AWS Certified DevOps Engineer Professional (DOP-C02) — Questions 1651–1725

1740 questions total · 24 pages · All types, answers revealed

Page 23 of 24

Page 24
1651 · MCQ · medium

A company uses AWS Elastic Beanstalk for a web application. The DevOps engineer needs to ensure that environment configuration changes (e.g., instance type, environment variables) are version-controlled and can be rolled back quickly. Which approach should they use?

A.Use Elastic Beanstalk saved configurations stored in source control.
B.Manually update the environment configuration through the Elastic Beanstalk console.
C.Use the AWS CLI to apply configuration changes from a script.
D.Use AWS CloudFormation to manage the Elastic Beanstalk environment.
Answer: A

Saved configurations can be versioned and applied to environments for rollback.

Why this answer

Option A is correct because Elastic Beanstalk saved configurations capture an environment's option settings (instance type, environment properties, scaling settings and so on) as a YAML document that can be committed to source control, applied to an environment, and re-applied to roll back. Option B is wrong because manual console changes leave no versioned record. Option C is wrong because CLI commands run from a script are only versioned if the script and its inputs are, and they do not produce a one-step rollback artifact.

Option D is wrong in the key's framing because CloudFormation manages the environment as a resource rather than through Elastic Beanstalk's own configuration artifact. In practice, option settings in a CloudFormation template are also version-controlled, so the distinguishing point is that saved configurations are the Elastic Beanstalk-native mechanism.

1652 · MCQ · hard

A company uses Amazon RDS for MySQL with Multi-AZ deployment. During an incident, the primary DB instance becomes unreachable. The failover to the standby instance succeeds, but application connections are failing with 'Access denied for user'. What is the most likely cause?

A.The DNS CNAME for the RDS endpoint has not propagated to the application's DNS resolver
B.The standby instance has a different storage configuration than the primary
C.The application is using the old master user credentials that were changed on the primary but not replicated to the standby
D.The security group for the RDS instance does not allow inbound traffic from the application's new IP address
Answer: C

'Access denied' is an authentication failure at the database, so the credentials the application presents no longer match what the database expects.

Why this answer

Option C is the key's answer: a failover changes only where the endpoint's DNS name points, so a login failure immediately afterwards points to a credential mismatch, typically an application that still holds an old password (cached at startup, or read from a secret that was not updated). Note that a Multi-AZ standby is a synchronous replica of the primary's storage, so database user accounts and passwords are identical on both instances; read the answer as 'the credentials the application holds are wrong', not as a replication gap. Option A is wrong because a stale DNS answer causes connection failures or connections to the unreachable old host, not an authentication error. Option D is wrong because a security group that blocked the client would produce a connection timeout, not 'Access denied'.

Option B is wrong because the standby is provisioned with the same storage configuration as the primary.

1653 · MCQ · medium

A company is running a web application on Amazon EC2 instances behind an Application Load Balancer. The application is experiencing intermittent errors. The DevOps engineer needs to identify if the errors are caused by the application or the underlying infrastructure. Which solution provides the MOST detailed visibility into the application's behavior?

A.Enable VPC Flow Logs and analyze traffic patterns
B.Enable AWS CloudTrail and monitor for API errors
C.Instrument the application with AWS X-Ray SDK and analyze traces
D.Enable detailed CloudWatch metrics on the EC2 instances and ALB
Answer: C

X-Ray provides end-to-end tracing to pinpoint where errors occur in the application.

Why this answer

Option C is correct because the X-Ray SDK records a segment for each request and subsegments for downstream calls (database queries, HTTP clients, AWS SDK calls), so a trace shows which hop returned the error and how long each one took. Option A is wrong because VPC Flow Logs record accepted and rejected network flows (addresses, ports, byte counts), not application behaviour. Option B is wrong because CloudTrail records control-plane API calls, not request handling inside the application.

Option D is wrong because CloudWatch metrics are aggregates per instance or load balancer (request counts, 5XX counts, latency percentiles); they can show that errors occur but not where in a request they originate.

1654 · MCQ · hard

A company uses AWS Lambda functions to process S3 events. After a recent deployment, some functions fail with timeout errors. The engineer needs to implement a solution that automatically captures and stores the function's input payload for all failed invocations without modifying the Lambda code. Which approach meets these requirements?

A.Enable CloudWatch Logs Insights on the Lambda function's log group.
B.Use CloudWatch Events to capture Lambda invocation errors.
C.Configure a dead-letter queue (DLQ) for the Lambda function.
D.Use AWS Lambda Destinations with a failure destination pointing to an SQS queue.
Answer: D

Lambda Destinations send invocation records with payload for failed async invocations.

Why this answer

Option D is correct because an asynchronous-invocation failure destination delivers an invocation record to SQS, SNS, another Lambda function or EventBridge once retries are exhausted; the record includes the original request payload, the error response and the request context (request ID, invoke count), and it is configured on the function rather than in its code. Option A is wrong because Logs Insights only queries what the function already wrote to its log group, and a function that times out writes nothing about its input unless the code logged it. Option B is wrong because the CloudWatch Events (EventBridge) Lambda events and metrics carry error counts, not the event payload.

Option C is a weaker answer rather than an outright wrong one: S3 notifications invoke Lambda asynchronously, so a dead-letter queue would also receive the event of each failed invocation. The difference is that a DLQ carries only the original event, while a failure destination also records the error and response context, and AWS recommends destinations over DLQs for new configurations.
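The consumer side of the answer, as an added example that is not part of the question bank or AWS's code: a small parser for the invocation record a failure destination drops into SQS, which recovers the original S3 event for replay and groups failures by error type. The record layout (version, requestContext, requestPayload, responseContext, responsePayload) is the documented destination record format; the SQS message, ARNs, request IDs and bucket name below are constructed for the example.

```python
"""Parse Lambda failure-destination records delivered to SQS and recover the
original S3 event. Added illustration; the sample message is constructed."""
import json
from urllib.parse import unquote_plus

# Constructed sample: one SQS message whose body is a Lambda failure destination record.
SAMPLE_SQS_MESSAGE = {
    "messageId": "11111111-2222-3333-4444-555555555555",  # assumed value
    "body": json.dumps({
        "version": "1.0",
        "timestamp": "2024-05-01T12:00:00.000Z",
        "requestContext": {
            "requestId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
            "functionArn": "arn:aws:lambda:us-east-1:111122223333:function:process-upload:$LATEST",
            "condition": "RetriesExhausted",
            "approximateInvokeCount": 3,
        },
        "requestPayload": {  # the S3 event exactly as Lambda received it
            "Records": [{
                "eventSource": "aws:s3",
                "eventName": "ObjectCreated:Put",
                "s3": {
                    "bucket": {"name": "example-uploads"},
                    "object": {"key": "incoming/report+2024.csv", "size": 10485760},
                },
            }]
        },
        "responseContext": {"statusCode": 200, "executedVersion": "$LATEST", "functionError": "Unhandled"},
        "responsePayload": {
            "errorType": "Sandbox.Timedout",
            "errorMessage": "RequestId: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee Error: Task timed out after 3.00 seconds",
        },
    }),
}


def parse_failure_record(body: str) -> dict:
    """Extract what an on-call engineer needs from one destination record."""
    record = json.loads(body)
    if record.get("version") != "1.0":
        raise ValueError(f"unexpected record version: {record.get('version')!r}")
    ctx = record["requestContext"]
    resp = record.get("responseContext") or {}
    payload = record.get("responsePayload") or {}
    # S3 object keys in event notifications are URL-encoded; decode before reusing them.
    objects = [
        (r["s3"]["bucket"]["name"], unquote_plus(r["s3"]["object"]["key"]))
        for r in record.get("requestPayload", {}).get("Records", [])
        if r.get("eventSource") == "aws:s3"
    ]
    return {
        "request_id": ctx["requestId"],
        "function_arn": ctx["functionArn"],
        "condition": ctx["condition"],  # RetriesExhausted or EventAgeExceeded
        "attempts": ctx.get("approximateInvokeCount"),
        "function_error": resp.get("functionError"),
        "error_type": payload.get("errorType"),
        "error_message": payload.get("errorMessage"),
        "s3_objects": objects,
        "original_event": record.get("requestPayload"),  # replay this once the fix ships
    }


def summarize_sqs_messages(messages) -> dict:
    """Group failures by error type so a deployment-wide regression stands out."""
    by_error = {}
    for m in messages:
        parsed = parse_failure_record(m["body"])
        by_error.setdefault(parsed["error_type"], []).append(parsed)
    return by_error


if __name__ == "__main__":
    for err, items in summarize_sqs_messages([SAMPLE_SQS_MESSAGE]).items():
        print(err, [p["s3_objects"] for p in items])
```

Keep the undecoded `original_event` for replay (re-invoking the function with it), and use the decoded key only for human-facing reports; a key containing `+` or `%` will otherwise be looked up under the wrong name.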

1655 · MCQ · hard

A company uses AWS Secrets Manager to rotate secrets for an RDS database. The rotation Lambda function fails with a timeout error. Which configuration change is MOST likely to resolve the issue?

A.Increase the Lambda function timeout.
B.Increase the Lambda function memory.
C.Place the Lambda function in the same VPC as the RDS instance.
D.Configure the Lambda function to retry on failure.
Answer: A

A longer timeout can prevent timeout errors.

Why this answer

The Lambda function is timing out during the secret rotation process, which involves connecting to the RDS database, generating a new password, and updating the secret. Increasing the Lambda function timeout directly addresses the symptom by allowing more time for the rotation to complete, especially if the database response is slow or the network latency is high. This is the most direct fix for a timeout error, as the default Lambda timeout (3 seconds) is often insufficient for database operations.

Exam trap

The trap here is that candidates read a timeout error as a connectivity problem and choose to move the function into the VPC. In the question's framing the function already has the network path it needs, so the timeout value is the direct fix. In practice, verify the path first: a rotation function that runs inside a VPC needs a route to both the database and the Secrets Manager endpoint (through a NAT gateway or an interface VPC endpoint), and a missing route also surfaces as a 'Task timed out' error because the connection attempt hangs until the function is killed.

How to eliminate wrong answers

Option B is wrong because memory (and the CPU allocated with it) can speed the function up but does not raise the maximum execution time; a function that needs more wall-clock time still times out. Option C is wrong in the question's framing because the function is assumed to already reach the database; if it could not, the fix would be VPC configuration rather than a longer timeout, and the function's logs would show no database response at all rather than a slow one. Option D is wrong because a retry repeats the same step with the same time budget and fails the same way; it does not address the root cause of insufficient execution time.

1656 · Multi-Select · medium

A company uses Amazon CloudFront with an S3 origin. Users in Europe report slow load times. The engineer needs to improve performance for European users. Which TWO actions should the engineer take?

Select 2 answers
A.Add additional price classes to the CloudFront distribution (e.g., Price Class 200).
B.Enable S3 Transfer Acceleration on the origin bucket.
C.Enable CloudFront access logs to identify slow requests.
D.Enable AWS WAF on the CloudFront distribution to block malicious traffic.
E.Enable CloudFront Origin Shield in a European region.
Answers: A, E

The key treats a wider price class as adding edge locations closer to the affected users, and Origin Shield as cutting origin round trips.

Why this answer

Option A is correct in the key's framing: a wider price class enables more edge locations, so requests from the affected users are served from a nearer point of presence. Note that every price class, including Price Class 100, already covers Europe, so in practice widening the class only helps users in regions the current class excludes. Option E is correct because Origin Shield adds a regional caching layer in front of the origin, collapsing duplicate cache misses from many edge locations into a single origin fetch and raising the cache hit ratio; it should sit in the Region nearest the origin, so a European Origin Shield Region is the right choice when the bucket is in Europe. Option B is wrong because S3 Transfer Acceleration speeds up client uploads and downloads against the bucket's own accelerated endpoint; it does not apply to CloudFront origin fetches.

Option C is wrong because access logs help diagnose slow requests but do not make anything faster by themselves. Option D is wrong because AWS WAF filters requests; it adds no caching or routing benefit.

1657 · MCQ · easy

The exhibit shows a CloudFormation stack event. The stack creation failed with 'Resource creation cancelled'. What is the most likely reason for this cancellation?

A.The stack template contains a syntax error.
B.The IAM role used for stack operations lacks permissions.
C.A stack creation timeout was reached.
D.The stack was manually cancelled by a user or an automation script.
Answer: D

'Resource creation cancelled' typically occurs when the stack creation is cancelled manually via the console or CLI.

Why this answer

Option D is correct: 'Resource creation cancelled' is the status reason CloudFormation records when an in-progress resource operation is cancelled rather than failing on its own, which happens when a user or automation cancels the stack operation (a DeleteStack issued while creation is running, or CancelUpdateStack during an update). In practice the same message also appears on resources that were still in progress when another resource in the same stack failed and rollback began; in that case the root cause is the earliest CREATE_FAILED event, not the cancelled one. Option A is wrong because template syntax errors are rejected at validation, before any resource event is recorded. Option B is wrong because a permission failure shows an explicit authorization error in the resource's status reason.

Option C is wrong because a timeout produces a status reason that says the resource timed out (for example a creation policy or wait condition timeout), not 'cancelled'.

1658 · MCQ · medium

A company is migrating a legacy application to AWS. The application requires a shared file system accessible from multiple EC2 instances. The compliance team mandates encryption at rest and in transit, with automatic key rotation. Which storage solution meets these requirements?

A.Amazon EFS with encryption at rest and in transit
B.Amazon S3 with server-side encryption
C.Amazon EBS with encryption enabled
D.Amazon FSx for Windows File Server with encryption
Answer: A

EFS provides a shared file system with encryption at rest (KMS) and in transit, and supports automatic key rotation via KMS.

Why this answer

EFS is a shared NFS file system mountable from many EC2 instances at once; it encrypts data at rest with a KMS key (the AWS managed key, or a customer managed key with automatic rotation enabled) and encrypts data in transit with TLS through the EFS mount helper. S3 is object storage accessed through an API, not a file system that instances mount. FSx for Windows File Server also encrypts at rest with KMS and in transit with SMB encryption, but it is an SMB file system aimed at Windows workloads; the question's POSIX-style shared file system across EC2 instances points to EFS.

EBS is block storage; a volume attaches to one instance (or a small set with Multi-Attach on io1/io2), so it is not a shared file system.

1659 · MCQ · easy

A company uses Amazon Route 53 for DNS and wants to ensure high availability for a web application hosted on two EC2 instances in different Availability Zones. The application uses an Application Load Balancer. What is the simplest way to achieve resilience if one Availability Zone becomes unavailable?

A.Launch both instances in the same Availability Zone.
B.Place the instances in different Availability Zones behind the ALB.
C.Configure Route 53 latency-based routing to each instance.
D.Configure Route 53 failover routing with health checks pointing to each instance.
Answer: B

ALB automatically distributes traffic and detects health, providing resilience.

Why this answer

Option B is correct because placing EC2 instances in different Availability Zones behind an Application Load Balancer (ALB) is the simplest and most effective way to achieve high availability. The ALB automatically distributes traffic across healthy targets in multiple AZs, and if one AZ becomes unavailable, the ALB stops routing requests to instances in that AZ, ensuring continued service from the remaining AZ.

Exam trap

The trap here is that candidates overcomplicate the solution by choosing DNS-level failover (Option D) when the ALB already provides built-in cross-AZ failover, making the simpler architecture the correct answer.

How to eliminate wrong answers

Option A is wrong because launching both instances in the same Availability Zone creates a single point of failure; if that AZ goes down, the application becomes completely unavailable. Option C is wrong because Route 53 latency-based routing directs traffic based on lowest latency, not availability; it does not automatically failover when an AZ becomes unavailable, and it requires additional health check configuration to be effective. Option D is wrong because Route 53 failover routing with health checks is more complex than necessary; the ALB already provides health checks and automatic failover across AZs, making this an overly complicated solution that adds unnecessary DNS-level complexity.

1660 · MCQ · hard

A company is using AWS X-Ray to trace requests through a microservices application. Some traces are incomplete, showing only the root segment without any subsegments. The application uses the X-Ray SDK for Java. What is the most likely cause?

A.The application is missing the x-amzn-trace-id header in incoming requests.
B.The segment document size exceeds the maximum allowed size.
C.The X-Ray daemon is not running on the EC2 instances.
D.The sampling rate is set to a low value, causing many requests to be dropped.
Answer: D

Low sampling rate means fewer requests are traced, leading to incomplete traces.

Why this answer

Option D is the key's answer: with a low sampling rate most requests are not recorded, so few traces appear and a partially sampled request can show a root segment without the downstream detail. Option A is wrong because a missing X-Amzn-Trace-Id header starts a new trace; it does not strip subsegments from one that is recorded. Option B is wrong because an oversize segment document is rejected as a whole rather than trimmed to its root. Option C is wrong because without the daemon the SDK cannot send anything, so no segments would arrive at all, not just the subsegments.

In practice, also check that downstream calls go through the SDK-instrumented clients (the AWS SDK and HTTP client wrappers); subsegments are only emitted for calls the SDK can see.

1661 · Multi-Select · hard

A DevOps engineer is troubleshooting a CloudFormation stack that creates an Auto Scaling group with a launch configuration. The stack creation fails with the error 'Resource handler returned message: "Invalid IAM Instance Profile name" (Service: AutoScaling, Status Code: 400)'. Which TWO are possible causes?

Select 2 answers
A.The IAM instance profile has not been created yet.
B.The launch configuration references a deleted instance profile.
C.The instance profile is in a different AWS account.
D.The instance profile name in the launch configuration is misspelled.
E.The IAM role associated with the instance profile does not have sufficient permissions.
Answers: A, D

The instance profile must exist before being used.

Why this answer

Options A and D are correct: the Auto Scaling API resolves the instance profile by name when the launch configuration is created, so a name that does not resolve, either because the profile has not been created yet (typically a missing DependsOn on the AWS::IAM::InstanceProfile resource in the same template) or because it is misspelled, returns 'Invalid IAM Instance Profile name'. Because IAM is eventually consistent, the error can also appear briefly right after the profile is created. Option B describes a profile deleted after it existed, which produces the same error at launch time but is not the scenario for a stack that is still being created. Option C is wrong because instance profiles are account-scoped; a profile in another account cannot be referenced from this launch configuration by name or by ARN, so it is not a cause of this specific error.

Option E is wrong because an under-permissioned role attached to the profile does not affect creating the launch configuration; it would surface later as AccessDenied errors from software running on the instances.

1662 · MCQ · easy

A company uses AWS CloudFormation to manage infrastructure. During an incident, a stack update fails with the error 'The following resource(s) failed to create: [AWS::RDS::DBInstance]'. Which AWS service should the engineer use to view detailed error messages for the failed resource creation?

A.AWS Config timeline
B.AWS CloudFormation console Events tab
C.AWS Service Catalog
D.AWS CloudTrail event history
Answer: B

CloudFormation events show detailed error messages for failed resources.

Why this answer

Option B is correct because the stack's Events tab (or `aws cloudformation describe-stack-events`) lists every resource status transition with its status reason, which for a CREATE_FAILED AWS::RDS::DBInstance carries the error RDS returned (for example an invalid parameter group or an instance class unavailable in that Availability Zone). Option D (CloudTrail) records the underlying API calls and can confirm what CloudFormation requested, but the stack event is the direct source of the resource's failure reason. Option A (AWS Config) shows configuration history and compliance of resources that exist; it does not record why a creation failed.

Option C (Service Catalog) is for provisioning approved products, not for troubleshooting stack failures.

1663 · MCQ · hard

Refer to the exhibit. A DevOps engineer is troubleshooting an issue where an IAM user is unable to stop an EC2 instance with the tag 'Environment: Development'. The attached IAM policy is shown. Which statement explains the failure?

A.The Deny statement condition incorrectly uses StringNotEquals, which denies all instances except those with the Production tag.
B.The Deny statement includes ec2:StopInstances implicitly because stop is a termination action.
C.The Allow statement only grants ec2:DescribeInstances, not start/stop.
D.The policy does not prevent stopping instances with the Development tag; the failure must be caused by another policy or service control policy.
Answer: D

The policy allows StopInstances on all instances, so the inability to stop is due to another factor.

Why this answer

Option D is correct. The Deny statement applies only to ec2:TerminateInstances, with a StringNotEquals condition on ec2:ResourceTag/Environment that blocks termination of any instance not tagged Production. The Allow statement grants ec2:DescribeInstances, ec2:StartInstances and ec2:StopInstances on all instances, and nothing in the exhibit denies ec2:StopInstances, so this policy permits stopping a Development-tagged instance. The failure therefore comes from something outside the exhibit: another identity policy with an explicit Deny, a permissions boundary, a service control policy on the account, or a session policy on assumed-role credentials.

Option A is wrong because StringNotEquals is the intended condition for a Deny that protects everything except Production, and it is attached to TerminateInstances only. Option B is wrong because IAM never implies one action from another; StopInstances and TerminateInstances are separate actions and must be listed separately. Option C is wrong because the Allow statement grants start and stop as well as describe.

To confirm, run the IAM policy simulator (or `aws iam simulate-principal-policy`) for the user against ec2:StopInstances with the instance ARN and the Environment tag supplied as a context key; the result names the policy that produced the deny.

1664 · MCQ · hard

A DevOps engineer is troubleshooting why an AWS Lambda function is not writing logs to the CloudWatch Logs log group 'MyAppLogs'. The Lambda function's execution role includes the IAM policy shown in the exhibit. What is the MOST likely reason the logs are not being written?

A.The log group is in a different AWS Region.
B.The policy does not grant permission to create the log group or put log events to the log group itself.
C.The policy has an incorrect action name.
D.The policy is missing the 'logs:CreateLogGroup' action.
Answer: B

The Resource element matches only log-stream ARNs, but logs:CreateLogGroup and logs:CreateLogStream are authorized against the log-group ARN.

Why this answer

Option B is correct. CloudWatch Logs authorizes logs:CreateLogGroup and logs:CreateLogStream against the log group's ARN (arn:aws:logs:REGION:ACCOUNT:log-group:MyAppLogs) and logs:PutLogEvents against the log stream's ARN (arn:aws:logs:REGION:ACCOUNT:log-group:MyAppLogs:log-stream:NAME). A Resource element that lists only the log-stream pattern (...:log-group:MyAppLogs:log-stream:*) never matches the group ARN, so the function can neither create the group nor a stream in it and, with no stream, cannot put events. The fix is to list both the log-group ARN and the stream pattern under Resource (the usual shorthand is ...:log-group:MyAppLogs together with ...:log-group:MyAppLogs:*).

Option A is incorrect because the ARN in the policy names the function's own Region. Option C is incorrect because the action names are valid; the Resource is what does not match. Option D is incorrect because logs:CreateLogGroup is already in the Action list; the Resource prevents it from applying.

1665 · MCQ · hard

A DevOps engineer is designing a deployment pipeline for a microservices application on Amazon ECS. The team wants to use blue/green deployments with automatic rollback if CloudWatch alarms are triggered during the deployment. Which combination of services and configurations should the engineer use?

A.Use AWS CodeDeploy with a blue/green deployment configuration on the ECS service, and configure automatic rollback when CloudWatch alarms are breached.
B.Use AWS CloudFormation with a ChangeSet and a custom rollback Lambda function triggered by CloudWatch alarms.
C.Use AWS CodeBuild to run a build that creates a new task definition, then update the ECS service manually, and use CloudWatch alarms to trigger a rollback via a Lambda function.
D.Use Amazon ECS service auto scaling with step scaling policies based on CloudWatch alarms.
Answer: A

CodeDeploy supports blue/green deployments on ECS with automatic rollback based on alarms.

Why this answer

Option A is correct because CodeDeploy's ECS blue/green deployment type provisions the replacement task set behind the load balancer's test or production listener, shifts traffic according to the deployment configuration, and, with automatic rollback enabled on the deployment group's CloudWatch alarms, reverts traffic to the original task set as soon as an alarm enters the ALARM state. Option D is wrong because ECS service auto scaling adjusts task count; it neither ships a new task definition nor reverts one. Option B is wrong because CloudFormation change sets have no built-in traffic shifting or alarm-driven rollback for an ECS service (CloudFormation can watch alarms during a stack update, but that is not a blue/green deployment).

Option C is wrong because CodeBuild produces artifacts; a manual service update plus a hand-written rollback Lambda reinvents what CodeDeploy provides natively, without the controlled traffic shift.

1666 · Multi-Select · easy

A DevOps engineer is troubleshooting a performance issue with an Amazon RDS for MySQL database. The engineer suspects that slow queries are causing high CPU utilization. Which TWO actions can the engineer take to identify the slow queries?

Select 2 answers
A.Create an RDS event subscription for 'low storage' events.
B.Monitor the 'CPUUtilization' metric in CloudWatch.
C.Enable the slow query log and publish it to CloudWatch Logs.
D.Enable Performance Insights to visualize database load and identify top SQL statements.
E.Enable Enhanced Monitoring to view process list and SQL queries.
Answers: C, D

Slow query logs capture queries that exceed a specified time threshold, and sending them to CloudWatch Logs enables querying and analysis.

Why this answer

Options C and D are correct. Option C: enabling the slow query log (slow_query_log=1 with a long_query_time threshold in the parameter group) and publishing it to CloudWatch Logs captures each statement that exceeds the threshold, with its execution time and rows examined, where Logs Insights can aggregate them. Option D: Performance Insights shows database load over time broken down by wait event and by top SQL statement, which identifies the queries consuming the most CPU.

Option E is wrong because Enhanced Monitoring reports OS-level metrics (per-process CPU and memory, file system, network), not SQL text. Option A is wrong because an RDS event subscription notifies about instance events such as failover or low storage, not about queries. Option B is wrong because CPUUtilization confirms the symptom the engineer already suspects and says nothing about which queries cause it.

1667 · MCQ · easy

A Lambda function is timing out. The log above shows a recent invocation. What is the most likely cause?

A.The function is running out of memory.
B.The function is being invoked too frequently.
C.The function is experiencing a cold start.
D.The function timeout is set too low.
Answer: D

The duration is 3000 ms, which is the default timeout.

Why this answer

Option D is correct because the REPORT line shows the invocation running to 3000 ms, which is the default 3-second timeout, and the log states that the task timed out; the function needs a longer timeout or less work per invocation. Option A is wrong because max memory used is 64 MB of the 128 MB configured, so there is no memory pressure (an out-of-memory failure shows memory used at the limit and a runtime exit error).

Option B is wrong because a single invocation is shown, so invocation rate or throttling is not in evidence. Option C is wrong because the init duration is normal, and a cold start adds startup latency rather than making the handler exceed its timeout on its own.

1668 · MCQ · hard

A company has a Lambda function that processes sensitive data and needs to access an RDS database. The security team requires that the database credentials are automatically rotated every 30 days. Which service should be used to store and rotate the credentials?

A.AWS Secrets Manager
B.AWS Systems Manager Parameter Store
C.Amazon DynamoDB
D.AWS IAM roles
Answer: A

Secrets Manager provides automatic rotation of credentials.

Why this answer

AWS Secrets Manager is the correct choice because it is specifically designed to securely store, manage, and automatically rotate database credentials for services like RDS. It supports native, built-in rotation for Amazon RDS (MySQL, PostgreSQL, Oracle, SQL Server, and MariaDB) without requiring custom Lambda functions. The automatic rotation can be scheduled at a desired interval (e.g., every 30 days) using a rotation schedule defined in the secret's configuration, and it integrates directly with RDS to update the credentials on both the secret and the database.

Exam trap

The trap here is that candidates often confuse AWS Systems Manager Parameter Store with Secrets Manager because both can store secrets, but Parameter Store lacks native automatic rotation and RDS integration, making it unsuitable for the 30-day rotation requirement.

How to eliminate wrong answers

Option B is wrong because AWS Systems Manager Parameter Store does not support automatic rotation of credentials; it is a hierarchical store for configuration data and secrets but requires custom automation (e.g., a Lambda function) to rotate values, and it lacks native integration with RDS for credential rotation. Option C is wrong because Amazon DynamoDB is a NoSQL database service, not a secrets management service; it cannot natively store or rotate credentials, and using it would require building custom encryption and rotation logic, violating the security team's requirement for automated rotation. Option D is wrong because AWS IAM roles are used to grant permissions to AWS resources (e.g., Lambda to access RDS) but cannot store or rotate database credentials; IAM roles provide temporary credentials for AWS API calls, not for database user passwords, and RDS database authentication via IAM is possible but does not involve storing or rotating static credentials.

1669 · MCQ · medium

A team uses AWS CodePipeline with a multi-branch strategy. They want to run different build projects based on the branch name: 'main' triggers a production build, 'develop' triggers a staging build, and feature branches trigger a test build. Which CodePipeline feature should they use?

A.Use AWS Lambda to dynamically change the pipeline definition.
B.Create separate pipelines for each branch and use tags.
C.Configure the source action with a branch filter using a regular expression.
D.Use a manual approval action to select the branch.
Answer: C

CodePipeline (pipeline type V2) supports Git-based triggers whose push filters include or exclude branch name patterns, so the source action fires only for matching branches.

Why this answer

Option C is correct: define the source trigger with a branch filter so that a pipeline runs only for the branch pattern it is responsible for. Note that these filters apply to connection-based source actions (CodeStar Connections to GitHub, Bitbucket and GitLab) on V2 pipelines; a classic CodeCommit source action watches a single named branch. Option A is wrong because rewriting the pipeline definition from Lambda on every push is fragile and is not a CodePipeline feature. Option B is wrong because separate pipelines plus tags is an organisational convention, not a routing mechanism; tags do not affect what triggers a run.

Option D is wrong because a manual approval action pauses a pipeline for a human decision; it cannot select a branch.

1670 · MCQ · hard

A company manages a fleet of EC2 instances using AWS Systems Manager State Manager. They have a State Manager association that ensures a specific software package is installed on all instances. Recently, they noticed that some instances are reporting the association as 'Success' even though the software is not installed. The association uses a custom document that runs a script to install the package. The engineer checks the association execution history and sees that the script exited with code 0 on those instances. What is the most likely cause?

A.The association is not targeting those instances.
B.The instances are not configured to send compliance data to Systems Manager.
C.The instances do not have the SSM Agent installed.
D.The script does not check the exit code of the installation command and always returns 0.
Answer: D

If the script doesn't propagate failure exit codes, State Manager sees success.

Why this answer

Option D is correct because State Manager judges the association by the document's exit status: a script that calls the package installer and then runs further commands (or ends with `exit 0`) returns 0 regardless of whether the install succeeded, so the association is reported as Success. The fix is to make the script fail when the installer fails (for example `set -e` in a shell script, or checking the installer's return code and exiting non-zero) and, ideally, to verify that the package is present before exiting. Option B is wrong because compliance reporting is derived from the same association status; it is not a separate channel that could have been missed. Option A is wrong because the instances did run the association, as the execution history shows.

Option C is wrong because without SSM Agent the instances could not have executed the script or reported an exit code at all.

1671 · Multi-Select · hard

Which TWO metrics should be monitored in Amazon CloudWatch to detect a potential memory leak in an EC2 instance? (Choose two.)

Select 2 answers
A.DiskReadOps
B.MemoryUtilization (custom metric published via CloudWatch Agent).
C.NetworkIn
D.SwapUsage (custom metric published via CloudWatch Agent).
E.CPUUtilization
Answers: B, D

Directly measures memory usage.

Why this answer

MemoryUtilization (mem_used_percent in the CloudWatch agent's configuration) is a custom metric that must be published by the agent because the EC2 hypervisor cannot see guest memory, so EC2 exposes no memory metrics by default. A steady upward trend that does not return to baseline after requests or batch jobs complete is the classic signature of a leak. SwapUsage (swap_used_percent) complements it: once the leaking process exhausts physical memory the OS starts paging, so rising swap usage corroborates the memory pressure and usually precedes OOM kills. DiskReadOps, NetworkIn and CPUUtilization are indirect at best; a leak can raise CPU through garbage collection or disk reads through paging, but neither measures memory.

Exam trap

The trap here is that candidates assume EC2 provides memory metrics by default (like CPUUtilization), but they must be explicitly enabled via the CloudWatch Agent, and they overlook SwapUsage as a complementary indicator of memory pressure from a leak.

1672 · MCQ · medium

Refer to the exhibit. A DevOps engineer runs the AWS CLI command to list deployments for an application. The output shows only 2 deployments, but the team knows there are more. How can the engineer retrieve the remaining deployments?

A.Use the --starting-token parameter with the value 'abc123' from the output.
B.Increase the --max-items value to a larger number.
C.Run the command without --max-items to get all deployments.
D.Use the --no-paginate option.
Answer: A

The nextToken should be used as the starting-token to get the next page.

Why this answer

The output includes a NextToken, which means the CLI stopped at the --max-items limit and more results exist. Passing that token as --starting-token on the next call resumes from where the previous page ended; repeat until no NextToken is returned. Raising --max-items (B) changes the page size but restarts from the beginning, and running without --max-items (C) lets the CLI auto-paginate the whole list from the start rather than continuing from the current position, so neither is the answer to 'retrieve the remaining deployments'. --no-paginate (D) disables the CLI's automatic pagination and returns a single service page, so it fetches less, not more.

1673 · Drag & Drop · medium

Drag and drop the steps to set up an AWS CloudFormation stack with a nested stack.


Why this order

First upload the nested stack template to S3 (the parent references it by URL in an AWS::CloudFormation::Stack resource), then write the parent template, validate it (aws cloudformation validate-template), create the parent stack, and monitor the events of both the parent and the nested stack.

1674 · MCQ · easy

A company wants to ensure its data in Amazon S3 is protected against accidental deletion. The bucket stores critical documents. Which approach provides the HIGHEST level of resilience?

A.Apply a bucket policy that denies s3:DeleteObject for all users.
B.Enable S3 lifecycle policies to archive objects to Glacier.
C.Enable versioning and MFA delete on the bucket.
D.Configure cross-region replication (CRR) to another bucket.
Answer: C

Versioning allows recovery of deleted objects, and MFA delete adds extra protection.

Why this answer

Option C is correct because versioning keeps every version of an object, so a delete only adds a delete marker that can be removed to restore the object, and MFA Delete requires an MFA code to permanently delete a version or to suspend versioning, which stops a single compromised credential from wiping the history. Option B is wrong because a lifecycle transition to Glacier changes the storage class; it does nothing to protect against deletion. Option D is wrong because replication produces a second copy that can also be deleted (and delete marker replication can be enabled), so it addresses Regional failure rather than accidental deletion.

Option A is wrong because a bucket policy is access control that an administrator can remove in one call, and it offers no recovery once an object is gone. For a stronger guarantee than the options list, S3 Object Lock in compliance mode makes versions undeletable for a retention period by any principal, including the root user.

1675 · Multi-Select · easy

A DevOps engineer needs to collect and analyze logs from multiple AWS services, including EC2, Lambda, and API Gateway. The logs must be stored in a central location for long-term retention and analyzed using SQL queries. Which TWO services should be combined to achieve this? (Choose TWO.)

Select 2 answers
A.AWS CloudTrail
B.Amazon CloudWatch Logs
C.Amazon Kinesis Data Firehose
D.Amazon SQS
E.Amazon Athena
Answers: B, E

CloudWatch Logs can aggregate logs from many services.

Why this answer

Correct options: B and E. Option B: CloudWatch Logs is the common sink for EC2 (via the CloudWatch agent), Lambda (automatically) and API Gateway (execution and access logs), and log groups can be exported or subscribed to S3 for long-term retention. Option E: with the exported logs in S3, Athena runs SQL over them through a table defined in the Glue Data Catalog.

Option A is wrong because CloudTrail records API activity, not application logs. Option C is wrong because Kinesis Data Firehose is a delivery stream that can move logs from CloudWatch Logs into S3, but it is a transport, not a query engine. Option D is wrong because SQS is a message queue with short retention, not a log store.

1676 · MCQ · hard

A company runs a multi-account AWS environment using AWS Organizations. The security team needs to enforce that all S3 buckets across all accounts are encrypted with AES-256 (SSE-S3) and that public access is blocked. The team wants to use a preventive control that automatically remediates non-compliant buckets. Which solution should the security team implement?

A.Create a Service Control Policy (SCP) that denies s3:PutBucketPublicAccessBlock and s3:PutBucketEncryption if the bucket is not configured correctly.
B.Enable CloudTrail to log all S3 API calls and set up a CloudWatch Events rule to notify the security team.
C.Use AWS Identity and Access Management (IAM) policies to deny access to S3 buckets that do not have encryption enabled.
D.Use AWS Config rules to detect non-compliant buckets and trigger a Lambda function to remediate.
Answer: A

SCPs are preventive controls that block non-compliant actions before they happen.

Why this answer

Option A is correct in the key's framing because an SCP is a preventive guardrail applied at the organization or OU level: it denies the S3 actions that would create or reconfigure a bucket into a non-compliant state before they succeed, and no account administrator can override it. Note that the question's wording mixes two control types: an SCP prevents but never remediates an existing bucket, whereas Config auto-remediation fixes after the fact. Option D is wrong because AWS Config rules are detective; remediation through a Lambda function or Systems Manager Automation runs after the non-compliant change has already happened.

Option B is wrong because CloudTrail plus a notification rule only records and alerts; it enforces nothing. Option C is wrong because IAM policies live in each account and can be edited by that account's administrators, so they cannot enforce a standard across an organization the way an SCP does. In practice, write the SCP to deny the actions that would weaken the controls (changing the account-level Block Public Access setting, deleting a bucket's encryption configuration) rather than conditioning on a bucket's current state, which an SCP cannot inspect; since January 2023, SSE-S3 is applied to all new objects by default.

1677
MCQhard

A company's production environment consists of EC2 instances in an Auto Scaling group behind an Application Load Balancer (ALB). The instances run a web application that stores session data in an ElastiCache Redis cluster. The company has enabled detailed CloudWatch metrics and set up a dashboard. The operations team notices that the average CPU utilization across the Auto Scaling group spikes to 95% every 15 minutes, coinciding with a high number of Redis connections. What is the MOST likely cause?

A.The application is using Memcached instead of Redis, causing increased load.
B.The Auto Scaling group's scaling policy is based on memory utilization instead of CPU.
C.The ALB has session stickiness enabled, causing traffic to be routed to the same instances.
D.The ElastiCache cluster is not large enough to handle the number of requests.
AnswerC

Stickiness can overload specific instances.

Why this answer

Option C is correct because ALB session stickiness pins each client to one target, so returning clients land on the same instances instead of being spread across the group; the periodic CPU spike and the matching surge in Redis connections point to those hot instances. Option A is wrong because the application uses Redis, and the choice of cache engine does not produce a spike every 15 minutes. Option B is wrong because the scaling policy's metric affects how the group grows, not how the ALB distributes requests, and would not create a periodic pattern.

Option D is wrong because an undersized cache would show up as elevated latency or evictions on the Redis side, not as a regular 15-minute CPU spike on the instances.

1678
MCQmedium

A company uses Terraform with an S3 backend to manage infrastructure. The DevOps engineer notices that after a colleague runs 'terraform apply' locally, the state file in S3 becomes corrupted and subsequent runs fail. What is the BEST way to prevent this issue?

A.Store the state file locally and commit it to version control.
B.Use DynamoDB for state locking and enable consistency checks.
C.Use S3 server-side encryption to protect the state file.
D.Enable S3 versioning on the state bucket to recover previous versions.
AnswerB

Prevents concurrent modifications that cause corruption.

Why this answer

Option B is correct because configuring a DynamoDB table (with a string partition key named LockID) for state locking makes Terraform acquire a lock before it reads or writes the state, so a colleague and a CI run cannot apply at the same time and interleave writes, which is what corrupts the file. Option D is wrong because S3 versioning is recovery, not prevention: it lets you restore the last good state after the damage is done and is worth enabling alongside locking, but it does not stop the race. Option C is wrong because encryption protects the confidentiality of the state (which holds secrets in plain text) and does nothing about concurrent writes.

Option A is wrong because a local state file committed to version control loses locking entirely, invites merge conflicts, and puts secrets in the repository. Newer Terraform releases (1.10 and later) can also lock natively in S3 with use_lockfile = true; the exam still expects the DynamoDB answer.

1679
MCQeasy

A company uses AWS CodeBuild to compile a Java application. The build specification includes a pre-build phase to download dependencies. Which file defines the commands for each build phase?

A.pipeline.json
B.buildspec.yml
C.config.xml
D.appspec.yml
AnswerB

buildspec.yml defines build phases for CodeBuild.

Why this answer

In AWS CodeBuild, the build specification file named 'buildspec.yml' defines the commands that CodeBuild runs during each phase of the build process, including the pre-build phase for downloading dependencies. This YAML file is placed in the root of the source code or specified in the build project configuration, and it contains structured sections for install, pre_build, build, and post_build phases. Option B is correct because buildspec.yml is the standard file that CodeBuild uses to orchestrate build commands.

Exam trap

The trap here is that candidates often confuse the build specification file for CodeBuild (buildspec.yml) with the deployment specification file for CodeDeploy (appspec.yml), especially since both services are part of the AWS CI/CD pipeline and have similar naming patterns.

How to eliminate wrong answers

Option A is wrong because pipeline.json is not a file used by AWS CodeBuild; it is associated with AWS CodePipeline for defining pipeline stages and actions, not for specifying build phase commands. Option C is wrong because config.xml is a configuration file commonly used by Jenkins (a different CI/CD tool) for job configuration, not by AWS CodeBuild. Option D is wrong because appspec.yml is used by AWS CodeDeploy to define deployment lifecycle hooks and file mappings, not for CodeBuild build phases.

1680
MCQhard

A company has a multi-account strategy using AWS Organizations. The security team needs to respond to incidents across all accounts. They want to ensure that all CloudTrail trails are enabled and logging to a central S3 bucket in the management account. What is the MOST efficient way to monitor compliance?

A.Create a CloudTrail organization trail and use CloudTrail Insights to detect configuration changes.
B.Use AWS Config conformance packs with a managed rule to check CloudTrail is enabled.
C.Set up CloudWatch Events rules in each account to detect trail disabling.
D.Use AWS Trusted Advisor to check CloudTrail configuration in each account.
AnswerB

Conformance packs can be applied to all accounts in the organization.

Why this answer

Option B is correct because AWS Config conformance packs bundle rules such as the managed cloudtrail-enabled and multi-region-cloudtrail-enabled rules and can be deployed as an organization conformance pack from the management account or a delegated administrator, so every account is evaluated from one place and results roll up to the Config aggregator. Option D is wrong because Trusted Advisor checks are per account and do not give an organization-wide compliance view of CloudTrail. Option A is wrong because an organization trail is the right way to collect logs centrally, but CloudTrail Insights detects unusual API call volumes, not changes to trail configuration.

Option C is wrong because per-account CloudWatch Events (EventBridge) rules work but must be created and maintained in every account; Config is more efficient.

1681
MCQeasy

Refer to the exhibit. A DevOps engineer attaches the IAM policy to an IAM user. The user reports being unable to download objects from the S3 bucket. What is the likely cause?

A.The bucket policy denies access to the user
B.The policy is malformed because the Resource element is incorrect
C.The policy does not allow s3:ListBucket, which is required for the AWS CLI to list objects
D.The user's access key is expired
AnswerC

Commands that enumerate keys, such as aws s3 ls, aws s3 sync and aws s3 cp with --recursive, call ListBucket on the bucket before they call GetObject on the objects.

Why this answer

The policy in the exhibit grants only s3:GetObject on the object ARN (arn:aws:s3:::bucket/*). That is enough to fetch a single object by its exact key, but the CLI commands that enumerate a prefix (aws s3 ls, aws s3 sync, aws s3 cp --recursive) first call ListBucket, which must be allowed on the bucket ARN itself (arn:aws:s3:::bucket, without the /*). A side effect worth knowing: without ListBucket, a GetObject on a key that does not exist returns 403 instead of 404, so a typo in the key looks like a permission problem. Option A is wrong because nothing in the exhibit shows a bucket policy, and an explicit Deny there would block GetObject as well as listing. Option B is wrong because the policy is syntactically valid; the object-level Resource is correct for GetObject.

Option D is wrong because IAM access keys do not expire on their own, and an inactive or deleted key fails at the request signature stage for every call, not only when listing.

1682
MCQmedium

A company uses AWS CodePipeline to deploy a Node.js application to AWS Elastic Beanstalk. The pipeline includes a build stage using AWS CodeBuild. Developers notice that the deployed application occasionally crashes due to missing environment variables that were configured in the Elastic Beanstalk environment but not passed from CodeBuild. What is the MOST efficient way to ensure the environment variables are consistently applied?

A.Define environment variables in the source code using .ebextensions configuration files.
B.Update the environment variables manually in the Elastic Beanstalk console after each deployment.
C.Use the aws elasticbeanstalk update-environment CLI command after the pipeline completes.
D.Store environment variables in AWS Systems Manager Parameter Store and have the application retrieve them at runtime.
AnswerA

.ebextensions files are processed during deployment, ensuring consistency.

Why this answer

Option A is correct because .ebextensions configuration files let you declare environment variables (option_settings under the aws:elasticbeanstalk:application:environment namespace) in the source bundle, so they are applied on every deployment that CodePipeline performs, versioned with the code, and rolled back with it. This removes the dependency on manual or post-deployment steps, because Elastic Beanstalk reads these files during environment creation and every update. One caveat: anything placed in .ebextensions is committed with the code, so keep it to non-secret configuration and leave credentials in Parameter Store or Secrets Manager.

Exam trap

The trap here is that candidates often assume runtime parameter retrieval (e.g., from Parameter Store or Secrets Manager) is the best practice for all scenarios, but for environment variables required at process startup in Elastic Beanstalk, .ebextensions provide a more reliable and simpler solution that avoids application code changes and ensures variables are set before the application runs.

How to eliminate wrong answers

Option B is wrong because manually updating environment variables in the Elastic Beanstalk console after each deployment is error-prone, not scalable, and violates the principle of infrastructure as code, leading to configuration drift. Option C is wrong because using the aws elasticbeanstalk update-environment CLI command after the pipeline completes introduces an extra post-deployment step that can fail or be forgotten, and it does not tie the variables to the source code version, making rollbacks inconsistent. Option D is wrong because while Parameter Store can be used for runtime retrieval, it requires application code changes to fetch variables at startup, adds latency, and does not guarantee the variables are present during the Elastic Beanstalk environment initialization, potentially causing crashes before the application code runs.

1683
Multi-Selectmedium

A company uses AWS CodePipeline with a source stage from Amazon S3 and a deploy stage to AWS Elastic Beanstalk. The pipeline has been working for months, but recently the deploy stage started failing with the error 'The S3 object does not exist.' The source artifact is uploaded to the S3 bucket by an external system. Which TWO actions should be taken to resolve this issue? (Choose TWO.)

Select 2 answers
A.Ensure the external system does not overwrite the object after the pipeline execution starts.
B.Change the source stage to use AWS CodeCommit instead of S3.
C.Enable versioning on the S3 bucket and configure the pipeline to use the specific version ID.
D.Use server-side encryption with AWS KMS (SSE-KMS) on the S3 bucket.
E.Increase the timeout for the deploy stage in the pipeline.
AnswersA, C

Preventing overwrites ensures the object remains available.

Why this answer

Option A is correct because the deploy stage fails with 'The S3 object does not exist' when the external system overwrites the source artifact after the pipeline execution has started. CodePipeline resolves the object when the execution is triggered; if the object is replaced (deleted and re-uploaded under the same key) before a later stage fetches it, and the bucket keeps no prior versions, the pipeline tries to download a version that no longer exists. Making the external system upload atomically and not rewrite the object during an execution removes the race. Option C is correct because CodePipeline's S3 source action requires versioning on the bucket and records the version ID of the object that started the execution; later stages fetch that exact version, so an overwrite produces a new version instead of removing the one in flight. Option B is wrong because it replaces the integration instead of fixing it. Option D is wrong because encryption does not affect object existence; a KMS permission problem fails with an access denied error. Option E is wrong because the object is already gone; waiting longer does not bring it back.

Exam trap

The trap here is that candidates often assume the error is due to a permission or encryption issue (like SSE-KMS) rather than recognizing it as a classic race condition caused by object overwriting in a non-versioned bucket.

1684
MCQhard

A large enterprise uses AWS Systems Manager to manage configuration drift on thousands of EC2 instances. The compliance team requires that instances must have a specific security configuration enforced by a Systems Manager State Manager association. The association is configured to run every 30 minutes. However, some instances consistently report a status of 'Failed' in the association compliance dashboard. The instances are running and have the SSM Agent installed. What is the MOST likely cause of the failures?

A.The instances do not have the required IAM instance profile to execute the association document.
B.The instances are behind a firewall that blocks communication with the Systems Manager endpoint.
C.The association is configured to run at a specific time that conflicts with the instance's maintenance window.
D.The SSM Agent version on the instances is outdated and not compatible with the association document.
AnswerA

Without proper permissions, the association cannot run.

Why this answer

Option A is correct because State Manager runs association documents through the SSM Agent with the credentials of the instance profile; if that role lacks the permissions the document needs (the AmazonSSMManagedInstanceCore managed policy for the agent itself, plus anything the document touches, such as the S3 bucket holding the document's artifacts or a Parameter Store value), the run fails and the association reports Failed every 30 minutes. Option B is wrong because an instance that cannot reach the Systems Manager endpoints never registers as a managed node and does not report any association status at all. Option C is wrong because a State Manager association and a maintenance window do not conflict; the association simply runs on its own schedule. Option D is wrong because an agent too old for a document usually shows the document as unsupported rather than producing repeated execution failures on instances that are otherwise managed.

1685
MCQhard

A company runs a web application on Amazon ECS with Fargate launch type behind an Application Load Balancer (ALB). The application uses an RDS MySQL database. The security team performed a penetration test and discovered that the application is vulnerable to SQL injection. The development team has deployed a WAF web ACL to the ALB that includes rules to block SQL injection attacks. However, after the deployment, the application started returning 403 errors for legitimate requests, and the security team needs to investigate. The team also wants to ensure that only approved AWS services can access the RDS database. The current security groups are configured with a rule that allows inbound traffic from the ALB security group to the RDS database on port 3306. Which combination of actions should the security team take to resolve the issue and improve the security posture?

A.Disable the WAF rules that are causing false positives and add network ACLs to block all traffic to the database except from the ALB.
B.Remove the WAF web ACL and rely on security group ingress rules that allow all traffic from the VPC CIDR to the database.
C.Switch the WAF web ACL to count mode and add a second ALB in front of the database to filter traffic.
D.Switch the WAF web ACL to count mode while tuning the rules, and implement an IAM policy to restrict database access to specific AWS services using the aws:SourceArn condition key.
AnswerD

Count mode allows safe tuning; IAM policies can restrict access to the database from approved services.

Why this answer

Option D is correct because switching the web ACL's rules to Count mode keeps recording which requests each rule would have blocked (visible in the sampled requests and in WAF logs) without returning 403s, so the team can find the false positives, scope the rules or add exclusions, and then return to Block. The second half of the option adds an identity-layer restriction on top of the security group: for RDS MySQL that is IAM database authentication, where rds-db:connect is granted only to the roles of the approved services and conditions further scope the grant. Note also that the ALB never talks to the database; the ingress rule on port 3306 should reference the ECS tasks' security group, not the ALB's. Option A is incorrect because disabling the SQL injection rules re-exposes the vulnerability the pen test found, and a network ACL is stateless and subnet-wide, a blunt tool for one database.

Option C is incorrect because an ALB is a layer 7 HTTP load balancer and cannot sit in front of a MySQL listener; it adds complexity and solves nothing. Option B is incorrect because opening the database to the whole VPC CIDR widens the blast radius; the security group should keep allowing only the application's security group.

1686
MCQeasy

A company experiences an unexpected spike in network traffic to a web application hosted on EC2 instances behind an Application Load Balancer. The DevOps team needs to investigate the source IP addresses generating the traffic. Which AWS service should they use to capture the traffic?

A.Amazon CloudWatch Logs
B.AWS Config
C.AWS CloudTrail
D.VPC Flow Logs
AnswerD

VPC Flow Logs capture network traffic information.

Why this answer

Option D is correct because VPC Flow Logs record, per network interface, the source and destination IP addresses, ports, protocol, packet and byte counts and the accept/reject decision, which is what is needed to see where the traffic originates. One caveat: the instances sit behind an ALB, so flow logs on the instance ENIs show the ALB nodes' private IPs as the source. Capture flow logs on the ALB's ENIs (or the whole VPC) to see client addresses, or use ALB access logs, which record the client IP and the X-Forwarded-For chain. Option C is wrong because CloudTrail records API calls to AWS, not packets. Option A is wrong because CloudWatch Logs holds application logs (it can be the destination for flow logs, but it does not capture traffic by itself). Option B is wrong because AWS Config records resource configuration changes.

1687
MCQmedium

A company is using AWS OpsWorks for configuration management. They have a stack with a PHP application layer and a MySQL layer. The DevOps team needs to update the PHP version across all instances. They create a custom Chef recipe that updates the PHP package and add it to the lifecycle events. After running the 'Setup' lifecycle event on the layer, the instances are updated but the application stops working because the new PHP version is incompatible with some custom PHP extensions. The team needs to roll back the PHP version to the previous one quickly and minimize downtime. The instances are in an Auto Scaling group with a desired count of 4. What should the team do?

A.Re-run the old 'Setup' recipe that installs the previous PHP version on the layer.
B.Create a new AMI with the old PHP version, launch new instances, and terminate the old ones.
C.Use the OpsWorks 'Rollback' feature to revert the stack to a previous state.
D.Manually SSH into each instance and downgrade the PHP package, then restart the web server.
AnswerA

Correct: Re-running the old recipe will reinstall the old PHP version.

Why this answer

Option A is correct because the Setup lifecycle event on the layer is the same mechanism that installed the new PHP version; running the previous recipe (the one that installs the known-good package version) on the layer rolls all four instances back in place, with no instance replacement. Option C is wrong because the Rollback command in OpsWorks Stacks applies to application deployments (it redeploys the previous app version); it does not undo packages installed by a custom layer recipe. Option B is wrong because building an AMI and replacing instances is slower and, unless the AMI carries exactly the state the recipes produced, may not restore what ran before.

Option D is wrong because hand-editing four instances over SSH is slow and error-prone, and it leaves the layer's recipes out of step, so the next Setup run reintroduces the problem. (AWS OpsWorks Stacks reached end of life in May 2024; the question reflects the service as it was examined.)

1688
Multi-Selectmedium

A company is designing a disaster recovery plan for an RDS PostgreSQL database. They have a cross-region read replica. Which THREE steps should they take to ensure a successful failover?

Select 3 answers
A.Enable automated backups on the replica before promotion
B.Configure applications to use the new database endpoint
C.Update Route 53 DNS record to point to the new master
D.Promote the read replica to a standalone database instance
E.Enable Multi-AZ on the read replica before promotion
AnswersB, C, D

Promotion makes the replica writable; the DNS and application changes send traffic to it.

Why this answer

Promoting the cross-region read replica (Option D) turns it into a standalone, writable instance; promotion is one-way and the replica stops replicating from the old primary. The promoted instance keeps its own endpoint, so traffic has to be redirected: Option C updates the Route 53 record the application resolves, and Option B makes sure the application actually reconnects (lower the record TTL ahead of time and make sure connection pools re-resolve DNS instead of caching the old address).

Option A is wrong because backups are not a prerequisite for promotion; set the backup retention period on the promoted instance (or on the replica beforehand) so point-in-time recovery is available afterwards, but it does not affect the failover itself. Option E is wrong because Multi-AZ is not required for promotion; it can be configured on the replica or after promotion to protect the new primary against an AZ failure.

1689
MCQhard

A company runs a production application on Amazon ECS with Fargate launch type. The application uses an RDS MySQL database. The security team requires that all traffic between the application and the database be encrypted in transit. Currently, the database security group allows inbound traffic from the ECS tasks' security group on port 3306 (MySQL). The application uses the standard MySQL client connection without SSL. After enabling SSL on the RDS instance, the application starts failing to connect. The error logs show 'SSL connection error: protocol version mismatch'. The application runs on a custom Docker image based on Amazon Linux 2. The DevOps engineer needs to fix the connection issue. Which course of action should the engineer take?

A.Update the Docker image to include the latest MySQL client libraries that support TLS 1.2.
B.Update the application code to connect using SSL with the --ssl-mode=REQUIRED flag.
C.Modify the RDS parameter group to allow TLS 1.0 and 1.1.
D.Create a VPC peering connection and route traffic through a VPN.
AnswerA

Fixes the protocol version mismatch by using a client that supports required TLS version.

Why this answer

The error means the TLS handshake failed before authentication: the MySQL client library in the container offers only TLS versions the RDS instance no longer accepts. RDS for MySQL limits the accepted versions through the tls_version parameter, and current engine versions accept TLS 1.2 (and, on newer ones, 1.3) only, so a client library that tops out at TLS 1.0 or 1.1 cannot complete the handshake. Option A fixes the cause: rebuild the image on a current base with MySQL client libraries that support TLS 1.2, and pin that version in the Dockerfile so a later rebuild does not regress. Option B is wrong because --ssl-mode=REQUIRED only insists that TLS be used; it does not add newer protocol support to an old library, so the same mismatch occurs.

Option C is wrong because re-enabling TLS 1.0 and 1.1 on the database weakens the control the security team asked for. Option D is wrong because VPC peering and a VPN change the network path, not the client's TLS capabilities, and the requirement is encryption at the MySQL protocol layer. Once the client works, enforce the requirement on the server with the require_secure_transport parameter so an unencrypted fallback is impossible.

1690
MCQhard

A company runs a containerized microservices application on Amazon EKS. The application includes a critical service that processes real-time financial transactions. This service must be highly available and resilient to node failures. The current setup uses a Deployment with 3 replicas and a ClusterIP service. During a recent node failure, the application experienced a brief period of unavailability. Which action should the DevOps engineer take to improve resilience without changing the underlying infrastructure?

A.Change the service type from ClusterIP to NodePort and configure an external load balancer.
B.Increase the number of replicas to 10 and use a node selector to schedule all pods on the largest instance type.
C.Configure a PodDisruptionBudget with a maxUnavailable of 1, and add pod anti-affinity rules to spread pods across different nodes.
D.Enable HorizontalPodAutoscaler with a target CPU utilization of 50% to automatically scale the Deployment.
AnswerC

These steps ensure that a single node failure does not take down all replicas, and voluntary disruptions are limited.

Why this answer

Option C is correct because a PodDisruptionBudget with maxUnavailable=1 ensures that at most one pod is unavailable during voluntary disruptions, while pod anti-affinity rules force the scheduler to distribute pods across different nodes. This combination prevents a single node failure from taking down all replicas, maintaining service availability without altering the underlying infrastructure.

Exam trap

The trap here is that candidates often confuse scaling (HPA or more replicas) with resilience, failing to realize that without proper pod distribution and disruption budgets, scaling alone cannot prevent downtime from node failures.

How to eliminate wrong answers

Option A is wrong because changing to NodePort with an external load balancer adds network complexity and does not address pod distribution or node failure resilience; the ClusterIP service already provides internal load balancing. Option B is wrong because increasing replicas to 10 and using node selector to pin pods to the largest instance type actually reduces resilience by creating a single point of failure on that node. Option D is wrong because HorizontalPodAutoscaler scales based on CPU utilization, which does not protect against node failures; it may even exacerbate the problem by scaling pods onto the same failing nodes.
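The Deployment changes and the PodDisruptionBudget the answer describes, written here as an added example (not code from the page or from any project) in the same dict shape kubectl loads from YAML, together with a consistency check for the ways the pair silently fails to protect anything: a PDB whose selector misses the pods, a budget that allows every replica to go at once, missing per-node anti-affinity, and a required anti-affinity rule with fewer schedulable nodes than replicas. The app name, labels and image are assumptions.

```python
"""Added example for question 1690, not from the page or any project: the
Deployment changes and the PodDisruptionBudget the answer describes, as the
same dicts kubectl would load from YAML, plus a consistency check that
catches the ways the pair silently fails to protect anything. The app
name, labels and image are assumptions."""

APP_LABELS = {"app": "txn-processor"}  # hypothetical

DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "txn-processor"},
    "spec": {
        "replicas": 3,
        "selector": {"matchLabels": APP_LABELS},
        "template": {
            "metadata": {"labels": APP_LABELS},
            "spec": {
                # Hard anti-affinity: never co-locate two replicas on one node.
                "affinity": {"podAntiAffinity": {
                    "requiredDuringSchedulingIgnoredDuringExecution": [{
                        "labelSelector": {"matchLabels": APP_LABELS},
                        "topologyKey": "kubernetes.io/hostname"}]}},
                "containers": [{"name": "app", "image": "example/txn-processor:1.0"}],
            },
        },
    },
}

PDB = {
    "apiVersion": "policy/v1", "kind": "PodDisruptionBudget",
    "metadata": {"name": "txn-processor"},
    # Voluntary disruptions (drain, node upgrades) may take down at most one pod.
    "spec": {"maxUnavailable": 1, "selector": {"matchLabels": APP_LABELS}},
}


def check_resilience(deployment, pdb, schedulable_nodes):
    """Return findings; an empty list means the pair is consistent.

    The PDB only limits voluntary evictions, so it must select the right pods
    and leave a majority running; the anti-affinity is what spreads replicas
    so an involuntary node failure removes at most one of them, and a
    required rule needs at least as many nodes as replicas or the surplus
    pods stay Pending."""
    findings = []
    spec = deployment["spec"]
    labels = spec["template"]["metadata"]["labels"]
    replicas = spec["replicas"]

    pdb_sel = pdb["spec"]["selector"].get("matchLabels", {})
    if any(labels.get(k) != v for k, v in pdb_sel.items()):
        findings.append("PDB selector does not match the pod labels; it protects nothing")
    max_unavail = pdb["spec"].get("maxUnavailable")
    if max_unavail is None or max_unavail >= replicas:
        findings.append("maxUnavailable must be set and smaller than replicas")

    rules = (spec["template"]["spec"].get("affinity", {})
             .get("podAntiAffinity", {})
             .get("requiredDuringSchedulingIgnoredDuringExecution", []))
    spread = [r for r in rules
              if r.get("topologyKey") == "kubernetes.io/hostname"
              and r.get("labelSelector", {}).get("matchLabels") == labels]
    if not spread:
        findings.append("no required per-node anti-affinity; all replicas may share a node")
    elif replicas > schedulable_nodes:
        findings.append(f"required anti-affinity needs {replicas} nodes, "
                        f"only {schedulable_nodes} schedulable; extra pods stay Pending")
    return findings


if __name__ == "__main__":
    print("3 nodes:", check_resilience(DEPLOYMENT, PDB, 3) or "consistent")
    print("2 nodes:", check_resilience(DEPLOYMENT, PDB, 2))
```

The node-count finding is the trade-off of a required rule: with only two schedulable nodes the third replica never starts. Where that is unacceptable, use topologySpreadConstraints with whenUnsatisfiable: ScheduleAnyway, which prefers spreading but still schedules the pod.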

1691
Multi-Selecthard

A company runs a critical application on Amazon EC2 instances in an Auto Scaling group. The application generates logs that are sent to Amazon CloudWatch Logs. The DevOps team needs to configure a metric filter to monitor for error patterns and trigger an alarm when the error rate exceeds 5% of total requests over a 5-minute period. Which TWO steps should the team take? (Choose TWO.)

Select 2 answers
A.Create a CloudWatch Logs log group for the error metric.
B.Create a metric filter on the log group to count occurrences of the error pattern.
C.Create a CloudWatch Logs subscription filter to stream errors to a Lambda function that calculates the error rate.
D.Create a CloudWatch metric for the error count.
E.Create a CloudWatch alarm that uses a math expression to calculate the error rate (error count / total request count) and compare it to the threshold of 5%.
AnswersB, E

Two metrics derived from the log group plus a math expression give the rate.

Why this answer

Options B and E are correct. A metric filter on the existing log group turns matching log events into a custom CloudWatch metric: one filter counts events that match the error pattern, and a second filter (or the ALB's RequestCount metric) supplies the total request count the rate needs. The alarm is then defined on a metric math expression such as (errors / requests) * 100 and compared with the 5% threshold over a 5-minute period; set the filters' default value to 0 so a quiet period produces a datapoint instead of missing data, and decide how the alarm treats missing data when no requests arrive at all.

Option A is wrong because the log group already exists (the instances write to it); the filter is created on that group. Option D is wrong because the metric is created by the filter, not separately. Option C is wrong because streaming errors to a Lambda function that computes the rate works, but it is a custom pipeline to build and operate when the metric filter and alarm math do the job natively.
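The counting and the (errors / requests) * 100 math that the metric filters and the alarm perform, run offline over constructed log lines so the threshold logic can be checked. This is an added example, not code from the page; the log format, the field positions and the sample traffic are assumptions, while the 5% threshold and 5-minute period come from the question. It also shows the two failure modes a practitioner hits: matching "ERROR" as a substring instead of as the level field, and a period with no requests, which yields no datapoint rather than a rate of zero.

```python
"""Added example for question 1691, not from the page: the counting and the
(errors / requests) * 100 math that the metric filters and alarm perform,
run offline over constructed log lines so the threshold logic can be
checked. The log format, the field positions and the sample traffic are
assumptions; the 5 % threshold and 5-minute period come from the question."""
from collections import defaultdict
from datetime import datetime, timezone

PERIOD_SECONDS = 300
THRESHOLD_PERCENT = 5.0


def constructed_log():
    """Fabricated access log, "<timestamp> <level> <method> <path> <status>".
    10:00-10:05 has 20 requests and 1 error (exactly 5 %), 10:05-10:10 has
    8 requests and 2 errors (25 %)."""
    lines = []
    for i in range(20):
        level, status = ("ERROR", 500) if i == 7 else ("INFO", 200)
        lines.append(f"2024-05-01T10:00:{i:02d}Z {level} GET /api/orders {status}")
    for i in range(8):
        level, status = ("ERROR", 503) if i in (1, 4) else ("INFO", 200)
        lines.append(f"2024-05-01T10:05:{i:02d}Z {level} POST /api/orders {status}")
    return lines


def _period_of(line):
    """Start of the 5-minute period the event falls in, as an ISO timestamp."""
    ts = datetime.strptime(line.split(" ", 1)[0], "%Y-%m-%dT%H:%M:%SZ")
    epoch = int(ts.replace(tzinfo=timezone.utc).timestamp())
    start = epoch - epoch % PERIOD_SECONDS
    return datetime.fromtimestamp(start, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def metric_filter(lines, level=None):
    """Emulate a CloudWatch Logs metric filter with metric value 1 per match,
    summed per period. level=None mirrors an empty pattern (count every
    event, giving the request total); level="ERROR" mirrors the
    space-delimited pattern [ts, level = ERROR, ...], which tests the level
    field rather than any "ERROR" substring in a URL or message."""
    counts = defaultdict(int)
    for line in lines:
        fields = line.split()
        if level is not None and fields[1] != level:
            continue
        counts[_period_of(line)] += 1
    return dict(counts)


def error_rate_percent(errors, requests):
    """The alarm's metric math, (errors / requests) * 100, per period. A
    period with a zero or missing request count has no rate, the way
    CloudWatch division by zero produces no datapoint; the alarm then shows
    INSUFFICIENT_DATA unless the filters publish a default value of 0 and
    the alarm is told how to treat missing data."""
    return {p: (100.0 * errors.get(p, 0) / total if total else None)
            for p, total in requests.items()}


def alarm_state(rate):
    if rate is None:
        return "INSUFFICIENT_DATA"
    return "ALARM" if rate > THRESHOLD_PERCENT else "OK"  # GreaterThanThreshold


def evaluate(lines=None):
    """Return {period_start: (error_rate_percent, alarm_state)}."""
    lines = constructed_log() if lines is None else lines
    rates = error_rate_percent(metric_filter(lines, "ERROR"), metric_filter(lines))
    return {p: (rate, alarm_state(rate)) for p, rate in sorted(rates.items())}


if __name__ == "__main__":
    for period, (rate, state) in evaluate().items():
        print(period, f"{rate:.1f}%" if rate is not None else "n/a", state)
```

The first period sits exactly on the threshold and stays OK because the alarm comparison is GreaterThanThreshold; if 5% itself should alarm, use GreaterThanOrEqualToThreshold.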

1692
MCQmedium

A company uses AWS CloudFormation to manage its infrastructure. The DevOps team wants to ensure that critical resources, such as an RDS database, are not accidentally deleted when a stack is updated or deleted. Which CloudFormation feature should be used to prevent this?

A.DeletionPolicy attribute with Retain
B.Stack policy
C.Termination protection
D.DependsOn attribute
AnswerA

DeletionPolicy with Retain preserves the resource when the stack is deleted.

Why this answer

Option A is correct because DeletionPolicy: Retain tells CloudFormation to leave the resource in place when it is removed from the template or when the stack is deleted; for RDS, DeletionPolicy: Snapshot is the alternative that takes a final snapshot instead. Pair it with UpdateReplacePolicy, because an update that changes an immutable property (such as the DB instance identifier) replaces the resource, and UpdateReplacePolicy, not DeletionPolicy, decides what happens to the old one. Option B is wrong because a stack policy restricts which resources a stack update may modify or replace; it does not apply to stack deletion. Option C is wrong because termination protection in CloudFormation prevents the whole stack from being deleted, not an individual resource from being removed or replaced by an update (EC2 has a separate, instance-level termination protection).

Option D is wrong because DependsOn only orders creation and deletion; it does not preserve anything.

1693
Multi-Selectmedium

A company needs to ensure that an EC2 instance can only be launched using a specific Amazon Machine Image (AMI) that has been approved by the security team. Which TWO actions should be taken?

Select 2 answers
A.Tag the approved AMI and use resource-based policies to allow only tagged AMIs.
B.Create an IAM policy that denies ec2:RunInstances unless the AMI ID matches the approved AMI.
C.Use an AWS Organizations service control policy (SCP) to restrict AMI usage across accounts.
D.Create an AWS Config rule to check that EC2 instances are launched from the approved AMI.
E.Enable CloudTrail to log all EC2 RunInstances calls and alert on unapproved AMIs.
AnswersB, C

An IAM or SCP condition on the image ID makes RunInstances fail for any other AMI.

Why this answer

Option B is correct because a Deny on ec2:RunInstances for the arn:aws:ec2:*::image/* resource with a StringNotEquals condition on ec2:ImageID (or on ec2:Owner, to allow any AMI published by an approved account) makes the launch fail unless the approved image is used; RunInstances is authorized per resource, so the condition belongs on the image resource statement. Option C is correct because the same Deny statement in an SCP applies to every principal in every member account, including root users, which an IAM policy cannot reach. Option D is wrong because a Config rule (approved-amis-by-id or approved-amis-by-tag) only detects instances launched from other AMIs after the fact.

Option A is wrong because AMIs have launch permissions, not resource-based policies, and a tag by itself enforces nothing; tags are useful only as a condition key inside an IAM or SCP statement. Option E is wrong because CloudTrail is a detective record of the RunInstances call, not a control on it.
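The three policy questions above (1676, 1681 and 1693) all come down to how IAM evaluates Allow, Deny, Resource patterns and conditions. The following is an added example, not code from the page and not AWS's evaluation engine: a toy evaluator that implements just those rules (explicit Deny wins, wildcard matching, StringEquals, StringNotEquals and Null with IAM's missing-key behaviour), applied to the SCP guardrail, the GetObject-only policy and its fix, and the approved-AMI restriction. Bucket names and AMI IDs are made up. The real S3 action names are used rather than the option text's wording, and the ec2:ImageID condition is scoped to the image resource, because RunInstances authorizes each resource separately.

```python
"""Toy IAM/SCP evaluator, added as an example for questions 1676, 1681 and
1693; it is not AWS's evaluation engine. It models only what those questions
turn on: an explicit Deny beats any Allow, '*' and '?' wildcards in Action
and Resource, and the StringEquals, StringNotEquals and Null operators with
IAM's missing-key rules. Bucket names and AMI IDs below are made up."""
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, ctx):
    """IAM rules: a positive operator whose key is absent is false, a negated
    operator whose key is absent is true, and Null tests presence only."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected = [str(v) for v in _as_list(expected)]
            present = key in ctx
            if operator == "Null":
                if present != (expected[0].lower() == "false"):
                    return False
            elif operator == "StringEquals":
                if not present or ctx[key] not in expected:
                    return False
            elif operator == "StringNotEquals":
                if present and ctx[key] in expected:
                    return False
            else:
                raise ValueError(f"operator {operator} is not modelled")
    return True


def is_allowed(policies, action, resource, ctx=None):
    """Walk every statement of one policy set; a matching Deny ends the
    evaluation, otherwise at least one matching Allow is required."""
    ctx = ctx or {}
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
                continue
            if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
                continue
            if not _condition_holds(stmt.get("Condition", {}), ctx):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def org_allowed(scps, identity_policies, action, resource, ctx=None):
    """Member-account rule: the SCPs must allow the call AND the identity
    policy must allow it. SCPs never apply to the management account."""
    return (is_allowed(scps, action, resource, ctx)
            and is_allowed(identity_policies, action, resource, ctx))


# 1676: organization guardrail (SCP). Real action names differ from the option
# text: encryption settings are s3:PutEncryptionConfiguration and the
# account-wide public access block is s3:PutAccountPublicAccessBlock.
S3_GUARDRAIL_SCP = {"Version": "2012-10-17", "Statement": [
    {"Sid": "FullAWSAccess", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "KeepAccountPublicAccessBlock", "Effect": "Deny",
     "Action": "s3:PutAccountPublicAccessBlock", "Resource": "*"},
    {"Sid": "NoPublicAcls", "Effect": "Deny",
     "Action": ["s3:PutBucketAcl", "s3:PutObjectAcl", "s3:PutObject"], "Resource": "*",
     "Condition": {"StringEquals": {"s3:x-amz-acl": [
         "public-read", "public-read-write", "authenticated-read"]}}},
    # Deny only when an encryption header is present and is not AES256; an
    # absent header is fine because the bucket's default encryption applies.
    {"Sid": "OnlySseS3", "Effect": "Deny", "Action": "s3:PutObject", "Resource": "*",
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "false"},
                   "StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}},
]}

# 1681: the exhibit's policy (GetObject on objects only) and the fix.
BUCKET = "arn:aws:s3:::app-logs-example"  # hypothetical bucket
GETOBJECT_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": BUCKET + "/*"}]}
WITH_LISTBUCKET = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": BUCKET + "/*"},
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET}]}  # bucket ARN, no /*

# 1693: RunInstances is authorized per resource, so the image restriction
# goes on the image ARN; the same Deny statement works inside an SCP.
APPROVED_AMI = "ami-0123456789abcdef0"  # hypothetical
ONLY_APPROVED_AMI = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*"},
    {"Effect": "Deny", "Action": "ec2:RunInstances", "Resource": "arn:aws:ec2:*::image/*",
     "Condition": {"StringNotEquals": {"ec2:ImageID": APPROVED_AMI}}}]}


def image_arn(ami_id, region="us-east-1"):
    return f"arn:aws:ec2:{region}::image/{ami_id}"


if __name__ == "__main__":
    scp = [S3_GUARDRAIL_SCP]
    print("loosen account PAB:", is_allowed(scp, "s3:PutAccountPublicAccessBlock", "*"))
    print("PutObject with aws:kms:", is_allowed(scp, "s3:PutObject", BUCKET + "/k",
                                                {"s3:x-amz-server-side-encryption": "aws:kms"}))
    print("ls without ListBucket:", org_allowed(scp, [GETOBJECT_ONLY], "s3:ListBucket", BUCKET))
    print("ls with ListBucket:", org_allowed(scp, [WITH_LISTBUCKET], "s3:ListBucket", BUCKET))
    print("launch other AMI:", is_allowed([ONLY_APPROVED_AMI], "ec2:RunInstances",
                                          image_arn("ami-0fedcba9876543210"),
                                          {"ec2:ImageID": "ami-0fedcba9876543210"}))
```

Before relying on a policy like these, run the real thing through the IAM policy simulator (aws iam simulate-custom-policy) with the same action, resource and context keys; the toy above omits many operators, resource-level permission rules and the cross-account evaluation order.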

1694
MCQeasy

A DevOps engineer is reviewing a CloudFormation template for an S3 bucket that stores application logs. The bucket has versioning enabled and a lifecycle rule to expire noncurrent versions after 30 days. The bucket policy allows public read access to all objects. The company's security policy requires that all S3 buckets block public access. Which change should the engineer make to comply?

A.Change the bucket name to include 'private'.
B.Enable default encryption on the bucket.
C.Remove the bucket policy statement that grants public access.
D.Remove the lifecycle rule that expires noncurrent versions.
AnswerC

The bucket policy allows s3:GetObject from anyone (*). Removing it blocks public read access.

Why this answer

Option C is correct because the public read comes from the bucket policy statement whose Principal is * and whose Action is s3:GetObject; deleting that statement removes the grant. To satisfy the company policy rather than just this one bucket, also add a PublicAccessBlockConfiguration with all four settings set to true to the bucket resource in the template: with BlockPublicPolicy on, nobody can attach a policy that grants public access again, and RestrictPublicBuckets blocks cross-account use of any such policy that already exists. Option D is wrong because the lifecycle rule governs storage cost for old versions and has nothing to do with access.

Option B is wrong because default encryption protects data at rest; a public policy still lets anyone read the decrypted objects. Option A is wrong because a bucket's name does not affect its permissions.

1695
MCQhard

A company's security team suspects that an attacker has compromised an IAM user's access keys. The keys were used to launch instances in an unauthorized region. What is the FASTEST way to mitigate the threat?

A.Delete the IAM user.
B.Change the IAM user's password.
C.Rotate the access keys immediately.
D.Attach an AWS WAF to block the attacker's IP address.
AnswerC

Rotating keys invalidates the old keys and stops unauthorized use.

Why this answer

Rotating the access keys immediately invalidates the compromised keys without disrupting the IAM user's other permissions or recreating the user: set the compromised key to Inactive (or delete it) first, then create a new key for the legitimate user. Two follow-ups belong in the same runbook: temporary credentials the attacker already obtained with the key (through sts:GetSessionToken or AssumeRole) stay valid until they expire, so attach a Deny policy with an aws:TokenIssueTime condition to the user and any roles it assumed; and contain what the key was used for, by terminating the unauthorized instances in the other region and reviewing CloudTrail for other API calls made with that key.

Exam trap

The trap here is that candidates confuse password changes (console access) with access key rotation (programmatic access), or they overcorrect by deleting the entire user instead of simply rotating the compromised keys.

How to eliminate wrong answers

Option A is wrong because deleting the IAM user is an overly drastic measure that removes all permissions and associated resources, causing unnecessary downtime and operational overhead; it is not the fastest way to stop key-based access. Option B is wrong because changing the IAM user's password only affects console login credentials, not access keys, so it does nothing to mitigate the threat from compromised programmatic keys. Option D is wrong because AWS WAF is a web application firewall that operates at the application layer (HTTP/HTTPS) and cannot block IAM access key usage, which occurs at the AWS API level via Signature Version 4 signing.

1696
MCQeasy

A company runs a critical application on Amazon EC2 instances behind an Application Load Balancer. During a security incident, the security team needs to isolate a compromised instance for forensic analysis without affecting the application's availability. What is the MOST effective action to take?

A.Deregister the instance from the target group and stop the instance for forensic analysis.
B.Modify the security group of the instance to deny all inbound and outbound traffic.
C.Terminate the compromised instance immediately to prevent further damage.
D.Change the subnet route table to route traffic away from the compromised instance.
AnswerA

Isolates the instance while maintaining availability.

Why this answer

Deregistering the instance from the target group removes it from the Application Load Balancer's routing, so no new requests reach it while existing connections drain (deregistration delay); the remaining healthy targets keep serving, so availability is maintained. Stopping the instance preserves its EBS volumes for disk analysis but not the contents of memory, which are lost on stop, so if volatile evidence (running processes, network connections, in-memory keys) matters, capture it first: snapshot the EBS volumes, collect memory with a forensic agent, and swap the instance's security group for an isolation group that admits only the forensic workstation. If the instance belongs to an Auto Scaling group, detach it or put it into Standby before stopping it; otherwise the group terminates the stopped instance as unhealthy and destroys the evidence.

Exam trap

The trap here is that candidates confuse network-level isolation (security groups or route tables) with application-level isolation (target group deregistration): while the instance stays registered, the ALB keeps sending it requests until its health checks fail, so clients see errors in the meantime.

How to eliminate wrong answers

Option B is wrong because modifying the security group to deny all traffic only blocks network-level access; the instance remains registered in the target group, and the ALB keeps routing to it until health checks mark it unhealthy, causing timeouts or errors for clients. Option C is wrong because terminating the instance destroys the memory contents and, with the default DeleteOnTermination setting, the root EBS volume as well, leaving nothing to analyse, and it drops any requests the instance was handling. Option D is wrong because changing the subnet route table affects all instances in that subnet, not just the compromised one, and does not stop the ALB from reaching the instance via its private IP; route tables control layer-3 routing, not load balancer target group membership.

1697
Multi-Selectmedium

Which TWO approaches can be used to manage configuration files (e.g., application.properties) across multiple AWS accounts and regions using AWS Systems Manager? (Select TWO.)

Select 2 answers
A.Use AWS AppConfig to create, manage, and deploy application configurations across accounts and regions.
B.Use AWS OpsWorks for Chef Automate to store configuration data in Chef data bags.
C.Store configuration files in AWS Secrets Manager and retrieve them using the Secrets Manager API.
D.Store configuration parameters in AWS Systems Manager Parameter Store and reference them from applications using the AWS SDK.
E.Use AWS Systems Manager Run Command to push configuration files to EC2 instances on demand.
AnswersA, D

AppConfig is designed for application configuration management with validation and deployment strategies.

Why this answer

AWS AppConfig is a feature of AWS Systems Manager that lets you create, validate and deploy application configurations with staged rollouts and automatic rollback on alarms, and Parameter Store holds individual configuration values that applications read through the SDK; both can be replicated per account and region through infrastructure as code, which makes them suitable for managing files like application.properties in multi-account, multi-region environments. Option B is wrong because OpsWorks for Chef Automate is a separate service, not part of Systems Manager. Option C is wrong because Secrets Manager is built for credentials with rotation, not general configuration. Option E is wrong because Run Command pushes files imperatively on demand, with no versioning, validation or rollout strategy.

Exam trap

The trap here is that candidates often confuse AWS Secrets Manager with Parameter Store for configuration management, or assume Run Command is suitable for configuration deployment, when in fact AppConfig and Parameter Store are the correct Systems Manager services for managing and deploying configuration files across multiple accounts and regions.

1698
MCQeasy

A company uses AWS Elastic Beanstalk to deploy a web application. The operations team wants to ensure that the environment's configuration (e.g., instance type, scaling limits) is version-controlled and reproducible. Which practice should they adopt?

A.Manually recreate the environment from the Elastic Beanstalk console when needed.
B.Use the Elastic Beanstalk saved configuration feature to download a configuration file and store it in version control.
C.Use AWS CloudFormation to define the environment and store the template in a Git repository.
D.Document the configuration in a wiki and apply it manually through the AWS Management Console.
AnswerB

Saved configurations allow versioning and reproducibility.

Why this answer

Option B is correct because Elastic Beanstalk's saved configuration feature allows you to download the environment's configuration as a YAML or JSON file, which can be stored in version control and used to recreate identical environments. This directly addresses the need for version-controlled, reproducible environment configuration without requiring additional infrastructure-as-code tools.

Exam trap

The trap here is that candidates may overthink and choose CloudFormation (Option C) because it is a powerful IaC tool, but the question specifically asks for a practice within Elastic Beanstalk's own features to version-control its configuration, not to replace the deployment service entirely.

How to eliminate wrong answers

Option A is wrong because manually recreating an environment from the console is error-prone, not version-controlled, and violates the principle of reproducibility. Option C is wrong because while AWS CloudFormation can define Elastic Beanstalk environments, the question specifically asks for a practice within Elastic Beanstalk's native capabilities; using CloudFormation adds unnecessary complexity and is not the recommended practice for version-controlling Elastic Beanstalk environment configuration. Option D is wrong because documenting configuration in a wiki and applying it manually is not version-controlled, is prone to human error, and does not enable automated or reproducible deployments.

1699
MCQeasy

A company uses Amazon CloudWatch Logs to store application logs. The security team requires that logs be encrypted at rest using a customer-managed AWS KMS key. The team has enabled encryption on the CloudWatch Logs log group using a KMS key. However, after enabling encryption, the application fails to write logs to the log group. The application uses an IAM role that has the following permissions: logs:CreateLogStream, logs:PutLogEvents, and logs:DescribeLogStreams. Which additional permission does the application need?

A.kms:Encrypt
B.kms:GenerateDataKey
C.kms:CreateGrant
D.kms:Decrypt
AnswerA

The role needs encrypt permission to write to the encrypted log group.

Why this answer

Option A is correct because to write to an encrypted log group, the IAM role needs kms:Encrypt permission for the KMS key. Option D is incorrect because kms:Decrypt is for reading, not writing. Option B is incorrect because kms:GenerateDataKey is used for envelope encryption, but CloudWatch Logs encryption uses direct encryption.

Option C is incorrect because kms:CreateGrant is used to grant access to a key, not to write logs.

1700
Drag & Dropmedium

Drag and drop the steps to perform a disaster recovery failover from a primary region to a secondary region using AWS Route 53 and RDS.


Why this order

First configure health checks, then lower TTL, then promote RDS, then update DNS, then verify.

1701
Multi-Selectmedium

A DevOps engineer is designing a centralized logging solution for a multi-account AWS environment. The solution must be cost-effective and provide real-time log analysis. Which THREE services should they consider?

Select 3 answers
A.Amazon OpenSearch Service (Elasticsearch)
B.Amazon Kinesis Data Firehose
C.Amazon S3
D.Amazon CloudWatch Logs
E.AWS CloudTrail
AnswersA, B, D

Provides real-time log search and analysis.

Why this answer

Option D is correct because CloudWatch Logs can collect logs from various sources. Option B is correct because Kinesis Data Firehose can stream logs to destinations like S3 or OpenSearch. Option A is correct because Amazon OpenSearch Service can be used for log analysis.

Option C is wrong because S3 is for storage, not real-time analysis. Option E is wrong because CloudTrail is for API logs only.

1702
MCQeasy

A DevOps engineer must ensure that all API calls in an AWS account are logged for compliance. The logs should be stored in an S3 bucket with server-side encryption enabled. Which two services should be used together to meet these requirements?

A.AWS CloudTrail and Amazon CloudWatch Logs
B.AWS CloudTrail and Amazon S3
C.Amazon VPC Flow Logs and Amazon S3
D.AWS Config and AWS CloudTrail
AnswerB

CloudTrail logs API calls and delivers to S3, which supports server-side encryption.

Why this answer

Option B is correct because AWS CloudTrail logs API calls and can deliver logs to an S3 bucket. S3 server-side encryption can be enabled on the bucket. Option D: Config records resource changes, not API calls.

Option A: CloudWatch Logs can store logs but does not automatically encrypt them; it is also not the primary service for API logging. Option C: VPC Flow Logs capture network traffic, not API calls.

1703
MCQhard

A company has a VPC with public and private subnets. They launch an EC2 instance in a private subnet that needs to download patches from the internet. Which solution is MOST secure and scalable?

A.Create a NAT Gateway in a public subnet and update the private route table.
B.Launch a proxy server in a public subnet and route traffic through it.
C.Assign an Elastic IP to the instance in the private subnet.
D.Use a VPC endpoint to the Amazon Linux repository.
AnswerA

Secure and scalable outbound internet access.

Why this answer

Option A is correct because a NAT Gateway allows instances in private subnets to initiate outbound traffic to the internet and receive responses, without allowing inbound traffic. Option C is wrong because assigning an Elastic IP exposes the instance to inbound traffic. Option B is wrong because a proxy server is less scalable and requires management.

Option D is wrong because a VPC endpoint is for AWS services, not general internet.

1704
MCQhard

A financial services company runs a critical application on Amazon ECS with Fargate launch type. The application consists of three microservices: Service A (frontend), Service B (processing), and Service C (database access). Services communicate via REST APIs. The application stores data in Amazon Aurora PostgreSQL Serverless v2. The company has a disaster recovery (DR) requirement: RTO of 30 minutes and RPO of 15 minutes. The primary region is us-east-1 and the DR region is us-west-2. The DevOps team has configured cross-region replication for the Aurora database using an Aurora Global Database. The ECS services are deployed with a service-linked role for Fargate. The team wants to automate the failover process to meet the RTO. Which solution should the team implement?

A.Use AWS CloudFormation StackSets to deploy the ECS services and supporting resources in the DR region. Configure an Aurora Global Database for cross-region replication. Use Amazon Route 53 with health checks and failover routing to automatically redirect traffic to the DR region when the primary region health check fails.
B.Take daily snapshots of the Aurora database and copy them to the DR region. In the event of a disaster, restore the snapshot and use AWS CloudFormation to launch the ECS services.
C.Use AWS Backup to schedule cross-region backups of the Aurora database every 15 minutes. In the event of a disaster, restore the latest backup and use Elastic Beanstalk to deploy the application in the DR region.
D.Configure AWS Global Accelerator with an endpoint group in each region. Use AWS Lambda to periodically check the health of the primary region and update the DNS records manually to point to the DR region.
AnswerA

StackSets automates infrastructure deployment, Aurora Global Database provides low RPO, and Route 53 failover routing provides automatic DNS failover within minutes.

Why this answer

Option A is correct because using CloudFormation StackSets to deploy the infrastructure in both regions and using Route 53 with health checks and failover routing allows automated failover with DNS propagation. The Aurora Global Database provides managed replication. Option B (snapshot restore) is too slow.

Option C (restore from a scheduled backup and redeploy) won't meet the RTO. Option D relies on manually updating DNS records, so the failover is not automated.

1705
MCQmedium

A company uses AWS Organizations with multiple accounts. The security team wants to ensure that all IAM roles in member accounts have a maximum session duration of 1 hour. They need a way to detect any roles that violate this policy. What should they do?

A.Use IAM Access Analyzer to validate the roles against a policy template.
B.Use AWS Config with the managed rule iam-role-max-session-duration to evaluate roles.
C.Run AWS Trusted Advisor and check the IAM report for roles with long session durations.
D.Enable AWS CloudTrail and create a metric filter to detect role creation with session duration greater than 1 hour.
AnswerB

B is correct because AWS Config can continuously evaluate role configurations against this rule.

Why this answer

AWS Config provides a managed rule called `iam-role-max-session-duration` that specifically evaluates IAM roles to ensure their `MaxSessionDuration` setting does not exceed a specified threshold (default 1 hour). This rule can be deployed across all member accounts in AWS Organizations using a conformance pack or AWS Config aggregator, allowing the security team to continuously detect and report any roles that violate the policy without manual intervention.

Exam trap

The trap here is that candidates often confuse AWS Config's ability to evaluate resource configurations (like IAM role session duration) with CloudTrail's event logging or IAM Access Analyzer's policy analysis, leading them to choose options that detect creation events rather than continuously assess the current state of all roles.

How to eliminate wrong answers

Option A is wrong because IAM Access Analyzer is designed to analyze resource-based policies (like S3 bucket policies or KMS key policies) for unintended public or cross-account access, not to validate IAM role session duration settings against a policy template. Option C is wrong because AWS Trusted Advisor checks for IAM use (e.g., unused IAM users, MFA on root) but does not include a specific check for IAM role maximum session duration. Option D is wrong because while CloudTrail can log `CreateRole` and `UpdateAssumeRolePolicy` events, a metric filter cannot directly evaluate the `MaxSessionDuration` parameter from the event; it would require complex custom parsing and still not provide ongoing compliance evaluation like AWS Config.

1706
MCQhard

A company runs a fleet of EC2 instances behind an Auto Scaling group. The DevOps team wants to detect and respond to memory leaks in their application. They have configured CloudWatch agent to collect memory metrics. However, the metric shows unpredictable spikes. The team needs to correlate these spikes with application logs to identify the root cause. Which solution provides the BEST correlation?

A.Export the memory metric and application logs to Amazon S3 and use Amazon Athena to join them
B.Enable AWS X-Ray on the application to trace requests and identify memory-heavy requests
C.Use CloudWatch Logs Insights to query application logs for error patterns around the time of memory spikes
D.Use Amazon EventBridge to capture EC2 instance state changes and correlate with memory spikes
AnswerC

Logs Insights allows time-based correlation between metrics and logs.

Why this answer

Option C is correct because CloudWatch Logs Insights allows you to query application logs directly in CloudWatch Logs using a purpose-built query language. By filtering logs around the timestamps of memory spikes, you can correlate specific error patterns or log entries with the metric data, enabling root cause analysis without moving data or adding complexity.

Exam trap

The trap here is that candidates often confuse AWS X-Ray's request tracing with OS-level metric correlation, or assume that exporting to S3 and using Athena is a universal solution, when in fact CloudWatch Logs Insights provides the most direct and efficient correlation within the same monitoring ecosystem.

How to eliminate wrong answers

Option A is wrong because exporting metrics and logs to S3 and using Athena to join them introduces unnecessary latency, cost, and complexity; Athena is designed for ad-hoc analysis of structured data, not real-time correlation of streaming metrics and logs. Option B is wrong because AWS X-Ray traces requests and identifies latency or errors, but it does not capture memory metrics or correlate them with memory leaks; it focuses on distributed tracing, not OS-level resource usage. Option D is wrong because EventBridge captures EC2 instance state changes (e.g., start, stop, terminate), which are unrelated to memory spikes caused by application-level memory leaks; state changes do not provide the granular log correlation needed.

1707
MCQeasy

A company is designing a resilient architecture for a web application using AWS Global Accelerator and two Application Load Balancers in different AWS Regions. The application is stateless and uses a global DynamoDB table for data. What is the primary benefit of using Global Accelerator in this architecture?

A.It replaces the need for an Application Load Balancer.
B.It provides static IP addresses and automatically routes traffic to the closest healthy ALB, improving availability and performance.
C.It provides DNS-based failover between Regions.
D.It caches static content at AWS edge locations.
AnswerB

Global Accelerator improves resilience by routing to healthy endpoints.

Why this answer

Option B is correct because Global Accelerator provides static IP addresses and directs traffic to the nearest healthy endpoint, improving resilience and performance. Option D is wrong because Global Accelerator does not cache content. Option C is wrong because DNS routing is not the primary benefit; Global Accelerator uses anycast.

Option A is wrong because Global Accelerator does not replace ALB; it works with ALBs.

1708
MCQeasy

A developer needs to allow an EC2 instance to read from an S3 bucket. Which is the most secure way to grant this access?

A.Use the root user credentials of the AWS account.
B.Store AWS access keys in the instance's user data and use them in the application.
C.Create an S3 bucket policy that allows the EC2 instance's public IP address.
D.Create an IAM role with an S3 read policy and attach it to the EC2 instance profile.
AnswerD

This is the best practice for granting permissions to AWS services.

Why this answer

Option D is correct because an IAM role attached to the EC2 instance provides temporary credentials without hardcoding keys. Option B is wrong because storing keys in the instance is insecure. Option A is wrong because root credentials are highly privileged and should never be used.

Option C is wrong because resource-based policies on S3 can grant access to IAM roles, but the role must still be attached to the instance.

1709
MCQhard

A DevOps team is implementing a blue/green deployment strategy for a microservice running on Amazon ECS with AWS CodeDeploy. They want to shift 10% of traffic to the new task set for 5 minutes, then shift the remaining 90%. Which deployment configuration should they use?

A.CodeDeployDefault.ECSAllAtOnce
B.CodeDeployDefault.ECSLinear10PercentEvery1Minutes
C.CodeDeployDefault.ECSCanary10Percent5Minutes
D.Custom configuration with 10% initial traffic and 100% after 5-minute interval
AnswerD

Custom configuration allows exact specification.

Why this answer

Option D is correct because the requirement specifies a 10% traffic shift for 5 minutes, followed by the remaining 90%. AWS CodeDeploy does not provide a built-in configuration that matches this exact pattern; the built-in canary option (C) shifts 10% for 5 minutes but then automatically completes the deployment after that interval, not waiting for a manual or additional step. Therefore, a custom configuration must be created with a 10% initial traffic percentage and a 100% final traffic percentage after a 5-minute interval to achieve the desired two-step linear shift.

Exam trap

The trap here is that candidates often confuse the built-in canary configuration (Option C) with a custom configuration, assuming the canary's 5-minute interval includes a hold at 10% before the final shift, when in reality it automatically completes the deployment after the canary step without an additional wait.

How to eliminate wrong answers

Option A is wrong because CodeDeployDefault.ECSAllAtOnce shifts 100% of traffic to the new task set immediately, which does not match the 10% then 90% gradual shift requirement. Option B is wrong because CodeDeployDefault.ECSLinear10PercentEvery1Minutes shifts 10% of traffic every 1 minute until 100%, resulting in a linear progression over 10 minutes, not a 5-minute wait at 10% followed by a single 90% shift. Option C is wrong because CodeDeployDefault.ECSCanary10Percent5Minutes shifts 10% for 5 minutes and then automatically shifts the remaining 90% immediately after the 5-minute interval, which does not allow the 5-minute hold at 10% before the final shift as specified; it completes the deployment in one canary step.

1710
MCQmedium

An organization uses AWS Elastic Beanstalk for deploying a web application. They have a custom platform extension that modifies the nginx configuration. After a recent deployment, the custom configuration is not applied. The environment logs show that the platform extension script ran successfully. What should the engineer check first?

A.Review the application source code for errors.
B.Ensure the script has execute permissions.
C.Check if the nginx configuration file is being overwritten by later deployment phases.
D.Verify that the platform extension is in the correct folder.
AnswerC

The extension script may run early, and later steps may overwrite the config.

Why this answer

Option C is correct because if the file is overwritten after the script runs, the changes are lost. Option B is wrong because the script ran successfully. Option D is wrong because the script ran.

Option A is wrong because it is less likely to be the first check.

1711
Multi-Selectmedium

A company wants to implement a configuration management strategy for their EC2 instances that are part of an Auto Scaling group. They need to ensure that new instances are automatically configured with the latest software packages and settings without manual intervention. Which TWO approaches meet these requirements? (Choose TWO.)

Select 2 answers
A.Use AWS OpsWorks to manage configurations and associate with the Auto Scaling group.
B.Use AWS CodeDeploy with an Auto Scaling lifecycle hook to deploy applications to new instances.
C.Use EC2 user data scripts to install software at launch.
D.Use AWS Config rules to enforce configuration settings.
E.Use AWS Systems Manager Run Command on a schedule to apply configurations.
AnswersB, C

Lifecycle hooks can trigger CodeDeploy deployments on launch.

Why this answer

Options B and C are correct. Option C uses a bootstrapping script in the user data to install packages on launch. Option B uses AWS CodeDeploy to automatically deploy applications to new instances.

Option D is incorrect because AWS Config is for compliance, not configuration management. Option A is incorrect because AWS OpsWorks is a separate service, not directly integrated with Auto Scaling groups. Option E is incorrect because Systems Manager Run Command is manual, not automatic on launch.

1712
Multi-Selecthard

A DevOps engineer is building a CI/CD pipeline for a PHP application that uses Amazon RDS for MySQL. The pipeline must run database migrations as part of the deployment. The team wants to ensure that if a migration fails, the deployment is rolled back and the database is restored to its previous state. Which THREE steps should the engineer implement?

Select 3 answers
A.Take a snapshot of the RDS database before the migration.
B.Use CloudFormation with a custom resource to run the migration.
C.Use CodeDeploy's AppSpec file to run a migration script in the AfterInstall lifecycle hook.
D.Use AWS Database Migration Service (DMS) to replicate the database continuously.
E.Configure the CodeDeploy deployment group to automatically roll back on failure.
AnswersA, C, E

Allows restoration if migration fails.

Why this answer

Option A is correct because a snapshot provides a restore point. Option C is correct because CodeDeploy can run scripts, including migration scripts. Option E is correct because rollback can be configured in CodeDeploy.

Option B is not typically used for database migrations. Option D is not a standard practice for rollback.

1713
Multi-Selecthard

Which THREE actions should be taken to ensure that an AWS CloudFormation stack update does not cause downtime for a production application that runs on an Auto Scaling group behind an Application Load Balancer? (Select THREE.)

Select 3 answers
A.Configure an 'UpdateWaitCondition' in the CloudFormation template to pause the stack update until a healthy signal is received from the new instances.
B.Add a custom resource that triggers an AWS Lambda function to take a snapshot of the database before the update.
C.Ensure that the Auto Scaling group spans at least three Availability Zones to distribute instances.
D.Set the Auto Scaling group's UpdatePolicy to 'AutoScalingRollingUpdate' with a 'BatchSize' of 1 and 'MinInstancesInService' equal to the desired capacity.
E.Define a lifecycle hook for the Auto Scaling group that delays instance termination until the new instance is fully registered and healthy with the load balancer.
AnswersA, D, E

Wait conditions allow you to verify that new instances are healthy before proceeding.

Why this answer

Option A is correct because an 'UpdateWaitCondition' in a CloudFormation template can pause the stack update until a healthy signal is received from the new instances. This ensures that the update proceeds only after the new instances have passed health checks, preventing premature traffic routing and potential downtime.

Exam trap

The trap here is that candidates may confuse general high-availability practices (like multi-AZ distribution) with specific update-time actions that prevent downtime, or they may think database snapshots are relevant to instance-level availability during a stack update.

1714
MCQmedium

A company uses AWS CloudFormation to manage infrastructure as code. They have a stack that creates an Amazon RDS database instance. The database password is stored as a parameter in AWS Systems Manager Parameter Store. The CloudFormation template references the parameter using the 'resolve:ssm' dynamic reference. Recently, a security audit found that the password was exposed in plaintext in the CloudFormation stack outputs. The team wants to prevent sensitive information from being displayed in stack outputs or logs. Which approach should be taken?

A.Set the 'NoEcho' property to 'true' for the parameter in the template
B.Store the password in AWS Secrets Manager and reference it in the template
C.Remove the output from the CloudFormation stack
D.Encrypt the output value using AWS KMS
AnswerA

NoEcho masks the parameter value in outputs and logs

Why this answer

To prevent sensitive data from being shown in outputs or logs, set the 'NoEcho' property to 'true' on the CloudFormation template parameter. This masks the value in outputs. Option A is correct.

Option D (encrypt the output) is not possible because outputs are not encrypted. Option C (remove the output) would prevent exposure but may break automation that depends on the output. Option B (use AWS Secrets Manager) is good practice but does not directly solve the output exposure issue.

1715
Multi-Selecthard

A security audit reveals that an S3 bucket contains objects that are publicly accessible. The DevOps engineer must prevent any future public access to the bucket and all objects within it. Which THREE actions should the engineer take? (Choose THREE.)

Select 3 answers
A.Enable Block Public Access settings on the bucket.
B.Disable object ACLs on the bucket.
C.Remove any bucket policy that grants public read access.
D.Apply an SCP that denies s3:PutBucketPolicy that would make objects public.
E.Enable S3 server access logging.
AnswersA, C, D

Prevents any future public access at bucket level.

Why this answer

Option A is correct because blocking public access at the bucket level prevents future public access. Option D is correct because an SCP can enforce no public access across all accounts. Option C is correct because removing the bucket policy that grants public access is necessary.

Option B is wrong because ACLs are not the only method; a bucket policy can also grant public access. Option E is wrong because enabling server access logging does not affect public access.

1716
MCQhard

A company needs to audit all changes to security groups in a multi-account environment. The logs must be centrally stored and immutable. Which solution meets these requirements with minimal operational overhead?

A.Enable VPC Flow Logs in each VPC and aggregate them in Amazon CloudWatch Logs
B.Enable AWS CloudTrail in all accounts, deliver logs to a central S3 bucket with S3 Object Lock enabled
C.Enable Amazon GuardDuty and send findings to a central S3 bucket
D.Enable AWS Config rules to detect security group changes and store results in a central S3 bucket
AnswerB

CloudTrail captures API calls and S3 Object Lock provides immutability.

Why this answer

AWS CloudTrail logs all API calls, including security group changes. Sending CloudTrail logs from all accounts to a central S3 bucket with Object Lock enabled ensures immutability. Option B is correct.

Option D (AWS Config) records state changes but not API calls. Option A (VPC Flow Logs) logs network traffic, not security group changes. Option C (Amazon GuardDuty) is for threat detection.

1717
MCQhard

A company runs a containerized application on Amazon EKS. The application uses an ALB Ingress Controller. During a cluster upgrade, the ingress controller stops responding, causing downtime. The team wants to ensure resilience during upgrades. Which approach is BEST?

A.Use a horizontal pod autoscaler for the ingress controller.
B.Enable cluster autoscaler to add more nodes during the upgrade.
C.Use a managed node group with a higher instance count.
D.Schedule the ingress controller pod on a dedicated node with a taint that prevents node upgrades.
AnswerD

Dedicated nodes can be excluded from upgrades, ensuring ingress availability.

Why this answer

Option D is correct because running the ingress controller on a node that is not upgraded (e.g., using taints/tolerations) ensures the controller remains available. Option C is wrong because a managed node group does not guarantee availability. Option B is wrong because cluster autoscaler does not protect against upgrades.

Option A is wrong because HPA does not help with upgrades.

1718
Matchingmedium

Match each AWS Config rule to its purpose.


Concepts
Matches

Checks that resources have specified tags

Ensures EBS volumes are encrypted

Prevents public read access on S3 buckets

Verifies CloudTrail is enabled

Checks for IAM policies granting full admin access

Why these pairings

These are common managed Config rules for compliance.

1719
MCQeasy

A DevOps engineer receives a CloudWatch alarm that an Auto Scaling group has been in an 'Insufficient data' state for 20 minutes. What does this indicate?

A.All instances in the Auto Scaling group are unhealthy
B.The Auto Scaling group needs to scale up
C.The alarm has not received enough metric data to evaluate
D.The CloudWatch agent is not installed on the instances
AnswerC

Insufficient data means not enough data points.

Why this answer

The 'Insufficient data' state in CloudWatch alarms indicates that the alarm has not received enough metric data points to determine whether the threshold has been breached. This can occur when the metric is not being published, the data collection period is too short, or the metric namespace is misconfigured. It does not directly indicate instance health, scaling needs, or agent installation status.

Exam trap

The trap here is that candidates confuse 'Insufficient data' with a problem state (like unhealthy instances or scaling failures), when it actually means the alarm simply lacks enough data to make a determination.

How to eliminate wrong answers

Option A is wrong because 'Insufficient data' does not imply unhealthy instances; it means the alarm lacks metric data to evaluate, whereas unhealthy instances would trigger 'ALARM' state if health check metrics are configured. Option B is wrong because the alarm state does not indicate a scaling need; scaling decisions are based on threshold breaches, not insufficient data. Option D is wrong because the CloudWatch agent is not required for all metrics; many metrics (e.g., EC2 basic monitoring) are published automatically without an agent, and 'Insufficient data' can occur even with the agent installed if data is not flowing.

1720
MCQeasy

A DevOps engineer receives an alert that an Amazon EC2 instance’s CPU utilization has been above 90% for the past hour. The instance is part of an Auto Scaling group with a step scaling policy based on average CPU. The engineer checks the CloudWatch alarm and sees that it is in the ALARM state. What should the engineer do to verify that the Auto Scaling group is scaling out properly?

A.Ensure the scaling policy is configured to scale in
B.Check the CloudWatch Logs for the instance
C.Verify that the CloudWatch alarm is in INSUFFICIENT_DATA state
D.Review the Auto Scaling group’s activity history in the EC2 console
AnswerD

Activity history shows scaling actions taken.

Why this answer

Option D is correct because checking the Auto Scaling activity history will show whether scaling actions were triggered. Option B is wrong because CloudWatch Logs show instance logs, not scaling actions. Option C is wrong because the alarm state already indicates it is triggered.

Option A is wrong because the scaling policy is for scale-out on high CPU.

1721
Multi-Selecteasy

Which TWO actions can help protect an AWS account's root user? (Choose TWO.)

Select 2 answers
A.Do not create access keys for the root user; use IAM users instead
B.Delete the root user after creating administrative IAM users
C.Enable multi-factor authentication (MFA) on the root user
D.Rotate the root user password every 30 days
E.Change the root user's email address to a group email
AnswersA, C

Avoid using root user for programmatic access.

Why this answer

Option C is correct: enable MFA on the root user. Option A is correct: avoid using the root user for programmatic or daily tasks. Option D is wrong: root user credentials cannot be rotated automatically.

Option B is wrong: the root user cannot be deleted. Option E is wrong: the root user's email cannot be changed easily and doing so is not a security best practice.

1722
MCQhard

A company uses AWS Lambda with Amazon DynamoDB to process orders. During peak hours, the Lambda function sometimes fails with throttling errors from DynamoDB. The system must be resilient and cost-effective. What should a DevOps engineer do?

A. Use Amazon SQS to buffer the requests and have Lambda pull from the queue with a reserved concurrency limit.
B. Increase the DynamoDB provisioned read and write capacity units to a high fixed value.
C. Provision DynamoDB Accelerator (DAX) to cache reads and reduce throttling.
D. Configure DynamoDB auto scaling and implement a dead-letter queue in Lambda to retry failed events.
Answer: D

Auto scaling handles peaks; DLQ ensures no data loss.

Why this answer

Configuring DynamoDB auto scaling allows the table to handle increased throughput during peaks, reducing throttling. Adding a dead-letter queue and retries helps manage failed events without losing data.

1723
MCQ, easy

A DevOps engineer needs to grant an IAM user temporary access to an S3 bucket for exactly one hour. Which AWS service should be used to generate temporary credentials?

A. Amazon Cognito
B. AWS SSO
C. AWS STS
D. AWS IAM
Answer: C

STS generates temporary credentials with a specified duration.

Why this answer

AWS STS (Security Token Service) is used to generate temporary, limited-privilege credentials for IAM users or federated users. IAM roles provide temporary credentials but are assumed, not generated for a specific user. Cognito is for identity federation with mobile/web apps.

SSO provides single sign-on access.

1724
MCQ, easy

A company is using Amazon RDS for MySQL and needs to encrypt the database at rest. Which action should be taken to enable encryption?

A. Create a read replica with encryption enabled
B. Use AWS Secrets Manager to encrypt the data
C. Enable encryption when creating the DB instance
D. Modify the existing DB instance and enable encryption
Answer: C

Encryption at rest must be enabled during creation.

Why this answer

Encryption at rest for RDS can only be enabled at creation time. Option B is wrong because encryption cannot be added later. Option C is wrong because enabling encryption on an existing instance is not supported.

Option D is wrong because client-side encryption is not native and requires application changes.

1725
MCQ, easy

A DevOps engineer needs to ensure that an application running on EC2 can automatically recover from an underlying hardware failure without manual intervention. Which AWS feature should be enabled?

A. Enable termination protection
B. Configure EC2 Auto Recovery with a CloudWatch alarm
C. Configure an Auto Scaling group with a minimum size of 1
D. Enable CloudWatch detailed monitoring
Answer: B

Recovers the instance automatically on hardware failure.

Why this answer

EC2 Auto Recovery automatically recovers an instance if it becomes impaired due to underlying hardware failure. Option B is wrong because termination protection prevents accidental deletion, not recovery. Option C is wrong because detailed monitoring is for CloudWatch.

Option D is wrong because placement groups affect performance, not recovery.
