CCNA Configuration Management and IaC Questions

75 of 281 questions · Page 3/4 · Configuration Management and IaC · Answers revealed

151
Multi-Selecthard

A company uses AWS Elastic Beanstalk to deploy a web application. The application experiences high traffic during business hours and low traffic at night. The company wants to configure automatic scaling based on CPU utilization. Which THREE steps are required to achieve this? (Select THREE.)

Select 3 answers
A.Create a CloudWatch alarm that triggers a scaling policy.
B.Set the minimum and maximum number of instances for the auto scaling group.
C.Configure the load balancer health check interval.
D.Set the scale-up and scale-down cooldown periods.
E.Define a scaling trigger based on average CPU utilization.
AnswersB, D, E

Defines the capacity range.

Why this answer

Option B is correct because Elastic Beanstalk uses Auto Scaling groups to manage the EC2 instances for the application. Setting the minimum and maximum number of instances defines the boundaries within which the Auto Scaling group can scale, ensuring the application can handle high traffic during business hours and scale down during low traffic at night.

Exam trap

The trap here is that candidates often think creating a CloudWatch alarm manually is required, but Elastic Beanstalk handles this automatically when you define the scaling trigger, making Option A an unnecessary step.

152
MCQhard

A DevOps engineer is troubleshooting an AWS CodeDeploy deployment that fails during the 'BeforeInstall' lifecycle event. The deployment group uses an in-place deployment to an Auto Scaling group. The engineer reviews the logs on the instance and sees that the 'BeforeInstall' script exits with code 1. The script is a shell script that compiles application code. What is the most likely cause of the failure?

A.The script exited with a non-zero exit code
B.The script is not included in the 'files' section of the appspec.yml
C.The script requires dependencies that are not installed on the instance
D.The script is not owned by the root user
AnswerA

Any non-zero exit code is interpreted as a failure by CodeDeploy.

Why this answer

Option B is correct because CodeDeploy expects scripts to exit with 0 for success; any non-zero exit code is treated as a failure and the deployment stops. Option A is wrong because missing dependencies would typically cause compilation errors, but the script still exits with non-zero. Option C is wrong because CodeDeploy does not require scripts to be owned by root; any user with execute permission can run them.

Option D is wrong because the script should be in the appspec.yml's 'files' section.

153
Multi-Selecteasy

Which TWO tools can be used to manage configuration drift detection for AWS resources? (Choose two.)

Select 2 answers
A.AWS Config
B.AWS Systems Manager Inventory
C.AWS Trusted Advisor
D.AWS CloudTrail
E.AWS CloudFormation Drift Detection
AnswersA, E

Monitors and evaluates resource configurations.

Why this answer

AWS Config continuously monitors and records AWS resource configurations and can detect changes against desired baselines, enabling drift detection through rules and compliance checks. AWS CloudFormation Drift Detection directly compares the current state of a stack's resources with the expected template-defined state to identify configuration drift. Both tools provide native mechanisms to detect when resources deviate from their intended configuration.

Exam trap

The trap here is that candidates often confuse AWS Systems Manager Inventory (which collects instance-level software inventory) with configuration drift detection, or they mistakenly think AWS CloudTrail's API logging is sufficient to detect drift, when in fact drift detection requires comparing current state to a desired baseline, not just recording changes.

154
MCQeasy

A company uses AWS Elastic Beanstalk to deploy a Java web application. The DevOps team wants to ensure that configuration changes are tracked and can be rolled back if needed. Which Elastic Beanstalk feature should they use?

A.Use AWS CodeCommit to store configuration files and version them.
B.Use AWS CodePipeline with a manual approval stage to track changes.
C.Use AWS CloudFormation change sets to review changes before deployment.
D.Use Elastic Beanstalk saved configurations to capture environment settings and restore them if needed.
AnswerD

Saved configurations allow you to save and restore environment settings.

Why this answer

Option B is correct because Elastic Beanstalk saved configurations allow you to capture and restore environment settings. Option A is wrong because CloudFormation change sets are for CloudFormation stacks, not Elastic Beanstalk. Option C is wrong because Jenkins is a CI/CD tool, not a configuration management feature.

Option D is wrong because CodeCommit is a source control service.

155
MCQmedium

A company uses AWS CloudFormation to deploy a stack that includes an Amazon RDS DB instance. The database password is stored in AWS Secrets Manager. The CloudFormation template needs to reference the secret value dynamically during stack creation. How should the template retrieve the secret?

A.Use a CloudFormation mapping to store the secret ARN.
B.Use a dynamic reference with '{{resolve:secretsmanager:secret-id:secret-string}}' in the template.
C.Hardcode the password in the template as a literal string.
D.Use a CloudFormation parameter with a default value referencing the secret ARN.
AnswerB

Dynamic references retrieve the secret value securely at stack creation.

Why this answer

CloudFormation dynamic references using 'resolve:secretsmanager' allow the template to retrieve secret values at stack creation time. Option D is correct. Options A, B, and C do not retrieve the secret value dynamically.

156
MCQeasy

A CloudFormation template includes the above snippet. The stack creation fails with the error 'Unable to validate the following destination configurations'. What is the most likely cause?

A.The template has a syntax error in the PolicyDocument section.
B.The bucket name is not globally unique.
C.S3 Bucket Policy is not supported for this bucket region.
D.The account has a public access block that denies public bucket policies.
AnswerD

The error indicates validation failure, often due to public access blocks.

Why this answer

The error 'Unable to validate the following destination configurations' typically occurs when a bucket policy grants public access but the bucket's public access block settings are enabled. By default, S3 blocks public access. Option B is correct.

Option A is incorrect because the bucket name is unique. Option C is incorrect because bucket policies are supported. Option D is incorrect because the template is valid YAML.

157
MCQhard

A team uses Terraform to manage AWS infrastructure. After a recent update, a state file shows that a security group rule was created, but the rule does not exist in AWS. Running 'terraform plan' shows no changes. What is the most likely cause?

A.The security group rule was imported into state but not defined in configuration.
B.The 'terraform refresh' command was not run before the plan.
C.There is a conflict between multiple Terraform workspaces.
D.The security group rule was added manually via the AWS console and is not managed by Terraform, causing state to be out of sync.
AnswerD

Terraform state thinks the rule exists, but it doesn't. Plan shows no changes because Terraform believes it's already there.

Why this answer

Option A is correct because if the rule was created outside Terraform, the state file may be out of sync, and Terraform detects no drift if the rule is not managed. Option B is wrong because 'terraform refresh' would update state, but plan shows no changes. Option C is wrong because if import is needed, plan would show changes.

Option D is wrong because it would cause errors, not missing rules.

158
MCQeasy

A company uses AWS OpsWorks for configuration management. They want to ensure that whenever a new instance is added to a layer, it automatically installs the latest security patches and joins a central logging system. What is the most efficient way to achieve this?

A.Schedule a cron job on each instance to check and apply patches daily.
B.Use Chef recipes in a custom OpsWorks layer's Setup lifecycle event.
C.Configure user data scripts in the launch configuration.
D.SSH into each instance and run the commands manually.
AnswerB

Chef recipes in Setup run on every new instance added to the layer.

Why this answer

Option B is correct because Chef recipes in OpsWorks lifecycle events (Setup) run on new instances. Option A is wrong because user data runs only at launch and may not run again if instance is stopped/started. Option C is wrong because it requires manual intervention.

Option D is wrong because it is not real-time.

159
MCQeasy

A company uses AWS CloudFormation to manage its infrastructure. The DevOps team notices that stack updates sometimes fail because of resource conflicts. The team wants to prevent concurrent updates to the same stack. What should they do?

A.Use an AWS Organizations service control policy to restrict updates
B.Create an IAM policy that denies cloudformation:UpdateStack if a stack update is in progress
C.No action needed; CloudFormation already prevents concurrent stack updates
D.Enable CloudTrail to log all stack update attempts and manually review
AnswerC

CloudFormation automatically serializes updates to the same stack.

Why this answer

AWS CloudFormation inherently prevents concurrent updates to the same stack. When an update operation is initiated, CloudFormation places a lock on the stack, rejecting any subsequent update requests until the current operation completes. This behavior is built into the service and requires no additional configuration, making option C correct.

Exam trap

The trap here is that candidates overthink the problem and assume they need to implement custom concurrency controls (like IAM policies or SCPs), when in fact CloudFormation already handles this natively, making the 'no action needed' answer the correct one.

How to eliminate wrong answers

Option A is wrong because AWS Organizations service control policies (SCPs) are used to centrally control permissions across accounts, not to prevent concurrent stack updates within a single account; they cannot enforce operation-level concurrency controls. Option B is wrong because IAM policies evaluate permissions at the time of the API call, but CloudFormation already rejects concurrent updates at the service level, so an IAM policy denying UpdateStack during an in-progress update is redundant and would require custom logic (e.g., using condition keys like cloudformation:StackStatus) that is not natively supported for this purpose. Option D is wrong because CloudTrail logs API calls for auditing but does not prevent concurrent updates; manual review after the fact does not address the real-time conflict.

160
MCQhard

A team uses AWS CloudFormation to manage a multi-tier application. They update the stack and receive this error: 'UPDATE_ROLLBACK_FAILED'. The stack is in a state where some resources were updated, then rollback failed. What is the best course of action?

A.Use the 'ContinueUpdateRollback' API or AWS Management Console to resume rollback, and fix any underlying issues.
B.Ignore the error and use the stack as-is.
C.Attempt to continue the update again.
D.Delete the stack and recreate it.
AnswerA

This is the designed recovery action.

Why this answer

Option D is correct because when a rollback fails, the stack may have resources that could not be rolled back. The recommended approach is to continue rolling back the stack, which may require manual intervention to fix the failing resource. Option A is wrong because continuing update may cause further issues.

Option B is wrong because deleting the stack may lose data. Option C is wrong because the stack is not in a healthy state.

161
MCQeasy

A DevOps engineer needs to create an IAM policy that allows a user to start and stop EC2 instances, but only for instances that have a specific tag 'Environment=Production'. The current policy allows all actions on all instances. Which modification must be made to enforce the tag-based restriction?

A.Add a Condition block: "Condition": {"StringEquals": {"aws:PrincipalTag/Environment": "Production"}}
B.Change the Action to "ec2:Describe*" and add a NotAction element.
C.Add a Condition block: "Condition": {"StringEquals": {"ec2:ResourceTag/Environment": "Production"}}
D.Add a Condition block: "Condition": {"StringEquals": {"aws:RequestTag/Environment": "Production"}}
AnswerC

This condition restricts the allowed actions to instances with the specified tag.

Why this answer

Option C is correct because the `ec2:ResourceTag` condition key allows you to restrict actions based on the tags already attached to the EC2 instance. By using `StringEquals` with `ec2:ResourceTag/Environment` set to `Production`, the policy will only permit the `ec2:StartInstances` and `ec2:StopInstances` actions on instances that currently have that tag. This is the standard AWS mechanism for tag-based resource-level authorization in IAM policies.

Exam trap

The trap here is confusing `ec2:ResourceTag` (tag on the resource) with `aws:RequestTag` (tag in the API request) or `aws:PrincipalTag` (tag on the user), leading candidates to pick a condition key that does not evaluate the instance's existing tags.

How to eliminate wrong answers

Option A is wrong because `aws:PrincipalTag/Environment` checks the tag on the IAM user or role making the request, not the tag on the EC2 instance; this would allow any user with that principal tag to act on any instance, regardless of the instance's tags. Option B is wrong because changing the Action to `ec2:Describe*` would only permit read-only actions (like listing instances), not start/stop operations, and adding a `NotAction` element does not enforce tag-based restrictions—it inverts the action scope, which is irrelevant here. Option D is wrong because `aws:RequestTag/Environment` checks tags that are passed in the API request itself (e.g., when creating a resource), not the tags already present on an existing resource; this would not restrict start/stop actions on existing instances based on their current tags.

162
MCQhard

An organization uses AWS System Manager Patch Manager to patch EC2 instances. The patches are not being applied to some instances. The instances are running Amazon Linux 2 and have the SSM Agent installed. What is the MOST likely reason for the failure?

A.The instances do not have internet access to reach the Systems Manager endpoint.
B.The SSM Agent is out of date and needs to be updated.
C.The instances are missing the required IAM role for Systems Manager.
D.The instances are not running a supported operating system.
AnswerC

An IAM role with AmazonSSMManagedInstanceCore policy is needed.

Why this answer

Option C is correct because instances must have an IAM role that allows SSM to manage patches. Without the role, SSM Agent cannot communicate with the service. Option A is incorrect because SSM Agent does not require internet access if using VPC endpoints.

Option B is incorrect because Patch Manager supports Amazon Linux 2. Option D is incorrect because SSM Agent is not patched, it is used to apply patches.

163
Drag & Dropmedium

Drag and drop the steps to set up an AWS Lambda function triggered by an S3 event.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

First create the bucket, then create the Lambda function, then add trigger, then configure notification, then test.

164
Multi-Selectmedium

A company is designing a CI/CD pipeline for a microservices architecture using AWS CodePipeline. They want to use infrastructure as code to manage the pipeline itself. Which TWO services can be used together to achieve this?

Select 2 answers
A.AWS Service Catalog
B.AWS CodePipeline
C.AWS CloudFormation
D.AWS CodeDeploy
E.AWS Elastic Beanstalk
AnswersB, C

CodePipeline is the service that orchestrates the pipeline itself.

Why this answer

Option A (CloudFormation) and Option D (CodePipeline) are correct because CloudFormation can define the pipeline resource, and CodePipeline is the service being defined. Option B (CodeDeploy) is for deployment, not pipeline definition. Option C (Elastic Beanstalk) is for application deployment.

Option E (Service Catalog) is for product portfolios.

165
MCQeasy

A company uses AWS OpsWorks to manage a set of EC2 instances. They need to ensure that a custom recipe runs on all instances during the 'Configure' lifecycle event. What is the correct way to achieve this?

A.Modify the stack's CloudFormation template to include the recipe.
B.Upload the recipe to a custom cookbook repository and assign it to the 'Configure' lifecycle event in the stack settings.
C.Add the recipe commands to the instance's user data script.
D.Use AWS CodeDeploy to trigger the recipe during the Configure event.
AnswerB

This is the standard way to run custom recipes on OpsWorks lifecycle events.

Why this answer

In AWS OpsWorks, lifecycle events (such as Configure) are tied to layers, not individual instances. To run a custom recipe on all instances during the Configure event, you must upload the recipe to a custom cookbook repository (e.g., S3 or Git) and then assign that recipe to the Configure lifecycle event in the stack's layer settings. This ensures OpsWorks Chef runs the recipe on every instance in that layer whenever the Configure event fires (e.g., after scaling or instance state changes).

Exam trap

The trap here is that candidates confuse the one-time execution of user data scripts (Option C) with the recurring, event-driven nature of OpsWorks lifecycle events, or mistakenly think CloudFormation (Option A) or CodeDeploy (Option D) can directly manage OpsWorks recipe execution.

How to eliminate wrong answers

Option A is wrong because AWS OpsWorks does not use CloudFormation templates to define lifecycle recipes; OpsWorks uses Chef cookbooks and lifecycle event assignments within the stack/layer configuration. Option C is wrong because user data scripts run only once at instance boot, whereas the Configure lifecycle event fires repeatedly (e.g., on instance start, stop, or scaling), so a user data script cannot handle recurring Configure events. Option D is wrong because AWS CodeDeploy is a deployment service for application code, not a mechanism to trigger OpsWorks lifecycle events; it cannot directly invoke Chef recipes during the Configure event.

166
MCQhard

An organization manages multiple AWS accounts using AWS Organizations. They want to use AWS CloudFormation StackSets to deploy a standard VPC configuration across all accounts. However, some accounts require specific CIDR blocks that differ from the default. What is the most efficient way to handle this variation?

A.Create separate StackSets for each CIDR range and assign accounts accordingly.
B.Create a nested stack for each account that overrides the default parameters.
C.Use a single StackSet with parameters and pass account-specific parameter files via AWS CloudFormation parameter overrides in the StackSet instance.
D.Maintain separate templates per account with hardcoded CIDR blocks.
AnswerC

Parameter overrides allow per-account customization efficiently.

Why this answer

Option C is correct because AWS CloudFormation StackSets support parameter overrides at the stack instance level, allowing you to deploy a single StackSet template across multiple accounts while specifying account-specific CIDR blocks without duplicating infrastructure. This approach minimizes management overhead by using one template and one StackSet, with parameter overrides applied per target account or organizational unit (OU) via the StackSet instance configuration.

Exam trap

The trap here is that candidates often confuse StackSet parameter overrides with nested stacks or separate templates, not realizing that StackSets natively support per-instance parameter values without requiring multiple StackSets or template duplication.

How to eliminate wrong answers

Option A is wrong because creating separate StackSets for each CIDR range defeats the purpose of using StackSets for centralized management, leading to operational complexity and increased maintenance burden. Option B is wrong because nested stacks are not designed to override parameters per account in a StackSet; they are used for modular template composition, not for passing account-specific values across multiple StackSet instances. Option D is wrong because maintaining separate templates per account with hardcoded CIDR blocks violates IaC best practices, introduces drift risk, and eliminates the reusability and consistency that StackSets provide.

167
MCQeasy

A DevOps engineer is using AWS OpsWorks for configuration management. They need to ensure that custom recipes are applied to all instances in a layer in a specific order. What should the engineer do?

A.Assign the recipes to the appropriate lifecycle events in the layer configuration.
B.Use AWS CloudFormation Init with cfn-init to order the scripts.
C.Include all recipes in a single wrapper recipe and use include_recipe with the desired order.
D.Add the recipes to the instance's user data script.
AnswerA

Lifecycle events allow ordered execution of recipes.

Why this answer

AWS OpsWorks uses lifecycle events (Setup, Configure, Deploy, Undeploy, Shutdown) to control when custom recipes run on instances within a layer. By assigning recipes to the appropriate lifecycle events in the layer configuration, the engineer ensures they execute in the defined order for that event across all instances in the layer, which is the native mechanism for ordering in OpsWorks.

Exam trap

The trap here is that candidates may confuse OpsWorks lifecycle events with Chef's include_recipe directive, assuming that ordering within a wrapper recipe is sufficient, when OpsWorks actually enforces order through lifecycle event assignments.

How to eliminate wrong answers

Option B is wrong because AWS CloudFormation Init with cfn-init is used for bootstrapping EC2 instances in CloudFormation stacks, not for managing recipe execution order within an OpsWorks layer, which is a separate configuration management service. Option C is wrong because while include_recipe can be used in Chef to include other recipes, placing all recipes in a single wrapper recipe does not inherently enforce a specific order across lifecycle events; OpsWorks relies on lifecycle event assignments to control execution sequence, not Chef's include_recipe order alone. Option D is wrong because user data scripts run only at instance launch and are not integrated with OpsWorks lifecycle events; they cannot manage the ordered execution of custom recipes across the instance's operational lifecycle.

168
MCQmedium

A DevOps team uses AWS CodeCommit and AWS CodePipeline for CI/CD. They need to ensure that sensitive configuration parameters such as database passwords are not stored in plaintext in the source code repository. Which solution meets these requirements with minimal operational overhead?

A.Store the parameters in a separate encrypted Git repository and use Git submodules.
B.Use AWS KMS to encrypt the parameters and include the encrypted blob in the source code.
C.Store the parameters in an S3 bucket with server-side encryption, and have the pipeline download them.
D.Use AWS Systems Manager Parameter Store with secure strings, and reference them in the pipeline using parameter-store action.
AnswerD

Parameter Store securely stores secrets and integrates with CodePipeline.

Why this answer

Option D is correct because AWS Systems Manager Parameter Store with secure strings provides a native, fully managed service for storing sensitive configuration data like database passwords. By using the parameter-store action in CodePipeline, the pipeline can retrieve the secure parameter at runtime without exposing it in the source code or requiring manual encryption/decryption logic, minimizing operational overhead.

Exam trap

The trap here is that candidates may think storing an encrypted blob in the repository (Option B) is acceptable because it is 'encrypted,' but the exam tests the principle that secrets should never be stored in the source code repository at all, even in encrypted form, due to key management and exposure risks.

How to eliminate wrong answers

Option A is wrong because maintaining a separate encrypted Git repository and using Git submodules adds significant complexity, does not natively integrate with CodePipeline, and still risks exposing sensitive data in the submodule reference or during cloning. Option B is wrong because including an encrypted blob in the source code requires manual key management and decryption logic in the pipeline, and the encrypted blob itself is still stored in the repository, which violates the principle of not storing secrets in the codebase. Option C is wrong because storing parameters in an S3 bucket with server-side encryption requires additional pipeline steps to download the file, manage bucket permissions, and handle potential race conditions or stale data, increasing operational overhead compared to a direct parameter store reference.

169
MCQmedium

A company uses AWS CloudFormation to deploy a web application across multiple AWS accounts using StackSets. The DevOps team notices that stack instance updates are failing in some accounts with the error: 'Insufficient IAM permissions to perform the action'. The team has already verified that the StackSet IAM role has the necessary permissions. What is the most likely cause of this issue?

A.The target accounts have reached the limit of 200 stacks per region.
B.The target accounts do not have the necessary trust policy to allow the StackSet IAM role to assume the execution role.
C.AWS Organizations has a service control policy (SCP) that denies the required action, but the StackSet IAM role has full admin permissions.
D.The StackSet name contains invalid characters that are not allowed in some accounts.
AnswerB

StackSets require a trust relationship between the StackSet IAM role and the execution role in target accounts.

Why this answer

Option B is correct because StackSets require that the target accounts have a trust policy allowing the StackSet IAM role to assume a role in those accounts. Option A is wrong because the error is about permissions, not limit. Option C is wrong because the stack set name is not relevant.

Option D is wrong because SCPs can block permissions even if the IAM role has them.

170
MCQhard

An organization uses AWS OpsWorks for configuration management. They want to migrate to AWS Systems Manager to reduce costs and improve flexibility. Their current stack includes custom Chef recipes that manage package installations and service configurations. What is the MOST effective migration strategy?

A.Use AWS CloudFormation to recreate the entire infrastructure and manage configurations.
B.Use AWS CodeDeploy to replace OpsWorks and manage configurations.
C.Translate Chef recipes into Systems Manager State Manager associations and use Run Command for ad-hoc tasks.
D.Keep OpsWorks but integrate it with Systems Manager for hybrid management.
AnswerC

State Manager manages configurations similarly to Chef, and Run Command provides ad-hoc execution.

Why this answer

Option C is correct because Systems Manager State Manager can manage configurations using association documents that are equivalent to Chef recipes, and Run Command can execute ad-hoc commands. Option A is wrong because it does not address existing recipes. Option B is wrong because CodeDeploy is for application deployments, not configuration management.

Option D is wrong because it adds complexity and cost.

171
Multi-Selecthard

A DevOps team uses Ansible for configuration management of EC2 instances. They want to ensure that the latest security patches are applied to all instances. Which THREE steps should they include in their Ansible playbook? (Choose THREE.)

Select 3 answers
A.Use the 'service' module to restart services after patching
B.Use the 'command' module to run 'yum update -y'
C.Use the 'copy' module to download patch files
D.Use the 'package' module with state=latest
E.Use the 'yum' module with state=latest
AnswersB, D, E

This is a valid way to update packages.

Why this answer

Options A, B, and D are correct. A: Using the 'yum' module to update packages. B: Using the 'command' module to run 'yum update -y'.

D: Using the 'package' module to update all packages. Option C is wrong because the 'service' module is for managing services, not patching. Option E is wrong because 'copy' is for files, not package updates.

172
Multi-Selectmedium

An organization uses AWS Elastic Beanstalk to manage a production web application. The application uses a custom AMI that needs to be updated periodically. The team wants to automate the process of updating the AMI and deploying it to the environment with zero downtime. Which THREE steps should the team include in the automation? (Choose THREE.)

Select 3 answers
A.Delete the environment and recreate it with the new AMI.
B.Build a new AMI using a tool like Packer and store it in EC2 Image Builder.
C.Use Elastic Beanstalk's immutable update policy to replace instances with new ones.
D.Update the Elastic Beanstalk environment configuration to use the new AMI ID.
E.Terminate all existing instances and allow Auto Scaling to launch new ones with the new AMI.
AnswersB, C, D

Packer or Image Builder can create updated AMIs.

Why this answer

Options A, C, and E are correct. Option A creates a new AMI version. Option C updates the environment configuration with a rolling update to minimize downtime.

Option E uses an immutable update for zero downtime. Option B is incorrect because terminating instances without a deployment strategy causes downtime. Option D is incorrect because deleting the environment is disruptive.

173
Multi-Selectmedium

A DevOps team is designing a CI/CD pipeline for a microservices application deployed on Amazon ECS. The application uses multiple AWS services including RDS, ElastiCache, and SQS. Which TWO strategies should the team implement to ensure secure and auditable configuration management across environments?

Select 2 answers
A.Use AWS Secrets Manager to store and rotate database credentials.
B.Implement AWS Config rules to enforce tagging and compliance standards.
C.Store database credentials in a version-controlled configuration file.
D.Manually review configuration changes before deployment.
E.Grant developers direct S3 access to upload configuration files.
AnswersA, B

Secrets Manager securely stores secrets and supports automatic rotation.

Why this answer

Using AWS Secrets Manager for database credentials (B) avoids hardcoding secrets and enables rotation. AWS Config rules (C) ensure resources comply with policies and provide audit trail. Option A (hardcoded) is insecure; D (developer S3 access) violates least privilege; E (manual check) is not scalable.

174
MCQhard

A company uses AWS CodePipeline to orchestrate a multi-stage CI/CD pipeline. The build stage uses AWS CodeBuild and the deploy stage uses AWS CodeDeploy. The pipeline includes a manual approval step between build and deploy. The team wants to automatically trigger the pipeline when changes are pushed to a Git repository hosted in AWS CodeCommit. Which pipeline configuration is required for automatic triggers?

A.Configure the source stage to use periodic polling of the CodeCommit repository.
B.Set up an SNS topic to notify the pipeline when code changes occur.
C.Add a Lambda function that calls StartPipelineExecution in response to CodeCommit events.
D.Configure the source stage to use CodeCommit as the source provider and enable 'Amazon CloudWatch Events' (EventBridge) to detect changes.
AnswerD

EventBridge rules automatically start the pipeline when changes are pushed to CodeCommit.

Why this answer

To automatically trigger the pipeline on code changes, the source stage must use CodeCommit as a source action with 'Amazon CloudWatch Events' (now Amazon EventBridge) configured to detect changes. CodePipeline integrates with EventBridge to start the pipeline on repository events. Option D is correct.

Options A, B, and C are not sufficient alone.

175
MCQhard

A company uses AWS CloudFormation to manage infrastructure. They have a template that creates an Amazon RDS DB instance. The template includes a 'DeletionPolicy' attribute set to 'Retain' on the DB instance resource. The DevOps team deletes the stack. Later, they notice that the DB instance still exists and is incurring costs. What is the MOST cost-effective way to remove the DB instance?

A.Create a new CloudFormation stack that includes the same DB instance but with a DeletionPolicy of 'Delete', then delete that stack.
B.Manually delete the DB instance using the AWS Management Console or AWS CLI.
C.Use the 'aws cloudformation delete-change-set' command to remove the resource.
D.Update the stack: change the DeletionPolicy to 'Delete' and then delete the stack again.
AnswerB

Correct. The instance was retained, so manual deletion is the simplest and most cost-effective approach.

Why this answer

Option C (manually delete the DB instance via the AWS Management Console or CLI) is correct because the DeletionPolicy set to Retain prevents CloudFormation from deleting the resource; manual deletion is the simplest and cost-effective. Option A is wrong because updating the stack with deletion policy 'Delete' and then deleting again would work but is unnecessary extra steps. Option B is wrong because creating a new stack to delete the resource is overly complex.

Option D is wrong because the RDS instance is not in a change set; it exists independently.

176
MCQeasy

A company uses AWS CodeBuild to compile and test code. The buildspec.yml file includes commands that require access to a private S3 bucket. The DevOps engineer wants to securely provide AWS credentials to the build project. What is the recommended approach?

A.Use a service role for CodeBuild with appropriate permissions
B.Store the AWS access key ID and secret access key in the buildspec.yml file
C.Use an EC2 instance profile attached to the build environment
D.Pass the credentials as environment variables in the build project configuration
AnswerA

Service roles are the secure way to grant permissions.

Why this answer

Option C is correct because the recommended approach is to use a CodeBuild service role that grants access to the S3 bucket. Option A is wrong because access keys should not be hardcoded. Option B is wrong because instance profiles are for EC2, not CodeBuild.

Option D is wrong because environment variables are not secure.

177
MCQhard

A company uses AWS CodePipeline to deploy a static website to an S3 bucket. The pipeline has a Source stage (GitHub), a Build stage (CodeBuild), and a Deploy stage (CodeDeploy). The deployment fails intermittently with the error: 'Bucket does not allow ACLs'. The S3 bucket is configured to use the 'bucket-owner-enforced' setting for Object Ownership. The team wants to resolve the failure while maintaining security best practices. What should the team do?

A.Update the CodeDeploy deployment action to use a bucket policy and disable ACLs.
B.Make the S3 bucket publicly accessible to allow CodeDeploy to write objects.
C.Add a step in CodeBuild to copy the artifacts to the S3 bucket using the AWS CLI.
D.Change the Object Ownership setting to 'ObjectWriter' to enable ACLs.
AnswerA

Bucket policies are the recommended way to manage permissions when ACLs are off.

Why this answer

When Object Ownership is set to bucket-owner-enforced, ACLs are disabled (C). The CodeDeploy action must be configured to use bucket policies instead of ACLs. Option A (remove setting) weakens security; B (public) is insecure; D (CodeBuild) is not the issue.

178
Multi-Selectmedium

A DevOps team is designing a CI/CD pipeline using AWS CodeBuild and CodePipeline. They want to use infrastructure as code to define the build environment. Which TWO options are valid approaches to define the build environment in CodeBuild?

Select 2 answers
A.Configure CodeDeploy to set up the build environment before the build starts.
B.Define the build environment using a buildspec.yml file that includes runtime versions and environment variables.
C.Use an Elastic Beanstalk environment to run the build.
D.Use a custom Docker image stored in Amazon ECR as the build environment.
E.Use an AWS CloudFormation template to specify the build environment configuration.
AnswersB, D

The buildspec file is the primary way to define build commands and environment.

Why this answer

Option B is correct because the buildspec.yml file is the primary mechanism in AWS CodeBuild to define the build environment, including runtime versions (e.g., runtime: nodejs:18) and environment variables. This file is placed at the root of the source code and instructs CodeBuild on how to execute the build phases, making it a valid infrastructure-as-code approach for environment configuration.

Exam trap

The trap here is that candidates may think CloudFormation or CodeDeploy can define the build environment, but CodeBuild only accepts environment definitions via buildspec.yml or a custom Docker image, not through external IaC services.

179
Multi-Selecteasy

A company uses AWS CodeBuild to run tests as part of their CI/CD pipeline. They want to store build artifacts in an S3 bucket and ensure that only the latest successful build artifacts are retained. Which TWO actions should they take? (Choose TWO.)

Select 2 answers
A.Configure CodeBuild to output artifacts to a specific S3 bucket.
B.Use an S3 lifecycle policy to delete objects after a certain number of days.
C.Store artifacts in an AWS CodeCommit repository.
D.Enable versioning on the S3 bucket to keep all versions.
E.Use CloudWatch Logs to store build logs.
AnswersA, B

CodeBuild can directly store artifacts in S3.

Why this answer

Options B and D are correct. Option B configures CodeBuild to store artifacts in S3. Option D sets a lifecycle policy to expire old artifacts.

Option A is wrong because it would retain all artifacts. Option C is wrong because CodeCommit is for source code, not artifacts. Option E is wrong because CloudWatch Logs are for logs, not artifacts.

180
Multi-Selecteasy

Which TWO are benefits of using AWS CloudFormation for infrastructure as code? (Select TWO.)

Select 2 answers
A.Manages both AWS and on-premises resources.
B.Enables declarative infrastructure definition.
C.Automates resource provisioning and reduces manual error.
D.Provides a graphical interface for designing infrastructure.
E.Automatically optimizes resource costs.
AnswersB, C

Users declare the desired state.

Why this answer

Option B is correct because CloudFormation provides a declarative way to define infrastructure. Option D is correct because it automates provisioning and reduces manual effort. Option A is wrong because CloudFormation does not provide a graphical interface for drag-and-drop.

Option C is wrong because it manages AWS resources, not on-premises. Option E is wrong because it does not automatically optimize costs.

181
MCQeasy

A company uses AWS OpsWorks for configuration management of its EC2 instances. The DevOps team wants to apply a new security patch to all instances in a specific layer. What is the most efficient way to accomplish this?

A.Create a new OpsWorks stack with the patch and migrate instances to it.
B.SSH into each instance and run the patch command manually.
C.Update the layer's custom Chef recipe to include the patch and trigger a lifecycle event to execute the recipe on all instances.
D.Use AWS Systems Manager Run Command to run a patch command on each instance individually.
AnswerC

OpsWorks runs Chef recipes on instances based on lifecycle events.

Why this answer

Option C is correct because OpsWorks allows running custom Chef recipes as lifecycle events. Option A is wrong because it requires manual login. Option B is wrong because it is not automated across all instances.

Option D is wrong because a new stack is unnecessary.

182
Multi-Selecthard

A DevOps team is designing a CI/CD pipeline for a microservices application using AWS CodePipeline. They want to incorporate infrastructure as code (IaC) using AWS CloudFormation. Which three practices should they follow to ensure reliable and repeatable deployments? (Choose THREE.)

Select 3 answers
A.Use the same CloudFormation template across all environments, with parameterization for environment-specific values.
B.Implement rollback triggers to automatically roll back failed stack updates.
C.Create a single monolithic template for all microservices to simplify management.
D.Skip change sets during stack updates to speed up the pipeline.
E.Use CloudFormation stack sets to deploy stacks across multiple accounts and regions consistently.
AnswersA, B, E

Parameterization allows reuse of the same template.

Why this answer

Options A, C, and E are correct. Option A ensures consistency across environments. Option C prevents configuration drift.

Option E ensures stack updates are safe. Option B is wrong because creating a single large template is not a best practice; modular templates are recommended. Option D is wrong because skipping change sets can lead to unintended changes.

183
MCQeasy

A company uses AWS CodeCommit to store its infrastructure as code templates. The DevOps team wants to automatically validate CloudFormation templates before merging changes to the main branch. Which service should be used to implement this validation?

A.AWS CodeBuild
B.AWS CodeDeploy
C.AWS CodePipeline
D.AWS CodeStar
AnswerA

CodeBuild can run validation scripts as part of a pull request approval rule.

Why this answer

AWS CodeBuild is the correct service because it can be configured as a pre-merge check in a pull request workflow. By integrating CodeBuild with CodeCommit, the DevOps team can automatically run a build project that validates CloudFormation templates (e.g., using `aws cloudformation validate-template` or `cfn-lint`) before the merge is allowed. This provides a serverless, automated validation step without requiring a full pipeline or deployment.

Exam trap

The trap here is that candidates often confuse CodePipeline's orchestration capabilities with the need for a simple pre-merge validation, overlooking that CodeBuild can be directly triggered by CodeCommit pull request events without a full pipeline.

How to eliminate wrong answers

Option B (AWS CodeDeploy) is wrong because CodeDeploy is designed for deploying application code to compute services (EC2, Lambda, ECS) and does not provide a mechanism to validate CloudFormation templates before merging. Option C (AWS CodePipeline) is wrong because CodePipeline orchestrates continuous delivery workflows but does not natively trigger on pull request events in CodeCommit; it requires manual setup with webhooks and is overkill for a simple pre-merge validation. Option D (AWS CodeStar) is wrong because CodeStar is a project management and collaboration dashboard that simplifies setting up CI/CD pipelines, but it does not itself perform template validation or enforce pre-merge checks.

184
MCQmedium

A DevOps engineer is designing a configuration management strategy for a fleet of EC2 instances running Amazon Linux 2. The instances must be bootstrapped with custom software and continuously managed to ensure desired state compliance. Which combination of services should the engineer use?

A.AWS CloudFormation for bootstrapping and Amazon CloudWatch Events to enforce desired state
B.AWS OpsWorks for Chef Automate for configuration management and AWS CodeDeploy for deployments
C.AWS Systems Manager State Manager for desired state configuration and AWS Systems Manager Run Command for initial bootstrapping
D.AWS Config for configuration management and Amazon CloudWatch Events for remediation
AnswerC

State Manager maintains desired state, Run Command executes one-time scripts.

Why this answer

Option C is correct because AWS Systems Manager State Manager provides a policy-driven mechanism to define and maintain desired state configuration for EC2 instances, while AWS Systems Manager Run Command enables ad-hoc or initial bootstrapping by executing scripts or commands (e.g., installing custom software) without requiring SSH. Together, they cover both the initial setup and ongoing compliance enforcement for Amazon Linux 2 instances, aligning with the requirement for continuous management.

Exam trap

The trap here is that candidates often confuse AWS Config (a compliance auditing service) with a configuration management tool, or assume CloudWatch Events can enforce state, when in fact Systems Manager State Manager is the native AWS service for desired state configuration.

How to eliminate wrong answers

Option A is wrong because Amazon CloudWatch Events (now Amazon EventBridge) is an event bus service for routing events, not a tool for enforcing desired state; it cannot apply or remediate configuration drift on EC2 instances. Option B is wrong because AWS OpsWorks for Chef Automate is a managed Chef server, but it is not the recommended approach for Amazon Linux 2 instances that are better served by native AWS Systems Manager capabilities, and AWS CodeDeploy handles application deployments, not configuration management or desired state enforcement. Option D is wrong because AWS Config is a service for evaluating resource compliance against rules and recording configuration history, but it does not perform remediation actions itself; while it can trigger remediation via Systems Manager Automation, it is not a configuration management tool for bootstrapping or continuous desired state enforcement.

185
MCQmedium

A DevOps engineer attempted to create a CloudFormation stack and it failed. The engineer runs the 'describe-stack-events' command and sees the output above. What is the most likely cause of the failure?

A.The EC2 key pair 'myKeyPair' does not exist in the region where the stack is being created.
B.The AMI ID specified in the template is not available in the region.
C.The CloudFormation template has a syntax error in the EC2 instance definition.
D.The security group specified for the EC2 instance does not exist.
AnswerA

The error message clearly states the key name is invalid.

Why this answer

The 'describe-stack-events' output shows a 'CREATE_FAILED' event for the EC2 instance resource with the status reason indicating that the key pair 'myKeyPair' was not found. CloudFormation validates the existence of the specified EC2 key pair in the target region at creation time; if the key pair does not exist, the stack creation fails immediately. This is a common validation error when the key pair name is misspelled, belongs to a different region, or has not been created beforehand.

Exam trap

The trap here is that candidates may confuse a missing key pair with other common EC2 launch failures like AMI unavailability or security group issues, but the specific error message in the stack events directly points to the key pair name as the root cause.

How to eliminate wrong answers

Option B is wrong because if the AMI ID were not available in the region, CloudFormation would fail with a specific error message like 'AMI ID does not exist' or 'AMI not found', not a key pair error. Option C is wrong because a syntax error in the template would cause a validation error before any resource creation attempts, typically reported as 'Template validation error' or 'Template format error', not a resource-specific failure. Option D is wrong because a missing security group would produce an error referencing the security group ID or name, such as 'Security group does not exist', not a key pair error.

186
MCQmedium

A company uses AWS CodeCommit and CodePipeline. The pipeline triggers on commits to the main branch. The DevOps engineer wants to add a stage that runs unit tests in a build environment. After the tests pass, the pipeline should deploy to a staging environment. If the tests fail, the pipeline should stop and notify the team. Which AWS service should be used to implement this workflow?

A.AWS CodeBuild
B.AWS CodeStar
C.AWS Lambda
D.AWS CodeDeploy
AnswerA

CodeBuild can run unit tests and fail the pipeline if tests fail.

Why this answer

Option D is correct because AWS CodeBuild integrates with CodePipeline to run tests and can be configured to fail the pipeline if tests fail. Option A is wrong because CodeDeploy is for deployments, not testing. Option B is wrong because Lambda can run tests but CodeBuild is more appropriate for build and test.

Option C is wrong because CodeStar is a project management tool.

187
MCQeasy

A company is using AWS OpsWorks for configuration management of their application stack. The stack includes a PHP application layer and a MySQL database layer. The DevOps team wants to automate the deployment of a new PHP version across all instances in the PHP layer. The team has created a custom Chef recipe that updates PHP. They want to run this recipe on all instances in the PHP layer in a rolling update fashion to avoid downtime. Which OpsWorks feature should they use?

A.Use the OpsWorks 'Run Command' feature to execute the recipe on the PHP layer with rolling update settings.
B.Create a custom Chef cookbook and enable automatic updates in OpsWorks.
C.Add the recipe to the Setup lifecycle event for the PHP layer.
D.Modify the PHP layer's lifecycle configuration to include the recipe in the Configure event.
AnswerA

Run Command allows on-demand execution with rolling update configuration.

Why this answer

Option C is correct. OpsWorks allows you to run a custom Chef recipe on a layer using the 'Run Command' feature, and you can specify a rolling update by setting the 'Batch size' and 'Install on all instances' options. Option A is wrong because Setup runs at boot, not on demand.

Option B is wrong because automatic updates are not a feature. Option D is wrong because lifecycle events are for automatic execution, not on-demand rolling updates.

188
MCQmedium

A team uses CloudFormation to deploy a multi-container Docker environment on Amazon ECS. They need to pass environment variables to the containers from Parameter Store. How should they reference these values in the CloudFormation template?

A.Using the 'Ref' function with the parameter name
B.Using the 'Fn::ParamStore' intrinsic function
C.Using 'Fn::GetAtt' on the Parameter Store resource
D.Using the 'resolve:ssm' dynamic reference
AnswerD

Dynamic references allow you to retrieve values from Parameter Store or Secrets Manager.

Why this answer

CloudFormation has a dynamic reference resolution feature that allows you to use the 'resolve:ssm' or 'resolve:ssm-secure' syntax to fetch values from Parameter Store at stack creation/update time. Option B is correct. Option A is incorrect because there is no 'aws:paramstore' intrinsic function.

Option C is incorrect because Ref returns the parameter name, not its value. Option D is incorrect because Fn::GetAtt is for resource attributes, not for Parameter Store values.

189
MCQeasy

A DevOps engineer needs to manage configuration files across a fleet of Amazon EC2 instances running Amazon Linux. The configuration files must be updated whenever they change in an S3 bucket. Which AWS service is most suitable for this task?

A.AWS OpsWorks for Chef Automate
B.AWS Systems Manager State Manager
C.AWS CloudFormation
D.AWS Config
AnswerB

State Manager can manage and update configurations automatically.

Why this answer

AWS Systems Manager State Manager is the most suitable service because it provides a configuration management solution that can automatically apply and maintain the desired state of EC2 instances. It can be configured to run associations on a schedule or in response to events, such as changes to an S3 bucket, using an AWS Lambda trigger or EventBridge rule to invoke the association. This ensures that configuration files are updated whenever they change in the S3 bucket, without requiring manual intervention or a full configuration management platform.

Exam trap

The trap here is that candidates often confuse AWS Config (which only audits and records configuration changes) with Systems Manager State Manager (which actively enforces and applies desired configurations), leading them to select AWS Config as the answer.

How to eliminate wrong answers

Option A is wrong because AWS OpsWorks for Chef Automate is a managed Chef server that requires Chef cookbooks and a Chef client agent, which is overkill for simple file synchronization and does not natively integrate with S3 bucket events for automatic updates. Option C is wrong because AWS CloudFormation is an Infrastructure as Code (IaC) service used to provision and manage AWS resources, not to manage runtime configuration files on running instances; it would require custom resources or additional automation to react to S3 changes. Option D is wrong because AWS Config is a service for evaluating resource compliance against rules and recording configuration history, not for actively pushing or updating configuration files on EC2 instances.

190
MCQhard

A company uses AWS CodePipeline to automate deployments. The pipeline has a source stage (CodeCommit), a build stage (CodeBuild), and a deploy stage (CodeDeploy). The DevOps engineer notices that the pipeline fails intermittently during the deploy stage with the error: 'The deployment failed because the deployment group does not exist'. What is the most likely cause?

A.The deployment group was deleted or renamed after the pipeline was configured
B.The Auto Scaling group associated with the deployment group has insufficient capacity
C.The CodePipeline service role does not have permission to call CodeDeploy
D.The CodeDeploy application name in the pipeline is misspelled
AnswerA

If the deployment group is missing, the deploy stage fails.

Why this answer

Option B is correct because the deployment group is configured in CodeDeploy, and if the pipeline's deploy stage references a deployment group that does not exist, it will fail. Option A is wrong because IAM roles would cause a different error. Option C is wrong because insufficient capacity would cause a deployment error, not a missing group.

Option D is wrong because the application name would also cause a different error.

191
MCQmedium

A company uses AWS CloudFormation to deploy a multi-tier web application. The template includes a nested stack for the database layer. When updating the stack, the database stack fails with a 'CREATE_FAILED' status, but the parent stack continues updating other resources. What is the most likely cause and best practice to prevent this?

A.The parent stack's update policy is set to 'CONTINUE' by default. To prevent this, set 'OnFailure' to 'ROLLBACK' in the stack update options.
B.The parent stack was created without the '--capabilities' parameter, so it cannot roll back.
C.The nested stack failure automatically triggers a rollback of the parent stack, but the rollback also failed.
D.The parent stack is configured with 'OnFailure' set to 'DO_NOTHING'. Change it to 'DELETE'.
AnswerA

Setting 'OnFailure' to 'ROLLBACK' during update ensures the entire stack rolls back if any resource fails, maintaining consistency.

Why this answer

Option A is correct because, by default, when a CloudFormation stack update encounters a failure in a nested stack, the parent stack's update policy is set to 'CONTINUE', meaning it will proceed with updating other resources despite the failure. To prevent this, you should set the 'OnFailure' parameter to 'ROLLBACK' in the stack update options, which instructs CloudFormation to roll back the entire parent stack if any resource (including nested stacks) fails to update, ensuring consistency across the deployment.

Exam trap

The trap here is that candidates confuse the 'OnFailure' parameter (which only applies to stack creation) with update behavior, and mistakenly think that nested stack failures always trigger an automatic rollback of the parent stack, when in fact the default update policy is to continue.

How to eliminate wrong answers

Option B is wrong because the '--capabilities' parameter is required for stacks that create IAM resources, not for controlling rollback behavior; omitting it would cause a different error (e.g., 'InsufficientCapabilitiesException') but does not prevent rollback. Option C is wrong because a nested stack failure does not automatically trigger a rollback of the parent stack; the parent stack's behavior depends on the 'OnFailure' setting, which defaults to 'CONTINUE' (not rollback). Option D is wrong because 'OnFailure' set to 'DO_NOTHING' is not a valid value for stack updates; valid values are 'ROLLBACK' and 'DELETE' (for creation), and 'DO_NOTHING' is not an option—the default behavior for updates is to continue, not to do nothing.

192
MCQmedium

An operations team manages a fleet of Amazon EC2 instances that require periodic software updates. They want to use AWS Systems Manager to apply patches automatically while ensuring that patches are tested before production deployment. Which approach meets these requirements?

A.Use AWS Systems Manager Automation to create a runbook that patches instances one by one.
B.Create a patch baseline and assign it to all instances; enable automatic approval for all patches.
C.Use AWS Systems Manager Run Command to manually run patch commands on test instances, then on production.
D.Use AWS Systems Manager Patch Manager with maintenance windows, and configure a patch baseline that approves patches after a test period.
AnswerD

Automated and allows testing.

Why this answer

Option C is correct because Systems Manager Patch Manager supports patch baselines and maintenance windows, and can be used with State Manager to schedule patching. By creating separate patching schedules for test and production, patches can be tested first. Option A is wrong because Patch Manager does not automatically install patches without a maintenance window.

Option B is wrong because Run Command is manual. Option D is wrong because Automation is not designed for patching.

193
MCQeasy

A DevOps team uses AWS OpsWorks for configuration management. They want to run a custom recipe on all instances in a layer during the setup lifecycle event. What should they do?

A.Add the recipe commands to the instance's user data.
B.Store the recipe in an S3 bucket and reference it in the stack configuration.
C.Define a custom lifecycle event in the stack settings.
D.Assign the custom recipe to the Setup lifecycle event in the layer's Recipes settings.
AnswerD

This is the correct way to run a recipe during setup.

Why this answer

In AWS OpsWorks, lifecycle events (Setup, Configure, Deploy, Undeploy, Shutdown) are predefined hooks that run Chef recipes on instances. To run a custom recipe during the Setup event on all instances in a layer, you must assign that recipe to the Setup lifecycle event in the layer's Recipes settings. This ensures the recipe executes automatically when an instance enters the online state after bootstrapping.

Exam trap

The trap here is that candidates confuse OpsWorks lifecycle events with EC2 user data or assume recipes can be triggered arbitrarily via stack configuration, but OpsWorks strictly requires recipes to be assigned to predefined lifecycle events at the layer level.

How to eliminate wrong answers

Option A is wrong because user data is an EC2 feature that runs scripts at instance launch, but OpsWorks manages instances via its agent and Chef runs; user data is not integrated with OpsWorks lifecycle events or its recipe execution order. Option B is wrong because while recipes can be stored in S3, simply referencing a recipe in the stack configuration does not tie it to a specific lifecycle event; recipes must be assigned to a lifecycle event in the layer's settings to execute. Option C is wrong because OpsWorks does not support defining custom lifecycle events; the five lifecycle events (Setup, Configure, Deploy, Undeploy, Shutdown) are fixed and cannot be extended or renamed.

194
MCQmedium

A DevOps team uses AWS OpsWorks for configuration management. They have a stack with a custom cookbook that installs and configures an application. After updating the cookbook on GitHub, they need to apply the changes to existing instances without creating new ones. What should the team do?

A.Clone the stack and assign the updated cookbook to the new stack.
B.Use the 'Execute Recipes' feature to run the updated custom recipe on the instances.
C.Update the layer's custom cookbook settings and then reboot the instances.
D.Update the stack's custom cookbook source and click 'Update Dependencies' on the stack.
AnswerB

Correct. 'Execute Recipes' runs the specified recipe on selected instances, applying the changes.

Why this answer

Option C (run a custom recipe using 'Execute Recipes' on the instances) is correct because it applies the updated cookbook without replacing instances. Option A is wrong because cloning creates a new stack, not updating existing instances. Option B is wrong because updating the stack configuration does not trigger cookbook execution.

Option D is wrong because it updates the layer, but does not run the updated cookbook automatically.

195
MCQmedium

A DevOps engineer is creating a CloudFormation template that includes an AWS Lambda function. The function code is stored in an S3 bucket. The engineer wants to ensure that the Lambda function is updated whenever the code in S3 changes. What should the engineer do?

A.Use AWS CodeDeploy to deploy the Lambda function
B.Reference the S3 object version in the Lambda function's Code property to force an update when the version changes
C.Add a DependsOn clause to the Lambda function resource
D.Use AWS CodePipeline to automatically update the stack when the S3 object changes
AnswerB

Changing the version triggers a stack update.

Why this answer

Option B is correct because referencing the S3 object version in the Lambda function's Code property (e.g., `S3ObjectVersion`) creates a dependency on that specific version. When the S3 object is updated, its version changes, which triggers CloudFormation to detect a change in the template and update the Lambda function during the next stack update. This ensures the function code is refreshed without manual intervention.

Exam trap

The trap here is that candidates assume any automation tool (CodePipeline or CodeDeploy) can replace the need for explicit version tracking, but CloudFormation requires a property change to trigger an update, and only referencing the S3 object version achieves that directly.

How to eliminate wrong answers

Option A is wrong because AWS CodeDeploy is a deployment service for managing traffic shifting and rollbacks, not a mechanism to detect S3 object changes and trigger CloudFormation updates. Option C is wrong because a DependsOn clause only controls resource creation order, not update triggers based on S3 object version changes. Option D is wrong because AWS CodePipeline can automate stack updates, but it requires an external trigger (e.g., S3 event notification or webhook) and does not inherently detect S3 object version changes to update the Lambda function directly.

196
MCQeasy

A DevOps engineer needs to manage the configuration of a large number of EC2 instances that are part of a cluster. The instances should have consistent software packages, services, and settings. The engineer wants to use a configuration management tool that integrates with AWS and supports a push-based model. Which service should be used?

A.AWS OpsWorks Stacks
B.AWS CodeCommit
C.AWS Systems Manager Run Command
D.AWS CloudFormation
AnswerC

Run Command pushes commands to instances.

Why this answer

Option D is correct because AWS Systems Manager Run Command uses a push-based model to execute commands and manage configuration on instances. Option A (OpsWorks) is pull-based. Option B (CloudFormation) is for infrastructure, not configuration.

Option C (CodeCommit) is a source control service.

197
MCQeasy

A company uses AWS CloudFormation to manage its infrastructure. The DevOps team needs to deploy a stack that includes a Lambda function and an S3 bucket. The Lambda function's code is stored in the S3 bucket. How can the team ensure that the Lambda function is created after the S3 bucket and the code is uploaded?

A.Upload the code to the S3 bucket before creating the stack.
B.Use the Fn::GetAtt intrinsic function to retrieve the bucket name.
C.Define the S3 bucket resource before the Lambda function resource in the template.
D.Use the DependsOn attribute on the Lambda function to depend on the S3 bucket.
AnswerD

DependsOn ensures creation order.

Why this answer

Option D is correct because the DependsOn attribute explicitly instructs CloudFormation to create the S3 bucket before the Lambda function. Even though CloudFormation automatically determines resource dependencies for certain intrinsic functions, it does not infer dependencies based on code uploads. Using DependsOn ensures the bucket exists and the code is uploaded before the Lambda function is created, preventing a deployment failure when the Lambda references code that is not yet available.

Exam trap

The trap here is that candidates assume CloudFormation automatically orders resources based on template order or implicit references like Fn::GetAtt, but it does not infer dependencies from code uploads or resource definition order, so explicit DependsOn is required for non-attribute-based dependencies.

How to eliminate wrong answers

Option A is wrong because it requires manual intervention outside of the CloudFormation stack, breaking the principle of infrastructure as code and making the deployment non-repeatable and error-prone. Option B is wrong because Fn::GetAtt retrieves an attribute of a resource (e.g., the bucket ARN) but does not create a dependency that ensures the bucket is fully created and the code is uploaded before the Lambda function is created. Option C is wrong because the order of resource definitions in the template does not guarantee creation order; CloudFormation may create resources in parallel or in a different order unless explicit dependencies are defined.

198
MCQmedium

A company uses AWS CloudFormation to deploy a three-tier web application. The deployment includes an Application Load Balancer (ALB), an Auto Scaling group, and an Amazon RDS database. The operations team reports that updates to the database security group rules are not being applied correctly during stack updates. The CloudFormation template uses AWS::RDS::DBInstance and AWS::EC2::SecurityGroup resources. What is the most likely cause of this issue?

A.The DBInstance resource has a DeletionPolicy attribute set to 'Retain', causing CloudFormation to skip updates to dependent resources.
B.The CloudFormation stack has a stack policy that denies updates to the security group resources.
C.The security group rules are defined inline within the AWS::EC2::SecurityGroup resource, and CloudFormation does not update inline rules after initial creation.
D.The RDS database is in a VPC that requires a VPC endpoint for CloudFormation to update security groups.
AnswerA

When DeletionPolicy is Retain, CloudFormation may not update the DBInstance and its dependencies correctly during updates.

Why this answer

Option A is correct because when a DBInstance resource has a DeletionPolicy set to 'Retain', CloudFormation treats the resource as a 'non-updatable' resource during stack updates. This means CloudFormation will not modify the DBInstance or its dependent resources, such as the security group rules, even if the template changes. The 'Retain' policy prevents CloudFormation from replacing or updating the resource, causing updates to associated security group rules to be silently skipped.

Exam trap

The trap here is that candidates often assume security group rule updates fail due to inline rule limitations or VPC networking issues, but the real cause is the DeletionPolicy on a dependent resource (DBInstance) that blocks the update chain.

How to eliminate wrong answers

Option B is wrong because a stack policy that denies updates to security group resources would cause the entire stack update to fail with an explicit error, not silently skip updates. Option C is wrong because CloudFormation does update inline security group rules defined within the AWS::EC2::SecurityGroup resource when the template changes; the issue is not about inline vs. separate rules but about the DeletionPolicy on the DBInstance. Option D is wrong because VPC endpoints are not required for CloudFormation to update security groups; CloudFormation uses the AWS API directly, and VPC endpoints are only needed if the stack operations are performed from within a private subnet without internet access, which is not indicated here.

199
MCQmedium

A company uses AWS CodePipeline with a multi-branch strategy. The pipeline deploys a Lambda function using CloudFormation. The DevOps engineer notices that when a new branch is created, the pipeline executes but the CloudFormation stack fails because the stack name already exists. What is the MOST efficient way to resolve this issue?

A.Modify the pipeline to use a dynamic stack name parameter, such as the branch name.
B.Hardcode a different stack name for each branch in the pipeline.
C.Delete the existing stack before each deployment.
D.Use the CloudFormation 'Override' parameter to reuse the same stack.
AnswerA

This creates unique stacks per branch, avoiding conflicts.

Why this answer

Option B is correct because using a dynamic stack name based on the branch name or a unique identifier ensures each pipeline execution creates a separate stack, avoiding name conflicts. Option A is wrong because deleting the stack before creation may cause downtime. Option C is wrong because CloudFormation does not support stack name overrides; a new name must be used.

Option D is wrong because hardcoding a different stack name per branch is not scalable.

200
MCQeasy

A DevOps engineer is designing a CI/CD pipeline for a microservices application. The team wants to ensure that infrastructure changes are reviewed and approved before deployment. The code is stored in AWS CodeCommit, and the pipeline uses AWS CodePipeline and AWS CloudFormation. What is the BEST way to implement an approval process for infrastructure changes?

A.Use CodeCommit approval rules to require a pull request before any change is merged.
B.Configure IAM policies to require MFA before any CloudFormation stack update.
C.Use CodeBuild to run a script that sends an approval request via Amazon SNS and waits for a response.
D.Add a manual approval step in CodePipeline between the build and deploy stages.
AnswerD

C: Manual approval actions in CodePipeline allow a reviewer to approve or reject before deployment.

Why this answer

Option C is correct because CodePipeline supports manual approval actions that can be inserted between stages. Option A is wrong because CodeCommit approval rules only apply to code merges, not pipeline execution. Option B is wrong because IAM policies cannot create approval gates in the pipeline.

Option D is wrong because CodeBuild does not have native approval capabilities.

201
MCQmedium

A DevOps engineer runs the command shown in the exhibit to view stack events. The stack update failed. What is the most likely cause of the failure?

A.The IAM role for the Lambda function is missing required permissions.
B.The Lambda function specifies a runtime that is not available in the region.
C.The Lambda function code exceeds the maximum size limit.
D.The S3 bucket containing the template is not accessible.
AnswerB

B: The error clearly states 'The runtime parameter 'nodejs18.x' is not supported.'

Why this answer

Option B is correct because the error message indicates that the runtime 'nodejs18.x' is not supported. Option A is wrong because the error is about runtime, not S3 access. Option C is wrong because the error is specific to Lambda runtime, not IAM.

Option D is wrong because the error is about an invalid parameter, not a timeout.

202
MCQmedium

A DevOps engineer deploys the CloudFormation snippet shown in the exhibit. After the stack is deleted, the engineer checks for the S3 bucket. Which statement best describes the outcome?

A.The bucket is deleted because the stack deletion overrides the DeletionPolicy.
B.The bucket is retained (not deleted) after the stack deletion.
C.The stack deletion fails because the bucket has versioning enabled.
D.The bucket is deleted along with the stack because the DeletionPolicy is not supported for S3 buckets.
AnswerB

DeletionPolicy: Retain preserves the bucket.

Why this answer

Option C is correct because the DeletionPolicy: Retain ensures the bucket is not deleted when the stack is deleted. Option A is wrong because the bucket is retained. Option B is wrong because the bucket exists.

Option D is wrong because the stack deletion succeeds, but the bucket remains.

203
MCQeasy

A DevOps team is using AWS CloudFormation to manage infrastructure. They need to ensure that stack updates are reviewed and approved by a senior engineer before being executed. Which feature should they implement?

A.Stack policies
B.Drift detection
C.Change sets
D.Stack sets
AnswerC

Change sets allow you to review the proposed changes before executing a stack update.

Why this answer

Change sets allow you to preview proposed changes before applying them. Option B is correct. Option A is incorrect because stack policies protect stack resources during updates but do not provide a review mechanism.

Option C is incorrect because drift detection detects changes outside of CloudFormation. Option D is incorrect because stack sets deploy stacks across accounts/regions.

204
Multi-Selectmedium

A company uses AWS Systems Manager to manage patching of EC2 instances. They want to ensure that instances in a specific Auto Scaling group are patched before being allowed to serve traffic. Which THREE steps should be part of the solution?

Select 3 answers
A.Create a new launch configuration with the patched AMI.
B.Update the Auto Scaling group to use the new launch configuration.
C.Deploy the patched version using AWS CodeDeploy.
D.Configure Amazon CloudWatch Events to trigger a Lambda function after patching.
E.Use an AWS Systems Manager Maintenance Window to apply patches to instances.
AnswersA, B, E

After patching, create a new AMI and launch configuration.

Why this answer

Options A, B, and E are correct. Option A ensures instances are patched before use. Option B creates new instances.

Option E updates the Auto Scaling group to use the new launch configuration. Option C (CodeDeploy) is not needed for patching. Option D (CloudWatch Events) is optional and not required.

205
MCQeasy

A gaming company uses AWS Elastic Beanstalk to deploy a web application. The operations team needs to update environment configuration variables (e.g., database URL) without causing downtime. They want to change the value of an environment property. What is the CORRECT way to apply this change?

A.Update the environment properties in the Elastic Beanstalk console; the platform will perform a rolling update.
B.Terminate the environment and create a new one with the updated configuration.
C.Use an immutable update by deploying a new version with the changes.
D.Use AWS Lambda to directly modify the environment configuration without redeploying.
AnswerA

Elastic Beanstalk applies configuration changes via rolling updates without downtime.

Why this answer

Elastic Beanstalk supports rolling updates for environment configuration changes (B). Updating via the console or CLI triggers a rolling update. Option A (terminate) causes downtime; C (SQS) is not relevant; D (immutable) also causes replacement.

206
Multi-Selecthard

Which THREE actions should a DevOps engineer take to ensure that AWS CloudFormation stacks are securely managed? (Choose three.)

Select 3 answers
A.Set a DeletionPolicy on the stack to retain resources when the stack is deleted.
B.Use a service role with least privilege when creating the stack.
C.Use IAM policies to restrict CloudFormation actions to specific users and roles.
D.Define a StackSetPolicy to control permissions across accounts.
E.Apply a stack policy to prevent updates to sensitive resources during stack updates.
AnswersB, C, E

Service roles allow CloudFormation to perform actions on behalf of the user.

Why this answer

Option A is correct because IAM policies can restrict who can create/modify stacks. Option C is correct because stack policies protect critical resources during updates. Option D is correct because using service roles follows least privilege.

Option B is wrong because there is no 'StackSetPolicy' property. Option E is wrong because deletion policies are for individual resources, not the whole stack.

207
MCQhard

A DevOps engineer manages infrastructure using Terraform. The team needs to store secrets such as database passwords in a secure manner and reference them in Terraform configurations. They have configured AWS Secrets Manager. What is the recommended approach to reference secrets in Terraform without exposing them in state files?

A.Store the secret ARN in a Terraform variable and use 'var.secret_arn' in the resource.
B.Store the secret in AWS Systems Manager Parameter Store and reference it using 'data.aws_ssm_parameter'.
C.Pass the secret as an environment variable to Terraform and reference it with 'var.secret_value'.
D.Use the 'data.aws_secretsmanager_secret_version' data source and mark the attribute as 'sensitive = true' in the output.
AnswerD

The data source retrieves the secret, and marking outputs as sensitive prevents them from being shown in logs or state.

Why this answer

Option D is correct because using the `data.aws_secretsmanager_secret_version` data source retrieves the secret value at plan time without storing it in the Terraform state file. Marking the attribute as `sensitive = true` in the output prevents the value from being displayed in the CLI output, but the key protection is that the secret value itself is never written to the state file when using this data source — Terraform only stores the data source's ID and metadata, not the actual secret payload.

Exam trap

The trap here is that candidates assume marking an output as `sensitive = true` alone protects the secret, but the real protection comes from the data source not storing the secret value in the state file — the `sensitive` flag only controls CLI display, not state persistence.

How to eliminate wrong answers

Option A is wrong because storing the secret ARN in a variable does not retrieve or protect the secret value; it only references the ARN, and the actual secret must still be fetched and could be exposed in the state. Option B is wrong because while AWS Systems Manager Parameter Store can store secrets, the question explicitly states the team has configured AWS Secrets Manager, and using Parameter Store would be a different service; additionally, `data.aws_ssm_parameter` can expose the secret value in the state file if not handled carefully. Option C is wrong because passing the secret as an environment variable and referencing it with `var.secret_value` requires the secret to be defined as a Terraform variable, which will be stored in plaintext in the Terraform state file unless the variable is marked as sensitive and the state is encrypted, but the environment variable approach does not inherently prevent state exposure.

208
MCQhard

A company uses CloudFormation to manage infrastructure. They have a nested stack that creates an Amazon RDS instance. When updating the parent stack, the RDS instance is unexpectedly replaced even though no changes were made to its properties. The engineer suspects a 'Drift' detection issue. What is the most likely reason for the replacement?

A.The RDS instance has drifted from the template definition.
B.The deletion policy is set to 'Retain'.
C.The logical ID of the RDS resource was changed in the nested stack template.
D.The stack policy prevents updates to the RDS instance.
AnswerC

A change in logical ID causes CloudFormation to create a new resource and delete the old one.

Why this answer

Option D is correct because if the logical ID in the template changes, CloudFormation treats it as a new resource and replaces the old one. Option A is wrong because replacement may occur without drift. Option B is wrong because stack policy doesn't always prevent replacement.

Option C is wrong because deletion policy doesn't cause replacement.

209
MCQhard

A company uses AWS CloudFormation to manage its infrastructure. The DevOps team wants to ensure that when a stack update fails, the stack automatically rolls back to its previous state. However, they also want to preserve any resources that were created outside of CloudFormation (drift). What should they do?

A.Enable termination protection on the stack to prevent deletion during rollback.
B.Use a CloudFormation resource policy with a 'Retain' rule for resources that might have drifted. Then enable rollback on failure.
C.Use a stack policy that denies updates to resources created outside CloudFormation. Then enable rollback on failure.
D.Enable rollback on failure in the stack options. CloudFormation will automatically roll back, preserving all resources.
AnswerB

Resource policies allow retaining specific resources during stack updates and rollbacks.

Why this answer

Option B is correct because CloudFormation resource policies allow you to specify which resources should be retained on deletion. Option A is wrong because it would delete all resources. Option C is wrong because stack policies protect resources during updates, not for rollback.

Option D is wrong because termination protection prevents stack deletion, not resource deletion during rollback.

210
MCQhard

A company uses AWS Elastic Beanstalk with a custom platform. They need to update the platform version to include a new security patch. Which approach should be used to create a new custom platform version?

A.Use the Elastic Beanstalk CLI to rebuild the platform with the new AMI.
B.Launch a new EC2 instance, apply the patch, and create an AMI, then update the platform version.
C.Modify the existing platform version's AMI ID using the Elastic Beanstalk console.
D.Create a new platform version using the aws elasticbeanstalk create-platform-version command with an updated platform definition file.
AnswerD

This creates a new custom platform version with the updated configuration.

Why this answer

Option D is correct. Custom platforms are created by packaging a platform definition file (a .zip) and using the aws elasticbeanstalk create-platform-version command. The platform definition includes the AMI ID and other configuration.

Option A is incorrect because you cannot update an existing platform; you must create a new version. Option B is incorrect because you cannot directly modify the AMI in the existing platform. Option C is incorrect because Beanstalk does not automatically rebuild platforms; you need to create a new version.

211
Multi-Selectmedium

Which TWO actions should a DevOps engineer take to implement a GitFlow branching strategy for infrastructure as code using AWS CodeCommit and CodePipeline? (Choose two.)

Select 2 answers
A.Disable automatic triggers on the master branch to prevent accidental deployments.
B.Use CodeBuild to run unit tests on feature branches before merging.
C.Use a single pipeline that handles all branches.
D.Create separate pipelines for develop and master branches.
E.Configure CodePipeline to trigger on pull request creation.
AnswersB, D

Validates code before merge.

Why this answer

Options B and D are correct. Using separate pipelines for each branch allows different deployment behaviors. Option A is wrong because CodePipeline does not natively support pull request triggers; CodeBuild can be used for validation.

Option C is wrong because merging from develop to master should trigger a pipeline for release. Option E is wrong because using the same pipeline for all branches reduces flexibility.

212
MCQhard

A company uses AWS CloudFormation with a template that creates an Amazon RDS DB instance. The password for the master user is stored in AWS Secrets Manager. The CloudFormation stack creation fails with the error: 'Value of property MasterUserPassword must be of type String'. How should the DevOps engineer resolve this issue?

A.Use the Fn::ImportValue intrinsic function to import the secret value.
B.Use the Ref intrinsic function to reference the secret.
C.Use the dynamic reference '{{resolve:secretsmanager:MySecret:SecretString:password}}' in the CloudFormation template.
D.Use the Fn::GetAtt intrinsic function to retrieve the secret value from Secrets Manager.
AnswerC

Dynamic references allow CloudFormation to resolve secrets at stack creation.

Why this answer

Option C is correct because CloudFormation supports dynamic references, which allow you to retrieve secret values from AWS Secrets Manager at stack creation time using the syntax `{{resolve:secretsmanager:secret-id:secret-string:json-key}}`. This resolves the password as a plaintext string directly in the template, satisfying the `MasterUserPassword` property's requirement for a String type. Other intrinsic functions like `Ref` or `Fn::GetAtt` return ARNs or metadata, not the secret value itself, and cannot be used directly for this purpose.

Exam trap

The trap here is that candidates often confuse intrinsic functions like `Ref` or `Fn::GetAtt` with the ability to retrieve secret values, not realizing that only dynamic references (the `{{resolve:...}}` syntax) can directly inject a secret string into a resource property that expects a plaintext value.

How to eliminate wrong answers

Option A is wrong because `Fn::ImportValue` is used to import exported cross-stack output values, not to retrieve secret values from Secrets Manager. Option B is wrong because `Ref` on an AWS::SecretsManager::Secret resource returns the secret ARN, not the secret string value, so it cannot provide the password as a string. Option D is wrong because `Fn::GetAtt` on a Secrets Manager secret returns attributes like the ARN or the generated password metadata, but not the plaintext secret value, and it does not resolve to a string that can be used directly in the `MasterUserPassword` property.

213
MCQmedium

An engineer uses AWS Elastic Beanstalk to deploy a web application. The application needs to read from an S3 bucket. The engineer has configured an instance profile with the necessary S3 permissions. However, the application returns an access denied error. What is the MOST likely cause?

A.The instance profile has not been assigned to the Elastic Beanstalk environment.
B.The S3 bucket policy denies access to the application.
C.The security group assigned to the environment does not allow outbound traffic to S3.
D.The S3 bucket is in a different region and the application is not configured to use the correct region.
AnswerA

The instance profile must be specified in the environment configuration.

Why this answer

Option B is correct because the instance profile must be associated with the EC2 instances launched by Elastic Beanstalk. Option A is incorrect because security groups control network traffic, not S3 permissions. Option C is incorrect because environment variables are not used for IAM permissions.

Option D is incorrect because a bucket policy is not needed if the instance profile grants access.

214
Multi-Selectmedium

A DevOps team is using AWS CodeBuild to run unit tests and package a Java application. They want to cache the Maven local repository (~/.m2) between builds to improve build times. Which TWO steps are necessary to enable caching in CodeBuild? (Select TWO.)

Select 2 answers
A.Set the MAVEN_OPTS environment variable to use a custom repository path.
B.Configure the buildspec to upload the Maven repository as a build artifact.
C.Enable 'Local cache' mode in the CodeBuild project.
D.Add a 'cache' section in the buildspec file specifying the paths to cache.
E.Create an S3 bucket to store the cache.
AnswersD, E

The buildspec cache section tells CodeBuild which files to cache.

Why this answer

Option A is correct because caching requires an S3 bucket to store the cache. Option D is correct because the buildspec must specify the paths to cache. Option B (setting environment variable) is not required.

Option C (local cache mode) is a different feature for Docker layer caching. Option E (buildspec artifact) is for output artifacts, not caching.

215
MCQeasy

A company uses AWS OpsWorks for configuration management. The operations team needs to apply a configuration change to all instances in a layer without downtime. Which approach should they use?

A.Use a custom Chef recipe and run it on the layer using OpsWorks 'Run Command'.
B.Use an Auto Scaling lifecycle hook to apply the change during instance launch.
C.Clone the layer and update the clone with the new configuration, then switch traffic.
D.SSH into each instance and manually apply the change.
AnswerA

OpsWorks supports running recipes on existing instances.

Why this answer

Option D is correct because OpsWorks allows running custom recipes on a layer, which can be applied without recreating instances. Option A is incorrect because cloning does not apply changes. Option B is incorrect because Chef solo is not managed by OpsWorks.

Option C is incorrect because Auto Scaling does not apply configuration updates.

216
MCQmedium

A DevOps engineer is using AWS CodeDeploy to deploy an application to an Auto Scaling group. The deployment fails with the error: 'The overall deployment failed because too many individual instances failed deployment'. The engineer checks the logs and finds that the application installation script exits with a non-zero exit code. What should the engineer do to troubleshoot?

A.Configure CloudWatch Logs to capture the script output
B.Increase the deployment's MinHealthyHosts percentage
C.Re-upload the application revision to S3
D.SSH into one of the failed instances and run the install script manually to identify the error
AnswerD

Manual debugging reveals the script error.

Why this answer

Option D is correct because the deployment failure is caused by the application installation script exiting with a non-zero exit code, which indicates a specific error in the script or its environment. SSHing into a failed instance and running the install script manually allows the engineer to see the exact error output, debug the script logic, and identify missing dependencies or configuration issues directly on the target host.

Exam trap

The trap here is that candidates may assume increasing MinHealthyHosts or re-uploading the revision will fix the issue, when in fact the problem is a script-level error that requires direct investigation on a failed instance.

How to eliminate wrong answers

Option A is wrong because CloudWatch Logs can capture script output only if the script is configured to write to a log file and the CloudWatch agent is installed and configured on the instances; it does not retroactively capture the error from a failed deployment. Option B is wrong because increasing MinHealthyHosts percentage would raise the threshold for healthy instances, making the deployment more strict and likely to fail faster, not help troubleshoot the script error. Option C is wrong because re-uploading the application revision to S3 does not address the root cause of the script failure; the revision is already present on the instances, and the error is in the execution, not in the upload.

217
MCQmedium

An organization uses AWS Systems Manager to manage a fleet of EC2 instances. They want to ensure that all instances have a specific software package installed. Which approach should they take?

A.Use OpsCenter to create an OpsItem for each instance.
B.Use Run Command to execute the installation on all instances.
C.Create a Patch Baseline that includes the package.
D.Create a State Manager association with a custom document that installs the package.
AnswerD

State Manager enforces configuration state.

Why this answer

Option A is correct because State Manager associations can enforce desired configurations, such as installing software packages, on a schedule or on demand. Option B is wrong because Run Command is for one-time ad-hoc execution, not continuous enforcement. Option C is wrong because Patch Manager focuses on OS patches, not arbitrary software.

Option D is wrong because OpsCenter is for operational issues, not configuration management.

218
MCQeasy

A DevOps team is using AWS CloudFormation to manage a multi-tier application. They want to ensure that when an update to the stack causes a resource replacement, the replacement occurs only after the new resource is fully created and tested. Which CloudFormation feature should they use?

A.UpdatePolicy attribute with AutoScalingRollingUpdate
B.CreationPolicy attribute with CreateBeforeDestroy
C.DeletionPolicy attribute set to Retain
D.DependsOn attribute to specify creation order
AnswerB

Ensures new resource is created before old one is deleted.

Why this answer

Option D is correct because CloudFormation 'CreateBeforeDestroy' ensures that a new resource is created before the old one is deleted, reducing downtime. Option A is wrong because 'UpdatePolicy' is for auto-scaling groups. Option B is wrong because 'DeletionPolicy' controls what happens when a resource is deleted.

Option C is wrong because 'DependsOn' only defines resource creation order.

219
MCQmedium

A DevOps engineer is creating a CloudFormation template to deploy a VPC with public and private subnets. The template uses the 'AWS::EC2::VPC' resource and two 'AWS::EC2::Subnet' resources. The engineer wants to ensure that the subnets are created in different Availability Zones. What is the best approach?

A.Use Fn::GetAZs function with Fn::Select to pick different AZs from the region's AZ list.
B.Use the CidrBlock property to define different AZs.
C.Use Fn::GetAZs function with a count of 2 to automatically assign different AZs.
D.Hardcode the Availability Zone names in the template.
AnswerA

Ensures different AZs dynamically.

Why this answer

Option A is correct because Fn::GetAZs returns a list of all Availability Zones in the region, and Fn::Select allows you to pick specific indices from that list, ensuring each subnet is assigned a different AZ. This approach is dynamic and region-agnostic, so the template works across regions without hardcoding AZ names. It also avoids the risk of using the same AZ for both subnets, which would violate the requirement for high availability.

Exam trap

The trap here is that candidates confuse the CidrBlock property with AZ assignment, or assume Fn::GetAZs can directly return multiple AZs without using Fn::Select, leading them to pick option B or C.

How to eliminate wrong answers

Option B is wrong because the CidrBlock property defines the IP address range for the subnet, not the Availability Zone; AZ assignment is controlled by the AvailabilityZone property. Option C is wrong because Fn::GetAZs does not accept a count parameter; it returns a list of all AZs, and you must use Fn::Select or Fn::Split to pick individual AZs. Option D is wrong because hardcoding AZ names makes the template region-specific and brittle; if the template is deployed in a region with different AZ names, it will fail, and it also prevents the template from adapting to regions with fewer AZs.

220
MCQmedium

A company uses AWS CloudFormation to manage infrastructure. After updating a stack, a resource fails to update because it requires a physical replacement. The stack update is set to 'Rollback on failure'. The engineer wants to test the effect of the change without affecting the production environment. Which approach should the engineer use?

A.Create a change set to review the proposed changes before executing the update.
B.Disable rollback on failure and update the stack, then manually revert if issues occur.
C.Create a new stack using the same template but with a different stack name.
D.Use a different AWS region and replicate the stack there for testing.
AnswerA

Change sets provide a preview of how changes will affect the stack.

Why this answer

Option D is correct because a change set allows previewing changes without applying them. Option A is incorrect because disabling rollback still applies changes. Option B is incorrect because using a different stack set requires manual synchronization.

Option C is incorrect because a new stack does not compare changes against the existing stack.

221
MCQeasy

A company wants to use AWS OpsWorks for configuration management of their EC2 instances. They need to ensure that the instances are automatically configured with the latest security patches upon boot. Which OpsWorks feature should they use?

A.Create a custom Chef recipe that installs security patches and assign it to the setup lifecycle event.
B.Configure the instances to run a user data script that updates packages.
C.Use AWS Systems Manager Patch Manager with an OpsWorks lifecycle event.
D.Use a CloudFormation template to apply patches during stack creation.
AnswerA

Custom recipes run during instance setup.

Why this answer

Option B is correct because OpsWorks uses Chef or Puppet recipes to configure instances. A custom recipe can be created to apply patches during the setup lifecycle event. Option A is wrong because OpsWorks does not integrate directly with Systems Manager Patch Manager.

Option C is wrong because user data is an EC2 feature, not OpsWorks. Option D is wrong because CloudFormation is for provisioning, not configuration management.

222
Multi-Selecthard

A company uses AWS CloudFormation to manage infrastructure. They have a stack that includes a VPC, subnets, and EC2 instances. They want to update the AMI ID of an EC2 instance without causing downtime. Which TWO approaches meet this requirement?

Select 2 answers
A.Use CloudFormation stack update with 'UpdatePolicy' set to 'AutoScalingRollingUpdate' and 'MinInstancesInService' set to 0.
B.Delete the stack and recreate it with the new AMI.
C.Use a CloudFormation update with a rolling update policy on the Auto Scaling group.
D.Create a custom resource backed by a Lambda function that updates the instance using AWS Systems Manager.
E.Deploy the instances across multiple Availability Zones and update each zone separately.
AnswersC, D

Rolling updates replace instances gradually.

Why this answer

Option A is correct because a rolling update can replace instances one at a time, minimizing downtime. Option D is correct because a custom resource can run a script to update the instance without replacing it. Option B is wrong because deleting and recreating the stack causes downtime.

Option C is wrong because update with replacement replaces the instance, causing downtime. Option E is wrong because multi-AZ is for RDS, not EC2.

223
MCQeasy

A developer is writing an AWS CloudFormation template to create an Amazon S3 bucket. The bucket name must be unique across all AWS accounts. Which property should the developer use to ensure the name is unique?

A.Use the DeletionPolicy attribute to retain the bucket.
B.Set the BucketName property to a unique value using a parameter.
C.Use the UpdateReplacePolicy attribute to control replacement.
D.Omit the BucketName property so CloudFormation generates a unique name.
AnswerD

CloudFormation auto-generates a unique name when BucketName is not specified.

Why this answer

Option B is correct because AWS::S3::Bucket's BucketName must be globally unique; if not specified, CloudFormation generates a unique name. Using AWS::NoValue in a condition can help but the intrinsic function Fn::Sub with !Ref AWS::StackName or AWS::AccountId is a common pattern. However, the question asks which property ensures uniqueness.

The correct answer is that the BucketName property, if omitted, results in an auto-generated unique name. Option A is wrong because the bucket name is not automatically generated to be unique if you specify it; you must ensure uniqueness yourself. Option B is correct because by not specifying BucketName, CloudFormation generates a unique name.

Option C is wrong because DeletionPolicy does not affect naming. Option D is wrong because the UpdateReplacePolicy does not affect naming.

224
MCQeasy

A developer wants to use AWS CloudFormation to create an Amazon RDS DB instance. The template includes a DB instance resource. Which property is required for the DB instance to be created successfully?

A.DBInstanceClass and Engine
B.AllocatedStorage
C.DBInstanceIdentifier
D.MasterUsername and MasterUserPassword
AnswerA

These are required properties for the DB instance resource.

Why this answer

In AWS CloudFormation, when creating an Amazon RDS DB instance using the AWS::RDS::DBInstance resource, the only truly required properties are DBInstanceClass (the compute and memory capacity) and Engine (the database engine, e.g., MySQL, PostgreSQL). These two properties are mandatory in the CloudFormation resource specification; without them, the template will fail validation. All other properties, such as AllocatedStorage, DBInstanceIdentifier, MasterUsername, and MasterUserPassword, have default behaviors or can be omitted under certain conditions (e.g., AllocatedStorage defaults to 20 GB for some engines, and MasterUsername/MasterUserPassword are not required if you use a snapshot or a source DB instance).

Exam trap

The trap here is that candidates often assume MasterUsername and MasterUserPassword are always required because they are mandatory in the AWS Management Console wizard, but CloudFormation allows omitting them when the DB instance is created from a snapshot or as a read replica, making DBInstanceClass and Engine the only universally required properties.

How to eliminate wrong answers

Option B is wrong because AllocatedStorage is not required; CloudFormation will use a default value (typically 20 GB) if not specified, and the DB instance can still be created successfully. Option C is wrong because DBInstanceIdentifier is optional; if omitted, CloudFormation automatically generates a unique identifier for the DB instance. Option D is wrong because MasterUsername and MasterUserPassword are not required when creating a DB instance from a snapshot or when specifying a source DB instance identifier; they are only required for a fresh, empty DB instance creation.

225
Multi-Selecthard

A company manages multiple AWS accounts using AWS Organizations. The DevOps team needs to enforce that all newly created S3 buckets in any account automatically have versioning enabled and are encrypted with SSE-S3. Which THREE steps should the team take to achieve this using Infrastructure as Code and policy-based controls?

Select 3 answers
A.Create an SCP that denies s3:PutObject if the bucket does not have encryption enabled.
B.Configure AWS CodePipeline to run a script that checks bucket configurations after creation.
C.Manually configure each new bucket via the AWS Management Console.
D.Use AWS CloudFormation StackSets to deploy a template that creates S3 buckets with required settings in all accounts.
E.Deploy an AWS Config managed rule to check that S3 buckets have versioning enabled, with automatic remediation using SSM Automation.
AnswersA, D, E

SCPs can restrict API calls across accounts, enforcing encryption at creation time.

Why this answer

Using a Service Control Policy (SCP) (A) prevents creation of buckets without encryption. AWS Config Rules (B) can remediate non-compliant buckets. CloudFormation StackSets (D) deploy a baseline template to all accounts.

Option C (manual) is not scalable; E (CodePipeline only) does not enforce policies.

← PreviousPage 3 of 4 · 281 questions totalNext →

Ready to test yourself?

Try a timed practice session using only Configuration Management and IaC questions.