CCNA Configuration Management and IaC Questions

56 of 281 questions · Page 4/4 · Configuration Management and IaC · Answers revealed

226
MCQ · hard

Refer to the exhibit. An IAM policy is attached to a group. A user in the group tries to stop an EC2 instance in us-east-1. What will happen?

A.The action is denied because the policy does not explicitly allow stopping an instance that is running.
B.The action is denied because the Deny statement is ambiguous and could apply to StopInstances.
C.The action is allowed only if the instance is in a stopped state.
D.The action is allowed because StopInstances is explicitly allowed and not denied.
Answer: D

An explicit Allow overrides the implicit Deny; only an explicit Deny on ec2:StopInstances could override that Allow, and the policy's Deny names ec2:TerminateInstances.

Why this answer

Option D is correct because the policy explicitly allows ec2:StopInstances for all resources, and there is no explicit deny for StopInstances. The Deny only applies to TerminateInstances. Option A is incorrect because StopInstances is allowed.

Option B is incorrect because the Deny is not ambiguous. Option C is incorrect because there is no condition key about instance state.

227
MCQ · easy

A DevOps engineer needs to deploy a configuration management solution that can manage both Windows and Linux servers across on-premises and AWS environments. The solution must support a Git-based workflow for version control of configurations. Which AWS service should the engineer choose?

A.AWS CloudFormation
B.AWS OpsWorks for Chef Automate
C.AWS Elastic Beanstalk
D.AWS CodeDeploy
Answer: B

Chef Automate supports Git-based workflows and manages both Windows and Linux servers.

Why this answer

AWS OpsWorks for Chef Automate is the correct choice because it provides a fully managed Chef Automate server that supports configuration management for both Windows and Linux servers across on-premises and AWS environments. Chef uses a Git-based workflow for version control of cookbooks, enabling DevOps teams to store, version, and manage configurations as code in a Git repository.

Exam trap

The trap here is that candidates often confuse Infrastructure as Code services like CloudFormation with configuration management tools, failing to recognize that CloudFormation manages AWS resource provisioning while Chef Automate handles OS-level configuration drift across both Windows and Linux servers.

How to eliminate wrong answers

Option A is wrong because AWS CloudFormation is an Infrastructure as Code (IaC) service for provisioning AWS resources using templates, not a configuration management tool for managing OS-level settings on existing servers. Option C is wrong because AWS Elastic Beanstalk is a Platform as a Service (PaaS) for deploying web applications, not a configuration management solution for managing server configurations across hybrid environments. Option D is wrong because AWS CodeDeploy is a deployment service for automating application code deployments to compute instances, not a configuration management tool for enforcing desired state configurations on servers.

228
MCQ · medium

A DevOps team is using AWS CodePipeline to automate deployments. The pipeline has a source stage (CodeCommit), a build stage (CodeBuild), and a deploy stage (CodeDeploy). The team wants to add a manual approval step before the deploy stage to ensure that only authorized personnel can approve production deployments. Which action should be taken to implement this requirement?

A.Add an AWS Lambda function as a transition action between the build and deploy stages that sends an email to the approver and waits for a response.
B.Create a CodeDeploy deployment group with a manual approval step in the deployment configuration.
C.Configure an Amazon SNS topic to send an approval request email to the approver, and use a Lambda function to resume the pipeline upon approval.
D.Add a manual approval action to the pipeline between the build and deploy stages, and configure the SNS topic to notify the approvers.
Answer: D

CodePipeline supports manual approval actions that pause the pipeline until approved.

Why this answer

Option D is correct because AWS CodePipeline natively supports a manual approval action that can be inserted as a stage between build and deploy. This action pauses the pipeline and sends a notification via an SNS topic to the configured approvers. The pipeline only resumes when an authorized user clicks the 'Approve' button in the CodePipeline console or API, ensuring that only authorized personnel can approve production deployments.

Exam trap

The trap here is that candidates often confuse CodeDeploy's deployment configuration options (like traffic shifting or validation hooks) with pipeline-level approval actions, or they assume a custom Lambda function can replace the native approval action, missing the fact that CodePipeline provides a fully managed, auditable approval workflow.

How to eliminate wrong answers

Option A is wrong because a stage transition in CodePipeline is not an action and cannot be replaced by a function. A Lambda function can be added as an Invoke action, but such an action must report success or failure within a bounded time window; it cannot hold the pipeline indefinitely while a human answers an email, and it records no approver identity. Option B is wrong because CodeDeploy deployment groups do not have a manual approval step in their deployment configuration; manual approvals are a pipeline-level feature, not a CodeDeploy feature. Option C is wrong because while an SNS topic can send approval emails, using a Lambda function to resume the pipeline bypasses the built-in approval workflow, its IAM control (codepipeline:PutApprovalResult) and its audit trail, and the pipeline would not properly wait for the approval response.

229
MCQ · hard

A DevOps engineer is troubleshooting an AWS OpsWorks for Chef Automate deployment. The Chef server is configured with a custom run list that includes a recipe to install and configure an application. The test environment works correctly, but in the production environment, the application fails to start. The Chef client logs show that the recipe executed successfully, but the application process is not running. What is the most likely cause of this issue?

A.The OpsWorks stack is configured to use 'auto-healing' which automatically terminates and replaces instances that fail to start the application.
B.The Chef server in production is running a different version of Chef than the test environment, causing the recipe to behave differently.
C.The IAM instance profile attached to the production EC2 instance does not have the necessary permissions to start the application service.
D.The Chef recipe does not include a 'service' resource to start the application; it only installs the package.
Answer: C

The recipe's start command returns success, but a process that relies on the instance profile for AWS access (for example to read a secret or mount a file system) exits immediately when those permissions are missing in production.

Why this answer

Option C is correct because the IAM instance profile is what most often differs between environments. The same recipe runs cleanly in test, so the code path is sound; in production the application process starts and then exits when it cannot obtain AWS credentials for a dependency such as a Secrets Manager secret, an S3 object or an EFS mount target. Chef's service resource reports success as soon as the init system accepts the start command; it does not verify that the process stayed up, so the client run is green while the process is gone. Compare the production instance profile against the test one, add the missing permissions, and confirm the diagnosis in the application's own log, which will show the AccessDenied it received.

Exam trap

The trap here is that candidates assume a successful Chef client run guarantees the application is running, but the exam tests the distinction between recipe execution success and the actual outcome of system commands that depend on IAM permissions.

How to eliminate wrong answers

Option A is wrong because auto-healing in OpsWorks replaces instances that fail the agent's health check, not instances whose application exited after a successful recipe run; nothing in the scenario says instances are being replaced. Option B is wrong because a Chef version mismatch would typically surface as compile or resource errors in the client log, not as a silent exit after a clean run; the logs confirm successful execution. Option D is wrong because the recipe is the same in test and production and the application starts correctly in test, so a missing service resource would break both environments; the failure is environment-specific, which points to permissions rather than to the recipe.

230
Matching · medium

Match each AWS service to its primary function in a DevOps pipeline.

Concepts and their matches (service on the left, primary function on the right):

AWS CodePipeline: Continuous delivery service for release pipelines
AWS CodeBuild: Fully managed continuous integration build service
AWS CodeDeploy: Automates code deployments to any instance
AWS CodeStar: Unified user interface for managing software development activities
AWS CodeCommit: Fully managed source control service hosting Git repositories

Why these pairings

These are the core AWS developer tools for CI/CD.

231
MCQ · medium

A CloudFormation template includes the following resources:

  MySecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: My security group
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0
  MyInstance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-0abcdef1234567890
      InstanceType: t2.micro
      SecurityGroupIds: !Ref MySecurityGroup

The stack creation fails with the error shown. What is the cause?

A.The SecurityGroupIds property must be a list, but !Ref returns a single value.
B.The SecurityGroupIds property must be a list of security group names, not IDs.
C.The security group ingress rule is invalid because it allows all traffic.
D.The ImageId is missing, so the security group validation fails first.
Answer: A

!Ref returns a string, not a list.

Why this answer

Option A is correct. The SecurityGroupIds property expects a list of security group IDs, but !Ref MySecurityGroup returns a single string (the security group ID). To pass a list, use a list literal such as `SecurityGroupIds: [!Ref MySecurityGroup]` or a block-sequence entry `- !Ref MySecurityGroup`.

Option B is incorrect because SecurityGroupIds takes IDs; names belong in the separate SecurityGroups property, which applies only to the default VPC. Option C is incorrect because the ingress rule is valid: it opens TCP 443 only, not all traffic, and 0.0.0.0/0 on 443 is an ordinary public HTTPS rule. Option D is incorrect because ImageId is present; the error concerns the type of a property, not a missing one.
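The type error above is cheap to catch before CloudFormation ever sees the template. The following checker is an added example written for this page, not AWS code or a tool the page describes. It works on CloudFormation's JSON form so that only the standard library is needed ({"Ref": "X"} is the JSON spelling of !Ref X), and its table of list-typed properties is a small hand-written subset, an assumption rather than the full CloudFormation resource specification.

```python
"""Added example (not AWS code) for question 231: a pre-deployment check for the
'single value where CloudFormation expects a list' mistake.  The template is in
CloudFormation's JSON form so only the standard library is needed; {"Ref": "X"}
is the JSON spelling of the YAML tag !Ref X.  LIST_PROPERTIES is a small
hand-written subset (an assumption), not the full resource specification."""
import copy
import json

# Properties typed List<String> in the CloudFormation resource spec (subset).
LIST_PROPERTIES = {
    "AWS::EC2::Instance": {"SecurityGroupIds", "SecurityGroups"},
    "AWS::AutoScaling::LaunchConfiguration": {"SecurityGroups"},
    "AWS::RDS::DBInstance": {"VPCSecurityGroups"},
}
LIST_PARAMETER_TYPES = ("CommaDelimitedList", "List<")


def _ref_yields_string(target, template):
    """!Ref on a resource is its physical ID (a string); !Ref on a parameter is
    a string unless the parameter is a list type; pseudo parameters are strings
    except AWS::NotificationARNs."""
    if target in template.get("Resources", {}):
        return True
    param = template.get("Parameters", {}).get(target)
    if param is not None:
        return not param.get("Type", "String").startswith(LIST_PARAMETER_TYPES)
    return target.startswith("AWS::") and target != "AWS::NotificationARNs"


def _is_scalar(value, template):
    """True for a literal string or a {"Ref": ...} that resolves to a string."""
    if isinstance(value, str):
        return True
    if isinstance(value, dict) and list(value) == ["Ref"]:
        return _ref_yields_string(value["Ref"], template)
    return False


def find_type_errors(template):
    """Return (logical_id, property, message) for every list-typed property
    that was given a single string or a string-valued Ref instead of a list."""
    errors = []
    for logical_id, resource in template.get("Resources", {}).items():
        wanted = LIST_PROPERTIES.get(resource.get("Type"), set())
        props = resource.get("Properties", {})
        for name in sorted(wanted & set(props)):
            value = props[name]
            if _is_scalar(value, template):
                errors.append((logical_id, name,
                               f"{name} must be a list, got {json.dumps(value)}"))
    return errors


def fix_type_errors(template):
    """Return a copy in which each offending value is wrapped in a one-element
    list, the JSON equivalent of `SecurityGroupIds: [!Ref MySecurityGroup]`."""
    fixed = copy.deepcopy(template)
    for logical_id, name, _ in find_type_errors(template):
        props = fixed["Resources"][logical_id]["Properties"]
        props[name] = [props[name]]
    return fixed


# The template from the question, transcribed to JSON (constructed input).
TEMPLATE = {
    "Resources": {
        "MySecurityGroup": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "My security group",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                     "CidrIp": "0.0.0.0/0"}
                ],
            },
        },
        "MyInstance": {
            "Type": "AWS::EC2::Instance",
            "Properties": {
                "ImageId": "ami-0abcdef1234567890",
                "InstanceType": "t2.micro",
                "SecurityGroupIds": {"Ref": "MySecurityGroup"},   # the bug
            },
        },
    }
}

if __name__ == "__main__":
    for logical_id, name, message in find_type_errors(TEMPLATE):
        print(f"{logical_id}.{name}: {message}")
    print(json.dumps(fix_type_errors(TEMPLATE)["Resources"]["MyInstance"], indent=2))
```

The Ref handling is the part worth noting: a Ref to a resource or to a String parameter is a scalar and gets flagged, while a Ref to a CommaDelimitedList or List<...> parameter already is a list and is left alone. Running the checker in a CodeBuild step gives the same answer as `aws cloudformation validate-template` would, but before a failed stack has to be rolled back.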

232
MCQ · medium

A company is using AWS Elastic Beanstalk with a custom platform. They need to install a third-party agent on all instances. The agent requires a configuration file that contains sensitive credentials. How should the DevOps engineer provide the configuration file to the agent?

A.Use instance user data to write the configuration file during instance launch.
B.Embed the configuration file in the application source code and deploy it with the application.
C.Use .ebextensions configuration files to download the configuration from a secure S3 bucket using an IAM instance role.
D.Use AWS Systems Manager Run Command to distribute the configuration file after instances are launched.
Answer: C

Secure and automated.

Why this answer

Option C is correct because .ebextensions configuration files allow you to run custom commands and scripts during instance provisioning, and by combining this with an IAM instance role that grants read access to a secure S3 bucket, you can securely download the sensitive configuration file without embedding credentials in the source code or user data. This approach follows AWS best practices for handling secrets by avoiding hard-coded credentials and leveraging IAM roles for temporary, scoped access. In practice, scope the role to s3:GetObject on that one object (plus kms:Decrypt if the bucket uses SSE-KMS) and have the .ebextensions command set restrictive file permissions on the downloaded file so that only the agent's account can read it.

Exam trap

The trap here is that candidates often choose Option A (user data) because it seems like a simple provisioning step, but they overlook that user data is not encrypted and is visible in the EC2 console, making it unsuitable for secrets, whereas .ebextensions with S3 and IAM roles provide a secure, auditable method that aligns with the AWS shared responsibility model.

How to eliminate wrong answers

Option A is wrong because instance user data is stored in plain text and can be viewed by anyone with access to the EC2 console or instance metadata, making it insecure for sensitive credentials. Option B is wrong because embedding the configuration file in the application source code exposes the credentials in version control systems and deployment artifacts, violating security best practices. Option D is wrong because AWS Systems Manager Run Command is an operational tool for ad-hoc or scheduled tasks, not a provisioning mechanism; it would introduce a race condition if the agent starts before the configuration is delivered, and it does not integrate with the Elastic Beanstalk lifecycle hooks to ensure the file is present at boot.

233
MCQ · hard

A DevOps engineer is troubleshooting an AWS CloudFormation stack that failed to create. The error message indicates that a resource 'AWS::Lambda::Function' timed out while being created. The Lambda function code is packaged as a ZIP file in Amazon S3. What is the most likely cause?

A.The Lambda function has a very short timeout (e.g., 3 seconds) configured in the function properties.
B.The Lambda function's execution role does not have permission to download the ZIP file from S3.
C.The Lambda deployment package is very large, causing the S3 download to exceed the resource creation timeout.
D.The CloudFormation service role does not have permissions to create Lambda functions.
Answer: C

Large packages can cause timeouts during creation.

Why this answer

Option C is correct because creating a Lambda function from a very large deployment package in S3 can take long enough for CloudFormation to time out the resource creation. Option A is wrong because the function's Timeout property limits how long an invocation may run; it plays no part in creating the function. Option B is wrong because the execution role is assumed only when the function runs; the package is fetched during creation, and a missing S3 permission there surfaces as an access-denied error, not a timeout.

Option D is wrong because a CloudFormation service role without lambda:CreateFunction produces an immediate authorization failure for the resource, not a timeout.

234
MCQ · easy

A startup uses AWS CloudFormation to manage its infrastructure. The team stores stack templates in an S3 bucket and creates stacks using the AWS CLI. Recently, a developer accidentally deleted a CloudFormation stack, causing a production outage. The team wants to prevent accidental stack deletions while allowing authorized users to delete stacks after approval. What is the MOST effective solution?

A.Enable termination protection on the stack.
B.Implement a manual review process for all stack deletion requests.
C.Apply a Service Control Policy that denies the cloudformation:DeleteStack action.
D.Use an IAM policy that denies DeleteStack for all users.
Answer: C

An SCP denies DeleteStack for every principal in the account, administrators included; the exception for the role used after approval is carved out with a Condition on aws:PrincipalArn (not with a permissions boundary, which only caps a single principal's own permissions).

Why this answer

Option C is correct: an SCP denying cloudformation:DeleteStack applies to every IAM user and role in the member account, so a developer with full administrator rights is still blocked, and a Condition such as ArnNotLike on aws:PrincipalArn exempts the role that is used after approval. Option A (termination protection) is a per-stack setting that any principal with cloudformation:UpdateTerminationProtection can switch off, and it has to be enabled on every new stack. Option B (manual review) is a process, not a control; it cannot stop a CLI command. Option D (IAM deny policy) must be attached to every principal and can be removed or bypassed by anyone who can edit IAM policies. Note that SCPs do not apply to the organization's management account, so the production stacks must live in a member account for this to work.
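Questions 226 and 234 both turn on the same evaluation rules: an explicit Deny always wins, an explicit Allow beats the implicit Deny, and when an SCP is present both the SCP and the identity policy must allow the action. The following toy evaluator is an added example written for this page, not AWS code or the real IAM engine. Because question 226's exhibit is missing here, the group policy below is a constructed stand-in matching the explanation (Allow ec2:StopInstances, Deny ec2:TerminateInstances); the account ID, the ReleaseApprover role name and the stack ARN for question 234 are likewise assumptions. Only the operators the two scenarios need (Action/Resource wildcards, ArnLike and ArnNotLike) are implemented.

```python
"""Added example (not AWS code) for the policy-evaluation logic behind
questions 226 and 234: an explicit Deny always wins, an explicit Allow beats
the implicit Deny, and when an SCP is present both the SCP and the identity
policy must allow the action.  Only the operators used here (Action/Resource
wildcards, ArnLike/ArnNotLike) are implemented; real IAM has many more."""
from fnmatch import fnmatchcase


def _match(patterns, value):
    """IAM-style wildcard match ('*' and '?') of a string against one pattern
    or a list of patterns."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition, context):
    """Evaluate a Condition block; every operator/key pair must hold."""
    for operator, pairs in condition.items():
        if operator not in ("ArnLike", "ArnNotLike"):
            raise ValueError(f"operator {operator} not implemented in this example")
        for key, patterns in pairs.items():
            matched = _match(patterns, context.get(key, ""))
            if operator == "ArnLike" and not matched:
                return False
            if operator == "ArnNotLike" and matched:
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Decision of one policy document: 'explicit_deny', 'allow' or
    'implicit_deny' (the default when no statement matches)."""
    context = context or {}
    decision = "implicit_deny"
    for stmt in policy["Statement"]:
        if not _match(stmt["Action"], action):
            continue
        if not _match(stmt.get("Resource", "*"), resource):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit_deny"      # a matching Deny ends the evaluation
        decision = "allow"
    return decision


def is_allowed(identity_policy, action, resource, scp=None, context=None):
    """Final decision for a principal in a member account: the SCP (if any)
    must allow the action and so must the identity policy."""
    if scp is not None and evaluate(scp, action, resource, context) != "allow":
        return False
    return evaluate(identity_policy, action, resource, context) == "allow"


# Question 226: a constructed stand-in for the missing exhibit.
GROUP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:StopInstances", "Resource": "*"},
        {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*"},
    ],
}

# Question 234: full-admin identity policy plus an SCP that denies DeleteStack
# for everyone except one release role (account ID and role name are
# assumptions for the example).
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
RELEASE_ROLE = "arn:aws:iam::111122223333:role/ReleaseApprover"
DEVELOPER = "arn:aws:iam::111122223333:user/dev"
DELETE_STACK_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},   # FullAWSAccess
        {
            "Effect": "Deny",
            "Action": "cloudformation:DeleteStack",
            "Resource": "*",
            "Condition": {"ArnNotLike": {"aws:PrincipalArn": RELEASE_ROLE}},
        },
    ],
}
STACK = "arn:aws:cloudformation:us-east-1:111122223333:stack/prod/*"


def can_delete_stack(principal_arn):
    """Would this principal, holding ADMIN_POLICY, get past the SCP?"""
    return is_allowed(ADMIN_POLICY, "cloudformation:DeleteStack", STACK,
                      scp=DELETE_STACK_SCP,
                      context={"aws:PrincipalArn": principal_arn})


if __name__ == "__main__":
    print("226 StopInstances:", evaluate(GROUP_POLICY, "ec2:StopInstances", "*"))
    print("226 TerminateInstances:", evaluate(GROUP_POLICY, "ec2:TerminateInstances", "*"))
    print("234 developer:", can_delete_stack(DEVELOPER))
    print("234 release role:", can_delete_stack(RELEASE_ROLE))
```

Two things the run makes visible: the developer holds an Allow-everything identity policy and is still refused, because the SCP's Deny is evaluated first and nothing in the account can override it; and the exemption works only because the ArnNotLike condition fails for the release role, which turns that Deny statement into a non-match rather than an Allow. Any other action (cloudformation:UpdateStack, for instance) passes the SCP's FullAWSAccess statement and is decided by the identity policy alone.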

235
Multi-Select · easy

A company uses AWS CodeCommit to store source code. The development team wants to automatically trigger a build in AWS CodeBuild whenever a pull request is created or updated. Which TWO resources must be configured to accomplish this? (Select TWO.)

Select 2 answers
A.An AWS Lambda function to process the pull request event.
B.An AWS CodePipeline pipeline with a source stage for CodeCommit.
C.An Amazon CloudWatch Events rule that listens for CodeCommit pull request events.
D.An Amazon Simple Notification Service (SNS) topic to send notifications.
E.An AWS CodeBuild project with a webhook configured.
Answers: C, E

EventBridge can trigger a build on pull request events.

Why this answer

Option C is correct because Amazon CloudWatch Events (now Amazon EventBridge) can capture CodeCommit pull request state changes (for example pullRequestCreated and pullRequestSourceBranchUpdated) and route them to targets such as an AWS CodeBuild project, with no polling and no glue code. Option E is correct in that the CodeBuild project is the required target, but note the wording: CodeBuild webhooks exist only for GitHub, GitLab and Bitbucket sources, and CodeCommit does not emit webhooks. For CodeCommit the build is started by the EventBridge rule invoking StartBuild on the project, so the rule's target role needs codebuild:StartBuild.

Exam trap

The trap here is that candidates often think they need a Lambda function or CodePipeline to bridge the event, but AWS natively supports direct event-driven triggers from CodeCommit to CodeBuild through a CloudWatch Events rule whose target is the build project.

236
MCQ · hard

A DevOps engineer is designing a CI/CD pipeline using AWS CodePipeline to deploy a serverless application. The application uses AWS Lambda functions and Amazon API Gateway. The engineer wants to implement a canary deployment strategy for the Lambda functions to reduce risk. Which AWS service or feature should be used to achieve this?

A.AWS Lambda traffic shifting using aliases
B.AWS CodeDeploy with an AWS Lambda deployment configuration
C.AWS CloudFormation with UpdatePolicy attribute
D.AWS SAM with AutoPublishAlias and DeploymentPreference
Answer: A, B, D

Lambda aliases can be used to shift traffic gradually between two versions.

Why this answer

Option B is the best single answer: AWS CodeDeploy's Lambda deployment configurations (for example LambdaCanary10Percent5Minutes) shift a percentage of traffic to the new version, run optional pre- and post-traffic validation hooks, watch CloudWatch alarms and roll back automatically. Option A is the mechanism CodeDeploy drives underneath: a Lambda alias can split traffic by weight between two published versions, but on its own it provides no orchestration, bake time, alarm monitoring or rollback. Option D is also valid in a SAM-based pipeline: AutoPublishAlias creates the alias and DeploymentPreference makes SAM generate the CodeDeploy resources for you, so it is a front end to B rather than a separate service.

Option C is the least direct: UpdatePolicy is mostly used for Auto Scaling rolling updates, and although an AWS::Lambda::Alias can carry a CodeDeployLambdaAliasUpdate block there, that again just hands the traffic shift to CodeDeploy, which is why B answers "which service".

237
MCQ · easy

A DevOps engineer wants to ensure that all EC2 instances launched in an AWS account automatically have a specific set of tags applied for cost allocation. Which AWS service should they use to enforce this?

A.AWS Service Catalog
B.AWS Config
C.Amazon EC2 Auto Scaling
D.AWS CloudFormation
Answer: B

The AWS Config managed rule required-tags reports instances that lack the tags, and an attached remediation action can add them.

Why this answer

Option B is correct because an AWS Config rule (the managed rule required-tags, or a custom rule) evaluates every EC2 instance for the expected tag keys and values and can trigger an automatic remediation action to add missing tags; this covers instances however they were launched. Note that Config detects and remediates after launch; it does not block an untagged launch. Option D is wrong because CloudFormation tags only the resources it creates from a template; instances launched by other means are untouched. Option A is wrong because Service Catalog can apply tags to the products users provision through it, but it does not affect instances launched outside the catalog.

Option C is wrong because EC2 Auto Scaling propagates tags only to instances in its own groups, not across all instances in the account.

238
MCQ · medium

A DevOps engineer uses AWS Secrets Manager to rotate database credentials. The rotation fails because the Lambda function used for rotation does not have network access to the database. The database is in a private VPC. How should the engineer fix this?

A.Configure the Lambda function to be VPC-enabled and place it in the same subnet as the database.
B.Assign a public IP address to the database and update the security group to allow access from the Lambda function.
C.Set up a VPC Peering connection between the Lambda service and the VPC.
D.Add a NAT Gateway to the VPC to allow Lambda to reach the database.
Answer: A

VPC-enabled Lambda can access resources within the VPC.

Why this answer

Option A is correct because a Lambda function reaches private resources only when it is attached to the VPC: give the rotation function subnets that can route to the database and a security group that the database's security group allows inbound on the database port (the subnets need not be the database's own, only in the same VPC with a route). One follow-on check matters in practice: once the function is in the VPC it no longer has internet access, so it needs a Secrets Manager interface VPC endpoint (or a NAT gateway on its subnets' route table) to call the Secrets Manager API that finishes the rotation. Option B is wrong because giving the database a public IP exposes it to the internet to solve a private connectivity problem. Option C is wrong because VPC peering connects two VPCs you own; the Lambda service is not a customer VPC.

Option D is wrong because a NAT gateway gives private subnets a route out to the internet; it does not give a function outside the VPC a path in, and it is only relevant once the function is VPC-attached and needs to reach the Secrets Manager endpoint.

239
Multi-Select · medium

A company uses AWS CodeCommit as a source repository and AWS CodeBuild for building artifacts. The DevOps team wants to ensure that all commits to the main branch trigger a build. Which steps should be taken? (Choose THREE.)

Select 3 answers
A.Configure the CodeBuild project to use the CodeCommit repository as the source and specify the main branch
B.Configure a webhook in the CodeCommit repository to notify CodeBuild
C.Create a CloudWatch Events rule that listens for CodeCommit repository state changes on the main branch
D.Set the CodeBuild project's trigger to use the CloudWatch Events rule
E.Use AWS CodeDeploy to trigger the build on commits
Answers: A, C, D

The CodeBuild project must know the source and branch.

Why this answer

Option A is correct because configuring the CodeBuild project to use the CodeCommit repository as the source and specifying the main branch tells CodeBuild which repository and revision to check out; this is the foundational step that links the source code to the build project. Option C is correct because a CloudWatch Events (EventBridge) rule can match CodeCommit Repository State Change events whose referenceType is branch and whose referenceName is main, so only pushes to that branch are selected. Option D is correct because the rule does nothing until it has a target: the CodeBuild project is added as the rule's target with a role that is allowed to call codebuild:StartBuild, which is how the rule starts the build.

Exam trap

The trap here is that candidates confuse CodeCommit's lack of native webhook support with other Git providers, leading them to select Option B, or they mistakenly think CodeDeploy can trigger builds instead of deployments.
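The rules in questions 235 and 239 stand or fall on EventBridge's pattern semantics: every key in the pattern must be present in the event, a key whose value is a list matches when the event's value equals any element of the list, and nested objects such as "detail" are matched recursively. The matcher below is an added example written for this page, not AWS code, and it implements only those core rules plus the {"prefix": ...} content filter. The sample events are constructed from the CodeCommit event shape (source aws.codecommit, detail-type "CodeCommit Repository State Change" / "CodeCommit Pull Request State Change", detail fields such as event, referenceType and referenceName); treat the field names as assumptions for the example rather than captured AWS output.

```python
"""Added example (not AWS code) for questions 235 and 239: how an EventBridge
(CloudWatch Events) rule picks out the CodeCommit events that should start a
CodeBuild project.  matches() implements the core pattern semantics: every key
in the pattern must be present in the event; a key with a list matches when the
event value equals any element (OR); nested objects are matched recursively;
{"prefix": ...} is the one content filter implemented.  The sample events are
constructed here from the CodeCommit event shape; field names are assumptions
for the example, not captured AWS output."""


def matches(pattern, event):
    """Return True when `event` satisfies the EventBridge-style `pattern`."""
    for key, wanted in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(wanted, dict):                  # nested object, e.g. "detail"
            if not isinstance(actual, dict) or not matches(wanted, actual):
                return False
        elif not any(_alternative_matches(alt, actual) for alt in wanted):
            return False
    return True


def _alternative_matches(alt, actual):
    """One list element: a literal value or a {"prefix": "..."} filter."""
    if isinstance(alt, dict) and "prefix" in alt:
        return isinstance(actual, str) and actual.startswith(alt["prefix"])
    return alt == actual


# Question 239: build on every push to main (created or updated), nothing else.
MAIN_BRANCH_PUSH = {
    "source": ["aws.codecommit"],
    "detail-type": ["CodeCommit Repository State Change"],
    "detail": {
        "event": ["referenceCreated", "referenceUpdated"],
        "referenceType": ["branch"],
        "referenceName": ["main"],
    },
}

# Question 235: build when a pull request is created or its source branch moves.
PULL_REQUEST_CHANGE = {
    "source": ["aws.codecommit"],
    "detail-type": ["CodeCommit Pull Request State Change"],
    "detail": {"event": ["pullRequestCreated", "pullRequestSourceBranchUpdated"]},
}

# A release-branch variant showing the prefix filter.
RELEASE_BRANCH_PUSH = {
    "source": ["aws.codecommit"],
    "detail-type": ["CodeCommit Repository State Change"],
    "detail": {"referenceType": ["branch"], "referenceName": [{"prefix": "release/"}]},
}


def constructed_event(detail_type, detail):
    """Minimal envelope of an EventBridge event (constructed, not captured)."""
    return {"source": "aws.codecommit", "detail-type": detail_type,
            "region": "us-east-1", "detail": detail}


PUSH_TO_MAIN = constructed_event("CodeCommit Repository State Change", {
    "event": "referenceUpdated", "referenceType": "branch",
    "referenceName": "main", "repositoryName": "app-repo"})
PUSH_TO_FEATURE = constructed_event("CodeCommit Repository State Change", {
    "event": "referenceUpdated", "referenceType": "branch",
    "referenceName": "feature/login", "repositoryName": "app-repo"})
TAG_CREATED = constructed_event("CodeCommit Repository State Change", {
    "event": "referenceCreated", "referenceType": "tag",
    "referenceName": "v1.0", "repositoryName": "app-repo"})
PUSH_TO_RELEASE = constructed_event("CodeCommit Repository State Change", {
    "event": "referenceCreated", "referenceType": "branch",
    "referenceName": "release/2.3", "repositoryName": "app-repo"})
PR_OPENED = constructed_event("CodeCommit Pull Request State Change", {
    "event": "pullRequestCreated", "pullRequestId": "7",
    "sourceReference": "refs/heads/feature/login",
    "destinationReference": "refs/heads/main", "repositoryNames": ["app-repo"]})


def builds_started(rule, events):
    """Names of the constructed events a rule would forward to its target."""
    return [name for name, event in events.items() if matches(rule, event)]


SAMPLE_EVENTS = {"push_main": PUSH_TO_MAIN, "push_feature": PUSH_TO_FEATURE,
                 "tag": TAG_CREATED, "push_release": PUSH_TO_RELEASE,
                 "pr_opened": PR_OPENED}

if __name__ == "__main__":
    for name, rule in [("main", MAIN_BRANCH_PUSH), ("pr", PULL_REQUEST_CHANGE),
                       ("release", RELEASE_BRANCH_PUSH)]:
        print(name, "->", builds_started(rule, SAMPLE_EVENTS))
```

The point to take from the run: the referenceType filter is what keeps a tag named main, or a branch deletion, from starting a build, and the pull request rule is a different detail-type entirely, which is why question 235 needs its own rule rather than a branch filter. In the real rule the target is the CodeBuild project ARN with a role that may call codebuild:StartBuild; the matching logic is the same.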

240
MCQ · hard

An organization uses AWS CloudFormation StackSets to deploy resources across multiple accounts. They notice that a stack instance in one account is in a 'FAILED' status because of a permissions issue. After fixing the permissions, what is the most efficient way to retry the stack instance operation?

A.Manually create the stack in the failed account using the same template.
B.Use the 'Update stack instances' operation for the failed target account.
C.Update the entire stack set to retry all stack instances.
D.Delete the stack instance from the stack set and add it again.
Answer: B

Targets only the failed instance.

Why this answer

Option B is correct because stack instances can be operated on individually: an 'Update stack instances' (UpdateStackInstances) operation targeted at the failed account and region retries only that instance and leaves the others untouched. Option C is wrong because updating the whole stack set touches every account and region, which is slower and riskier for a single-account fix. Option D is wrong because deleting and re-adding the instance is disruptive and may remove resources that were partly created.

Option A is wrong because a stack created by hand outside the stack set is not tracked by it, which defeats the purpose of using StackSets.

241
MCQ · hard

A company uses AWS CloudFormation StackSets to deploy a VPC across multiple AWS accounts in AWS Organizations. The StackSet is created with self-managed permissions. The deployment fails in some accounts with the error: 'Insufficient IAM permissions to create resources'. What is the most likely cause of this failure?

A.The StackSet does not support deploying to more than one account
B.The execution IAM role is not created in the target accounts
C.The administrator account does not have a service-linked role for StackSets
D.The target accounts have reached their resource service quotas
Answer: B

Self-managed permissions require an execution role in each target account.

Why this answer

With self-managed permissions in AWS CloudFormation StackSets, the administrator account does not automatically create the necessary IAM roles in target accounts. The execution IAM role must be created in each target account to grant StackSets the permissions required to create resources; with the default names, that is AWSCloudFormationStackSetAdministrationRole in the administrator account and AWSCloudFormationStackSetExecutionRole in every target account, the latter trusting the administrator account and carrying permissions for each resource type the template creates. The error 'Insufficient IAM permissions to create resources' directly indicates that this execution role is missing or lacks the required policies.

Exam trap

The trap here is that candidates often confuse self-managed and service-managed permissions, assuming that StackSets automatically handle IAM roles in target accounts, when in fact self-managed requires manual role creation in each target account.

How to eliminate wrong answers

Option A is wrong because StackSets are specifically designed to deploy stacks across multiple accounts and regions, so deploying to more than one account is a core feature, not a limitation. Option C is wrong because service-linked roles are not required for StackSets with self-managed permissions; they are used with service-managed permissions when StackSets integrates with AWS Organizations. Option D is wrong because resource service quotas would produce a different error message (e.g., 'Resource limit exceeded'), not an IAM permissions error.

242
Multi-Select · medium

A company uses AWS Config to evaluate resource compliance. They have a custom AWS Config rule that checks whether EC2 instances have a specific tag. The rule is triggered by configuration changes. The DevOps engineer notices that the rule evaluation results show 'NON_COMPLIANT' for some instances that actually have the tag. Which TWO could be causes? (Choose TWO.)

Select 2 answers
A.The rule's maximum execution frequency is set to 24 hours
B.The Lambda function that evaluates the rule has a logic error
C.The rule is not being triggered by CloudTrail events
D.The rule is configured to evaluate only for a specific resource type that does not include EC2
E.The AWS Config service role does not have permission to invoke the Lambda function
Answers: B, D

A bug in the Lambda function can cause incorrect evaluations.

Why this answer

Options B and D are correct. B: a logic error in the custom rule's Lambda function (for example comparing the tag key in the wrong case, or reading tags from the wrong part of the configuration item) makes it return NON_COMPLIANT for instances that do have the tag. D: if the rule's scope does not include AWS::EC2::Instance, the evaluations you see are not based on the instances' actual configuration items, so the reported results cannot be trusted until the scope is corrected.

Option C is wrong because change-triggered Config rules are driven by configuration item changes recorded by AWS Config, not by CloudTrail events. Option A is wrong because the maximum execution frequency applies to periodic rules and has no effect on change-triggered evaluation. Option E is wrong because if AWS Config could not invoke the Lambda function there would be no evaluation result at all (the rule would show an error), not a NON_COMPLIANT result.

243
Multi-Select · medium

A DevOps engineer is designing an AWS CloudFormation template to deploy a three-tier web application. The application must be highly available across multiple Availability Zones. The engineer needs to ensure that the database layer uses a Multi-AZ deployment. Which TWO options should the engineer implement to meet these requirements? (Choose TWO.)

Select 2 answers
A.Define a separate 'AWS::RDS::DBSubnetGroup' resource with subnets from at least two Availability Zones.
B.Deploy the database with multiple read replicas in different Availability Zones.
C.Select a database engine that supports Multi-AZ deployments.
D.Configure the database to use a DB subnet group with subnets in a single Availability Zone.
E.Set the 'MultiAZ' property of the 'AWS::RDS::DBInstance' resource to 'true'.
Answers: C, E

Not all engines support Multi-AZ in the same way; e.g., Multi-AZ is not available for SQL Server Express Edition, and Aurora provides high availability through cluster replicas instead of the MultiAZ property.

Why this answer

Option C is correct because not all AWS RDS database engines support Multi-AZ deployments in the same way; for example, Amazon Aurora uses a different high-availability mechanism (a shared cluster volume with replicas in other AZs) and does not use the standard MultiAZ property. The engineer must verify that the chosen engine and edition (e.g., MySQL, PostgreSQL, Oracle, SQL Server Standard or Enterprise) support Multi-AZ to enable synchronous standby replication across Availability Zones. Option E is correct because setting the 'MultiAZ' property to 'true' on the 'AWS::RDS::DBInstance' resource directly instructs CloudFormation to provision a primary DB instance in one AZ and a standby in another AZ, with automatic failover. A practitioner should note that in a VPC the instance also needs a DB subnet group spanning at least two Availability Zones, so option A is a prerequisite in practice for the MultiAZ setting to succeed, even though the question keys on the engine check and the property itself.

Exam trap

The trap here is that candidates often assume any database engine can be made Multi-AZ by simply setting the flag, but the exam tests the knowledge that engines like Aurora have a different architecture and require a cluster-based approach, not the standard MultiAZ property.

244
Multi-Select · easy

A company uses AWS OpsWorks for Chef to manage its configuration. The company is planning to migrate to AWS Systems Manager. Which AWS Systems Manager capabilities can replace OpsWorks Chef functionalities? (Choose THREE.)

Select 3 answers
A.Patch Manager
B.Session Manager
C.Run Command
D.State Manager
E.Inventory
Answers: A, D, E

A: Patch Manager automates patching; D: State Manager enforces desired configuration; E: Inventory collects software and configuration data.

Why this answer

Options A, D and E are correct. A: Patch Manager automates OS and application patching, replacing patching cookbooks. D: State Manager applies and re-applies a desired configuration on a schedule (through SSM documents, including the AWS-ApplyAnsiblePlaybooks document), which is the closest equivalent to Chef's converge. E: Inventory collects installed software and configuration data, replacing Chef's node attribute reporting.

Option C is wrong because Run Command executes one-off or scheduled commands and does not maintain desired state. Option B is wrong because Session Manager provides interactive shell access, not configuration management.

245
MCQ · easy

A company uses AWS CodeBuild to run unit tests and package a Java application. The build environment needs to have a specific version of Java installed that is not available in the standard build images. The team wants to minimize build time. How should the engineer configure the build environment?

A.Use AWS Lambda to run the tests and package the application.
B.Use a standard build image and include a pre-build command to install the required Java version.
C.Use a custom build image that already includes the required Java version, stored in Amazon ECR.
D.Use the pre-build phase to download and install Java from an S3 bucket.
Answer: C

A custom image eliminates the need to install software each time, reducing build time.

Why this answer

Option C is correct because a custom Docker image in Amazon ECR that already contains the required Java version removes the install step from every build, which is the largest saving in build time. Pin the image by digest and rebuild it on a schedule so the JDK in it stays patched. Option B is wrong because installing Java in a pre-build command repeats the download and install on every build. Option D is wrong because downloading the JDK from S3 in the pre-build phase still adds install time to every build and leaves you maintaining a binary in your own bucket.

Option A is wrong because Lambda is not a build environment: invocations are limited to 15 minutes and it has no CodeBuild integration for running a Java build and test suite.

246
MCQ · hard

A company has a multi-account AWS environment using AWS Organizations. The DevOps team wants to enforce a policy that prevents creating S3 buckets with public read access. They plan to use AWS CloudFormation StackSets to deploy a stack across all accounts. What is the BEST way to enforce this policy?

A.Use AWS CloudFormation Guard to validate templates before deployment and reject those with public access.
B.Create an IAM policy that denies s3:PutBucketAcl and attach it to all IAM users.
C.Create a service control policy (SCP) in the root organizational unit that denies the s3:PutBucketPublicAccessBlock action.
D.Create an S3 bucket policy in each account that denies public read access.
Answer: C

SCPs can deny actions across all accounts.

Why this answer

Option C is correct because a service control policy (SCP) attached at the root (or an OU) applies to every principal in every member account, account administrators included, and cannot be overridden by identity or resource policies in those accounts. Denying s3:PutBucketPublicAccessBlock freezes the S3 Block Public Access settings on every bucket, so nobody can turn the block off. Two practical points: the same Deny should also name s3:PutAccountPublicAccessBlock so the account-level block cannot be disabled either, and the block must already be on for the SCP to mean anything (new buckets are created with all four Block Public Access settings enabled, and the account-level setting should be enabled in every account). The guardrail is set once at the organization level and needs no per-account configuration or changes to individual IAM users.

Exam trap

The trap here is mistaking an SCP for an IAM policy. SCPs are organization-wide guardrails evaluated before any identity policy, so an account administrator cannot remove them; and denying s3:PutBucketAcl alone is not enough, because public read is more often granted through a bucket policy (s3:PutBucketPolicy) than through an ACL.

How to eliminate wrong answers

Option A is wrong because AWS CloudFormation Guard is a command-line policy-as-code tool that validates templates before deployment; it only sees what passes through the pipeline and cannot stop a bucket created directly in the console, CLI or SDK, nor change buckets that already exist. Option B is wrong because an IAM policy attached to IAM users covers neither roles nor the root user, and denying s3:PutBucketAcl does not prevent public read granted through a bucket policy (s3:PutBucketPolicy) or by turning off Block Public Access. Option D is wrong because a bucket policy governs one existing bucket; it does nothing for buckets created later and would have to be deployed and maintained in every account by hand, which is neither scalable nor centrally enforceable.

247
Multi-Selectmedium

A company uses AWS CloudFormation to manage infrastructure. They have a stack that creates an Amazon RDS DB instance and an EC2 instance that connects to it. The DB instance has a deletion policy of 'Retain'. The stack fails to delete because the DB instance is retained and still exists. Which TWO actions would allow the stack to be deleted successfully? (Select TWO.)

Select 2 answers
A.Use the AWS CLI to force delete the stack with the --force option.
B.Manually delete the DB instance using the RDS console.
C.Disable termination protection on the EC2 instance.
D.Change the deletion policy of the DB instance to 'Delete' and then update the stack before deleting.
E.Modify the DB instance to allow deletion by setting DeletionProtection to false.
AnswersB, D

After manual deletion, the stack can be deleted.

Why this answer

Option B is correct because manually deleting the retained DB instance removes the resource that is blocking the stack deletion. CloudFormation cannot delete a stack that contains a resource with a 'Retain' deletion policy until that resource is manually removed, as the stack expects the resource to no longer exist for the deletion to complete.

Exam trap

The trap here is that candidates often confuse 'Retain' deletion policy with 'DeletionProtection' or assume that termination protection on EC2 instances is relevant, when in fact the core issue is that the retained resource must be either manually removed or its policy changed to allow CloudFormation to delete it.

248
MCQmedium

A CloudFormation stack update failed with the error shown. What is the most likely cause?

A.The instance type t2.micro is not available in the region.
B.The IAM role used by CloudFormation lacks ec2:RunInstances permissions.
C.The AMI ID specified in the template is incorrect or has been deregistered.
D.The stack name does not match the existing stack.
AnswerC

The error clearly states the imageId is invalid.

Why this answer

Option C is correct. The error message indicates that the AMI ID specified in the resource properties is invalid. This typically happens when the AMI ID does not exist in the region or has been deregistered.

The stack update is trying to update the EC2 instance with a new AMI, but the AMI ID is incorrect. Option A is incorrect because the error is about the AMI ID, not the instance type. Option B is incorrect because the error is not about permissions.

Option D is incorrect because the error is not about the stack name.

249
MCQhard

A company uses AWS CodeDeploy for application deployments. They want to ensure that if a deployment fails, the system automatically rolls back to the previous version. Which configuration should they set?

A.Define a 'Failure' lifecycle event hook that calls a Lambda function to revert the deployment.
B.Configure the deployment group to enable automatic rollback when a deployment fails.
C.Set the 'auto-rollback' property in the CodeDeploy deployment group to 'true'.
D.Use a CloudFormation stack with a rollback configuration.
AnswerB

CodeDeploy supports automatic rollback on failure.

Why this answer

Option B is correct because CodeDeploy deployment groups have a built-in rollback configuration that can automatically trigger when a deployment fails. Option D is wrong because CloudFormation rollback applies to infrastructure stacks, not CodeDeploy application deployments. Option C is wrong because 'auto-rollback' is not a valid CodeDeploy property.

Option A is wrong because lifecycle event hooks are for custom scripts, not automatic rollback.

250
MCQmedium

A DevOps team uses Elastic Beanstalk to deploy a web application. They want to configure environment variables without modifying the application code. Where should they define these variables?

A.As environment properties in the Elastic Beanstalk environment
B.In the EC2 User Data script
C.In the instance metadata
D.In the application code
AnswerA

Elastic Beanstalk natively supports environment properties that are injected as environment variables.

Why this answer

Elastic Beanstalk allows environment properties to be set in the console, CLI, or via .ebextensions. These are exposed as environment variables to the application. Option A is correct.

Option D is incorrect because the application code is the wrong place. Option B is incorrect because User Data is for EC2 initialization, not for application environment variables. Option C is incorrect because instance metadata does not expose custom environment variables automatically.

251
MCQeasy

A DevOps engineer is using AWS CloudFormation to deploy a stack that includes a VPC with public and private subnets. The engineer wants to ensure that the public subnets automatically get a public IP address assigned to instances launched in them. Which property should be set?

A.EnableDnsSupport on the VPC
B.MapPublicIpOnLaunch on the subnet
C.EnableDnsHostnames on the VPC
D.AssociatePublicIpAddress on the instance
AnswerB

MapPublicIpOnLaunch automatically assigns public IPs to instances in the subnet.

Why this answer

Option B is correct because setting MapPublicIpOnLaunch to true on the subnet makes instances launched into it receive a public IP automatically. Option D (AssociatePublicIpAddress) is an instance or launch template property, not a subnet property. Option C (EnableDnsHostnames) is for VPC DNS.

Option A (EnableDnsSupport) is also for VPC DNS.

252
Multi-Selecthard

A DevOps engineer is designing an infrastructure as code solution for a microservices application that runs on Amazon ECS with Fargate. The application requires a shared Application Load Balancer (ALB) and multiple ECS services. Which CloudFormation resources are required to expose each service behind the ALB? (Choose THREE.)

Select 3 answers
A.AWS::ElasticLoadBalancingV2::Listener
B.AWS::ElasticLoadBalancingV2::LoadBalancer
C.AWS::ECS::Service
D.AWS::ElasticLoadBalancingV2::ListenerRule
E.AWS::AutoScaling::AutoScalingGroup
AnswersA, C, D

The listener receives incoming traffic on a specific port.

Why this answer

AWS::ElasticLoadBalancingV2::Listener is correct because it defines the protocol and port (e.g., HTTP:80) on which the ALB accepts traffic. Without a listener, the ALB cannot receive incoming requests. This resource is essential for routing traffic to target groups that are associated with ECS services.

Exam trap

The trap here is that candidates often select the LoadBalancer resource (Option B) thinking it is required for each service, but the LoadBalancer is a shared resource created once, while the Listener, ListenerRules, and ECS Service are the per-service components that enable routing.

253
MCQmedium

A company uses AWS CloudFormation to deploy a multi-tier application. The stack includes an Application Load Balancer (ALB), an Auto Scaling group, and an RDS database. The DevOps engineer needs to update the stack to change the DB instance type. The engineer wants to minimize downtime. Which strategy should they use?

A.Create a new CloudFormation stack with the new DB instance type and update DNS to point to the new DB
B.Create a new DB instance with the new type, update the application stack to point to the new DB, then remove the old DB
C.Modify the DB instance to use Multi-AZ deployment before the update
D.Update the stack directly by changing the DBInstanceType property
AnswerB

This minimizes downtime by creating the new instance before switching.

Why this answer

Option B is correct. Updating the DB instance in place would interrupt the database; to minimize downtime, the engineer first creates a new DB instance with the new type (for example by giving it a new logical ID in the template), updates the application stack to point to the new instance, and only then removes the old one. Option D is wrong because updating the DBInstanceType property in place causes downtime.

Option A is wrong because creating a new stack and migrating traffic is possible but not the best practice for a single stack. Option C is wrong because Multi-AZ is for high availability, not for updates.

254
Multi-Selecthard

A DevOps team is using AWS CodeDeploy to deploy a web application. The deployment group consists of an Auto Scaling group with a minimum of 2 instances. They want to ensure high availability during the deployment. Which THREE of the following deployment configurations support zero-downtime deployments?

Select 3 answers
A.Deployment type: Rolling, with a batch size of 1 and a wait time between batches.
B.Deployment type: AllAtOnce, with Auto Scaling group minimum size set to double the desired capacity.
C.Deployment type: Blue/green, with traffic shifting to the new environment after testing.
D.Deployment type: Canary, with 10% traffic shift initially.
E.Deployment type: In-place, with a batch size of 50%.
AnswersA, B, C

Rolling updates replace instances in batches, maintaining capacity.

Why this answer

Option A is correct because a rolling deployment with a batch size of 1 and a wait time between batches updates one instance at a time, keeping the remaining instances in service. This ensures that the Auto Scaling group never drops below its minimum capacity, maintaining full availability throughout the deployment process.

Exam trap

The trap here is that candidates confuse canary traffic shifting (a blue/green feature) with a standalone deployment type, or assume that in-place deployments with any batch size guarantee zero downtime, ignoring the impact on Auto Scaling group minimum capacity.

255
MCQhard

An organization uses AWS CloudFormation to manage infrastructure. They have a stack that creates an Amazon S3 bucket with a bucket policy that restricts access to a specific IAM role. During a recent security audit, it was discovered that the bucket policy was modified manually via the AWS Management Console, and the change was not reflected in the CloudFormation template. The security team wants to detect and remediate such drift automatically. Which combination of steps should be taken to achieve this?

A.Use AWS CloudTrail to monitor PutBucketPolicy events and send alerts to the security team via Amazon SNS.
B.Create an AWS Config rule to check if the bucket policy matches the desired policy, and use an AWS Lambda function to automatically correct any noncompliant buckets.
C.Configure S3 event notifications to invoke an AWS Lambda function whenever the bucket policy is modified.
D.Enable drift detection on the CloudFormation stack and use Amazon EventBridge to trigger an AWS Lambda function that restores the original bucket policy when drift is detected.
AnswerD

Drift detection identifies changes; EventBridge can trigger Lambda to remediate by updating the stack or resource.

Why this answer

Option D is correct because it directly addresses the requirement to both detect and automatically remediate drift in a CloudFormation-managed S3 bucket policy. CloudFormation drift detection identifies manual changes to the bucket policy, and Amazon EventBridge can trigger an AWS Lambda function that uses the CloudFormation UpdateStack API to restore the original policy from the template, ensuring the infrastructure remains in sync with the IaC definition.

Exam trap

The trap here is that candidates often confuse S3 event notifications (which are for object-level events) with control plane operations like PutBucketPolicy, leading them to choose Option C, or they assume AWS Config alone can remediate drift without understanding that Config does not automatically correct CloudFormation stack resources.

How to eliminate wrong answers

Option A is wrong because AWS CloudTrail monitoring of PutBucketPolicy events only provides detection via alerts; it does not include any automated remediation to restore the original policy. Option B is wrong because an AWS Config rule can detect noncompliant bucket policies, but the suggested Lambda function would need to directly modify the S3 bucket policy, which would create a new drift event and not correct the CloudFormation stack itself, leaving the template out of sync. Option C is wrong because S3 event notifications are triggered by object-level events (e.g., PUT, POST) on the bucket, not by changes to the bucket policy; PutBucketPolicy is a control plane API call, not an S3 event notification trigger.

256
MCQhard

A DevOps team is using this IAM policy to allow a CI/CD pipeline to launch EC2 instances and retrieve parameters. However, the pipeline is failing with an 'AccessDenied' error when trying to create an instance. The pipeline uses a role with this policy attached. What is the most likely cause?

A.The condition StringEquals on InstanceType is incorrectly formatted.
B.The pipeline does not have permission to call ssm:GetParameter because the resource is not specified.
C.The policy does not grant permissions on additional resources required for RunInstances, such as images and network interfaces.
D.The policy must include a 'Resource' for the 'ec2:DescribeInstances' action to be valid.
AnswerC

RunInstances requires permissions on resources like images, security groups, etc., which are not allowed.

Why this answer

Option C is correct because the policy only allows RunInstances on the instance resource, but creating an instance also requires permissions on other resources such as images, network interfaces, and security groups. Option A is wrong because the condition is on the instance type and is not a resource-level problem. Option B is wrong because ssm:GetParameter is allowed.

Option D is wrong because the policy is valid syntax.

257
Multi-Selectmedium

A DevOps engineer is creating an AWS Elastic Beanstalk environment and needs to ensure that configuration changes are tracked and can be reverted. Which THREE steps should the engineer take to achieve this? (Choose THREE.)

Select 3 answers
A.Enable configuration drift detection using AWS Config.
B.Use Elastic Beanstalk lifecycle policies to automatically retain old configurations.
C.Store configuration templates in the Elastic Beanstalk console, which automatically keeps version history.
D.Enable enhanced health reporting and detailed CloudWatch metrics.
E.Save configuration versions as saved configurations in Elastic Beanstalk.
AnswersA, D, E

Correct. AWS Config detects configuration changes and can trigger notifications.

Why this answer

Option D (enable enhanced health reporting) is correct because it enables detailed metrics and logs. Option A (enable configuration drift detection) is correct because it allows tracking changes. Option E (use saved configurations) is correct because they enable rollback.

Option C is wrong because the console does not automatically store history. Option B is wrong because Elastic Beanstalk lifecycle policies govern the retention of application versions, not environment configurations.

258
MCQhard

A company is using AWS Elastic Beanstalk with a custom platform. The platform is based on Amazon Linux 2 and includes a pre-installed application. The DevOps team needs to inject environment-specific configuration files into the EC2 instances during deployment. Which approach should be used?

A.Use AWS CloudFormation to update the environment with new configuration
B.Use .ebextensions configuration files in the application source bundle
C.Use EC2 user-data scripts to download configuration from S3
D.Store configuration in AWS Systems Manager Parameter Store and retrieve it in the application
AnswerB

.ebextensions are processed during deployment and can create files from configuration.

Why this answer

Option B is correct because .ebextensions configuration files are the native mechanism in Elastic Beanstalk to inject environment-specific configuration into EC2 instances during deployment. These YAML or JSON files, placed in the .ebextensions directory of the application source bundle, are processed by the Elastic Beanstalk platform engine to execute commands, create files, or modify configuration before the application starts, ensuring the custom platform receives the necessary environment-specific settings.

Exam trap

The trap here is that candidates often confuse runtime parameter retrieval (Option D) with deployment-time file injection, or assume that user-data scripts (Option C) are sufficient for ongoing deployments, failing to recognize that Elastic Beanstalk's .ebextensions are specifically designed for this purpose and integrate seamlessly with the platform's lifecycle.

How to eliminate wrong answers

Option A is wrong because AWS CloudFormation is used to manage the Elastic Beanstalk environment's infrastructure (e.g., resources like load balancers or scaling policies), not to inject configuration files into individual EC2 instances during deployment; it operates at the infrastructure layer, not the instance configuration layer. Option C is wrong because EC2 user-data scripts run only once at instance launch and are not integrated with Elastic Beanstalk's deployment lifecycle hooks, making them unreliable for injecting configuration during updates or rolling deployments where instances are reused. Option D is wrong because while Systems Manager Parameter Store can store configuration values, it requires the application code to explicitly retrieve them at runtime, which does not satisfy the requirement to inject configuration files into the EC2 instances during deployment; the question specifies injecting files, not runtime parameter access.

259
Multi-Selecteasy

A DevOps team wants to manage EC2 instance configurations using AWS Systems Manager. Which THREE capabilities of Systems Manager can be used to ensure instances are in a desired state? (Choose THREE.)

Select 3 answers
A.Run Command
B.OpsCenter
C.Parameter Store
D.Patch Manager
E.State Manager
AnswersA, D, E

Run Command can execute commands to enforce configuration.

Why this answer

Run Command (A) is correct because it allows you to remotely and securely execute scripts or commands across EC2 instances without needing SSH or RDP, using an SSM document that defines the desired configuration actions. This capability directly enforces a desired state by running idempotent scripts on demand or on a schedule.

Exam trap

The trap here is confusing Parameter Store (a data store) with a configuration management tool, or thinking OpsCenter (an operations dashboard) can enforce state, when only Run Command, State Manager, and Patch Manager directly execute actions to achieve and maintain a desired configuration.

260
MCQhard

A DevOps team manages a multi-account AWS environment using AWS Organizations. They need to enforce a mandatory tag (e.g., 'CostCenter') on all resources created across accounts. Which combination of services should be used to automatically remediate non-compliant resources?

A.AWS Service Control Policies (SCPs) to deny creation of resources without the tag.
B.AWS CloudTrail to detect non-compliant resource creation and send notifications.
C.AWS Config rules with automatic remediation using AWS Systems Manager Automation or Lambda.
D.AWS Resource Groups & Tag Editor to manually add tags to non-compliant resources.
AnswerC

Config rules can detect non-compliance and trigger automated remediation.

Why this answer

Option C is correct because AWS Config can detect non-compliant resources and trigger a custom Lambda function or Systems Manager Automation document to automatically add the missing tag. Option A is incorrect because SCPs only prevent certain actions but do not remediate existing resources. Option B is incorrect because CloudTrail logs events but does not remediate.

Option D is incorrect because Tag Editor is a manual tool, not automated.

261
MCQhard

A large enterprise uses AWS CloudFormation StackSets to deploy resources across multiple accounts and regions. They need to update a stack set that contains a custom resource backed by a Lambda function. The update changes the Lambda function code. What is the CORRECT approach to ensure the Lambda function is updated without manual intervention?

A.Use a Lambda function alias and point the custom resource to the alias.
B.Create a new stack set for the updated Lambda and delete the old one.
C.Update the stack set with a new template version that references the updated Lambda code, and let CloudFormation handle the update.
D.Manually update the Lambda function in each account, then update the stack set.
AnswerC

CloudFormation will automatically update the Lambda function as part of the stack update.

Why this answer

Option C is correct because updating the stack set with a new template and parameters triggers CloudFormation to update the Lambda function automatically. Option D is wrong because manually updating the Lambda function in each account is not scalable. Option A is wrong because CloudFormation does not support Lambda function aliases for custom resources.

Option B is wrong because StackSets already handle updates across accounts; creating a new stack set and deleting the old one is unnecessary.

262
MCQmedium

A company uses AWS CloudFormation to deploy a multi-tier application. The template includes a parameter for the instance type of EC2 instances. The DevOps team wants to restrict the allowed values to a specific set of instance types. Which CloudFormation section should be used?

A.Outputs
B.Parameters with AllowedValues
C.Conditions
D.Mappings
AnswerB

AllowedValues restricts parameter input to a list.

Why this answer

Option B is correct because the AllowedValues property in the Parameters section restricts input values. Option D (Mappings) maps keys to values and does not restrict input. Option C (Conditions) determines whether resources are created.

Option A (Outputs) returns values after stack creation.

263
Multi-Selecteasy

A company is using AWS CloudFormation to manage its infrastructure. The DevOps team wants to implement a strategy that allows for rollback in case a stack update fails. Which TWO approaches should the team consider? (Choose TWO.)

Select 2 answers
A.Disable the 'Rollback on failure' option and manually revert changes using the AWS Management Console.
B.Create and execute a change set. If the update fails, the stack remains unchanged.
C.Use AWS Backup to create manual snapshots of all resources before the update.
D.Use nested stacks to isolate changes; if a nested stack fails, the parent stack automatically rolls back.
E.Enable the 'Rollback on failure' option in the stack's update settings.
AnswersB, E

Correct. Change sets allow you to review changes and execute them; if execution fails, the stack is not modified.

Why this answer

Option E (enable rollback on failure) is correct because it is a built-in CloudFormation property that automatically rolls back changes if an update fails. Option B (create a change set) is correct because change sets allow previewing changes and can be executed or discarded; if an update fails, the stack remains unchanged. Option C is wrong because manual snapshots do not automatically roll back.

Option A is wrong because disabling rollback leaves the stack in a partial state. Option D is wrong because nested stacks do not inherently provide rollback for parent stacks.

264
MCQmedium

A company uses AWS Elastic Beanstalk for a web application. The DevOps engineer needs to ensure that environment configuration changes (e.g., instance type, environment variables) are version-controlled and can be rolled back quickly. Which approach should they use?

A.Use Elastic Beanstalk saved configurations stored in source control.
B.Manually update the environment configuration through the Elastic Beanstalk console.
C.Use the AWS CLI to apply configuration changes from a script.
D.Use AWS CloudFormation to manage the Elastic Beanstalk environment.
AnswerA

Saved configurations can be versioned and applied to environments for rollback.

Why this answer

Option A is correct because Elastic Beanstalk supports saved configurations that can be versioned in source control and applied to environments. Option B is wrong because manual changes in the console are not version-controlled. Option D is wrong because CloudFormation manages the environment's infrastructure, not Elastic Beanstalk's own environment configuration.

Option C is wrong because CLI commands are not version-controlled by default.

265
Multi-Selecthard

A DevOps engineer is troubleshooting a CloudFormation stack that creates an Auto Scaling group with a launch configuration. The stack creation fails with the error 'Resource handler returned message: "Invalid IAM Instance Profile name" (Service: AutoScaling, Status Code: 400)'. Which TWO are possible causes?

Select 2 answers
A.The IAM instance profile has not been created yet.
B.The launch configuration references a deleted instance profile.
C.The instance profile is in a different AWS account.
D.The instance profile name in the launch configuration is misspelled.
E.The IAM role associated with the instance profile does not have sufficient permissions.
AnswersA, D

The instance profile must exist before being used.

Why this answer

Option A (the IAM instance profile does not exist yet) and Option D (the instance profile name is misspelled) are correct. Option E is wrong because insufficient IAM permissions would cause an AccessDenied error, not an invalid-name error. Option C is wrong because an instance profile in a different account would have to be referenced by ARN, which is a different failure from an invalid name.

Option B is wrong because it would cause a different error.

266
MCQhard

Refer to the exhibit. A DevOps engineer is troubleshooting an issue where an IAM user is unable to stop an EC2 instance with the tag 'Environment: Development'. The attached IAM policy is shown. Which statement explains the failure?

A.The Deny statement condition incorrectly uses StringNotEquals, which denies all instances except those with the Production tag.
B.The Deny statement includes ec2:StopInstances implicitly because stop is a termination action.
C.The Allow statement only grants ec2:DescribeInstances, not start/stop.
D.The policy does not prevent stopping instances with the Development tag; the failure must be caused by another policy or service control policy.
AnswerD

The policy allows StopInstances on all instances, so the inability to stop is due to another factor.

Why this answer

Option D is correct. The Deny statement denies ec2:TerminateInstances for instances whose Environment tag is not Production. The user is trying to stop an instance, not terminate it, and ec2:StopInstances is allowed by the first statement on all resources, so nothing in this policy prevents stopping an instance tagged Environment: Development.

Because the policy shown does not deny the stop action, the failure must be caused by something outside this policy, such as another attached policy or a service control policy. The question asks which statement explains the failure, and the only option consistent with the exhibit is that the cause lies elsewhere.

Option A is wrong because the StringNotEquals condition belongs to the Deny for TerminateInstances and has no effect on StopInstances. Option B is wrong because stopping an instance is not a termination action; the Deny does not implicitly cover ec2:StopInstances. Option C is wrong because the Allow statement grants start and stop, not only describe.

267
MCQhard

A company manages a fleet of EC2 instances using AWS Systems Manager State Manager. They have a State Manager association that ensures a specific software package is installed on all instances. Recently, they noticed that some instances are reporting the association as 'Success' even though the software is not installed. The association uses a custom document that runs a script to install the package. The engineer checks the association execution history and sees that the script exited with code 0 on those instances. What is the most likely cause?

A.The association is not targeting those instances.
B.The instances are not configured to send compliance data to Systems Manager.
C.The instances do not have the SSM Agent installed.
D.The script does not check the exit code of the installation command and always returns 0.
AnswerD

If the script doesn't propagate failure exit codes, State Manager sees success.

Why this answer

Option D is correct because the script exits with code 0 even when the installation command fails, so State Manager records the association as successful. Option B is wrong because compliance reporting is not the issue; the status is being reported. Option A is wrong because the association is running on those instances.

Option C is wrong because the script ran, which requires the SSM Agent to be installed.

268
MCQmedium

A company uses Terraform with an S3 backend to manage infrastructure. The DevOps engineer notices that after a colleague runs 'terraform apply' locally, the state file in S3 becomes corrupted and subsequent runs fail. What is the BEST way to prevent this issue?

A.Store the state file locally and commit it to version control.
B.Use DynamoDB for state locking and enable consistency checks.
C.Use S3 server-side encryption to protect the state file.
D.Enable S3 versioning on the state bucket to recover previous versions.
AnswerB

Prevents concurrent modifications that cause corruption.

Why this answer

Option B is correct because enabling DynamoDB state locking prevents concurrent modifications that can corrupt the state file. Option D is wrong because versioning only allows recovery, not prevention. Option C is wrong because encryption does not prevent corruption.

Option A is wrong because storing state locally and committing it to version control is not a best practice for state management.

269
MCQmedium

A company uses AWS CodePipeline to deploy a Node.js application to AWS Elastic Beanstalk. The pipeline includes a build stage using AWS CodeBuild. Developers notice that the deployed application occasionally crashes due to missing environment variables that were configured in the Elastic Beanstalk environment but not passed from CodeBuild. What is the MOST efficient way to ensure the environment variables are consistently applied?

A.Define environment variables in the source code using .ebextensions configuration files.
B.Update the environment variables manually in the Elastic Beanstalk console after each deployment.
C.Use the aws elasticbeanstalk update-environment CLI command after the pipeline completes.
D.Store environment variables in AWS Systems Manager Parameter Store and have the application retrieve them at runtime.
AnswerA

.ebextensions files are processed during deployment, ensuring consistency.

Why this answer

Option A is correct because .ebextensions configuration files allow you to define environment variables declaratively in the source code, ensuring they are consistently applied during every deployment via CodePipeline. This approach eliminates the dependency on runtime or manual steps, as the Elastic Beanstalk environment automatically reads these files during environment creation and updates. It integrates seamlessly with CodeBuild and CodePipeline, making it the most efficient and reliable method for maintaining environment variable consistency.

Exam trap

The trap here is that candidates often assume runtime parameter retrieval (e.g., from Parameter Store or Secrets Manager) is the best practice for all scenarios, but for environment variables required at process startup in Elastic Beanstalk, .ebextensions provide a more reliable and simpler solution that avoids application code changes and ensures variables are set before the application runs.

How to eliminate wrong answers

Option B is wrong because manually updating environment variables in the Elastic Beanstalk console after each deployment is error-prone, not scalable, and violates the principle of infrastructure as code, leading to configuration drift. Option C is wrong because using the aws elasticbeanstalk update-environment CLI command after the pipeline completes introduces an extra post-deployment step that can fail or be forgotten, and it does not tie the variables to the source code version, making rollbacks inconsistent. Option D is wrong because while Parameter Store can be used for runtime retrieval, it requires application code changes to fetch variables at startup, adds latency, and does not guarantee the variables are present during the Elastic Beanstalk environment initialization, potentially causing crashes before the application code runs.

270
MCQ · hard

A large enterprise uses AWS Systems Manager to manage configuration drift on thousands of EC2 instances. The compliance team requires that instances must have a specific security configuration enforced by a Systems Manager State Manager association. The association is configured to run every 30 minutes. However, some instances consistently report a status of 'Failed' in the association compliance dashboard. The instances are running and have the SSM Agent installed. What is the MOST likely cause of the failures?

A.The instances do not have the required IAM instance profile to execute the association document.
B.The instances are behind a firewall that blocks communication with the Systems Manager endpoint.
C.The association is configured to run at a specific time that conflicts with the instance's maintenance window.
D.The SSM Agent version on the instances is outdated and not compatible with the association document.
Answer: A

Without proper permissions, the association cannot run.

Why this answer

State Manager associations require the SSM Agent and appropriate IAM permissions (Option A). If the instance profile lacks the required permissions, the association will fail. Option D (agent version) would cause a different error; Option C (timing) is unlikely; Option B (firewall) would affect Systems Manager communication overall, not just the association.

271
MCQ · medium

A company uses AWS CloudFormation to manage its infrastructure. The DevOps team wants to ensure that critical resources, such as an RDS database, are not accidentally deleted when a stack is updated or deleted. Which CloudFormation feature should be used to prevent this?

A.DeletionPolicy attribute with Retain
B.Stack policy
C.Termination protection
D.DependsOn attribute
Answer: A

DeletionPolicy with Retain preserves the resource when the stack is deleted.

Why this answer

Option A is correct because DeletionPolicy with Retain prevents the resource from being deleted when the stack is deleted. Option B (Stack policy) controls updates to stack resources, not deletion prevention. Option C (Termination protection) is an EC2 feature, not native to CloudFormation.

Option D (DependsOn) only defines resource creation order, not deletion behavior.

272
Multi-Select · medium

Which TWO approaches can be used to manage configuration files (e.g., application.properties) across multiple AWS accounts and regions using AWS Systems Manager? (Select TWO.)

Select 2 answers
A.Use AWS AppConfig to create, manage, and deploy application configurations across accounts and regions.
B.Use AWS OpsWorks for Chef Automate to store configuration data in Chef data bags.
C.Store configuration files in AWS Secrets Manager and retrieve them using the Secrets Manager API.
D.Store configuration parameters in AWS Systems Manager Parameter Store and reference them from applications using the AWS SDK.
E.Use AWS Systems Manager Run Command to push configuration files to EC2 instances on demand.
Answers: A, D

AppConfig is designed for application configuration management with validation and deployment strategies.

Why this answer

AWS AppConfig is a feature of AWS Systems Manager that allows you to create, manage, and deploy application configurations across accounts and regions. It supports staged rollouts, validation, and monitoring, making it suitable for managing configuration files like application.properties in multi-account, multi-region environments.

Exam trap

The trap here is that candidates often confuse AWS Secrets Manager with Parameter Store for configuration management, or assume Run Command is suitable for configuration deployment, when in fact AppConfig and Parameter Store are the correct Systems Manager services for managing and deploying configuration files across multiple accounts and regions.

273
MCQ · easy

A company uses AWS Elastic Beanstalk to deploy a web application. The operations team wants to ensure that the environment's configuration (e.g., instance type, scaling limits) is version-controlled and reproducible. Which practice should they adopt?

A.Manually recreate the environment from the Elastic Beanstalk console when needed.
B.Use the Elastic Beanstalk saved configuration feature to download a configuration file and store it in version control.
C.Use AWS CloudFormation to define the environment and store the template in a Git repository.
D.Document the configuration in a wiki and apply it manually through the AWS Management Console.
Answer: B

Saved configurations allow versioning and reproducibility.

Why this answer

Option B is correct because Elastic Beanstalk's saved configuration feature allows you to download the environment's configuration as a YAML or JSON file, which can be stored in version control and used to recreate identical environments. This directly addresses the need for version-controlled, reproducible environment configuration without requiring additional infrastructure-as-code tools.

Exam trap

The trap here is that candidates may overthink and choose CloudFormation (Option C) because it is a powerful IaC tool, but the question specifically asks for a practice within Elastic Beanstalk's own features to version-control its configuration, not to replace the deployment service entirely.

How to eliminate wrong answers

Option A is wrong because manually recreating an environment from the console is error-prone, not version-controlled, and violates the principle of reproducibility. Option C is wrong because while AWS CloudFormation can define Elastic Beanstalk environments, the question specifically asks for a practice within Elastic Beanstalk's native capabilities; using CloudFormation adds unnecessary complexity and is not the recommended practice for version-controlling Elastic Beanstalk environment configuration. Option D is wrong because documenting configuration in a wiki and applying it manually is not version-controlled, is prone to human error, and does not enable automated or reproducible deployments.

274
MCQ · medium

An organization uses AWS Elastic Beanstalk for deploying a web application. They have a custom platform extension that modifies the nginx configuration. After a recent deployment, the custom configuration is not applied. The environment logs show that the platform extension script ran successfully. What should the engineer check first?

A.Review the application source code for errors.
B.Ensure the script has execute permissions.
C.Check if the nginx configuration file is being overwritten by later deployment phases.
D.Verify that the platform extension is in the correct folder.
Answer: C

The extension script may run early, and later steps may overwrite the config.

Why this answer

Option C is correct because if the file is overwritten after the script runs, the changes are lost. Option B is wrong because the script ran successfully, which shows it has execute permissions. Option A is wrong because the script itself ran, so the application source code is not the first place to look.

Option D is wrong because the extension's folder location is a less likely first check, given that the script ran.

275
Multi-Select · medium

A company wants to implement a configuration management strategy for their EC2 instances that are part of an Auto Scaling group. They need to ensure that new instances are automatically configured with the latest software packages and settings without manual intervention. Which TWO approaches meet these requirements? (Choose TWO.)

Select 2 answers
A.Use AWS OpsWorks to manage configurations and associate with the Auto Scaling group.
B.Use AWS CodeDeploy with an Auto Scaling lifecycle hook to deploy applications to new instances.
C.Use EC2 user data scripts to install software at launch.
D.Use AWS Config rules to enforce configuration settings.
E.Use AWS Systems Manager Run Command on a schedule to apply configurations.
Answers: B, C

Lifecycle hooks can trigger CodeDeploy deployments on launch.

Why this answer

Options B and C are correct. Option C uses a bootstrapping script in the user data to install packages at launch. Option B uses AWS CodeDeploy with an Auto Scaling lifecycle hook to automatically deploy applications to new instances.

Option D is incorrect because AWS Config is for compliance, not configuration management. Option A is incorrect because AWS OpsWorks is a separate service, not directly integrated with Auto Scaling groups. Option E is incorrect because Systems Manager Run Command on a schedule is not automatic on launch.

276
Multi-Select · hard

Which THREE actions should be taken to ensure that an AWS CloudFormation stack update does not cause downtime for a production application that runs on an Auto Scaling group behind an Application Load Balancer? (Select THREE.)

Select 3 answers
A.Configure an 'UpdateWaitCondition' in the CloudFormation template to pause the stack update until a healthy signal is received from the new instances.
B.Add a custom resource that triggers an AWS Lambda function to take a snapshot of the database before the update.
C.Ensure that the Auto Scaling group spans at least three Availability Zones to distribute instances.
D.Set the Auto Scaling group's UpdatePolicy to 'AutoScalingRollingUpdate' with a 'BatchSize' of 1 and 'MinInstancesInService' equal to the desired capacity.
E.Define a lifecycle hook for the Auto Scaling group that delays instance termination until the new instance is fully registered and healthy with the load balancer.
Answers: A, D, E

Wait conditions allow you to verify that new instances are healthy before proceeding.

Why this answer

Option A is correct because an 'UpdateWaitCondition' in a CloudFormation template can pause the stack update until a healthy signal is received from the new instances. This ensures that the update proceeds only after the new instances have passed health checks, preventing premature traffic routing and potential downtime.

Exam trap

The trap here is that candidates may confuse general high-availability practices (like multi-AZ distribution) with specific update-time actions that prevent downtime, or they may think database snapshots are relevant to instance-level availability during a stack update.

277
Matching · medium

Match each AWS Config rule to its purpose.


Matches

Checks that resources have specified tags

Ensures EBS volumes are encrypted

Prevents public read access on S3 buckets

Verifies CloudTrail is enabled

Checks for IAM policies granting full admin access

Why these pairings

These are common managed Config rules for compliance.

278
MCQ · medium

A DevOps engineer is troubleshooting a failed AWS CloudFormation stack creation. The stack creates an EC2 instance with a user data script that runs a configuration management tool. The instance launches successfully, but the user data script fails. How can the engineer retrieve the user data execution logs to debug the issue?

A.Use AWS CloudTrail to view the user data execution events.
B.Use AWS Systems Manager Run Command to retrieve the logs remotely.
C.Check the CloudWatch Logs group for the instance.
D.Access the instance via EC2 Instance Connect and check /var/log/cloud-init-output.log.
Answer: D

Cloud-init logs contain the output of user data scripts.

Why this answer

Option D is correct. User data scripts run as root, and their output is typically logged to /var/log/cloud-init-output.log on Linux instances. Option A is incorrect because CloudTrail does not capture user data execution logs.

Option B is incorrect because Systems Manager Run Command is not used to retrieve logs from user data. Option C is incorrect because the CloudWatch Logs agent must be configured in the user data to send logs; it is not enabled automatically.

279
MCQ · easy

A DevOps engineer is implementing AWS Config rules to enforce tagging standards on resources. The rule should trigger a remediation action via AWS Systems Manager Automation to apply the correct tags if a resource is non-compliant. What is the correct way to set up this remediation?

A.Use the AWS Config rule's remediation action to run an AWS Systems Manager Automation document.
B.Configure the AWS Config rule to send events to AWS CodePipeline to trigger a pipeline that fixes the tags.
C.Configure a CloudWatch Events rule to detect non-compliant resources and invoke a Lambda function that applies tags.
D.Use an SNS topic to notify administrators when a resource is non-compliant.
Answer: A

A: Config rules have a built-in remediation feature that can execute an Automation document.

Why this answer

Option A is correct because AWS Config rule remediation actions can be configured to run a Systems Manager Automation document when a resource is non-compliant. Option C is wrong because CloudWatch Events alone cannot run remediation; it would need a target such as Lambda. Option D is wrong because SNS notifications are just notifications, not remediation.

Option B is wrong because AWS Config does not directly trigger CodePipeline.

280
Multi-Select · medium

Which THREE are valid AWS Systems Manager capabilities for configuration management? (Select THREE.)

Select 3 answers
A.Run Command
B.OpsCenter
C.Parameter Store
D.Patch Manager
E.State Manager
Answers: A, D, E

Run Command is for ad-hoc command execution; State Manager and Patch Manager handle ongoing configuration and patching.

Why this answer

Option E is correct because State Manager is used for configuration management. Option D is correct because Patch Manager manages patching. Option A is correct because Run Command executes commands remotely.

Option B is wrong because OpsCenter is for operational issues. Option C is wrong because Parameter Store is for secrets management, not configuration management per se.

281
Multi-Select · medium

A company uses AWS CloudFormation to manage a production environment with multiple stacks. The DevOps team needs to implement a change management process that requires approval for any changes to the production stack. Which approaches meet this requirement? (Choose TWO.)

Select 2 answers
A.Create an IAM policy that allows only read-only access to the production stack and a separate role with write access.
B.Require that all stack updates be performed through a change set that is reviewed and executed by a separate role.
C.Use AWS CodePipeline with a manual approval step before executing a CloudFormation change set.
D.Use AWS Config rules to detect unapproved changes and automatically revert them.
E.Use an SCP to deny all CloudFormation actions except from a specific CI/CD role.
Answers: B, C

B: Change sets allow previewing changes; a separate role can execute after review.

Why this answer

Options B and C are correct. B: Using a change set allows reviewing proposed changes without applying them. C: Using CodePipeline with a manual approval step before executing the change set is a valid approach (StackSets with approval workflows are not a standard feature).

Option E is wrong because SCPs cannot control CloudFormation changes specifically. Option A is wrong because IAM policies can restrict who can update, but do not provide an approval workflow. Option D is wrong because Config rules are detective, not preventive.
