AWS Certified DevOps Engineer Professional DOP-C02 (DOP-C02) — Questions 12011275

1740 questions total · 24pages · All types, answers revealed

Page 16

Page 17 of 24

Page 18
1201
Multi-Selecthard

A company uses AWS CodeBuild to run security scans on code. The scan requires access to a private Amazon ECR repository for downloading scanning tools. The CodeBuild project is configured with a VPC and uses an IAM role. However, the build fails with 'Error: unable to pull image from registry.' Which TWO steps should be taken to resolve this?

Select 2 answers
A.Change the ECR repository policy to allow public access.
B.Remove the VPC configuration from the CodeBuild project so it can access the public internet.
C.Add 'ecr:GetDownloadUrlForLayer' and 'ecr:BatchGetImage' permissions to the CodeBuild service role.
D.Grant 'kms:Decrypt' permissions for the KMS key used by ECR.
E.Create a VPC endpoint for Amazon ECR and associate it with the VPC used by CodeBuild.
AnswersC, E

These permissions are required to pull images from ECR.

Why this answer

Options A and C are correct. The error suggests the build environment cannot authenticate or reach ECR. Adding ECR permissions to the IAM role allows pulling images.

Configuring VPC endpoints allows the build to reach ECR privately without NAT. Option B is unnecessary if the build already has a VPC. Option D is for public access, but the repository is private.

Option E is about KMS, not related.

1202
MCQmedium

A company is deploying a stateful application on Amazon EKS. The application requires persistent storage that can be reattached to a new pod if the original pod fails. The cluster spans multiple Availability Zones. Which storage solution provides the BEST resilience and meets these requirements?

A.Amazon S3 bucket with a mountpoint.
B.Amazon EBS with gp3 volume type.
C.EC2 instance store volumes.
D.Amazon EFS file system.
AnswerD

EFS is regional and can be mounted from any AZ, providing resilience.

Why this answer

Amazon EFS provides a fully managed, regional NFS file system that can be mounted concurrently by multiple pods across different Availability Zones. It is designed for high availability and durability, automatically replicating data across multiple AZs, and supports automatic reattachment to a new pod if the original pod fails, making it the best choice for stateful applications requiring resilient, shared persistent storage on Amazon EKS.

Exam trap

The trap here is that candidates often assume EBS is the default persistent storage for Kubernetes because of its common use with single-node stateful workloads, but they overlook the multi-AZ requirement that makes EBS unsuitable due to its zonal scope, while EFS's regional nature provides the necessary cross-AZ resilience.

How to eliminate wrong answers

Option A is wrong because Amazon S3 is an object storage service, not a file system; using a mountpoint (e.g., s3fs) introduces POSIX compatibility issues, performance overhead, and does not provide the native file locking or consistent read-after-write semantics required for a stateful application's persistent storage. Option B is wrong because Amazon EBS volumes are tied to a single Availability Zone and cannot be reattached to a pod in a different AZ; if the original pod fails and a replacement pod is scheduled in another AZ, the EBS volume cannot be mounted, breaking resilience across the multi-AZ cluster. Option C is wrong because EC2 instance store volumes are ephemeral and data is lost if the instance stops, terminates, or fails; they do not provide persistent storage that survives pod or node failures.

1203
MCQeasy

Refer to the exhibit. A developer has a buildspec.yaml for a React application. The build completes successfully, but the artifacts output is empty. What is the most likely cause?

A.The base-directory specified does not exist after the build phase.
B.The install phase did not run because npm install is not in the correct phase.
C.The artifacts files pattern '**/*' is invalid.
D.The runtime version nodejs 14 is not supported by CodeBuild.
AnswerA

If the build outputs to 'dist', the 'build' directory may be empty.

Why this answer

Option D is correct because the base-directory is set to 'build' but the build command 'npm run build' likely outputs to a different directory (e.g., 'dist'). Option A is wrong because the install phase runs npm install. Option B is wrong because runtime version is valid.

Option C is wrong because '**/*' matches all files.

1204
MCQeasy

A DevOps engineer needs to manage configuration files across a fleet of Amazon EC2 instances running Amazon Linux. The configuration files must be updated whenever they change in an S3 bucket. Which AWS service is most suitable for this task?

A.AWS OpsWorks for Chef Automate
B.AWS Systems Manager State Manager
C.AWS CloudFormation
D.AWS Config
AnswerB

State Manager can manage and update configurations automatically.

Why this answer

AWS Systems Manager State Manager is the most suitable service because it provides a configuration management solution that can automatically apply and maintain the desired state of EC2 instances. It can be configured to run associations on a schedule or in response to events, such as changes to an S3 bucket, using an AWS Lambda trigger or EventBridge rule to invoke the association. This ensures that configuration files are updated whenever they change in the S3 bucket, without requiring manual intervention or a full configuration management platform.

Exam trap

The trap here is that candidates often confuse AWS Config (which only audits and records configuration changes) with Systems Manager State Manager (which actively enforces and applies desired configurations), leading them to select AWS Config as the answer.

How to eliminate wrong answers

Option A is wrong because AWS OpsWorks for Chef Automate is a managed Chef server that requires Chef cookbooks and a Chef client agent, which is overkill for simple file synchronization and does not natively integrate with S3 bucket events for automatic updates. Option C is wrong because AWS CloudFormation is an Infrastructure as Code (IaC) service used to provision and manage AWS resources, not to manage runtime configuration files on running instances; it would require custom resources or additional automation to react to S3 changes. Option D is wrong because AWS Config is a service for evaluating resource compliance against rules and recording configuration history, not for actively pushing or updating configuration files on EC2 instances.

1205
MCQhard

A company uses AWS CodePipeline to automate deployments. The pipeline has a source stage (CodeCommit), a build stage (CodeBuild), and a deploy stage (CodeDeploy). The DevOps engineer notices that the pipeline fails intermittently during the deploy stage with the error: 'The deployment failed because the deployment group does not exist'. What is the most likely cause?

A.The deployment group was deleted or renamed after the pipeline was configured
B.The Auto Scaling group associated with the deployment group has insufficient capacity
C.The CodePipeline service role does not have permission to call CodeDeploy
D.The CodeDeploy application name in the pipeline is misspelled
AnswerA

If the deployment group is missing, the deploy stage fails.

Why this answer

Option B is correct because the deployment group is configured in CodeDeploy, and if the pipeline's deploy stage references a deployment group that does not exist, it will fail. Option A is wrong because IAM roles would cause a different error. Option C is wrong because insufficient capacity would cause a deployment error, not a missing group.

Option D is wrong because the application name would also cause a different error.

1206
MCQmedium

A company is designing a disaster recovery strategy for a critical application. They need a Recovery Time Objective (RTO) of 15 minutes and a Recovery Point Objective (RPO) of 1 minute. Which AWS database service configuration meets these requirements?

A.RDS MySQL with Multi-AZ and cross-region read replica
B.DynamoDB global tables
C.Aurora Global Database
D.RDS PostgreSQL with cross-region read replica
AnswerC

Typical RTO < 1 min, RPO sub-second.

Why this answer

Aurora Global Database provides cross-region replication with sub-second RPO and failover in minutes. Option A is wrong because RDS Multi-AZ is single-region. Option B is wrong because DynamoDB global tables have sub-second RPO but may not meet RTO.

Option D is wrong because read replicas have higher RPO.

1207
MCQmedium

A company has a serverless application using AWS Lambda functions and Amazon API Gateway. The application has been running fine, but recently users report that some requests are timing out with a 504 error. The Lambda function's timeout is set to 30 seconds, and API Gateway's integration timeout is 29 seconds. The CloudWatch logs for the Lambda function show that the function executes in under 5 seconds on average. What is the MOST likely cause of the 504 errors?

A.The Lambda function is logging too much data, causing delays in log delivery.
B.API Gateway's timeout is set to less than the Lambda function's timeout.
C.The Lambda function is experiencing concurrency limits and requests are being throttled.
D.The Lambda function's memory is too low, causing cold starts to take longer than the timeout.
AnswerC

Throttled requests cause API Gateway to wait and time out.

Why this answer

Option B is correct because if the Lambda function is throttled, API Gateway will wait for a response and eventually time out. Option A is wrong because the logs are being produced. Option C is wrong because the function execution is fast.

Option D is wrong because the timeout is adequate.

1208
Multi-Selecteasy

A DevOps engineer is designing a CI/CD pipeline for a containerized application using AWS CodeBuild and Amazon ECS. Which TWO actions will help reduce the frequency of Docker image pulls from the public Docker Hub registry?

Select 2 answers
A.Create a Docker Hub access token and store it in AWS Secrets Manager
B.Enable CodeBuild local caching for the cache type 'LOCAL_DOCKER_LAYER_CACHE'
C.Store the base image in Amazon ECR and use it in the build
D.Use AWS CodeArtifact as a proxy for Docker Hub
E.Configure CodeBuild to use a VPC with a NAT gateway
AnswersC, D

Using ECR as a local cache avoids pulling from Docker Hub.

Why this answer

Options A and B are correct. Option A: Using a VPC with a NAT gateway does not reduce pulls. Option C: CodeArtifact can cache images, reducing pulls from Docker Hub.

Option D: CodeBuild local caching can cache layers, reducing pulls. Option E: ECR is a registry, not a cache for Docker Hub.

1209
MCQmedium

A development team uses AWS CodeCommit for source control and AWS CodePipeline for CI/CD. The pipeline has a source stage that pulls from a CodeCommit repository, a build stage using AWS CodeBuild, and a deploy stage that uses AWS CodeDeploy to deploy to an EC2 Auto Scaling group. The team notices that the pipeline frequently fails at the deploy stage with the error 'The deployment failed because the deployment group's deployment configuration specifies a minimum healthy host count of 1, but 0 healthy hosts are available.' What is the MOST likely cause of this issue?

A.The IAM role for CodePipeline does not have sufficient permissions to access the CodeCommit repository.
B.The build artifacts are not being stored in an S3 bucket.
C.The EC2 instances are not registered with a Classic Load Balancer.
D.The CodeDeploy agent is not installed or is not running on the EC2 instances.
AnswerD

Without a running agent, instances cannot report health, causing the deployment to fail with the given error.

Why this answer

Option D is correct because if the CodeDeploy agent is not installed or not running on the EC2 instances, the instances will not report as healthy, causing the deployment to fail with the given error. Option A is incorrect because CodeDeploy does not require the instances to be behind a load balancer. Option B is incorrect because CodeCommit permissions do not affect the deploy stage.

Option C is incorrect because CodeBuild artifacts not being stored in S3 would cause a build failure, not a deploy failure.

1210
MCQhard

A media company runs a video transcoding pipeline on AWS. The pipeline uses AWS Step Functions to orchestrate multiple Lambda functions that transcode video files stored in Amazon S3. The company wants to implement a monitoring solution to track the progress of each workflow execution, including which step is currently running, the duration of each step, and any errors. The solution should provide near real-time visibility and allow the team to troubleshoot failed executions quickly. Which solution meets these requirements?

A.Create custom CloudWatch metrics from Lambda functions for each step, and build a CloudWatch dashboard.
B.Use Amazon EventBridge to capture Step Functions execution status changes and build a custom dashboard in CloudWatch.
C.Configure each Lambda function to write logs to CloudWatch Logs with the execution ID, and use CloudWatch Logs Insights to query and visualize.
D.Enable AWS X-Ray tracing on the Step Functions and Lambda functions to get a service map and trace details.
AnswerB

Step Functions emits events to EventBridge for each state transition, which can be used to create a real-time dashboard showing progress, durations, and errors.

Why this answer

Option D is correct because Step Functions natively emits execution history and CloudWatch Events (now Amazon EventBridge) for state changes. Using these events with a dashboard provides real-time visibility into step durations and errors. Option A is wrong because CloudWatch Logs from individual Lambda functions do not provide workflow-level context easily.

Option B is wrong because X-Ray traces are for distributed tracing, not for workflow step tracking; also, it adds overhead. Option C is wrong because CloudWatch dashboards can be built from existing metrics, but custom metrics from each step would require significant instrumentation.

1211
MCQhard

A company is using Amazon RDS for MySQL and needs to monitor the number of slow queries. They have enabled slow query logs. How can they effectively monitor and alert on the number of slow queries per minute?

A.Use RDS Events to send slow query metrics to CloudWatch.
B.Enable RDS Enhanced Monitoring and publish metrics to CloudWatch.
C.Use AWS CloudTrail to monitor SQL queries.
D.Publish slow query logs to CloudWatch Logs, create a metric filter, and set an alarm.
AnswerD

Metric filters can count pattern occurrences in logs.

Why this answer

Option C is correct because you can publish slow query logs to CloudWatch Logs, create a metric filter to count occurrences, and set an alarm on that metric. Option A is wrong because RDS Events do not include slow query counts. Option B is wrong because Enhanced Monitoring does not include slow query logs.

Option D is wrong because CloudTrail does not capture database queries.

1212
MCQmedium

A company is using AWS CodeCommit for source control. A developer accidentally committed a file containing AWS access keys. The keys have been removed from the file, but the commit history still contains them. What is the most secure way to remove the keys from the repository?

A.Delete the file from the repository and commit the deletion.
B.Use the AWS CLI command 'aws codecommit delete-file' with the --keep-history flag.
C.Use git filter-branch to remove the file from all commits and force push the changes.
D.Revert the commit that added the keys.
AnswerC

This rewrites history to completely remove the file from every commit, effectively purging the keys.

Why this answer

Git filter-branch can rewrite history to remove the file from all commits. However, AWS recommends using the AWS CLI's git-secrets or the AWS CodeCommit console's 'delete repository' option. But the most secure and straightforward approach is to use git filter-branch to purge the file and then force push.

Option A is wrong because simply reverting the commit leaves the keys in history. Option B is wrong because deleting the file and committing does not remove history. Option D is wrong because AWS does not provide a built-in command to remove a file from history.

1213
MCQhard

A DevOps team is implementing a comprehensive logging strategy for a microservices architecture running on Amazon EKS. They need to collect logs from all containers and send them to a centralized log analytics platform. The solution must be agentless and support multi-line log events. Which approach should the team use?

A.Deploy a Fluent Bit DaemonSet on the EKS cluster and configure it to send logs to Amazon CloudWatch Logs.
B.Use the Amazon CloudWatch agent as a sidecar container in each pod to forward logs to CloudWatch Logs.
C.Install the Amazon Kinesis Agent on each EC2 instance and configure it to stream logs to Amazon Kinesis Data Firehose.
D.Deploy a Fluentd DaemonSet on the EKS cluster and configure it to send logs to Amazon S3.
AnswerA

Fluent Bit is a lightweight, agentless log processor that can be deployed as a DaemonSet and supports multi-line logs.

Why this answer

Option A is correct because Fluent Bit is a lightweight, CNCF-graduated log processor that can be deployed as a DaemonSet on EKS to collect logs from all nodes without requiring sidecar containers. It supports multi-line log events natively via its multiline filter plugin, and it can output directly to Amazon CloudWatch Logs using the cloudwatch_logs output plugin, meeting the agentless requirement since it runs as a Kubernetes DaemonSet rather than as a per-pod sidecar.

Exam trap

The trap here is that candidates often confuse 'agentless' with 'no software at all,' but in Kubernetes, agentless means no sidecar injection per pod; a DaemonSet is considered agentless because it runs as a cluster-level service, not as part of the application deployment.

How to eliminate wrong answers

Option B is wrong because deploying the CloudWatch agent as a sidecar container in each pod is not agentless; it requires modifying every pod definition and increases resource overhead, whereas the requirement specifies an agentless solution. Option C is wrong because the Amazon Kinesis Agent is an EC2-level agent that must be installed on each underlying EC2 instance, which is not agentless and does not integrate with EKS pod-level log collection; it also does not natively support multi-line log events without custom configuration. Option D is wrong because Fluentd is a heavier log collector compared to Fluent Bit, and while it can send logs to Amazon S3, S3 is a storage service, not a centralized log analytics platform; the requirement specifies sending logs to a centralized log analytics platform, which CloudWatch Logs fulfills.

1214
MCQeasy

A company is designing a highly available architecture for a web application. The application runs on Amazon EC2 instances in an Auto Scaling group across three Availability Zones. The instances are behind an Application Load Balancer (ALB). Which additional step should the team take to ensure that traffic is evenly distributed across all healthy instances in all Availability Zones?

A.Use Amazon Route 53 weighted routing policy to distribute traffic to each AZ.
B.Configure health checks on the target group to mark instances as unhealthy if they are in an AZ with fewer instances.
C.Enable cross-zone load balancing on the ALB.
D.Configure the ALB to use least outstanding requests routing algorithm.
AnswerC

This ensures even distribution across all instances in all AZs.

Why this answer

Option C is correct. By default, ALB distributes traffic evenly across AZs, but cross-zone load balancing must be enabled to distribute traffic evenly across all instances regardless of AZ. Option A is wrong because ALB already distributes traffic across AZs.

Option B is wrong because Route 53 is not needed for internal distribution. Option D is wrong because target group health checks are already enabled.

1215
MCQhard

A company runs a critical microservices application on Amazon EKS with multiple services. They use an ingress controller (ALB Ingress Controller) to route traffic to services. They notice that when a pod fails, new requests are still sent to the failed pod for a few seconds, causing errors. The health check interval is set to 5 seconds. They want to minimize the time during which failed pods receive traffic. They also need to ensure that during rolling updates, traffic is not sent to pods that are terminating. Which solution should they implement?

A.Define liveness probes for all pods with a low failure threshold.
B.Use pod anti-affinity to spread pods across nodes.
C.Decrease the health check interval on the ALB target group to 2 seconds.
D.Configure readiness probes on the pods and set the ALB ingress controller to use the readiness probe endpoint.
AnswerD

Readiness probes ensure that only ready pods receive traffic; the ingress controller will stop sending traffic to pods that fail the probe.

Why this answer

Option D is correct because readiness probes detect when a pod is not ready to serve traffic and remove it from the service endpoints quickly. The ALB ingress controller respects readiness probes. Option A is incorrect because liveness probes restart pods but do not remove them from service immediately.

Option B is incorrect because increasing the health check interval would make the situation worse. Option C is incorrect because pod anti-affinity affects scheduling, not traffic routing.

1216
Multi-Selectmedium

Which TWO strategies can be used to improve the resilience of an application running on Amazon ECS with Fargate? (Select TWO.)

Select 2 answers
A.Use a single subnet for all tasks to simplify networking.
B.Configure the ECS service to place tasks in multiple Availability Zones.
C.Increase the task memory reservation to handle peak load.
D.Implement a circuit breaker pattern for downstream dependencies.
E.Use scheduled scaling to adjust task count based on historical patterns.
AnswersB, D

Spreads tasks across AZs for fault tolerance.

Why this answer

Option A (multi-AZ task placement) and Option D (circuit breaker pattern) are correct. Multi-AZ placement spreads tasks across Availability Zones to tolerate AZ failures. Circuit breaker pattern prevents cascading failures.

Option B is wrong because increasing memory does not improve resilience. Option C is wrong because using the same subnet reduces resilience. Option E is wrong because scheduled scaling does not handle unexpected spikes.

1217
MCQhard

A company runs a microservices application on Amazon ECS with Fargate. The operations team notices that some services are experiencing intermittent high latency, but CPU and memory metrics appear normal. They need to identify the root cause. Which approach should they use?

A.Enable detailed CloudWatch Logs and use CloudWatch Logs Insights to query logs for slow requests.
B.Use Amazon Managed Service for Prometheus to collect custom metrics and set up dashboards.
C.Set up CloudWatch Synthetics canaries to monitor the endpoints and measure response times.
D.Instrument the application with the AWS X-Ray SDK and use the X-Ray console to analyze traces.
AnswerD

X-Ray traces individual requests across services, identifying latency sources.

Why this answer

Option D is correct because AWS X-Ray provides end-to-end tracing to pinpoint latency issues in distributed applications. Option A is wrong because CloudWatch Logs Insights alone does not trace requests across services. Option B is wrong because Prometheus metrics are aggregated and may not correlate individual requests.

Option C is wrong because CloudWatch Synthetics canaries test endpoints but cannot trace internal service calls.

1218
MCQmedium

A company uses AWS CloudFormation to deploy a multi-tier web application. The template includes a nested stack for the database layer. When updating the stack, the database stack fails with a 'CREATE_FAILED' status, but the parent stack continues updating other resources. What is the most likely cause and best practice to prevent this?

A.The parent stack's update policy is set to 'CONTINUE' by default. To prevent this, set 'OnFailure' to 'ROLLBACK' in the stack update options.
B.The parent stack was created without the '--capabilities' parameter, so it cannot roll back.
C.The nested stack failure automatically triggers a rollback of the parent stack, but the rollback also failed.
D.The parent stack is configured with 'OnFailure' set to 'DO_NOTHING'. Change it to 'DELETE'.
AnswerA

Setting 'OnFailure' to 'ROLLBACK' during update ensures the entire stack rolls back if any resource fails, maintaining consistency.

Why this answer

Option A is correct because, by default, when a CloudFormation stack update encounters a failure in a nested stack, the parent stack's update policy is set to 'CONTINUE', meaning it will proceed with updating other resources despite the failure. To prevent this, you should set the 'OnFailure' parameter to 'ROLLBACK' in the stack update options, which instructs CloudFormation to roll back the entire parent stack if any resource (including nested stacks) fails to update, ensuring consistency across the deployment.

Exam trap

The trap here is that candidates confuse the 'OnFailure' parameter (which only applies to stack creation) with update behavior, and mistakenly think that nested stack failures always trigger an automatic rollback of the parent stack, when in fact the default update policy is to continue.

How to eliminate wrong answers

Option B is wrong because the '--capabilities' parameter is required for stacks that create IAM resources, not for controlling rollback behavior; omitting it would cause a different error (e.g., 'InsufficientCapabilitiesException') but does not prevent rollback. Option C is wrong because a nested stack failure does not automatically trigger a rollback of the parent stack; the parent stack's behavior depends on the 'OnFailure' setting, which defaults to 'CONTINUE' (not rollback). Option D is wrong because 'OnFailure' set to 'DO_NOTHING' is not a valid value for stack updates; valid values are 'ROLLBACK' and 'DELETE' (for creation), and 'DO_NOTHING' is not an option—the default behavior for updates is to continue, not to do nothing.

1219
MCQhard

A company uses AWS CloudFormation to deploy infrastructure. The security team wants to be notified whenever a stack is created, updated, or deleted. They also want to track who made the change. Which combination of services should be used to achieve this?

A.AWS Config rules and Amazon SNS
B.AWS CloudTrail and Amazon CloudWatch Events (now Events) with SNS
C.Amazon S3 event notifications and AWS Lambda
D.AWS Lambda and Amazon DynamoDB
AnswerB

CloudTrail logs API calls, and CloudWatch Events can filter those events and publish to SNS.

Why this answer

Option B is correct because CloudTrail captures CloudFormation API calls (CreateStack, UpdateStack, DeleteStack) and CloudWatch Events can trigger SNS notifications based on those API calls. Option A is wrong because Config rules evaluate resource compliance, not API events. Option C is wrong because S3 event notifications are for S3 objects.

Option D is wrong because Lambda alone cannot capture who made the change without CloudTrail integration.

1220
MCQhard

A developer is troubleshooting a failed CodeBuild build. The build is triggered by a pull request from a forked repository. The buildspec includes a command to fetch pull request references. What is the most likely cause of the failure?

A.The IAM role for CodeBuild does not have permission to read from the repository.
B.The buildspec file is not present in the source code.
C.The CodeBuild project is not configured to allow pull requests from forked repositories.
D.The buildspec contains invalid syntax.
AnswerC

Fetching PR refs from forks requires explicit configuration.

Why this answer

Option B is correct because by default, CodeBuild does not fetch pull request references from forked repositories for security reasons. The build project must be configured to allow pull request builds from forked repositories. Option A is wrong because the error is about fetching, not about file not found.

Option C is wrong because the buildspec is being executed, so it is valid. Option D is wrong because the error is about fetching, not about insufficient permissions.

1221
Multi-Selectmedium

A company runs a mission-critical database on Amazon RDS for MySQL. They need to ensure that if the primary DB instance fails, the database remains available with minimal downtime. Which TWO configurations should they implement? (Choose TWO.)

Select 2 answers
A.Enable automated backups with point-in-time recovery.
B.Create a read replica in the same region.
C.Enable deletion protection on the DB instance.
D.Enable Multi-AZ deployment.
E.Configure cross-region replication.
AnswersA, D

Automated backups allow restoring to a specific point, reducing data loss.

Why this answer

Options A and D are correct. Multi-AZ provides automatic failover to a standby in a different AZ. Automated backups with point-in-time recovery allow restoring to a specific time.

Option B is incorrect because read replicas do not provide automatic failover. Option C is incorrect because cross-region replication is for regional DR, not immediate failover. Option E is incorrect because deletion protection prevents accidental deletion but does not help with failure.

1222
MCQhard

A company has a monorepo in AWS CodeCommit with multiple microservices. They want to use AWS CodePipeline to build and deploy only the microservice that changed. What is the MOST efficient approach?

A.Configure a single pipeline that always builds all microservices.
B.Create separate CodeCommit repositories for each microservice.
C.Use an AWS Lambda function triggered by CloudWatch Events for CodeCommit to start the specific pipeline for the changed microservice.
D.Use a single pipeline with multiple build actions that each check if their microservice changed.
AnswerC

Lambda can analyze the commit and start the relevant pipeline, building only the changed microservice.

Why this answer

Option C is correct because Lambda can parse the commit and trigger the appropriate pipeline. Option A is wrong because it builds everything. Option B is wrong because it requires multiple repos.

Option D is wrong because it still builds all.

1223
MCQmedium

An operations team manages a fleet of Amazon EC2 instances that require periodic software updates. They want to use AWS Systems Manager to apply patches automatically while ensuring that patches are tested before production deployment. Which approach meets these requirements?

A.Use AWS Systems Manager Automation to create a runbook that patches instances one by one.
B.Create a patch baseline and assign it to all instances; enable automatic approval for all patches.
C.Use AWS Systems Manager Run Command to manually run patch commands on test instances, then on production.
D.Use AWS Systems Manager Patch Manager with maintenance windows, and configure a patch baseline that approves patches after a test period.
AnswerD

Automated and allows testing.

Why this answer

Option C is correct because Systems Manager Patch Manager supports patch baselines and maintenance windows, and can be used with State Manager to schedule patching. By creating separate patching schedules for test and production, patches can be tested first. Option A is wrong because Patch Manager does not automatically install patches without a maintenance window.

Option B is wrong because Run Command is manual. Option D is wrong because Automation is not designed for patching.

1224
Drag & Dropmedium

Drag and drop the steps to configure an AWS Auto Scaling group with a launch template and scaling policies.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

First create the launch template, then create the Auto Scaling group, then configure network, then set capacities, then add scaling policy.

1225
MCQhard

A company is migrating to AWS and has a requirement to encrypt all data at rest and in transit. They are using AWS KMS with Customer Master Keys (CMKs) for encryption. The DevOps engineer has set up an S3 bucket with default encryption using SSE-KMS. The bucket policy allows access only to a specific IAM role. The engineer also enabled S3 bucket versioning and MFA Delete. However, when the engineer tries to download an object using the AWS CLI with the IAM role, the command fails with 'AccessDenied'. The IAM role has the following permissions: s3:GetObject, s3:ListBucket, kms:Decrypt, kms:DescribeKey. What is the most likely missing permission?

A.The IAM role is missing kms:GenerateDataKey permission.
B.The IAM role is missing kms:Encrypt permission.
C.The IAM role is missing kms:CreateGrant permission.
D.The KMS key policy does not grant the IAM role permission to decrypt using the key.
AnswerD

KMS key policies must explicitly grant access to IAM roles.

Why this answer

To download an object encrypted with SSE-KMS, the IAM role must have kms:GenerateDataKey (if uploading) and kms:Decrypt (if downloading). However, for GetObject, KMS requires kms:Decrypt. But there is also a need for kms:Encrypt? Actually, reading encrypted data requires only kms:Decrypt.

However, the error might be due to the IAM role not having kms:GenerateDataKey? No, that is for writing. The bucket policy might require kms:Encrypt? Wait. The common missing permission is kms:ReEncrypt? No.

Actually, for downloading, KMS permission needed is kms:Decrypt. But the error persists. Could be kms:DescribeKey is not needed.

But the most likely is that the KMS key policy does not grant the IAM role permissions. The key policy must allow the IAM role to use the key. The question says the IAM role has kms:Decrypt, but the key policy might not grant it.

Option A is correct. Option B is for writing. Option C is not needed.

Option D is for management.

1226
Multi-Selecthard

A company is designing a disaster recovery plan for a critical application that uses Amazon RDS for MySQL with Multi-AZ. The RPO must be less than 1 minute and RTO less than 15 minutes. The primary Region is us-east-1. Which THREE steps should the company take to meet these requirements?

Select 3 answers
A.Take manual snapshots of the RDS instance every 30 seconds and copy them to the secondary Region
B.Enable Multi-AZ in the primary Region
C.Create a cross-Region read replica of the RDS instance in the secondary Region
D.Create an AWS Lambda function to promote the read replica to primary in the secondary Region during a disaster
E.Enable automated backups with cross-Region copy enabled to the secondary Region
AnswersC, D, E

Provides low-lag replication and fast promotion.

Why this answer

B, C, and E are correct. Cross-Region read replica provides near-real-time replication (low RPO) and can be promoted quickly (low RTO). Automated backups are replicated to another Region and can be restored, but RTO may exceed 15 minutes.

Option A is wrong because manual snapshots cannot achieve <1 minute RPO. Option D is wrong because Multi-AZ protects within a Region only.

1227
Multi-Selectmedium

A company is using AWS Secrets Manager to rotate database credentials automatically. The DevOps engineer needs to ensure that the rotation process is secure and does not cause downtime. Which THREE steps should the engineer take?

Select 3 answers
A.Disable automatic rotation for the old secret version.
B.Set up CloudWatch alarms to monitor rotation failures.
C.Use a separate database user for rotation that has permissions to change passwords.
D.Configure the Lambda rotation function to use a VPC endpoint for Secrets Manager.
E.Grant the Lambda rotation function IAM permissions to read and update the secret.
AnswersB, C, E

Alerts on rotation failures help maintain security.

Why this answer

Option A is correct because the Lambda rotation function needs permissions to read and update the secret. Option C is correct because using a separate user for rotation allows the old credentials to remain valid during rotation. Option E is correct because CloudWatch alarms can detect rotation failures.

Option B is wrong because the rotation function should have network access to the database, but using a VPC endpoint is not required; the function can be in a VPC. Option D is wrong because disabling rotation for old secrets would break the rotation process.

1228
MCQhard

A DevOps team uses AWS CodePipeline to deploy a web application. The application stores user session data in an ElastiCache Redis cluster. The security team mandates that all data in transit between the application and Redis must be encrypted. What should the team do?

A.Use a network ACL to allow only encrypted traffic on the Redis port.
B.Modify the application to use TLS when connecting to Redis.
C.Place the application and Redis cluster in the same VPC and use VPC peering.
D.Enable encryption in transit on the ElastiCache Redis cluster and configure the application to use TLS.
AnswerD

This ensures both sides support encryption in transit.

Why this answer

Option D is correct because ElastiCache Redis supports encryption in transit using TLS, which must be enabled at cluster creation. Option A is wrong because VPC peering does not encrypt traffic. Option B is wrong because NACLs do not encrypt.

Option C is wrong because the application must use TLS, but the cluster must also be configured to support it.

1229
MCQeasy

An organization wants to grant cross-account access to an S3 bucket in Account A to a user in Account B. Which policy configuration is required?

A.A bucket policy in Account A and an IAM user policy in Account B
B.An S3 bucket ACL granting access to the user in Account B
C.An IAM user policy in Account B allowing access to the bucket
D.A bucket policy in Account A granting access to the user in Account B
AnswerA

Both policies are needed for cross-account access.

Why this answer

Cross-account access requires both a bucket policy in Account A granting access to the user in Account B and an IAM user policy in Account B allowing the user to access the bucket. Option A is wrong because only bucket policy is insufficient. Option C is wrong because only IAM policy is insufficient.

Option D is wrong because ACLs are legacy and not recommended.

1230
MCQmedium

An e-commerce platform uses Amazon DynamoDB as its primary database. During a flash sale, the application experienced high read latency. The DevOps team wants to set up CloudWatch alarms to detect high read latency proactively. The team has enabled DynamoDB Accelerator (DAX) for caching. Which metric should the team use to create a CloudWatch alarm for read latency?

A.DAX's CacheHitCount metric.
B.DynamoDB's ConsumedReadCapacityUnits metric.
C.DAX's CacheHitLatency metric.
D.DynamoDB's SuccessfulRequestLatency metric for GetItem operations.
AnswerC

This metric measures the latency of cache hits from DAX.

Why this answer

Option C is correct. With DAX enabled, the application reads from DAX, so the relevant latency metric is the DAX cache hit latency. Option A is incorrect because DynamoDB read latency does not reflect DAX caching.

Option B is incorrect because DynamoDB consumed read capacity is not a latency metric. Option D is incorrect because DAX cache hit count is a count, not a latency measure.

1231
MCQeasy

A DevOps team uses AWS OpsWorks for configuration management. They want to run a custom recipe on all instances in a layer during the setup lifecycle event. What should they do?

A.Add the recipe commands to the instance's user data.
B.Store the recipe in an S3 bucket and reference it in the stack configuration.
C.Define a custom lifecycle event in the stack settings.
D.Assign the custom recipe to the Setup lifecycle event in the layer's Recipes settings.
AnswerD

This is the correct way to run a recipe during setup.

Why this answer

In AWS OpsWorks, lifecycle events (Setup, Configure, Deploy, Undeploy, Shutdown) are predefined hooks that run Chef recipes on instances. To run a custom recipe during the Setup event on all instances in a layer, you must assign that recipe to the Setup lifecycle event in the layer's Recipes settings. This ensures the recipe executes automatically when an instance enters the online state after bootstrapping.

Exam trap

The trap here is that candidates confuse OpsWorks lifecycle events with EC2 user data or assume recipes can be triggered arbitrarily via stack configuration, but OpsWorks strictly requires recipes to be assigned to predefined lifecycle events at the layer level.

How to eliminate wrong answers

Option A is wrong because user data is an EC2 feature that runs scripts at instance launch, but OpsWorks manages instances via its agent and Chef runs; user data is not integrated with OpsWorks lifecycle events or its recipe execution order. Option B is wrong because while recipes can be stored in S3, simply referencing a recipe in the stack configuration does not tie it to a specific lifecycle event; recipes must be assigned to a lifecycle event in the layer's settings to execute. Option C is wrong because OpsWorks does not support defining custom lifecycle events; the five lifecycle events (Setup, Configure, Deploy, Undeploy, Shutdown) are fixed and cannot be extended or renamed.

1232
MCQmedium

A DevOps team uses AWS OpsWorks for configuration management. They have a stack with a custom cookbook that installs and configures an application. After updating the cookbook on GitHub, they need to apply the changes to existing instances without creating new ones. What should the team do?

A.Clone the stack and assign the updated cookbook to the new stack.
B.Use the 'Execute Recipes' feature to run the updated custom recipe on the instances.
C.Update the layer's custom cookbook settings and then reboot the instances.
D.Update the stack's custom cookbook source and click 'Update Dependencies' on the stack.
AnswerB

Correct. 'Execute Recipes' runs the specified recipe on selected instances, applying the changes.

Why this answer

Option C (run a custom recipe using 'Execute Recipes' on the instances) is correct because it applies the updated cookbook without replacing instances. Option A is wrong because cloning creates a new stack, not updating existing instances. Option B is wrong because updating the stack configuration does not trigger cookbook execution.

Option D is wrong because it updates the layer, but does not run the updated cookbook automatically.

1233
MCQmedium

A DevOps engineer is designing a CI/CD pipeline for a microservices application using AWS CodePipeline. Each microservice has its own CodeCommit repository. The engineer wants to run unit tests in parallel for all services when any repository receives a push, then run integration tests only after all unit tests pass. Which pipeline structure should the engineer use?

A.Create a single pipeline with a parallel action for unit tests, then a serial stage for integration tests
B.Create a single pipeline with a serial stage for unit tests, then integration tests
C.Create one pipeline per microservice, each triggering integration tests via SNS
D.Use AWS CodeBuild batch builds with a fan-out/fan-in pattern
AnswerA

Parallel unit tests reduce time; integration tests run after all unit tests succeed.

Why this answer

Option C is correct because having a single pipeline with a parallel action for unit tests and then a serial integration test stage is the simplest and most straightforward design. Option A is incorrect because it suggests separate pipelines, which would require complex coordination. Option B is incorrect because a serial stage for unit tests would increase overall time.

Option D is incorrect because CodeBuild does not have built-in fan-out/fan-in; the pipeline provides that.

1234
MCQhard

A company uses AWS CodeBuild to run integration tests as part of a pipeline. The tests require access to an Amazon RDS database. The RDS instance is in a private subnet with no public access. The CodeBuild project is configured with a VPC. Which additional configuration is necessary to ensure the build can connect to the database?

A.Add an IAM policy that grants the CodeBuild service role access to the RDS instance.
B.Configure the security group for the RDS instance to allow inbound traffic from the security group associated with the CodeBuild project.
C.Create a VPC endpoint for Amazon RDS.
D.Attach a NAT gateway to the private subnet.
AnswerB

Security group rules must allow traffic between CodeBuild and RDS for connectivity.

Why this answer

Option C is correct because CodeBuild needs security group rules that allow outbound traffic to the RDS instance and the RDS security group must allow inbound traffic from CodeBuild. Option A is wrong because NAT gateway is for internet access, not for database connectivity within VPC. Option B is wrong because VPC endpoints are for AWS services, not for RDS connectivity.

Option D is wrong because IAM roles do not control network connectivity.

1235
MCQmedium

A company uses AWS CodeDeploy with a blue/green deployment configuration. After a deployment, the new instances are not registered with the load balancer, causing downtime. What is the MOST likely cause?

A.The IAM role for CodeDeploy does not have permission to register instances with the load balancer.
B.The original instances are still registered with the load balancer.
C.The load balancer health check is misconfigured.
D.The CodeDeploy deployment group does not have a load balancer configured or the deregistration delay is too long.
AnswerD

CodeDeploy needs a load balancer configured to register new instances; without it, instances may not be registered.

Why this answer

Option C is correct because without a health check, CodeDeploy doesn't know when to register. Option A is wrong because ELB health checks are separate. Option B is wrong because original instances are deregistered after.

Option D is wrong because CodeDeploy does registration.

1236
Multi-Selecteasy

A company uses AWS CodePipeline to automate their software release process. They want to add a stage that runs security scanning on the code before deployment. Which two AWS services can be integrated into the pipeline for this purpose? (Choose TWO.)

Select 2 answers
A.Amazon Inspector
B.Amazon GuardDuty
C.Amazon Detective
D.AWS CodeBuild
E.AWS CodeDeploy
AnswersA, D

Inspector can scan code for vulnerabilities and integrate with CodePipeline.

Why this answer

Option A (CodeBuild) is correct because it can run custom security scanning tools. Option D (Amazon Inspector) is correct because it can be integrated as a test action to scan for vulnerabilities. Option B (CodeDeploy) is for deployment, not scanning.

Option C (GuardDuty) is for threat detection in the AWS environment, not code scanning. Option E (Detective) is for analyzing security findings, not scanning code.

1237
MCQmedium

A DevOps engineer is reviewing the IAM policy attached to a CodeBuild service role. The policy allows starting builds and viewing logs. However, when CodeBuild tries to download artifacts from an S3 bucket in the same account, it fails with an access denied error. What is the missing permission?

A.s3:GetObject
B.kms:Decrypt
C.s3:PutObject
D.logs:DescribeLogGroups
AnswerA

To download artifacts from S3, GetObject permission is required.

Why this answer

The error occurs because CodeBuild needs to download artifacts from S3, which requires the s3:GetObject permission on the bucket or object. Without this permission, the service role cannot read the artifact files, even though it can start builds and view logs. The s3:GetObject action is the specific permission that grants read access to S3 objects.

Exam trap

The trap here is that candidates may confuse s3:GetObject with s3:PutObject or assume KMS decryption is always required, but the direct cause is the lack of read access to the S3 object.

How to eliminate wrong answers

Option B is wrong because kms:Decrypt is only needed if the S3 bucket uses server-side encryption with AWS KMS (SSE-KMS), but the question does not mention encryption, so the missing permission is not KMS-related. Option C is wrong because s3:PutObject is for uploading objects to S3, not downloading them; the error is about downloading artifacts, not uploading. Option D is wrong because logs:DescribeLogGroups is for listing CloudWatch log groups, which is unrelated to S3 access; it would not cause an S3 access denied error.

1238
MCQmedium

A DevOps engineer is creating a CloudFormation template that includes an AWS Lambda function. The function code is stored in an S3 bucket. The engineer wants to ensure that the Lambda function is updated whenever the code in S3 changes. What should the engineer do?

A.Use AWS CodeDeploy to deploy the Lambda function
B.Reference the S3 object version in the Lambda function's Code property to force an update when the version changes
C.Add a DependsOn clause to the Lambda function resource
D.Use AWS CodePipeline to automatically update the stack when the S3 object changes
AnswerB

Changing the version triggers a stack update.

Why this answer

Option B is correct because referencing the S3 object version in the Lambda function's Code property (e.g., `S3ObjectVersion`) creates a dependency on that specific version. When the S3 object is updated, its version changes, which triggers CloudFormation to detect a change in the template and update the Lambda function during the next stack update. This ensures the function code is refreshed without manual intervention.

Exam trap

The trap here is that candidates assume any automation tool (CodePipeline or CodeDeploy) can replace the need for explicit version tracking, but CloudFormation requires a property change to trigger an update, and only referencing the S3 object version achieves that directly.

How to eliminate wrong answers

Option A is wrong because AWS CodeDeploy is a deployment service for managing traffic shifting and rollbacks, not a mechanism to detect S3 object changes and trigger CloudFormation updates. Option C is wrong because a DependsOn clause only controls resource creation order, not update triggers based on S3 object version changes. Option D is wrong because AWS CodePipeline can automate stack updates, but it requires an external trigger (e.g., S3 event notification or webhook) and does not inherently detect S3 object version changes to update the Lambda function directly.

1239
Multi-Selectmedium

A company uses AWS CloudFormation to deploy a multi-tier application. The engineer wants to ensure that the stack is not accidentally deleted and that critical resources like databases are retained even if the stack is deleted. Which THREE steps should the engineer take?

Select 3 answers
A.Create a StackPolicy that denies updates to the RDS instance
B.Use nested stacks to isolate the database
C.Use a StackPolicy to deny delete actions
D.Set the DeletionPolicy attribute to Retain on the RDS instance
E.Enable termination protection on the stack
AnswersA, D, E

Protects the database from accidental updates.

Why this answer

Options A, C, and D are correct. Option A: Enable termination protection to prevent stack deletion. Option C: Set DeletionPolicy to Retain on the RDS instance so it is not deleted.

Option D: Use a StackPolicy to protect resources from updates. Option B is incorrect because stack policy does not prevent deletion. Option E is incorrect because nested stacks do not provide protection.

1240
MCQmedium

A company uses AWS CloudTrail to monitor API activity. During an incident, they need to quickly identify any unauthorized IAM role assumption attempts. Which CloudTrail feature should be used to filter and alert on this specific event?

A.Configure VPC Flow Logs to capture traffic to the IAM endpoint.
B.Use S3 event notifications on the CloudTrail bucket for PutObject events.
C.Set up a CloudWatch Logs metric filter on the CloudTrail log group for 'AssumeRole' events.
D.Enable CloudTrail Insights to detect anomalous AssumeRole events.
AnswerD

CloudTrail Insights uses machine learning to detect unusual patterns in management events.

Why this answer

Option A is correct because CloudTrail Insights identifies unusual API activity like role assumption anomalies. Option B is wrong because CloudWatch Logs filters would require manual setup. Option C is wrong because S3 event notifications are for object-level events.

Option D is wrong because VPC Flow Logs track network traffic, not API calls.

1241
Multi-Selecthard

A company is migrating a monolithic application to a microservices architecture on Amazon EKS. The application uses a relational database. The team wants to ensure that database connections are managed efficiently and that the database can withstand a sudden spike in connections from multiple microservices. Which solution should the DevOps engineer implement? (Choose THREE.)

Select 3 answers
A.Use direct database connections from each microservice pod.
B.Use Amazon ElastiCache for Redis to cache database query results.
C.Deploy Amazon RDS Proxy in front of the database.
D.Configure the database to have a higher max_connections and enable Auto Scaling.
E.Implement a connection pool sidecar container (e.g., PgBouncer) in each EKS pod.
AnswersC, D, E

RDS Proxy manages connection pooling and reduces database load.

Why this answer

Option A is correct because RDS Proxy pools and shares database connections, reducing the number of connections to the database. Option D is correct because configuring the database with appropriate max_connections and using Auto Scaling (e.g., Aurora Auto Scaling) helps handle spikes. Option E is correct because using a connection pool sidecar (e.g., PgBouncer) in the EKS pods adds connection pooling at the application level.

Option B (direct connections) would increase load. Option C (ElastiCache) is for caching, not connection management.

1242
MCQeasy

A DevOps engineer needs to manage the configuration of a large number of EC2 instances that are part of a cluster. The instances should have consistent software packages, services, and settings. The engineer wants to use a configuration management tool that integrates with AWS and supports a push-based model. Which service should be used?

A.AWS OpsWorks Stacks
B.AWS CodeCommit
C.AWS Systems Manager Run Command
D.AWS CloudFormation
AnswerC

Run Command pushes commands to instances.

Why this answer

Option D is correct because AWS Systems Manager Run Command uses a push-based model to execute commands and manage configuration on instances. Option A (OpsWorks) is pull-based. Option B (CloudFormation) is for infrastructure, not configuration.

Option C (CodeCommit) is a source control service.

1243
MCQmedium

A company runs a critical web application on EC2 instances behind an Application Load Balancer (ALB) across multiple Availability Zones. During a recent failure of one AZ, the application experienced downtime because the Auto Scaling group did not launch new instances quickly enough. What should a DevOps engineer do to improve resilience?

A.Configure the Auto Scaling group to span multiple AZs and enable health checks to replace unhealthy instances.
B.Use a larger AMI to reduce boot times.
C.Increase the instance size of the EC2 instances to handle more traffic.
D.Configure the Auto Scaling group to launch instances in a single AZ with a larger instance count.
AnswerA

Multiple AZs provide high availability and health checks ensure quick replacement.

Why this answer

Option D is correct because distributing instances across multiple AZs ensures that failure of one AZ does not affect the entire application, and using a multi-AZ deployment with proper Auto Scaling group configuration is a best practice for high availability. Option A is wrong because increasing instance size does not mitigate AZ failure. Option B is wrong because a single AZ still presents a single point of failure.

Option C is wrong because using a larger AMI does not help with resilience.

1244
Multi-Selecteasy

A DevOps engineer is troubleshooting an issue where an EC2 instance in a private subnet cannot reach the internet. The instance has a route to a NAT gateway. Which TWO of the following should the engineer check? (Choose TWO.)

Select 2 answers
A.The NAT gateway is in the same subnet as the instance
B.The route table of the private subnet has a route to the NAT gateway
C.The internet gateway is attached to the private subnet
D.The instance has a public IP address
E.The security group allows outbound traffic to the internet
AnswersB, E

Required for traffic to reach NAT gateway.

Why this answer

Option A is correct because the route table must have a route to the NAT gateway. Option B is correct because the security group must allow outbound traffic (e.g., HTTPS). Option C is wrong because the internet gateway is attached to the VPC, not the subnet.

Option D is wrong because public IP is not needed for instances in private subnet using NAT. Option E is wrong because the NAT gateway is in a public subnet, but the instance is in private; the instance does not have a public IP.

1245
Multi-Selecthard

A company uses AWS CodePipeline to deploy a serverless application using AWS SAM. The pipeline includes a build stage that runs 'sam build' and a deploy stage that runs 'sam deploy'. The team wants to automatically test the deployed application before promoting it to production. Which THREE steps should be included in the pipeline?

Select 3 answers
A.Add a stage that runs a performance or load test.
B.Add a stage that automatically rolls back the deployment if tests fail.
C.Add a manual approval stage after testing before promoting to production.
D.Add a stage that deploys the application to a separate production environment.
E.Add a stage after deployment that runs integration tests against the deployed API.
AnswersA, C, E

Load testing validates performance.

Why this answer

Options A, C, and D are correct. After deployment, an integration test stage validates the deployment. A manual approval stage allows review before promotion.

Additional testing (e.g., load test) can be added. Option B is wrong because a separate deployment to a different environment is not necessary. Option E is wrong because rolling back is not a testing step.

1246
Multi-Selecteasy

A DevOps team is implementing a CI/CD pipeline for a microservices application deployed on Amazon ECS. They want to automatically build, test, and deploy container images to Amazon ECR and then update the ECS service. Which TWO steps are essential to achieve this goal?

Select 2 answers
A.Use AWS CodeDeploy to update the ECS service with a new task definition.
B.Use AWS Secrets Manager to store Docker credentials.
C.Use AWS CodeBuild to build the Docker image and push it to Amazon ECR.
D.Use AWS X-Ray for tracing.
E.Use Amazon CodeGuru for code review.
AnswersA, C

Correct: CodeDeploy can deploy to ECS.

Why this answer

Option A is needed to build and push the image. Option D is needed to update the ECS service. Option B is for secrets retrieval, but not essential for the pipeline flow.

Option C is for static analysis, not required. Option E is for load testing, not required.

1247
MCQeasy

A company uses AWS CloudFormation to manage its infrastructure. The DevOps team needs to deploy a stack that includes a Lambda function and an S3 bucket. The Lambda function's code is stored in the S3 bucket. How can the team ensure that the Lambda function is created after the S3 bucket and the code is uploaded?

A.Upload the code to the S3 bucket before creating the stack.
B.Use the Fn::GetAtt intrinsic function to retrieve the bucket name.
C.Define the S3 bucket resource before the Lambda function resource in the template.
D.Use the DependsOn attribute on the Lambda function to depend on the S3 bucket.
AnswerD

DependsOn ensures creation order.

Why this answer

Option D is correct because the DependsOn attribute explicitly instructs CloudFormation to create the S3 bucket before the Lambda function. Even though CloudFormation automatically determines resource dependencies for certain intrinsic functions, it does not infer dependencies based on code uploads. Using DependsOn ensures the bucket exists and the code is uploaded before the Lambda function is created, preventing a deployment failure when the Lambda references code that is not yet available.

Exam trap

The trap here is that candidates assume CloudFormation automatically orders resources based on template order or implicit references like Fn::GetAtt, but it does not infer dependencies from code uploads or resource definition order, so explicit DependsOn is required for non-attribute-based dependencies.

How to eliminate wrong answers

Option A is wrong because it requires manual intervention outside of the CloudFormation stack, breaking the principle of infrastructure as code and making the deployment non-repeatable and error-prone. Option B is wrong because Fn::GetAtt retrieves an attribute of a resource (e.g., the bucket ARN) but does not create a dependency that ensures the bucket is fully created and the code is uploaded before the Lambda function is created. Option C is wrong because the order of resource definitions in the template does not guarantee creation order; CloudFormation may create resources in parallel or in a different order unless explicit dependencies are defined.

1248
MCQhard

A company is running a critical application on Amazon ECS with Fargate. The application generates custom metrics that are published to CloudWatch using the PutMetricData API. Recently, the metrics have been delayed by up to 5 minutes. The DevOps team needs to reduce the latency. What should the team do?

A.Install the CloudWatch agent on the Fargate tasks to collect metrics.
B.Set the StorageResolution parameter to 1 when calling PutMetricData.
C.Publish the metrics as structured logs to CloudWatch Logs and use metric filters.
D.Increase the frequency of PutMetricData calls to every 5 seconds.
AnswerB

High-resolution metrics are available faster than standard resolution.

Why this answer

Option D is correct because the storage resolution parameter allows metrics to be stored at a higher resolution (1 second) which can be retrieved faster. Option A is wrong because the CloudWatch agent is not needed for custom API calls. Option B is wrong because increasing the PutMetricData frequency may cause throttling.

Option C is wrong because CloudWatch Logs does not replace custom metrics.

1249
Multi-Selectmedium

A DevOps engineer needs to set up a monitoring solution that can detect and alert on unusual patterns in application metrics. Which TWO AWS services can be used together to achieve this? (Choose TWO.)

Select 2 answers
A.Amazon GuardDuty
B.Amazon CloudWatch Alarms
C.Amazon CloudWatch Anomaly Detection
D.AWS CloudTrail
E.AWS Config
AnswersB, C

Alarms can trigger notifications when anomaly detection breaches thresholds.

Why this answer

CloudWatch Anomaly Detection creates a model of expected metric behavior and alerts on anomalies. CloudWatch alarms can then trigger actions. Option A and D are correct.

Option B is incorrect because AWS Config is for configuration compliance. Option C is incorrect because AWS CloudTrail is for API auditing. Option E is incorrect because Amazon GuardDuty is for security threats.

1250
MCQmedium

A company uses AWS CloudFormation to deploy a three-tier web application. The deployment includes an Application Load Balancer (ALB), an Auto Scaling group, and an Amazon RDS database. The operations team reports that updates to the database security group rules are not being applied correctly during stack updates. The CloudFormation template uses AWS::RDS::DBInstance and AWS::EC2::SecurityGroup resources. What is the most likely cause of this issue?

A.The DBInstance resource has a DeletionPolicy attribute set to 'Retain', causing CloudFormation to skip updates to dependent resources.
B.The CloudFormation stack has a stack policy that denies updates to the security group resources.
C.The security group rules are defined inline within the AWS::EC2::SecurityGroup resource, and CloudFormation does not update inline rules after initial creation.
D.The RDS database is in a VPC that requires a VPC endpoint for CloudFormation to update security groups.
AnswerA

When DeletionPolicy is Retain, CloudFormation may not update the DBInstance and its dependencies correctly during updates.

Why this answer

Option A is correct because when a DBInstance resource has a DeletionPolicy set to 'Retain', CloudFormation treats the resource as a 'non-updatable' resource during stack updates. This means CloudFormation will not modify the DBInstance or its dependent resources, such as the security group rules, even if the template changes. The 'Retain' policy prevents CloudFormation from replacing or updating the resource, causing updates to associated security group rules to be silently skipped.

Exam trap

The trap here is that candidates often assume security group rule updates fail due to inline rule limitations or VPC networking issues, but the real cause is the DeletionPolicy on a dependent resource (DBInstance) that blocks the update chain.

How to eliminate wrong answers

Option B is wrong because a stack policy that denies updates to security group resources would cause the entire stack update to fail with an explicit error, not silently skip updates. Option C is wrong because CloudFormation does update inline security group rules defined within the AWS::EC2::SecurityGroup resource when the template changes; the issue is not about inline vs. separate rules but about the DeletionPolicy on the DBInstance. Option D is wrong because VPC endpoints are not required for CloudFormation to update security groups; CloudFormation uses the AWS API directly, and VPC endpoints are only needed if the stack operations are performed from within a private subnet without internet access, which is not indicated here.

1251
MCQmedium

A DevOps engineer needs to enforce encryption in transit for all traffic between a fleet of EC2 instances and an Application Load Balancer (ALB). The ALB is configured with a TLS listener. Which step should the engineer take to ensure end-to-end encryption?

A.Configure the target group to use HTTP protocol
B.Configure the target group to use HTTPS protocol and install a certificate on each EC2 instance
C.Use security group rules to enforce encryption
D.Terminate TLS at the ALB and use HTTP to instances
AnswerB

HTTPS ensures encryption between ALB and instances.

Why this answer

To enforce encryption in transit, the ALB target group should use HTTPS protocol, which requires the instances to present a certificate. Option A is wrong because HTTP does not encrypt traffic. Option B is wrong because the TLS termination should be at the ALB, not re-encrypted.

Option D is wrong because security groups do not enforce encryption.

1252
Multi-Selecteasy

A DevOps engineer wants to monitor the health of an Auto Scaling group and receive notifications when instances are launched or terminated. Which TWO AWS services can be used together to achieve this?

Select 2 answers
A.AWS CloudTrail.
B.AWS Config.
C.Amazon EventBridge.
D.Amazon SNS.
E.AWS Lambda.
AnswersC, D

EventBridge can match Auto Scaling events and publish to SNS.

Why this answer

Option A and Option C are correct. Amazon SNS can send notifications, and CloudWatch Events (now Amazon EventBridge) can capture Auto Scaling lifecycle events and trigger SNS. Option B (CloudTrail) logs API calls but does not directly trigger notifications.

Option D (Lambda) can be used but is not required; SNS alone is sufficient. Option E (Config) records configuration changes but is not the primary choice for real-time notifications.

1253
MCQeasy

A company uses AWS Secrets Manager to store database credentials. The security team wants to automatically rotate secrets every 30 days. The database is an Amazon RDS for PostgreSQL instance. The team has configured automatic rotation with a Lambda function that updates the password in RDS and Secrets Manager. However, after the first rotation, the application starts getting database connection errors. The application uses a connection string with the secret ARN and retrieves the secret from Secrets Manager at startup using the AWS SDK. Which of the following is the most likely cause of the connection errors?

A.The Lambda function is not configured with a sufficient timeout and is being throttled.
B.The application caches the secret at startup and does not refresh it after rotation.
C.The Lambda function does not have permission to update the secret in Secrets Manager.
D.The RDS instance has automatic password rotation enabled, which conflicts with Secrets Manager rotation.
AnswerB

Caching the secret prevents the application from using the new password.

Why this answer

Option B is correct because if the application caches the secret, it will not pick up the new password after rotation, leading to connection errors. Option A is incorrect because RDS automatic password rotation is not a feature; Secrets Manager handles rotation. Option C is incorrect because KMS permissions are needed to decrypt the secret, but if the application could access the secret initially, it likely has permissions.

Option D is incorrect because Lambda function concurrency is unlikely to cause connection errors; it would affect the rotation process itself.

1254
MCQhard

A company runs a web application on EC2 instances behind an Application Load Balancer. They use Amazon CloudFront for content delivery. The DevOps team notices that some requests are returning HTTP 503 errors intermittently. After checking the CloudFront and ALB logs, they find that the errors originate from the ALB. What is the most likely cause?

A.The SSL certificate on the ALB is expired.
B.The security group for the ALB is blocking traffic from CloudFront.
C.CloudFront is configured to forward an HTTP method that the ALB does not support.
D.The ALB is experiencing a surge in traffic and is scaling up, but during the scaling activity, some requests are rejected.
AnswerD

ALB returns 503 when it cannot handle the request load, often during scaling.

Why this answer

Option D is correct because when an Application Load Balancer (ALB) experiences a sudden surge in traffic that exceeds its current capacity, it may temporarily reject requests with HTTP 503 errors while it scales up. During the scaling activity, the ALB's target group might not have enough healthy registered targets to handle the load, causing the ALB to return 503 responses until new instances are provisioned and pass health checks. This matches the intermittent nature of the errors described in the scenario.

Exam trap

The trap here is that candidates often confuse 503 errors with SSL certificate issues or security group misconfigurations, but the intermittent nature of the errors and the fact that they originate from the ALB (not CloudFront) points directly to capacity scaling limitations rather than configuration errors.

How to eliminate wrong answers

Option A is wrong because an expired SSL certificate on the ALB would cause SSL/TLS handshake failures (e.g., ERR_CERT_DATE_INVALID) and result in 502 Bad Gateway errors from CloudFront, not 503 errors from the ALB. Option B is wrong because if the security group for the ALB were blocking traffic from CloudFront, the ALB would not receive the requests at all, and CloudFront would return 502 errors (or connection timeouts) instead of the ALB returning 503 errors. Option C is wrong because CloudFront forwarding an unsupported HTTP method would cause the ALB to return a 405 Method Not Allowed error, not a 503 Service Unavailable error.

1255
MCQmedium

A CloudFormation stack is created with the template above and the parameter Environment set to 'dev'. Later, the stack is deleted. What happens to the S3 bucket?

A.The bucket is retained only if it contains objects.
B.The bucket is retained.
C.The bucket is deleted.
D.The bucket is deleted but the objects are retained.
AnswerC

DeletionPolicy evaluates to Delete.

Why this answer

Option B is correct because the condition 'IsProd' is false when Environment is 'dev', so the DeletionPolicy evaluates to 'Delete', meaning the bucket will be deleted when the stack is deleted. Option A is wrong because the DeletionPolicy is set to Delete. Option C is wrong because the condition is evaluated at stack creation and deletion.

Option D is wrong because the bucket is deleted.

1256
MCQmedium

A Lambda function processes SQS messages but sometimes times out after 15 seconds. The function performs a database call that occasionally takes longer. What is the best way to handle this without losing messages?

A.Decrease the SQS visibility timeout to retry faster.
B.Split the batch into smaller batches using partial batch response.
C.Increase the Lambda timeout and increase the SQS visibility timeout, and add a dead-letter queue.
D.Reduce the Lambda reserved concurrency to limit invocations.
AnswerC

Longer timeout allows processing; DLQ captures failed messages.

Why this answer

Option D is correct because increasing the visibility timeout allows the function more time to process, and using a DLQ ensures that messages that repeatedly fail are captured. Option A is wrong because decreasing visibility timeout would cause messages to reappear sooner. Option B is wrong because reducing reserved concurrency would cause throttling.

Option C is wrong because splitting the batch does not address the timeout.

1257
Multi-Selecteasy

A company is designing a CI/CD pipeline for a serverless application using AWS CodePipeline. Which TWO actions are valid ways to deploy an AWS Lambda function?

Select 2 answers
A.Use AWS CloudFormation to update the Lambda function's stack.
B.Use Amazon S3 to trigger the Lambda function deployment.
C.Use AWS CodeBuild to directly deploy the Lambda function.
D.Use AWS CodeCommit to push the Lambda code.
E.Use AWS CodeDeploy to deploy the Lambda function with traffic shifting.
AnswersA, E

CloudFormation can manage Lambda deployments.

Why this answer

Option A is correct because AWS CloudFormation can manage Lambda function deployments as part of a stack update. By defining the Lambda function resource in a CloudFormation template, CodePipeline can trigger a stack update that creates or updates the function, ensuring infrastructure-as-code best practices and consistent deployments.

Exam trap

The trap here is that candidates often confuse build or source control actions (CodeBuild, CodeCommit) with deployment actions, or mistake event-driven invocations (S3 triggers) for deployment mechanisms, leading them to select options that are valid for other purposes but not for deploying Lambda functions.

1258
MCQeasy

A company runs a web application on EC2 instances behind an ALB. To improve resilience, they want to automatically replace failed instances and maintain a minimum number of instances. Which AWS service should be used?

A.Amazon EC2 Auto Scaling
B.AWS CloudFormation
C.AWS Elastic Beanstalk
D.AWS Systems Manager
AnswerA

Auto Scaling automatically replaces unhealthy instances and maintains a minimum count.

Why this answer

Auto Scaling is designed to automatically replace failed instances and maintain a desired capacity, improving resilience.

1259
MCQmedium

A development team is using AWS CodeCommit as a source repository and AWS CodePipeline to automate their CI/CD pipeline. The pipeline includes a build stage that runs on AWS CodeBuild. The team wants to automatically trigger the pipeline when changes are pushed to the 'develop' branch of the CodeCommit repository. Which configuration change should be made to the pipeline?

A.Enable S3 event notifications on the repository to invoke the pipeline.
B.Add a manual approval action before the build stage.
C.Configure the source action to use CodeCommit as the source provider and specify the 'develop' branch.
D.Create a CodeBuild webhook on the CodeCommit repository.
AnswerC

This sets up a CloudWatch Events rule to start the pipeline on changes to that branch.

Why this answer

Option B is correct because CodePipeline can be configured with a source action that uses the 'Amazon S3' (via CodeCommit webhook) or directly with CodeCommit as the source provider, and a cloudwatch event rule is automatically created to trigger the pipeline on changes to the specified branch. Option A is wrong because manual approval is not needed for automatic triggering. Option C is wrong because CodeBuild can be triggered independently, but the pipeline itself needs a source trigger.

Option D is wrong because S3 events are not used for CodeCommit.

1260
MCQmedium

A company uses AWS CodePipeline with a multi-branch strategy. The pipeline deploys a Lambda function using CloudFormation. The DevOps engineer notices that when a new branch is created, the pipeline executes but the CloudFormation stack fails because the stack name already exists. What is the MOST efficient way to resolve this issue?

A.Modify the pipeline to use a dynamic stack name parameter, such as the branch name.
B.Hardcode a different stack name for each branch in the pipeline.
C.Delete the existing stack before each deployment.
D.Use the CloudFormation 'Override' parameter to reuse the same stack.
AnswerA

This creates unique stacks per branch, avoiding conflicts.

Why this answer

Option B is correct because using a dynamic stack name based on the branch name or a unique identifier ensures each pipeline execution creates a separate stack, avoiding name conflicts. Option A is wrong because deleting the stack before creation may cause downtime. Option C is wrong because CloudFormation does not support stack name overrides; a new name must be used.

Option D is wrong because hardcoding a different stack name per branch is not scalable.

1261
MCQeasy

A developer is using AWS CodeBuild to compile code. The build takes a long time because dependencies are downloaded each time. What can the developer do to reduce build time?

A.Split the build into multiple parallel build actions.
B.Use multiple build environments to distribute the work.
C.Enable caching in the build project to store dependencies in Amazon S3.
D.Use a larger compute type for the build project.
AnswerC

Caching avoids re-downloading dependencies.

Why this answer

Option C is correct because caching dependencies in a S3 bucket allows subsequent builds to reuse them. Option A is wrong because upgrading instance type may not help if the bottleneck is network. Option B is wrong because parallel builds don't reduce single build time.

Option D is wrong because multiple build environments don't reduce time.

1262
MCQeasy

A DevOps engineer is designing a CI/CD pipeline for a microservices application. The team wants to ensure that infrastructure changes are reviewed and approved before deployment. The code is stored in AWS CodeCommit, and the pipeline uses AWS CodePipeline and AWS CloudFormation. What is the BEST way to implement an approval process for infrastructure changes?

A.Use CodeCommit approval rules to require a pull request before any change is merged.
B.Configure IAM policies to require MFA before any CloudFormation stack update.
C.Use CodeBuild to run a script that sends an approval request via Amazon SNS and waits for a response.
D.Add a manual approval step in CodePipeline between the build and deploy stages.
AnswerD

C: Manual approval actions in CodePipeline allow a reviewer to approve or reject before deployment.

Why this answer

Option C is correct because CodePipeline supports manual approval actions that can be inserted between stages. Option A is wrong because CodeCommit approval rules only apply to code merges, not pipeline execution. Option B is wrong because IAM policies cannot create approval gates in the pipeline.

Option D is wrong because CodeBuild does not have native approval capabilities.

1263
MCQhard

The exhibit shows an IAM policy attached to an AWS Lambda execution role. The Lambda function is triggered by an S3 event and writes to the same bucket. However, the function fails with a permission error when trying to write to 'my-bucket'. What is the likely issue?

A.The S3 bucket is in a different region than the Lambda function.
B.The policy is missing the 'lambda:InvokeFunction' permission on the function itself.
C.The Lambda function does not have an S3 trigger configured.
D.The policy grants s3:PutObject only on objects (my-bucket/*), but the action also requires permission on the bucket (my-bucket) for certain operations like s3:PutObject with ACLs.
AnswerD

Some S3 operations require bucket-level permissions; adding a statement for the bucket ARN without /* can resolve.

Why this answer

Option A is correct: the policy is missing s3:PutObject on the bucket itself (not just the objects). Option B is not relevant. Option C is not relevant.

Option D is not relevant.

1264
MCQmedium

A DevOps engineer runs the command shown in the exhibit to view stack events. The stack update failed. What is the most likely cause of the failure?

A.The IAM role for the Lambda function is missing required permissions.
B.The Lambda function specifies a runtime that is not available in the region.
C.The Lambda function code exceeds the maximum size limit.
D.The S3 bucket containing the template is not accessible.
AnswerB

B: The error clearly states 'The runtime parameter 'nodejs18.x' is not supported.'

Why this answer

Option B is correct because the error message indicates that the runtime 'nodejs18.x' is not supported. Option A is wrong because the error is about runtime, not S3 access. Option C is wrong because the error is specific to Lambda runtime, not IAM.

Option D is wrong because the error is about an invalid parameter, not a timeout.

1265
Multi-Selectmedium

A company runs a stateful web application on EC2 instances behind an ALB. The application stores session data in memory. The company wants to make the application stateless to improve resilience. Which TWO changes should the company make?

Select 2 answers
A.Increase the instance memory to store more sessions
B.Disable sticky sessions on the ALB
C.Enable sticky sessions (session affinity) on the ALB
D.Store session data in Amazon ElastiCache for Redis
E.Use an NLB instead of an ALB
AnswersB, D

Without stickiness, any instance can serve any request if state is external.

Why this answer

B and E are correct. Storing session data externally (ElastiCache) makes instances stateless. Enabling sticky sessions is not needed if state is external; however, the question asks for statelessness, so removing stickiness is correct.

Option A is wrong because stickiness contradicts statelessness. Option C is wrong because in-memory storage is the problem. Option D is wrong because it doesn't address session state.

1266
MCQmedium

A company has deployed a containerized application on Amazon ECS with Fargate. The application is fronted by an Application Load Balancer (ALB). The DevOps team is using CloudWatch Container Insights to monitor the ECS cluster. They notice that the 'MemoryUtilized' metric for the service is consistently above 80%, and the 'CPUUtilized' is around 50%. The ALB's 'TargetResponseTime' is increasing over time. The team wants to resolve the performance issue. Which action should the team take?

A.Increase the memory limit for the ECS task definition to allow the container to use more memory.
B.Increase the CPU limit for the ECS task definition to improve performance.
C.Increase the number of ALB targets by adding more availability zones.
D.Increase the desired count of the ECS service to distribute the load across more tasks.
AnswerA

Memory utilization is above 80%, indicating a memory bottleneck.

Why this answer

Option B is correct because the high memory utilization (above 80%) is likely causing performance degradation. Increasing the memory limit for the task definition will allow the container to handle more load. Option A is wrong because CPU is not the bottleneck.

Option C is wrong because scaling the ALB does not address the container's resource limits. Option D is wrong because increasing the desired count without fixing the memory limit may not help if each task is memory-constrained.

1267
MCQmedium

A DevOps engineer deploys the CloudFormation snippet shown in the exhibit. After the stack is deleted, the engineer checks for the S3 bucket. Which statement best describes the outcome?

A.The bucket is deleted because the stack deletion overrides the DeletionPolicy.
B.The bucket is retained (not deleted) after the stack deletion.
C.The stack deletion fails because the bucket has versioning enabled.
D.The bucket is deleted along with the stack because the DeletionPolicy is not supported for S3 buckets.
AnswerB

DeletionPolicy: Retain preserves the bucket.

Why this answer

Option C is correct because the DeletionPolicy: Retain ensures the bucket is not deleted when the stack is deleted. Option A is wrong because the bucket is retained. Option B is wrong because the bucket exists.

Option D is wrong because the stack deletion succeeds, but the bucket remains.

1268
MCQhard

A company's application on Amazon ECS experiences intermittent failures when the task attempts to access an S3 bucket. The task role has the correct S3 permissions. What is the most likely cause?

A.The task is using the wrong IAM role
B.The S3 bucket is in a different region
C.The S3 bucket has public access blocked
D.The S3 bucket policy explicitly denies access from the task's VPC
AnswerD

Bucket policies can override IAM permissions and cause failures.

Why this answer

If the S3 bucket policy denies access from the task's VPC or source, it can cause intermittent failures.

1269
MCQhard

Refer to the exhibit. Why does the build fail?

A.The CodeBuild role does not have permission to create CloudFront invalidations.
B.The S3 bucket policy denies write access to the CodeBuild role.
C.The CodeBuild project is not associated with the correct service role.
D.The CloudFront distribution ID is incorrect.
AnswerA

The error message explicitly states AccessDenied for CreateInvalidation.

Why this answer

The CodeBuild role lacks the cloudfront:CreateInvalidation permission. The error message clearly indicates AccessDenied for that action.

1270
MCQmedium

A DevOps team uses AWS CodePipeline to deploy a web application. Security scanning must be integrated into the pipeline to check for vulnerabilities before deployment to production. Which action should be taken?

A.Add an Amazon Inspector scan action as a test stage in the pipeline
B.Enable AWS GuardDuty in the account
C.Activate AWS Trusted Advisor for security checks
D.Use AWS Config rules to check for vulnerabilities
AnswerA

Amazon Inspector can scan for software vulnerabilities and is integrated with CodePipeline.

Why this answer

Amazon Inspector can be integrated as a test action in CodePipeline to scan for vulnerabilities. GuardDuty is a threat detection service, not a scanning tool for code or containers. Config evaluates resource configurations.

Trusted Advisor provides best practice checks, not vulnerability scanning.

1271
MCQhard

During a deployment, a new application version on an ECS service starts failing health checks. The previous version is still running. The deployment is a rolling update with a 200% percent start. Which ECS feature should the engineer use to automatically revert to the previous version?

A.ECS deployment circuit breaker
B.ECS service auto recovery
C.ECS managed scaling
D.CloudWatch alarm actions
AnswerA

Circuit breaker automatically rolls back on deployment failure.

Why this answer

Option D is correct because a circuit breaker automatically detects deployment failures and rolls back. Option A is wrong because ECS service auto recovery is for underlying infrastructure. Option B is wrong because managed scaling adjusts desired count, not rollback.

Option C is wrong because CloudWatch alarms can trigger rollback but are not automatic within ECS itself.

1272
Multi-Selecthard

Which THREE considerations are important when designing a CI/CD pipeline for a microservices architecture using AWS CodePipeline? (Choose three.)

Select 3 answers
A.All microservices should be deployed using a single pipeline to ensure consistency.
B.Include automated integration tests that validate service-to-service interactions.
C.Use manual approval gates at every stage to ensure quality.
D.Each microservice should have its own pipeline to enable independent deployment.
E.Implement blue/green deployments to reduce downtime and allow quick rollback.
AnswersB, D, E

Automated tests catch issues early in the pipeline.

Why this answer

Options A, C, and E are correct. Independent pipelines, automated testing, and blue/green deployments are key. Option B is wrong because a monolith pipeline contradicts microservices.

Option D is wrong because manual gates slow down deployment.

1273
MCQeasy

A DevOps team receives a CloudWatch alarm that an RDS DB instance's CPU utilization has exceeded 90% for 5 minutes. The application is experiencing latency. What is the best immediate step to mitigate the issue?

A.Analyze slow query logs and optimize queries.
B.Enable Multi-AZ deployment for failover.
C.Modify the RDS instance to a larger instance class.
D.Add a read replica to offload read traffic.
AnswerC

Immediately increases CPU capacity.

Why this answer

Option C is correct because when an RDS instance's CPU utilization exceeds 90% for 5 minutes and the application is experiencing latency, the immediate step is to scale up the instance to a larger class to provide more CPU capacity. This directly addresses the resource bottleneck without requiring time-consuming analysis or architectural changes, making it the fastest mitigation for an ongoing incident.

Exam trap

The trap here is that candidates often confuse reactive scaling (immediate mitigation) with proactive optimization or architectural changes, leading them to choose slow query analysis or read replicas, which are valid but not immediate fixes for a CPU bottleneck.

How to eliminate wrong answers

Option A is wrong because analyzing slow query logs and optimizing queries is a long-term corrective action, not an immediate mitigation step during an active incident where latency is already occurring. Option B is wrong because enabling Multi-AZ deployment provides high availability and automatic failover, but does not increase CPU capacity or resolve performance issues caused by high utilization. Option D is wrong because adding a read replica offloads read traffic but does not reduce CPU utilization on the primary instance, which is the source of the latency.

1274
MCQeasy

A company wants to protect its S3 bucket data from accidental deletion or overwrite. Which feature should be enabled?

A.Enable cross-region replication
B.Apply a bucket policy that denies DeleteObject
C.Enable S3 Versioning
D.Enable MFA Delete
AnswerC

Preserves previous versions.

Why this answer

S3 Versioning keeps all versions, allowing recovery from deletes and overwrites. Option B is wrong because MFA Delete is an additional protection but not the primary. Option C is wrong because bucket policies control access.

Option D is wrong because replication is for cross-region copies.

1275
Multi-Selecthard

Which THREE steps are required to set up a cross-account CodePipeline that deploys to an EC2 instance in a target account? (Choose three.)

Select 3 answers
A.Create an IAM role in the target account with permissions to deploy to EC2.
B.Add a trust policy to the target account role allowing the pipeline account to assume it.
C.Grant the pipeline service role permission to assume the target account role.
D.Configure the pipeline to use the target account's default KMS key for artifacts.
E.Create a CodePipeline in the target account.
AnswersA, B, C

The pipeline will assume this role to deploy.

Why this answer

A: The pipeline needs an IAM role to assume in the target account. C: The target account must trust the pipeline account to allow role assumption. D: The pipeline service role must have permission to assume the target role.

B is not required because the pipeline can be in the source account. E is not required because the pipeline uses the assumed role, not the target account's pipeline.

Page 16

Page 17 of 24

Page 18