AWS Certified DevOps Engineer Professional DOP-C02 (DOP-C02) — Questions 15011575

1740 questions total · 24pages · All types, answers revealed

Page 20

Page 21 of 24

Page 22
1501
MCQmedium

A company uses Amazon CloudWatch Logs to store application logs from multiple EC2 instances. The security team requires that logs be encrypted at rest using a customer-managed KMS key. Which configuration step should the engineer perform to meet this requirement?

A.Configure the CloudWatch agent to encrypt logs before sending
B.Create a KMS key and attach a policy allowing CloudWatch Logs to use it
C.Enable default encryption on the S3 bucket that stores logs
D.Associate the KMS key with the CloudWatch log group using the console or CLI
AnswerD

Associating the KMS key encrypts the log group at rest.

Why this answer

Option C is correct because you must associate a KMS key with the log group to encrypt logs. Option A is wrong because the CloudWatch Agent does not handle encryption at rest. Option B is wrong because KMS key policy alone is insufficient; you must specify the key.

Option D is wrong because S3 encryption does not apply to CloudWatch Logs.

1502
Multi-Selectmedium

A company is using AWS CloudTrail to log API activity across multiple accounts. The security team wants to ensure that all CloudTrail logs are delivered to a central Amazon S3 bucket and that the logs are encrypted and cannot be deleted. Which THREE steps should the team take to meet these requirements? (Choose THREE.)

Select 3 answers
A.Enable MFA Delete on the central S3 bucket to require multi-factor authentication for deletions.
B.Enable default encryption (SSE-S3) on the central S3 bucket.
C.Enable S3 Object Lock on the central S3 bucket to prevent log file deletion.
D.Enable CloudTrail log file integrity by using AWS KMS.
E.Enable CloudTrail log file validation to ensure log integrity.
AnswersB, C, E

SSE-S3 encrypts log files at rest.

Why this answer

Options A, C, and D are correct. Enabling log file validation (A) ensures integrity. Enabling SSE-S3 encryption (C) encrypts logs at rest.

Enabling S3 Object Lock (D) prevents deletion. Option B (enable log file integrity) is duplicate of A? Actually, CloudTrail log file validation provides integrity. Option E (enable MFA Delete) is not supported on S3 buckets for this purpose; Object Lock is used.

1503
MCQmedium

Refer to the exhibit. An IAM policy is attached to an EC2 instance role. The application on the instance is unable to send logs to CloudWatch Logs. The log group 'MyAppLogs' exists in the same account and region. What is the most likely reason for the failure?

A.The resource ARN is incorrect; it should include the log stream name.
B.The log group does not exist in the specified region.
C.The policy does not allow the logs:PutLogEvents action.
D.The policy is missing permissions to create log streams.
AnswerD

The application likely needs to create a log stream first, which requires logs:CreateLogStream.

Why this answer

Option B is correct because the policy only allows PutLogEvents, but the instance needs permissions for CreateLogStream and DescribeLogStreams as well. Option A is wrong because the log group exists. Option C is wrong because the resource ARN includes log-stream wildcard, which is correct.

Option D is wrong because the policy explicitly allows the action.

1504
MCQeasy

A developer wants to grant an EC2 instance read-only access to a specific S3 bucket. Which AWS mechanism should they use to securely provide credentials to the instance?

A.Set AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables in the AMI.
B.Create an IAM role with the required permissions and attach it to the EC2 instance as an instance profile.
C.Store AWS access keys in the EC2 user data script.
D.Retrieve the credentials from AWS Systems Manager Parameter Store using a custom script.
AnswerB

Instance profiles provide automatic rotation of temporary credentials and are the recommended best practice.

Why this answer

Option B is correct because IAM roles with instance profiles provide temporary, automatically rotated credentials to EC2 instances via the AWS STS service. This eliminates the need to hardcode or store long-term access keys on the instance, adhering to the principle of least privilege and improving security posture.

Exam trap

The trap here is that candidates may think storing credentials in user data or an AMI is acceptable for automation, but the exam emphasizes that any static, long-term credentials on an instance are insecure and violate AWS best practices, whereas IAM roles provide secure, temporary, and automatically rotated credentials.

How to eliminate wrong answers

Option A is wrong because embedding AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY in an AMI creates static, long-term credentials that are difficult to rotate, can be exposed if the AMI is shared or copied, and violate security best practices. Option C is wrong because storing access keys in EC2 user data is insecure—user data is visible to anyone with access to the instance metadata (e.g., via http://169.254.169.254/latest/user-data) and keys are not automatically rotated. Option D is wrong because while Systems Manager Parameter Store can store credentials, it requires the instance to have an IAM role or static keys to retrieve them, and it does not natively provide automatic credential rotation or direct integration with EC2's credential provider chain; a custom script adds complexity and potential security gaps.

1505
MCQmedium

A DevOps engineer uses AWS Secrets Manager to rotate database credentials. The rotation fails because the Lambda function used for rotation does not have network access to the database. The database is in a private VPC. How should the engineer fix this?

A.Configure the Lambda function to be VPC-enabled and place it in the same subnet as the database.
B.Assign a public IP address to the database and update the security group to allow access from the Lambda function.
C.Set up a VPC Peering connection between the Lambda service and the VPC.
D.Add a NAT Gateway to the VPC to allow Lambda to reach the database.
AnswerA

VPC-enabled Lambda can access resources within the VPC.

Why this answer

Option A is correct because the Lambda function must be configured to run in the same VPC and subnet as the database to access it. Option B is incorrect because Secrets Manager uses Lambda for rotation, not direct access. Option C is incorrect because VPC Peering adds complexity and is unnecessary.

Option D is incorrect because NAT Gateway is for outbound internet access, not inbound.

1506
MCQmedium

A company is using AWS CloudFormation to deploy infrastructure. An engineer needs to ensure that any changes to the production stack are reviewed and approved before they are applied. The engineer also wants to prevent unauthorized changes. Which solution should the engineer implement?

A.Use CloudFormation StackSets to manage the production stack across multiple accounts.
B.Use CloudFormation Change Sets and require manual approval to execute the change set.
C.Use AWS Service Catalog to create a product for the stack and require approval for any portfolio changes.
D.Use AWS CodePipeline to deploy the stack and require manual approval at the deploy stage.
AnswerB

Change Sets allow you to review proposed changes before applying them.

Why this answer

CloudFormation Change Sets allow you to preview how proposed changes to a stack will impact running resources before you apply them. By requiring manual approval to execute the change set, the engineer ensures that all modifications are reviewed and approved, preventing unauthorized changes. This directly meets the requirement for a review-and-approval workflow without introducing unnecessary complexity.

Exam trap

The trap here is that candidates often confuse the purpose of StackSets (multi-account deployment) or CodePipeline (CI/CD pipeline) with the need for a simple change review mechanism, overlooking the direct and built-in capability of CloudFormation Change Sets to preview and require approval before applying changes.

How to eliminate wrong answers

Option A is wrong because CloudFormation StackSets are designed to deploy stacks across multiple accounts and regions, not to enforce a review-and-approval workflow for changes to a single production stack. Option C is wrong because AWS Service Catalog products and portfolio changes control the provisioning of pre-defined templates, not the approval of changes to an already-deployed stack; it does not provide a change review mechanism for existing stacks. Option D is wrong because while CodePipeline can include a manual approval stage, it is a CI/CD orchestration tool that adds unnecessary overhead and complexity for a simple change review requirement; CloudFormation Change Sets provide a more direct and lightweight solution.

1507
Multi-Selectmedium

A company uses AWS CodeCommit as a source repository and AWS CodeBuild for building artifacts. The DevOps team wants to ensure that all commits to the main branch trigger a build. Which steps should be taken? (Choose THREE.)

Select 3 answers
A.Configure the CodeBuild project to use the CodeCommit repository as the source and specify the main branch
B.Configure a webhook in the CodeCommit repository to notify CodeBuild
C.Create a CloudWatch Events rule that listens for CodeCommit repository state changes on the main branch
D.Set the CodeBuild project's trigger to use the CloudWatch Events rule
E.Use AWS CodeDeploy to trigger the build on commits
AnswersA, C, D

The CodeBuild project must know the source and branch.

Why this answer

Option A is correct because configuring the CodeBuild project to use the CodeCommit repository as the source and specifying the main branch ensures that CodeBuild knows which repository and branch to monitor for changes. This is the foundational step that links the source code to the build project, enabling automated builds when commits are pushed to the main branch.

Exam trap

The trap here is that candidates confuse CodeCommit's lack of native webhook support with other Git providers, leading them to select Option B, or they mistakenly think CodeDeploy can trigger builds instead of deployments.

1508
Multi-Selecthard

A DevOps engineer is investigating a performance issue with an Amazon RDS for MySQL instance. The engineer has enabled Performance Insights and CloudWatch Enhanced Monitoring. Which THREE metrics should the engineer examine to identify whether the issue is due to a resource bottleneck? (Choose THREE.)

Select 3 answers
A.ReadLatency from CloudWatch.
B.FreeableMemory from Enhanced Monitoring.
C.CPUUtilization from Enhanced Monitoring.
D.ReadIOPS from Enhanced Monitoring.
E.DatabaseConnections from Enhanced Monitoring.
AnswersB, C, D

Indicates memory pressure.

Why this answer

Options A, B, and C are correct. These metrics from Enhanced Monitoring help identify CPU, memory, and disk bottlenecks. Option D is incorrect because database connections is not a resource metric.

Option E is incorrect because read latency is a database metric, not a resource metric.

1509
MCQhard

An organization uses AWS CloudFormation StackSets to deploy resources across multiple accounts. They notice that a stack instance in one account is in a 'FAILED' status because of a permissions issue. After fixing the permissions, what is the most efficient way to retry the stack instance operation?

A.Manually create the stack in the failed account using the same template.
B.Use the 'Update stack instances' operation for the failed target account.
C.Update the entire stack set to retry all stack instances.
D.Delete the stack instance from the stack set and add it again.
AnswerB

Targets only the failed instance.

Why this answer

Option B is correct because StackSets allow you to update stack instances individually; you can retry the specific failed instance without affecting others. Option A is wrong because updating the entire stack set would affect all accounts, which is inefficient. Option C is wrong because deleting and recreating the stack instance is disruptive.

Option D is wrong because manual stack creation outside StackSets defeats the purpose.

1510
Multi-Selectmedium

A DevOps engineer is troubleshooting a failed CodePipeline execution. The pipeline has a source stage from CodeCommit, a build stage using CodeBuild, and a deploy stage using CodeDeploy. The build stage succeeds, but the deploy stage fails with 'No deployments found for the specified deployment group.' Which TWO actions should the engineer take to resolve this?

Select 2 answers
A.Update the IAM role for CodePipeline to allow it to list deployment groups.
B.Confirm that the CodeDeploy deployment group exists in the same AWS Region as the pipeline.
C.Check the CodeBuild build logs for errors.
D.Verify that the deploy stage in CodePipeline is configured with the correct deployment group name.
E.Ensure the CodeCommit repository has a valid commit.
AnswersB, D

Cross-region mismatches can cause this error.

Why this answer

Options A and D are correct. The error suggests the pipeline cannot find the deployment group, often due to incorrect configuration or region mismatch. Checking the deploy stage configuration ensures the deployment group name is correct.

Verifying the deployment group exists confirms it's not deleted. Option B is unnecessary if the build succeeded. Option C is unrelated.

Option E is about IAM, but the error message is about missing deployment group.

1511
Multi-Selectmedium

A company is experiencing a DDoS attack on their web application hosted on Amazon EC2 behind an Application Load Balancer (ALB). The attack is causing high CPU utilization on the instances. The security team needs to mitigate the attack with minimal disruption to legitimate users. Which TWO actions should the team take? (Choose two.)

Select 2 answers
A.Configure AWS WAF rate-based rules to block excessive requests from specific IP addresses.
B.Enable AWS Shield Advanced on the ALB for additional DDoS protection.
C.Enable VPC Flow Logs to analyze traffic patterns and identify the source of the attack.
D.Scale up the EC2 instances by increasing their instance size.
E.Place an Amazon CloudFront distribution in front of the ALB to cache content.
AnswersA, C

Rate-based rules can block IPs that exceed a threshold.

Why this answer

AWS WAF rate-based rules are designed to automatically block IP addresses that exceed a specified request rate, which directly mitigates DDoS attacks by limiting excessive traffic from specific sources. This approach minimizes disruption to legitimate users because it only blocks IPs that exceed the threshold, preserving access for normal traffic patterns.

Exam trap

The trap here is that candidates often confuse AWS Shield Advanced as a direct mitigation for application-layer DDoS attacks, when it primarily protects against infrastructure-layer attacks (e.g., SYN floods) and requires WAF for application-layer control.

1512
Multi-Selectmedium

A DevOps team is designing a monitoring strategy for a microservices application deployed on Amazon EKS. The application emits custom metrics, and the team needs to collect them with minimal latency and at high resolution. The team also needs to retain logs for 90 days for compliance. Which THREE steps should the team take to meet these requirements? (Choose three.)

Select 3 answers
A.Use Fluent Bit daemonset to send application logs to CloudWatch Logs.
B.Stream logs to Amazon Kinesis Data Firehose for transformation before landing in CloudWatch Logs.
C.Enable CloudWatch Container Insights for the EKS cluster.
D.Configure a CloudWatch metric filter or an alarm to alert on high error rates.
E.Deploy the CloudWatch agent with Prometheus metric collection configuration.
AnswersA, D, E

Fluent Bit is a common log collector for EKS that can send logs to CloudWatch Logs for retention.

Why this answer

Option A is correct because Fluent Bit is a lightweight, high-performance log processor that can be deployed as a DaemonSet on Amazon EKS to collect application logs with minimal latency. It sends logs directly to CloudWatch Logs, which supports a retention policy of up to 10 years, easily meeting the 90-day compliance requirement. Fluent Bit's low resource footprint and efficient data pipeline ensure high-resolution log collection without impacting application performance.

Exam trap

The trap here is that candidates often confuse CloudWatch Container Insights (which provides infrastructure-level metrics) with a solution for custom application metrics and logs, leading them to select Option C instead of the correct combination of Fluent Bit, metric filters/alarms, and the CloudWatch agent with Prometheus configuration.

1513
MCQeasy

A company wants to automatically detect and respond to suspicious activity in their AWS account. Which service should be used to generate alerts based on threat intelligence?

A.Amazon GuardDuty
B.AWS Config
C.Amazon Inspector
D.Amazon CloudWatch
AnswerA

GuardDuty uses threat intelligence to detect suspicious activity.

Why this answer

Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior using threat intelligence. Inspector is for vulnerability scanning. Config is for resource configuration.

CloudWatch is for monitoring metrics and logs but does not have built-in threat intelligence.

1514
Multi-Selectmedium

An organization uses AWS CodePipeline to deploy a static website to Amazon S3. The pipeline has a source stage (CodeCommit), a build stage (CodeBuild that minifies assets), and a deploy stage (S3 deployment). The team wants to add a stage for running security vulnerability scans on the code. Which TWO options are viable?

Select 2 answers
A.Add a custom action in the pipeline that invokes a third-party scanning service via AWS Lambda.
B.Enable AWS Shield Advanced to scan for vulnerabilities.
C.Use Amazon Inspector to scan the source code.
D.Add an S3 event notification to trigger a Lambda function that scans the S3 bucket.
E.Modify the buildspec in the build stage to include commands that run security scanning tools.
AnswersA, E

Custom actions allow integration with external tools.

Why this answer

Correct answers are B and D. B: CodeBuild can run security scans as part of the build. D: Third-party tools can be integrated via CodePipeline custom actions.

A is wrong because S3 cannot run scans. C is wrong because Inspector is for EC2 instances, not code. E is wrong because Shield is for DDoS protection.

1515
Multi-Selectmedium

Which TWO AWS services can be used to monitor and detect unauthorized access to AWS resources? (Choose two.)

Select 2 answers
A.AWS Shield
B.Amazon GuardDuty
C.Amazon Inspector
D.AWS CloudTrail
E.AWS Config
AnswersB, D

GuardDuty is a threat detection service that uses machine learning and anomaly detection to identify unauthorized behavior.

Why this answer

Amazon GuardDuty is a threat detection service that continuously monitors for malicious or unauthorized behavior by analyzing VPC Flow Logs, DNS logs, and AWS CloudTrail management and data events. It uses machine learning and integrated threat intelligence to detect anomalies such as unusual API calls, crypto-mining activity, or compromised credentials, making it a correct choice for detecting unauthorized access.

Exam trap

The trap here is that candidates often confuse AWS Config (which tracks configuration changes) with a security monitoring service, but Config does not analyze logs or detect unauthorized access; it only records resource state changes and evaluates compliance rules.

1516
MCQeasy

A company is using AWS CodeCommit for source control and wants to automatically trigger a build in AWS CodeBuild whenever a pull request is created against the main branch. Which AWS service should be used to connect CodeCommit events to CodeBuild?

A.AWS CodePipeline
B.Amazon EventBridge
C.AWS Lambda
D.Amazon Simple Notification Service (SNS)
AnswerB

EventBridge can capture CodeCommit events and trigger CodeBuild directly.

Why this answer

Option C is correct because Amazon EventBridge can capture CodeCommit repository events (like pull request creation) and route them to targets such as CodeBuild projects. Option A is wrong because AWS CodePipeline is a CI/CD orchestration service, not a direct event trigger. Option B is wrong because Amazon SNS is a notification service, not a build trigger.

Option D is wrong because AWS Lambda can be used as an intermediary but is not the direct connection; EventBridge is the correct native integration.

1517
MCQhard

A company uses AWS CloudFormation StackSets to deploy a VPC across multiple AWS accounts in AWS Organizations. The StackSet is created with self-managed permissions. The deployment fails in some accounts with the error: 'Insufficient IAM permissions to create resources'. What is the most likely cause of this failure?

A.The StackSet does not support deploying to more than one account
B.The execution IAM role is not created in the target accounts
C.The administrator account does not have a service-linked role for StackSets
D.The target accounts have reached their resource service quotas
AnswerB

Self-managed permissions require an execution role in each target account.

Why this answer

With self-managed permissions in AWS CloudFormation StackSets, the administrator account does not automatically create the necessary IAM roles in target accounts. The execution IAM role must be manually created in each target account to grant StackSets the permissions required to create resources. The error 'Insufficient IAM permissions to create resources' directly indicates that this execution role is missing or lacks the required policies.

Exam trap

The trap here is that candidates often confuse self-managed and service-managed permissions, assuming that StackSets automatically handle IAM roles in target accounts, when in fact self-managed requires manual role creation in each target account.

How to eliminate wrong answers

Option A is wrong because StackSets are specifically designed to deploy stacks across multiple accounts and regions, so deploying to more than one account is a core feature, not a limitation. Option C is wrong because service-linked roles are not required for StackSets with self-managed permissions; they are used with service-managed permissions when StackSets integrates with AWS Organizations. Option D is wrong because resource service quotas would produce a different error message (e.g., 'Resource limit exceeded'), not an IAM permissions error.

1518
Multi-Selecteasy

A DevOps engineer needs to receive notifications when an EC2 instance's status check fails. Which TWO services should the engineer use? (Choose TWO.)

Select 2 answers
A.AWS Lambda
B.Amazon Simple Notification Service (SNS)
C.AWS CloudTrail
D.AWS Config
E.Amazon CloudWatch Alarm
AnswersB, E

SNS sends notifications when the alarm triggers.

Why this answer

Amazon CloudWatch Alarms (Option E) can monitor EC2 instance status checks (both system and instance checks) and trigger an action when the alarm state changes to ALARM. Amazon SNS (Option B) is the service that delivers the notification by publishing messages to subscribers (e.g., email, SMS, HTTP endpoints) when the CloudWatch alarm triggers. Together, they provide a complete monitoring and notification pipeline for status check failures.

Exam trap

The trap here is that candidates often select AWS Lambda or AWS Config because they associate them with automation or compliance, but the question explicitly asks for services to 'receive notifications' when a status check fails, which requires a notification delivery service (SNS) and a monitoring service (CloudWatch Alarm), not compute or configuration tracking.

1519
Multi-Selectmedium

A company runs a production database on Amazon RDS for MySQL. The database experiences a sudden spike in connections, causing the application to time out. The DevOps team needs to diagnose the issue quickly. Which combination of actions should be taken? (Choose two.)

Select 2 answers
A.Check CloudWatch metrics for DatabaseConnections and CPUUtilization.
B.Immediately scale up the RDS instance to handle the load.
C.Analyze VPC Flow Logs to identify the source IPs of connections.
D.Use the RDS console to view the number of active connections per user.
E.Enable Performance Insights and review the top SQL statements.
AnswersA, E

These metrics show connection count and resource usage.

Why this answer

Option A is correct because CloudWatch RDS metrics provide real-time connection count. Option D is correct because Performance Insights helps identify SQL queries causing the spike. Option B is wrong because increasing instance size is a mitigation, not diagnosis.

Option C is wrong because the RDS console does not show individual connections. Option E is wrong because VPC Flow Logs show network traffic, not database connections.

1520
MCQeasy

A company wants to centrally manage user access to multiple AWS accounts using federated identity. Which AWS service should be used to create a single sign-on (SSO) solution?

A.AWS IAM Identity Center (AWS SSO)
B.AWS Organizations
C.AWS Directory Service for Microsoft Active Directory
D.Amazon Cognito
AnswerA

IAM Identity Center provides SSO across multiple AWS accounts.

Why this answer

AWS IAM Identity Center (formerly AWS SSO) is the correct service because it is purpose-built to centrally manage user access and permissions across multiple AWS accounts and applications from a single place. It allows you to create or connect your existing identity source (e.g., Active Directory, Okta, Azure AD) and then define fine-grained permission sets that map users or groups to specific roles in each account, enabling a true single sign-on (SSO) experience without needing to create IAM users in every account.

Exam trap

The trap here is that candidates often confuse AWS Organizations (which manages accounts and policies) with IAM Identity Center (which manages user identities and SSO), or they think that Directory Service alone provides SSO across accounts, when in fact it only provides the directory backend and requires an additional federation service like IAM Identity Center to bridge authentication to multiple AWS accounts.

How to eliminate wrong answers

Option B (AWS Organizations) is wrong because it provides centralized governance and policy management for multiple AWS accounts (e.g., via Service Control Policies), but it does not handle user authentication or SSO; it is a prerequisite for using IAM Identity Center but not the SSO solution itself. Option C (AWS Directory Service for Microsoft Active Directory) is wrong because it is a managed Microsoft AD directory service that can serve as an identity source, but it does not natively provide the multi-account permission management or SSO portal; you would still need IAM Identity Center to federate access across accounts. Option D (Amazon Cognito) is wrong because it is designed for customer-facing identity and access management for web and mobile applications, not for managing workforce access to AWS accounts or providing SSO across multiple AWS accounts.

1521
MCQmedium

A development team uses AWS CodeCommit for source control and AWS CodePipeline for CI/CD. The pipeline has a Source stage that polls the repository for changes. Recently, developers have noticed that the pipeline does not always trigger when code is pushed to the main branch. What is the most likely cause?

A.The number of pushes to the repository has exceeded the CodePipeline poll rate limit.
B.The repository does not have a webhook configured to notify CodePipeline of changes.
C.The IAM role used by CodePipeline does not have permission to read from CodeCommit.
D.CloudWatch Events is not enabled for the repository.
AnswerA

CodePipeline polls at a fixed interval; if many pushes occur, some may be missed due to throttling.

Why this answer

Option B is correct because excessive pushes to the repository can cause throttling of CodePipeline's polling mechanism. Option A is wrong because CodePipeline does not require a webhook; polling is a valid method. Option C is wrong because CloudWatch Events are not used for polling.

Option D is wrong because IAM permissions for CodeCommit are separate from CodePipeline's service role.

1522
MCQmedium

A company uses AWS CodePipeline to deploy a Node.js application to AWS Elastic Beanstalk. The pipeline includes a build stage that runs 'npm install' and 'npm test'. The team notices that the build stage often fails due to network timeouts when downloading npm packages. Which action would MOST reliably resolve this issue?

A.Configure the CodeBuild project to use a VPC with a NAT gateway to the internet.
B.Use a custom Docker image that includes pre-installed npm packages.
C.Enable local dependency caching in the buildspec file.
D.Increase the build timeout to the maximum value.
AnswerA

Provides reliable internet access from CodeBuild.

Why this answer

Option B is correct because using a VPC with a NAT gateway ensures consistent outbound internet access for CodeBuild. Option A is wrong because npm packages are not cached by default. Option C is wrong because increasing timeout may not resolve timeouts.

Option D is wrong because using a custom image does not fix network issues.

1523
MCQhard

A company uses AWS KMS to encrypt data in Amazon S3. The security team requires that all encryption keys be rotated automatically every 365 days. Which type of KMS key should be used?

A.AWS owned key
B.Custom key store backed by CloudHSM
C.Customer managed key (CMK)
D.AWS managed key (aws/s3)
AnswerC

Customer managed keys allow you to enable automatic rotation with a customizable period (default 365 days).

Why this answer

AWS managed keys (aws/s3) are automatically rotated every year (365 days). Customer managed keys allow you to set a custom rotation period (any length between 90 days and 10 years) but require enabling rotation. The key is that aws/s3 keys rotate automatically without any configuration.

However, the question says 'all encryption keys' and 'every 365 days' - both options can achieve that, but aws/s3 keys are automatically rotated, while customer managed keys need rotation enabled. The best practice is to use the most appropriate. But note: customer managed keys can be rotated automatically if you enable it.

The question might be ambiguous, but typical exam scenario: use customer managed keys for more control. However, the security team requires automatic rotation; both can do it. The nuance: customer managed keys have a rotation period that you can set, but the default is 365 days when you enable rotation.

So both work. But the question says 'which type' - likely they want customer managed because it allows you to control the policy. However, aws/s3 keys are automatically rotated and cannot be customized.

Since the requirement is 'every 365 days', which is the default for both, but aws/s3 keys are already rotated on that schedule. I think the answer is 'Customer managed key' because it's a key you own and have control over the rotation policy. Actually, aws/s3 keys are rotated annually, but you cannot view or manage them.

For compliance, you might need to control the key. So I'll go with customer managed key.

1524
Multi-Selecthard

A company uses Amazon RDS for MySQL and wants to monitor slow queries to optimize performance. Which actions should the DevOps engineer take to capture and analyze slow query logs? (Choose THREE.)

Select 3 answers
A.Use AWS CloudTrail to capture SQL queries
B.Enable the slow query log parameter in the RDS DB parameter group
C.Enable RDS Performance Insights
D.Configure RDS to publish logs to Amazon CloudWatch Logs
E.Use CloudWatch Logs Insights to query and analyze the slow query logs
AnswersB, D, E

Correct. This generates slow query logs.

Why this answer

Option A (enable slow query log) is necessary. Option B (publish to CloudWatch Logs) allows centralized access. Option D (use CloudWatch Logs Insights) enables analysis.

Option C (RDS Performance Insights) is for performance but not slow queries specifically. Option E (CloudTrail) is not relevant.

1525
Multi-Selectmedium

A company is designing a secure CI/CD pipeline using AWS CodePipeline. The pipeline must comply with the principle of least privilege for IAM permissions. Which TWO actions should the DevOps engineer take? (Choose TWO.)

Select 2 answers
A.Use the same IAM role for all pipeline stages to simplify management.
B.Use an SCP to deny all pipeline actions except those explicitly allowed.
C.Attach an IAM policy to the pipeline itself that grants full access to all services.
D.Scope IAM policies to specific resources, such as specific S3 buckets and CodeBuild projects.
E.Create separate IAM roles for CodeBuild and CodeDeploy with only the permissions they require.
AnswersD, E

Resource-level scope limits permissions.

Why this answer

Option A is correct because using separate roles for each action limits permissions. Option D is correct because scoping permissions to specific resources follows least privilege. Option B is wrong because a single role with all permissions is not least privilege.

Option C is wrong because using the same role is not secure. Option E is wrong because SCPs are for organization-level, not pipeline.

1526
Multi-Selecthard

A company's Security team wants to detect and alert on the creation of IAM users with console access. Which THREE services should be used?

Select 3 answers
A.AWS CloudTrail
B.Amazon CloudWatch Logs
C.AWS Config
D.Amazon GuardDuty
E.Amazon CloudWatch Alarms
AnswersA, B, E

CloudTrail records all IAM user creation events.

Why this answer

CloudTrail logs the CreateUser and CreateLoginProfile API calls. CloudWatch Logs can receive CloudTrail logs and create metric filters. CloudWatch Alarms can trigger on the metric.

Config can track resource changes but not as efficient for alerting on API calls. GuardDuty does not specifically focus on IAM user creation.

1527
Multi-Selectmedium

A company uses AWS Config to evaluate resource compliance. They have a custom AWS Config rule that checks whether EC2 instances have a specific tag. The rule is triggered by configuration changes. The DevOps engineer notices that the rule evaluation results show 'NON_COMPLIANT' for some instances that actually have the tag. Which TWO could be causes? (Choose TWO.)

Select 2 answers
A.The rule's maximum execution frequency is set to 24 hours
B.The Lambda function that evaluates the rule has a logic error
C.The rule is not being triggered by CloudTrail events
D.The rule is configured to evaluate only for a specific resource type that does not include EC2
E.The AWS Config service role does not have permission to invoke the Lambda function
AnswersB, D

A bug in the Lambda function can cause incorrect evaluations.

Why this answer

Options A and D are correct. A: The custom lambda function might have a bug. D: The AWS Config rule might not be using the correct resource type.

Option B is wrong because AWS Config does not use CloudTrail for triggering. Option C is wrong because the rule's maximum execution frequency is not relevant for change-triggered rules. Option E is wrong because the IAM role for AWS Config might not have permission to invoke the Lambda function, but that would cause a different error.

1528
Multi-Selectmedium

A DevOps engineer is designing an AWS CloudFormation template to deploy a three-tier web application. The application must be highly available across multiple Availability Zones. The engineer needs to ensure that the database layer uses a Multi-AZ deployment. Which TWO options should the engineer implement to meet these requirements? (Choose TWO.)

Select 2 answers
A.Define a separate 'AWS::RDS::DBSubnetGroup' resource with subnets from at least two Availability Zones.
B.Deploy the database with multiple read replicas in different Availability Zones.
C.Select a database engine that supports Multi-AZ deployments.
D.Configure the database to use a DB subnet group with subnets in a single Availability Zone.
E.Set the 'MultiAZ' property of the 'AWS::RDS::DBInstance' resource to 'true'.
AnswersC, E

Not all engines support Multi-AZ; e.g., Microsoft SQL Server requires specific editions.

Why this answer

Option C is correct because not all AWS RDS database engines support Multi-AZ deployments; for example, Amazon Aurora uses a different high-availability mechanism (cluster volume) and does not use the standard Multi-AZ feature. The engineer must verify that the chosen engine (e.g., MySQL, PostgreSQL, Oracle, SQL Server) explicitly supports Multi-AZ to enable synchronous standby replication across Availability Zones. Option E is correct because setting the 'MultiAZ' property to 'true' on the 'AWS::RDS::DBInstance' resource directly instructs CloudFormation to provision a primary DB instance in one AZ and a standby in another AZ, with automatic failover.

Exam trap

The trap here is that candidates often assume any database engine can be made Multi-AZ by simply setting the flag, but the exam tests the knowledge that engines like Aurora have a different architecture and require a cluster-based approach, not the standard MultiAZ property.

1529
Multi-Selecteasy

A company uses AWS OpsWorks for Chef to manage its configuration. The company is planning to migrate to AWS Systems Manager. Which AWS Systems Manager capabilities can replace OpsWorks Chef functionalities? (Choose THREE.)

Select 3 answers
A.Patch Manager
B.Session Manager
C.Run Command
D.State Manager
E.Inventory
AnswersA, D, E

B: Patch Manager automates patching.

Why this answer

Options A, B, and D are correct. A: State Manager can enforce configuration state. B: Patch Manager can manage patching.

D: Inventory can collect software inventory. Option C is wrong because Run Command is for ad-hoc commands, not state enforcement. Option E is wrong because Session Manager is for interactive access, not configuration management.

1530
MCQeasy

A company uses AWS CodeBuild to run unit tests and package a Java application. The build environment needs to have a specific version of Java installed that is not available in the standard build images. The team wants to minimize build time. How should the engineer configure the build environment?

A.Use AWS Lambda to run the tests and package the application.
B.Use a standard build image and include a pre-build command to install the required Java version.
C.Use a custom build image that already includes the required Java version, stored in Amazon ECR.
D.Use the pre-build phase to download and install Java from an S3 bucket.
AnswerC

B: A custom image eliminates the need to install software each time, reducing build time.

Why this answer

Option B is correct because using a custom Docker image with the required Java version avoids installing it during each build, reducing build time. Option A is wrong because installing during build increases time. Option C is wrong because installing at the start of the build phase also increases time.

Option D is wrong because Lambda is not suitable for running a build server.

1531
MCQeasy

A DevOps engineer wants to receive an alert when the total number of error logs in an application exceeds 100 within a 5-minute period. The application writes logs to CloudWatch Logs. How can this be achieved?

A.Create a CloudWatch dashboard with a line chart for error count and manually monitor it.
B.Use CloudWatch Logs Insights to run a query every 5 minutes and trigger an alert based on the result.
C.Create a CloudWatch Logs subscription filter to send matching logs to a Lambda function, which counts errors and sends an alert.
D.Create a metric filter on the log group for 'ERROR', then create a CloudWatch alarm on the resulting metric with a threshold of 100.
AnswerD

Metric filters extract metrics from logs, and alarms can be set on those metrics to trigger actions when thresholds are breached.

Why this answer

Option A is correct because a metric filter in CloudWatch Logs can count the occurrence of 'ERROR' in log events and create a metric. A CloudWatch alarm can then be set on that metric with a threshold of 100. Option B is wrong because CloudWatch Logs subscription filters send logs to destinations, not trigger alarms.

Option C is wrong because CloudWatch Logs Insights is for querying, not real-time alerting. Option D is wrong because CloudWatch dashboards are for visualization, not alerting.

1532
MCQeasy

A team uses AWS CloudFormation to manage infrastructure. They want to reuse a common set of resources (e.g., VPC, subnets) across multiple stacks. Which CloudFormation feature should they use?

A.Custom resources
B.StackSets
C.Cross-stack references
D.Nested stacks
AnswerD

Nested stacks allow a template to reference another template, enabling reuse.

Why this answer

Option A is correct because nested stacks allow reusing a common template. Option B is wrong because cross-stack references allow passing values but not reusing resource definitions. Option C is wrong because custom resources are for extending CloudFormation.

Option D is wrong because StackSets deploy across accounts/regions.

1533
MCQhard

A company has a multi-account AWS environment using AWS Organizations. The DevOps team wants to enforce a policy that prevents creating S3 buckets with public read access. They plan to use AWS CloudFormation StackSets to deploy a stack across all accounts. What is the BEST way to enforce this policy?

A.Use AWS CloudFormation Guard to validate templates before deployment and reject those with public access.
B.Create an IAM policy that denies s3:PutBucketAcl and attach it to all IAM users.
C.Create a service control policy (SCP) in the root organizational unit that denies the s3:PutBucketPublicAccessBlock action.
D.Create an S3 bucket policy in each account that denies public read access.
AnswerC

SCPs can deny actions across all accounts.

Why this answer

Option C is correct because a service control policy (SCP) applied at the root organizational unit in AWS Organizations can centrally deny the s3:PutBucketPublicAccessBlock action across all accounts, effectively preventing any user or role from disabling the bucket-level public access block settings. This approach works even if an IAM principal has full administrative permissions, as SCPs act as a guardrail that cannot be overridden by account-level policies. It enforces the policy at the organization level without requiring per-account configuration or modifying individual IAM users.

Exam trap

The trap here is that candidates often confuse SCPs with IAM policies or resource-based policies, assuming that an SCP can only restrict IAM users and not API actions like s3:PutBucketPublicAccessBlock, or they mistakenly think that denying s3:PutBucketAcl is sufficient to prevent public read access when in reality bucket policies are a more common vector for granting public access.

How to eliminate wrong answers

Option A is wrong because AWS CloudFormation Guard is a policy-as-code validation tool that can reject templates before deployment, but it only applies to the account where the StackSet is deployed and does not prevent manual creation of S3 buckets via the console, CLI, or SDK in other accounts; it also cannot enforce the policy retroactively. Option B is wrong because attaching an IAM policy that denies s3:PutBucketAcl to all IAM users does not prevent public read access via bucket policies (which use s3:PutBucketPolicy) or via the S3 Block Public Access settings; it also fails to cover roles, service-linked roles, or root user actions. Option D is wrong because creating an S3 bucket policy in each account that denies public read access only applies to existing buckets and does not prevent the creation of new buckets with public read access; it also requires manual deployment and maintenance in every account, which is not scalable or centrally enforceable.

1534
Multi-Selecthard

A gaming company runs a real-time multiplayer game on AWS using Amazon EC2 instances in an Auto Scaling group behind a Network Load Balancer. The game state is stored in Amazon ElastiCache for Redis. The team needs to ensure that the architecture can survive a regional failure with minimal data loss and recovery time. The RTO is 15 minutes and RPO is 5 minutes. The game currently uses a single Redis cluster in us-east-1.

Select 2 answers
A.Enable Multi-AZ on the ElastiCache cluster to improve availability within the region.
B.Use Amazon ElastiCache for Redis with cluster mode disabled to simplify failover.
C.Configure Amazon ElastiCache for Redis with Global Datastore to replicate data to a second region.
D.Configure the application to write to the local Redis replica in the secondary region and then sync back.
E.Create a second Auto Scaling group in the secondary region and use Route 53 failover routing to direct traffic to the healthy region.
AnswersC, E

Global Datastore provides cross-region replication with <5-minute RPO.

Why this answer

To survive regional failure, you need cross-region replication for Redis. Global Datastore for Redis provides cross-region replication. Also, you need to be able to promote the replica in the secondary region.

Finally, you need to redirect traffic to the secondary region, which can be done with Route 53 failover routing.

1535
MCQmedium

A company uses AWS CloudFormation to manage infrastructure. They have a stack that creates an Amazon RDS instance. The stack creation fails with the error: 'The following resource(s) failed to create: [DBInstance]'. The CloudFormation template includes a parameter for the DB instance class. Which troubleshooting step should be taken FIRST?

A.Increase the stack creation timeout to allow more time for the database to be created.
B.Check the CloudFormation stack events for a detailed status message from the DBInstance resource.
C.Verify that the VPC has at least two public subnets in different Availability Zones.
D.Use the Amazon RDS console to check if a DB instance with the same identifier already exists.
AnswerB

Stack events provide the specific reason for failure, such as 'DBInstance class not supported'.

Why this answer

Option B is correct because the most common reason for RDS creation failure is an invalid instance class (e.g., not available in the region). Option A is wrong because the VPC configuration is less likely. Option C is wrong because checking the RDS console will show the error, but checking the events is more direct.

Option D is wrong because increasing timeout won't fix a configuration error.

1536
MCQhard

A company has a CI/CD pipeline that deploys to Amazon ECS using AWS CodePipeline. The pipeline includes a manual approval step before deployment to production. The security team requires that all approvals be logged in AWS CloudTrail and that the approver's identity be verified. Which action should the DevOps engineer take to meet these requirements?

A.Ensure that the manual approval action is configured as a CodePipeline approval action; CloudTrail will log the 'Approval' event with the IAM user ARN.
B.Create a custom CloudTrail trail specifically for CodePipeline API calls.
C.Enable CloudTrail Insights to detect unusual approval activity.
D.Configure the approval action to send a notification to an Amazon SNS topic, and log the SNS delivery to CloudWatch Logs.
AnswerA

CodePipeline approval actions are logged in CloudTrail as PutApprovalResult events.

Why this answer

Option C is correct because CodePipeline manual approval actions are already logged in CloudTrail with the approver's IAM user ARN. Option A is wrong because CloudWatch Logs do not capture approval actions. Option B is wrong because CloudTrail is sufficient.

Option D is wrong because enabling CloudTrail is not needed if already enabled.

1537
MCQeasy

A DevOps engineer is investigating a security incident where an EC2 instance was used to launch an outbound DDoS attack. Which AWS service can provide details about the source IP addresses and network traffic from the instance?

A.VPC Flow Logs
B.AWS CloudTrail
C.Amazon GuardDuty
D.AWS Config
AnswerA

VPC Flow Logs capture IP traffic metadata.

Why this answer

Option B is correct because VPC Flow Logs capture IP traffic information for network interfaces. Option A (CloudTrail) records API calls, not network traffic. Option C (GuardDuty) is a threat detection service but does not provide raw traffic logs.

Option D (Config) records configuration changes.

1538
Multi-Selectmedium

A company uses AWS CloudFormation to manage infrastructure. They have a stack that creates an Amazon RDS DB instance and an EC2 instance that connects to it. The DB instance has a deletion policy of 'Retain'. The stack fails to delete because the DB instance is retained and still exists. Which TWO actions would allow the stack to be deleted successfully? (Select TWO.)

Select 2 answers
A.Use the AWS CLI to force delete the stack with the --force option.
B.Manually delete the DB instance using the RDS console.
C.Disable termination protection on the EC2 instance.
D.Change the deletion policy of the DB instance to 'Delete' and then update the stack before deleting.
E.Modify the DB instance to allow deletion by setting DeletionProtection to false.
AnswersB, D

After manual deletion, the stack can be deleted.

Why this answer

Option B is correct because manually deleting the retained DB instance removes the resource that is blocking the stack deletion. CloudFormation cannot delete a stack that contains a resource with a 'Retain' deletion policy until that resource is manually removed, as the stack expects the resource to no longer exist for the deletion to complete.

Exam trap

The trap here is that candidates often confuse 'Retain' deletion policy with 'DeletionProtection' or assume that termination protection on EC2 instances is relevant, when in fact the core issue is that the retained resource must be either manually removed or its policy changed to allow CloudFormation to delete it.

1539
MCQmedium

A company uses AWS CodeDeploy with a blue/green deployment strategy for an Amazon EC2 Auto Scaling group. During deployment, the new instances are failing health checks and the deployment is rolling back. What is the MOST likely cause?

A.The new instances are not passing the configured health check grace period.
B.The application is not registered with an Elastic Load Balancer.
C.The deployment group is not configured to use an Auto Scaling group.
D.The CodeDeploy agent is not installed on the new instances.
AnswerA

If health checks fail during the grace period, CodeDeploy rolls back.

Why this answer

Option C is correct because failing health checks indicate the new instances are not ready. Option A is incorrect because CodeDeploy agent not running would cause a different error. Option B is incorrect because blue/green typically uses an ELB.

Option D is incorrect because the deployment group already targets the ASG.

1540
MCQmedium

A DevOps team is designing a disaster recovery plan for a production RDS for PostgreSQL database. The RPO must be less than 5 minutes and the RTO less than 1 hour. The database size is 2 TB. Which solution is MOST cost-effective?

A.Enable cross-Region automated backups with a retention period of 1 day
B.Take manual snapshots every 5 minutes and copy them to another Region
C.Use AWS Database Migration Service (DMS) for continuous replication to another Region
D.Create a cross-Region read replica and promote it during disaster
AnswerA

Automated backups are replicated to another Region with typical lag of seconds.

Why this answer

Option C is correct because RDS cross-Region automated replication provides low RPO without manual intervention. Option A is wrong because copying snapshots takes longer than RPO requirement. Option B is wrong because read replicas have a small replication lag but can be promoted quickly.

Option D is wrong because DMS requires extra infrastructure and cost.

1541
MCQhard

A company runs a critical application on Amazon EC2 instances managed by an Auto Scaling group behind an Application Load Balancer. They use AWS CodeDeploy for blue/green deployments. The deployment process creates a new Auto Scaling group (green) and routes traffic to it after a successful deployment. Recently, the deployment succeeded but the green instances are not receiving traffic; users are still served by the old (blue) instances. The deployment logs show that the 'AllowTraffic' step succeeded. The team checked the ALB target groups; the green target group has healthy instances but the ALB listener default action still points to the blue target group. What is the most likely cause and remediation?

A.The ALB has sticky sessions enabled, causing traffic to stick to the blue instances. Disable sticky sessions.
B.The deployment configuration uses 'AllAtOnce' traffic shifting, which is not supported for blue/green with an ALB. Change to 'Canary' or 'Linear'.
C.The deregistration delay on the blue target group is too long, preventing traffic from shifting. Reduce the deregistration delay to 0 seconds.
D.The CodeDeploy deployment group is not configured to update the ALB listener rule. Update the deployment group to include the ALB listener ARN so that CodeDeploy can switch the listener to the green target group.
AnswerD

Correct: CodeDeploy must be configured with the listener ARN to update routing.

Why this answer

Option A is correct because CodeDeploy blue/green with an ALB uses a target group for the green environment, and the listener rule should be updated to route traffic to the green target group. Option B is about deregistration delay, which affects traffic drain, not routing. Option C is about stickiness, which doesn't prevent new traffic.

Option D is about deployment configuration, which doesn't affect traffic routing.

1542
MCQeasy

A company uses AWS Secrets Manager to rotate database credentials automatically. The rotation is configured to occur every 30 days. The DevOps engineer notices that the latest secret version is not being used by the application after rotation. The application is an EC2 instance that retrieves the secret using the AWS SDK. The engineer checks the secret and sees that the rotation succeeded and the new version is marked as 'AWSCURRENT'. The EC2 instance role has permissions to retrieve the secret. What is the most likely reason the application is still using the old secret?

A.The application caches the secret value and does not refresh it until the cache expires or the application is restarted.
B.The secret is in a different AWS Region than the application.
C.The EC2 instance does not have permission to call secretsmanager:GetSecretValue.
D.The rotation Lambda function is not updating the secret version label to AWSCURRENT.
AnswerA

Caching is a common cause of stale secrets.

Why this answer

The application might be caching the secret and not refreshing it after rotation. Option A is correct. Option B is about rotation function, but rotation succeeded.

Option C is about the secret being in different region, but the application uses same region. Option D is about the application's IAM role missing permission, but it has permissions.

1543
MCQhard

A DevOps team uses AWS Lambda functions to process events from an SQS queue. The Lambda function occasionally fails due to transient errors, and the team wants to capture and analyze the full error details, including stack traces, for debugging. The errors are not always related to invocation failures (e.g., timeouts) but include exceptions thrown within the function code. Which approach will capture the MOST comprehensive error information?

A.Configure a DLQ on the SQS queue to capture failed messages and inspect them.
B.Enable CloudWatch Logs and rely on the automatic logging of invocation results.
C.Ensure the Lambda function code returns a meaningful error object (e.g., throws an exception) so that the error is logged in CloudWatch Logs with a stack trace.
D.Use AWS X-Ray to trace the function execution and analyze the traces.
AnswerC

Throwing an exception causes Lambda to log the error with stack trace in CloudWatch Logs.

Why this answer

Option D is correct because returning the error object from the Lambda handler (either by throwing an exception or returning a structured error) will cause Lambda to record the error details in CloudWatch Logs, including stack traces. Option A is wrong because CloudWatch Logs streams all logs, including console log statements, but capturing stack traces requires explicit logging. Option B is wrong because DLQ captures failed events (messages), not error details.

Option C is wrong because X-Ray traces requests but may not capture full stack traces of application errors.

1544
MCQhard

A company is using AWS CodeBuild to compile a Java application. The build takes over 30 minutes, which is too long. The project uses the standard build environment. The source code is stored in an S3 bucket. What is the most effective way to reduce build time?

A.Use a custom build environment with pre-installed Java.
B.Enable local caching for dependencies in the buildspec.yml.
C.Store the source code in AWS CodeCommit instead of S3.
D.Increase the compute type to a larger instance.
AnswerB

Caching dependencies avoids re-downloading them each build.

Why this answer

Option D is correct because caching the Maven dependencies can significantly reduce build time by reusing downloaded artifacts. Option A is wrong because it adds overhead. Option B is wrong because S3 is already the source.

Option C is wrong because it does not address the compilation time.

1545
MCQmedium

A CloudFormation stack update failed with the error shown. What is the most likely cause?

A.The instance type t2.micro is not available in the region.
B.The IAM role used by CloudFormation lacks ec2:RunInstances permissions.
C.The AMI ID specified in the template is incorrect or has been deregistered.
D.The stack name does not match the existing stack.
AnswerC

The error clearly states the imageId is invalid.

Why this answer

Option B is correct. The error message indicates that the AMI ID specified in the resource properties is invalid. This typically happens when the AMI ID does not exist in the region or has been deregistered.

The stack update is trying to update the EC2 instance with a new AMI, but the AMI ID is incorrect. Option A is incorrect because the error is about the AMI ID, not the instance type. Option C is incorrect because the error is not about permissions.

Option D is incorrect because the error is not about the stack name.

1546
MCQhard

A DevOps engineer notices that an EC2 instance in an Auto Scaling group is repeatedly failing health checks and being terminated. The engineer needs to capture the root cause by collecting memory dumps and system logs before termination. What should the engineer do?

A.Configure the CloudWatch Agent to collect memory and system logs and publish them to CloudWatch Logs.
B.Use EC2Rescue for Windows Server or Linux, configure it to run at instance startup, and extend the Auto Scaling health check grace period.
C.Use AWS Systems Manager Run Command to execute a script on the instance that collects diagnostics before it is terminated.
D.Enable EC2 instance metadata service (IMDS) to capture diagnostic data that persists after termination.
AnswerB

EC2Rescue can run diagnostics at startup; extending the grace period gives time for the tool to collect data before termination.

Why this answer

Option B is correct because EC2Rescue is specifically designed to collect memory dumps and system logs from EC2 instances, and by configuring it to run at startup and extending the Auto Scaling health check grace period, the engineer ensures diagnostics are captured before the instance is terminated for failing health checks. This approach directly addresses the need to gather root cause data from a failing instance that is about to be replaced.

Exam trap

The trap here is that candidates often assume Systems Manager Run Command (Option C) can reliably execute scripts on failing instances, but they overlook that the instance must be in a running and reachable state, which is not guaranteed when health checks are repeatedly failing and termination is imminent.

How to eliminate wrong answers

Option A is wrong because the CloudWatch Agent collects logs and metrics during normal operation but does not capture memory dumps or system logs at the point of failure before termination; it cannot guarantee data collection from an instance that is being terminated due to health check failures. Option C is wrong because AWS Systems Manager Run Command requires the instance to be running and reachable to execute commands, but the instance is repeatedly failing health checks and may be terminated before the command can run, making it unreliable for capturing pre-termination diagnostics. Option D is wrong because EC2 instance metadata service (IMDS) provides metadata about the instance (e.g., instance ID, AMI ID) but does not capture diagnostic data like memory dumps or system logs, and it does not persist after termination.

1547
MCQhard

A company uses AWS CodeDeploy for application deployments. They want to ensure that if a deployment fails, the system automatically rolls back to the previous version. Which configuration should they set?

A.Define a 'Failure' lifecycle event hook that calls a Lambda function to revert the deployment.
B.Configure the deployment group to enable automatic rollback when a deployment fails.
C.Set the 'auto-rollback' property in the CodeDeploy deployment group to 'true'.
D.Use a CloudFormation stack with a rollback configuration.
AnswerB

CodeDeploy supports automatic rollback on failure.

Why this answer

Option D is correct because CodeDeploy has a built-in rollback configuration that can automatically trigger when a deployment fails. Option A is wrong because CloudFormation is for infrastructure. Option B is wrong because 'auto-rollback' is not a valid CodeDeploy property.

Option C is wrong because the 'Failure' hook is for custom scripts, not automatic rollback.

1548
MCQmedium

A company uses AWS Lambda functions to process data from an Amazon SQS queue. The Lambda function sometimes fails due to timeouts. The DevOps team wants to monitor the number of function timeouts and receive alerts. What is the MOST efficient way to achieve this?

A.Create an Amazon EventBridge rule that captures Lambda execution results and triggers an SNS topic
B.Enable AWS X-Ray on the Lambda function and analyze traces for timeouts
C.Create a CloudWatch Logs Insights query to search for 'Task timed out' and run it periodically
D.Configure a CloudWatch alarm on the 'Timeouts' metric from AWS/Lambda namespace
AnswerD

Lambda publishes Timeout metric natively, and alarm can be set directly.

Why this answer

Option D is correct because Lambda automatically publishes 'Timeout' metrics to CloudWatch, and a CloudWatch alarm can be configured on that metric. Option A is wrong because CloudWatch Logs Insights requires querying logs, which is not real-time. Option B is wrong because EventBridge can capture Lambda events but requires creating a rule and target.

Option C is wrong because X-Ray is for tracing, not metrics.

1549
MCQhard

A company uses AWS Organizations to manage multiple accounts. The security team wants to enforce that all S3 buckets across all accounts are encrypted with AWS KMS. Which approach should be used to ensure compliance?

A.Attach a service control policy (SCP) to all accounts that denies s3:PutBucketEncryption or s3:PutObject without encryption.
B.Apply an S3 bucket policy on each account's buckets to deny unencrypted object uploads.
C.Create an IAM policy in the master account that denies S3:PutObject without encryption.
D.Use AWS Config rules to evaluate S3 bucket encryption and trigger a remediation action via AWS Systems Manager Automation.
AnswerA

SCPs can centrally prevent actions across all accounts in the organization.

Why this answer

Option D is correct because a service control policy (SCP) can deny actions that create or modify S3 buckets without encryption. Option A is wrong because Config rules only detect non-compliance, they don't enforce. Option B is wrong because bucket policies are per-bucket and cannot be applied globally.

Option C is wrong because an IAM policy in the master account does not affect member accounts.

1550
MCQhard

A team uses AWS CodeBuild to run integration tests that require access to an Amazon RDS database. The database is in a private subnet. The CodeBuild project is configured to use a VPC. However, the builds are failing with a timeout connecting to the database. What could be the issue?

A.The CodeBuild project's VPC configuration does not include the subnet IDs where the database resides.
B.The security group for the CodeBuild project does not allow outbound traffic to the RDS database.
C.The security group for the RDS database does not allow inbound traffic from the security group assigned to the CodeBuild project.
D.The CodeBuild project does not have a route to the internet via an internet gateway, so it cannot reach the RDS endpoint.
AnswerC

The database's security group must allow inbound from the CodeBuild security group.

Why this answer

Option B is correct because security group rules must allow inbound traffic from the security group associated with the CodeBuild project. Option A is wrong because CodeBuild VPC support requires subnets, not just the VPC ID. Option C is wrong because CodeBuild does not need an internet gateway for VPC-based builds; it can use VPC endpoints for AWS services.

Option D is wrong because the security group for CodeBuild should allow outbound to the database, but the database's security group must allow inbound from CodeBuild.

1551
MCQmedium

A DevOps team uses Elastic Beanstalk to deploy a web application. They want to configure environment variables without modifying the application code. Where should they define these variables?

A.As environment properties in the Elastic Beanstalk environment
B.In the EC2 User Data script
C.In the instance metadata
D.In the application code
AnswerA

Elastic Beanstalk natively supports environment properties that are injected as environment variables.

Why this answer

Elastic Beanstalk allows environment properties to be set in the console, CLI, or via .ebextensions. These are exposed as environment variables to the application. Option C is correct.

Option A is incorrect because the application code is the wrong place. Option B is incorrect because User Data is for EC2 initialization, not for application environment variables. Option D is incorrect because Instance Metadata does not expose custom environment variables automatically.

1552
Multi-Selectmedium

A company is using Amazon CloudWatch Logs to store application logs. The DevOps team needs to search and analyze logs from multiple EC2 instances in real time. Which TWO services can be used to achieve this? (Choose TWO.)

Select 2 answers
A.Amazon OpenSearch Service.
B.Amazon Athena.
C.Amazon QuickSight.
D.Amazon Kinesis Data Analytics.
E.CloudWatch Logs Insights.
AnswersA, E

CloudWatch Logs can stream to OpenSearch for real-time search.

Why this answer

Option A is correct because CloudWatch Logs Insights allows real-time querying of log groups. Option C is correct because CloudWatch Logs can stream to Amazon OpenSearch Service for real-time search and analytics. Option B is wrong because Athena is for ad-hoc querying of S3 data, not real-time.

Option D is wrong because Kinesis Data Analytics is for streaming data analysis, not directly for log search. Option E is wrong because QuickSight is for visualization, not real-time search.

1553
MCQmedium

Refer to the exhibit. A DevOps engineer runs the above CloudWatch Logs Insights query on a log group containing application logs. The query returns an empty result set. The engineer knows that the application logs contain ERROR entries. Which of the following is the most likely cause?

A.The stats function cannot be used with the filter command.
B.The log group does not have any log streams.
C.The filter pattern is case-sensitive and the log entries use lowercase 'error'.
D.The limit of 20 results is too low and the query times out.
AnswerC

The 'like' operator is case-sensitive by default.

Why this answer

Option B is correct because the query uses 'like /ERROR/' which is case-sensitive. If the logs contain 'error' in lowercase, the filter will not match. Option A is wrong because the timestamp field is present.

Option C is wrong because the stats function is valid. Option D is wrong because the limit is fine.

1554
MCQhard

Refer to the exhibit. A DevOps engineer deploys this CloudFormation template. The EC2 instance launches, but the httpd service does not start. The engineer connects to the instance and finds that the user data script did not run. What is the most likely cause?

A.The UserData is not base64 encoded correctly
B.The AMI does not have yum installed
C.The tags prevent user data from executing
D.The AMI uses a different init system than systemd
AnswerB

Amazon Linux 2 may not have yum by default.

Why this answer

Option D is correct because the default AMI for t2.micro may be Amazon Linux 2, which uses 'dnf' or 'amazon-linux-extras' instead of 'yum'. Option A is incorrect because the syntax looks correct. Option B is incorrect because SystemD is used.

Option C is incorrect because tags do not affect user data execution.

1555
Multi-Selecteasy

Which TWO AWS services can be used to monitor for unauthorized API calls in an AWS account? (Choose two.)

Select 2 answers
A.AWS Config
B.Amazon S3
C.Amazon CloudWatch Logs
D.AWS CloudTrail
E.Amazon GuardDuty
AnswersD, E

CloudTrail records API calls and can be used to detect unauthorized calls.

Why this answer

AWS CloudTrail records API calls and can be used to monitor for unauthorized activity. AWS Config evaluates resource configurations against rules. GuardDuty provides intelligent threat detection using CloudTrail logs, VPC Flow Logs, and DNS logs.

CloudWatch Logs can store logs but does not directly monitor for unauthorized calls. S3 is for storage.

1556
MCQmedium

A DevOps engineer needs to automate the creation of an AWS CodeStar project for a new microservice. The engineer wants to use AWS CloudFormation to define the project and its resources. Which CloudFormation resource should be used?

A.AWS::CodeStar::Project
B.AWS::ServiceCatalog::CloudFormationProduct
C.AWS::CodePipeline::Pipeline
D.AWS::CodeBuild::Project
AnswerA

This resource creates a CodeStar project with associated resources.

Why this answer

Option A is correct because AWS::CodeStar::Project is the CloudFormation resource for creating a CodeStar project. Option B is wrong because AWS::ServiceCatalog::CloudFormationProduct is for Service Catalog products. Option C is wrong because AWS::CodePipeline::Pipeline creates a pipeline, not a CodeStar project.

Option D is wrong because AWS::CodeBuild::Project creates a build project, not a CodeStar project.

1557
MCQeasy

A DevOps engineer receives a CloudWatch alarm indicating that an EC2 instance's CPU utilization has exceeded 90% for 10 minutes. The instance is part of an Auto Scaling group behind an Application Load Balancer. What is the MOST efficient initial step to troubleshoot the high CPU usage?

A.Review the EC2 instance's CloudWatch metrics for CPU credit balance and network utilization.
B.Modify the Auto Scaling group to use a larger instance type.
C.Check the ALB's HTTP 5xx error rate metric for the target group.
D.Immediately increase the desired capacity of the Auto Scaling group.
AnswerA

This helps identify resource contention.

Why this answer

Option C is correct because CloudWatch metrics provide historical data to identify the root cause. Option A is wrong because no alarm exists for HTTP 5xx. Option B is wrong because scaling has not yet occurred.

Option D is wrong because increasing instance size does not address the cause.

1558
MCQhard

Refer to the exhibit. The IAM policy above is attached to an EC2 instance role. The CloudWatch agent on the instance is configured to send logs to the 'MyAppLogs' log group. However, logs are not appearing in CloudWatch. What is the most likely issue?

A.The instance role needs additional permissions to write to S3 for log delivery.
B.The log group name in the policy does not match the log group name configured in the agent.
C.The policy does not allow the 'logs:PutLogEvents' action on the specific log stream resource.
D.The region in the policy ARN does not match the region where the log group is created.
AnswerC

The resource ARN for PutLogEvents should include the log stream, e.g., 'arn:aws:logs:us-east-1:123456789012:log-group:MyAppLogs:log-stream:*'. The current policy only allows actions on the log group itself, not on log streams.

Why this answer

Option C is correct because the policy only grants permissions for log streams under the log group (using the * wildcard for log streams), but it does not include permission to describe or interact with the log group itself. However, the real issue is that the resource ARN for PutLogEvents requires a log stream resource, not just the log group. The correct resource should be "arn:aws:logs:us-east-1:123456789012:log-group:MyAppLogs:log-stream:*" for PutLogEvents.

Option A is wrong because the log group name matches. Option B is wrong because the region is correct. Option D is wrong because CloudWatch Logs agent does not require S3 permissions.

1559
MCQhard

A company has a multi-account AWS environment using AWS Organizations. The security team needs to centrally monitor and analyze VPC Flow Logs from all accounts. The solution must be cost-effective and allow querying across accounts. Which approach should they take?

A.Use Amazon Elasticsearch Service (Amazon OpenSearch Service) with a cross-account ingestion pipeline.
B.Stream VPC Flow Logs from each account to Amazon Kinesis Data Analytics for real-time analysis.
C.Send VPC Flow Logs from each account to a centralized Amazon S3 bucket, then use Amazon Athena to query the logs.
D.Configure each account to send VPC Flow Logs to a central CloudWatch Logs group using cross-account subscription.
AnswerC

This approach is cost-effective, scalable, and allows cross-account queries using Athena.

Why this answer

Option C is correct because it uses a centralized Amazon S3 bucket to aggregate VPC Flow Logs from all accounts, which is cost-effective (S3 storage costs are low) and enables cross-account querying via Amazon Athena using standard SQL. This approach avoids per-ingestion costs of services like CloudWatch Logs or Kinesis and provides a serverless, scalable query engine for analyzing logs across accounts.

Exam trap

The trap here is that candidates may overestimate the complexity of cross-account S3 access or underestimate the cost of CloudWatch Logs ingestion, leading them to choose Option D (central CloudWatch Logs group) which seems simpler but is actually more expensive and less query-friendly than S3+Athena.

How to eliminate wrong answers

Option A is wrong because Amazon OpenSearch Service (formerly Elasticsearch Service) incurs significant costs for ingestion and storage, and cross-account ingestion pipelines require complex setup with Lambda or Kinesis, making it less cost-effective than S3+Athena. Option B is wrong because Amazon Kinesis Data Analytics is designed for real-time stream processing, not for cost-effective historical querying across accounts; it would be overkill and expensive for periodic analysis of VPC Flow Logs. Option D is wrong because CloudWatch Logs cross-account subscriptions require each account to send logs to a central account's CloudWatch Logs group, which incurs per-ingestion costs and does not natively support SQL-based querying like Athena; querying across accounts would require additional tools or cross-account log group access, increasing complexity and cost.

1560
MCQeasy

Refer to the exhibit. This S3 bucket policy allows the root user of account 111122223333 to perform which actions?

A.Change the bucket policy
B.Delete objects from the bucket
C.Read and write objects in the bucket
D.List objects in the bucket
AnswerC

GetObject and PutObject allow reading and writing objects.

Why this answer

The policy grants s3:GetObject and s3:PutObject to the root user of the specified account. It does not grant other actions. The resource is objects under my-bucket.

The principal is the root user of the other account.

1561
MCQmedium

A company uses AWS CodePipeline to deploy a web application. The pipeline includes a deploy action that uses AWS CloudFormation to update a stack. The deployment occasionally fails because of a transient resource limit error. Which automatic retry strategy should a DevOps engineer implement?

A.Use an AWS Step Function to orchestrate the deployment with retry logic
B.Set the deploy action's retry count to 3 in the pipeline definition
C.Modify the CloudFormation stack to include a retry policy
D.Configure the pipeline to retry the entire pipeline execution on failure
AnswerB

CodePipeline action retry handles transient failures.

Why this answer

Option B is correct because CodePipeline supports automatic retry of actions; the retry count can be set to 3. Option A is wrong because the pipeline execution itself should not be retried entirely. Option C is wrong because CloudFormation does not have a built-in retry mechanism; it fails the action.

Option D is wrong because Step Functions adds complexity and cost.

1562
MCQhard

A company has a requirement to rotate database credentials every 30 days for an Amazon RDS for MySQL instance. The credentials are currently stored in AWS Secrets Manager. The DevOps engineer needs to implement automatic rotation without modifying the application code. Which solution should be used?

A.Create a scheduled job that runs every 30 days to update the secret in Secrets Manager with a new password.
B.Store the credentials in AWS Systems Manager Parameter Store and configure automatic rotation using a Lambda function.
C.Use the AWS RDS automatic password rotation feature, which automatically updates the password every 30 days.
D.Configure Secrets Manager to automatically rotate the secret every 30 days using a Lambda rotation function, and have the application retrieve the secret using the Secrets Manager API.
AnswerD

Secrets Manager provides built-in rotation for RDS with a Lambda function, and the application can retrieve credentials on-the-fly.

Why this answer

Option D is correct because AWS Secrets Manager natively supports automatic rotation of secrets using a Lambda function that updates both the secret in Secrets Manager and the password in the RDS MySQL instance. This solution meets the 30-day rotation requirement without modifying application code, as the application retrieves the current secret via the Secrets Manager API, which automatically handles versioning and caching.

Exam trap

The trap here is that candidates may confuse AWS Secrets Manager's automatic rotation with a simple scheduled update of the secret value, or mistakenly believe that RDS or Parameter Store have built-in rotation capabilities, when in fact only Secrets Manager with a Lambda rotation function provides a fully automated, code-free solution.

How to eliminate wrong answers

Option A is wrong because creating a scheduled job to update the secret in Secrets Manager does not change the password in the RDS instance, leaving the database credential out of sync. Option B is wrong because AWS Systems Manager Parameter Store does not support automatic rotation of database credentials; it lacks the built-in rotation mechanism and Lambda integration that Secrets Manager provides. Option C is wrong because Amazon RDS does not have an automatic password rotation feature; password rotation must be implemented manually or via Secrets Manager with a Lambda function.

1563
Multi-Selectmedium

A company runs a critical web application on Amazon EC2 instances behind an Application Load Balancer (ALB) across multiple Availability Zones. The application stores session data in a shared Amazon ElastiCache for Redis cluster. The operations team reports that during a recent AZ failure, users experienced session loss and application errors. Which combination of actions should the company take to improve resilience and maintain session state during an AZ failure? (Choose TWO.)

Select 2 answers
A.Configure the ALB with cross-zone load balancing enabled and connection draining set to a suitable timeout.
B.Deploy an Auto Scaling group with a dynamic scaling policy that adds instances in the remaining AZs.
C.Enable cluster mode for the ElastiCache for Redis cluster and configure replica nodes in different Availability Zones.
D.Configure the application to use a custom DNS name with a low TTL pointing to the ElastiCache cluster endpoint.
E.Enable Multi-AZ for the ElastiCache cluster to automatically fail over to a replica in another AZ.
AnswersA, C

Cross-zone load balancing distributes traffic evenly, and connection draining allows in-flight requests to complete during instance replacement.

Why this answer

Option A is correct because enabling cross-zone load balancing on the ALB ensures traffic is distributed evenly across all EC2 instances in all AZs, and connection draining with a suitable timeout allows in-flight requests to complete before instances are deregistered, preventing session loss during an AZ failure. Option C is correct because enabling cluster mode for ElastiCache for Redis with replica nodes in different AZs provides automatic sharding and replication, ensuring session data remains available and consistent even if a primary node in one AZ fails.

Exam trap

The trap here is that candidates often confuse Multi-AZ (which provides a single standby replica) with cluster mode (which provides sharded, distributed replication across AZs), and fail to recognize that Multi-AZ alone does not protect session data if the primary and replica are in the same AZ or if the failure affects the entire AZ containing both nodes.

1564
Multi-Selectmedium

A DevOps engineer is managing infrastructure as code using AWS CloudFormation. The engineer wants to automatically update a stack when changes are pushed to a Git repository. Which THREE services can be used together to achieve this?

Select 3 answers
A.AWS CloudFormation
B.Amazon CloudWatch Events
C.AWS CodeBuild
D.AWS CodeCommit
E.AWS CodePipeline
AnswersA, D, E

CloudFormation is used to update the stack.

Why this answer

Option A is correct because CodePipeline can orchestrate the deployment. Option B is correct because CodeCommit is the repository. Option D is correct because CloudFormation is the deployment action.

Option C is wrong because CloudWatch Events can trigger pipelines but is not a primary service for this scenario. Option E is wrong because CodeBuild is for building, not directly applying CloudFormation stacks.

1565
MCQhard

A team uses AWS CodePipeline with multiple parallel actions in a stage. They notice that when one action fails, the entire stage fails and no further actions are attempted. They want the pipeline to continue with the remaining actions even if one fails, and then report the failure at the end. Which feature should they use?

A.Configure each action with a 'RunOrder' of 1 and set 'On failure' to 'ABORT'.
B.Configure each action with 'On failure' set to 'CONTINUE'.
C.Set the stage's 'On failure' to 'ROLLBACK'.
D.Use a custom Lambda function to catch failures and resume the pipeline.
AnswerB

CONTINUE allows the pipeline to proceed with other actions even if this action fails.

Why this answer

CodePipeline supports a 'RunOrder' but also a 'Failure mode' per action. However, to allow continuation, they need to set the 'On failure' for the stage to 'ROLLBACK' or 'FAIL'. Actually, the correct approach is to use a custom action or set the 'RunOrder' such that actions are independent.

The best practice is to use 'FAILURE' mode as 'CONTINUE' is not available; instead, they should set the stage's 'On failure' to 'FAIL' and use a separate stage for error handling. But the question asks for a specific feature: 'Retry on failure' with a maximum count. Option C is correct because setting retry allows the pipeline to continue after a transient failure, but for permanent failure, they need to use 'Failure mode' per action.

Actually, CodePipeline now supports 'On failure' for actions: 'ABORT' or 'CONTINUE'. So using 'CONTINUE' on failure for the action will let the pipeline continue. Option C is correct.

1566
MCQhard

Refer to the exhibit. An AWS CloudFormation template includes a Lambda function with the ARN shown. The function is part of a custom resource to create an S3 bucket. The stack creation fails with the error 'Function not found: arn:aws:lambda:us-east-1:123456789012:function:my-function'. The Lambda function exists in the same account and region. What is the most likely cause?

A.The Lambda function is defined in the same template and has a circular dependency
B.The Lambda function is not in the same AWS region
C.The Lambda function lacks necessary IAM permissions
D.The Lambda function ARN is malformed
AnswerA

CloudFormation cannot use a resource that is being created in the same stack as a custom resource without proper DependsOn

Why this answer

The error indicates that CloudFormation cannot find the Lambda function. Since the function exists in the same account and region, the issue could be that the function is not deployed yet because of a circular dependency. CloudFormation may be trying to invoke the function before it is created.

Option C is correct. Option A is wrong because the ARN is correct. Option B is wrong because IAM permissions would cause a different error.

Option D is wrong because the function exists.

1567
Multi-Selecthard

A company experiences a security incident where an IAM user's access key is compromised. Which THREE steps should the DevOps engineer take immediately?

Select 3 answers
A.Review AWS CloudTrail logs for any unauthorized API calls
B.Rotate the access key by creating a new key and deleting the old one
C.Change the IAM user's password
D.Delete the IAM user and recreate it
E.Revoke any temporary security credentials issued to the user
AnswersA, B, E

Investigation is critical to understand the impact.

Why this answer

Options A, C, and D are correct. Rotating the access key invalidates the old key. Revoking temporary credentials ensures no active sessions.

Reviewing CloudTrail logs helps assess the impact. Option B is incorrect because deleting the user is too drastic and not necessary. Option E is incorrect because changing the password does not affect access keys.

1568
MCQeasy

A company wants to ensure that all code changes are reviewed before being merged to the main branch in AWS CodeCommit. Which feature should be enabled?

A.Configure a Lambda function to validate commits and block pushes.
B.Enable branch protection rules on the repository.
C.Create an approval rule template and associate it with the main branch.
D.Use CloudWatch Events to notify when a push occurs.
AnswerC

Approval rules require pull request approvals before merging.

Why this answer

Option D is correct because CodeCommit supports approval rule templates that can require pull request approvals. Option A is wrong because branches are not protected by default; approval rules are needed. Option B is wrong because Lambda triggers can be used but are not the built-in solution.

Option C is wrong because CloudWatch Events can send notifications but not block merges.

1569
MCQeasy

A DevOps engineer needs to deploy a serverless application using AWS CodeDeploy with a Lambda deployment group. The application uses AWS Lambda functions. The engineer wants to shift 10% of traffic to the new version initially, then gradually increase to 100%. Which deployment configuration should be used?

A.CodeDeployDefault.LambdaAllAtOnce
B.CodeDeployDefault.LambdaCanary10Percent5Minutes
C.CodeDeployDefault.LambdaCanary10Percent10Minutes
D.CodeDeployDefault.LambdaLinear10PercentEvery10Minutes
AnswerB

This shifts 10% initially and then the rest after 5 minutes.

Why this answer

Option B is correct because CodeDeployDefault.LambdaCanary10Percent5Minutes shifts 10% traffic initially and then every 5 minutes. Option A is wrong because it shifts all at once. Option C is wrong because it shifts 10% then every 10 minutes.

Option D is wrong because it shifts linearly over 10 minutes.

1570
MCQeasy

Refer to the exhibit. A team uses this buildspec.yml in AWS CodeBuild. The build fails because the 'dist' directory does not exist after the build phase. What is the most likely cause?

A.The build command outputs to a 'build' directory, but the artifacts base-directory is set to 'dist'.
B.The buildspec version is incorrect.
C.The Python runtime version 3.8 is not available in CodeBuild.
D.The requirements.txt file is missing from the source code.
AnswerA

Mismatch between output directory and artifacts base-directory.

Why this answer

Option B is correct. The 'python setup.py build' command typically outputs to a 'build' directory, not 'dist'. The artifacts base-directory should match the actual output directory.

Option A is wrong because runtime version is correct. Option C is wrong because requirements.txt is not related to output directory. Option D is wrong because the version field is fine.

1571
MCQmedium

A company runs a serverless application using AWS Lambda and Amazon API Gateway. The application processes user uploads to an S3 bucket. The operations team uses CloudWatch Logs for monitoring, but they are finding it difficult to correlate logs across multiple Lambda functions that handle different parts of the workflow. The team wants to trace requests as they flow through the application and identify bottlenecks or errors. The team has already enabled CloudWatch Logs for all Lambda functions. What should the team do to achieve end-to-end request tracing?

A.Use CloudWatch Contributor Insights to analyze the log data and identify the top contributors to latency.
B.Use AWS CloudTrail to log all API calls and correlate them with CloudWatch Logs.
C.Create a CloudWatch ServiceLens service map to visualize the application components.
D.Enable AWS X-Ray on the Lambda functions and API Gateway to trace requests end-to-end.
AnswerD

X-Ray provides distributed tracing to follow requests through services.

Why this answer

Option C is correct because AWS X-Ray provides end-to-end tracing and integrates with Lambda and API Gateway. Option A is wrong because CloudWatch Contributor Insights analyzes top contributors but does not trace requests across services. Option B is wrong because CloudWatch ServiceLens provides service maps but relies on X-Ray for tracing.

Option D is wrong because CloudTrail logs API calls, not application-level tracing.

1572
MCQeasy

A company uses AWS CodeDeploy with a blue/green deployment configuration. The engineer wants to automatically roll back the deployment if the new instances fail the health check for 5 minutes. Which setting should the engineer configure?

A.Create a CloudWatch alarm that monitors the health check endpoint
B.Configure the deployment group to roll back when a CloudWatch alarm is triggered
C.Set the Auto Scaling group health check grace period to 5 minutes
D.Set the deployment configuration's 'timeout' to 5 minutes
AnswerB

CodeDeploy can roll back based on CloudWatch alarms.

Why this answer

Option B is correct because CodeDeploy blue/green deployments can automatically roll back based on CloudWatch alarms. Option A is incorrect because creating an alarm alone does not trigger rollback; CodeDeploy must be configured to use it. Option C is incorrect because Auto Scaling group health checks are separate.

Option D is incorrect because CodeDeploy does not have a built-in timeout for health checks; it uses alarms.

1573
MCQeasy

A developer wants to automatically run unit tests when a pull request is created in AWS CodeCommit. Which AWS service should be used to trigger the tests?

A.AWS CodePipeline with source polling.
B.AWS CodeBuild with webhooks from CodeCommit.
C.AWS CloudWatch Logs subscription filter for repository logs.
D.Amazon EventBridge rule for CodeCommit pull request state changes targeting AWS Lambda.
AnswerD

EventBridge can capture pull request events and invoke Lambda.

Why this answer

CodeCommit can trigger Amazon EventBridge events on pull request creation, which can invoke a Lambda function to run tests. Option C is correct.

1574
MCQmedium

A company runs a stateful application on EC2 instances. The application stores session data locally. The instances are behind an ALB with sticky sessions enabled. A scaling event terminates an instance, causing loss of session data. How can the company prevent this while maintaining performance?

A.Use Amazon ElastiCache to store session data
B.Use a dedicated EC2 instance for sessions
C.Disable sticky sessions
D.Increase the sticky session duration
AnswerA

ElastiCache provides a resilient, high-performance session store.

Why this answer

Using ElastiCache for session storage externalizes session data, making it resilient to instance termination.

1575
MCQeasy

A DevOps engineer is using AWS CloudFormation to deploy a stack that includes a VPC with public and private subnets. The engineer wants to ensure that the public subnets automatically get a public IP address assigned to instances launched in them. Which property should be set?

A.EnableDnsSupport on the VPC
B.MapPublicIpOnLaunch on the subnet
C.EnableDnsHostnames on the VPC
D.AssociatePublicIpAddress on the instance
AnswerB

MapPublicIpOnLaunch automatically assigns public IPs to instances in the subnet.

Why this answer

Option D is correct because MapPublicIpOnLaunch set to true allows public IP assignment. Option A (AssociatePublicIpAddress) is not a subnet property. Option B (EnableDnsHostnames) is for VPC DNS.

Option C (EnableDnsSupport) is also for VPC DNS.

Page 20

Page 21 of 24

Page 22