CCNA SDLC Automation Questions

75 of 397 questions · Page 1/6 · SDLC Automation · Answers revealed

1
MCQ · easy

A team uses AWS CloudFormation to manage infrastructure. They want to deploy a stack that creates an S3 bucket and a DynamoDB table. The S3 bucket name must be unique across all AWS accounts. Which CloudFormation intrinsic function should be used to generate a unique bucket name?

A. !Ref 'AWS::StackName'
B. !GetAtt S3Bucket.Arn
C. !Sub 'mybucket-${AWS::AccountId}'
D. !Select [0, !Split ['-', !Ref 'AWS::Region']]
Answer: C

AccountId is globally unique, ensuring bucket name uniqueness.

Why this answer

Option C is correct because the `!Sub 'mybucket-${AWS::AccountId}'` intrinsic function substitutes the AWS::AccountId pseudo parameter, which is guaranteed to be unique per AWS account. Since S3 bucket names must be globally unique across all AWS accounts, appending the account ID ensures the generated name does not conflict with buckets in other accounts. This approach is a common pattern for creating unique resource names in CloudFormation.

Exam trap

The trap here is that candidates may think `!Ref 'AWS::StackName'` or `!Ref 'AWS::Region'` provide sufficient uniqueness, but they overlook the requirement for global uniqueness across all AWS accounts, which only `AWS::AccountId` guarantees.

How to eliminate wrong answers

Option A is wrong because `!Ref 'AWS::StackName'` returns the name of the CloudFormation stack, which is not guaranteed to be unique across AWS accounts—multiple accounts can have stacks with the same name. Option B is wrong because `!GetAtt S3Bucket.Arn` returns the Amazon Resource Name of the S3 bucket, which is only available after the bucket is created, and cannot be used to generate a name before creation. Option D is wrong because `!Select [0, !Split ['-', !Ref 'AWS::Region']]` extracts the first part of the region name (e.g., 'us' from 'us-east-1'), which is not unique across accounts or even across regions within the same account.

2
MCQ · medium

A company uses AWS CodeBuild to compile a Java application. The buildspec.yml includes a 'pre_build' phase that runs SonarQube for static code analysis. The analysis requires access to a private SonarQube server hosted on an EC2 instance in the same VPC. The CodeBuild project is configured with a VPC ID, subnet IDs, and security group IDs. However, the build fails with a timeout when trying to connect to the SonarQube server. The security group for the SonarQube server allows inbound traffic on port 9000 from the CodeBuild security group. What is the MOST likely reason for the failure?

A. The CodeBuild project is not configured with the correct VPC subnets.
B. The security group for the SonarQube server does not allow inbound traffic on port 9000 from the CodeBuild security group.
C. The SonarQube server is using a self-signed certificate that CodeBuild does not trust.
D. The CodeBuild project does not have internet access, so it cannot reach the SonarQube server.
Answer: B

Without inbound rule from CodeBuild's security group, the connection is blocked.

Why this answer

Option B is correct because the scenario explicitly states that the security group for the SonarQube server allows inbound traffic on port 9000 from the CodeBuild security group, yet the build fails with a timeout. A timeout typically indicates a network connectivity issue, not a certificate or permission problem. The most likely cause is that the security group rule is misconfigured (e.g., using the wrong security group ID, or the rule is not actually applied), preventing the TCP handshake on port 9000 from completing.

Exam trap

The trap here is that candidates assume the security group rule is correctly configured because it is described in the question, but the timeout indicates the rule is either missing, misconfigured, or not applied, making option B the most likely cause despite the description.

How to eliminate wrong answers

Option A is wrong because the CodeBuild project is already configured with VPC ID, subnet IDs, and security group IDs, so the subnets are correctly specified; a subnet misconfiguration would cause a different error (e.g., 'subnet not found') rather than a timeout. Option C is wrong because a self-signed certificate would cause an SSL/TLS handshake failure (e.g., 'unable to find valid certification path') or a certificate validation error, not a generic timeout; CodeBuild can be configured to ignore SSL errors if needed. Option D is wrong because the SonarQube server is in the same VPC, so internet access is not required; the build fails due to lack of connectivity within the VPC, not because of internet egress.

3
MCQ · hard

A company runs a critical e-commerce application on AWS. They use AWS CodePipeline to manage deployments. The pipeline has a source stage (CodeCommit), a build stage (CodeBuild), and a deploy stage (CodeDeploy to an Auto Scaling group). Recently, a deployment caused a 5-minute outage because the new application version had a bug that caused the health checks to fail. The Auto Scaling group marked instances as unhealthy and replaced them, but during the replacement, traffic was routed to the remaining instances, which also failed health checks, causing a full outage. The company wants to implement a deployment strategy that prevents any traffic from being routed to unhealthy instances and automatically rolls back if the deployment fails. They also want to minimize deployment time and cost. Which solution should the DevOps team implement?

A. Add a manual approval step in CodePipeline before deploy
B. Use CodeDeploy in-place deployment with automatic rollback enabled
C. Use CodeDeploy blue/green deployment with automatic rollback enabled
D. Increase the health check grace period in the Auto Scaling group
Answer: C

Blue/green creates a new environment, tests it, and shifts traffic only if healthy; rollback is automatic

Why this answer

The best approach is to use a blue/green deployment with CodeDeploy, which creates a new Auto Scaling group (green) alongside the existing one (blue). Traffic is shifted to the green group only after health checks pass. If health checks fail, the deployment is automatically rolled back by terminating the green group.

This avoids any outage, so option C is correct. Option B (in-place with rollback) would still cause downtime during instance replacement.

Option D (increase health check grace period) would delay detection but not prevent the outage. Option A (manual approval) slows down deployment and does not automate rollback.

4
MCQ · easy

A company wants to enforce that all infrastructure changes go through a CI/CD pipeline. Which AWS service can be used to prevent direct changes to production resources?

A. AWS Service Catalog
B. AWS IAM
C. AWS Config
D. AWS CloudTrail
Answer: C

Config rules can detect and automatically remediate non-compliant changes.

Why this answer

Option C is correct because AWS Config rules can detect changes and trigger remediation. Option B is incorrect because IAM alone does not prevent changes. Option D is incorrect because CloudTrail is for auditing.

Option A is incorrect because Service Catalog is for pre-approved products.

5
MCQ · easy

A company uses AWS CodePipeline to automate the deployment of a static website hosted on Amazon S3. The pipeline includes a source stage that pulls from a CodeCommit repository and a deploy stage that uses CodeBuild to sync the files to an S3 bucket. The team noticed that the website is not updating after a successful pipeline run. The CodeBuild logs show that the 'aws s3 sync' command completed successfully. However, the website still shows the old content. What is the MOST likely cause?

A. The CodeBuild project does not have permission to write to the S3 bucket.
B. The S3 bucket is not configured for static website hosting.
C. The website is fronted by Amazon CloudFront, which is caching the old content.
D. The S3 bucket policy is blocking public access to the updated objects.
Answer: C

CloudFront caches content; a cache invalidation is needed to serve the new files.

Why this answer

Option C is correct because S3 static website hosting serves content from the bucket, but if CloudFront is used as a CDN, it caches the content. The sync command updates the S3 bucket, but CloudFront serves cached content until the TTL expires or the cache is invalidated. Option D is wrong because the bucket policy does not affect serving content if it is already public.

Option A is wrong because the sync command completed successfully, so the project has write access; the sync command also does not require public access to update objects. Option B is wrong because website hosting can be enabled on the bucket; the issue is caching.

6
MCQ · medium

A CloudFormation stack creation failed as shown in the exhibit. What is the MOST likely cause of the failure?

A. The subnet resource depends on a resource that was not created successfully
B. The VPC creation failed, so the subnet could not be created
C. The CloudFormation service role does not have permission to create subnets
D. The subnet logical ID conflicts with an existing resource in the stack
Answer: A

The subnet likely depends on the VPC, but the VPC succeeded; the error suggests the subnet's physical ID was not assigned, possibly due to a missing dependency or invalid property.

Why this answer

The exhibit shows that the VPC was created successfully, but the subnet creation failed with a 'dependency violation' error. In CloudFormation, when a resource depends on another resource that was not created successfully (or was deleted), the dependent resource cannot be created because the target resource (the VPC) no longer exists or is in a failed state. This is the most likely cause because the subnet depends on the VPC, and if the VPC was rolled back or deleted due to a prior failure, the subnet creation will fail with a dependency violation.

Exam trap

The trap here is that candidates assume the subnet failed because the VPC creation failed, but the exhibit clearly shows the VPC succeeded, so the real issue is a dependency violation caused by the VPC being deleted or rolled back after initial creation.

How to eliminate wrong answers

Option B is wrong because the VPC creation succeeded (as shown in the exhibit), so the subnet failure is not due to a VPC creation failure. Option C is wrong because if the CloudFormation service role lacked permissions, the error would typically be an 'AccessDenied' or 'UnauthorizedOperation' error, not a 'dependency violation' error. Option D is wrong because a logical ID conflict within the same stack would cause a 'ResourceConflict' or 'AlreadyExists' error, not a dependency violation; logical IDs are unique within a stack template and do not conflict with existing resources in the same stack.

7
Matching · medium

Match each AWS deployment strategy to its description.

Matches

Two identical environments; traffic switches after validation

Incremental rollout to a small subset before full release

Updates instances in batches to minimize downtime

Replaces entire instances with new ones; no in-place changes

Deploys to all instances simultaneously (fastest but riskier)

Why these pairings

These are common deployment patterns used in DevOps.

8
MCQ · easy

A company uses AWS CloudFormation to manage a stack that includes an Amazon SQS queue. The queue name must be unique. The developer wants to define the queue name in the CloudFormation template. Which intrinsic function should be used to generate a unique name?

A. Fn::Sub
B. Fn::Select
C. AWS::NoValue
D. Fn::GetAtt
Answer: A

Sub can substitute ${AWS::StackName} to make a unique name.

Why this answer

Option A is correct because Fn::Sub can substitute a pseudo parameter like ${AWS::StackName} to create a unique name. Option B is wrong because Fn::Select picks an item from a list. Option C is wrong because AWS::NoValue is a pseudo parameter, not a function.

Option D is wrong because Fn::GetAtt returns resource attributes.

9
MCQ · hard

A company uses AWS CodeBuild to compile and test their Java application. The build takes about 20 minutes. They have enabled Amazon S3 cache to store the Maven repository to speed up subsequent builds. However, they notice that the build time has not improved significantly. The buildspec file includes the 'cache' section with 'paths' pointing to '/root/.m2'. The CodeBuild project has cache type set to 'S3' and a valid bucket. The build logs show that the cache is being downloaded and uploaded, but the Maven dependencies are still being downloaded from the internet each time. What is the most likely cause?

A. The cache is too large and takes as long to download as the build itself.
B. The S3 bucket is in a different region than the CodeBuild project.
C. The buildspec file does not include the 'cache' section correctly.
D. The Maven dependencies are not being stored in the local repository path specified in the cache.
Answer: D

If Maven is configured to download dependencies to a different location, the cache won't capture them.

Why this answer

Option D is correct because if the Maven local repository is not configured to store dependencies in the cached path, the cache will not help. The build might be using a different repository location, so the dependencies are never captured by the cache. Option A is wrong because the cache is being downloaded and uploaded normally.

Option B is wrong because the cache bucket is configured and valid. Option C is wrong because the cache paths are correct.

10
Multi-Select · hard

Which THREE factors should be considered when designing a deployment strategy using AWS CodeDeploy to minimize downtime during updates? (Choose three.)

Select 3 answers
A. Configure a load balancer to deregister instances before deployment.
B. Use a blue/green deployment to switch traffic instantly.
C. Use canary deployments to shift traffic gradually.
D. Deploy to all instances simultaneously to reduce total time.
E. Use the same instance type for all instances.
Answers: A, B, C

Deregistering prevents traffic during update.

Why this answer

Options A, B, and C are correct. Option A ensures service continuity. Option B switches traffic instantly to the new environment.

Option C allows testing before full rollout. Option D is wrong because deploying to all instances simultaneously reduces total deployment time, not downtime. Option E is wrong because instance type is irrelevant.

11
MCQ · medium

A company uses AWS CodePipeline with a GitHub source action. The pipeline is configured to trigger on changes to the main branch. After a recent commit, the pipeline did not trigger. The DevOps engineer verified that the webhook is configured correctly and the IAM role has the necessary permissions. What is the most likely cause?

A. The GitHub personal access token used for authentication has expired.
B. The pipeline is set to manual execution only.
C. The source action's branch filter is set to a different branch.
D. The GitHub webhook endpoint URL is incorrect.
Answer: A

Expired token prevents webhook events.

Why this answer

Option A is correct because if the GitHub personal access token has expired, CodePipeline cannot receive webhook events. Option C is wrong because the branch filter is set to main. Option D is wrong because the webhook is configured correctly.

Option B is wrong because the pipeline execution mode is not the issue.

12
MCQ · medium

A company is using AWS CodeDeploy to deploy a web application to an Auto Scaling group. The deployment fails with the error 'The overall deployment failed because too many individual instances failed deployment, too few healthy instances are available, or some instances in your deployment group are experiencing problems.' The deployment configuration uses a linear traffic shifting with a 10-minute interval. The application logs show that the new version of the application crashes on startup. What is the MOST effective way to handle this situation to ensure successful future deployments?

A. Increase the interval in the linear traffic shifting to 30 minutes to allow more time for instances to stabilize.
B. Configure the deployment to automatically roll back when a failure occurs and ignore the error.
C. Switch to a blue/green deployment strategy to minimize the impact on existing instances.
D. Add a script in the AppSpec file's 'Validate Service' lifecycle hook to check the application health and fail the deployment if the application does not start successfully.
Answer: D

This ensures that unhealthy instances are detected early and the deployment is stopped before traffic is shifted.

Why this answer

Option D is correct because adding a script to the AppSpec file that validates the application health before allowing traffic shifting can catch startup failures early and prevent deployment failures. Option A is wrong because increasing the interval does not fix the root cause. Option B is wrong because rolling back does not address the underlying issue.

Option C is wrong because a blue/green deployment would still have the same crash issue.

13
MCQ · hard

Refer to the exhibit. A developer is troubleshooting a failed AWS CodeBuild build. The buildspec file contains the following build commands: 'pre_build' - run linting, 'build' - './gradlew build', 'post_build' - package artifact. The error occurs in the build phase. Which of the following is the MOST likely cause?

A. The Gradle build encountered compilation or test errors.
B. The build environment ran out of disk space.
C. The artifact packaging step failed.
D. The linting step failed.
Answer: A

exit status 1 from gradlew indicates a build failure.

Why this answer

Option A is correct because a Gradle build failure (exit status 1) typically indicates compilation errors or test failures. Option D is wrong because linting is in pre_build and would have failed earlier. Option B is wrong because running out of disk space would cause a different error.

Option C is wrong because the error is from the Gradle command itself, not the packaging step.

14
MCQ · hard

A company uses AWS CodeBuild to run builds for a Java application. The buildspec includes a 'mvn test' command. The build succeeds but the tests fail. The team wants to fail the build if any test fails. What should they do?

A. Add a 'post_build' phase that fails the build if tests fail.
B. Add a 'test' phase in the buildspec before the 'build' phase.
C. Ensure the buildspec's 'build' phase includes the test command and that the command returns a non-zero exit code on failure.
D. Configure the build project to use batch builds.
Answer: C

CodeBuild fails the build if any command returns non-zero.

Why this answer

Option C is correct because CodeBuild checks the exit code of each command in the build phase; if 'mvn test' fails, it returns a non-zero exit code and CodeBuild fails the build. Option B is wrong because buildspec phases are fixed and cannot be modified. Option D is wrong because batch builds are for running multiple builds.

Option A is wrong because post_build runs after the build phase has already completed.

15
MCQ · medium

Refer to the exhibit. A DevOps engineer ran the above AWS CLI command after a CloudFormation stack update. What does the status 'ROLLBACK_COMPLETE' indicate?

A. The stack update is in progress.
B. The stack was deleted successfully.
C. The stack was created successfully.
D. The stack update failed and CloudFormation reverted to the previous stack.
Answer: D

ROLLBACK_COMPLETE indicates a failed update with rollback.

Why this answer

Option D is correct because ROLLBACK_COMPLETE means the update failed and CloudFormation reverted to the previous state. Option C is wrong because the stack was not created successfully; it rolled back. Option B is wrong because ROLLBACK_COMPLETE is not a delete status.

Option A is wrong because it is not an update in progress.

16
MCQ · hard

Refer to the exhibit. A CodePipeline deployment fails at the CloudFormation stage. The Lambda function creation is cancelled. What is the MOST likely cause?

A. The buildspec.yml file contains an invalid command.
B. The Lambda function is configured in a VPC without a NAT gateway or VPC endpoints, causing deployment timeout.
C. The Lambda function's execution role lacks permissions to create ENIs.
D. The CodeCommit branch is not configured correctly in the pipeline.
Answer: B

Lambda in VPC without internet access can cause timeouts if it needs to download packages or call external services during initialization.

Why this answer

The error indicates CloudFormation timed out waiting for a signal (WaitCondition). Lambda functions in a VPC require a NAT gateway or VPC endpoints to download dependencies or access external services, and the wait condition might be waiting for a signal that never arrives due to network issues.

17
Multi-Select · medium

A DevOps engineer is designing a CI/CD pipeline for a Python application using AWS CodeBuild and AWS CodeDeploy. The application is deployed to an Auto Scaling group of EC2 instances. The engineer wants to ensure that the deployment does not impact availability. Which TWO strategies can be used? (Choose 2.)

Select 2 answers
A. In-place deployment with a large batch size.
B. Rolling deployment with a small batch size.
C. Immutable deployment.
D. Blue/green deployment.
E. Canary deployment.
Answers: B, D

Rolling updates instances in batches, maintaining availability.

Why this answer

Options B and D are correct. A rolling deployment (B) updates instances in batches, maintaining availability. A blue/green deployment (D) creates a new environment and switches traffic.

Option A is wrong because an in-place deployment with a large batch size can cause downtime. Option C is wrong because immutable deployments are not supported directly with Auto Scaling groups. Option E is wrong because canary is not a deployment type for EC2/ASG.

18
Multi-Select · hard

A company uses AWS CodePipeline with multiple stages: Source (CodeCommit), Build (CodeBuild), Test (CodeBuild), and Deploy (CodeDeploy to EC2). The Test stage runs integration tests that require network access to a private database in a VPC. The CodeBuild project is configured to use a VPC. However, the Test stage fails intermittently with timeout errors. Which TWO actions would MOST likely resolve the issue? (Choose 2)

Select 2 answers
A. Remove the VPC configuration from the CodeBuild project and use a public subnet instead.
B. Increase the timeout for the Test stage in the CodeBuild project to accommodate network delays.
C. Ensure the CodeBuild project's VPC configuration includes a NAT gateway for internet access.
D. Use a larger compute type for the CodeBuild project to improve network performance.
E. Configure the security group for the CodeBuild project to allow outbound traffic to the database security group on the required port.
Answers: B, C

Intermittent timeouts may be due to network congestion; increasing timeout provides buffer.

Why this answer

Options B and C are correct. Using a NAT gateway ensures outbound internet access if needed, and increasing the timeout prevents premature timeouts. Option E is incorrect because security groups should already be permissive within the VPC.

Option A is incorrect because subnet IDs are required for the VPC configuration. Option D is incorrect because compute type does not affect network.

19
Multi-Select · medium

Which TWO actions should a DevOps engineer take to implement a CI/CD pipeline that automatically deploys a containerized application to Amazon ECS using AWS CodePipeline and AWS CodeBuild? (Choose TWO.)

Select 2 answers
A. Use AWS CloudFormation to deploy the ECS service
B. Use AWS CodeDeploy to deploy the container to ECS with a blue/green deployment
C. Store the Docker image in AWS CodeCommit
D. Use CodeBuild to build the Docker image and push it to Amazon ECR
E. Configure CodePipeline to use Amazon ECR as a source for the container image
Answers: D, E

CodeBuild can run docker build and push to ECR as part of the pipeline.

Why this answer

Option D is correct because AWS CodeBuild can be configured to build the Docker image from source code and then push it to Amazon ECR using the `post_build` phase with commands like `docker push`. This is a standard pattern for containerized CI/CD pipelines, as ECR serves as the private registry for storing and versioning container images. Option E is correct because CodePipeline can use Amazon ECR as a source action, which triggers the pipeline automatically when a new image is pushed to the specified repository, enabling continuous deployment to ECS.

Exam trap

The trap here is that candidates often confuse the role of CodeDeploy (which is for EC2/on-premises deployments) with ECS deployment mechanisms, or mistakenly think CodeCommit can store Docker images instead of source code, leading them to select options B or C.

20
Multi-Select · easy

A company uses AWS CodeCommit for source control. Developers need to automatically run tests on every push to a feature branch, but only if the push includes changes to the 'src/' directory. Which TWO AWS services can be used together to achieve this?

Select 2 answers
A. Amazon CloudWatch Logs
B. AWS CodePipeline
C. AWS CodeDeploy
D. AWS Lambda
E. AWS CodeBuild
Answers: B, D

CodePipeline can start on CodeCommit push with path filters

Why this answer

CodeCommit can trigger AWS Lambda via CloudWatch Events or via Amazon EventBridge. The Lambda function can check the commit details for changes in the 'src/' directory and then trigger CodeBuild to run tests. Alternatively, CodePipeline can be configured with a source trigger on the feature branch and a filter for path changes.

Option B (CodePipeline) and Option D (Lambda) are correct. Option C is wrong because CodeDeploy is for deployment, not testing. Option A is wrong because CloudWatch Logs is for log storage.

Option E is wrong because CodeBuild alone cannot listen to CodeCommit events.

21
MCQ · medium

A large enterprise is using AWS CloudFormation to manage their infrastructure. They have a master template that orchestrates nested stacks for different components: VPC, application, and database. The VPC stack creates subnets, route tables, and security groups. The application stack creates EC2 instances and an Application Load Balancer. The database stack creates an RDS instance. The master template uses parameters to pass configuration values. Recently, when updating the application stack, the update failed because the security group ID from the VPC stack changed, and the application stack references the old security group ID. The team wants to ensure that when the VPC stack is updated, dependent stacks are automatically updated to use the new outputs. Which approach should they take?

A. Use the Fn::ImportValue intrinsic function in the application stack to import the security group ID from the VPC stack's exports.
B. Use the Fn::GetAtt intrinsic function in the application stack to directly reference the security group from the VPC stack.
C. Hardcode the security group ID in the application template to avoid changes.
D. Configure the master template to automatically update all nested stacks whenever any output changes.
Answer: A

Fn::ImportValue allows stacks to reference exported outputs from other stacks.

Why this answer

Option A is correct because using Fn::ImportValue to import exported outputs from other stacks ensures that the dependent stack always gets the latest value. Option C is wrong because hardcoding is error-prone. Option D is wrong because CloudFormation does not automatically update nested stacks when another stack's outputs change; the parent stack must be updated.

Option B is wrong because Fn::GetAtt only references resources within the same template; cross-stack references using Fn::ImportValue are the recommended pattern.

22
MCQ · medium

A company uses AWS CloudFormation to manage infrastructure. The DevOps engineer wants to ensure that stack updates are rolled back if a new Amazon RDS instance fails to be created. Which CloudFormation feature should the engineer use?

A. Use a WaitCondition and a WaitHandle to pause creation
B. Set the RDS instance's DeletionPolicy to Retain
C. Define a StackPolicy that denies updates to the RDS instance
D. Add a CreationPolicy to the RDS instance with a timeout
Answer: D

CreationPolicy monitors resource creation and triggers rollback on failure.

Why this answer

Option D is correct because a CreationPolicy with a timeout ensures that a resource is fully created before continuing; if it fails, the stack rolls back. Option C is incorrect because a StackPolicy only prevents updates to specific resources. Option A is incorrect because a WaitCondition is used for external signals, not for resource creation.

Option B is incorrect because DeletionPolicy: Retain does not force a rollback if creation fails.

23
MCQ · hard

A company runs a microservices architecture on Amazon ECS with Fargate launch type. Each microservice is deployed using AWS CodePipeline with a source stage from CodeCommit, a build stage in CodeBuild, and a deploy stage that updates the ECS service. The team wants to implement a blue/green deployment strategy to reduce downtime and enable quick rollbacks. Which combination of AWS services and configurations should be used?

A. Use AWS CloudFormation with a 'DeploymentPreference' set to 'BlueGreen' for the ECS service.
B. Use AWS CodeDeploy with a deployment group configured for blue/green deployment, and an Application Load Balancer (ALB) to shift traffic between the blue and green target groups.
C. Use the ECS service's built-in rolling update with a 'minimumHealthyPercent' of 100 and 'maximumPercent' of 200.
D. Configure the ECS service with an 'AutoScaling' policy that replaces instances gradually.
Answer: B

CodeDeploy integrates with ECS and ALB to perform blue/green deployments with traffic shifting.

Why this answer

Option B is correct because CodeDeploy supports blue/green deployments for ECS with Fargate, using an Application Load Balancer (ALB) to shift traffic between target groups. Option C is incorrect because the ECS rolling update does not provide blue/green natively without CodeDeploy. Option A is incorrect because CloudFormation does not provide blue/green traffic shifting for ECS.

Option D is incorrect because ECS service auto scaling does not control deployment strategy.

24
MCQ · medium

A DevOps team is designing a deployment pipeline for a microservices application on Amazon ECS using AWS CodePipeline. They want to implement a canary deployment strategy where a small percentage of traffic is routed to the new version before fully promoting it. Which AWS service or feature should they use to achieve this?

A. Amazon ECS Service Auto Scaling
B. AWS CodeDeploy with ECS blue/green deployment
C. Amazon Route 53 weighted routing
D. AWS App Mesh with traffic shifting
Answer: B

Why this answer

AWS CodeDeploy with ECS blue/green deployment is the correct choice because it natively supports canary traffic shifting for Amazon ECS services. When integrated with AWS CodePipeline, CodeDeploy can route a small percentage of traffic (e.g., 10%) to the new task set, monitor it with CloudWatch alarms, and then automatically shift the remaining traffic after a specified interval. This is the only option that directly provides the canary deployment lifecycle within the ECS and CodePipeline context.

Exam trap

The trap here is that candidates often confuse Route 53 weighted routing (which operates at the DNS level and cannot shift traffic within a single ECS service) with the application-level traffic shifting needed for canary deployments, or they assume App Mesh is required when CodeDeploy already provides the native integration.

Why the other options are wrong

A. Auto Scaling adjusts the number of tasks, not traffic shifting between versions.

C. Route 53 can distribute traffic across multiple endpoints, but it is not the native way for ECS service deployments.

D. App Mesh provides traffic splitting, but ECS natively integrates with CodeDeploy for canary deployments.

25
Multi-Select · medium

Which THREE actions should a DevOps team take to ensure a CI/CD pipeline using AWS CodePipeline is secure? (Choose three.)

Select 3 answers
A. Require multi-factor authentication (MFA) for pipeline executions.
B. Use AWS KMS to encrypt artifacts in the pipeline.
C. Use AWS CodePipeline with a customer-managed S3 bucket for artifacts and restrict bucket access.
D. Enable pipeline-level IAM permissions to restrict who can modify the pipeline.
E. Enable AWS CloudTrail to log pipeline executions.
Answers: B, C, D

Encrypts sensitive data in transit and at rest.

Why this answer

Options A, C, and E are correct. Option A prevents unauthorized changes. Option C encrypts artifacts.

Option E ensures secure artifact storage. Option B is wrong because CloudTrail is for auditing, not pipeline security directly. Option D is wrong because MFA is for user access, not pipeline actions.

26
MCQ · hard

A team uses AWS CodePipeline with multiple stages: Source, Build, Test, and Deploy. The Test stage runs integration tests against a staging environment. Occasionally, the tests fail due to environment issues, not code issues. The team wants to automatically retry the Test stage up to two times if it fails, but not the Deploy stage. How can this be achieved?

A. Create a CloudWatch Events rule that triggers a Lambda function to retry the failed stage.
B. Configure the Retry setting in the Test stage's action configuration.
C. Enable the 'Retry on failure' option in the CodePipeline pipeline settings.
D. Use AWS Step Functions to orchestrate the pipeline and implement retries.
Answer: B

CodePipeline supports per-stage retry configuration.

Why this answer

Option B is correct because CodePipeline allows configuring retry on a per-stage basis in the pipeline structure. Option A is wrong because there is no global retry setting. Option C is wrong because Step Functions would add complexity and is not native.

Option D is wrong because CloudWatch Events can trigger retries but not in a simple way; the native retry is simpler.

27
MCQ · medium

A company uses AWS CodeDeploy to deploy a web application to an Auto Scaling group of Amazon EC2 instances. The deployment fails with the error 'The overall deployment failed because too many individual instances failed deployment, too few healthy instances are available for deployment, or some instances in your deployment group are experiencing problems.' The application is deployed to the instances using an in-place deployment. The instances are running Amazon Linux 2. What should the DevOps engineer check first?

A. Check the security group rules for the EC2 instances.
B. Check the application's port availability.
C. Verify that the AWS CodeDeploy agent is installed and running on each EC2 instance.
D. Verify that the IAM instance profile associated with the instances has the correct permissions.
Answer: C

Without the agent, the instance cannot receive deployment instructions.

Why this answer

Option A is correct because the CodeDeploy agent must be installed and running on the instances. If it is not, the deployment fails. Option B is wrong because security groups affect network access, not the agent.

Option C is wrong because IAM instance profile permissions are needed but the agent must be running to use them. Option D is wrong because the application port is not directly related to the agent.

28
Multi-Select · easy

A company uses AWS CodeBuild to run unit tests. The buildspec.yaml file includes commands to install dependencies and run tests. Which TWO environment variables are automatically set by CodeBuild and can be used in the build commands? (Choose TWO.)

Select 2 answers
A. CODEBUILD_SRC_DIR
B. AWS_REGION
C. CODEBUILD_BUILD_ID
D. CODEBUILD_BUILD_NUMBER
E. CI
Answers: A, C

This is automatically set to the source directory.

Why this answer

Options B and D are correct. CODEBUILD_BUILD_ID and CODEBUILD_SRC_DIR are automatically set by CodeBuild. Option A is wrong because AWS_REGION is automatically set, but it is an AWS CLI environment variable, not specific to CodeBuild.

Option C is wrong because CODEBUILD_BUILD_NUMBER is not an automatic environment variable; it is exposed but not automatically set. Option E is wrong because CI is not automatically set by CodeBuild.

29
Multi-Select · hard

A DevOps engineer is managing a CI/CD pipeline using AWS CodePipeline with multiple stages: Source (CodeCommit), Build (CodeBuild), Test (CodeBuild), and Deploy (CodeDeploy). The engineer wants to add manual approval steps before the Test and Deploy stages. Additionally, the pipeline should automatically roll back the deployment if the Deploy stage fails. Which two actions should the engineer take to implement these requirements? (Choose two.)

Select 2 answers
A. Add an Approval action in the Test stage before the Test build action.
B. Insert a new stage between Build and Test, and add an Approval action to that stage.
C. In the CodeDeploy deployment group configuration, enable automatic rollback for deployment failure.
D. Add a Lambda function in the pipeline that triggers a rollback if the Deploy stage fails.
E. Configure the pipeline's Deploy stage to have a 'Rollback' action that runs on failure.
Answers: B, C

Why this answer

Option B is correct because manual approval actions in AWS CodePipeline must be added as a separate stage, not within an existing stage. By inserting a new stage between Build and Test and adding an Approval action, the pipeline pauses before the Test stage, allowing manual review. Option C is correct because CodeDeploy deployment groups support automatic rollback on deployment failure, which can be enabled in the deployment group configuration to revert to the last known good revision.

Exam trap

The trap here is that candidates often think approval actions can be inserted within an existing stage (like before a build action) or that rollback can be implemented as a pipeline action, rather than understanding that approvals require a separate stage and rollback is a deployment group configuration in CodeDeploy.

Why the other options are wrong

A

Approval actions are separate stages, not part of the same stage as build.

D

CodePipeline does not have a native rollback; rely on CodeDeploy's rollback feature.

E

CodePipeline does not support a rollback action type.

30
Multi-Select · medium

A company wants to implement a CI/CD pipeline for an application that runs on Amazon ECS with Fargate. The pipeline should build a Docker image, push it to Amazon ECR, and deploy a new task definition to ECS. Which THREE AWS services are required to build this pipeline?

Select 3 answers
A. Amazon S3
B. AWS CodeDeploy
C. AWS CodePipeline
D. AWS CodeCommit
E. AWS CodeBuild
Answers: B, C, E

Deploys the new task definition to ECS.

Why this answer

Options A, B, and D are correct. CodeBuild builds the Docker image and pushes it to ECR. CodePipeline orchestrates the stages.

CodeDeploy (or ECS directly) deploys the new task definition. Option C is not a deployment service. Option E is not needed because ECR is used.

31
MCQ · easy

A company uses AWS CodePipeline to automate builds and deployments. The pipeline has a source stage (Amazon S3) and a build stage (AWS CodeBuild). The build stage is failing with the error: 'Error: Unable to download artifact from S3: Access Denied'. The artifacts are stored in an S3 bucket that is encrypted with AWS KMS. The CodeBuild service role has permissions to read from the S3 bucket and use the KMS key. The team checks that the S3 bucket policy and the KMS key policy allow the CodeBuild role. What is the most likely cause of the failure?

A. The S3 bucket does not have versioning enabled, so CodeBuild cannot retrieve the artifact.
B. The KMS key policy does not grant 'kms:Decrypt' permission to the CodeBuild service role.
C. The CodePipeline service role does not have permission to pass the artifact to CodeBuild.
D. The artifact is stored in the same S3 bucket used by CodePipeline for its artifacts, causing a conflict.
Answer: B

Correct: CodeBuild needs decrypt permission to read encrypted artifacts.

Why this answer

Option A is correct because CodeBuild needs permissions to decrypt the artifact; if the KMS key policy does not grant 'kms:Decrypt' to the CodeBuild role, access will be denied. Option B is wrong because bucket versioning is not required. Option C is wrong because the artifact bucket is separate from the pipeline bucket.

Option D is wrong because the CodePipeline service role is not used by CodeBuild to download artifacts.

32
Multi-Select · medium

Which TWO best practices should be followed when configuring AWS CodeBuild projects to improve build performance and security? (Choose TWO.)

Select 2 answers
A. Run builds as the root user to avoid permission errors
B. Use the AWS managed policy 'AdministratorAccess' for the CodeBuild service role to avoid permission issues
C. Configure the build project to use a custom VPC to access resources like private Amazon RDS databases
D. Always use the 'latest' tag for the build environment image to ensure up-to-date software
E. Enable Amazon S3 cache to store dependencies and reuse them across builds
Answers: C, E

VPC enables secure access to private resources and is a best practice for security.

Why this answer

Option C is correct because configuring a CodeBuild project to use a custom VPC allows it to access resources that are not publicly accessible, such as private Amazon RDS databases or internal services, which is essential for building applications that depend on those resources. This also enhances security by keeping traffic within the VPC and avoiding exposure to the public internet.

Exam trap

The trap here is that candidates may confuse 'improving performance' with 'simplifying configuration' and choose options like using the 'latest' tag or granting broad permissions, overlooking the security and determinism trade-offs.

33
MCQ · hard

A large enterprise uses a multi-account AWS strategy with a centralized DevOps account. The DevOps account hosts an AWS CodePipeline that deploys a critical application to production account (111111111111) using AWS CodeDeploy. The pipeline has three stages: Source (CodeCommit), Build (CodeBuild), and Deploy (CodeDeploy). The deploy stage uses a cross-account role (arn:aws:iam::111111111111:role/CrossAccountDeployRole) to perform the deployment. The trust policy on that role allows the DevOps account's CodePipeline service role (arn:aws:iam::222222222222:role/CodePipelineServiceRole) to assume it. The pipeline has been working for months, but after a recent security audit, the security team tightened permissions. Now the deploy stage fails with the error: 'User: arn:aws:sts::222222222222:assumed-role/CodePipelineServiceRole/AWS-CodePipeline-xxx is not authorized to perform: codedeploy:CreateDeployment on resource: arn:aws:codedeploy:us-east-1:111111111111:deploymentgroup:MyApp/MyDG'. The DevOps team has verified that the CrossAccountDeployRole has a permissions policy that allows 'codedeploy:*' on all resources. The CodePipelineServiceRole has a permissions policy that allows 'sts:AssumeRole' on the CrossAccountDeployRole. What is the most likely cause and what action should be taken to resolve the issue?

A. Add 'sts:AssumeRole' to the permissions policy of CodePipelineServiceRole.
B. Create the deployment group in the production account again to reset permissions.
C. Check the permissions boundary on CrossAccountDeployRole and add a boundary that allows CodeDeploy actions.
D. Update the trust policy of CrossAccountDeployRole to include the DevOps account ID.
Answer: C

A permissions boundary can override the permissions policy and must explicitly allow required actions.

Why this answer

Option C is correct because the error indicates that the assumed role (CrossAccountDeployRole) is not authorized to perform codedeploy:CreateDeployment, despite having a permissions policy that allows codedeploy:* on all resources. This typically occurs when a permissions boundary is attached to the role that restricts the effective permissions, overriding the permissions policy. Adding a permissions boundary that allows CodeDeploy actions resolves the issue by ensuring the role's effective permissions include the necessary CodeDeploy operations.

Exam trap

The trap here is that candidates often assume the error is due to missing sts:AssumeRole or trust policy misconfiguration, but the role was already assumed successfully (as shown by the assumed-role ARN in the error), so the real issue is a permissions boundary or service control policy limiting the role's effective permissions.

How to eliminate wrong answers

Option A is wrong because the CodePipelineServiceRole already has sts:AssumeRole in its permissions policy (as stated in the scenario), so adding it again would not resolve the issue. Option B is wrong because recreating the deployment group does not address the underlying permission restriction; the error is about authorization, not resource existence or configuration. Option D is wrong because the trust policy already allows the DevOps account's CodePipelineServiceRole to assume the role (the error shows the role was assumed successfully), so updating the trust policy is unnecessary.

34
MCQ · medium

An organization uses AWS CodePipeline with multiple stages: Source, Build, Test, and Deploy. The Test stage runs integration tests in CodeBuild. Recently, the pipeline failed because the Test stage took longer than expected, causing a pipeline execution timeout. The pipeline has a default timeout of 7 days. What is the MOST efficient way to set a maximum execution time for the Test stage without affecting other stages?

A. Create an AWS Lambda function that stops the pipeline if the Test stage exceeds 1 hour.
B. Set the pipeline execution timeout to 1 hour in the pipeline settings.
C. Use Amazon CloudWatch Events to detect when the Test stage runs for more than 1 hour and then stop the pipeline.
D. Modify the CodeBuild project's build timeout (e.g., 1 hour) in the buildspec or project configuration.
Answer: D

CodeBuild allows setting a timeout; if the build exceeds it, the stage fails quickly.

Why this answer

Option D is correct because the CodeBuild project's build timeout setting directly controls the maximum duration a build can run before it is stopped. By setting this timeout to 1 hour in the CodeBuild project configuration or buildspec, the Test stage will automatically fail if it exceeds that limit, without affecting the pipeline's overall timeout or other stages. This is the most efficient and targeted approach, as it leverages a native CodeBuild feature rather than adding external monitoring or changing pipeline-wide settings.

Exam trap

The trap here is that candidates may confuse the pipeline-level execution timeout with stage-level or action-level timeouts, assuming that adjusting the pipeline timeout is the correct way to limit a specific stage, when in fact CodeBuild's own timeout is the precise and efficient mechanism for controlling build duration.

How to eliminate wrong answers

Option A is wrong because creating an AWS Lambda function to stop the pipeline adds unnecessary complexity, cost, and maintenance overhead; it is not the most efficient solution when a native CodeBuild timeout exists. Option B is wrong because setting the pipeline execution timeout to 1 hour applies to the entire pipeline, not just the Test stage, which would cause the entire pipeline to fail if any stage (e.g., Source, Build, or Deploy) takes longer than 1 hour, even if they are functioning correctly. Option C is wrong because using Amazon CloudWatch Events to detect a long-running Test stage and stop the pipeline introduces additional latency, complexity, and potential race conditions; it is less efficient than directly configuring the CodeBuild project's timeout.

35
Multi-Select · easy

A company is using AWS CodeDeploy to deploy an application to an Auto Scaling group. The deployment is failing because the new instances are not passing the health checks. The team wants to automatically roll back the deployment if health checks fail. Which THREE steps should the team take?

Select 3 answers
A. Use a deployment configuration with a high minimum healthy host percentage.
B. Create a CloudWatch alarm based on the ELB health check metric.
C. Configure the deployment group to automatically roll back when a deployment fails.
D. Configure the Auto Scaling group to use an ELB health check with a sufficient grace period.
E. Store the deployment artifacts in an S3 bucket with versioning enabled.
Answers: B, C, D

Correct: Alarm can trigger rollback.

Why this answer

Option A configures rollback. Option B configures alarms. Option C configures health check grace period.

Option D is not needed. Option E is not for rollback.

36
MCQ · hard

An organization uses AWS Elastic Beanstalk to deploy a web application. The deployment fails with a '502 Bad Gateway' error after the environment update. The health status shows 'Severe'. Investigation reveals that the application is not binding to the port that the nginx proxy expects. What is the most efficient way to diagnose and resolve this issue?

A. Rebuild the environment with a larger instance type to handle the load.
B. Use the Elastic Beanstalk console to update the environment's software configuration.
C. Review the application logs in CloudWatch Logs for error messages.
D. Check the application's listening port by viewing the nginx configuration files in the platform hooks and ensure the app listens on the expected port (e.g., 8080).
Answer: D

Elastic Beanstalk's nginx proxy forwards requests to the application on a specific port (usually 8080). If the app listens on a different port, it causes 502 errors.

Why this answer

Option A is correct: the nginx proxy expects the app to listen on port 8080 (or as defined in the proxy configuration). Option B is a workaround. Option C might not show the port.

Option D is not specific.

37
Multi-Select · medium

A DevOps team uses AWS OpsWorks for Chef Automate to manage configuration. They want to ensure that all EC2 instances automatically register with OpsWorks and are assigned to the correct layer. Which THREE steps are required? (Choose THREE.)

Select 3 answers
A. Install the AWS OpsWorks agent on each EC2 instance.
B. Configure the instance's user data to run the Chef client.
C. Attach an IAM role with the AmazonEC2RoleforOpsWorks policy to the EC2 instance.
D. Register the EC2 instance with the OpsWorks stack using the AWS CLI or console.
E. Assign the registered instance to the appropriate layer (e.g., web, app).
Answers: A, D, E

The agent is required for communication with the OpsWorks service.

Why this answer

Options A, C, and E are correct: install the agent, register the instance with the stack, and assign it to a layer. Option B is not required. Option D is for other services.

38
MCQ · medium

A development team uses AWS CodeCommit and wants to enforce that all commits include a JIRA issue key in the commit message. They want to reject any push that does not contain a valid JIRA key. Which approach should the engineer use?

A. Create a CloudWatch Events rule that triggers a Lambda function on push
B. Use AWS CodeCommit hooks to validate commit messages
C. Use a Lambda function triggered by CodeCommit push events that calls codecommit:PutRepositoryTriggers to reject
D. Configure a pre-commit hook in the Git client
Answer: C

Lambda can validate and reject the push using CodeCommit API.

Why this answer

Option D is correct because CodeCommit can trigger a Lambda function on push events, and the Lambda can validate commit messages and reject the push. Option A is incorrect because pre-commit hooks are client-side and not enforced by AWS. Option B is incorrect because CodeCommit does not support server-side hooks natively.

Option C is incorrect because CloudWatch Events can trigger Lambda but not reject pushes directly.

39
MCQ · medium

A company uses AWS CodePipeline to orchestrate builds and deployments. The build stage uses CodeBuild to run unit tests and generate a report. The team wants to fail the pipeline if the test coverage drops below 80%. How should the engineer configure this?

A. Add a post-build action in the buildspec that checks coverage and exits with non-zero if below threshold.
B. Configure CodeBuild to fail the build if the test report indicates coverage below 80% using the buildspec's reports section.
C. Enable CodeBuild's 'Test Reporting' feature and set a threshold in the CodeBuild project configuration.
D. Use a CodePipeline condition to check the test report artifact and fail the pipeline if coverage is low.
Answer: B

CodeBuild can evaluate test report metrics and fail the build.

Why this answer

Option B is correct because CodeBuild can be configured to fail based on test report criteria. Option A requires custom scripting. Option C uses CodePipeline condition, which is not for test reports.

Option D is not a CodeBuild feature.

40
MCQ · medium

Refer to the exhibit. After a deployment at 10:00, the error rate increases steadily. What is the MOST likely cause?

A. An external dependency became unavailable after the deployment.
B. A bug in the new release causes errors to accumulate over time.
C. The database connection limit was reached immediately after deployment.
D. The deployment triggered a scaling event that overloaded the application.
Answer: B

The steady increase suggests a defect that worsens with time, like a memory leak or resource exhaustion.

Why this answer

The error count increases after deployment and continues to rise, suggesting a code defect or configuration issue introduced by the deployment that causes progressively more errors (e.g., memory leak, connection pool exhaustion).

41
MCQ · hard

Refer to the exhibit. A CloudFormation template creates a Lambda function. After deployment, the function fails with a timeout error. Logs are not being created in CloudWatch. What is the most likely cause?

A. The IAM role does not grant sufficient permissions to write logs.
B. The runtime is not supported.
C. The Lambda execution role has a trust policy that is missing the lambda service.
D. The Lambda function code is faulty.
Answer: A

The log group ARN should include a log group name pattern like '/aws/lambda/*'.

Why this answer

Option C is correct because the Lambda function does not have permission to create log groups in the correct log group ARN. The log group ARN pattern is missing the log group name. Option A is wrong because the code is not the issue.

Option B is wrong because the runtime is correct. Option D is wrong because the role is correctly assumed.

42
Multi-Select · easy

A team uses AWS CodeBuild to build a Node.js application. The buildspec.yml file is at the root of the repository. The build fails with 'Error: Cannot find module 'aws-sdk''. Which TWO actions could resolve the issue? (Choose TWO.)

Select 2 answers
A. Ensure 'aws-sdk' is listed in the 'dependencies' section of package.json.
B. Specify a different Node.js runtime version in the buildspec.
C. Add a 'pre_build' phase that runs 'npm test'.
D. Add an 'install' phase that runs 'npm install'.
E. Add a 'build' phase command to compile the code.
Answers: A, D

Without it, npm install will not install aws-sdk.

Why this answer

B and E are correct. B: Including 'npm install' installs dependencies from package.json. E: Adding aws-sdk to package.json ensures it is installed.

A is incorrect because pre_build runs after install. C is incorrect because runtime version does not affect module availability. D is incorrect because build commands are for building, not installing dependencies.

43
MCQ · easy

A development team uses AWS CodeCommit for source control and wants to automatically run unit tests on every push to the main branch. Which AWS service should they use to trigger the tests?

A. AWS CodeBuild
B. Amazon CloudWatch Events
C. AWS CodePipeline
D. AWS CodeDeploy
Answer: C

CodePipeline can be configured to start on CodeCommit push and run tests.

Why this answer

AWS CodePipeline is the correct service because it provides a fully managed continuous delivery service that can be configured to automatically trigger a build action (such as running unit tests in AWS CodeBuild) whenever a change is pushed to a specified branch in AWS CodeCommit. This is achieved by setting the source stage to the CodeCommit repository and branch, and then adding a build stage that invokes CodeBuild to execute the tests, enabling an automated CI/CD workflow.

Exam trap

The trap here is that candidates often confuse AWS CodeBuild as a standalone trigger because it can run tests, but they overlook that CodeBuild lacks native event-driven triggers and requires an orchestrator like CodePipeline or EventBridge to automate the start on a repository push.

How to eliminate wrong answers

Option A is wrong because AWS CodeBuild is a build service that compiles source code and runs tests, but it does not have native event-driven triggers to automatically start on a CodeCommit push; it requires an external trigger like CodePipeline or Amazon EventBridge. Option B is wrong because Amazon CloudWatch Events (now part of Amazon EventBridge) can capture CodeCommit repository events (e.g., push to branch) but cannot directly run unit tests; it would need to invoke a target like AWS Lambda or CodeBuild, making it an indirect and less integrated solution compared to CodePipeline. Option D is wrong because AWS CodeDeploy is a deployment service that automates application deployments to compute services (e.g., EC2, Lambda) and does not include functionality to run unit tests or trigger builds from source code changes.

44
MCQ · medium

A company uses AWS Elastic Beanstalk for deploying web applications. They want to automate deployments whenever a new commit is pushed to the master branch of their CodeCommit repository. Which AWS service should they use to trigger the deployment?

A. AWS CloudTrail
B. AWS OpsWorks
C. Amazon CloudWatch Events
D. AWS CodePipeline
Answer: D

CodePipeline integrates with CodeCommit and Elastic Beanstalk for continuous delivery.

Why this answer

AWS CodePipeline is a fully managed continuous delivery service that can be configured to automatically trigger a deployment pipeline when a new commit is pushed to a CodeCommit repository's master branch. It integrates directly with CodeCommit as a source action and Elastic Beanstalk as a deployment provider, enabling end-to-end automation without custom scripting.

Exam trap

The trap here is that candidates confuse CloudWatch Events (EventBridge) as a direct trigger for Elastic Beanstalk deployments, but it lacks the built-in pipeline orchestration and artifact management that CodePipeline provides for CI/CD workflows.

How to eliminate wrong answers

Option A is wrong because AWS CloudTrail is an auditing service that records API calls for governance and compliance, not a service for triggering automated deployments. Option B is wrong because AWS OpsWorks is a configuration management service using Chef or Puppet, not designed for event-driven deployment triggers from CodeCommit. Option C is wrong because Amazon CloudWatch Events (now Amazon EventBridge) can detect CodeCommit events but requires a custom target (e.g., a Lambda function) to invoke Elastic Beanstalk; it does not natively orchestrate the deployment pipeline as CodePipeline does.

45
MCQ · easy

A DevOps team uses AWS CodeBuild to compile a Java application. The build environment is managed by AWS and runs on Linux. The team wants to speed up the build process by caching dependency directories across builds. Which configuration should the team use?

A. Configure the buildspec file to use Docker layer caching
B. Use the CodeBuild cache configuration to store the entire build output in a custom Docker image
C. Store dependencies in an Amazon S3 bucket and download them at the start of each build
D. Enable local caching in the CodeBuild project and specify the cache location as /root/.m2
Answer: D

Local caching reuses files from previous builds on the same build agent.

Why this answer

Option B is correct because CodeBuild supports local caching, which can be configured to cache specific directories like the Maven local repository. Option A is wrong because S3 caching is not a built-in CodeBuild feature. Option C is wrong because it is not specific to dependency caching.

Option D is wrong because Docker layer caching is for Docker builds, not Java dependencies.

46
MCQ · medium

Refer to the exhibit. A DevOps engineer attaches this IAM policy to a user. The user reports that they cannot start a pipeline execution for 'my-pipeline' using the AWS CLI. What is the MOST likely reason?

A. The IAM policy does not allow the 'codepipeline:StartPipelineExecution' action.
B. The user is missing the 'codepipeline:ListPipelines' permission needed to list pipelines before execution.
C. The resource ARN for the pipeline is incorrect.
D. The policy has a condition that restricts execution to certain times.
Answer: B

The AWS CLI may need to list pipelines first, requiring additional permissions.

Why this answer

Option C is correct because the user needs 'codepipeline:StartPipelineExecution' permission, which is allowed. But the CLI command may require 'codepipeline:ListPipelines' to list pipelines, which is missing. Option A is wrong because the actions are allowed.

Option B is wrong because the resource ARN is correct. Option D is wrong because there is no such condition.

47
Multi-Select · hard

A company is using AWS CodeBuild to compile and test code. The buildspec.yml file includes a pre_build phase that installs dependencies and a build phase that runs the compilation. The tests are run in the post_build phase. The team wants to improve the security of the build process by ensuring that sensitive information such as database passwords is not exposed in the build logs. Which TWO actions should the team take? (Choose two.)

Select 2 answers
A. Use AWS Systems Manager Parameter Store to store the secrets and reference them in the buildspec using the 'parameter-store' field.
B. Use AWS Secrets Manager to store the secrets and reference them in the buildspec using the 'secrets-manager' field.
C. Restrict access to the build logs by using IAM policies to only allow specific users to view them.
D. Enable encryption at rest for the CodeBuild project's S3 logs.
E. Store the secrets as plain-text environment variables in the CodeBuild project.
Answers: A, B

Parameter Store can store secrets securely and references are not displayed in logs.

Why this answer

Options B and D are correct. Using AWS Systems Manager Parameter Store or AWS Secrets Manager to store secrets and referencing them in the buildspec using parameter-store or secrets-manager prevents secrets from being printed in logs. Option A is wrong because environment variables in plain text can be logged.

Option C is wrong because build logs are accessible to authorized users, but the issue is exposure in plain text. Option E is wrong because encryption at rest does not prevent secrets from being logged in plain text.

48
MCQ · medium

A development team uses AWS CodeCommit as a source repository for their AWS CodePipeline. They want to automatically trigger a pipeline execution when a new branch is created. Which solution should they implement?

A. Create an S3 event notification to invoke the pipeline when a branch is created.
B. Use Amazon CloudWatch Events to trigger the pipeline on a CodeCommit 'Reference Created' event.
C. Configure a webhook in CodePipeline to detect branch creation events.
D. Set up a polling mechanism in CodePipeline to check for new branches every minute.
Answer: B

CloudWatch Events can capture CodeCommit events such as branch creation and trigger the pipeline.

Why this answer

Option B is correct because CloudWatch Events can trigger on CodeCommit events such as branch creation. Option A is wrong because webhooks are for third-party sources. Option C is wrong because polling is inefficient and not a best practice.

Option D is wrong because S3 events are for S3 source, not CodeCommit.

49
MCQ · medium

The exhibit shows the output of the AWS CLI command 'batch-get-builds' for a CodeBuild build. The build failed. What is the most likely cause of the failure?

A.The source code has compilation errors.
B.The buildspec file is malformed.
C.The build project does not have sufficient memory.
D.The S3 bucket 'my-bucket' does not exist or the build project lacks permissions to access it.
AnswerD

The DOWNLOAD_SOURCE phase failed, suggesting an issue with accessing the source artifact in S3.

Why this answer

Option D is correct: the DOWNLOAD_SOURCE phase failed, indicating the source could not be downloaded from S3. Option A is not supported by the output. Option B is not the failed phase.

Option C is not indicated.

50
MCQhard

A company uses AWS CodePipeline with an Amazon S3 source action. The pipeline deploys to an Amazon ECS Fargate service. The engineer notices that the pipeline does not automatically start when a new object is uploaded to the S3 bucket. The S3 bucket versioning is enabled. What is the most likely cause?

A.The pipeline has manual approval required before the source stage
B.The S3 bucket does not have event notifications configured for the pipeline
C.S3 versioning is not enabled on the bucket
D.The ECS service is not configured for blue/green deployments
AnswerB

CodePipeline needs S3 events to trigger automatically.

Why this answer

Option B is correct because the CodePipeline S3 source action requires change detection via Amazon CloudWatch Events or S3 Event Notifications. If the S3 bucket does not have event notifications configured, the pipeline will not trigger automatically. Option C is incorrect because versioning is not required for triggering.

Option A is incorrect because the pipeline can still start manually. Option D is incorrect because Fargate does not affect pipeline triggering.

51
Multi-Selectmedium

Which TWO options are valid ways to trigger an AWS CodePipeline execution automatically? (Choose two.)

Select 2 answers
A.A scheduled CloudWatch Logs metric filter.
B.Completion of a CodeDeploy deployment.
C.Changes to a CodeCommit repository.
D.Manual approval action in the pipeline.
E.Upload of a new object to an S3 bucket.
AnswersC, E

CodePipeline can be configured to start on push to a branch.

Why this answer

Options C and E are correct. Option D is wrong because manual approval does not trigger execution; it pauses. Option B is wrong because CodeDeploy is a deployment service, not a trigger.

Option A is wrong because CloudWatch Logs metric filters do not trigger pipelines.

52
MCQhard

A company runs a containerized microservices application on Amazon ECS with Fargate. The application is deployed using AWS CodePipeline with CodeBuild as the build stage and ECS as the deploy stage. The pipeline uses a deployment controller of type CODE_DEPLOY with a blue/green deployment strategy. Recently, the team noticed that during deployments, the new task set fails health checks and the deployment is rolled back. The application logs indicate that the new containers fail because they cannot connect to the Redis cluster, which is a required dependency. The Redis cluster is running on Amazon ElastiCache and is in the same VPC as the ECS tasks. The team has verified that the security group for the ElastiCache cluster allows inbound traffic from the ECS tasks' security group. The ECS task definition includes the Redis endpoint as an environment variable. What is the MOST likely cause of the connection failure?

A.The new task set is being launched in different private subnets that do not have a route to the ElastiCache cluster.
B.The Redis endpoint environment variable is not being passed correctly to the new task set because of a misconfiguration in the task definition.
C.The security group for the ElastiCache cluster only allows inbound traffic from the security group of the original task set, not the new task set created during deployment.
D.The new task set is using a different VPC than the ElastiCache cluster.
AnswerC

During a blue/green deployment, the new task set uses a different security group (or the same group but with a new rule) and the ElastiCache security group must be updated to allow traffic from the new tasks.

Why this answer

Option C is correct because in a blue/green deployment with CODE_DEPLOY, the new task set is created in a separate target group, and the security group for the ElastiCache cluster must allow traffic from the new task set's security group. If the security group rule only references the original task set's security group, the new task set cannot connect. Option A is wrong because the ECS service uses the same subnets; the issue is not subnet-related.

Option B is wrong because if the environment variable is correctly set, DNS resolution should work. Option D is wrong because the security group for ECS tasks is typically attached to the service, and adding a new security group rule is what is needed.

53
MCQmedium

Refer to the exhibit. An IAM policy is attached to a user. The user reports that they cannot push to the 'MyRepo' repository. What is the likely reason?

A.The policy does not allow GitPush on the repository's branches.
B.The user is not in the correct IAM group.
C.The user does not have GitPull permission on the repository.
D.The policy must include codecommit:CreateRepository action.
AnswerA

GitPush requires permission on the branch resource, not just the repository.

Why this answer

The exhibit's policy grants codecommit:GitPush on arn:aws:codecommit:us-east-1:123456789012:MyRepo and codecommit:GitPull on all resources, so read access is not the problem and no additional action such as codecommit:CreateRepository is needed.

A push targets a branch, and branch resources use a different ARN form: arn:aws:codecommit:region:account:repository-name/branch-name. Because the policy names only the repository ARN, it does not grant GitPush on any branch resource, so the user cannot push to any branch. The fix is to add the branch resource to the GitPush statement.

54
Multi-Selectmedium

A DevOps team is designing a CI/CD pipeline for a microservices application that runs on Amazon ECS. They need to implement automated canary deployments. Which TWO AWS services would be essential for this implementation?

Select 2 answers
A.AWS CodeDeploy
B.AWS CloudFormation
C.AWS CodeBuild
D.Amazon CloudWatch
E.Amazon EC2 Auto Scaling
AnswersA, D

CodeDeploy supports canary deployments for ECS.

Why this answer

Options A and D are correct. AWS CodeDeploy supports canary deployments for ECS, and Amazon CloudWatch provides metrics for monitoring. Option C is wrong because CodeBuild is for building, not deployment.

Option B is wrong because CloudFormation can deploy but does not natively support canary. Option E is wrong because EC2 Auto Scaling is not directly used for canary.

55
MCQeasy

A development team uses AWS CodeBuild to compile a Java application. The build fails during the 'Install' phase with an error: 'Error: JAVA_HOME is not set'. How should the team fix this?

A.Set the environment variable 'JAVA_HOME' in the buildspec file's 'env' section.
B.Use the managed image 'aws/codebuild/standard:5.0' which has Java pre-installed.
C.Install Java in the pre_build phase using a command.
D.Use a custom Docker image that has Java pre-installed.
AnswerA

Setting JAVA_HOME in the 'env' section ensures it is available in all build phases.

Why this answer

Option A is correct: each build phase uses a separate shell, so environment variables set in one phase do not persist. Option B is wrong because it's not needed. Option C is not the cause.

Option D is not necessary.

56
Multi-Selectmedium

A company uses AWS CodePipeline to automate deployments. The pipeline consists of Source, Build, and Deploy stages. The Build stage uses CodeBuild, and the Deploy stage uses CodeDeploy. Recently, the pipeline failed at the Deploy stage with an error: 'The deployment group does not exist'. Which TWO actions should the team take to resolve this issue?

Select 2 answers
A.Verify that the deployment group name specified in the pipeline's Deploy stage matches the actual deployment group name in CodeDeploy.
B.Confirm that the pipeline and the CodeDeploy deployment group are in the same AWS Region.
C.Increase the timeout for the Deploy stage to allow more time for the deployment group to be created.
D.Ensure that the CodeBuild project has permissions to access the CodeDeploy deployment group.
E.Check that the CodeDeploy application exists in the same AWS account as the pipeline.
AnswersA, B

A typo or mismatch in the deployment group name causes this error.

Why this answer

Options A and B are correct: the deployment group name must match exactly, and the pipeline must be in the same region. Option D is not required. Option C is not a common cause.

Option E is not related.

57
MCQmedium

A company uses AWS CodePipeline with Amazon S3 as the source stage. The pipeline triggers on object creation events in the S3 bucket. The development team notices that the pipeline does not trigger when multiple files are uploaded simultaneously. What is the most likely cause?

A.Amazon S3 event notifications are not guaranteed to be delivered for bulk operations.
B.The S3 event notification filter is set to only include objects with a specific prefix or suffix that does not match the uploaded files.
C.CodePipeline does not support triggering from S3 event notifications when multiple files are uploaded simultaneously.
D.The S3 bucket versioning is not enabled, causing events to be lost.
AnswerB

Why this answer

Option B is correct because Amazon S3 event notifications can be filtered by prefix and suffix. If the filter is configured to only match objects with a specific prefix or suffix (e.g., `images/` or `.zip`), and the uploaded files do not match that filter, the event notification will not be sent to CodePipeline, causing the pipeline not to trigger. This is the most likely cause when the pipeline fails to trigger on simultaneous uploads, as the filter configuration is a common misconfiguration.

Exam trap

The trap here is that candidates may incorrectly attribute the issue to a limitation of S3 event notifications or CodePipeline with bulk uploads, rather than recognizing that the most likely cause is a misconfigured event notification filter that excludes the uploaded files.

Why the other options are wrong

A

S3 event notifications are designed to deliver events for each object creation, though there may be occasional delays or duplicates.

C

CodePipeline supports S3 event notifications and can handle multiple triggers.

D

Versioning is not required for event notifications; events are sent regardless.

58
MCQhard

A company uses AWS CodePipeline with multiple stages: Source (Amazon S3), Build (AWS CodeBuild), and Deploy (AWS CodeDeploy). The build stage runs a series of tests, and if they pass, the pipeline proceeds to deploy. Recently, a developer committed a change that passed all tests but caused a production outage. The team wants to add an approval step before the deploy stage, but they also want to ensure that only changes from specific branches can be deployed. What is the MOST secure and maintainable way to enforce this?

A.Use a Lambda function in the pipeline to check the branch name and fail if not allowed.
B.Add a manual approval step in the pipeline and rely on the approver to verify the branch.
C.Create a separate pipeline for each allowed branch, with the approval step only in the production pipeline.
D.Tag the source artifacts with the branch name and use a condition in CodePipeline to allow only specific tags.
AnswerC

Isolating pipelines prevents direct deployment from unauthorized branches.

Why this answer

Option C is correct because it enforces branch-based deployment at the pipeline level, ensuring that only changes from specific branches trigger the production pipeline with the approval step. This approach is secure and maintainable as it leverages AWS CodePipeline's native ability to trigger on branch events, avoiding custom logic or manual verification. By isolating production deployments to a dedicated pipeline, the team reduces the risk of unauthorized or untested code reaching production.

Exam trap

The trap here is that candidates often overestimate the flexibility of CodePipeline's built-in filtering or underestimate the security and maintainability benefits of using separate pipelines per branch, leading them to choose a custom Lambda solution (Option A) that introduces unnecessary complexity and risk.

How to eliminate wrong answers

Option A is wrong because using a Lambda function to check the branch name and fail the pipeline introduces custom code that must be maintained, tested, and secured, increasing complexity and potential failure points; it also fails the pipeline after the build stage, wasting resources. Option B is wrong because relying on a manual approver to verify the branch is error-prone and not automated, violating the principle of secure, maintainable enforcement; it depends on human diligence rather than system-level controls. Option D is wrong because CodePipeline does not support conditions that filter based on artifact tags; tagging source artifacts with branch names does not natively restrict pipeline execution, and such a condition would require custom logic, making it less secure and maintainable.

59
MCQeasy

A development team uses AWS CodeBuild to compile a Java application and run unit tests. The build takes 30 minutes, but the team wants to reduce build time. The codebase has not changed significantly, and dependencies are stable. Which action would be MOST effective in reducing build time?

A.Configure CodeBuild to cache dependencies in an Amazon S3 bucket.
B.Move the build process to a local developer machine to avoid CodeBuild overhead.
C.Reduce the number of unit tests executed in the build phase.
D.Increase the compute type of the build environment to a larger instance.
AnswerA

Caching avoids re-fetching dependencies every build.

Why this answer

Caching dependencies in an Amazon S3 bucket allows CodeBuild to reuse previously downloaded Maven/Gradle dependencies across builds, eliminating the need to re-download them each time. Since the codebase and dependencies are stable, this directly reduces the build time by avoiding repeated network transfers of large artifact repositories.

Exam trap

The trap here is that candidates assume a larger compute instance always speeds up builds, overlooking that network-bound operations like dependency downloads are not significantly improved by CPU or memory upgrades.

How to eliminate wrong answers

Option B is wrong because moving the build to a local developer machine sacrifices consistency, scalability, and auditability, and does not address the core issue of dependency download overhead in CodeBuild. Option C is wrong because reducing unit tests compromises code quality and test coverage, and the question states the team wants to reduce build time without changing the codebase significantly — removing tests is not a valid optimization. Option D is wrong because increasing the compute type primarily accelerates CPU-bound tasks (compilation), but the bottleneck here is likely network-bound dependency downloads; a larger instance does not reduce the time spent downloading unchanged dependencies.

60
MCQhard

An organization uses AWS CodePipeline with multiple stages: Source, Build, Deploy to Test, Deploy to Prod. They want to implement a canary deployment strategy for the production deployment. Which approach should they use?

A.Use a Lambda function in CodePipeline to manually adjust weights in Route53.
B.Use CodeDeploy with a canary deployment configuration in the Deploy to Prod stage.
C.Use an Elastic Load Balancer to gradually shift traffic using weighted target groups.
D.Use CloudFormation with a canary update policy in the Deploy to Prod stage.
AnswerB

CodeDeploy provides built-in canary traffic shifting for both EC2/On-Premises and Lambda.

Why this answer

CodeDeploy supports canary deployments with a deployment configuration that specifies a percentage of traffic to shift to the new version initially.

61
MCQmedium

A team uses AWS CodePipeline to deploy a microservices application. The pipeline has a deploy action that uses AWS CloudFormation. The CloudFormation template creates an Amazon ECS service. The deployment fails because the ECS service cannot be updated. What is the most likely cause?

A.The CloudFormation stack already exists and is in a previous failed state.
B.The ECS service is in a steady state and cannot be modified.
C.The CodePipeline deploy action is configured with the wrong action type.
D.The IAM role used by CloudFormation does not have permission to update ECS services.
AnswerA

A failed stack must be deleted or updated with a changeset.

Why this answer

When a CloudFormation stack update fails, the stack enters a ROLLBACK_COMPLETE or UPDATE_ROLLBACK_COMPLETE state. In this state, the stack is considered to be in a 'failed' state and cannot be updated again until it is either deleted or the stack is manually continued with a rollback. CodePipeline's CloudFormation deploy action will attempt to perform a stack update, but CloudFormation rejects the request because the existing stack is in a non-updatable state, causing the pipeline deployment to fail.

Exam trap

The trap here is that candidates often assume the error is due to missing IAM permissions or a misconfigured action type, but the real issue is CloudFormation's requirement that stacks be in a valid state before updates can proceed.

How to eliminate wrong answers

Option B is wrong because an ECS service in a steady state (e.g., ACTIVE) can be modified via CloudFormation updates; the error is not due to the service being immutable. Option C is wrong because the deploy action type (CloudFormation) is correct for deploying infrastructure; the failure is not related to a misconfigured action type. Option D is wrong because if the IAM role lacked permissions, the error would be an access denied or authorization failure, not a generic 'cannot be updated' error from CloudFormation.

62
MCQeasy

A team uses AWS CodeDeploy to deploy an application to an Auto Scaling group. The deployment fails with the error: 'The overall deployment failed because too many individual instances failed deployment.' The instances are healthy and can connect to the CodeDeploy service. What is the most likely cause?

A.The Auto Scaling group launch configuration is incorrect.
B.The deployment group is not configured with the correct service role.
C.The appspec.yml file or lifecycle event scripts have errors.
D.The target revision is not accessible from the instances.
AnswerC

Lifecycle event scripts must succeed; otherwise the deployment fails per instance.

Why this answer

The appspec.yml file defines hooks like BeforeBlockTraffic, AfterInstall, etc. If these scripts exit with a non-zero code, the deployment fails.

63
MCQmedium

A company uses AWS CodePipeline to deploy a static website to an S3 bucket. The pipeline includes a source stage (S3), a build stage (CodeBuild) that minifies assets, and a deploy stage that copies files to the production S3 bucket. The deploy stage uses 's3 sync' command. After a recent deployment, some users report seeing old content. What is the MOST likely cause?

A.The website is served through Amazon CloudFront, and the CloudFront distribution cache was not invalidated after the deployment.
B.The S3 bucket policy blocks public read access, so users get a 403 error.
C.The IAM role for CodeBuild does not have permissions to write to the S3 bucket.
D.The deploy stage uses 's3 cp' instead of 's3 sync', so new files are not uploaded.
AnswerA

CloudFront caches content; without invalidation, users see stale files.

Why this answer

Option A is correct because S3 does not automatically invalidate the CloudFront cache; old cached files are served. Option D is incorrect because 's3 sync' does upload new files. Option B is incorrect because bucket policies don't affect content freshness.

Option C is incorrect because CodeBuild would fail if permissions were insufficient.

64
MCQmedium

A company uses AWS CodeCommit for source control. Developers frequently push large binary files (e.g., compiled JARs) to the repository, causing the repository size to grow rapidly and slowing down clone operations. The team wants to enforce a policy to reject pushes that contain files larger than 50 MB. Which approach should be used?

A.Configure a CodeCommit trigger that invokes an AWS Lambda function to validate file sizes and reject the push.
B.Set up an Amazon CloudWatch Events rule to monitor repository size and alert when it exceeds a threshold.
C.Create an IAM policy that denies the `codecommit:GitPush` action if the file size exceeds 50 MB.
D.Use a pre-receive hook in the repository to reject large files by generating an S3 pre-signed URL.
AnswerA

CodeCommit triggers allow custom validation before accepting a push.

Why this answer

Option A is correct because AWS CodeCommit supports custom triggers that invoke AWS Lambda functions on repository events, including pushes. By configuring a trigger for the 'push' event, a Lambda function can inspect each file in the push payload, check its size against the 50 MB threshold, and programmatically reject the push by returning an error response. This approach enforces the policy at the repository level without requiring client-side changes.

Exam trap

The trap here is that candidates confuse CodeCommit triggers with Git hooks (like pre-receive hooks) or assume IAM policies can enforce content-based rules, when in fact IAM cannot inspect file contents and CodeCommit does not support server-side Git hooks.

How to eliminate wrong answers

Option B is wrong because Amazon CloudWatch Events can monitor repository metrics and send alerts, but it cannot actively reject a push; it only provides post-hoc notification after the push has already occurred. Option C is wrong because IAM policies evaluate permissions based on the principal, action, and resource, but they cannot inspect the content or size of files being pushed; the `codecommit:GitPush` action does not support condition keys for file size. Option D is wrong because CodeCommit does not support pre-receive hooks; that feature is specific to self-managed Git servers, and CodeCommit's hosted Git does not expose hook mechanisms like pre-receive scripts. Generating an S3 pre-signed URL is unrelated to rejecting pushes.

65
MCQeasy

A DevOps engineer is troubleshooting a failed build in AWS CodeBuild. The build log shows: 'Error: Cannot find module 'lodash'.' The buildspec.yml file lists 'npm install' as a command. What is the most likely cause?

A.The npm install command is running before the source is downloaded.
B.The lodash package is not compatible with the Node.js version.
C.The package.json file is missing or does not include lodash.
D.The build environment does not have internet access to download packages.
AnswerC

npm install reads package.json; if lodash is not listed, it won't be installed.

Why this answer

npm install may fail if the package.json file is not present or has errors. The missing module indicates that dependencies were not installed properly.

66
MCQhard

A company is using AWS CodeDeploy to deploy a web application to an Auto Scaling group of Amazon EC2 instances. The deployment strategy is Blue/Green. After a successful deployment, the team notices that the new instances are receiving traffic but the application returns errors. The old instances are still serving traffic correctly. The team wants to roll back immediately. What should be done?

A.Stop the current deployment using the AWS CLI.
B.Manually update the Auto Scaling group to associate new instances with the old launch configuration.
C.Configure the deployment group to automatically roll back when a deployment fails, then manually trigger a rollback.
D.Redeploy the same application revision to the same Auto Scaling group.
AnswerC

CodeDeploy supports automatic rollback; triggering a rollback will reroute traffic back to the blue environment.

Why this answer

Option C is correct because in a Blue/Green deployment, CodeDeploy can automatically roll back by re-routing traffic to the original (blue) environment if a deployment fails. Option D is wrong because redeploying the same revision would redeploy the faulty code. Option A is wrong because stopping the deployment terminates the process but does not restore traffic to the old instances.

Option B is wrong because while you could manually reassociate instances, CodeDeploy provides a built-in rollback mechanism.

67
MCQhard

An organization uses AWS CodePipeline to deploy a web application to Amazon EC2 instances behind an Application Load Balancer. The deployment uses a CodeDeploy action with an in-place deployment configuration. After a recent deployment, some instances are running the old version while others are running the new version. What is the most likely cause?

A.The deployment group is associated with an Auto Scaling group that launched new instances during the deployment.
B.The deployment group was configured with the 'AllAtOnce' deployment configuration, and the deployment failed partway through.
C.A lifecycle hook is configured to pause the deployment until manual approval.
D.The deployment was configured to use a blue/green strategy, but the target group is misconfigured.
AnswerB

AllAtOnce deploys to all instances simultaneously; a failure may leave some instances updated.

Why this answer

Option B is correct because if the deployment group is set to deploy to all instances at once (AllAtOnce), there is no rolling update, and if the deployment fails partway, some instances may be updated and others not. Option C is wrong because a lifecycle hook would not cause a partial deployment; it would pause. Option A is wrong because CodeDeploy does not depend on Auto Scaling for in-place deployments.

Option D is wrong because a failed health check would cause the deployment to fail entirely, not partially.

68
MCQeasy

A DevOps engineer needs to automate the creation of a new AWS CodeCommit repository when a new project starts. The engineer wants to use infrastructure as code. Which service should be used?

A.AWS CloudFormation
B.AWS CodePipeline
C.AWS CodeStar
D.AWS CodeBuild
AnswerA

CloudFormation can define CodeCommit repositories as resources.

Why this answer

Option A is correct because AWS CloudFormation can manage CodeCommit repositories as resources. Option B is wrong because CodePipeline orchestrates CI/CD, not resource creation. Option C is wrong because CodeStar is a project management tool, not infrastructure as code.

Option D is wrong because CodeBuild is a build service.

69
Multi-Selecteasy

Which THREE AWS services can be used as a source action in AWS CodePipeline? (Choose three.)

Select 3 answers
A.Amazon S3
B.Amazon DynamoDB
C.AWS CodeCommit
D.AWS CloudFormation
E.GitHub (via webhook)
AnswersA, C, E

S3 can be a source for zip files.

Why this answer

Options A, C, and E are correct. Option B is wrong because DynamoDB is not a source. Option D is wrong because CloudFormation is not a source.

70
MCQeasy

A DevOps engineer is designing a CI/CD pipeline for a serverless application using AWS Lambda and Amazon API Gateway. The team wants to automate deployment across multiple environments (dev, test, prod) with environment-specific configuration. Which approach should the engineer use?

A.Use the AWS Serverless Application Model (SAM) with CodePipeline, and pass environment parameters as CloudFormation parameter overrides.
B.Use CodeBuild to package the Lambda code and then use CloudFormation with parameters for each environment.
C.Use CodeDeploy with a deployment configuration that deploys to all environments sequentially.
D.Use CodePipeline with separate CodeBuild projects for each environment.
AnswerA

SAM integrates with CodePipeline and allows parameter overrides per environment.

Why this answer

Option A is correct because AWS SAM supports environment parameterization and is designed for serverless. Option C is not environment-aware. Option B requires manual variable management.

Option D lacks environment-specific configuration.

71
Multi-Selectmedium

A DevOps team uses AWS CloudFormation to manage infrastructure. They want to implement a change management process that requires approval before making changes to production stacks. Which TWO approaches can be used to enforce this?

Select 2 answers
A.Use CloudFormation StackSets to manage approvals.
B.Use CloudFormation Stack Policies to prevent updates.
C.Use CloudFormation Drift Detection to detect changes.
D.Use AWS CodePipeline with a manual approval stage.
E.Use CloudFormation Change Sets to review and manually execute changes.
AnswersD, E

Manual approval stage enforces review before deployment.

Why this answer

Option D is correct because AWS CodePipeline can include a manual approval stage that pauses the pipeline and requires explicit approval before proceeding to deploy changes to production stacks. Option E is correct because CloudFormation Change Sets allow you to review the proposed changes and then manually execute them, ensuring that no changes are applied without human review and approval.

Exam trap

The trap here is that candidates may confuse Stack Policies (which prevent updates to specific resources) with an approval workflow, or think that Drift Detection can be used to block changes, when in fact it only reports drift after the fact.

72
MCQhard

A company uses AWS CodePipeline to deploy a serverless application. The pipeline has a source stage (CodeCommit), a build stage (CodeBuild), and a deploy stage (CloudFormation). The deployment consistently fails because the Lambda function's IAM role is not created before the function. The team uses a single CloudFormation template. Which action should be taken to resolve this dependency issue?

A.Add a DependsOn attribute in the CloudFormation template to ensure the IAM role is created before the Lambda function.
B.Create the IAM role in a separate CodeBuild action before the deploy stage.
C.Add a wait condition in the CloudFormation template.
D.Separate the IAM role into a nested stack and reference it.
AnswerA

DependsOn explicitly sets creation order.

Why this answer

Option A is correct because CloudFormation handles resource dependencies via the DependsOn attribute. The issue is that the template likely lacks a DependsOn on the Lambda function resource to wait for the IAM role. Adding DependsOn ensures the role is created first.

Option B is wrong because the role belongs in the same template, not in a separate CodeBuild action. Option C is wrong because wait conditions are for external signals, not resource dependencies. Option D is wrong because nested stacks add complexity but don't inherently fix dependency ordering.
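As an added example (not part of the question bank), the checker below parses a constructed CloudFormation template and derives creation order from implicit (Ref / Fn::GetAtt) and explicit (DependsOn) edges. It also shows the case the question is about: when the function's Role is a hard-coded ARN string there is no implicit dependency, so an explicit DependsOn is what guarantees the role is created first.

```python
"""Added example (not from the question bank): derive CloudFormation
resource creation order from Ref/Fn::GetAtt and DependsOn edges."""
from graphlib import TopologicalSorter

# Constructed template: a Lambda execution role and a function. The Role
# property uses Fn::GetAtt (implicit dependency) and DependsOn is also set
# (explicit dependency), which is the fix the question asks for.
TEMPLATE = {
    "Resources": {
        "LambdaRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {"AssumeRolePolicyDocument": {}, "Path": "/"},
        },
        "MyFunction": {
            "Type": "AWS::Lambda::Function",
            "DependsOn": "LambdaRole",
            "Properties": {
                "Role": {"Fn::GetAtt": ["LambdaRole", "Arn"]},
                "Handler": "index.handler",
                "Runtime": "python3.12",
            },
        },
    }
}

def _referenced(node, names, out):
    """Collect logical IDs referenced via Ref or Fn::GetAtt inside node."""
    if isinstance(node, dict):
        if "Ref" in node and node["Ref"] in names:
            out.add(node["Ref"])
        if "Fn::GetAtt" in node:
            target = node["Fn::GetAtt"]
            lid = target[0] if isinstance(target, list) else target.split(".")[0]
            if lid in names:
                out.add(lid)
        for value in node.values():
            _referenced(value, names, out)
    elif isinstance(node, list):
        for value in node:
            _referenced(value, names, out)

def dependencies(template):
    """Map each logical ID to the set of resources it must wait for."""
    resources = template["Resources"]
    names = set(resources)
    deps = {}
    for lid, res in resources.items():
        found = set()
        _referenced(res.get("Properties", {}), names, found)
        explicit = res.get("DependsOn", [])
        found.update([explicit] if isinstance(explicit, str) else explicit)
        deps[lid] = found
    return deps

def creation_order(template):
    """Return a valid creation order; raises CycleError on circular deps."""
    return list(TopologicalSorter(dependencies(template)).static_order())
```

Running `dependencies` on a template whose Role is a plain ARN string and that has no DependsOn returns an empty dependency set for the function, which is exactly the ordering gap the question describes.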

73
MCQeasy

A company uses AWS Systems Manager Automation to patch EC2 instances. The automation document 'AWS-RunPatchBaseline' runs successfully but some instances are not patched because they are not managed by Systems Manager. What is the most likely reason?

A.The instances are running Windows Server 2012 or older.
B.The instances are in a VPC without internet access.
C.The instances do not have the AWS Systems Manager Agent (SSM Agent) installed and the required IAM role attached.
D.The automation document is not compatible with the instance's operating system.
AnswerC

Systems Manager requires the SSM Agent to be installed and an IAM role that permits Systems Manager actions (e.g., AmazonSSMManagedInstanceCore).

Why this answer

Option C is correct: the SSM Agent must be installed and the instance must have an IAM role that allows Systems Manager actions. Option A is not a requirement. Option B is not required.

Option D is incorrect.

74
MCQeasy

A startup is using AWS CodeBuild to build and test their application. The build process takes about 10 minutes. Recently, they noticed that some builds are failing randomly with the error 'Could not download dependencies'. The build environment uses a custom Docker image stored in Amazon ECR. The team suspects that the issue is due to network connectivity problems when pulling the Docker image or dependencies from the internet. They want to ensure reliable and faster builds. Which solution should they implement?

A.Switch to using a public Docker image from Docker Hub
B.Increase the build timeout in CodeBuild project settings
C.Use a larger compute type for the CodeBuild project
D.Configure CodeBuild to use a VPC with a NAT gateway
AnswerD

VPC with NAT gateway provides reliable internet access for pulling images and dependencies

Why this answer

Option D is correct. To improve reliability and speed, use an Amazon ECR repository in the same region and configure CodeBuild to use a VPC with a NAT gateway for internet access, or use a VPC endpoint for ECR. The best approach here is a VPC with a NAT gateway, which provides consistent internet access.

Option B (increase build timeout) does not fix the root cause. Option C (use a larger compute type) may not resolve network issues. Option A (use a public Docker Hub image) may still have network issues and is not under the team's control.

75
MCQmedium

A DevOps engineer is designing a CI/CD pipeline for a serverless application using AWS Lambda. They want to automatically deploy the latest version of the Lambda function to production after running integration tests. The source code is in AWS CodeCommit. Which pipeline configuration should they use?

A.CodeCommit -> CodeBuild (test) -> CodeDeploy (Lambda deployment) -> Lambda.
B.CodeCommit -> CodeBuild (test) -> Lambda (deploy via update-function-code).
C.CodeCommit -> Lambda (deploy via S3 trigger) -> CodeBuild (test) -> production.
D.CodeCommit -> CodeBuild (test and deploy) -> Lambda via AWS CLI in buildspec.
AnswerA

CodeDeploy provides canary, linear, and all-at-once deployments for Lambda.

Why this answer

The best practice is to use CodePipeline with CodeBuild for testing and CodeDeploy for Lambda deployment. Option A is correct.
