely fail again; the root cause must be addressed first.

1176
MCQhard

A company uses AWS CodeBuild to run security scans. The scans require access to a private Amazon ECR repository. The build project is configured with a service role. What is the correct way to provide access to ECR?

A.Set environment variables with ECR credentials in the build project.
B.Configure the ECR repository policy to allow access from the CodePipeline service role.
C.Include the ECR credentials in the buildspec file.
D.Attach an IAM policy to the CodeBuild service role that allows ECR operations.
AnswerD

The service role is the correct place to grant permissions to the build project.

Why this answer

Option D is correct because CodeBuild uses an IAM service role to define the permissions granted to the build environment. By attaching an IAM policy that allows ECR operations (such as ecr:GetDownloadUrlForLayer, ecr:BatchGetImage, and ecr:GetAuthorizationToken) to the CodeBuild service role, the build project can authenticate and pull images from the private ECR repository without needing to embed or manage static credentials.

Exam trap

The trap here is that candidates often think they need to embed credentials (options A or C) or rely on another service's role (option B), when the correct approach is to attach the necessary IAM policy directly to the CodeBuild service role.

How to eliminate wrong answers

Option A is wrong because setting environment variables with ECR credentials (e.g., access keys) is insecure and unnecessary; CodeBuild should never require long-term credentials when a service role can be used. Option B is wrong because the CodePipeline service role is not involved in the CodeBuild build process; the ECR repository policy could allow access from the CodeBuild service role's principal, but the question specifically asks about the CodeBuild project's access, and the repository policy alone does not grant the CodeBuild service role the required permissions. Option C is wrong because including ECR credentials in the buildspec file would expose sensitive information in plaintext and violates security best practices; the buildspec should rely on the service role's IAM permissions.

1177
MCQhard

A company uses AWS Lambda functions to process events from an Amazon SQS queue. The Lambda function occasionally fails due to a transient downstream service error. The DevOps team wants to ensure that failed messages are not lost and can be retried later. The team also wants to reduce the number of invocations on the downstream service. Which configuration should the team use?

A.Configure a dead-letter queue (DLQ) on the SQS queue and set the Lambda function's reserved concurrency to 1.
B.Configure an Amazon SNS topic as a Lambda destination for failure events and subscribe the SQS queue to it.
C.Configure a dead-letter queue (DLQ) on the Lambda function and set the function's maximum retry attempts to 2.
D.Configure the Lambda function to write failed messages to an Amazon DynamoDB table and set up a scheduled Lambda to retry.
AnswerA

DLQ captures failed messages; reserved concurrency limits throttling impact.

Why this answer

Option A is correct because configuring a dead-letter queue (DLQ) on the SQS queue ensures that messages that exhaust their retries (due to Lambda failures) are preserved for later reprocessing, preventing data loss. Setting the Lambda function's reserved concurrency to 1 throttles the function to a single concurrent invocation, which naturally reduces the rate of downstream service calls and allows the SQS queue's visibility timeout and redrive policy to manage retry timing, thereby reducing pressure on the downstream service.

Exam trap

The trap here is that candidates often confuse a Lambda function's DLQ (which captures invocation records) with an SQS queue's DLQ (which captures the original messages), and they overlook that reserved concurrency is a direct way to throttle invocation rate, not just a capacity planning tool.

How to eliminate wrong answers

Option B is wrong because using an SNS topic as a Lambda destination for failure events and subscribing the SQS queue to it would create an asynchronous loop where failed events are re-sent to the same SQS queue, potentially causing infinite retries without a controlled retry mechanism or throttling to protect the downstream service. Option C is wrong because a dead-letter queue on the Lambda function (via Lambda destinations) only captures invocation records, not the original SQS messages; setting maximum retry attempts to 2 on the Lambda function does not reduce downstream service invocations—it actually increases them by retrying immediately without backoff. Option D is wrong because writing failed messages to DynamoDB and using a scheduled Lambda to retry adds unnecessary complexity and latency, and does not inherently reduce downstream service invocations; it also bypasses SQS's built-in retry and DLQ mechanisms, which are simpler and more reliable for transient failures.

1178
Multi-Selecthard

A company runs a containerized application on Amazon ECS with Fargate. They want to monitor the application logs and metrics. Which THREE steps should they take to collect and visualize this data? (Choose THREE.)

Select 3 answers
A.Create a CloudWatch Dashboard to display logs and metrics.
B.Use AWS CloudFormation to monitor resource metrics.
C.Configure the ECS task definition to use the awslogs log driver.
D.Use AWS X-Ray to trace requests and collect logs.
E.Enable the CloudWatch agent as a sidecar container in the task definition.
AnswersA, C, E

Dashboards provide visualization of monitoring data.

Why this answer

Option C is correct because the awslogs driver sends container logs to CloudWatch Logs. Option E is correct because running the CloudWatch agent as a sidecar in the task definition allows custom metric collection. Option A is correct because CloudWatch Dashboards can visualize logs and metrics.

Option D is wrong because X-Ray is for tracing, not logs or metrics. Option B is wrong because CloudFormation is for infrastructure provisioning, not monitoring.

1179
MCQmedium

A company uses AWS CodePipeline to deploy a web application to an Elastic Beanstalk environment. The pipeline has a source stage from CodeCommit, a build stage using CodeBuild, and a deploy stage to Elastic Beanstalk. Recently, deployments started failing with an error: 'The deployment failed because the Elastic Beanstalk environment is in an UPDATE_ROLLBACK_IN_PROGRESS state.' What is the MOST likely cause?

A.The buildspec.yml file contains an invalid command that prevents artifact generation
B.A previous deployment failed and triggered an automatic rollback, leaving the environment in an unstable state
C.A CloudWatch alarm is blocking the deployment due to high error rates
D.Insufficient IAM permissions for CodePipeline to pull source code from CodeCommit
AnswerB

Elastic Beanstalk environments can enter UPDATE_ROLLBACK_IN_PROGRESS if a previous deployment failed, blocking new deployments until the rollback completes.

Why this answer

Option B is correct because a failed previous deployment can leave the environment in a rolling-back state, preventing subsequent deployments. Option D is wrong because CodeCommit permission issues would cause the source stage to fail, not the deploy stage. Option A is wrong because buildspec errors would cause the build stage to fail.

Option C is wrong because CloudWatch alarms do not block deployments.

1180
MCQmedium

A DevOps engineer is designing a configuration management strategy for a fleet of EC2 instances running Amazon Linux 2. The instances must be bootstrapped with custom software and continuously managed to ensure desired state compliance. Which combination of services should the engineer use?

A.AWS CloudFormation for bootstrapping and Amazon CloudWatch Events to enforce desired state
B.AWS OpsWorks for Chef Automate for configuration management and AWS CodeDeploy for deployments
C.AWS Systems Manager State Manager for desired state configuration and AWS Systems Manager Run Command for initial bootstrapping
D.AWS Config for configuration management and Amazon CloudWatch Events for remediation
AnswerC

State Manager maintains desired state, Run Command executes one-time scripts.

Why this answer

Option C is correct because AWS Systems Manager State Manager provides a policy-driven mechanism to define and maintain desired state configuration for EC2 instances, while AWS Systems Manager Run Command enables ad-hoc or initial bootstrapping by executing scripts or commands (e.g., installing custom software) without requiring SSH. Together, they cover both the initial setup and ongoing compliance enforcement for Amazon Linux 2 instances, aligning with the requirement for continuous management.

Exam trap

The trap here is that candidates often confuse AWS Config (a compliance auditing service) with a configuration management tool, or assume CloudWatch Events can enforce state, when in fact Systems Manager State Manager is the native AWS service for desired state configuration.

How to eliminate wrong answers

Option A is wrong because Amazon CloudWatch Events (now Amazon EventBridge) is an event bus service for routing events, not a tool for enforcing desired state; it cannot apply or remediate configuration drift on EC2 instances. Option B is wrong because AWS OpsWorks for Chef Automate is a managed Chef server, but it is not the recommended approach for Amazon Linux 2 instances that are better served by native AWS Systems Manager capabilities, and AWS CodeDeploy handles application deployments, not configuration management or desired state enforcement. Option D is wrong because AWS Config is a service for evaluating resource compliance against rules and recording configuration history, but it does not perform remediation actions itself; while it can trigger remediation via Systems Manager Automation, it is not a configuration management tool for bootstrapping or continuous desired state enforcement.

1181
Multi-Selectmedium

A company is using Amazon CloudWatch Logs to store application logs. The DevOps team needs to search across multiple log groups and visualize trends. Which TWO services can be used together to achieve this?

Select 2 answers
A.CloudWatch Logs Insights.
B.Amazon Elasticsearch Service with Kibana.
C.Amazon Athena.
D.Amazon QuickSight.
E.CloudWatch Dashboards.
AnswersA, E

Logs Insights can run queries across multiple log groups.

Why this answer

Options A and E are correct. CloudWatch Logs Insights can query multiple log groups, and CloudWatch Dashboards can visualize the results. Option C (Athena) queries data in S3, not directly in CloudWatch Logs.

Option B (Kibana) requires Amazon Elasticsearch Service, which adds complexity. Option D (QuickSight) can visualize data but requires it to be in S3 or a database.

1182
MCQmedium

A DevOps engineer attempted to create a CloudFormation stack and it failed. The engineer runs the 'describe-stack-events' command and sees the output above. What is the most likely cause of the failure?

A.The EC2 key pair 'myKeyPair' does not exist in the region where the stack is being created.
B.The AMI ID specified in the template is not available in the region.
C.The CloudFormation template has a syntax error in the EC2 instance definition.
D.The security group specified for the EC2 instance does not exist.
AnswerA

The error message clearly states the key name is invalid.

Why this answer

The 'describe-stack-events' output shows a 'CREATE_FAILED' event for the EC2 instance resource with the status reason indicating that the key pair 'myKeyPair' was not found. CloudFormation validates the existence of the specified EC2 key pair in the target region at creation time; if the key pair does not exist, the stack creation fails immediately. This is a common validation error when the key pair name is misspelled, belongs to a different region, or has not been created beforehand.

Exam trap

The trap here is that candidates may confuse a missing key pair with other common EC2 launch failures like AMI unavailability or security group issues, but the specific error message in the stack events directly points to the key pair name as the root cause.

How to eliminate wrong answers

Option B is wrong because if the AMI ID were not available in the region, CloudFormation would fail with a specific error message like 'AMI ID does not exist' or 'AMI not found', not a key pair error. Option C is wrong because a syntax error in the template would cause a validation error before any resource creation attempts, typically reported as 'Template validation error' or 'Template format error', not a resource-specific failure. Option D is wrong because a missing security group would produce an error referencing the security group ID or name, such as 'Security group does not exist', not a key pair error.

1183
MCQhard

A company uses Amazon DynamoDB with global tables for a multi-region active-active application. They notice that occasionally, concurrent updates to the same item in different regions cause data inconsistency. How can they resolve this?

A.Disable global tables and use a single region
B.Use DynamoDB read replicas instead of global tables
C.Use conditional writes and design the application to handle conflicts
D.Use DynamoDB Accelerator (DAX) to cache writes
AnswerC

Conditional writes prevent overwrites and allow conflict resolution.

Why this answer

Option C is correct because DynamoDB global tables use an eventually consistent model for multi-region replication, meaning concurrent updates to the same item in different regions can lead to conflicts. Conditional writes allow the application to enforce a last-writer-wins (LWW) strategy or custom conflict resolution logic, ensuring data consistency by only applying updates that meet specified conditions (e.g., a version number or timestamp check). This approach aligns with the recommended practice for handling concurrent writes in an active-active global table setup.

Exam trap

The trap here is that candidates often assume DynamoDB global tables automatically resolve all write conflicts, but the exam tests the understanding that without conditional writes or custom conflict resolution, concurrent updates can cause data inconsistency due to eventual consistency.

How to eliminate wrong answers

Option A is wrong because disabling global tables and using a single region eliminates multi-region active-active capability, which is a core requirement of the scenario, and does not resolve the underlying conflict issue—it just avoids it by sacrificing availability and latency benefits. Option B is wrong because DynamoDB read replicas (via global tables or otherwise) are designed for read scaling, not for handling concurrent writes; they do not address write conflicts or provide write consistency across regions. Option D is wrong because DynamoDB Accelerator (DAX) is an in-memory cache for read-heavy workloads that reduces read latency, but it does not manage write conflicts or provide cross-region write consistency; caching writes does not resolve the fundamental issue of concurrent updates to the same item in different regions.

1184
MCQeasy

A company wants to ensure its RDS Multi-AZ deployment automatically fails over to a standby instance in a different Availability Zone. Which additional step is required?

A.Create an Amazon Route 53 health check to update the DNS record.
B.No additional step; RDS Multi-AZ handles automatic failover.
C.Configure a read replica in another AZ.
D.Deploy the standby instance in a different VPC.
AnswerB

RDS Multi-AZ automatically fails over to the standby instance.

Why this answer

Option B is correct because RDS Multi-AZ automatically fails over to the standby when the primary becomes unhealthy. Option C is incorrect because a read replica is for read scaling, not automatic failover. Option A is incorrect because RDS handles the DNS change automatically.

Option D is incorrect because Multi-AZ does not require a different VPC.

1185
MCQmedium

A company uses AWS CodeCommit and CodePipeline. The pipeline triggers on commits to the main branch. The DevOps engineer wants to add a stage that runs unit tests in a build environment. After the tests pass, the pipeline should deploy to a staging environment. If the tests fail, the pipeline should stop and notify the team. Which AWS service should be used to implement this workflow?

A.AWS CodeBuild
B.AWS CodeStar
C.AWS Lambda
D.AWS CodeDeploy
AnswerA

CodeBuild can run unit tests and fail the pipeline if tests fail.

Why this answer

Option A is correct because AWS CodeBuild integrates with CodePipeline to run tests and can be configured to fail the pipeline if tests fail. Option D is wrong because CodeDeploy is for deployments, not testing. Option C is wrong because Lambda can run tests, but CodeBuild is more appropriate for build and test.

Option B is wrong because CodeStar is a project management tool.

1186
MCQeasy

A company is using AWS OpsWorks for configuration management of their application stack. The stack includes a PHP application layer and a MySQL database layer. The DevOps team wants to automate the deployment of a new PHP version across all instances in the PHP layer. The team has created a custom Chef recipe that updates PHP. They want to run this recipe on all instances in the PHP layer in a rolling update fashion to avoid downtime. Which OpsWorks feature should they use?

A.Use the OpsWorks 'Run Command' feature to execute the recipe on the PHP layer with rolling update settings.
B.Create a custom Chef cookbook and enable automatic updates in OpsWorks.
C.Add the recipe to the Setup lifecycle event for the PHP layer.
D.Modify the PHP layer's lifecycle configuration to include the recipe in the Configure event.
AnswerA

Run Command allows on-demand execution with rolling update configuration.

Why this answer

Option A is correct. OpsWorks allows you to run a custom Chef recipe on a layer using the 'Run Command' feature, and you can specify a rolling update by setting the 'Batch size' and 'Install on all instances' options. Option C is wrong because Setup runs at boot, not on demand.

Option B is wrong because automatic updates are not an OpsWorks feature. Option D is wrong because lifecycle events are for automatic execution, not on-demand rolling updates.

1187
Multi-Selectmedium

A company is using AWS CloudTrail to log API events. The security team wants to ensure that log files are tamper-proof and available for incident investigation. Which TWO actions should be taken? (Choose TWO.)

Select 2 answers
A.Store logs in Amazon CloudWatch Logs.
B.Enable server-side encryption with S3-managed keys (SSE-S3).
C.Enable CloudTrail log file validation.
D.Enable S3 Object Lock on the S3 bucket storing the logs.
E.Use AWS KMS to encrypt the logs.
AnswersC, D

Creates digest files to verify log integrity.

Why this answer

Options C and D are correct. Enabling log file validation allows CloudTrail to create a digest file for integrity verification. Enabling S3 Object Lock prevents logs from being deleted or overwritten.

Option B: SSE-S3 provides encryption but not tamper-proofing. Option A: CloudWatch Logs does not provide file integrity verification. Option E: KMS encryption provides confidentiality, not integrity.

1188
MCQmedium

A team uses CloudFormation to deploy a multi-container Docker environment on Amazon ECS. They need to pass environment variables to the containers from Parameter Store. How should they reference these values in the CloudFormation template?

A.Using the 'Ref' function with the parameter name
B.Using the 'Fn::ParamStore' intrinsic function
C.Using 'Fn::GetAtt' on the Parameter Store resource
D.Using the 'resolve:ssm' dynamic reference
AnswerD

Dynamic references allow you to retrieve values from Parameter Store or Secrets Manager.

Why this answer

Option D is correct. CloudFormation has a dynamic reference feature that allows you to use the 'resolve:ssm' or 'resolve:ssm-secure' syntax to fetch values from Parameter Store at stack creation or update time. Option B is incorrect because there is no 'Fn::ParamStore' intrinsic function.

Option A is incorrect because Ref returns the parameter name, not its value. Option C is incorrect because Fn::GetAtt is for resource attributes, not for Parameter Store values.

1189
MCQhard

A company is using AWS Organizations with multiple accounts. The security team wants to ensure that no IAM user in any account can make changes to Amazon CloudWatch Logs configurations. Which approach should be used?

A.Use AWS Config rules to automatically revert changes to CloudWatch Logs
B.Create an SCP that denies cloudwatch:Put* and cloudwatch:Delete* actions and attach it to the root OU
C.Create an IAM policy that denies changes to CloudWatch Logs and apply it to all IAM users
D.Use AWS CloudTrail to monitor and alert on changes to CloudWatch Logs
AnswerB

SCPs can deny actions across all accounts in an organization.

Why this answer

Option B is correct because Service Control Policies (SCPs) in AWS Organizations allow you to centrally control the maximum available permissions for all accounts within an organizational unit (OU). By attaching an SCP that denies cloudwatch:Put* and cloudwatch:Delete* actions to the root OU, you ensure that no IAM user or role in any account can modify or delete CloudWatch Logs configurations, regardless of any IAM policies attached directly to users or roles. This approach provides a guardrail that cannot be overridden by account administrators.

Exam trap

The trap here is that candidates often confuse detective controls (like CloudTrail or Config rules) with preventive controls (like SCPs), or mistakenly believe that an IAM policy applied to all users is sufficient, ignoring that IAM roles and account-level administrators can bypass such policies.

How to eliminate wrong answers

Option A is wrong because AWS Config rules can detect and alert on non-compliant changes but cannot automatically revert changes to CloudWatch Logs; they only evaluate configuration against desired policies and can trigger remediation actions via Systems Manager Automation, but this is not a preventive control. Option C is wrong because an IAM policy applied to all IAM users does not prevent changes made by IAM roles or by users in other accounts, and it can be overridden by an account administrator who has full control over IAM policies within their own account. Option D is wrong because AWS CloudTrail only provides logging and monitoring of API calls; it does not prevent changes from occurring, only alerts after the fact.

1190
MCQeasy

A company needs to monitor the CPU utilization of its Amazon RDS for PostgreSQL instance. The metric should be available in Amazon CloudWatch with a granularity of 1 minute. Which action should the team take?

A.Install the CloudWatch agent on the RDS instance.
B.Enable Enhanced Monitoring for the RDS instance.
C.No additional configuration is needed; RDS automatically sends metrics to CloudWatch.
D.Enable Performance Insights for the RDS instance.
AnswerC

Correct: RDS publishes CPU utilization to CloudWatch by default.

Why this answer

Amazon RDS for PostgreSQL automatically publishes metrics, including CPU utilization, to CloudWatch with a default granularity of 1 minute for standard instances. No additional configuration is required to enable this basic monitoring. The metrics are collected by the RDS hypervisor layer and sent to CloudWatch without needing an agent or extra setup.

Exam trap

The trap here is that candidates often confuse Enhanced Monitoring (which provides OS-level metrics at higher granularity) with basic CloudWatch monitoring, leading them to incorrectly select Option B when the question only requires standard 1-minute CPU utilization metrics.

How to eliminate wrong answers

Option A is wrong because the CloudWatch agent cannot be installed on an RDS instance; RDS is a managed service that does not allow direct OS-level access or agent installation. Option B is wrong because Enhanced Monitoring provides OS-level metrics (e.g., memory, disk I/O) at a granularity of 1 second or more, but it is not required for basic CPU utilization metrics, which are already sent to CloudWatch at 1-minute granularity. Option D is wrong because Performance Insights is a database performance tuning feature that visualizes database load and waits, not a mechanism for sending CPU utilization metrics to CloudWatch.

1191
MCQeasy

A developer needs to give a Lambda function read-only access to a DynamoDB table. What is the BEST practice to grant this permission?

A.Attach the policy directly to the Lambda function's configuration.
B.Create an IAM role with a policy that allows DynamoDB read actions, and attach the role to the Lambda function.
C.Store the AWS access keys in environment variables of the Lambda function.
D.Use a DynamoDB resource-based policy that grants access to the Lambda function's ARN.
AnswerB

This follows the principle of least privilege and uses temporary credentials.

Why this answer

Option B is correct: creating an IAM role with the required policy and attaching it to the Lambda function is the best practice. Option A is wrong because attaching policies directly to a Lambda function's configuration is not supported.

Option C is wrong because hardcoding credentials is insecure. Option D is wrong because using the Lambda function's ARN as a principal in a resource-based policy is for cross-account access, not for the same account.

1192
MCQmedium

A DevOps engineer needs to ensure that EC2 instances can access an S3 bucket without storing AWS credentials on the instances. Which solution meets this requirement?

A.Use an S3 bucket policy that grants access to the EC2 instance's public IP.
B.Store access keys in the EC2 user data script.
C.Create an IAM user and embed credentials in the application code.
D.Attach an IAM role to the EC2 instance with an S3 access policy.
AnswerD

The IAM role provides temporary credentials via the instance metadata service.

Why this answer

Option D is correct because attaching an IAM role to an EC2 instance allows the instance to obtain temporary security credentials from the AWS STS service via the instance metadata service (IMDS). The EC2 instance can then use these credentials to access the S3 bucket without any long-term AWS credentials being stored on the instance. This is the AWS-recommended best practice for granting permissions to AWS services running on EC2.

Exam trap

The trap here is that candidates may think storing credentials in user data or application code is acceptable, but the DOP-C02 exam specifically tests the principle of using IAM roles to avoid long-term credential storage on EC2 instances.

How to eliminate wrong answers

Option A is wrong because an S3 bucket policy that grants access based on an EC2 instance's public IP is not a secure or reliable method; public IPs can change (unless using an Elastic IP) and do not authenticate the identity of the requester, making it vulnerable to spoofing and not a substitute for AWS credentials. Option B is wrong because storing access keys in the EC2 user data script exposes long-term credentials in plaintext within the instance's metadata and logs, violating the requirement to avoid storing credentials on the instance. Option C is wrong because embedding IAM user credentials in application code stores long-term access keys directly on the instance, which is insecure and contradicts the principle of using temporary credentials via IAM roles.

1193
MCQmedium

A DevOps engineer notices that an EC2 instance is unresponsive and the CloudWatch alarm 'StatusCheckFailed' is in ALARM state. The instance was launched in a private subnet with no public IP. Which action should the engineer take to diagnose the issue without creating a new instance?

A.Modify the security group to allow SSH from the engineer's IP.
B.Use AWS Systems Manager Session Manager to start a session.
C.Check AWS Personal Health Dashboard for instance issues.
D.Use EC2 Serial Console to connect to the instance.
AnswerD

EC2 Serial Console provides out-of-band access for troubleshooting.

Why this answer

Option D is correct because EC2 Serial Console provides out-of-band access to the instance console, which is useful for troubleshooting OS-level issues even when network connectivity is lost. Option B is wrong because Systems Manager Session Manager requires the instance to have connectivity to the Systems Manager endpoint and the SSM Agent running. Option C is wrong because AWS Personal Health Dashboard provides service health notifications, not instance-level troubleshooting.

Option A is wrong because modifying the security group to allow SSH on port 22 does not help if the instance is unresponsive at the OS level.

1194
MCQeasy

A DevOps engineer is responsible for monitoring a set of microservices running on Amazon ECS with Fargate. The services are fronted by an Application Load Balancer (ALB). The engineer needs to collect and analyze application logs centrally with minimal latency and operational overhead. The logs should be searchable and retainable for 90 days. Which solution meets these requirements?

A.Deploy the CloudWatch agent as a Daemon service on the ECS cluster to collect logs from all tasks and forward them to CloudWatch Logs.
B.Use the FireLens log driver in the ECS task definition to send logs to Amazon CloudWatch Logs.
C.Configure the ECS tasks to write logs to Amazon S3 and use Amazon Athena to query the logs.
D.Add a sidecar container to each ECS task that streams logs to Amazon Kinesis Data Firehose, which delivers to Amazon OpenSearch Service.
AnswerA

The CloudWatch agent can collect logs from all tasks with minimal overhead and send them to CloudWatch Logs for search and retention.

Why this answer

Option A is correct because the CloudWatch agent can collect logs from ECS tasks and send them to CloudWatch Logs, which provides near real-time search and configurable retention. Option C is wrong because S3 is not natively searchable and would require additional services such as Athena. Option B is wrong because FireLens is a log router, but not all containers have it configured; it also adds overhead.

Option D is wrong because putting a sidecar for every task increases cost and complexity, and Kinesis Data Firehose adds latency.

1195
MCQhard

A DevOps engineer is designing a CI/CD pipeline that must enforce a policy: any change to the production branch in CodeCommit must be reviewed and approved by two senior developers before the change can be merged. The pipeline must also automatically build and deploy to a staging environment after approval. Which combination of AWS services and configurations should be used?

A.Configure CodeBuild to run a script that checks the commit author and rejects if not approved
B.Use Amazon EventBridge to trigger a Lambda function that validates the number of approvers before merging
C.Use IAM policies to restrict write access to the production branch to only senior developers
D.Use CodeCommit pull request approval rules and a CodePipeline with a manual approval step triggered by a Lambda function that checks approval status
AnswerD

This enforces the two-approval requirement and automates staging deployment.

Why this answer

Option D is correct because AWS CodeCommit does not have native approval workflows; however, CodePipeline can use approval actions, and CodeCommit can be configured with pull request notifications to trigger pipelines. A Lambda function can automatically approve the pipeline stage after the required number of approvals on the pull request. Option C is wrong because IAM does not enforce manual approvals.

Option A is wrong because CodeBuild does not have approval capabilities. Option B is wrong because EventBridge (formerly CloudWatch Events) cannot enforce the two-approver rule directly.

1196
MCQmedium

A DevOps team uses AWS CodePipeline to deploy a microservices application. The pipeline includes a CodeBuild project that runs unit tests. Recently, builds have been failing intermittently due to test timeouts. The team wants to improve the reliability of the pipeline without increasing the build timeout. Which action should the team take?

A.Increase the build timeout to the maximum allowed value of 8 hours.
B.Use AWS CodeDeploy to run the unit tests on EC2 instances with more CPU and memory.
C.Modify the unit tests to be non-flaky by adding retries for network calls.
D.Configure the CodeBuild project to run tests in parallel by using separate build environments or test splits.
AnswerD

Running tests in parallel can reduce total test execution time, helping to avoid timeouts without changing the timeout setting.

Why this answer

Option D correctly identifies that running tests in parallel reduces overall build time and helps avoid timeouts without increasing the timeout limit. Option A increases the timeout but does not address the intermittent failures. Option C addresses flaky tests but does not directly solve timeout issues.

Option B moves testing to CodeDeploy, which is not designed for unit testing.

1197
MCQeasy

A DevOps engineer is troubleshooting a slow API response. They suspect that the issue is related to database queries. The application runs on EC2 instances behind an ALB and uses Amazon RDS for MySQL. Which monitoring approach will provide the most granular insight into database query performance?

A.Enable CloudWatch Logs for the RDS instance and query the error log.
B.Install the CloudWatch agent on the EC2 instances to collect database performance counters.
C.Enable Enhanced Monitoring and Performance Insights for the RDS instance.
D.Monitor the ALB's 'TargetResponseTime' metric and correlate with RDS 'CPUUtilization'.
AnswerC

Enhanced Monitoring provides OS metrics; Performance Insights provides database performance and query details.

Why this answer

Option C is correct because Enhanced Monitoring provides OS-level metrics, and Performance Insights offers query-level performance data. Option D is wrong because ALB metrics only show overall latency. Option B is wrong because the CloudWatch agent captures OS metrics but not query-specific data.

Option A is wrong because CloudWatch Logs requires the logs to be sent manually.

1198
Multi-Selecthard

Which THREE measures can be taken to protect sensitive data stored in an Amazon S3 bucket? (Choose three.)

Select 3 answers
A.Enable server access logging for the bucket.
B.Enable cross-region replication.
C.Enable default encryption on the bucket (SSE-S3 or SSE-KMS).
D.Block all public access to the bucket.
E.Configure a bucket policy that denies all access.
F.Enable versioning on the bucket.
AnswersC, D

Default encryption ensures that all objects stored in the bucket are encrypted at rest.

Why this answer

Enabling default encryption, blocking public access, and enabling versioning are key security measures. Option E is wrong because bucket policies are used for access control, not for encryption. Option A is wrong because server access logs are for auditing, not protection.

Option B is wrong because cross-region replication is for disaster recovery, not security.

1199
MCQmedium

A company is running a production web application on Auto Scaling EC2 instances behind an ALB. They have enabled detailed CloudWatch metrics on the EC2 instances and enabled CloudTrail. Recently, users reported intermittent 503 errors. The operations team reviews CloudWatch dashboards but sees no spike in CPU or memory. What is the MOST likely cause of the 503 errors?

A.Insufficient CloudTrail logging trail configuration
B.The target group has an insufficient number of healthy instances due to health check failures
C.Detailed monitoring is disabled for the EC2 instances
D.The security group for the ALB is misconfigured
AnswerB

ALB returns 503 when no healthy targets are available; health check failures can occur without high CPU/memory.

Why this answer

Option B is correct because ALB 503 errors often indicate that the target group has too few healthy instances because health checks are failing, which need not cause CPU or memory spikes. Option A is wrong because CloudTrail logs API calls, not HTTP responses. Option C is wrong because if detailed monitoring were disabled, metrics would be missing, but the question says it is enabled.

Option D is wrong because a misconfigured security group would cause connection timeouts, not 503 errors.

1200
MCQmedium

A company runs a critical web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The application uses an Amazon RDS for MySQL Multi-AZ DB instance for data storage. During an AWS infrastructure event, the primary Availability Zone (AZ) becomes unavailable, and the application experiences downtime. The RDS Multi-AZ failover completes automatically, but the application takes several minutes to reconnect. Which combination of actions would MOST reduce the recovery time for the application during such an event?

A.Place all EC2 instances in a single AZ and use an Amazon Route 53 health check to reroute traffic to a standby environment in another AZ.
B.Use an RDS proxy (Amazon RDS Proxy) to pool and share database connections, and ensure the application uses the RDS cluster endpoint.
C.Deploy the RDS instance as a Single-AZ instance in the same AZ as the primary EC2 instances, and use read replicas for failover.
D.Configure an Application Load Balancer in front of the RDS instance to distribute connections across AZs.
AnswerB

RDS Proxy reduces connection disruption during failover by maintaining connections, and the cluster endpoint points to the current primary.

Why this answer

Option B is correct because Amazon RDS Proxy maintains a warm connection pool to the database, so when the RDS Multi-AZ failover occurs, the proxy automatically reconnects to the new primary DB instance without requiring the application to re-establish connections. This eliminates the connection storm and the several-minute delay caused by the application's connection retry logic. By using the RDS cluster endpoint (which points to the proxy), the application benefits from seamless failover and reduced latency during the DNS propagation of the new primary.

Exam trap

The trap here is that candidates often assume that simply using an RDS Multi-AZ deployment is sufficient for application availability, but they overlook the critical bottleneck of application-side connection re-establishment and DNS propagation delays, which RDS Proxy directly addresses.

How to eliminate wrong answers

Option A is wrong because placing all EC2 instances in a single AZ creates a single point of failure; if that AZ becomes unavailable, the entire application goes down, and Route 53 health checks cannot reroute traffic fast enough to avoid downtime. Option C is wrong because a Single-AZ RDS instance in the same AZ as the primary EC2 instances would fail completely if that AZ becomes unavailable, and read replicas cannot be promoted for write traffic quickly enough to meet recovery time objectives. Option D is wrong because an Application Load Balancer operates at Layer 7 (HTTP/HTTPS) and cannot be placed in front of an RDS instance, which uses the MySQL protocol (TCP/3306); ALB does not support database connection pooling or failover for non-HTTP traffic.
