CCNA Monitoring and Logging Questions

75 of 261 questions · Page 3/4 · Monitoring and Logging · Answers revealed

151
MCQhard

A company is using AWS Lambda to process streaming data from Amazon Kinesis. The processing rate is slower than expected, and the engineer needs to monitor the number of records that are failing processing. Which metric should be used to create a CloudWatch alarm?

A.Invocations
B.IteratorAge
C.Errors
D.Throttles
AnswerB

IteratorAge measures the age of the last record processed; high values indicate backlog.

Why this answer

The IteratorAge metric measures the age of the last record in the Lambda function's iterator, indicating how far behind real-time the processing is. A high or increasing IteratorAge suggests that records are being retried or stuck due to processing failures, making it the correct metric to monitor for records failing processing in a Kinesis-triggered Lambda.

Exam trap

The trap here is that candidates confuse 'Errors' (Lambda function exceptions) with 'record processing failures' in a Kinesis stream, not realizing that Kinesis retries failed batches internally, so the Lambda may not emit an error metric for each failed record.

How to eliminate wrong answers

Option A (Invocations) is wrong because it counts the total number of function invocations, not failures; a high invocation count could indicate success or failure, but it does not isolate failing records. Option C (Errors) is wrong because it tracks Lambda function errors (e.g., exceptions in code), but Kinesis stream processing failures often result in retries and do not always surface as Lambda errors if the function returns a success after a partial failure. Option D (Throttles) is wrong because it measures when Lambda concurrency limits are exceeded, which is unrelated to record processing failures; throttling would cause slower processing but not directly indicate failed records.

152
Matchingmedium

Match each AWS monitoring or logging tool to its purpose.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Monitoring for AWS resources and applications

Records API activity for governance and audit

Traces and analyzes requests through distributed applications

Centralized log storage and analysis

Canary monitors to check endpoints and flows

Why these pairings

These are the primary tools for observability and logging.

153
MCQmedium

A company uses Amazon CloudWatch Logs to store application logs. A DevOps engineer needs to create a real-time dashboard that displays the count of ERROR-level log entries across all instances. Which approach is the MOST efficient and cost-effective?

A.Create a CloudWatch Logs metric filter for each log group to count ERROR entries, and then create a CloudWatch dashboard
B.Use CloudWatch Logs Insights to run a query that counts ERROR entries across all log groups and add the query to a CloudWatch dashboard
C.Export logs to Amazon S3 and use Amazon Athena to query and visualize in Amazon QuickSight
D.Create a Kinesis Data Firehose delivery stream to stream logs to Amazon OpenSearch Service and build a dashboard in OpenSearch Dashboards
AnswerB

Logs Insights can query multiple log groups and be added to a dashboard.

Why this answer

Option C is correct because CloudWatch Logs Insights allows you to query logs across log groups in real-time and create dashboards. Option A is wrong because subscribing to a Kinesis stream adds complexity and cost. Option B is wrong because creating a custom metric filter for each log group is inefficient.

Option D is wrong because exporting logs to S3 and using Athena is near real-time, not real-time.

154
Multi-Selectmedium

A company is using Amazon CloudWatch Logs to store application logs. The security team requires that logs are encrypted at rest using a customer-managed AWS KMS key. Which TWO steps are necessary to achieve this?

Select 2 answers
A.Use the CloudWatch Logs console or API to associate the KMS key with the log group
B.Enable default encryption for CloudWatch Logs in the AWS account settings
C.Update the log group's resource policy to reference the KMS key
D.Associate the KMS key with each log stream individually
E.Create a customer-managed KMS key with appropriate key policy that allows CloudWatch Logs to use the key
AnswersA, E

The association is done at log group creation or update.

Why this answer

Options A and C are correct. To encrypt CloudWatch Logs with a customer-managed KMS key, you must first create the KMS key and then associate it with the log group using the CloudWatch Logs console or API. Option B is wrong because you cannot associate a key with a log stream directly; it's at the log group level.

Option D is wrong because CloudWatch Logs does not support default encryption with a KMS key at the account level. Option E is wrong because the key policy must allow CloudWatch Logs to use the key, but the key policy is set on the key itself, not on the log group.

155
MCQeasy

A company wants to monitor the number of messages that are published to an Amazon SNS topic. Which CloudWatch metric should be used?

A.SMSMonthToDateSpentUSD
B.PublishSize
C.NumberOfNotificationsDelivered
D.NumberOfMessagesPublished
AnswerD

Correct. This metric tracks the number of messages published to an SNS topic.

Why this answer

Option A is correct because SNS publishes the NumberOfMessagesPublished metric. Option B (NumberOfNotificationsDelivered) is for deliveries. Option C (PublishSize) is for message size.

Option D (SMSMonthToDateSpentUSD) is for SMS costs.

156
MCQeasy

A DevOps engineer needs to monitor the memory utilization of an Amazon EC2 instance running a critical application. Which AWS service should be used to collect and track this metric?

A.AWS CloudTrail
B.AWS X-Ray
C.AWS Config
D.Amazon CloudWatch
AnswerD

CloudWatch with the CloudWatch Agent can collect memory metrics.

Why this answer

Option B is correct because CloudWatch can collect custom metrics like memory utilization via the CloudWatch Agent. Option A is wrong because CloudTrail tracks API calls, not memory. Option C is wrong because Config records resource configurations.

Option D is wrong because X-Ray traces application requests.

157
Multi-Selecthard

A company uses Amazon CloudWatch Logs to centralize logs from multiple EC2 instances running a web application. The DevOps team needs to create a metric filter that parses logs for HTTP status codes (e.g., 4xx and 5xx) and increment a metric. Additionally, they need to create a CloudWatch alarm on the error count. Which of the following are required to achieve this? (Select TWO.)

Select 2 answers
A.Create an IAM role that allows CloudWatch Logs to read the log data and publish metrics.
B.Define the metric filter pattern to match HTTP status codes in the log entries.
C.Create a metric filter in CloudWatch Logs on the log group that contains the application logs.
D.Configure a subscription filter to forward the logs to a Lambda function that creates the metric.
E.Install the CloudWatch Agent on the EC2 instances to send the logs.
AnswersB, C

The filter pattern is essential to parse the logs correctly.

Why this answer

Option A is correct because a metric filter is defined on a log group to extract metrics. Option C is correct because the metric filter pattern must match the log format to extract the status code. Option B (IAM role) is not required because the CloudWatch Logs agent uses credentials from the instance profile.

Option D (subscription filter) is for streaming logs to other destinations, not for metric filters. Option E (CloudWatch Agent) is not required; the default CloudWatch Logs agent can send logs.

158
MCQhard

A company has a production Amazon EKS cluster with multiple node groups. The DevOps team notices that some pods are frequently restarting due to OOMKilled errors, but the cluster-level metrics (CPU, memory) appear normal. Which CloudWatch Container Insights metric should be analyzed to identify the specific node or pod causing the issue?

A.node_memory_utilization.
B.number_of_running_pods.
C.pod_memory_utilization.
D.pod_cpu_utilization.
AnswerC

Shows memory usage per pod, helping identify pods exceeding limits.

Why this answer

Option A is correct because Container Insights provides pod-level memory utilization metrics that can pinpoint which pod is exceeding its memory limit. Option B is wrong because cluster-level memory utilization is aggregate. Option C is wrong because CPU metrics do not indicate memory issues.

Option D is wrong because the number of pods does not show memory usage.

159
MCQeasy

A DevOps engineer needs to centralize logs from multiple AWS accounts into a single CloudWatch Logs account. Which feature should be used?

A.CloudWatch Logs Insights
B.AWS CloudTrail
C.Amazon Kinesis Data Firehose
D.CloudWatch Logs cross-account subscription
AnswerD

This feature allows sending log groups from source accounts to a central destination.

Why this answer

CloudWatch Logs cross-account subscription (Option D) allows you to stream log data from multiple source AWS accounts to a single destination account's CloudWatch Logs log group. This is the native, managed feature designed specifically for centralizing logs across accounts without needing additional infrastructure or data transformation.

Exam trap

The trap here is that candidates often confuse CloudWatch Logs Insights (a query tool) with the actual cross-account log forwarding mechanism, or they incorrectly assume that CloudTrail or Kinesis Data Firehose are the primary services for cross-account log centralization, when in fact the native CloudWatch Logs cross-account subscription is the correct, managed solution.

How to eliminate wrong answers

Option A is wrong because CloudWatch Logs Insights is a query and analysis tool for searching and visualizing log data within a single account; it does not provide cross-account log ingestion or forwarding. Option B is wrong because AWS CloudTrail records API activity and can deliver logs to CloudWatch Logs, but it is not a mechanism for centralizing logs from multiple accounts into a single CloudWatch Logs destination. Option C is wrong because Amazon Kinesis Data Firehose is a streaming data delivery service that can load logs into destinations like S3 or Redshift, but it is not designed for direct cross-account CloudWatch Logs subscription; it would require additional setup and does not natively support the cross-account subscription model.

160
MCQeasy

A DevOps engineer needs to monitor the number of messages in an Amazon SQS queue and trigger an Auto Scaling policy to add more EC2 instances when the queue depth exceeds a threshold. Which CloudWatch metric should the alarm use?

A.NumberOfMessagesSent
B.ApproximateNumberOfMessagesNotVisible
C.ApproximateNumberOfMessagesVisible
D.SentMessageSize
AnswerC

This metric reflects the queue depth.

Why this answer

Option A is correct because ApproximateNumberOfMessagesVisible indicates the number of messages available for retrieval. Option B is wrong because NumberOfMessagesSent is a count of sent messages. Option C is wrong because ApproximateNumberOfMessagesNotVisible is for messages in flight.

Option D is wrong because SentMessageSize is the size of messages.

161
MCQmedium

A company's DevOps team notices that their Amazon RDS for PostgreSQL instance's CPU utilization spikes to 90% every day at 10:00 AM, causing application latency. They want to be notified when the CPU utilization exceeds 80% for more than 5 minutes to investigate the cause. Which solution should they implement?

A.Use Amazon CloudWatch Logs Insights to query the RDS logs and trigger an SNS notification when CPU utilization is high.
B.Enable AWS Trusted Advisor to automatically create a CloudWatch alarm on the CPU utilization metric.
C.Create an Amazon CloudWatch alarm on the CPUUtilization metric with a period of 5 minutes and a threshold of 80, and set the alarm action to send a notification to an Amazon SNS topic.
D.Create an AWS CloudTrail trail to monitor CPU utilization and trigger an AWS Lambda function to send an email notification.
AnswerC

This directly monitors the metric and triggers notification when the threshold is breached for the specified duration.

Why this answer

Option D is correct because a CloudWatch alarm with a metric math expression can trigger an SNS notification when CPUUtilization exceeds 80% for 5 minutes. Option A is wrong because CloudTrail does not monitor CPU utilization. Option B is wrong because Trusted Advisor does not create custom alarms.

Option C is wrong because CloudWatch Logs Insights is for log analysis, not metric alarms.

162
MCQhard

A DevOps team is using Amazon CloudWatch Synthetics canaries to monitor the availability of a web application. The canary is configured to run every 5 minutes. The team notices that the canary fails occasionally but the application is healthy. Which action will help identify if the failures are due to network issues between the canary and the application?

A.Enable VPC Flow Logs for the canary's VPC and analyze the logs for dropped packets
B.Enable AWS X-Ray tracing on the canary to trace the request path
C.Increase the canary's memory and timeout settings to reduce false positives
D.Configure the canary to run inside the same VPC as the application using a VPC endpoint
AnswerD

Running canary in the same VPC isolates network path and helps identify network issues.

Why this answer

Option C is correct because CloudWatch Synthetics canaries support the use of VPC endpoints or placement within a VPC to run from the same network environment as the application, allowing canary failures due to network issues to be distinguished from application issues. Option A is wrong because X-Ray traces the application, not the canary. Option B is wrong because VPC Flow Logs capture network metadata but are not directly integrated with canaries.

Option D is wrong because enabling detailed CloudWatch metrics on the ALB does not isolate canary network issues.

163
MCQmedium

An application running on Amazon ECS Fargate writes logs to CloudWatch Logs. The logs include sensitive data such as credit card numbers, which must be masked before storage. What is the most cost-effective solution that requires the least operational overhead?

A.Stream logs to Amazon Kinesis Data Firehose with a Lambda transformation, then deliver to CloudWatch Logs.
B.Configure a CloudWatch Logs subscription to stream logs to Amazon S3, and use S3 Object Lambda to mask data on retrieval.
C.Deploy a sidecar container in the ECS task that reads logs from stdout, masks data, and sends to CloudWatch Logs.
D.Use a CloudWatch Logs subscription filter to invoke an AWS Lambda function that masks sensitive data and writes the sanitized logs to a different log group.
AnswerD

This masks data before storage, is serverless, and cost-effective.

Why this answer

Option D is correct because CloudWatch Logs subscription filters can invoke a Lambda function in real-time as logs are ingested, allowing the function to mask sensitive data (e.g., credit card numbers) and write the sanitized logs to a different log group. This approach requires no additional infrastructure, no streaming services, and no changes to the application code, making it the most cost-effective and operationally lightweight solution.

Exam trap

The trap here is that candidates often choose Option A or C because they assume a streaming pipeline or sidecar is required for log transformation, but they overlook that CloudWatch Logs subscription filters with Lambda provide a native, serverless, and cost-effective alternative that avoids additional services and infrastructure changes.

How to eliminate wrong answers

Option A is wrong because it introduces unnecessary cost and complexity by streaming logs through Kinesis Data Firehose and a Lambda transformation, only to deliver them back to CloudWatch Logs; this adds a per-GB Firehose cost and Lambda invocation overhead without benefit. Option B is wrong because S3 Object Lambda only masks data at retrieval time, not at storage time, so sensitive data remains unmasked in S3; additionally, this approach requires a separate S3 bucket and retrieval workflow, increasing operational overhead. Option C is wrong because deploying a sidecar container in the ECS task adds complexity to the task definition, increases resource consumption (CPU/memory), and requires custom log routing logic, which violates the 'least operational overhead' requirement.

164
Drag & Dropmedium

Drag and drop the steps to set up an AWS CodeBuild project to build a Docker image and push it to Amazon ECR.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

First create the ECR repository, then create the CodeBuild project, then configure buildspec, then set privileged mode, then push image.

165
MCQhard

A company runs a microservices application on Amazon ECS with Fargate launch type. The application uses an Application Load Balancer (ALB) to distribute traffic. The DevOps team wants to monitor the number of HTTP 5xx errors returned by each service. They configure the ALB to send access logs to an S3 bucket and enable CloudWatch Container Insights. However, the team cannot view 5xx errors per service. What should the team do to achieve this?

A.Use CloudWatch Logs Insights to query the ALB access logs directly from S3.
B.Enable Container Insights and create a CloudWatch dashboard to view HTTP 5xx errors per ECS service.
C.Enable ALB access logging and parse the logs to filter by target group, then correlate with the ECS service name.
D.Configure the ALB to add a custom header with the service name and use CloudWatch metrics.
AnswerC

Access logs include target group ARN which can be mapped to ECS service.

Why this answer

Option B is correct. ALB access logs contain the target group, but not the service name. By using the target group, you can map to the service.

Option A is incorrect because CloudWatch Logs Insights can query access logs, but the logs need to be in CloudWatch Logs, not S3. Option C is incorrect because Container Insights provides metrics per task, not per service. Option D is incorrect because adding a response header would not be visible in metrics.

166
MCQeasy

A DevOps engineer needs to set up a monitoring solution for an AWS Lambda function that processes messages from an Amazon SQS queue. The engineer wants to be alerted if the function fails to process a message (i.e., the message ends up in the dead-letter queue). Which approach should they use?

A.Create a CloudWatch alarm on the ApproximateNumberOfMessagesVisible metric of the dead-letter queue.
B.Enable CloudTrail to log SQS API calls and create a metric filter for SendMessage to the DLQ.
C.Create a CloudWatch Events rule to monitor the Lambda function errors.
D.Configure the Lambda function's dead-letter queue to send notifications via Amazon SNS.
AnswerA

This metric increases when messages are sent to the DLQ, triggering the alarm.

Why this answer

Option A is correct because the `ApproximateNumberOfMessagesVisible` metric on the dead-letter queue (DLQ) directly reflects the number of messages that have failed processing and been moved there. By creating a CloudWatch alarm on this metric (e.g., when it exceeds 0 for a period), the engineer receives an alert precisely when messages are failing, without needing to parse logs or rely on indirect indicators.

Exam trap

The trap here is that candidates often confuse monitoring Lambda function errors (Option C) with monitoring DLQ messages, not realizing that a message can end up in the DLQ due to exhaustion of retries (configured in the SQS event source mapping) without the Lambda function itself throwing an error.

How to eliminate wrong answers

Option B is wrong because CloudTrail logs SQS API calls (like SendMessage) but does not provide a real-time metric for DLQ message count; creating a metric filter on SendMessage to the DLQ would require parsing every API call and does not natively aggregate to a simple alarm threshold. Option C is wrong because monitoring Lambda function errors (e.g., via CloudWatch Events or Lambda metrics) captures function invocation failures but does not specifically indicate that a message was sent to the DLQ—messages can fail processing without a Lambda error (e.g., if the function returns an error but the SQS trigger retries and eventually sends to DLQ). Option D is wrong because configuring the Lambda function's DLQ to send notifications via SNS would require custom code or configuration to publish a notification each time a message is moved to the DLQ, which is not a built-in feature of SQS or Lambda; SNS can be used as a target for DLQ messages only if the DLQ itself is an SNS topic, but SQS DLQs are queues, not topics, and SNS does not automatically emit notifications when messages are added to an SQS queue.

167
MCQeasy

An application running on Amazon EC2 instances sends custom metrics to CloudWatch. The team notices that some metrics are not appearing. What is the most likely cause?

A.The custom metric namespace is not pre-registered in CloudWatch.
B.The EC2 instances are in a private subnet without a NAT gateway.
C.The IAM role attached to the EC2 instance lacks permissions to publish metrics.
D.The CloudWatch agent is not installed or configured on the EC2 instances.
AnswerD

Custom metrics require the CloudWatch agent or direct API calls.

Why this answer

Option A is correct because the CloudWatch agent must be installed and configured to send custom metrics. Option B is wrong because IAM permissions are required but the agent also needs to be installed. Option C is wrong because the agent needs to be running.

Option D is wrong because the metric namespace is configured in the agent, not in CloudWatch.

168
MCQmedium

A company wants to collect and analyze logs from on-premises servers and send them to AWS for centralized monitoring. Which combination of AWS services should be used?

A.Amazon CloudWatch Agent on the on-premises servers to send logs to Amazon CloudWatch Logs.
B.Amazon Kinesis Agent on the on-premises servers to send logs to Amazon Kinesis Data Firehose, then to Amazon S3.
C.Amazon CloudWatch Agent with the awslogs configuration to send logs to Amazon CloudWatch Logs.
D.AWS Systems Manager Agent to collect logs and send to Amazon CloudWatch Logs.
AnswerA

The CloudWatch Agent can collect logs and metrics from on-premises servers and send to CloudWatch.

Why this answer

Option A is correct: CloudWatch Agent collects logs from on-prem servers and sends to CloudWatch Logs. Option B is wrong because Kinesis Agent is for streaming data to Kinesis, not CloudWatch Logs directly. Option C is wrong because the unified CloudWatch Agent is the recommended tool.

Option D is wrong because SSM Agent does not collect logs.

169
MCQhard

A company is using AWS CloudFormation to deploy infrastructure. The DevOps team wants to receive notifications when stack operations fail. They create an Amazon SNS topic and subscribe the team's email. Then they configure CloudFormation to send notifications to the SNS topic. However, no notifications are received when a stack creation fails. What is the MOST likely reason?

A.The SNS topic does not have an IAM policy allowing CloudFormation to publish.
B.The email subscription to the SNS topic has not been confirmed.
C.The SNS topic is in a different AWS Region.
D.The CloudFormation stack was created without specifying the SNS topic ARN in the 'NotificationARNs' parameter.
AnswerD

The topic ARN must be specified in the stack's parameters.

Why this answer

Option D is correct. CloudFormation sends notifications to the SNS topic only if the topic ARN is specified in the stack's 'NotificationARNs' parameter. Option A is incorrect because CloudFormation can send notifications to any SNS topic.

Option B is incorrect because email subscriptions must be confirmed, but that is done when subscribing. Option C is incorrect because SNS does not require IAM roles for CloudFormation to publish.

170
MCQeasy

A DevOps engineer is troubleshooting an issue where an Amazon RDS for MySQL instance is experiencing high latency. The engineer wants to identify which queries are causing the problem. Which AWS service should be used?

A.Amazon RDS Performance Insights
B.AWS CloudTrail
C.Amazon CloudWatch Metrics
D.VPC Flow Logs
AnswerA

Performance Insights provides per-query performance data to identify problematic queries.

Why this answer

Option B is correct because RDS Performance Insights provides a database performance tuning and monitoring feature that allows you to assess the load on your database and determine when and where to take action. Option A is wrong because CloudWatch metrics show aggregate performance, not per-query. Option C is wrong because CloudTrail records API calls.

Option D is wrong because VPC Flow Logs capture network traffic.

171
MCQmedium

A company has a microservices architecture running on Amazon ECS with Fargate. The operations team uses Amazon CloudWatch Container Insights to monitor the cluster. They notice that one of the services is experiencing high memory utilization, causing occasional task failures. The team wants to set up proactive monitoring to receive alerts when memory utilization exceeds 80% for more than 5 minutes. They also want to automate the response by replacing the failing tasks. The team has already created a CloudWatch alarm on the MemoryUtilized metric. Which additional steps should the team take to achieve the desired proactive monitoring and automated response?

A.Use CloudWatch Logs Insights to run queries on the task logs to identify the cause of high memory.
B.Create a CloudWatch Events rule that triggers an AWS Lambda function to restart the tasks when the alarm state changes.
C.Configure the CloudWatch alarm to trigger an Auto Scaling action that increases the desired count of the service to replace failing tasks.
D.Enable AWS CloudTrail to log all ECS API calls to audit the task failures.
AnswerC

This allows the alarm to directly trigger a scaling action to replace tasks when memory is high.

Why this answer

Option A is correct because a CloudWatch Alarm can trigger an Auto Scaling action to replace tasks. Option B is wrong because CloudWatch Events (now EventBridge) can trigger Lambda, but the alarm already exists; the action should be on the alarm. Option C is wrong because CloudWatch Logs Insights is for querying logs, not for automated response.

Option D is wrong because CloudTrail is for auditing API calls, not for automation.

172
MCQmedium

A company is using Amazon RDS for PostgreSQL and wants to monitor the database for performance issues. They need to capture slow queries and analyze them over time. Which combination of AWS services should they use?

A.Enable RDS Event notifications to send alerts for performance issues.
B.Enable RDS Performance Insights and Enhanced Monitoring.
C.Enable CloudWatch Logs for PostgreSQL and export logs to Amazon S3.
D.Use CloudWatch Metrics to monitor database connections and CPU utilization.
AnswerB

Performance Insights captures and analyzes database load, including slow queries, and Enhanced Monitoring provides OS-level visibility.

Why this answer

Option B is correct because RDS Performance Insights provides a database performance schema with detailed wait events and SQL-level metrics to identify slow queries, while Enhanced Monitoring offers OS-level metrics (CPU, memory, disk I/O) at sub-minute granularity. Together, they allow you to capture and analyze slow queries over time without additional log parsing or export overhead.

Exam trap

The trap here is that candidates often confuse general monitoring (CloudWatch Metrics) or log export (CloudWatch Logs to S3) with the specialized, integrated performance analysis tools (Performance Insights and Enhanced Monitoring) that are purpose-built for diagnosing slow queries in RDS.

How to eliminate wrong answers

Option A is wrong because RDS Event notifications only send alerts for instance lifecycle events (e.g., failover, maintenance) and do not capture or analyze slow query performance data. Option C is wrong because exporting PostgreSQL logs to S3 via CloudWatch Logs provides raw log files, but requires additional tooling (e.g., Athena) to parse and analyze slow queries; it is not a native, integrated solution for ongoing performance analysis. Option D is wrong because CloudWatch Metrics for database connections and CPU utilization provide aggregate resource metrics, not the detailed query-level or wait-event data needed to identify and analyze slow queries.

173
MCQeasy

A company uses AWS CloudTrail to log API activity in their AWS account. They need to ensure that any changes to CloudTrail configuration itself are detected and alerted upon in real time. Which service should they use?

A.Use Amazon CloudWatch Events (EventBridge) to create a rule matching the StopLogging or UpdateTrail API calls.
B.Enable AWS Config rules to monitor CloudTrail configuration changes.
C.Use Amazon CloudWatch Logs Insights to query CloudTrail logs for changes.
D.Enable Amazon GuardDuty to detect changes to CloudTrail.
AnswerA

CloudWatch Events can trigger notifications in real time for specific API calls.

Why this answer

Amazon CloudWatch Events (EventBridge) can monitor CloudTrail API calls in real time by creating a rule that matches specific API calls such as StopLogging or UpdateTrail. When these calls are made, the rule triggers an action (e.g., SNS notification or Lambda function) to alert administrators immediately. This provides the real-time detection required for changes to CloudTrail configuration itself.

Exam trap

The trap here is that candidates often confuse AWS Config (which is for compliance and configuration history) with real-time event-driven alerting, or they think GuardDuty covers all security monitoring, but neither provides the specific real-time API call detection that EventBridge offers.

How to eliminate wrong answers

Option B is wrong because AWS Config rules are designed for continuous compliance assessment and configuration auditing, not real-time event-driven alerting; they evaluate resources periodically or on configuration changes but do not provide instantaneous alerts. Option C is wrong because CloudWatch Logs Insights is a query tool for analyzing historical log data, not a real-time alerting mechanism; it cannot proactively detect changes as they occur. Option D is wrong because Amazon GuardDuty is a threat detection service that focuses on malicious activity and anomalies (e.g., unusual API calls or compromised credentials), not specifically on monitoring CloudTrail configuration changes for compliance or operational awareness.

174
MCQeasy

A company wants to receive a notification when an AWS IAM user creates a new access key. Which AWS service should be used to capture this event and trigger a notification?

A.Amazon GuardDuty
B.AWS CloudTrail with CloudWatch Events
C.Amazon CloudWatch
D.AWS Config
AnswerB

Correct. CloudTrail logs API calls, and CloudWatch Events can trigger actions.

Why this answer

AWS CloudTrail captures API activity, including the CreateAccessKey event when an IAM user creates a new access key. By sending these events to Amazon CloudWatch Events (now part of Amazon EventBridge), you can define a rule that triggers a notification via SNS, Lambda, or other targets. This combination provides the real-time event-driven notification the company requires.

Exam trap

The trap here is that candidates often confuse CloudWatch (which handles metrics and logs) with CloudWatch Events (which handles event-driven triggers), leading them to pick Option C, even though CloudWatch alone cannot capture API calls without CloudTrail integration.

How to eliminate wrong answers

Option A is wrong because Amazon GuardDuty is a threat detection service that analyzes VPC Flow Logs, DNS logs, and CloudTrail management events for malicious activity, but it does not directly trigger custom notifications for specific IAM actions like CreateAccessKey. Option C is wrong because Amazon CloudWatch is a monitoring service for metrics, logs, and alarms, but it cannot natively capture API-level events like CreateAccessKey; it relies on CloudTrail or CloudWatch Events to ingest such events. Option D is wrong because AWS Config evaluates resource configurations and compliance rules, but it does not capture real-time API calls or trigger notifications for specific IAM user actions like creating an access key.

175
MCQeasy

A company is using AWS CloudFormation to manage infrastructure. The DevOps team wants to receive notifications when CloudFormation stack creation fails. Which AWS service should be used to capture the stack failure event and send a notification?

A.Amazon SQS
B.Amazon CloudWatch Logs
C.AWS CloudTrail
D.Amazon EventBridge
AnswerD

EventBridge can capture CloudFormation events and trigger actions like SNS.

Why this answer

Option B is correct because Amazon EventBridge can capture CloudFormation stack events (such as CREATE_FAILED) and route them to an SNS topic for notification. Option A is wrong because CloudWatch Logs stores logs but does not directly send notifications. Option C is wrong because CloudTrail records API calls but is not the most efficient for real-time notifications.

Option D is wrong because SQS is a queue, not a notification service.

176
MCQmedium

A company uses AWS CloudTrail to log all API calls in their AWS account. They need to ensure that any changes to CloudTrail configuration (such as disabling the trail or modifying the log file validation) are immediately detected and trigger an automated response. Which solution should the DevOps engineer implement?

A.Enable Amazon GuardDuty and configure it to monitor CloudTrail logs for suspicious activity.
B.Create an Amazon EventBridge rule that matches CloudTrail API calls like StopLogging or UpdateTrail and triggers an SNS topic.
C.Use AWS Config rules with remediation actions to detect and revert changes to CloudTrail.
D.Use AWS Trusted Advisor to check CloudTrail configuration and send alerts via email.
AnswerB

EventBridge can trigger in real-time on API calls.

Why this answer

Option D is correct because CloudTrail itself logs changes to its configuration, so a CloudWatch Events (now Amazon EventBridge) rule can be created to match API calls that modify CloudTrail (e.g., StopLogging, UpdateTrail) and trigger an SNS notification or Lambda for automated response. Option A is wrong because Config rules can detect configuration drift but are not real-time. Option B is wrong because GuardDuty focuses on security threats, not CloudTrail configuration changes.

Option C is wrong because Trusted Advisor does not monitor CloudTrail changes.

177
MCQhard

A company runs a critical application on Amazon ECS with Fargate. The application experiences intermittent slow responses. The DevOps team enabled Container Insights and CloudWatch ServiceLens. However, traces from the application do not appear in ServiceLens. The application uses the AWS X-Ray SDK for tracing. What is the MOST likely cause?

A.The X-Ray daemon is not running in the task definition.
B.The X-Ray SDK cannot send traces to AWS X-Ray from Fargate tasks.
C.ServiceLens does not support Amazon ECS with Fargate launch type.
D.The application is not sending metrics to CloudWatch Container Insights.
AnswerA

The X-Ray daemon must run alongside the application container to receive and forward trace data.

Why this answer

The X-Ray daemon is required to act as a local intermediary that receives trace segments from the X-Ray SDK and forwards them to the AWS X-Ray API. In Amazon ECS with Fargate, the daemon must be explicitly included as a sidecar container in the task definition. Without it, the SDK cannot send traces, which explains why traces are missing from ServiceLens despite the SDK being integrated.

Exam trap

The trap here is that candidates assume the X-Ray SDK can send traces directly to the AWS X-Ray API without a local daemon, but the SDK is designed to offload segment buffering and transmission to the daemon, making it a mandatory component in containerized environments like Fargate.

How to eliminate wrong answers

Option B is wrong because the X-Ray SDK can send traces from Fargate tasks when the X-Ray daemon is properly configured as a sidecar container; there is no inherent limitation preventing trace transmission from Fargate. Option C is wrong because ServiceLens fully supports Amazon ECS with Fargate launch type, including both EC2 and Fargate, as long as the required agents and permissions are in place. Option D is wrong because Container Insights metrics are not required for traces to appear in ServiceLens; ServiceLens aggregates traces from X-Ray and metrics from CloudWatch independently, and missing metrics do not prevent trace visibility.

178
MCQmedium

A DevOps team has set up centralized logging for multiple AWS accounts using Amazon OpenSearch Service. The team uses CloudWatch cross-account observability to collect logs from various accounts into a monitoring account. Recently, logs from one source account stopped appearing in the monitoring account's OpenSearch dashboard. Other source accounts continue to send logs successfully. Which step should the team take to troubleshoot this issue?

A.Verify that the monitoring account's CloudWatch cross-account observability is enabled.
B.Check the source account's CloudWatch Logs subscription filter for the OpenSearch destination.
C.Review the source account's CloudWatch Logs retention policy to confirm logs are not expired.
D.Ensure the IAM role in the source account has the correct trust policy for the monitoring account.
AnswerB

The subscription filter may have been deleted or misconfigured, stopping log forwarding.

Why this answer

Option B is correct because the most likely cause of logs from a single source account failing to appear is a misconfigured or broken CloudWatch Logs subscription filter. This filter is responsible for forwarding log events from the source account to the OpenSearch destination in the monitoring account. If the filter is missing, misconfigured, or has been accidentally deleted, logs will not be sent, while other accounts continue to work normally.

Exam trap

The trap here is that candidates confuse the cross-account observability setup (which uses IAM roles and trust policies) with the actual log delivery mechanism (subscription filters), leading them to check the IAM role or the monitoring account configuration instead of the source account's subscription filter.

How to eliminate wrong answers

Option A is wrong because cross-account observability is already working for other source accounts, so the monitoring account's feature is enabled. Option C is wrong because a retention policy would cause logs to stop appearing for all accounts after the retention period, not selectively for one account. Option D is wrong because the IAM role's trust policy is used for cross-account access to CloudWatch metrics and logs, but the actual log delivery to OpenSearch is handled by the subscription filter, not by assuming a role in the source account.

179
MCQmedium

A company uses AWS CloudTrail to log API activity. The security team needs to be alerted when an IAM user creates a new access key. How can this be achieved with minimal overhead?

A.Use CloudWatch Logs Insights to run a query every hour and send results via email.
B.Set up an AWS Config rule to detect when an access key is created.
C.Configure S3 event notifications on the CloudTrail bucket to trigger a Lambda function.
D.Create an Amazon EventBridge rule that matches the 'CreateAccessKey' event and targets an SNS topic.
AnswerD

EventBridge can filter CloudTrail events and send alerts via SNS.

Why this answer

Option B is correct because CloudWatch Events (now part of EventBridge) can filter CloudTrail events and invoke a Lambda function to send an alert. Option A is wrong because S3 event notifications are for object-level events, not API calls. Option C is wrong because CloudWatch Logs Insights is a query tool, not a real-time alerting mechanism.

Option D is wrong because Config rules evaluate resource configurations, not API calls.

180
Multi-Selecteasy

A company is using AWS CloudFormation to deploy a microservices architecture. The operations team wants to receive real-time notifications when any stack operation fails. Which TWO AWS services can be used together to achieve this?

Select 2 answers
A.AWS Lambda
B.Amazon CloudWatch Logs
C.AWS CloudTrail
D.Amazon CloudWatch Events (Amazon EventBridge)
E.Amazon Simple Notification Service (SNS)
AnswersD, E

EventBridge can capture CloudFormation events and trigger actions.

Why this answer

Options A and E are correct. CloudWatch Events (now Amazon EventBridge) can capture CloudFormation stack events and trigger an SNS topic to send notifications. Option B is wrong because Lambda alone doesn't provide notifications.

Option C is wrong because CloudTrail is for API auditing, not real-time notification. Option D is wrong because CloudWatch Logs doesn't trigger SNS directly for stack events.

181
MCQmedium

A company uses AWS CloudFormation to deploy a three-tier web application. The stack includes an Application Load Balancer (ALB), an Auto Scaling group of EC2 instances, and an Amazon RDS Multi-AZ database. The DevOps team has configured the EC2 instances to send application logs to CloudWatch Logs using the CloudWatch agent. They also set up a CloudWatch alarm on the ALB's 5xx error count. During a recent deployment, the team noticed that the alarm did not trigger even though the application was returning 5xx errors. The team verified that the CloudWatch agent is running on the instances and logs are appearing in CloudWatch Logs. What should the team do to ensure the alarm triggers correctly?

A.Create a metric filter on the EC2 instance's log group to count 5xx errors and create an alarm on that.
B.Change the CloudWatch alarm to use the 'HTTPCode_ELB_5XX_Count' metric instead.
C.Restart the CloudWatch agent on the EC2 instances.
D.Verify that the CloudWatch alarm is using the correct metric 'HTTPCode_Target_5XX_Count' and that the threshold is appropriate.
AnswerD

The correct metric for backend errors is HTTPCode_Target_5XX_Count.

Why this answer

Option D is correct. The ALB's 5xx metric is based on requests that the ALB itself generates, not the backend responses. If the backend returns a 5xx, the ALB forwards it, but the metric may be 'HTTPCode_Target_5XX_Count'.

The team may have confused the metrics. Option A is incorrect because the agent is already working. Option B is incorrect because the alarm is on ALB, not EC2.

Option C is incorrect because log groups do not affect alarms.

182
Multi-Selectmedium

A company wants to set up centralized logging for its multi-account AWS environment. The logs include CloudTrail, VPC Flow Logs, and Amazon Route 53 resolver query logs. Which TWO services should they use to achieve this with minimal operational overhead? (Select TWO.)

Select 2 answers
A.Amazon CloudWatch Logs
B.Amazon S3
C.Amazon Kinesis Data Streams
D.Amazon OpenSearch Service
E.AWS CloudTrail
AnswersA, B

Can aggregate logs from multiple accounts using cross-account subscription filters.

Why this answer

Option A (CloudWatch Logs) and Option C (S3) are correct because CloudWatch Logs can receive logs from multiple accounts via subscription filters, and S3 can serve as a central archive. Option B is wrong because Kinesis is not needed as an intermediate. Option D is wrong because OpenSearch adds overhead.

Option E is wrong because CloudTrail alone cannot centralize all log types.

183
Multi-Selecthard

A company wants to centralize logging from multiple AWS accounts and regions. The logs should be stored in a central S3 bucket for compliance. Which THREE steps are required to achieve this? (Choose THREE.)

Select 3 answers
A.Create a cross-account subscription in Amazon CloudWatch Logs to stream logs to the central account.
B.Create an S3 bucket in the central account with appropriate bucket policy granting permissions to CloudTrail.
C.Enable CloudTrail in each region where the company operates.
D.Enable AWS CloudTrail in each account and configure it to deliver logs to the central S3 bucket.
E.Turn on CloudTrail data events for all S3 and Lambda resources.
AnswersB, C, D

The central bucket needs a policy allowing CloudTrail to write logs from other accounts.

Why this answer

Option B is correct because to centralize logs from multiple accounts into a single S3 bucket, the bucket in the central account must have a bucket policy that explicitly grants the necessary permissions (e.g., `s3:PutObject`) to the CloudTrail service principal (`cloudtrail.amazonaws.com`) from each source account. This policy allows CloudTrail in the source accounts to write log files directly into the central bucket, enabling centralized storage for compliance.

Exam trap

The trap here is that candidates often confuse the need for a cross-account CloudWatch Logs subscription (Option A) with the direct S3 delivery mechanism of CloudTrail, or they mistakenly think enabling data events (Option E) is mandatory for centralization, when only management events and proper S3 bucket policy configuration are required.

184
MCQhard

A company runs a critical application on Amazon ECS with Fargate. The DevOps engineer wants to receive alerts when the application's error rate exceeds 5% over a 5-minute period. Which combination of services should be used?

A.Amazon CloudWatch Synthetics to monitor the application endpoint and create an alarm.
B.Amazon CloudWatch Logs Insights to query logs every 5 minutes and trigger a Lambda function.
C.Amazon CloudWatch Logs metric filter to count errors, then a CloudWatch alarm.
D.Amazon CloudWatch Contributor Insights to detect error patterns, then an alarm.
AnswerC

Metric filters extract metrics from logs; alarms trigger on threshold.

Why this answer

Amazon CloudWatch Logs can use metric filters to extract error counts from logs and create a custom metric. A CloudWatch alarm can then be set on the metric. Option B is correct.

Option A is incorrect because CloudWatch Synthetics is for synthetic monitoring, not logs. Option C is incorrect because CloudWatch Contributor Insights analyzes top contributors, not error rate. Option D is incorrect because CloudWatch Logs Insights is a query tool, not for real-time alarms.

185
Multi-Selecthard

A company uses Amazon CloudWatch Synthetics canaries to monitor endpoint availability. The canaries are failing intermittently with timeout errors. The DevOps team needs to diagnose the issue. Which THREE aspects should they investigate?

Select 3 answers
A.The canary schedule and frequency.
B.The canary script execution time and memory usage.
C.Network connectivity and routing from the canary's VPC to the target endpoint.
D.CloudWatch Synthetics canary logs for error messages.
E.CloudWatch Logs retention policy for the canary logs.
AnswersB, C, D

Excessive execution time or memory can cause timeouts.

Why this answer

Option B is correct because canary scripts have a maximum execution time of 5 minutes (300 seconds) and a memory limit of 1 GB. If the script execution time or memory usage exceeds these limits, the canary will fail with a timeout error. Investigating these metrics in CloudWatch can reveal whether the script is too resource-intensive or slow, causing the intermittent failures.

Exam trap

The trap here is that candidates may confuse canary schedule frequency with execution timeout, thinking that running the canary less often will fix timeout errors, when the root cause is actually script performance or network latency.

186
Multi-Selecthard

A company runs a containerized application on Amazon ECS with Fargate. They want to monitor the application logs and metrics. Which THREE steps should they take to collect and visualize this data? (Choose THREE.)

Select 3 answers
A.Create a CloudWatch Dashboard to display logs and metrics.
B.Use AWS CloudFormation to monitor resource metrics.
C.Configure the ECS task definition to use the awslogs log driver.
D.Use AWS X-Ray to trace requests and collect logs.
E.Enable the CloudWatch agent as a sidecar container in the task definition.
AnswersA, C, E

Dashboards provide visualization of monitoring data.

Why this answer

Option A is correct because the awslogs driver sends container logs to CloudWatch Logs. Option B is correct because enabling the CloudWatch agent in task definition allows custom metric collection. Option C is correct because CloudWatch Dashboards can visualize logs and metrics.

Option D is wrong because X-Ray is for tracing, not logs or metrics. Option E is wrong because CloudFormation is for infrastructure provisioning, not monitoring.

187
Multi-Selectmedium

A company is using Amazon CloudWatch Logs to store application logs. The DevOps team needs to search across multiple log groups and visualize trends. Which TWO services can be used together to achieve this?

Select 2 answers
A.CloudWatch Logs Insights.
B.Amazon Elasticsearch Service with Kibana.
C.Amazon Athena.
D.Amazon QuickSight.
E.CloudWatch Dashboards.
AnswersA, E

Logs Insights can run queries across multiple log groups.

Why this answer

Option A and Option C are correct. CloudWatch Logs Insights can query multiple log groups, and CloudWatch Dashboards can visualize the results. Option B (Athena) queries data in S3, not directly in CloudWatch Logs.

Option D (Kibana) requires Elasticsearch Service, which adds complexity. Option E (QuickSight) can visualize but requires data in S3 or a database.

188
MCQeasy

A company needs to monitor the CPU utilization of its Amazon RDS for PostgreSQL instance. The metric should be available in Amazon CloudWatch with a granularity of 1 minute. Which action should the team take?

A.Install the CloudWatch agent on the RDS instance.
B.Enable Enhanced Monitoring for the RDS instance.
C.No additional configuration is needed; RDS automatically sends metrics to CloudWatch.
D.Enable Performance Insights for the RDS instance.
AnswerC

Correct: RDS publishes CPU utilization to CloudWatch by default.

Why this answer

Amazon RDS for PostgreSQL automatically publishes metrics, including CPU utilization, to CloudWatch with a default granularity of 1 minute for standard instances. No additional configuration is required to enable this basic monitoring. The metrics are collected by the RDS hypervisor layer and sent to CloudWatch without needing an agent or extra setup.

Exam trap

The trap here is that candidates often confuse Enhanced Monitoring (which provides OS-level metrics at higher granularity) with basic CloudWatch monitoring, leading them to incorrectly select Option B when the question only requires standard 1-minute CPU utilization metrics.

How to eliminate wrong answers

Option A is wrong because the CloudWatch agent cannot be installed on an RDS instance; RDS is a managed service that does not allow direct OS-level access or agent installation. Option B is wrong because Enhanced Monitoring provides OS-level metrics (e.g., memory, disk I/O) at a granularity of 1 second or more, but it is not required for basic CPU utilization metrics, which are already sent to CloudWatch at 1-minute granularity. Option D is wrong because Performance Insights is a database performance tuning feature that visualizes database load and waits, not a mechanism for sending CPU utilization metrics to CloudWatch.

189
MCQeasy

A DevOps engineer is responsible for monitoring a set of microservices running on Amazon ECS with Fargate. The services are fronted by an Application Load Balancer (ALB). The engineer needs to collect and analyze application logs centrally with minimal latency and operational overhead. The logs should be searchable and retainable for 90 days. Which solution meets these requirements?

A.Deploy the CloudWatch agent as a Daemon service on the ECS cluster to collect logs from all tasks and forward them to CloudWatch Logs.
B.Use the FireLens log driver in the ECS task definition to send logs to Amazon CloudWatch Logs.
C.Configure the ECS tasks to write logs to Amazon S3 and use Amazon Athena to query the logs.
D.Add a sidecar container to each ECS task that streams logs to Amazon Kinesis Data Firehose, which delivers to Amazon OpenSearch Service.
AnswerA

The CloudWatch agent can collect logs from all tasks with minimal overhead and send them to CloudWatch Logs for search and retention.

Why this answer

Option C is correct because the CloudWatch agent can collect logs from ECS tasks and send them to CloudWatch Logs, which provides near real-time search and configurable retention. Option A is wrong because S3 is not searchable natively and would require additional services like Athena. Option B is wrong because FireLens is a log router, but not all containers have it configured; also, it adds overhead.

Option D is wrong because putting a sidecar for every task increases cost and complexity, and Kinesis Data Firehose adds latency.

190
MCQeasy

A DevOps engineer is troubleshooting a slow API response. They suspect that the issue is related to database queries. The application runs on EC2 instances behind an ALB and uses Amazon RDS for MySQL. Which monitoring approach will provide the most granular insight into database query performance?

A.Enable CloudWatch Logs for the RDS instance and query the error log.
B.Install the CloudWatch agent on the EC2 instances to collect database performance counters.
C.Enable Enhanced Monitoring and Performance Insights for the RDS instance.
D.Monitor the ALB's 'TargetResponseTime' metric and correlate with RDS 'CPUUtilization'.
AnswerC

Enhanced Monitoring provides OS metrics; Performance Insights provides database performance and query details.

Why this answer

Option D is correct because Enhanced Monitoring provides OS-level metrics, and Performance Insights offers query-level performance data. Option A is wrong because ELB metrics only show overall latency. Option B is wrong because CloudWatch agent captures OS metrics but not query-specific data.

Option C is wrong because CloudWatch Logs requires logs to be sent manually.

191
MCQmedium

A company is running a production web application on Auto Scaling EC2 instances behind an ALB. They have enabled detailed CloudWatch metrics on the EC2 instances and enabled CloudTrail. Recently, users reported intermittent 503 errors. The operations team reviews CloudWatch dashboards but sees no spike in CPU or memory. What is the MOST likely cause of the 503 errors?

A.Insufficient CloudTrail logging trail configuration
B.The target group has an insufficient number of healthy instances due to health check failures
C.Detailed monitoring is disabled for the EC2 instances
D.The security group for the ALB is misconfigured
AnswerB

ALB returns 503 when no healthy targets are available; health check failures can occur without high CPU/memory.

Why this answer

Option D is correct because ALB 503 errors often indicate that the target group health checks are failing due to insufficient healthy instances, which may not cause CPU/memory spikes. Option A is wrong because CloudTrail logs API calls, not HTTP responses. Option B is wrong because if detailed monitoring were disabled, metrics would be missing, but the question says they are enabled.

Option C is wrong because a misconfigured security group would cause connection timeouts, not 503 errors.

192
MCQhard

A media company runs a video transcoding pipeline on AWS. The pipeline uses AWS Step Functions to orchestrate multiple Lambda functions that transcode video files stored in Amazon S3. The company wants to implement a monitoring solution to track the progress of each workflow execution, including which step is currently running, the duration of each step, and any errors. The solution should provide near real-time visibility and allow the team to troubleshoot failed executions quickly. Which solution meets these requirements?

A.Create custom CloudWatch metrics from Lambda functions for each step, and build a CloudWatch dashboard.
B.Use Amazon EventBridge to capture Step Functions execution status changes and build a custom dashboard in CloudWatch.
C.Configure each Lambda function to write logs to CloudWatch Logs with the execution ID, and use CloudWatch Logs Insights to query and visualize.
D.Enable AWS X-Ray tracing on the Step Functions and Lambda functions to get a service map and trace details.
AnswerB

Step Functions emits events to EventBridge for each state transition, which can be used to create a real-time dashboard showing progress, durations, and errors.

Why this answer

Option D is correct because Step Functions natively emits execution history and CloudWatch Events (now Amazon EventBridge) for state changes. Using these events with a dashboard provides real-time visibility into step durations and errors. Option A is wrong because CloudWatch Logs from individual Lambda functions do not provide workflow-level context easily.

Option B is wrong because X-Ray traces are for distributed tracing, not for workflow step tracking; also, it adds overhead. Option C is wrong because CloudWatch dashboards can be built from existing metrics, but custom metrics from each step would require significant instrumentation.

193
MCQhard

A company is using Amazon RDS for MySQL and needs to monitor the number of slow queries. They have enabled slow query logs. How can they effectively monitor and alert on the number of slow queries per minute?

A.Use RDS Events to send slow query metrics to CloudWatch.
B.Enable RDS Enhanced Monitoring and publish metrics to CloudWatch.
C.Use AWS CloudTrail to monitor SQL queries.
D.Publish slow query logs to CloudWatch Logs, create a metric filter, and set an alarm.
AnswerD

Metric filters can count pattern occurrences in logs.

Why this answer

Option C is correct because you can publish slow query logs to CloudWatch Logs, create a metric filter to count occurrences, and set an alarm on that metric. Option A is wrong because RDS Events do not include slow query counts. Option B is wrong because Enhanced Monitoring does not include slow query logs.

Option D is wrong because CloudTrail does not capture database queries.

194
MCQhard

A DevOps team is implementing a comprehensive logging strategy for a microservices architecture running on Amazon EKS. They need to collect logs from all containers and send them to a centralized log analytics platform. The solution must be agentless and support multi-line log events. Which approach should the team use?

A.Deploy a Fluent Bit DaemonSet on the EKS cluster and configure it to send logs to Amazon CloudWatch Logs.
B.Use the Amazon CloudWatch agent as a sidecar container in each pod to forward logs to CloudWatch Logs.
C.Install the Amazon Kinesis Agent on each EC2 instance and configure it to stream logs to Amazon Kinesis Data Firehose.
D.Deploy a Fluentd DaemonSet on the EKS cluster and configure it to send logs to Amazon S3.
AnswerA

Fluent Bit is a lightweight, agentless log processor that can be deployed as a DaemonSet and supports multi-line logs.

Why this answer

Option A is correct because Fluent Bit is a lightweight, CNCF-graduated log processor that can be deployed as a DaemonSet on EKS to collect logs from all nodes without requiring sidecar containers. It supports multi-line log events natively via its multiline filter plugin, and it can output directly to Amazon CloudWatch Logs using the cloudwatch_logs output plugin, meeting the agentless requirement since it runs as a Kubernetes DaemonSet rather than as a per-pod sidecar.

Exam trap

The trap here is that candidates often confuse 'agentless' with 'no software at all,' but in Kubernetes, agentless means no sidecar injection per pod; a DaemonSet is considered agentless because it runs as a cluster-level service, not as part of the application deployment.

How to eliminate wrong answers

Option B is wrong because deploying the CloudWatch agent as a sidecar container in each pod is not agentless; it requires modifying every pod definition and increases resource overhead, whereas the requirement specifies an agentless solution. Option C is wrong because the Amazon Kinesis Agent is an EC2-level agent that must be installed on each underlying EC2 instance, which is not agentless and does not integrate with EKS pod-level log collection; it also does not natively support multi-line log events without custom configuration. Option D is wrong because Fluentd is a heavier log collector compared to Fluent Bit, and while it can send logs to Amazon S3, S3 is a storage service, not a centralized log analytics platform; the requirement specifies sending logs to a centralized log analytics platform, which CloudWatch Logs fulfills.

195
MCQhard

A company runs a microservices application on Amazon ECS with Fargate. The operations team notices that some services are experiencing intermittent high latency, but CPU and memory metrics appear normal. They need to identify the root cause. Which approach should they use?

A.Enable detailed CloudWatch Logs and use CloudWatch Logs Insights to query logs for slow requests.
B.Use Amazon Managed Service for Prometheus to collect custom metrics and set up dashboards.
C.Set up CloudWatch Synthetics canaries to monitor the endpoints and measure response times.
D.Instrument the application with the AWS X-Ray SDK and use the X-Ray console to analyze traces.
AnswerD

X-Ray traces individual requests across services, identifying latency sources.

Why this answer

Option D is correct because AWS X-Ray provides end-to-end tracing to pinpoint latency issues in distributed applications. Option A is wrong because CloudWatch Logs Insights alone does not trace requests across services. Option B is wrong because Prometheus metrics are aggregated and may not correlate individual requests.

Option C is wrong because CloudWatch Synthetics canaries test endpoints but cannot trace internal service calls.

196
MCQhard

A company uses AWS CloudFormation to deploy infrastructure. The security team wants to be notified whenever a stack is created, updated, or deleted. They also want to track who made the change. Which combination of services should be used to achieve this?

A.AWS Config rules and Amazon SNS
B.AWS CloudTrail and Amazon CloudWatch Events (now Events) with SNS
C.Amazon S3 event notifications and AWS Lambda
D.AWS Lambda and Amazon DynamoDB
AnswerB

CloudTrail logs API calls, and CloudWatch Events can filter those events and publish to SNS.

Why this answer

Option B is correct because CloudTrail captures CloudFormation API calls (CreateStack, UpdateStack, DeleteStack) and CloudWatch Events can trigger SNS notifications based on those API calls. Option A is wrong because Config rules evaluate resource compliance, not API events. Option C is wrong because S3 event notifications are for S3 objects.

Option D is wrong because Lambda alone cannot capture who made the change without CloudTrail integration.

197
Drag & Dropmedium

Drag and drop the steps to configure an AWS Auto Scaling group with a launch template and scaling policies.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

First create the launch template, then create the Auto Scaling group, then configure network, then set capacities, then add scaling policy.

198
MCQmedium

An e-commerce platform uses Amazon DynamoDB as its primary database. During a flash sale, the application experienced high read latency. The DevOps team wants to set up CloudWatch alarms to detect high read latency proactively. The team has enabled DynamoDB Accelerator (DAX) for caching. Which metric should the team use to create a CloudWatch alarm for read latency?

A.DAX's CacheHitCount metric.
B.DynamoDB's ConsumedReadCapacityUnits metric.
C.DAX's CacheHitLatency metric.
D.DynamoDB's SuccessfulRequestLatency metric for GetItem operations.
AnswerC

This metric measures the latency of cache hits from DAX.

Why this answer

Option C is correct. With DAX enabled, the application reads from DAX, so the relevant latency metric is the DAX cache hit latency. Option A is incorrect because DynamoDB read latency does not reflect DAX caching.

Option B is incorrect because DynamoDB consumed read capacity is not a latency metric. Option D is incorrect because DAX cache hit count is a count, not a latency measure.

199
MCQhard

A company is running a critical application on Amazon ECS with Fargate. The application generates custom metrics that are published to CloudWatch using the PutMetricData API. Recently, the metrics have been delayed by up to 5 minutes. The DevOps team needs to reduce the latency. What should the team do?

A.Install the CloudWatch agent on the Fargate tasks to collect metrics.
B.Set the StorageResolution parameter to 1 when calling PutMetricData.
C.Publish the metrics as structured logs to CloudWatch Logs and use metric filters.
D.Increase the frequency of PutMetricData calls to every 5 seconds.
AnswerB

High-resolution metrics are available faster than standard resolution.

Why this answer

Option D is correct because the storage resolution parameter allows metrics to be stored at a higher resolution (1 second) which can be retrieved faster. Option A is wrong because the CloudWatch agent is not needed for custom API calls. Option B is wrong because increasing the PutMetricData frequency may cause throttling.

Option C is wrong because CloudWatch Logs does not replace custom metrics.

200
Multi-Selectmedium

A DevOps engineer needs to set up a monitoring solution that can detect and alert on unusual patterns in application metrics. Which TWO AWS services can be used together to achieve this? (Choose TWO.)

Select 2 answers
A.Amazon GuardDuty
B.Amazon CloudWatch Alarms
C.Amazon CloudWatch Anomaly Detection
D.AWS CloudTrail
E.AWS Config
AnswersB, C

Alarms can trigger notifications when anomaly detection breaches thresholds.

Why this answer

CloudWatch Anomaly Detection creates a model of expected metric behavior and alerts on anomalies. CloudWatch alarms can then trigger actions. Option A and D are correct.

Option B is incorrect because AWS Config is for configuration compliance. Option C is incorrect because AWS CloudTrail is for API auditing. Option E is incorrect because Amazon GuardDuty is for security threats.

201
Multi-Selecteasy

A DevOps engineer wants to monitor the health of an Auto Scaling group and receive notifications when instances are launched or terminated. Which TWO AWS services can be used together to achieve this?

Select 2 answers
A.AWS CloudTrail.
B.AWS Config.
C.Amazon EventBridge.
D.Amazon SNS.
E.AWS Lambda.
AnswersC, D

EventBridge can match Auto Scaling events and publish to SNS.

Why this answer

Option A and Option C are correct. Amazon SNS can send notifications, and CloudWatch Events (now Amazon EventBridge) can capture Auto Scaling lifecycle events and trigger SNS. Option B (CloudTrail) logs API calls but does not directly trigger notifications.

Option D (Lambda) can be used but is not required; SNS alone is sufficient. Option E (Config) records configuration changes but is not the primary choice for real-time notifications.

202
MCQhard

A company runs a web application on EC2 instances behind an Application Load Balancer. They use Amazon CloudFront for content delivery. The DevOps team notices that some requests are returning HTTP 503 errors intermittently. After checking the CloudFront and ALB logs, they find that the errors originate from the ALB. What is the most likely cause?

A.The SSL certificate on the ALB is expired.
B.The security group for the ALB is blocking traffic from CloudFront.
C.CloudFront is configured to forward an HTTP method that the ALB does not support.
D.The ALB is experiencing a surge in traffic and is scaling up, but during the scaling activity, some requests are rejected.
AnswerD

ALB returns 503 when it cannot handle the request load, often during scaling.

Why this answer

Option D is correct because when an Application Load Balancer (ALB) experiences a sudden surge in traffic that exceeds its current capacity, it may temporarily reject requests with HTTP 503 errors while it scales up. During the scaling activity, the ALB's target group might not have enough healthy registered targets to handle the load, causing the ALB to return 503 responses until new instances are provisioned and pass health checks. This matches the intermittent nature of the errors described in the scenario.

Exam trap

The trap here is that candidates often confuse 503 errors with SSL certificate issues or security group misconfigurations, but the intermittent nature of the errors and the fact that they originate from the ALB (not CloudFront) points directly to capacity scaling limitations rather than configuration errors.

How to eliminate wrong answers

Option A is wrong because an expired SSL certificate on the ALB would cause SSL/TLS handshake failures (e.g., ERR_CERT_DATE_INVALID) and result in 502 Bad Gateway errors from CloudFront, not 503 errors from the ALB. Option B is wrong because if the security group for the ALB were blocking traffic from CloudFront, the ALB would not receive the requests at all, and CloudFront would return 502 errors (or connection timeouts) instead of the ALB returning 503 errors. Option C is wrong because CloudFront forwarding an unsupported HTTP method would cause the ALB to return a 405 Method Not Allowed error, not a 503 Service Unavailable error.

203
MCQmedium

A company has deployed a containerized application on Amazon ECS with Fargate. The application is fronted by an Application Load Balancer (ALB). The DevOps team is using CloudWatch Container Insights to monitor the ECS cluster. They notice that the 'MemoryUtilized' metric for the service is consistently above 80%, and the 'CPUUtilized' is around 50%. The ALB's 'TargetResponseTime' is increasing over time. The team wants to resolve the performance issue. Which action should the team take?

A.Increase the memory limit for the ECS task definition to allow the container to use more memory.
B.Increase the CPU limit for the ECS task definition to improve performance.
C.Increase the number of ALB targets by adding more availability zones.
D.Increase the desired count of the ECS service to distribute the load across more tasks.
AnswerA

Memory utilization is above 80%, indicating a memory bottleneck.

Why this answer

Option B is correct because the high memory utilization (above 80%) is likely causing performance degradation. Increasing the memory limit for the task definition will allow the container to handle more load. Option A is wrong because CPU is not the bottleneck.

Option C is wrong because scaling the ALB does not address the container's resource limits. Option D is wrong because increasing the desired count without fixing the memory limit may not help if each task is memory-constrained.

204
MCQhard

A company runs a microservices architecture on Amazon ECS with Fargate. The operations team wants to collect custom application metrics (e.g., request latency per service) and visualize them in CloudWatch dashboards. The team also needs to set CloudWatch alarms based on these metrics. Which solution requires the LEAST amount of code changes and operational overhead?

A.Use the CloudWatch Embedded Metric Format to emit custom metrics as JSON log entries.
B.Deploy a StatsD daemon as a sidecar container and configure the application to send metrics to StatsD, then forward to CloudWatch.
C.Modify the application code to use the AWS SDK to call PutMetricData API directly.
D.Install the CloudWatch Agent on each Fargate task as a sidecar container to collect custom metrics.
AnswerA

EMF allows emitting metrics via logs with minimal code changes.

Why this answer

Option A is correct because the CloudWatch Embedded Metric Format allows applications to emit metrics as structured JSON logs, which CloudWatch automatically extracts into metrics and logs. This requires minimal code changes (just log format). Option B is wrong because publishing to CloudWatch via PutMetricData requires the AWS SDK and more code changes.

Option C is wrong because CloudWatch Agent on Fargate is not supported (requires EC2). Option D is wrong because using a sidecar container for StatsD adds complexity and overhead.

205
Multi-Selectmedium

A company uses Amazon CloudWatch Logs to store application logs. The DevOps team wants to search across multiple log groups for a specific error pattern. Which TWO options can be used to achieve this? (Choose TWO.)

Select 2 answers
A.Use CloudWatch Logs Insights to run queries across multiple log groups.
B.Export the logs to Amazon S3 and use Amazon Athena to query the logs.
C.Install the CloudWatch Logs agent on an EC2 instance and tail the logs.
D.Create a Lambda function that reads logs from each log group and searches for the pattern.
E.Use Amazon Kinesis Data Analytics to process the log streams.
AnswersA, B

CloudWatch Logs Insights can query multiple log groups simultaneously.

Why this answer

CloudWatch Logs Insights is purpose-built for querying log data across multiple log groups. It uses a query language to search, filter, and aggregate log events, making it ideal for identifying error patterns across different sources. This option is correct because it directly supports cross-log-group queries without additional data movement or infrastructure.

Exam trap

The trap here is that candidates may think Lambda or Kinesis are suitable for ad-hoc log searching, but they are designed for real-time processing or custom workflows, not for efficient cross-log-group querying like CloudWatch Logs Insights or Athena.

206
MCQhard

A company runs a containerized web application on Amazon ECS with AWS Fargate. The application is critical and requires high availability. The DevOps team has set up an Amazon CloudWatch alarm that triggers an auto scaling action when the average CPU utilization exceeds 75% for 5 minutes. However, during a recent traffic spike, the application became slow and some requests timed out, even though the CloudWatch alarm did not fire. The team checked the ECS service auto scaling configuration and found that the target tracking scaling policy based on average CPU utilization is set with a target value of 75%. The ECS service is configured with a minimum of 2 tasks and a maximum of 10 tasks. Upon investigation, they noticed that the CPU utilization metric for the service remained below 75% during the spike, but the memory utilization was high (over 90%). The application logs show that the tasks were running out of memory, causing garbage collection pauses and slow responses. Which course of action should the DevOps engineer take to prevent this issue in the future?

A.Add a second target tracking scaling policy based on average memory utilization with a target value of 75%.
B.Decrease the CPU target value to 50% to trigger scaling earlier.
C.Increase the minimum number of tasks from 2 to 5 to provide more capacity upfront.
D.Increase the task memory limit in the task definition to 8 GB.
AnswerA

Memory-based scaling will add tasks when memory is high, preventing memory exhaustion.

Why this answer

Option B is correct because the issue is memory pressure, not CPU. Adding a target tracking scaling policy based on memory utilization will scale the service when memory is high. Option A is wrong because increasing the minimum number of tasks would not dynamically respond to memory spikes.

Option C is wrong because the issue is not CPU. Option D is wrong because the application is already containerized; increasing task memory is a static change that may not handle dynamic spikes efficiently, and the best practice is to auto scale based on memory.

207
MCQeasy

Refer to the exhibit. An IAM policy is attached to an EC2 instance role. The application on the instance fails to write logs to CloudWatch Logs in the log group 'MyAppLogs'. What is the most likely cause?

A.The policy does not grant permissions on the log stream resource.
B.The CloudWatch agent is not installed on the instance.
C.The policy specifies the wrong region in the resource ARN.
D.The policy does not include the 'logs:DescribeLogGroups' action.
AnswerA

PutLogEvents requires permissions on the log stream ARN.

Why this answer

Option B is correct because the resource ARN in the policy specifies the log group but does not include the log stream ARN. To write logs, the policy must also allow resources for the log streams. Option A is wrong because the actions are correct.

Option C is wrong because CloudWatch agent is not required if using the AWS SDK. Option D is wrong because the region is specified correctly.

208
Multi-Selectmedium

A company is using Amazon CloudWatch Logs to store application logs. The DevOps team wants to set up real-time monitoring for specific error patterns and trigger remediation actions. Which TWO services can process the log events in real time and invoke an AWS Lambda function for remediation? (Choose two.)

Select 2 answers
A.Stream log events to Amazon Kinesis Data Streams and configure a Lambda function to process the stream.
B.Create a CloudWatch Logs subscription filter that delivers log events to a Lambda function.
C.Create an Amazon EventBridge rule that matches on CloudWatch Logs log group events.
D.Configure the log group to send log events to an Amazon SQS queue, and have the Lambda function poll the queue.
E.Publish log events to an Amazon SNS topic and subscribe the Lambda function.
AnswersA, B

Kinesis Data Streams can receive log events from a subscription filter, and Lambda can process the stream in real time.

Why this answer

Option A and Option C are correct. CloudWatch Logs can stream to Lambda via subscription filters (Option A) and also to Kinesis Data Streams which can then be processed by Lambda (Option C). Option B is wrong because EventBridge does not directly subscribe to log streams; it can receive events from other sources but not directly from CloudWatch Logs in real time.

Option D (SQS) would require a Lambda to poll, but real-time streaming is not native. Option E (SNS) is for push notifications, but cannot directly receive log events from CloudWatch Logs without a subscription filter.

209
MCQhard

A DevOps engineer is configuring a centralized logging solution using Amazon CloudWatch Logs. They need to ensure that logs from multiple AWS accounts are aggregated into a single CloudWatch Logs account. Which approach meets this requirement?

A.Use Amazon Kinesis Data Firehose in each account to stream logs to a central Amazon S3 bucket, then use Amazon Athena to query.
B.Create a subscription filter in each account that delivers log events to a CloudWatch Logs destination in the central account.
C.Set up a cross-account destination using an Amazon Kinesis Data Streams stream in the central account and configure each account to send logs to that stream.
D.Configure each application to use the PutLogEvents API to send logs directly to the central account's log group.
AnswerB

Cross-account subscription filters allow real-time log aggregation from multiple accounts to a central account.

Why this answer

Option B is correct because CloudWatch Logs supports cross-account subscription filters that can deliver log events to a CloudWatch Logs destination in a central account. The destination is a logical resource that points to a Kinesis Data Stream or Lambda function in the central account, and the source account creates a subscription filter that sends matching log events to that destination. This allows centralized aggregation without requiring each account to manage separate streaming infrastructure.

Exam trap

The trap here is that candidates confuse the CloudWatch Logs destination (which is a cross-account subscription mechanism) with directly writing to a Kinesis stream or using PutLogEvents across accounts, both of which are not supported for cross-account log aggregation.

How to eliminate wrong answers

Option A is wrong because Amazon Kinesis Data Firehose cannot directly stream logs from CloudWatch Logs in multiple accounts to a central S3 bucket without additional cross-account permissions and intermediate services; it also introduces unnecessary complexity and latency for real-time log aggregation. Option C is wrong because while a cross-account Kinesis Data Streams destination can be used, the correct implementation requires creating a CloudWatch Logs destination in the central account that points to the Kinesis stream, not configuring each account to send logs directly to the stream via PutRecord. Option D is wrong because the PutLogEvents API requires the log group and log stream to exist in the same account as the API call; cross-account PutLogEvents is not supported, and applications cannot send logs directly to a central account's log group.

210
Matchingmedium

Match each AWS service health or performance concept to its meaning.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Maximum limits on resources per account

Shows events and changes affecting your AWS resources

Monitors a metric and performs actions based on thresholds

Provides recommendations for cost, performance, security, and fault tolerance

Recommends optimal AWS compute resources for workloads

Why these pairings

These are tools for managing performance and health.

211
MCQeasy

A DevOps engineer needs to set up an alert for when the CPU utilization of an EC2 instance exceeds 90% for 5 consecutive minutes. Which CloudWatch features should be used?

A.CloudWatch Logs with a metric filter on CPU utilization logs.
B.CloudTrail to monitor EC2 instance CPU usage.
C.CloudWatch alarm on the CPUUtilization metric with a period of 5 minutes and threshold of 90.
D.Amazon S3 server access logs to check CPU utilization.
AnswerC

Alarms evaluate metrics over time and trigger actions.

Why this answer

Option B is correct because a CloudWatch alarm can monitor a metric and trigger an action when a threshold is breached for a specified period. Option A is wrong because CloudWatch Logs does not directly monitor CPU utilization. Option C is wrong because CloudTrail records API calls, not metrics.

Option D is wrong because S3 does not provide monitoring or alerting.

212
MCQeasy

A DevOps engineer is tasked with ensuring that all Amazon S3 buckets in the account have server access logging enabled. The engineer needs to be automatically notified when a new bucket is created without logging enabled. Which AWS service should they use?

A.Use AWS CloudTrail to detect CreateBucket API calls and trigger a Lambda function to check logging.
B.Use AWS Trusted Advisor to check S3 bucket logging and send notifications via Amazon SNS.
C.Use Amazon S3 Event Notifications to trigger a Lambda function when a new bucket is created.
D.Use AWS Config with a managed rule to check if S3 bucket logging is enabled, and configure an SNS topic for notifications.
AnswerD

AWS Config evaluates configuration changes in near real time and can trigger notifications.

Why this answer

Option D is correct because AWS Config provides continuous monitoring and evaluation of your AWS resource configurations. By using the managed rule 's3-bucket-server-access-logging-enabled', AWS Config can automatically check all S3 buckets (including newly created ones) for server access logging. When a bucket is non-compliant, AWS Config can trigger an SNS notification to alert the DevOps engineer, meeting the requirement for automatic notification without custom code.

Exam trap

The trap here is that candidates often confuse event-driven services like CloudTrail or S3 Event Notifications with configuration compliance services, mistakenly thinking they can directly detect and react to resource misconfigurations without the need for custom evaluation logic.

How to eliminate wrong answers

Option A is wrong because AWS CloudTrail records API calls but does not evaluate resource configurations; triggering a Lambda function from CloudTrail would require custom code to parse the event and check logging, which is not the most efficient or managed solution. Option B is wrong because AWS Trusted Advisor checks S3 bucket logging only for buckets in the 'S3 Bucket Logging' check, but it does not provide real-time notifications for new bucket creation; it runs periodic checks and requires manual setup or custom automation for alerts. Option C is wrong because Amazon S3 Event Notifications cannot be configured on a bucket that does not exist yet; you cannot set up event notifications for 'new bucket creation' events, as S3 Event Notifications are per-bucket and only support events like object creation or deletion within an existing bucket.

213
MCQmedium

A DevOps team uses AWS CloudFormation to deploy a web application. They want to receive notifications when a stack update fails. Which combination of services should they use?

A.Use AWS Config rules to monitor stack status and trigger an SNS notification.
B.Create a CloudWatch alarm on the CloudFormation stack event metric 'UPDATE_FAILED' and configure an SNS topic to send email notifications.
C.Use Amazon EventBridge to capture CloudFormation events and invoke an AWS Lambda function that sends an email.
D.Enable S3 event notifications on the CloudFormation template bucket and subscribe an SNS topic.
AnswerB

CloudWatch alarms can monitor stack events and trigger SNS notifications directly.

Why this answer

Option B is correct because you can create a CloudWatch alarm on the 'Stack Events' metric for 'UPDATE_FAILED' and send notifications via SNS. Option A is wrong because Lambda cannot directly receive CloudFormation events without a custom integration. Option C is wrong because EventBridge can capture CloudFormation events, but the question asks for notifications; the simplest approach is CloudWatch Alarm + SNS.

Option D is wrong because S3 does not trigger on stack events by default.

214
MCQhard

A company is using Amazon CloudWatch Logs to store application logs. The DevOps engineer needs to ensure that log data is encrypted at rest using a customer-managed KMS key. What step must be taken?

A.Use AWS CloudTrail to encrypt the log data before it is sent to CloudWatch Logs.
B.Create a KMS key and apply it to the IAM role used by the application.
C.Create a new KMS customer-managed key and associate it with the CloudWatch Logs log group.
D.Enable server-side encryption on the log group using the default CloudWatch Logs key.
AnswerC

You can associate a CMK with a log group to encrypt logs at rest.

Why this answer

Option C is correct because CloudWatch Logs supports encryption at rest using a customer-managed KMS key, which must be explicitly associated with the log group. When you create or update a log group, you can specify a KMS key ID (via the AWS CLI, SDK, or console) to encrypt all log data stored in that group. This ensures that the log data is encrypted using a key you control, not the default AWS-managed key.

Exam trap

The trap here is that candidates often confuse associating a KMS key with an IAM role (which controls access) with associating it directly with the log group (which controls encryption at rest), leading them to select Option B instead of C.

How to eliminate wrong answers

Option A is wrong because AWS CloudTrail is an auditing service that records API calls, not an encryption mechanism; it cannot encrypt log data before it is sent to CloudWatch Logs. Option B is wrong because applying a KMS key to an IAM role does not encrypt log data at rest; the key must be associated directly with the CloudWatch Logs log group, not with an IAM role. Option D is wrong because enabling server-side encryption with the default CloudWatch Logs key uses an AWS-managed key, not a customer-managed KMS key, which does not meet the requirement for a customer-managed key.

215
MCQeasy

A DevOps engineer needs to aggregate logs from multiple AWS accounts into a central account for analysis. Which service should they use?

A.AWS CloudTrail with organization trails.
B.Amazon CloudWatch Logs with cross-account subscription filters.
C.AWS Config with aggregator.
D.Amazon S3 with cross-account bucket policies.
AnswerB

Subscription filters can stream logs to a central account.

Why this answer

Option B is correct because CloudWatch Logs can send log data cross-account using subscription filters with Kinesis Data Streams or Firehose. Option A is wrong because S3 can store logs but does not provide real-time aggregation. Option C is wrong because CloudTrail is for API activity, not general logs.

Option D is wrong because Config is for resource configuration.

216
MCQhard

A DevOps engineer is tasked with centralizing logs from multiple AWS accounts into a single Amazon OpenSearch Service domain. The engineer sets up Amazon Kinesis Data Firehose to deliver logs from each account to the OpenSearch domain. However, some accounts show failed deliveries in the Firehose console. Which configuration is MOST likely causing the failures?

A.The IAM role assumed by Firehose in each account does not have permissions to write to the cross-account OpenSearch domain
B.The source accounts do not have a CloudWatch Logs subscription filter to send logs to Firehose
C.The Kinesis Data Streams used as the Firehose source is not encrypted
D.The OpenSearch domain's access policy does not allow access from the S3 bucket used by Firehose
AnswerA

Firehose needs an IAM role with sts:AssumeRole and es:HttpPut permissions for the destination OpenSearch domain.

Why this answer

Option B is correct because each account must have an IAM role that grants Firehose cross-account access to the OpenSearch domain's destination. Option A is wrong because CloudWatch Logs subscription is not required. Option C is wrong because Kinesis Data Streams is not needed.

Option D is wrong because S3 bucket permissions are not relevant for direct Firehose-to-OpenSearch delivery.

217
Multi-Selecthard

A company uses AWS Organizations to manage multiple accounts. The DevOps team needs to monitor for any IAM user creation across all accounts in the organization. Which THREE steps should be taken to implement this centralized monitoring?

Select 3 answers
A.Create a CloudWatch Logs metric filter on the organization's CloudTrail log group for 'CreateUser' events.
B.Enable CloudTrail in the management account with an organization trail that applies to all accounts.
C.Configure an S3 bucket to receive CloudTrail logs from all accounts and enable S3 event notifications for object creation.
D.Use AWS Config rules to detect IAM user creation across accounts.
E.Set a CloudWatch alarm on the metric to send notifications via SNS.
AnswersA, B, E

A metric filter counts occurrences of the 'CreateUser' event in the CloudTrail logs.

Why this answer

Options A, C, and E are correct. Option A: Enabling CloudTrail in the management account with organization trail captures all account API activity. Option C: Creating a CloudWatch Logs metric filter for 'CreateUser' events in the management account's CloudTrail log group captures the event.

Option E: Creating a CloudWatch alarm on the metric triggers a notification. Option B is wrong because an S3 bucket alone does not provide alerting. Option D is wrong because AWS Config does not monitor API calls like IAM user creation.

218
MCQeasy

A company runs a web application on an Auto Scaling group of EC2 instances. The operations team uses CloudWatch alarms to monitor the application. They have set up a CPUUtilization alarm that triggers when the average CPU exceeds 70% for 5 minutes. The alarm triggers a scaling policy to add instances. Recently, the team noticed that the alarm frequently triggers during the day, but the application performance is acceptable. They suspect the alarm is too sensitive and want to reduce the number of false alarms. The team wants to keep the alarm responsive to real CPU spikes but avoid triggering on short bursts. What should the team change in the alarm configuration?

A.Create a composite alarm that combines CPUUtilization with MemoryUtilization.
B.Reduce the metric period to 1 minute and keep evaluation periods at 1.
C.Increase the number of evaluation periods to 3, so the alarm triggers only if CPU is high for 3 consecutive periods.
D.Lower the threshold to 60% to catch more CPU spikes.
AnswerC

This filters out short bursts and requires sustained high CPU.

Why this answer

Option B is correct because increasing the evaluation periods requires sustained high CPU for a longer duration before triggering. Option A is wrong because reducing the period would increase sensitivity. Option C is wrong because lowering the threshold would make it more sensitive.

Option D is wrong because a composite alarm is not needed; the issue is with the evaluation period.

219
MCQhard

A company uses Amazon ECS with Fargate for containerized applications. The DevOps team notices that some tasks are failing with 'OutOfMemoryError' but the CloudWatch metric 'MemoryUtilization' for the service shows values well below the task memory limit. What is the most likely cause of this discrepancy?

A.The container's memory usage is hitting the kernel's memory cgroup limit before the Docker-reported usage reaches the task memory limit.
B.The CloudWatch metric 'MemoryUtilization' is aggregated across all tasks in the service, so individual task spikes are averaged out.
C.The task definition has a memory reservation but no hard limit, causing ECS to overcommit memory.
D.The container is using swap space, which is not included in the MemoryUtilization metric.
AnswerA

The OOM killer can be triggered by the kernel's memory cgroup limit, which may be set lower than the task memory limit, or by the container exceeding the soft limit, causing the metric to not reflect the actual limit breach.

Why this answer

Option D is correct because the MemoryUtilization metric reported by ECS is based on the container's memory usage as seen by the Docker daemon, but the Linux kernel's Out-Of-Memory (OOM) killer may terminate the container if the task's soft memory limit is exceeded, even if the reported utilization is below the hard limit. Option A is wrong because memory limits are defined in the task definition, not by ECS automatically. Option B is wrong because memory is allocated per task, not per container, and the task memory limit is the total.

Option C is wrong because swap is not typically used in Fargate.

220
Multi-Selectmedium

A company is deploying a new microservice on AWS Lambda. The DevOps team needs to monitor the function for errors and performance issues. Which TWO steps should the team take to set up effective monitoring?

Select 2 answers
A.Enable VPC Flow Logs to monitor network traffic to the function
B.Enable AWS Config rules to evaluate the function configuration
C.Enable active tracing with AWS X-Ray to trace requests through the function
D.Enable CloudWatch Logs for the Lambda function to capture application logs
E.Install the CloudWatch Agent on the Lambda execution environment
AnswersC, D

X-Ray provides end-to-end tracing for Lambda.

Why this answer

Option A is correct because Lambda automatically sends logs to CloudWatch Logs. Option C is correct because enabling AWS X-Ray traces requests and provides performance insights. Option B is wrong because CloudWatch Agent is not needed for Lambda.

Option D is wrong because VPC Flow Logs are for network traffic. Option E is wrong because AWS Config is for configuration management.

221
MCQhard

A company runs a containerized application on Amazon EKS. The DevOps engineer needs to collect application metrics and make them available in Amazon CloudWatch. Which solution should be used?

A.Use AWS X-Ray daemon to collect metrics and send them to CloudWatch.
B.Install the Amazon CloudWatch agent as a DaemonSet on the EKS cluster.
C.Deploy the AWS Distro for OpenTelemetry collector on the EKS cluster.
D.Enable Amazon CloudWatch Container Insights using the AWS Management Console.
AnswerB

The CloudWatch agent can collect metrics and publish to CloudWatch.

Why this answer

The CloudWatch agent with the EKS add-on can collect container and application metrics and send them to CloudWatch. Option B is correct. Option A is incorrect because AWS Distro for OpenTelemetry can also send metrics but requires additional setup; CloudWatch agent is the recommended approach.

Option C is incorrect because CloudWatch Container Insights requires the CloudWatch agent or a sidecar. Option D is incorrect because AWS X-Ray is for tracing, not metrics.

222
Multi-Selectmedium

A company runs a critical application on Amazon ECS with Fargate. The DevOps team wants to set up a metric to track the number of tasks running. Which TWO steps are required to achieve this? (Choose TWO.)

Select 2 answers
A.Create a CloudWatch alarm on the 'RunningTaskCount' metric.
B.Install the CloudWatch agent on the task containers.
C.Enable Container Insights for the ECS cluster.
D.Configure a CloudWatch Logs subscription filter to count tasks.
E.Create a service auto scaling target for the ECS service.
AnswersA, C

Alarm can notify on threshold.

Why this answer

Options A and D are correct. Container Insights must be enabled (A) to get task count metrics, and then a CloudWatch alarm can be created on the metric (D). Option B is incorrect because a service auto scaling target is not required for monitoring.

Option C is incorrect because CloudWatch Logs subscription does not provide metrics. Option E is incorrect because CloudWatch agent is not needed for Fargate.

223
Multi-Selecthard

A DevOps team is troubleshooting a slow website that uses Amazon CloudFront with an Application Load Balancer as the origin. The team notices that cache hit ratio is low. Which THREE actions are most likely to improve the cache hit ratio?

Select 3 answers
A.Configure CloudFront to forward all cookies to the origin.
B.Enable CloudFront Origin Shield to reduce load on the origin and increase cache effectiveness.
C.Decrease the default TTL for objects.
D.Increase the minimum TTL for the CloudFront distribution.
E.Optimize the cache key to include only relevant headers.
AnswersB, D, E

Origin Shield acts as a centralized cache layer, improving hit ratio.

Why this answer

Option B is correct because CloudFront Origin Shield acts as an additional caching layer that consolidates requests from multiple edge locations, reducing the load on the origin and increasing the likelihood of cache hits by serving cached content from the Origin Shield regional cache. This improves cache effectiveness, especially for origins with high latency or limited capacity.

Exam trap

The trap here is that candidates often confuse decreasing TTL with improving cache hit ratio, but in reality, shorter TTLs cause more frequent cache expirations and origin fetches, reducing cache effectiveness.

224
MCQmedium

A DevOps engineer notices that an Amazon RDS for MySQL instance's CPU is consistently high during business hours. The engineer wants to identify the specific queries causing the high CPU. Which combination of services should be used to capture and analyze the queries? (Choose the best answer.)

A.Enable RDS Performance Insights and analyze the top SQL queries
B.Enable RDS Enhanced Monitoring and view metrics in CloudWatch
C.Enable AWS X-Ray tracing on the application and database
D.Enable RDS audit logs and stream them to Amazon CloudWatch Logs
AnswerA

Performance Insights identifies the top queries by CPU usage.

Why this answer

Option C is correct because RDS Performance Insights provides a dashboard to identify top SQL queries consuming CPU. Option A is wrong because CloudWatch Logs alone doesn't capture queries. Option B is wrong because RDS Enhanced Monitoring provides OS-level metrics, not query-level.

Option D is wrong because AWS X-Ray traces requests, not database queries.

225
Multi-Selecthard

A company is running a microservices application on Amazon ECS with AWS Fargate. The operations team wants to collect and visualize metrics such as CPU, memory, and network utilization at the task level. Which TWO services should the team use to achieve this? (Choose TWO.)

Select 2 answers
A.Amazon Managed Service for Prometheus
B.Amazon CloudWatch Logs
C.Amazon CloudWatch
D.AWS X-Ray
E.Amazon CloudWatch Container Insights
AnswersC, E

CloudWatch stores and visualizes metrics via dashboards.

Why this answer

Option A (CloudWatch Container Insights) and Option D (Amazon CloudWatch) are correct. Container Insights collects metrics from ECS tasks, and CloudWatch stores and visualizes them via dashboards. Option B (CloudWatch Logs) is for logs, not metrics.

Option C (AWS X-Ray) is for tracing. Option E (Amazon Managed Service for Prometheus) can scrape metrics but is not the standard integrated solution for ECS Fargate; Container Insights is the recommended approach.

← PreviousPage 3 of 4 · 261 questions totalNext →

Ready to test yourself?

Try a timed practice session using only Monitoring and Logging questions.