AWS Certified DevOps Engineer Professional DOP-C02 (DOP-C02) — Questions 14261500

1740 questions total · 24pages · All types, answers revealed

Page 19

Page 20 of 24

Page 21
1426
MCQeasy

A company uses AWS Key Management Service (KMS) to encrypt data at rest. The security team needs to know who attempted to decrypt data using a specific KMS key and whether the attempt succeeded. Which AWS service should the team use?

A.AWS Config
B.KMS key policies
C.AWS CloudTrail
D.CloudWatch Logs
AnswerC

CloudTrail logs all KMS API calls.

Why this answer

AWS CloudTrail is the correct service because it records all KMS API calls, including Decrypt, Encrypt, and GenerateDataKey, as events in the CloudTrail logs. By examining CloudTrail events for the specific KMS key ID, the security team can see who called the Decrypt API and whether the call succeeded (HTTP 200) or failed (e.g., AccessDenied). This provides the exact audit trail needed for incident response.

Exam trap

The trap here is that candidates confuse AWS Config (which tracks resource configuration) with CloudTrail (which tracks API activity), or they assume KMS key policies themselves provide audit logs, when in fact policies only control permissions and do not generate event records.

How to eliminate wrong answers

Option A is wrong because AWS Config evaluates resource compliance against rules and records configuration changes, but it does not capture API-level actions like decryption attempts. Option B is wrong because KMS key policies define who can use the key and under what conditions, but they do not generate logs or provide historical audit records of decryption attempts. Option D is wrong because CloudWatch Logs can store log data from various sources, but it is not the native service for capturing KMS API calls; CloudTrail is the service that generates those logs, which can optionally be sent to CloudWatch Logs.

1427
MCQmedium

A development team is implementing a CI/CD pipeline using AWS CodePipeline. The pipeline has a Source stage connected to an Amazon S3 bucket, a Build stage using AWS CodeBuild, and a Deploy stage that deploys to an Amazon ECS cluster. The team notices that the pipeline fails intermittently during the Build stage with a 'BUILD_CONTAINER_UNABLE_TO_PULL_IMAGE' error. What is the most likely cause?

A.The CodeBuild project is in a different AWS Region than the CodePipeline pipeline.
B.The CodeBuild project is configured to run in a VPC without a NAT gateway, and the build image is pulled from a public registry.
C.The S3 bucket where the source code is stored has a bucket policy denying access to the CodeBuild service role.
D.The CodeBuild project does not have enough memory or vCPU allocated.
AnswerB

Without a NAT gateway, the build container cannot access the public internet to pull the image.

Why this answer

Option C is correct because CodeBuild builds run in a VPC that must have a route to pull Docker images from public registries; if the VPC does not have a NAT gateway or internet gateway, the build container cannot pull the base image. Option A is wrong because CodePipeline does not require CodeBuild to be in the same region. Option B is wrong because the error is about pulling the image, not insufficient resources.

Option D is wrong because S3 policy does not affect image pulling.

1428
MCQmedium

A company's incident response process requires that all changes to production resources are automatically paused when a P1 incident is declared. Which AWS service can be used to enforce this by preventing modifications to CloudFormation stacks?

A.AWS Systems Manager Change Manager
B.AWS CloudFormation StackSets with a service control policy (SCP)
C.AWS Config rules with remediation
D.AWS CloudTrail with Insights
AnswerB

A SCP can deny UpdateStack operations during an incident.

Why this answer

Option B is correct because CloudFormation StackSets with a service control policy (SCP) can prevent stack updates. Option A is wrong because CloudTrail is logging. Option C is wrong because Config evaluates compliance, does not prevent changes.

Option D is wrong because Systems Manager Change Manager requires manual approval, not automatic pause.

1429
MCQmedium

A DevOps engineer runs the above command and sees that one target is unhealthy with reason 'Target.Timeout'. The target is an EC2 instance running a web server on port 80. The security group for the instance allows inbound traffic on port 80 from the ALB's security group. What is the most likely cause of the health check failure?

A.The instance does not have a public IP address.
B.The instance's network ACL is blocking inbound traffic from the internet.
C.The web server on the instance is not responding to health check requests on port 80.
D.The security group for the ALB does not allow outbound traffic to the instance.
AnswerC

Timeout indicates no response from the web server.

Why this answer

Option B is correct. The 'Target.Timeout' reason indicates that the health check request timed out, meaning the instance is not responding within the timeout period. The most common cause is that the web server is not running or is not listening on the correct port.

Option A is wrong because the security group already allows traffic from the ALB. Option C is wrong because the health check is from the ALB, not the internet. Option D is wrong because the health check is to the instance's IP, not a public IP.

1430
MCQeasy

A company runs a production web application on Amazon EC2 instances that are part of an Auto Scaling group. The instances are behind an Application Load Balancer. The DevOps team has enabled detailed CloudWatch metrics and set up a CloudWatch dashboard to monitor the application. Recently, the team noticed that the CPU Utilization metric for the Auto Scaling group shows a spike every day at 2:00 PM, but the application performance remains normal. The team wants to investigate the cause of the CPU spike. What should the team do FIRST to identify the root cause?

A.Enable AWS CloudTrail to log all API calls to the instances.
B.Use CloudWatch Logs Insights to query the application logs on the instances to identify any scheduled tasks or jobs running at 2:00 PM.
C.Disable any scheduled tasks on the instances to see if the spike stops.
D.Increase the instance size to provide more CPU capacity to handle the spike.
AnswerB

Logs Insights allows querying logs from EC2 instances, which can reveal scheduled tasks causing CPU spikes.

Why this answer

Option A is correct because CloudWatch Logs Insights can query instance logs to identify processes causing high CPU. Option B is wrong because increasing instance size is not a first step for investigation. Option C is wrong because a cron job may be the cause, but the first step is to check logs.

Option D is wrong because CloudTrail logs API calls, not CPU usage.

1431
MCQeasy

A developer wants to use AWS CloudFormation to create an Amazon RDS DB instance. The template includes a DB instance resource. Which property is required for the DB instance to be created successfully?

A.DBInstanceClass and Engine
B.AllocatedStorage
C.DBInstanceIdentifier
D.MasterUsername and MasterUserPassword
AnswerA

These are required properties for the DB instance resource.

Why this answer

In AWS CloudFormation, when creating an Amazon RDS DB instance using the AWS::RDS::DBInstance resource, the only truly required properties are DBInstanceClass (the compute and memory capacity) and Engine (the database engine, e.g., MySQL, PostgreSQL). These two properties are mandatory in the CloudFormation resource specification; without them, the template will fail validation. All other properties, such as AllocatedStorage, DBInstanceIdentifier, MasterUsername, and MasterUserPassword, have default behaviors or can be omitted under certain conditions (e.g., AllocatedStorage defaults to 20 GB for some engines, and MasterUsername/MasterUserPassword are not required if you use a snapshot or a source DB instance).

Exam trap

The trap here is that candidates often assume MasterUsername and MasterUserPassword are always required because they are mandatory in the AWS Management Console wizard, but CloudFormation allows omitting them when the DB instance is created from a snapshot or as a read replica, making DBInstanceClass and Engine the only universally required properties.

How to eliminate wrong answers

Option B is wrong because AllocatedStorage is not required; CloudFormation will use a default value (typically 20 GB) if not specified, and the DB instance can still be created successfully. Option C is wrong because DBInstanceIdentifier is optional; if omitted, CloudFormation automatically generates a unique identifier for the DB instance. Option D is wrong because MasterUsername and MasterUserPassword are not required when creating a DB instance from a snapshot or when specifying a source DB instance identifier; they are only required for a fresh, empty DB instance creation.

1432
MCQhard

A DevOps engineer observes the CloudWatch alarm output shown in the exhibit. The alarm is in ALARM state for instance i-0abcd1234efgh5678. The engineer checks the EC2 console and sees that the instance's CPU utilization is currently 10%. What is the MOST likely explanation?

A.The alarm is misconfigured with wrong metric
B.The threshold was set too low
C.The alarm has not yet evaluated enough low datapoints to change state
D.The CPUUtilization metric is not being emitted
AnswerC

Alarm remains ALARM until it evaluates consecutive OK datapoints.

Why this answer

Option D is correct because the alarm evaluated only 1 datapoint (EvaluationPeriods=1) and the CPU spiked to 100% at 09:55, triggering the alarm. It has since dropped, but the alarm state persists until manually reset or until it transitions to OK after enough low datapoints. Option A is wrong because the metric exists.

Option B is wrong because the threshold is 90%. Option C is wrong because the alarm is correctly configured.

1433
Multi-Selecthard

A security team wants to automatically detect and remediate S3 buckets that are publicly accessible across multiple AWS accounts. Which solution is MOST efficient and scalable? (Choose THREE.)

Select 3 answers
A.Use AWS Trusted Advisor to check for open S3 buckets and send alerts.
B.Apply a service control policy (SCP) to deny s3:PutBucketAcl that makes buckets public.
C.Manually review each account's S3 bucket permissions weekly.
D.Use AWS Config with a managed rule to detect publicly accessible S3 buckets.
E.Use Amazon CloudWatch Events to trigger a Lambda function that remediates non-compliant buckets.
AnswersB, D, E

SCPs can prevent actions that make buckets public.

Why this answer

Options A, C, and E are correct. AWS Config can evaluate rules across accounts. SCPs can prevent public access.

Centralized logging via CloudWatch Events enables automation. Option B is wrong because manual review is not scalable. Option D is wrong because Trusted Advisor is per-account and manual.

1434
Multi-Selectmedium

A DevOps engineer is designing a monitoring solution for a multi-account AWS environment using AWS Organizations. The solution must collect logs from all accounts into a centralized Amazon S3 bucket for analysis. Which THREE steps are required to set up this centralized logging?

Select 3 answers
A.Enable VPC Flow Logs for all VPCs in every account and send them to the centralized bucket
B.Create an S3 bucket in the central logging account with bucket policies allowing cross-account writes
C.Enable AWS CloudTrail in each account and configure it to deliver logs to the centralized S3 bucket
D.Set up Amazon Kinesis Data Streams in the central account to ingest logs from all accounts
E.Configure Amazon CloudWatch Logs subscription filters to stream logs from each account to the centralized S3 bucket via Kinesis Data Firehose
AnswersB, C, E

The bucket must allow other accounts to write logs.

Why this answer

Options A, B, and D are correct. Creating a log archive bucket with appropriate cross-account permissions, enabling CloudTrail in all accounts with the same S3 bucket, and configuring CloudWatch Logs to export to the centralized bucket. Option C is wrong because VPC Flow Logs are not required for all accounts.

Option E is wrong because Kinesis is not necessary; S3 is sufficient.

1435
MCQhard

A company uses an NLB to distribute traffic to a fleet of EC2 instances in a single Availability Zone. During a recent AWS outage in that zone, the application became completely unavailable. The company wants to achieve high availability without rearchitecting the application. Which change is MOST appropriate?

A.Use a larger instance type and enable detailed CloudWatch monitoring
B.Replace the NLB with an Application Load Balancer and enable cross-zone load balancing
C.Create an Auto Scaling group with a scheduled scaling policy to add instances during peak hours
D.Launch EC2 instances in a second Availability Zone and register them with the NLB target group
AnswerD

Distributes traffic across zones, providing high availability.

Why this answer

Option D is correct because NLB automatically routes traffic to healthy targets across Availability Zones when targets are registered. Option A is wrong because ALB is not required; NLB can handle multi-AZ. Option B is wrong because instance type does not affect availability.

Option C is wrong because it does not address zone failure.

1436
MCQeasy

A development team uses AWS CodeCommit as a Git repository. They want to automatically trigger a build in AWS CodeBuild whenever a pull request is created or updated. Which AWS service should be used to detect the pull request events and start the build?

A.Amazon Simple Notification Service (SNS)
B.AWS CodePipeline
C.Amazon CloudWatch Logs
D.Amazon EventBridge
AnswerD

Amazon EventBridge can detect CodeCommit events and trigger CodeBuild.

Why this answer

Option A is correct because Amazon EventBridge can monitor AWS CodeCommit events (like pull request creation) and trigger an AWS CodeBuild build using a rule. Option B is incorrect because CodePipeline is a continuous delivery service, not an event detection service. Option C is incorrect because CloudWatch Logs does not detect events; it stores logs.

Option D is incorrect because SNS is a notification service, not a trigger for CodeBuild.

1437
MCQmedium

A company uses AWS Organizations with SCPs to restrict access to services. The security team needs to ensure that no IAM user or role in any account can create or modify VPCs. Which SCP should be applied to the root OU?

A.{"Version":"2012-10-17","Statement":[{"Effect":"Deny","Action":"ec2:ModifyVpc","Resource":"*"}]}
B.{"Version":"2012-10-17","Statement":[{"Effect":"Deny","Action":"ec2:CreateVpc","Resource":"*"}]}
C.{"Version":"2012-10-17","Statement":[{"Effect":"Deny","Action":["ec2:CreateVpc","ec2:ModifyVpc"],"Resource":"*"}]}
D.{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["ec2:CreateVpc","ec2:ModifyVpc"],"Resource":"*"}]}
AnswerC

Correctly denies both CreateVpc and ModifyVpc.

Why this answer

Option C is correct because it denies both the ec2:CreateVpc and ec2:ModifyVpc actions, which covers all operations that could create or modify VPCs. A service control policy (SCP) with a Deny effect overrides any Allow permissions, ensuring that no IAM user or role in any account under the root OU can perform these actions, even if attached IAM policies grant them.

Exam trap

The trap here is that candidates often focus on only one action (Create or Modify) and forget that both are needed to fully prevent VPC creation and modification, or they mistakenly think an Allow SCP can restrict access when SCPs are primarily used for Deny boundaries.

How to eliminate wrong answers

Option A is wrong because it only denies ec2:ModifyVpc, leaving the ec2:CreateVpc action unblocked, so users could still create new VPCs. Option B is wrong because it only denies ec2:CreateVpc, leaving ec2:ModifyVpc unblocked, so existing VPCs could still be modified. Option D is wrong because an Allow statement in an SCP does not restrict access; SCPs are used to deny or allow permissions, but an Allow SCP does not override other Deny policies and, more importantly, does not prevent the actions—it would actually permit them, which is the opposite of the security team's requirement.

1438
MCQmedium

A company uses AWS CodePipeline for CI/CD. A recent deployment to an Amazon ECS service failed because the new task definition referenced an ECR image that does not exist. The pipeline uses a source stage (CodeCommit), build stage (CodeBuild), and deploy stage (ECS). The engineer wants to catch such errors earlier. What should the engineer add to the pipeline?

A.Add an invoke action that calls a Lambda function to check the image.
B.Add a manual approval step before the deploy stage.
C.Add a test stage that runs a script to verify the image exists in ECR.
D.Add a second build stage that re-builds the image.
AnswerC

A test stage can validate the image tag before deployment.

Why this answer

Option C is correct because adding a test stage after the build stage to validate the image existence in ECR would catch the error before deployment. Option A is wrong because adding a manual approval does not automatically catch the error. Option B is wrong because adding a second build stage does not validate the image.

Option D is wrong because adding an invoke action to run a Lambda function would require custom code and is possible but not a built-in validation; however, Option C is more straightforward.

1439
Multi-Selecthard

A company manages multiple AWS accounts using AWS Organizations. The DevOps team needs to enforce that all newly created S3 buckets in any account automatically have versioning enabled and are encrypted with SSE-S3. Which THREE steps should the team take to achieve this using Infrastructure as Code and policy-based controls?

Select 3 answers
A.Create an SCP that denies s3:PutObject if the bucket does not have encryption enabled.
B.Configure AWS CodePipeline to run a script that checks bucket configurations after creation.
C.Manually configure each new bucket via the AWS Management Console.
D.Use AWS CloudFormation StackSets to deploy a template that creates S3 buckets with required settings in all accounts.
E.Deploy an AWS Config managed rule to check that S3 buckets have versioning enabled, with automatic remediation using SSM Automation.
AnswersA, D, E

SCPs can restrict API calls across accounts, enforcing encryption at creation time.

Why this answer

Using a Service Control Policy (SCP) (A) prevents creation of buckets without encryption. AWS Config Rules (B) can remediate non-compliant buckets. CloudFormation StackSets (D) deploy a baseline template to all accounts.

Option C (manual) is not scalable; E (CodePipeline only) does not enforce policies.

1440
MCQhard

A company uses RDS Multi-AZ with a read replica. During a failover test, the application experiences a 30-second write outage. The application uses a single DB endpoint. How can the outage be minimized?

A.Increase the instance class to improve failover performance.
B.Use RDS Proxy to handle database connections and failover.
C.Use a Route 53 weighted record with health checks to point to both instances.
D.Configure the application to use the read replica endpoint for writes.
AnswerB

RDS Proxy reduces failover impact by pooling connections and rerouting quickly.

Why this answer

Option C is correct because using the RDS proxy with connection pooling and failover handling reduces the outage window by automatically rerouting connections. Option A is wrong because Multi-AZ already provides a standby, but DNS propagation takes time. Option B is wrong because multiple write endpoints are not supported.

Option D is wrong because increasing instance size does not reduce failover time.

1441
MCQhard

Refer to the exhibit. An IAM policy is attached to a group. A user in the group tries to stop an EC2 instance in us-east-1. What will happen?

A.The action is denied because the policy does not explicitly allow stopping an instance that is running.
B.The action is denied because the Deny statement is ambiguous and could apply to StopInstances.
C.The action is allowed only if the instance is in a stopped state.
D.The action is allowed because StopInstances is explicitly allowed and not denied.
AnswerD

Explicit Allow overrides implicit Deny.

Why this answer

Option D is correct because the policy explicitly allows ec2:StopInstances for all resources, and there is no explicit deny for StopInstances. The Deny only applies to TerminateInstances. Option A is incorrect because StopInstances is allowed.

Option B is incorrect because the Deny is not ambiguous. Option C is incorrect because there is no condition key about instance state.

1442
MCQeasy

A company is designing a multi-region active-active architecture for a stateless web application. The application uses a DynamoDB table as its data store. The company wants to minimize write latency and ensure that writes are accepted in any region with eventual consistency. Which DynamoDB feature should they use?

A.DynamoDB read replicas in each region.
B.Cross-region replication using AWS Lambda function.
C.DynamoDB global tables.
D.DynamoDB Accelerator (DAX) with multi-region endpoints.
AnswerC

Global tables provide multi-region, multi-master replication for active-active.

Why this answer

Option B is correct because DynamoDB global tables provide multi-region, multi-master replication for active-active applications. Option A is wrong because DynamoDB Accelerator (DAX) is a cache for read-heavy workloads, not multi-region writes. Option C is wrong because cross-region replication with Lambda is not built-in and adds complexity.

Option D is wrong because read replicas do not accept writes.

1443
MCQhard

Refer to the exhibit. A developer runs this buildspec in CodeBuild to deploy a CDK application. The build succeeds, but the CDK stack is not deployed. What is the MOST likely reason?

A.The 'npx cdk deploy' command should be in the build phase, not post_build.
B.The CDK application has not been bootstrapped in the target account.
C.The Node.js runtime version 14 is incompatible with the CDK version.
D.The IAM role for CodeBuild does not have permission to create CloudFormation stacks.
AnswerB

CDK requires bootstrapping to deploy stacks; otherwise, the deploy command fails silently or with an error.

Why this answer

Option A is correct because CDK synth outputs to 'cdk.out' by default, but the artifacts specify 'cdk.out' as base-directory, so the deploy command runs in the build environment, not from the artifacts. However, the issue is that 'cdk deploy' runs in the build phase but the artifacts are collected after; but actually the deploy should happen in post_build. The more likely reason is that the CDK stack requires bootstrapping.

Option B is incorrect because the runtime is sufficient. Option C is incorrect because the commands are valid. Option D is incorrect because the permissions might be missing, but the error would be different.

1444
MCQmedium

A company is using AWS CloudTrail to log API activity. The security team needs to ensure that any attempt to disable CloudTrail logging is immediately detected and alerted. What is the MOST secure and efficient way to achieve this?

A.Use AWS Trusted Advisor to check CloudTrail configuration and email the security team.
B.Enable Amazon GuardDuty and configure a custom threat list to monitor CloudTrail API calls.
C.Create an AWS Config rule to detect changes to CloudTrail configuration and send an SNS notification.
D.Create an Amazon CloudWatch Events rule that matches the UpdateTrail API call and triggers an SNS notification.
AnswerD

CloudWatch Events can match API calls in real time and trigger actions.

Why this answer

Option C is correct because a CloudWatch Events rule can capture the UpdateTrail API call and trigger an SNS notification for immediate alerting. Option A is wrong because Config rules evaluate resource configurations but do not provide real-time notifications. Option B is wrong because GuardDuty focuses on threat detection, not configuration changes.

Option D is wrong because Trusted Advisor provides best-practice checks but not real-time alerts.

1445
MCQhard

A company uses AWS Lambda functions to process events from Amazon SQS. Recently, the Lambda function has been throttled, causing messages to accumulate in the dead-letter queue (DLQ). The function’s reserved concurrency is set to 100, and the account’s regional concurrency limit is 1000. What is the MOST likely cause of the throttling?

A.The function’s concurrency is fully utilized due to long-running invocations
B.The Lambda function has a cold start issue
C.The SQS queue is not configured as a FIFO queue
D.The reserved concurrency is set too high, exceeding the account limit
AnswerA

If invocations overlap, they consume the reserved concurrency and cause throttling.

Why this answer

Option D is correct because if the function’s reserved concurrency is 100 and the account-level limit is 1000, throttling could be due to the function exhausting its own concurrency if it has long-running invocations. Option A is wrong because 100 reserved is not above the account limit. Option B is wrong because SQS standard queue does not require FIFO.

Option C is wrong because cold starts cause latency but not throttling.

1446
Multi-Selecthard

A company is designing a disaster recovery plan for a MySQL database running on Amazon RDS. The database is critical and must have an RPO of 5 minutes and an RTO of 1 hour. The primary Region is us-east-1, and the DR Region is us-west-2. Which TWO steps should the company take to meet these requirements? (Choose TWO.)

Select 2 answers
A.Create a cross-Region read replica in us-west-2.
B.Enable automated backups with a 5-minute backup window.
C.Configure cross-Region automated snapshot copy to us-west-2.
D.Set up a process to promote the read replica to a standalone instance in us-west-2 during a disaster.
E.Enable Multi-AZ deployment in us-east-1.
AnswersA, D

Cross-Region read replicas replicate with low lag, achieving RPO under 5 minutes.

Why this answer

A cross-Region read replica in us-west-2 provides a near-real-time copy of the primary database, with replication lag typically measured in seconds, easily meeting the 5-minute RPO. During a disaster, promoting this read replica to a standalone instance in us-west-2 can be completed in minutes, satisfying the 1-hour RTO. This approach avoids the recovery time needed to restore from a snapshot or backup.

Exam trap

The trap here is that candidates confuse Multi-AZ (which provides automatic failover within a Region) with cross-Region disaster recovery, or assume that automated backups or snapshot copies can meet a low RPO/RTO when they actually require time-consuming restore operations.

1447
MCQhard

A company is using AWS CodePipeline to deploy applications. The pipeline source is an S3 bucket that receives artifacts from a third-party vendor. The DevOps team needs to ensure that only artifacts signed by the vendor's KMS key are deployed. Which approach meets this requirement?

A.Use an IAM policy to restrict s3:GetObject to objects encrypted with the vendor's KMS key.
B.Use CodePipeline's built-in artifact signing feature.
C.Use S3 pre-signed URLs to download artifacts.
D.Configure S3 server-side encryption with AWS KMS using the vendor's KMS key and allow only that key.
AnswerD

Enables verification that objects are encrypted with the expected key.

Why this answer

Option C is correct because S3 supports envelope encryption with KMS, and the pipeline can verify the KMS key. Option A is wrong because S3 signed URLs do not verify the origin of the content. Option B is wrong because IAM policies can't enforce encryption on specific keys.

Option D is wrong because CodePipeline does not natively support artifact signing verification.

1448
MCQeasy

A DevOps engineer needs to deploy a configuration management solution that can manage both Windows and Linux servers across on-premises and AWS environments. The solution must support a Git-based workflow for version control of configurations. Which AWS service should the engineer choose?

A.AWS CloudFormation
B.AWS OpsWorks for Chef Automate
C.AWS Elastic Beanstalk
D.AWS CodeDeploy
AnswerB

Chef Automate supports Git-based workflows and manages both Windows and Linux servers.

Why this answer

AWS OpsWorks for Chef Automate is the correct choice because it provides a fully managed Chef Automate server that supports configuration management for both Windows and Linux servers across on-premises and AWS environments. Chef uses a Git-based workflow for version control of cookbooks, enabling DevOps teams to store, version, and manage configurations as code in a Git repository.

Exam trap

The trap here is that candidates often confuse Infrastructure as Code services like CloudFormation with configuration management tools, failing to recognize that CloudFormation manages AWS resource provisioning while Chef Automate handles OS-level configuration drift across both Windows and Linux servers.

How to eliminate wrong answers

Option A is wrong because AWS CloudFormation is an Infrastructure as Code (IaC) service for provisioning AWS resources using templates, not a configuration management tool for managing OS-level settings on existing servers. Option C is wrong because AWS Elastic Beanstalk is a Platform as a Service (PaaS) for deploying web applications, not a configuration management solution for managing server configurations across hybrid environments. Option D is wrong because AWS CodeDeploy is a deployment service for automating application code deployments to compute instances, not a configuration management tool for enforcing desired state configurations on servers.

1449
MCQmedium

A DevOps team is using AWS CodePipeline to automate deployments. The pipeline has a source stage (CodeCommit), a build stage (CodeBuild), and a deploy stage (CodeDeploy). The team wants to add a manual approval step before the deploy stage to ensure that only authorized personnel can approve production deployments. Which action should be taken to implement this requirement?

A.Add an AWS Lambda function as a transition action between the build and deploy stages that sends an email to the approver and waits for a response.
B.Create a CodeDeploy deployment group with a manual approval step in the deployment configuration.
C.Configure an Amazon SNS topic to send an approval request email to the approver, and use a Lambda function to resume the pipeline upon approval.
D.Add a manual approval action to the pipeline between the build and deploy stages, and configure the SNS topic to notify the approvers.
AnswerD

CodePipeline supports manual approval actions that pause the pipeline until approved.

Why this answer

Option D is correct because AWS CodePipeline natively supports a manual approval action that can be inserted as a stage between build and deploy. This action pauses the pipeline and sends a notification via an SNS topic to the configured approvers. The pipeline only resumes when an authorized user clicks the 'Approve' button in the CodePipeline console or API, ensuring that only authorized personnel can approve production deployments.

Exam trap

The trap here is that candidates often confuse CodeDeploy's deployment configuration options (like traffic shifting or validation hooks) with pipeline-level approval actions, or they assume a custom Lambda function can replace the native approval action, missing the fact that CodePipeline provides a fully managed, auditable approval workflow.

How to eliminate wrong answers

Option A is wrong because AWS Lambda cannot act as a transition action in CodePipeline; transitions are automatic and cannot be replaced by custom functions. Option B is wrong because CodeDeploy deployment groups do not have a manual approval step in their deployment configuration; manual approvals are a pipeline-level feature, not a CodeDeploy feature. Option C is wrong because while an SNS topic can send approval emails, using a Lambda function to resume the pipeline bypasses the built-in approval workflow and security controls of CodePipeline, and the pipeline would not properly wait for the approval response.

1450
MCQmedium

A DevOps engineer needs to securely store database credentials for an application running on EC2. The credentials must be rotated automatically every 30 days. Which solution meets these requirements?

A.Use AWS Secrets Manager to store the credentials and configure automatic rotation with the RDS rotation Lambda blueprint.
B.Store credentials in AWS Systems Manager Parameter Store and use a Lambda function to rotate them.
C.Store credentials in an S3 bucket encrypted with KMS and use S3 Lifecycle policies to rotate the objects.
D.Use IAM roles to grant the EC2 instance access to the database, eliminating the need for credentials.
AnswerA

Secrets Manager supports automatic rotation via Lambda, including a built-in RDS rotation template.

Why this answer

AWS Secrets Manager is the correct choice because it is purpose-built for securely storing, managing, and automatically rotating database credentials. It provides a built-in RDS rotation Lambda blueprint that can be configured to rotate credentials every 30 days without custom code. This fully managed rotation capability meets the requirement for automatic, scheduled rotation with minimal operational overhead.

Exam trap

The trap here is that candidates often confuse AWS Systems Manager Parameter Store's ability to store secrets (with SecureString) with the automatic rotation capability, but Parameter Store lacks built-in rotation scheduling and requires custom Lambda code, making Secrets Manager the only fully managed solution for automatic credential rotation.

How to eliminate wrong answers

Option B is wrong because AWS Systems Manager Parameter Store does not natively support automatic rotation of credentials; while you can use a Lambda function to rotate them, this requires custom development and lacks the built-in rotation scheduling and integration with RDS that Secrets Manager provides. Option C is wrong because S3 Lifecycle policies are designed for object expiration and transition, not for rotating credential values; they cannot update the content of an object or trigger a credential change. Option D is wrong because IAM roles grant permissions to AWS services, not to databases; while IAM database authentication is supported for RDS (using an auth token), it eliminates the need for static credentials but does not involve rotating stored credentials every 30 days, and the question explicitly requires storing and rotating credentials.

1451
MCQhard

A company runs a containerized application on Amazon ECS with Fargate. The application needs to access an S3 bucket. The Security team requires that the application never uses long-term credentials and that access is scoped to the specific ECS task. Which approach should be used?

A.Embed the IAM user credentials in the container image
B.Store AWS access keys in AWS Secrets Manager and retrieve them at runtime
C.Use an IAM role for the EC2 instance if using EC2 launch type
D.Create an IAM role for the ECS task and reference it in the task definition
AnswerD

The task IAM role provides temporary credentials automatically, scoped to the task.

Why this answer

Option D is correct because ECS tasks using the Fargate launch type can assume an IAM role that is specified in the task definition. This IAM role provides temporary credentials via the ECS task metadata endpoint, ensuring that the application never uses long-term credentials and that permissions are scoped precisely to that task. The Security team's requirements are fully met by this approach.

Exam trap

The trap here is that candidates may confuse the IAM role for the EC2 instance (Option C) with the ECS task role, or assume that Secrets Manager (Option B) is acceptable despite it still using long-term credentials, failing to recognize that Fargate tasks require a task-level IAM role for scoped, temporary access.

How to eliminate wrong answers

Option A is wrong because embedding IAM user credentials in the container image violates the requirement to never use long-term credentials and creates a security risk if the image is compromised. Option B is wrong because while Secrets Manager can securely store AWS access keys, those keys are still long-term credentials, which the Security team explicitly prohibits. Option C is wrong because the question specifies Fargate launch type, not EC2; an IAM role for the EC2 instance would not apply to Fargate tasks, and even with EC2 launch type, it would not scope access to the specific ECS task.

1452
MCQhard

A DevOps engineer is troubleshooting an AWS OpsWorks for Chef Automate deployment. The Chef server is configured with a custom run list that includes a recipe to install and configure an application. The test environment works correctly, but in the production environment, the application fails to start. The Chef client logs show that the recipe executed successfully, but the application process is not running. What is the most likely cause of this issue?

A.The OpsWorks stack is configured to use 'auto-healing' which automatically terminates and replaces instances that fail to start the application.
B.The Chef server in production is running a different version of Chef than the test environment, causing the recipe to behave differently.
C.The IAM instance profile attached to the production EC2 instance does not have the necessary permissions to start the application service.
D.The Chef recipe does not include a 'service' resource to start the application; it only installs the package.
AnswerC

The instance profile must allow actions like ec2:StartInstances or ssm:StartAutomationExecution if the recipe uses those, or the application may need permissions to access resources.

Why this answer

Option C is correct because the IAM instance profile determines the AWS API permissions available to the EC2 instance. If the profile lacks permissions to call the service startup API (e.g., `ec2:StartInstances` or `autoscaling:CompleteLifecycleAction`), or to access required resources like an EFS mount target or Secrets Manager secret, the Chef recipe's service resource may execute without error but the underlying systemd or init daemon cannot actually start the application process. The Chef client logs only show recipe execution success, not the outcome of the service start, so the application fails silently.

Exam trap

The trap here is that candidates assume a successful Chef client run guarantees the application is running, but the exam tests the distinction between recipe execution success and the actual outcome of system commands that depend on IAM permissions.

How to eliminate wrong answers

Option A is wrong because auto-healing in OpsWorks replaces instances that fail health checks, not instances where an application fails to start after successful recipe execution; the scenario describes a post-deployment failure, not an instance-level health failure. Option B is wrong because Chef server version differences would typically cause syntax or resource errors during recipe compilation, not a silent failure where the recipe executes successfully but the application does not run; the logs confirm successful execution. Option D is wrong because the question states the recipe includes a custom run list to install and configure the application, and the logs show successful execution; if the recipe lacked a service resource, the application would never be started, but the logs would not show a successful start attempt—the issue is that the start attempt fails due to permissions.

1453
MCQmedium

A company uses AWS CodeBuild to build and test code. The build process needs to access a private Amazon RDS database to run integration tests. What is the most secure way to provide database credentials to the build project?

A.Store the credentials as environment variables in the build project configuration.
B.Store the credentials in AWS Systems Manager Parameter Store as a SecureString parameter.
C.Store the credentials in AWS Secrets Manager and grant the CodeBuild service role permission to retrieve them.
D.Store the credentials in an encrypted S3 bucket and download them during the build phase.
AnswerC

Secrets Manager provides secure, auditable access to secrets.

Why this answer

Option B is correct because AWS Secrets Manager provides secure storage and retrieval of secrets, and CodeBuild can access them using a service role. Option A is wrong because environment variables are visible in plain text. Option C is wrong because storing credentials in S3 is less secure and requires additional access.

Option D is wrong because parameter store does not support automatic rotation.

1454
MCQeasy

A company is using Amazon RDS for MySQL and wants to monitor database connections. They need to set up an alarm when the number of connections exceeds 80% of the maximum connections for more than 5 minutes. Which CloudWatch metric and statistic should be used?

A.DatabaseConnections metric with Maximum statistic
B.DatabaseConnections metric with Average statistic
C.DatabaseConnections metric with Sum and then divide by the number of data points
D.DatabaseConnections metric with Sum statistic
AnswerB

Average of DatabaseConnections over 5 minutes gives a good indication of sustained connection usage.

Why this answer

Option B is correct because the Average statistic of the DatabaseConnections metric over a 5-minute period provides a smoothed representation of connection usage, which is appropriate for detecting sustained breaches of the 80% threshold. Using Average reduces sensitivity to transient spikes, ensuring the alarm triggers only when the average number of connections remains above the threshold for the entire evaluation period, aligning with the requirement of 'more than 5 minutes'.

Exam trap

The trap here is that candidates often choose Maximum because they think it is the most conservative for detecting high usage, but they overlook that the requirement is for sustained breaches over 5 minutes, not instantaneous spikes, making Average the correct choice for avoiding false alarms.

How to eliminate wrong answers

Option A is wrong because the Maximum statistic captures the highest single data point within the period, which would trigger alarms on brief spikes even if the average stays below 80%, causing false positives. Option C is wrong because dividing the Sum by the number of data points is mathematically equivalent to the Average statistic, but this approach is unnecessarily complex and not a standard CloudWatch metric statistic; CloudWatch directly supports Average. Option D is wrong because the Sum statistic aggregates the total number of connections over the period, which is not meaningful for comparing against a percentage of maximum connections—Sum values scale with the number of data points and do not represent a per-moment connection count.

1455
MCQeasy

A company wants to ensure that its application can recover from an Amazon S3 service disruption. The application reads and writes data to S3. Which strategy should the application implement to achieve resilience?

A.Store all data in a single S3 bucket with versioning enabled
B.Implement application logic to fall back to an S3 bucket in a different Region if the primary bucket is unavailable
C.Enable S3 Cross-Region Replication with automatic failover
D.Use S3 Transfer Acceleration to improve data transfer speed
AnswerB

Cross-Region fallback provides resilience.

Why this answer

Option B is correct because implementing application logic to fall back to an S3 bucket in a different Region provides resilience against a regional S3 service disruption. S3 buckets are regional resources, so if one Region experiences an outage, the application can redirect reads and writes to a bucket in another Region. This approach requires the application to handle errors from the primary bucket and switch to the secondary bucket, ensuring continued availability without relying on automatic failover mechanisms that may not be instantaneous.

Exam trap

The trap here is that candidates often confuse S3 Cross-Region Replication (CRR) with automatic failover, but CRR is asynchronous and does not provide built-in failover; the application must still implement its own fallback logic to achieve resilience.

How to eliminate wrong answers

Option A is wrong because storing all data in a single S3 bucket with versioning enabled protects against accidental deletion or overwrite, but it does not provide resilience against a regional S3 service disruption, as the bucket is still tied to a single Region. Option C is wrong because S3 Cross-Region Replication (CRR) replicates objects asynchronously to another Region, but it does not include automatic failover; the application must still implement logic to detect the primary bucket's unavailability and switch to the replicated bucket. Option D is wrong because S3 Transfer Acceleration improves data transfer speed over long distances by using AWS edge locations, but it does not provide any resilience or failover capability during a regional S3 service disruption.

1456
MCQmedium

A company uses AWS Secrets Manager to rotate secrets for an RDS database. The rotation Lambda function fails with a timeout error. What is the most likely cause?

A.The Lambda function's execution role lacks the required IAM permissions.
B.The Lambda function is not configured to access the VPC where the RDS instance resides.
C.The secret rotation schedule is set to less than 24 hours.
D.The Lambda function does not have permission to access the S3 bucket.
AnswerB

Without VPC access, Lambda cannot reach the database, causing timeout.

Why this answer

The most likely cause of the timeout error is that the Lambda function is not configured to access the VPC where the RDS instance resides. When Secrets Manager rotates a secret for an RDS database, the rotation Lambda function must connect to the database to update the credentials. If the Lambda function is not attached to the same VPC (or a VPC with proper routing and security group rules), it cannot reach the RDS instance, causing network connection attempts to hang until the function times out.

Exam trap

The trap here is that candidates often confuse IAM permission errors (which produce immediate failures) with network connectivity issues (which cause timeouts), leading them to incorrectly select the IAM role option when the symptom is a timeout rather than an access denied error.

How to eliminate wrong answers

Option A is wrong because IAM permission issues typically result in an access denied error, not a timeout; the Lambda function would fail immediately with a 403 or similar, not hang until the timeout limit. Option C is wrong because the rotation schedule (e.g., every 24 hours or less) does not cause individual rotation executions to timeout; the schedule only controls how often rotation is triggered, not the duration of the Lambda invocation. Option D is wrong because Secrets Manager rotation for RDS does not require S3 bucket access; the Lambda function only needs network connectivity to the database and permissions to call Secrets Manager APIs, not S3.

1457
MCQhard

A company uses AWS Organizations with multiple accounts. The security team needs to automatically isolate a compromised EC2 instance by removing it from its security group and attaching a quarantine security group that only allows traffic to a forensic instance. Which combination of actions should be implemented?

A.Use Amazon GuardDuty to automatically modify the security group membership of the instance.
B.Use AWS Shield Advanced to automatically apply the quarantine security group to the instance.
C.Use AWS Lambda functions triggered by Amazon EventBridge to remove the instance from the security group and attach the quarantine group.
D.Use AWS Config rules with AWS Systems Manager Automation documents to automatically remove the instance from the security group and attach the quarantine group when non-compliant.
AnswerD

AWS Config can detect non-compliant instances (e.g., missing required tags) and trigger SSM Automation to perform remediation actions.

Why this answer

Option D is correct because AWS Config rules can evaluate security group membership compliance, and when a non-compliant EC2 instance is detected, an AWS Systems Manager Automation document can be triggered via a remediation action. This automation document can execute the steps to remove the instance from its current security group and attach a quarantine security group, providing a fully automated, event-driven isolation workflow without requiring custom code for orchestration.

Exam trap

The trap here is that candidates often assume any event-driven automation (like Lambda + EventBridge) is always the best answer, but AWS Config with Systems Manager Automation is the native, fully managed, and auditable solution for compliance-driven remediation without custom code.

How to eliminate wrong answers

Option A is wrong because Amazon GuardDuty is a threat detection service that generates findings but cannot directly modify security group membership; it requires an integration with AWS Lambda or EventBridge to perform remediation actions. Option B is wrong because AWS Shield Advanced is a DDoS protection service and has no capability to modify EC2 security group associations or apply quarantine groups. Option C is wrong because while Lambda functions triggered by EventBridge can technically perform the remediation, the question asks for a combination of actions that should be implemented, and AWS Config with Systems Manager Automation is the recommended, fully managed, and auditable approach that avoids the operational overhead of maintaining custom Lambda code and IAM permissions.

1458
MCQmedium

A company uses AWS Lambda functions to process incoming events. The DevOps team notices that some functions are timing out after 30 seconds, but the configured timeout is 1 minute. They want to capture the actual invocation duration for all invocations to analyze performance. What is the most efficient way to achieve this?

A.Add custom metrics using the AWS SDK within the Lambda function code to record the duration.
B.Configure Amazon Kinesis Data Streams to receive Lambda invocation records and compute duration using a consumer application.
C.Enable detailed CloudWatch Logs for the Lambda functions and parse the 'REPORT' log entries to extract the 'Duration' value.
D.Use AWS CloudTrail to capture Lambda execution events and analyze the 'duration' field.
AnswerC

Lambda automatically logs duration in the REPORT line; parsing these logs is efficient.

Why this answer

Option C is correct because Lambda automatically writes a REPORT log entry to CloudWatch Logs at the end of each invocation, which includes the exact 'Duration' in milliseconds. Parsing these logs is the most efficient approach since it requires no code changes, no additional infrastructure, and leverages existing logging with no extra cost beyond standard CloudWatch Logs ingestion.

Exam trap

The trap here is that candidates may confuse CloudTrail's 'duration' field (which measures API call latency) with the actual function execution duration, leading them to incorrectly select option D.

How to eliminate wrong answers

Option A is wrong because adding custom metrics via the AWS SDK within the function code requires modifying every function, introduces latency from SDK calls, and incurs additional CloudWatch custom metrics costs, making it less efficient than using built-in logs. Option B is wrong because configuring Kinesis Data Streams to receive invocation records is overly complex and costly; Lambda does not natively send invocation records to Kinesis, and building a consumer application to compute duration from streamed data is far less efficient than parsing existing logs. Option D is wrong because CloudTrail captures API calls (e.g., Invoke actions) but does not record the actual function execution duration; the 'duration' field in CloudTrail events refers to the API call latency, not the function's runtime.

1459
Multi-Selectmedium

A company is using AWS CloudFormation to deploy a critical application stack. The company wants to ensure that the stack can be recovered quickly in case of a failure. Which THREE strategies should the company implement? (Choose THREE.)

Select 3 answers
A.Disable rollback on stack creation failure to preserve resources for debugging.
B.Use StackSets to deploy the stack across multiple Regions.
C.Define the entire application in a single CloudFormation template.
D.Use nested stacks to separate components into reusable templates.
E.Use change sets to review changes before updating the stack.
AnswersB, D, E

StackSets enable multi-Region deployment for resilience.

Why this answer

Option B is correct because AWS CloudFormation StackSets allow you to deploy stacks across multiple AWS Regions and accounts from a single template, enabling multi-Region disaster recovery. By deploying the critical application stack in multiple Regions, you can quickly fail over to a secondary Region if the primary fails, meeting the requirement for rapid recovery.

Exam trap

The trap here is that candidates often confuse 'recovery' with 'debugging' and select disabling rollback (Option A) thinking it helps preserve resources, but it actually hinders recovery by leaving failed resources in place.

1460
MCQhard

An organization uses a multi-account AWS environment with AWS Organizations. During an incident, the security team needs to isolate a compromised account by preventing all API calls from that account's root user and IAM users. Which action should be taken?

A.Create a new IAM group with a deny-all policy and add all users to it.
B.Apply a service control policy (SCP) that denies all actions to the affected account's root user and all IAM users.
C.Attach an IAM policy denying all actions to all IAM users in that account.
D.Apply an SCP that denies all actions to the root user only.
AnswerB

SCPs can restrict both root and IAM users in the account.

Why this answer

Option D is correct because an SCP can deny all actions from the root user and IAM users in the affected account. Option A is wrong because it only affects the root user. Option B is wrong because IAM policies cannot restrict root user.

Option C is wrong because it only affects IAM users, not root.

1461
MCQeasy

A DevOps engineer notices that an EC2 instance running a critical application is unresponsive. The instance is part of an Auto Scaling group with a minimum size of 2. What is the quickest way to restore service with minimal data loss?

A.Stop and start the instance from the EC2 console.
B.Create a new AMI from the instance and launch a replacement manually.
C.Terminate the instance and let the Auto Scaling group launch a new one.
D.Restore the instance from the most recent EBS snapshot.
AnswerC

Auto Scaling will automatically replace the instance.

Why this answer

Option C is correct because terminating the unresponsive instance triggers the Auto Scaling group to automatically launch a replacement instance, restoring service with minimal data loss. Since the Auto Scaling group has a minimum size of 2, it will immediately detect the terminated instance and launch a new one using the launch template or configuration, ensuring the desired capacity is maintained without manual intervention.

Exam trap

The trap here is that candidates may think stopping and starting the instance (Option A) is the quickest fix, but they overlook that the Auto Scaling group's automated self-healing is designed exactly for this scenario and is faster than any manual recovery method.

How to eliminate wrong answers

Option A is wrong because stopping and starting the instance does not resolve the unresponsive state if the underlying issue is a software or OS hang; it also requires manual action and does not leverage the Auto Scaling group's self-healing capabilities. Option B is wrong because creating a new AMI from the unresponsive instance and manually launching a replacement is time-consuming, may propagate the failure state, and bypasses the automated recovery provided by the Auto Scaling group. Option D is wrong because restoring from the most recent EBS snapshot would revert the instance to a previous state, potentially causing significant data loss, and requires manual steps to attach the volume and launch a new instance, which is slower than letting the Auto Scaling group handle the replacement.

1462
MCQeasy

A DevOps engineer receives an alert that an EC2 instance's CPU utilization has been above 90% for the last 30 minutes. The engineer needs to investigate the root cause. Which AWS service should the engineer use to get OS-level process details and identify which process is consuming the CPU?

A.AWS Config
B.AWS CloudTrail
C.AWS Systems Manager Run Command
D.Amazon CloudWatch
AnswerC

Run Command can execute scripts on EC2 instances to collect OS-level details like running processes.

Why this answer

Option D is correct because Systems Manager Run Command can run scripts (e.g., 'top' or 'ps') on EC2 instances to get process-level details. Option A is wrong because CloudWatch metrics only show aggregated CPU utilization. Option B is wrong because CloudTrail logs API calls.

Option C is wrong because Config records configuration changes.

1463
Matchingmedium

Match each AWS service to its primary function in a DevOps pipeline.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Continuous delivery service for release pipelines

Fully managed continuous integration build service

Automates code deployments to any instance

Unified user interface for managing software development activities

Fully managed source control service hosting Git repositories

Why these pairings

These are the core AWS developer tools for CI/CD.

1464
MCQmedium

A company runs a serverless application using AWS Lambda functions that process messages from an Amazon SQS queue. The function scales up to handle high traffic but sometimes experiences throttling errors (HTTP 429) from Lambda. The company wants to improve the resilience of the application by reducing throttling. The SQS queue is configured as a Lambda event source with a batch size of 10. The Lambda function has a reserved concurrency of 100. Which combination of actions will best reduce throttling? (Choose the single best answer.)

A.Change the SQS queue to use a FIFO queue to guarantee exactly-once processing.
B.Increase the SQS batch size to 50 to process more messages per invocation.
C.Use a dead-letter queue (DLQ) for unprocessed messages and set up a CloudWatch alarm to trigger a second Lambda function to reprocess them.
D.Increase the Lambda function's reserved concurrency to 500.
AnswerD

Higher reserved concurrency allows more concurrent executions, reducing throttling.

Why this answer

Throttling errors (HTTP 429) occur when Lambda function invocations exceed the account-level concurrency limit or the function's reserved concurrency. By increasing the reserved concurrency from 100 to 500, the function can handle more concurrent invocations, reducing the likelihood of throttling when traffic spikes. This directly addresses the scaling bottleneck without changing the event source or message processing pattern.

Exam trap

The trap here is that candidates often confuse throttling with message processing failures and choose a dead-letter queue or batch size change, but the core issue is insufficient concurrency allocation, which only reserved concurrency adjustment can fix.

How to eliminate wrong answers

Option A is wrong because changing to a FIFO queue does not affect concurrency or throttling; FIFO queues guarantee exactly-once processing and message ordering but do not increase the invocation capacity of Lambda. Option B is wrong because increasing the batch size to 50 may reduce the number of invocations but does not prevent throttling if the reserved concurrency is still too low; it could even cause timeouts or processing delays if messages accumulate. Option C is wrong because a dead-letter queue and a second Lambda function handle failed messages after throttling occurs, but they do not prevent the initial throttling errors; they add complexity without addressing the root cause of insufficient concurrency.

1465
MCQhard

A company uses AWS CodeCommit for source control. Developers frequently push large binary files (e.g., compiled binaries, datasets) to the repository, causing repository size to grow and clone operations to become slow. What is the BEST approach to manage this?

A.Use S3 as the source in CodePipeline and skip CodeCommit for binaries.
B.Store binaries in a separate CodeCommit repository.
C.Increase the repository size limit by requesting a quota increase.
D.Enable Git LFS in CodeCommit and configure the large files to use LFS.
AnswerD

Git LFS is supported in CodeCommit and stores large files in S3, reducing repository size.

Why this answer

AWS CodeCommit repositories have a size limit (2 GB per repository) and are not optimized for large binaries. Using a separate S3 bucket with Git LFS is the standard approach.

1466
MCQmedium

A CloudFormation template includes the following resource: MySecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: My security group SecurityGroupIngress: - IpProtocol: tcp FromPort: 443 ToPort: 443 CidrIp: 0.0.0.0/0 MyInstance: Type: AWS::EC2::Instance Properties: ImageId: ami-0abcdef1234567890 InstanceType: t2.micro SecurityGroupIds: !Ref MySecurityGroup The stack creation fails with the error shown. What is the cause?

A.The SecurityGroupIds property must be a list, but !Ref returns a single value.
B.The SecurityGroupIds property must be a list of security group names, not IDs.
C.The security group ingress rule is invalid because it allows all traffic.
D.The ImageId is missing, so the security group validation fails first.
AnswerA

!Ref returns a string, not a list.

Why this answer

Option C is correct. The SecurityGroupIds property expects a list of security group IDs, but the !Ref MySecurityGroup returns a single string (the security group ID). To pass a list, you must use !Sub or a list literal like [!Ref MySecurityGroup].

Option A is incorrect because the security group definition is correct. Option B is incorrect because security groups can be referenced by ID. Option D is incorrect because the error is about format, not missing property.

1467
MCQmedium

A company runs a microservices application on Amazon ECS with Fargate. The application includes a service that processes messages from an Amazon SQS queue. Recently, the processing time has increased, and the SQS queue depth is growing. The CloudWatch metrics show that the ECS service's CPU utilization is consistently around 70%, memory utilization is 80%, and the number of running tasks is at the maximum allowed (10). The service is configured with a target tracking scaling policy based on CPU utilization with a target value of 50%. However, the auto scaling does not seem to be adding tasks. The engineer checks the ECS service events and finds no scaling activity. What is the MOST likely reason the auto scaling is not working, and what action should be taken to resolve the issue?

A.The service has reached the maximum number of tasks defined in the auto scaling configuration; increase the maximum tasks.
B.The scaling policy is not properly configured; recreate it with a lower target value.
C.The CloudWatch metric is not being emitted correctly; check the metric namespace.
D.The ECS service is using Fargate, which does not support target tracking scaling policies.
AnswerA

The max tasks is 10 and the service is at 10, so scaling cannot occur. Increasing the max allows scaling.

Why this answer

The auto scaling is not adding tasks because the ECS service has already reached the maximum number of tasks defined in the auto scaling configuration (10). With CPU utilization at 70% and the target tracking policy set to 50%, the policy would normally trigger scale-out actions, but since the maximum task count is already hit, no scaling activity occurs. The engineer must increase the maximum tasks in the auto scaling configuration to allow further scale-out.

Exam trap

The trap here is that candidates may assume the scaling policy itself is misconfigured or that Fargate lacks support for target tracking, when in reality the issue is the hard cap on the maximum number of tasks preventing any scale-out action.

How to eliminate wrong answers

Option B is wrong because the target value of 50% is appropriate; lowering it would not resolve the issue since the policy is not being triggered due to the max task limit, not the target value. Option C is wrong because CloudWatch metrics are being emitted correctly (CPU utilization is visible at 70%), so the metric namespace is not the problem. Option D is wrong because Fargate fully supports target tracking scaling policies for ECS services; this is a supported and common configuration.

1468
MCQmedium

A company runs a containerized application on Amazon EKS. The application uses an Application Load Balancer (ALB) as the ingress controller. The DevOps team wants to ensure that the application can automatically recover from node failures. The cluster consists of managed node groups across three Availability Zones. The team noticed that when a node fails, the pods on that node are not rescheduled for several minutes. The team wants to reduce the time to reschedule pods. Which configuration change should the team make?

A.Increase the pod disruption budget for the application deployments.
B.Enable the AWS node auto-repair feature on the managed node group.
C.Enable cluster autoscaler to add new nodes quickly.
D.Configure the kubelet on the nodes to have a lower node-monitor-grace-period and pod-eviction-timeout.
AnswerD

Reduces the time the control plane waits before marking the node as unhealthy and evicting pods.

Why this answer

Option B is correct because configuring the kubelet with a lower node-monitor-grace-period (e.g., 40 seconds) and pod-eviction-timeout reduces the time before the node is considered unhealthy and pods are evicted. Option A (increasing pod disruption budgets) would delay rescheduling. Option C (node auto-repair) is a managed feature but doesn't directly reduce pod rescheduling time.

Option D (cluster autoscaler) adds nodes but does not reduce rescheduling time for existing pods.

1469
MCQhard

A company uses AWS CodePipeline with an Amazon S3 source, AWS CodeBuild, and AWS CodeDeploy. The deployment stage fails intermittently with the error 'Deployment failed because the deployment group does not exist'. The pipeline has been working for months. What is the MOST likely cause?

A.The deployment group name contains a typo in the pipeline definition.
B.The IAM role for CodePipeline does not have sufficient permissions in all regions.
C.The pipeline's cross-region action configuration references the deployment group in a different region without specifying the region.
D.The pipeline was recreated without specifying the deployment group.
AnswerC

If the pipeline uses a cross-region action and the region is not specified, it defaults to the pipeline region, which may not have the deployment group, causing intermittent failures when the region changes.

Why this answer

Option D is correct because the deployment group ARN is passed as a parameter; if the region is not specified, the default region may differ from the pipeline's region. Option A is wrong because IAM permissions are not tied to region. Option B is wrong because the deployment group name is not case-sensitive.

Option C is wrong because the pipeline is not being recreated, only the deployment group reference changes.

1470
MCQmedium

A company is using AWS Elastic Beanstalk with a custom platform. They need to install a third-party agent on all instances. The agent requires a configuration file that contains sensitive credentials. How should the DevOps engineer provide the configuration file to the agent?

A.Use instance user data to write the configuration file during instance launch.
B.Embed the configuration file in the application source code and deploy it with the application.
C.Use .ebextensions configuration files to download the configuration from a secure S3 bucket using an IAM instance role.
D.Use AWS Systems Manager Run Command to distribute the configuration file after instances are launched.
AnswerC

Secure and automated.

Why this answer

Option C is correct because .ebextensions configuration files allow you to run custom commands and scripts during instance provisioning, and by combining this with an IAM instance role that grants read access to a secure S3 bucket, you can securely download the sensitive configuration file without embedding credentials in the source code or user data. This approach follows AWS best practices for handling secrets by avoiding hard-coded credentials and leveraging IAM roles for temporary, scoped access.

Exam trap

The trap here is that candidates often choose Option A (user data) because it seems like a simple provisioning step, but they overlook that user data is not encrypted and is visible in the EC2 console, making it unsuitable for secrets, whereas .ebextensions with S3 and IAM roles provide a secure, auditable method that aligns with the AWS shared responsibility model.

How to eliminate wrong answers

Option A is wrong because instance user data is stored in plain text and can be viewed by anyone with access to the EC2 console or instance metadata, making it insecure for sensitive credentials. Option B is wrong because embedding the configuration file in the application source code exposes the credentials in version control systems and deployment artifacts, violating security best practices. Option D is wrong because AWS Systems Manager Run Command is an operational tool for ad-hoc or scheduled tasks, not a provisioning mechanism; it would introduce a race condition if the agent starts before the configuration is delivered, and it does not integrate with the Elastic Beanstalk lifecycle hooks to ensure the file is present at boot.

1471
MCQmedium

A DevOps engineer is troubleshooting an issue where an EC2 instance cannot access an S3 bucket. The instance has an IAM role attached with a policy that allows s3:GetObject. The S3 bucket policy explicitly denies access to the instance's role. What is the result?

A.Access is denied only if the bucket is encrypted
B.Access is allowed only if the instance is in the same region
C.Access is allowed because the IAM role allows it
D.Access is denied because the bucket policy explicitly denies
AnswerD

The explicit deny in the bucket policy takes precedence over the allow.

Why this answer

An explicit deny in any policy overrides any allow. The bucket policy deny takes precedence over the IAM role allow, so access is denied. Evaluation logic is that an explicit deny prevents access.

1472
MCQhard

A company has a multi-account AWS environment managed by AWS Organizations. The DevOps team uses AWS CloudFormation StackSets to deploy a standard VPC across all member accounts. The security team has noticed that in some accounts, the VPC is being modified after deployment, allowing inbound SSH access from the internet. The team wants to automatically detect and remediate these changes. The current setup includes: AWS Config enabled in all accounts with a rule that checks for unrestricted SSH access; an SNS topic in the management account that receives compliance change notifications; and a Lambda function in the management account that can remediate by updating the security group rules. However, the remediation is not working consistently. What is the most likely reason, and what is the best solution?

A.The AWS Config rule is not evaluating correctly in member accounts.
B.The Lambda function's IAM role does not have permissions to modify security groups in member accounts.
C.The SNS topic is not delivering messages to the Lambda function due to cross-account access issues.
D.CloudFormation StackSets is overriding the changes, causing a race condition.
AnswerB

Remediation requires appropriate IAM permissions in each account.

Why this answer

Option C is correct because AWS Config rules in member accounts cannot directly trigger cross-account remediation via SNS unless the Lambda function has permission to modify resources in those accounts. The most likely issue is that the Lambda function's IAM role does not have permissions to modify security groups in member accounts. The best solution is to use AWS Config conformance packs with remediation actions that are deployed to each member account, which can then execute remediation locally.

Option A is wrong because the Config rule itself is working (it detects changes). Option B is wrong because the SNS topic is receiving notifications, but the Lambda function's role lacks cross-account permissions. Option D is wrong because StackSets are for initial deployment, not for ongoing compliance.

1473
MCQeasy

A company uses CloudWatch Logs to store application logs. The security team requires that logs be encrypted at rest using a customer-managed KMS key. What must be done to enable this?

A.Enable encryption on the log group using the default AWS managed key.
B.Use a third-party encryption tool before sending logs to CloudWatch.
C.Create a new log group in a region where KMS is enabled.
D.Associate a customer-managed KMS key with the log group and update the key policy to allow CloudWatch Logs to use it.
AnswerD

Associating a CMK and updating the key policy enables encryption.

Why this answer

Option D is correct because CloudWatch Logs supports encryption at rest using a customer-managed KMS key. To enable this, you must associate the KMS key with the log group via the CloudWatch Logs console or API, and you must update the key policy to grant CloudWatch Logs the necessary permissions (kms:Encrypt, kms:Decrypt, kms:ReEncrypt*, kms:GenerateDataKey*, and kms:DescribeKey). Without this key policy update, CloudWatch Logs cannot use the key to encrypt the log data at rest.

Exam trap

The trap here is that candidates often assume encryption is automatically applied when a KMS key exists in the account, but they overlook the critical step of updating the key policy to grant CloudWatch Logs service principal permissions to use the key.

How to eliminate wrong answers

Option A is wrong because using the default AWS managed key does not meet the security team's requirement for a customer-managed KMS key; the default key is AWS-owned and not customer-managed. Option B is wrong because using a third-party encryption tool before sending logs to CloudWatch would result in encrypted log data that CloudWatch Logs cannot index, search, or process natively, defeating the purpose of centralized logging. Option C is wrong because KMS is available in all AWS regions where CloudWatch Logs is supported; creating a new log group in a different region does not enable customer-managed KMS encryption—you must explicitly associate a customer-managed key with the log group.

1474
MCQhard

A DevOps engineer is troubleshooting an AWS CloudFormation stack that failed to create. The error message indicates that a resource 'AWS::Lambda::Function' timed out while being created. The Lambda function code is packaged as a ZIP file in Amazon S3. What is the most likely cause?

A.The Lambda function has a very short timeout (e.g., 3 seconds) configured in the function properties.
B.The Lambda function's execution role does not have permission to download the ZIP file from S3.
C.The Lambda deployment package is very large, causing the S3 download to exceed the resource creation timeout.
D.The CloudFormation service role does not have permissions to create Lambda functions.
AnswerC

Large packages can cause timeouts during creation.

Why this answer

Option C is correct because Lambda function creation can time out if the deployment package is very large and the S3 download takes too long. Option A is wrong because execution role permissions cause access denied errors, not timeouts. Option B is wrong because the Lambda function's timeout setting is for execution, not creation.

Option D is wrong because CloudFormation service role permissions affect the stack operations but not the resource creation timeout specifically.

1475
MCQeasy

A startup uses AWS CloudFormation to manage its infrastructure. The team stores stack templates in an S3 bucket and creates stacks using the AWS CLI. Recently, a developer accidentally deleted a CloudFormation stack, causing a production outage. The team wants to prevent accidental stack deletions while allowing authorized users to delete stacks after approval. What is the MOST effective solution?

A.Enable termination protection on the stack.
B.Implement a manual review process for all stack deletion requests.
C.Apply a Service Control Policy that denies the cloudformation:DeleteStack action.
D.Use an IAM policy that denies DeleteStack for all users.
AnswerC

SCPs can prevent deletion across the entire account, with exceptions for authorized roles via permissions boundaries.

Why this answer

Using an SCP to deny DeleteStack actions (B) prevents accidental deletion at the account level. Option A (manual) is not automated; C (termination protection) can be disabled; D (IAM policy only) can be bypassed by users with full admin.

1476
Multi-Selectmedium

A company is designing a resilient architecture for a web application that uses Amazon RDS for MySQL. The application must be able to withstand the loss of an entire AWS Region. Which TWO actions should the company take?

Select 2 answers
A.Use RDS Proxy to pool database connections.
B.Configure automated backups to be copied to another Region.
C.Enable Multi-AZ deployment for the RDS instance.
D.Create a Cross-Region Read Replica.
E.Enable deletion protection on the RDS instance.
AnswersB, D

Allows recovery from backups in another Region.

Why this answer

Cross-Region Read Replica provides a standby in another Region for failover. Cross-Region automated backup copy allows recovery from backups in another Region.

1477
MCQhard

A company is using AWS CodePipeline with a deployment stage that uses AWS CloudFormation to deploy infrastructure. The team wants to ensure that if the CloudFormation stack update fails, the pipeline automatically rolls back to the previous version of the stack. Which configuration should the DevOps engineer implement?

A.Configure the CodeDeploy deployment group to automatically roll back on failure.
B.In the CodePipeline CloudFormation deployment action, set 'Stack failure behavior' to 'ROLLBACK'.
C.Configure a CloudFormation stack policy to prevent updates and force rollback.
D.Use CloudFormation change sets and manually execute them after review.
AnswerB

This configures automatic rollback on stack update failure.

Why this answer

Option D is correct because CloudFormation deployment actions in CodePipeline can be configured with 'Stack failure behavior' set to 'ROLLBACK'. Option A is wrong because CloudFormation stack policy does not control rollback. Option B is wrong because change sets are for manual review.

Option C is wrong because rollback triggers in CodeDeploy are for CodeDeploy, not CloudFormation.

1478
MCQhard

A DevOps team is designing a CI/CD pipeline for a microservices application. Each service is stored in a separate repository. The team wants to build and test only the services that changed in a given commit. Which AWS solution is MOST efficient and cost-effective?

A.Use AWS CodeCommit triggers with Amazon SNS to send notifications and then manually trigger builds.
B.Use AWS CodeBuild with a webhook that triggers builds only for repositories where files changed, using buildspec filters.
C.Use AWS CodePipeline with a single pipeline that builds all services on every commit.
D.Use Amazon EventBridge to detect repository changes and trigger AWS Lambda functions that determine which services changed.
AnswerB

CodeBuild webhooks can filter by file paths, triggering builds only for relevant services.

Why this answer

Option C is correct because AWS CodeBuild can use webhook events and filter by changed files to trigger builds only for affected services. Option A is incorrect because building all services wastes resources. Option B is incorrect because Lambda functions add unnecessary complexity.

Option D is incorrect because it is not a native integration.

1479
Multi-Selectmedium

A company uses AWS CodePipeline with multiple stages. The pipeline includes a Beta stage that deploys to a test environment and a Prod stage. The team wants to require manual approval before the Prod stage. Which TWO actions should be taken to implement this? (Choose TWO.)

Select 2 answers
A.Ensure that the IAM user or role performing the approval has codepipeline:PutApprovalResult permissions.
B.Use CloudWatch Events to trigger a Lambda function that requires manual sign-off.
C.Set the Prod stage to only run on manual invocation.
D.Add a manual approval action in the pipeline stage between Beta and Prod.
E.Configure a CodeCommit approval rule template to require approval before merging.
AnswersA, D

The approver needs permissions to submit the approval result.

Why this answer

Options B and E are correct. The approval action must be added to the pipeline structure as a stage with an approval action, and the IAM policy must allow the approver to perform the approval. Option A is wrong because CodeCommit approval rules are for pull requests.

Option C is wrong because CloudWatch Events does not provide manual approval. Option D is wrong because the pipeline must be configured to use the manual approval action, not just restrict triggers.

1480
MCQhard

Refer to the exhibit. A developer runs the AWS CLI command to start a build in AWS CodeBuild. The build project 'my-project' uses an S3 bucket as the source. What is the MOST likely cause of the error?

A.The CodeBuild service role does not have s3:GetObject permission on the source bucket.
B.The S3 bucket name is misspelled in the build project configuration.
C.The developer's IAM user does not have s3:GetObject permission.
D.The S3 bucket is in a different region than the CodeBuild project.
AnswerA

CodeBuild assumes a service role to access sources; that role needs S3 read permission.

Why this answer

Option B is correct because the CodeBuild service role needs S3 access. Option A is wrong because the error is about the role. Option C is wrong because the error says 'provided role'.

Option D is wrong because the bucket is specified.

1481
MCQmedium

A company uses AWS Lambda functions to process streaming data from Amazon Kinesis Data Streams. The Lambda function processes records in batches and writes the results to an Amazon DynamoDB table. Recently, the operations team noticed that the Lambda function is experiencing a high number of throttling errors (HTTP 400) when writing to DynamoDB. The DynamoDB table has on-demand capacity mode enabled. The CloudWatch metrics show that the DynamoDB consumed write capacity is well below the provisioned limits, but the Lambda function's error rate is increasing. The Lambda function's reserved concurrency is set to 100, and the function's timeout is 1 minute. The Kinesis stream has 10 shards. What is the MOST likely cause of the throttling errors?

A.The DynamoDB table is experiencing hot partitions due to uneven access patterns.
B.The Lambda function's timeout is too short, causing the function to retry and overload DynamoDB.
C.The Lambda function's reserved concurrency is too high, causing too many concurrent invocations.
D.The Kinesis stream's batch size is too large, causing the Lambda function to write too many records at once.
AnswerA

On-demand capacity still has per-partition throughput limits; hot partitions can cause throttling.

Why this answer

Option C is correct because the DynamoDB table has on-demand capacity, but throttling can still occur due to per-partition throughput limits. When many writes target the same partition key, the partition can throttle even if overall capacity is not exceeded. Option A is wrong because the function's concurrency is not the issue; throttling is from DynamoDB.

Option B is wrong because the function timeout is not causing throttling. Option D is wrong because the batch size affects the number of records per invocation but not DynamoDB throttling directly.

1482
MCQmedium

A company uses AWS Systems Manager Patch Manager to patch EC2 instances. During a patching window, some instances fail to apply patches. The engineer checks the SSM Agent logs and sees 'ERROR: Failed to download patch files from the source.' What is the most likely cause?

A.The IAM instance profile does not grant ssm:UpdateInstanceInformation.
B.The SSM Agent is outdated.
C.The patch baseline is configured incorrectly.
D.The security group or NACL is blocking outbound HTTPS traffic (port 443).
AnswerD

Patch download requires outbound HTTPS to patch repositories.

Why this answer

The error 'Failed to download patch files from the source' indicates that the SSM Agent on the instance cannot reach the patch source repositories (e.g., Windows Update, Amazon Linux repos, or custom patch sources). Systems Manager Patch Manager requires outbound HTTPS (port 443) connectivity to download patch metadata and binaries. If a security group or NACL blocks this traffic, the download fails, producing this exact error in the agent logs.

Exam trap

The trap here is that candidates often assume the error is due to IAM permissions or patch baseline misconfiguration, overlooking that the specific 'Failed to download' message is a classic symptom of network egress blocking, not authorization or configuration issues.

How to eliminate wrong answers

Option A is wrong because ssm:UpdateInstanceInformation is required for the instance to register and send heartbeat data to Systems Manager, but it does not control the ability to download patch files; the error is about download failure, not registration. Option B is wrong because an outdated SSM Agent would typically produce errors about agent version incompatibility or missing features, not a specific 'Failed to download patch files from the source' message; the agent can still attempt downloads. Option C is wrong because a misconfigured patch baseline might cause patches to be incorrectly approved or rejected, but the error message points to a network connectivity issue preventing download, not a baseline configuration problem.

1483
MCQeasy

A DevOps engineer is tasked with setting up monitoring for a serverless application that uses AWS Lambda, Amazon API Gateway, and Amazon DynamoDB. The engineer needs to create a centralized dashboard that displays the number of Lambda invocations, API Gateway request counts, and DynamoDB consumed read/write capacity units. The dashboard should be accessible to the operations team without requiring AWS Management Console login. The engineer also wants to set up email alerts when the DynamoDB consumed capacity exceeds 80% of the provisioned capacity. Which solution meets these requirements with the LEAST operational overhead?

A.Use Amazon QuickSight to connect to CloudWatch metrics and create a dashboard with email alerts.
B.Use CloudWatch Logs Insights to query the logs of each service and create a dashboard from the results.
C.Create a CloudWatch dashboard and share it using Amazon Cognito to grant access to the operations team.
D.Create a CloudWatch dashboard with the relevant metrics and set CloudWatch alarms on DynamoDB consumed capacity. Share the dashboard as a public read-only dashboard.
AnswerD

CloudWatch dashboards can be shared publicly, and alarms can send email via SNS.

Why this answer

Option D is correct because CloudWatch Dashboards can be shared publicly as a read-only dashboard without AWS credentials. The metrics for Lambda, API Gateway, and DynamoDB are automatically available in CloudWatch. Alarms can be set on DynamoDB's ConsumedReadCapacityUnits and ConsumedWriteCapacityUnits metrics.

Option A is wrong because CloudWatch Logs Insights is for log analysis, not metrics. Option B is wrong because sharing CloudWatch dashboards does not require Cognito; dashboards can be shared via a public URL. Option C is wrong because QuickSight requires additional setup and cost.

1484
Multi-Selecteasy

A company uses AWS CodeCommit to store source code. The development team wants to automatically trigger a build in AWS CodeBuild whenever a pull request is created or updated. Which TWO resources must be configured to accomplish this? (Select TWO.)

Select 2 answers
A.An AWS Lambda function to process the pull request event.
B.An AWS CodePipeline pipeline with a source stage for CodeCommit.
C.An Amazon CloudWatch Events rule that listens for CodeCommit pull request events.
D.An Amazon Simple Notification Service (SNS) topic to send notifications.
E.An AWS CodeBuild project with a webhook configured.
AnswersC, E

EventBridge can trigger a build on pull request events.

Why this answer

Option C is correct because Amazon CloudWatch Events (now Amazon EventBridge) can capture CodeCommit pull request state changes (e.g., created, updated) and route them to targets like AWS CodeBuild. This allows you to automatically trigger a build when a pull request event occurs, without needing a separate polling mechanism.

Exam trap

The trap here is that candidates often think they need a Lambda function or CodePipeline to bridge the event, but AWS natively supports direct event-driven triggers from CodeCommit to CodeBuild via CloudWatch Events and webhooks.

1485
MCQmedium

An S3 bucket has the above bucket policy. What is the effect of this policy?

A.It allows anonymous access to the bucket over HTTPS
B.It denies all access to the bucket regardless of protocol
C.It denies access to the bucket if the request is not sent over HTTPS
D.It allows access only from specific IP addresses
AnswerC

The Deny effect with condition aws:SecureTransport false blocks non-HTTPS requests.

Why this answer

The policy denies all S3 actions when aws:SecureTransport is false, i.e., when the request is not using HTTPS. This effectively enforces HTTPS for all access to the bucket. Option A is correct.

It does not allow anonymous access (B). It does not deny all access (C). It does not allow only specific IPs (D).

1486
MCQhard

A DevOps team is implementing a CI/CD pipeline for a microservices architecture on AWS ECS. They want to ensure zero-downtime deployments and automatic rollback if health checks fail. Which combination of services should they use?

A.AWS CodePipeline with ECS rolling update and manual rollback.
B.AWS CodeDeploy with ECS blue/green deployment and CloudWatch alarms for automatic rollback.
C.AWS Elastic Beanstalk with rolling deployment and enhanced health reporting.
D.AWS CloudFormation with ECS service update and SNS notification on failure.
AnswerB

Blue/green provides zero-downtime; CloudWatch alarm triggers automatic rollback.

Why this answer

CodeDeploy with ECS blue/green deployment and CloudWatch alarms for rollback provides zero-downtime and automatic rollback. Option B is correct.

1487
MCQmedium

Refer to the exhibit. A DevOps engineer created an IAM role 'MyLambdaRole' for a Lambda function. The Lambda function needs to write logs to CloudWatch Logs. However, the function is not able to create log streams. What is the most likely missing configuration?

A.The role name is not prefixed with 'AWSLambda'.
B.The role does not have an inline or managed policy that grants permissions for CloudWatch Logs.
C.The role ARN is incorrectly formatted.
D.The trust policy does not allow Lambda to assume the role.
AnswerB

Missing permissions for logging.

Why this answer

Option A is correct because the role lacks an attached policy for CloudWatch Logs permissions (logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents). Option B is wrong because the trust policy is correct. Option C is wrong because the role name is fine.

Option D is wrong because the ARN is correct.

1488
MCQmedium

An organization uses AWS CodeBuild to run integration tests. The tests require a large amount of memory and CPU, and they often timeout after the default 60 minutes. What is the MOST efficient way to increase the timeout and allocate more resources?

A.Use Amazon CloudWatch to monitor the build and automatically restart it if it times out.
B.Use AWS Lambda instead of CodeBuild, as it can run up to 15 minutes.
C.Select a larger instance type in the CodeBuild project configuration, such as 'BUILD_GENERAL1_LARGE'.
D.Modify the buildspec.yml file to include 'compute-type' and 'timeout-in-minutes' overrides.
AnswerD

The buildspec can specify higher compute resources and timeout values.

Why this answer

Option D is correct because the buildspec allows setting compute type and timeout via 'compute-type' and 'timeout-in-minutes' overrides. Option A is incorrect because Lambda has a 15-minute limit. Option B is incorrect because only large instance types are suitable.

Option C is incorrect because CloudWatch does not control build resources.

1489
Matchingmedium

Match each AWS CLI command to its function.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Deploys a CloudFormation stack from a template

Syncs directories and S3 buckets

Retrieves information about EC2 instances

Updates the code of a Lambda function

Starts a new build project run

Why these pairings

These are essential CLI commands for DevOps tasks.

1490
MCQhard

A DevOps engineer is designing a CI/CD pipeline using AWS CodePipeline to deploy a serverless application. The application uses AWS Lambda functions and Amazon API Gateway. The engineer wants to implement a canary deployment strategy for the Lambda functions to reduce risk. Which AWS service or feature should be used to achieve this?

A.AWS Lambda traffic shifting using aliases
B.AWS CodeDeploy with an AWS Lambda deployment configuration
C.AWS CloudFormation with UpdatePolicy attribute
D.AWS SAM with AutoPublishAlias and DeploymentPreference
AnswerA, B, D

Lambda aliases can be used to shift traffic gradually between two versions.

Why this answer

Option B is correct because AWS Lambda supports traffic shifting using aliases with weighted targets, enabling canary deployments. Option A (CodeDeploy with Lambda) is correct but more specific: CodeDeploy can orchestrate canary deployments for Lambda, but it uses Lambda's built-in traffic shifting. Option C (SAM with AutoPublishAlias) is also correct but is a feature within SAM, not a separate service.

However, the question asks for an AWS service or feature; both CodeDeploy and SAM's AutoPublishAlias are valid. But CodeDeploy is the native service for deployment strategies. Option D (CloudFormation with UpdatePolicy) is not applicable for Lambda canary deployments.

1491
MCQhard

A company uses AWS CodePipeline with a cross-account action where the source account (Account A) triggers a deploy action in a target account (Account B). The pipeline is failing with an 'Access Denied' error when trying to assume the deployment role. What is the MOST likely cause?

A.The S3 artifact bucket in Account A does not have a bucket policy allowing Account B.
B.The deployment role in Account B does not exist.
C.The CloudFormation service role in Account B is missing.
D.The KMS key used to encrypt artifacts is not shared with Account B.
AnswerD

To decrypt artifacts, Account B needs decrypt permission on the KMS key.

Why this answer

Option C is correct because cross-account pipelines require the source account to have a KMS key to encrypt artifacts and the target account to have permissions to decrypt. Option A is wrong because the error is 'Access Denied', not missing role. Option B is wrong because S3 bucket policy might be needed but often not the primary cause.

Option D is wrong because CloudFormation role is for stack operations, not for the pipeline artifact decryption.

1492
MCQhard

A company uses AWS CodePipeline to deploy a web application to an Auto Scaling group. The security team requires that all artifacts in the pipeline be encrypted at rest. The pipeline uses an S3 bucket as the artifact store. Which combination of actions should the DevOps engineer take to meet this requirement with minimal operational overhead?

A.Use AWS Certificate Manager to encrypt the artifacts.
B.Enable S3 default encryption with SSE-S3 on the artifact bucket.
C.Use an AWS Lambda function to encrypt artifacts after each pipeline stage.
D.Create a customer-managed KMS key and configure the pipeline to use it for artifact encryption.
AnswerB

Simplest method with minimal overhead.

Why this answer

Option D is correct because enabling default encryption on the S3 bucket with SSE-S3 is the simplest way to encrypt all objects at rest. Option A is wrong because SSE-KMS requires managing a KMS key and additional permissions. Option B is wrong because client-side encryption is not natively supported by CodePipeline.

Option C is wrong because it only encrypts new objects, not existing; but default encryption applies to all new objects, and existing ones can be copied.

1493
Multi-Selecthard

A security team wants to enforce that all Amazon S3 buckets in the organization are encrypted at rest. Which actions can achieve this? (Select THREE.)

Select 3 answers
A.Enable S3 Block Public Access at the account level
B.Set up Cross-Region Replication for all buckets
C.Configure an AWS Config rule to detect unencrypted buckets and trigger remediation
D.Apply a bucket policy that denies PutObject requests without the x-amz-server-side-encryption header
E.Use an SCP to require encryption on all S3 buckets
AnswersC, D, E

Config can automatically remediate by applying encryption.

Why this answer

You can create an SCP to deny creation of buckets without encryption, use a Config rule to detect noncompliant buckets, and use a bucket policy to deny PutObject without encryption headers. S3 Block Public Access is for preventing public access, not encryption. Cross-Region Replication does not enforce encryption.

1494
MCQeasy

An application running on Amazon RDS for PostgreSQL is experiencing slow query performance. The DevOps team suspects a specific query is causing high CPU usage. Which tool should they use to identify the problematic query?

A.Amazon RDS Event Subscriptions
B.Amazon RDS Performance Insights
C.Amazon CloudWatch Logs with metric filters
D.Amazon RDS Enhanced Monitoring
AnswerB

Performance Insights shows database load, top queries, and waits.

Why this answer

Option C is correct because Performance Insights provides a dashboard to identify top SQL queries. Option A is wrong because Enhanced Monitoring shows OS metrics, not queries. Option B is wrong because CloudWatch Logs might not capture query text.

Option D is wrong because RDS Event Subscriptions are for instance events.

1495
MCQmedium

A company has a multi-account AWS environment using AWS Organizations. The security team wants to enforce that all unused IAM users are automatically identified and removed after 90 days of inactivity. What is the MOST effective solution?

A.Use the IAM credential report to review last activity dates and manually delete users.
B.Enable CloudTrail Insights to detect inactive users and send alerts.
C.Use an AWS Config rule to detect IAM users and trigger a Lambda function to delete them after 90 days.
D.Use IAM Access Analyzer to generate findings for unused access and automate user removal with a Lambda function.
AnswerD

Access Analyzer tracks unused access and can trigger automation.

Why this answer

Option C is correct because IAM Access Analyzer can track unused access and generate findings, which can be used to automate user removal. Option A is wrong because IAM credential report is manual. Option B is wrong because Config can detect user creation but not inactivity.

Option D is wrong because CloudTrail logs API calls but requires custom analysis.

1496
MCQeasy

A DevOps engineer wants to ensure that all EC2 instances launched in an AWS account automatically have a specific set of tags applied for cost allocation. Which AWS service should they use to enforce this?

A.AWS Service Catalog
B.AWS Config
C.Amazon EC2 Auto Scaling
D.AWS CloudFormation
AnswerB

AWS Config rules can evaluate and enforce tagging on all resources.

Why this answer

Option D is correct because AWS Config rules can be used to check for required tags and trigger remediation. Option A is wrong because CloudFormation is for infrastructure as code, not automatic enforcement. Option B is wrong because Service Catalog allows users to provision products but does not enforce tags on all instances.

Option C is wrong because EC2 Auto Scaling does not enforce tagging across all instances.

1497
MCQeasy

A company uses AWS CloudFormation to manage infrastructure. The DevOps team wants to deploy a stack across multiple accounts using AWS CodePipeline. Which approach is BEST for automating cross-account deployments?

A.Use AWS CloudFormation StackSets to deploy the stack across accounts.
B.Create a separate pipeline in each account and trigger them manually.
C.Use a single pipeline in the management account with IAM roles that assume cross-account roles.
D.Use an S3 bucket with cross-account access and Lambda to invoke CloudFormation.
AnswerC

This is the standard pattern for cross-account pipelines.

Why this answer

Option D is correct because cross-account CodePipeline uses a KMS key and IAM roles in each account. Option A is wrong because cross-account roles are needed. Option B is wrong because CloudFormation StackSets are for multiple regions/accounts but not directly integrated with CodePipeline.

Option C is wrong because separate pipelines in each account increase management overhead.

1498
Multi-Selecteasy

A company is using AWS CloudTrail to log API activity in their AWS account. They want to ensure that any modification to CloudTrail configuration itself is logged and that the logs are immutable. Which combination of actions should they take? (Choose TWO.)

Select 2 answers
A.Enable S3 Object Lock on the destination S3 bucket in governance mode.
B.Enable log file validation to guarantee integrity of log files.
C.Disable log file validation to reduce overhead.
D.Store CloudTrail logs in a CloudWatch Logs log group with a retention policy.
E.Enable CloudTrail Insights to detect configuration changes.
AnswersA, B

S3 Object Lock prevents objects from being deleted or overwritten for a specified period, ensuring immutability.

Why this answer

Option A is correct because enabling S3 Object Lock in governance mode on the destination S3 bucket prevents any user, including the root user, from overwriting or deleting CloudTrail log objects during the retention period, ensuring immutability. Option B is correct because enabling log file validation creates a digest file that uses SHA-256 hashing to verify that log files have not been modified, deleted, or tampered with after delivery, providing integrity assurance.

Exam trap

The trap here is that candidates often confuse CloudTrail Insights (which detects configuration changes) with the actual mechanisms for ensuring log immutability and integrity, leading them to select option E instead of the correct combination of S3 Object Lock and log file validation.

1499
MCQmedium

A company uses a third-party backup solution to back up its EC2 instances daily. The backups are stored in an S3 bucket with default settings. The company wants to ensure that backups are protected from accidental deletion and are available for at least one year. Which combination of S3 features should the DevOps engineer implement?

A.Enable MFA Delete and set a lifecycle policy to transition to S3 Glacier after 30 days.
B.Enable versioning and set a lifecycle policy to expire noncurrent versions after 365 days.
C.Enable cross-Region replication to a bucket with versioning enabled.
D.Enable S3 Object Lock with Governance mode and a retention period of 365 days, and set a lifecycle policy to transition to S3 Glacier Deep Archive after 30 days.
AnswerD

Object Lock prevents deletion during the retention period, and lifecycle transition reduces costs.

Why this answer

Option D is correct because S3 Object Lock with Governance mode prevents objects from being deleted or overwritten by any user (including the root user) for the specified retention period of 365 days, meeting the one-year availability requirement. The lifecycle policy to transition to S3 Glacier Deep Archive after 30 days reduces storage costs while still keeping the data accessible for retrieval within 12 hours, which is acceptable for backup retention. This combination ensures immutability and cost-effective long-term storage.

Exam trap

The trap here is that candidates often confuse versioning with immutability, assuming that versioning alone prevents deletion, but versioning only creates multiple versions and does not prevent the current version from being deleted (it becomes a delete marker), whereas S3 Object Lock provides true immutability by preventing any deletion or overwrite during the retention period.

How to eliminate wrong answers

Option A is wrong because MFA Delete only protects against accidental deletion of objects and versioning suspension, but it does not enforce a minimum retention period or prevent overwrites, so backups could still be deleted after the MFA-authenticated action. Option B is wrong because versioning with expiration of noncurrent versions after 365 days does not prevent deletion of the current version; a user could delete the current version (which becomes a delete marker), and the noncurrent versions would expire after 365 days, but the data could be lost before that if the delete marker is not handled. Option C is wrong because cross-Region replication to a bucket with versioning enabled provides redundancy but does not protect against accidental deletion in the source bucket; if an object is deleted in the source, the replication delete marker is replicated, and the destination bucket may also lose the object unless additional safeguards like S3 Object Lock are used.

1500
MCQhard

A company runs a web application on EC2 instances behind an ALB. The security team notices that the ALB is receiving a large number of requests from a single IP address, causing high CPU on the instances. They want to block this IP at the load balancer level without affecting other traffic. The ALB currently has a default action of forwarding to the target group. What is the MOST effective way to block this IP?

A.Update the network ACL for the VPC subnets to deny inbound traffic from that IP.
B.Add a deny rule in the ALB's security group for the source IP.
C.Change the listener rule to forward requests from that IP to a different target group with no instances.
D.Create an AWS WAF web ACL with an IP match condition and associate it with the ALB.
AnswerD

WAF can block requests based on source IP.

Why this answer

Option B is correct because AWS WAF can be integrated with ALB to create a rule that blocks requests from a specific IP address. Option A is wrong because security groups cannot deny traffic; they only allow. Option C is wrong because modifying the listener rule's target group would not block the IP; it would just route elsewhere.

Option D is wrong because the network ACL is for subnets, not for the ALB directly, and would affect all traffic to the subnets.

Page 19

Page 20 of 24

Page 21