CCNA Monitoring and Logging Questions

75 of 261 questions · Page 2/4 · Monitoring and Logging · Answers revealed

76
MCQ · medium

A company uses Amazon CloudWatch to monitor its EC2 instances. A DevOps engineer notices that some metrics (e.g., memory utilization) are not available in the CloudWatch console. The engineer wants to collect these metrics. What should the engineer do?

A. Enable VPC Flow Logs for the instance's subnet.
B. Install and configure the CloudWatch Agent on the EC2 instances.
C. Send the metrics to CloudWatch Logs and create a metric filter.
D. Enable detailed monitoring on the EC2 instances.
Answer: B

The CloudWatch Agent collects custom metrics including memory and disk utilization.

Why this answer

Option B is correct because EC2 does not report memory metrics by default; you need to install the CloudWatch Agent to collect custom metrics like memory. Option D is wrong because detailed monitoring only provides more frequent data for built-in metrics. Option C is wrong because CloudWatch Logs is for logs, not metrics.

Option A is wrong because VPC Flow Logs capture network traffic, not instance-level metrics.

77
Multi-Select · hard

A company is running a production application on Amazon ECS with Fargate. The DevOps team needs to monitor the application's performance and set up alerts for high memory usage. Which THREE steps should the team take to achieve this?

Select 3 answers
A. Configure CloudWatch to automatically collect memory metrics from Fargate tasks
B. Create a custom CloudWatch metric and publish memory usage data from the application
C. Set up a CloudWatch alarm on the custom memory metric with appropriate threshold and actions
D. Enable the ECS task metadata endpoint and configure the application to publish memory metrics to CloudWatch
E. Enable Amazon CloudWatch Container Insights for the ECS cluster
Answers: B, C, D

Custom metrics allow monitoring of memory usage in Fargate.

Why this answer

Options B, C, and D are correct. To monitor memory usage in ECS Fargate, you must enable the ECS task metadata endpoint, which allows the container to publish memory metrics to CloudWatch. Then create a custom CloudWatch metric from the container, and set up a CloudWatch alarm on that metric.

Option E is wrong because Container Insights requires the CWAgent configuration. Option A is wrong because CloudWatch does not automatically collect memory metrics from Fargate; custom metrics are needed.

78
Multi-Select · medium

A DevOps team is setting up centralized logging for a multi-account AWS environment. They want to aggregate logs from all accounts into a single S3 bucket. Which services should be used to achieve this? (Choose TWO.)

Select 2 answers
A. AWS CloudTrail
B. AWS Config
C. Amazon CloudWatch Logs
D. Amazon Kinesis Data Firehose
E. Amazon S3 replication
Answers: A, C

Correct. CloudTrail can be configured to deliver logs from multiple accounts to a central S3 bucket.

Why this answer

AWS CloudTrail is correct because it can be configured to deliver log files from multiple accounts to a single S3 bucket by setting up a trail in the management account and using the 'Enable for all accounts in my organization' option, which automatically applies the trail to all member accounts in AWS Organizations. This centralizes CloudTrail logs without requiring per-account configuration.

Exam trap

The trap here is that candidates often confuse Amazon Kinesis Data Firehose as a log aggregation service, but it is a delivery stream that requires a log source to send data to it, not a service that natively collects logs from multiple accounts.

79
Multi-Select · easy

A DevOps engineer is investigating a performance issue in a serverless application using AWS Lambda. The engineer wants to view the duration of each invocation and identify cold starts. Which TWO AWS services should be used? (Choose TWO.)

Select 2 answers
A. Amazon CloudWatch Metrics for Lambda (duration, invocations)
B. AWS X-Ray to trace invocations and detect cold starts
C. AWS CloudTrail to record Lambda API calls
D. Amazon CloudWatch Logs for Lambda execution logs
E. AWS Config to track Lambda configuration changes
Answers: A, D

CloudWatch Metrics shows duration and invocation counts.

Why this answer

Amazon CloudWatch Metrics for Lambda (option A) provides built-in metrics such as duration and invocations, which are essential for analyzing performance trends and identifying slow invocations. AWS X-Ray (option B) traces individual requests through the Lambda function and can explicitly detect cold starts by showing the initialization phase duration, making it the correct complementary service.

Exam trap

The trap here is that candidates often assume CloudWatch Logs (option D) is needed for performance analysis, but Lambda execution logs contain custom log output and error messages, not structured duration or cold start data—those are provided by CloudWatch Metrics and X-Ray respectively.

80
MCQ · hard

A company runs a containerized application on Amazon ECS Fargate. The DevOps team wants to collect custom application metrics (e.g., request count, error rate) and send them to Amazon CloudWatch. The team wants to minimize changes to the application code. Which solution should be used?

A. Have the application call the CloudWatch PutMetricData API directly.
B. Run the CloudWatch agent as a sidecar container in the ECS task definition, configured to collect StatsD metrics from the application container.
C. Use the ECS agent's built-in metric collection feature.
D. Modify the application to send logs using the embedded metric format.
Answer: B

Correct: The CloudWatch agent can collect StatsD metrics without code changes.

Why this answer

Option B is correct because the CloudWatch agent can run as a sidecar container in the same ECS task definition and listen for StatsD metrics (over UDP port 8125) from the application container. This approach requires zero changes to the application code—the application simply emits StatsD-formatted metrics, and the CloudWatch agent forwards them to CloudWatch via the PutMetricData API. It minimizes operational overhead while enabling custom metric collection from containerized workloads on Fargate.

Exam trap

The trap here is that candidates often assume the ECS agent or CloudWatch agent must be installed on the host, but in Fargate, the sidecar pattern is the only way to run the CloudWatch agent without modifying the application code.

How to eliminate wrong answers

Option A is wrong because it requires modifying the application code to call the CloudWatch PutMetricData API directly, which contradicts the requirement to minimize code changes. Option C is wrong because the ECS agent's built-in metric collection feature only gathers infrastructure-level metrics (CPU, memory, network) for the task, not custom application metrics like request count or error rate. Option D is wrong because it requires modifying the application to emit logs in the embedded metric format and then configuring a log subscription filter to extract metrics, which still involves code changes and adds complexity compared to the sidecar approach.

81
Multi-Select · hard

A DevOps engineer needs to set up a monitoring solution for an application running on Amazon EKS. The application emits custom metrics that need to be stored in Amazon CloudWatch and visualized on a dashboard. Which THREE steps should the engineer take? (Choose THREE.)

Select 3 answers
A. Configure the CloudWatch agent to emit custom metrics to CloudWatch.
B. Use CloudWatch Logs Insights to analyze the custom metrics.
C. Create a CloudWatch dashboard to visualize the collected metrics.
D. Install the CloudWatch agent on the EKS cluster using a DaemonSet.
E. Use Amazon Managed Service for Prometheus to scrape the metrics.
Answers: A, C, D

The agent must be configured to send custom metrics.

Why this answer

Option A is correct because the CloudWatch agent can be configured to emit custom application metrics to Amazon CloudWatch, which is the required destination for storing the metrics. The agent uses the CloudWatch PutMetricData API to send these metrics, enabling centralized monitoring and alerting within CloudWatch.

Exam trap

The trap here is that candidates may confuse CloudWatch Logs Insights (for logs) with CloudWatch Metrics (for numeric data), or assume Amazon Managed Service for Prometheus is a direct replacement for CloudWatch metrics, when the question specifically requires storing custom metrics in CloudWatch.

82
MCQ · easy

A company is running a critical application on Amazon RDS for PostgreSQL. The DevOps team needs to set up monitoring to detect when database connections exceed 80% of the maximum connections for more than 5 minutes. Which CloudWatch metric should be used to create an alarm?

A. DatabaseConnections
B. FreeableMemory
C. CPUUtilization
D. DiskQueueDepth
Answer: A

The DatabaseConnections metric directly provides the number of current connections, which can be compared to the maximum connections to determine threshold breaches.

Why this answer

Option A is correct because the DatabaseConnections metric shows the number of connections to the DB instance. Option C is wrong because CPUUtilization measures CPU usage, not connections. Option B is wrong because FreeableMemory measures available memory.

Option D is wrong because DiskQueueDepth measures disk I/O.

83
MCQ · medium

Your company runs a multi-tier web application on AWS. The application consists of an Application Load Balancer (ALB) that distributes traffic to a fleet of Amazon EC2 instances running a web server. The web servers write access logs to a shared Amazon EFS filesystem. The operations team needs to monitor the web server logs in real-time to detect and alert on 5xx error spikes. Currently, the team manually SSHes into instances to tail logs, which is inefficient and doesn't provide real-time alerting. The team wants a centralized, near-real-time logging solution with minimal operational overhead. They have asked you to design a solution that ingests logs from the EFS filesystem into a centralized log analytics platform. Which solution would you recommend?

A. Enable AWS CloudTrail data events for the EC2 instances to capture log file modifications.
B. Configure an Amazon EventBridge scheduled rule to invoke an AWS Lambda function that reads new log lines from EFS and publishes them to Amazon CloudWatch Logs.
C. Stream the log files to Amazon Kinesis Data Streams using a custom producer, then use a Lambda function to analyze and alert on 5xx errors.
D. Install and configure the Amazon CloudWatch Logs agent on each EC2 instance to tail the log files from the EFS mount and send them to CloudWatch Logs. Create a metric filter and alarm for 5xx errors.
Answer: D

The CloudWatch agent provides near-real-time log ingestion and built-in support for metric filters and alarms.

Why this answer

Option D is correct because installing the CloudWatch Logs agent on each EC2 instance allows it to tail the log files from the shared EFS mount point and stream them to CloudWatch Logs in near real-time. This provides centralized log ingestion with minimal operational overhead, and you can create a metric filter and alarm to detect and alert on 5xx error spikes without manual SSH access.

Exam trap

The trap here is that candidates may overcomplicate the solution by choosing Kinesis or Lambda-based approaches (Options B and C) when a simple agent-based solution (Option D) is sufficient, or they may confuse CloudTrail data events (Option A) with log file monitoring, not realizing CloudTrail captures API activity, not file content changes.

How to eliminate wrong answers

Option A is wrong because CloudTrail data events for EC2 instances capture API calls (e.g., RunInstances, TerminateInstances), not log file modifications on EFS; they cannot ingest or analyze web server log content. Option B is wrong because an EventBridge scheduled rule with a Lambda function that reads new log lines from EFS would introduce latency (scheduled intervals) and complexity in tracking file offsets, making it unsuitable for near-real-time monitoring. Option C is wrong because streaming logs to Kinesis Data Streams requires a custom producer to be deployed and managed, adding significant operational overhead compared to the agent-based approach, and it does not directly integrate with CloudWatch Logs for metric filtering and alerting without additional Lambda processing.

84
Multi-Select · hard

A company runs a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The application logs show that some requests are timing out. The team needs to identify the source of the issue. Which TWO steps should they take?

Select 2 answers
A. Enable ALB access logs and analyze them.
B. Enable VPC Flow Logs to capture network traffic.
C. Enable AWS WAF logs to inspect HTTP requests.
D. Review CloudWatch metrics for the ALB, such as 'RequestCount' and 'TargetResponseTime'.
E. Enable AWS CloudTrail to log all API calls.
Answers: A, D

Access logs provide request-level details including response times.

Why this answer

Option A is correct because ALB access logs contain detailed request information. Option D is correct because CloudWatch metrics for ALB show request counts per target. Option E is wrong because CloudTrail logs API calls, not application requests.

Option B is wrong because VPC Flow Logs show network traffic but not application-level details. Option C is wrong because WAF logs are for web ACLs, not general request tracing.

85
MCQ · hard

Refer to the exhibit. An alarm is configured as shown. The CPU utilization averages 85% for 10 minutes, then spikes to 95% for the next 5 minutes, and returns to 80%. How many times will the SNS topic receive a notification?

A. 0
B. 1
C. 2
D. 3
Answer: A

Correct; the alarm never enters ALARM state.

Why this answer

The alarm evaluates every 300 seconds (5 minutes) and requires 2 consecutive evaluation periods above the threshold to enter ALARM. The spike to 95% lasts only one period, so the 2-period condition is never met. The OK action fires only on a transition from ALARM to OK; since the alarm never enters ALARM, no notification is sent.

86
MCQ · hard

A company runs a microservices application on Amazon ECS with Fargate. The application logs are sent to CloudWatch Logs. Recently, the operations team noticed that logs from one service are missing for certain time periods. The service is very chatty and produces a high volume of logs. The CloudWatch Logs agent is configured with default settings. What is the MOST likely cause of the missing logs?

A. CloudWatch Logs has a throttling limit on log ingestion per log group.
B. The log group has reached its maximum size and stopped accepting new logs.
C. The CloudWatch Logs agent is dropping logs due to the default batch size and timeout settings.
D. The log retention policy is set to 1 day, so older logs are automatically deleted.
Answer: C

The agent buffers logs, and if the buffer is exceeded, logs may be dropped. Increasing the batch size and timeout can help.

Why this answer

Option C is correct because the CloudWatch Logs agent has a default batch size limit (1MB) and batch timeout (5 seconds). High-volume logs may be dropped if the buffer fills and the agent cannot flush quickly enough. Option A is wrong because CloudWatch Logs does not have per-log-group throttling, but it does have per-account throttling.

Option B is wrong because the agent does not stop sending logs when the log group is full; it overwrites old logs if retention is set. Option D is wrong because CloudWatch Logs retention policy does not affect ingestion.

87
Multi-Select · easy

A company uses AWS Lambda for data processing. The operations team wants to be alerted when a function fails. Which TWO methods can they use?

Select 2 answers
A. Configure S3 event notifications to trigger on Lambda errors.
B. Enable AWS CloudTrail to log Lambda invocations.
C. Configure a dead-letter queue (DLQ) for the Lambda function and monitor the queue.
D. Create a CloudWatch alarm on the 'Errors' metric for the Lambda function.
E. Use AWS Config to detect Lambda function failures.
Answers: C, D

Failed invocations are sent to the DLQ.

Why this answer

Option D is correct because CloudWatch alarms can monitor the 'Errors' metric. Option C is correct because Lambda can send failed invocation records to a dead-letter queue (DLQ), which can trigger alerts. Option B is wrong because CloudTrail logs API calls, not function execution.

Option A is wrong because S3 event notifications are not triggered by Lambda errors. Option E is wrong because Config is for resource configuration, not runtime errors.

88
MCQ · easy

A company runs a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The application uses a custom health check endpoint '/health'. The DevOps team notices that the ALB is marking some instances as unhealthy even though the application is running fine. The team checks the security groups and network ACLs and confirms they allow traffic. What should the team check next?

A. Ensure the health check path is case-insensitive.
B. Increase the health check interval and timeout values.
C. Confirm that the health check path is correctly configured to '/health' on the target group.
D. Verify that the health check port matches the application port.
Answer: C

Misconfigured path leads to non-200 responses.

Why this answer

Option C is correct. The health check path must match the application's endpoint. If the path is wrong, the ALB will receive a non-200 response.

Option D is incorrect because the health check port is typically the same as the traffic port. Option B is incorrect because response timeout is a symptom, not a cause. Option A is incorrect because the path is case-sensitive by default.

89
Multi-Select · easy

A company wants to ensure that all changes to its Amazon S3 bucket policies are logged for auditing purposes. Which TWO AWS services should be enabled to capture these changes?

Select 2 answers
A. Amazon CloudWatch
B. AWS Config
C. Amazon GuardDuty
D. VPC Flow Logs
E. AWS CloudTrail
Answers: B, E

Config records changes to S3 bucket policies.

Why this answer

Options B and E are correct. AWS Config records resource configuration changes, including bucket policies. CloudTrail records API calls like PutBucketPolicy.

Option A is wrong because CloudWatch is not for auditing. Option D is wrong because VPC Flow Logs capture network traffic. Option C is wrong because GuardDuty is for threat detection.

90
Multi-Select · medium

A DevOps engineer is designing a monitoring solution for a multi-tier web application hosted on AWS. The application consists of an Application Load Balancer (ALB), EC2 instances, and an RDS database. The engineer needs to capture and analyze HTTP request logs from the ALB to understand client behavior and troubleshoot errors. Which THREE steps are necessary to achieve this?

Select 3 answers
A. Install the CloudWatch Agent on the ALB
B. Enable AWS CloudTrail for the ALB
C. Use Amazon Athena to query the access logs in S3
D. Enable access logs on the ALB
E. Create an Amazon S3 bucket to store the access logs
Answers: C, D, E

Athena can query the log files directly.

Why this answer

Option D is correct because ALB access logs must be enabled. Option E is correct because access logs are stored in S3. Option C is correct because Athena can query the logs in S3.

Option A is wrong because the CloudWatch Agent is not needed for ALB logs. Option B is wrong because CloudTrail captures API calls, not HTTP requests.

91
MCQ · hard

A company is migrating its on-premises applications to AWS and wants to maintain the same level of monitoring for its Linux-based EC2 instances. They currently use Nagios for monitoring. They want a managed AWS service that can monitor instance health, system metrics, and application logs. Which solution should they use?

A. Install the Amazon CloudWatch agent on each EC2 instance to collect system metrics and logs, and send them to CloudWatch.
B. Use AWS CloudTrail to monitor instance activity and capture log files.
C. Use AWS Systems Manager Inventory to collect system configuration and log files.
D. Use AWS Config to track instance configuration changes and trigger alerts.
Answer: A

The CloudWatch agent can collect both metrics and logs, replacing Nagios.

Why this answer

Option A is correct because the CloudWatch unified agent collects system metrics and logs, and integrates with CloudWatch. Option C is wrong because Systems Manager Inventory is for software inventory, not real-time monitoring. Option B is wrong because CloudTrail is for API logging.

Option D is wrong because Config is for configuration compliance.

92
MCQ · hard

A company runs a containerized application on Amazon ECS with Fargate launch type. The application consists of three microservices: frontend, backend, and database. The ECS cluster is in a VPC with public and private subnets. The frontend service is publicly accessible via an Application Load Balancer (ALB) in public subnets. The backend service communicates with the database service, which runs as a stateful service with persistent storage using Amazon EFS. The DevOps team is using CloudWatch Container Insights and has enabled Prometheus metrics for the ECS cluster. Recently, the team observed that the frontend service's response time has increased significantly, and some requests are timing out. The team checked the ALB metrics and saw an increase in 5xx errors. They also noticed that the backend service's CPU utilization is high, and the database service's disk I/O is high. The team suspects a bottleneck in the backend service. Which course of action should the team take FIRST to identify the root cause?

A. Disable the health check for the backend service in the ALB target group.
B. Migrate the database service to Amazon RDS for better performance.
C. Check the backend service's application logs in CloudWatch Logs to identify errors or slow database queries.
D. Increase the desired count of the backend service to reduce load per task.
Answer: C

Logs will help pinpoint the issue.

Why this answer

Option C is correct. The first step is to analyze the backend service's application logs to identify any errors or slow operations. The high CPU and disk I/O could be symptoms of inefficient queries or code.

Option D is incorrect because increasing capacity without understanding the root cause may not solve the issue and could increase costs. Option B is incorrect because switching to a different database does not address the immediate issue. Option A is incorrect because disabling health checks would hide the problem, not fix it.

93
Multi-Select · medium

A DevOps engineer is setting up centralized logging for a multi-account environment using AWS Organizations. The engineer needs to aggregate logs from all accounts into a single Amazon S3 bucket. Which TWO steps are necessary?

Select 2 answers
A. Create IAM roles in each account to allow the central bucket to read logs.
B. Create a bucket policy on the central S3 bucket that grants permissions to the source accounts.
C. Enable CloudTrail organization trail in the management account to deliver logs to the central bucket.
D. Set up a cross-account subscription in CloudWatch Logs to forward logs to the central account.
E. Configure each account's services (e.g., CloudTrail, VPC Flow Logs) to deliver logs to the central S3 bucket.
Answers: B, E

The bucket policy must allow the source accounts to write logs.

Why this answer

Option B is correct because a bucket policy on the central S3 bucket can grant cross-account permissions to source accounts to write logs. This allows services like CloudTrail and VPC Flow Logs from member accounts to deliver logs directly to the central bucket without requiring IAM roles in each account for reading logs.

Exam trap

The trap here is that candidates often confuse the need for IAM roles in each account (Option A) with the correct bucket policy approach, or they assume that enabling an organization trail (Option C) is mandatory when the question allows for individual account configuration.

94
MCQ · hard

A company uses Amazon S3 to store sensitive data. The security team wants to be notified when an S3 bucket policy is modified. Which approach is most efficient?

A. Create an Amazon EventBridge rule that matches the 'PutBucketPolicy' API call and sends a notification to an SNS topic.
B. Set up an AWS Config rule to detect changes to the bucket policy.
C. Configure S3 event notifications for 's3:PutBucketPolicy' on the bucket.
D. Enable S3 server access logs and use CloudWatch Logs Insights to run queries periodically.
Answer: A

EventBridge provides real-time filtering of CloudTrail events.

Why this answer

Option A is correct because CloudTrail logs S3 bucket policy changes, and EventBridge can filter those events to trigger an SNS notification. Option D is wrong because CloudWatch Logs Insights is a query tool, not real-time alerting. Option C is wrong because S3 event notifications are for object-level events, not bucket policy changes.

Option B is wrong because Config can detect changes but is not the most efficient for real-time alerting.

95
MCQ · hard

A company is running a critical application on Amazon ECS with Fargate launch type. The application writes logs to Amazon CloudWatch Logs. The DevOps team needs to set up an alert when the application generates more than 100 error logs in any 5-minute window. Which configuration should be used?

A. Create a CloudWatch Logs Insights query that runs every 5 minutes and triggers an SNS notification
B. Create an Amazon EventBridge rule that matches CloudWatch Logs events for the word 'ERROR' and triggers an alarm
C. Create a CloudWatch Logs metric filter for 'ERROR' and a CloudWatch alarm on the resulting metric with a period of 5 minutes
D. Enable AWS CloudTrail logging for the ECS task and create a metric filter on CloudTrail logs
Answer: C

Metric filter extracts error count into a custom metric, and alarm triggers when threshold exceeded.

Why this answer

Option C is correct because a CloudWatch Logs metric filter can parse logs for the word 'ERROR' and create a custom metric, and a CloudWatch alarm can be set on that metric. Option A is wrong because CloudWatch Logs Insights is for querying, not real-time alerting. Option B is wrong because EventBridge can't directly parse log contents.

Option D is wrong because CloudTrail is for API calls.

96
MCQ · hard

A DevOps team is using Amazon CloudWatch Logs to centralize logs from multiple EC2 instances running a custom application. The team notices that logs are missing from some instances intermittently. The CloudWatch agent configuration is identical across all instances. What is the MOST likely cause of the missing logs?

A. The CloudWatch Logs agent's state file has become corrupted due to a disk-full condition
B. The VPC Flow Logs are consuming all available network bandwidth
C. The EC2 instances are running out of CPU credits, causing the agent to skip log batches
D. The IAM role attached to the instances has been rotated incorrectly
Answer: A

If the agent's buffer disk is full, it stops sending logs until space is freed.

Why this answer

Option A is correct because the CloudWatch agent will stop sending logs if the disk space dedicated to the log buffer is full, which can happen if the destination log group or stream is throttled. Option B is wrong because VPC Flow Logs do not affect CloudWatch Logs. Option D is wrong because IAM roles are typically checked at startup, and intermittent issues are unlikely.

Option C is wrong because CPU utilization does not directly cause log loss; the agent prioritizes logs.

97
MCQ · medium

A DevOps engineer is setting up centralized logging for multiple AWS accounts. They need to collect VPC Flow Logs, CloudTrail logs, and application logs into a single Amazon S3 bucket. What is the most efficient approach?

A. Configure a Lambda function in each account to copy logs to a central S3 bucket.
B. Create an S3 bucket in each account and use S3 replication.
C. Use Amazon Kinesis Data Firehose to stream logs from all accounts to a central S3 bucket.
D. Use an S3 bucket in a centralized logging account with a bucket policy that grants write access from all other accounts.
Answer: D

This allows direct cross-account log delivery.

Why this answer

Option D is correct because using an S3 bucket policy in a centralized account to allow cross-account log delivery is a common pattern. Option B is wrong because aggregating logs in a single account's S3 bucket requires cross-account permissions. Option C is wrong because Kinesis Data Firehose is not needed for simple log aggregation.

Option A is wrong because Lambda functions would add complexity and cost.

98
Multi-Select · hard

A company runs a web application on Amazon EC2 instances behind an Application Load Balancer. The DevOps team has enabled detailed CloudWatch metrics for the ALB and is using CloudWatch Logs for the EC2 instances. Recently, users report intermittent 503 errors. The team notices that the ALB's 'RequestCount' metric shows a sudden drop during error periods, while the 'ActiveConnectionCount' remains steady. Which TWO steps should the team take to diagnose the issue? (Choose two.)

Select 2 answers
A. Enable and analyze the ALB access logs to see the HTTP response codes and target processing time.
B. Check the Amazon Route 53 health checks for the ALB DNS name.
C. Review the EC2 instances' CloudWatch metrics for CPU utilization and network traffic.
D. Observe the ALB's 'UnhealthyHostCount' metric and check target group health checks.
E. Inspect AWS CloudTrail logs for the ALB to see if there are any configuration changes.
Answers: A, D

Access logs provide detailed per-request information, including 503 responses and which target handled the request.

Why this answer

Option A is correct because ALB access logs contain detailed per-request data, including HTTP response codes (e.g., 503) and target processing time. Analyzing these logs will reveal whether the 503 errors are coming from the ALB itself (e.g., due to request queue overflow) or from the targets, and whether the sudden drop in RequestCount is due to clients aborting or the ALB throttling requests.

Exam trap

The trap here is that candidates often focus on EC2-level metrics (CPU, network) or CloudTrail config changes, missing that the ALB's own health check and access log data are the direct sources for diagnosing 503 errors tied to target unavailability or request queue limits.

99
MCQ · medium

A DevOps engineer receives an alarm that an EC2 instance's StatusCheckFailed metric has been in ALARM state for 10 minutes. Which action should the engineer take first to investigate?

A. Review the instance's system log and application logs in CloudWatch Logs
B. Use AWS Config to check the instance's configuration compliance
C. Check AWS CloudTrail for any API calls that modified the instance
D. Restart the EC2 instance to clear the alarm
Answer: A

Correct. System logs help diagnose instance status check failures.

Why this answer

Option A is correct because StatusCheckFailed indicates an instance issue; reviewing system logs in CloudWatch Logs can reveal the cause. Option D (restart) might resolve the issue temporarily but does not diagnose it. Option C (CloudTrail) logs API calls, not OS-level issues.

Option B (Config) is for configuration compliance.

100
MCQ · medium

A company uses AWS CloudTrail to log API activity across multiple accounts. The security team needs to ensure that all CloudTrail logs are delivered to a centralized S3 bucket in the audit account, and that any log file validation failures trigger an immediate notification. What should the engineer do to meet this requirement?

A. Enable CloudTrail log file validation and create a CloudWatch alarm on the DigestDeliveryFailed metric
B. Create a Lambda function that checks the integrity of logs and publishes to SNS
C. Configure CloudTrail to deliver logs to the S3 bucket and enable SNS notifications for all events
D. Send CloudTrail logs to CloudWatch Logs and create a metric filter for validation errors
Answer: A

Log file validation detects tampering; the DigestDeliveryFailed metric triggers the alarm.

Why this answer

Option A is correct because enabling log file validation and creating a CloudWatch alarm on the DigestDeliveryFailed metric will trigger notifications. Option C is wrong because CloudTrail does not publish to SNS directly. Option D is wrong because CloudWatch Logs is for log streams, not CloudTrail.

Option B is wrong because Lambda is not needed for this simple alert.

101
MCQmedium

A DevOps team needs to monitor failed API calls in their AWS account. They want to receive notifications when specific IAM actions, such as DeleteBucket, fail. Which service should they use?

A.AWS CloudTrail and Amazon EventBridge.
B.AWS Config rules.
C.Amazon S3 server access logs.
D.CloudWatch Logs and metric filters.
AnswerA

CloudTrail logs API calls; EventBridge can filter them and route notifications to SNS.

Why this answer

Option A is correct because CloudTrail logs API calls, and CloudWatch Events (now Amazon EventBridge) can be used to create rules that match specific API calls and trigger notifications. Option D is wrong because CloudWatch Logs and metric filters do not directly capture API calls. Option B is wrong because Config monitors resource configuration, not API calls.

Option C is wrong because S3 server access logs are for object-level operations.

102
MCQmedium

A company is using Amazon CloudWatch Logs Insights to analyze application logs. The DevOps team needs to create a metric filter that counts occurrences of the word 'ERROR' in the log events. Which CloudWatch Logs Insights query should be used to test the metric filter?

A.fields @timestamp, @message | stats count() by bin(5m)
B.fields @timestamp, @message | filter @message like /ERROR/
C.fields @timestamp, @message | parse @message '[*] *' as @severity, @log
D.fields @timestamp, @message | sort @timestamp desc
AnswerB

This query filters events containing 'ERROR', useful for testing the metric filter.

Why this answer

Option B is correct because the `fields @timestamp, @message` command retrieves the relevant fields, and `filter @message like /ERROR/` filters events containing 'ERROR'. Option A is wrong because `stats count() by bin(5m)` aggregates but doesn't show individual matches. Option C is wrong because `parse @message` extracts fields but doesn't filter.

Option D is wrong because `sort @timestamp desc` only sorts.

103
MCQeasy

A company wants to be alerted when the root user signs in to the AWS Management Console. Which service should be used to create a monitoring rule for this event?

A.AWS Config
B.Amazon S3
C.AWS IAM
D.Amazon CloudWatch Events (now Amazon EventBridge) with a rule for the 'RootSignIn' event from CloudTrail
AnswerD

CloudWatch Events can match the root sign-in event and send notifications.

Why this answer

Amazon CloudWatch Events (now Amazon EventBridge) can monitor AWS CloudTrail API calls and trigger actions based on specific events. The 'RootSignIn' event is a predefined CloudTrail event that fires when the root user signs in to the AWS Management Console. By creating a CloudWatch Events rule that matches this event, you can send notifications (e.g., via SNS) or invoke automated responses, meeting the alerting requirement.

Exam trap

The trap here is that candidates may confuse AWS Config (which can detect configuration changes but not real-time API call events) with CloudWatch Events, or mistakenly think IAM can generate alerts, when in fact only CloudWatch Events can create rules based on CloudTrail events like 'RootSignIn'.

How to eliminate wrong answers

Option A is wrong because AWS Config is used for resource inventory, configuration history, and compliance auditing, not for real-time event monitoring or alerting on specific API calls like root user sign-ins. Option B is wrong because Amazon S3 is an object storage service and cannot natively create monitoring rules or trigger alerts based on CloudTrail events; it can only store logs or serve as a target for notifications. Option C is wrong because AWS IAM manages users, roles, and permissions but does not provide event-driven monitoring or alerting capabilities; it cannot create rules to detect and respond to root user sign-ins.

104
MCQhard

Refer to the exhibit. A CloudFormation template deploys a Lambda function with X-Ray tracing enabled. However, traces are not appearing in the X-Ray console. What is the most likely missing configuration?

A.The Lambda runtime (nodejs18.x) does not support X-Ray tracing.
B.The Lambda execution role does not have permissions to upload trace data to X-Ray.
C.The TracingConfig mode is set to 'Active' but should be 'PassThrough'.
D.The Lambda function code does not use the AWS X-Ray SDK.
AnswerB

The role needs xray:PutTraceSegments and xray:PutTelemetryRecords.

Why this answer

Option B is correct because the Lambda function's IAM role only has the AWSLambdaBasicExecutionRole, which grants permissions to write to CloudWatch Logs but not to send trace data to X-Ray. The function needs the AWSXRayDaemonWriteAccess policy or equivalent permissions. Option A is wrong because Node.js 18 is supported.

Option D is wrong because the code logs the event but does not affect X-Ray. Option C is wrong because the TracingConfig is already set to Active.

105
MCQhard

A company runs a multi-region application on Amazon EC2 instances across us-east-1 and eu-west-1. The application uses an Amazon Aurora global database for writes in us-east-1 and reads in eu-west-1. The DevOps team wants to monitor the replication lag between the primary and secondary regions. They have set up a CloudWatch alarm on the AuroraReplicaLag metric in both regions. However, they notice that the alarm in eu-west-1 sometimes triggers false positives when the lag spikes briefly but then recovers. The team wants to reduce false alarms while still being alerted to sustained high lag that could impact read replicas. The team is already using a standard CloudWatch alarm with a period of 1 minute and evaluation periods of 1. What should the team change to reduce false positives?

A.Increase the alarm threshold to a higher value, such as 10 seconds.
B.Reduce the metric period to 30 seconds to get more granular data.
C.Increase the number of evaluation periods to 3, so the alarm triggers only if the lag is high for 3 consecutive minutes.
D.Create a composite alarm that triggers when both the AuroraReplicaLag and CPUUtilization metrics are high.
AnswerC

This requires sustained high lag, filtering out brief spikes.

Why this answer

Option C is correct because increasing the number of evaluation periods requires the lag to be high for a longer duration before the alarm triggers. Option B is wrong because reducing the period would produce more frequent data points, potentially increasing false alarms. Option A is wrong because increasing the threshold would only alert on higher lag, while the false positives are caused by brief spikes.

Option D is wrong because a composite alarm combining multiple metrics is not needed; the issue is with the evaluation period.
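The evaluation-period behaviour behind Option C, as an added example that is not part of the question bank and not AWS code: a small simulator of CloudWatch's EvaluationPeriods / DatapointsToAlarm logic run over a constructed AuroraReplicaLag series, showing that brief spikes trip a 1-period alarm three times but a 3-period alarm only once (the function and constant names are assumed).

```python
"""Simulates how a CloudWatch alarm evaluates a metric with a given number of
evaluation periods. Added example; the lag series is constructed, not real data.
Simplification: the state is INSUFFICIENT_DATA until N datapoints exist, and
ALARM when at least M of the last N datapoints breach the threshold."""
from dataclasses import dataclass, field


@dataclass
class AlarmSim:
    threshold: float            # AuroraReplicaLag value (seconds) treated as "high"
    evaluation_periods: int     # N: consecutive 1-minute periods examined
    datapoints_to_alarm: int = 0    # M of N; 0 means "all N must breach"
    history: list = field(default_factory=list)

    def __post_init__(self):
        if self.datapoints_to_alarm <= 0:
            self.datapoints_to_alarm = self.evaluation_periods

    def evaluate(self, value: float) -> str:
        """Feed one datapoint and return the alarm state after it."""
        self.history.append(value > self.threshold)
        window = self.history[-self.evaluation_periods:]
        if len(window) < self.evaluation_periods:
            return "INSUFFICIENT_DATA"
        return "ALARM" if sum(window) >= self.datapoints_to_alarm else "OK"


def count_alarm_transitions(series, threshold, evaluation_periods, datapoints_to_alarm=0):
    """Number of transitions into ALARM, i.e. how many notifications would be sent."""
    sim = AlarmSim(threshold, evaluation_periods, datapoints_to_alarm)
    transitions, prev = 0, "INSUFFICIENT_DATA"
    for value in series:
        state = sim.evaluate(value)
        if state == "ALARM" and prev != "ALARM":
            transitions += 1
        prev = state
    return transitions


# Constructed 1-minute AuroraReplicaLag samples (seconds): two brief spikes at
# minutes 3 and 6, then a sustained 3-minute lag at minutes 8-10.
LAG_SERIES = [0.2, 0.3, 7.5, 0.4, 0.2, 8.1, 0.3, 6.9, 7.2, 7.8, 0.5]
THRESHOLD = 5.0

if __name__ == "__main__":
    print("1 of 1:", count_alarm_transitions(LAG_SERIES, THRESHOLD, 1))     # 3 alarms
    print("3 of 3:", count_alarm_transitions(LAG_SERIES, THRESHOLD, 3))     # 1 alarm
    print("2 of 3:", count_alarm_transitions(LAG_SERIES, THRESHOLD, 3, 2))  # 1 alarm
```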

106
MCQhard

A company runs a critical e-commerce platform on AWS. The architecture includes an Application Load Balancer (ALB) that distributes traffic to a fleet of EC2 instances in an Auto Scaling group. The EC2 instances run a custom Java application that uses an RDS for MySQL database and an ElastiCache Redis cluster for session caching. The DevOps team has set up CloudWatch alarms for CPU utilization, memory, and database connections. Recently, customers have been reporting slow page load times and occasional timeouts. The team notices that during peak hours, the ALB's TargetResponseTime metric spikes, and the number of healthy hosts in the target group fluctuates. The CPU and memory metrics on the EC2 instances remain within normal ranges. The database CPU is also normal. The team suspects the issue is related to the application's session management. Which course of action should the DevOps team take to identify the root cause?

A.Enable RDS Performance Insights and look for slow queries or connection storms
B.Install the CloudWatch Agent on the EC2 instances to collect additional application-level metrics
C.Monitor ElastiCache metrics such as CPUUtilization, CacheHits, and Evictions to determine if the Redis cluster is overloaded
D.Increase the number of ALB targets and adjust the target group health check interval
AnswerC

ElastiCache metrics will reveal if session caching is causing latency.

Why this answer

Option C is correct because the symptoms (increased latency, fluctuating healthy hosts) and the role of ElastiCache in session caching suggest that Redis performance may be degrading. Monitoring ElastiCache metrics like CPUUtilization, cache hits/misses, and evictions can confirm whether Redis is the bottleneck. Option D is wrong because adding ALB targets does not address session management issues.

Option A is wrong because database connection pooling is not indicated; database CPU is normal. Option B is wrong because the CloudWatch Agent on EC2 would not capture Redis metrics.

107
Multi-Selectmedium

A company is using Amazon CloudWatch Logs to collect logs from multiple EC2 instances. They need to filter logs in real time and send specific log events to a custom application for processing. Which TWO services can they use to achieve this?

Select 2 answers
A.Use Amazon Kinesis Data Analytics to process the log stream.
B.Configure a CloudWatch Logs subscription filter that invokes an AWS Lambda function.
C.Create a CloudWatch Events rule to capture log events and send them to Amazon SQS.
D.Configure a CloudWatch Logs subscription filter that sends data to Amazon Kinesis Data Firehose.
E.Use Amazon S3 event notifications to trigger a Lambda function on new log files.
AnswersB, D

Lambda can process filtered log events in real time.

Why this answer

Correct: B (CloudWatch Logs subscription filter with Lambda) and D (CloudWatch Logs subscription filter with Kinesis Data Firehose). Option A is wrong because Kinesis Data Analytics is for analytics, not forwarding. Option C is wrong because CloudWatch Events is for events, not log filtering.

Option E is wrong because S3 is a destination, not a real-time processing service.

108
MCQhard

A company runs a critical e-commerce application on AWS. The application is deployed on Amazon EC2 instances behind an Application Load Balancer (ALB) in an Auto Scaling group. The instances store session data in an ElastiCache for Redis cluster. Recently, users have reported intermittent session timeouts during peak traffic hours. The operations team notices that CloudWatch alarms for the Redis cluster's CPUUtilization and Evictions metrics are frequently breaching thresholds. The team wants to resolve the issue without incurring unnecessary costs. Which solution should the team implement?

A.Configure a Lambda function to offload session data to Amazon DynamoDB and use DAX for caching.
B.Enable auto scaling for the ElastiCache Redis cluster to add replicas or shards based on CPU and memory utilization.
C.Enable encryption in transit (TLS) for the Redis cluster to reduce overhead.
D.Migrate the Redis cluster to a memory-optimized instance type like r6g.large.
AnswerB

Auto scaling can dynamically add resources to handle peak traffic, reducing evictions and CPU utilization.

Why this answer

Option B is correct because enabling auto scaling with a larger instance type or adding shards (clustering) directly addresses the resource contention causing evictions and high CPU. Option D is wrong because memory-optimized instances may not solve CPU issues; also, increasing memory without scaling CPU may not help. Option C is wrong because enabling encryption in transit does not improve performance.

Option A is wrong because Lambda integration adds complexity and latency without scaling the cache.

109
Multi-Selectmedium

A DevOps engineer needs to set up centralized logging for an application running on multiple EC2 instances across different AWS accounts. The logs must be aggregated in a single S3 bucket and also be analyzed in near real-time. Which TWO services should be used together to achieve this?

Select 2 answers
A.Amazon Simple Queue Service (SQS)
B.Amazon Kinesis Data Firehose
C.AWS CloudTrail
D.Amazon CloudWatch Logs subscription
E.AWS Lambda
AnswersB, D

Kinesis Data Firehose can receive logs from a CloudWatch Logs subscription and deliver them to S3.

Why this answer

Option D (CloudWatch Logs subscription) and Option B (Kinesis Data Firehose) are correct. A CloudWatch Logs subscription can forward logs to Kinesis Data Firehose, which can then deliver them to S3 in near real time. Option C is wrong because CloudTrail is for API logs.

Option E is wrong because Lambda alone cannot efficiently aggregate logs from multiple accounts. Option A is wrong because SQS is for decoupling, not for log aggregation.

110
MCQeasy

A company uses Amazon CloudWatch to monitor its production environment. The DevOps team wants to receive an email notification whenever the average CPU utilization of any EC2 instance exceeds 90% for 5 consecutive minutes. Which steps should be taken to set up this notification?

A.Install the CloudWatch Logs agent on each EC2 instance and configure a metric filter to trigger an SNS notification
B.Create a CloudWatch alarm on CPUUtilization with a threshold of 90% for 5 consecutive periods, and configure an SNS topic to send email
C.Use AWS CloudTrail to monitor CPU utilization and send notifications via SNS
D.Use AWS Config to create a rule that triggers an SNS notification when CPU utilization exceeds 90%
AnswerB

Correct. This is the standard way to set up metric-based notifications.

Why this answer

Option B is correct: create a CloudWatch alarm on the CPUUtilization metric with a threshold of 90% for 5 minutes, and configure an SNS topic to send email. Option C is wrong because CloudTrail is for API logging. Option A is wrong because the CloudWatch Logs agent is for log collection.

Option D is wrong because Config is for configuration auditing.

111
MCQhard

A company uses AWS Lambda with an Amazon DynamoDB table to process high-volume clickstream data. The Lambda function writes the data to DynamoDB. Recently, the function has been experiencing throttling and timeouts during peak traffic. The DevOps team needs to set up monitoring to identify the root cause. Which combination of metrics should they analyze?

A.DynamoDB throttled write events and Lambda concurrent executions.
B.DynamoDB read and write capacity metrics and Lambda error count.
C.CloudWatch metrics for Lambda invocations and duration.
D.CloudWatch Logs for Lambda function logs and Lambda memory utilization.
AnswerA

Throttled write events indicate DynamoDB throttling, and concurrent executions show if Lambda is under-provisioned.

Why this answer

Option A is correct because DynamoDB throttling metrics and Lambda concurrency metrics directly indicate the issue. Option C is wrong because Lambda invocations and duration don't show throttling. Option B is wrong because DynamoDB read/write capacity and Lambda errors don't pinpoint the cause.

Option D is wrong because CloudWatch Logs and Lambda memory are not the primary indicators.

112
MCQmedium

A DevOps team is troubleshooting a slow application. They enabled AWS X-Ray tracing and see that one of the downstream services has a high average response time. However, the traces show that the service itself is fast; the delay is in the network call from the upstream service. Which X-Ray feature should the team use to identify the root cause?

A.Examine the trace map to see the connection between services.
B.Add annotations to the traces for better filtering.
C.View the raw segments of the upstream service.
D.Adjust the sampling rules to capture more traces.
AnswerA

Correct: The trace map visualizes service connections and latency.

Why this answer

The trace map in AWS X-Ray provides a visual representation of the service graph, showing the connections and latency between services. Since the delay is in the network call from the upstream service to the downstream service, the trace map can highlight the specific edge where the high latency occurs, allowing the team to pinpoint whether the issue is due to network congestion, DNS resolution, or a slow HTTP connection. This is the most direct way to identify the root cause of the inter-service communication delay.

Exam trap

The trap here is that candidates might focus on the downstream service's segment (Option C) thinking the delay is inside that service, when the trace map is specifically designed to reveal inter-service communication latency that is not captured by individual segment durations.

How to eliminate wrong answers

Option B is wrong because annotations are key-value pairs added to traces for custom metadata filtering, not for diagnosing network latency between services. Option C is wrong because viewing raw segments of the upstream service would show the service's own processing time and subsegments, but the delay is in the downstream network call, which is captured as a subsegment of the upstream service's trace; however, the trace map is more efficient for visualizing the edge-level latency. Option D is wrong because adjusting sampling rules increases the number of traces captured but does not help identify the root cause of an existing latency issue in the network call.

113
MCQmedium

A DevOps engineer runs the command above to retrieve CPU utilization for an EC2 instance, but gets no data points. The instance is running and has basic monitoring enabled. What is the most likely reason?

A.The dimension name should be 'InstanceId' with a different case.
B.The instance has basic monitoring disabled.
C.The period of 300 seconds is less than the minimum supported period.
D.The IAM user executing the command lacks 'cloudwatch:GetMetricStatistics' permission.
AnswerD

Without the proper permission, the API call returns no data.

Why this answer

Option D is correct: basic monitoring publishes metrics every 5 minutes (300 seconds), so a period of 300 seconds should work, and the most likely reason for no data is that the command fails due to insufficient permissions. Option B is wrong because basic monitoring does publish CPUUtilization.

Option C is wrong because the period matches the default 5-minute interval. Option A is wrong because the command syntax, including the dimension name, is correct.

114
Multi-Selectmedium

A DevOps engineer is designing a monitoring solution for a serverless application using AWS Lambda, Amazon API Gateway, and Amazon DynamoDB. The team needs to monitor for errors and latency. Which TWO actions should the engineer take to implement comprehensive monitoring? (Choose TWO.)

Select 2 answers
A.Enable DynamoDB Accelerator (DAX) to reduce latency.
B.Enable detailed billing metrics for cost analysis.
C.Configure CloudWatch Logs for DynamoDB.
D.Enable AWS X-Ray tracing on API Gateway and Lambda.
E.Set up CloudWatch Alarms on Lambda error count and API Gateway 5XX count.
AnswersD, E

Correct: X-Ray provides end-to-end tracing to identify latency and errors.

Why this answer

Option D is correct because AWS X-Ray provides end-to-end tracing for requests as they travel through API Gateway, Lambda, and DynamoDB, enabling the team to identify latency bottlenecks and errors across the entire serverless application. This is essential for comprehensive monitoring of distributed applications, as it captures detailed timing and error data for each component.

Exam trap

The trap here is that candidates may confuse performance optimization tools (like DAX) or cost monitoring (like billing metrics) with actual monitoring solutions, or assume that DynamoDB has native CloudWatch Logs support, when in fact it only emits metrics and requires X-Ray or CloudTrail for detailed request tracing.

115
MCQmedium

A DevOps engineer is troubleshooting an application that runs on Amazon EC2 instances behind an Application Load Balancer. Users report intermittent 503 errors. CloudWatch metrics for the ALB show an increase in 'HTTPCode_ELB_5XX_Count' but the backend 'HealthyHostCount' remains stable. Which action should the engineer take to identify the root cause?

A.Increase the size of the EC2 instances to handle more requests.
B.Enable detailed CloudWatch metrics on the EC2 instances to monitor CPU and memory.
C.Enable and review the ALB access logs stored in Amazon S3 to analyze the HTTP response codes and request patterns.
D.Increase the idle timeout setting on the ALB.
AnswerC

ALB access logs provide detailed information about each request, including response codes, timestamps, and request paths, enabling identification of the specific requests that are failing.

Why this answer

Option C is correct because checking the ALB access logs can reveal the exact requests that are failing, allowing analysis of latency or errors. Option D is wrong because increasing the ALB's idle timeout will not help if requests are taking longer than the timeout. Option A is wrong because it would only help if there were autoscaling issues.

Option B is wrong because the backend is healthy, so the issue is likely with the ALB configuration.

116
MCQmedium

A company uses AWS CloudFormation to deploy infrastructure. The DevOps team wants to monitor the CloudFormation stack events to detect when stack creation or updates fail, and automatically send notifications to a Slack channel. The team has set up an Amazon SNS topic that sends messages to a Slack webhook via a Lambda function. Which solution should the team implement to trigger the SNS topic when a CloudFormation stack fails?

A.Use CloudWatch Logs Insights to query CloudFormation logs and set up a scheduled query to send results to SNS.
B.Configure the CloudFormation stack to send events to an SNS topic by specifying the topic ARN in the stack's notification options.
C.Enable AWS CloudTrail to log CloudFormation API calls and create a CloudWatch metric filter that detects failure messages, then trigger an alarm to SNS.
D.Create an Amazon EventBridge rule that matches CloudFormation API calls for CreateStack and UpdateStack with a status of CREATE_FAILED or UPDATE_FAILED, and set the target to the SNS topic.
AnswerB

CloudFormation can directly publish stack events to an SNS topic.

Why this answer

Option B is correct because CloudFormation publishes stack events to an SNS topic when that topic is specified as a notification ARN on the stack. The team can create an SNS topic and subscribe the Slack webhook Lambda function to it, then specify that topic as the notification ARN when creating or updating the stack. This will send events directly to SNS.

Option D is wrong because CloudFormation does not send events to EventBridge by default; you would need to create a rule. Option C is wrong because CloudTrail logs API calls, but you would need additional setup. Option A is wrong because CloudWatch Logs Insights is for querying logs, not real-time events.

117
Multi-Selecteasy

A DevOps team is designing a centralized logging solution for multiple AWS accounts. The team needs to collect logs from EC2 instances, Lambda functions, and VPC Flow Logs, and store them in a central account for analysis. The solution must be cost-effective and support near real-time log aggregation. Which THREE steps should the team take? (Choose three.)

Select 3 answers
A.Configure VPC Flow Logs to deliver to a Lambda function in each account, which forwards logs to the central account.
B.Deliver logs from the central account's CloudWatch Logs to Amazon Kinesis Data Firehose, which writes to Amazon S3.
C.Use Amazon OpenSearch Service to index and search the logs in near real time.
D.Use Amazon Athena to query the logs stored in S3 for analysis.
E.Use CloudWatch cross-account subscription to stream logs from source accounts to a central account's CloudWatch Logs.
AnswersB, D, E

Kinesis Data Firehose provides near real-time delivery to S3 at low cost.

Why this answer

Options B, D, and E are correct. CloudWatch cross-account subscription allows sending logs from source accounts to a central account (Option E). Kinesis Data Firehose can buffer and deliver logs to S3 at low cost (Option B).

Athena can query logs in S3 efficiently (Option D). Option A is wrong because VPC Flow Logs can be delivered to S3, but not directly to a Lambda function, and direct delivery to S3 alone does not support near real-time aggregation. Option C (OpenSearch) is more expensive and not necessary for cost-effective storage and analysis.

118
MCQhard

A Lambda function is unable to write logs to CloudWatch Logs. The IAM policy attached to the function's execution role is shown above. What is the issue?

A.The resource ARN is incorrect; it should include the log stream name.
B.The region in the ARN does not match the Lambda function's region.
C.The action should be 'logs:PutLogEvents' but the resource is too restrictive.
D.The policy is missing the 'logs:CreateLogGroup' and 'logs:CreateLogStream' actions.
AnswerD

Lambda needs to create the log group and stream before writing events.

Why this answer

Option D is correct because the policy grants permission to put log events but does not include the permissions needed to create log groups and log streams. The Lambda function needs the 'logs:CreateLogGroup' and 'logs:CreateLogStream' actions. Option A is wrong because the resource ARN is valid.

Option B is wrong because the region matches. Option C is wrong because the action 'logs:PutLogEvents' is correct for writing logs.
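The missing-permission check from this question, as an added example that is neither the question's exhibit nor AWS code: a constructed execution-role policy granting only logs:PutLogEvents, beside a corrected one, and a small evaluator (assumed names; simplified IAM matching with Allow statements only, no Deny, conditions or NotAction) that reports which of the three actions Lambda needs are not granted on the resources it actually targets.

```python
"""Checks whether a Lambda execution-role policy grants the three CloudWatch Logs
actions a function needs to create its log group, create a stream and write events.
Added example with constructed policies and a simplified evaluator: only Allow
statements are considered; Deny, Condition and NotAction are not handled."""
import fnmatch

# Placeholder identifiers, not values from the question's exhibit.
REGION, ACCOUNT, FUNCTION = "us-east-1", "123456789012", "order-processor"
LOG_GROUP_ARN = f"arn:aws:logs:{REGION}:{ACCOUNT}:log-group:/aws/lambda/{FUNCTION}:*"
LOG_STREAM_ARN = (f"arn:aws:logs:{REGION}:{ACCOUNT}:log-group:/aws/lambda/{FUNCTION}"
                  ":log-stream:2024/05/01/abc123")

# Each action Lambda performs on first invocation, with the resource it targets
# (IAM resource types: CreateLogGroup/CreateLogStream -> log-group, PutLogEvents -> log-stream).
REQUIRED_ACTIONS = [
    ("logs:CreateLogGroup", LOG_GROUP_ARN),
    ("logs:CreateLogStream", LOG_GROUP_ARN),
    ("logs:PutLogEvents", LOG_STREAM_ARN),
]

# The "before": only PutLogEvents is allowed, so the first invocation can neither
# create the log group nor the stream, and nothing is ever written.
INCOMPLETE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "logs:PutLogEvents",
        "Resource": LOG_GROUP_ARN,
    }],
}

# The "after": CreateLogGroup scoped to the account's log groups in the region,
# CreateLogStream/PutLogEvents scoped to this function's own log group.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "logs:CreateLogGroup",
         "Resource": f"arn:aws:logs:{REGION}:{ACCOUNT}:*"},
        {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": LOG_GROUP_ARN},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(candidate: str, pattern: str) -> bool:
    """IAM-style wildcard match using only '*' and '?'; compared case-insensitively
    here for simplicity (real IAM rules differ per service)."""
    return fnmatch.fnmatchcase(candidate.lower(), pattern.lower())


def grants(policy: dict, action: str, resource: str) -> bool:
    """True if some Allow statement covers both the action and the resource."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_matches(action, a) for a in _as_list(stmt.get("Action", []))):
            continue
        if any(_matches(resource, r) for r in _as_list(stmt.get("Resource", []))):
            return True
    return False


def missing_log_permissions(policy: dict) -> list:
    """Required logs actions the policy does not grant on the resource Lambda uses."""
    return [action for action, resource in REQUIRED_ACTIONS
            if not grants(policy, action, resource)]


if __name__ == "__main__":
    print("incomplete:", missing_log_permissions(INCOMPLETE_POLICY))
    # ['logs:CreateLogGroup', 'logs:CreateLogStream']
    print("fixed:     ", missing_log_permissions(FIXED_POLICY))  # []
```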

119
MCQmedium

A DevOps engineer needs to monitor the number of messages in an Amazon SQS queue and trigger an auto scaling action when the queue depth exceeds a threshold. Which combination of services should be used?

A.Amazon CloudWatch Logs and Amazon EC2 Auto Scaling
B.Amazon CloudWatch and Amazon EC2 Auto Scaling
C.Amazon EventBridge and Amazon EC2 Auto Scaling
D.Amazon SQS and AWS Lambda
AnswerB

CloudWatch monitors the SQS queue depth, and an alarm triggers the auto scaling policy.

Why this answer

Option B is correct because CloudWatch can monitor the ApproximateNumberOfMessagesVisible metric from SQS, and a CloudWatch alarm can trigger an auto scaling policy based on that metric. Option D is wrong because SQS does not directly invoke Lambda for scaling. Option C is wrong because EventBridge can capture SQS events but is not the standard way to trigger auto scaling.

Option A is wrong because CloudWatch Logs does not directly trigger auto scaling.

120
MCQhard

Refer to the exhibit. A DevOps engineer runs this query to investigate a spike in errors. What is the most likely interpretation?

A.The error rate is increasing sharply in the last 15 minutes.
B.The error rate is decreasing over time.
C.The error rate is stable with no significant change.
D.The query is incorrectly filtering log streams.
AnswerA

Correct; the count jumps from 1 to 12 in the most recent bins.

Why this answer

The query counts ERROR messages per 5-minute bin for a specific log stream. The output shows a clear increasing trend from 1 to 12 errors over the last 20 minutes, indicating a recent escalation of errors.
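The two Logs Insights queries on this page (the `filter @message like /ERROR/` test from question 102 and the per-bin ERROR count from question 120), as an added example that is not the question bank's own material and not AWS code: a Python re-implementation of the filter and the `stats count() by bin(5m)` aggregation run over constructed log events, so the trend behind the answer can be checked offline (function names are assumed).

```python
"""Re-implements `filter @message like /ERROR/ | stats count() by bin(5m)` over
constructed log events. Added example: the events are made up and the functions
are not CloudWatch's code, but the filtering and binning semantics match the query."""
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed log events: (ISO-8601 @timestamp, @message). Not real output.
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:12Z", "INFO  request served in 12ms"),
    ("2024-05-01T10:02:40Z", "ERROR upstream timeout"),
    ("2024-05-01T10:06:01Z", "WARN  cache miss for session"),
    ("2024-05-01T10:07:55Z", "ERROR db connection refused"),
    ("2024-05-01T10:08:30Z", "ERROR db connection refused"),
    ("2024-05-01T10:11:03Z", "INFO  healthcheck ok"),
    ("2024-05-01T10:12:17Z", "ERROR upstream timeout"),
    ("2024-05-01T10:13:48Z", "ERROR upstream timeout"),
    ("2024-05-01T10:14:59Z", "ERROR db connection refused"),
]


def matches_filter(message: str, pattern: str = r"ERROR") -> bool:
    """`filter @message like /PATTERN/`: a case-sensitive regex search.
    A metric filter with the plain term pattern `ERROR` selects the same events."""
    return re.search(pattern, message) is not None


def bin_start(ts_iso: str, bin_minutes: int = 5) -> str:
    """`bin(5m)`: floor the timestamp to the start of its 5-minute bucket (UTC)."""
    dt = datetime.strptime(ts_iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    width = bin_minutes * 60
    epoch = int(dt.timestamp())
    return datetime.fromtimestamp(epoch - epoch % width, tz=timezone.utc).strftime("%H:%M")


def error_counts_per_bin(events, pattern: str = r"ERROR", bin_minutes: int = 5) -> dict:
    """`stats count() by bin(5m)` over the filtered events; bins with no matches
    are absent, exactly as in the Logs Insights result table."""
    counts = Counter()
    for ts, message in events:
        if matches_filter(message, pattern):
            counts[bin_start(ts, bin_minutes)] += 1
    return dict(sorted(counts.items()))


def trend(counts: dict) -> str:
    """Classify the bin-to-bin movement the way the question asks you to read it."""
    values = list(counts.values())
    if len(values) < 2:
        return "insufficient data"
    if all(b > a for a, b in zip(values, values[1:])):
        return "increasing"
    if all(b < a for a, b in zip(values, values[1:])):
        return "decreasing"
    return "mixed"


if __name__ == "__main__":
    per_bin = error_counts_per_bin(SAMPLE_EVENTS)
    for start, n in per_bin.items():
        print(f"{start}  {n}")          # 10:00 1 / 10:05 2 / 10:10 3
    print("trend:", trend(per_bin))    # increasing
```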

121
MCQmedium

A company uses Amazon RDS for MySQL. The database performance has degraded, and the engineer suspects that slow queries are the cause. Which service should be used to identify and analyze the slow queries?

A.Amazon RDS Performance Insights
B.Amazon CloudWatch Metrics
C.Amazon CloudWatch Logs
D.AWS X-Ray
AnswerA

Performance Insights provides a detailed view of database load and slow queries.

Why this answer

Amazon RDS Performance Insights is the correct service because it provides a database-specific performance schema that visualizes database load and identifies the exact SQL queries causing performance degradation. It integrates directly with RDS for MySQL, offering a dashboard that breaks down wait events, SQL text, and host-level metrics, making it the ideal tool for analyzing slow queries.

Exam trap

The trap here is that candidates may confuse CloudWatch Logs (which can store slow query logs) with a native analysis tool, overlooking that Performance Insights provides immediate, built-in visualization and query-level analysis without requiring custom log parsing.

How to eliminate wrong answers

Option B is wrong because Amazon CloudWatch Metrics provides aggregated performance metrics like CPU utilization and IOPS, but it does not capture individual SQL query text or detailed database wait event analysis needed to identify slow queries. Option C is wrong because Amazon CloudWatch Logs can store MySQL slow query logs if configured, but it requires manual setup and does not provide built-in visualization or analysis of query performance; it is a log storage service, not an analysis tool. Option D is wrong because AWS X-Ray is designed for tracing distributed application requests and debugging microservices, not for analyzing database query performance or slow SQL statements.

122
MCQhard

A company runs a critical application on an Auto Scaling group of EC2 instances behind an Application Load Balancer (ALB). The DevOps team needs to implement a dashboard that shows real-time request latency, error rates, and the number of healthy hosts. Which AWS service should be used to create this dashboard?

A.Amazon QuickSight
B.AWS CloudTrail
C.AWS Config
D.Amazon CloudWatch Dashboards
AnswerD

Correct. CloudWatch Dashboards can graph multiple metrics from different sources.

Why this answer

Amazon CloudWatch Dashboards is the correct choice because it provides real-time monitoring and visualization of metrics such as request latency, error rates, and healthy host counts directly from CloudWatch. These metrics are automatically emitted by the Application Load Balancer (e.g., TargetResponseTime, HTTPCode_ELB_5XX_Count, HealthyHostCount) and can be displayed on a customizable dashboard without additional data transformation or querying.

Exam trap

The trap here is that candidates may confuse Amazon QuickSight with CloudWatch Dashboards, assuming QuickSight is the go-to for any dashboarding need, but QuickSight is for business analytics and not designed for real-time infrastructure monitoring with sub-minute latency metrics.

How to eliminate wrong answers

Option A is wrong because Amazon QuickSight is a business intelligence service for interactive dashboards and ad-hoc analysis, not designed for real-time operational monitoring of live infrastructure metrics like ALB latency or healthy hosts. Option B is wrong because AWS CloudTrail records API activity and governance events, not real-time performance metrics or health status of EC2 instances behind a load balancer. Option C is wrong because AWS Config tracks resource configuration changes and compliance, not real-time operational metrics such as request latency or error rates.

123
Multi-Selecthard

A company runs a critical application on Amazon EKS. The operations team needs to monitor the health of the Kubernetes cluster and the applications running on it. Which THREE services can be used together to achieve comprehensive monitoring? (Choose THREE.)

Select 3 answers
A.AWS X-Ray
B.Amazon VPC Flow Logs
C.AWS CloudTrail
D.Amazon CloudWatch Container Insights
E.Amazon Managed Service for Prometheus
AnswersA, D, E

X-Ray traces requests through distributed applications, helping to identify performance issues.

Why this answer

Correct options: A, D, E. Option D: CloudWatch Container Insights provides metrics and logs for EKS. Option E: Prometheus (via the AWS managed service or self-hosted) is a common open-source monitoring tool for Kubernetes.

Option A: AWS X-Ray can trace requests across microservices. Option C is wrong because CloudTrail logs API calls, not cluster health. Option B is wrong because VPC Flow Logs capture network traffic, not application health.

124
Multi-Selecthard

A company is running a critical application on Amazon EC2 instances behind an Application Load Balancer (ALB). They need to implement a monitoring strategy that provides detailed visibility into application performance, including request-level latency and error codes. Which THREE actions should they take?

Select 3 answers
A.Enable VPC Flow Logs to capture traffic patterns.
B.Enable ALB access logs and store them in Amazon S3.
C.Install the CloudWatch agent on EC2 instances to collect application logs and custom metrics.
D.Enable AWS CloudTrail to log API calls made to the load balancer.
E.Enable detailed CloudWatch metrics for the ALB (e.g., RequestCount, TargetResponseTime).
AnswersB, C, E

Access logs contain request-level details including latency and error codes.

Why this answer

Correct: B (enable ALB access logs to S3), E (use the ALB's CloudWatch metrics such as RequestCount, TargetResponseTime and the HTTPCode_* counters) and C (install the CloudWatch agent on the instances to ship application logs and custom metrics). Access logs are the only ALB source with per-request detail (client, target, processing times, status code); the CloudWatch metrics are aggregates over each period. Note that ALB metrics are published to CloudWatch automatically at 1-minute granularity; nothing has to be enabled beyond creating the load balancer. Option A is wrong because VPC Flow Logs record network flows, not application performance. Option D is wrong because CloudTrail records API calls that configure the load balancer, not the requests it serves.

125
MCQhard

A company has a microservices architecture with 50 services running on Amazon ECS. The DevOps team wants to collect and analyze logs from all services centrally. They need to query logs across services and set up alerts for error patterns. Which solution is the most scalable and cost-effective?

A.Use AWS CloudTrail to capture all log events and store them in an S3 bucket for analysis
B.Deploy an Amazon Elasticsearch cluster and configure the ECS Fargate agent to send logs directly to Elasticsearch
C.Use the awslogs driver to send logs to Amazon CloudWatch Logs and use CloudWatch Logs Insights for querying and metric filters for alerts
D.Send logs to Amazon S3 and use Amazon Athena for querying, with scheduled queries for alerts
AnswerC

Correct. This is scalable, integrates with ECS, and provides real-time alerts.

Why this answer

Option C is correct because the awslogs log driver ships container stdout/stderr to CloudWatch Logs with no agent to run, Logs Insights queries across all 50 services' log groups in one query, and metric filters with alarms give near-real-time alerting on error patterns. Option D (S3 + Athena) is cheaper for storage, but queries are slower and scheduled queries are polling, not real-time alerting. Option B (OpenSearch Service, formerly Elasticsearch) adds a cluster to size, patch and pay for.

Option A (CloudTrail) records API activity, not application logs.

126
MCQeasy

A DevOps engineer is responsible for monitoring an AWS environment that includes multiple EC2 instances running a web application. The engineer needs to set up a solution that sends an email alert when the average CPU utilization across all instances exceeds 80% for 10 consecutive minutes. The engineer has created a CloudWatch alarm with the metric `CPUUtilization` aggregated across all instances using the statistic `Average` and a period of 5 minutes. The alarm is set to trigger when the metric exceeds 80% for 2 consecutive periods (10 minutes). The alarm's action is configured to send a notification to an Amazon SNS topic that has an email subscription. However, the engineer is not receiving the email alerts. The engineer verified that the SNS topic exists and the email subscription is confirmed. The CloudWatch alarm shows that the metric value exceeded the threshold for 2 periods, but the alarm state is still 'OK'. What is the MOST likely reason for this?

A.The email subscription is not confirmed.
B.The metric `CPUUtilization` is not being published to CloudWatch.
C.The CloudWatch alarm requires 2 consecutive evaluation periods with the metric exceeding the threshold, but the alarm is still evaluating because of insufficient data points.
D.The SNS topic is not configured to allow CloudWatch to publish to it.
AnswerC

If the metric has missing data points, the alarm may not evaluate to ALARM.

Why this answer

Option C is correct because a CloudWatch alarm fires its SNS action only when it transitions into the ALARM state, and that transition requires the configured number of breaching datapoints inside the evaluation window. If some periods have no datapoint, the alarm's 'treat missing data' setting decides whether the gap counts as breaching, not breaching, ignored or missing; with the default of 'missing', the alarm can sit in OK or INSUFFICIENT_DATA even though the points that do exist are above 80%. A common cause with this exact setup is the aggregated statistic: EC2 only includes instances with detailed monitoring in the cross-instance (no-dimension) CPUUtilization aggregate, so instances on basic monitoring leave gaps. The alarm history in the console shows exactly which datapoints were evaluated. Option D is wrong because the default topic policy already lets an alarm in the same account publish to the topic.

Option A is wrong because the email subscription is confirmed. Option B is wrong because the metric is being published; the alarm shows values.

127
MCQeasy

A DevOps engineer is troubleshooting a slow-running Lambda function. The function processes messages from an SQS queue. Which CloudWatch metric should be examined first to determine if the function is experiencing throttling?

A.Invocations
B.ConcurrentExecutions
C.Duration
D.Throttles
AnswerD

Throttles metric counts the number of times invocation requests are throttled.

Why this answer

The Throttles metric directly indicates when Lambda is rejecting invocation requests due to concurrency limits being reached. Since the question asks specifically about throttling, this is the first metric to examine to confirm whether the function is being rate-limited by AWS.

Exam trap

The trap here is that candidates may confuse high ConcurrentExecutions with throttling, but throttling is a separate metric that directly counts rejected invocations, not the number of concurrent runs.

How to eliminate wrong answers

Option A is wrong because Invocations counts total function invocations, including successful ones, and does not indicate throttling events. Option B is wrong because ConcurrentExecutions shows the number of function instances running at a given time, but it does not directly measure throttling; high concurrency can lead to throttling but the metric itself is not the throttling indicator. Option C is wrong because Duration measures how long the function runs, which can be affected by throttling indirectly but is not a direct measure of throttling events.

128
MCQhard

A DevOps engineer manages a production environment with EC2 instances behind an Application Load Balancer (ALB). The application logs show intermittent 5xx errors from the ALB. The engineer needs to identify whether the errors originate from the targets or the ALB itself. Which CloudWatch metric should be examined to differentiate between these two sources?

A.TargetResponseTime
B.UnhealthyHostCount
C.HTTPCode_Target_5XX_Count
D.RequestCount
AnswerC

This metric counts 5xx responses from targets, distinguishing from ALB-originated 5xx.

Why this answer

Option C is correct because HTTPCode_Target_5XX_Count counts 5xx responses generated by the targets (the EC2 instances), whereas HTTPCode_ELB_5XX_Count counts 5xx responses the ALB generated itself (for example 502 when a target reset the connection, 503 when no healthy target was registered, 504 when the target did not answer within the idle timeout). Graphing the two over the same window attributes the errors to one side or the other. Option D is wrong because RequestCount is total requests. Option A is wrong because TargetResponseTime measures latency.

Option B is wrong because UnhealthyHostCount reports targets failing health checks, not specific error codes.

129
MCQeasy

A DevOps engineer is tasked with setting up a centralized logging solution for a multi-account AWS environment. Which service should be used to aggregate logs from multiple accounts?

A.Amazon S3 with cross-region replication
B.AWS CloudTrail with organization trails
C.Amazon CloudWatch Logs with cross-account subscription
D.AWS Config with aggregated compliance rules
AnswerC

CloudWatch Logs supports cross-account subscriptions to centralize logs.

Why this answer

Amazon CloudWatch Logs can aggregate logs across accounts using cross-account subscription filters that deliver to a destination (a Kinesis Data Stream or Kinesis Data Firehose delivery stream) in the central account; the destination's access policy lists the accounts allowed to subscribe to it. Option C is correct. Option A is incorrect because S3 replication copies objects between buckets; it does not collect log streams from other accounts and is a storage path, not a real-time aggregation path.

Option B is incorrect because an organization trail centralizes API activity only, not application logs. Option D is incorrect because AWS Config aggregators collect configuration and compliance data, not logs.

130
MCQeasy

A DevOps engineer needs to monitor the memory utilization of an Amazon RDS for MySQL instance. Which AWS service should be used to collect and visualize this metric?

A.CloudWatch default metrics for RDS.
B.AWS Systems Manager Inventory.
C.Enhanced Monitoring for RDS.
D.AWS Trusted Advisor.
AnswerC

Enhanced Monitoring provides memory, CPU, and disk metrics.

Why this answer

Option C is correct because Enhanced Monitoring runs an agent on the DB instance's host and reports OS-level metrics (memory breakdown, per-process CPU, disk and network) to the RDSOSMetrics log group in CloudWatch Logs, from where they can be graphed on CloudWatch dashboards. Option A is wrong because the default RDS metrics come from the hypervisor and include FreeableMemory but not the OS-level memory utilization breakdown; Enhanced Monitoring is required for that. Option B is wrong because Systems Manager Inventory collects software and configuration inventory from managed instances, and RDS hosts are not managed instances.

Option D is wrong because Trusted Advisor produces cost, security and fault-tolerance recommendations; it does not collect instance-level metrics.

131
MCQmedium

A DevOps engineer is setting up monitoring for an Amazon RDS for PostgreSQL instance. The engineer wants to track the number of active database connections over time to plan for scaling. Which approach should the engineer use?

A.Enable Enhanced Monitoring and view the 'DatabaseConnections' metric in CloudWatch.
B.Configure CloudWatch Logs to monitor the PostgreSQL error log for connection entries.
C.Enable RDS event subscriptions to receive notifications about connection changes.
D.Use Performance Insights to view the number of active connections.
AnswerA

DatabaseConnections is a standard RDS CloudWatch metric; Enhanced Monitoring is not what provides it.

Why this answer

Option A is the keyed answer, with one correction to the rationale: DatabaseConnections is one of the standard Amazon RDS CloudWatch metrics and is published for every instance whether or not Enhanced Monitoring is enabled, so it can be graphed and alarmed on as soon as the instance exists. Enhanced Monitoring adds OS-level metrics (per-process CPU, memory, I/O); enabling it does no harm, but the connection count comes from the base metric. Option C is incorrect because RDS event subscriptions notify about events such as failover, backup or parameter group changes, not metric values.

Option D is incorrect because Performance Insights presents database load by wait event and SQL statement; it is not the plain time series of connections that capacity planning needs. Option B is incorrect because CloudWatch Logs does not directly provide a connection count metric; the PostgreSQL log would have to be parsed with a metric filter.

132
MCQeasy

A company wants to centralize logging from multiple AWS accounts into a single Amazon S3 bucket for long-term storage and analysis. The logs include AWS CloudTrail, VPC Flow Logs, and Amazon RDS audit logs. Which solution is the MOST operationally efficient?

A.Configure each account to send logs to a central CloudWatch Logs account, then export to S3.
B.Use Amazon Kinesis Data Firehose in each account to stream logs to a central S3 bucket.
C.Create an S3 bucket in each account and use S3 replication to copy logs to the central bucket.
D.Configure each account to deliver logs directly to a central S3 bucket using a bucket policy that allows cross-account writes.
AnswerD

Direct delivery is the most efficient and uses native S3 features.

Why this answer

Option D is correct. CloudTrail (including an organization trail) and VPC Flow Logs deliver directly to an S3 bucket in another account when the bucket policy grants the service principal s3:PutObject on the bucket's AWSLogs/<account-id>/ prefix, conditioned on s3:x-amz-acl being bucket-owner-full-control and on aws:SourceAccount or aws:SourceArn so that only the expected accounts' deliveries are accepted. No intermediate service is involved, which is why it is the most operationally efficient choice. One caveat: RDS audit logs are published to CloudWatch Logs, not directly to S3, so that log type still needs a CloudWatch Logs export or subscription to reach the central bucket. Option B is incorrect because a Kinesis Data Firehose stream in every account adds a component to deploy and monitor that native delivery does not need.

Option A is incorrect because aggregating into a single CloudWatch Logs account and then exporting to S3 adds a hop, a storage cost and an export step. Option C is incorrect because a bucket and replication rule in every account must be configured and kept in sync, and replication copies objects rather than delivering the logs once.
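The following is an added example, not code from the original page: it builds the kind of bucket policy option D depends on (an organization trail plus VPC Flow Logs from each member account writing straight into one bucket) and then checks the policy for the two mistakes that make a central log bucket dangerous, an anonymous principal or a service principal granted without aws:SourceAccount/aws:SourceArn (the confused-deputy hole: any account could point its trail at your bucket). The bucket name, organization ID, trail ARN and account IDs are placeholders.

```python
import json

# Added example: bucket policy for direct cross-account log delivery plus a
# check for over-broad write grants. All names and IDs are placeholders.


def central_log_bucket_policy(bucket, org_id, mgmt_account, trail_arn, member_accounts):
    """Allow the organization trail and each member account's VPC Flow Logs
    to write directly into this bucket, and nothing else."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    statements = [
        {   # CloudTrail reads the bucket ACL before it will deliver
            "Sid": "AWSCloudTrailAclCheck",
            "Effect": "Allow",
            "Principal": {"Service": "cloudtrail.amazonaws.com"},
            "Action": "s3:GetBucketAcl",
            "Resource": bucket_arn,
            "Condition": {"StringEquals": {"aws:SourceArn": trail_arn}},
        },
        {   # an organization trail writes under the management account ID and the org ID
            "Sid": "AWSCloudTrailWrite",
            "Effect": "Allow",
            "Principal": {"Service": "cloudtrail.amazonaws.com"},
            "Action": "s3:PutObject",
            "Resource": [f"{bucket_arn}/AWSLogs/{mgmt_account}/*",
                         f"{bucket_arn}/AWSLogs/{org_id}/*"],
            "Condition": {"StringEquals": {
                "s3:x-amz-acl": "bucket-owner-full-control",
                "aws:SourceArn": trail_arn,
            }},
        },
    ]
    for acct in member_accounts:
        # Flow logs arrive via the log delivery service; aws:SourceAccount and
        # aws:SourceArn stop another account's flow logs from using this grant.
        delivery_cond = {
            "StringEquals": {"aws:SourceAccount": acct},
            "ArnLike": {"aws:SourceArn": f"arn:aws:logs:*:{acct}:*"},
        }
        statements.append({
            "Sid": f"FlowLogsAclCheck{acct}",
            "Effect": "Allow",
            "Principal": {"Service": "delivery.logs.amazonaws.com"},
            "Action": ["s3:GetBucketAcl", "s3:ListBucket"],
            "Resource": bucket_arn,
            "Condition": delivery_cond,
        })
        statements.append({
            "Sid": f"FlowLogsWrite{acct}",
            "Effect": "Allow",
            "Principal": {"Service": "delivery.logs.amazonaws.com"},
            "Action": "s3:PutObject",
            "Resource": f"{bucket_arn}/AWSLogs/{acct}/*",
            "Condition": {
                "StringEquals": {"aws:SourceAccount": acct,
                                 "s3:x-amz-acl": "bucket-owner-full-control"},
                "ArnLike": delivery_cond["ArnLike"],
            },
        })
    return {"Version": "2012-10-17", "Statement": statements}


def unsafe_write_statements(policy):
    """Sids of Allow statements that grant PutObject to an anonymous principal,
    or to a service principal with no aws:SourceAccount/aws:SourceArn condition."""
    bad = []
    for st in policy["Statement"]:
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if st.get("Effect") != "Allow" or not any(a in ("s3:PutObject", "s3:*") for a in actions):
            continue
        principal = st.get("Principal")
        cond_keys = {k for block in st.get("Condition", {}).values() for k in block}
        anonymous = principal == "*" or principal == {"AWS": "*"}
        service = isinstance(principal, dict) and "Service" in principal
        if anonymous or (service and not cond_keys & {"aws:SourceAccount", "aws:SourceArn"}):
            bad.append(st.get("Sid", "<no Sid>"))
    return bad


# Constructed inputs; the IDs are the example values AWS uses in its own documentation.
POLICY = central_log_bucket_policy(
    bucket="central-logs-example",
    org_id="o-exampleorgid",
    mgmt_account="111122223333",
    trail_arn="arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail",
    member_accounts=["444455556666", "777788889999"],
)

# The shortcut people reach for when delivery keeps failing; it must not ship.
LOOSE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AnyoneCanWrite", "Effect": "Allow", "Principal": "*",
    "Action": "s3:PutObject", "Resource": "arn:aws:s3:::central-logs-example/*",
}]}

if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    print("unsafe:", unsafe_write_statements(POLICY), unsafe_write_statements(LOOSE_POLICY))
```

The check is deliberately narrow: it flags only write grants, because a missing source condition on s3:PutObject is what lets a stranger's trail fill (and bill) your bucket, or plant fabricated log files next to real ones. Run it against the policy document before applying it with put-bucket-policy.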

133
MCQmedium

A DevOps engineer is troubleshooting a production issue where an application's response time has increased. The application is deployed on Amazon ECS with Fargate. The engineer wants to identify which microservice is causing the latency. Which AWS service should be used?

A.Amazon CloudWatch Synthetics canary to monitor the application endpoint.
B.AWS X-Ray to trace requests and analyze service latency.
C.Amazon CloudWatch Logs Insights to query application logs for errors.
D.Amazon CloudWatch ServiceLens to visualize service maps and traces.
AnswerB

X-Ray provides detailed traces and service maps to pinpoint latency.

Why this answer

AWS X-Ray is the correct service because it provides end-to-end tracing of requests as they travel through microservices, allowing the engineer to pinpoint which service is introducing latency. By analyzing trace segments and subsegments, X-Ray can break down response times for each component in the application, directly addressing the need to identify the specific microservice causing the delay.

Exam trap

The trap here is that candidates often confuse CloudWatch ServiceLens (which visualizes traces) with the actual tracing service itself, forgetting that ServiceLens depends on X-Ray to collect the trace data in the first place.

How to eliminate wrong answers

Option A is wrong because CloudWatch Synthetics canaries monitor endpoint availability and performance from the outside, but they cannot trace internal request paths across microservices to identify which specific service is causing latency. Option C is wrong because CloudWatch Logs Insights is designed for querying and analyzing log data, not for tracing request flows or measuring per-service latency; it would require manual correlation of timestamps across services. Option D is wrong because CloudWatch ServiceLens is a visualization layer that combines traces from X-Ray and metrics from CloudWatch, but it is not the primary service for tracing; the engineer must first use X-Ray to collect the trace data that ServiceLens visualizes.

134
MCQhard

A DevOps engineer is configuring CloudWatch Logs for a Lambda function that processes streaming data from Kinesis. The function sometimes fails due to memory exhaustion. The engineer wants to ensure that logs from the function are shipped to CloudWatch Logs even when the function fails. Which configuration should be used?

A.Configure a Kinesis Agent on the Lambda execution environment to stream logs to CloudWatch Logs
B.Install the CloudWatch Logs agent on the Lambda function to continuously send logs
C.Enable detailed CloudWatch metrics for the Lambda function
D.Ensure the Lambda function writes logs to stdout or stderr; CloudWatch Logs will automatically capture them
AnswerD

Correct. Lambda automatically captures stdout/stderr and sends to CloudWatch Logs regardless of function success or failure.

Why this answer

Lambda functions automatically send all output written to stdout (via print or console.log) and stderr to CloudWatch Logs, regardless of whether the function succeeds or fails; when an invocation is killed for exceeding its memory limit, the runtime's error line and the REPORT line (with Max Memory Used) still land in the log stream. This is built into the Lambda runtime, so no agent is needed. The one thing that must be in place is permission: the function's execution role must allow logs:CreateLogGroup, logs:CreateLogStream and logs:PutLogEvents (the AWSLambdaBasicExecutionRole managed policy grants exactly these); without it nothing is delivered, success or failure.

Exam trap

The trap here is that candidates may overthink the solution and assume a separate agent or service is required for log shipping in failure scenarios, when in fact Lambda’s native stdout/stderr capture works automatically and reliably even on invocation failure.

How to eliminate wrong answers

Option A is wrong because a Kinesis Agent is designed to run on EC2 instances or on-premises servers to send data to Kinesis, not to stream logs from a Lambda execution environment; Lambda does not support installing or running external agents. Option B is wrong because the CloudWatch Logs agent is intended for EC2 instances or on-premises servers, and cannot be installed inside a Lambda function’s ephemeral execution environment. Option C is wrong because enabling detailed CloudWatch metrics provides performance metrics (e.g., duration, invocations, errors) but does not capture or ship log output from the function.

135
MCQeasy

A DevOps engineer notices that a CloudWatch alarm for high CPU utilization on an EC2 instance is not triggering despite the CPU consistently above the threshold. The instance is in a VPC with a public subnet and has internet access. What is the most likely cause?

A.The EC2 instance does not have a public IP address.
B.The instance is using basic monitoring (5-minute intervals) which delays the alarm.
C.The IAM role attached to the instance does not have the cloudwatch:PutMetricData permission.
D.The CloudWatch alarm is in the 'INSUFFICIENT_DATA' state because the instance is stopped.
AnswerC

Without proper IAM permissions, the CloudWatch agent cannot publish metrics, causing the alarm not to trigger.

Why this answer

Option C is the keyed answer, and it only makes sense for a metric published by the CloudWatch agent: the agent (like anything that calls PutMetricData) needs an instance profile that allows cloudwatch:PutMetricData, and without it no datapoints reach CloudWatch, so an alarm on the agent's metric (for example cpu_usage_active in the CWAgent namespace) never leaves INSUFFICIENT_DATA. The built-in AWS/EC2 CPUUtilization metric, by contrast, is measured by the hypervisor and needs no agent, no IAM role and no network path from the instance. When an alarm on a custom metric never fires, check the agent's log on the instance for AccessDenied errors and confirm that the alarm's namespace, metric name and dimensions match exactly what the agent publishes.

Option A is wrong because a public IP is not needed; the agent reaches the CloudWatch endpoint through a NAT gateway or a CloudWatch interface VPC endpoint, and the hypervisor metrics need no connectivity at all. Option B is wrong because basic monitoring's 5-minute granularity delays the alarm by a few minutes but does not stop a consistently high CPU from triggering it. Option D is wrong because the instance is running; a stopped instance would not show consistently high CPU.

136
MCQmedium

A DevOps engineer is troubleshooting a slow web application. The application runs on EC2 instances behind an ALB. The engineer notices that the ALB's TargetResponseTime metric shows high p99 values, but the CPU and memory on the EC2 instances are well below thresholds. What is the most likely cause?

A.The Auto Scaling group has too many instances, causing increased network overhead
B.The ALB is routing requests to instances in different Availability Zones, increasing latency
C.The application is waiting on a slow database query or external API call
D.The ALB idle timeout is set too low, causing connections to be dropped
AnswerC

Correct. Application latency often comes from external dependencies.

Why this answer

High p99 TargetResponseTime on the ALB with low CPU and memory on the EC2 instances indicates that the bottleneck is not compute capacity but rather a dependency external to the application server. The application is likely waiting on a slow database query or external API call, which increases response time without consuming significant local CPU or memory. This is a classic symptom of an I/O-bound or network-bound dependency.

Exam trap

The trap here is that candidates often assume high response times must be caused by compute saturation (CPU/memory) or network issues, but the question deliberately shows low resource utilization to force you to consider external dependencies as the root cause.

How to eliminate wrong answers

Option A is wrong because having too many instances in the Auto Scaling group would reduce per-instance load and likely decrease response times, not increase them; network overhead from more instances is negligible compared to the ALB's connection management. Option B is wrong because ALB inherently routes requests to instances across Availability Zones with minimal latency overhead (typically low single-digit milliseconds), and cross-AZ data transfer costs are not a factor in p99 response time. Option D is wrong because a low ALB idle timeout would cut off slow responses, producing 504 Gateway Timeout errors counted in HTTPCode_ELB_5XX_Count rather than consistently high p99 response times; the metric would show timeouts, not slow completions.

137
MCQmedium

A company is using an Application Load Balancer (ALB) in front of an Auto Scaling group of EC2 instances. The operations team notices that the error rate on the ALB is increasing, but the CPU utilization on the EC2 instances remains low. Which CloudWatch metric should be examined to determine if the errors are due to a lack of healthy targets?

A.UnHealthyHostCount
B.RequestCount
C.HealthyHostCount
D.TargetResponseTime
AnswerC

Correct. HealthyHostCount shows the number of healthy targets. A decrease indicates fewer available targets, which can cause errors.

Why this answer

Option C is correct because HealthyHostCount (reported per target group and Availability Zone) is the number of targets currently passing health checks. If it drops toward zero, the ALB has nowhere to route requests and returns 503 responses itself, which show up in HTTPCode_ELB_5XX_Count rather than in any target metric; low CPU on the instances is consistent with that, since they are not receiving the traffic. Option A (UnHealthyHostCount) shows how many targets are failing health checks but not how many remain to serve traffic; in practice the two are graphed together.

Option B (RequestCount) measures total requests. Option D (TargetResponseTime) measures latency.

138
Multi-Selecthard

A company runs a critical application on Amazon ECS with Fargate. The application emits structured logs in JSON format. The DevOps team wants to monitor for specific error codes and receive near-real-time alerts. The team also needs to retain logs for 5 years for compliance. Which TWO steps should the team implement?

Select 2 answers
A.Create a CloudWatch Logs metric filter to count occurrences of specific error codes and create an alarm
B.Use Amazon Kinesis Data Analytics to analyze logs in real-time and send alerts
C.Enable AWS CloudTrail to log the application's API calls
D.Stream logs to Amazon S3 via Amazon Kinesis Data Firehose and use S3 event notifications to trigger alerts
E.Configure a CloudWatch Logs retention policy to keep logs for 5 years
AnswersA, E

Metric filters allow real-time monitoring and alerting.

Why this answer

Option A is correct because CloudWatch Logs metric filters understand JSON log events natively (a pattern such as { $.level = "ERROR" && $.code = 503 } matches on fields rather than on substrings), emit a metric value for each matching event, and a CloudWatch alarm on that metric sends near-real-time notifications via SNS. Option E is correct because a log group retention policy is a single setting; 5 years is the 1827-day value in the list of supported retention periods (the maximum is 10 years). Together they need no additional infrastructure. Option B is wrong because Kinesis Data Analytics adds a streaming application to build and operate for a pattern match the metric filter already performs. Option C is wrong because CloudTrail records AWS API calls, not the application's own log output. Option D is wrong because Firehose to S3 with S3 event notifications would alert on every delivered object, not on the error codes inside it, and retention belongs on the log group rather than on a second copy.

Exam trap

The trap here is that candidates often confuse CloudTrail (which logs AWS API calls) with application-level logging, or they over-engineer the solution with Kinesis Data Analytics or Firehose when CloudWatch native features (metric filters and retention policies) are sufficient and more cost-effective for this use case.
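The following is an added example, not code from the original page: it emulates what a JSON metric filter does with the pattern quoted above, so the matching rules can be seen on constructed log lines before the pattern goes into put-metric-filter. The log schema ($.level, $.code and an ISO-8601 $.ts field) is an assumption made for the example, and the matcher implements only the subset of the filter syntax used here (field comparisons joined by && and ||), not wildcards or nested parentheses.

```python
import json
import operator
import re
from collections import Counter
from datetime import datetime, timezone

# Added example: emulates a CloudWatch Logs JSON metric filter over constructed
# log lines. The $.level / $.code / $.ts schema is an assumption for the example.
ERROR_FILTER_PATTERN = '{ ($.level = "ERROR") && ($.code >= 500) }'

_OPS = {"=": operator.eq, "!=": operator.ne, ">=": operator.ge,
        "<=": operator.le, ">": operator.gt, "<": operator.lt}
_COND_RE = re.compile(r'^\(?\s*(\$\.[\w.]+)\s*(!=|>=|<=|=|>|<)\s*(.+?)\s*\)?$')


def _lookup(event, selector):
    """Resolve a $.a.b selector against a parsed event; None when the path is absent."""
    node = event
    for part in selector[2:].split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def _literal(token):
    """Right-hand side of a condition: a quoted string or a number."""
    if len(token) >= 2 and token[0] == token[-1] == '"':
        return token[1:-1]
    return float(token) if "." in token else int(token)


def _condition(text):
    m = _COND_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported condition: {text!r}")
    selector, op, rhs = m.groups()
    want = _literal(rhs)

    def check(event):
        have = _lookup(event, selector)
        if have is None or isinstance(have, (dict, list)):
            return False                      # absent or non-scalar field never matches
        if isinstance(have, str) != isinstance(want, str):
            return op == "!="                 # string vs number: only != can hold
        return _OPS[op](have, want)
    return check


def compile_pattern(pattern):
    """Compile { cond && cond || cond }; && binds tighter than ||, as in CloudWatch."""
    body = pattern.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError("JSON filter patterns are wrapped in { }")
    or_terms = [[_condition(c) for c in term.split("&&")]
                for term in body[1:-1].split("||")]

    def match(line):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            return False                      # a non-JSON line cannot match a JSON pattern
        return any(all(c(event) for c in conj) for conj in or_terms)
    return match


def count_matches(lines, pattern=ERROR_FILTER_PATTERN):
    """What the metric filter would publish: a count per minute of matching events.
    Minutes with no match get no datapoint at all, which is why alarms on such
    metrics are usually set to treat missing data as notBreaching."""
    match = compile_pattern(pattern)
    per_minute = Counter()
    for line in lines:
        if match(line):
            ts = datetime.fromisoformat(json.loads(line)["ts"]).astimezone(timezone.utc)
            per_minute[ts.strftime("%Y-%m-%dT%H:%M")] += 1
    return dict(per_minute)


def breaching_periods(per_minute, threshold):
    """Minutes on which an alarm using GreaterThanOrEqualToThreshold would record a breach."""
    return sorted(m for m, n in per_minute.items() if n >= threshold)


# Constructed sample log lines, not real application output.
SAMPLE_LOG_LINES = [
    '{"ts":"2024-05-01T10:00:05+00:00","level":"INFO","code":200,"path":"/health"}',
    '{"ts":"2024-05-01T10:00:20+00:00","level":"ERROR","code":503,"path":"/checkout"}',
    '{"ts":"2024-05-01T10:00:41+00:00","level":"ERROR","code":502,"path":"/checkout"}',
    '{"ts":"2024-05-01T10:01:02+00:00","level":"ERROR","code":404,"path":"/missing"}',
    '{"ts":"2024-05-01T10:01:15+00:00","level":"WARN","code":503,"path":"/cart"}',
    '{"ts":"2024-05-01T10:02:33+00:00","level":"ERROR","code":500}',
    "plain text line that is not JSON",
]

if __name__ == "__main__":
    counts = count_matches(SAMPLE_LOG_LINES)
    print(counts, breaching_periods(counts, threshold=2))
```

Two behaviours worth noticing: a line whose code is the string "503" does not satisfy $.code >= 500, so services that log status codes as strings need a string comparison in the pattern, and the non-JSON line is silently skipped rather than causing an error. In the real setup the pattern string is the --filter-pattern of aws logs put-metric-filter and the alarm is created on the metric the filter publishes.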

139
MCQhard

A company is running a production microservices architecture on Amazon ECS with Fargate. The operations team wants to set up centralized logging across all services, including the ability to search logs in near real-time and retain them for 3 years. The logs are currently sent to CloudWatch Logs. Which combination of services would meet these requirements with the least operational overhead?

A.Stream logs to Amazon OpenSearch Service (Elasticsearch) using a CloudWatch Logs subscription filter.
B.Set a retention policy of 3 years on the CloudWatch Logs log groups and use CloudWatch Logs Insights for searching.
C.Export logs to Amazon S3 and use Amazon Athena to query them.
D.Use Amazon Kinesis Data Firehose to deliver logs to Amazon S3 with a 3-year lifecycle policy.
AnswerB

CloudWatch Logs Insights provides near real-time querying and retention policies are straightforward.

Why this answer

Option B is correct because the logs are already in CloudWatch Logs; Logs Insights searches them within seconds of ingestion, and a retention setting of 1096 days (3 years is one of the supported values) keeps them with no export job to run. Option C is wrong because exporting to S3 and querying with Athena is not near real-time and adds an export schedule and a table definition to maintain. Option A is wrong because OpenSearch Service adds a cluster to size, patch and pay for.

Option D is wrong because Firehose to S3 with a lifecycle policy covers retention but offers no search capability by itself. Cost is the trade-off to keep in mind: CloudWatch Logs storage is priced above S3, so if budget rather than operational overhead were the constraint, S3 plus Athena would be the better answer.

140
MCQhard

A company is using Amazon CloudWatch Synthetics canaries to monitor its web application endpoints. The canaries are deployed in multiple AWS regions. The team wants to aggregate the canary results into a single dashboard in the US East (N. Virginia) region. What is the MOST efficient way to achieve this?

A.Replicate the canaries to US East (N. Virginia) and run them from there.
B.Create a cross-region CloudWatch dashboard and add metrics from each region using metric math.
C.Set up a Lambda function in each region to push canary results to a central S3 bucket, then create a dashboard from S3.
D.Create a CloudWatch Logs Insights query across all regions and visualize results.
AnswerB

Correct: Cross-region dashboards natively support displaying metrics from different regions.

Why this answer

Option B is correct because CloudWatch dashboards are cross-Region by design: each widget selects the Region its metrics come from, so the Synthetics SuccessPercent, Duration and Failed metrics from every Region can sit on one dashboard in US East (N. Virginia), and metric math expressions can combine them into a single view of canary success rates and latency, all without moving any data.

This approach avoids unnecessary data replication, reduces latency, and minimizes operational overhead.

Exam trap

The trap here is that candidates may assume cross-region aggregation requires data movement (e.g., to S3 or Lambda) or that CloudWatch dashboards are region-scoped, but AWS actually supports cross-region dashboards natively, making option B the most efficient and direct solution.

How to eliminate wrong answers

Option A is wrong because replicating canaries to US East (N. Virginia) would only monitor endpoints from that single region, losing the geographic distribution and failing to aggregate results from the original regions. Option C is wrong because pushing canary results to an S3 bucket and then creating a dashboard from S3 introduces unnecessary complexity, latency, and potential data staleness; CloudWatch Synthetics already stores metrics and logs in CloudWatch, so a cross-region dashboard is more direct and efficient.

Option D is wrong because a CloudWatch Logs Insights query runs in one Region; it can span many log groups (and other accounts) within that Region, but not other Regions, so cross-Region aggregation of canary logs would need additional tooling.

141
MCQmedium

A company is using AWS CloudFormation to deploy infrastructure. They want to receive notifications when a stack operation fails, including the specific resource that caused the failure. Which approach should they use?

A.Create a CloudWatch alarm on the 'StackFailure' metric.
B.Configure an SNS topic as a notification option in the CloudFormation stack and subscribe to receive stack events.
C.Create an AWS Lambda function that polls the CloudFormation DescribeStackEvents API every minute and sends an email on failure.
D.Enable AWS CloudTrail to log CloudFormation API calls and configure an SNS notification on the trail.
AnswerB

CloudFormation can send stack events (including failures) to SNS.

Why this answer

Option B is correct because CloudFormation allows you to specify an SNS topic ARN as a notification option when creating or updating a stack. When a stack operation fails, CloudFormation publishes a notification to that SNS topic, and the notification includes the logical resource ID and the status reason for the failure. This provides real-time, event-driven notifications without requiring polling or additional services.

Exam trap

The trap here is that candidates may confuse CloudWatch metrics or CloudTrail with CloudFormation's native notification capability, assuming that failure events are exposed as metrics or logs rather than through SNS topic subscriptions.

How to eliminate wrong answers

Option A is wrong because CloudFormation does not emit a 'StackFailure' metric to CloudWatch; CloudFormation publishes stack events to SNS topics, not CloudWatch metrics. Option C is wrong because polling the DescribeStackEvents API every minute introduces latency, unnecessary cost, and complexity compared to the native SNS notification mechanism; it also violates the principle of event-driven architecture. Option D is wrong because AWS CloudTrail logs API calls for auditing, but it does not provide real-time notifications on stack operation failures; configuring SNS on a trail only delivers log file delivery notifications, not stack failure events.

142
MCQhard

Refer to the exhibit. A DevOps engineer runs the AWS CLI command to get the average TargetResponseTime for an ALB over a 1-hour period. The output shows only three datapoints. What is the most likely reason?

A.The ALB did not receive any requests during most of the 5-minute periods.
B.The metric TargetResponseTime is not available for Application Load Balancers.
C.The command is missing the 'Statistics' parameter with 'Average'.
D.The period of 300 seconds is too large; a smaller period should be used.
AnswerA

If no requests are received, no datapoints are emitted for that period.

Why this answer

Option A is correct because with a period of 300 seconds there are 12 periods in an hour, yet only 3 datapoints came back. The ALB publishes TargetResponseTime only for periods in which it forwarded at least one request, so a mostly idle load balancer produces sparse output; the other nine periods simply have no datapoint. Option B is wrong because TargetResponseTime is a standard AWS/ApplicationELB metric.

Option C is wrong because get-metric-statistics requires either --statistics or --extended-statistics; if it were missing the CLI would reject the call rather than return three datapoints. Option D is wrong because a shorter period would split the same sparse traffic into even more empty intervals; it would not fill the gaps.

143
MCQmedium

A company uses AWS CloudTrail to log API activity across multiple accounts in AWS Organizations. The security team wants to receive near-real-time notifications for specific high-risk API calls, such as IAM policy changes or S3 bucket policy modifications. What is the MOST efficient and scalable solution?

A.Deliver CloudTrail logs to an S3 bucket, enable S3 Event Notifications to trigger a Lambda function that filters and publishes to SNS.
B.Create a CloudWatch Events rule that matches the specific API calls and publishes to an SNS topic.
C.Use CloudWatch Logs Insights to query CloudTrail logs and set up a metric filter with an alarm.
D.Enable AWS Config rules to detect changes and trigger an SNS notification.
AnswerA

With an organization trail every member account's events land in one bucket, so a single S3-triggered Lambda function filters them all.

Why this answer

Option A is the keyed answer. An organization trail delivers every member account's log files to one central S3 bucket, so a single S3 Event Notification and one Lambda function in the log-archive account see all high-risk calls across the organization without deploying anything in the member accounts. The function decompresses each delivered object, scans its Records array for the eventSource/eventName pairs that matter (IAM policy changes, S3 bucket policy modifications) and publishes only those to an SNS topic. 'Near-real-time' here is bounded by CloudTrail's delivery latency: log files typically reach the bucket within about five minutes of the API call.

Exam trap

The trap here is that candidates assume an EventBridge rule is always the lowest-latency answer for CloudTrail. Within one account and Region it is; but rules are Regional and per account, so matching high-risk calls across an organization means deploying the rule (or event bus forwarding) in every account and Region, whereas the organization trail already funnels everything into one bucket.

How to eliminate wrong answers

Option B is wrong for the multi-account case rather than in principle: EventBridge receives CloudTrail management events directly (detail-type 'AWS API Call via CloudTrail'), with no CloudWatch Logs hop, and within a single account and Region it alerts faster than S3 delivery. A rule only sees events from the account and Region it lives in, though, so covering an organization means deploying rules or event bus forwarding in every member account and Region. Option C is wrong because CloudWatch Logs Insights is an ad-hoc query tool, not a notification mechanism; metric filters with alarms would work but require the trail to also deliver to CloudWatch Logs, and a metric alarm drops the event detail (who, from where, against what) that the security team wants in the notification. Option D is wrong because AWS Config evaluates resource configuration, not API calls; it would eventually notice the resulting policy change but not the call that made it, and only for resource types it records.

144
MCQmedium

A company uses AWS CloudFormation to deploy infrastructure. The DevOps team needs to receive notifications when stack creation fails. Which approach should be used to automate this monitoring?

A.Create a CloudWatch Events rule that matches CloudFormation 'CREATE_FAILED' stack events and targets an SNS topic.
B.Use AWS Config rules to detect failed stack creations.
C.Enable CloudTrail and create a metric filter for 'CreateStack' API calls.
D.Stream CloudFormation logs to CloudWatch Logs and create a metric filter for 'CREATE_FAILED'.
AnswerA

EventBridge (formerly CloudWatch Events) receives CloudFormation stack status events and can trigger notifications via SNS.

Why this answer

Option A is correct because CloudFormation publishes stack status changes to Amazon EventBridge (the successor of CloudWatch Events) as 'CloudFormation Stack Status Change' events; a rule matching a status of CREATE_FAILED can target an SNS topic directly. Option C is wrong because CloudTrail records the CreateStack API call, which succeeds as soon as the request is accepted; the later CREATE_FAILED status is a stack event, not an API call. Option D is wrong because CloudFormation does not write its stack events to CloudWatch Logs; they are available through DescribeStackEvents, the stack's SNS notification option and EventBridge.

Option B is wrong because AWS Config evaluates resource configuration against rules; it does not track CloudFormation stack status.

145
MCQmedium

A company is using Amazon RDS for MySQL and needs to monitor slow queries to optimize database performance. The team has enabled slow query logs and wants to centralize logging in Amazon CloudWatch Logs for real-time analysis and alerting. Which solution meets these requirements with minimal operational overhead?

A.Enable Performance Insights on the RDS instance and use the Performance Insights dashboard to view slow queries.
B.Enable Enhanced Monitoring on the RDS instance and configure CloudWatch alarms based on the metrics.
C.Modify the DB parameter group to enable slow_query_log and set log_output to FILE, then configure the RDS instance to publish the slowquery log file to CloudWatch Logs.
D.Configure the RDS instance to export slow query logs to an S3 bucket, then set up a Lambda function to read the logs and send them to CloudWatch Logs.
AnswerC

RDS can natively publish slow query logs to CloudWatch Logs via the 'slowquery' log export.

Why this answer

Option C is correct because RDS for MySQL can publish slow query logs to CloudWatch Logs natively: set 'slow_query_log' to 1 and 'log_output' to FILE in the DB parameter group (with TABLE output the log is written to the mysql.slow_log table and cannot be exported), choose a 'long_query_time' so that only statements above that duration are logged, then enable the 'slowquery' log export on the instance in the console or with the CLI. RDS streams the log to the /aws/rds/instance/<db-instance-id>/slowquery log group with no additional infrastructure. Option B is wrong because Enhanced Monitoring provides OS-level metrics, not slow query logs.

Option D is wrong because exporting logs to S3 and using Lambda to push them to CloudWatch Logs adds unnecessary components. Option A is wrong because Performance Insights shows database load and top SQL in its own dashboard; it does not send slow query logs to CloudWatch Logs.
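
What lands in the slowquery log group is the MySQL slow log in FILE format. The following parser is an added example, not part of the original question bank: it reads that format from constructed sample lines, flags the entries an alarm would care about, and redacts literals before the SQL is shared. The thresholds and the redaction rule are illustrative choices, not RDS or CloudWatch defaults.

```python
"""Added example (not from the page): parse MySQL slow-query-log entries in the
FILE format that RDS publishes to /aws/rds/instance/<id>/slowquery, flag the
ones worth alerting on, and redact literals before the SQL leaves the team.

Assumptions: the sample log text is constructed; thresholds are illustrative.
"""
import re
from dataclasses import dataclass

SAMPLE_SLOW_LOG = """\
# Time: 2024-05-01T12:00:01.123456Z
# User@Host: appuser[appuser] @  [10.0.1.25]  Id:   123
# Query_time: 4.512345  Lock_time: 0.000123 Rows_sent: 10  Rows_examined: 1500000
SET timestamp=1714564801;
SELECT * FROM orders WHERE customer_id = 42 ORDER BY created_at;
# Time: 2024-05-01T12:00:07.000001Z
# User@Host: reporting[reporting] @  [10.0.2.8]  Id:   124
# Query_time: 0.812345  Lock_time: 0.000050 Rows_sent: 1  Rows_examined: 2000
SET timestamp=1714564807;
SELECT COUNT(*) FROM sessions WHERE token = 'a1b2c3d4e5f6';
# Time: 2024-05-01T12:00:09.500000Z
# User@Host: appuser[appuser] @  [10.0.1.25]  Id:   125
# Query_time: 12.000000  Lock_time: 3.500000 Rows_sent: 0  Rows_examined: 8000000
SET timestamp=1714564809;
UPDATE accounts SET balance = balance - 10 WHERE email = 'alice@example.com';
"""

STATS_RE = re.compile(
    r"# Query_time: (?P<query_time>[\d.]+)\s+Lock_time: (?P<lock_time>[\d.]+)"
    r"\s+Rows_sent: (?P<rows_sent>\d+)\s+Rows_examined: (?P<rows_examined>\d+)"
)
USER_RE = re.compile(r"# User@Host: (?P<user>[^\[\s]+)\[[^\]]*\] @\s*\S*\s*\[(?P<host>[^\]]*)\]")
LITERAL_RE = re.compile(r"'(?:[^'\\]|\\.)*'|\b\d+\b")


@dataclass
class SlowQuery:
    time: str
    user: str
    host: str
    query_time: float
    lock_time: float
    rows_sent: int
    rows_examined: int
    sql: str


def parse_slow_log(text):
    """Split the log into entries; each entry starts at a '# Time:' header."""
    entries = []
    for block in re.split(r"(?m)^# Time: ", text)[1:]:
        lines = block.splitlines()
        time, user, host, stats, sql_lines = lines[0].strip(), "", "", None, []
        for line in lines[1:]:
            if line.startswith("# User@Host:"):
                m = USER_RE.match(line)
                if m:
                    user, host = m.group("user"), m.group("host")
            elif line.startswith("# Query_time:"):
                stats = STATS_RE.match(line).groupdict()
            elif line.startswith("SET timestamp=") or line.startswith("#"):
                continue  # session setup and other comment lines are not the query
            else:
                sql_lines.append(line)
        if stats is None:
            continue
        entries.append(SlowQuery(
            time=time, user=user, host=host,
            query_time=float(stats["query_time"]), lock_time=float(stats["lock_time"]),
            rows_sent=int(stats["rows_sent"]), rows_examined=int(stats["rows_examined"]),
            sql=" ".join(sql_lines),
        ))
    return entries


def redact(sql):
    """Replace string and numeric literals: slow logs carry real tokens,
    e-mail addresses and account numbers in WHERE clauses."""
    return LITERAL_RE.sub("?", sql)


def flag(entries, max_query_time=5.0, max_examined_per_sent=100_000):
    """Return (entry, reasons) for entries that should raise an alert."""
    findings = []
    for e in entries:
        reasons = []
        if e.query_time > max_query_time:
            reasons.append(f"query_time {e.query_time:.1f}s > {max_query_time}s")
        # A statement that scans millions of rows to return a handful points
        # at a missing index, even when it is not yet over the time threshold.
        ratio = e.rows_examined / max(e.rows_sent, 1)
        if ratio > max_examined_per_sent:
            reasons.append(f"examined/sent ratio {ratio:.0f}")
        if reasons:
            findings.append((e, reasons))
    return findings


if __name__ == "__main__":
    for q, reasons in flag(parse_slow_log(SAMPLE_SLOW_LOG)):
        print(f"{q.time} {q.user}@{q.host}: {'; '.join(reasons)}")
        print("   ", redact(q.sql))
```

The same 'Query_time' field is what a CloudWatch Logs metric filter would extract to drive an alarm; the parser above is the offline equivalent, useful for replaying an exported log group during an incident review.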

146
MCQmedium

Refer to the exhibit. A security engineer runs this AWS Config query. What is the intended purpose?

A.Find all resources that are not approved.
B.Find all t2 instances that are using approved AMIs.
C.Find all t2 instances that are not using approved AMIs.
D.Find all instances regardless of type that are not using approved AMIs.
AnswerC

Correct; the query filters for t2 instances with unapproved AMIs.

Why this answer

The query selects EC2 instances of type t2.* whose AMI ID is not in the list of approved AMIs (those tagged with 'approved'). This identifies instances running unapproved AMIs.

147
MCQhard

A company has a critical application running on Amazon EC2 instances behind an Application Load Balancer. The application is experiencing intermittent latency spikes. The DevOps team has enabled detailed monitoring on the EC2 instances and is using CloudWatch metrics. They notice that CPU utilization and network traffic are normal during the spikes. Which additional diagnostic step should the team take to identify the root cause?

A.Instrument the application with AWS X-Ray to trace requests and identify bottlenecks.
B.Use CloudWatch Container Insights to monitor the performance of the EC2 instances.
C.Enable CloudWatch Synthetics to create canaries that monitor the application endpoints.
D.Run an AWS Trusted Advisor check to identify performance-related recommendations.
AnswerA

X-Ray provides end-to-end tracing to find latency sources.

Why this answer

Option A is correct because X-Ray traces each request end to end across the load balancer, the application and its downstream calls (databases, other AWS services, external HTTP calls), showing which segment consumes the time even when CPU and network metrics look normal. Option C is wrong because Synthetics canaries measure availability and latency from outside; they confirm that the spikes happen but do not show where inside the application the time goes. Option B is wrong because Container Insights collects metrics for ECS, EKS and Kubernetes workloads, not for plain EC2 instances.

Option D is wrong because Trusted Advisor offers best-practice checks (including a few performance ones, such as over-utilized instances), not request-level diagnostics.

148
Multi-Selecteasy

A company uses Amazon CloudWatch Logs to store application logs. The security team requires that all logs be encrypted at rest using a customer-managed AWS KMS key. Which THREE steps are necessary to meet this requirement? (Choose THREE.)

Select 3 answers
A.Grant the IAM role used by the application to write logs permission to use the KMS key (kms:Encrypt, kms:Decrypt).
B.Associate the KMS key with the CloudWatch Logs log group by specifying the key ARN in the log group's settings.
C.Create a customer-managed AWS KMS key in the same region as the CloudWatch Logs log group.
D.Enable encryption on each log stream individually.
E.Enable server-side encryption on the Amazon S3 bucket where logs are exported.
AnswersA, B, C

The writer must have permissions to use the KMS key.

Why this answer

Options A, B, and C are correct. A customer-managed KMS key must exist in the same region as the log group (C), the log group must be associated with the key (B), for example with 'aws logs associate-kms-key', and the IAM role that writes logs must be permitted to use the key (A). In practice the key policy must also grant the CloudWatch Logs service principal (logs.<region>.amazonaws.com) permission to use the key; otherwise associating the key with the log group fails. Option E (enable server-side encryption on the S3 bucket) is not applicable because the logs are stored in CloudWatch Logs, not S3.

Option D (enable encryption on each log stream) is not a supported action; encryption is configured at the log group level and applies to every stream in it.
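
The key policy statement that makes step B succeed, as an added example that is not part of the original question bank: it builds the policy a practitioner would pass to 'aws kms create-key --policy', and checks a candidate policy for the statement CloudWatch Logs needs. The account ID and region are placeholders; the service principal and the aws:logs:arn encryption-context condition are the documented requirements, the rest is illustrative.

```python
"""Added example (not from the page): the KMS key policy that lets CloudWatch
Logs use a customer-managed key, plus a check for it in an existing policy.

Assumptions: account ID and region are placeholders. The service principal
logs.<region>.amazonaws.com and the aws:logs:arn encryption-context condition
are the documented requirements; the Sids and layout are illustrative.
"""
REGION = "us-east-1"
ACCOUNT = "123456789012"
LOGS_ACTIONS = ["kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*",
                "kms:GenerateDataKey*", "kms:Describe*"]


def logs_service_statement(region=REGION, account=ACCOUNT):
    """Grant the CloudWatch Logs service use of the key, restricted through the
    encryption context to log groups in this account and region, so the same
    key cannot be driven by Logs on behalf of another account."""
    return {
        "Sid": "AllowCloudWatchLogs",
        "Effect": "Allow",
        "Principal": {"Service": f"logs.{region}.amazonaws.com"},
        "Action": LOGS_ACTIONS,
        "Resource": "*",
        "Condition": {
            "ArnLike": {
                "kms:EncryptionContext:aws:logs:arn": f"arn:aws:logs:{region}:{account}:*"
            }
        },
    }


def key_policy(region=REGION, account=ACCOUNT):
    """Complete key policy: the account root keeps key administration, the
    Logs service gets scoped use. Log writers do not appear here; CloudWatch
    Logs calls KMS on their behalf, so they only need logs:PutLogEvents."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "EnableIAMUserPermissions",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            logs_service_statement(region, account),
        ],
    }


def as_list(v):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return v if isinstance(v, list) else [v]


def allows_logs_service(policy, region=REGION):
    """True if some Allow statement names the Logs service principal for the
    region and grants at least the actions Logs needs (or kms:*).
    A principal for a different region fails this check, which is the
    'same region' requirement of the question in code."""
    needed = {"kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt",
              "kms:GenerateDataKey", "kms:Describe"}
    principal = f"logs.{region}.amazonaws.com"
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        if principal not in as_list(st.get("Principal", {}).get("Service", [])):
            continue
        actions = as_list(st.get("Action", []))
        if "kms:*" in actions:
            return True
        granted = {a.rstrip("*") for a in actions}
        if all(any(n.startswith(g) for g in granted) for n in needed):
            return True
    return False


if __name__ == "__main__":
    import json
    print(json.dumps(key_policy(), indent=2))
    print("logs can use key:", allows_logs_service(key_policy()))
```

After creating the key with this policy, 'aws logs associate-kms-key --log-group-name <group> --kms-key-id <key ARN>' completes step B; without the AllowCloudWatchLogs statement the call is rejected even though the caller's own IAM permissions are sufficient.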

149
MCQeasy

A DevOps engineer needs to centrally collect and analyze logs from multiple AWS accounts and on-premises servers. Which AWS service should be used to aggregate logs in a single dashboard?

A.Amazon Athena.
B.Amazon S3.
C.Amazon CloudWatch Logs.
D.Amazon Kinesis Data Firehose.
AnswerC

CloudWatch Logs can aggregate logs from multiple accounts and on-premises, and provides dashboards.

Why this answer

Option C is correct because CloudWatch Logs can serve as the central destination for log data from multiple accounts (through cross-account subscription destinations or CloudWatch cross-account observability) and from on-premises servers running the CloudWatch agent, and CloudWatch Logs Insights and dashboards query and visualize that data in one place. Option B is wrong because S3 is object storage, not a dashboard. Option A is wrong because Athena queries data already in S3; it does not collect logs or provide a dashboard.

Option D is wrong because Kinesis Data Firehose is a delivery stream to destinations such as S3 or OpenSearch; it is not a dashboard.

150
MCQmedium

A DevOps engineer needs to audit changes to IAM policies over the past 90 days. The engineer wants to see who made the change, what the change was, and when it occurred. Which AWS tool should be used?

A.AWS Config
B.Amazon CloudWatch Logs
C.AWS CloudTrail
D.IAM Access Analyzer
AnswerC

CloudTrail records all API calls, providing the user, timestamp, and details of the change.

Why this answer

AWS CloudTrail is the correct choice because it records all API calls made to the AWS environment, including IAM policy changes, and stores them as events with details such as the identity of the caller (IAM user or role), the time of the request, and the request parameters. By querying CloudTrail logs over the past 90 days, the DevOps engineer can audit who made the change, what the change was (e.g., the specific IAM policy document modification), and when it occurred.

Exam trap

The trap here is that candidates often confuse AWS Config's ability to track configuration changes with CloudTrail's ability to provide a detailed audit trail of API calls, leading them to choose AWS Config for auditing who made a change, when in fact Config only shows the state change, not the identity of the actor.

How to eliminate wrong answers

Option A is wrong because AWS Config is a configuration management and compliance service that tracks resource configuration changes and evaluates them against rules, but it does not record who made the change or the exact API call details; it focuses on the state of resources, not the audit trail of actions. Option B is wrong because Amazon CloudWatch Logs is used to monitor, store, and access log files from AWS resources and applications, but it does not natively capture IAM API calls; it would require custom logging or integration with CloudTrail to obtain such data. Option D is wrong because IAM Access Analyzer is designed to identify resources shared with external entities and analyze access policies for unintended public or cross-account access, not to provide a historical audit trail of who made changes to IAM policies.
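
The audit described above, as an added example that is not part of the original question bank: it pulls the who, what and when of IAM policy changes out of CloudTrail records, the same fields a reviewer would query in Athena or CloudTrail Lake over 90 days of delivered log files. The three records are constructed; the ARNs, account ID, policy names and policy document are placeholders, while the field names follow the CloudTrail record format.

```python
"""Added example (not from the page): extract who/what/when for IAM policy
changes from CloudTrail records.

Assumptions: the records below are constructed; ARNs, account ID, policy names
and the policy document are placeholders. Field names follow the CloudTrail
record format (userIdentity, eventTime, eventSource, eventName,
requestParameters, errorCode).
"""
import json
from datetime import datetime, timedelta, timezone

# IAM API calls that change the effective permissions of a principal.
IAM_POLICY_CHANGE_EVENTS = {
    "CreatePolicy", "CreatePolicyVersion", "DeletePolicy", "DeletePolicyVersion",
    "SetDefaultPolicyVersion",
    "PutUserPolicy", "PutGroupPolicy", "PutRolePolicy",
    "DeleteUserPolicy", "DeleteGroupPolicy", "DeleteRolePolicy",
    "AttachUserPolicy", "AttachGroupPolicy", "AttachRolePolicy",
    "DetachUserPolicy", "DetachGroupPolicy", "DetachRolePolicy",
    "UpdateAssumeRolePolicy",
}

SAMPLE_TRAIL = {"Records": [
    {   # an IAM user writes an inline policy granting s3:* to a role
        "eventVersion": "1.08",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice",
                         "userName": "alice"},
        "eventTime": "2024-04-02T09:15:30Z", "eventSource": "iam.amazonaws.com",
        "eventName": "PutRolePolicy", "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {
            "roleName": "app-role", "policyName": "s3-full",
            "policyDocument": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":\"s3:*\",\"Resource\":\"*\"}]}",
        },
    },
    {   # a CI role tries to attach AdministratorAccess and is denied
        "eventVersion": "1.08",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/deploy/ci-runner",
                         "sessionContext": {"sessionIssuer": {"userName": "deploy"}}},
        "eventTime": "2024-04-10T22:01:02Z", "eventSource": "iam.amazonaws.com",
        "eventName": "AttachRolePolicy", "awsRegion": "us-east-1",
        "sourceIPAddress": "10.0.5.7",
        "requestParameters": {"roleName": "app-role",
                              "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"},
        "errorCode": "AccessDenied",
    },
    {   # a read-only call: not a change, must be ignored
        "eventVersion": "1.08",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice",
                         "userName": "alice"},
        "eventTime": "2024-04-11T08:00:00Z", "eventSource": "iam.amazonaws.com",
        "eventName": "GetRolePolicy", "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {"roleName": "app-role", "policyName": "s3-full"},
    },
]}


def actor(identity):
    """Human-readable caller; for assumed roles, the role from the session issuer
    plus the session ARN, so the CI job and the role behind it both show up."""
    if identity.get("type") == "AssumedRole":
        issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
        return f"{issuer.get('userName', '?')} (via {identity.get('arn')})"
    return identity.get("userName") or identity.get("arn", "?")


def window(start="2024-04-01", days=90):
    """UTC window [start, start + days]; fixed start keeps the example reproducible."""
    since = datetime.strptime(start, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return since, since + timedelta(days=days)


def iam_policy_changes(trail, since, until):
    """IAM policy mutations inside the window, newest first. Failed calls
    (errorCode present) are kept and marked: a denied attempt to attach
    AdministratorAccess is itself a finding."""
    changes = []
    for r in trail["Records"]:
        if r.get("eventSource") != "iam.amazonaws.com" or r.get("eventName") not in IAM_POLICY_CHANGE_EVENTS:
            continue
        when = datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if not (since <= when <= until):
            continue
        params = dict(r.get("requestParameters") or {})
        if "policyDocument" in params:  # inline policies arrive as a JSON string
            params["policyDocument"] = json.loads(params["policyDocument"])
        changes.append({
            "when": when.isoformat(), "who": actor(r["userIdentity"]),
            "from_ip": r.get("sourceIPAddress"), "what": r["eventName"],
            "params": params, "succeeded": "errorCode" not in r,
        })
    return sorted(changes, key=lambda c: c["when"], reverse=True)


if __name__ == "__main__":
    for c in iam_policy_changes(SAMPLE_TRAIL, *window()):
        print(json.dumps(c, indent=2))
```

Against real trails, feed the function the concatenated Records arrays of the gzipped log files for the period (or the output of 'aws cloudtrail lookup-events', which covers the last 90 days of management events); the event-name set is the part to keep under review as IAM adds APIs.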
