AWS Certified DevOps Engineer Professional DOP-C02 (DOP-C02) — Questions 1276–1350

1740 questions total · 24 pages · All types, answers revealed

Page 18 of 24

1276
MCQ · easy

A DevOps team is using AWS CloudFormation to manage infrastructure. They need to ensure that stack updates are reviewed and approved by a senior engineer before being executed. Which feature should they implement?

A. Stack policies
B. Drift detection
C. Change sets
D. Stack sets
Answer: C

Change sets allow you to review the proposed changes before executing a stack update.

Why this answer

Change sets allow you to preview proposed changes before applying them. Option C is correct. Option A is incorrect because stack policies protect stack resources during updates but do not provide a review mechanism.

Option B is incorrect because drift detection detects changes made outside of CloudFormation. Option D is incorrect because stack sets deploy stacks across accounts/regions.

1277
Multi-Select · medium

A company uses AWS Systems Manager to manage patching of EC2 instances. They want to ensure that instances in a specific Auto Scaling group are patched before being allowed to serve traffic. Which THREE steps should be part of the solution?

Select 3 answers
A. Create a new launch configuration with the patched AMI.
B. Update the Auto Scaling group to use the new launch configuration.
C. Deploy the patched version using AWS CodeDeploy.
D. Configure Amazon CloudWatch Events to trigger a Lambda function after patching.
E. Use an AWS Systems Manager Maintenance Window to apply patches to instances.
Answers: A, B, E

After patching, create a new AMI and launch configuration.

Why this answer

Options A, B, and E are correct. Option E applies the patches within a Maintenance Window, ensuring instances are patched before use. Option A creates a new launch configuration from the patched AMI.

Option B updates the Auto Scaling group to use the new launch configuration, so new instances are created already patched. Option C (CodeDeploy) is not needed for patching. Option D (CloudWatch Events) is optional and not required.

1278
MCQ · easy

A gaming company uses AWS Elastic Beanstalk to deploy a web application. The operations team needs to update environment configuration variables (e.g., database URL) without causing downtime. They want to change the value of an environment property. What is the CORRECT way to apply this change?

A. Update the environment properties in the Elastic Beanstalk console; the platform will perform a rolling update.
B. Terminate the environment and create a new one with the updated configuration.
C. Use an immutable update by deploying a new version with the changes.
D. Use AWS Lambda to directly modify the environment configuration without redeploying.
Answer: A

Elastic Beanstalk applies configuration changes via rolling updates without downtime.

Why this answer

Elastic Beanstalk supports rolling updates for environment configuration changes (A). Updating the environment properties via the console or CLI triggers a rolling update. Option B (terminate) causes downtime; C (immutable update) also replaces instances; D (Lambda) is not relevant.

1279
MCQ · easy

A DevOps team is configuring CloudWatch alarms for their production environment. They want to receive notifications when the CPUUtilization metric of an EC2 instance exceeds 90% for three consecutive 5-minute periods. Which combination of settings should they use?

A. Period: 5 minutes; Evaluation periods: 3; Datapoints to alarm: 3
B. Period: 5 minutes; Evaluation periods: 3; Datapoints to alarm: 1
C. Period: 5 minutes; Evaluation periods: 1; Datapoints to alarm: 3
D. Period: 5 minutes; Evaluation periods: 5; Datapoints to alarm: 3
Answer: A

This configuration ensures three consecutive 5-minute periods exceed the threshold.

Why this answer

Option A is correct because the evaluation period must be set to 3, and the datapoints to alarm must be 3 to require three consecutive periods. Option B is wrong because datapoints to alarm set to 1 would trigger on any single high reading. Option C is wrong because evaluation period 1 with datapoints 3 is impossible.

Option D is wrong because evaluation period 5 with datapoints 3 would require 3 out of 5, not necessarily consecutive.

1280
MCQ · medium

A company uses AWS CodeDeploy for blue/green deployments to an Auto Scaling group. The deployment fails because the new instances do not pass health checks. The DevOps engineer discovers that the health check URL returns a 503 error. What is the MOST likely cause?

A. The target group health check path is '/health' but the application does not serve that endpoint
B. The CodeDeploy agent on the new instances is not running
C. The security group for the ALB does not allow inbound traffic on port 80
D. The Auto Scaling group health check type is set to EC2 instead of ELB
Answer: A

A 503 indicates the application is running but not handling the request correctly.

Why this answer

The health check URL returning a 503 error indicates that the application is not responding to the health check endpoint. Since the target group health check path is configured as '/health' but the application does not serve that endpoint, the ALB considers the instances unhealthy, causing CodeDeploy to fail the deployment. This is the most direct cause because the health check is failing at the application layer, not due to infrastructure issues.

Exam trap

The trap here is that candidates may confuse a 503 error with a network-level failure (like a security group blocking traffic) rather than recognizing it as an application-layer response indicating the health check endpoint is missing or misconfigured.

How to eliminate wrong answers

Option B is wrong because if the CodeDeploy agent were not running, the deployment would likely fail earlier (e.g., during the Install event) or the agent would not report success, but the health check failure (503) specifically indicates the application is running but not responding correctly. Option C is wrong because if the security group for the ALB did not allow inbound traffic on port 80, the health check would likely time out or return a connection refused error, not a 503 (Service Unavailable) which is an HTTP response from the application. Option D is wrong because the Auto Scaling group health check type (EC2 vs ELB) affects how ASG replaces unhealthy instances, but it does not directly cause the health check URL to return a 503; the 503 error is a symptom of the application not serving the correct endpoint.

1281
MCQ · medium

A company uses AWS Key Management Service (KMS) to encrypt data at rest in Amazon S3. The security team wants to ensure that only users with a specific attribute in their SAML assertion can decrypt the data. Which KMS key policy should be used?

A. Create an S3 bucket policy that denies kms:Decrypt unless the request includes a specific tag.
B. Modify the KMS key policy to include a condition that allows kms:Decrypt only if the SAML assertion contains the specific attribute.
C. Attach a resource-based policy to the S3 bucket that allows decryption only for users with the specific attribute.
D. Use an IAM policy that grants kms:Decrypt only if the user has the specific attribute.
Answer: B

KMS key policies can use conditions based on SAML attributes to control decryption.

Why this answer

Option B is correct because KMS key policies can use the `kms:ViaService` or `kms:CallerPrincipal` conditions, but more importantly, they can reference SAML-based attributes using the `aws:PrincipalTag` or `saml:sub` conditions. By adding a condition in the KMS key policy that checks for a specific SAML assertion attribute (e.g., `saml:sub` or a custom SAML attribute mapped to an IAM role session tag), only users whose SAML assertion includes that attribute will be allowed to call `kms:Decrypt`. This directly enforces the security team's requirement at the key level, independent of S3 bucket policies or IAM policies.

Exam trap

The trap here is that candidates often confuse S3 bucket policies with KMS key policies, thinking they can control KMS decryption via S3 policies, when in reality KMS key policies are the only way to enforce conditions on the `kms:Decrypt` action at the key level.

How to eliminate wrong answers

Option A is wrong because S3 bucket policies cannot deny `kms:Decrypt`; KMS API calls are governed by KMS key policies and IAM policies, not S3 resource policies. Option C is wrong because S3 bucket policies control access to S3 operations (e.g., `s3:GetObject`), not KMS decryption permissions; they cannot enforce conditions on the KMS `Decrypt` action itself. Option D is wrong because IAM policies alone cannot enforce conditions based on SAML assertion attributes unless those attributes are first mapped to IAM session tags or roles; the requirement is to control decryption at the KMS key level, and a KMS key policy with a SAML condition is the direct and correct mechanism.

1282
Multi-Select · hard

Which THREE actions should a DevOps engineer take to ensure that AWS CloudFormation stacks are securely managed? (Choose three.)

Select 3 answers
A. Set a DeletionPolicy on the stack to retain resources when the stack is deleted.
B. Use a service role with least privilege when creating the stack.
C. Use IAM policies to restrict CloudFormation actions to specific users and roles.
D. Define a StackSetPolicy to control permissions across accounts.
E. Apply a stack policy to prevent updates to sensitive resources during stack updates.
Answers: B, C, E

Service roles allow CloudFormation to perform actions on behalf of the user.

Why this answer

Option C is correct because IAM policies can restrict who can create/modify stacks. Option E is correct because stack policies protect critical resources during updates. Option B is correct because using a least-privilege service role follows the principle of least privilege.

Option D is wrong because there is no 'StackSetPolicy' property. Option A is wrong because deletion policies apply to individual resources, not the whole stack.

1283
MCQ · medium

A company uses AWS WAF to protect a web application behind an Application Load Balancer. The security team notices an increase in false positives blocking legitimate traffic. Which action should be taken to reduce false positives while maintaining security?

A. Remove the rate-based rule that is causing false positives.
B. Replace AWS WAF with AWS Shield Advanced.
C. Adjust the rate-based rule threshold to a higher value.
D. Change the rule action from 'Block' to 'Count'.
Answer: C

A higher threshold reduces false positives while still blocking abuse.

Why this answer

Option C is correct because adjusting the rate-based rule threshold to a higher value will allow more legitimate traffic while still blocking excessive requests. Option A: Removing the rule would weaken security. Option B: Swapping to AWS Shield Advanced does not fine-tune rules.

Option D: Count mode logs but does not block, so it does not maintain security.

1284
MCQ · medium

A company runs a critical web application on EC2 instances behind an Application Load Balancer (ALB) with Auto Scaling. Users report intermittent 503 errors. CloudWatch metrics show that the ALB's 'RequestCount' is normal, but 'HTTPCode_ELB_5XX_Count' spikes. The 'TargetResponseTime' metric shows occasional high latency. Which troubleshooting step should the DevOps engineer take FIRST?

A. Enable and analyze the ALB access logs stored in S3, filtering for 503 errors and correlating with target response times.
B. Increase the desired capacity of the Auto Scaling group to handle more requests.
C. Disable connection draining on the target group to prevent slow-draining instances from causing errors.
D. Review AWS CloudTrail logs for any recent configuration changes to the ALB.
Answer: A

Access logs provide detailed per-request data including timestamp, target status, and response time, enabling correlation of errors with slow targets.

Why this answer

Option A is correct because checking the ALB's access logs for 503 errors with their timestamps can reveal whether the errors coincide with high-latency targets. Option B is wrong because increasing capacity does not address the root cause. Option D is wrong because CloudTrail logs API calls, not HTTP errors.

Option C is wrong because disabling connection draining could worsen the issue.

1285
MCQ · hard

A key policy for a KMS customer managed key includes the above statement. An IAM role 'AdminRole' in account 123456789012 is allowed to decrypt. However, when the role attempts to decrypt data, it receives an access denied error. What is the MOST likely cause?

A. The action should be 'kms:Decrypt*'.
B. The resource should be the key ARN, not '*'.
C. The condition 'kms:GrantIsForAWSResource' is preventing direct API calls.
D. The principal ARN is incorrect.
Answer: C

This condition only allows decryption when the request comes from an AWS service, not from the IAM role directly.

Why this answer

The condition 'kms:GrantIsForAWSResource' restricts the permission to requests that come from AWS services that integrate with KMS, not from direct API calls by the role. Option C is correct. Option D is wrong because the principal is correctly specified.

Option A is wrong because the action is correct. Option B is wrong because the wildcard resource is fine for KMS key policies.

1286
Multi-Select · medium

A company uses Amazon CloudWatch Synthetics canaries to monitor its web application endpoints. The canaries are failing intermittently with 'ClientError' status codes. Which TWO actions should the engineer take to diagnose the issue? (Choose two.)

Select 2 answers
A. Modify the canary script to add more logging.
B. Review the canary's CloudWatch Logs for error details.
C. Inspect the Lambda function logs associated with the canary.
D. Examine CloudWatch metrics for the canary.
E. Check CloudTrail for CanaryRun API calls.
Answers: B, C

Canary logs contain detailed output of each step.

Why this answer

Option B is correct because canary logs are stored in CloudWatch Logs and can be analyzed. Option C is correct because canaries run on Lambda, and Lambda execution logs may contain additional error details. Option E is wrong because CloudTrail does not log canary execution details.

Option D is wrong because CloudWatch metrics do not provide detailed error information. Option A is wrong because the canary code is not accessible for modification.

1287
Matching · medium

Match each AWS CloudFormation concept to its description.

Descriptions:

Collection of AWS resources managed as a single unit

JSON or YAML document describing AWS resources

Preview of changes before applying to a stack

Enables stack creation across multiple accounts and regions

Identifies differences between stack and actual resource configurations

Why these pairings

These are key CloudFormation constructs and operations.

1288
MCQ · hard

Match each AWS service or feature to its correct description in the context of SDLC automation. Drag and drop the items on the left to the matching descriptions on the right.

A. AWS CodeCommit
B. AWS CodeBuild
C. AWS CodeDeploy
D. AWS CodePipeline
E. AWS CloudFormation
F. Amazon EventBridge

Why this answer

AWS CodeCommit is a managed source control service. AWS CodeBuild is a fully managed build service. AWS CodeDeploy automates code deployments.

AWS CodePipeline orchestrates the CI/CD workflow. AWS CloudFormation is used for infrastructure as code. Amazon EventBridge (CloudWatch Events) can trigger pipelines based on events.

Exam trap

Candidates may confuse CodePipeline with CodeDeploy, or CodeBuild with CodeDeploy. Understanding the distinct roles is key.

1289
MCQ · easy

A company uses Amazon Route 53 to route traffic to an Application Load Balancer. They want to improve availability by routing traffic to multiple ALBs in different AWS Regions. Which routing policy should they use?

A. Latency-based routing policy
B. Weighted routing policy
C. Geolocation routing policy
D. Simple routing policy
Answer: A

Routes to lowest latency region, and supports health checks.

Why this answer

Latency-based routing policy is correct because it directs traffic to the AWS Region that provides the lowest latency for the end user, improving availability and performance by distributing requests across multiple Application Load Balancers in different regions. This policy uses latency measurements between the user and each region to select the optimal endpoint, ensuring that if one region becomes unavailable, traffic is automatically routed to the next lowest-latency region.

Exam trap

The trap here is that candidates often confuse latency-based routing with geolocation routing, mistakenly thinking that geographic proximity equals low latency, but latency-based routing uses actual network measurements rather than fixed geographic boundaries.

How to eliminate wrong answers

Option B (Weighted routing policy) is wrong because it distributes traffic based on assigned weights (e.g., 80% to one region, 20% to another) and does not consider real-time latency or availability; it is designed for load balancing or testing, not for optimizing user-perceived performance across regions. Option C (Geolocation routing policy) is wrong because it routes traffic based on the geographic location of the user (e.g., country or continent), not on actual network latency or regional health; it can cause traffic to be sent to a distant region if the user's location is mapped there, even if that region is degraded. Option D (Simple routing policy) is wrong because it only supports a single record with multiple values (e.g., multiple IPs) and returns all values in a random order without any health checking or latency awareness, making it unsuitable for active-active multi-region failover.

1290
Multi-Select · easy

A DevOps engineer is tasked with auditing all AWS API calls made in the account for compliance purposes. The engineer needs to ensure that the audit logs are tamper-proof and stored cost-effectively. Which TWO services should the engineer use?

Select 2 answers
A. AWS Config
B. AWS CloudTrail
C. Amazon S3 with Object Lock enabled
D. Amazon CloudWatch Logs
E. AWS KMS
Answers: B, C

CloudTrail records API calls.

Why this answer

Option B is correct because CloudTrail logs API calls and can be configured to deliver to S3. Option C is correct because S3 with Object Lock prevents log tampering. Option D is wrong because CloudWatch Logs is for application logs, not API calls.

Option A is wrong because Config records resource changes, not API calls. Option E is wrong because KMS encrypts but does not provide tamper-proof storage; Object Lock does.

1291
Multi-Select · hard

A company is designing a secure CI/CD pipeline using AWS CodePipeline, CodeBuild, and CodeDeploy. The pipeline must deploy to an EC2 Auto Scaling group across multiple AWS accounts. The security requirements include: (1) no hardcoded credentials, (2) least privilege for cross-account access, (3) encrypted artifacts. Which THREE steps should the DevOps engineer implement? (Choose THREE.)

Select 3 answers
A. Use a customer-managed KMS key with a cross-account key policy to encrypt artifacts.
B. Store database credentials in AWS Secrets Manager and retrieve them in CodeBuild using the secrets manager action.
C. Store database credentials in AWS Systems Manager Parameter Store and retrieve them in CodeBuild.
D. Use AWS CodeCommit as the source repository with pull request approval rules.
E. Configure CodePipeline to assume an IAM role in the target account using a trust policy.
Answers: A, B, E

KMS cross-account key policies allow encryption across accounts.

Why this answer

Option E uses cross-account roles (correct). Option A uses a KMS cross-account key (correct). Option B integrates CodeBuild with Secrets Manager (correct).

Option C (SSM Parameter Store) is possible, but Secrets Manager is more appropriate for credentials. Option D (CodeCommit) is not required.

1292
Multi-Select · hard

A company uses DynamoDB global tables for a multi-region application. They notice that write conflicts are occurring. Which TWO strategies can reduce write conflicts?

Select 2 answers
A. Reduce read capacity units to limit concurrent reads
B. Enable DynamoDB Streams with last writer wins
C. Use conditional writes in the application code
D. Increase write capacity units on the table
E. Implement application-level conflict resolution
Answers: C, E

A conditional write prevents overwriting if the condition fails.

Why this answer

Using conditional writes ensures no overwrites unless the condition is met, reducing conflicts. Application-level conflict resolution can handle conflicts when they occur. Option D is wrong because increasing WCU does not reduce conflicts.

Option B is wrong because last writer wins is the default and may cause data loss. Option A is wrong because reducing read capacity is irrelevant.

1293
MCQ · medium

A DevOps team is designing a CI/CD pipeline for a microservices application. Each microservice has its own CodeCommit repository and must be built and deployed independently. The team wants to minimize manual configuration and ensure that adding a new microservice automatically creates the corresponding pipeline stages. Which approach should the team use?

A. Create a separate AWS CodePipeline for each microservice manually using the AWS Management Console.
B. Use the AWS Cloud Development Kit (CDK) to define a pipeline that dynamically discovers repositories.
C. Use a single AWS CodePipeline with multiple stages, each triggered by a different branch of the same repository.
D. Define a CloudFormation template that creates a pipeline for a given repository and invoke it automatically when a new repository is created using EventBridge and Lambda.
Answer: D

This approach automates pipeline creation via event-driven infrastructure as code.

Why this answer

Option D is correct because AWS CloudFormation can define the pipeline infrastructure as code, and using nested stacks or a template that parameterizes the repository name allows for easy replication. Option C is wrong because manually updating a single pipeline is error-prone and not scalable. Option A is wrong because creating separate pipelines manually defeats automation.

Option B is wrong because the AWS CDK can define infrastructure but requires separate stacks per service unless using loops or constructs.

1294
MCQ · hard

A company runs a microservices architecture on Amazon ECS with Fargate. The operations team wants to collect custom application metrics (e.g., request latency per service) and visualize them in CloudWatch dashboards. The team also needs to set CloudWatch alarms based on these metrics. Which solution requires the LEAST amount of code changes and operational overhead?

A. Use the CloudWatch Embedded Metric Format to emit custom metrics as JSON log entries.
B. Deploy a StatsD daemon as a sidecar container and configure the application to send metrics to StatsD, then forward to CloudWatch.
C. Modify the application code to use the AWS SDK to call PutMetricData API directly.
D. Install the CloudWatch Agent on each Fargate task as a sidecar container to collect custom metrics.
Answer: A

EMF allows emitting metrics via logs with minimal code changes.

Why this answer

Option A is correct because the CloudWatch Embedded Metric Format allows applications to emit metrics as structured JSON logs, which CloudWatch automatically extracts into metrics and logs. This requires minimal code changes (just the log format). Option C is wrong because publishing to CloudWatch via PutMetricData requires the AWS SDK and more code changes.

Option D is wrong because the CloudWatch Agent on Fargate is not supported (requires EC2). Option B is wrong because using a sidecar container for StatsD adds complexity and overhead.

1295
MCQ · hard

Refer to the exhibit. An IAM policy is attached to a user. The user requests an object from the 'example-bucket' bucket, specifically from the 'confidential' folder, over HTTP (not HTTPS). The source IP is within the 10.0.0.0/24 range. What will be the result of this request?

A. Denied, because the user does not have s3:GetObject permission on the confidential folder.
B. Allowed, because the Deny statement only applies to HTTPS.
C. Allowed, because the source IP is within the allowed range.
D. Denied, because the request uses HTTP and the Deny statement blocks it.
Answer: D

The Deny applies when SecureTransport is false (HTTP).

Why this answer

The Deny statement with SecureTransport false applies to all s3 actions on the confidential folder. Even though the source IP is allowed, the Deny for HTTP access will override the Allow. The request will be denied.

1296
MCQ · hard

A company runs a critical application on Amazon ECS with Fargate. The application is deployed across multiple Availability Zones and uses an Application Load Balancer (ALB) as the front-end. During a recent incident, users experienced intermittent connectivity failures. The DevOps team suspects that tasks are being stopped due to resource exhaustion. Which combination of metrics and actions should the team use to diagnose and prevent recurrence?

A. Monitor CPU and memory utilization metrics in CloudWatch; increase the task size (CPU and memory) in the task definition.
B. Set up CloudWatch Logs for the application and check for out-of-memory errors; then increase the number of tasks.
C. Monitor NetworkPacketsIn and NetworkPacketsOut metrics in CloudWatch; increase the number of tasks.
D. Monitor the ALB error metrics (5xx count) and scale the ECS service based on request count.
Answer: A

A is correct because high CPU/memory utilization can cause tasks to be stopped; increasing task size provides more resources per task.

Why this answer

Option A is correct because CPU and memory utilization metrics in CloudWatch directly indicate resource exhaustion, which is the suspected cause of tasks being stopped. Increasing the task size (CPU and memory) in the task definition provides more resources per task, preventing the OOM killer or CPU throttling from stopping tasks, without changing the number of tasks or scaling logic.

Exam trap

The trap here is that candidates confuse horizontal scaling (increasing task count) with vertical scaling (increasing task size), assuming that adding more tasks resolves resource exhaustion when the actual issue is insufficient resources per task.

How to eliminate wrong answers

Option B is wrong because while CloudWatch Logs can show out-of-memory errors, increasing the number of tasks does not address resource exhaustion per task—it only distributes load across more tasks, which may still fail if each task is under-provisioned. Option C is wrong because NetworkPacketsIn and NetworkPacketsOut measure network throughput, not CPU or memory exhaustion; high network metrics do not cause tasks to be stopped due to resource exhaustion. Option D is wrong because ALB 5xx errors and request count scaling address load balancing and traffic spikes, not the root cause of tasks being stopped due to insufficient CPU or memory per task.

1297
MCQ · medium

A company uses AWS CodeBuild to build and test code. The build process requires access to a private PyPI repository hosted on an internal network. The CodeBuild project is configured with a VPC. However, the build fails with a timeout error when trying to connect to the PyPI repository. The security group for the CodeBuild project allows outbound HTTPS to 0.0.0.0/0. What is the most likely cause?

A. CodeBuild does not support VPC connectivity.
B. The VPC subnet has a NAT gateway that routes traffic to the internet instead of the internal network.
C. The security group for the PyPI repository does not allow inbound traffic from the CodeBuild security group.
D. The VPC subnet does not have a route to the internal network.
Answer: C

The repository's security group must have an inbound rule allowing HTTPS traffic from the security group associated with the CodeBuild project's ENI.

Why this answer

The private PyPI repository is in the internal network, which is likely accessible via a VPC. However, if the repository's security group does not allow inbound traffic from the CodeBuild security group, the connection will be blocked. The CodeBuild project's outbound rules are correct, but the repository side needs to allow inbound traffic.

Option D is wrong because the subnet must have a route to the internal network, which is usually via VPC peering or a VPN. Option B is wrong because if the subnet has a NAT gateway, the traffic would go to the internet, not to the internal network. Option A is wrong because CodeBuild does support VPC connectivity (the project is already configured with a VPC); a VPC endpoint is for AWS services, not for on-premises resources.

1298
MCQ · easy

A security engineer reviews the CloudTrail log entry above and notices that a security group was modified to allow SSH access from anywhere. The engineer wants to ensure that such changes are automatically detected and remediated in the future. What should the engineer do?

A. Configure CloudTrail to send logs to CloudWatch Logs and create a metric filter that alerts on AuthorizeSecurityGroupIngress events with 0.0.0.0/0.
B. Create an IAM policy that denies the ec2:AuthorizeSecurityGroupIngress action if the source IP is 0.0.0.0/0.
C. Create an AWS Config rule that checks security group rules and triggers an AWS Systems Manager Automation document to revoke the ingress rule.
D. Enable Amazon GuardDuty to detect and block such changes in real time.
Answer: C

Config can evaluate and remediate security group rules.

Why this answer

Option C is correct because AWS Config can continuously evaluate security group rules against a custom or managed rule (e.g., restricted-ssh) and, upon detecting a noncompliant rule allowing 0.0.0.0/0 on port 22, trigger an AWS Systems Manager Automation document that automatically revokes the offending ingress rule. This provides both detection and remediation without manual intervention, meeting the requirement for automated detection and remediation.

Exam trap

The trap here is that candidates often confuse detection-only services (like CloudWatch alarms or GuardDuty) with services that can also perform automated remediation (like AWS Config with Systems Manager Automation), leading them to choose options that only alert but do not fix the issue.

How to eliminate wrong answers

Option A is wrong because while CloudTrail logs to CloudWatch Logs with a metric filter can alert on AuthorizeSecurityGroupIngress events with 0.0.0.0/0, this only provides notification (detection) but does not automatically remediate the change. Option B is wrong because an IAM policy that denies ec2:AuthorizeSecurityGroupIngress based on source IP 0.0.0.0/0 is not possible—IAM policies cannot inspect the contents of the API request parameters like the CIDR block; they operate on the action and resource ARN, not on the specific values of the request. Option D is wrong because Amazon GuardDuty is a threat detection service that analyzes VPC Flow Logs, DNS logs, and CloudTrail events for malicious activity, but it cannot block or remediate security group changes in real time; it only generates findings.

1299
MCQ · hard

A DevOps engineer manages infrastructure using Terraform. The team needs to store secrets such as database passwords in a secure manner and reference them in Terraform configurations. They have configured AWS Secrets Manager. What is the recommended approach to reference secrets in Terraform without exposing them in state files?

A. Store the secret ARN in a Terraform variable and use 'var.secret_arn' in the resource.
B. Store the secret in AWS Systems Manager Parameter Store and reference it using 'data.aws_ssm_parameter'.
C. Pass the secret as an environment variable to Terraform and reference it with 'var.secret_value'.
D. Use the 'data.aws_secretsmanager_secret_version' data source and mark the attribute as 'sensitive = true' in the output.
Answer: D

The data source retrieves the secret, and marking outputs as sensitive prevents them from being shown in logs or state.

Why this answer

Option D is correct because using the `data.aws_secretsmanager_secret_version` data source retrieves the secret value at plan time without storing it in the Terraform state file. Marking the attribute as `sensitive = true` in the output prevents the value from being displayed in the CLI output, but the key protection is that the secret value itself is never written to the state file when using this data source — Terraform only stores the data source's ID and metadata, not the actual secret payload.

Exam trap

The trap here is that candidates assume marking an output as `sensitive = true` makes the secret safe. The flag controls what the CLI prints; it does not change what is persisted. Anyone who can read the state (the S3 bucket, the Terraform Cloud workspace, a CI artifact) can read the secret, so access to state must be treated as access to the secret.

How to eliminate wrong answers

Option A is wrong because a variable holding the ARN does not by itself retrieve the value; something still has to fetch it, and if that something is a Terraform data source the value lands in state. Option B is wrong because the question specifies Secrets Manager, and `data.aws_ssm_parameter` with a SecureString parameter has the same property as option D: its `value` attribute is stored in state. Option C is wrong because a secret passed through `TF_VAR_secret_value` becomes a variable, and every resource argument that uses it is written to state; marking the variable `sensitive = true` again only affects display, and the value is additionally exposed to the CI process environment and to anything that can read a saved plan file.
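A check a practitioner should run after adopting this pattern, as an added example that is not part of the original page: scan the state for the secret value itself and for the attributes Terraform has flagged as sensitive. The state excerpt is constructed to match the version-4 format, with made-up ARNs and a made-up password; what it demonstrates is that the flagged attribute and the plaintext value are the same entry, while a consumer that only holds the ARN (the ECS task definition) has nothing to leak.

```python
import json

# Constructed Terraform state excerpt in the version-4 JSON format, standing in for a
# real terraform.tfstate; the ARNs, IDs and the password are made up. The data source
# result is recorded the way Terraform records it: secret_string is flagged in
# sensitive_attributes, but its value is present in plaintext.
SAMPLE_TFSTATE = json.dumps({
    "version": 4,
    "terraform_version": "1.6.0",
    "resources": [
        {
            "mode": "data",
            "type": "aws_secretsmanager_secret_version",
            "name": "db",
            "instances": [{
                "attributes": {
                    "arn": "arn:aws:secretsmanager:us-east-1:111122223333:secret:prod/db-AbCdEf",
                    "secret_string": "{\"username\":\"app\",\"password\":\"hunter2-example\"}",
                    "version_id": "11111111-2222-3333-4444-555555555555",
                },
                "sensitive_attributes": [[{"type": "get_attr", "value": "secret_string"}]],
            }],
        },
        {
            "mode": "managed",
            "type": "aws_ecs_task_definition",
            "name": "app",
            "instances": [{
                "attributes": {
                    "arn": "arn:aws:ecs:us-east-1:111122223333:task-definition/app:7",
                    # The container resolves the secret at start-up; only the ARN is in state.
                    "container_definitions": json.dumps([{
                        "name": "web",
                        "secrets": [{
                            "name": "DB_PASSWORD",
                            "valueFrom": "arn:aws:secretsmanager:us-east-1:111122223333:secret:prod/db-AbCdEf:password::",
                        }],
                    }]),
                },
                "sensitive_attributes": [],
            }],
        },
    ],
})


def _address(resource):
    """Terraform resource address, e.g. data.aws_secretsmanager_secret_version.db."""
    parts = []
    if resource.get("module"):
        parts.append(resource["module"])
    if resource["mode"] == "data":
        parts.append("data")
    parts.append(f'{resource["type"]}.{resource["name"]}')
    return ".".join(parts)


def _walk(value, path, needles, hits):
    """Recursively look for any needle inside string attributes, recording the path."""
    if isinstance(value, dict):
        for key, child in value.items():
            _walk(child, path + [key], needles, hits)
    elif isinstance(value, list):
        for index, child in enumerate(value):
            _walk(child, path + [str(index)], needles, hits)
    elif isinstance(value, str) and any(needle in value for needle in needles):
        hits.append(".".join(path))


def find_plaintext_secrets(state_text, known_secrets):
    """Map each resource address to the attribute paths whose value contains a known secret."""
    found = {}
    for resource in json.loads(state_text)["resources"]:
        for instance in resource.get("instances", []):
            hits = []
            _walk(instance.get("attributes", {}), [], known_secrets, hits)
            if hits:
                found.setdefault(_address(resource), []).extend(hits)
    return found


def sensitive_flagged(state_text):
    """Set of (address, attribute path) that Terraform marked sensitive in state."""
    flagged = set()
    for resource in json.loads(state_text)["resources"]:
        address = _address(resource)
        for instance in resource.get("instances", []):
            for path in instance.get("sensitive_attributes", []):
                steps = []
                for step in path:
                    value = step["value"]
                    steps.append(str(value["value"]) if step["type"] == "index" else str(value))
                flagged.add((address, ".".join(steps)))
    return flagged


if __name__ == "__main__":
    for address, paths in find_plaintext_secrets(SAMPLE_TFSTATE, ["hunter2-example"]).items():
        print(f"{address}: plaintext secret in {', '.join(paths)}")
    print("flagged sensitive:", sorted(sensitive_flagged(SAMPLE_TFSTATE)))
```

Run it against the output of `terraform state pull` with the values you expect to be absent; any hit is a reason to move the reference to the consumer (`valueFrom`, `manage_master_user_password`) or to tighten who can read the backend.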

1300
MCQmedium

A company uses AWS Systems Manager to patch EC2 instances. After a patch window, several instances are unreachable. The engineer checks the SSM Agent logs and finds no errors. What should the engineer do next to diagnose the issue?

A.Restart the SSM Agent on the affected instances.
B.Verify that the patch baseline is associated with the instances.
C.Review the IAM role attached to the instances for sufficient permissions.
D.Check if the instances have outbound internet connectivity to the SSM endpoints.
AnswerD

The SSM Agent needs outbound HTTPS (TCP 443) to the ssm, ssmmessages and ec2messages endpoints, through a NAT gateway, an internet gateway or VPC interface endpoints; without that path the instance silently drops out of Systems Manager.

Why this answer

Option D is correct because an instance that cannot reach the Systems Manager endpoints stops reporting and cannot receive commands, yet the agent itself logs no fault; a patch that changed a proxy setting, a security group or route table change, or a reboot into a subnet without a NAT path produces exactly this symptom. Check the subnet's route table, the security group and network ACL egress rules, and whether the ssm, ssmmessages and ec2messages VPC endpoints exist and allow the instance's security group. If the instance is unreachable by every path, also read the EC2 system log or serial console, since a kernel patch that fails to boot looks the same from Systems Manager.

Option A is wrong because the logs show the agent running cleanly, so a restart is guesswork rather than diagnosis. Option B is wrong because the patch baseline determines which patches are approved, not whether the instance can communicate. Option C is wrong because missing IAM permissions produce AccessDenied errors in the agent log, and the log shows none.

1301
MCQmedium

A company uses AWS CodePipeline to deploy a web application. The deployment includes an EC2 instance running behind an Application Load Balancer. The security team requires that all data in transit to the application be encrypted. Which configuration best meets this requirement without breaking the deployment?

A.Configure CodePipeline to use an encrypted artifact bucket.
B.Enable AWS WAF on the ALB to enforce HTTPS.
C.Create an HTTPS listener on the ALB with a certificate from AWS Certificate Manager and redirect HTTP to HTTPS.
D.Place a CloudFront distribution in front of the ALB and configure it to require HTTPS.
AnswerC

An HTTPS listener with an ACM certificate encrypts client traffic to the ALB; redirecting HTTP to HTTPS ensures no plaintext path remains.

Why this answer

Option C is correct because the Application Load Balancer terminates TLS using a certificate issued or imported through AWS Certificate Manager, and an HTTP listener with a redirect action sends any plaintext request to the HTTPS listener. If the requirement is read strictly as all data in transit to the application, also set the target group protocol to HTTPS so the hop from the ALB to the instance is encrypted; the ALB does not validate the target's certificate, so a self-signed certificate on the instance is sufficient for that hop. Option A is wrong because artifact bucket encryption protects the pipeline's build artifacts at rest in S3, not traffic to the application. Option B is wrong because AWS WAF inspects and filters requests; it cannot encrypt them or create a TLS listener.

Option D is wrong because CloudFront can require HTTPS from viewers, but it adds a component the deployment does not need, and unless the origin protocol policy is also HTTPS the CloudFront-to-ALB hop stays in plaintext.

1302
Multi-Selectmedium

A company uses Amazon CloudWatch Logs to store application logs. The DevOps team wants to search across multiple log groups for a specific error pattern. Which TWO options can be used to achieve this? (Choose TWO.)

Select 2 answers
A.Use CloudWatch Logs Insights to run queries across multiple log groups.
B.Export the logs to Amazon S3 and use Amazon Athena to query the logs.
C.Install the CloudWatch Logs agent on an EC2 instance and tail the logs.
D.Create a Lambda function that reads logs from each log group and searches for the pattern.
E.Use Amazon Kinesis Data Analytics to process the log streams.
AnswersA, B

CloudWatch Logs Insights can query multiple log groups simultaneously.

Why this answer

Option A is correct because CloudWatch Logs Insights queries up to 50 log groups in a single query, and its query language filters, parses and aggregates events, so one query finds the error pattern across sources without moving data or running infrastructure. Option B is correct because an export to S3 (or a subscription delivering to S3 through Kinesis Data Firehose) makes the logs queryable with Athena across whichever log groups were exported, which suits long retention and joins with other data sets at the cost of latency. Options C, D and E are wrong because they rebuild ad-hoc search on top of agents, custom code or streaming jobs that neither service needs.

Exam trap

The trap here is that candidates may think Lambda or Kinesis are suitable for ad-hoc log searching, but they are designed for real-time processing or custom workflows, not for efficient cross-log-group querying like CloudWatch Logs Insights or Athena.

1303
MCQhard

A company uses CloudFormation to manage infrastructure. They have a nested stack that creates an Amazon RDS instance. When updating the parent stack, the RDS instance is unexpectedly replaced even though no changes were made to its properties. The engineer suspects a 'Drift' detection issue. What is the most likely reason for the replacement?

A.The RDS instance has drifted from the template definition.
B.The deletion policy is set to 'Retain'.
C.The logical ID of the RDS resource was changed in the nested stack template.
D.The stack policy prevents updates to the RDS instance.
AnswerC

Changing a resource's logical ID makes CloudFormation treat it as a different resource: it creates a new one and deletes the old one.

Why this answer

Option C is correct because the logical ID is the identity CloudFormation uses to map template resources to physical resources. If the nested stack template renames the RDS resource, the update creates a new DB instance under the new logical ID and removes the one under the old ID, which looks like a replacement even though no property changed. Unless the old resource carried DeletionPolicy: Retain or Snapshot, the old database is deleted with it, which is why a rename of a stateful resource should be caught in a change set before execution. Option A is wrong because drift is reported by drift detection and does not by itself trigger a replacement during an update. Option B is wrong because DeletionPolicy: Retain governs what happens to a resource that is removed from the stack; it does not cause removal.

Option D is wrong because a stack policy restricts which updates are permitted; it cannot initiate a replacement.

1304
MCQhard

A company runs a containerized web application on Amazon ECS with AWS Fargate. The application is critical and requires high availability. The DevOps team has set up an Amazon CloudWatch alarm that triggers an auto scaling action when the average CPU utilization exceeds 75% for 5 minutes. However, during a recent traffic spike, the application became slow and some requests timed out, even though the CloudWatch alarm did not fire. The team checked the ECS service auto scaling configuration and found that the target tracking scaling policy based on average CPU utilization is set with a target value of 75%. The ECS service is configured with a minimum of 2 tasks and a maximum of 10 tasks. Upon investigation, they noticed that the CPU utilization metric for the service remained below 75% during the spike, but the memory utilization was high (over 90%). The application logs show that the tasks were running out of memory, causing garbage collection pauses and slow responses. Which course of action should the DevOps engineer take to prevent this issue in the future?

A.Add a second target tracking scaling policy based on average memory utilization with a target value of 75%.
B.Decrease the CPU target value to 50% to trigger scaling earlier.
C.Increase the minimum number of tasks from 2 to 5 to provide more capacity upfront.
D.Increase the task memory limit in the task definition to 8 GB.
AnswerA

Memory-based scaling will add tasks when memory is high, preventing memory exhaustion.

Why this answer

Option A is correct because the bottleneck was memory, which the CPU policy never saw. A service can have several target tracking policies at once: Application Auto Scaling scales out if any of them calls for it and scales in only when all of them agree, so adding an ECSServiceAverageMemoryUtilization policy at 75% lets memory pressure add tasks while the CPU policy is left unchanged. Option B is wrong because CPU stayed below the threshold; lowering the target would have fired only by coincidence.

Option C is wrong because a higher minimum raises cost permanently and still does not react to memory. Option D is wrong because a larger task memory limit is a static change; it may delay the problem and, on Fargate, changes the allowed CPU/memory combinations and the price of every task, while a memory-based policy responds to the signal that was actually observed.

1305
MCQeasy

Refer to the exhibit. A KMS key policy is configured as shown. What does this policy allow?

A.The role to decrypt any KMS key.
B.The role to decrypt via any AWS service.
C.The role to decrypt data encrypted by S3 in us-east-1.
D.Any IAM role to decrypt using this key.
AnswerC

The kms:ViaService condition limits Decrypt to requests that arrive through S3 in us-east-1.

Why this answer

Option C is correct because the statement grants kms:Decrypt to the named role only when the request context contains kms:ViaService equal to s3.us-east-1.amazonaws.com, that is, when S3 in us-east-1 calls KMS on the role's behalf to decrypt an SSE-KMS object. A direct kms:Decrypt call by the same role does not carry the kms:ViaService key and is therefore not allowed by this statement. Option A is wrong because a key policy applies only to the key it is attached to. Option B is wrong because the condition names one service in one Region. Option D is wrong because the statement names a specific principal.

1306
MCQmedium

A company uses AWS Lambda to process messages from an SQS queue. They need to ensure that if the Lambda function fails, the message is not lost and can be processed again. Which configuration is required?

A.Set the visibility timeout to less than the Lambda function timeout.
B.Enable SQS redrive policy to retry messages.
C.Configure a dead-letter queue (DLQ) on the SQS queue.
D.Set the Lambda event source mapping to not delete messages from the queue on failure.
AnswerD

Lambda deletes a message from the queue only after the function returns successfully; a failed invocation leaves the message in the queue, where it becomes visible again and is retried.

Why this answer

Option D is correct because the SQS event source mapping deletes messages only when the invocation succeeds; if the function throws, every message in the batch stays in the queue and is redelivered once its visibility timeout expires. Two practical caveats: set the queue's visibility timeout to at least six times the function timeout so a message is not handed to another consumer while still being processed, and enable the ReportBatchItemFailures function response type so that one bad message does not force the whole batch to be reprocessed. Option A is wrong because a visibility timeout shorter than the function timeout causes duplicate processing, not safe retry. Option B is wrong because SQS has no retry mechanism of its own; the redrive policy controls when a message is moved to a dead-letter queue after maxReceiveCount failed receives.

Option C is wrong in the sense the question intends: a dead-letter queue is where messages go after they have repeatedly failed, which stops retries rather than enabling them. It is still worth configuring, so that a poison message does not loop forever.
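The two caveats above in code, as an added example that is not from the page: a handler that reports individual failures, alongside a simulation of which messages SQS will redeliver under each event-source-mapping setting. The batch, the message bodies and process_order are constructed; the redelivery rules follow the Lambda documentation for ReportBatchItemFailures, including the trap that a handler which swallows errors without that setting enabled makes Lambda delete the failed message too.

```python
import json

# Constructed SQS batch of the shape Lambda hands to the function; the IDs and bodies
# are made up. Message msg-2 is malformed on purpose.
SAMPLE_EVENT = {
    "Records": [
        {"messageId": "msg-1", "receiptHandle": "rh-1", "eventSource": "aws:sqs",
         "body": json.dumps({"order_id": 101, "amount": 12.5})},
        {"messageId": "msg-2", "receiptHandle": "rh-2", "eventSource": "aws:sqs",
         "body": "not json"},
        {"messageId": "msg-3", "receiptHandle": "rh-3", "eventSource": "aws:sqs",
         "body": json.dumps({"order_id": 103, "amount": 7.0})},
    ]
}


def process_order(body):
    """Stand-in business logic (hypothetical); raises on anything it cannot handle."""
    order = json.loads(body)
    if "order_id" not in order:
        raise ValueError("order_id missing")
    return order["order_id"]


def handler(event, context=None):
    """Process a batch and report only the failed messages back to Lambda.

    This response shape is honoured only when the event source mapping has the
    ReportBatchItemFailures function response type enabled.
    """
    failures = []
    for record in event["Records"]:
        try:
            process_order(record["body"])
        except Exception:
            failures.append({"itemIdentifier": record["messageId"]})
    return {"batchItemFailures": failures}


def strict_handler(event, context=None):
    """Older pattern: let the first failure propagate so the whole batch is retried."""
    return [process_order(record["body"]) for record in event["Records"]]


def run(fn, event):
    """Invoke a handler and capture either its return value or the exception it raised."""
    try:
        return fn(event)
    except Exception as exc:
        return exc


def retried_ids(event, outcome, report_batch_item_failures):
    """Simulate which messages SQS redelivers after the invocation, per the Lambda rules."""
    all_ids = {record["messageId"] for record in event["Records"]}
    if isinstance(outcome, Exception):
        return all_ids                      # failed invocation: nothing is deleted
    if not report_batch_item_failures:
        return set()                        # successful invocation: whole batch deleted
    reported = {item.get("itemIdentifier") for item in outcome.get("batchItemFailures", [])}
    if reported - all_ids:
        return all_ids                      # unknown identifier: Lambda retries the whole batch
    return reported


if __name__ == "__main__":
    response = handler(SAMPLE_EVENT)
    print("reported failures:", response)
    print("retried with ReportBatchItemFailures:", retried_ids(SAMPLE_EVENT, response, True))
    print("retried without it (failure silently dropped):", retried_ids(SAMPLE_EVENT, response, False))
    print("retried by strict handler:", retried_ids(SAMPLE_EVENT, run(strict_handler, SAMPLE_EVENT), False))
```

The partial-batch handler only helps once the mapping has the function response type set; until then the safe choice is the strict handler, paired with a redrive policy so the malformed message ends up in a dead-letter queue after maxReceiveCount attempts instead of blocking the batch forever.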

1307
MCQmedium

A company is running a stateful web application on Amazon EC2 instances. The application stores session data locally on the instance. The company wants to make the application stateless and improve resilience. The DevOps team decides to use Amazon ElastiCache for Redis to store session data. What additional step should the team take to ensure that the session data is highly available?

A.Deploy ElastiCache for Redis in a Multi-AZ configuration with automatic failover.
B.Use a single ElastiCache for Redis node and rely on the application to reconnect if the node fails.
C.Enable ElastiCache for Redis cluster mode with automatic failover across multiple Availability Zones.
D.Configure ElastiCache for Redis to back up session data to Amazon S3 every 5 minutes.
AnswerC

Cluster mode with automatic failover ensures HA.

Why this answer

Option C is correct as keyed: a cluster-mode-enabled replication group with automatic failover and replicas placed in other Availability Zones promotes a replica when a primary fails, so session data survives a node or AZ loss. Option A also describes an automatic failover configuration (a Multi-AZ replication group with cluster mode disabled), and in practice either design gives the session store high availability; the key prefers C because it is the option that states both automatic failover and placement across multiple Availability Zones.

Option B is wrong because a single node has no failover; reconnection logic does not bring the data back. Option D is wrong because backups protect against data loss, not downtime: a restore from a snapshot takes minutes, and ElastiCache does not snapshot every five minutes.

1308
MCQeasy

A company uses AWS CloudFormation to deploy infrastructure. During a recent deployment, the stack failed to create an Amazon RDS DB instance because of a parameter validation error. The DevOps engineer fixed the parameter and wants to resume the stack creation without recreating the resources that were already successfully created. The stack template is parameterized and uses nested stacks. What is the MOST efficient way to resume the stack creation?

A.Use the CloudFormation stack update operation with the corrected parameter.
B.Manually create the RDS instance with the corrected parameter and update the stack to import it.
C.Delete the entire stack and redeploy with the corrected parameter.
D.Use the 'ContinueUpdateRollback' feature to rollback the failed stack and then redeploy.
AnswerA

An update provisions only the resource that failed, preserving the resources already created, provided the failed stack is still updatable.

Why this answer

Updating the stack with the corrected parameter is the most efficient path, but only when the failed stack can still be updated. By default a failed creation rolls back and the stack ends in ROLLBACK_COMPLETE, a state that cannot be updated; the stack must then be deleted and created again. To get the behaviour the question describes, create the stack with rollback disabled (the console's 'Preserve successfully provisioned resources' failure option, or --disable-rollback in the CLI). The stack then stops in CREATE_FAILED with the successful resources, completed nested stacks included, left intact, and a subsequent update provisions only the RDS instance that failed. Option B is wrong because resource import is for adopting existing resources, not for resuming a failed creation. Option C is wrong because a full redeploy recreates everything. Option D is wrong because ContinueUpdateRollback applies to a stack stuck in UPDATE_ROLLBACK_FAILED, not to a failed creation.

1309
MCQeasy

A development team is using AWS CodeCommit as the source for a CI/CD pipeline. They want to automatically run unit tests when a pull request is created, but only for changes to the 'src' directory. Which approach should they use?

A.Use an AWS Lambda function that polls CodeCommit for new pull requests and invokes CodeBuild when changes in 'src' directory are detected.
B.Create an AWS CodeBuild project with a source provider of CodeCommit and configure 'WEBHOOK' events with a filter for pull requests and path filter for 'src/**'.
C.Set up an Amazon EventBridge rule that matches CodeCommit pull request events and invoke CodeBuild. Add a condition in the CodeBuild buildspec to check if changes are in 'src' directory.
D.Configure an AWS CodePipeline with a Source stage for CodeCommit and a Test stage for CodeBuild. Use a manual approval step to trigger on pull requests.
AnswerB

CodeBuild webhook filter groups can trigger on pull request events and restrict the trigger by file path.

Why this answer

Option B is correct as keyed: a CodeBuild webhook filter group can combine an EVENT filter of PULL_REQUEST_CREATED with a FILE_PATH filter such as ^src/, so a build starts only for pull requests that touch src. One caveat a practitioner should know: CodeBuild webhooks are available for GitHub, GitHub Enterprise Server, Bitbucket and GitLab sources, not for CodeCommit. With a CodeCommit repository the working equivalent has the shape of option C: an EventBridge rule on the CodeCommit Pull Request State Change event starts the build, and the buildspec diffs the source and destination commits from the event and exits early when nothing under src changed. Option A is wrong because polling adds cost and latency when event-driven triggers exist. Option C is wrong by the key's reasoning because it moves path filtering into the build, so a build still starts for every pull request.

Option D is wrong because CodePipeline does not trigger on pull request creation, and a manual approval gate is for human sign-off, not for path filtering.

1310
MCQhard

A company runs a critical application on Amazon ECS with Fargate. They use blue/green deployments via AWS CodeDeploy. During a recent deployment, the new task set failed health checks and CodeDeploy automatically rolled back. However, the old task set also became unhealthy shortly after rollback. What could explain this?

A.The CloudWatch alarm that triggered the rollback also stopped the old task set.
B.CodeDeploy did not drain connections from the Application Load Balancer before terminating the old task set.
C.The ECS service auto-scaling policy reduced the desired count of the old task set during the deployment.
D.The new application version changed the database schema, which broke the old version after rollback.
AnswerD

Database schema changes are not automatically rolled back, causing incompatibility.

Why this answer

Option D is correct because the database is shared state that the deployment does not roll back. If the new version applied a schema change the old version cannot tolerate (a dropped or renamed column, a changed type), the old task set fails as soon as traffic returns to it. Schema changes must stay compatible with the version still running (expand first, contract in a later release) or a rollback is only a rollback of the containers. Option A is wrong because the rollback alarm reverts the deployment; it does not stop the original task set. Option B is wrong because connection draining concerns in-flight requests during the traffic shift; it does not change the health of a task set that was healthy before the deployment began.

Option C is wrong because service auto scaling is paused while a CodeDeploy blue/green deployment is in progress and in any case adjusts the desired count rather than making tasks unhealthy.

1311
MCQhard

A company uses AWS CloudFormation to manage its infrastructure. The DevOps team wants to ensure that when a stack update fails, the stack automatically rolls back to its previous state. However, they also want to preserve any resources that were created outside of CloudFormation (drift). What should they do?

A.Enable termination protection on the stack to prevent deletion during rollback.
B.Use a CloudFormation resource policy with a 'Retain' rule for resources that might have drifted. Then enable rollback on failure.
C.Use a stack policy that denies updates to resources created outside CloudFormation. Then enable rollback on failure.
D.Enable rollback on failure in the stack options. CloudFormation will automatically roll back, preserving all resources.
AnswerB

DeletionPolicy: Retain keeps a resource's physical asset whenever the stack would otherwise delete it, including during a rollback.

Why this answer

Option B is correct because the DeletionPolicy attribute (what the question calls a resource policy) set to Retain tells CloudFormation to leave the physical resource in place whenever the stack would delete it, including when a failed update rolls back resources it had just created; this is the only mechanism that preserves a resource through a rollback. Two clarifications: resources created entirely outside CloudFormation are not part of the stack and rollback never touches them, while a stack resource that has drifted (been modified outside CloudFormation) may have its properties reverted by a rollback, so DeletionPolicy protects the resource but not the out-of-band modifications. Option A is wrong because termination protection prevents the whole stack from being deleted; it says nothing about individual resources during rollback. Option C is wrong because a stack policy governs which resources an update may modify; it does not retain anything.

Option D is wrong because rollback on failure removes resources created during the failed operation; it does not preserve them.

1312
MCQhard

A company uses AWS Elastic Beanstalk with a custom platform. They need to update the platform version to include a new security patch. Which approach should be used to create a new custom platform version?

A.Use the Elastic Beanstalk CLI to rebuild the platform with the new AMI.
B.Launch a new EC2 instance, apply the patch, and create an AMI, then update the platform version.
C.Modify the existing platform version's AMI ID using the Elastic Beanstalk console.
D.Create a new platform version using the aws elasticbeanstalk create-platform-version command with an updated platform definition file.
AnswerD

This creates a new custom platform version with the updated configuration.

Why this answer

Option D is correct. Custom platforms are created by packaging a platform definition file (a .zip) and using the aws elasticbeanstalk create-platform-version command. The platform definition includes the AMI ID and other configuration.

Option A is wrong because platform versions are immutable: the EB CLI (eb platform create) also builds a new version with Packer from the platform definition, it does not rebuild an existing one in place, so the fix is still to point the definition at the patched base AMI and create a version. Option B is wrong because a hand-patched AMI is not a platform version; the custom platform build must run from the definition so the Elastic Beanstalk platform hooks and metadata are baked in. Option C is wrong because the console does not expose the AMI ID of an existing custom platform version for editing; patches are delivered by creating a new version and then updating environments to it.

1313
MCQmedium

A DevOps team uses AWS CodeDeploy to deploy an application to an Auto Scaling group. The deployment fails with an error 'The overall deployment failed because too many individual instances failed deployment'. The team checks the instance logs and finds that the 'BeforeInstall' lifecycle event script returned a non-zero exit code. What is the BEST approach to resolve this?

A.Set the 'ignoreScriptFailure' option to true in the AppSpec file and redeploy.
B.Manually run the script on an instance and then resume the deployment.
C.Fix the script error in the revision and redeploy.
D.Change the deployment configuration to 'AllAtOnce' to speed up deployment.
AnswerC

Correcting the script ensures the deployment succeeds.

Why this answer

Option C is correct because the deployment failed for a concrete reason, a BeforeInstall hook exited non-zero, and the fix is to correct the script in the application revision and deploy again. Read the script's output in the CodeDeploy agent logs (/opt/codedeploy-agent/deployment-root/deployment-logs/ on Linux) to find the failing command. Option A is wrong because there is no option in the AppSpec file to ignore hook failures, and silently skipping a failed pre-install step would deploy an application that may not work.

Option B is wrong because patching a running instance by hand fixes one host and leaves the revision broken for every later deployment. Option D is wrong because AllAtOnce changes how many instances fail at the same time, not whether they fail.

1314
MCQhard

Refer to the exhibit. A user outside the 192.0.2.0/24 IP range attempts to get an object from example-bucket. What will happen?

A.The request is allowed because the Allow statement matches
B.The request is allowed because there is no explicit Deny for GetObject
C.The request is denied because the policy is malformed
D.The request is denied because the Deny statement applies
AnswerD

Explicit Deny blocks the request.

Why this answer

The Deny statement explicitly denies all S3 actions when aws:SourceIp is outside 192.0.2.0/24. The user is outside that range, so the Deny matches, and an explicit deny overrides any allow regardless of statement order. Option A is wrong because a matching Allow never wins against a matching Deny. Option B is wrong because the Deny covers s3:*, which includes GetObject. Option C is wrong because the policy is valid.

Two points to check before relying on a policy of this shape: NotIpAddress also matches when aws:SourceIp is absent from the request context, as it is for requests arriving through a VPC endpoint (use aws:VpcSourceIp for those), and a Deny of this kind locks your own administrators out from any address outside the range, including calls that other AWS services make on their behalf unless the condition also excludes aws:ViaAWSService.
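How explicit deny and a missing condition key play out, for this question and for the kms:ViaService question (1305) above, as an added example rather than code from the page. The two policies are constructed to have the shape the questions describe; they are not the exhibits, and the ARNs and address ranges are made up. The evaluator implements only the subset of IAM semantics needed here.

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed policies illustrating the two shapes discussed above; they are not the
# exhibits from the questions. Account IDs, ARNs and address ranges are made up.
ROLE_ARN = "arn:aws:iam::111122223333:role/CrossAccountRole"
KEY_ARN = "arn:aws:kms:us-east-1:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab"

KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowDecryptOnlyViaS3InUsEast1",
        "Effect": "Allow",
        "Principal": {"AWS": ROLE_ARN},
        "Action": "kms:Decrypt",
        "Resource": "*",
        "Condition": {"StringEquals": {"kms:ViaService": "s3.us-east-1.amazonaws.com"}},
    }],
}

BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowRead", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "DenyOutsideOffice", "Effect": "Deny", "Principal": {"AWS": "*"},
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
         "Condition": {"NotIpAddress": {"aws:SourceIp": "192.0.2.0/24"}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(statement, ctx):
    principal = statement.get("Principal", "*")
    if principal == "*":
        return True
    allowed = _as_list(principal.get("AWS", []))
    return "*" in allowed or ctx.get("aws:PrincipalArn") in allowed


def _condition_matches(condition, ctx):
    """Supports StringEquals, IpAddress and NotIpAddress. A key missing from the
    request context fails the positive operators and satisfies the negated one,
    which is how IAM treats it."""
    for operator, pairs in (condition or {}).items():
        for key, wanted in pairs.items():
            wanted = _as_list(wanted)
            actual = ctx.get(key)
            if operator == "StringEquals":
                if actual not in wanted:
                    return False
            elif operator in ("IpAddress", "NotIpAddress"):
                in_range = actual is not None and any(
                    ipaddress.ip_address(actual) in ipaddress.ip_network(cidr) for cidr in wanted)
                if (operator == "IpAddress") != in_range:
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def evaluate(policies, action, resource, ctx):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request.

    Toy evaluator: no NotAction/NotResource, no permission boundaries, no SCPs.
    """
    decision = "ImplicitDeny"
    for policy in policies:
        for statement in policy["Statement"]:
            if not any(fnmatchcase(action, a) for a in _as_list(statement.get("Action", []))):
                continue
            if not any(fnmatchcase(resource, r) for r in _as_list(statement.get("Resource", "*"))):
                continue
            if not _principal_matches(statement, ctx):
                continue
            if not _condition_matches(statement.get("Condition"), ctx):
                continue
            if statement["Effect"] == "Deny":
                return "ExplicitDeny"          # an explicit deny ends evaluation
            decision = "Allow"
    return decision


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/report.csv"
    print("inside range :", evaluate([BUCKET_POLICY], "s3:GetObject", obj, {"aws:SourceIp": "192.0.2.10"}))
    print("outside range:", evaluate([BUCKET_POLICY], "s3:GetObject", obj, {"aws:SourceIp": "203.0.113.5"}))
    print("no SourceIp  :", evaluate([BUCKET_POLICY], "s3:GetObject", obj, {}))
    print("via S3       :", evaluate([KEY_POLICY], "kms:Decrypt", KEY_ARN,
                                     {"aws:PrincipalArn": ROLE_ARN, "kms:ViaService": "s3.us-east-1.amazonaws.com"}))
    print("direct call  :", evaluate([KEY_POLICY], "kms:Decrypt", KEY_ARN, {"aws:PrincipalArn": ROLE_ARN}))
```

The third bucket case is the one that bites: a request with no aws:SourceIp in its context (a VPC endpoint path) is denied just like an outside address, because NotIpAddress is satisfied by an absent key.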

1315
MCQhard

A company uses AWS CodeDeploy to deploy a web application to an Auto Scaling group. After a deployment, some instances fail the health check and are terminated by the Auto Scaling group. What should the DevOps engineer do to prevent this?

A.Configure a CloudWatch alarm to stop the deployment if instances are unhealthy.
B.Modify the deployment configuration to deploy to only one instance at a time.
C.Update the deployment group to use an Elastic Load Balancer and configure health checks.
D.Increase the desired capacity of the Auto Scaling group to tolerate failures.
AnswerC

ELB health checks automatically replace unhealthy instances and work with CodeDeploy.

Why this answer

Option C is correct because configuring an Elastic Load Balancer (ELB) with health checks in the CodeDeploy deployment group lets CodeDeploy deregister each instance before deploying to it and re-register it only after the ELB health check passes, so a broken revision is caught by the deployment rather than by the Auto Scaling group. If an instance fails the health check, CodeDeploy stops or rolls back the deployment. Two settings make this work reliably: the Auto Scaling group's health check type should be ELB so it shares the same signal, and its health check grace period should be long enough to cover the deployment so the group does not terminate an instance while CodeDeploy is still installing on it.

Exam trap

The trap here is that candidates often confuse Auto Scaling group health checks (which terminate instances) with CodeDeploy's deployment health checks (which can stop or roll back deployments), leading them to choose options that only address symptoms rather than integrating the two services properly.

How to eliminate wrong answers

Option A is wrong because a CloudWatch alarm can trigger actions like scaling or notifications, but it cannot directly stop a CodeDeploy deployment; CodeDeploy has its own built-in rollback and health check mechanisms that should be used. Option B is wrong because deploying to one instance at a time reduces risk but does not prevent instances from failing health checks and being terminated by the Auto Scaling group; it only limits blast radius. Option D is wrong because increasing the desired capacity of the Auto Scaling group does not address the root cause of health check failures; it only masks the problem by adding more instances, and unhealthy instances will still be terminated.

1316
MCQhard

A DevOps engineer is troubleshooting a slow AWS CodeBuild project. The build is a Java application that compiles source code and runs tests. The build environment uses a general1.large compute type. The build duration has increased from 5 minutes to 15 minutes over the past month. The engineer notices that the build logs show 'Downloading...' messages for Maven dependencies for several minutes. What is the most cost-effective way to reduce the build time?

A.Configure the build to use a VPC with a NAT gateway
B.Use AWS CodeArtifact as a proxy for Maven dependencies
C.Change the compute type to general1.2xlarge
D.Enable local caching in the CodeBuild project for dependencies
AnswerD

Local caching stores dependencies across builds.

Why this answer

Option D is correct: enable caching on the project and list the Maven local repository (/root/.m2 in the standard images) under cache paths in the buildspec so dependencies survive between builds instead of being downloaded every time. Local caching costs nothing extra but is best-effort, since it only hits when a build lands on a host that still holds the cache; if hit rates are poor, switch the same cache configuration to the S3 cache type, which is shared across hosts for a small storage cost. Option A is wrong because a NAT gateway adds cost and does nothing for download volume. Option B is wrong because CodeArtifact as a Maven upstream proxy still downloads every dependency on every uncached build and adds a billed service, although it is a reasonable supply-chain control for other reasons.

Option C is wrong because a larger compute type is the most expensive option and the time is spent waiting on the network, not on CPU.

1317
MCQeasy

A company uses Amazon DynamoDB as the database for a mobile application. The application requires single-digit millisecond read and write latency and must be resilient to the failure of an entire AWS Region. Which DynamoDB feature should the company use?

A.DynamoDB point-in-time recovery (PITR)
B.DynamoDB global tables
C.DynamoDB Accelerator (DAX)
D.DynamoDB on-demand capacity mode
AnswerB

Global tables replicate data across Regions, providing low latency and resilience to Region failures.

Why this answer

DynamoDB global tables provide multi-Region, multi-active replication, ensuring the application can withstand an entire AWS Region failure while maintaining single-digit millisecond read and write latency in each Region. This is achieved through DynamoDB Streams and a last-writer-wins conflict resolution mechanism, making it the correct choice for cross-Region resilience.

Exam trap

The trap here is that candidates often confuse high-availability features like DAX (caching) or PITR (backup) with true disaster recovery and multi-Region resilience, failing to recognize that only global tables replicate data across Regions for active-active failover.

How to eliminate wrong answers

Option A is wrong because point-in-time recovery (PITR) protects against accidental writes or deletions by enabling restoration to any point within the last 35 days, but it does not provide cross-Region resilience or continuous availability during a Region outage. Option C is wrong because DynamoDB Accelerator (DAX) is an in-memory cache that improves read latency but operates within a single Region and does not replicate data across Regions, offering no protection against a full Region failure. Option D is wrong because on-demand capacity mode handles traffic spikes automatically but is a scaling feature within a single Region, not a disaster recovery or multi-Region replication solution.

1318
MCQeasy

Refer to the exhibit. An IAM policy is attached to an EC2 instance role. The application on the instance fails to write logs to CloudWatch Logs in the log group 'MyAppLogs'. What is the most likely cause?

A.The policy does not grant permissions on the log stream resource.
B.The CloudWatch agent is not installed on the instance.
C.The policy specifies the wrong region in the resource ARN.
D.The policy does not include the 'logs:DescribeLogGroups' action.
AnswerA

PutLogEvents requires permissions on the log stream ARN.

Why this answer

Option A is correct because logs:PutLogEvents and logs:CreateLogStream are authorized against the log stream ARN, arn:aws:logs:region:account-id:log-group:MyAppLogs:log-stream:stream-name. A Resource that names only the log group, arn:aws:logs:region:account-id:log-group:MyAppLogs, does not match a log stream; the usual fix is arn:aws:logs:region:account-id:log-group:MyAppLogs:*, which covers both the group and its streams. Option D is wrong because DescribeLogGroups is a listing permission that PutLogEvents does not depend on.

Option B is wrong because the failure is an authorization error from the API, which occurs whether the caller is the CloudWatch agent or the application using the SDK. Option C is wrong because the Region in the ARN matches the log group.

1319
Multi-Selectmedium

Which TWO actions should a DevOps engineer take to implement a GitFlow branching strategy for infrastructure as code using AWS CodeCommit and CodePipeline? (Choose two.)

Select 2 answers
A.Disable automatic triggers on the master branch to prevent accidental deployments.
B.Use CodeBuild to run unit tests on feature branches before merging.
C.Use a single pipeline that handles all branches.
D.Create separate pipelines for develop and master branches.
E.Configure CodePipeline to trigger on pull request creation.
AnswersB, D

Unit tests on feature branches validate code before merge; separate pipelines give develop and master different deployment behaviour.

Why this answer

Options B and D are correct. Running CodeBuild on feature branches validates changes before they are merged, and separate pipelines for develop and master let each branch deploy to its own environment with its own approvals. Option A is wrong because a merge to master is exactly what should trigger the release pipeline.

Option C is wrong because a pipeline's source action tracks one branch and cannot apply different behaviour per branch. Option E is wrong because CodePipeline does not trigger on pull request creation; pull request validation belongs in CodeBuild, started by an EventBridge rule or a webhook.

1320
MCQhard

A company uses AWS CloudFormation to manage infrastructure. The development team wants to promote changes from a development environment to a production environment using change sets. They need to ensure that the production stack is not updated if there are any changes to the stack's IAM policies. Which approach should the team use?

A.Enable drift detection on the production stack and compare with the development stack.
B.Create a ChangeSet from the updated template, review the changes for IAM modifications, and execute only if no IAM changes are present.
C.Use AWS CloudFormation StackSets to deploy to multiple accounts and use stack instance filters.
D.Use a custom resource in the template that checks for IAM changes and fails the update.
AnswerB

ChangeSets provide a preview of all changes, including IAM resource modifications.

Why this answer

Option B is correct because a change set lists every resource the update would add, modify or remove, with its resource type and the properties affected, so the team can inspect it for AWS::IAM::* resources (and for policy-bearing properties on other resources) and execute only when none appear. The check is scriptable with describe-change-set, which turns it into a gate in the promotion pipeline rather than a manual habit. Option C is wrong because StackSets distribute a template to accounts and Regions and offer no per-resource review. Option A is wrong because drift detection reports differences between the deployed stack and its last template; it does not preview an update.

Option D is wrong because a custom resource runs only after CloudFormation has begun applying the update, and it cannot see the change set.
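The scriptable gate described above, as an added example that is not from the page: it reads a describe-change-set response (the constructed one below is shaped like the API output, with made-up names) and refuses execution when any change touches an AWS::IAM:: resource or, by this example's own assumption, a policy-bearing property on another resource type.

```python
# Constructed describe-change-set response, shaped like the CloudFormation API output;
# stack, resource and change set names are made up.
SAMPLE_CHANGE_SET = {
    "ChangeSetName": "promote-to-prod-42",
    "StackName": "web-prod",
    "Status": "CREATE_COMPLETE",
    "Changes": [
        {"Type": "Resource", "ResourceChange": {
            "Action": "Modify", "LogicalResourceId": "WebAsg",
            "PhysicalResourceId": "web-prod-WebAsg-1A2B3C",
            "ResourceType": "AWS::AutoScaling::AutoScalingGroup",
            "Replacement": "False", "Scope": ["Properties"],
            "Details": [{"Target": {"Attribute": "Properties", "Name": "MaxSize",
                                    "RequiresRecreation": "Never"},
                         "Evaluation": "Static", "ChangeSource": "DirectModification"}]}},
        {"Type": "Resource", "ResourceChange": {
            "Action": "Modify", "LogicalResourceId": "AppRole",
            "PhysicalResourceId": "web-prod-AppRole-9Z8Y7X",
            "ResourceType": "AWS::IAM::Role",
            "Replacement": "False", "Scope": ["Properties"],
            "Details": [{"Target": {"Attribute": "Properties", "Name": "Policies",
                                    "RequiresRecreation": "Never"},
                         "Evaluation": "Static", "ChangeSource": "DirectModification"}]}},
        {"Type": "Resource", "ResourceChange": {
            "Action": "Add", "LogicalResourceId": "LogBucket",
            "ResourceType": "AWS::S3::Bucket", "Scope": [], "Details": []}},
    ],
}

# Properties on non-IAM resources that carry policy documents. Treating them as IAM
# changes is this example's assumption: a key policy or bucket policy grants access
# just as an IAM policy does.
POLICY_PROPERTIES = {"KeyPolicy", "PolicyDocument", "AssumeRolePolicyDocument",
                     "Policies", "ManagedPolicyArns", "RepositoryPolicyText", "Policy"}


def iam_changes(response):
    """List the changes that touch IAM resources or policy-bearing properties."""
    flagged = []
    for change in response.get("Changes", []):
        rc = change.get("ResourceChange")
        if not rc:
            continue
        props = {d["Target"].get("Name") for d in rc.get("Details", [])
                 if d.get("Target", {}).get("Attribute") == "Properties"}
        if rc["ResourceType"].startswith("AWS::IAM::") or props & POLICY_PROPERTIES:
            flagged.append({"LogicalResourceId": rc["LogicalResourceId"],
                            "ResourceType": rc["ResourceType"],
                            "Action": rc["Action"],
                            "Properties": sorted(p for p in props if p)})
    return flagged


def gate(response):
    """Decide whether the change set may be executed. Returns (ok, reasons)."""
    reasons = []
    if response.get("Status") != "CREATE_COMPLETE":
        reasons.append(f"change set status is {response.get('Status')}")
    if response.get("NextToken"):
        # describe-change-set paginates; decide only on the complete list of changes
        reasons.append("response is paginated; fetch every page before deciding")
    for item in iam_changes(response):
        reasons.append(f"{item['Action']} {item['ResourceType']} {item['LogicalResourceId']} "
                       f"(properties: {', '.join(item['Properties']) or 'n/a'})")
    return (not reasons, reasons)


if __name__ == "__main__":
    ok, reasons = gate(SAMPLE_CHANGE_SET)
    print("execute:", ok)
    for reason in reasons:
        print(" -", reason)
```

In a pipeline this runs on the JSON from `aws cloudformation describe-change-set` (or boto3's describe_change_set) and a False result fails the stage before `execute-change-set` is ever called; a change set whose Status is FAILED with "no updates" is refused for the same reason.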

1321
MCQhard

A company has a VPC with public and private subnets. An EC2 instance in the private subnet needs to download patches from the internet but must not be directly accessible from the internet. Which configuration allows this?

A.Set up a VPN connection to the company's on-premises network and route traffic through it.
B.Deploy a NAT gateway in a public subnet and route the private subnet's traffic through it.
C.Deploy a bastion host in the public subnet and configure the instance to use it.
D.Attach an internet gateway to the VPC and add a route to the private subnet route table.
AnswerB

NAT gateway enables outbound internet traffic while blocking inbound.

Why this answer

A NAT gateway in a public subnet lets instances in private subnets initiate outbound connections to the internet, while its stateful translation has no mapping for unsolicited inbound connections, so they are dropped. Option B is correct. Option A is wrong because a VPN to the on-premises network reaches the corporate network, not the internet, unless on-premises egress is also arranged.

Option C is wrong because a bastion host provides administrative SSH or RDP access to the instance; it does not proxy its downloads. Option D is wrong because routing the private subnet to an internet gateway requires public IP addresses and would make the instance reachable from the internet, which the question forbids.

1322
MCQeasy

An organization uses AWS CodeBuild to compile and test their code. They want to reuse build artifacts across multiple build projects to reduce build time. What is the BEST approach?

A.Use the local cache feature in CodeBuild to store artifacts on the build instance.
B.Store build artifacts in an Amazon S3 bucket and configure each build project to download them from S3.
C.Use Docker layer caching to store intermediate build layers.
D.Mount an Amazon EFS file system to each build environment to share artifacts.
AnswerB

S3 is a durable storage that can be accessed by multiple build projects to fetch shared artifacts.

Why this answer

Option B is correct because S3 is durable, shared storage that any project can read: each consuming project either names the bucket as a secondary source or downloads the artifact in its install phase. Option A is wrong because the local cache lives on the build host and is scoped to one project. Option C is wrong because Docker layer caching speeds up image builds; it is not a way to hand artifacts between projects.

Option D is wrong because, although CodeBuild can mount EFS, a shared mutable file system written by many concurrent builds is harder to reason about than immutable, versioned objects in S3.

1323
MCQeasy

A company uses Amazon Route 53 for DNS. They want to ensure that if their primary website endpoint fails, traffic is automatically routed to a secondary endpoint in a different Region. Which routing policy should be used?

A.Latency routing
B.Simple routing
C.Failover routing
D.Weighted routing
AnswerC

Failover routing performs automatic failover based on health checks.

Why this answer

Failover routing configures an active-passive pair: Route 53 returns the primary record while its associated health check passes and switches to the secondary record when it fails. The health check must be attached to the primary record, and the secondary endpoint must be ready to serve before the primary fails.

1324
Multi-Selectmedium

A company is using Amazon CloudWatch Logs to store application logs. The DevOps team wants to set up real-time monitoring for specific error patterns and trigger remediation actions. Which TWO services can process the log events in real time and invoke an AWS Lambda function for remediation? (Choose two.)

Select 2 answers
A.Stream log events to Amazon Kinesis Data Streams and configure a Lambda function to process the stream.
B.Create a CloudWatch Logs subscription filter that delivers log events to a Lambda function.
C.Create an Amazon EventBridge rule that matches on CloudWatch Logs log group events.
D.Configure the log group to send log events to an Amazon SQS queue, and have the Lambda function poll the queue.
E.Publish log events to an Amazon SNS topic and subscribe the Lambda function.
AnswersA, B

Kinesis Data Streams can receive log events from a subscription filter, and Lambda can process the stream in real time.

Why this answer

Options A and B are correct. A CloudWatch Logs subscription filter pushes matching log events, in near real time, either to a Lambda function directly (option B) or to a Kinesis Data Stream that a Lambda function consumes (option A). Both deliveries carry the same gzip-compressed JSON payload; the Kinesis route is the better choice when volume is high or several consumers need the events. Option C is wrong because EventBridge does not receive log events from CloudWatch Logs; it sees service events such as API calls, not the log lines themselves.

Option D is wrong because CloudWatch Logs cannot deliver to SQS. Option E is wrong because CloudWatch Logs cannot publish log events to SNS; a metric filter with an alarm can reach SNS, but that carries the alarm state, not the events.
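The consumer side of both correct options, as an added example rather than code from the page: a Lambda function that decodes the payload CloudWatch Logs delivers, whether it arrives directly or wrapped in Kinesis records, and picks out the events matching an error pattern. The payloads are constructed in the documented subscription-filter format with made-up log lines; the remediation action itself is left as a marked hook.

```python
import base64
import gzip
import json
import re

ERROR_PATTERN = re.compile(r"\bERROR\b")


def decode_logs_data(data_b64):
    """Decode the base64 + gzip payload CloudWatch Logs sends to subscription destinations."""
    return json.loads(gzip.decompress(base64.b64decode(data_b64)))


def payloads_from_event(event):
    """Return the decoded payloads from either delivery path.

    Direct Lambda delivery: event["awslogs"]["data"].
    Kinesis delivery: one payload per record in event["Records"][i]["kinesis"]["data"].
    """
    if "awslogs" in event:
        return [decode_logs_data(event["awslogs"]["data"])]
    return [decode_logs_data(r["kinesis"]["data"]) for r in event.get("Records", [])]


def matching_events(payload, pattern=ERROR_PATTERN):
    """Log events in one payload whose message matches the pattern."""
    # CloudWatch Logs sends a single CONTROL_MESSAGE when a destination is set up.
    if payload.get("messageType") != "DATA_MESSAGE":
        return []
    return [{"logGroup": payload["logGroup"], "logStream": payload["logStream"],
             "timestamp": e["timestamp"], "message": e["message"]}
            for e in payload.get("logEvents", []) if pattern.search(e["message"])]


def handler(event, context=None):
    """Lambda entry point: count matches per log group and trigger remediation."""
    summary = {}
    for payload in payloads_from_event(event):
        hits = matching_events(payload)
        if hits:
            # Remediation hook (e.g. start an SSM Automation document) goes here.
            # Keep it idempotent: the same batch can be delivered more than once.
            summary[payload["logGroup"]] = summary.get(payload["logGroup"], 0) + len(hits)
    return summary


def encode_logs_data(payload):
    """Inverse of decode_logs_data; used here only to build constructed input."""
    return base64.b64encode(gzip.compress(json.dumps(payload).encode())).decode()


# Constructed sample payloads in the subscription-filter format; account, log group
# and messages are made up. "ERRORS_TOTAL" is there to show the word boundary at work.
SAMPLE_PAYLOAD = {
    "messageType": "DATA_MESSAGE",
    "owner": "111122223333",
    "logGroup": "/app/web",
    "logStream": "i-0abc123def456/web.log",
    "subscriptionFilters": ["web-errors"],
    "logEvents": [
        {"id": "1", "timestamp": 1700000000000, "message": "INFO request served in 12ms"},
        {"id": "2", "timestamp": 1700000001000, "message": "ERROR db connection refused"},
        {"id": "3", "timestamp": 1700000002000, "message": "WARN ERRORS_TOTAL gauge reset"},
        {"id": "4", "timestamp": 1700000003000, "message": "ERROR upstream timeout after 30s"},
    ],
}
CONTROL_PAYLOAD = {
    "messageType": "CONTROL_MESSAGE", "owner": "CloudwatchLogs", "logGroup": "",
    "logStream": "", "subscriptionFilters": [],
    "logEvents": [{"id": "", "timestamp": 1700000000000,
                   "message": "CWL CONTROL MESSAGE: Checking health of destination."}],
}


if __name__ == "__main__":
    direct = {"awslogs": {"data": encode_logs_data(SAMPLE_PAYLOAD)}}
    via_kinesis = {"Records": [{"kinesis": {"data": encode_logs_data(SAMPLE_PAYLOAD)}},
                               {"kinesis": {"data": encode_logs_data(CONTROL_PAYLOAD)}}]}
    print("direct delivery :", handler(direct))
    print("kinesis delivery:", handler(via_kinesis))
```

Put a filter pattern such as ?ERROR on the subscription filter itself so CloudWatch Logs only invokes the function for events that might match; the regex in the function then does the precise matching.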

1325
MCQmedium

A company uses Amazon CloudWatch Logs to store application logs from multiple EC2 instances. The DevOps team needs to create a real-time dashboard that displays the count of ERROR-level log entries across all instances. Which combination of services should be used?

A.Amazon Athena and Amazon QuickSight
B.Amazon Kinesis Data Analytics and Amazon Elasticsearch Service
C.Amazon S3 and Amazon QuickSight
D.CloudWatch Logs Insights and CloudWatch Dashboards
AnswerD

Logs Insights can query live log data and display results on CloudWatch Dashboards in real time.

Why this answer

Option D is correct because CloudWatch Logs Insights can query logs and send results to CloudWatch Dashboards for real-time visualization. Option A is wrong because Athena is for querying data in S3, not real-time analysis. Option B is wrong because Kinesis Data Analytics is for streaming data analytics but adds complexity.

Option C is wrong because QuickSight is for BI, not real-time log monitoring.

1326
MCQhard

A company uses AWS CloudFormation with a template that creates an Amazon RDS DB instance. The password for the master user is stored in AWS Secrets Manager. The CloudFormation stack creation fails with the error: 'Value of property MasterUserPassword must be of type String'. How should the DevOps engineer resolve this issue?

A.Use the Fn::ImportValue intrinsic function to import the secret value.
B.Use the Ref intrinsic function to reference the secret.
C.Use the dynamic reference '{{resolve:secretsmanager:MySecret:SecretString:password}}' in the CloudFormation template.
D.Use the Fn::GetAtt intrinsic function to retrieve the secret value from Secrets Manager.
AnswerC

Dynamic references allow CloudFormation to resolve secrets at stack creation.

Why this answer

Option C is correct because CloudFormation supports dynamic references, which allow you to retrieve secret values from AWS Secrets Manager at stack creation time using the syntax `{{resolve:secretsmanager:secret-id:secret-string:json-key}}`. This resolves the password as a plaintext string directly in the template, satisfying the `MasterUserPassword` property's requirement for a String type. Other intrinsic functions like `Ref` or `Fn::GetAtt` return ARNs or metadata, not the secret value itself, and cannot be used directly for this purpose.

Exam trap

The trap here is that candidates often confuse intrinsic functions like `Ref` or `Fn::GetAtt` with the ability to retrieve secret values, not realizing that only dynamic references (the `{{resolve:...}}` syntax) can directly inject a secret string into a resource property that expects a plaintext value.

How to eliminate wrong answers

Option A is wrong because `Fn::ImportValue` is used to import exported cross-stack output values, not to retrieve secret values from Secrets Manager. Option B is wrong because `Ref` on an AWS::SecretsManager::Secret resource returns the secret ARN, not the secret string value, so it cannot provide the password as a string. Option D is wrong because `Fn::GetAtt` on a Secrets Manager secret returns attributes like the ARN or the generated password metadata, but not the plaintext secret value, and it does not resolve to a string that can be used directly in the `MasterUserPassword` property.

1327
MCQeasy

Given the above IAM policy, which action is permitted?

A.Invoke the Lambda function MyFunction in us-east-1 account 123456789012
B.Read objects from an S3 bucket
C.Create a Lambda function
D.Start an EC2 instance
AnswerA

The policy allows lambda:InvokeFunction on that specific ARN.

Why this answer

The policy explicitly allows the lambda:InvokeFunction action on the specified function ARN, so Option A is correct. It does not allow S3 actions (B), other Lambda actions such as creating a function (C), or EC2 actions (D).

1328
MCQeasy

A development team uses AWS CodeCommit as a Git repository. They want to automatically trigger a build in AWS CodeBuild when a pull request is created or updated. Which configuration should the team use?

A.Create a CodeCommit trigger that invokes CodeBuild on 'Pull Request Created' and 'Pull Request Updated' events.
B.Use Amazon SNS to notify CodeBuild when a pull request is created.
C.Use Amazon CloudWatch Events to detect CodeCommit pull request events and invoke CodeBuild.
D.Configure CodePipeline with a source action on CodeCommit and a build action, and set the pipeline to start on source changes.
AnswerA

CodeCommit supports triggers for CodeBuild.

Why this answer

Option A is correct because CodeCommit can trigger CodeBuild via a repository trigger. Option B is wrong because SNS cannot trigger CodeBuild directly. Option C is wrong because, although CloudWatch Events can trigger on pull request events, CodeBuild can be invoked directly via repository triggers.

Option D is wrong because CodePipeline does not directly trigger on pull requests.

1329
MCQhard

Refer to the exhibit. A CodeBuild project uses this buildspec. The build fails with the error: 'The runtime version specified is not supported in this environment.' What change should be made?

A.Add an install command to install Node.js 12 from source.
B.Remove the runtime-versions section and install Node.js manually.
C.Update the runtime-versions to nodejs: 14.
D.Change the build environment to use a custom image that includes Node.js 12.
AnswerC

Node.js 12 may be deprecated in the environment; using a supported version fixes the issue.

Why this answer

The build environment image may not support Node.js 12. The correct action is to update the runtime version to a supported one, such as 14 or 16, or change the build environment image to one that supports Node.js 12.

1330
Multi-Selectmedium

Which THREE steps should a DevOps engineer take to troubleshoot an EC2 instance that cannot be reached via SSH? (Choose three.)

Select 3 answers
A.Check the network ACL inbound rules for the subnet.
B.Verify that the corporate firewall allows SSH to the instance.
C.Create an AMI from the instance and launch a new one.
D.Check the security group inbound rules for port 22.
E.Verify that the instance has a public IP address.
AnswersA, D, E

NACLs control traffic at the subnet level.

Why this answer

Option A is correct because network ACLs (NACLs) are stateless firewall rules applied at the subnet level. If the inbound rule for ephemeral ports or port 22 is not explicitly allowed, SSH traffic will be dropped even if the security group permits it. Checking NACL inbound rules is a fundamental step in troubleshooting connectivity issues.

Exam trap

The trap here is that candidates often overlook network ACLs and focus only on security groups, or they mistake a recovery action (creating an AMI) for a troubleshooting step, when the correct approach is to systematically verify the layered network controls (NACLs, security groups, and public IP assignment).

1331
MCQeasy

A DevOps engineer needs to securely store and automatically rotate database credentials for a MySQL RDS instance. The credentials should be accessible to a Lambda function without hardcoding them. Which AWS service should be used?

A.AWS Systems Manager Parameter Store
B.AWS Secrets Manager
C.AWS Key Management Service (KMS)
D.IAM roles for EC2
AnswerB

Secrets Manager offers automatic rotation for RDS databases and provides fine-grained access control via IAM.

Why this answer

AWS Secrets Manager provides the ability to store secrets and automatically rotate them for RDS databases. It also integrates with Lambda via the Secrets Manager API to retrieve secrets at runtime. Option A is wrong because Parameter Store can store secrets but does not support automatic rotation for RDS.

Option C is wrong because KMS is for encryption keys, not secret storage. Option D is wrong because IAM roles cannot store credentials; they provide permissions.

1332
MCQmedium

A team uses AWS CloudFormation to manage infrastructure. They have a stack that creates an Amazon RDS instance. During an update, the stack fails with 'CREATE_FAILED' for the DB instance resource, and the error message indicates 'The DB instance already exists.' What is the most likely cause?

A.An RDS instance with the same identifier already exists in the account and region.
B.The stack update is trying to replace the DB instance without a proper UpdateReplace policy.
C.The stack has a DeletionPolicy of Retain on the RDS instance.
D.The RDS instance has deletion protection enabled.
AnswerA

DB instance identifiers must be unique per region; if one exists, creation fails.

Why this answer

Option A is correct because a DB instance with the same identifier already exists in the account and Region; for example, the instance may have been left behind when a previous stack was deleted. Option C is wrong because RDS does not have a deletion policy that prevents deletion. Option B is wrong because an UpdateReplace policy would replace the instance but would not cause an 'already exists' error.

Option D is wrong because deletion protection would prevent deletion but would not cause 'already exists' if the stack is new.

1333
Multi-Selecteasy

A DevOps team needs to implement a solution to automatically remediate an S3 bucket that becomes publicly accessible. Which TWO services should they use together?

Select 2 answers
A.AWS CloudTrail
B.AWS Config
C.AWS Lambda
D.AWS Systems Manager Automation
E.Amazon GuardDuty
AnswersB, D

Config can evaluate bucket policies and trigger remediation.

Why this answer

AWS Config can continuously monitor S3 bucket configurations and trigger an AWS Lambda function via a custom rule or managed rule (e.g., s3-bucket-public-read-prohibited) when a bucket becomes publicly accessible. Lambda then executes the remediation logic, such as applying a bucket policy that blocks public access. This pair provides an automated, event-driven remediation pipeline without manual intervention.

Exam trap

AWS often tests the misconception that AWS CloudTrail or Amazon GuardDuty can perform automated remediation, but these services are purely detective or auditing tools and lack the ability to execute corrective actions.

1334
MCQhard

A DevOps engineer is configuring a centralized logging solution using Amazon CloudWatch Logs. They need to ensure that logs from multiple AWS accounts are aggregated into a single CloudWatch Logs account. Which approach meets this requirement?

A.Use Amazon Kinesis Data Firehose in each account to stream logs to a central Amazon S3 bucket, then use Amazon Athena to query.
B.Create a subscription filter in each account that delivers log events to a CloudWatch Logs destination in the central account.
C.Set up a cross-account destination using an Amazon Kinesis Data Streams stream in the central account and configure each account to send logs to that stream.
D.Configure each application to use the PutLogEvents API to send logs directly to the central account's log group.
AnswerB

Cross-account subscription filters allow real-time log aggregation from multiple accounts to a central account.

Why this answer

Option B is correct because CloudWatch Logs supports cross-account subscription filters that can deliver log events to a CloudWatch Logs destination in a central account. The destination is a logical resource that points to a Kinesis Data Stream or Lambda function in the central account, and the source account creates a subscription filter that sends matching log events to that destination. This allows centralized aggregation without requiring each account to manage separate streaming infrastructure.

Exam trap

The trap here is that candidates confuse the CloudWatch Logs destination (which is a cross-account subscription mechanism) with directly writing to a Kinesis stream or using PutLogEvents across accounts, neither of which is supported for cross-account log aggregation.

How to eliminate wrong answers

Option A is wrong because Amazon Kinesis Data Firehose cannot directly stream logs from CloudWatch Logs in multiple accounts to a central S3 bucket without additional cross-account permissions and intermediate services; it also introduces unnecessary complexity and latency for real-time log aggregation. Option C is wrong because while a cross-account Kinesis Data Streams destination can be used, the correct implementation requires creating a CloudWatch Logs destination in the central account that points to the Kinesis stream, not configuring each account to send logs directly to the stream via PutRecord. Option D is wrong because the PutLogEvents API requires the log group and log stream to exist in the same account as the API call; cross-account PutLogEvents is not supported, and applications cannot send logs directly to a central account's log group.

1335
Matchingmedium

Match each AWS service health or performance concept to its meaning.


Concepts
Matches

Maximum limits on resources per account

Shows events and changes affecting your AWS resources

Monitors a metric and performs actions based on thresholds

Provides recommendations for cost, performance, security, and fault tolerance

Recommends optimal AWS compute resources for workloads

Why these pairings

These are tools for managing performance and health.

1336
MCQmedium

An engineer uses AWS Elastic Beanstalk to deploy a web application. The application needs to read from an S3 bucket. The engineer has configured an instance profile with the necessary S3 permissions. However, the application returns an access denied error. What is the MOST likely cause?

A.The instance profile has not been assigned to the Elastic Beanstalk environment.
B.The S3 bucket policy denies access to the application.
C.The security group assigned to the environment does not allow outbound traffic to S3.
D.The S3 bucket is in a different region and the application is not configured to use the correct region.
AnswerA

The instance profile must be specified in the environment configuration.

Why this answer

Option A is correct because the instance profile must be associated with the EC2 instances launched by Elastic Beanstalk. Option C is incorrect because security groups control network traffic, not S3 permissions; likewise, environment variables are not used for IAM permissions.

Option B is incorrect because a bucket policy is not needed if the instance profile grants access.

1337
Multi-Selecthard

Which THREE of the following are valid methods to enforce encryption at rest for Amazon EBS volumes? (Choose three.)

Select 3 answers
A.Enable EBS encryption by default in the account.
B.Use the AWS CLI to encrypt an existing volume in place.
C.Encrypt the volume when creating it through the AWS Management Console.
D.Attach the volume to an EC2 instance and use OS-level encryption.
E.Create an unencrypted snapshot of the volume, copy it with encryption, and create a new volume from the encrypted snapshot.
AnswersA, C, E

This automatically encrypts all new EBS volumes.

Why this answer

Enabling EBS encryption by default at the account level ensures all new volumes are encrypted. You can also encrypt volumes when creating them via the console or CLI. You cannot encrypt an existing volume directly; you must create a snapshot, copy it with encryption, and create a new volume.

Attaching a volume does not encrypt it.

1338
MCQeasy

A DevOps engineer needs to set up an alert for when the CPU utilization of an EC2 instance exceeds 90% for 5 consecutive minutes. Which CloudWatch features should be used?

A.CloudWatch Logs with a metric filter on CPU utilization logs.
B.CloudTrail to monitor EC2 instance CPU usage.
C.CloudWatch alarm on the CPUUtilization metric with a period of 5 minutes and threshold of 90.
D.Amazon S3 server access logs to check CPU utilization.
AnswerC

Alarms evaluate metrics over time and trigger actions.

Why this answer

Option C is correct because a CloudWatch alarm can monitor a metric and trigger an action when a threshold is breached for a specified period. Option A is wrong because CloudWatch Logs does not directly monitor CPU utilization. Option B is wrong because CloudTrail records API calls, not metrics.

Option D is wrong because S3 does not provide monitoring or alerting.

1339
MCQeasy

A DevOps engineer is tasked with ensuring that all Amazon S3 buckets in the account have server access logging enabled. The engineer needs to be automatically notified when a new bucket is created without logging enabled. Which AWS service should they use?

A.Use AWS CloudTrail to detect CreateBucket API calls and trigger a Lambda function to check logging.
B.Use AWS Trusted Advisor to check S3 bucket logging and send notifications via Amazon SNS.
C.Use Amazon S3 Event Notifications to trigger a Lambda function when a new bucket is created.
D.Use AWS Config with a managed rule to check if S3 bucket logging is enabled, and configure an SNS topic for notifications.
AnswerD

AWS Config evaluates configuration changes in near real time and can trigger notifications.

Why this answer

Option D is correct because AWS Config provides continuous monitoring and evaluation of your AWS resource configurations. By using the managed rule 's3-bucket-server-access-logging-enabled', AWS Config can automatically check all S3 buckets (including newly created ones) for server access logging. When a bucket is non-compliant, AWS Config can trigger an SNS notification to alert the DevOps engineer, meeting the requirement for automatic notification without custom code.

Exam trap

The trap here is that candidates often confuse event-driven services like CloudTrail or S3 Event Notifications with configuration compliance services, mistakenly thinking they can directly detect and react to resource misconfigurations without the need for custom evaluation logic.

How to eliminate wrong answers

Option A is wrong because AWS CloudTrail records API calls but does not evaluate resource configurations; triggering a Lambda function from CloudTrail would require custom code to parse the event and check logging, which is not the most efficient or managed solution. Option B is wrong because AWS Trusted Advisor checks S3 bucket logging only for buckets in the 'S3 Bucket Logging' check, but it does not provide real-time notifications for new bucket creation; it runs periodic checks and requires manual setup or custom automation for alerts. Option C is wrong because Amazon S3 Event Notifications cannot be configured on a bucket that does not exist yet; you cannot set up event notifications for 'new bucket creation' events, as S3 Event Notifications are per-bucket and only support events like object creation or deletion within an existing bucket.

1340
MCQmedium

A team is using AWS CloudFormation to manage infrastructure. They want to implement a change management process where any modifications to the stack must be reviewed and approved. Which feature should they use?

A.Change Sets
B.StackSets
C.Drift Detection
D.Stack Policy
AnswerA

Change Sets allow you to review changes before applying them, enabling an approval workflow.

Why this answer

Option A is correct because Change Sets allow you to preview changes and then execute them after manual approval. Option B is wrong because StackSets manage stacks across accounts/regions, not approval workflows. Option C is wrong because Drift Detection identifies changes but does not prevent them.

Option D is wrong because Stack Policies protect resources but do not enforce an approval process.

1341
MCQhard

Refer to the exhibit. A DevOps engineer runs the describe-target-health command and receives the output shown. The ALB target group has two instances. One instance is healthy, and the other is unhealthy with a 502 error. What is the most likely cause of the 502 error?

A.The security group for the instance does not allow inbound traffic on port 80 from the ALB.
B.The application running on the instance is not responding correctly or has crashed.
C.The instance's route table does not have a route to the internet gateway.
D.The health check path is configured to return a 404 status code.
AnswerB

A 502 Bad Gateway indicates the target closed the connection or the application is faulty.

Why this answer

Option B is correct because a 502 Bad Gateway error from an ALB indicates that the target (EC2 instance) has closed the connection or the application is not responding properly. Common causes include the web server or application crashing, or the target not being able to handle the request. Option A is wrong because security group rules would cause connection timeouts (504) or refused connections, not 502.

Option C is wrong because a missing route would cause network unreachability, not a 502. Option D is wrong because a health check path returning a 404 would result in a 404, not a 502.

1342
MCQhard

A company runs a critical application on EC2 instances behind an Application Load Balancer (ALB). The application uses HTTPS. The security team wants to ensure that all traffic between the ALB and the instances is encrypted. The instances currently use a self-signed certificate for the backend HTTPS listener. The engineer notices that the ALB health checks are failing, and the error message indicates 'TLS handshake failed'. The health check is configured as HTTPS. What should the engineer do to resolve the health check failure while maintaining encryption?

A.Install a valid certificate from AWS Certificate Manager (ACM) on each EC2 instance and configure the ALB target group to use HTTPS with that certificate.
B.Change the health check to use HTTP on port 80 and allow HTTP traffic from the ALB to the instances.
C.Configure the ALB to ignore certificate verification for health checks by setting the health check protocol to HTTPS and enabling 'ignore certificate' option.
D.Disable health checks on the ALB and rely on CloudWatch alarms to detect instance failures.
AnswerA

A valid certificate trusted by the ALB will allow the TLS handshake to succeed.

Why this answer

The ALB health check expects a valid certificate from the target. Self-signed certificates cause health checks to fail unless the ALB is configured to ignore certificate verification.

To fix this, the engineer can either switch the target group's health check to HTTP (while data traffic continues to use HTTPS) or configure the target group to use HTTPS with a certificate that the ALB trusts, such as one from ACM. HTTP health checks are simpler, but they are not encrypted, and the requirement is to maintain encryption.

Installing a trusted certificate (e.g., from ACM) on the instances is more work, but it keeps the health check encrypted and allows the TLS handshake to succeed, so Option A is the best answer.

1343
Multi-Selectmedium

A company is implementing a CI/CD pipeline for a microservices architecture on Amazon ECS. The pipeline must deploy to multiple environments (dev, test, prod) in sequence with manual approval gates between environments. Which two AWS services should be used together to meet these requirements? (Choose TWO.)

Select 2 answers
A.AWS CodePipeline
B.AWS CodeBuild
C.AWS CloudFormation
D.AWS CodeDeploy
E.AWS Elastic Beanstalk
AnswersA, D

CodePipeline orchestrates the pipeline with stages for each environment and approval gates.

Why this answer

Option A (CodePipeline) is correct because it orchestrates the pipeline stages. Option D (CodeDeploy) is correct because it handles the deployment to ECS with blue/green or rolling updates. Option B (CodeBuild) is for building, not deployment.

Option C (CloudFormation) is for infrastructure, not deployment of microservices. Option E (Elastic Beanstalk) is a PaaS service, not suited for ECS microservices.

1344
Multi-Selectmedium

A DevOps team is using AWS CodeBuild to run unit tests and package a Java application. They want to cache the Maven local repository (~/.m2) between builds to improve build times. Which TWO steps are necessary to enable caching in CodeBuild? (Select TWO.)

Select 2 answers
A.Set the MAVEN_OPTS environment variable to use a custom repository path.
B.Configure the buildspec to upload the Maven repository as a build artifact.
C.Enable 'Local cache' mode in the CodeBuild project.
D.Add a 'cache' section in the buildspec file specifying the paths to cache.
E.Create an S3 bucket to store the cache.
AnswersD, E

The buildspec cache section tells CodeBuild which files to cache.

Why this answer

Option E is correct because caching requires an S3 bucket to store the cache. Option D is correct because the buildspec must specify the paths to cache. Option A (setting an environment variable) is not required.

Option C (local cache mode) is a different feature for Docker layer caching. Option B (uploading the repository as a build artifact) is for output artifacts, not caching.

1345
MCQhard

A company has a requirement to store audit logs for 7 years. The logs are currently stored in Amazon S3 and are accessed infrequently. Which storage class provides the lowest cost while meeting the retention requirement?

A.S3 Intelligent-Tiering
B.S3 Standard
C.S3 Glacier Deep Archive
D.S3 One Zone-Infrequent Access
AnswerC

Lowest cost for long-term archival.

Why this answer

S3 Glacier Deep Archive is the lowest-cost storage class for long-term retention of data that is accessed rarely. Option B (S3 Standard) is expensive for long-term storage. Option A (S3 Intelligent-Tiering) may move data between tiers but has monitoring costs.

Option D (S3 One Zone-IA) is not for long-term durability.

1346
MCQeasy

A company's DevOps team is designing a disaster recovery plan for a critical application. The application runs on EC2 instances with an RDS MySQL database. The Recovery Time Objective (RTO) is 15 minutes, and the Recovery Point Objective (RPO) is 1 hour. Which approach BEST meets these requirements?

A.Use backup and restore with daily snapshots stored in S3 and cross-Region replication.
B.Use a multi-Region application with Route 53 latency-based routing and RDS read replicas in the DR Region.
C.Use a warm standby strategy with a scaled-down copy of the production environment in the DR Region, and replicate data using RDS Multi-AZ with synchronous replication.
D.Use a pilot light strategy with EC2 instances stopped and RDS snapshots copied to the DR Region.
AnswerC

Warm standby allows quick failover; synchronous replication meets RPO of 1 hour.

Why this answer

Option C is correct because a warm standby strategy with a scaled-down copy of the production environment in the DR Region, combined with RDS Multi-AZ using synchronous replication, meets the RTO of 15 minutes and RPO of 1 hour. Multi-AZ synchronous replication ensures zero data loss (RPO of seconds) and automatic failover within minutes, while the warm standby environment can be scaled up quickly to handle production traffic, satisfying the RTO.

Exam trap

The trap here is that candidates often confuse Multi-AZ (which is for high availability within a Region) with cross-Region disaster recovery, but the question's RTO/RPO requirements are met by combining Multi-AZ synchronous replication (for near-zero RPO) with a warm standby environment (for fast RTO), not by using asynchronous read replicas or snapshot-based approaches.

How to eliminate wrong answers

Option A is wrong because daily snapshots with cross-Region replication result in an RPO of up to 24 hours, far exceeding the 1-hour requirement, and the restore process takes longer than 15 minutes. Option B is wrong because Route 53 latency-based routing is for active-active traffic distribution, not disaster recovery failover, and RDS read replicas are asynchronous, leading to potential data loss and RPO that can exceed 1 hour during a failure. Option D is wrong because a pilot light strategy with stopped EC2 instances and RDS snapshots copied to the DR Region requires provisioning and restoring from snapshots, which typically takes longer than 15 minutes to become fully operational, and the RPO is limited by snapshot frequency.

1347
MCQmedium

A DevOps team uses AWS CloudFormation to deploy a web application. They want to receive notifications when a stack update fails. Which combination of services should they use?

A.Use AWS Config rules to monitor stack status and trigger an SNS notification.
B.Create a CloudWatch alarm on the CloudFormation stack event metric 'UPDATE_FAILED' and configure an SNS topic to send email notifications.
C.Use Amazon EventBridge to capture CloudFormation events and invoke an AWS Lambda function that sends an email.
D.Enable S3 event notifications on the CloudFormation template bucket and subscribe an SNS topic.
AnswerB

CloudWatch alarms can monitor stack events and trigger SNS notifications directly.

Why this answer

Option B is correct because you can create a CloudWatch alarm on the 'Stack Events' metric for 'UPDATE_FAILED' and send notifications via SNS. Option C is wrong because, although EventBridge can capture CloudFormation events, Lambda cannot send the email without a custom integration, and the question asks for notifications; the simplest approach is a CloudWatch alarm plus SNS.

Option D is wrong because S3 does not trigger on stack events by default.

1348
MCQmedium

A DevOps team is deploying a web application on EC2 instances behind an ALB. The application must authenticate users using an external identity provider (IdP) that supports SAML 2.0. Which solution provides the simplest integration with the ALB?

A.Use Amazon Cognito user pools with SAML federation and integrate with ALB
B.Use AWS CloudFront with Lambda@Edge to validate SAML tokens
C.Install a SAML service provider library on each EC2 instance
D.Configure the ALB to use a SAML identity provider for authentication
AnswerD

ALB natively supports SAML IdP for user authentication.

Why this answer

Option D is correct because the ALB can authenticate users using a SAML IdP. Option A is wrong because Cognito is for user pools, not direct SAML integration with the ALB. Option B is wrong because CloudFront with Lambda@Edge adds complexity.

Option C is wrong because the application itself would need to handle SAML, adding overhead.

1349
MCQeasy

A developer is using AWS CodeCommit as a source repository for a CodePipeline. They want to automatically start the pipeline when changes are pushed to the main branch. What is the simplest way to achieve this?

A.Add a Lambda function that is invoked by CodeCommit triggers, which then starts the pipeline.
B.Configure the pipeline to poll the CodeCommit repository every 5 minutes.
C.Use a webhook from CodeCommit to the pipeline.
D.Create an Amazon EventBridge rule that triggers the pipeline on CodeCommit 'push to main' events.
AnswerD

This is the recommended and simplest method.

Why this answer

Option D is correct because CodePipeline can use Amazon CloudWatch Events (EventBridge) to detect changes in CodeCommit and start the pipeline.

1350
MCQhard

A company is using Amazon CloudWatch Logs to store application logs. The DevOps engineer needs to ensure that log data is encrypted at rest using a customer-managed KMS key. What step must be taken?

A.Use AWS CloudTrail to encrypt the log data before it is sent to CloudWatch Logs.
B.Create a KMS key and apply it to the IAM role used by the application.
C.Create a new KMS customer-managed key and associate it with the CloudWatch Logs log group.
D.Enable server-side encryption on the log group using the default CloudWatch Logs key.
AnswerC

You can associate a CMK with a log group to encrypt logs at rest.

Why this answer

Option C is correct because CloudWatch Logs supports encryption at rest using a customer-managed KMS key, which must be explicitly associated with the log group. When you create or update a log group, you can specify a KMS key ID (via the AWS CLI, SDK, or console) to encrypt all log data stored in that group. This ensures that the log data is encrypted using a key you control, not the default AWS-managed key.

Exam trap

The trap here is that candidates often confuse associating a KMS key with an IAM role (which controls access) with associating it directly with the log group (which controls encryption at rest), leading them to select Option B instead of C.

How to eliminate wrong answers

Option A is wrong because AWS CloudTrail is an auditing service that records API calls, not an encryption mechanism; it cannot encrypt log data before it is sent to CloudWatch Logs. Option B is wrong because applying a KMS key to an IAM role does not encrypt log data at rest; the key must be associated directly with the CloudWatch Logs log group, not with an IAM role. Option D is wrong because enabling server-side encryption with the default CloudWatch Logs key uses an AWS-managed key, not a customer-managed KMS key, which does not meet the requirement for a customer-managed key.
