AWS Certified DevOps Engineer Professional DOP-C02 (DOP-C02) — Questions 151-225

1740 questions total · 24 pages · all types, answers revealed

Page 3 of 24
151
Multi-Select · hard

A company has an IAM policy that allows users to manage their own passwords and MFA devices. The policy includes a condition that requires MFA for all API operations except for changing passwords and MFA. Which THREE statements are true about this policy? (Choose THREE.)

Select 3 answers
A.The policy creates an IAM role for MFA enforcement.
B.The policy applies to the AWS account root user.
C.The policy uses NotAction to exclude password and MFA actions.
D.The policy uses the aws:MultiFactorAuthPresent condition key.
E.The policy must be attached to IAM users or groups.
Answers: C, D, E

NotAction carves the password and MFA actions out of the Deny, so they work without MFA.

Why this answer

Options C, D, and E are correct. The policy uses a Deny statement whose NotAction lists the password and MFA self-management actions, under the condition "Bool": {"aws:MultiFactorAuthPresent": "false"}, so every other API call is denied unless the caller authenticated with MFA, while password and MFA changes remain possible without it. Being an identity-based policy, it takes effect only when attached to IAM users or groups (or a role). One practical caveat: aws:MultiFactorAuthPresent is absent from requests signed with long-term access keys, and a plain Bool test on an absent key evaluates to false, so the Deny would not fire for those requests; AWS's published version of this policy uses BoolIfExists so that the absent key also triggers the Deny.

Option A is wrong because the policy does not create an IAM role; it is an identity-based policy. Option B is wrong because identity-based policies are not attached to the root user, so the MFA requirement does not apply to it.

152
MCQ · easy

A DevOps engineer is configuring AWS Config rules to detect non-compliant security groups. The rule should trigger if any security group allows inbound SSH (port 22) from 0.0.0.0/0. Which AWS managed Config rule should be used?

A.vpc-sg-open-only-to-authorized-ports
B.ec2-security-group-attached-to-eni
C.restricted-ssh
D.incoming-ssh-disabled
Answer: C

restricted-ssh checks for inbound SSH from 0.0.0.0/0.

Why this answer

Option C is correct because restricted-ssh is the managed rule that flags security groups allowing inbound TCP port 22 from 0.0.0.0/0 (or ::/0). Its rule identifier is INCOMING_SSH_DISABLED, which is where option D's name comes from; that is the identifier of restricted-ssh, not a separate managed rule. Option A is wrong because vpc-sg-open-only-to-authorized-ports checks open ports against a configurable list of authorized ports and is not specific to SSH. Option B is wrong because ec2-security-group-attached-to-eni checks whether a group is attached to a network interface, not what its rules allow. Option D is wrong because incoming-ssh-disabled is not a managed rule name.
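The check that restricted-ssh performs, written out as an added example (not from the question bank) in the form a custom Config rule would evaluate it: it walks the IpPermissions structure that EC2 DescribeSecurityGroups returns and reports a group as NON_COMPLIANT when any inbound rule admits TCP port 22 from 0.0.0.0/0 or ::/0, including the cases people miss (port 22 hidden inside a range, and the all-traffic protocol -1 that carries no ports at all). The security groups are constructed sample data; no AWS API is called.

```python
"""Added example, not from the question bank: the check that restricted-ssh performs,
written as a custom Config-style evaluation over the IpPermissions structure returned
by EC2 DescribeSecurityGroups. The security groups below are constructed sample data;
no AWS API is called."""
import ipaddress

SSH_PORT = 22


def _sources(rule: dict) -> list:
    """All CIDR sources of one inbound rule (IPv4 and IPv6)."""
    return ([r["CidrIp"] for r in rule.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])


def _covers_ssh(rule: dict) -> bool:
    """True if the rule's protocol/port range admits TCP port 22."""
    proto = rule.get("IpProtocol")
    if proto == "-1":                      # "all traffic" includes port 22
        return True
    if proto != "tcp":                     # udp/icmp/others cannot carry SSH
        return False
    # FromPort/ToPort may be absent; treat absence as all ports.
    return rule.get("FromPort", 0) <= SSH_PORT <= rule.get("ToPort", 65535)


def _is_world(cidr: str) -> bool:
    """0.0.0.0/0 and ::/0 both have prefix length 0; anything else is scoped."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def offending_rules(sg: dict) -> list:
    """Inbound rules that expose SSH to the whole internet."""
    return [r for r in sg.get("IpPermissions", [])
            if _covers_ssh(r) and any(_is_world(c) for c in _sources(r))]


def evaluate_security_group(sg: dict) -> dict:
    """Shape of one evaluation a custom Config rule would return via PutEvaluations."""
    bad = offending_rules(sg)
    return {
        "ComplianceResourceType": "AWS::EC2::SecurityGroup",
        "ComplianceResourceId": sg["GroupId"],
        "ComplianceType": "NON_COMPLIANT" if bad else "COMPLIANT",
        "Annotation": "SSH open to the internet" if bad else "SSH is restricted",
    }


# Constructed sample groups covering the edge cases the rule has to handle.
SAMPLE_GROUPS = [
    {"GroupId": "sg-open22", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-range", "IpPermissions": [           # 22 hidden inside a range, IPv6
        {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 25,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-alltraffic", "IpPermissions": [      # protocol -1 has no ports at all
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-internal", "IpPermissions": [        # scoped source: compliant
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-udp22", "IpPermissions": [           # port 22 but UDP: compliant
        {"IpProtocol": "udp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]


def evaluate_all(groups=SAMPLE_GROUPS) -> dict:
    """GroupId -> compliance for every group; convenient for a quick audit run."""
    return {sg["GroupId"]: evaluate_security_group(sg)["ComplianceType"] for sg in groups}


if __name__ == "__main__":
    for gid, status in evaluate_all().items():
        print(f"{gid}: {status}")
```

Feeding real data is a matter of replacing SAMPLE_GROUPS with the SecurityGroups list from a DescribeSecurityGroups response; the prefix-length test is what keeps the check honest against ::/0 and against CIDRs written in unusual but equivalent forms.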

153
MCQ · medium

An IAM policy attached to a user is shown in the exhibit. The user reports that they are unable to delete an object in the 'example-bucket' bucket. What is the reason for this?

A.The resource ARN does not match the bucket name
B.The explicit Deny statement overrides the Allow
C.The user does not have permissions to perform s3:DeleteObject
D.The policy has a syntax error
Answer: B

Deny always takes precedence over Allow.

Why this answer

Option B is correct because an explicit Deny overrides any Allow. The Deny action s3:DeleteObject explicitly denies the delete, even though the Allow all s3 actions includes delete. Option A is wrong because the resource ARN matches.

Option C is wrong because the policy allows all s3 actions, but the Deny blocks delete. Option D is wrong because the policy is valid.

154
MCQ · medium

A development team uses AWS CodeCommit and wants to enforce that all commits include a JIRA issue key in the commit message. They want to reject any push that does not contain a valid JIRA key. Which approach should the engineer use?

A.Create a CloudWatch Events rule that triggers a Lambda function on push
B.Use AWS CodeCommit hooks to validate commit messages
C.Use a Lambda function triggered by CodeCommit push events that calls codecommit:PutRepositoryTriggers to reject
D.Configure a pre-commit hook in the Git client
Answer: C

The key expects a Lambda function, triggered on push, to validate commit messages through the CodeCommit API.

Why this answer

Option C is the keyed answer: a CodeCommit trigger or an EventBridge rule invokes a Lambda function on push, and the function reads the new commits (for example with GetCommit) and checks each message for a JIRA key. Be aware that the trigger fires after CodeCommit has already accepted the push, and codecommit:PutRepositoryTriggers only configures triggers; neither can reject a push. In practice such a function can only detect the violation and then notify, revert the commit, or block the merge through pull-request approval rules. Option A is incorrect because a CloudWatch Events rule by itself only invokes a target; the validation logic still has to live somewhere. Option B is incorrect because CodeCommit does not support server-side Git hooks. Option D is incorrect because pre-commit hooks are client-side and not enforced by AWS.

155
MCQ · medium

A company uses AWS CodePipeline to orchestrate builds and deployments. The build stage uses CodeBuild to run unit tests and generate a report. The team wants to fail the pipeline if the test coverage drops below 80%. How should the engineer configure this?

A.Add a post-build action in the buildspec that checks coverage and exits with non-zero if below threshold.
B.Configure CodeBuild to fail the build if the test report indicates coverage below 80% using the buildspec's reports section.
C.Enable CodeBuild's 'Test Reporting' feature and set a threshold in the CodeBuild project configuration.
D.Use a CodePipeline condition to check the test report artifact and fail the pipeline if coverage is low.
Answer: B

The key treats CodeBuild test reports as able to fail the build on coverage.

Why this answer

Option B is the keyed answer: the reports section of the buildspec uploads test and code-coverage reports, and the key assumes a coverage threshold is evaluated there. In practice CodeBuild reports record coverage percentages but do not enforce a threshold, so the reliable way to gate on 80% is the scripted check of option A: parse the coverage report in post_build and exit non-zero when line coverage is below the threshold, which fails the build and therefore the pipeline stage. Option C is wrong because there is no coverage threshold setting in the CodeBuild project configuration. Option D is wrong because CodePipeline has no condition that reads the contents of a test report artifact.
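The post_build gate that option A describes, as an added example (not from the question bank): a script the buildspec runs after the tests, which reads a JaCoCo XML coverage report, takes line coverage from the report-level counter and exits non-zero when it is below the threshold. It fails closed, so a missing or malformed report also fails the build. The report is constructed sample data; the 80% threshold and the report path in the usage note are assumptions.

```python
"""Added example, not from the question bank: the post_build gate that option A
describes, as a script the buildspec runs after the tests. It reads a JaCoCo XML
coverage report (one of the formats CodeBuild's reports section can also upload),
computes line coverage from the report-level counter and exits non-zero when it is
below the threshold, which fails the build and stops the pipeline. The report below
is constructed sample data; the threshold and file path are assumptions."""
import sys
import xml.etree.ElementTree as ET

THRESHOLD_PERCENT = 80.0

# Constructed JaCoCo report: 70 of 100 lines covered overall (class counters sum to it).
SAMPLE_JACOCO_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<report name="app">
  <package name="com/example">
    <class name="com/example/Handler" sourcefilename="Handler.java">
      <counter type="LINE" missed="5" covered="60"/>
    </class>
    <class name="com/example/Util" sourcefilename="Util.java">
      <counter type="LINE" missed="25" covered="10"/>
    </class>
    <counter type="LINE" missed="30" covered="70"/>
  </package>
  <counter type="INSTRUCTION" missed="120" covered="380"/>
  <counter type="LINE" missed="30" covered="70"/>
  <counter type="BRANCH" missed="8" covered="12"/>
</report>
"""


def line_coverage_percent(report_xml: bytes) -> float:
    """Line coverage from the report-level LINE counter. Only direct children of
    <report> are read; package/class counters repeat the same lines and must not
    be summed again."""
    root = ET.fromstring(report_xml)
    for counter in root.findall("counter"):
        if counter.get("type") == "LINE":
            missed = int(counter.get("missed", "0"))
            covered = int(counter.get("covered", "0"))
            total = missed + covered
            if total == 0:
                raise ValueError("report contains no lines; refusing to treat it as covered")
            return 100.0 * covered / total
    raise ValueError("no report-level LINE counter found")


def coverage_gate(report_xml: bytes, threshold: float = THRESHOLD_PERCENT):
    """Return (passed, percent, error). Anything that prevents a measurement is a
    failure: a missing or malformed report must fail the build, never pass it."""
    try:
        pct = line_coverage_percent(report_xml)
    except (ET.ParseError, ValueError) as exc:
        return False, float("nan"), str(exc)
    return pct >= threshold, pct, ""


def main(argv) -> int:
    if len(argv) > 1:
        try:
            with open(argv[1], "rb") as fh:
                data = fh.read()
        except OSError as exc:
            print(f"coverage report unreadable: {exc}", file=sys.stderr)
            return 1
    else:
        data = SAMPLE_JACOCO_XML          # demo run without a file argument
    passed, pct, err = coverage_gate(data)
    label = "PASS" if passed else "FAIL"
    print(f"line coverage {pct:.1f}% (threshold {THRESHOLD_PERCENT:.0f}%): {label} {err}")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In the buildspec this would be a post_build command such as python3 coverage_gate.py target/site/jacoco/jacoco.xml (path assumed); because the script's non-zero exit fails the phase, the CodeBuild action fails and CodePipeline stops at that stage.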

156
MCQ · medium

A company is using Amazon RDS for MySQL with Multi-AZ deployment. The database experiences a failover due to an availability zone outage. After the failover, the application team reports that the database endpoint is not resolving to the new primary. What is the most likely reason?

A.The RDS CNAME record was not updated by AWS after the failover.
B.The application is using the read replica endpoint instead of the primary endpoint.
C.The application is using a Route 53 health check that failed and redirected traffic away from the endpoint.
D.The application is using a cached DNS resolution that points to the old primary.
Answer: D

Client-side DNS caching keeps the old IP address in use until the cached entry expires.

Why this answer

Option D is correct because after an RDS Multi-AZ failover AWS repoints the DB instance's CNAME at the new primary in the former standby AZ; if the application or its resolver has cached the previous lookup, it keeps connecting to the old address, which no longer accepts connections. The TTL of the RDS record is set by AWS, not the customer, so the fix is on the client side: honour the TTL instead of caching indefinitely, and re-resolve the endpoint when a connection fails. Java applications are a frequent culprit, since the JVM caches successful lookups according to the networkaddress.cache.ttl security property (indefinitely when a security manager is installed), so set it to a short value such as 60 seconds and keep reconnect logic in the connection pool.

Exam trap

The trap here is that candidates may assume AWS automatically handles DNS propagation instantly or that the CNAME record is not updated, but the real issue is client-side DNS caching, which is a common operational oversight in failover scenarios.

How to eliminate wrong answers

Option A is wrong because AWS automatically updates the RDS CNAME record to point to the new primary after a failover; it is not a manual process. Option B is wrong because the read replica endpoint is a separate endpoint used for read-only traffic; using it would not cause the primary endpoint to fail to resolve, and the application team reported the database endpoint is not resolving, not that it is resolving to the wrong instance. Option C is wrong because Route 53 health checks are not used for RDS DNS resolution; RDS uses its own internal DNS system with CNAME records, and Route 53 health checks are typically used for custom domain names pointing to RDS, not for the default RDS endpoint.

157
MCQ · medium

The IAM policy above is attached to a user. The user tries to stop an EC2 instance. What will happen?

A.The user is denied due to an implicit deny.
B.The user cannot stop the instance because there is no explicit allow for all instances.
C.The user cannot stop the instance because the Deny statement overrides the Allow.
D.The user can stop the instance.
Answer: D

Explicit Allow for StopInstances, with no Deny covering it.

Why this answer

Option D is correct because the policy explicitly allows ec2:StopInstances and contains no Deny for it. Option A is wrong because an implicit deny applies only to actions with no matching Allow, and StopInstances has one. Option B is wrong because the Allow on ec2:StopInstances covers the instance in question; an Allow over every instance is not required. Option C is wrong because the Deny in the policy applies only to ec2:TerminateInstances.
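Questions 151, 153 and 157 all turn on the same evaluation rules: an explicit Deny beats any Allow, NotAction carves actions out of a statement, conditions such as aws:MultiFactorAuthPresent decide whether a statement applies, and anything not allowed is implicitly denied. The block below is an added example (not from the question bank) that implements that subset of the evaluation logic and runs three constructed policies modelled on those questions through it; the policies are not copied from any exhibit, and the account id and user name are assumptions. It also shows the Bool versus BoolIfExists gap from question 151: a request signed with a long-term access key carries no aws:MultiFactorAuthPresent key at all.

```python
"""Added example, not from the question bank: a small evaluator for the identity-policy
rules these questions turn on (explicit Deny beats Allow, NotAction carve-outs,
Bool/BoolIfExists conditions, implicit deny). It handles only the subset of the policy
language used below; the three policies are constructed to match the questions and
are not copied from any exhibit. Account id and user name are assumptions."""
import fnmatch

USER_ARN = "arn:aws:iam::123456789012:user/alice"   # assumed
INSTANCE_ARN = "arn:aws:ec2:us-east-1:123456789012:instance/i-0abc"  # assumed


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _matches(patterns, value) -> bool:
    """IAM-style wildcard match ('*' and '?'); case-sensitive for simplicity."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_ok(cond, ctx) -> bool:
    """Bool and BoolIfExists over the request context (keys such as
    aws:MultiFactorAuthPresent). An absent key fails Bool but matches BoolIfExists."""
    for op, pairs in (cond or {}).items():
        if op not in ("Bool", "BoolIfExists"):
            raise ValueError(f"operator {op} not supported by this demo")
        for key, want in pairs.items():
            if key not in ctx:
                if op == "BoolIfExists":
                    continue
                return False
            if str(ctx[key]).lower() != str(want).lower():
                return False
    return True


def _applies(stmt, action, resource, ctx) -> bool:
    if "Action" in stmt and not _matches(stmt["Action"], action):
        return False
    if "NotAction" in stmt and _matches(stmt["NotAction"], action):
        return False                       # carved-out actions are untouched
    if not _matches(stmt.get("Resource", "*"), resource):
        return False
    return _condition_ok(stmt.get("Condition"), ctx)


def evaluate(policies, action, resource, ctx=None) -> str:
    """Identity-policy evaluation: any explicit Deny wins, else any Allow, else Deny."""
    ctx = ctx or {}
    allowed = False
    for pol in policies:
        for stmt in _as_list(pol["Statement"]):
            if not _applies(stmt, action, resource, ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "Deny"


SELF_SERVICE = ["iam:ChangePassword", "iam:CreateVirtualMFADevice",
                "iam:EnableMFADevice", "iam:ResyncMFADevice"]


def mfa_policy(operator="BoolIfExists") -> dict:
    """Question 151: self-service password/MFA allowed without MFA, everything else
    denied unless MFA is present. The operator parameter shows why BoolIfExists matters."""
    return {"Statement": [
        {"Effect": "Allow", "Action": SELF_SERVICE, "Resource": USER_ARN},
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {"Effect": "Deny", "NotAction": SELF_SERVICE, "Resource": "*",
         "Condition": {operator: {"aws:MultiFactorAuthPresent": "false"}}},
    ]}


S3_POLICY = {"Statement": [                         # question 153
    {"Effect": "Allow", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::example-bucket/*"},
]}

EC2_POLICY = {"Statement": [                        # question 157
    {"Effect": "Allow", "Action": ["ec2:StopInstances", "ec2:StartInstances"], "Resource": "*"},
    {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*"},
]}


def demo() -> dict:
    with_mfa = {"aws:MultiFactorAuthPresent": "true"}
    no_mfa = {"aws:MultiFactorAuthPresent": "false"}     # session without MFA
    access_key = {}                                        # long-term key: key absent
    obj = "arn:aws:s3:::example-bucket/report.csv"
    return {
        "q151_change_password_without_mfa": evaluate([mfa_policy()], "iam:ChangePassword", USER_ARN, no_mfa),
        "q151_describe_without_mfa": evaluate([mfa_policy()], "ec2:DescribeInstances", "*", no_mfa),
        "q151_describe_with_mfa": evaluate([mfa_policy()], "ec2:DescribeInstances", "*", with_mfa),
        "q151_bool_access_key_gap": evaluate([mfa_policy("Bool")], "ec2:DescribeInstances", "*", access_key),
        "q151_boolifexists_access_key": evaluate([mfa_policy()], "ec2:DescribeInstances", "*", access_key),
        "q153_get_object": evaluate([S3_POLICY], "s3:GetObject", obj),
        "q153_delete_object": evaluate([S3_POLICY], "s3:DeleteObject", obj),
        "q157_stop": evaluate([EC2_POLICY], "ec2:StopInstances", INSTANCE_ARN),
        "q157_terminate": evaluate([EC2_POLICY], "ec2:TerminateInstances", INSTANCE_ARN),
        "q157_reboot_implicit_deny": evaluate([EC2_POLICY], "ec2:RebootInstances", INSTANCE_ARN),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The evaluator deliberately stops at the first matching Deny, which is the behaviour question 153 depends on, and the q151_bool_access_key_gap entry is the case that makes the AWS-published policy use BoolIfExists: with plain Bool, the access-key request slips past the Deny and the ec2:Describe* Allow wins.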

158
MCQ · medium

A DevOps team uses AWS CodePipeline to deploy a web application. The pipeline has a manual approval step. During an incident, the deployment is stuck at the approval step because the approver is on leave. The team needs to unblock the pipeline quickly. What is the BEST action to take?

A.Update the pipeline definition to remove the manual approval step temporarily.
B.Use the CodePipeline console to approve the action directly as a different user.
C.Disable the transition to the approval stage and manually run the remaining stages.
D.Retry the action in the approval stage from the CodePipeline console.
Answer: D

Retrying re-runs the approval action, which resends the approval notification.

Why this answer

Option D is the keyed answer: retrying the stalled approval action from the console re-initiates it, so the approval notification (for example the SNS message configured on the action) is sent again and another member of the approver group can act. Option A is wrong because editing the pipeline definition removes the control itself rather than unblocking one execution, and it leaves the change-management gate open until someone remembers to restore it. Option B is marked wrong in this key because the step is intended for the designated approver, although any IAM principal granted codepipeline:PutApprovalResult on the pipeline can approve or reject it from the console. Option C is wrong because manual approval is an action inside a stage, and disabling the inbound transition stops the pipeline before that stage instead of moving it past the approval.

159
MCQ · hard

A company uses AWS CloudTrail to log API calls. An IAM user's credentials are compromised, and the attacker launches multiple EC2 instances in regions that are not typically used. The security team wants to receive near-real-time notifications of any API calls from this user. What is the MOST effective solution?

A.Create an AWS Config rule that checks for EC2 instances in unauthorized regions
B.Configure CloudTrail to deliver logs to an S3 bucket and enable S3 event notifications to SQS
C.Create a CloudTrail trail that delivers to CloudWatch Logs, then set up a CloudWatch Events rule to invoke a Lambda function that sends an SNS notification
D.Use CloudWatch Logs Insights to query CloudTrail logs every 5 minutes and send results via email
Answer: C

CloudTrail delivered to CloudWatch Logs, with an event rule invoking Lambda and SNS, gives near-real-time notification.

Why this answer

Option C is correct because CloudTrail delivers events to CloudWatch Logs and to CloudWatch Events (now Amazon EventBridge) in near real time; a rule that matches the compromised user's API calls invokes a Lambda function that publishes an SNS notification. Option A is wrong because Config rules evaluate resource configuration compliance, not API calls as they happen. Option B is wrong because CloudTrail's S3 log delivery is batched and typically runs minutes behind the call, so an S3 event notification is not near-real-time. Option D is wrong because CloudWatch Logs Insights is a query tool for historical logs; polling it every 5 minutes is slower and more fragile than an event-driven rule.
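The detection logic that the Lambda target in option C would run on each CloudTrail event, together with the EventBridge rule pattern it sits behind, as an added example (not from the question bank). The pattern and the event are constructed in the envelope EventBridge delivers; the user name, account id, allowed regions and high-impact action list are assumptions, and the SNS publish is left as a comment so the block runs offline.

```python
"""Added example, not from the question bank: the detection logic a Lambda target of
the EventBridge rule in option C could run on each CloudTrail event, plus the rule
pattern it would sit behind. The pattern and the event are constructed; the user
name, account id, allowed regions and high-impact action list are assumptions, and
the SNS publish is left as a comment so the block runs offline."""
import json

WATCHED_USER = "compromised-user"                 # assumed IAM user name
ALLOWED_REGIONS = {"us-east-1", "eu-west-1"}      # assumed normal operating regions
HIGH_IMPACT = {"RunInstances", "CreateUser", "CreateAccessKey",
               "PutUserPolicy", "AttachUserPolicy", "CreateLoginProfile"}

# EventBridge rule pattern (dict form of the JSON you would put in the rule):
# every CloudTrail-recorded API call made by the watched IAM user.
EVENT_PATTERN = {
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"userIdentity": {"type": ["IAMUser"], "userName": [WATCHED_USER]}},
}

# Constructed event in the envelope EventBridge hands to the function.
SAMPLE_EVENT = {
    "version": "0", "id": "c1d2e3", "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.ec2", "account": "123456789012", "region": "ap-southeast-2",
    "detail": {
        "eventVersion": "1.08", "eventTime": "2024-01-01T12:00:00Z",
        "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
        "awsRegion": "ap-southeast-2", "sourceIPAddress": "198.51.100.23",
        "userIdentity": {"type": "IAMUser", "userName": WATCHED_USER,
                         "arn": "arn:aws:iam::123456789012:user/" + WATCHED_USER},
        "requestParameters": {"instancesSet": {"items": [
            {"imageId": "ami-00000000", "minCount": 10, "maxCount": 10}]}},
    },
}


def matches_pattern(event: dict, pattern: dict) -> bool:
    """Minimal EventBridge matcher: each pattern key must exist in the event; nested
    dicts recurse; a leaf list means the event value must be one of its members."""
    for key, want in pattern.items():
        if key not in event:
            return False
        if isinstance(want, dict):
            if not isinstance(event[key], dict) or not matches_pattern(event[key], want):
                return False
        elif event[key] not in want:
            return False
    return True


def classify(event: dict) -> dict:
    """Score the call: watched user, unusual region, high-impact action."""
    d = event["detail"]
    ident = d.get("userIdentity", {})
    region = d.get("awsRegion")
    reasons = []
    if ident.get("userName") == WATCHED_USER:
        reasons.append("call by watched (compromised) user")
    if region not in ALLOWED_REGIONS:
        reasons.append(f"activity in unusual region {region}")
    if d.get("eventName") in HIGH_IMPACT:
        reasons.append(f"high-impact action {d['eventName']}")
    severity = "HIGH" if len(reasons) >= 2 else "MEDIUM" if reasons else "INFO"
    return {"severity": severity, "user": ident.get("userName"),
            "action": f"{d.get('eventSource')}:{d.get('eventName')}",
            "region": region, "source_ip": d.get("sourceIPAddress"),
            "time": d.get("eventTime"), "reasons": reasons}


def handler(event: dict, context=None) -> dict:
    """Lambda entry point. The rule already filters on the pattern; re-checking it
    here guards against the function being invoked through a wider rule later."""
    if not matches_pattern(event, EVENT_PATTERN):
        return {"ignored": True}
    finding = classify(event)
    message = json.dumps(finding, indent=2)
    subject = f"[{finding['severity']}] {finding['action']} by {finding['user']} in {finding['region']}"
    # boto3.client("sns").publish(TopicArn=TOPIC_ARN, Subject=subject[:100], Message=message)
    return {"ignored": False, "subject": subject, "finding": finding}


if __name__ == "__main__":
    print(json.dumps(handler(SAMPLE_EVENT), indent=2))
```

Note that the rule pattern keys off userIdentity.userName, which is only present for IAMUser identities; if the stolen credentials are used to assume roles, a second pattern on userIdentity.sessionContext.sessionIssuer (or on the access key id) is needed to keep following the attacker.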

160
Multi-Select · medium

A company uses AWS CloudFormation to deploy infrastructure. They want to implement a change management process that requires approval before any stack update is executed. Which TWO approaches can achieve this? (Choose TWO.)

Select 2 answers
A.Use AWS CodePipeline with a manual approval stage before the CloudFormation deployment action.
B.Use CloudFormation StackSets with approval tokens.
C.Use CloudFormation Change Sets and require a separate user to execute them.
D.Use AWS Service Catalog to manage CloudFormation templates and require approval for product launches.
E.Implement a custom AWS Lambda function that checks a ticketing system before allowing the update to proceed.
Answers: A, E

CodePipeline supports manual approval gates.

Why this answer

Options A and E are correct. Option A places a manual approval action in CodePipeline ahead of the CloudFormation deploy action, so the update cannot run until an approver acts. Option E uses a Lambda function (for example invoked from the pipeline or a Step Functions workflow) to check the ticketing system for an approved change before the update proceeds.

Option B is wrong because StackSets have no approval-token feature; CloudFormation itself has no built-in approval mechanism. Option C is wrong because change sets let a reviewer preview an update, but creating and executing one does not by itself require an approval, although separating the execute permission into a different principal is a common complement to a real approval gate. Option D is wrong because Service Catalog constrains which products can be launched and with which parameters; it does not provide a per-update approval workflow.

161
MCQ · medium

Refer to the exhibit. After a deployment at 10:00, the error rate increases steadily. What is the MOST likely cause?

A.An external dependency became unavailable after the deployment.
B.A bug in the new release causes errors to accumulate over time.
C.The database connection limit was reached immediately after deployment.
D.The deployment triggered a scaling event that overloaded the application.
Answer: B

The steady increase suggests a defect that worsens with time, like a memory leak or resource exhaustion.

Why this answer

The error count increases after deployment and continues to rise, suggesting a code defect or configuration issue introduced by the deployment that causes progressively more errors (e.g., memory leak, connection pool exhaustion).

162
MCQ · hard

Refer to the exhibit. A CloudFormation template creates a Lambda function. After deployment, the function fails with a timeout error. Logs are not being created in CloudWatch. What is the most likely cause?

A.The IAM role does not grant sufficient permissions to write logs.
B.The runtime is not supported.
C.The Lambda execution role has a trust policy that is missing the lambda service.
D.The Lambda function code is faulty.
Answer: A

The log resource ARN should cover the function's log group, for example arn:aws:logs:region:account-id:log-group:/aws/lambda/function-name:*.

Why this answer

Option A is correct because the execution role does not grant logs:CreateLogGroup, logs:CreateLogStream and logs:PutLogEvents on the right resource: the log-group ARN in the policy is missing the log group name, so the function cannot create or write to /aws/lambda/<function-name> and no logs appear. Option B is wrong because the runtime in the template is supported. Option C is wrong because the role is assumed correctly; a trust policy missing lambda.amazonaws.com would stop the function from running at all rather than only suppress its logs. Option D is wrong because faulty code would still produce log output (at least the START, END and REPORT lines and the error) if the logging permissions were in place.

163
Multi-Select · easy

A team uses AWS CodeBuild to build a Node.js application. The buildspec.yml file is at the root of the repository. The build fails with 'Error: Cannot find module 'aws-sdk''. Which TWO actions could resolve the issue? (Choose TWO.)

Select 2 answers
A.Ensure 'aws-sdk' is listed in the 'dependencies' section of package.json.
B.Specify a different Node.js runtime version in the buildspec.
C.Add a 'pre_build' phase that runs 'npm test'.
D.Add a 'install' phase that runs 'npm install'.
E.Add a 'build' phase command to compile the code.
Answers: A, D

Without it in package.json, npm install will not install aws-sdk.

Why this answer

A and D are correct. A: listing aws-sdk in the dependencies of package.json makes npm install it. D: an install phase that runs npm install actually installs the declared dependencies into node_modules before the build runs.

B is incorrect because the Node.js runtime version does not affect whether a module is installed. C is incorrect because pre_build runs after the install phase, and npm test does not install anything. E is incorrect because build commands compile or package the code; they do not install dependencies.

164
MCQ · easy

A development team uses AWS CodeCommit for source control and wants to automatically run unit tests on every push to the main branch. Which AWS service should they use to trigger the tests?

A.AWS CodeBuild
B.Amazon CloudWatch Events
C.AWS CodePipeline
D.AWS CodeDeploy
Answer: C

CodePipeline can be configured to start on CodeCommit push and run tests.

Why this answer

AWS CodePipeline is the correct service because it provides a fully managed continuous delivery service that can be configured to automatically trigger a build action (such as running unit tests in AWS CodeBuild) whenever a change is pushed to a specified branch in AWS CodeCommit. This is achieved by setting the source stage to the CodeCommit repository and branch, and then adding a build stage that invokes CodeBuild to execute the tests, enabling an automated CI/CD workflow.

Exam trap

The trap here is that candidates often confuse AWS CodeBuild as a standalone trigger because it can run tests, but they overlook that CodeBuild lacks native event-driven triggers and requires an orchestrator like CodePipeline or EventBridge to automate the start on a repository push.

How to eliminate wrong answers

Option A is wrong because AWS CodeBuild is a build service that compiles source code and runs tests, but it does not have native event-driven triggers to automatically start on a CodeCommit push; it requires an external trigger like CodePipeline or Amazon EventBridge. Option B is wrong because Amazon CloudWatch Events (now part of Amazon EventBridge) can capture CodeCommit repository events (e.g., push to branch) but cannot directly run unit tests; it would need to invoke a target like AWS Lambda or CodeBuild, making it an indirect and less integrated solution compared to CodePipeline. Option D is wrong because AWS CodeDeploy is a deployment service that automates application deployments to compute services (e.g., EC2, Lambda) and does not include functionality to run unit tests or trigger builds from source code changes.

165
MCQ · medium

A company uses AWS Elastic Beanstalk for deploying web applications. They want to automate deployments whenever a new commit is pushed to the master branch of their CodeCommit repository. Which AWS service should they use to trigger the deployment?

A.AWS CloudTrail
B.AWS OpsWorks
C.Amazon CloudWatch Events
D.AWS CodePipeline
Answer: D

CodePipeline integrates with CodeCommit and Elastic Beanstalk for continuous delivery.

Why this answer

AWS CodePipeline is a fully managed continuous delivery service that can be configured to automatically trigger a deployment pipeline when a new commit is pushed to a CodeCommit repository's master branch. It integrates directly with CodeCommit as a source action and Elastic Beanstalk as a deployment provider, enabling end-to-end automation without custom scripting.

Exam trap

The trap here is that candidates confuse CloudWatch Events (EventBridge) as a direct trigger for Elastic Beanstalk deployments, but it lacks the built-in pipeline orchestration and artifact management that CodePipeline provides for CI/CD workflows.

How to eliminate wrong answers

Option A is wrong because AWS CloudTrail is an auditing service that records API calls for governance and compliance, not a service for triggering automated deployments. Option B is wrong because AWS OpsWorks is a configuration management service using Chef or Puppet, not designed for event-driven deployment triggers from CodeCommit. Option C is wrong because Amazon CloudWatch Events (now Amazon EventBridge) can detect CodeCommit events but requires a custom target (e.g., a Lambda function) to invoke Elastic Beanstalk; it does not natively orchestrate the deployment pipeline as CodePipeline does.

166
MCQ · easy

An application running on AWS Lambda is experiencing increased error rates. The DevOps engineer needs to quickly identify the root cause. Which AWS service should the engineer use to analyze the logs and errors?

A.AWS X-Ray
B.AWS Trusted Advisor
C.AWS Config
D.AWS CloudTrail
Answer: A

X-Ray traces requests through Lambda and can pinpoint where errors occur.

Why this answer

Option A is correct because AWS X-Ray provides end-to-end tracing and surfaces errors, faults and latency for Lambda functions and the downstream services they call. Option B is wrong because Trusted Advisor provides best-practice checks, not error analysis. Option C is wrong because Config tracks resource configuration compliance. Option D is wrong because CloudTrail logs API calls, not application errors. In practice the function's CloudWatch Logs, which hold the stack traces, are read alongside the X-Ray trace.

167
MCQ · medium

A company uses Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer. The operations team notices that some instances are failing health checks but are not being terminated by Auto Scaling. What should be investigated to resolve this issue?

A.Confirm that the load balancer's health check target is pointing to the correct port and path on the instances.
B.Check the health check grace period setting in the Auto Scaling group. If it is too long, instances failing health checks may not be terminated quickly.
C.Ensure the instances are sending health check requests to the load balancer.
D.Verify that the security group for the instances allows inbound traffic from the load balancer on the health check port.
Answer: B

The health check grace period is how long after launch Auto Scaling waits before acting on health check results. If it is set too high, failing instances persist.

Why this answer

Option B is correct because during the grace period Auto Scaling ignores failed health checks, so a long grace period lets unhealthy instances linger before they are replaced. Check at the same time that the group's health check type is ELB: with the default EC2 type, Auto Scaling disregards load balancer health checks altogether and only replaces instances that fail EC2 status checks. Option A is wrong because a wrong port or path would make the instances fail the health check, which is already happening; the question is why Auto Scaling is not replacing them. Option C is wrong because the load balancer sends health checks to the instances, not the other way round. Option D is wrong because a blocked security group would cause failed health checks, not prevent Auto Scaling from acting on them.

168
MCQ · easy

A DevOps team uses AWS CodeBuild to compile a Java application. The build environment is managed by AWS and runs on Linux. The team wants to speed up the build process by caching dependency directories across builds. Which configuration should the team use?

A.Configure the buildspec file to use Docker layer caching
B.Use the CodeBuild cache configuration to store the entire build output in a custom Docker image
C.Store dependencies in an Amazon S3 bucket and download them at the start of each build
D.Enable local caching in the CodeBuild project and specify the cache location as /root/.m2
Answer: D

Local caching reuses files from previous builds on the same build host.

Why this answer

Option D is correct because CodeBuild supports local caching (custom cache mode) that keeps specified directories, such as the Maven local repository /root/.m2, between builds on the same build host; the directories are listed under cache: paths: in the buildspec. The local cache is best-effort, since it is only available when the next build lands on the same host, so cold builds still occur. Option A is wrong because Docker layer caching is for Docker image builds, not Java dependencies. Option B is wrong because a custom image bakes in a snapshot rather than caching build output, and it must be rebuilt whenever dependencies change. Option C is wrong because downloading dependencies from S3 with custom commands is not the built-in cache; CodeBuild does offer an S3 cache mode, but option C describes scripting it by hand.

169
MCQ · easy

A DevOps engineer receives an alert that an Amazon S3 bucket has become publicly accessible. The engineer needs to identify who made the bucket public. Which AWS service should the engineer use to find the API call that changed the bucket policy?

A.Amazon CloudWatch Logs
B.AWS CloudTrail
C.AWS Config
D.Amazon GuardDuty
Answer: B

CloudTrail records API calls together with the calling identity.

Why this answer

Option B is correct because CloudTrail records management API calls such as PutBucketPolicy and PutBucketAcl, including the caller's identity, source IP address and time. Option A is wrong because CloudWatch Logs only holds log data that is sent to it; it does not itself record S3 API calls. Option C is wrong because Config records the configuration change (and can flag the bucket as non-compliant) but not who made the call, although its resource timeline links to the corresponding CloudTrail event. Option D is wrong because GuardDuty can detect the exposure but does not log API calls.
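Scanning CloudTrail records for the call that made a bucket public, and reporting who made it, as an added example (not from the question bank). It reads a log file in the shape CloudTrail delivers to S3 (a JSON document with a Records array), inspects the request parameters of PutBucketPolicy and PutBucketAcl calls for a wildcard principal or an AllUsers/AuthenticatedUsers grant, and returns the caller's ARN, source IP and event id. The records are constructed sample data; the account id, user names and IP addresses are assumptions.

```python
"""Added example, not from the question bank: scanning a CloudTrail log file (the
JSON documents delivered to S3, each a {"Records": [...]} array) for the call that
made a bucket public and reporting the caller. The records are constructed sample
data in the shape CloudTrail uses for S3 management events; account id, user names
and IPs are assumptions."""
import json

PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _principal_is_wildcard(principal) -> bool:
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def policy_grants_public(policy: dict) -> bool:
    """An Allow statement with Principal '*' and no Condition. Wildcard statements
    that carry a Condition (e.g. aws:SourceVpce) need manual review and are skipped."""
    return any(s.get("Effect") == "Allow" and _principal_is_wildcard(s.get("Principal"))
               and not s.get("Condition")
               for s in _as_list(policy.get("Statement", [])))


def acl_grants_public(acp: dict) -> bool:
    """Grant may be a single object or a list in the logged request parameters."""
    grants = _as_list(acp.get("AccessControlList", {}).get("Grant", []))
    return any(g.get("Grantee", {}).get("URI") in PUBLIC_GROUP_URIS for g in grants)


def exposing_events(records):
    """Yield one finding per record that opened a bucket to the public."""
    for r in records:
        if r.get("eventSource") != "s3.amazonaws.com":
            continue
        params = r.get("requestParameters") or {}
        name = r.get("eventName")
        if name == "PutBucketPolicy" and policy_grants_public(params.get("bucketPolicy", {})):
            how = "bucket policy with wildcard Principal"
        elif name == "PutBucketAcl" and acl_grants_public(params.get("AccessControlPolicy", {})):
            how = "ACL grant to AllUsers/AuthenticatedUsers"
        else:
            continue
        ident = r.get("userIdentity", {})
        yield {"bucket": params.get("bucketName"), "how": how, "time": r.get("eventTime"),
               "actor": ident.get("arn"), "identity_type": ident.get("type"),
               "source_ip": r.get("sourceIPAddress"), "event_id": r.get("eventID")}


def find_who_made_public(trail_json: str, bucket: str) -> list:
    records = json.loads(trail_json)["Records"]
    return [f for f in exposing_events(records) if f["bucket"] == bucket]


# Constructed log file: one exposing policy change, one benign policy change,
# one public ACL on another bucket, and a data event that must be ignored.
SAMPLE_TRAIL_FILE = json.dumps({"Records": [
    {"eventTime": "2024-03-05T09:12:44Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.7", "eventID": "e1",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot",
                      "arn": "arn:aws:iam::123456789012:user/deploy-bot"},
     "requestParameters": {"bucketName": "my-bucket", "bucketPolicy": {
         "Version": "2012-10-17", "Statement": [
             {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
              "Resource": "arn:aws:s3:::my-bucket/*"}]}}},
    {"eventTime": "2024-03-05T08:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "awsRegion": "us-east-1",
     "sourceIPAddress": "10.0.1.5", "eventID": "e2",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"bucketName": "my-bucket", "bucketPolicy": {
         "Version": "2012-10-17", "Statement": [
             {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
              "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/*"}]}}},
    {"eventTime": "2024-03-05T09:30:10Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketAcl", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.9", "eventID": "e3",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/OpsRole/bob"},
     "requestParameters": {"bucketName": "other-bucket", "AccessControlPolicy": {
         "AccessControlList": {"Grant": {"Grantee": {"xsi:type": "Group",
             "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
             "Permission": "READ"}}}}},
    {"eventTime": "2024-03-05T09:31:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "eventID": "e4", "userIdentity": {"type": "IAMUser"},
     "requestParameters": {"bucketName": "my-bucket", "key": "index.html"}},
]})


if __name__ == "__main__":
    for finding in find_who_made_public(SAMPLE_TRAIL_FILE, "my-bucket"):
        print(json.dumps(finding, indent=2))
```

For an assumed-role caller the arn field names the session, not the human; the role's sessionContext in the same record (and the matching AssumeRole event in CloudTrail) is where the chain back to a person continues.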

170
MCQ · medium

A company uses AWS CloudFormation to deploy infrastructure. They want to ensure that if a stack update fails, the stack is automatically rolled back to the last known good state. However, they also want to preserve any resources that were created successfully before the failure. Which CloudFormation stack policy should be used?

A.Define a creation policy with a resource signal.
B.Use a stack policy that denies update actions on resources that should be preserved.
C.Use a stack policy that allows all actions except delete.
D.Set the RollbackConfiguration property with a monitoring time.
Answer: B

Stack policies can prevent modification of critical resources during stack updates.

Why this answer

Option B is the keyed answer: a stack policy that denies Update:* on the resources to be preserved blocks changes to them during updates, so they remain untouched whatever happens to the rest of the update. Note that automatic rollback on a failed update is CloudFormation's default behaviour and needs no stack policy; the stack policy only shields the listed resources from modification. The closest built-in feature to "keep what was created before the failure" is the preserve-successfully-provisioned-resources failure option (the --disable-rollback flag on update-stack), which is not among the choices. Option A is wrong because a creation policy with resource signals controls when a resource counts as created, not rollback. Option C is wrong because an allow-all-except-delete policy still permits the resources to be modified or replaced. Option D is wrong because RollbackConfiguration (alarm-based monitoring) is a stack update setting, not a stack policy.

171
MCQ · medium

Refer to the exhibit. An IAM policy is attached to an IAM role used by an EC2 instance. The instance is part of an Auto Scaling group. During a scale-in event, the instance fails to stop itself. What is the MOST likely cause?

A.The policy allows ec2:StopInstances but not ec2:StartInstances.
B.The policy does not allow ec2:DescribeInstanceStatus.
C.The policy does not allow ec2:TerminateInstances.
D.The policy does not allow ec2:ModifyInstanceAttribute.
Answer: C

Auto Scaling terminates instances on scale-in; it does not stop them.

Why this answer

The policy allows ec2:StopInstances but not ec2:TerminateInstances, and scale-in terminates instances rather than stopping them. In a normal scale-in Auto Scaling performs the termination through its service-linked role (AWSServiceRoleForAutoScaling), so the instance profile only matters when the instance itself calls TerminateInstances, as the question implies; a missing DescribeInstanceStatus or ModifyInstanceAttribute permission would not block termination.

172
MCQ · medium

Refer to the exhibit. A DevOps engineer attaches this IAM policy to a user. The user reports that they cannot start a pipeline execution for 'my-pipeline' using the AWS CLI. What is the MOST likely reason?

A.The IAM policy does not allow the 'codepipeline:StartPipelineExecution' action.
B.The user is missing the 'codepipeline:ListPipelines' permission needed to list pipelines before execution.
C.The resource ARN for the pipeline is incorrect.
D.The policy has a condition that restricts execution to certain times.
Answer: B

The key assumes the CLI lists pipelines first, which requires an extra permission.

Why this answer

Option B is the keyed answer: the policy grants codepipeline:StartPipelineExecution on the pipeline but not codepipeline:ListPipelines, and the key treats listing as a prerequisite. Note that aws codepipeline start-pipeline-execution --name my-pipeline calls only StartPipelineExecution; ListPipelines is needed when the user enumerates pipelines first (for example in the console or a script that calls list-pipelines), so read the AccessDenied message to see which action was actually refused. Option A is wrong because the action is allowed. Option C is wrong because the resource ARN matches the pipeline. Option D is wrong because the policy has no time-based condition.

173
Multi-Select · hard

A company is using AWS CodeBuild to compile and test code. The buildspec.yml file includes a pre_build phase that installs dependencies and a build phase that runs the compilation. The tests are run in the post_build phase. The team wants to improve the security of the build process by ensuring that sensitive information such as database passwords is not exposed in the build logs. Which TWO actions should the team take? (Choose two.)

Select 2 answers
A.Use AWS Systems Manager Parameter Store to store the secrets and reference them in the buildspec using the 'parameter-store' field.
B.Use AWS Secrets Manager to store the secrets and reference them in the buildspec using the 'secrets-manager' field.
C.Restrict access to the build logs by using IAM policies to only allow specific users to view them.
D.Enable encryption at rest for the CodeBuild project's S3 logs.
E.Store the secrets as plain-text environment variables in the CodeBuild project.
Answers: A, B

Parameter Store and Secrets Manager references keep the secret out of the project definition, and the values are not printed unless a command echoes them.

Why this answer

Options A and B are correct. Referencing secrets through the parameter-store or secrets-manager keys in the env section of the buildspec retrieves them at build time, so they are not stored in plain text in the project or the repository. The build must still avoid printing them: a command such as echo $DB_PASSWORD, or a tool run with verbose output, writes the value into the log regardless of where it came from. Option C is wrong because restricting who can read the logs limits the audience, but the secret is still sitting there in plain text. Option D is wrong because encryption at rest does not stop secrets from being written into the log. Option E is wrong because plain-text environment variables are visible in the project configuration and are easily logged.

174
MCQ · hard

A DevOps engineer is troubleshooting a CloudFormation stack that failed to update. The error message indicates a circular dependency among resources. The template includes an Auto Scaling group, a launch template, and an IAM instance profile. The launch template references the IAM instance profile, and the Auto Scaling group references the launch template. The IAM instance profile's role references the Auto Scaling group name in its trust policy. How can the engineer resolve the circular dependency?

A.Use DependsOn clauses to explicitly order the resource creation
B.Pass the Auto Scaling group name as a parameter to the IAM role's trust policy, and create the Auto Scaling group with a condition that depends on the role
C.Place the launch template and Auto Scaling group in a nested stack
D.Hardcode the Auto Scaling group name in the IAM role's trust policy
Answer: B

Using a parameter breaks the circular reference by not requiring the actual Auto Scaling group resource to exist when the role is created.

Why this answer

Option B resolves the circular dependency by decoupling the Auto Scaling group name from the IAM role's trust policy at template creation time. By passing the group name as a parameter and using a condition to create the Auto Scaling group only after the role exists, CloudFormation can determine the correct creation order without a circular reference. This approach allows the trust policy to reference a value that is not yet known at template parsing, breaking the dependency cycle.

Exam trap

The trap here is that candidates often assume DependsOn can override any dependency issue, but CloudFormation still validates the entire dependency graph and will reject any cycle regardless of explicit DependsOn clauses.

How to eliminate wrong answers

Option A is wrong because DependsOn clauses only specify explicit ordering but do not resolve circular dependencies; if two resources depend on each other, DependsOn cannot break the cycle. Option C is wrong because placing resources in a nested stack does not eliminate circular dependencies; the nested stack still has the same logical references, and CloudFormation would still detect the cycle across stack boundaries. Option D is wrong because hardcoding the Auto Scaling group name makes the template non-portable and brittle, and it does not solve the circular dependency if the group name is used elsewhere in a way that creates a reference loop.

175
MCQ · medium

A development team uses AWS CodeCommit as a source repository for their AWS CodePipeline. They want to automatically trigger a pipeline execution when a new branch is created. Which solution should they implement?

A.Create an S3 event notification to invoke the pipeline when a branch is created.
B.Use Amazon CloudWatch Events to trigger the pipeline on a CodeCommit 'Reference Created' event.
C.Configure a webhook in CodePipeline to detect branch creation events.
D.Set up a polling mechanism in CodePipeline to check for new branches every minute.
Answer: B

CloudWatch Events (EventBridge) can capture CodeCommit events such as branch creation and start the pipeline.

Why this answer

Option B is correct because CodeCommit emits a "CodeCommit Repository State Change" event with referenceType branch and event referenceCreated, and a rule matching it can target the pipeline directly. Option A is wrong because S3 event notifications apply to S3 sources, not CodeCommit. Option C is wrong because webhooks are for third-party sources such as GitHub. Option D is wrong because polling is slower and less efficient than event-driven detection and is no longer the recommended change-detection mode.

176
MCQ · easy

A company uses AWS CloudFormation to deploy infrastructure. The DevOps team wants to receive notifications when a stack fails to create or update. What is the MOST efficient way to achieve this?

A.Configure an SNS topic in the stack's notification options.
B.Create a custom resource in the stack that publishes to Amazon SNS.
C.Create a CloudWatch alarm on the StackStatus metric.
D.Use Amazon EventBridge to capture CloudFormation events and publish to SNS.
Answer: A

CloudFormation allows specifying SNS topic ARNs for stack events.

Why this answer

Option A is correct because AWS CloudFormation natively supports specifying Amazon SNS topic ARNs in the stack's notification options. When a stack operation (create, update, or delete) fails, CloudFormation automatically publishes a notification to the configured SNS topic without requiring any custom code, additional resources, or external event processing. This is the most efficient approach as it leverages built-in functionality with zero maintenance overhead.

Exam trap

The trap here is that candidates overthink the solution by choosing EventBridge or custom resources, missing the fact that CloudFormation has a built-in, one-step SNS notification feature that is both simpler and more reliable for failure alerts.

How to eliminate wrong answers

Option B is wrong because creating a custom resource in the stack to publish to SNS introduces unnecessary complexity, requires a Lambda function or other compute resource to handle the custom resource lifecycle, and does not reliably capture all stack failure scenarios (e.g., failures during stack creation before the custom resource is processed). Option C is wrong because CloudFormation does not emit a 'StackStatus' metric to CloudWatch; CloudWatch alarms cannot directly monitor CloudFormation stack status without custom metrics or log-based metrics, making this approach infeasible. Option D is wrong because while EventBridge can capture CloudFormation events (e.g., via AWS API calls or CloudTrail), this requires additional configuration, incurs EventBridge costs, and is less efficient than the native SNS notification option that requires no extra services or rules.

177
MCQ · medium

The exhibit shows the output of the AWS CLI command 'batch-get-builds' for a CodeBuild build. The build failed. What is the most likely cause of the failure?

A.The source code has compilation errors.
B.The buildspec file is malformed.
C.The build project does not have sufficient memory.
D.The S3 bucket 'my-bucket' does not exist or the build project lacks permissions to access it.
AnswerD

The DOWNLOAD_SOURCE phase failed, suggesting an issue with accessing the source artifact in S3.

Why this answer

Option D is correct: the DOWNLOAD_SOURCE phase is the one marked FAILED, and in that phase CodeBuild is fetching the source artifact from the S3 location named in the project, so a bucket that does not exist or a build service role without s3:GetObject (and kms:Decrypt, if the bucket uses a customer managed key) is what fits. The phase context's statusCode is the discriminator worth reading: an access or not-found error points at the source, whereas YAML_FILE_ERROR in the same phase means the buildspec could not be parsed, because CodeBuild reads the buildspec immediately after downloading the source. Option A is wrong because compile errors surface in the BUILD phase. Option B would show up as a YAML_FILE_ERROR context in DOWNLOAD_SOURCE; the exhibit's failure is about reaching the source, not parsing the buildspec.

Option C is wrong because memory pressure shows up as a failure inside BUILD (typically an out-of-memory kill), not in DOWNLOAD_SOURCE.
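
The triage step above, as an added example that is not part of the question bank or of AWS's own tooling. It reads the JSON that 'aws codebuild batch-get-builds' returns, finds the first failed phase and its context, and maps the phase (and the YAML_FILE_ERROR status code) to the place to look first. The structure of the output (builds[].phases[] with phaseType, phaseStatus and contexts[]) is the real one; the sample document, including its status code and message, is constructed.

```python
"""Triage a failed CodeBuild build from 'aws codebuild batch-get-builds' output.

Added example for question 177 (not from the question bank or AWS). The output
structure (builds[].phases[] with phaseType, phaseStatus and contexts[]) is the
real one; the sample document is constructed, including its status code and
message text.
"""
import json
from typing import Optional, Tuple

# Where to look first, by failed phase. DOWNLOAD_SOURCE is also where a
# buildspec that cannot be parsed fails (status code YAML_FILE_ERROR), so the
# context's statusCode decides between "cannot reach the source" and
# "buildspec is malformed".
TRIAGE_HINTS = {
    "DOWNLOAD_SOURCE": "the source location and the build role's s3:GetObject "
                       "(and kms:Decrypt for an encrypted bucket) permissions",
    "INSTALL": "runtime versions and package installs in the install phase",
    "PRE_BUILD": "the pre_build commands (registry logins, test data fetches)",
    "BUILD": "the build commands and compiler or test output",
    "POST_BUILD": "artifact packaging and push commands",
    "UPLOAD_ARTIFACTS": "the artifact bucket and the build role's s3:PutObject permission",
    "PROVISIONING": "the compute type, image and service role of the project",
}


def failed_phase(batch_get_builds_json: str) -> Optional[Tuple[str, str, str]]:
    """Return (phaseType, statusCode, message) for the first FAILED phase, or None."""
    for build in json.loads(batch_get_builds_json).get("builds", []):
        for phase in build.get("phases", []):
            if phase.get("phaseStatus") == "FAILED":
                context = (phase.get("contexts") or [{}])[0]
                return (phase["phaseType"], context.get("statusCode", ""),
                        context.get("message", ""))
    return None


def triage(batch_get_builds_json: str) -> str:
    found = failed_phase(batch_get_builds_json)
    if found is None:
        return "no failed phase"
    phase, code, message = found
    if code == "YAML_FILE_ERROR":
        hint = "the buildspec syntax"
    else:
        hint = TRIAGE_HINTS.get(phase, "the build log")
    return f"{phase} failed ({code}): {message}. Check {hint}."


# Constructed batch-get-builds output for a build that could not fetch its
# source from S3.
SAMPLE_BATCH_GET_BUILDS = json.dumps({
    "builds": [{
        "id": "my-project:0123abcd-0000-1111-2222-333344445555",
        "buildStatus": "FAILED",
        "source": {"type": "S3", "location": "my-bucket/source.zip"},
        "phases": [
            {"phaseType": "SUBMITTED", "phaseStatus": "SUCCEEDED", "durationInSeconds": 0},
            {"phaseType": "QUEUED", "phaseStatus": "SUCCEEDED", "durationInSeconds": 1},
            {"phaseType": "PROVISIONING", "phaseStatus": "SUCCEEDED", "durationInSeconds": 12},
            {"phaseType": "DOWNLOAD_SOURCE", "phaseStatus": "FAILED", "durationInSeconds": 2,
             "contexts": [{"statusCode": "ACCESS_DENIED",
                           "message": "Access denied when attempting to download "
                                      "source from my-bucket/source.zip"}]},
            {"phaseType": "FINALIZING", "phaseStatus": "SUCCEEDED", "durationInSeconds": 1},
            {"phaseType": "COMPLETED"},
        ],
    }],
    "buildsNotFound": [],
})
```

Pipe the real output in with 'aws codebuild batch-get-builds --ids <build-id>' and pass the text to triage(); the phase tells you where, and the statusCode tells you what kind of failure it was.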

178
Multi-Selecteasy

A DevOps engineer needs to restrict access to an S3 bucket so that only users from a specific AWS account can read objects. Which TWO methods can achieve this?

Select 2 answers
A.Create an IAM role in the source account with read access to the bucket, and allow users in that account to assume the role.
B.Enable S3 Block Public Access on the bucket.
C.Generate pre-signed URLs for each object and distribute them only to users in the target account.
D.Write a bucket policy that uses the aws:SourceAccount condition to allow access only from the specific account.
E.Set a bucket ACL that grants read access to the target account's canonical ID.
AnswersA, D

A role in the bucket-owning account that trusts the other account, or a bucket policy keyed on the calling principal's account, limits reads to that account.

Why this answer

Options A and D are correct. A bucket policy (D) is a resource-based policy, so a Deny for every request whose principal is outside the trusted account, or an Allow limited to it, restricts readers to that account. Note the condition key, though: aws:PrincipalAccount is the account of the principal making the call; aws:SourceAccount, as named in the option, is the account that owns a resource on whose behalf an AWS service is calling (for example an S3 event notification invoking Lambda), so a real policy for this requirement uses aws:PrincipalAccount or names the account as the Principal. For option A the role lives in the account that owns the bucket (the 'source' account in the option's wording), its trust policy names the other account, and users there are granted sts:AssumeRole on it; their reads then run as that role.

Option C (pre-signed URLs) grants access to anyone holding the URL for as long as it is valid, object by object, and is not an account-scoped restriction. Option B (Block Public Access) removes public access but does not distinguish between AWS accounts. Option E (ACLs) can grant another account read access, but ACLs are the legacy mechanism, are disabled by default on new buckets (Object Ownership set to bucket owner enforced), and cannot carry conditions.

179
MCQeasy

A DevOps team uses AWS Systems Manager Incident Manager to manage incidents. They have configured a response plan that sends notifications to an SNS topic, which triggers an AWS Lambda function to post messages to a Slack channel. Recently, the Slack notifications have stopped working. The CloudWatch logs for the Lambda function show no invocations when an incident is created. The SNS topic has a subscription to the Lambda function, and the Lambda function's resource policy allows invocation from SNS. What is the MOST likely cause?

A.The Lambda function has a reserved concurrency of 0.
B.The response plan is not configured to send notifications to the correct SNS topic ARN.
C.The Lambda function's execution role does not have permission to post to Slack.
D.The SNS topic's access policy does not allow the Incident Manager to publish to it.
AnswerB

If the response plan points at the wrong topic ARN, nothing is ever published, so the function is never invoked.

Why this answer

Option B is correct because the chain starts at the response plan: if it names a topic ARN other than the one the Lambda function is subscribed to, the incident is created but no message reaches the subscribed topic, so there is nothing for SNS to deliver and the function never runs, which is exactly what the empty invocation log shows. To confirm, compare the response plan's notification targets with the subscription's topic ARN, and look at the topic's NumberOfMessagesPublished metric for the time of the incident. Option A is less likely but worth ruling out the same way: reserved concurrency of 0 would also produce no invocations, but SNS would then report NumberOfNotificationsFailed and the function's Throttles metric would rise, whereas a wrong ARN shows nothing published at all. Option C is wrong because a missing Slack permission would fail inside an invocation, and there are no invocations.

Option D would also leave the function uninvoked, but the question establishes that the SNS-to-Lambda leg has been verified, and a publish rejected by the topic policy would be reported as a failed notification on the Incident Manager side; the plan's ARN is the cheaper and more likely misconfiguration.

180
MCQhard

A company uses AWS CodePipeline with an Amazon S3 source action. The pipeline deploys to an Amazon ECS Fargate service. The engineer notices that the pipeline does not automatically start when a new object is uploaded to the S3 bucket. The S3 bucket versioning is enabled. What is the most likely cause?

A.The pipeline has manual approval required before the source stage
B.The S3 bucket does not have event notifications configured for the pipeline
C.S3 versioning is not enabled on the bucket
D.The ECS service is not configured for blue/green deployments
AnswerB

S3 source actions need a change-detection mechanism; without one nothing starts the pipeline.

Why this answer

Option B is correct because an S3 source action does not watch the bucket by itself. Change detection is either polling (PollForSourceChanges) or, as AWS recommends, an EventBridge rule that matches the PutObject and CompleteMultipartUpload CloudTrail data events for the object key and has the pipeline as its target; that rule in turn needs a CloudTrail trail logging S3 data events for the bucket. If neither polling nor the trail-plus-rule is in place, uploads never start an execution. The console creates the rule when the action is defined, and it is easy to lose when the pipeline is recreated from a template. Option C is wrong because the question states versioning is enabled (and it must be, since the source action tracks object versions).

Option A is wrong because the source stage is always the first stage and cannot be preceded by an approval. Option D is wrong because the deploy stage has no bearing on whether the source stage starts.

181
MCQhard

An organization uses AWS CloudFormation to manage infrastructure. During an incident, a stack update fails with 'UPDATE_ROLLBACK_FAILED' status. The engineer needs to bring the stack to a consistent state without losing data. What is the BEST approach?

A.Use the 'ContinueUpdateRollback' API to skip the resource that caused the failure.
B.Create a new stack from the same template and migrate resources.
C.Manually correct the resource configuration that caused the failure, then perform a stack update.
D.Delete the stack and then recreate it from the same template.
AnswerA

This is the designed method to resolve rollback failures.

Why this answer

The ContinueUpdateRollback API is the designed path out of UPDATE_ROLLBACK_FAILED: it resumes the rollback and, through the ResourcesToSkip parameter, lets you name the resources that cannot be rolled back (for example a change that is not reversible or a resource someone modified by hand), so that the stack reaches UPDATE_ROLLBACK_COMPLETE with the remaining resources intact. Skipped resources are left in their current state and the stack's record of them may no longer match reality, so reconcile them afterwards by hand or with drift detection; the point is that nothing is deleted or recreated, so no data is lost.

Exam trap

The trap here is that candidates often choose manual correction (Option C) thinking they can fix the resource and retry the update, but they overlook that the stack is in a failed rollback state that blocks further updates until the rollback is resolved, making 'ContinueUpdateRollback' the only viable path to a consistent state without data loss.

How to eliminate wrong answers

Option B is wrong because creating a new stack from the same template and migrating resources is time-consuming, risks data loss during migration, and does not address the immediate need to recover the existing stack to a consistent state. Option C is wrong because manually correcting the resource configuration and then performing a stack update assumes the failure is fixable via a new update, but the stack is stuck in 'UPDATE_ROLLBACK_FAILED' and cannot accept further updates until the rollback is completed or continued; this approach may also lead to configuration drift and potential data loss. Option D is wrong because deleting the stack would destroy all resources, including any data stored in them (e.g., databases, EBS volumes), which violates the requirement to avoid data loss.

182
MCQhard

A company is building a global application that requires low-latency access to static content across multiple AWS Regions. The content changes infrequently. Which solution is MOST resilient and cost-effective?

A.Use Amazon S3 Transfer Acceleration
B.Set up a VPN to a single Region
C.Deploy EC2 instances in each Region with a global load balancer
D.Use Amazon CloudFront with an S3 bucket as origin
AnswerD

CloudFront caches content at edge locations, improving latency and resilience.

Why this answer

CloudFront with an S3 origin provides global edge caching, low latency, and high resilience at low cost.

183
Multi-Selectmedium

Which TWO options are valid ways to trigger an AWS CodePipeline execution automatically? (Choose two.)

Select 2 answers
A.A scheduled CloudWatch Logs metric filter.
B.Completion of a CodeDeploy deployment.
C.Changes to a CodeCommit repository.
D.Manual approval action in the pipeline.
E.Upload of a new object to an S3 bucket.
AnswersC, E

CodePipeline can be configured to start on push to a branch.

Why this answer

Options C and E are correct. A push to a CodeCommit repository (C) starts a pipeline through the EventBridge rule CodePipeline creates for the source action, and an upload to an S3 source bucket (E) starts one through the CloudTrail-backed EventBridge rule or through polling. Option D is wrong because a manual approval action pauses an execution that is already running; it starts nothing. Option B is wrong because CodeDeploy is a deployment target inside a stage, not a source that starts an execution.

Option A is wrong because a CloudWatch Logs metric filter produces a metric; it cannot start a pipeline (a separate EventBridge schedule rule could, but that is not what is listed).

184
MCQmedium

A DevOps engineer needs to encrypt data in transit between an Application Load Balancer (ALB) and backend EC2 instances. The application uses HTTPS. What is the simplest way to achieve this encryption?

A.Use an AWS Private Certificate Authority to issue certificates for the instances.
B.Use a Network Load Balancer instead with TLS listeners.
C.Place both ALB and instances in a VPC with default security groups.
D.Configure the ALB listener to use HTTPS, and configure the target group to use HTTPS with a self-signed certificate on the instances.
AnswerD

This encrypts traffic between ALB and instances.

Why this answer

Option D is correct: create the target group with protocol HTTPS, install a certificate on each instance and have the web server listen on TLS. The ALB then opens a TLS connection to the target for every request. The ALB does not validate the target's certificate (AWS documents that self-signed and even expired certificates are accepted), so there is nothing to distribute to the ALB side and a self-signed certificate on the instances is enough. The consequence is that the hop is encrypted but the ALB does not authenticate the backend; if backend authentication is a requirement, that is a job for mutual TLS at the application or a service mesh, not the ALB.

Option A also works, since a private CA can issue the instance certificates, but it is more to build and operate than the question asks for. Option B is wrong because an NLB TLS listener terminates TLS at the load balancer and still needs TLS to the targets for the backend hop, so it is no simpler. Option C is wrong because security groups decide which traffic is allowed, not whether it is encrypted.

185
MCQhard

Refer to the exhibit. An IAM policy is attached to a user. A developer tries to upload an object to s3://my-bucket/confidential/report.pdf without specifying server-side encryption. What will happen?

A.The upload succeeds because the Allow statement grants PutObject.
B.The upload succeeds because the Deny condition uses a wrong condition key.
C.The upload fails because the Deny statement requires SSE-KMS.
D.The upload fails only if the object name matches the prefix.
AnswerC

The Deny condition requires SSE-KMS; without it, the request is denied.

Why this answer

Option C is correct because the Deny statement in the exhibit denies s3:PutObject unless the request carries x-amz-server-side-encryption with the value aws:kms. The developer's upload sets no server-side-encryption header, so the condition is met, the Deny applies, and an explicit Deny overrides the Allow that grants PutObject. Option A is wrong for that reason.

Option B is wrong because s3:x-amz-server-side-encryption is the correct condition key for that header; kms:EncryptionContext is a KMS condition key, not an S3 one. Option D is wrong because the Deny in the exhibit is scoped to the bucket's object ARN, not to the value of the header (AES256 or otherwise). A related point: a default-encryption setting on the bucket would have encrypted this object, but it does not change how the policy evaluates, because the condition key reflects the header the client actually sent.

186
MCQmedium

A company uses AWS CloudFormation to manage its infrastructure. The security team requires that all S3 buckets have versioning enabled. A DevOps engineer needs to enforce this policy across all accounts in an AWS Organization. Which solution is MOST operationally efficient?

A.Add a CloudFormation custom resource to each template that enables versioning and attaches a Lambda function to re-enable it if disabled.
B.Create an SCP in AWS Organizations that denies s3:PutBucketVersioning with a condition that versioning is not enabled.
C.Create a Service Catalog portfolio with a product that enforces versioning and require all users to launch stacks from it.
D.Use AWS Config with a managed rule 's3-bucket-versioning-enabled' and an automatic remediation action that enables versioning.
AnswerB

An SCP applies to every account in the organization at once and prevents the action that disables versioning, which the answer key treats as the most operationally efficient control.

Why this answer

Option B is correct per the answer key: an SCP is evaluated in every member account without anything being deployed per account, so a Deny on s3:PutBucketVersioning that stops versioning from being suspended is the lightest-touch organization-wide control. Practitioner caveat: S3 exposes no condition key for the versioning state a PutBucketVersioning call requests, so in practice the SCP is a blanket Deny of s3:PutBucketVersioning for everyone except an administrative role (which stops suspension but also stops enabling), and it does nothing for buckets created without versioning. Turning those on is what the s3-bucket-versioning-enabled managed rule, deployed as an organization Config rule with the AWS-ConfigureS3BucketVersioning automation document as its remediation action (Option D), is for. Expect D when a question asks for enforcement on existing buckets and B when it asks for a preventive organization-wide guardrail. Option A is wrong because a custom resource has to be added to every template, and re-enabling through Lambda is reactive. Option D is wrong in the answer key's reading because Config evaluates and remediates after the change rather than preventing it.

Option C is wrong because Service Catalog constrains only what is launched through it and does nothing for existing buckets or for buckets created by other means.

187
MCQeasy

A company uses AWS Secrets Manager to store database credentials. The security team needs to automatically rotate the secrets every 30 days. Which action should be taken?

A.Enable automatic rotation on the secret and configure the rotation interval to 30 days
B.Manually rotate the secret every 30 days using the AWS Management Console
C.Store the secret in AWS Systems Manager Parameter Store and use a scheduled Lambda to update it
D.Use AWS KMS to rotate the secret by re-encrypting with a new key
AnswerA

Secrets Manager supports automatic rotation with a Lambda function.

Why this answer

Option A is correct. Secrets Manager rotation is driven by a Lambda rotation function that Secrets Manager invokes on the schedule set on the secret (a rotation interval of 30 days, or a rate or cron expression); for the supported database engines AWS provides the rotation function templates, and the function creates a new credential, sets it in the database, tests it and then moves the AWSCURRENT staging label to the new version. Rotation is off until it is enabled on the secret. Option B is wrong because manual rotation is not automatic and depends on someone remembering. Option C is wrong because Parameter Store has no rotation feature; a scheduled Lambda would have to be written and maintained to do it.

Option D is wrong because KMS key rotation rotates the key material that encrypts the secret, not the database password itself.

188
MCQmedium

A company is using AWS Systems Manager to manage configuration drift on EC2 instances. They want to automatically apply a baseline configuration to instances that have drifted from the desired state. Which Systems Manager capability should they use?

A.AWS Systems Manager Patch Manager
B.AWS Systems Manager Parameter Store
C.AWS Systems Manager Run Command
D.AWS Systems Manager State Manager
AnswerD

State Manager enforces configuration and remediates drift.

Why this answer

Option D is correct because State Manager associations apply a Systems Manager document to a set of instances on a schedule and re-apply it when an instance no longer matches, which is what brings drifted instances back to the baseline. Option A is wrong because Patch Manager handles OS patch compliance only. Option C is wrong because Run Command executes a document once, on demand; it does not enforce a state over time.

Option B is wrong because Parameter Store holds configuration values but applies nothing.

189
MCQeasy

A DevOps engineer is setting up an alarm to notify the team when the average CPU utilization of an EC2 instance exceeds 80% for 5 consecutive minutes. Which CloudWatch alarm configuration should be used?

A.Metric: CPUUtilization, Statistic: Average, Period: 300 seconds, Threshold: 80, Evaluation Periods: 1
B.Metric: CPUUtilization, Statistic: Average, Period: 300 seconds, Threshold: 80, Evaluation Periods: 1, Comparison: LessThanThreshold
C.Metric: CPUUtilization, Statistic: Average, Period: 60 seconds, Threshold: 80, Evaluation Periods: 5
D.Metric: CPUUtilization, Statistic: Sum, Period: 60 seconds, Threshold: 80, Evaluation Periods: 5
AnswerA

This matches the requirement: 5 consecutive minutes = 1 evaluation period of 300 seconds.

Why this answer

Option A is correct because a 300-second period with the Average statistic aggregates the five 1-minute samples into one data point, and one evaluation period means the alarm goes to ALARM as soon as that 5-minute average exceeds 80. That is the reading the answer key takes of 'exceeds 80% for 5 consecutive minutes'.

Exam trap

The trap is that Period and Evaluation Periods are different knobs. With a 60-second period and five evaluation periods (Option C) the alarm fires only when each of five consecutive 1-minute averages is above 80, which is a stricter condition than one 5-minute average above 80: four minutes at 100% followed by one quiet minute trips A and not C. Know which reading a question wants; both are valid alarm designs, and C is the better choice when short spikes must not page anyone.

How to eliminate wrong answers

Option B is wrong because LessThanThreshold fires when utilization is below 80, the opposite of the requirement. Option C is wrong for this answer key because it evaluates five separate 1-minute data points and requires all of them to breach (DatapointsToAlarm defaults to the number of evaluation periods), rather than the single 5-minute average the question is taken to mean. Option D is wrong because Sum adds up the samples in each period; on a percentage metric the sum is not a utilization, and with a 60-second period it is just the one sample, so a threshold of 80 does not express '80% busy'.
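
The difference between options A and C, run on data, as an added example that is not part of the question bank or of AWS's own code. The evaluator below models period aggregation with a statistic, the last N evaluation periods and the M-of-N DatapointsToAlarm rule; the two CPU series are constructed, and clock alignment of periods and missing-data handling, which real CloudWatch also does, are left out.

```python
"""Evaluate CloudWatch-style alarm settings over per-minute samples.

Added example for question 189 (not from the question bank or AWS): it models
period aggregation with a statistic, the last N evaluation periods, and the
M-of-N DatapointsToAlarm rule, so the difference between a 300-second period
with one evaluation period and a 60-second period with five can be seen on
constructed data. Real CloudWatch aligns periods to the clock and handles
missing data; both are left out here.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Alarm:
    statistic: str                 # "Average", "Sum", "Maximum" or "Minimum"
    period: int                    # seconds; samples below arrive every 60 s
    threshold: float
    evaluation_periods: int
    comparison: str = "GreaterThanThreshold"
    datapoints_to_alarm: Optional[int] = None   # defaults to evaluation_periods


STATISTICS = {
    "Average": lambda v: sum(v) / len(v),
    "Sum": sum,
    "Maximum": max,
    "Minimum": min,
}


def breaches(alarm: Alarm, value: float) -> bool:
    """Apply the alarm's comparison operator to one aggregated data point."""
    return {
        "GreaterThanThreshold": value > alarm.threshold,
        "GreaterThanOrEqualToThreshold": value >= alarm.threshold,
        "LessThanThreshold": value < alarm.threshold,
        "LessThanOrEqualToThreshold": value <= alarm.threshold,
    }[alarm.comparison]


def period_values(alarm: Alarm, samples: List[float], sample_interval: int = 60) -> List[float]:
    """Aggregate samples (oldest first) into whole periods, dropping the oldest
    leftover samples that do not fill a period."""
    per_period = alarm.period // sample_interval
    start = len(samples) % per_period
    chunks = [samples[i:i + per_period] for i in range(start, len(samples), per_period)]
    return [STATISTICS[alarm.statistic](chunk) for chunk in chunks]


def alarm_state(alarm: Alarm, samples: List[float]) -> str:
    """Return ALARM, OK or INSUFFICIENT_DATA for the most recent periods."""
    recent = period_values(alarm, samples)[-alarm.evaluation_periods:]
    if len(recent) < alarm.evaluation_periods:
        return "INSUFFICIENT_DATA"
    needed = alarm.datapoints_to_alarm or alarm.evaluation_periods
    breaching = sum(1 for v in recent if breaches(alarm, v))
    return "ALARM" if breaching >= needed else "OK"


# The two candidate configurations from the question.
OPTION_A = Alarm("Average", 300, 80, 1)   # one 5-minute average
OPTION_C = Alarm("Average", 60, 80, 5)    # five 1-minute averages, all must breach

# Constructed per-minute CPU averages, oldest first.
BURST = [100, 100, 100, 100, 10]          # 5-minute average 82, but one quiet minute
SUSTAINED = [85, 90, 88, 92, 81]          # every minute above 80


if __name__ == "__main__":
    for name, series in (("burst", BURST), ("sustained", SUSTAINED)):
        print(name, "A:", alarm_state(OPTION_A, series), "C:", alarm_state(OPTION_C, series))
```

Whenever all five 1-minute averages exceed 80, their mean does too, so C never fires without A; A is the more sensitive of the two and C is the one that ignores short bursts.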

190
MCQmedium

A company uses AWS CloudFormation StackSets to deploy a VPC with subnets across multiple accounts and regions. Recently, a new account was added to the organization, and the DevOps team wants to deploy the stack set to this new account without affecting existing stacks. The stack set has self-managed permissions. The engineer creates a new stack instance for the account and region, but the operation fails with an 'Access Denied' error when CloudFormation tries to create resources in the new account. The engineer has verified that the stack set's IAM roles exist in the new account. What is the most likely cause?

A.The stack set template contains a resource that is not supported in the target region.
B.The trust policy of the IAM role in the target account does not grant permissions to the administrator account.
C.The target account has reached a service limit for VPCs.
D.The IAM roles in the target account are not named correctly.
AnswerB

The target account's role must trust the administrator account to assume it.

Why this answer

Option B is correct because with self-managed permissions the administration account's AWSCloudFormationStackSetAdministrationRole must be able to assume AWSCloudFormationStackSetExecutionRole in each target account, and the execution role's trust policy must allow that (a Principal of the administrator account, or of the administration role's ARN). If the role exists but its trust policy names the wrong account, CloudFormation cannot assume it and reports Access Denied before creating anything. Option D is wrong because the engineer has verified the roles exist, and a misnamed role produces a role-not-found error rather than Access Denied. Option A is wrong because the same template already deploys in the other accounts and regions and the failure is an authorization error.

Option C is wrong because a VPC quota problem surfaces as a resource creation failure (VpcLimitExceeded) after the stack instance starts, not as Access Denied.

191
MCQhard

A company runs a containerized microservices application on Amazon ECS with Fargate. The application is deployed using AWS CodePipeline with CodeBuild as the build stage and ECS as the deploy stage. The pipeline uses a deployment controller of type CODE_DEPLOY with a blue/green deployment strategy. Recently, the team noticed that during deployments, the new task set fails health checks and the deployment is rolled back. The application logs indicate that the new containers fail because they cannot connect to the Redis cluster, which is a required dependency. The Redis cluster is running on Amazon ElastiCache and is in the same VPC as the ECS tasks. The team has verified that the security group for the ElastiCache cluster allows inbound traffic from the ECS tasks' security group. The ECS task definition includes the Redis endpoint as an environment variable. What is the MOST likely cause of the connection failure?

A.The new task set is being launched in different private subnets that do not have a route to the ElastiCache cluster.
B.The Redis endpoint environment variable is not being passed correctly to the new task set because of a misconfiguration in the task definition.
C.The security group for the ElastiCache cluster only allows inbound traffic from the security group of the original task set, not the new task set created during deployment.
D.The new task set is using a different VPC than the ElastiCache cluster.
AnswerC

With a CODE_DEPLOY blue/green deployment the replacement task set takes its network configuration from appspec.yml; if that names a security group other than the one the ElastiCache inbound rule references, the new tasks are blocked.

Why this answer

Option C is correct because in an ECS blue/green deployment CodeDeploy creates a new task set, and the subnets and security groups for that task set come from the NetworkConfiguration section of the appspec file rather than from the tasks already running. If the ElastiCache security group's inbound rule references only the original task set's security group and the appspec assigns a different one, the new containers cannot reach Redis, fail their health checks, and CodeDeploy rolls back. The check is to compare awsvpcConfiguration.securityGroups in appspec.yml with the source of the ElastiCache ingress rule, and the fix is to reference the same group (or a shared application security group) in both places. Option A is wrong because the appspec's subnets are normally the service's own subnets, and subnets in one VPC route to each other in any case.

Option B is wrong because a wrong environment variable would have broken the original task set too, and the scenario is about connectivity, not DNS resolution of the endpoint. Option D is wrong because the question states both are in the same VPC, and a task set cannot be placed in a different VPC from its service.

192
MCQmedium

A DevOps engineer executes the above CloudWatch Logs Insights query. What will the output contain?

A.The count of ERROR messages per 1-minute interval for the most recent 20 intervals
B.The count of ERROR messages per 5-minute interval for the most recent 20 intervals
C.The total count of ERROR messages in the log group
D.A list of the 20 most recent log entries that contain the word 'ERROR'
AnswerB

The query groups by 5-minute bins and returns 20 rows.

Why this answer

Option B is correct because the query keeps only events whose @message contains ERROR, aggregates them with stats count(*) by bin(5m), which yields one row per 5-minute interval, and the sort and limit 20 keep the 20 most recent intervals. Option A is wrong because the bin size is 5m, not 1m. Option C is wrong because a grouped stats returns a row per bin, not one total.

Option D is wrong because stats returns counts, not the log lines themselves; only a query without the stats clause would list them.

193
MCQmedium

Refer to the exhibit. An IAM policy is attached to a user. The user reports that they cannot push to the 'MyRepo' repository. What is the likely reason?

A.The policy does not allow GitPush on the repository's branches.
B.The user is not in the correct IAM group.
C.The user does not have GitPull permission on the repository.
D.The policy must include codecommit:CreateRepository action.
AnswerA

CodeCommit grants push rights on the repository ARN; branch-level restrictions are expressed with the codecommit:References condition key, and a Deny carrying that key is what blocks the push.

Why this answer

Option A is the intended answer: the policy lets the user reach the repository but not push to the branch in question. Two facts about CodeCommit authorization make the exhibit read that way. First, CodeCommit has no branch-level resource ARN; the only resource is the repository (arn:aws:codecommit:region:account:repository-name), so a statement that allows codecommit:GitPush on the MyRepo ARN by itself permits pushes to every branch. Second, branch protection is done with the codecommit:References condition key, which carries the refs (for example refs/heads/main) that a push or branch deletion touches; the standard pattern is a Deny on codecommit:GitPush (together with DeleteBranch, PutFile, MergeBranchesByFastForward and the other write actions) with StringEqualsIfExists on codecommit:References and Null codecommit:References false, so that only writes to the listed branches are blocked. A policy with such a Deny alongside the Allow produces exactly the 'cannot push to MyRepo' report, and because an explicit Deny wins over any Allow, adding more Allow statements does not help; the fix is to exempt the user or the branch from the Deny, or to push to a branch outside it.

Option B is wrong because the policy is attached directly to the user, so group membership does not enter into it. Option C is wrong because the exhibit grants codecommit:GitPull through the wildcard resource, and pull rights are not what a push lacks. Option D is wrong because codecommit:CreateRepository is needed only to create a repository, not to push to an existing one.

194
Multi-Selecthard

A company is using AWS Elastic Beanstalk with a custom platform. The DevOps team wants to automate the creation of a new platform version whenever changes are pushed to a Git repository. The pipeline should run tests, build the platform, and then update the Elastic Beanstalk environment to use the new platform version. Which services should be used together to achieve this? (Choose THREE.)

Select 3 answers
A.AWS CloudFormation
B.AWS CodeBuild
C.AWS CodePipeline
D.HashiCorp Packer (run in CodeBuild)
E.AWS CodeDeploy
AnswersB, C, D

B: CodeBuild runs the tests and the Packer build; C: CodePipeline orchestrates the stages; D: Packer produces the platform AMI.

Why this answer

Options B, C and D are correct. CodePipeline (C) orchestrates the stages from the repository commit through test, build and environment update. CodeBuild (B) runs the tests and the build, and its build environment can run Packer (D), which is how Elastic Beanstalk custom platforms are built: the platform definition is a Packer template, and 'eb platform create' drives a Packer build in a builder environment to produce the platform AMI.

Option E is wrong because CodeDeploy deploys application revisions to instances, Lambda or ECS and has no part in creating platform versions. Option A is wrong because CloudFormation does not build custom platforms; the Packer build in CodeBuild does, and pointing the environment at the new platform version is an Elastic Beanstalk API call.

195
MCQmedium

A DevOps engineer notices that an EC2 instance running a critical application is unresponsive. CloudWatch alarms for CPU utilization and memory usage did not trigger. The engineer checks the system logs and finds an 'Out of memory: Kill process' error. What is the MOST likely cause of the missed alarms?

A.The CloudWatch agent is not installed or configured to collect memory metrics.
B.The instance is using instance store volumes instead of EBS, which prevents metric collection.
C.The CloudWatch metrics retention period is set to 1 day, so old alarms were deleted.
D.The EC2 instance's root EBS volume is encrypted, blocking CloudWatch agent logs.
AnswerA

Memory metrics require the CloudWatch agent; EC2's own metrics cover CPU, network, disk I/O and status checks, not memory.

Why this answer

Option A is correct because EC2 publishes CPU, network, disk I/O and status-check metrics on its own and memory is not among them; memory (mem_used_percent) is collected only once the CloudWatch agent is installed and its configuration lists the mem section under metrics_collected, after which an alarm can be defined on the agent's metric. A CPU alarm also does not fire on an out-of-memory kill, because the instance is not CPU-bound while the kernel kills a process. Option B is wrong because the volume type has no bearing on metric collection. Option C is wrong because CloudWatch keeps metrics for 15 months and alarm history for 14 days; nothing is deleted after a day.

Option D is wrong because EBS encryption is transparent to the operating system and to the agent.

196
Multi-Selectmedium

A DevOps team is designing a CI/CD pipeline for a microservices application that runs on Amazon ECS. They need to implement automated canary deployments. Which TWO AWS services would be essential for this implementation?

Select 2 answers
A.AWS CodeDeploy
B.AWS CloudFormation
C.AWS CodeBuild
D.Amazon CloudWatch
E.Amazon EC2 Auto Scaling
AnswersA, D

CodeDeploy supports canary deployments for ECS.

Why this answer

Options A and D are correct. CodeDeploy drives canary deployments for ECS with its predefined configurations (for example CodeDeployDefault.ECSCanary10Percent5Minutes, which shifts 10% of traffic first and the rest five minutes later) or a custom configuration, and CloudWatch supplies the metrics and alarms a CodeDeploy deployment group watches so that a canary that raises errors is rolled back automatically. Option C is wrong because CodeBuild builds and tests images but does not shift traffic.

Option B is wrong because CloudFormation can declare the resources but does not perform the traffic shift itself (outside the CodeDeploy-backed ECS blue/green hook). Option E is wrong because EC2 Auto Scaling manages instances, not Fargate task sets or traffic weights.

197
MCQhard

A company runs a containerized application on Amazon ECS with Fargate launch type. The application experiences periodic spikes in response times. The CloudWatch metrics show high CPU and memory usage for the tasks during these spikes. What is the MOST effective approach to handle these spikes?

A.Use a larger Fargate task size to handle the spikes
B.Increase the CPU and memory limits for the ECS task definition
C.Set up a scheduled scaling action to add tasks during peak hours
D.Configure target tracking scaling policies for the ECS service using CPU or memory utilization
AnswerD

This dynamically scales tasks based on actual utilization.

Why this answer

Option D is correct because using Application Auto Scaling with target tracking based on CPU or memory utilization dynamically adjusts the task count. Option A is wrong because it does not address scaling; B is wrong because it does not scale automatically; C is wrong because it does not use metrics for scaling.

198
Multi-Selectmedium

A company is using Amazon CloudWatch Logs to collect logs from multiple applications. The DevOps team wants to create a metric filter to count the number of ERROR log entries and trigger an alarm when the count exceeds 10 in 5 minutes. Which TWO steps must the team take? (Choose TWO.)

Select 2 answers
A.Create a subscription filter to stream logs to Amazon Kinesis Data Firehose.
B.Create a metric filter on the log group that extracts ERROR count.
C.Create a CloudWatch alarm on the metric with the threshold of 10.
D.Set a log group retention policy to retain logs indefinitely.
E.Create a CloudWatch dashboard to visualize the ERROR count.
AnswersB, C

Metric filters extract metrics from log events.

Why this answer

Options B and C are correct. A metric filter on the log group (B) turns each matching event into a data point on a custom metric, and a CloudWatch alarm on that metric (C) with Statistic Sum, Period 300 seconds and threshold 10 (GreaterThanThreshold) fires when more than ten ERROR events land in five minutes. Set the filter's default value to 0 so that periods with no matching event still produce a data point; otherwise the alarm sees missing data rather than zero, and its treat-missing-data setting decides the state. Option A is wrong because a subscription filter streams events to another service and produces no metric.

Option E is wrong because a dashboard visualizes but does not alert. Option D is wrong because retention governs how long events are kept and has no effect on metric filters.

199
MCQeasy

A company uses AWS CodePipeline with a GitHub source action. The pipeline triggers on changes to the master branch. However, the pipeline does not trigger when changes are pushed to the master branch. What is the MOST likely cause?

A.The pipeline uses a different branch name.
B.The GitHub repository is not in the same AWS region as the pipeline.
C.The webhook in GitHub is not properly configured or has been removed.
D.The pipeline does not have permission to access the GitHub repository.
AnswerC

Webhooks are required for automatic triggering.

Why this answer

Option C is correct: with the GitHub (version 1) source action CodePipeline registers a webhook in the repository and starts the pipeline when GitHub posts push events to it, so if the webhook was deleted in GitHub, had its secret changed, or was never registered, pushes no longer start anything. Check the repository's webhook settings against 'aws codepipeline list-webhooks' and re-register the webhook if it is missing. Option A is ruled out by the question, which states the source action is configured for master (otherwise a branch mismatch is the first thing to check).

Option D is wrong because a permission problem fails the source action when it runs rather than stopping it from starting. Option B is wrong because GitHub is not an AWS service and has no region. Note that the version 2 GitHub source action uses a CodeStar connection rather than a webhook; there, the connection's status is what to check.

200
MCQhard

A company runs a critical e-commerce application on AWS. The architecture includes an Application Load Balancer (ALB) in front of an Auto Scaling group of EC2 instances running a web server, and an Amazon RDS MySQL Multi-AZ database. The DevOps team has implemented CloudWatch dashboards to monitor key metrics. Recently, customers have reported that the website becomes unresponsive for a few minutes during peak traffic hours. The team reviews the CloudWatch metrics and observes that during the incidents, the ALB's 'TargetResponseTime' metric spikes, and the RDS 'ReadLatency' and 'WriteLatency' metrics also spike. However, the EC2 CPU utilization and memory usage remain normal. The ALB health check shows 'Healthy' for all targets. The team needs to identify the root cause. Which course of action should the team take?

A.Configure the ALB to add a second listener and distribute traffic across multiple target groups.
B.Review the ALB access logs to identify if there are any unusual request patterns causing the latency.
C.Enable Performance Insights on the RDS instance to analyze database performance and identify slow queries.
D.Increase the desired capacity of the Auto Scaling group to add more EC2 instances to handle the load.
AnswerC

Performance Insights will help identify the root cause of database latency.

Why this answer

Option C is correct because the symptoms isolate the database: RDS ReadLatency and WriteLatency spike at the same time as ALB TargetResponseTime, while EC2 CPU and memory stay normal and every target stays healthy, so the web tier is waiting on the database. Performance Insights shows database load broken down by wait event and by SQL statement, which is what identifies the slow or lock-heavy queries behind the spikes. Option D is wrong because the instances are not saturated; more of them would send more concurrent queries to an already slow database.

Option A is wrong because a second listener or target group changes how requests reach the web tier, which is not the bottleneck. Option B is a reasonable secondary check, but access logs show request patterns and per-request latency, not why the database is slow.

201
MCQeasy

A company wants to use AWS Elastic Beanstalk to deploy a web application. They need to ensure that the application can be updated with zero downtime. Which deployment policy should they use?

A.Immutable
B.All at once
C.Rolling
D.Traffic splitting
AnswerC

Rolling replaces instances in batches while the rest keep serving; with health-check gating per batch the application stays available throughout.

Why this answer

The Rolling policy deploys to one batch of instances at a time: it detaches the batch from the load balancer, updates it, waits for it to pass health checks, and only then moves on, so the remaining batches keep serving traffic and users see no outage. Capacity drops by one batch during the rollout, so size the batch so that the remaining instances can carry the load (or choose Rolling with additional batch, which launches an extra batch first).

Exam trap

The trap is that several policies avoid downtime. Immutable launches a complete second set of instances in a temporary Auto Scaling group inside the same environment and swaps them in only after they are healthy (no CNAME swap is involved; that is blue/green between two environments), and Traffic splitting is a native Elastic Beanstalk policy that canaries a percentage of traffic to the new instances. The question asks for the policy that updates with no downtime in the simplest way; Rolling is the intended answer, whereas Immutable and Traffic splitting are the answers when a question stresses never reducing capacity or testing with a fraction of traffic.

How to eliminate wrong answers

Option A is wrong for this question because Immutable doubles the fleet for the duration of the deployment, which is safer (the old instances are untouched until the new ones are healthy, so rollback is immediate) but slower and costlier than a plain zero-downtime update needs; it is the intended answer when the requirement is no loss of capacity or a clean rollback. Option B is wrong because All at once updates every instance simultaneously, so the application is unavailable until the new version passes health checks. Option D is wrong for this question because Traffic splitting is aimed at canary testing: Elastic Beanstalk launches a new set of instances and routes a configured percentage of traffic to them for an evaluation period before shifting the rest, which is more machinery than the question calls for.

202
MCQmedium

A company runs a containerized application on Amazon ECS with Fargate launch type. The application is behind an Application Load Balancer (ALB). The operations team notices that the ALB's 5xx error rate increases periodically. The ECS service is configured with a target tracking scaling policy based on CPU utilization. The CloudWatch logs from the application show no errors. The health check on the ALB is configured to hit the /health endpoint. What is the MOST likely cause of the 5xx errors?

A.The ECS tasks are running on an underlying host that is being patched.
B.The health check endpoint is returning a 503 status due to a dependency failure.
C.The target tracking scaling policy is not responding quickly enough to traffic spikes.
D.The application is throwing exceptions that are not logged.
AnswerB

If the health check fails, the ALB returns 503.

Why this answer

Option B is correct because if the health check endpoint is not returning a 200 status, the ALB will consider the target unhealthy and return 503. Option C is wrong because scaling based on CPU would not directly cause 5xx. Option A is wrong because Fargate has no OS patching.

Option D is wrong because the application logs show no errors.

203
MCQeasy

A company has an S3 bucket with sensitive data. The security team requires that all data uploaded to the bucket be automatically encrypted at rest using server-side encryption with AWS KMS managed keys (SSE-KMS). How can this be enforced?

A.Enable default encryption on the S3 bucket with SSE-KMS.
B.Use an S3 bucket policy that denies PutObject requests without the x-amz-server-side-encryption header.
C.Enable AWS CloudTrail to monitor uploads and alert on unencrypted objects.
D.Create an IAM policy that requires all S3 operations to use SSE-KMS.
AnswerB

Bucket policy can enforce encryption headers.

Why this answer

Option B is correct because S3 bucket policies can deny uploads that do not include the x-amz-server-side-encryption header. Option A is wrong because default encryption applies to objects without encryption headers, but doesn't enforce encryption. Option D is wrong because IAM policies can require encryption but bucket policies are more direct.

Option C is wrong because CloudTrail logs actions but does not enforce encryption.

204
MCQhard

A company uses AWS Organizations with multiple accounts. The security team requires that all newly created S3 buckets in any account automatically have default encryption enabled and block public access. Which solution is MOST operationally efficient?

A.Use AWS CloudTrail to monitor bucket creation and trigger a Lambda function to apply settings
B.Apply a service control policy (SCP) that denies creation of buckets without encryption and public access block
C.Create a bucket policy on each existing bucket and rely on developers to apply it to new buckets
D.Use AWS Config rules to detect non-compliant buckets and send notifications
AnswerB

SCPs are preventive and apply organization-wide automatically.

Why this answer

Using an SCP in AWS Organizations (Option B) allows enforcing policies across all accounts. Option C is wrong because a bucket policy only works at the account level, per bucket. Option A is wrong because CloudTrail only logs; it doesn't enforce.

Option D is wrong because Config can detect but not automatically remediate without additional automation.

205
MCQeasy

A development team uses AWS CodeBuild to compile a Java application. The build fails during the 'Install' phase with an error: 'Error: JAVA_HOME is not set'. How should the team fix this?

A.Set the environment variable 'JAVA_HOME' in the buildspec file's 'env' section.
B.Use the managed image 'aws/codebuild/standard:5.0' which has Java pre-installed.
C.Install Java in the pre_build phase using a command.
D.Use a custom Docker image that has Java pre-installed.
AnswerA

Setting JAVA_HOME in the 'env' section ensures it is available in all build phases.

Why this answer

Option A is correct: each build phase uses a separate shell, so environment variables set in one phase do not persist. Option B is wrong because it's not needed. Option C is not the cause.

Option D is not necessary.

206
MCQmedium

An organization uses AWS Systems Manager Incident Manager for incident response. They have created a response plan with an engagement plan that pages the on-call engineer via SMS. The engineer acknowledges the incident but then does not take any further action. What is the BEST way to automate escalation?

A.Manually re-page the on-call engineer with a higher urgency.
B.Use Amazon CloudWatch Events to trigger a second SMS if the incident is not resolved within a time frame.
C.Create an AWS Lambda function that checks the incident status and pages the next responder if no action is taken.
D.Configure an escalation plan in the response plan that pages a secondary contact after a specified timeout.
AnswerD

This is a built-in feature.

Why this answer

Option D is correct because Systems Manager Incident Manager supports escalation plans with timeouts and multiple engagement levels. Option C is wrong because Lambda is not needed. Option B is wrong because CloudWatch Events is not the escalation mechanism.

Option A is wrong because it requires manual re-paging.

207
MCQeasy

A DevOps engineer runs this command to list resources of a CloudFormation stack. The stack status is 'CREATE_COMPLETE'. However, the EC2 instance 'i-0abcd1234efgh5678' was manually terminated by another team. The engineer wants to restore the stack to its intended state without deleting the stack. What should the engineer do?

A.Import the terminated instance back into the stack.
B.Update the stack with the original template.
C.Create a new stack with the same template and delete the old one.
D.Perform a stack drift detection and then manually fix the drift.
AnswerB

CloudFormation will detect that the instance is missing and recreate it.

Why this answer

Option B is correct because updating the stack with the original template will cause CloudFormation to recreate the terminated instance. Option D is wrong because the stack is not in a failed state. Option C is wrong because creating a new stack would cause duplication.

Option A is wrong because the instance is not managed outside the stack.

208
Multi-Selectmedium

A DevOps engineer is investigating a security incident where an EC2 instance was compromised. The engineer needs to collect forensic data without losing volatile information. Which TWO actions should the engineer take? (Choose two.)

Select 2 answers
A.Detach the EBS volumes and attach them to a forensic instance.
B.Retrieve the instance metadata from the console.
C.Create a snapshot of the attached EBS volumes.
D.Collect a memory dump from the instance before stopping it.
E.Terminate the instance immediately to prevent further access.
AnswersC, D

Snapshot preserves disk state for later analysis.

Why this answer

Option C is correct because taking a snapshot of the EBS volume preserves the disk state for analysis. Option D is correct because collecting a memory dump captures volatile data like running processes and network connections. Option E is wrong because terminating the instance destroys evidence.

Option A is wrong because detaching the volume stops the instance, and if the instance is stopped, memory is lost; it is better to snapshot while running. Option B is wrong because the instance metadata is not volatile and can be retrieved later.

209
MCQhard

A company runs a critical application on Amazon RDS for PostgreSQL. The database experiences periodic slowdowns. The team wants to monitor the number of active connections and the query execution time. Which approach is most cost-effective?

A.Install the CloudWatch agent on the RDS instance to collect custom metrics.
B.Use the RDS console to view the 'DatabaseConnections' and 'QueryExecutionTime' metrics.
C.Enable Performance Insights and set up CloudWatch alarms on the 'DBLoad' metric.
D.Enable Enhanced Monitoring and publish metrics to CloudWatch, then create alarms on relevant metrics.
AnswerD

Enhanced Monitoring provides detailed metrics at no extra cost.

Why this answer

Option D is correct because Enhanced Monitoring provides metrics like active connections and query execution time at no additional cost beyond CloudWatch. Option C is wrong because Performance Insights incurs additional cost. Option B is wrong because the RDS console shows basic metrics but not query-level detail.

Option A is wrong because using a custom solution is more complex and may incur extra costs.

210
MCQhard

A company is using AWS CloudFormation to deploy infrastructure. The security team wants to ensure that any changes to IAM roles must be reviewed and approved by a security engineer before deployment. The DevOps engineer needs to implement a gating mechanism. Which approach should the engineer use?

A.Use AWS Config to detect changes to IAM roles and trigger a Lambda function that reverts the change.
B.Apply a service control policy that denies iam:CreateRole and iam:UpdateAssumeRolePolicy across the organization.
C.Add a condition to the IAM policy that requires MFA for any CloudFormation action.
D.Create a CodePipeline that deploys CloudFormation stacks and include a manual approval step for changes that modify IAM resources.
AnswerD

Manual approval step enforces review before deployment.

Why this answer

Option D is correct because CloudFormation deployments with approval gates in CodePipeline allow manual approval steps before applying updates. Option A is wrong because AWS Config detects changes but does not prevent them. Option C is wrong because IAM policy conditions cannot prevent CloudFormation from creating roles.

Option B is wrong because service control policies affect all actions, not just IAM changes, and are too broad.

211
MCQhard

A company uses DynamoDB global tables in two AWS Regions with strong consistency reads. They observe occasional write conflicts that are not being resolved automatically. The application uses DynamoDBMapper with optimistic locking. What should the DevOps engineer do to ensure conflict resolution?

A.Implement a custom conflict resolution using DynamoDB Streams and AWS Lambda.
B.Switch to eventual consistency reads to reduce conflicts.
C.Add a third global table region to increase redundancy.
D.Use conditional writes with a version number attribute to ensure updates are applied only to the latest version.
AnswerD

Conditional writes with versioning enable optimistic locking, allowing only the latest version to be updated, which aligns with LWW.

Why this answer

Option D is correct because DynamoDB global tables use last-writer-wins (LWW) for conflict resolution by default, but when using DynamoDBMapper with optimistic locking, the application must implement conditional writes with a version number attribute to ensure updates are applied only to the latest version. This prevents stale updates from overwriting newer data, as the conditional write will fail if the version number in the request does not match the current version in the table, allowing the application to retry with the updated version.

Exam trap

The trap here is that candidates may think DynamoDB global tables automatically resolve all conflicts, but they overlook that DynamoDBMapper's optimistic locking requires explicit conditional writes with a version attribute to prevent lost updates in multi-region scenarios.

How to eliminate wrong answers

Option A is wrong because DynamoDB Streams and Lambda can be used for custom conflict resolution, but the question states that the application uses DynamoDBMapper with optimistic locking, which already provides a built-in mechanism (conditional writes with versioning) that should be used instead of introducing unnecessary complexity. Option B is wrong because switching to eventual consistency reads does not resolve write conflicts; it only reduces the likelihood of reading stale data, but conflicts still occur and must be handled at the write level. Option C is wrong because adding a third region does not resolve write conflicts; it increases the number of regions where concurrent writes can occur, potentially increasing conflict frequency, and global tables still rely on LWW or conditional writes for conflict resolution.

212
Multi-Selectmedium

Which THREE are components of the AWS Shared Responsibility Model? (Choose THREE.)

Select 3 answers
A.AWS is responsible for patching customer applications on EC2
B.Customers are responsible for managing IAM users and permissions
C.AWS is responsible for managing customer IAM roles
D.Customers are responsible for securing their data in the cloud
E.AWS is responsible for the security of the cloud infrastructure
AnswersB, D, E

IAM is customer-managed.

Why this answer

Option E is correct: AWS secures the infrastructure. Option D is correct: customers secure their data. Option B is correct: customers manage IAM.

Option C is wrong: AWS does not manage customer IAM. Option A is wrong: AWS does not patch customer applications.

213
Multi-Selectmedium

A company uses AWS CodePipeline to automate deployments. The pipeline consists of Source, Build, and Deploy stages. The Build stage uses CodeBuild, and the Deploy stage uses CodeDeploy. Recently, the pipeline failed at the Deploy stage with an error: 'The deployment group does not exist'. Which TWO actions should the team take to resolve this issue?

Select 2 answers
A.Verify that the deployment group name specified in the pipeline's Deploy stage matches the actual deployment group name in CodeDeploy.
B.Confirm that the pipeline and the CodeDeploy deployment group are in the same AWS Region.
C.Increase the timeout for the Deploy stage to allow more time for the deployment group to be created.
D.Ensure that the CodeBuild project has permissions to access the CodeDeploy deployment group.
E.Check that the CodeDeploy application exists in the same AWS account as the pipeline.
AnswersA, B

A typo or mismatch in the deployment group name causes this error.

Why this answer

Options A and B are correct: the deployment group name must match exactly, and the pipeline must be in the same Region. Option D is not required. Option C is not a common cause.

Option E is not related.

214
MCQeasy

A DevOps engineer is troubleshooting an issue where an EC2 instance running Amazon Linux 2 is not receiving commands from AWS Systems Manager Run Command. The instance has the SSM Agent installed and is running. What should the engineer verify FIRST?

A.Verify the instance has outbound internet access to the SSM endpoints.
B.Confirm the instance's clock is synchronized with NTP.
C.Ensure the SSM Agent is the latest version.
D.Check that the instance has an IAM role with the AmazonSSMManagedInstanceCore policy.
AnswerD

Without the correct IAM role, the instance cannot authenticate with SSM.

Why this answer

Option D is correct because the instance needs an IAM role with the AmazonSSMManagedInstanceCore policy to communicate with Systems Manager. Without it, the SSM Agent cannot call the SSM API. Option C is wrong because the agent is already running.

Option A is wrong because outbound internet access is not strictly required if using VPC endpoints. Option B is wrong because time synchronization is important but not the first thing to check.

215
MCQmedium

A company is using AWS Lambda functions for data processing. The operations team needs to monitor the number of invocations, duration, and error counts for each function. They also want to set alarms when the error rate exceeds 5% in a 5-minute period. Which combination of AWS services should the team use to achieve this with minimal effort?

A.Use AWS CloudTrail to log Lambda invocations and configure CloudWatch alarms on the log events.
B.Enable Lambda Insights to collect detailed metrics and use CloudWatch dashboards to monitor error rates.
C.Stream Lambda logs to CloudWatch Logs and use CloudWatch Logs Insights to query error rates, then create alarms.
D.Use CloudWatch metrics published by Lambda and create a CloudWatch alarm on the ErrorCount metric with a math expression to calculate error rate.
AnswerD

Lambda emits metrics automatically; alarms can be set directly.

Why this answer

Option D is correct because Lambda automatically publishes metrics to CloudWatch (invocations, duration, errors, etc.). CloudWatch Alarms can be set on the ErrorCount metric, and a math expression can calculate the error rate. Option A is wrong because CloudTrail logs API calls, not function execution metrics.

Option C is wrong because CloudWatch Logs Insights is for log analysis, but the metrics are already available. Option B is wrong because Lambda Insights is for detailed performance monitoring but is not necessary for basic metrics and alarms.

216
MCQmedium

An S3 bucket has the above bucket policy. What is the net effect on GetObject requests?

A.All anonymous users can read objects
B.All requests are denied
C.Only requests from IP range 192.0.2.0/24 are allowed
D.Only authenticated users can read objects
AnswerC

Deny with condition allows only that IP range.

Why this answer

The Allow statement grants public read access. The Deny statement denies all S3 actions when the source IP is not in 192.0.2.0/24. Since a Deny overrides an Allow, only requests from within that IP range are allowed.

Option C is correct.

217
MCQhard

An AWS account owner (Account A) owns an S3 bucket named my-bucket. The bucket policy shown in the exhibit is attached to the bucket. A user from Account B attempts to upload an object to the bucket without specifying the x-amz-acl header. What will happen?

A.The upload fails because the bucket policy requires the object ACL to be set, but the default ACL allows the upload anyway.
B.The upload succeeds because the bucket policy does not explicitly deny the request.
C.The upload succeeds because the bucket policy allows s3:PutObject for any principal.
D.The upload fails because the bucket policy requires the x-amz-acl header to be set to bucket-owner-full-control.
AnswerD

Without the header, the condition fails.

Why this answer

Option D is correct. The condition requires the x-amz-acl header to be set to bucket-owner-full-control. If the header is not specified, the condition fails, and the request is denied.

Option A is wrong because the condition is not met. Option B is wrong because the policy does not grant permission without the header. Option C is wrong because the bucket policy evaluates before the object ACL.

218
MCQmedium

A DevOps engineer created the IAM policy shown in the exhibit and attached it to a user. The user tries to upload an object to my-bucket without specifying the ACL. Why does the upload fail?

A.The Effect should be Deny for this policy to work
B.The resource ARN is incorrect; it should be arn:aws:s3:::my-bucket
C.The user does not have permission to list the bucket
D.The policy condition requires the ACL to be bucket-owner-full-control, but the user did not specify it
AnswerD

The condition is not met, so the request is implicitly denied.

Why this answer

The policy condition requires the ACL to be 'bucket-owner-full-control'. If the user does not specify an ACL, the default is usually 'private', which does not satisfy the condition. Therefore the action is denied.

The resource ARN is correct. The action is allowed. The condition specifies StringEquals, which is correct for comparison.

219
MCQhard

An IAM policy is attached to a user who needs to create a CloudFormation stack that provisions an EC2 instance and an S3 bucket. The user receives an 'Access Denied' error when running the 'aws cloudformation create-stack' command. Which additional permission is required?

A.ec2:RunInstances and s3:CreateBucket
B.s3:PutObject
C.cloudformation:DescribeStacks
D.iam:PassRole
AnswerA

CloudFormation uses the user's permissions to create the resources defined in the template.

Why this answer

Option A is correct because to create a stack that provisions EC2 and S3 resources, the user must have permissions for those resource types (ec2:RunInstances, s3:CreateBucket) in addition to cloudformation:CreateStack. Option C is incorrect because the user already has cloudformation:CreateStack. Option B is incorrect because the user already has s3:GetObject.

Option D is incorrect because iam:PassRole is needed only if a role is passed, which is not mentioned.

220
MCQmedium

A company uses AWS CodePipeline with Amazon S3 as the source stage. The pipeline triggers on object creation events in the S3 bucket. The development team notices that the pipeline does not trigger when multiple files are uploaded simultaneously. What is the most likely cause?

A.Amazon S3 event notifications are not guaranteed to be delivered for bulk operations.
B.The S3 event notification filter is set to only include objects with a specific prefix or suffix that does not match the uploaded files.
C.CodePipeline does not support triggering from S3 event notifications when multiple files are uploaded simultaneously.
D.The S3 bucket versioning is not enabled, causing events to be lost.
AnswerB

Why this answer

Option B is correct because Amazon S3 event notifications can be filtered by prefix and suffix. If the filter is configured to only match objects with a specific prefix or suffix (e.g., `images/` or `.zip`), and the uploaded files do not match that filter, the event notification will not be sent to CodePipeline, causing the pipeline not to trigger. This is the most likely cause when the pipeline fails to trigger on simultaneous uploads, as the filter configuration is a common misconfiguration.

Exam trap

The trap here is that candidates may incorrectly attribute the issue to a limitation of S3 event notifications or CodePipeline with bulk uploads, rather than recognizing that the most likely cause is a misconfigured event notification filter that excludes the uploaded files.

Why the other options are wrong

Option A is wrong because S3 event notifications are designed to deliver events for each object creation, though there may be occasional delays or duplicates.

Option C is wrong because CodePipeline supports S3 event notifications and can handle multiple triggers.

Option D is wrong because versioning is not required for event notifications; events are sent regardless.

221
Multi-Selectmedium

A company is using Amazon CloudWatch to monitor its production environment. The operations team receives alerts for the same underlying issue from multiple alarms, causing alert fatigue. The team wants to reduce noise and consolidate alerts into actionable notifications. Which TWO steps should the team take? (Choose two.)

Select 2 answers
A.Configure the CloudWatch alarms to publish to an SNS topic, and use SNS subscription filter policies to route only critical notifications.
B.Use CloudWatch Evidently to run experiments and filter out false alarms.
C.Use CloudWatch composite alarms to combine multiple alarms into a single alarm that triggers only when certain conditions are met.
D.Use CloudWatch Logs Insights to query logs and create alarms based on the query results.
E.Use AWS Config rules to automatically suppress alarms that are not compliant.
AnswersA, C

SNS filter policies can reduce noise by sending only relevant messages.

Why this answer

Options A and C are correct. CloudWatch composite alarms can combine multiple alarms into a single alarm with OR/AND logic (Option C). CloudWatch can publish to an SNS topic, and you can filter messages to reduce noise (Option A).

Option D (CloudWatch Logs Insights) is for querying logs, not for alert consolidation. Option B (CloudWatch Evidently) is for feature flags. Option E (Config rules) is for compliance, not alerting.

222
MCQhard

A company uses AWS CodePipeline with multiple stages: Source (Amazon S3), Build (AWS CodeBuild), and Deploy (AWS CodeDeploy). The build stage runs a series of tests, and if they pass, the pipeline proceeds to deploy. Recently, a developer committed a change that passed all tests but caused a production outage. The team wants to add an approval step before the deploy stage, but they also want to ensure that only changes from specific branches can be deployed. What is the MOST secure and maintainable way to enforce this?

A.Use a Lambda function in the pipeline to check the branch name and fail if not allowed.
B.Add a manual approval step in the pipeline and rely on the approver to verify the branch.
C.Create a separate pipeline for each allowed branch, with the approval step only in the production pipeline.
D.Tag the source artifacts with the branch name and use a condition in CodePipeline to allow only specific tags.
AnswerC

Isolating pipelines prevents direct deployment from unauthorized branches.

Why this answer

Option C is correct because it enforces branch-based deployment at the pipeline level, ensuring that only changes from specific branches trigger the production pipeline with the approval step. This approach is secure and maintainable as it leverages AWS CodePipeline's native ability to trigger on branch events, avoiding custom logic or manual verification. By isolating production deployments to a dedicated pipeline, the team reduces the risk of unauthorized or untested code reaching production.

Exam trap

The trap here is that candidates often overestimate the flexibility of CodePipeline's built-in filtering or underestimate the security and maintainability benefits of using separate pipelines per branch, leading them to choose a custom Lambda solution (Option A) that introduces unnecessary complexity and risk.

How to eliminate wrong answers

Option A is wrong because using a Lambda function to check the branch name and fail the pipeline introduces custom code that must be maintained, tested, and secured, increasing complexity and potential failure points; it also fails the pipeline after the build stage, wasting resources. Option B is wrong because relying on a manual approver to verify the branch is error-prone and not automated, violating the principle of secure, maintainable enforcement; it depends on human diligence rather than system-level controls. Option D is wrong because CodePipeline does not support conditions that filter based on artifact tags; tagging source artifacts with branch names does not natively restrict pipeline execution, and such a condition would require custom logic, making it less secure and maintainable.

223
MCQeasy

A company uses AWS OpsWorks for configuration management. They need to automate the installation of a custom package on all instances in a layer. Which OpsWorks feature should they use?

A.AWS CodeDeploy AppSpec file
B.AWS CloudFormation custom resources
C.Custom Chef recipes associated with lifecycle events
D.AWS Systems Manager Run Command
AnswerC

Custom recipes run on lifecycle events like Setup to install packages.

Why this answer

Custom recipes in OpsWorks allow running Chef recipes on instance lifecycle events. Option C is correct. Lifecycle events (Setup, Configure, Deploy, Undeploy, Shutdown) trigger the recipes.

Options A, B, and D are not OpsWorks features.

224
MCQhard

A DevOps engineer is troubleshooting an AWS Lambda function that processes messages from an Amazon SQS queue. The function is invoked successfully, but it frequently times out after 15 seconds. The function's CloudWatch Logs show that the timeout occurs while the function is making an HTTP request to an external API. The function's reserved concurrency is set to 5, and the SQS queue has a visibility timeout of 30 seconds. Which change would MOST effectively reduce the number of timeouts?

A.Increase the Lambda function's timeout to 30 seconds.
B.Increase the SQS queue's visibility timeout to 60 seconds.
C.Decrease the SQS batch size to 1.
D.Increase the Lambda function's reserved concurrency to 10.
AnswerA

Increasing the timeout gives the HTTP request more time to complete, reducing timeouts.

Why this answer

Option A is correct because increasing the Lambda function timeout to 30 seconds gives the HTTP request more time to complete, reducing timeouts. Option D is wrong because increasing concurrency would not help if the issue is the timeout duration. Option C is wrong because decreasing the batch size might reduce load but does not address the timeout for individual invocations.

Option B is wrong because increasing the visibility timeout could cause duplicate processing but does not fix the Lambda timeout.

225
MCQeasy

A company uses AWS CodeBuild for CI/CD. The build project needs to access a private S3 bucket to download artifacts. What is the MOST secure way to grant access?

A.Embed the access keys in the buildspec.yml file.
B.Create an IAM role with read access to the bucket and attach it to the CodeBuild project.
C.Use an S3 bucket policy that grants public read access.
D.Store AWS access keys in CodeBuild environment variables.
AnswerB

IAM roles provide temporary credentials and are more secure.

Why this answer

Using an IAM role with a trust policy for CodeBuild is the most secure method because it avoids long-term credentials. Option B is correct. Option D is wrong because storing access keys in environment variables is less secure.

Option A is wrong because embedding keys in the buildspec file is insecure. Option C is wrong because bucket policies can be used but require the principal to be an IAM user/role; either way, the build project should use a role.
