AWS Certified DevOps Engineer Professional DOP-C02 (DOP-C02) — Questions 451525

1740 questions total · 24pages · All types, answers revealed

Page 6

Page 7 of 24

Page 8
451
MCQmedium

A company uses AWS CloudFormation to manage infrastructure. They want to update a stack but need to ensure that critical database resources are not accidentally replaced during the update. What is the BEST way to protect these resources?

A.Use a CreationPolicy on the database resources.
B.Use a DeletionPolicy of Retain on the database resources.
C.Define a stack policy that denies updates to the database resources.
D.Set an UpdatePolicy with AutoScalingReplacingUpdate.
AnswerC

Stack policies control update permissions; a Deny on replace prevents replacement.

Why this answer

CloudFormation stack policies allow you to specify which resources can be updated or replaced. Setting a stack policy with Deny for the database resources prevents replacement.

452
MCQhard

A company uses AWS CodeDeploy to deploy an application to an Auto Scaling group. The deployment fails with the error 'The overall deployment failed because too many individual instances failed deployment, too few healthy instances are available for deployment, or some instances in your deployment group are experiencing problems.' The deployment is set to 'AllAtOnce'. The application revision is a simple index.html. What is the most likely cause?

A.The CodeDeploy agent is not installed or running on the EC2 instances.
B.The IAM instance profile does not have permissions to download from Amazon S3.
C.The application revision is not a compressed archive.
D.The deployment configuration 'AllAtOnce' is incompatible with Auto Scaling groups.
AnswerA

Without the agent, instances cannot run deployment scripts.

Why this answer

Option D is correct because the CodeDeploy agent must be installed on each EC2 instance in the Auto Scaling group to receive and execute deployments. Option A is wrong because AllAtOnce means all instances deploy simultaneously. Option B is wrong because S3 permissions are needed but would cause a different error.

Option C is wrong because the revision is a single file, not a zip, but CodeDeploy requires a revision format; however, the error message suggests instance failure.

453
Multi-Selecteasy

A DevOps engineer is troubleshooting a Lambda function that is timing out. Which TWO actions should the engineer take to diagnose the issue?

Select 2 answers
A.Set reserved concurrency to 1 to isolate the function.
B.Increase the function timeout in the Lambda configuration.
C.Check the VPC configuration for the Lambda function.
D.Increase the function memory allocation.
E.Review the function's CloudWatch Logs for timeout errors.
AnswersB, E

Increasing timeout can help if the function is close to completing.

Why this answer

Option A is correct because increasing timeout may allow the function to complete. Option D is correct because CloudWatch Logs show execution details and errors. Option B is wrong because memory allocation doesn't directly affect timeout.

Option C is wrong because VPC configuration is not directly related to timeout unless network issues. Option E is wrong because reserved concurrency affects scaling, not timeout.

454
MCQmedium

A company uses Chef for configuration management of their EC2 instances. They want to use AWS OpsWorks for Chef Automate to manage the Chef server. What is the primary benefit of using OpsWorks for Chef Automate compared to running a self-managed Chef server?

A.It provides a graphical user interface to author cookbooks.
B.It creates cookbooks based on the instance configuration.
C.It reduces operational overhead by managing the Chef server's infrastructure.
D.It automatically applies cookbooks to all instances in the account.
AnswerC

AWS manages the Chef server, reducing maintenance.

Why this answer

Option B is correct. OpsWorks for Chef Automate is a managed service that handles the Chef server maintenance, patching, and high availability. It integrates with AWS services like CloudWatch and IAM.

Option A is incorrect because OpsWorks does not provide a GUI for cookbooks; Chef has its own tools. Option C is incorrect because OpsWorks manages the server, not the nodes' cookbooks. Option D is incorrect because OpsWorks does not automatically create cookbooks; they must be developed by the user.

455
MCQeasy

An organization wants to ensure that all API calls made in their AWS account are logged for security analysis. Which AWS service should be enabled to meet this requirement?

A.AWS CloudTrail
B.AWS Config
C.Amazon CloudWatch Logs
D.VPC Flow Logs
AnswerA

CloudTrail records API activity for governance and audit.

Why this answer

Option A is correct because AWS CloudTrail records all API calls made in the account. Option B is wrong because CloudWatch Logs stores logs but does not capture API calls. Option C is wrong because VPC Flow Logs capture network traffic.

Option D is wrong because AWS Config tracks resource configuration changes.

456
MCQeasy

A DevOps engineer runs the command shown in the exhibit. The output shows the stack status as ROLLBACK_COMPLETE. Which statement best describes the current state of the stack?

A.The stack was created successfully and is in a steady state.
B.The stack update failed and has been rolled back to the previous state.
C.The stack is currently in the process of rolling back after a failed creation.
D.The stack creation failed and has been rolled back. No resources remain.
AnswerD

ROLLBACK_COMPLETE means all resources were cleaned up after failure.

Why this answer

Option B is correct because ROLLBACK_COMPLETE means the stack creation failed and rolled back, leaving no resources. Option A is wrong because that would be CREATE_COMPLETE. Option C is wrong because UPDATE_ROLLBACK_COMPLETE is for updates.

Option D is wrong because ROLLBACK_IN_PROGRESS is the intermediate state.

457
Multi-Selecthard

A company runs a containerized application on Amazon ECS with Fargate. The application needs to be resilient to Availability Zone failures. Which THREE actions should the company take? (Choose THREE.)

Select 3 answers
A.Configure the ECS service to spread tasks across multiple Availability Zones.
B.Disable managed service scaling to avoid resource contention.
C.Use a multi-AZ Amazon RDS or DynamoDB for persistent data.
D.Deploy an Application Load Balancer (ALB) with targets in multiple Availability Zones.
E.Use a single service discovery namespace for all tasks.
AnswersA, C, D

Spreading tasks across AZs prevents total loss from a single AZ failure.

Why this answer

Option A is correct because spreading tasks across multiple AZs ensures that an AZ failure does not affect all tasks. Option C is correct because using a multi-AZ ALB distributes traffic across AZs. Option E is correct because storing state in a multi-AZ database like DynamoDB or RDS ensures data durability.

Option B is wrong because a single service discovery namespace does not provide AZ resilience. Option D is wrong because disabling managed scaling may reduce availability.

458
MCQmedium

An application runs on EC2 instances behind an ALB. Users report intermittent 503 errors. The engineer checks ALB metrics and sees 'SurgeQueueLength' increasing periodically. What is the most likely cause?

A.The application instances are not able to process requests quickly enough, causing the request queue to back up.
B.The target group health checks are failing, causing the ALB to route traffic to unhealthy instances.
C.The SSL certificate on the ALB has expired.
D.The ALB security group is blocking traffic from the clients.
AnswerA

Slow processing leads to queue buildup and eventual 503 errors.

Why this answer

Option B is correct because a high SurgeQueueLength indicates that the ALB is receiving more requests than the instances can handle, and the queue is filling up, leading to 503 errors when the queue overflows. Option A is wrong because unhealthy hosts would cause errors but not necessarily an increasing queue. Option C is wrong because a misconfigured security group would block traffic entirely.

Option D is wrong because an SSL certificate issue would cause TLS errors, not 503.

459
MCQmedium

A company uses Amazon CloudWatch to monitor its EC2 instances. A DevOps engineer notices that some metrics (e.g., memory utilization) are not available in the CloudWatch console. The engineer wants to collect these metrics. What should the engineer do?

A.Enable VPC Flow Logs for the instance's subnet.
B.Install and configure the CloudWatch Agent on the EC2 instances.
C.Send the metrics to CloudWatch Logs and create a metric filter.
D.Enable detailed monitoring on the EC2 instances.
AnswerB

The CloudWatch Agent collects custom metrics including memory and disk utilization.

Why this answer

Option C is correct because EC2 does not report memory metrics by default; you need to install the CloudWatch Agent to collect custom metrics like memory. Option A is wrong because detailed monitoring only provides more frequent data for built-in metrics. Option B is wrong because CloudWatch Logs is for logs, not metrics.

Option D is wrong because VPC Flow Logs capture network traffic, not instance-level metrics.

460
MCQhard

A DevOps engineer uses AWS CloudFormation to manage infrastructure. The stack creation fails with the error: 'Circular dependency between resources'. The template includes an EC2 instance, an Elastic IP, and an internet gateway. The instance is associated with the Elastic IP, and the Elastic IP uses the internet gateway for the VPC. Which resource relationship is MOST likely causing the circular dependency?

A.The security group depends on the EC2 instance, and the EC2 instance depends on the security group.
B.The Elastic IP depends on the internet gateway, and the internet gateway depends on the Elastic IP.
C.The EC2 instance depends on the Elastic IP, and the Elastic IP depends on the EC2 instance.
D.The internet gateway depends on the VPC, and the VPC depends on the internet gateway.
AnswerC

This creates a circular dependency.

Why this answer

Option C is correct because the circular dependency arises when the EC2 instance depends on the Elastic IP (via an Association resource) and the Elastic IP depends on the EC2 instance (via the InstanceId property). CloudFormation cannot resolve the creation order when two resources each require the other to exist first. This is a classic circular dependency in CloudFormation templates when using an AWS::EC2::EIP with an InstanceId that references the EC2 instance, while the instance itself has a DependsOn or a reference to the Elastic IP.

Exam trap

The trap here is that candidates confuse the Elastic IP's dependency on the internet gateway (which is not direct) with the mutual dependency between the EC2 instance and the Elastic IP when the EIP uses the InstanceId property.

How to eliminate wrong answers

Option A is wrong because a security group does not depend on an EC2 instance; the instance depends on the security group, and CloudFormation handles this as a one-way dependency. Option B is wrong because an Elastic IP does not depend on an internet gateway; the Elastic IP is associated with a VPC or instance, and the internet gateway is attached to the VPC independently. Option D is wrong because an internet gateway depends on the VPC (via VpcId), but the VPC does not depend on the internet gateway; the VPC is created first, and the gateway is attached to it.

461
MCQmedium

A DevOps engineer is responsible for managing infrastructure as code for multiple microservices. The team uses AWS CloudFormation and wants to reuse common resource definitions across multiple stacks. Which approach should the engineer use to promote reusability and reduce code duplication?

A.Create nested stacks that include the common resources and pass parameters as needed.
B.Store the common resource definitions in an AWS CodeCommit repository and copy them into each template.
C.Use cross-stack references by exporting outputs from a central stack and importing them in other stacks.
D.Develop CloudFormation modules that encapsulate common resource configurations and publish them in a registry.
AnswerD

Modules are designed for reusability and can be shared across accounts and regions.

Why this answer

Option D is correct because AWS CloudFormation modules allow you to encapsulate common resource configurations into reusable, versioned components that can be published in the CloudFormation registry. This promotes reusability and reduces code duplication across multiple stacks without the overhead of managing nested stack templates or manual copying.

Exam trap

The trap here is that candidates often confuse cross-stack references (Fn::ImportValue) with reusable resource definitions, but cross-stack references only share output values, not the underlying resource configuration, so they do not reduce code duplication.

How to eliminate wrong answers

Option A is wrong because nested stacks still require you to maintain separate template files for the common resources, and they do not inherently reduce duplication if the same nested stack template is copied across projects. Option B is wrong because copying common resource definitions from a CodeCommit repository into each template leads to code duplication and version drift, defeating the purpose of reusability. Option C is wrong because cross-stack references (using Fn::ImportValue) only allow sharing output values, not entire resource definitions, so they do not reduce duplication of the resource configuration itself.

462
MCQeasy

A DevOps engineer needs to store secrets such as database passwords for a serverless application. Which AWS service is most appropriate?

A.Amazon DynamoDB with encryption
B.Amazon S3 with server-side encryption
C.AWS Systems Manager Parameter Store (SecureString)
D.AWS Secrets Manager
AnswerD

Designed for secrets with rotation and fine-grained access.

Why this answer

Option C is correct because AWS Secrets Manager is designed for managing secrets with automatic rotation. Option A is wrong because Systems Manager Parameter Store can store secrets but lacks built-in rotation. Option B is wrong because S3 is not secure by default for secrets.

Option D is wrong because DynamoDB is a database, not a secrets manager.

463
MCQeasy

A team uses AWS CodePipeline to deploy a static website to Amazon S3. The pipeline has a deployment stage that uses AWS CodeDeploy to copy files to an S3 bucket. However, the deployment fails because the S3 bucket is not configured for static website hosting. What is the MOST likely cause of the failure?

A.The IAM role for CodeDeploy does not have permissions to write to the S3 bucket.
B.The S3 bucket does not have static website hosting enabled.
C.The S3 bucket is not configured as a public bucket.
D.AWS CodeDeploy cannot deploy to S3 buckets.
AnswerB

Static website hosting must be enabled to serve the website.

Why this answer

Option A is correct because CodeDeploy for S3 does not require bucket policy changes; the failure is due to missing static website hosting configuration. Option B is wrong because IAM roles should be fine. Option C is wrong because CodeDeploy does not need the bucket to be public.

Option D is wrong because S3 is not a deployment target for CodeDeploy? Actually CodeDeploy can deploy to EC2/On-premises/Lambda, not directly to S3. The question assumes CodeDeploy is used incorrectly. But the best answer is A as per typical issues.

464
MCQmedium

Refer to the exhibit. A CloudTrail trail named ManagementTrail is configured as shown. Which events will be logged?

A.Only read management events.
B.Only write management events.
C.Only S3 data events.
D.All management events for the account.
AnswerD

ReadWriteType: All and IncludeManagementEvents: true logs all management events.

Why this answer

The CloudTrail trail named ManagementTrail is configured to log management events, and by default, when you create a trail in the CloudTrail console, it logs both read and write management events unless you specifically choose to log only one type. The exhibit shows no filtering for read-only or write-only events, so all management events (both read and write) for the account will be logged. This is the standard behavior for a trail that does not have an event selector restricting the event type.

Exam trap

AWS often tests the misconception that a trail named 'ManagementTrail' only logs management events of a specific type (read or write), but the default behavior is to log all management events unless an explicit event selector is configured to filter them.

How to eliminate wrong answers

Option A is wrong because selecting 'Only read management events' would require explicitly configuring an event selector with ReadOnly set to true, which is not shown in the exhibit. Option B is wrong because selecting 'Only write management events' would require explicitly configuring an event selector with ReadOnly set to false, which is not shown. Option C is wrong because S3 data events are not management events; they are a separate category that must be explicitly enabled via event selectors, and the exhibit shows no such configuration.

465
MCQhard

A company is designing a multi-region active-active architecture for a stateless web application using Route 53 latency-based routing. The application uses an RDS MySQL database. What should be done to ensure database resilience across regions?

A.Configure automated snapshots and copy them to the secondary region
B.Use RDS Cross-Region Synchronous Replication
C.Create cross-region read replicas and promote to master during failover
D.Enable Multi-AZ deployment in each region
AnswerC

Read replicas can be promoted for cross-region DR.

Why this answer

Cross-region read replicas can be promoted to master in disaster. Option A is wrong because Aurora Global Database is better but not listed as an option; but read replica promotion is supported. Option B is wrong because Multi-AZ is single-region.

Option C is wrong because RDS doesn't support synchronous cross-region replication. Option D is wrong because snapshot restore is manual and slow.

466
Multi-Selecthard

A company is using AWS Elastic Beanstalk for a production environment. They have observed that during deployments, the environment's health status intermittently becomes 'Severe' even though the application is functioning correctly. The deployment uses rolling updates with a batch size of 50%. Which TWO configuration changes would improve deployment stability without completely redesigning the deployment process? (Select TWO.)

Select 2 answers
A.Switch from rolling to immutable updates.
B.Increase the health check interval to allow more time for the application to stabilize.
C.Increase the batch size to 75%.
D.Decrease the deployment cooldown time.
E.Decrease the batch size to 25%.
AnswersB, E

Longer health check interval prevents premature health status degradation.

Why this answer

Option A is correct because decreasing the batch size reduces the number of instances updated at once, limiting the impact of potential issues. Option D is correct because increasing the health check interval gives the application more time to stabilize before Elastic Beanstalk marks it as unhealthy. Option B (immutable updates) completely changes the deployment strategy, which may not be desired.

Option C (decreasing cooldown) could worsen stability. Option E (increasing batch size) would increase instability.

467
MCQhard

A company runs a production e-commerce platform on AWS. The architecture includes an Application Load Balancer (ALB) distributing traffic across EC2 instances in an Auto Scaling group. The application uses a custom configuration stored in an S3 bucket. The DevOps team uses AWS CodeDeploy to deploy application updates. Recently, a deployment failed because new instances launched by the Auto Scaling group did not have the latest configuration from S3. The team had manually updated the configuration in S3 but the deployment did not pull the new version. The team wants to ensure that all instances always have the latest configuration at launch. Current setup: The Auto Scaling group uses a launch template that specifies an IAM instance profile with permissions to read from S3. The user data script runs at launch to download configuration from S3. However, the user data script is static and does not account for configuration updates. The team wants a solution that automatically applies configuration changes to both existing and new instances without manual intervention.

A.Use AWS Config with a custom rule to detect instances that do not have the latest configuration and trigger a Lambda function to update them.
B.Update the launch template with a new user data script that always fetches the latest configuration from S3. Then, update the Auto Scaling group to use the new launch template version.
C.Configure AWS CodeDeploy to deploy the configuration to all instances whenever the S3 object is updated, using an S3 event notification.
D.Use AWS Systems Manager State Manager to associate a document that runs on all instances to fetch the latest configuration from S3 on a schedule and at instance startup.
AnswerD

State Manager can enforce configuration on both existing and new instances.

Why this answer

Option B is correct because AWS Systems Manager State Manager can enforce configuration on instances, pull the latest config from S3, and apply it to both existing and new instances. Option A is incorrect because updating the user data script in the launch template only affects new instances, not existing ones. Option C is incorrect because CodeDeploy does not run at instance launch unless triggered by a lifecycle hook, and it requires additional setup.

Option D is incorrect because AWS Config is for compliance, not for pushing configurations.

468
MCQhard

A company uses Amazon Inspector to scan EC2 instances for vulnerabilities. The security team discovers that a critical vulnerability is present on an instance, but the instance is part of an Auto Scaling group. What is the MOST efficient way to remediate this vulnerability while ensuring the Auto Scaling group remains operational?

A.Patch the instance manually via SSH, then create a new AMI from it and update the launch configuration.
B.Detach the instance from the Auto Scaling group, patch it, and reattach it.
C.Use AWS Systems Manager Patch Manager to patch the instance and then set the instance to not receive future updates.
D.Create a new AMI with the patch, update the Auto Scaling group's launch template, and terminate instances one by one to trigger replacement.
AnswerD

This ensures all new instances are patched with minimal disruption.

Why this answer

The most efficient way is to create a new Amazon Machine Image (AMI) with the vulnerability patched, update the Auto Scaling group's launch configuration/template to use the new AMI, and then perform a rolling update (e.g., by terminating instances one by one). Manually patching each instance is inefficient because Auto Scaling will launch new instances from the old AMI. Using AWS Systems Manager Patch Manager can patch on the fly but does not update the launch template for future instances.

Isolating the instance does not fix the root cause.

469
MCQhard

A company is designing a multi-Region disaster recovery strategy for a stateless web application. The application runs on EC2 instances in an Auto Scaling group behind an ALB in us-east-1. The recovery point objective (RPO) is 15 minutes and recovery time objective (RTO) is 30 minutes. The application data is stored in Amazon RDS for PostgreSQL. Which combination of actions should the company take to meet the RPO and RTO?

A.Use RDS cross-Region replication to a standby DB instance in another Region. Maintain a warm standby environment (Auto Scaling group, ALB) in the disaster Region. Configure Route 53 health checks to fail over automatically.
B.Use RDS cross-Region snapshot copy every 15 minutes. In the disaster Region, manually launch a new environment and restore the latest snapshot.
C.Use RDS Multi-AZ in us-east-1. In the disaster Region, keep a standby Auto Scaling group and ALB. On failure, promote the Multi-AZ standby to primary and update DNS.
D.Use RDS read replicas in another Region. On failure, promote the read replica to a standalone instance and update the application.
AnswerA

Cross-Region replication provides low RPO; warm standby with automatic failover meets RTO.

Why this answer

Option A is correct because it meets both the 15-minute RPO and 30-minute RTO. RDS cross-Region replication provides continuous asynchronous replication with minimal lag, typically well under 15 minutes, ensuring data is nearly up-to-date. The warm standby environment (pre-provisioned Auto Scaling group and ALB) in the disaster Region allows automatic failover via Route 53 health checks, enabling recovery within the 30-minute RTO without manual intervention.

Exam trap

The trap here is confusing Multi-AZ (single-Region HA) with cross-Region DR, leading candidates to choose Option C, which fails to protect against a Regional outage.

How to eliminate wrong answers

Option B is wrong because manual snapshot copies every 15 minutes cannot guarantee a 15-minute RPO due to snapshot creation and transfer delays, and manually launching a new environment and restoring the latest snapshot far exceeds the 30-minute RTO. Option C is wrong because RDS Multi-AZ in us-east-1 provides high availability within a single Region only; it does not replicate data to another Region, so a Regional failure would result in complete data loss and no DR capability. Option D is wrong because promoting a cross-Region read replica to a standalone instance can take several minutes and requires manual DNS updates, which together exceed the 30-minute RTO; also, read replicas may have replication lag that could violate the 15-minute RPO.

470
MCQhard

A company uses AWS Systems Manager to manage a fleet of EC2 instances. They need to run a custom script on all instances every time the instance is started. The script is stored in an S3 bucket. Which approach ensures the script runs automatically on every instance start with minimal administrative overhead?

A.Create a State Manager association with the AWS-RunDocument document, targeting the instances, and set the schedule to 'On Instance Start'.
B.Place the script in /etc/rc.local on a custom AMI.
C.Use AWS Config rules to invoke a Lambda function that runs the script.
D.Create an EC2 launch template that includes the script in user data.
AnswerA

State Manager can be configured to run a document on instance start automatically.

Why this answer

Associating a State Manager association with the AWS-RunDocument document and targeting the instances ensures the script runs on every instance start. Option A is correct because State Manager can be configured to run on instance start. Options B, C, and D are either manual or not triggered automatically on start.

471
Multi-Selectmedium

Which TWO actions are best practices for securing an AWS account root user? (Select TWO.)

Select 2 answers
A.Use the root user for daily administrative tasks
B.Create access keys for the root user to use with CLI
C.Create an IAM user with administrator access and use that instead
D.Enable multi-factor authentication (MFA) for the root user
E.Delete the root user after creating an IAM admin user
AnswersC, D

Avoid using root user for daily tasks.

Why this answer

Best practices for root user include enabling MFA, using a strong password, and not using root for daily tasks. Deleting the root user is not possible. Access keys should not be created for root user.

472
MCQmedium

A DevOps team uses AWS CodeDeploy to deploy an application to an Auto Scaling group. The deployment fails with a 'HealthCheckFailed' error. The application is running, but the health check endpoint returns HTTP 500. What should the team do to resolve this issue?

A.Change the deployment configuration to use AllAtOnce to avoid health checks.
B.Increase the health check grace period in the Auto Scaling group.
C.Disable the health check in the CodeDeploy deployment configuration.
D.Modify the application to handle the health check endpoint correctly and return HTTP 200.
AnswerD

The health check endpoint must return a successful status (e.g., 200) for CodeDeploy to consider the instance healthy.

Why this answer

Option A is correct: fix the application to return a healthy status. Option B ignores the issue. Option C does not fix the application.

Option D is not possible.

473
Multi-Selecthard

A company uses Amazon ECS with Fargate for containerized applications. They need to ensure that if a task fails, it is automatically restarted and the application remains available. Which THREE actions should they take? (Choose THREE.)

Select 3 answers
A.Configure the ECS service to automatically restart failed tasks.
B.Place tasks across multiple Availability Zones.
C.Use an Application Load Balancer with health checks.
D.Set up a CloudWatch alarm to trigger AWS Lambda to restart tasks.
E.Configure an EC2 Auto Scaling group for the ECS cluster.
AnswersA, B, C

Service auto-restart replaces failed tasks.

Why this answer

Options B, C, and E are correct. Service auto-restart ensures tasks are replaced. Deploying tasks across multiple AZs provides AZ resilience.

Using an ALB with health checks ensures traffic is routed to healthy tasks. Option A is incorrect because ECS does not use EC2 Auto Scaling for Fargate. Option D is incorrect because CloudWatch alarms are not needed for automatic restart.

474
MCQhard

A company uses AWS CloudFormation to manage its infrastructure. The CloudFormation template includes a custom resource backed by an AWS Lambda function that validates a condition and returns a value. During a stack update, the custom resource fails, and the stack rolls back. The DevOps engineer needs to debug the issue. Which steps should be taken to troubleshoot the custom resource failure?

A.View the Amazon CloudWatch Logs log group for the Lambda function to see the function's output and error messages.
B.Update the Lambda function code to include additional logging and then re-execute the stack update.
C.Check the Amazon S3 bucket where the Lambda function code is stored for any access denied errors.
D.Review the CloudFormation stack events in the AWS Management Console for detailed error messages from the Lambda function.
AnswerA

Custom resource Lambda functions log to CloudWatch Logs; reviewing those logs helps identify the failure.

Why this answer

Option A is correct because AWS Lambda functions invoked by CloudFormation custom resources automatically send their logs to Amazon CloudWatch Logs. By examining the log group named `/aws/lambda/<function-name>`, the DevOps engineer can view the function's `stdout`, `stderr`, and any `print()` or `console.log()` statements, which will contain the exact error messages or return values that caused the custom resource to fail. This is the most direct and reliable method to debug the failure without modifying the stack or waiting for a new update.

Exam trap

The trap here is that candidates often assume CloudFormation stack events provide detailed error messages from the Lambda function, but in reality, they only show generic failure statuses, while the actual debugging data resides in CloudWatch Logs.

How to eliminate wrong answers

Option B is wrong because updating the Lambda function code and re-executing the stack update does not help debug the original failure; it changes the code and may mask the root cause, and the stack update would still need to be triggered again. Option C is wrong because the Lambda function code is stored in Amazon S3 only for deployment; access denied errors on the S3 bucket would prevent the function from being created or updated, but they would not cause a custom resource failure during a stack update — the function is already deployed and running. Option D is wrong because CloudFormation stack events only show high-level status messages like 'CREATE_FAILED' or 'UPDATE_FAILED' for the custom resource, but they do not include the detailed error messages or return values from the Lambda function itself; those details are only available in CloudWatch Logs.

475
Drag & Dropmedium

Drag and drop the steps to troubleshoot an AWS CloudTrail that is not logging API calls.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

First verify CloudTrail is enabled, then check bucket policy, then check integrity, then check IAM role, then test.

476
Multi-Selecthard

A company is running a production application on Amazon ECS with Fargate. The DevOps team needs to monitor the application's performance and set up alerts for high memory usage. Which THREE steps should the team take to achieve this?

Select 3 answers
A.Configure CloudWatch to automatically collect memory metrics from Fargate tasks
B.Create a custom CloudWatch metric and publish memory usage data from the application
C.Set up a CloudWatch alarm on the custom memory metric with appropriate threshold and actions
D.Enable the ECS task metadata endpoint and configure the application to publish memory metrics to CloudWatch
E.Enable Amazon CloudWatch Container Insights for the ECS cluster
AnswersB, C, D

Custom metrics allow monitoring of memory usage in Fargate.

Why this answer

Options B, C, and E are correct. To monitor memory usage in ECS Fargate, you must enable the ECS task metadata endpoint, which allows the container to publish memory metrics to CloudWatch. Then create a custom CloudWatch metric from the container, and set up a CloudWatch alarm on that metric.

Option A is wrong because Container Insights requires the CWAgent configuration. Option D is wrong because CloudWatch does not automatically collect memory metrics from Fargate; custom metrics are needed.

477
MCQeasy

A company uses Amazon RDS for MySQL and has enabled automated backups. The database administrator accidentally deleted a critical row from a table. The deletion occurred 15 minutes ago. What is the fastest way to recover the lost data?

A.Perform a Point-in-Time Restore to a time just before the deletion.
B.Use the RDS console to undo the last transaction.
C.Use the binary log to replay transactions before the deletion.
D.Create a manual snapshot of the current instance and restore it.
AnswerA

Fastest AWS-native method to recover to a specific point.

Why this answer

Option C is correct because Point-in-Time Restore (PITR) allows restoring to any time within the backup retention period, down to the second. Option A is wrong because a manual snapshot from before the deletion would need to be created, which is slower. Option B is wrong because the binlog contains changes, but replaying requires manual effort and is not the fastest AWS-native method.

Option D is wrong because RDS does not have a native 'undo' feature.

478
MCQhard

Refer to the exhibit. An IAM policy is attached to an IAM user. The user tries to download an object from the S3 bucket 'example-bucket' from an IP address of 10.1.2.3. What will happen?

A.The request is denied because the policy does not include a Deny statement.
B.The request is denied because the policy does not explicitly allow the action.
C.The result depends on the bucket policy.
D.The request is allowed because the condition matches the IP address.
AnswerD

The IP 10.1.2.3 is within the 10.0.0.0/8 CIDR range.

Why this answer

Option B is correct because the policy allows s3:GetObject only if the condition matches. The IP 10.1.2.3 falls within 10.0.0.0/8, so the condition is satisfied. Option A is wrong because the condition is met.

Option C is wrong because the policy does not specify a Deny. Option D is wrong because the bucket policy is not shown.

479
Multi-Selectmedium

A DevOps team is setting up centralized logging for a multi-account AWS environment. They want to aggregate logs from all accounts into a single S3 bucket. Which services should be used to achieve this? (Choose TWO.)

Select 2 answers
A.AWS CloudTrail
B.AWS Config
C.Amazon CloudWatch Logs
D.Amazon Kinesis Data Firehose
E.Amazon S3 replication
AnswersA, C

Correct. CloudTrail can be configured to deliver logs from multiple accounts to a central S3 bucket.

Why this answer

AWS CloudTrail is correct because it can be configured to deliver log files from multiple accounts to a single S3 bucket by setting up a trail in the management account and using the 'Enable for all accounts in my organization' option, which automatically applies the trail to all member accounts in AWS Organizations. This centralizes CloudTrail logs without requiring per-account configuration.

Exam trap

The trap here is that candidates often confuse Amazon Kinesis Data Firehose as a log aggregation service, but it is a delivery stream that requires a log source to send data to it, not a service that natively collects logs from multiple accounts.

480
Multi-Selecteasy

A DevOps engineer is investigating a performance issue in a serverless application using AWS Lambda. The engineer wants to view the duration of each invocation and identify cold starts. Which TWO AWS services should be used? (Choose TWO.)

Select 2 answers
A.Amazon CloudWatch Metrics for Lambda (duration, invocations)
B.AWS X-Ray to trace invocations and detect cold starts
C.AWS CloudTrail to record Lambda API calls
D.Amazon CloudWatch Logs for Lambda execution logs
E.AWS Config to track Lambda configuration changes
AnswersA, D

CloudWatch Metrics shows duration and invocation counts.

Why this answer

Amazon CloudWatch Metrics for Lambda (option A) provides built-in metrics such as duration and invocations, which are essential for analyzing performance trends and identifying slow invocations. AWS X-Ray (option B) traces individual requests through the Lambda function and can explicitly detect cold starts by showing the initialization phase duration, making it the correct complementary service.

Exam trap

The trap here is that candidates often assume CloudWatch Logs (option D) is needed for performance analysis, but Lambda execution logs contain custom log output and error messages, not structured duration or cold start data—those are provided by CloudWatch Metrics and X-Ray respectively.

481
Multi-Selecthard

Which THREE practices help ensure the security of a CI/CD pipeline that deploys to production? (Choose three.)

Select 3 answers
A.Integrate static code analysis and vulnerability scanning into the pipeline.
B.Require manual approval for all deployments to production.
C.Use IAM roles with least privilege for pipeline actions.
D.Store deployment credentials in the source repository for traceability.
E.Encrypt artifacts in transit and at rest using AWS KMS.
AnswersA, C, E

Automated scanning catches security issues early.

Why this answer

A: Encryption of artifacts in transit and at rest protects sensitive data. B: Scanning for vulnerabilities in dependencies and code helps prevent insecure deployments. D: Using least privilege IAM roles minimizes risk.

C is wrong because storing credentials in the source repository is insecure. E is wrong because manual approval alone does not ensure security; automated checks are also needed.

482
MCQmedium

A company is implementing a CI/CD pipeline using AWS CodePipeline. The source code is stored in an AWS CodeCommit repository. The pipeline must automatically start whenever a change is pushed to any branch. Which configuration is required?

A.Add a branch creation trigger in CodeCommit that starts the pipeline.
B.Create a CloudWatch Events rule that matches CodeCommit push events and targets the CodePipeline pipeline.
C.Create an SNS topic and subscribe the pipeline to it, then configure CodeCommit to publish to the topic on push.
D.Configure the pipeline to poll the CodeCommit repository every few minutes.
AnswerB

CloudWatch Events can detect pushes to any branch and trigger the pipeline.

Why this answer

Option D is correct because CodePipeline can use Amazon CloudWatch Events to detect changes in CodeCommit repositories and trigger the pipeline. Option A is wrong because CodePipeline does not have a built-in trigger for branch creation. Option B is wrong because polling is not recommended and may not detect changes immediately.

Option C is wrong because CodeCommit does not send SNS notifications for pushes.

483
MCQmedium

A company uses AWS Lambda functions to process messages from an Amazon SQS queue. The Lambda function is configured with a reserved concurrency of 5. The SQS queue has a large backlog of messages, and the Lambda function is processing them slowly. The DevOps team wants to increase throughput without making changes to the Lambda code. The team decides to increase the reserved concurrency to 10. However, after the change, the Lambda function starts to experience throttling errors (RateExceeded). The team also notices that other Lambda functions in the same account are also being throttled. What is the MOST likely cause?

A.The SQS queue's polling interval is too high, causing Lambda to poll infrequently.
B.The account's Lambda concurrency limit has been reached due to the increased reserved concurrency.
C.The Lambda function's execution role does not have permission to invoke the function.
D.The SQS queue's visibility timeout is too short, causing messages to be processed multiple times.
AnswerB

Reserved concurrency consumes from the account limit.

Why this answer

Option B is correct because the account-level Lambda concurrency limit may be reached. Increasing reserved concurrency for one function reduces the pool available for others. Option A is wrong because SQS batch size does not cause throttling.

Option C is wrong because SQS polling interval is controlled by Lambda. Option D is wrong because IAM permissions would cause access denied errors, not throttling.

484
MCQhard

Refer to the exhibit. An IAM policy is attached to a CodeBuild service role. The CodeBuild project is used to build code from a CodeCommit repository and output artifacts to an S3 bucket. However, the build fails with an error: 'Unable to download source from CodeCommit'. What is the missing permission?

A.Permissions to read from the CodeCommit repository.
B.Permissions to create CloudWatch Logs for build output.
C.Permissions to decrypt the KMS key used to encrypt artifacts.
D.Permissions to write to the S3 artifact bucket.
AnswerA

The policy lacks CodeCommit actions like codecommit:GitPull.

Why this answer

Option D is correct because the policy does not include CodeCommit actions like 'codecommit:GitPull' or 'codecommit:GetBranch'. Option A is wrong because the policy already has S3 permissions. Option B is wrong because KMS is not mentioned.

Option C is wrong because Logs permissions would be for CloudWatch, not for source download.

485
MCQhard

A company uses AWS CodeCommit and wants to enforce that all commits to the 'main' branch are signed with a GPG key. Which steps should the DevOps engineer take to enforce this?

A.Create an IAM policy that denies git push actions unless the commit is signed.
B.Use the AWS CLI to verify commit signatures and reject pushes.
C.Enable CloudWatch Logs to monitor commits and trigger a Lambda to rollback.
D.Configure a pre-receive hook in CodeCommit to reject unsigned commits.
AnswerA

IAM policies can enforce signing using the 'codecommit:ReferenceType' and 'codecommit:SourceCommit' conditions.

Why this answer

Option B is correct because CodeCommit can use IAM policies with conditions to require signed commits. Option A is wrong because hooks are not supported in CodeCommit. Option C is wrong because the commit ID does not enforce signing.

Option D is wrong because CloudWatch Logs cannot enforce signing.

486
MCQeasy

A DevOps engineer needs to grant cross-account access to an S3 bucket. The source account is 111111111111 and the destination account is 222222222222. Which policy should be attached to the S3 bucket?

A.Attach an IAM policy to the user in account 111111111111 allowing s3:GetObject.
B.Set the bucket ACL to grant full control to account 222222222222.
C.{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::222222222222:root"},"Action":"s3:GetObject","Resource":"arn:aws:s3:::example-bucket/*"}]}
D.{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::111111111111:root"},"Action":"s3:GetObject","Resource":"arn:aws:s3:::example-bucket/*"}]}
AnswerC

Bucket policy grants cross-account access to objects.

Why this answer

Option C is correct because it uses a bucket policy to grant cross-account access to the S3 bucket. The policy specifies the destination account (222222222222) as the principal, allowing s3:GetObject on the bucket's objects. This is the standard AWS approach for cross-account S3 access, as bucket policies can grant permissions to principals in other AWS accounts.

Exam trap

The trap here is that candidates often confuse which account's ARN to use in the Principal field, mistakenly using the source account (111111111111) instead of the destination account (222222222222), or they incorrectly assume an IAM policy in the source account can grant cross-account access.

How to eliminate wrong answers

Option A is wrong because attaching an IAM policy to a user in the source account (111111111111) does not grant access to the destination account; it only grants permissions to that specific user within the source account. Option B is wrong because bucket ACLs are legacy and do not support granting cross-account access to objects in a bucket that has S3 Object Ownership enabled (default since April 2023), and they are less secure and flexible than bucket policies. Option D is wrong because it specifies the source account (111111111111) as the principal, which would only grant access to the source account itself, not the destination account (222222222222).

487
MCQmedium

A company uses AWS CloudTrail to audit API activity. During an incident investigation, they find that a user with the IAM policy 'AdministratorAccess' deleted an S3 bucket. The security team wants to know the source IP address and user agent used for the delete operation. Which action should the team take to obtain this information?

A.View the CloudTrail event history for the delete-bucket event.
B.Check the S3 server access logs for the deleted bucket.
C.Use CloudWatch Logs to search for the event in the CloudTrail log group.
D.Query AWS Config to find the configuration item for the bucket deletion.
AnswerA

D is correct because CloudTrail event history contains the source IP address and user agent for each API call.

Why this answer

CloudTrail event history captures all management events, including DeleteBucket, and records the source IP address and user agent for each API call. By viewing the event history for the specific delete-bucket event, the security team can directly retrieve the required metadata without needing additional log sources or configurations.

Exam trap

The trap here is that candidates confuse S3 server access logs (which log object-level operations) with CloudTrail management events, leading them to incorrectly choose option B for a bucket deletion that is a management API call.

How to eliminate wrong answers

Option B is wrong because S3 server access logs record object-level requests (e.g., GET, PUT, DELETE on objects), not management-level API calls like DeleteBucket, and they do not capture the user agent or IAM user identity. Option C is wrong because CloudTrail does not automatically deliver events to a CloudWatch Logs log group unless a specific trail is configured with CloudWatch Logs integration; the default event history is not searchable via CloudWatch Logs. Option D is wrong because AWS Config records configuration changes to resources (e.g., bucket existence), but it does not capture the source IP address or user agent of the API call that triggered the change.

488
MCQhard

A company is using AWS CodePipeline to deploy a web application across multiple AWS accounts using CloudFormation stack sets. The pipeline is in the tools account, and it deploys to production account. The security team requires that all CloudFormation changes to production account be reviewed and approved by a senior engineer. Which approach meets this requirement?

A.Use AWS CloudTrail to monitor deployments and send notifications for review.
B.Configure an IAM policy that denies CloudFormation actions in the production account except for a specific role used by the senior engineer.
C.Add a manual approval step in the CodePipeline before the CloudFormation deployment stage.
D.Use a service control policy (SCP) to prevent CloudFormation changes from the tools account.
AnswerC

This allows a designated approver to review the deployment and approve or reject it before the stack set update is executed.

Why this answer

Using a manual approval action in CodePipeline before the CloudFormation deployment allows a senior engineer to review and approve changes. Option A is wrong because CloudTrail is not a review mechanism; it logs actions after they occur. Option C is wrong because restricting IAM permissions would prevent the pipeline from deploying at all.

Option D is wrong because SCPs are for preventive controls, not for manual approval workflows.

489
MCQmedium

A company has a CI/CD pipeline using AWS CodePipeline that deploys a critical web application to an Auto Scaling group of EC2 instances. The pipeline includes a deploy stage using AWS CodeDeploy. Recently, the deployment failed because the new application version caused an increase in HTTP 500 errors. The operations team manually rolled back the deployment by redeploying the previous version. However, the team wants to automate this process so that future failed deployments are automatically rolled back. Additionally, they want to ensure that if the rollback itself fails, the system should alert the on-call engineer. Currently, the deployment group is configured with 'rollback when a deployment fails' disabled. The team has also set up a CloudWatch alarm that triggers when the HTTP 500 error rate exceeds a threshold. What should a DevOps engineer do to meet these requirements with minimal operational overhead?

A.Configure the deployment group to automatically roll back when a CloudWatch alarm is triggered, and also enable automatic rollback on deployment failure. Set up a CloudWatch alarm on the deployment group's failure metric to notify the on-call engineer
B.Create a CloudWatch Events rule that triggers an AWS Lambda function to roll back the deployment when the alarm state is reached, and configure the Lambda function to send an SNS notification on failure
C.Add a manual approval step before the deploy stage in CodePipeline and require the on-call engineer to approve or reject the deployment
D.Enable the 'rollback when a deployment fails' option in the deployment group and create a CloudWatch alarm on the deployment group's failure metric to notify the on-call engineer via Amazon SNS
AnswerA

Provides both automatic rollback on alarm and failure, and alerting on rollback failure.

Why this answer

Option C is correct because enabling automatic rollback on alarm in CodeDeploy will trigger a rollback when the CloudWatch alarm is in ALARM state. Additionally, enabling automatic rollback on deployment failure ensures that if the rollback itself fails, the deployment group status will indicate failure, and a CloudWatch alarm can be set on the deployment group's failure metric to alert the on-call engineer. Option A is wrong because it does not address rollback on alarm.

Option B is wrong because a manual approval step would require human intervention. Option D is wrong because SNS notification alone does not perform the rollback.

490
MCQhard

A company runs a containerized application on Amazon ECS Fargate. The DevOps team wants to collect custom application metrics (e.g., request count, error rate) and send them to Amazon CloudWatch. The team wants to minimize changes to the application code. Which solution should be used?

A.Have the application call the CloudWatch PutMetricData API directly.
B.Run the CloudWatch agent as a sidecar container in the ECS task definition, configured to collect StatsD metrics from the application container.
C.Use the ECS agent's built-in metric collection feature.
D.Modify the application to send logs using the embedded metric format.
AnswerB

Correct: The CloudWatch agent can collect StatsD metrics without code changes.

Why this answer

Option B is correct because the CloudWatch agent can run as a sidecar container in the same ECS task definition and listen for StatsD metrics (over UDP port 8125) from the application container. This approach requires zero changes to the application code—the application simply emits StatsD-formatted metrics, and the CloudWatch agent forwards them to CloudWatch via the PutMetricData API. It minimizes operational overhead while enabling custom metric collection from containerized workloads on Fargate.

Exam trap

The trap here is that candidates often assume the ECS agent or CloudWatch agent must be installed on the host, but in Fargate, the sidecar pattern is the only way to run the CloudWatch agent without modifying the application code.

How to eliminate wrong answers

Option A is wrong because it requires modifying the application code to call the CloudWatch PutMetricData API directly, which contradicts the requirement to minimize code changes. Option C is wrong because the ECS agent's built-in metric collection feature only gathers infrastructure-level metrics (CPU, memory, network) for the task, not custom application metrics like request count or error rate. Option D is wrong because it requires modifying the application to emit logs in the embedded metric format and then configuring a log subscription filter to extract metrics, which still involves code changes and adds complexity compared to the sidecar approach.

491
Multi-Selectmedium

A company runs a stateful web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The application stores session data in local instance memory. To improve resiliency, the company wants to make the application stateless and distribute the load across multiple Availability Zones. Which THREE actions should the company take? (Choose three.)

Select 3 answers
A.Enable sticky sessions (session affinity) on the ALB.
B.Replace the ALB with a Network Load Balancer (NLB) to improve performance.
C.Configure the ALB to distribute traffic across EC2 instances in multiple Availability Zones.
D.Implement an Amazon ElastiCache cluster to store session data externally.
E.Use Amazon DynamoDB to store session state.
AnswersC, D, E

Provides high availability and fault tolerance.

Why this answer

Option A is correct because ElastiCache provides a centralized, highly available session store. Option B is correct because using an ALB with multiple AZs distributes traffic and provides high availability. Option D is correct because DynamoDB is a fully managed, durable session store.

Option C is wrong because sticky sessions (session affinity) are used to route requests to the same instance, which is not ideal for stateless architecture. Option E is wrong because an NLB operates at layer 4 and does not support path-based routing or session management for HTTP applications as effectively as an ALB.

492
MCQhard

A company has a stateless web application on EC2 instances behind an ALB. They want to ensure that if an entire Availability Zone fails, the application remains available with minimal impact. Which architecture best meets this requirement?

A.Use a global secondary index in DynamoDB to replicate data across regions
B.Deploy EC2 instances in two AZs but use a single-AZ ALB
C.Deploy the application in two AZs with an Auto Scaling group and an ALB that is enabled for multiple AZs
D.Deploy the application in a single AZ with an Auto Scaling group that launches instances in the same AZ
AnswerC

Multi-AZ ALB and Auto Scaling provide resilience.

Why this answer

Using Auto Scaling with multiple AZs and a multi-AZ ALB ensures that if one AZ fails, the ALB routes traffic to healthy instances in other AZs. Option A is wrong because a single AZ is a single point of failure. Option B is wrong because ALB does not automatically shift traffic to another region without Route53.

Option D is wrong because spreading instances across AZs but using a single-AZ ALB still risks ALB failure.

493
MCQeasy

A DevOps team uses Ansible for configuration management of EC2 instances. They want to ensure that the Ansible control node can connect to managed nodes securely without storing SSH keys in plaintext. Which AWS service should they integrate with Ansible to securely manage SSH keys?

A.AWS KMS to encrypt the SSH keys at rest.
B.AWS Secrets Manager to store the SSH private keys and retrieve them dynamically.
C.AWS IAM roles to grant Ansible access to the instances.
D.AWS Systems Manager Parameter Store to store the keys.
AnswerB

Secrets Manager stores secrets securely and supports automatic retrieval.

Why this answer

Option B is correct because AWS Secrets Manager can store SSH private keys securely and Ansible can retrieve them via API. Option A is wrong because AWS KMS is for encryption keys, not for storing secrets directly. Option C is wrong because IAM roles are for permissions, not storing keys.

Option D is wrong because Systems Manager Parameter Store can store secrets but is less feature-rich for secret rotation.

494
MCQhard

A company runs a critical application on a fleet of EC2 instances managed by an Auto Scaling group. The application generates logs that are sent to CloudWatch Logs using the CloudWatch agent. Recently, the operations team noticed that some instances are missing logs for certain periods. The CloudWatch agent is configured to batch log events and send them every 5 seconds. The instances have high CPU utilization (90%+) during the missing periods. The DevOps engineer suspects that the agent is being throttled or failing. Which of the following is the MOST likely cause and the BEST course of action?

A.The network bandwidth is saturated, causing log delivery to fail. Increase instance network performance.
B.The CloudWatch Logs retention policy is set to 1 day, so older logs are deleted. Increase retention.
C.The CloudWatch agent is being starved of CPU resources, causing it to drop logs. Increase the CPU credits or instance size.
D.The instances are running out of disk space, preventing log buffering. Add more EBS volume space.
AnswerC

High CPU can prevent the agent from processing log batches in time.

Why this answer

Option A is correct because high CPU utilization can cause the CloudWatch agent to miss its scheduled batch upload, leading to log loss. Option B is wrong because disk space issues would cause different symptoms (disk full errors). Option C is wrong because the log group retention does not cause missing logs.

Option D is wrong because network bandwidth, while possible, is less likely than CPU starvation given the high CPU utilization.

495
MCQmedium

A security audit reveals that an IAM user has long-term access keys that have not been rotated in over 90 days. What is the most secure way to enforce key rotation?

A.Use an AWS Lambda function to automatically rotate keys.
B.Manually rotate keys every 90 days.
C.Use IAM roles instead of long-term access keys.
D.Delete the user and create a new one.
AnswerC

IAM roles provide temporary credentials that do not require rotation.

Why this answer

Option C is correct because the most secure way to eliminate the risk of long-term access key compromise is to avoid using them altogether. IAM roles provide temporary security credentials via AWS Security Token Service (STS), which automatically expire (default 1 hour, max 12 hours) and are rotated transparently by the AWS SDK or CLI. This removes the need for manual or automated key rotation, aligning with the AWS Well-Architected Framework's principle of using temporary credentials.

Exam trap

The trap here is that candidates focus on 'rotation' as a process (automated or manual) rather than recognizing that the most secure solution is to eliminate the need for rotation entirely by using IAM roles with temporary credentials.

How to eliminate wrong answers

Option A is wrong because while a Lambda function can automate key rotation, it still relies on long-term access keys (the user still exists with keys that must be rotated), and implementing such a solution introduces complexity, potential security gaps (e.g., Lambda execution role permissions), and does not eliminate the fundamental risk of long-term credentials. Option B is wrong because manual rotation every 90 days is error-prone, relies on human compliance, and does not address the underlying security issue that long-term keys can be exfiltrated and used for extended periods before detection. Option D is wrong because deleting and recreating the user does not solve the problem—the new user would still have long-term access keys that require rotation, and this approach disrupts workflows without addressing the root cause.

496
MCQhard

A DevOps engineer is designing a CI/CD pipeline for a microservices architecture on AWS. They want to use AWS CodeDeploy to deploy applications to an Auto Scaling group. The pipeline must ensure that only a small percentage of instances are updated at a time, and if health checks fail, the deployment is automatically rolled back. Which deployment configuration should be used?

A.Blue/green deployment with a fixed number of instances.
B.In-place deployment with 'CodeDeployDefault.AllAtOnce' configuration.
C.In-place deployment with 'CodeDeployDefault.HalfAtATime' configuration.
D.In-place deployment with 'CodeDeployDefault.OneAtATime' configuration and automatic rollback enabled.
AnswerD

OneAtATime updates one instance at a time; automatic rollback reverts if health checks fail.

Why this answer

The 'CodeDeployDefault.OneAtATime' configuration deploys to one instance at a time, minimizing impact. Combined with automatic rollback on health check failure, this meets the requirement. Option C is correct.

Options A, B, and D either deploy too many instances at once or do not provide rollback.

497
Multi-Selectmedium

A company is designing a multi-region disaster recovery strategy for a stateless web application. They want to minimize RTO and RPO. Which TWO of the following should they implement? (Choose TWO.)

Select 2 answers
A.Use cross-region replication for data stores.
B.Use a passive standby in a single Availability Zone.
C.Perform periodic backups and restore in the DR region.
D.Configure cross-region read replicas for the database.
E.Deploy an active-active workload using Route 53 weighted routing.
AnswersA, E

Cross-region replication keeps data synchronized, reducing RPO.

Why this answer

Options A and D are correct. Active-active with Route 53 weighted records provides immediate failover with minimal RTO. Cross-region replication of data keeps the data in sync, reducing RPO.

Option B is incorrect because standby in a single AZ does not help for regional failures. Option C is incorrect because backup and restore has high RTO/RPO. Option E is incorrect because read replicas are for read scaling, not DR.

498
Multi-Selecthard

A DevOps engineer needs to set up a monitoring solution for an application running on Amazon EKS. The application emits custom metrics that need to be stored in Amazon CloudWatch and visualized on a dashboard. Which THREE steps should the engineer take? (Choose THREE.)

Select 3 answers
A.Configure the CloudWatch agent to emit custom metrics to CloudWatch.
B.Use CloudWatch Logs Insights to analyze the custom metrics.
C.Create a CloudWatch dashboard to visualize the collected metrics.
D.Install the CloudWatch agent on the EKS cluster using a DaemonSet.
E.Use Amazon Managed Service for Prometheus to scrape the metrics.
AnswersA, C, D

The agent must be configured to send custom metrics.

Why this answer

Option A is correct because the CloudWatch agent can be configured to emit custom application metrics to Amazon CloudWatch, which is the required destination for storing the metrics. The agent uses the CloudWatch PutMetricData API to send these metrics, enabling centralized monitoring and alerting within CloudWatch.

Exam trap

The trap here is that candidates may confuse CloudWatch Logs Insights (for logs) with CloudWatch Metrics (for numeric data), or assume Amazon Managed Service for Prometheus is a direct replacement for CloudWatch metrics, when the question specifically requires storing custom metrics in CloudWatch.

499
MCQhard

An administrator attaches the IAM policy shown in the exhibit to an IAM user. What is the effect on the user's ability to launch an EC2 instance in eu-west-1?

A.The user is allowed because the request region matches the condition exception.
B.The user is denied from launching instances in eu-west-1.
C.The user is allowed because the policy does not explicitly deny.
D.The user is allowed only if they also have an explicit allow policy.
AnswerA

The deny does not apply to eu-west-1.

Why this answer

Option D is correct because the policy denies all EC2 actions when the requested region is NOT us-east-1 or eu-west-1. Since the requested region is eu-west-1, the condition is not met, so the deny does not apply. By default, actions are allowed if not explicitly denied.

Option A is wrong because the deny only applies when the region is not in the list. Option B is wrong because the policy does not explicitly allow. Option C is wrong because there is no explicit allow, but the default allow applies.

500
MCQhard

A DevOps engineer creates a CloudFormation stack with the above template. After creation, they want to update the Lambda function code by uploading a new zip file to the S3 bucket and updating the S3Key property. However, the stack update fails because the Lambda function is published as a version and the alias points to that version. What is the most likely reason for the update failure?

A.The AWS::Lambda::Version resource is immutable and cannot be updated.
B.The alias must be deleted before updating the function code.
C.The IAM role does not have permission to update the function.
D.The function code cannot be updated because the S3 bucket is in a different region.
AnswerA

Versions are immutable; CloudFormation cannot update them.

Why this answer

Option A is correct. When you update a Lambda function's code, CloudFormation updates the $LATEST version. However, if you have created a version (AWS::Lambda::Version) and an alias pointing to that version, the alias does not automatically point to the new version.

CloudFormation tries to update the function code, but the version resource is immutable; once created, it cannot be updated. The update will fail because CloudFormation cannot modify the existing version. Option B is wrong because the alias does not need to be recreated, but the version does.

Option C is wrong because the function code can be updated, but the version resource blocks it. Option D is wrong because the IAM role is not the issue.

501
MCQhard

A DevOps engineer is troubleshooting a CloudFormation stack that is in UPDATE_ROLLBACK_FAILED state. The stack attempted to update an Auto Scaling group but failed due to insufficient capacity in the Availability Zone. What is the recommended next step?

A.Execute a new stack update with the same template
B.Manually increase the Auto Scaling group capacity in the affected AZ
C.Use the ContinueUpdateRollback operation to skip the resources that failed
D.Delete the Auto Scaling group and recreate it
AnswerC

This allows you to resume the rollback and skip the resources that caused the failure.

Why this answer

When a stack is in UPDATE_ROLLBACK_FAILED, you can continue the rollback by using the 'ContinueUpdateRollback' API or by deleting the stack. Option D is correct. Option A is incorrect because continuing the rollback will not fix the underlying capacity issue.

Option B is incorrect because you cannot update the stack while it is in a failed rollback state. Option C is incorrect because you should not manually fix the resource while the stack is in this state.

502
Multi-Selecthard

An organization uses AWS CodeDeploy to deploy a web application to an Auto Scaling group. The deployment strategy is 'Blue/Green'. After a successful deployment, traffic is routed to the new instances. However, the application experiences errors because the new instances cannot connect to the database. Which TWO configuration changes could resolve this issue?

Select 2 answers
A.Update the security group of the new instances to allow outbound traffic to the database security group.
B.Modify the CodeDeploy deployment group to include the database security group.
C.Configure the database to use a DNS name that resolves to the new instances after the deployment.
D.Increase the number of instances in the Auto Scaling group.
E.Reinstall the CodeDeploy agent on the new instances.
AnswersA, C

The new instances likely have different security groups that are not permitted to access the database.

Why this answer

Option B is correct because the new instances need proper security group rules to access the database. Option D is correct because if the database uses an internal DNS that resolves to old instances, updating it ensures connectivity. Option A is wrong because increasing instance count does not fix connectivity.

Option C is wrong because CodeDeploy agent does not affect network connectivity. Option E is wrong because the deployment group is already configured; the issue is network.

503
MCQeasy

A company wants to design a resilient architecture for a web application using AWS services. Which of the following is a best practice for improving resilience?

A.Deploy EC2 instances in multiple Availability Zones.
B.Use an Auto Scaling group in a single AZ.
C.Use a single AZ with RDS Multi-AZ.
D.Use one large EC2 instance to handle all traffic.
AnswerA

Multi-AZ deployment prevents single AZ failures from impacting availability.

Why this answer

Option A is correct because deploying across multiple Availability Zones ensures that if one AZ fails, the application remains available. Option B is incorrect because a single EC2 instance in one AZ is not resilient. Option C is incorrect because a single AZ with RDS Multi-AZ still has a single point of failure at the AZ level.

Option D is incorrect because Auto Scaling in one AZ is still vulnerable to AZ failure.

504
Multi-Selectmedium

A company uses AWS CloudFormation StackSets to deploy a common network infrastructure across multiple AWS accounts. They need to ensure that all StackSet operations are audited and any failed stack instances are automatically retried. Which THREE configurations should be implemented? (Select THREE.)

Select 3 answers
A.Enable automatic rollback on failure.
B.Configure Amazon SNS notifications for StackSet events.
C.Use AWS Config rules to monitor StackSet compliance.
D.Set the 'Retry on failure' option in StackSet operation preferences.
E.Enable AWS CloudTrail to log StackSet API calls.
AnswersB, D, E

SNS can notify administrators of failures so they can take action.

Why this answer

Option A is correct because enabling StackSet operation preferences includes retry on failure. Option C is correct because AWS CloudTrail logs all StackSet API calls for auditing. Option D is correct because SNS notifications can alert on failures.

Option B is incorrect because automatic rollback on failure is an option, but the question asks for retry, not rollback. Option E is not needed for auditing/retry.

505
Multi-Selectmedium

Which TWO AWS services can be used as sources in an AWS CodePipeline? (Choose two.)

Select 2 answers
A.AWS Lambda
B.AWS CodeCommit
C.AWS CloudFormation
D.Amazon S3
E.AWS CodeBuild
AnswersB, D

CodeCommit is a source provider.

Why this answer

CodePipeline supports Amazon S3 and AWS CodeCommit as source providers. AWS CodeBuild is a build provider, not a source. AWS CloudFormation is a deploy provider.

AWS Lambda can be used as a custom action but not as a built-in source.

506
MCQmedium

A company runs a microservices application on Amazon ECS with Fargate launch type. The application experiences intermittent failures when calling an external API. The errors are transient and usually resolve within a few seconds. How should the company improve resilience?

A.Increase the timeout of the external API call to 60 seconds.
B.Implement retry logic with exponential backoff in the application code.
C.Increase the number of tasks in the ECS service to handle failures.
D.Use an Amazon SQS queue to decouple the API call from the application.
AnswerB

Retries with backoff are best practice for transient failures.

Why this answer

Option B is correct because implementing retry logic with exponential backoff handles transient failures gracefully. Option A is wrong because scaling up may not help with API failures. Option C is wrong because increasing timeouts could worsen latency.

Option D is wrong because async processing adds complexity and does not directly address API failures.

507
Multi-Selecthard

A DevOps team is troubleshooting an application that occasionally throws 'Connection reset by peer' errors when connecting to an RDS MySQL instance. The errors are intermittent and seem to correlate with high traffic. Which TWO steps should the team take to diagnose the issue?

Select 2 answers
A.Check the RDS error log for messages about connection timeouts or aborted connections.
B.Increase the max_connections parameter in the DB parameter group.
C.Enable Multi-AZ deployment to provide a standby instance.
D.Enable Performance Insights to analyze database load and find bottlenecks.
E.Review the security group rules to ensure the application can connect.
AnswersA, D

Error logs can show why connections are being reset.

Why this answer

Option B is correct because RDS performance insights can show database load and identify if connections are being dropped. Option E is correct because checking the RDS error log can reveal connection-related errors. Option A is wrong because increasing max_connections may not help if the issue is resource contention.

Option C is wrong because enabling Multi-AZ does not fix connection resets. Option D is wrong because security group changes are unlikely to be the cause of intermittent resets.

508
MCQeasy

A DevOps engineer needs to rotate database credentials stored in AWS Secrets Manager automatically every 30 days. What is the simplest way to achieve this?

A.Enable automatic rotation in Secrets Manager with a rotation interval of 30 days.
B.Store the credentials in Systems Manager Parameter Store and use a scheduled automation to update them.
C.Create a CloudWatch Events rule that triggers a Lambda function to rotate the secret.
D.Write a custom Lambda function that rotates the secret and schedule it with CloudWatch Events.
AnswerA

Secrets Manager supports automatic rotation for supported services.

Why this answer

Option A is correct because Secrets Manager has built-in automatic rotation with customizable rotation intervals. Option B is wrong because Lambda functions are used for custom rotation, not automatic. Option C is wrong because Parameter Store does not support automatic rotation.

Option D is wrong because CloudWatch Events can trigger rotation but the simplest way is to use Secrets Manager's built-in feature.

509
MCQmedium

An IAM policy is attached to a user who needs to manually start a CodePipeline execution. The pipeline uses an S3 bucket named 'my-artifact-bucket' for artifacts. The user reports that they cannot start the pipeline. Which action is missing from the policy?

A.iam:PassRole
B.codepipeline:ListPipelines
C.codepipeline:GetPipelineExecution
D.s3:PutObject
AnswerB

The user likely needs to list pipelines in the console to find the pipeline.

Why this answer

The user needs to manually start a CodePipeline execution, which requires the `codepipeline:StartPipelineExecution` action. However, the question asks which action is missing from the policy, and the correct answer is `codepipeline:ListPipelines` because the user cannot even see the pipeline to start it. Without `codepipeline:ListPipelines`, the AWS Management Console or CLI will not return the pipeline in the list, preventing the user from selecting it to start execution.

The other actions are either not directly required for starting a pipeline or are unrelated to the permission needed to list pipelines.

Exam trap

The trap here is that candidates often focus on the action needed to start the pipeline (`StartPipelineExecution`) and overlook the prerequisite `ListPipelines` action, which is required to discover the pipeline in the first place.

How to eliminate wrong answers

Option A is wrong because `iam:PassRole` is needed when a service (like CodePipeline) needs to assume a role to access resources, but the user is manually starting the pipeline, not configuring it; the pipeline already has its role assigned. Option C is wrong because `codepipeline:GetPipelineExecution` is used to retrieve details about a specific execution, not to list or start pipelines. Option D is wrong because `s3:PutObject` is required for the pipeline to write artifacts to the S3 bucket, but the user is only starting the pipeline, not uploading artifacts directly.

510
MCQeasy

A DevOps engineer needs to securely store database credentials for an application running on Amazon ECS. Which AWS service should be used to manage the credentials and provide them to the ECS tasks?

A.AWS Secrets Manager
B.Amazon S3 with server-side encryption
C.AWS Systems Manager
D.AWS Systems Manager Parameter Store
AnswerA

Secrets Manager provides secure storage, automatic rotation, and fine-grained access control for secrets.

Why this answer

Option C is correct because AWS Secrets Manager is designed to securely store and rotate secrets, and can be integrated with ECS via task roles. Option A is wrong because Parameter Store can store parameters but is not as focused on secrets management. Option B is wrong because Systems Manager is broader and not specifically for secrets.

Option D is wrong because S3 is not secure for storing secrets without encryption and access control.

511
MCQmedium

A company runs a critical web application on EC2 instances behind an Application Load Balancer (ALB). The application stores session state in an Amazon DynamoDB table. During a recent traffic spike, users experienced session timeouts and the application became unavailable. Which design change would BEST improve resilience?

A.Move session state to Amazon ElastiCache for Redis with cluster mode disabled.
B.Enable DynamoDB global tables or use a Multi-AZ deployment for the table.
C.Add a read replica to the DynamoDB table.
D.Increase the EC2 instance sizes to handle more traffic.
AnswerB

Multi-AZ provides automatic failover and high availability for session data.

Why this answer

Option C is correct because using a Multi-AZ deployment for DynamoDB provides automatic failover and higher availability. Option A is wrong because increasing instance size does not address session state persistence. Option B is wrong because read replicas do not improve write availability.

Option D is wrong because ElastiCache for Redis is not as resilient as DynamoDB Multi-AZ for session state.

512
MCQmedium

A company uses AWS Lambda to process messages from an Amazon SQS queue. The Lambda function occasionally times out after 15 seconds. To improve resilience, the team wants to ensure messages are not lost and are retried. Which configuration is MOST appropriate?

A.Reduce the Lambda timeout to 5 seconds to fail fast and retry quickly.
B.Set the SQS queue visibility timeout to less than the Lambda timeout.
C.Increase the batch size and remove the DLQ to speed up processing.
D.Increase the Lambda timeout to 30 seconds and configure a dead-letter queue (DLQ) for the SQS queue.
AnswerD

Longer timeout accommodates processing, DLQ captures failures for later analysis.

Why this answer

Option B is correct because increasing the visibility timeout to allow Lambda to process and leveraging dead-letter queue for failed messages ensures no messages are lost. Option A is wrong because reducing timeout worsens the issue. Option C is wrong because removing the DLQ loses failed messages.

Option D is wrong because batching does not help with timeout.

513
MCQmedium

A DevOps engineer wants to use AWS CodeDeploy to deploy an application to an Auto Scaling group. The deployment must ensure that only a certain percentage of instances are taken out of service at a time. Which deployment configuration supports this requirement?

A.CodeDeployDefault.OneAtATime
B.CodeDeployDefault.LambdaCanary10Percent5Minutes
C.CodeDeployDefault.AllAtOnce
D.CodeDeployDefault.LambdaLinear10PercentEvery1Minute
AnswerA

Takes out one instance at a time.

Why this answer

CodeDeployDefault.OneAtATime is the correct deployment configuration because it ensures that only one instance in the Auto Scaling group is taken out of service at a time, which directly satisfies the requirement of limiting the percentage of instances removed during deployment. This configuration is designed for EC2/On-Premises deployments and uses a fixed number of instances (one) rather than a percentage, making it ideal for gradual, safe rollouts.

Exam trap

The trap here is that candidates often confuse deployment configurations designed for Lambda functions (like Canary and Linear) with those for EC2/On-Premises, or they mistakenly think AllAtOnce limits the percentage of instances taken out of service, when in fact it takes all instances out at once.

How to eliminate wrong answers

Option B is wrong because CodeDeployDefault.LambdaCanary10Percent5Minutes is a deployment configuration for AWS Lambda functions, not for EC2/On-Premises deployments to an Auto Scaling group; it shifts 10% of traffic to the new version and then waits 5 minutes before shifting the remaining 90%. Option C is wrong because CodeDeployDefault.AllAtOnce deploys to all instances simultaneously, which would take all instances out of service at once, violating the requirement to limit the percentage removed at a time. Option D is wrong because CodeDeployDefault.LambdaLinear10PercentEvery1Minute is also a Lambda-specific configuration that increments traffic by 10% every minute, and it does not apply to EC2/On-Premises deployments with Auto Scaling groups.

514
MCQeasy

A company is running a critical application on Amazon RDS for PostgreSQL. The DevOps team needs to set up monitoring to detect when database connections exceed 80% of the maximum connections for more than 5 minutes. Which CloudWatch metric should be used to create an alarm?

A.DatabaseConnections
B.FreeableMemory
C.CPUUtilization
D.DiskQueueDepth
AnswerA

The DatabaseConnections metric directly provides the number of current connections, which can be compared to the maximum connections to determine threshold breaches.

Why this answer

Option A is correct because the DatabaseConnections metric shows the number of connections to the DB instance. Option B is wrong because CPUUtilization measures CPU usage, not connections. Option C is wrong because FreeableMemory measures available memory.

Option D is wrong because DiskQueueDepth measures disk I/O.

515
MCQeasy

A company uses Amazon RDS for MySQL with Multi-AZ deployment. The application experiences increased latency during peak hours. The DevOps engineer investigates and notices that the Read Replicas are not being utilized effectively. The application is configured to use the primary database endpoint. The engineer wants to offload read traffic to the Read Replicas without changing the application code. What is the BEST solution?

A.Increase the instance size of the primary database to handle the load.
B.Modify the application to use separate endpoints for read and write operations.
C.Create a new Multi-AZ cluster with a read-only endpoint.
D.Configure Amazon RDS Proxy in front of the database and enable read/write splitting.
AnswerD

RDS Proxy can automatically route read queries to Read Replicas.

Why this answer

Option A is correct because Amazon RDS Proxy provides connection pooling and can direct read/write traffic appropriately. Option B is wrong because it requires code changes. Option C is wrong because there is no such thing as a read-only endpoint for a Multi-AZ cluster.

Option D is wrong because it does not offload read traffic.

516
MCQhard

A company runs a critical batch processing workload on Amazon EMR that must complete within a 2-hour window each night. The workload is fault-tolerant but must be resilient to instance failures. Currently, the EMR cluster uses instance fleets with Spot Instances. Recently, Spot Instance interruptions caused the cluster to take over 3 hours to complete. Which change will MOST effectively ensure the workload completes within the 2-hour window despite Spot interruptions?

A.Increase the number of core nodes to 20 to improve parallelism.
B.Switch to using On-Demand instances for all nodes.
C.Use a mixed instances policy that includes multiple instance types across different Availability Zones.
D.Configure the cluster to terminate idle nodes after 5 minutes to reduce costs.
AnswerC

Diversified instance types reduce the chance of simultaneous interruptions.

Why this answer

Option C is correct because a mixed instances policy across multiple Availability Zones increases the diversity of Spot capacity pools. When one instance type or zone experiences interruptions, the cluster can fall back to other pools, reducing the likelihood of prolonged delays. This approach directly addresses Spot interruption risk without sacrificing cost efficiency, as On-Demand instances would.

Exam trap

The trap here is that candidates may assume increasing parallelism (Option A) or using On-Demand instances (Option B) are the only ways to handle Spot interruptions, overlooking the cost-effective and resilient design of mixed instances across zones.

How to eliminate wrong answers

Option A is wrong because simply increasing core nodes to 20 does not mitigate Spot interruptions; it only adds parallelism, which may not help if all nodes are interrupted simultaneously. Option B is wrong because switching entirely to On-Demand instances eliminates Spot interruption risk but significantly increases cost, which is not the most effective solution given the fault-tolerant nature of the workload. Option D is wrong because terminating idle nodes after 5 minutes reduces cost but does not address the root cause of Spot interruptions causing delays; it may even worsen performance by removing nodes that could be reused.

517
MCQhard

Refer to the exhibit. An S3 bucket policy is configured as shown. A user from IP 192.0.2.10 is unable to download an object from the bucket. What is the most likely cause?

A.The bucket policy requires HTTPS, but the user is using HTTP.
B.The policy does not allow s3:ListBucket, so the user cannot list objects.
C.The bucket policy does not allow s3:GetObjectVersion.
D.The IP address is not in the allowed range.
AnswerB

Without ListBucket, the user cannot see the objects to download them via the console.

Why this answer

The bucket policy does not grant the s3:ListBucket action, so the user cannot list objects. The GetObject action allows reading a specific object if the key is known, but the user might be trying to list first, or the bucket is not public. However, the most common issue is that the user needs s3:ListBucket to navigate.

Option B is correct.

518
MCQmedium

Your company runs a multi-tier web application on AWS. The application consists of an Application Load Balancer (ALB) that distributes traffic to a fleet of Amazon EC2 instances running a web server. The web servers write access logs to a shared Amazon EFS filesystem. The operations team needs to monitor the web server logs in real-time to detect and alert on 5xx error spikes. Currently, the team manually SSHes into instances to tail logs, which is inefficient and doesn't provide real-time alerting. The team wants a centralized, near-real-time logging solution with minimal operational overhead. They have asked you to design a solution that ingests logs from the EFS filesystem into a centralized log analytics platform. Which solution would you recommend?

A.Enable AWS CloudTrail data events for the EC2 instances to capture log file modifications.
B.Configure an Amazon EventBridge scheduled rule to invoke an AWS Lambda function that reads new log lines from EFS and publishes them to Amazon CloudWatch Logs.
C.Stream the log files to Amazon Kinesis Data Streams using a custom producer, then use a Lambda function to analyze and alert on 5xx errors.
D.Install and configure the Amazon CloudWatch Logs agent on each EC2 instance to tail the log files from the EFS mount and send them to CloudWatch Logs. Create a metric filter and alarm for 5xx errors.
AnswerD

The CloudWatch agent provides near-real-time log ingestion and built-in support for metric filters and alarms.

Why this answer

Option D is correct because installing the CloudWatch Logs agent on each EC2 instance allows it to tail the log files from the shared EFS mount point and stream them to CloudWatch Logs in near real-time. This provides centralized log ingestion with minimal operational overhead, and you can create a metric filter and alarm to detect and alert on 5xx error spikes without manual SSH access.

Exam trap

The trap here is that candidates may overcomplicate the solution by choosing Kinesis or Lambda-based approaches (Options B and C) when a simple agent-based solution (Option D) is sufficient, or they may confuse CloudTrail data events (Option A) with log file monitoring, not realizing CloudTrail captures API activity, not file content changes.

How to eliminate wrong answers

Option A is wrong because CloudTrail data events for EC2 instances capture API calls (e.g., RunInstances, TerminateInstances), not log file modifications on EFS; they cannot ingest or analyze web server log content. Option B is wrong because an EventBridge scheduled rule with a Lambda function that reads new log lines from EFS would introduce latency (scheduled intervals) and complexity in tracking file offsets, making it unsuitable for near-real-time monitoring. Option C is wrong because streaming logs to Kinesis Data Streams requires a custom producer to be deployed and managed, adding significant operational overhead compared to the agent-based approach, and it does not directly integrate with CloudWatch Logs for metric filtering and alerting without additional Lambda processing.

519
MCQmedium

A company needs to store audit logs for 7 years to meet compliance requirements. Which S3 storage class is the most cost-effective for long-term archival?

A.S3 Glacier Deep Archive
B.S3 Intelligent-Tiering
C.S3 Standard
D.S3 Glacier Flexible Retrieval
AnswerA

Deep Archive is the lowest-cost storage class for long-term retention.

Why this answer

S3 Glacier Deep Archive is the lowest-cost storage class for long-term archival. Option D is correct.

520
MCQeasy

A company wants to centralize logging of all API calls made within their AWS account for auditing. Which service should they use?

A.Amazon S3 access logs
B.AWS CloudTrail
C.VPC Flow Logs
D.Amazon CloudWatch Logs
AnswerB

Records all API calls for auditing and compliance.

Why this answer

Option B is correct because AWS CloudTrail records API calls for auditing. Option A is wrong because CloudWatch Logs is for log storage, not API call recording. Option C is wrong because VPC Flow Logs capture network traffic, not API calls.

Option D is wrong because S3 is storage, not a logging service.

521
MCQmedium

A company is using AWS KMS to encrypt data at rest in Amazon S3. The Security team requires that all encryption keys be automatically rotated annually. Which key type should be used to meet this requirement?

A.Asymmetric KMS key
B.AWS managed symmetric key
C.Customer managed symmetric key
D.Custom key store backed by AWS CloudHSM
AnswerB

AWS managed keys are automatically rotated every year, meeting the requirement without additional configuration.

Why this answer

AWS managed KMS keys (AWS managed keys) are automatically rotated every year. Customer managed keys require manual rotation or key rotation configuration. AWS managed keys are used for services like S3, EBS, and RDS.

522
Multi-Selectmedium

A DevOps engineer is designing a CI/CD pipeline for a microservices architecture. The pipeline must ensure that only code that passes security scanning can proceed to deployment. Which TWO actions should the engineer take? (Choose TWO.)

Select 2 answers
A.Use Amazon CloudWatch Events to trigger a rollback if vulnerabilities are found after deployment.
B.Add a security scanning stage in the pipeline after the build stage and before the deploy stage.
C.Use AWS CodeDeploy to perform security scanning during deployment.
D.Configure the pipeline to run security scanning only in the deploy stage.
E.Configure the pipeline to fail if the security scanning stage returns a non-zero exit code.
AnswersB, E

Gates deployment after security scan.

Why this answer

A and D are correct. A: Adding a security scanning stage in CodePipeline ensures scanning before deployment. D: Failing the pipeline if the scanning stage fails is standard practice.

B is incorrect because scanning after deployment defeats the purpose. C is incorrect because CodeDeploy does not perform scanning. E is incorrect because CloudWatch Events do not gate the pipeline.

523
MCQeasy

A company uses Amazon CloudFront to serve static content from an S3 bucket. Users report that they see outdated content even after the engineer invalidated the CloudFront cache. What is the MOST likely reason?

A.The origin is an Application Load Balancer that returns stale content.
B.The invalidation has not propagated to all edge locations.
C.The S3 bucket policy does not allow CloudFront to access the updated objects.
D.The CloudFront distribution has a default TTL of 86400 seconds set.
AnswerB

Invalidations take time to propagate globally.

Why this answer

Option B is correct because by default, CloudFront does not invalidate objects in edge locations immediately; invalidation requests can take minutes to complete. Also, users may be hitting a different edge location that still has cached content. Option A is wrong because S3 bucket policies do not affect cache.

Option C is wrong because TTL settings affect how long content is cached, but invalidation should override that. Option D is wrong because the origin is S3, not an ALB.

524
MCQhard

A company uses AWS Config to evaluate compliance of their AWS resources. They have a custom rule that checks whether EC2 instances have a specific tag. They notice that the rule is not triggering on existing instances. What is a possible reason?

A.The rule is not configured with a trigger type of 'Configuration changes' or 'Periodic'
B.AWS Config does not support custom rules
C.The Lambda function does not have permission to describe EC2 instances
D.The EC2 instances are not in the resource types being recorded by AWS Config
AnswerA

Without a trigger, the rule will not evaluate any resources.

Why this answer

AWS Config custom rules evaluate resources only when they are created or changed, or during periodic evaluations. If the rule is not configured for periodic evaluation, it won't check existing resources until a change occurs. Option C is correct.

Option A is incorrect because permissions are needed for the rule to invoke the Lambda function, but if it's not triggering at all, it's not a permission issue. Option B is incorrect because AWS Config supports custom rules with Lambda. Option D is incorrect because resource types must be recorded, but that is usually set up initially.

525
MCQeasy

A company runs a critical web application on EC2 instances behind an Application Load Balancer. To improve resilience, they want to automatically replace unhealthy instances. Which AWS feature should they use?

A.Auto Scaling group with ELB health checks
B.CloudWatch alarm that terminates the instance
C.AWS Lambda function that checks health and launches new instances
D.Elastic Load Balancer health checks
AnswerA

Auto Scaling groups automatically replace instances that fail health checks.

Why this answer

Auto Scaling groups with health checks automatically replace unhealthy instances. Option A is wrong because ELB health checks only mark instances unhealthy; replacement requires Auto Scaling. Option C is wrong because CloudWatch alarms trigger actions but not instance replacement.

Option D is wrong because Lambda can invoke API calls but is not the native mechanism.

Page 6

Page 7 of 24

Page 8