AWS Certified DevOps Engineer Professional DOP-C02 (DOP-C02) — Questions 76–150

1740 questions total · 24 pages · All types, answers revealed

Page 2 of 24
76
Matching (medium)

Match each AWS compute or container service with its description.

Descriptions

Container orchestration service supporting Docker

Managed Kubernetes service

Serverless compute engine for containers

Serverless, event-driven compute service

Automatically adjusts EC2 capacity based on demand

Why these pairings

These are core compute and container services.

77
MCQ (medium)

A company uses AWS Lambda to process sensitive data stored in Amazon S3. The Lambda function is triggered by S3 object creation events. The security team requires that all data in transit be encrypted using TLS 1.2 or higher. The Lambda function currently uses the AWS SDK to download objects from S3 using HTTP (not HTTPS). The team also needs to ensure that the Lambda function only accesses S3 objects that are encrypted with a specific AWS KMS key. The Lambda execution role already has permissions to decrypt with that KMS key. Which combination of actions should the security team take to meet the requirements?

A. Configure the Lambda function to use HTTPS when calling S3, and add a bucket policy that requires the x-amz-server-side-encryption-aws-kms-key-id header to match the specific KMS key.
B. Configure the Lambda function to use a VPC endpoint for S3, and update the bucket policy to deny requests that do not use TLS 1.2.
C. Enable default encryption on the S3 bucket using the specific KMS key, and update the Lambda function to use the AWS SDK's default client, which uses HTTPS.
D. Place a CloudFront distribution in front of the S3 bucket, and configure the Lambda function to access S3 through CloudFront using HTTPS.
Answer: A

HTTPS ensures encryption in transit; bucket policy with condition on KMS key ensures objects are encrypted with the specified key.

Why this answer

Option B is correct because configuring the S3 client to use HTTPS and setting the endpoint to use TLS 1.2 ensures encryption in transit. Additionally, an S3 bucket policy with a condition that requires the specific KMS key ensures objects are encrypted with that key and restricts access. Option A is incorrect because S3 does not support VPC endpoints for TLS enforcement; VPC endpoints use AWS PrivateLink but do not enforce the TLS version.

Option C is incorrect because CloudFront does not enforce TLS 1.2 by default and adds complexity. Option D is incorrect because enabling default encryption does not enforce TLS 1.2 for connections.

78
MCQ (hard)

A company uses an Application Load Balancer (ALB) to distribute traffic to a set of EC2 instances in an Auto Scaling group. During an incident, the DevOps team notices that the ALB is returning 503 errors. The instances are healthy according to the target group health checks. What is the MOST likely cause?

A. The ALB has no listeners configured.
B. The security group for the ALB is blocking traffic from the clients.
C. The ALB is throttling requests due to a surge.
D. The ALB's surge queue is full, causing it to reject requests.
Answer: D

When the surge queue is full, ALB returns 503, even if targets are healthy.

Why this answer

Option D is correct because 503 errors from an ALB typically indicate that the target group has no healthy instances, or all instances are marked unhealthy. However, the question says instances are healthy according to health checks, so the issue might be that the ALB itself is at capacity (e.g., surge queue full). The most common cause when health checks are passing but 503s persist is that the ALB's connection surge queue is full, often due to too many connections or slow targets.

Option A is wrong because security group rules usually cause timeouts, not 503. Option B is wrong because an ALB with no listeners would return 502 or 504. Option C is wrong because 503 is not a typical throttling response; throttling returns 429.

79
Multi-Select (medium)

Which TWO actions can help protect against accidental deletion of an Amazon S3 bucket? (Select TWO.)

Select 2 answers
A. Enable versioning on the bucket.
B. Enable AWS CloudTrail to log delete events.
C. Enable MFA Delete on the bucket.
D. Configure a lifecycle policy to expire objects.
E. Add a bucket policy that explicitly denies the s3:DeleteBucket action.
Answers: C, E

Requires MFA to delete objects.

Why this answer

Options A (MFA Delete) and D (bucket policy denying s3:DeleteBucket) are correct. MFA Delete requires multi-factor authentication to delete objects. A bucket policy can deny the DeleteBucket action.

Option B is wrong because versioning does not prevent bucket deletion. Option C is wrong because lifecycle policies delete objects, not protect. Option E is wrong because CloudTrail is auditing, not prevention.

80
Multi-Select (hard)

A company uses AWS CodePipeline with multiple stages: Source (CodeCommit), Build (CodeBuild), Test (CodeBuild), and Deploy (CodeDeploy to EC2). The Test stage runs integration tests that require network access to a private database in a VPC. The CodeBuild project is configured to use a VPC. However, the Test stage fails intermittently with timeout errors. Which TWO actions would MOST likely resolve the issue? (Choose 2)

Select 2 answers
A. Remove the VPC configuration from the CodeBuild project and use a public subnet instead.
B. Increase the timeout for the Test stage in the CodeBuild project to accommodate network delays.
C. Ensure the CodeBuild project's VPC configuration includes a NAT gateway for internet access.
D. Use a larger compute type for the CodeBuild project to improve network performance.
E. Configure the security group for the CodeBuild project to allow outbound traffic to the database security group on the required port.
Answers: B, C

Intermittent timeouts may be due to network congestion; increasing timeout provides buffer.

Why this answer

Options A and D are correct. Using a NAT gateway ensures outbound internet access if needed, and increasing the timeout prevents premature timeouts. Option B is incorrect because security groups should be permissive within the VPC.

Option C is incorrect because Subnet IDs are required for VPC configuration. Option E is incorrect because compute type does not affect network.

81
MCQ (medium)

During an incident, an engineer needs to quickly revoke access to a compromised IAM user. Which action should be taken FIRST?

A. Attach an AWS managed policy that explicitly denies all actions (e.g., AWSDenyAll).
B. Delete the IAM user immediately.
C. Disable the user's signing certificates.
D. Rotate the user's access keys.
Answer: A

A deny-all policy takes immediate effect, revoking all permissions.

Why this answer

Option B is correct because attaching a deny-all policy immediately blocks all actions. Option A is wrong because deleting the user may fail if there are dependencies. Option C is wrong because signing certificates are only for programmatic access, not console.

Option D is wrong because rotating keys does not revoke existing sessions.

82
Multi-Select (hard)

A company uses Amazon CloudWatch Logs to store logs from multiple applications. The security team requires that logs are encrypted at rest using a customer-managed KMS key. Additionally, logs must be retained for 7 years for compliance. Which THREE steps should the DevOps engineer take to meet these requirements? (Choose THREE.)

Select 3 answers
A. Set the log group retention policy to 2557 days (7 years).
B. Export logs to Amazon S3 and enable S3 Object Lock with a retention period of 7 years.
C. Create a new log group and specify the KMS key ID in the CloudWatch Logs console or API.
D. Modify the existing log group to use the KMS key by updating the log group settings.
E. Set the log group retention policy to 'Never expire' and use lifecycle policies to transition logs to Amazon S3 Glacier after 30 days.
Answers: A, B, C

Correct: Retention policy can be set to a specific number of days.

Why this answer

Option A is correct because CloudWatch Logs log group retention policies accept values in days, and 7 years equals 2557 days (7 × 365.25, accounting for leap years). Setting this retention policy ensures logs are automatically deleted after the compliance period, meeting the 7-year retention requirement without manual intervention.

Exam trap

The trap here is that candidates may think they can update an existing log group to use a KMS key (Option D), but CloudWatch Logs does not support modifying the encryption key after creation—the key must be set at creation time, and any attempt to change it requires creating a new log group and migrating data.

83
Multi-Select (medium)

A DevOps team is designing a monitoring solution for a multi-tier web application running on AWS. The application consists of an Application Load Balancer, EC2 instances in an Auto Scaling group, and an RDS database. Which TWO approaches provide centralized logging and monitoring across all tiers?

Select 2 answers
A. Enable AWS CloudTrail for all accounts and regions.
B. Configure all services to send logs to Amazon S3 and use Amazon Athena for ad-hoc querying.
C. Use AWS Config rules to monitor configuration changes across resources.
D. Enable VPC Flow Logs to capture network traffic.
E. Deploy the unified CloudWatch agent on all EC2 instances to collect system and application logs.
Answers: B, E

S3 can serve as a central log repository, and Athena can query logs across tiers using SQL.

Why this answer

Options B and D are correct. Option B: The unified CloudWatch agent can collect logs from EC2 instances and send them to CloudWatch Logs, enabling centralized log analysis. Option D: Sending all logs to Amazon S3 and using Amazon Athena to query them provides a cost-effective centralized solution.

Option A is wrong because CloudTrail only records API activity, not application logs. Option C is wrong because AWS Config focuses on resource configuration changes, not operational logs. Option E is wrong because VPC Flow Logs only capture network traffic metadata, not application logs.

84
MCQ (easy)

A startup runs a web application on EC2 instances behind an Application Load Balancer. They want to improve resilience by distributing instances across multiple Availability Zones. Currently, all instances are in us-east-1a. They create a launch template and an Auto Scaling group with a desired capacity of 2. They configure the Auto Scaling group to use two subnets: one in us-east-1a and one in us-east-1b. However, after updating, all instances remain in us-east-1a. What is the most likely reason?

A. The instance type is not available in us-east-1b.
B. The Auto Scaling group's subnet configuration was not updated to include the new subnet.
C. The new subnet in us-east-1b has no route to the internet.
D. The launch template specifies a single subnet in us-east-1a.
Answer: B

The group must have both subnets associated to distribute instances.

Why this answer

An Auto Scaling group distributes instances across the subnets specified for it. If only one subnet is used, it may be because the launch template specifies only one subnet or because the Auto Scaling group's subnets were not updated. The most common cause is that the Auto Scaling group's subnet list still contains only the original subnet.

85
MCQ (medium)

A company runs a microservices architecture on Amazon ECS with Fargate. Services communicate via an internal Application Load Balancer. Recently, one service became unavailable due to a memory leak, causing cascading failures in downstream services. What design change would MOST effectively improve resilience and limit the blast radius?

A. Increase the memory limit for each ECS task to accommodate memory leaks.
B. Implement circuit breaker patterns in the service discovery and client libraries to stop calling unhealthy services.
C. Enable connection draining on the ALB to allow in-flight requests to complete.
D. Implement automatic scaling policies for ECS services based on memory utilization.
Answer: B

Circuit breakers isolate failures and prevent cascading.

Why this answer

Option C is correct because circuit breakers prevent cascading failures by stopping calls to unhealthy services. Option A is wrong because increasing task memory may delay but not prevent the failure. Option B is wrong because, while helpful for scaling, it does not prevent requests from being sent to failing services.

Option D is wrong because connection draining only manages in-flight connections during deregistration, not cascading failures.

86
MCQ (medium)

An application running on Amazon ECS Fargate is experiencing intermittent 503 errors. The task definition sets a soft limit of 512 CPU units and 1024 memory. The errors occur when traffic spikes. Which change is most likely to resolve the issue?

A. Increase the soft CPU limit to 1024 units.
B. Change the soft memory limit to a hard limit.
C. Increase the desired task count in the service.
D. Increase the soft memory limit to 2048 MiB.
Answer: D

Provides more memory, reducing out-of-memory errors.

Why this answer

Option D is correct because increasing the soft memory limit provides more memory to the container, reducing the likelihood of out-of-memory errors causing 503s. Option A is wrong because increasing CPU units may help if the issue is CPU-bound, but memory is more likely the cause of 503 errors. Option B is wrong because increasing desired count helps with load distribution but not if each task is resource-constrained.

Option C is wrong because changing to a hard limit may cause the task to be killed if it exceeds its memory allocation.

87
Multi-Select (medium)

Which TWO actions should a DevOps engineer take to implement a CI/CD pipeline that automatically deploys a containerized application to Amazon ECS using AWS CodePipeline and AWS CodeBuild? (Choose TWO.)

Select 2 answers
A. Use AWS CloudFormation to deploy the ECS service
B. Use AWS CodeDeploy to deploy the container to ECS with a blue/green deployment
C. Store the Docker image in AWS CodeCommit
D. Use CodeBuild to build the Docker image and push it to Amazon ECR
E. Configure CodePipeline to use Amazon ECR as a source for the container image
Answers: D, E

CodeBuild can run docker build and push to ECR as part of the pipeline.

Why this answer

Option D is correct because AWS CodeBuild can be configured to build the Docker image from source code and then push it to Amazon ECR using the `post_build` phase with commands like `docker push`. This is a standard pattern for containerized CI/CD pipelines, as ECR serves as the private registry for storing and versioning container images. Option E is correct because CodePipeline can use Amazon ECR as a source action, which triggers the pipeline automatically when a new image is pushed to the specified repository, enabling continuous deployment to ECS.

Exam trap

The trap here is that candidates often confuse the role of CodeDeploy (which is for EC2/on-premises deployments) with ECS deployment mechanisms, or mistakenly think CodeCommit can store Docker images instead of source code, leading them to select options B or C.

88
MCQ (medium)

A DevOps engineer needs to securely store and automatically rotate database credentials for a web application running on Amazon ECS. Which solution should be used?

A. Use AWS KMS to generate and rotate a data key for encrypting the credentials in a file on ECS.
B. Store the credentials in AWS Systems Manager Parameter Store as a SecureString. Use a Lambda function to rotate them.
C. Store the credentials in AWS Secrets Manager and configure rotation. Grant the ECS task IAM role permission to retrieve the secret.
D. Use AWS Certificate Manager to store the credentials as a certificate.
Answer: C

Secrets Manager supports automatic rotation and ECS can retrieve secrets.

Why this answer

AWS Secrets Manager can store database credentials and automatically rotate them on a schedule. The ECS task can retrieve the credentials using the Secrets Manager secret. Option A is correct.

Option B (SSM Parameter Store) can store secrets but does not support automatic rotation. Option C (AWS KMS) is for encryption keys, not credential rotation. Option D (AWS Certificate Manager) is for SSL/TLS certificates.

89
MCQ (hard)

A company runs an application on EC2 with a shared Elastic IP. The instance fails and an engineer manually attaches the Elastic IP to a standby instance. To automate this failover, which service should be used?

A. Use an Auto Scaling group with a lifecycle hook
B. AWS Elastic Beanstalk
C. CloudWatch Events with a Lambda target
D. Configure a second Elastic IP
Answer: C

CloudWatch Events with a Lambda target can react to health check failures and reassociate the Elastic IP.

Why this answer

AWS Route 53 health checks can trigger a Lambda function to reassociate the Elastic IP. Option A is wrong because it's a manual feature. Option B is wrong because CloudWatch cannot directly reassociate EIP.

Option D is wrong because ASG does not manage Elastic IPs.

90
Multi-Select (hard)

A company runs a critical application on AWS that uses an Auto Scaling group of EC2 instances. The application must remain available even if an entire Availability Zone fails. Which THREE actions should the company take?

Select 3 answers
A. Configure an ALB health check to automatically replace unhealthy instances.
B. Use a single instance in each Availability Zone to minimize cost.
C. Use multiple subnets in each Availability Zone for the instances.
D. Configure the Auto Scaling group to launch instances in at least two Availability Zones.
E. Use an Elastic Load Balancer (ELB) to distribute traffic across the instances in different AZs.
Answers: A, D, E

Health checks ensure replacement of failed instances.

Why this answer

Options A, B, and D are correct. Using multiple AZs ensures AZ failure tolerance; an ELB distributes traffic across AZs; an ALB health check ensures unhealthy instances are replaced. Option C is wrong because a single instance in each AZ is not resilient to the failure of one AZ.

Option E is wrong because a single subnet per AZ is sufficient; multiple subnets per AZ are not required for resilience.

91
Multi-Select (easy)

A company uses AWS CodeCommit for source control. Developers need to automatically run tests on every push to a feature branch, but only if the push includes changes to the 'src/' directory. Which TWO AWS services can be used together to achieve this?

Select 2 answers
A. Amazon CloudWatch Logs
B. AWS CodePipeline
C. AWS CodeDeploy
D. AWS Lambda
E. AWS CodeBuild
Answers: B, D

CodePipeline can start on a CodeCommit push with path filters.

Why this answer

CodeCommit can trigger AWS Lambda via CloudWatch Events or via Amazon EventBridge. The Lambda function can check the commit details for changes in the 'src/' directory and then trigger CodeBuild to run tests. Alternatively, CodePipeline can be configured with a source trigger on the feature branch and a filter for path changes.

Option B (Lambda) and Option D (CodePipeline) are correct. Option A is wrong because CodeDeploy is for deployment, not testing. Option C is wrong because CloudWatch Logs is for log storage.

Option E is wrong because CodeBuild alone cannot listen to CodeCommit events.

92
Multi-Select (hard)

Which THREE are features of AWS Key Management Service (KMS) that help with compliance requirements? (Choose 3)

Select 3 answers
A. Automatic password generation for databases.
B. Automatic key rotation every year (optional).
C. Key policies to control access to keys.
D. Integration with AWS CloudTrail for auditing key usage.
E. Automatic deletion of keys after a specified period.
Answers: B, C, D

Automated rotation helps meet compliance requirements for cryptographic key lifecycle.

Why this answer

Option B is correct because AWS KMS supports optional automatic annual key rotation for customer managed keys. This helps meet compliance frameworks (e.g., PCI DSS, SOC, HIPAA) that require periodic cryptographic key rotation to limit the amount of data encrypted under a single key. When enabled, KMS automatically rotates the key material once per year, creating a new backing key while retaining the old one for decryption of previously encrypted data.

Exam trap

The trap here is that candidates confuse KMS key rotation with the automatic deletion or expiry of keys, or they mistakenly associate KMS with password generation features that belong to other AWS services like Secrets Manager.

93
MCQ (medium)

A DevOps engineer needs to encrypt data at rest in an Amazon S3 bucket that stores sensitive customer information. The company requires that the encryption key be managed by AWS and rotated automatically. Which encryption option should be used?

A. Server-side encryption with customer-provided keys (SSE-C)
B. Server-side encryption with AWS KMS managed keys (SSE-KMS) using a customer-managed key
C. Client-side encryption with an AWS KMS managed key
D. Server-side encryption with Amazon S3 managed keys (SSE-S3)
Answer: D

SSE-S3 uses AWS-managed keys with automatic rotation.

Why this answer

SSE-S3 uses AWS-managed keys and automatically rotates them, meeting the requirement. Option A (SSE-C) requires customer-managed keys and no automatic rotation. Option B (SSE-KMS with customer-managed key) does not automatically rotate unless configured.

Option D (client-side encryption) does not use AWS-managed keys.

94
MCQ (easy)

A company runs a web application on EC2 instances behind an Application Load Balancer (ALB). The application stores session state in an RDS MySQL database. During a recent spike in traffic, the database CPU utilization reached 100%, causing slow responses. To improve resilience, what should a DevOps engineer do?

A. Migrate session state to Amazon ElastiCache for Memcached.
B. Increase the RDS instance size and enable Multi-AZ deployment.
C. Migrate session state to Amazon ElastiCache for Redis with replication.
D. Configure Auto Scaling groups for the EC2 instances based on CPU utilization.
Answer: C

Redis provides a resilient, in-memory session store that offloads the database and can handle high traffic with replication.

Why this answer

Option C is correct because Amazon ElastiCache for Redis provides a low-latency, in-memory session store that offloads the database, improving resilience under load. Option A (scaling RDS) only addresses database capacity, not offloading session state. Option B (ElastiCache Memcached) is possible but Redis is more commonly used for session state with persistence and replication.

Option D (Auto Scaling groups) does not address the database bottleneck.

95
MCQ (hard)

A company uses AWS CodeDeploy to deploy a web application to an Auto Scaling group. The deployment fails because the new instances cannot connect to the database. The previous deployment succeeded. The DevOps engineer checks the CodeDeploy deployment configuration and finds that the deployment uses the 'CodeDeployDefault.AllAtOnce' configuration. What is the MOST likely cause of the failure?

A. The load balancer health check is misconfigured, causing new instances to be deregistered.
B. The deployment group is not configured to handle traffic routing, causing a routing loop.
C. The security group for the Auto Scaling group was updated during deployment, blocking database access.
D. The deployment replaced all instances at once, causing a temporary loss of connectivity if the new application version has incompatible changes.
Answer: D

AllAtOnce can cause full outage if changes are not backward compatible.

Why this answer

The 'CodeDeployDefault.AllAtOnce' deployment configuration causes CodeDeploy to attempt to deploy the new application revision to all instances in the Auto Scaling group simultaneously. If the new application version contains incompatible changes—such as a database schema mismatch, altered connection strings, or missing environment variables—all instances will fail at the same time, resulting in a complete loss of connectivity to the database. This contrasts with a rolling or canary deployment, which would limit the blast radius by updating only a subset of instances at a time.

Exam trap

The trap here is that candidates may assume the failure is due to a misconfiguration (like security groups or health checks) rather than recognizing that the deployment strategy itself—replacing all instances at once—amplifies the impact of any application-level incompatibility.

How to eliminate wrong answers

Option A is wrong because a misconfigured load balancer health check would cause instances to be deregistered from the target group, but the failure described is that new instances cannot connect to the database—a connectivity issue, not a registration issue. Option B is wrong because CodeDeploy deployment groups do not handle traffic routing in a way that creates routing loops; traffic routing is managed by the load balancer, and a routing loop would affect all traffic, not just database connections. Option C is wrong because security groups are not updated automatically during a CodeDeploy deployment; the engineer would have to manually modify them, and the question states the previous deployment succeeded, implying no security group changes occurred.

96
MCQ (medium)

A company uses AWS Lambda functions behind an Amazon API Gateway REST API. The DevOps team wants to monitor the end-to-end latency of API requests, including the time spent in API Gateway and Lambda. Which approach provides the most granular breakdown?

A. Enable Lambda Insights to get per-request latency breakdown.
B. Enable AWS X-Ray tracing on API Gateway and Lambda.
C. Enable VPC Flow Logs to capture network round-trip times.
D. Use CloudWatch metrics for API Gateway and Lambda, then add them together.
Answer: B

X-Ray provides end-to-end tracing with detailed segment times.

Why this answer

Option D is correct because AWS X-Ray provides tracing that shows the time spent in each component (API Gateway, Lambda, downstream calls) with detailed segments and subsegments. Option A is wrong because CloudWatch metrics give aggregate latency but no breakdown. Option B is wrong because Lambda Insights provides OS-level metrics, not request tracing.

Option C is wrong because VPC Flow Logs capture network traffic, not application latency.

97
MCQ (medium)

A large enterprise is using AWS CloudFormation to manage their infrastructure. They have a master template that orchestrates nested stacks for different components: VPC, application, and database. The VPC stack creates subnets, route tables, and security groups. The application stack creates EC2 instances and an Application Load Balancer. The database stack creates an RDS instance. The master template uses parameters to pass configuration values. Recently, when updating the application stack, the update failed because the security group ID from the VPC stack changed, and the application stack references the old security group ID. The team wants to ensure that when the VPC stack is updated, dependent stacks are automatically updated to use the new outputs. Which approach should they take?

A. Use the Fn::ImportValue intrinsic function in the application stack to import the security group ID from the VPC stack's exports.
B. Use the Fn::GetAtt intrinsic function in the application stack to directly reference the security group from the VPC stack.
C. Hardcode the security group ID in the application template to avoid changes.
D. Configure the master template to automatically update all nested stacks whenever any output changes.
Answer: A

Fn::ImportValue allows stacks to reference exported outputs from other stacks.

Why this answer

Option B is correct because using Fn::ImportValue to import exported outputs from other stacks ensures that the dependent stack always gets the latest value. Option A is wrong because hardcoding is error-prone. Option C is wrong because CloudFormation does not automatically update nested stacks when parent outputs change; the parent stack must be updated.

Option D is wrong because cross-stack references using Fn::ImportValue are the recommended pattern.

98
MCQ (medium)

A company wants to centralize IAM user management across multiple AWS accounts. The company currently uses individual IAM users in each account. What is the BEST practice for centralized access control?

A. Use AWS Organizations and AWS IAM Identity Center (AWS SSO) to manage users centrally.
B. Create the same IAM users in each account with identical permissions.
C. Create IAM roles in each account and allow cross-account access from a central account.
D. Use IAM federation with an external identity provider and assign permissions based on SAML attributes.
Answer: A

IAM Identity Center provides centralized user management and SSO.

Why this answer

Option B is correct because AWS Organizations with IAM Identity Center allows centralized user management and single sign-on. Option A is wrong because cross-account roles require individual user management. Option C is wrong because sharing IAM users across accounts is not supported.

Option D is wrong because federation alone does not centralize user management.

99
MCQ (hard)

A company uses AWS Config to track resource changes. They want to automatically remediate non-compliant security group rules that allow public SSH access. What is the MOST effective approach?

A. Set up an AWS Config rule that triggers a Lambda function to remove the SSH rule.
B. Use Amazon CloudWatch Events to detect the change and invoke a Lambda function.
C. Use AWS Service Catalog to enforce security group templates.
D. Create an AWS Config rule with an automatic remediation action using AWS Systems Manager Automation.
Answer: D

Config remediation can run an SSM Automation document to remove the rule.

Why this answer

Option A is correct because AWS Config remediation with SSM Automation can automatically modify security group rules. Option B is wrong because AWS Config rules only evaluate, not remediate. Option C is wrong because CloudWatch Events cannot directly modify security groups.

Option D is wrong because Service Catalog is for provisioning, not remediation.

100
Multi-Select (medium)

A company is designing a secure CI/CD pipeline. Which TWO actions should be taken to protect secrets (e.g., API keys) used in the pipeline? (Choose TWO.)

Select 2 answers
A. Encrypt secrets with AWS KMS and store the encrypted value in the source code
B. Store secrets in AWS Secrets Manager
C. Use IAM roles to grant the CI/CD service access to secrets
D. Store secrets in plaintext in the buildspec file
E. Pass secrets as environment variables in the build
Answers: B, C

Secrets Manager provides secure storage and rotation.

Why this answer

AWS Secrets Manager stores and rotates secrets securely. IAM roles should be used to grant access to secrets without hardcoding. Storing secrets in buildspec or environment variables is insecure.

Using KMS to encrypt secrets is good, but the question asks for TWO best practices: using Secrets Manager and IAM roles.

101
MCQ (easy)

A company uses AWS CodeBuild to build and test code. They need to securely store sensitive parameters, such as database passwords, and inject them into the build process. Which AWS service should they use?

A. Storing them in the CodeBuild project environment variables
B. AWS Secrets Manager
C. AWS Key Management Service (KMS)
D. AWS Systems Manager Parameter Store
Answer: D

Parameter Store can securely store configuration data and secrets, and CodeBuild can reference them.

Why this answer

AWS Systems Manager Parameter Store is designed to store configuration data and secrets securely. Option D is correct. Option A is incorrect because Secrets Manager can also store secrets but is more expensive and not necessary for simple build parameters.

Option B is incorrect because KMS is a key management service, not a parameter store. Option C is incorrect because CodeBuild does not store secrets natively.

102
Multi-Select (easy)

A startup runs a stateless web application on AWS Elastic Beanstalk with a single environment. The application uses an Amazon RDS for MySQL database instance. The startup is preparing for a marketing campaign that is expected to increase traffic by 10x. The CTO is concerned about the application's ability to handle the load and wants to ensure high availability and resilience. The current architecture has a single RDS instance (db.t3.medium) and a single Elastic Beanstalk environment with one EC2 instance (t3.medium). The startup has a limited budget but wants to improve resilience without over-provisioning. Which combination of actions should the DevOps engineer recommend? (Choose THREE.)

Select 3 answers
A.Add an Amazon ElastiCache cluster to cache frequent database queries.
B.Use dedicated instances for the EC2 instances to ensure consistent performance.
C.Switch the Elastic Beanstalk environment to a load-balanced, auto-scaled environment with a minimum of 2 instances across 2 Availability Zones.
D.Enable Multi-AZ deployment for the RDS instance to provide a standby in another AZ.
E.Add Amazon RDS Proxy in front of the RDS instance to handle connection pooling.
AnswersC, D, E

Provides compute resilience and scalability.

Why this answer

Option C is correct because Elastic Beanstalk can be configured as a load-balanced, auto-scaled environment spanning Availability Zones. Option D is correct because Multi-AZ RDS provides high availability for the database. Option E is correct because RDS Proxy helps manage connections efficiently during traffic spikes.

Option B (dedicated instances) is costly and not necessary. Option A (ElastiCache) adds cost; focus on core resilience first.

103
MCQmedium

A company uses AWS CloudFormation to manage infrastructure. The DevOps engineer wants to ensure that stack updates are rolled back if a new Amazon RDS instance fails to be created. Which CloudFormation feature should the engineer use?

A.Use a WaitCondition and a WaitHandle to pause creation
B.Set the RDS instance's DeletionPolicy to Retain
C.Define a StackPolicy that denies updates to the RDS instance
D.Add a CreationPolicy to the RDS instance with a timeout
AnswerD

CreationPolicy monitors resource creation and triggers rollback on failure.

Why this answer

Option D is correct because a CreationPolicy with a timeout ensures that the resource is fully created before CloudFormation continues; if creation fails, the stack rolls back. Option C is incorrect because a StackPolicy only prevents updates to specific resources. Option A is incorrect because a WaitCondition is used for external signals, not for resource creation.

Option B is incorrect because DeletionPolicy: Retain does not force a rollback if creation fails.

104
MCQeasy

The CloudFormation template in the exhibit deploys an S3 bucket with a bucket policy. After deployment, the DevOps team discovers that the bucket is publicly accessible. Which change should be made to prevent public access while allowing only authenticated users from a specific AWS account to read objects?

A.Enable AWS Organizations to block public access
B.Change the Principal to the AWS account ID of the allowed account
C.Change the Principal to "*" and add a condition for aws:SourceIp
D.Set the bucket's 'BlockPublicAccess' property to true
AnswerB

Restricts access to a specific account.

Why this answer

Option B is correct because restricting the Principal to a specific AWS account prevents public access. Option C is wrong because public access remains enabled by Principal "*". Option A is wrong because blocking public access at the organization or account level is an alternative, but the question asks to change the template.

Option D is wrong because blocking public access on the bucket is another approach, but the template change to the bucket policy is what is required.

105
MCQhard

A company runs a microservices architecture on Amazon ECS with Fargate launch type. Each microservice is deployed using AWS CodePipeline with a source stage from CodeCommit, a build stage in CodeBuild, and a deploy stage that updates the ECS service. The team wants to implement a blue/green deployment strategy to reduce downtime and enable quick rollbacks. Which combination of AWS services and configurations should be used?

A.Use AWS CloudFormation with a 'DeploymentPreference' set to 'BlueGreen' for the ECS service.
B.Use AWS CodeDeploy with a deployment group configured for blue/green deployment, and an Application Load Balancer (ALB) to shift traffic between the blue and green target groups.
C.Use the ECS service's built-in rolling update with a 'minimumHealthyPercent' of 100 and 'maximumPercent' of 200.
D.Configure the ECS service with an 'AutoScaling' policy that replaces instances gradually.
AnswerB

CodeDeploy integrates with ECS and ALB to perform blue/green deployments with traffic shifting.

Why this answer

Option B is correct because CodeDeploy supports blue/green deployments for ECS with Fargate, using an Application Load Balancer (ALB) to shift traffic between the blue and green target groups. Option C is incorrect because the ECS rolling update does not provide blue/green natively without CodeDeploy. Option A is incorrect because CloudFormation does not provide blue/green traffic shifting for ECS.

Option D is incorrect because ECS service auto scaling does not control the deployment strategy.

106
MCQeasy

A DevOps team is deploying a new web application on AWS Elastic Beanstalk. They want to monitor the application's health and receive notifications when the environment's health status changes to 'Degraded' or 'Severe'. What is the simplest way to achieve this?

A.Use the Elastic Beanstalk management console to manually check the health status twice a day.
B.Create a CloudWatch alarm on the 'EnvironmentHealth' metric published by the Elastic Beanstalk environment.
C.Write a custom script that polls the Elastic Beanstalk DescribeEnvironmentHealth API and sends an email using Amazon SES.
D.Configure an AWS CloudTrail trail to monitor Elastic Beanstalk API calls and create a CloudWatch alarm on the trail.
AnswerB

Elastic Beanstalk publishes health metrics to CloudWatch; an alarm can trigger notifications.

Why this answer

Option B is correct because Elastic Beanstalk automatically publishes environment health metrics to CloudWatch, and you can create an alarm on them. Option D is wrong because CloudTrail records API calls, not health. Option A is wrong because relying on the Elastic Beanstalk console is not automated.

Option C is wrong because a custom polling script adds unnecessary complexity.

107
Multi-Selectmedium

A company uses AWS CloudTrail to log API calls. The security team needs to be alerted when an IAM user performs a ConsoleLogin event from an IP address outside the corporate network. Which TWO steps should be taken to achieve this? (Choose TWO.)

Select 2 answers
A.Create a CloudWatch Events rule that matches ConsoleLogin and publishes to an SNS topic.
B.Create an AWS Config rule to detect ConsoleLogin.
C.Configure S3 event notifications on the CloudTrail bucket.
D.Use CloudWatch Logs Insights to query for ConsoleLogin events.
E.Enable CloudTrail to log management events.
AnswersA, E

Real-time alerting based on event pattern.

Why this answer

Option E is correct because CloudTrail must log management events for ConsoleLogin to be recorded. Option A is correct because a CloudWatch Events rule can filter for the ConsoleLogin event and check the source IP address, then trigger an SNS notification. Option D is wrong because CloudWatch Logs Insights is used for querying logs, not for real-time alerting.

Option C is wrong because S3 events are not triggered by CloudTrail log delivery. Option B is wrong because Config rules are for resource configuration, not API call events.
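As an added illustration of the rule described in this answer (not part of the question bank), the following Python models the event pattern a CloudWatch Events rule would use to select ConsoleLogin events and the source-IP check that the rule's target would apply before publishing to SNS. The corporate CIDR ranges and the sample events are constructed placeholders, and the target is assumed to be a Lambda function.

```python
import ipaddress

# Event pattern in the shape a CloudWatch Events / EventBridge rule uses to
# select console sign-in events delivered through CloudTrail. The field names
# are the ones these events carry; the corporate ranges are constructed
# placeholders for this example.
CONSOLE_LOGIN_PATTERN = {
    "source": ["aws.signin"],
    "detail-type": ["AWS Console Sign In via CloudTrail"],
    "detail": {"eventName": ["ConsoleLogin"]},
}

CORPORATE_CIDRS = ["203.0.113.0/24", "198.51.100.0/24"]  # constructed


def matches_pattern(event: dict, pattern: dict) -> bool:
    """Subset of EventBridge pattern semantics: every key in the pattern must be
    present in the event; a list of literals matches when the event value equals
    any of them; a nested dict is matched recursively."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches_pattern(actual, expected):
                return False
        elif actual not in expected:
            return False
    return True


def is_outside_corporate_network(ip: str, cidrs=CORPORATE_CIDRS) -> bool:
    """True when the address falls in none of the corporate ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in ipaddress.ip_network(cidr) for cidr in cidrs)


def should_alert(event: dict) -> bool:
    """The rule selects ConsoleLogin events; this is the extra check the rule's
    target (assumed here to be a Lambda function publishing to SNS) applies so
    that only IAM-user sign-ins from outside the corporate ranges alert."""
    if not matches_pattern(event, CONSOLE_LOGIN_PATTERN):
        return False
    detail = event["detail"]
    if detail.get("userIdentity", {}).get("type") != "IAMUser":
        return False
    return is_outside_corporate_network(detail["sourceIPAddress"])


def sample_event(ip: str, identity_type: str = "IAMUser",
                 event_name: str = "ConsoleLogin") -> dict:
    """Constructed event in the envelope shape a rule target receives."""
    return {
        "source": "aws.signin",
        "detail-type": "AWS Console Sign In via CloudTrail",
        "detail": {
            "eventName": event_name,
            "eventSource": "signin.amazonaws.com",
            "sourceIPAddress": ip,
            "userIdentity": {"type": identity_type, "userName": "alice"},
        },
    }


if __name__ == "__main__":
    for ev in (sample_event("192.0.2.44"), sample_event("203.0.113.9"),
               sample_event("192.0.2.44", identity_type="Root")):
        d = ev["detail"]
        print(d["sourceIPAddress"], d["userIdentity"]["type"],
              "ALERT" if should_alert(ev) else "ok")
```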

108
MCQmedium

A DevOps team is designing a deployment pipeline for a microservices application on Amazon ECS using AWS CodePipeline. They want to implement a canary deployment strategy where a small percentage of traffic is routed to the new version before fully promoting it. Which AWS service or feature should they use to achieve this?

A.Amazon ECS Service Auto Scaling
B.AWS CodeDeploy with ECS blue/green deployment
C.Amazon Route 53 weighted routing
D.AWS App Mesh with traffic shifting
AnswerB

Why this answer

AWS CodeDeploy with ECS blue/green deployment is the correct choice because it natively supports canary traffic shifting for Amazon ECS services. When integrated with AWS CodePipeline, CodeDeploy can route a small percentage of traffic (e.g., 10%) to the new task set, monitor it with CloudWatch alarms, and then automatically shift the remaining traffic after a specified interval. This is the only option that directly provides the canary deployment lifecycle within the ECS and CodePipeline context.

Exam trap

The trap here is that candidates often confuse Route 53 weighted routing (which operates at the DNS level and cannot shift traffic within a single ECS service) with the application-level traffic shifting needed for canary deployments, or they assume App Mesh is required when CodeDeploy already provides the native integration.

Why the other options are wrong

A

Auto Scaling adjusts the number of tasks, not traffic shifting between versions.

C

Route 53 can distribute traffic across multiple endpoints, but it's not the native way for ECS service deployments.

D

App Mesh provides traffic splitting, but ECS natively integrates with CodeDeploy for canary deployments.

109
MCQeasy

A company uses AWS Systems Manager to manage a fleet of EC2 instances. The operations team needs to run a script on all instances that are missing a specific security patch. Which Systems Manager capability should be used to accomplish this?

A.Automation
B.State Manager
C.Run Command
D.Patch Manager
AnswerB

State Manager can maintain desired state of instances, including running scripts to remediate missing patches.

Why this answer

State Manager is the correct capability because it is designed to maintain consistent configuration of EC2 instances by defining and enforcing a desired state. In this scenario, the operations team needs to ensure that all instances missing a specific security patch are brought into compliance, which is a classic desired-state management task. State Manager uses associations to define the desired state (e.g., a script to apply the patch) and automatically enforces it on a schedule or on-demand, making it ideal for ensuring all instances eventually reach the patched state.

Exam trap

The trap here is that candidates often confuse State Manager with Run Command, but State Manager is for ongoing state enforcement and compliance, while Run Command is for one-time, ad-hoc execution without any state tracking.

How to eliminate wrong answers

Option A is wrong because Automation is used for performing complex, multi-step workflows (e.g., AMI creation, instance recovery) and is not designed for ongoing state enforcement or running scripts on a fleet based on missing patches. Option C is wrong because Run Command executes scripts or commands on instances on-demand without any state tracking or enforcement; it does not check for missing patches or ensure compliance over time. Option D is wrong because Patch Manager is specifically for scanning and applying OS patches using predefined patch baselines, not for running custom scripts; it cannot execute arbitrary scripts to address a specific missing patch.

110
MCQeasy

A company uses AWS Elastic Beanstalk to deploy web applications. The DevOps team wants to implement a blue/green deployment strategy to minimize downtime. Which Elastic Beanstalk feature should be used?

A.Rolling update
B.Canary deployment
C.Environment URL swap
D.Immutable update
AnswerC

Swapping URLs between two environments implements blue/green.

Why this answer

Option C is correct because Elastic Beanstalk supports blue/green deployments by swapping environment URLs between two environments. Option A (Rolling update) updates instances incrementally, not blue/green. Option D (Immutable update) creates a new Auto Scaling group but does not swap URLs.

Option B (Canary deployment) is not supported natively in Elastic Beanstalk; it is for Lambda.

111
Multi-Selectmedium

Which THREE actions should a DevOps team take to ensure a CI/CD pipeline using AWS CodePipeline is secure? (Choose three.)

Select 3 answers
A.Require multi-factor authentication (MFA) for pipeline executions.
B.Use AWS KMS to encrypt artifacts in the pipeline.
C.Use AWS CodePipeline with a customer-managed S3 bucket for artifacts and restrict bucket access.
D.Enable pipeline-level IAM permissions to restrict who can modify the pipeline.
E.Enable AWS CloudTrail to log pipeline executions.
AnswersB, C, D

Encrypts sensitive data in transit and at rest.

Why this answer

Options B, C, and D are correct. Option D prevents unauthorized changes to the pipeline. Option B encrypts artifacts.

Option C ensures secure artifact storage. Option E is wrong because CloudTrail is for auditing, not pipeline security directly. Option A is wrong because MFA is for user access, not pipeline actions.

112
MCQmedium

A company uses AWS Elastic Beanstalk to deploy a web application. They want to ensure that configuration changes (e.g., environment variables, instance type) are version-controlled and can be rolled back. Which strategy should they use?

A.Use AWS CloudFormation to manage the Beanstalk environment outside of Beanstalk.
B.Use Elastic Beanstalk saved configurations to store environment settings.
C.Store configuration in a configuration file (e.g., .ebextensions) included with the application source code.
D.Manually change environment configuration using the Elastic Beanstalk console when needed.
AnswerC

Configuration files are versioned with the source code, enabling rollback.

Why this answer

Option C is correct because a configuration file (e.g., .ebextensions) stored in the application source bundle allows the configuration to be versioned along with the code. Option B is wrong because saved configurations are not tied to a specific application version. Option D is wrong because manually changing settings via the console is not version-controlled.

Option A is wrong because CloudFormation is not natively integrated with Beanstalk for this purpose.

113
MCQhard

A team uses AWS CodePipeline with multiple stages: Source, Build, Test, and Deploy. The Test stage runs integration tests against a staging environment. Occasionally, the tests fail due to environment issues, not code issues. The team wants to automatically retry the Test stage up to two times if it fails, but not the Deploy stage. How can this be achieved?

A.Create a CloudWatch Events rule that triggers a Lambda function to retry the failed stage.
B.Configure the Retry setting in the Test stage's action configuration.
C.Enable the 'Retry on failure' option in the CodePipeline pipeline settings.
D.Use AWS Step Functions to orchestrate the pipeline and implement retries.
AnswerB

CodePipeline supports per-stage retry configuration.

Why this answer

Option B is correct because CodePipeline allows configuring retry on a per-stage basis in the pipeline structure. Option C is wrong because there is no global retry setting. Option D is wrong because Step Functions would add complexity and is not native.

Option A is wrong because CloudWatch Events can trigger retries, but not in a simple way; the native retry is simpler.

114
MCQmedium

A company uses AWS CodeDeploy to deploy a web application to an Auto Scaling group of Amazon EC2 instances. The deployment fails with the error 'The overall deployment failed because too many individual instances failed deployment, too few healthy instances are available for deployment, or some instances in your deployment group are experiencing problems.' The application is deployed to the instances using an in-place deployment. The instances are running Amazon Linux 2. What should the DevOps engineer check first?

A.Check the security group rules for the EC2 instances.
B.Check the application's port availability.
C.Verify that the AWS CodeDeploy agent is installed and running on each EC2 instance.
D.Verify that the IAM instance profile associated with the instances has the correct permissions.
AnswerC

Without the agent, the instance cannot receive deployment instructions.

Why this answer

Option C is correct because the CodeDeploy agent must be installed and running on the instances; if it is not, the deployment fails. Option A is wrong because security groups affect network access, not the agent.

Option D is wrong because IAM instance profile permissions are needed, but the agent must be running to use them. Option B is wrong because the application port is not directly related to the agent.

115
Multi-Selecthard

A DevOps team is designing a CI/CD pipeline that deploys a web application on Amazon ECS. The application must be compliant with PCI DSS, which requires encryption of data at rest and in transit, and logging of all access. Which THREE actions should the team implement to meet these requirements? (Choose THREE.)

Select 3 answers
A.Enable AWS CloudTrail and Amazon ECS logs to capture all API calls and container logs.
B.Store database credentials in AWS Systems Manager Parameter Store.
C.Use VPC endpoints to access ECS and ECR APIs.
D.Enable ECS task definition encryption using AWS KMS for environment variables and sensitive data.
E.Configure an Application Load Balancer (ALB) with an HTTPS listener using an SSL/TLS certificate.
AnswersA, D, E

Logging is required for auditing access.

Why this answer

Option A is correct because AWS CloudTrail captures all API calls to the AWS environment, providing an audit trail of who accessed what and when, which is required for PCI DSS logging. Amazon ECS logs (via CloudWatch Logs or FireLens) capture container-level access and application logs, ensuring comprehensive logging of all access to the application and underlying infrastructure.

Exam trap

The trap here is that candidates often confuse security best practices (like storing secrets in Parameter Store or using VPC endpoints) with mandatory compliance actions for encryption and logging, leading them to select options that are helpful but not directly required by PCI DSS for the specific three actions.

116
Multi-Selecteasy

A company uses AWS CodeBuild to run unit tests. The buildspec.yaml file includes commands to install dependencies and run tests. Which TWO environment variables are automatically set by CodeBuild and can be used in the build commands? (Choose TWO.)

Select 2 answers
A.CODEBUILD_SRC_DIR
B.AWS_REGION
C.CODEBUILD_BUILD_ID
D.CODEBUILD_BUILD_NUMBER
E.CI
AnswersA, C

This is automatically set to the source directory.

Why this answer

Options A and C are correct. CODEBUILD_SRC_DIR and CODEBUILD_BUILD_ID are automatically set by CodeBuild. Option B is wrong because AWS_REGION is automatically set, but it is an AWS CLI environment variable, not specific to CodeBuild.

Option D is wrong because CODEBUILD_BUILD_NUMBER is not an automatic environment variable; it is exposed but not automatically set. Option E is wrong because CI is not automatically set by CodeBuild.

117
Multi-Selecteasy

A DevOps engineer is designing a monitoring solution for a multi-tier web application hosted on AWS. The application consists of an Application Load Balancer (ALB), a fleet of EC2 instances in an Auto Scaling group, and an Amazon RDS database. The engineer needs to monitor the health of each component and receive alerts when any component becomes unhealthy. Which of the following CloudWatch metrics should the engineer monitor? (Select THREE.)

Select 3 answers
A.RDS's ReadLatency metric.
B.Application Load Balancer's RequestCount metric.
C.EC2's StatusCheckFailed metric.
D.Application Load Balancer's HealthyHostCount metric.
E.RDS's DatabaseConnections metric.
AnswersC, D, E

Detects instance-level issues like hardware or software problems.

Why this answer

Option D is correct because ALB's HealthyHostCount indicates how many targets are healthy. Option C is correct because EC2's StatusCheckFailed (instance status) detects underlying issues. Option E is correct because RDS's DatabaseConnections can indicate if the database is overwhelmed.

Option B (ALB's RequestCount) measures traffic, not health. Option A (RDS's ReadLatency) is a performance metric, not a direct health indicator.

118
MCQhard

An application running on an EC2 instance in a private subnet needs to access an S3 bucket. The instance has an IAM role with S3 access. However, the application is failing with timeout errors. The security group allows all outbound traffic, and the NACL allows outbound ephemeral ports. What is the most likely cause?

A.No VPC endpoint for S3
B.Missing route in the route table to an Internet Gateway
C.IAM role does not have correct trust policy
D.Missing HTTP proxy configuration
AnswerA

A VPC endpoint enables private connectivity to S3 from a private subnet.

Why this answer

Option A is correct because a VPC endpoint for S3 (Gateway or Interface) is needed for private subnet access to S3 without NAT. Option B is wrong because the route table is not typically the issue for S3 access via an Internet Gateway. Option C is wrong because the IAM role is already configured.

Option D is wrong because no proxy is required.

119
Multi-Selecteasy

A DevOps engineer is setting up monitoring for an Amazon DynamoDB table that experiences high read traffic. They want to monitor the read capacity consumption and be alerted when the consumed read capacity exceeds 80% of the provisioned capacity for 5 consecutive minutes. Which TWO steps should they take? (Select TWO.)

Select 2 answers
A.Enable AWS CloudTrail to log DynamoDB read requests.
B.Set up an AWS Lambda function to monitor the DynamoDB ReadThrottleEvents metric.
C.Use CloudWatch to monitor the ConsumedReadCapacityUnits and ProvisionedReadCapacityUnits metrics.
D.Configure DynamoDB to stream all read events to CloudWatch Logs.
E.Create a CloudWatch alarm with a metric math expression that calculates (ConsumedReadCapacityUnits / ProvisionedReadCapacityUnits) and set the threshold to 0.8.
AnswersC, E

These metrics are emitted by DynamoDB to CloudWatch.

Why this answer

Option C is correct because CloudWatch directly exposes the ConsumedReadCapacityUnits and ProvisionedReadCapacityUnits metrics for DynamoDB, which are the exact metrics needed to calculate read capacity utilization. Monitoring these metrics allows the engineer to track how much of the provisioned capacity is being consumed over time, which is the foundation for setting up the desired alert.

Exam trap

The trap here is that candidates often confuse throttling metrics (like ReadThrottleEvents) with capacity utilization metrics, leading them to select Option B, which only detects throttling after it happens rather than providing a proactive alert based on capacity consumption.
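The utilization alarm this answer describes, as an added example that is not part of the question bank. It models the metric math in plain Python so the five-consecutive-datapoint rule can be exercised on constructed data, and returns the PutMetricAlarm arguments for the same check; the table name and sample datapoints are constructed. One caveat a practitioner wants here: ConsumedReadCapacityUnits with the Sum statistic is a per-period total, so it must be divided by the period before being compared with the per-second provisioned figure.

```python
from typing import Sequence

PERIOD_SECONDS = 60  # alarm period; five breaching datapoints = five minutes


def read_utilization(consumed_sum: float, provisioned_rcu: float,
                     period_seconds: int = PERIOD_SECONDS) -> float:
    """ConsumedReadCapacityUnits (Sum) is the total for the period, while
    ProvisionedReadCapacityUnits is a per-second figure, so the Sum is divided
    by the period before the ratio is taken. In CloudWatch metric math that
    normalisation is what PERIOD(consumed) provides."""
    if provisioned_rcu <= 0:
        raise ValueError("provisioned capacity must be positive")
    return (consumed_sum / period_seconds) / provisioned_rcu


def alarm_state(consumed_sums: Sequence[float], provisioned_rcu: float,
                threshold: float = 0.8, evaluation_periods: int = 5) -> str:
    """Simplified alarm evaluation with EvaluationPeriods == DatapointsToAlarm:
    ALARM only when the last N datapoints all exceed the threshold. Fewer than
    N datapoints is reported as INSUFFICIENT_DATA (a real alarm also applies
    its TreatMissingData setting, which this simplification leaves out)."""
    if len(consumed_sums) < evaluation_periods:
        return "INSUFFICIENT_DATA"
    recent = consumed_sums[-evaluation_periods:]
    if all(read_utilization(c, provisioned_rcu) > threshold for c in recent):
        return "ALARM"
    return "OK"


def alarm_definition(table_name: str) -> dict:
    """Keyword arguments for CloudWatch's PutMetricAlarm describing the same
    check: two metric queries hidden from output plus the math expression."""
    dimensions = [{"Name": "TableName", "Value": table_name}]
    return {
        "AlarmName": f"{table_name}-read-utilization-80pct",
        "ComparisonOperator": "GreaterThanThreshold",
        "Threshold": 0.8,
        "EvaluationPeriods": 5,
        "DatapointsToAlarm": 5,
        "Metrics": [
            {"Id": "consumed", "ReturnData": False,
             "MetricStat": {"Metric": {"Namespace": "AWS/DynamoDB",
                                       "MetricName": "ConsumedReadCapacityUnits",
                                       "Dimensions": dimensions},
                            "Period": PERIOD_SECONDS, "Stat": "Sum"}},
            {"Id": "provisioned", "ReturnData": False,
             "MetricStat": {"Metric": {"Namespace": "AWS/DynamoDB",
                                       "MetricName": "ProvisionedReadCapacityUnits",
                                       "Dimensions": dimensions},
                            "Period": PERIOD_SECONDS, "Stat": "Average"}},
            {"Id": "utilization", "ReturnData": True,
             "Expression": "consumed / PERIOD(consumed) / provisioned",
             "Label": "Read capacity utilization"},
        ],
    }


if __name__ == "__main__":
    # Constructed per-minute Sum datapoints for a table provisioned at 100 RCU:
    # 4800 units per minute is exactly 80 % utilisation, so only values above
    # that breach.
    print(alarm_state([5100, 5200, 4900, 5000, 5300], 100))  # ALARM
    print(alarm_state([5100, 5200, 4000, 5000, 5300], 100))  # OK
```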

120
MCQeasy

A DevOps engineer sets up a CloudWatch dashboard to monitor an application's performance. The application runs on EC2 instances in an Auto Scaling group. The engineer wants to display the average CPU utilization across all instances in the group. Which CloudWatch metric and statistic should be used?

A.CPUUtilization metric with the Sum statistic, filtered by Auto Scaling group.
B.CPUUtilization metric with the Average statistic, filtered by Auto Scaling group.
C.StatusCheckFailed metric with the Average statistic, filtered by Auto Scaling group.
D.NetworkOut metric with the Average statistic, filtered by Auto Scaling group.
AnswerB

Average statistic with the Auto Scaling group dimension gives the average CPU across all instances.

Why this answer

Option B is correct because the CPUUtilization metric with the Average statistic across the Auto Scaling group provides the desired average. Option A is wrong because the Sum statistic would total the CPU across instances, not average it. Option D is wrong because NetworkOut is not CPU-related.

Option C is wrong because StatusCheckFailed is a different metric.

121
Multi-Selecthard

A DevOps engineer is managing a CI/CD pipeline using AWS CodePipeline with multiple stages: Source (CodeCommit), Build (CodeBuild), Test (CodeBuild), and Deploy (CodeDeploy). The engineer wants to add manual approval steps before the Test and Deploy stages. Additionally, the pipeline should automatically roll back the deployment if the Deploy stage fails. Which two actions should the engineer take to implement these requirements? (Choose two.)

Select 2 answers
A.Add an Approval action in the Test stage before the Test build action.
B.Insert a new stage between Build and Test, and add an Approval action to that stage.
C.In the CodeDeploy deployment group configuration, enable automatic rollback for deployment failure.
D.Add a Lambda function in the pipeline that triggers a rollback if the Deploy stage fails.
E.Configure the pipeline's Deploy stage to have a 'Rollback' action that runs on failure.
AnswersB, C

Why this answer

Option B is correct because manual approval actions in AWS CodePipeline must be added as a separate stage, not within an existing stage. By inserting a new stage between Build and Test and adding an Approval action, the pipeline pauses before the Test stage, allowing manual review. Option C is correct because CodeDeploy deployment groups support automatic rollback on deployment failure, which can be enabled in the deployment group configuration to revert to the last known good revision.

Exam trap

The trap here is that candidates often think approval actions can be inserted within an existing stage (like before a build action) or that rollback can be implemented as a pipeline action, rather than understanding that approvals require a separate stage and rollback is a deployment group configuration in CodeDeploy.

Why the other options are wrong

A

Approval actions are separate stages, not part of the same stage as build.

D

CodePipeline does not have a native rollback; rely on CodeDeploy's rollback feature.

E

CodePipeline does not support a rollback action type.

122
MCQhard

A company uses AWS CloudFormation to deploy a multi-tier application. The template includes an Amazon RDS DB instance. The DevOps team wants to update the DB instance class without downtime. What should they do?

A.Use a CloudFormation stack update with a 'ReplaceOnDelete' deletion policy on the DB instance.
B.Create a new DB instance with the new class, update the application to point to the new endpoint, and delete the old instance.
C.Update the DBInstanceClass property in the CloudFormation template and set 'ApplyImmediately: true'.
D.Modify the DB instance class using an RDS blue/green deployment, then update the CloudFormation stack to match the new class.
AnswerD

RDS blue/green deployments allow changing instance class without downtime.

Why this answer

Option D is correct because modifying the DB instance class with 'ApplyImmediately: false' and Multi-AZ enabled allows an RDS blue/green deployment, after which the CloudFormation stack is updated to match. Option C is wrong because it causes downtime. Option B is wrong because it creates a new DB, not an update.

Option A is wrong because 'ReplaceOnDelete' would recreate the resource.

123
Multi-Selectmedium

A company wants to implement a CI/CD pipeline for an application that runs on Amazon ECS with Fargate. The pipeline should build a Docker image, push it to Amazon ECR, and deploy a new task definition to ECS. Which THREE AWS services are required to build this pipeline?

Select 3 answers
A.Amazon S3
B.AWS CodeDeploy
C.AWS CodePipeline
D.AWS CodeCommit
E.AWS CodeBuild
AnswersB, C, E

Deploys the new task definition to ECS.

Why this answer

Options B, C, and E are correct. CodeBuild builds the Docker image and pushes it to ECR. CodePipeline orchestrates the stages.

CodeDeploy (or ECS directly) deploys the new task definition. Option D (CodeCommit) is a source repository, not a deployment service. Option A (Amazon S3) is not needed because ECR is used.

124
MCQhard

A company's security team notices that an IAM user has permissions to terminate EC2 instances but should only be allowed to stop them. The current policy allows ec2:TerminateInstances. What is the most secure way to prevent termination while allowing stop?

A.Use an SCP to deny ec2:TerminateInstances for the entire account.
B.Modify the existing policy to include ec2:StopInstances and remove ec2:TerminateInstances.
C.Add a Deny statement for ec2:TerminateInstances with a condition for the user's ARN.
D.Attach a separate managed policy that denies ec2:TerminateInstances to the user.
AnswerC

Explicitly denies termination for that user while allowing stop via other policies.

Why this answer

Option C is correct because adding a Deny for ec2:TerminateInstances with a condition for the specific user explicitly blocks the action. Option B is wrong because changing the policy to allow ec2:StopInstances without removing ec2:TerminateInstances still allows termination. Option A is wrong because a service control policy (SCP) can also deny, but is less targeted.

Option D is wrong because attaching a separate Deny policy to the user is effective, but a Deny in the same policy is simpler.
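To make the explicit-Deny behaviour of the correct answer concrete, here is an added example (not from the question bank) that builds the hardened policy and runs it through a simplified model of IAM evaluation: an applicable explicit Deny wins over any Allow, and with no applicable Allow the result is an implicit deny. The account id, user names and instance id are placeholders, and only the StringEquals condition operator on aws:PrincipalArn is modelled.

```python
import fnmatch

ACCOUNT = "123456789012"  # placeholder account id
OPS_USER_ARN = f"arn:aws:iam::{ACCOUNT}:user/ops-user"       # assumed name
OTHER_USER_ARN = f"arn:aws:iam::{ACCOUNT}:user/other-user"   # assumed name
INSTANCE_ARN = (f"arn:aws:ec2:us-east-1:{ACCOUNT}:instance/"
                "i-0123456789abcdef0")                         # constructed

# The policy as the question describes it: stop and terminate both allowed.
CURRENT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:DescribeInstances", "ec2:StopInstances",
                    "ec2:TerminateInstances"],
         "Resource": "*"},
    ],
}

# Option C: the same policy plus an explicit Deny scoped to the user's ARN.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": CURRENT_POLICY["Statement"] + [
        {"Effect": "Deny",
         "Action": "ec2:TerminateInstances",
         "Resource": "*",
         "Condition": {"StringEquals": {"aws:PrincipalArn": OPS_USER_ARN}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_applies(stmt: dict, action: str, resource: str,
                       context: dict) -> bool:
    """A statement applies when its Action and Resource patterns match (IAM
    wildcards * and ?) and every condition key is satisfied."""
    if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, p)
               for p in _as_list(stmt["Resource"])):
        return False
    for operator, pairs in stmt.get("Condition", {}).items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, expected in pairs.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def is_allowed(policy: dict, action: str, resource: str, context: dict) -> bool:
    """Simplified evaluation of one identity-based policy: an applicable
    explicit Deny always wins; otherwise at least one applicable Allow is
    required, since the default is an implicit deny."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if not _statement_applies(stmt, action, resource, context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def can_terminate(policy: dict, principal_arn: str) -> bool:
    return is_allowed(policy, "ec2:TerminateInstances", INSTANCE_ARN,
                      {"aws:PrincipalArn": principal_arn})


def can_stop(policy: dict, principal_arn: str) -> bool:
    return is_allowed(policy, "ec2:StopInstances", INSTANCE_ARN,
                      {"aws:PrincipalArn": principal_arn})


if __name__ == "__main__":
    for name, policy in (("current", CURRENT_POLICY),
                         ("hardened", HARDENED_POLICY)):
        print(name, "ops-user terminate:", can_terminate(policy, OPS_USER_ARN),
              "stop:", can_stop(policy, OPS_USER_ARN))
```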

125
MCQeasy

A company uses AWS CodePipeline to automate builds and deployments. The pipeline has a source stage (Amazon S3) and a build stage (AWS CodeBuild). The build stage is failing with the error: 'Error: Unable to download artifact from S3: Access Denied'. The artifacts are stored in an S3 bucket that is encrypted with AWS KMS. The CodeBuild service role has permissions to read from the S3 bucket and use the KMS key. The team checks that the S3 bucket policy and the KMS key policy allow the CodeBuild role. What is the most likely cause of the failure?

A.The S3 bucket does not have versioning enabled, so CodeBuild cannot retrieve the artifact.
B.The KMS key policy does not grant 'kms:Decrypt' permission to the CodeBuild service role.
C.The CodePipeline service role does not have permission to pass the artifact to CodeBuild.
D.The artifact is stored in the same S3 bucket used by CodePipeline for its artifacts, causing a conflict.
AnswerB

Correct: CodeBuild needs decrypt permission to read encrypted artifacts.

Why this answer

Option B is correct because CodeBuild needs permission to decrypt the artifact; if the KMS key policy does not grant 'kms:Decrypt' to the CodeBuild role, access is denied. Option A is wrong because bucket versioning is not required. Option D is wrong because the artifact bucket is separate from the pipeline bucket.

Option C is wrong because the CodePipeline service role is not used by CodeBuild to download artifacts.

126
MCQmedium

A company is building a serverless application using AWS Lambda, Amazon API Gateway, and Amazon DynamoDB. The application must be resilient to sudden spikes in traffic without manual intervention. Which combination of services should be used?

A.API Gateway with throttling, Lambda with reserved concurrency, and DynamoDB auto scaling.
B.API Gateway with usage plans, Lambda with provisioned concurrency, and DynamoDB on-demand.
C.API Gateway with WAF, Lambda with function URLs, and DynamoDB Accelerator (DAX).
D.API Gateway with caching, Lambda with no concurrency limits, and DynamoDB global tables.
AnswerA

Throttling prevents overload, reserved concurrency ensures Lambda capacity, auto scaling handles DB load.

Why this answer

API Gateway with throttling and Lambda with reserved concurrency help manage spikes. DynamoDB auto scaling adjusts capacity.

127
MCQmedium

A DevOps engineer is designing a CI/CD pipeline that deploys to production. The security team mandates that all code changes must be reviewed and signed off by two senior developers before deployment. How can this be enforced?

A.Use CloudWatch Events to trigger a manual approval step in CodePipeline.
B.Restrict push access to the production branch to only the two senior developers.
C.Use AWS Lambda to send a notification when a change is pushed.
D.Set up a pull request approval rule in CodeCommit requiring two approvals.
AnswerD

Enforces code review and approval before merging.

Why this answer

Option D is correct because CodeCommit's pull request approval rules allow you to require a specific number of approvals before a pull request can be merged. By configuring an approval rule template that requires two approvals from senior developers, you enforce the mandatory code review and sign-off before any change is merged into the production branch, which then triggers the CI/CD pipeline.

Exam trap

The trap here is that candidates often confuse deployment-stage approvals (like CodePipeline manual approval) with pre-merge code review approvals, failing to recognize that the security requirement must be enforced at the source code repository level before the pipeline even starts.

How to eliminate wrong answers

Option A is wrong because CloudWatch Events can trigger a manual approval step in CodePipeline, but this only enforces approval at the deployment stage, not the code review and sign-off requirement before the change is even merged into the production branch. Option B is wrong because restricting push access to only two senior developers does not enforce a mandatory two-person review process; a single developer could still push directly without any review. Option C is wrong because using Lambda to send a notification when a change is pushed does not enforce any approval or review requirement; it merely informs stakeholders without blocking the change.

128
MCQhard

A company is running a critical application on Amazon ECS with Fargate launch type. The application experiences periodic performance degradation. The DevOps team needs to set up monitoring to capture detailed metrics at a 1-second granularity. Which solution should be used?

A.Deploy a Prometheus server on Amazon EC2 and scrape metrics from the ECS tasks.
B.Enable CloudWatch detailed monitoring on the ECS service.
C.Use Amazon CloudWatch Container Insights with high-resolution metrics.
D.Enable VPC Flow Logs and analyze the logs with Amazon Athena.
AnswerC

Container Insights can collect metrics at 1-second intervals when high-resolution mode is enabled.

Why this answer

Option C is correct because CloudWatch Container Insights with high-resolution metrics can provide 1-second granularity. Option B is wrong because CloudWatch default metrics are at 1-minute granularity. Option A is wrong because Prometheus is not a managed AWS service for this purpose.

Option D is wrong because VPC Flow Logs capture network traffic, not application performance metrics.

129
Multi-Selectmedium

Which TWO best practices should be followed when configuring AWS CodeBuild projects to improve build performance and security? (Choose TWO.)

Select 2 answers
A.Run builds as the root user to avoid permission errors
B.Use the AWS managed policy 'AdministratorAccess' for the CodeBuild service role to avoid permission issues
C.Configure the build project to use a custom VPC to access resources like private Amazon RDS databases
D.Always use the 'latest' tag for the build environment image to ensure up-to-date software
E.Enable Amazon S3 cache to store dependencies and reuse them across builds
AnswersC, E

VPC enables secure access to private resources and is a best practice for security.

Why this answer

Option C is correct because configuring a CodeBuild project to use a custom VPC allows it to access resources that are not publicly accessible, such as private Amazon RDS databases or internal services, which is essential for building applications that depend on those resources. This also enhances security by keeping traffic within the VPC and avoiding exposure to the public internet.

Exam trap

The trap here is that candidates may confuse 'improving performance' with 'simplifying configuration' and choose options like using the 'latest' tag or granting broad permissions, overlooking the security and determinism trade-offs.

130
Multi-Selecteasy

A company wants to design a highly available web application using AWS services. The application must be resilient to the failure of an entire AWS Region. Which THREE components should the architecture include? (Choose THREE.)

Select 3 answers
A.An Application Load Balancer (ALB) deployed in one Region.
B.Amazon Route 53 with a failover routing policy.
C.Auto Scaling groups in each Region with appropriate instance types.
D.Amazon EC2 instances in a single Region.
E.Amazon RDS Multi-AZ deployment with a cross-Region read replica.
AnswersB, C, E

Failover routing directs traffic to a secondary Region if the primary fails.

Why this answer

Amazon Route 53 with a failover routing policy is correct because it enables DNS-based health checking and automatic traffic routing to a secondary region when the primary region becomes unavailable. This is essential for cross-region disaster recovery, as Route 53 can monitor endpoint health and update DNS records to direct users to the healthy region, ensuring application availability despite a full region failure.

Exam trap

The trap here is that candidates often confuse Multi-AZ deployments (which provide high availability within a single Region) with cross-Region disaster recovery, and they may incorrectly assume that a single-Region ALB or EC2 instances can survive a full Region failure without a multi-Region architecture.

131
Multi-Selectmedium

Which TWO actions should a DevOps engineer take to secure an AWS account root user? (Choose 2.)

Select 2 answers
A.Share the root user password with the team.
B.Create an IAM role for the root user.
C.Delete or disable the root user access keys.
D.Use the root user for daily administrative tasks.
E.Enable multi-factor authentication (MFA) for the root user.
AnswersC, E

Root user access keys should be avoided.

Why this answer

Enabling MFA and not creating access keys for the root user are best practices. Options C and E are correct.

132
MCQmedium

A company uses AWS CloudFormation to manage its infrastructure. The Operations team needs to update a stack that contains an EC2 instance. They want to change the instance type from t2.micro to t2.small without recreating the instance. Which CloudFormation stack update policy should they use?

A.Use a ChangeSet with Replacement set to False
B.Use a CreationPolicy with a Timeout
C.Use a DeletionPolicy with Retain
D.Use an UpdatePolicy with AutoScalingRollingUpdate
AnswerD

This policy allows rolling updates to instances without recreation.

Why this answer

Option D is correct because the 'UpdatePolicy: AutoScalingRollingUpdate' attribute can be used to update instance types without interruption when associated with an Auto Scaling group or EC2 instances with a creation policy. Option A is wrong because Replacement policy dictates whether to replace or update a resource. Option B is wrong because CreationPolicy is used to wait for signals before considering the resource created.

Option C is wrong because DeletionPolicy only defines what happens when a resource is deleted.

133
MCQeasy

A company wants to centrally manage and audit access to AWS KMS keys across multiple accounts. Which AWS feature should be used?

A.AWS Config aggregated rules
B.Cross-account IAM roles
C.AWS CloudTrail with organization trail
D.AWS Organizations tag policies
AnswerC

Organization trails aggregate logs from all accounts.

Why this answer

AWS CloudTrail can log KMS key usage across accounts, and an organization trail aggregates those logs in a central account. Option C is correct. Option B (cross-account IAM roles) is configured per account and grants access rather than auditing it.

Option A (AWS Config aggregated rules) does not audit key usage. Option D (AWS Organizations tag policies) does not audit.

134
MCQmedium

A company runs a serverless application using AWS Lambda, Amazon API Gateway, and Amazon DynamoDB. The application is used by thousands of users. Recently, the operations team noticed an increase in 5xx errors from API Gateway. The team has enabled CloudWatch Logs for the Lambda functions and API Gateway. They see the errors are sporadic and not correlated with high traffic. The Lambda function's error count in CloudWatch is also increasing. The team wants to identify the specific requests that are failing and understand the error details. Which solution should the team implement?

A.Use CloudWatch Logs Insights to query the Lambda logs for ERROR messages and correlate with API Gateway logs
B.Enable VPC Flow Logs for the Lambda function's VPC to capture network traffic
C.Enable AWS X-Ray active tracing on the Lambda functions and API Gateway to capture detailed request traces and error details
D.Enable AWS CloudTrail to log API Gateway API calls and analyze the logs
AnswerC

X-Ray provides end-to-end visibility and error identification.

Why this answer

Option C is correct because X-Ray provides end-to-end tracing and can capture errors with detailed metadata. It integrates with Lambda and API Gateway to trace requests and identify failures. Option A is wrong because CloudWatch Logs Insights would require querying all logs, which is less efficient for tracing.

Option D is wrong because CloudTrail captures API calls, not application-level request details. Option B is wrong because VPC Flow Logs are for network traffic, not application errors.

135
MCQeasy

A company uses Amazon CloudWatch Logs to store application logs from EC2 instances. The security team requires that logs be retained for 5 years for compliance. Which action should be taken to meet this requirement cost-effectively?

A.Export the logs to Amazon S3 and use S3 Glacier Deep Archive for long-term storage.
B.Set a log retention policy of 5 years on the CloudWatch Logs log groups.
C.Disable log retention and let CloudWatch Logs keep the logs indefinitely.
D.Use AWS CloudTrail to store the logs for 5 years.
AnswerB

CloudWatch Logs supports setting a retention policy of 5 years, which is cost-effective.

Why this answer

Option B is correct because CloudWatch Logs supports setting a retention policy of 5 years, which is cost-effective. Option A is wrong because exporting to S3 and using S3 Glacier Deep Archive is more expensive than simply setting a retention policy. Option D is wrong because AWS CloudTrail is for API activity logs, not application logs.

Option C is wrong because disabling retention deletes logs, which fails compliance.

136
MCQmedium

A company is using Amazon CloudWatch Logs to monitor application logs from EC2 instances. The DevOps engineer notices that some log entries are missing. The CloudWatch agent is installed and configured. What is the most likely cause of the missing log entries?

A.The CloudWatch agent's rate limit is set too low, causing log entries to be dropped.
B.The CloudWatch agent is compressing logs before sending, causing some entries to be lost.
C.The log group retention policy is set to 1 day, and logs older than that are automatically deleted.
D.The log group's maximum size limit has been exceeded.
AnswerA

The CloudWatch agent can be configured with a rate limit; if exceeded, it drops logs.

Why this answer

If the CloudWatch agent cannot keep up with the log generation rate, it may drop entries. Option A is correct because the agent has a configurable rate limit. Option D is incorrect because CloudWatch Logs does not impose a maximum size on log groups.

Option C is incorrect because the default log group retention never expires. Option B is incorrect because the agent does not compress logs by default.

137
MCQmedium

A company runs a critical web application on AWS using an Application Load Balancer (ALB) in front of an Auto Scaling group of EC2 instances. The application experiences periodic traffic spikes. To handle these spikes, the company wants to use a combination of proactive scaling based on a predictable schedule and reactive scaling based on CPU utilization. What is the MOST resilient scaling strategy?

A.Use a scheduled scaling policy for the predictable spikes and a step scaling policy for CPU utilization.
B.Use predictive scaling based on historical traffic patterns.
C.Use manual scaling by increasing the desired capacity before expected spikes.
D.Use a target tracking scaling policy based on average CPU utilization.
AnswerA

Combines proactive and reactive scaling for maximum resilience.

Why this answer

Option A is correct because it combines scheduled scaling for predictable traffic with step scaling for reactive adjustments, ensuring both proactive and reactive resilience. Option D is wrong because target tracking alone may not respond quickly to sudden spikes. Option B is wrong because predictive scaling requires historical data and may not be accurate for new patterns.

Option C is wrong because manual scaling is not resilient for spikes.

138
MCQmedium

Refer to the exhibit. The DevOps engineer runs the commands and sees the output. What is the most likely issue with the instance?

A.The underlying hardware is having issues (system status check failed).
B.The instance is healthy and no issues exist.
C.The instance is stopped.
D.The instance has a failed status check due to OS-level issues.
AnswerA

SystemStatus is impaired, indicating hardware issues.

Why this answer

Option A is correct. The SystemStatus is 'impaired', meaning there is a problem with the underlying physical host (system status check). The instance status is 'ok', so the OS is fine.

Option C is wrong because the instance is running. Option B is wrong because the system status is impaired. Option D is wrong because the instance status is ok, so the failure is not at the OS level.

139
MCQhard

A large enterprise uses a multi-account AWS strategy with a centralized DevOps account. The DevOps account hosts an AWS CodePipeline that deploys a critical application to production account (111111111111) using AWS CodeDeploy. The pipeline has three stages: Source (CodeCommit), Build (CodeBuild), and Deploy (CodeDeploy). The deploy stage uses a cross-account role (arn:aws:iam::111111111111:role/CrossAccountDeployRole) to perform the deployment. The trust policy on that role allows the DevOps account's CodePipeline service role (arn:aws:iam::222222222222:role/CodePipelineServiceRole) to assume it. The pipeline has been working for months, but after a recent security audit, the security team tightened permissions. Now the deploy stage fails with the error: 'User: arn:aws:sts::222222222222:assumed-role/CodePipelineServiceRole/AWS-CodePipeline-xxx is not authorized to perform: codedeploy:CreateDeployment on resource: arn:aws:codedeploy:us-east-1:111111111111:deploymentgroup:MyApp/MyDG'. The DevOps team has verified that the CrossAccountDeployRole has a permissions policy that allows 'codedeploy:*' on all resources. The CodePipelineServiceRole has a permissions policy that allows 'sts:AssumeRole' on the CrossAccountDeployRole. What is the most likely cause and what action should be taken to resolve the issue?

A.Add 'sts:AssumeRole' to the permissions policy of CodePipelineServiceRole.
B.Create the deployment group in the production account again to reset permissions.
C.Check the permissions boundary on CrossAccountDeployRole and add a boundary that allows CodeDeploy actions.
D.Update the trust policy of CrossAccountDeployRole to include the DevOps account ID.
AnswerC

A permissions boundary can override the permissions policy and must explicitly allow required actions.

Why this answer

Option C is correct because the error indicates that the assumed role (CrossAccountDeployRole) is not authorized to perform codedeploy:CreateDeployment, despite having a permissions policy that allows codedeploy:* on all resources. This typically occurs when a permissions boundary is attached to the role that restricts the effective permissions, overriding the permissions policy. Adding a permissions boundary that allows CodeDeploy actions resolves the issue by ensuring the role's effective permissions include the necessary CodeDeploy operations.

Exam trap

The trap here is that candidates often assume the error is due to missing sts:AssumeRole or trust policy misconfiguration, but the role was already assumed successfully (as shown by the assumed-role ARN in the error), so the real issue is a permissions boundary or service control policy limiting the role's effective permissions.

How to eliminate wrong answers

Option A is wrong because the CodePipelineServiceRole already has sts:AssumeRole in its permissions policy (as stated in the scenario), so adding it again would not resolve the issue. Option B is wrong because recreating the deployment group does not address the underlying permission restriction; the error is about authorization, not resource existence or configuration. Option D is wrong because the trust policy already allows the DevOps account's CodePipelineServiceRole to assume the role (the error shows the role was assumed successfully), so updating the trust policy is unnecessary.

140
MCQmedium

A DevOps team is designing a highly available multi-tier application on AWS. The application runs on EC2 instances in an Auto Scaling group across two Availability Zones. The team uses an Application Load Balancer (ALB) to distribute traffic. The application requires the ALB to be accessible via a single, static IP address for whitelisting by third-party partners. What is the most resilient solution?

A.Use a Network Load Balancer (NLB) with a static IP address and Route 53 weighted routing to multiple NLBs.
B.Use a Network Load Balancer (NLB) with an Elastic IP per Availability Zone and front it with AWS Global Accelerator.
C.Use a Network Load Balancer (NLB) with Elastic IP addresses attached to each subnet in each AZ.
D.Use an Application Load Balancer (ALB) with AWS Global Accelerator.
AnswerB

Global Accelerator provides two static IP addresses that act as a fixed entry point, routing traffic to the NLB endpoints in each AZ, offering high resilience and static IPs.

Why this answer

Option B is correct because using a Network Load Balancer (NLB) with static IPs in each AZ, fronted by Global Accelerator, provides static IP addresses while leveraging the NLB's high availability and Global Accelerator's resilience. Option C (NLB with Elastic IPs) is simpler but requires managing IP failover. Option D (ALB with Global Accelerator) does not give static IPs directly; Global Accelerator provides static IPs, but the ALB's own IPs change.

Option A (Route 53 weighted records) adds latency and complexity.

141
Multi-Selectmedium

A company runs a critical application on Amazon ECS with Fargate launch type. During an incident, the DevOps engineer notices that tasks are failing with 'CannotPullContainerError: API error (500)'. Which TWO steps should the engineer take to resolve this issue?

Select 2 answers
A.Attach an EBS volume to the Fargate task for caching.
B.Check that the ECS service role has the required permissions.
C.Ensure that the ECR repository policy allows the task execution role to pull images.
D.Increase the task memory to accommodate the image pull.
E.Verify that the task execution IAM role has the necessary permissions to pull from Amazon ECR.
AnswersC, E

Repository policy may block the pull if not configured correctly.

Why this answer

Options C and E are correct. E is correct because a missing or invalid task execution role can prevent ECS from pulling the image from ECR. C is correct because if the image is in a private ECR repository, the repository policy must allow the task execution role to pull, and the role needs permissions such as ecr:GetDownloadUrlForLayer.

Option B is wrong because the service role is for load balancer integration, not image pulling. Option A is wrong because Fargate does not support EBS. Option D is wrong because increasing task memory is unrelated to pulling images.

142
MCQmedium

An organization uses AWS CodePipeline with multiple stages: Source, Build, Test, and Deploy. The Test stage runs integration tests in CodeBuild. Recently, the pipeline failed because the Test stage took longer than expected, causing a pipeline execution timeout. The pipeline has a default timeout of 7 days. What is the MOST efficient way to set a maximum execution time for the Test stage without affecting other stages?

A.Create an AWS Lambda function that stops the pipeline if the Test stage exceeds 1 hour.
B.Set the pipeline execution timeout to 1 hour in the pipeline settings.
C.Use Amazon CloudWatch Events to detect when the Test stage runs for more than 1 hour and then stop the pipeline.
D.Modify the CodeBuild project's build timeout (e.g., 1 hour) in the buildspec or project configuration.
AnswerD

CodeBuild allows setting a timeout; if the build exceeds it, the stage fails quickly.

Why this answer

Option D is correct because the CodeBuild project's build timeout setting directly controls the maximum duration a build can run before it is stopped. By setting this timeout to 1 hour in the CodeBuild project configuration or buildspec, the Test stage will automatically fail if it exceeds that limit, without affecting the pipeline's overall timeout or other stages. This is the most efficient and targeted approach, as it leverages a native CodeBuild feature rather than adding external monitoring or changing pipeline-wide settings.

Exam trap

The trap here is that candidates may confuse the pipeline-level execution timeout with stage-level or action-level timeouts, assuming that adjusting the pipeline timeout is the correct way to limit a specific stage, when in fact CodeBuild's own timeout is the precise and efficient mechanism for controlling build duration.

How to eliminate wrong answers

Option A is wrong because creating an AWS Lambda function to stop the pipeline adds unnecessary complexity, cost, and maintenance overhead; it is not the most efficient solution when a native CodeBuild timeout exists. Option B is wrong because setting the pipeline execution timeout to 1 hour applies to the entire pipeline, not just the Test stage, which would cause the entire pipeline to fail if any stage (e.g., Source, Build, or Deploy) takes longer than 1 hour, even if they are functioning correctly. Option C is wrong because using Amazon CloudWatch Events to detect a long-running Test stage and stop the pipeline introduces additional latency, complexity, and potential race conditions; it is less efficient than directly configuring the CodeBuild project's timeout.

143
Multi-Selecteasy

A company is using AWS CodeDeploy to deploy an application to an Auto Scaling group. The deployment is failing because the new instances are not passing the health checks. The team wants to automatically roll back the deployment if health checks fail. Which THREE steps should the team take?

Select 3 answers
A.Use a deployment configuration with a high minimum healthy host percentage.
B.Create a CloudWatch alarm based on the ELB health check metric.
C.Configure the deployment group to automatically roll back when a deployment fails.
D.Configure the Auto Scaling group to use an ELB health check with a sufficient grace period.
E.Store the deployment artifacts in an S3 bucket with versioning enabled.
AnswersB, C, D

Correct: Alarm can trigger rollback.

Why this answer

Option C configures rollback. Option B configures alarms. Option D configures the health check grace period.

Option A is not needed. Option E is not for rollback.

144
MCQhard

A DevOps engineer needs to ensure that an S3 bucket policy enforces encryption in transit for all access. Which policy statement should be added?

A.{"Effect":"Deny","Condition":{"StringEquals":{"aws:SecureTransport":"true"}}}
B.{"Effect":"Allow","Condition":{"Bool":{"aws:SecureTransport":"false"}}}
C.{"Effect":"Allow","Condition":{"Bool":{"aws:SecureTransport":"true"}}}
D.{"Effect":"Deny","Condition":{"Bool":{"aws:SecureTransport":"false"}}}
AnswerD

Denies access when SecureTransport is false, effectively requiring HTTPS.

Why this answer

To enforce encryption in transit, use a condition that denies access unless the request uses 'aws:SecureTransport' set to 'true'. This requires a Deny effect with the condition.
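Worked example added here (not part of the question bank): a small Python evaluator that applies IAM's explicit-deny-wins rule to the four candidate statements, each placed alongside an existing Allow grant for an application role. The principal ARN, bucket name and object key are constructed placeholders. It shows why only option D blocks a plaintext request while still permitting TLS: the two Allow variants add nothing the existing grant does not already give, and option A denies exactly the TLS requests you want to keep.

```python
"""Compare the four candidate aws:SecureTransport statements with a small IAM-style
policy evaluator (explicit Deny beats Allow; anything unmatched is an implicit Deny)."""
import json

ROLE = "arn:aws:iam::123456789012:role/AppRole"   # constructed placeholder principal
BUCKET = "arn:aws:s3:::example-bucket"            # constructed placeholder bucket

# The bucket already grants the application role read access; a transport rule is added on top.
BASE_ALLOW = {
    "Sid": "AppRead",
    "Effect": "Allow",
    "Principal": {"AWS": ROLE},
    "Action": "s3:GetObject",
    "Resource": f"{BUCKET}/*",
}

# The four statements from the question, as written (Principal/Action/Resource added below).
CANDIDATES = {
    "A": {"Effect": "Deny", "Condition": {"StringEquals": {"aws:SecureTransport": "true"}}},
    "B": {"Effect": "Allow", "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    "C": {"Effect": "Allow", "Condition": {"Bool": {"aws:SecureTransport": "true"}}},
    "D": {"Effect": "Deny", "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
}


def build_policy(letter):
    """Full bucket policy: the existing grant plus one candidate transport statement."""
    stmt = {"Sid": "TransportRule", "Principal": "*", "Action": "s3:*",
            "Resource": [BUCKET, f"{BUCKET}/*"]}
    stmt.update(CANDIDATES[letter])
    return {"Version": "2012-10-17", "Statement": [BASE_ALLOW, stmt]}


def _matches(spec, value):
    """Exact match or trailing-* prefix match, for Action and Resource elements."""
    specs = [spec] if isinstance(spec, str) else spec
    return any(s == value or (s.endswith("*") and value.startswith(s[:-1])) for s in specs)


def _principal_matches(spec, principal):
    if spec == "*":
        return True
    allowed = spec.get("AWS", []) if isinstance(spec, dict) else []
    return principal in ([allowed] if isinstance(allowed, str) else allowed)


def _condition_matches(condition, context):
    """Only StringEquals and Bool are modelled; both compare case-insensitive strings."""
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "Bool"):
            raise ValueError(f"operator {operator} not modelled")
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None or str(actual).lower() != str(expected).lower():
                return False
    return True


def evaluate(policy, principal, action, resource, context):
    """Return 'Allow' or 'Deny' for one request; an explicit Deny short-circuits."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        applies = (_principal_matches(stmt["Principal"], principal)
                   and _matches(stmt["Action"], action)
                   and _matches(stmt["Resource"], resource)
                   and _condition_matches(stmt.get("Condition", {}), context))
        if not applies:
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def enforces_tls(letter):
    """True only if the candidate blocks a plaintext request and still permits TLS."""
    policy = build_policy(letter)
    request = (ROLE, "s3:GetObject", f"{BUCKET}/reports/q1.csv")
    over_tls = evaluate(policy, *request, {"aws:SecureTransport": "true"})
    plaintext = evaluate(policy, *request, {"aws:SecureTransport": "false"})
    return over_tls == "Allow" and plaintext == "Deny"


if __name__ == "__main__":
    for letter in CANDIDATES:
        print(letter, "enforces TLS" if enforces_tls(letter) else "does not enforce TLS")
    print(json.dumps(build_policy("D"), indent=2))
```

The evaluator models only the two condition operators the question uses; real IAM evaluation also involves SCPs, permissions boundaries and session policies, which is why the Deny form is the robust choice: it holds regardless of what other Allow statements exist.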

145
MCQmedium

A company runs a serverless application using AWS Lambda, Amazon API Gateway, and Amazon DynamoDB. The application processes financial transactions. The DevOps team needs to monitor for duplicate transactions that could occur due to retries. The team wants to set up an alert when the number of duplicate transaction attempts exceeds 10 in a 5-minute window. The application logs each transaction attempt with a unique transaction ID to CloudWatch Logs. What is the most efficient way to achieve this?

A.Create a CloudWatch Logs metric filter that counts log events containing 'DuplicateTransaction' and set an alarm on the metric with a threshold of 10.
B.Use DynamoDB Streams to trigger a Lambda function that counts duplicates and publishes metrics.
C.Stream the CloudWatch Logs to Amazon Kinesis Data Analytics and use SQL queries to detect duplicates.
D.Modify the Lambda function to publish a custom metric to CloudWatch for each duplicate transaction, then set an alarm.
AnswerA

Metric filters are designed for real-time pattern matching on logs and can generate custom metrics.

Why this answer

Option A is correct because a metric filter on CloudWatch Logs can count occurrences of a pattern (e.g., duplicate transaction ID) and create a custom metric, which can then trigger an alarm. Option D is wrong because Lambda sends logs to CloudWatch Logs, not directly to CloudWatch Metrics. Option C is wrong because Kinesis Data Analytics would add unnecessary complexity and cost.

Option B is wrong because DynamoDB Streams and Lambda add latency and complexity for a simple counting task.

146
MCQhard

An organization uses AWS Elastic Beanstalk to deploy a web application. The deployment fails with a '502 Bad Gateway' error after the environment update. The health status shows 'Severe'. Investigation reveals that the application is not binding to the port that the nginx proxy expects. What is the most efficient way to diagnose and resolve this issue?

A.Rebuild the environment with a larger instance type to handle the load.
B.Use the Elastic Beanstalk console to update the environment's software configuration.
C.Review the application logs in CloudWatch Logs for error messages.
D.Check the application's listening port by viewing the nginx configuration files in the platform hooks and ensure the app listens on the expected port (e.g., 8080).
AnswerD

Elastic Beanstalk's nginx proxy forwards requests to the application on a specific port (usually 8080). If the app listens on a different port, it causes 502 errors.

Why this answer

Option D is correct: the nginx proxy expects the app to listen on port 8080 (or as defined in the proxy configuration). Option B is a workaround. Option C might not show the port.

Option A is not specific to the port mismatch.

147
Multi-Selectmedium

A DevOps team uses AWS OpsWorks for Chef Automate to manage configuration. They want to ensure that all EC2 instances automatically register with OpsWorks and are assigned to the correct layer. Which THREE steps are required? (Choose THREE.)

Select 3 answers
A.Install the AWS OpsWorks agent on each EC2 instance.
B.Configure the instance's user data to run the Chef client.
C.Attach an IAM role with the AmazonEC2RoleforOpsWorks policy to the EC2 instance.
D.Register the EC2 instance with the OpsWorks stack using the AWS CLI or console.
E.Assign the registered instance to the appropriate layer (e.g., web, app).
AnswersA, D, E

The agent is required for communication with the OpsWorks service.

Why this answer

Options A, D, and E are correct: install the agent, register the instance with the stack, assign the layer. Option B is not required. Option C is for other services.

148
MCQmedium

A company is using AWS Secrets Manager to store database credentials for a multi-tier application. The application runs on EC2 instances in an Auto Scaling group. The DevOps engineer has configured the instances to retrieve the secret at boot time using a script that calls the AWS CLI. Recently, the security team discovered that the secret was exposed in the instance's user data logs. The engineer needs to implement a more secure method to access the secret without storing it in user data. The application code can be modified. The environment uses IAM roles for EC2. Which solution best meets the security requirements?

A.Store the secret in a configuration file on the EC2 instance and encrypt the file system.
B.Store the secret in AWS Systems Manager Parameter Store and retrieve it via the AWS CLI at boot time.
C.Modify the application code to use the AWS SDK to retrieve the secret from Secrets Manager using the instance's IAM role.
D.Use a KMS key to encrypt the secret and store the encrypted value in user data.
AnswerC

This retrieves the secret at runtime without storing it in user data or on disk.

Why this answer

Option C is correct because using the AWS SDK with the IAM role attached to the EC2 instance retrieves the secret programmatically without storing it in user data. The IAM role should have permissions to access the secret. Option A is wrong because a configuration file still stores the secret on the instance.

Option B is wrong because Systems Manager Parameter Store is another option, but the question is about Secrets Manager, and storing the secret in Parameter Store still requires retrieval at runtime; the same pattern applies, but using the SDK with the IAM role is the standard secure method. Option D is wrong because the KMS key is used for encryption, not for retrieving the secret; the secret is already encrypted.

149
MCQhard

A company uses AWS CloudFormation to deploy infrastructure across multiple accounts. They want to reuse a set of resource definitions for a standard VPC configuration. Which approach minimizes duplication and maintains centralized control?

A.Create a CloudFormation module for the VPC resources and reference it in each stack.
B.Define the VPC resources in a CloudFormation macro and call the macro from each stack.
C.Publish the VPC template in AWS Service Catalog and have each account provision from it.
D.Use nested stacks by creating a separate template for the VPC and including it in each account's stack.
AnswerA

CloudFormation modules enable reuse and centralized management.

Why this answer

Option A is correct because AWS CloudFormation modules allow packaging reusable resource configurations that can be shared across stacks and accounts, reducing duplication and enabling centralized updates. Option D is wrong because nested stacks require separate templates, not reuse within a template. Option B is wrong because macros are for template processing, not reusable components.

Option C is wrong because Service Catalog is for end-user product provisioning, not infrastructure reuse.

150
MCQmedium

Refer to the exhibit. A network engineer reviews VPC Flow Logs. Which statement about the traffic is correct?

A.Internal traffic on port 80 is allowed.
B.Outbound HTTP traffic to the internet is blocked.
C.Outbound HTTPS traffic is being rejected.
D.All traffic is accepted.
AnswerB

Correct; third record shows REJECT for port 80 outbound to external IP.

Why this answer

First two records show accepted traffic between internal IPs on port 443 (HTTPS). The third record shows outbound traffic from 10.0.1.5 to an external IP on destination port 80 (HTTP) that is rejected. This indicates outbound HTTP is blocked.
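Added example (not from the question bank; the exhibit itself is not reproduced here): a Python parser for default-format VPC Flow Log records with a direction classifier, run over three constructed records that follow the description above (two internal HTTPS flows accepted, one outbound flow from 10.0.1.5 to an external address on port 80 rejected). The interface id, account id, timestamps, the external address 203.0.113.7 and the 10.0.0.0/16 VPC CIDR are assumptions. It goes a step beyond the answer by checking all four statements against the parsed records rather than only the correct one.

```python
"""Parse VPC Flow Log records and classify traffic by direction and outcome."""
import ipaddress
from dataclasses import dataclass

# Constructed records in the default v2 flow log format; the interface id, account id and
# timestamps are placeholders, the addresses and ports follow the exhibit as described above.
SAMPLE_LOG = """\
2 123456789012 eni-0abc123def456789a 10.0.1.5 10.0.2.10 49152 443 6 20 4000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0abc123def456789a 10.0.2.10 10.0.1.5 443 49152 6 18 6200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0abc123def456789a 10.0.1.5 203.0.113.7 49153 80 6 1 60 1700000000 1700000060 REJECT OK
"""

# Assumption: the VPC CIDR; anything outside it is treated as external.
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/16")]

# Field order of the default (version 2) format.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status"]


@dataclass
class FlowRecord:
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    action: str


def parse_flow_log(text):
    """Turn raw lines into FlowRecords; NODATA/SKIPDATA lines carry '-' fields and are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        row = dict(zip(FIELDS, parts))
        if row["log_status"] != "OK":
            continue
        records.append(FlowRecord(row["srcaddr"], row["dstaddr"], int(row["srcport"]),
                                  int(row["dstport"]), int(row["protocol"]), row["action"]))
    return records


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETWORKS)


def direction(rec):
    src, dst = is_internal(rec.srcaddr), is_internal(rec.dstaddr)
    if src and dst:
        return "internal"
    if src:
        return "outbound"
    if dst:
        return "inbound"
    return "external"


def service_port(rec):
    """Heuristic: the lower port is the service side, so reply flows map to the same service."""
    return min(rec.srcport, rec.dstport)


def summarize(records):
    """Service ports per (direction, action), e.g. ('outbound', 'REJECT') -> {80}."""
    summary = {}
    for rec in records:
        summary.setdefault((direction(rec), rec.action), set()).add(service_port(rec))
    return summary


def evaluate_statements(records):
    """Check the four statements from the question against the parsed records."""
    s = summarize(records)
    outbound_rejected = s.get(("outbound", "REJECT"), set())
    outbound_accepted = s.get(("outbound", "ACCEPT"), set())
    return {
        "A": 80 in s.get(("internal", "ACCEPT"), set()),              # internal port 80 allowed
        "B": 80 in outbound_rejected and 80 not in outbound_accepted,  # outbound HTTP blocked
        "C": 443 in outbound_rejected,                                 # outbound HTTPS rejected
        "D": all(r.action == "ACCEPT" for r in records),               # everything accepted
    }


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    for rec in recs:
        print(f"{direction(rec):9} port {service_port(rec):<5} {rec.action}")
    print(evaluate_statements(recs))
```

A REJECT in flow logs means a security group or network ACL dropped the traffic; the record does not say which, so the next step in a real investigation is to compare the outbound rules on the instance's security group and the subnet's NACL for the rejected port.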
