AWS Certified DevOps Engineer Professional DOP-C02 (DOP-C02) — Questions 226-300

1740 questions total · 24 pages · All types, answers revealed


Page 4 of 24

226
MCQ · hard

A company is using AWS CodePipeline for CI/CD with CloudFormation as the deployment action. The pipeline fails intermittently with the error 'Rate exceeded' when creating or updating stacks. What is the most likely cause and solution?

A. The stack has a stack policy that prevents updates; modify the stack policy.
B. The IAM role used by CloudFormation does not have sufficient permissions; update the role policy.
C. The CloudFormation API rate limit is being hit; request a limit increase from AWS Support.
D. The pipeline is exceeding the CodePipeline execution frequency limit; reduce the number of pipeline executions.
Answer: C

Rate exceeded errors indicate API throttling; increasing the limit resolves it.

Why this answer

Option C is correct because CloudFormation has an account-level rate limit for API calls, and the error indicates the limit is being exceeded. The solution is to request a limit increase. Option D is wrong because CodePipeline does not have a rate limit that would cause this specific error.

Option B is wrong because IAM permissions would cause an 'AccessDenied' error, not 'Rate exceeded'. Option A is wrong because stack policies do not cause rate limit errors.

227
MCQ · medium

A company uses AWS OpsWorks for Chef Automate. They have a stack that includes a PHP application layer. The application requires a custom PHP configuration file. The DevOps engineer creates a custom Chef cookbook with a recipe that deploys the configuration file. The recipe is assigned to the layer's Setup lifecycle event. The engineer notices that the configuration file is not being created on new instances when they are added to the layer. The cookbook is stored in a private S3 bucket. The engineer has verified that the cookbook is correctly associated with the stack. What should the engineer do to fix the issue?

A. Assign the recipe to the Configure lifecycle event instead of Setup
B. Verify that the recipe is included in the cookbook's default.rb file
C. Update the cookbook version to the latest
D. Ensure that the instance profile has permissions to read from the S3 bucket where the cookbook is stored
Answer: D

Without S3 read access, the cookbook cannot be downloaded.

Why this answer

Option D is correct because OpsWorks requires that the cookbook be installed on the instance before the lifecycle event runs. The cookbook is in a private S3 bucket, so the instance needs permission to access it. The engineer should ensure that the stack's custom cookbook source is configured with the correct S3 bucket and that the instance profile has permissions to read from the bucket.

Option A is wrong because the recipe is assigned to the correct lifecycle event. Option C is wrong because the cookbook version is not the issue. Option B is wrong because the recipe is in the cookbook.

228
MCQ · hard

A company runs a stateful application on EC2 instances with instance store volumes. The application requires low-latency access to data. The operations team needs to ensure that instance failure does not result in data loss. Which solution is MOST resilient?

A. Use instance store volumes with RAID 1 across multiple instances.
B. Replicate data in real time to an EBS volume and take periodic snapshots.
C. Use larger instance types with more instance store capacity.
D. Create an AMI of the instance periodically to capture the data.
Answer: B

EBS provides persistent storage and snapshots enable recovery.

Why this answer

Option B is correct because replicating data to EBS and taking snapshots provides persistent storage and disaster recovery. Option A is wrong because instance store volumes are ephemeral. Option C is wrong because increasing instance size does not prevent data loss.

Option D is wrong because an AMI does not capture data from instance store volumes.

229
MCQ · medium

A company runs a critical application on Amazon ECS with Fargate launch type. The application is deployed across multiple Availability Zones. The DevOps team needs to ensure that if an entire Availability Zone fails, the application continues to serve traffic without manual intervention. What should the team do?

A. Use an Amazon ECS service auto-scaling policy to automatically replace tasks in the failed AZ.
B. Configure the ALB to enable cross-zone load balancing and enable the ECS service's AZ rebalancing feature.
C. Configure the ECS service to run tasks in at least two Availability Zones and enable the ECS service auto-recovery feature.
D. Set the ECS service's minimum healthy percent to 100 and maximum percent to 200.
Answer: C

Multi-AZ deployment plus auto-recovery ensures resilience.

Why this answer

Option C is correct because the ECS service's AZ rebalancing feature automatically redistributes tasks across Availability Zones when an imbalance is detected, such as after an AZ failure. By configuring the service to run tasks in at least two AZs and enabling this feature, the ECS service will automatically launch replacement tasks in the remaining healthy AZs to maintain the desired count, ensuring continued traffic serving without manual intervention.

Exam trap

The trap here is that candidates often confuse auto-scaling (which adjusts capacity based on demand) with AZ rebalancing (which redistributes tasks after an AZ failure), leading them to choose Option A or B, or they mistakenly think deployment configuration settings like minimum/maximum percent (Option D) can handle AZ failures.

How to eliminate wrong answers

Option A is wrong because ECS service auto-scaling policies adjust the desired task count based on metrics like CPU or memory, but they do not automatically replace tasks lost due to an AZ failure; they only scale based on demand, not availability. Option B is wrong because ALB cross-zone load balancing distributes traffic across all AZs but does not replace failed tasks; the ECS service's AZ rebalancing feature is the correct mechanism for task redistribution after an AZ failure. Option D is wrong because setting minimum healthy percent to 100 and maximum percent to 200 controls deployment behavior (e.g., rolling updates) but does not address AZ failure recovery; it prevents task replacement during deployments but does not trigger automatic task redistribution after an AZ outage.

230
MCQ · hard

A company uses Terraform to manage AWS infrastructure. They have a state file stored in an S3 bucket with DynamoDB locking. After a failed 'terraform apply', the state file is locked. The DevOps engineer tries to run 'terraform plan' but gets an error: 'Error acquiring the state lock'. What should the engineer do to resolve this issue?

A. Manually delete the lock item from the DynamoDB table
B. Wait for the lock to expire automatically
C. Run 'terraform force-unlock' with the lock ID
D. Delete the state file from S3 and re-run terraform init
Answer: C

This is the intended way to remove a stuck lock.

Why this answer

Option C is correct because the lock is stored in DynamoDB and can be forcefully removed using 'terraform force-unlock' after verifying no other process is using it. Option D is wrong because deleting the state file from S3 would lose the state. Option A is wrong because modifying the DynamoDB table directly is not recommended.

Option B is wrong because waiting indefinitely is not a solution.

231
Multi-Select · easy

Which TWO are best practices for securing an Amazon RDS database? (Choose 2)

Select 2 answers
A. Enable public accessibility for easy management.
B. Use a single Availability Zone to reduce complexity.
C. Launch the RDS instance in a private subnet.
D. Enable encryption at rest using AWS KMS.
E. Grant direct IAM user access to the database.
Answers: C, D

Placing the database in a private subnet restricts direct internet access.

Why this answer

Option C (private subnet) and Option D (encryption at rest) are correct. Option A is wrong because public accessibility should be disabled. Option B is wrong because a single Availability Zone reduces availability, not security.

Option E is wrong because IAM users are not used for database authentication directly; RDS supports IAM database authentication, but it is not a best practice for all cases.

232
Multi-Select · easy

A DevOps engineer notices that a critical Lambda function occasionally times out. The engineer wants to monitor the function's duration and log the timeout errors for analysis. Which TWO steps should the engineer take to achieve this? (Select TWO.)

Select 2 answers
A. Enable CloudWatch Logs for the Lambda function to capture logs.
B. Store Lambda logs in an Amazon S3 bucket for analysis.
C. Create a CloudWatch metric filter to monitor the Duration metric and set an alarm.
D. Use AWS X-Ray to trace the function and view duration in the X-Ray console.
E. Enable AWS CloudTrail to log all Lambda function invocations.
Answers: A, C

CloudWatch Logs captures Lambda execution logs, including timeout errors.

Why this answer

Option A is correct because CloudWatch Logs can capture Lambda function logs, including error messages. Option C is correct because CloudWatch metrics can track the Duration metric. Option D is wrong because X-Ray traces requests but does not directly log errors or track duration in CloudWatch.

Option E is wrong because CloudTrail logs API calls, not function execution. Option B is wrong because S3 is not a monitoring service.

233
MCQ · easy

A development team uses AWS CodeBuild to compile a Java application and run unit tests. The build takes 30 minutes, but the team wants to reduce build time. The codebase has not changed significantly, and dependencies are stable. Which action would be MOST effective in reducing build time?

A. Configure CodeBuild to cache dependencies in an Amazon S3 bucket.
B. Move the build process to a local developer machine to avoid CodeBuild overhead.
C. Reduce the number of unit tests executed in the build phase.
D. Increase the compute type of the build environment to a larger instance.
Answer: A

Caching avoids re-fetching dependencies every build.

Why this answer

Caching dependencies in an Amazon S3 bucket allows CodeBuild to reuse previously downloaded Maven/Gradle dependencies across builds, eliminating the need to re-download them each time. Since the codebase and dependencies are stable, this directly reduces the build time by avoiding repeated network transfers of large artifact repositories.

Exam trap

The trap here is that candidates assume a larger compute instance always speeds up builds, overlooking that network-bound operations like dependency downloads are not significantly improved by CPU or memory upgrades.

How to eliminate wrong answers

Option B is wrong because moving the build to a local developer machine sacrifices consistency, scalability, and auditability, and does not address the core issue of dependency download overhead in CodeBuild. Option C is wrong because reducing unit tests compromises code quality and test coverage, and the question states the team wants to reduce build time without changing the codebase significantly — removing tests is not a valid optimization. Option D is wrong because increasing the compute type primarily accelerates CPU-bound tasks (compilation), but the bottleneck here is likely network-bound dependency downloads; a larger instance does not reduce the time spent downloading unchanged dependencies.

234
MCQ · easy

A company is using Amazon RDS for MySQL with Multi-AZ deployment. During a recent failover, the application experienced a brief downtime because the DNS cache on the application servers still pointed to the old primary. How can a DevOps engineer minimize this downtime?

A. Use an RDS Proxy to manage connections and reduce DNS dependency.
B. Configure the application to use the Multi-AZ endpoint instead of the primary endpoint.
C. Configure application servers to use a hardcoded IP address instead of the RDS endpoint.
D. Increase the TTL on the RDS DNS record.
Answer: A

RDS Proxy provides a stable endpoint and handles failover transparently.

Why this answer

Option A is correct because using RDS Proxy provides a stable endpoint and connection pooling, reducing failover impact. Option D is wrong because increasing the TTL increases the caching duration, worsening the issue. Option C is wrong because RDS updates the endpoint's CNAME automatically on failover, so a hardcoded IP address would keep pointing at the old primary.

Option B is wrong because there is no dedicated endpoint for Multi-AZ; the same CNAME is used.

235
MCQ · easy

A company wants to receive real-time notifications when their Auto Scaling group launches or terminates EC2 instances. Which AWS service should they use?

A. Amazon CloudWatch alarm on the GroupTotalInstances metric.
B. AWS Config rules to detect changes in Auto Scaling groups.
C. AWS CloudTrail to monitor Auto Scaling API calls.
D. Amazon SNS notifications from the Auto Scaling group.
Answer: D

Auto Scaling can publish to SNS on instance launch/terminate.

Why this answer

Option D is correct because Auto Scaling groups can send lifecycle notifications to Amazon SNS, which can then send emails or invoke Lambda. Option A is wrong because CloudWatch alarms are for metric thresholds, not lifecycle events. Option B is wrong because Config evaluates resource configurations.

Option C is wrong because CloudTrail records API calls but does not provide real-time notifications.

236
Multi-Select · hard

Which THREE actions are best practices for managing secrets in AWS CloudFormation templates? (Choose three.)

Select 3 answers
A. Use AWS CloudFormation parameters with the NoEcho property set to true.
B. Use AWS Systems Manager Parameter Store secure string parameters with dynamic references.
C. Use AWS Secrets Manager dynamic references to retrieve secrets at deployment time.
D. Encrypt the CloudFormation template file with AWS KMS.
E. Store secrets as plaintext in the template parameters.
Answers: A, B, C

NoEcho prevents secrets from being displayed in the console.

Why this answer

Option A is correct because setting the NoEcho property to true on a CloudFormation parameter prevents the parameter value from being returned in API calls or displayed in the console, which is a basic mechanism for masking secrets. However, this alone does not encrypt the value at rest or in transit, and the value is still passed as plaintext in the template, so it is considered a best practice only when combined with other secure methods like dynamic references.

Exam trap

The trap here is that candidates often think encrypting the template file (Option D) is sufficient for secret protection, but they overlook that secrets remain exposed during stack operations unless dynamic references or NoEcho are used.

237
MCQ · hard

A company uses AWS Organizations to manage multiple accounts. The security team wants to ensure that no member account can disable AWS CloudTrail or delete CloudTrail logs. What is the most effective way to enforce this control?

A. Require all accounts to use the same CloudTrail trail.
B. Apply a Service Control Policy that denies cloudtrail:DeleteTrail and cloudtrail:StopLogging.
C. Create an IAM policy in each account that denies cloudtrail:DeleteTrail.
D. Configure CloudTrail to log to an S3 bucket in a centralized logging account and deny access to the bucket from member accounts.
Answer: B

SCPs are applied at the organization level and cannot be overridden by account admins.

Why this answer

Option B is correct because a Service Control Policy (SCP) can deny actions like cloudtrail:DeleteTrail and cloudtrail:StopLogging across all accounts in the organization. Option D is wrong because CloudTrail is a regional service, and a trail could still be stopped in a region even if the central bucket is protected, which would still affect the logs. Option C is wrong because IAM policies are per-account and can be overridden by account admins.

Option A is wrong because limiting to one trail is not a control; accounts could still modify that trail.

238
MCQ · medium

A company uses Amazon RDS Multi-AZ for disaster recovery. The primary DB instance in us-east-1a fails. What happens next?

A. The standby DB instance in us-east-1b is promoted automatically and the CNAME record is updated
B. The administrator must manually promote the standby instance
C. The primary instance is automatically rebuilt in the same AZ
D. A read replica in us-east-1b is automatically promoted to primary
Answer: A

RDS Multi-AZ performs automatic failover.

Why this answer

RDS Multi-AZ automatically fails over to the standby in a different Availability Zone within minutes. Option B is wrong because no manual intervention is needed. Option C is wrong because the standby in another AZ is promoted and the CNAME is updated automatically; the instance is not rebuilt in the same AZ.

Option D is wrong because Multi-AZ provides automatic failover to the standby, not to a read replica.

239
MCQ · hard

An organization uses AWS CodePipeline with multiple stages: Source, Build, Deploy to Test, Deploy to Prod. They want to implement a canary deployment strategy for the production deployment. Which approach should they use?

A. Use a Lambda function in CodePipeline to manually adjust weights in Route53.
B. Use CodeDeploy with a canary deployment configuration in the Deploy to Prod stage.
C. Use an Elastic Load Balancer to gradually shift traffic using weighted target groups.
D. Use CloudFormation with a canary update policy in the Deploy to Prod stage.
Answer: B

CodeDeploy provides built-in canary traffic shifting for both EC2/On-Premises and Lambda.

Why this answer

CodeDeploy supports canary deployments with a deployment configuration that specifies a percentage of traffic to shift to the new version initially.

240
Multi-Select · hard

A company is using AWS Lambda to process sensitive data. The security team requires that the Lambda function only be invoked from within a specific VPC and that the function's environment variables be encrypted at rest. Which TWO actions should the DevOps engineer take to meet these requirements?

Select 2 answers
A. Enable AWS KMS encryption for the Lambda function's environment variables using a customer-managed key.
B. Enable encryption for CloudWatch Logs using a KMS key.
C. Configure the Lambda function to be VPC-enabled and set up a VPC endpoint for Lambda.
D. Assign an IAM execution role with permissions to access a KMS key.
E. Attach a resource-based policy to the Lambda function that denies invoke unless the request comes from the VPC.
Answers: A, C

KMS encryption protects environment variables at rest.

Why this answer

Option C is correct because configuring the Lambda function to access a VPC and using a VPC endpoint for Lambda ensures invocation only from within the VPC. Option A is correct because using AWS KMS to encrypt environment variables meets the encryption requirement. Option E is wrong because resource-based policies control which principals can invoke the function but cannot restrict invocation to a VPC origin alone.

Option B is wrong because CloudWatch Logs encryption is separate from environment variables. Option D is wrong because execution role permissions do not encrypt environment variables.

241
MCQ · medium

A team uses AWS CodePipeline to deploy a microservices application. The pipeline has a deploy action that uses AWS CloudFormation. The CloudFormation template creates an Amazon ECS service. The deployment fails because the ECS service cannot be updated. What is the most likely cause?

A. The CloudFormation stack already exists and is in a previous failed state.
B. The ECS service is in a steady state and cannot be modified.
C. The CodePipeline deploy action is configured with the wrong action type.
D. The IAM role used by CloudFormation does not have permission to update ECS services.
Answer: A

A failed stack must be deleted or updated with a changeset.

Why this answer

When a CloudFormation stack update fails, the stack enters a ROLLBACK_COMPLETE or UPDATE_ROLLBACK_COMPLETE state. In this state, the stack is considered to be in a 'failed' state and cannot be updated again until it is either deleted or the stack is manually continued with a rollback. CodePipeline's CloudFormation deploy action will attempt to perform a stack update, but CloudFormation rejects the request because the existing stack is in a non-updatable state, causing the pipeline deployment to fail.

Exam trap

The trap here is that candidates often assume the error is due to missing IAM permissions or a misconfigured action type, but the real issue is CloudFormation's requirement that stacks be in a valid state before updates can proceed.

How to eliminate wrong answers

Option B is wrong because an ECS service in a steady state (e.g., ACTIVE) can be modified via CloudFormation updates; the error is not due to the service being immutable. Option C is wrong because the deploy action type (CloudFormation) is correct for deploying infrastructure; the failure is not related to a misconfigured action type. Option D is wrong because if the IAM role lacked permissions, the error would be an access denied or authorization failure, not a generic 'cannot be updated' error from CloudFormation.

242
MCQ · medium

A company uses AWS CloudFormation to deploy a multi-tier application. The network team manages the VPC and subnets using a separate CloudFormation stack. The application team needs to reference the VPC ID and subnet IDs from the network stack. Which approach should the application team use to obtain these values?

A. Hardcode the VPC and subnet IDs in the application template.
B. Export the VPC ID and subnet IDs from the network stack using the 'Export' field and import them in the application stack using Fn::ImportValue.
C. Create the network stack as a nested stack inside the application stack.
D. Store the VPC and subnet IDs in AWS Systems Manager Parameter Store and retrieve them using dynamic references.
Answer: B

Cross-stack references allow sharing outputs between independent stacks.

Why this answer

Option B is correct because CloudFormation's Export and Fn::ImportValue mechanism allows cross-stack references without hardcoding or duplicating values. The network stack exports the VPC ID and subnet IDs using the Export field, and the application stack imports them via Fn::ImportValue, ensuring that changes in the network stack propagate automatically to dependent stacks.

Exam trap

The trap here is that candidates may confuse cross-stack references with nested stacks or parameter stores, but the exam specifically tests the Export/ImportValue pattern for decoupled stacks managed by different teams.

How to eliminate wrong answers

Option A is wrong because hardcoding VPC and subnet IDs creates brittle templates that break if the network stack is recreated or updated, violating infrastructure-as-code best practices. Option C is wrong because nesting the network stack inside the application stack would tightly couple the two teams' responsibilities, defeating the purpose of separate management and making it harder to update the network independently. Option D is wrong because while Systems Manager Parameter Store can store values, dynamic references in CloudFormation (e.g., '{{resolve:ssm:...}}') are resolved at stack creation time and do not automatically update when the parameter changes, unlike Fn::ImportValue which tracks the exported value across stacks.

243
Multi-Select · easy

A DevOps engineer is monitoring an Amazon EC2 Auto Scaling group. The engineer wants to receive notifications when instances are launched or terminated. Which TWO AWS services can be used together to achieve this? (Choose TWO.)

Select 2 answers
A. AWS X-Ray
B. AWS Config
C. Amazon CloudWatch Alarms
D. AWS CloudTrail
E. Amazon Simple Notification Service (SNS)
Answers: D, E

Correct: CloudTrail logs Auto Scaling API calls and can be used with EventBridge for notifications.

Why this answer

AWS CloudTrail captures API calls made to the EC2 Auto Scaling service, including RunInstances and TerminateInstances events. By sending these events to Amazon CloudWatch Logs, you can create metric filters that trigger CloudWatch Alarms, which then publish notifications to an SNS topic. This combination allows you to receive real-time notifications when instances are launched or terminated.

Exam trap

The trap here is that candidates often confuse CloudWatch Alarms as a standalone solution, but they require a data source (like CloudTrail logs) to detect instance lifecycle events, making the combination of CloudTrail and SNS the correct pairing.

244
MCQ · medium

A company uses AWS CloudFormation to deploy infrastructure. The DevOps team wants to receive notifications when a stack creation fails due to a resource limit exceeded error. Which approach should be used?

A. Create an Amazon EventBridge rule that matches CloudFormation resource limit exceeded events and sends to SQS.
B. Configure an SNS topic as a notification option in the CloudFormation stack, and subscribe an email endpoint.
C. Use AWS Config to detect when a stack is in a failed state.
D. Enable CloudTrail and create a CloudWatch alarm on the CreateStack API call.
Answer: B

CloudFormation can send stack events to SNS, which emails subscribers.

Why this answer

Option B is correct because CloudFormation natively supports sending stack events (including creation failures) to an SNS topic. By configuring an SNS topic as a notification option in the stack creation request, the DevOps team can subscribe an email endpoint to receive real-time notifications when a resource limit exceeded error occurs, without needing additional services or custom logic.

Exam trap

The trap here is that candidates often overcomplicate the solution by choosing EventBridge or CloudTrail-based monitoring, missing the fact that CloudFormation has a built-in, straightforward SNS notification feature specifically designed for real-time stack event alerts.

How to eliminate wrong answers

Option A is wrong because Amazon EventBridge does not natively emit a specific 'resource limit exceeded' event from CloudFormation; CloudFormation events in EventBridge are generic stack-level events (e.g., CREATE_FAILED) and would require custom filtering and parsing to detect the specific error message, making it less direct than using SNS. Option C is wrong because AWS Config is designed for resource compliance and configuration tracking, not for real-time monitoring of CloudFormation stack creation failures; it cannot trigger notifications for transient stack events like resource limit exceeded errors. Option D is wrong because enabling CloudTrail and creating a CloudWatch alarm on the CreateStack API call would only detect that a CreateStack call was made, not whether the stack creation failed due to a resource limit exceeded error; the alarm would fire on every CreateStack call, not on failures, and would require additional log filtering and metric filters to isolate the specific error.

245
MCQ · easy

A team uses AWS CodeDeploy to deploy an application to an Auto Scaling group. The deployment fails with the error: 'The overall deployment failed because too many individual instances failed deployment.' The instances are healthy and can connect to the CodeDeploy service. What is the most likely cause?

A. The Auto Scaling group launch configuration is incorrect.
B. The deployment group is not configured with the correct service role.
C. The appspec.yml file or lifecycle event scripts have errors.
D. The target revision is not accessible from the instances.
Answer: C

Lifecycle event scripts must succeed; otherwise the deployment fails per instance.

Why this answer

The appspec.yml file defines hooks like BeforeBlockTraffic, AfterInstall, etc. If these scripts exit with a non-zero code, the deployment fails.

246
MCQ · medium

A company uses AWS Lambda functions for data processing. The operations team notices that some functions are taking longer to execute than expected. They want to analyze the execution durations to identify functions that exceed the 75th percentile latency. Which CloudWatch feature should be used?

A. Use AWS X-Ray to trace the Lambda functions and analyze latency percentiles.
B. Use CloudWatch metrics with the percentile statistic for 'Duration'.
C. Use CloudWatch dashboards with a percentile widget on the 'Duration' metric.
D. Use CloudWatch Logs Insights to query the Lambda log groups and calculate custom percentiles using the `stats` command.
Answer: D

CloudWatch Logs Insights can parse duration from logs and calculate percentiles using the `stats` command.

Why this answer

Option D is correct because CloudWatch Logs Insights can query Lambda logs to calculate percentiles. Option B is wrong because CloudWatch metrics do not natively support percentile statistics for Lambda; they only provide p50, p90, etc., but not custom percentiles. Option A is wrong because X-Ray traces latency but not from logs.

Option C is wrong because CloudWatch dashboards display metrics but do not calculate percentiles from logs.

247
Multi-Select · hard

A company wants to monitor and detect anomalous API calls in their AWS account. Which THREE AWS services should they use together to achieve this?

Select 3 answers
A. AWS CloudTrail
B. Amazon Inspector
C. Amazon CloudWatch Logs
D. AWS Config
E. Amazon GuardDuty
Answers: A, C, E

CloudTrail logs API calls.

Why this answer

AWS CloudTrail is correct because it records all API calls made in the AWS account, providing the raw data needed to detect anomalous activity. By enabling CloudTrail on all regions and logging to a centralized S3 bucket, you capture the identity, source IP, and request parameters for every API call, which is essential for anomaly detection.

Exam trap

The trap here is that candidates often confuse AWS Config (which tracks resource configuration changes) with CloudTrail (which tracks API calls), or they think Amazon Inspector (a vulnerability scanner) can detect anomalous API behavior when it is designed for a completely different purpose.

248
Multi-Select · medium

A company is using Amazon CloudWatch to monitor a production environment. The DevOps team wants to receive notifications when the CPU utilization of an EC2 instance exceeds 90% for 5 consecutive minutes. Which TWO steps should the team take to achieve this? (Choose TWO.)

Select 2 answers
A. Enable detailed monitoring on the EC2 instance to get 1-minute metrics.
B. Configure an Amazon SNS topic and subscribe the team's email address to it, then set the alarm to send notifications to the SNS topic.
C. Create a CloudWatch alarm on the CPUUtilization metric with a threshold of 90% and an evaluation period of 5 consecutive minutes.
D. Create a CloudWatch Logs metric filter to count CPU utilization errors.
E. Create a CloudWatch dashboard to visualize CPU utilization.
Answers: B, C

SNS provides the notification channel for the alarm.

Why this answer

Option C (Create a CloudWatch alarm) and Option B (Configure an SNS topic) are correct. A CloudWatch alarm monitors the metric and triggers an action (e.g., an SNS notification) when the condition is met. Option E (Create a CloudWatch dashboard) is for visualization, not notification.

Option A (Enable detailed monitoring) is not required for this alarm; basic monitoring (5-minute) is sufficient for 5-minute evaluation periods. Option D (Create a CloudWatch Logs metric filter) is for logs, not EC2 metrics.

249
MCQ · easy

A company is using AWS CloudTrail to track API calls. They want to be notified immediately when an IAM user creates a new access key. Which combination of AWS services should be used?

A. Amazon CloudWatch Logs with a metric filter and alarm.
B. AWS Config with an AWS Lambda function.
C. Amazon CloudWatch Events (Amazon EventBridge) with an AWS Lambda function that sends an email via Amazon SES.
D. Amazon CloudWatch Events (Amazon EventBridge) with an Amazon SNS topic.
Answer: D

EventBridge can match CloudTrail events and trigger SNS for immediate notification.

Why this answer

Option D is correct: CloudTrail logs the event, CloudWatch Events (now Amazon EventBridge) can filter for that event, and SNS can send the notification. Option C is wrong because Lambda is not needed to filter; EventBridge can do it. Option A is wrong because CloudWatch Logs is not the native way to trigger on specific events; EventBridge is better.

Option B is wrong because Config is not for real-time event notification.

250
MCQmedium

A company uses AWS CodePipeline to deploy a static website to an S3 bucket. The pipeline includes a source stage (S3), a build stage (CodeBuild) that minifies assets, and a deploy stage that copies files to the production S3 bucket. The deploy stage uses 's3 sync' command. After a recent deployment, some users report seeing old content. What is the MOST likely cause?

A.The website is served through Amazon CloudFront, and the CloudFront distribution cache was not invalidated after the deployment.
B.The S3 bucket policy blocks public read access, so users get a 403 error.
C.The IAM role for CodeBuild does not have permissions to write to the S3 bucket.
D.The deploy stage uses 's3 cp' instead of 's3 sync', so new files are not uploaded.
AnswerA

CloudFront caches content; without invalidation, users see stale files.

Why this answer

Option A is correct because S3 does not automatically invalidate the CloudFront cache, so old cached files are served. Option D is incorrect because 's3 sync' does upload new files. Option B is incorrect because bucket policies don't affect content freshness.

Option C is incorrect because CodeBuild would fail if permissions were insufficient.

251
MCQmedium

A company uses AWS CodeCommit for source control. Developers frequently push large binary files (e.g., compiled JARs) to the repository, causing the repository size to grow rapidly and slowing down clone operations. The team wants to enforce a policy to reject pushes that contain files larger than 50 MB. Which approach should be used?

A.Configure a CodeCommit trigger that invokes an AWS Lambda function to validate file sizes and reject the push.
B.Set up an Amazon CloudWatch Events rule to monitor repository size and alert when it exceeds a threshold.
C.Create an IAM policy that denies the `codecommit:GitPush` action if the file size exceeds 50 MB.
D.Use a pre-receive hook in the repository to reject large files by generating an S3 pre-signed URL.
AnswerA

CodeCommit triggers allow custom validation before accepting a push.

Why this answer

Option A is correct because AWS CodeCommit supports custom triggers that invoke AWS Lambda functions on repository events, including pushes. By configuring a trigger for the 'push' event, a Lambda function can inspect each file in the push payload, check its size against the 50 MB threshold, and programmatically reject the push by returning an error response. This approach enforces the policy at the repository level without requiring client-side changes.

Exam trap

The trap here is that candidates confuse CodeCommit triggers with Git hooks (like pre-receive hooks) or assume IAM policies can enforce content-based rules, when in fact IAM cannot inspect file contents and CodeCommit does not support server-side Git hooks.

How to eliminate wrong answers

Option B is wrong because Amazon CloudWatch Events can monitor repository metrics and send alerts, but it cannot actively reject a push; it only provides post-hoc notification after the push has already occurred. Option C is wrong because IAM policies evaluate permissions based on the principal, action, and resource, but they cannot inspect the content or size of files being pushed; the `codecommit:GitPush` action does not support condition keys for file size. Option D is wrong because CodeCommit does not support server-side Git hooks such as pre-receive scripts; that mechanism is specific to self-managed Git servers. Generating an S3 pre-signed URL is also unrelated to rejecting pushes.

252
MCQeasy

A company runs a stateless web application on EC2 instances behind an Application Load Balancer. To improve resilience, which configuration should be used for the EC2 instances?

A.Use one EC2 instance with a larger instance type
B.Use a single, large EC2 instance in one Availability Zone
C.Use multiple EC2 instances in one Availability Zone with health checks disabled
D.Use multiple EC2 instances across two or more Availability Zones
AnswerD

Provides fault tolerance across AZs.

Why this answer

D is correct because deploying multiple EC2 instances across two or more Availability Zones (AZs) ensures high availability and fault tolerance. If one AZ fails, the Application Load Balancer (ALB) automatically routes traffic to healthy instances in other AZs, maintaining service continuity. This aligns with the AWS Well-Architected Framework's resilience best practices for stateless applications.

Exam trap

The trap here is that candidates may think scaling vertically (larger instance) or using multiple instances in a single AZ is sufficient, but the DOP-C02 exam specifically tests the requirement for multi-AZ deployment to achieve resilience against AZ failures.

How to eliminate wrong answers

Option A is wrong because using a single, larger EC2 instance creates a single point of failure; if that instance fails, the entire application goes down. Option B is wrong because placing a single large instance in one AZ does not protect against AZ-level failures, such as power outages or network disruptions. Option C is wrong because using multiple instances in one AZ with health checks disabled means the ALB cannot detect and route away from failed instances, and a single AZ failure still takes down all instances.

253
MCQeasy

A DevOps engineer is troubleshooting a failed build in AWS CodeBuild. The build log shows: 'Error: Cannot find module 'lodash'.' The buildspec.yml file lists 'npm install' as a command. What is the most likely cause?

A.The npm install command is running before the source is downloaded.
B.The lodash package is not compatible with the Node.js version.
C.The package.json file is missing or does not include lodash.
D.The build environment does not have internet access to download packages.
AnswerC

npm install reads package.json; if lodash is not listed, it won't be installed.

Why this answer

npm install may fail if the package.json file is not present or has errors. The missing module indicates that dependencies were not installed properly.

254
MCQhard

A company is using AWS CodeDeploy to deploy a web application to an Auto Scaling group of Amazon EC2 instances. The deployment strategy is Blue/Green. After a successful deployment, the team notices that the new instances are receiving traffic but the application returns errors. The old instances are still serving traffic correctly. The team wants to roll back immediately. What should be done?

A.Stop the current deployment using the AWS CLI.
B.Manually update the Auto Scaling group to associate new instances with the old launch configuration.
C.Configure the deployment group to automatically roll back when a deployment fails, then manually trigger a rollback.
D.Redeploy the same application revision to the same Auto Scaling group.
AnswerC

CodeDeploy supports automatic rollback; triggering a rollback will reroute traffic back to the blue environment.

Why this answer

Option C is correct because in a Blue/Green deployment, CodeDeploy can automatically roll back by re-routing traffic to the original (blue) environment if a deployment fails. Option D is wrong because redeploying the same revision would redeploy the faulty code. Option A is wrong because stopping the deployment terminates the process but does not restore traffic to the old instances.

Option B is wrong because while you could manually reassociate instances, CodeDeploy provides a built-in rollback mechanism.

255
Multi-Selecthard

A company runs a critical application on AWS Lambda functions that process real-time streaming data from Amazon Kinesis Data Streams. Each Lambda function processes a batch of records and writes results to an Amazon DynamoDB table. The application is sensitive to data loss and requires exactly-once processing semantics. Recently, the operations team observed that the Lambda function is failing intermittently with 'ProvisionedThroughputExceededException' errors from DynamoDB. The Lambda function's batch size is 100, and the function is configured with a reserved concurrency of 500. The DynamoDB table has 100 read capacity units (RCUs) and 100 write capacity units (WCUs) with auto scaling enabled up to 1000 WCUs. The function's execution role has the necessary DynamoDB permissions. The Kinesis stream has 10 shards. The DevOps engineer needs to resolve the throttling errors without losing data. Which combination of actions should the engineer take? (Choose THREE.)

Select 3 answers
A.Set the Lambda function's batch size to a lower value (e.g., 10) and enable parallelization factor per shard.
B.Increase the DynamoDB table's read capacity units to 1000.
C.Configure the Lambda function event source mapping to retry with a maximum retry count and set the function to not discard failed records.
D.Increase the Lambda function's reserved concurrency to 1000.
E.Increase the DynamoDB table's write capacity units maximum auto scaling limit to 5000.
AnswersA, C, E

Reduces the number of concurrent writes per shard, decreasing throttling.

Why this answer

Option A is correct because a lower batch size (with a parallelization factor per shard) reduces the number of concurrent writes each invocation sends to DynamoDB. Option C is correct because the Kinesis event source mapping supports retries and can reprocess records after failures, ensuring no data loss. Option E is correct because raising the auto scaling maximum WCU ensures the table can handle bursts.

Option B (increasing RCUs) is not needed for writes. Option D (increasing Lambda concurrency) may increase throttling.

256
MCQhard

An organization uses AWS CodePipeline to deploy a web application to Amazon EC2 instances behind an Application Load Balancer. The deployment uses a CodeDeploy action with an in-place deployment configuration. After a recent deployment, some instances are running the old version while others are running the new version. What is the most likely cause?

A.The deployment group is associated with an Auto Scaling group that launched new instances during the deployment.
B.The deployment group was configured with the 'AllAtOnce' deployment configuration, and the deployment failed partway through.
C.A lifecycle hook is configured to pause the deployment until manual approval.
D.The deployment was configured to use a blue/green strategy, but the target group is misconfigured.
AnswerB

AllAtOnce deploys to all instances simultaneously; a failure may leave some instances updated.

Why this answer

Option B is correct because if the deployment group is set to deploy to all instances at once (AllAtOnce), there is no rolling update, and if the deployment fails partway, some instances may be updated and others not. Option C is wrong because a lifecycle hook would not cause a partial deployment; it would pause. Option A is wrong because CodeDeploy does not depend on Auto Scaling for in-place deployments.

Option D is wrong because a failed health check would cause the deployment to fail entirely, not partially.

257
MCQhard

A company runs a critical application on Amazon EKS. The DevOps team uses Prometheus for monitoring and Grafana for visualization. The team has set up a Prometheus server on an EC2 instance to scrape metrics from the EKS cluster. However, they are experiencing high memory usage on the Prometheus server, and some metrics are being dropped because of the retention period. The team wants to implement a scalable and managed monitoring solution that can store metrics for longer durations without the operational overhead of managing the Prometheus server. The team also wants to retain the ability to use PromQL queries and Grafana dashboards. What should the team do?

A.Use Amazon Managed Grafana to visualize metrics directly from the EKS cluster without a Prometheus server.
B.Migrate to Amazon Managed Service for Prometheus to ingest and store metrics, and use Amazon Managed Grafana for visualization.
C.Increase the EC2 instance size for the Prometheus server and extend the retention period.
D.Set up Amazon CloudWatch Container Insights to collect metrics from the EKS cluster and store them in CloudWatch Logs.
AnswerB

This provides a scalable, managed Prometheus-compatible backend with long-term storage and integration with Grafana.

Why this answer

Option B is correct because Amazon Managed Service for Prometheus is a scalable, managed service compatible with PromQL and can be used with Grafana. Option D is wrong because Amazon CloudWatch Container Insights provides metrics but not PromQL. Option C is wrong because moving Prometheus to a larger instance does not solve the scalability issue.

Option A is wrong because Amazon Managed Grafana is a visualization service, not a metrics storage backend.

258
MCQeasy

A company wants to ensure that its Amazon S3 bucket can withstand the loss of an entire AWS Availability Zone. Which configuration meets this requirement?

A.Use the S3 Standard storage class.
B.Configure cross-Region replication to another bucket.
C.Enable S3 Versioning on the bucket.
D.Use the S3 One Zone-IA storage class.
AnswerA

S3 Standard automatically stores data in at least three AZs.

Why this answer

Option A is correct because the S3 Standard storage class automatically replicates data across at least three AZs. Option C is wrong because versioning does not provide AZ resilience. Option B is wrong because cross-Region replication is for geographic resilience, not AZ resilience.

Option D is wrong because S3 One Zone-IA stores data in a single AZ.

259
MCQmedium

A company's application runs on Amazon ECS with Fargate launch type. The application must be resilient to an Availability Zone failure. Which configuration should be used?

A.Create an ECS service with tasks distributed across multiple Availability Zones using a spread placement strategy
B.Use an ECS cluster with a cluster placement strategy that prefers the same Availability Zone
C.Define multiple task definitions, one for each Availability Zone
D.Use an ECS service with a single task in one Availability Zone and rely on auto-scaling
AnswerA

Spread strategy across AZs ensures resilience.

Why this answer

Option A is correct because ECS services using the Fargate launch type can distribute tasks across multiple Availability Zones (AZs) by defining a spread placement strategy with the 'availabilityZone' dimension. This ensures that if one AZ fails, the tasks in the other AZs continue to serve traffic, providing resilience to an AZ failure. The spread strategy explicitly instructs ECS to place tasks evenly across AZs, which is essential for high availability.

Exam trap

The trap here is that candidates often confuse 'spread placement strategy' with 'binpack' or 'random' strategies, or they assume that simply using multiple subnets automatically distributes tasks without explicitly setting the spread strategy.

How to eliminate wrong answers

Option B is wrong because a cluster placement strategy that prefers the same Availability Zone would concentrate tasks in a single AZ, creating a single point of failure and violating the requirement for AZ resilience. Option C is wrong because defining multiple task definitions, one for each AZ, is unnecessary and does not inherently distribute tasks across AZs; task definitions are templates for containers, not placement mechanisms, and ECS services handle AZ distribution via placement strategies. Option D is wrong because a single task in one AZ cannot provide resilience to an AZ failure—if that AZ fails, the application becomes unavailable, and auto-scaling cannot react quickly enough to prevent downtime during an AZ outage.

260
MCQhard

An application running on Amazon EKS generates logs that need to be sent to CloudWatch Logs for central monitoring. The DevOps team deploys the CloudWatch agent as a DaemonSet in the cluster. However, logs from some pods are not appearing in CloudWatch. Which configuration issue is most likely causing this?

A.The IAM role associated with the worker nodes does not have the necessary permissions to write to CloudWatch Logs.
B.The pods are using the fluentd sidecar instead of the CloudWatch agent.
C.The CloudWatch agent is configured to collect logs from stdout, but the application writes logs to files.
D.The DaemonSet is not scheduled on all nodes due to taints and tolerations.
AnswerA

The CloudWatch agent needs permissions like logs:PutLogEvents, logs:CreateLogStream, etc. Missing these permissions will prevent log delivery.

Why this answer

Option A is correct because the CloudWatch agent requires IAM permissions to put logs to CloudWatch Logs; if the node's IAM role lacks these permissions, logs will not be sent. Option C is wrong because the agent typically collects from the pod's log files, not stdout directly. Option D is wrong because a DaemonSet runs on all nodes by default.

Option B is wrong because the agent can forward logs without a sidecar if it has access to the log files.

261
Multi-Selecthard

A company is experiencing intermittent connectivity issues between an EC2 instance and an RDS database. The EC2 instance is in a public subnet, and the RDS instance is in a private subnet. The security group for the RDS instance allows inbound traffic from the EC2 instance's security group. The network ACLs are default (all traffic allowed). Which THREE steps should the engineer take to troubleshoot the connectivity issue? (Choose THREE.)

Select 3 answers
A.Enable VPC Flow Logs for the subnets involved and analyze logs for dropped packets.
B.Check the network ACL for the private subnet to ensure it allows inbound and outbound traffic for the database port.
C.Check if the RDS security group allows inbound traffic on the database port (e.g., 3306) from the EC2 security group.
D.Verify that the EC2 instance can resolve the RDS endpoint via DNS.
E.Check the RDS security group for any deny rules that might block the EC2 instance.
AnswersA, B, C

Flow Logs can identify blocked traffic.

Why this answer

Option A is correct because VPC Flow Logs capture accepted and rejected traffic. Option C is correct because the database port must be open. Option B is correct because NACL rules must allow both inbound and outbound traffic.

Option D is wrong because the issue is not DNS. Option E is wrong because the security group already allows the EC2 security group.

262
MCQeasy

A DevOps engineer is designing an AWS Lambda function that needs to read secrets from AWS Secrets Manager. What is the most secure way to provide the Lambda function access to the secret?

A.Assign an IAM execution role to the Lambda function with a policy that allows secretsmanager:GetSecretValue on the specific secret.
B.Store the secret in AWS Systems Manager Parameter Store and grant the Lambda function access to the parameter.
C.Encrypt the secret using AWS KMS and pass the encrypted value as an environment variable.
D.Store the secret in an environment variable in the Lambda function.
AnswerA

This follows least privilege and uses IAM permissions.

Why this answer

Option A is correct because the Lambda execution role should have an IAM policy with permissions to access the specific secret. Option D is wrong because hardcoding secrets in the function configuration is insecure. Option B is wrong because SSM Parameter Store is a separate service; if the secret is in Secrets Manager, permissions should be granted on that service.

Option C is wrong because environment variables are not encrypted by default and are visible in the console.

263
MCQhard

A company has a multi-account AWS environment using AWS Organizations. The security team has implemented a service control policy (SCP) that denies the creation of IAM users and roles with full admin access. The SCP is attached to all accounts. However, a DevOps engineer in a member account reports that they are able to create an IAM role with an administrator access policy attached. The engineer uses the AWS Management Console to create the role. The SCP is confirmed to be in place. What is the most likely reason the SCP is not preventing the role creation?

A.SCPs are not inherited by member accounts from the root.
B.The SCP is not attached to the member account's root organizational unit.
C.The engineer's IAM policy allows iam:CreateRole and overrides the SCP.
D.The SCP only denies iam:CreateUser, but the engineer is creating a role (iam:CreateRole).
AnswerD

If the SCP statement only specifies iam:CreateUser, it would not prevent creating IAM roles. The engineer could create a role with admin privileges.

Why this answer

SCPs set the maximum permissions available in a member account and are evaluated before IAM policies; they do not affect the management account. An SCP only restricts what it explicitly denies, so a Deny statement that names only iam:CreateUser leaves iam:CreateRole unrestricted, and the engineer can still create a role and attach an administrator policy to it, whether through the console or the API.

Option A is wrong because SCPs attached at the root or an OU are inherited by every account beneath them. Option B is wrong because the question states the SCP is confirmed to be in place. Option C is wrong because an IAM policy in a member account can never override an SCP deny.

The correct answer is D: the SCP denies iam:CreateUser but not iam:CreateRole.

264
MCQmedium

A company uses AWS CodePipeline to deploy a serverless application with AWS Lambda and Amazon API Gateway. The pipeline includes a beta and a production stage. The DevOps team wants to automatically promote the application from beta to production after successful testing. Which action should be taken in the pipeline?

A.Configure a CloudWatch Events rule to automatically trigger the production deployment after beta completion
B.Use AWS CodeDeploy to create a deployment group that promotes the application
C.Add a manual approval step between the beta and production stages
D.Configure an AWS Config rule to automatically approve the promotion
AnswerC

Manual approval action allows human review before promotion.

Why this answer

Option C is correct because CodePipeline requires an explicit manual approval action to gate promotions between stages. Without a manual approval step, the pipeline would automatically transition from beta to production upon successful testing, which bypasses the necessary human validation for production deployments. Adding a manual approval step ensures that a designated approver reviews the beta stage results before promoting to production, aligning with safe deployment practices.

Exam trap

The trap here is that candidates may confuse event-driven triggers (CloudWatch Events) or compliance checks (AWS Config) with the need for a human-in-the-loop approval gate, overlooking that CodePipeline's native manual approval action is the only way to pause and require explicit authorization between stages.

How to eliminate wrong answers

Option A is wrong because CloudWatch Events can trigger pipeline executions but cannot insert a manual approval gate within a pipeline; it would start a new execution rather than pause the existing one for approval. Option B is wrong because CodeDeploy is a deployment service for managing application deployments to compute platforms (e.g., EC2, Lambda), but it does not provide pipeline-level approval gates between CodePipeline stages. Option D is wrong because AWS Config rules evaluate resource compliance and cannot approve or block pipeline transitions; they are not designed for workflow approval actions.

265
MCQmedium

A company runs a microservices application on Amazon ECS with Fargate. The application uses an Application Load Balancer (ALB) to route traffic to services. Each service has a required number of tasks for capacity. The company recently experienced a prolonged outage when a bug caused all tasks of the critical 'payment' service to crash simultaneously. The DevOps team needs to implement a deployment strategy that reduces the risk of a full service outage during updates. The strategy must also allow for quick rollback if a deployment fails. Which deployment strategy should the team implement?

A.Implement a rolling update with a fixed number of tasks to replace at a time.
B.Use a canary deployment by creating a new service with a small number of tasks, test, then shift all traffic.
C.Deploy changes during maintenance windows with manual approval steps.
D.Implement blue/green deployment using ECS with target tracking alarms to automate traffic shifting.
AnswerD

Blue/green with automated traffic shifting and rollback capability.

Why this answer

Blue/green deployment with target tracking allows you to gradually shift traffic to the new version while monitoring. If issues arise, you can instantly roll back by switching traffic back to the old version.

266
MCQhard

An incident response team is analyzing an IAM policy attached to a role used by a forensic tool. The tool needs to create snapshots of EBS volumes during an incident. However, when the tool runs from an IP address in the 203.0.113.0/24 range, the CreateSnapshot API call fails with an access denied error. What is the MOST likely cause?

A.The policy does not grant ec2:CreateSnapshot on specific resource ARNs, only on all resources.
B.The aws:ViaAWSService condition is set to false, but the tool is invoked by an AWS service such as Systems Manager, making the condition evaluate to true and denying access.
C.The Deny statement explicitly denies ec2:DeleteSnapshot, but the error is for CreateSnapshot, so it is unrelated.
D.The source IP address 203.0.113.0/24 is not included in the Condition block, so access is implicitly denied.
AnswerB

If the tool runs via an AWS service, ViaAWSService is true, failing the condition, so the Allow statement does not apply.

Why this answer

The aws:ViaAWSService condition key evaluates to true when an API call is made by an AWS service on behalf of a principal. If the Allow statement requires this key to be false, any call that originates from an AWS service (e.g., Systems Manager Automation) fails the condition. In this scenario, the forensic tool is likely invoked by Systems Manager, causing the key to evaluate to true, so the Allow no longer applies and the call is denied, even though the source IP is allowed.

This explains why CreateSnapshot fails with access denied despite the IP being in the allowed range.

Exam trap

The trap here is that candidates focus on the IP address condition and assume the error is due to an IP mismatch, overlooking the subtle aws:ViaAWSService condition that denies calls made through AWS services even when the source IP is allowed.

How to eliminate wrong answers

Option A is wrong because granting ec2:CreateSnapshot on all resources ("*") would not cause an access denied error; the error is due to a condition key, not resource ARN specificity. Option C is wrong because a deny on ec2:DeleteSnapshot is unrelated to the CreateSnapshot failure; IAM evaluates deny statements independently per action. Option D is wrong because the source IP 203.0.113.0/24 is included in the Condition block (as stated in the question), so implicit denial does not apply; the error is caused by the aws:ViaAWSService condition, not the IP condition.
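
The two policy-evaluation points in questions 263 (an SCP that names only iam:CreateUser) and 266 (an Allow conditioned on aws:SourceIp and aws:ViaAWSService), as one added offline simulation. This is not code from the question bank and not the real IAM engine: `evaluate` models only Action wildcards, explicit-Deny precedence and the Bool and IpAddress condition operators, and ignores Resource and Principal. The policies, the request contexts and the helper names `scp_blocks` and `snapshot_decision` are constructed from the two scenarios.

```python
"""Minimal IAM/SCP evaluation model for questions 263 and 266 (added example)."""
import fnmatch
import ipaddress


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(statement, action):
    # IAM action patterns support '*' wildcards, e.g. "iam:*" or "iam:Create*".
    return any(fnmatch.fnmatchcase(action, pat) for pat in _as_list(statement.get("Action", [])))


def _condition_matches(condition, context):
    """All operator/key pairs must hold; a key absent from the request context fails."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "Bool":
                if str(actual).lower() != str(expected).lower():
                    return False
            elif operator == "IpAddress":
                addr = ipaddress.ip_address(actual)
                if not any(addr in ipaddress.ip_network(cidr) for cidr in _as_list(expected)):
                    return False
            else:
                raise NotImplementedError(f"operator {operator} is not modelled here")
    return True


def evaluate(policy, action, context):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one action under one policy."""
    decision = "ImplicitDeny"
    for statement in policy["Statement"]:
        if not _action_matches(statement, action):
            continue
        if not _condition_matches(statement.get("Condition", {}), context):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"  # an explicit Deny always wins
        decision = "Allow"
    return decision


# Question 263: an SCP that names only iam:CreateUser leaves iam:CreateRole unrestricted.
SCP_USER_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "iam:CreateUser", "Resource": "*"}],
}
# Corrected SCP that covers both principal types.
SCP_USERS_AND_ROLES = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": ["iam:CreateUser", "iam:CreateRole"], "Resource": "*"}],
}


def scp_blocks(scp, action):
    """True only when the SCP explicitly denies the action (SCPs restrict, they never grant)."""
    return evaluate(scp, action, {}) == "Deny"


# Question 266: the forensic role's Allow is conditioned on the source IP and on a direct call.
FORENSIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "ec2:CreateSnapshot",
        "Resource": "*",
        "Condition": {
            "IpAddress": {"aws:SourceIp": "203.0.113.0/24"},
            "Bool": {"aws:ViaAWSService": "false"},
        },
    }],
}


def snapshot_decision(source_ip, via_aws_service):
    """Decision for ec2:CreateSnapshot given the caller IP and whether a service made the call."""
    context = {"aws:SourceIp": source_ip, "aws:ViaAWSService": "true" if via_aws_service else "false"}
    return evaluate(FORENSIC_POLICY, "ec2:CreateSnapshot", context)


if __name__ == "__main__":
    print("CreateUser-only SCP blocks iam:CreateRole:", scp_blocks(SCP_USER_ONLY, "iam:CreateRole"))
    print("Users+roles SCP blocks iam:CreateRole:    ", scp_blocks(SCP_USERS_AND_ROLES, "iam:CreateRole"))
    print("Direct call from 203.0.113.5:", snapshot_decision("203.0.113.5", False))
    print("Same IP via Systems Manager: ", snapshot_decision("203.0.113.5", True))
```

The second scenario ends in an implicit deny rather than an explicit one: the Allow simply stops matching once aws:ViaAWSService is true, which is why the IP condition alone cannot explain the failure.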

267
Multi-Selectmedium

Which TWO options are valid approaches for managing configuration drift in an AWS environment? (Choose two.)

Select 2 answers
A.Use AWS Config rules to evaluate resource configurations against desired policies.
B.Use AWS CodePipeline to automatically redeploy infrastructure when changes are detected.
C.Use AWS Systems Manager Patch Manager to keep instances patched.
D.Use AWS CloudTrail to monitor API calls that modify resources.
E.Use AWS CloudFormation drift detection to identify resources that have been modified outside of CloudFormation.
AnswersA, E

AWS Config can evaluate compliance and detect drift.

Why this answer

Option A is correct because AWS Config can detect drift from the desired configuration. Option E is correct because CloudFormation drift detection identifies changes to resources. Option C is wrong because Systems Manager Patch Manager is for patching, not drift detection.

Option D is wrong because CloudTrail is for API logging. Option B is wrong because CodePipeline is for CI/CD.

268
MCQmedium

An organization uses AWS Organizations with multiple accounts. The Security team needs to enforce a policy that prohibits the creation of S3 buckets with public access in any account. Which policy type should be used?

A.Service control policy (SCP)
B.IAM permissions boundary
C.AWS CloudTrail trail
D.AWS Config rule
AnswerA

SCPs can be applied to organizational units or the entire organization to deny actions like s3:PutBucketPublicAccessBlock.

Why this answer

Service control policies (SCPs) allow you to centrally control permissions across all accounts in an organization. SCPs can deny actions like creating public buckets. IAM policies are account-specific.

AWS Config rules can detect but not prevent.

269
Multi-Selecthard

A DevOps team is investigating a performance issue where an application's response time spiked during a deployment. The deployment used AWS CodeDeploy to update an Auto Scaling group. Which THREE actions should the team take to identify the root cause? (Choose THREE.)

Select 3 answers
A.Review the CodeDeploy deployment logs for errors.
B.Examine application logs on the new EC2 instances launched during the deployment.
C.Review the CodeDeploy deployment group configuration.
D.Check AWS CloudTrail for any unauthorized API calls during the deployment.
E.Compare CloudWatch metrics for the Auto Scaling group before and after the deployment.
AnswersA, B, E

Shows deployment-specific issues.

Why this answer

Option A is correct because CodeDeploy deployment logs provide details of the deployment process. Option E is correct because comparing CloudWatch metrics before and after the deployment can show changes. Option B is correct because application logs from the new instances can reveal errors.

Option D is wrong because CloudTrail logs API calls, not application performance. Option C is wrong because the deployment group configuration is unlikely to change performance directly.

270
Multi-Selecteasy

A company uses Amazon CloudFront to distribute content globally. Users in certain geographic regions report slow load times. Which TWO configurations can improve performance for these users? (Choose TWO.)

Select 2 answers
A.Implement Lambda@Edge to optimize content delivery.
B.Use Amazon ElastiCache to cache content.
C.Switch the origin to a Network Load Balancer.
D.Use additional CloudFront edge locations.
E.Enable S3 Transfer Acceleration on the origin bucket.
AnswersA, D

Custom logic at edge improves performance.

Why this answer

Option D is correct because CloudFront edge locations cache content closer to users. Option A is correct because Lambda@Edge can perform custom processing at edge locations, such as URL rewriting or A/B testing, which can optimize content delivery. Option E is wrong because S3 Transfer Acceleration speeds up uploads, not downloads.

Option C is wrong because a Network Load Balancer is for TCP/UDP traffic, not HTTP/HTTPS content. Option B is wrong because ElastiCache is for database caching, not CDN.

271
Multi-Selecthard

An e-commerce platform uses Amazon DynamoDB as its primary database. During a flash sale, the application experiences throttling errors. The operations team needs to implement a solution to handle sudden traffic spikes while keeping costs under control. Which TWO actions should the team take? (Choose two.)

Select 2 answers
A.Increase the read and write capacity units manually before the sale.
B.Switch from on-demand to provisioned capacity with auto scaling.
C.Implement DynamoDB Accelerator (DAX) to cache read-intensive data.
D.Use application-level retry logic with exponential backoff to handle throttling gracefully.
E.Enable DynamoDB Streams and replicate data to a read replica.
Answers: C, D

DAX reduces read traffic to the table.

Why this answer

Option C is correct because DynamoDB Accelerator (DAX) is an in-memory cache that reduces read latency from milliseconds to microseconds, offloading read requests from the main DynamoDB table. During a flash sale, caching read-intensive data (e.g., product details) with DAX reduces the number of read capacity units consumed, helping to avoid throttling while keeping costs under control by not requiring a permanent increase in provisioned capacity.

Exam trap

The trap here is that candidates often confuse DynamoDB Streams with read replicas, or assume that provisioned capacity with auto scaling is always cost-effective for spikes, when in fact on-demand capacity is designed for unpredictable traffic and avoids the cold-start throttling risk of auto scaling.

272
MCQ · medium

A DevOps team is troubleshooting a CloudFormation stack creation failure. The error message states: 'CREATE_FAILED: Resource handler returned message: "You have attempted to create more resources than the current AWS account limit"'. Which step should the team take to resolve this issue?

A.Delete the failed stack and recreate it with the same template.
B.Review the IAM permissions for the CloudFormation service role.
C.Modify the CloudFormation template to use a different resource type.
D.Check the current service limits for the resource type and request a limit increase from AWS Support.
Answer: D

The error explicitly states that the account limit has been reached.

Why this answer

Option D is correct because the error indicates a service limit has been reached, and the team should request a limit increase. Option B is wrong because the error is not about permissions. Option A is wrong because retrying will fail again.

Option C is wrong because the error is specific to the account limit for that resource, not to the resource type used in the template.

273
Multi-Select · medium

A company uses Amazon CloudWatch Logs to store application logs. They have a requirement to retain logs for 90 days for operational analysis and then archive them to Amazon S3 for compliance purposes for an additional 5 years. Which of the following steps are necessary to meet this requirement? (Select TWO.)

Select 2 answers
A.Set the CloudWatch Logs retention policy on the log group to 90 days.
B.Set an S3 lifecycle policy on the destination bucket to transition objects to Glacier after 90 days.
C.Create a CloudWatch Logs subscription filter to stream logs to Amazon S3 in real time.
D.Configure a CloudWatch Logs lifecycle policy to transition logs to Amazon S3 after 90 days.
E.Create a CloudWatch Logs export task to export logs to Amazon S3 before the retention period expires.
Answers: A, E

This ensures logs are deleted after 90 days.

Why this answer

Option A is correct because you can set a retention policy on the log group to expire logs after 90 days. Option E is correct because to archive logs to S3, you can use a CloudWatch Logs export task (manual or automated). Option D is wrong because CloudWatch Logs does not have a lifecycle policy directly to S3; an export is needed.

Option B is wrong because S3 lifecycle transitions are for objects already in S3, not for logs in CloudWatch. Option C is wrong because CloudWatch does not automatically archive; you must export.

274
Multi-Select · medium

A company runs a web application on Amazon EC2 instances behind an Application Load Balancer. The operations team wants to analyze application access logs and error rates. They need to identify the top IP addresses making requests, as well as the distribution of HTTP status codes over time. Which THREE steps should the team take to achieve this? (Select THREE.)

Select 3 answers
A.Enable access logs on the Application Load Balancer and store them in an Amazon S3 bucket.
B.Use Amazon CloudWatch Logs Insights to run queries on the access logs.
C.Enable AWS CloudTrail to log all API calls.
D.Enable VPC Flow Logs to capture IP traffic data.
E.Use Amazon CloudWatch Contributor Insights to analyze the top IP addresses.
Answers: A, B, E

ALB access logs contain detailed request data including IP and HTTP status codes.

Why this answer

Enabling access logs on the Application Load Balancer and storing them in an S3 bucket captures detailed HTTP request data, including client IPs, request paths, and HTTP status codes. This raw log data is essential for analyzing top IP addresses and status code distributions over time.

Exam trap

The trap here is confusing AWS CloudTrail (management plane logging) with application-level access logging, leading candidates to select CloudTrail instead of ALB access logs for HTTP request analysis.

275
MCQ · medium

A company hosts a web application on EC2 instances behind an Application Load Balancer. The application stores sensitive user data in an S3 bucket. A Security Engineer needs to ensure that the EC2 instances can only access the specific S3 bucket and no other AWS services. Which solution meets these requirements?

A.Attach a bucket policy to the S3 bucket that allows access only from the ALB's security group.
B.Create an IAM role with a policy that grants s3:PutObject and s3:GetObject access to the specific bucket, and attach the role to the EC2 instances as an instance profile.
C.Configure a VPC endpoint for S3 and modify the route table to route S3 traffic through the endpoint.
D.Create a security group that allows outbound HTTPS traffic only to the S3 bucket's IP address range.
Answer: B

This grants the EC2 instances only the permissions needed for that bucket, and they cannot access other AWS services unless additional policies are attached.

Why this answer

Option B is correct because using an instance profile with an IAM role that has a policy granting s3:PutObject and s3:GetObject only to the specific bucket ensures that the EC2 instances can only access that bucket. Option A is wrong because an S3 bucket policy restricting access to the ALB cannot enforce what the instances themselves do. Option D is wrong because security groups do not filter S3 access.

Option C is wrong because a VPC endpoint alone does not restrict which resources the instances can access; it only provides private connectivity.

276
MCQ · easy

A DevOps engineer needs to automate the creation of a new AWS CodeCommit repository when a new project starts. The engineer wants to use infrastructure as code. Which service should be used?

A.AWS CloudFormation
B.AWS CodePipeline
C.AWS CodeStar
D.AWS CodeBuild
Answer: A

CloudFormation can define CodeCommit repositories as resources.

Why this answer

Option A is correct because AWS CloudFormation can manage CodeCommit repositories as resources. Option B is wrong because CodePipeline orchestrates CI/CD, not resource creation. Option C is wrong because CodeStar is a project management tool, not infrastructure as code.

Option D is wrong because CodeBuild is a build service.

277
Multi-Select · easy

Which AWS services can be used to protect a web application from common web exploits like SQL injection and cross-site scripting? (Select TWO.)

Select 2 answers
A.AWS WAF
B.AWS Shield Advanced
C.Amazon CloudFront with AWS WAF
D.Amazon Inspector
E.Amazon Cognito
Answers: A, C

WAF can inspect HTTP requests and block SQL injection and XSS.

Why this answer

AWS WAF is a web application firewall that filters malicious requests. CloudFront can be integrated with WAF to provide protection at the edge. Shield Advanced provides DDoS protection, not application-layer exploits.

Cognito is for authentication. Inspector is for vulnerability scanning.

278
Multi-Select · hard

A company runs a critical application on AWS using Amazon EC2 instances in an Auto Scaling group, an Application Load Balancer (ALB), and an Amazon RDS for PostgreSQL Multi-AZ DB cluster. The application must maintain an RTO of 5 minutes and an RPO of 1 second for database transactions. The current setup meets these requirements, but the DevOps team wants to improve the resilience of the application tier to withstand a regional failure. Which THREE actions should be taken? (Choose three.)

Select 3 answers
A.Replace the RDS Multi-AZ cluster with Amazon Aurora Global Database to replicate data across regions.
B.Use an active-passive architecture with a second Auto Scaling group and ALB in another region.
C.Use Amazon EFS Replication to replicate application data across regions with a recovery point objective (RPO) of 1 second.
D.Extend the existing Auto Scaling group to launch instances in two regions by specifying a second region in the launch template.
E.Set up Amazon Route 53 with health checks and failover routing policy to direct traffic to the secondary region if the primary fails.
Answers: A, B, E

Aurora Global Database provides cross-region replication with low RPO.

Why this answer

Amazon Aurora Global Database is the correct choice because it provides cross-region replication with a typical RPO of 1 second and RTO of 1 minute, meeting the stated requirements. Unlike standard RDS Multi-AZ, which is limited to a single region, Aurora Global Database replicates data asynchronously across multiple regions with minimal lag, ensuring the database tier can survive a regional failure while maintaining the required RPO of 1 second.

Exam trap

The trap here is that candidates often confuse Multi-AZ with cross-region disaster recovery, assuming Multi-AZ alone provides regional failover, when in fact it only protects against Availability Zone failures within a single region.

279
Multi-Select · medium

A company is designing a disaster recovery (DR) strategy for a critical application that runs on EC2 instances with an RDS database. The DR site must be in a different AWS Region. The Recovery Point Objective (RPO) is 15 minutes, and Recovery Time Objective (RTO) is 1 hour. Which TWO actions should the company take to meet these objectives? (Choose TWO.)

Select 2 answers
A.Use AWS Backup to copy EC2 AMIs and RDS snapshots to the DR region every 15 minutes.
B.Use AWS CloudFormation to pre-provision resources in the DR region manually.
C.Configure Amazon Route 53 with health checks and failover routing to the DR region.
D.Create an RDS cross-Region read replica in the DR region.
E.Configure S3 cross-Region replication for application data stored in S3.
Answers: C, D

Route 53 can automatically redirect traffic, meeting RTO.

Why this answer

Options C and D are correct. D: RDS cross-Region read replicas can be promoted to become the primary in the DR region, meeting the RPO with minimal data loss. C: Amazon Route 53 health checks and failover routing can redirect traffic to the DR region within the RTO.

A is wrong because AMI copying and instance launch can exceed 1 hour. E is wrong because S3 cross-Region replication does not help with EC2 and RDS. B is wrong because CloudFormation alone does not automatically fail over.

280
MCQ · medium

A company uses AWS CloudFormation to manage infrastructure. The team wants to ensure that all stack updates are reviewed and approved before execution. Which mechanism should the team implement?

A.Create a stack policy that denies all updates unless approved.
B.Use AWS CloudFormation drift detection to identify changes before updating.
C.Enable termination protection on the stack to prevent accidental updates.
D.Use AWS CloudFormation change sets to review the proposed changes before executing the update.
Answer: D

Change sets allow you to preview how changes will affect running resources.

Why this answer

AWS CloudFormation change sets allow you to preview how proposed changes to a stack will be applied before you execute them. This includes a summary of additions, modifications, and deletions of resources, enabling you to review and approve the changes in a controlled manner. By generating a change set, the team can ensure that no update is executed without prior review and approval, meeting the requirement for a gated deployment process.

Exam trap

The trap here is that candidates confuse stack policies (which control resource-level permissions) with change sets (which provide a preview of changes), or they mistakenly think termination protection or drift detection can gate updates, when neither is designed for that purpose.

How to eliminate wrong answers

Option A is wrong because a stack policy controls permissions for stack resources (e.g., preventing updates to specific resources) but does not provide a review-and-approve workflow for the entire stack update; it cannot block the update itself. Option B is wrong because drift detection identifies whether the stack's actual resources have deviated from the template, but it does not preview or gate proposed updates; it is a detective, not a preventive, control. Option C is wrong because termination protection prevents accidental deletion of the entire stack, not updates; it has no effect on stack updates or change review.

281
MCQ · easy

A company uses Amazon RDS for PostgreSQL and wants to monitor database performance metrics such as CPU utilization, memory, and disk I/O. Which AWS service should be used to set up custom dashboards and alarms for these metrics?

A.AWS X-Ray
B.Amazon VPC Flow Logs
C.AWS CloudTrail
D.Amazon CloudWatch
Answer: D

CloudWatch collects RDS metrics and supports dashboards and alarms.

Why this answer

Option D is correct because CloudWatch provides metrics for RDS and allows dashboards and alarms. Option C is wrong because CloudTrail logs API calls, not performance metrics. Option B is wrong because VPC Flow Logs capture network traffic.

Option A is wrong because X-Ray is for tracing requests.

282
Multi-Select · hard

A company runs a microservices architecture on Amazon EKS. The DevOps team wants to monitor application performance and detect anomalies in request latency. They need to collect metrics, logs, and traces from all services. Which THREE AWS services should the team use together to implement a complete observability solution? (Choose three.)

Select 3 answers
A.AWS X-Ray
B.AWS CloudWatch ServiceLens
C.AWS CloudTrail
D.Amazon Managed Service for Prometheus
E.Amazon CloudWatch Container Insights
Answers: A, B, E

Provides distributed tracing to trace requests across services.

Why this answer

Options A, B, and E are correct. CloudWatch Container Insights provides metrics and logs for EKS (Option E). AWS X-Ray provides distributed tracing (Option A).

CloudWatch ServiceLens integrates CloudWatch metrics/logs and X-Ray traces into a single view (Option B). Option D (Amazon Managed Service for Prometheus) is wrong because it covers Prometheus metrics only, not logs or traces. Option C (CloudTrail) is for API activity, not application performance.

283
MCQ · medium

A company uses AWS CodeDeploy for application deployments to EC2 instances. The team recently noticed that deployments are failing because some instances do not have the CodeDeploy agent installed. Which configuration management approach should the team implement to ensure the CodeDeploy agent is installed and running on all instances before deployment?

A.Use an AWS Config rule to detect instances without the agent and trigger a Lambda function to install it.
B.Use the CodeDeploy deployment configuration to skip instances that do not have the agent.
C.Create a custom AMI with the CodeDeploy agent pre-installed, or use a user data script to install the agent at launch.
D.Configure the CodeDeploy deployment group to automatically install the agent on new instances.
Answer: C

Pre-installing the agent in the AMI or using user data ensures the agent is ready before deployment.

Why this answer

Option C is correct because it ensures the CodeDeploy agent is present on every EC2 instance from the moment it is launched, either by baking the agent into a custom AMI or by installing it via a user data script. This approach aligns with immutable infrastructure and configuration management best practices, preventing deployment failures caused by missing agents. AWS CodeDeploy requires the agent to be installed and running on target instances before any deployment can proceed.

Exam trap

The trap here is that candidates may assume CodeDeploy can automatically install its own agent on instances (Option D), but AWS CodeDeploy has no such built-in capability; the agent must be provisioned independently through AMI, user data, or a configuration management tool like AWS Systems Manager or Chef.

How to eliminate wrong answers

Option A is wrong because AWS Config rules are reactive and can only detect non-compliance after an instance is launched, not proactively ensure the agent is installed before deployment; additionally, relying on a Lambda function to install the agent introduces latency and potential race conditions. Option B is wrong because CodeDeploy deployment configurations do not support skipping instances based on agent presence; if an instance lacks the agent, the deployment will fail for that instance, and the overall deployment may fail depending on the failure threshold. Option D is wrong because CodeDeploy deployment groups do not have a built-in feature to automatically install the agent on new instances; the agent must be installed separately via AMI, user data, or an external configuration management tool.

284
MCQ · medium

A company runs a web application behind an Application Load Balancer (ALB) in a production AWS account. The DevOps team needs to analyze HTTP request patterns and identify the top IP addresses generating errors. They want to store the data cost-effectively for querying with SQL. Which solution meets these requirements?

A.Use CloudWatch Metrics to monitor error rates and top IPs via custom metrics.
B.Enable CloudWatch Logs for the ALB and use CloudWatch Logs Insights to query the logs.
C.Stream the ALB logs to Amazon Kinesis Data Analytics and use SQL applications.
D.Enable ALB access logs and store them in Amazon S3, then use Amazon Athena to query the logs with SQL.
Answer: D

This is cost-effective and allows SQL querying of historical logs.

Why this answer

Option D is correct because ALB access logs provide detailed HTTP request data (including source IP, request URI, response code, etc.) and are stored in Amazon S3, which is cost-effective for long-term storage. Amazon Athena allows querying these logs directly with standard SQL without needing to load data into a database, meeting the requirement for SQL-based analysis of top IP addresses generating errors.

Exam trap

The trap here is that candidates often confuse CloudWatch Logs (which for ALB only contain error logs, not full request details) with ALB access logs (which are stored in S3 and contain all request data), leading them to choose Option B instead of D.

How to eliminate wrong answers

Option A is wrong because CloudWatch Metrics cannot capture individual HTTP request details like source IP addresses; custom metrics are aggregated and cannot be used to identify top IPs generating errors. Option B is wrong because CloudWatch Logs for ALB capture only error-level logs (e.g., 5xx responses) and do not include request-level details such as source IP; CloudWatch Logs Insights cannot query for top IP addresses from these logs. Option C is wrong because Kinesis Data Analytics is designed for real-time stream processing with SQL, but the requirement is to store data cost-effectively for querying, not real-time analysis; streaming logs to Kinesis incurs ongoing costs and is overkill for batch querying of historical patterns.

285
MCQ · easy

A company wants to monitor the number of messages in an Amazon SQS queue and send an alert if the queue depth exceeds 1000 for more than 5 minutes. Which AWS service should be used to create the alarm?

A.Amazon EventBridge
B.Amazon CloudWatch Alarms
C.AWS X-Ray
D.Amazon CloudWatch Logs
Answer: B

Correct: CloudWatch Alarms monitor metrics and trigger actions.

Why this answer

Amazon CloudWatch Alarms is the correct service because it can monitor SQS queue metrics (such as ApproximateNumberOfMessagesVisible) and trigger an alarm when the metric exceeds a threshold (e.g., 1000) for a specified evaluation period (e.g., 5 minutes). CloudWatch Alarms directly integrate with SQS via the AWS/SQS namespace and support actions like sending notifications through Amazon SNS.

Exam trap

The trap here is that candidates may confuse EventBridge's ability to react to SQS metric changes (via CloudWatch metric streams) with the actual alarm evaluation logic, but EventBridge cannot perform threshold-based monitoring over a time window—only CloudWatch Alarms can.

How to eliminate wrong answers

Option A is wrong because Amazon EventBridge is a serverless event bus used for routing events between services (e.g., reacting to state changes), not for monitoring metric thresholds over time or creating alarms based on sustained conditions. Option C is wrong because AWS X-Ray is a distributed tracing service for analyzing and debugging application requests, not for monitoring queue depth or setting metric alarms. Option D is wrong because Amazon CloudWatch Logs is used for storing, monitoring, and querying log data, not for creating alarms on numeric metrics like SQS queue depth.

286
MCQ · medium

Refer to the exhibit. An EC2 instance with the IAM role MyAppRole is running. An application on the instance tries to delete an object from the S3 bucket 'example-bucket'. What will happen?

A.The request is allowed because the instance has full access to the bucket.
B.The request is denied because the bucket policy overrides the IAM role.
C.The request is denied because the IAM role does not have the s3:DeleteObject permission.
D.The request is allowed because the role has s3:GetObject permission, which includes delete.
Answer: C

The policy only allows s3:ListBucket and s3:GetObject.

Why this answer

Option C is correct because the policy does not grant s3:DeleteObject permission, so the request will be denied. Option A is wrong because the role does not have full access to the bucket.

Option B is wrong because the denial comes from the missing permission in the role, not from a bucket policy. Option D is wrong because s3:GetObject does not include delete.

287
MCQ · hard

A DevOps team is using Amazon CloudWatch Logs to collect application logs from multiple EC2 instances. They notice that some log entries are missing and that the CloudWatch agent is consuming high CPU. The log group has a retention policy of 30 days. Which action should the team take to reduce CPU usage without losing log data?

A.Increase the batch size in the CloudWatch agent configuration.
B.Use JSON format for logs instead of plain text.
C.Set the agent's timezone to UTC.
D.Change the log group retention policy to 7 days.
Answer: A

Correct: Larger batch size reduces API calls and CPU usage.

Why this answer

Increasing the batch size in the CloudWatch agent configuration reduces the number of HTTP API calls made to CloudWatch Logs, which lowers CPU overhead from frequent network I/O and serialization. The agent buffers log events and sends them in larger, less frequent batches, directly addressing high CPU consumption without discarding any log data.

Exam trap

The trap here is that candidates may confuse log retention policies with operational performance tuning, incorrectly assuming that reducing retention frees resources, when in fact it only deletes historical data and has no impact on agent CPU usage.

How to eliminate wrong answers

Option B is wrong because using JSON format instead of plain text does not reduce CPU usage; it may increase parsing overhead and does not affect the agent's batching or transmission behavior. Option C is wrong because setting the agent's timezone to UTC only affects timestamp interpretation, not CPU consumption or log delivery efficiency. Option D is wrong because reducing the log group retention policy from 30 to 7 days deletes older log data permanently, which violates the requirement to not lose log data and does not reduce CPU usage.

288
MCQ · medium

An IAM policy is attached to an IAM user. The user reports that they cannot download objects from the S3 bucket 'example-bucket' even though they are connecting from within the 10.0.0.0/16 IP range. What is the MOST likely reason?

A.The policy needs an additional condition for VPC endpoint.
B.The policy does not allow the s3:ListBucket action.
C.The user is accessing S3 through a VPC endpoint, but the condition only works for public IP addresses.
D.The resource ARN is missing the bucket-level permission.
Answer: C

The aws:SourceIp condition does not work for VPC endpoint traffic; use aws:VpcSourceIp instead.

Why this answer

The condition 'aws:SourceIp' evaluates the IP address of the requester. However, if the user is accessing S3 through a VPC endpoint, the source IP is a private IP from the VPC, and the condition works only for public IP addresses. Option C is correct.

Option A is wrong because the condition is for source IP, not a VPC endpoint. Option B is wrong because the policy allows GetObject, which is what a download needs. Option D is wrong because the resource ARN is correct.

289
Multi-Select · hard

A company uses Amazon CloudWatch to monitor a fleet of EC2 instances. The DevOps team wants to receive notifications when the CPU utilization exceeds 90% for 5 minutes and also when the status check fails. Which THREE steps should be taken to set up these alerts?

Select 3 answers
A.Create a CloudWatch alarm on the CPUUtilization metric with a period of 300 seconds and threshold 90
B.Set the CPUUtilization alarm with a period of 60 seconds and 5 evaluation periods
C.Create a CloudWatch alarm on the StatusCheckFailed metric
D.Create a single composite alarm that combines both conditions
E.Create an Amazon SNS topic and subscribe the team's email addresses to it
Answers: A, C, E

300 seconds = 5 minutes, triggering on average CPU > 90%.

Why this answer

Options A, C, and E are correct. A creates an alarm for CPU utilization with a period of 300 seconds. C creates an alarm for StatusCheckFailed.

E creates an SNS topic for notifications. Option D is wrong because you should create one alarm per metric. Option B is wrong because a period of 60 seconds with 5 evaluation periods would trigger after 5 minutes only if each period is above the threshold, but the requirement says 5 consecutive minutes, not necessarily 5 data points.

290
MCQ · easy

A company wants to monitor CPU utilization of its EC2 instances and receive an alert when utilization exceeds 80% for 5 consecutive minutes. Which AWS service should be used to create this alarm?

A.AWS CloudTrail
B.VPC Flow Logs
C.Amazon CloudWatch Alarms
D.AWS Config
Answer: C

CloudWatch Alarms monitor metrics and trigger actions based on thresholds.

Why this answer

Option C is correct because CloudWatch Alarms can monitor metrics like CPUUtilization and trigger actions. Option A is wrong because CloudTrail tracks API calls. Option D is wrong because AWS Config tracks resource configurations.

Option B is wrong because VPC Flow Logs capture network traffic.

291
MCQ · hard

An IAM policy is attached to a role used by an operations team. The team reports that they are unable to start or stop EC2 instances tagged with Environment=Production. Other instances can be described. What is the MOST likely reason for this failure?

A.The condition key ec2:ResourceTag/Environment is not valid for ec2:StartInstances and ec2:StopInstances.
B.The role does not have permission to describe instances, so the condition cannot be evaluated.
C.The policy's Resource element is set to '*' and must be restricted to specific instance ARNs.
D.The policy does not include the ec2:RebootInstances action.
Answer: A

These actions do not support resource-level conditions; they require request-based conditions.

Why this answer

Option A is correct because the `ec2:ResourceTag` condition key is not supported for the `ec2:StartInstances` and `ec2:StopInstances` actions in IAM policy evaluation. AWS documentation explicitly states that these actions do not support resource-level permissions based on tags; they only support the `ec2:ResourceTag` condition key for certain read-only or tagging actions. Therefore, the condition in the policy cannot be evaluated, causing the operations team to fail when attempting to start or stop Production-tagged instances.

Exam trap

The trap here is that candidates assume all EC2 actions support resource-level condition keys like `ec2:ResourceTag`, but AWS explicitly restricts tag-based conditions to specific actions, and `ec2:StartInstances` and `ec2:StopInstances` are not among them.

How to eliminate wrong answers

Option B is wrong because the team can describe other instances, indicating they have the `ec2:DescribeInstances` permission; the issue is not a lack of describe permission but the unsupported condition key. Option C is wrong because setting the Resource element to '*' is not the cause of the failure; the policy's condition key is the problem, and restricting to specific instance ARNs would not resolve the unsupported condition key issue. Option D is wrong because the `ec2:RebootInstances` action is irrelevant to the failure to start or stop instances; the missing action is not the root cause.

292
MCQ · hard

A company uses AWS Elastic Beanstalk for application deployments. They want to integrate infrastructure-as-code practices using AWS CloudFormation. Which approach allows them to manage the Elastic Beanstalk environment and underlying resources as part of a CloudFormation stack?

A.Use a custom resource backed by a Lambda function to create the Elastic Beanstalk environment.
B.Use the CloudFormation import feature to bring the existing Elastic Beanstalk environment into the stack.
C.Export the Elastic Beanstalk environment configuration as a CloudFormation template from the console.
D.Define the Elastic Beanstalk environment in the CloudFormation template using the AWS::ElasticBeanstalk::Environment resource.
Answer: D

CloudFormation natively supports Elastic Beanstalk.

Why this answer

Option D is correct because CloudFormation supports the AWS::ElasticBeanstalk::Environment resource type, which can be used to create and manage Elastic Beanstalk environments within a stack. Option A is wrong because Elastic Beanstalk environments are not directly compatible with CloudFormation custom resources. Option B is wrong because CloudFormation does not import existing Elastic Beanstalk environments.

Option C is wrong because Elastic Beanstalk does not generate CloudFormation templates automatically.

293
MCQ · medium

A financial services company uses AWS CloudFormation to deploy a multi-tier application. The security team mandates that all data at rest must be encrypted using KMS CMKs. The CloudFormation template creates an RDS instance with encryption enabled using a KMS key. After deployment, the security team reports that the RDS instance is not using the specified KMS key. The DevOps engineer checks the template and finds the KMS Key ID is correct. What is the MOST likely cause?

A.The RDS instance was created without enabling encryption; encryption cannot be added later.
B.The KMS key is in a different AWS region.
C.The IAM role used by CloudFormation lacks permissions to use the KMS key.
D.The RDS instance is inside a VPC that does not have a KMS key policy.
Answer: A

RDS encryption can only be enabled at creation time.

Why this answer

RDS encryption cannot be enabled after creation (A). The template must set the StorageEncrypted property and the KmsKeyId. If encryption is not enabled at creation, it cannot be added later.

Option B (region) is less likely; C (IAM) is irrelevant; D (VPC) is unrelated.

294
Multi-Select (easy)

Which THREE AWS services can be used as a source action in AWS CodePipeline? (Choose three.)

Select 3 answers
A. Amazon S3
B. Amazon DynamoDB
C. AWS CodeCommit
D. AWS CloudFormation
E. GitHub (via webhook)
Answers: A, C, E

S3 can be a source for zip files.

Why this answer

Options A, B, and D are correct. Option C is wrong because DynamoDB is not a source. Option E is wrong because CloudFormation is not a source.

295
MCQ (hard)

A company is using AWS Organizations with multiple accounts. The security team wants to enforce that all S3 buckets have encryption enabled. They need a preventive control that applies to all current and future accounts. Which approach should they use?

A. Use a service control policy (SCP) in the Organizations root to deny PutBucketEncryption actions when encryption settings do not include AES256 or aws:kms.
B. Use AWS Config rules to detect unencrypted buckets and automatically apply encryption using a remediation action.
C. Enable AWS CloudTrail to log all S3 API calls and send alerts when non-compliant buckets are created.
D. Create an IAM policy in each account that denies PutBucketEncryption unless encryption is enabled.
Answer: A

SCPs are preventive controls that apply organization-wide, including future accounts.

Why this answer

A service control policy (SCP) applied at the Organizations root can deny the creation or modification of S3 buckets that do not have encryption enabled, specifically requiring AES256 or aws:kms. This is a preventive control that applies to all current and future accounts in the organization, as SCPs are inherited by all accounts and cannot be overridden by IAM policies within those accounts.

Exam trap

The trap here is that candidates often confuse detective controls (like AWS Config or CloudTrail) with preventive controls (like SCPs), or assume that IAM policies applied per account are sufficient for organization-wide enforcement, failing to recognize that SCPs are the only mechanism that applies uniformly to all accounts, including future ones.

How to eliminate wrong answers

Option B is wrong because AWS Config rules are detective, not preventive; they can detect non-compliant buckets and trigger remediation, but they do not prevent the non-compliant action from occurring in the first place. Option C is wrong because CloudTrail is a logging service that records API calls after they happen; it cannot prevent the creation of unencrypted buckets, only alert on them. Option D is wrong because IAM policies are account-specific and must be manually applied to each account; they do not scale to future accounts automatically and can be overridden by account administrators with sufficient permissions.

296
Multi-Select (medium)

A company uses AWS CloudFormation to deploy infrastructure. They want to enforce mandatory tags on all resources created by CloudFormation. Which TWO approaches can achieve this? (Choose TWO.)

Select 2 answers
A. Use CloudFormation stack tags that propagate to all resources in the stack.
B. Create an AWS Config rule to automatically tag resources after creation.
C. Use an AWS Organizations service control policy (SCP) to deny creation of resources that are not tagged.
D. Add an IAM policy that denies cloudformation:CreateStack unless the template includes the required tags.
E. Enable AWS CloudTrail to log all API calls and monitor for untagged resources.
Answers: A, C

Stack tags are automatically applied to all resources that support tagging.

Why this answer

Option A is correct because CloudFormation stack tags propagate to all resources that support tagging within the stack. When you specify tags at the stack level, CloudFormation automatically applies them to each resource it creates, ensuring mandatory tags are enforced without additional configuration.

Exam trap

The trap here is that candidates often confuse reactive detection (AWS Config) with proactive prevention (SCPs or stack tags), or mistakenly believe IAM policies can parse template content to enforce tagging rules.

297
MCQ (easy)

A DevOps engineer is designing a CI/CD pipeline for a serverless application using AWS Lambda and Amazon API Gateway. The team wants to automate deployment across multiple environments (dev, test, prod) with environment-specific configuration. Which approach should the engineer use?

A. Use the AWS Serverless Application Model (SAM) with CodePipeline, and pass environment parameters as CloudFormation parameter overrides.
B. Use CodeBuild to package the Lambda code and then use CloudFormation with parameters for each environment.
C. Use CodeDeploy with a deployment configuration that deploys to all environments sequentially.
D. Use CodePipeline with separate CodeBuild projects for each environment.
Answer: A

SAM integrates with CodePipeline and allows parameter overrides per environment.

Why this answer

Option D is correct because AWS SAM supports environment parameterization and is designed for serverless applications. Option A is not environment-aware. Option B requires manual variable management.

Option C lacks environment-specific config.

298
Multi-Select (medium)

A company is designing a disaster recovery plan for an application running on AWS. The plan must meet an RTO of 1 hour and an RPO of 15 minutes. Which TWO strategies can achieve these objectives? (Select TWO.)

Select 2 answers
A. Backup and restore using daily snapshots to a different Region
B. Warm standby in a different AWS Region with database replication
C. Cold standby in a different Region with infrastructure deployed on demand
D. Pilot light in a different Region with database replication
E. Multi-AZ deployment in the same Region
Answers: B, D

Both strategies can meet an RTO of 1 hour and an RPO of 15 minutes.

Why this answer

Option B (Warm standby) is correct because it maintains a scaled-down but fully functional copy of the production environment in a different AWS Region, with database replication (e.g., Amazon RDS cross-Region read replicas or Aurora Global Database) ensuring an RPO of 15 minutes or less. The standby infrastructure can be scaled up within the 1-hour RTO, as it is already running and configured.

Exam trap

The trap here is that candidates often confuse Multi-AZ deployments (which are high availability within a Region) with cross-Region disaster recovery, failing to recognize that Multi-AZ does not protect against a full Regional outage.

299
Multi-Select (medium)

A DevOps team uses AWS CloudFormation to manage infrastructure. They want to implement a change management process that requires approval before making changes to production stacks. Which TWO approaches can be used to enforce this?

Select 2 answers
A. Use CloudFormation StackSets to manage approvals.
B. Use CloudFormation Stack Policies to prevent updates.
C. Use CloudFormation Drift Detection to detect changes.
D. Use AWS CodePipeline with a manual approval stage.
E. Use CloudFormation Change Sets to review and manually execute changes.
Answers: D, E

Manual approval stage enforces review before deployment.

Why this answer

Option D is correct because AWS CodePipeline can include a manual approval stage that pauses the pipeline and requires explicit approval before proceeding to deploy changes to production stacks. Option E is correct because CloudFormation Change Sets allow you to review the proposed changes and then manually execute them, ensuring that no changes are applied without human review and approval.

Exam trap

The trap here is that candidates may confuse Stack Policies (which prevent updates to specific resources) with an approval workflow, or think that Drift Detection can be used to block changes, when in fact it only reports drift after the fact.

300
MCQ (hard)

A company uses AWS CodePipeline to deploy a serverless application. The pipeline has a source stage (CodeCommit), a build stage (CodeBuild), and a deploy stage (CloudFormation). The deployment consistently fails because the Lambda function's IAM role is not created before the function. The team uses a single CloudFormation template. Which action should be taken to resolve this dependency issue?

A. Add a DependsOn attribute in the CloudFormation template to ensure the IAM role is created before the Lambda function.
B. Create the IAM role in a separate CodeBuild action before the deploy stage.
C. Add a wait condition in the CloudFormation template.
D. Separate the IAM role into a nested stack and reference it.
Answer: A

DependsOn explicitly sets creation order.

Why this answer

Option A is correct because CloudFormation handles resource dependencies via the DependsOn attribute. The issue is that the template likely lacks a DependsOn on the Lambda function resource to wait for the IAM role. Adding DependsOn ensures the role is created first.

Option B is wrong because nested stacks add complexity but don't inherently fix dependency ordering. Option C is wrong because the role should be in the same template. Option D is wrong because wait conditions are for external signals, not resource dependencies.
