CCNA SDLC Automation Questions

75 of 397 questions · Page 3/6 · SDLC Automation · Answers revealed

151
MCQ · hard

A company uses AWS CodeDeploy to deploy a web application to an Auto Scaling group. The deployment fails during the 'ValidateService' lifecycle event. The CloudWatch Agent reports that the target process is running but the health check endpoint returns HTTP 503. The CodeDeploy agent logs show no errors. What is the most likely cause of the failure?

A. The Auto Scaling group is not healthy
B. The CodeDeploy agent is not installed on the instances
C. The application is not fully functional due to missing configuration files
D. The target process is not listening on the expected port
Answer: C

Process is running but health check fails, suggesting configuration issue.

Why this answer

Option C is correct because the health check fails (HTTP 503) even though the process is running: the server is up and answering requests but reporting itself unavailable, which is what you see when an application starts without the configuration files or dependencies it needs to serve traffic. Option B is incorrect because the CodeDeploy agent logged no errors, so it is installed and ran the hook. Option A is incorrect because Auto Scaling group health checks are separate from CodeDeploy's ValidateService event, which runs the validation script you supply in the AppSpec file.

Option D is incorrect because a 503 is an HTTP response: something on the expected port accepted the connection and replied. If nothing were listening, the check would fail with a connection-refused or timeout error instead.
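A ValidateService hook that tells these two failure modes apart, added here as an example and not code from the page: it polls the health endpoint and fails the lifecycle event with a message that separates "nothing is listening" (connection refused) from "listening but unhealthy" (the HTTP 503 in the question). The endpoint URL, attempt count and delay are assumptions; the stub server and free-port helper are constructed stand-ins so the script can be exercised without a real deployment.

```python
#!/usr/bin/env python3
"""CodeDeploy ValidateService hook (added example, not from the page).

Polls the application's health endpoint and fails the deployment with a
diagnostic that distinguishes 'nothing on the port' from 'server answered but
unhealthy'. HEALTH_URL, ATTEMPTS and DELAY_SECONDS are assumptions."""
import http.server
import socket
import sys
import threading
import time
import urllib.error
import urllib.request

HEALTH_URL = "http://127.0.0.1:8080/health"  # assumption: the app's health endpoint
ATTEMPTS = 10
DELAY_SECONDS = 3


def probe(url, timeout=5.0):
    """Return (state, detail): 'healthy', 'unhealthy' (HTTP error) or 'unreachable'."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return "healthy", "HTTP %d" % resp.status
    except urllib.error.HTTPError as exc:
        # The server produced a response, so a process is listening; it is just not ready.
        return "unhealthy", "HTTP %d" % exc.code
    except (urllib.error.URLError, OSError) as exc:
        # Connection refused or timeout: no process (or the wrong one) on the port.
        return "unreachable", str(getattr(exc, "reason", exc))


HINTS = {
    "unhealthy": "a process is listening but not ready; check config files, secrets and backend connectivity",
    "unreachable": "nothing accepted the connection; check the process, bind address and port",
}


def validate(url=HEALTH_URL, attempts=ATTEMPTS, delay=DELAY_SECONDS, sleep=time.sleep):
    """Retry the probe; return (exit_code, message). A non-zero exit fails the lifecycle event."""
    state, detail = "unreachable", "no attempts made"
    for _ in range(attempts):
        state, detail = probe(url)
        if state == "healthy":
            return 0, "ValidateService ok: %s" % detail
        sleep(delay)
    return 1, "ValidateService failed after %d attempts: %s (%s)" % (attempts, detail, HINTS[state])


# --- constructed local stand-ins, so the hook can be demonstrated without a deployment ---

def free_port():
    """Pick a TCP port nobody is listening on (demonstrates the 'unreachable' case)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def start_stub_server(status_code):
    """Start a throwaway HTTP server answering every GET with status_code; return its port."""

    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(status_code)
            self.end_headers()
            self.wfile.write(b"stub")

        def log_message(self, *args):  # keep the demo quiet
            pass

    server = http.server.HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server.server_address[1]


if __name__ == "__main__":
    # Real hook: run with no arguments against HEALTH_URL.
    # Demo: --demo starts a 503 stub server and reproduces the question's symptom.
    if "--demo" in sys.argv:
        port = start_stub_server(503)
        code, msg = validate("http://127.0.0.1:%d/health" % port, attempts=2, delay=0)
    else:
        code, msg = validate()
    print(msg)
    sys.exit(code)
```

Wire it in with a `ValidateService` entry in appspec.yml that points at the script and give it a timeout longer than attempts multiplied by delay; the hint in the failure message is what you want to see in the CodeDeploy deployment events rather than a bare non-zero exit.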

152
MCQ · hard

An organization has an AWS CodePipeline that deploys a critical application. The pipeline uses a manual approval step before deploying to production. The team wants to ensure that only authorized users can approve the deployment, and that the approval action is logged for compliance. Which combination of actions should the team take? (Select TWO.)

A. Configure the approval action to invoke an AWS Lambda function that validates the approver's IAM role tags.
B. Enable AWS CloudTrail to log all approval API calls for auditing.
C. Use Amazon Simple Notification Service (SNS) to send approval notifications and allow any subscriber to approve.
D. Use AWS CodeCommit to manage approval permissions via repository policies.
E. Store approval logs in Amazon CloudWatch Logs for real-time monitoring.
Answer: A, B

This allows custom authorization based on tags.

Why this answer

Options A and B are correct. Option A: having the approval stage invoke a Lambda function that inspects the caller's IAM role tags (for example, role=approver) restricts who can approve. Option B: CloudTrail records the PutApprovalResult API call together with the principal that made it, which is the record compliance needs.

Option C is wrong because SNS only delivers the notification; it provides no authorization, and anyone holding the link still has to be allowed to call PutApprovalResult. Option D is wrong because CodeCommit repository policies govern repository access, not pipeline approvals. Option E is wrong because CloudWatch Logs stores log data but does not itself capture API calls; CloudTrail is the service that records who approved what.

In practice the authorization is enforced in IAM: grant codepipeline:PutApprovalResult only to the approver role, with the Resource scoped to the approval action ARN (arn:aws:codepipeline:region:account-id:pipeline-name/stage-name/action-name), so that SNS subscribers and other pipeline users cannot approve.
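The audit side of this question in working code, added here as an example and not from the page: the IAM statement that scopes PutApprovalResult to one approval action, and a small detector that runs over CloudTrail records, keeps every approval decision and flags the ones made by a principal outside the approver role. The records are constructed to mirror the CloudTrail event shape; the account, pipeline, stage and role names are assumptions.

```python
"""Audit CodePipeline approvals from CloudTrail records (added example, not from the page)."""
import json

# IAM policy for the approver role: PutApprovalResult on exactly one approval action.
# Resource ARN shape: arn:aws:codepipeline:region:account:pipeline/stage/action (names assumed).
ALLOWED_APPROVAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "codepipeline:PutApprovalResult",
        "Resource": "arn:aws:codepipeline:us-east-1:111122223333:payments-pipeline/ApproveProd/ManualApproval",
    }],
}

# Principals allowed to approve, matched on the IAM role (session names vary per login).
ALLOWED_APPROVER_ROLES = {"arn:aws:iam::111122223333:role/ReleaseApprover"}


def role_arn_from_identity(identity):
    """Reduce an assumed-role session identity to its role ARN; other identity types keep their ARN."""
    if identity.get("type") == "AssumedRole":
        return identity["sessionContext"]["sessionIssuer"]["arn"]
    return identity.get("arn", "")


def audit_approvals(records, allowed_roles=ALLOWED_APPROVER_ROLES):
    """Return (approvals, violations): every approval call, and the successful ones by unauthorised principals."""
    approvals, violations = [], []
    for rec in records:
        if rec.get("eventSource") != "codepipeline.amazonaws.com" or rec.get("eventName") != "PutApprovalResult":
            continue
        params = rec.get("requestParameters") or {}
        entry = {
            "time": rec["eventTime"],
            "principal": role_arn_from_identity(rec["userIdentity"]),
            "pipeline": params.get("pipelineName"),
            "stage": params.get("stageName"),
            "action": params.get("actionName"),
            "status": (params.get("result") or {}).get("status"),
            "error": rec.get("errorCode"),
        }
        approvals.append(entry)
        # A call IAM denied (errorCode set) is worth seeing, but only a successful
        # approval by the wrong principal is a control failure.
        if entry["error"] is None and entry["principal"] not in allowed_roles:
            violations.append(entry)
    return approvals, violations


# Constructed sample records (not real CloudTrail output).
SAMPLE_RECORDS = [
    {
        "eventTime": "2024-05-01T10:00:00Z", "eventSource": "codepipeline.amazonaws.com",
        "eventName": "PutApprovalResult",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/ReleaseApprover/alice",
                         "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::111122223333:role/ReleaseApprover"}}},
        "requestParameters": {"pipelineName": "payments-pipeline", "stageName": "ApproveProd",
                              "actionName": "ManualApproval",
                              "result": {"status": "Approved", "summary": "QA signed off"}},
    },
    {
        "eventTime": "2024-05-01T11:30:00Z", "eventSource": "codepipeline.amazonaws.com",
        "eventName": "PutApprovalResult",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
        "requestParameters": {"pipelineName": "payments-pipeline", "stageName": "ApproveProd",
                              "actionName": "ManualApproval",
                              "result": {"status": "Approved", "summary": "looks fine"}},
    },
    {
        "eventTime": "2024-05-01T11:31:00Z", "eventSource": "codepipeline.amazonaws.com",
        "eventName": "PutApprovalResult", "errorCode": "AccessDenied",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/carol"},
        "requestParameters": {"pipelineName": "payments-pipeline", "stageName": "ApproveProd",
                              "actionName": "ManualApproval", "result": {"status": "Approved"}},
    },
    {
        "eventTime": "2024-05-01T12:00:00Z", "eventSource": "codepipeline.amazonaws.com",
        "eventName": "StartPipelineExecution",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
        "requestParameters": {"name": "payments-pipeline"},
    },
]

if __name__ == "__main__":
    all_approvals, bad = audit_approvals(SAMPLE_RECORDS)
    print(json.dumps({"approvals": len(all_approvals), "violations": bad}, indent=2))
```

If the detector ever reports a violation, the IAM scoping above has a hole (a broader policy elsewhere, or the approver role trusted by more principals than intended); the CloudTrail record tells you which.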

153
Multi-Select · hard

A DevOps team is designing a CI/CD pipeline for a microservices application. Each microservice has its own code repository and build artifacts. The team wants to use AWS CodePipeline with multiple parallel actions to build and test all microservices simultaneously. They also want to ensure that if one microservice's build fails, the pipeline does not block other microservices. Which THREE steps should the team take? (Choose THREE.)

Select 3 answers
A. Use a parallel action group with separate build actions for each microservice.
B. Create a separate pipeline for each microservice to fully isolate failures.
C. Configure the pipeline to block subsequent stages if any build action fails.
D. Configure a single build action that sequentially builds all microservices.
E. Set the 'RunOrder' field for each build action to the same number to run them in parallel.
Answers: A, B, E

Parallel actions allow simultaneous builds.

Why this answer

Options A and E are correct because a parallel action group, with one build action per microservice and the same RunOrder on each, makes CodePipeline start all the builds at once within a single stage; builds that are already running are not cancelled when a sibling fails, so a broken microservice does not hold up the others' builds. Note, though, that a failed action still fails the stage, so nothing after that stage runs until the failure is retried. Option B is also correct because a separate pipeline per microservice is the only way to isolate failures completely: each repository triggers its own execution, and one service's red build never stops another service's deployment.

Exam trap

The trap here is treating the two designs as mutually exclusive. Parallel actions (A and E) give concurrency inside one pipeline but share that pipeline's fate on failure; separate pipelines (B) give full isolation. Options C and D do the opposite of what is asked: C makes every failure block downstream work, and D builds the services one after another, so one slow or broken build delays all the rest.

154
MCQ · medium

A development team uses AWS CodePipeline with multiple stages including source, build, and deploy. The pipeline uses an Amazon S3 source action that triggers on changes to a specific bucket. Recently, the pipeline stopped triggering automatically. The IAM role for CodePipeline has the necessary permissions. What is the most likely cause?

A. The IAM role for CodePipeline does not have s3:GetObject permission.
B. The S3 bucket policy denies access to CodePipeline.
C. The S3 bucket does not have event notifications configured.
D. AWS CloudTrail is not configured to deliver S3 data events to CloudWatch Logs.
Answer: D

CodePipeline relies on an Amazon EventBridge (CloudWatch Events) rule, which only receives S3 object-level events when a CloudTrail trail logs S3 data events for the bucket.

Why this answer

Option D is correct because CodePipeline detects changes to an S3 source through an EventBridge (CloudWatch Events) rule that matches the PutObject and CompleteMultipartUpload calls on the source object. Those calls are S3 data events, which only reach EventBridge while a CloudTrail trail is logging data events for that bucket; if the trail was removed or its data-event selector no longer covers the bucket, the pipeline silently stops triggering even though nothing else changed. Option C is wrong because S3 bucket event notifications are not what CodePipeline uses to start an execution.

Option A is wrong because the question states the pipeline role has the permissions it needs, and a missing s3:GetObject would fail the source action after the execution started rather than stop it from triggering. Option B is wrong because a bucket policy would produce an access-denied failure in the source stage, not a pipeline that never starts.
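The check a practitioner runs first when an S3-sourced pipeline stops triggering, added here as an example and not code from the page: given each trail's name, logging state and event selectors (the shape CloudTrail's get-event-selectors returns, basic selectors only; advanced event selectors are not handled), report whether any active trail will record a write to the source key. The trails, bucket and key are constructed sample data.

```python
"""Does any CloudTrail trail log S3 write data events for a CodePipeline source key?
(added example, not from the page; basic EventSelectors only)"""

ALL_S3 = "arn:aws:s3"  # a data-resource value meaning 'every bucket'


def selector_covers(selector, bucket, key):
    """True if one event selector records write events for s3://bucket/key."""
    if selector.get("ReadWriteType", "All") not in ("All", "WriteOnly"):
        return False  # PutObject is a write event; a read-only selector never emits it
    object_arn = "arn:aws:s3:::%s/%s" % (bucket, key)
    for resource in selector.get("DataResources", []):
        if resource.get("Type") != "AWS::S3::Object":
            continue
        for value in resource.get("Values", []):
            # Values are 'arn:aws:s3' (all buckets), 'arn:aws:s3:::bucket/' (whole bucket)
            # or 'arn:aws:s3:::bucket/prefix' (objects under that prefix).
            if value == ALL_S3 or object_arn.startswith(value):
                return True
    return False


def trails_logging_source(trails, bucket, key):
    """Names of the active trails whose selectors will record PutObject for the source key."""
    return [t["Name"] for t in trails
            if t.get("IsLogging", False)
            and any(selector_covers(s, bucket, key) for s in t.get("EventSelectors", []))]


def diagnose_trigger(trails, bucket, key):
    """Human-readable verdict for why an S3 source action might not trigger."""
    names = trails_logging_source(trails, bucket, key)
    if names:
        return "ok: data events for s3://%s/%s are logged by %s" % (bucket, key, ", ".join(names))
    return ("no active trail logs S3 write data events for s3://%s/%s; "
            "EventBridge never receives PutObject, so the pipeline will not start" % (bucket, key))


# Constructed sample trails (name + logging status joined with get-event-selectors output).
SAMPLE_TRAILS = [
    {   # management events only: the common misconfiguration
        "Name": "management-only", "IsLogging": True,
        "EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True, "DataResources": []}],
    },
    {   # logs data events, but for a different bucket
        "Name": "other-bucket", "IsLogging": True,
        "EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": False,
                            "DataResources": [{"Type": "AWS::S3::Object",
                                               "Values": ["arn:aws:s3:::logs-bucket/"]}]}],
    },
    {   # would cover the source bucket, but logging has been stopped
        "Name": "stopped", "IsLogging": False,
        "EventSelectors": [{"ReadWriteType": "WriteOnly", "IncludeManagementEvents": False,
                            "DataResources": [{"Type": "AWS::S3::Object",
                                               "Values": ["arn:aws:s3:::pipeline-source/"]}]}],
    },
]

if __name__ == "__main__":
    print(diagnose_trigger(SAMPLE_TRAILS, "pipeline-source", "app/release.zip"))
    fixed = dict(SAMPLE_TRAILS[2], IsLogging=True)
    print(diagnose_trigger(SAMPLE_TRAILS + [fixed], "pipeline-source", "app/release.zip"))
```

The third sample trail is the realistic failure: the selector is right but someone stopped logging, so the bucket policy and the pipeline role look fine while the trigger quietly dies.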

155
MCQ · easy

A company uses AWS CloudFormation to deploy infrastructure. They have a template that creates an Amazon EC2 instance and an Elastic IP address. The template uses the AWS::EC2::EIP resource. The team notices that when they delete the stack, the Elastic IP address is not released, leading to charges. They want to ensure that the Elastic IP is automatically released when the stack is deleted. What should they do?

A. Set the DeletionPolicy attribute to 'Retain' to keep the EIP
B. Create a custom resource to release the EIP before stack deletion
C. Set the DeletionPolicy attribute to 'Delete' on the EIP resource
D. Add a DependsOn clause to ensure proper order of deletion
Answer: C

The default DeletionPolicy is Delete; set it explicitly on the EIP so it is never accidentally retained.

Why this answer

By default CloudFormation releases an AWS::EC2::EIP when the stack is deleted. The address is kept only when the resource carries DeletionPolicy: Retain, or when the release fails because the address is still associated with a network interface that CloudFormation is not deleting (for example, one attached outside the stack). Set DeletionPolicy to Delete on the EIP resource (the default, but explicit) and declare any association in the template, so that CloudFormation removes the association before releasing the address. If a deletion still leaves the EIP behind, the stack events will show the EIP resource in DELETE_FAILED together with the reason.

Option C is correct. Option A (Retain) is the opposite of what is wanted and keeps charging for the address. Option B (a custom resource) adds code to do what CloudFormation already does. Option D (DependsOn) only controls the order in which resources are created and deleted; it does not change whether the EIP is released.

156
MCQ · hard

A team uses AWS CodePipeline to deploy a containerized application to Amazon ECS. The pipeline uses a source stage from CodeCommit, a build stage that builds a Docker image and pushes it to Amazon ECR, and a deploy stage that updates an ECS service. The team wants to add a manual approval step before the deploy stage to allow QA to verify the image. What is the BEST way to implement this?

A. Configure an AWS Lambda function in the pipeline that checks a DynamoDB table for approval status and pauses until approved.
B. Use an Amazon SNS topic to send a notification to QA, and have them manually trigger the deploy stage by clicking a link in the email.
C. Use Amazon CloudWatch Events to trigger a custom action that waits for an approval signal.
D. Add a manual approval stage in CodePipeline between the build and deploy stages, and configure SNS to notify approvers.
Answer: D

CodePipeline supports manual approval actions that pause the pipeline and notify approvers via SNS.

Why this answer

Option D is correct because CodePipeline has a built-in manual approval action that can be placed in its own stage between build and deploy; it pauses the execution, publishes to the configured SNS topic, and resumes or fails when an approver responds. Option A is incorrect because a Lambda action cannot hold the pipeline open indefinitely, and a DynamoDB flag only reinvents the approval action. Option B is incorrect because SNS only notifies; an emailed link gives nobody a controlled approval and bypasses the pipeline's ordering.

Option C is incorrect because a CloudWatch Events (EventBridge) rule can react to pipeline state changes but cannot approve an action or pause a stage.

157
MCQ · medium

You are a DevOps engineer for a company that uses AWS CodePipeline to deploy a microservice to Amazon ECS with Fargate. The pipeline has a source stage (CodeCommit), a build stage (CodeBuild) that builds a Docker image and pushes it to Amazon ECR, and a deploy stage that uses an ECS task definition update. Recently, the deploy stage started failing intermittently with the error 'The task definition does not have a compatibilities attribute set correctly.' The task definition is generated dynamically during the build stage and uses the 'FARGATE' launch type. The error occurs only when a new task definition revision is created. You suspect the issue is related to how the task definition is generated. Upon reviewing the buildspec, you see that the task definition JSON is created using environment variables for the image URI. What is the MOST likely cause and solution?

A. The task definition is missing the 'executionRoleArn' field, which is required for Fargate.
B. The task definition JSON does not include the 'requiresCompatibilities' field with the value '["FARGATE"]'.
C. The task definition specifies 'networkMode' as 'bridge', but Fargate requires 'awsvpc'.
D. The task definition does not specify 'cpu' and 'memory' values, which are required for Fargate.
Answer: B

Without this field, ECS cannot determine the launch type compatibility.

Why this answer

Option B is correct because a task definition intended for Fargate must declare requiresCompatibilities: ["FARGATE"]; when the build regenerates the JSON from environment variables and leaves the field out, ECS registers the revision as EC2-only and the deploy fails with the compatibilities error. Option A is incorrect because a missing executionRoleArn produces an error about the execution role, not about compatibilities. Option C is incorrect because a networkMode other than awsvpc is also rejected for Fargate, but with a different message.

Option D is incorrect because task-level cpu and memory are required for Fargate, but omitting them produces a different error.
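The build-stage fix in working form, added here as an example and not code from the page: render the task definition from the exported build variables and validate it for Fargate before the deploy stage ever calls register-task-definition, so each of the four failure modes in the options is caught in the build log rather than at deploy time. The service name, ports, roles and the sample environment are assumptions; the cpu/memory table covers the 0.25 to 4 vCPU sizes (larger sizes exist and are not listed).

```python
"""Render and validate an ECS task definition for Fargate (added example, not from the page)."""
import json
import os

# Fargate cpu units -> allowed task memory (MiB) for 0.25-4 vCPU; larger sizes exist but are not listed.
FARGATE_CPU_MEMORY = {
    256: {512, 1024, 2048},
    512: {1024, 2048, 3072, 4096},
    1024: {2048, 3072, 4096, 5120, 6144, 7168, 8192},
    2048: set(range(4096, 16385, 1024)),
    4096: set(range(8192, 30721, 1024)),
}


def render_task_definition(env):
    """Build the task definition JSON from variables the build stage exports."""
    return {
        "family": env["SERVICE_NAME"],
        "requiresCompatibilities": ["FARGATE"],  # the field whose absence causes the question's error
        "networkMode": "awsvpc",
        "cpu": env.get("TASK_CPU", "256"),
        "memory": env.get("TASK_MEMORY", "512"),
        "executionRoleArn": env["EXECUTION_ROLE_ARN"],
        "taskRoleArn": env["TASK_ROLE_ARN"],
        "containerDefinitions": [{
            "name": env["SERVICE_NAME"],
            "image": env["IMAGE_URI"],  # e.g. account.dkr.ecr.region.amazonaws.com/app:commit-sha
            "essential": True,
            "portMappings": [{"containerPort": int(env.get("CONTAINER_PORT", "8080")), "protocol": "tcp"}],
        }],
    }


def validate_fargate_task_definition(td):
    """Return the list of problems that would make ECS reject the definition for Fargate."""
    problems = []
    if "FARGATE" not in td.get("requiresCompatibilities", []):
        problems.append("requiresCompatibilities must include FARGATE")
    if td.get("networkMode") != "awsvpc":
        problems.append("networkMode must be awsvpc for Fargate (got %r)" % td.get("networkMode"))
    if not td.get("executionRoleArn"):
        problems.append("executionRoleArn is required to pull the image and ship logs")
    cpu, memory = td.get("cpu"), td.get("memory")
    if cpu is None or memory is None:
        problems.append("task-level cpu and memory are required for Fargate")
    else:
        try:
            cpu_i, mem_i = int(cpu), int(memory)
        except ValueError:
            problems.append("cpu and memory must be numeric strings, got %r/%r" % (cpu, memory))
        else:
            allowed = FARGATE_CPU_MEMORY.get(cpu_i)
            if allowed is None:
                problems.append("cpu %d is not a Fargate size" % cpu_i)
            elif mem_i not in allowed:
                problems.append("memory %d MiB is not valid for cpu %d" % (mem_i, cpu_i))
    for c in td.get("containerDefinitions", []):
        if not c.get("image"):
            problems.append("container %s has an empty image URI (build variable not exported?)" % c.get("name"))
    return problems


# Constructed sample environment, standing in for the variables the buildspec exports.
SAMPLE_ENV = {
    "SERVICE_NAME": "orders-api",
    "IMAGE_URI": "123456789012.dkr.ecr.us-east-1.amazonaws.com/orders-api:3f9a2c1",
    "EXECUTION_ROLE_ARN": "arn:aws:iam::123456789012:role/ecsTaskExecutionRole",
    "TASK_ROLE_ARN": "arn:aws:iam::123456789012:role/orders-api-task",
    "TASK_CPU": "512",
    "TASK_MEMORY": "1024",
}

if __name__ == "__main__":
    # In CodeBuild the real values come from the environment; the sample fills any that are unset.
    env = dict(SAMPLE_ENV)
    env.update({k: v for k, v in os.environ.items() if k in SAMPLE_ENV})
    td = render_task_definition(env)
    problems = validate_fargate_task_definition(td)
    if problems:
        raise SystemExit("task definition rejected:\n  " + "\n  ".join(problems))
    with open("taskdef.json", "w") as fh:
        json.dump(td, fh, indent=2)  # the file the deploy stage registers
```

Failing the build here is deliberate: a malformed task definition that reaches the deploy stage fails only after the image has been pushed, and the error message ECS returns is less specific than the one you can write yourself.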

158
Multi-Select · medium

A DevOps team is designing a CI/CD pipeline for a containerized application. Which THREE components are essential for a complete pipeline? (Choose three.)

Select 3 answers
A. AWS CodeDeploy
B. Artifact storage
C. Amazon CloudWatch
D. Build and test automation
E. Source control repository
Answers: B, D, E

Build artifacts need to be stored for deployment.

Why this answer

Options B, D, and E are correct: a source control repository, build and test automation, and artifact storage are the generic building blocks of any pipeline. Option A is wrong because CodeDeploy is one particular deployment service, not an essential component of every pipeline. Option C is wrong because CloudWatch is a monitoring service; useful alongside a pipeline, but not part of it.

159
MCQ · easy

A company uses AWS CodePipeline with multiple stages: Source, Build, Test, Deploy. The Test stage runs integration tests using AWS CodeBuild. If the Test stage fails, what happens to the pipeline execution?

A. The pipeline continues to the next stage but marks the Test stage as failed.
B. The pipeline execution stops and the status is set to 'Failed'.
C. The pipeline skips the Test stage and proceeds to Deploy.
D. The pipeline automatically retries the Test stage up to three times.
Answer: B

On failure, the pipeline execution stops.

Why this answer

In AWS CodePipeline, by default, if a stage (such as Test) fails, the pipeline execution stops at that stage and the overall pipeline status is set to 'Failed'. CodePipeline treats each stage as a sequential gate: a failure in any stage blocks progression to the following stages, and the execution stays stopped there until someone retries the stage or a newer execution supersedes it. Option B correctly describes this default behavior.

Exam trap

The trap here is that candidates may confuse the default behavior with optional features like automatic retries or stage skipping, assuming CodePipeline behaves like a CI/CD tool that allows failures to pass through (e.g., Jenkins with 'unstable' status) or automatically retries failed jobs.

How to eliminate wrong answers

Option A is wrong because CodePipeline does not continue to the next stage after a failure; it halts execution and marks the pipeline as 'Failed', not just the stage. Option C is wrong because CodePipeline does not skip a failed stage; it stops entirely, preventing the Deploy stage from running. Option D is wrong because CodePipeline does not retry a failed stage on its own; you retry it from the console or with the RetryStageExecution API, or configure an explicit retry on the stage, none of which happens by default.

160
MCQ · medium

Refer to the exhibit. A DevOps engineer runs the above commands. The build project 'my-project' uses an S3 bucket as source and another S3 bucket for artifacts. The build fails with an 'Access Denied' error when trying to download the source code. What is the most likely cause?

A. The encryption key is a KMS key that the role cannot access
B. The service role does not have s3:GetObject permission on the source bucket
C. The source type is S3, but the project expects CodeCommit
D. The source location is incorrect
Answer: B

The role needs GetObject to download the source.

Why this answer

Option B is correct because the CodeBuild service role downloads the source from the bucket, so it needs s3:GetObject (and s3:GetObjectVersion on a versioned bucket) on the source objects; without it the download fails with Access Denied. Option C is incorrect because the source type is S3, which is what the project is configured for. Option A is incorrect because the project uses the default S3 encryption key rather than a customer managed KMS key, so there is no KMS permission to be missing.

Option D is incorrect because the source location is specified in the exhibit; the failure is an authorization error, not a missing object.

161
MCQ · easy

A company uses AWS CodePipeline to deploy a static website to Amazon S3. The pipeline has a Source stage from CodeCommit and a Deploy stage that syncs the contents to an S3 bucket. The deployment fails intermittently with a 'BucketNotEmpty' error. What is the most likely cause?

A. The S3 bucket has versioning enabled, and the deploy action is trying to delete the bucket before syncing.
B. The source artifact from CodeCommit contains a 'delete' manifest that instructs S3 to remove all files.
C. The CodePipeline service role does not have permission to list the bucket contents.
D. The S3 bucket has a bucket policy that denies DeleteObject permissions.
Answer: A

When versioning is enabled, the bucket cannot be deleted until every object version and delete marker is removed; a deploy script that recreates the bucket around an 'aws s3 sync' fails whenever old versions remain. The S3 deploy action in CodePipeline writes objects into the existing bucket and never needs to delete it.

Why this answer

Option A is correct because BucketNotEmpty is the error S3 returns when a bucket that still contains objects (or, with versioning enabled, object versions and delete markers) is deleted. A deploy step that tries to remove and recreate the bucket before syncing hits it whenever versions remain, which is why the failure is intermittent. Option D is wrong because a bucket policy that denies DeleteObject would produce AccessDenied, not BucketNotEmpty. Option C is wrong for the same reason: a missing s3:ListBucket permission surfaces as an access error.

Option B is wrong because the source artifact is a snapshot of the repository; there is no 'delete manifest' that S3 acts on.

162
MCQ · easy

A company uses AWS CodeCommit for source control. Developers frequently push large binary files, causing the repository size to exceed the recommended limit. What is the most efficient way to manage this situation?

A. Increase the repository size limit in CodeCommit settings.
B. Use Git LFS (Large File Storage) and configure it to store binaries in S3.
C. Periodically run a script to remove large files from the commit history.
D. Use S3 directly for storing binaries and reference them in code.
Answer: B

Git LFS replaces large files with small text pointers in the repository and stores the file contents in a separate LFS store, keeping the Git history lean.

Why this answer

Option B is best practice: Git LFS keeps binaries out of the repository history. Note that CodeCommit does not host an LFS endpoint itself, so the store has to be provided separately (for example an S3-backed LFS server), which is what the option describes. Option A is not possible; CodeCommit exposes no repository size setting to raise. Option C rewrites history, forces every clone to be reset, and does nothing to stop the next push.

Option D works but moves the binaries outside version control, so the references in code can drift from what is actually in S3.

163
MCQ · hard

A CodeDeploy deployment group is configured as shown in the exhibit. During a deployment, the deployment fails because the instances are not found. What is the MOST likely reason?

A. The deployment configuration 'CodeDeployDefault.AllAtOnce' is not compatible with in-place deployments
B. The EC2 instances do not have the tag 'Environment' with value 'Production'
C. The service role ARN is incorrect and does not have the necessary permissions
D. The load balancer 'my-alb' is not registered with the instances
Answer: B

The deployment group filters instances by tag; if no instances match, the deployment fails.

Why this answer

Option B is correct because the exhibit shows the deployment group is configured to match EC2 instances with the tag 'Environment' set to 'Production'. If the instances do not have this exact tag key-value pair, CodeDeploy cannot find them during the deployment, causing the failure. The error 'instances are not found' directly points to a tag mismatch, not to permissions or load balancer issues.

Exam trap

The trap here is that candidates often confuse 'instances not found' errors with permission or load balancer issues, but the error is a direct result of tag mismatch, which is the most common cause in CodeDeploy tag-based deployments.

How to eliminate wrong answers

Option A is wrong because 'CodeDeployDefault.AllAtOnce' is a valid deployment configuration that deploys to all instances simultaneously and is fully compatible with in-place deployments; the error is about instances not found, not about configuration incompatibility. Option C is wrong because an incorrect service role ARN or insufficient permissions would typically result in an 'access denied' or 'permission error', not an 'instances not found' error. Option D is wrong because the load balancer 'my-alb' not being registered with instances would cause health check or routing issues, but the deployment would still find the instances; the error specifically states instances are not found, indicating a tag or filter mismatch.

164
MCQ · hard

A company uses AWS CodeBuild to compile and test code. The buildspec.yaml includes a pre_build phase that runs 'aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin 123456789012.dkr.ecr.us-east-1.amazonaws.com'. The build fails with 'Error: Cannot connect to the Docker daemon'. What is the most likely cause?

A. The CodeBuild project does not have privileged mode enabled.
B. The region specified does not match the ECR repository region.
C. The Docker login command syntax is incorrect.
D. The AWS CLI is not installed in the CodeBuild environment.
Answer: A

Docker commands require privileged mode in CodeBuild.

Why this answer

Option A is correct because the Docker daemon is only available inside a CodeBuild build container when the project's environment has privileged mode enabled (privilegedMode: true in the project configuration, or the 'Privileged' checkbox in the console); this is a project setting, not something set in the buildspec. Without it, every docker command fails with 'Cannot connect to the Docker daemon'. Option C is wrong because the login command is syntactically correct. Option B is wrong because a region mismatch would produce an authentication or repository-not-found error after the daemon is reached, not a daemon connection error.

Option D is wrong because the AWS CLI is present in the managed images, and the error comes from the Docker client, not the CLI.

165
MCQ · hard

A company uses AWS CodeCommit for source control and wants to enforce that all commits to the main branch are signed. The DevOps team has configured Git commit signing using GPG keys. However, some developers are able to push unsigned commits to main. What should the engineer do to enforce signed commits?

A. Set the 'requireSignedCommits' parameter in the repository configuration to 'true'.
B. Configure branch protection rules in IAM to deny push access to main unless the commit is signed.
C. Use an AWS CodeCommit trigger with an AWS Lambda function that validates commit signatures and rejects unsigned commits.
D. Create a repository policy that denies git push actions unless the condition 'codecommit:References' and 'codecommit:SourceIp' match.
Answer: C

Lambda can validate the signatures on the commits it is notified about. Note that CodeCommit triggers fire after the push has been accepted, so the function detects unsigned commits and remediates (alerts, reverts, or blocks the merge) rather than rejecting the push itself.

Why this answer

Option C is correct because, among the listed choices, only a trigger plus a Lambda function can inspect commit contents at all. CodeCommit has no server-side pre-receive hooks, so the function runs after the push and enforces the rule by alerting on or reverting the offending commits and by gating merges into main behind an approval rule. Option A does not exist; there is no requireSignedCommits repository setting. Option B is not possible because IAM has no branch-protection construct; the closest thing is a condition on codecommit:References, which controls who may push to a branch but cannot inspect signatures.

Option D is wrong because the codecommit:References and codecommit:SourceIp conditions limit which branches and source addresses may push, not whether the commits are signed.

166
MCQ · easy

A DevOps team wants to run unit tests in parallel across multiple build environments using AWS CodeBuild. Which build specification configuration allows this?

A. Use multiple build phases in the buildspec file.
B. Configure multiple artifacts in the buildspec.
C. Define a batch build with multiple builds.
D. Set environment variables to run multiple commands concurrently.
Answer: C

Batch builds run multiple builds in parallel.

Why this answer

Option C is correct because AWS CodeBuild supports batch builds, which allow you to define a build project that runs multiple builds in parallel. By specifying a batch configuration in your buildspec file (using the `batch` section), you can run unit tests across multiple build environments simultaneously, improving test execution speed and resource utilization.

Exam trap

The trap here is that candidates confuse sequential build phases with parallel execution, or assume that environment variables or multiple artifacts can achieve parallelism, when only the batch build feature in CodeBuild provides true parallel builds across multiple environments.

How to eliminate wrong answers

Option A is wrong because multiple build phases (e.g., install, pre_build, build, post_build) run sequentially within a single build, not in parallel across multiple environments. Option B is wrong because configuring multiple artifacts in the buildspec defines output files from a single build, not parallel execution across environments. Option D is wrong because setting environment variables to run multiple commands concurrently does not enable parallel builds across separate environments; it only runs commands sequentially within the same build container.

167
MCQ · medium

A DevOps engineer is creating a CodePipeline service role. The above IAM policy is attached to the role. The pipeline fails when trying to download artifacts from the S3 bucket. What is the issue?

A. The Resource for S3 actions should be the bucket ARN, not the object ARN.
B. The policy is missing s3:ListBucket permission on the bucket.
C. The CodeDeploy actions require a specific resource ARN instead of '*'.
D. The Action list is missing s3:GetObjectVersion.
Answer: B

ListBucket is required to list objects in the bucket.

Why this answer

The policy grants s3:GetObject on the objects, but nothing grants s3:ListBucket on the bucket itself, and ListBucket is evaluated against the bucket ARN (arn:aws:s3:::bucket), not the object ARN (arn:aws:s3:::bucket/*). CodePipeline needs to list the artifact bucket to locate the artifact before downloading it, so the execution fails. Option B is correct. Option A is wrong because object-level actions such as GetObject do need the object ARN; what is missing is a second statement with the bucket ARN for ListBucket. Option C is wrong because the failure is in S3, not CodeDeploy. Option D would only matter for version-specific downloads and is not what a listing failure indicates.
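The resource-scoping point made concrete, added here as an example and not code from the page: a minimal IAM evaluator (Allow and Deny with IAM-style * and ? wildcards, no conditions or NotAction) run against a policy shaped like the question's and against the fixed one, showing that s3:GetObject on arn:aws:s3:::bucket/* leaves s3:ListBucket on arn:aws:s3:::bucket implicitly denied. The bucket name is an assumption. The same checks cover the CodeBuild source download in question 160, where the service role needs s3:GetObject on the source objects.

```python
"""Minimal IAM evaluation for the S3 permissions CodePipeline needs (added example, not from the page)."""
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, candidate):
    """IAM wildcard match: * matches any run of characters, ? a single one; case-insensitive."""
    return fnmatch.fnmatchcase(candidate.lower(), pattern.lower())


def is_allowed(policy, action, resource):
    """Explicit Deny wins; otherwise any matching Allow grants; otherwise implicit deny."""
    allowed = False
    for stmt in policy.get("Statement", []):
        if not any(_matches(a, action) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_matches(r, resource) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


BUCKET = "arn:aws:s3:::codepipeline-us-east-1-artifacts-111122223333"  # assumption

# Shaped like the question's policy: object actions only, on the object ARN.
BROKEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:GetObjectVersion", "s3:PutObject"],
        "Resource": BUCKET + "/*",
    }],
}

# Fixed: bucket-level actions get their own statement on the bucket ARN.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:GetObjectVersion", "s3:PutObject"],
         "Resource": BUCKET + "/*"},
        {"Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:GetBucketVersioning"],
         "Resource": BUCKET},
    ],
}


def pipeline_s3_checks(policy, bucket=BUCKET, key="pipeline/Source/artifact.zip"):
    """The calls an artifact download makes, with the evaluator's verdict for each."""
    return {
        "s3:ListBucket": is_allowed(policy, "s3:ListBucket", bucket),
        "s3:GetObject": is_allowed(policy, "s3:GetObject", bucket + "/" + key),
        "s3:GetObjectVersion": is_allowed(policy, "s3:GetObjectVersion", bucket + "/" + key),
    }


if __name__ == "__main__":
    for name, policy in (("broken", BROKEN_POLICY), ("fixed", FIXED_POLICY)):
        print(name, pipeline_s3_checks(policy))
```

Keeping the two statements separate is also the least-privilege shape: the bucket statement never needs object actions, and the object statement never needs ListBucket, so neither can be widened by accident when the other is edited.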

168
MCQ · medium

A company uses AWS CodeCommit as a Git repository and CodeBuild for continuous integration. The buildspec.yml file includes steps to run unit tests and package the application. The team wants to ensure that only code from the main branch is deployed to production. They have set up a CodePipeline that triggers on changes to any branch. The pipeline includes a build stage that runs CodeBuild, and then a deploy stage that deploys to production. The team noticed that code from feature branches is being deployed to production accidentally. The team wants to modify the pipeline to prevent this. What is the MOST effective solution?

A. Use IAM policies to restrict developers from pushing to the main branch.
B. In the CodePipeline source stage, configure the branch filter to only allow the main branch to trigger the pipeline.
C. Add a manual approval step before the deploy stage and require approval from a senior engineer.
D. Modify the CodeBuild project to only build the main branch by specifying the branch in the source configuration.
Answer: B

Branch filtering at the source stage prevents the pipeline from starting for non-main branches.

Why this answer

Option B is correct because a branch filter on the source action restricts which pushes start the pipeline, so feature-branch commits never enter the path that leads to production. Option A is wrong because restricting who can push to main does not stop the pipeline from triggering on feature branches while it is configured to watch every branch. Option C is wrong because a manual approval step still lets every feature-branch push start the pipeline and consume build time, and it relies on a human noticing the wrong branch.

Option D is wrong because pinning the branch in the CodeBuild source configuration changes what is built, not what triggers the pipeline; the pipeline hands its own source artifact to the build stage regardless.

169
MCQ · hard

A large enterprise uses AWS CodePipeline with multiple stages including source, build, test, and deploy. The test stage runs a suite of integration tests that take 30 minutes. The team wants to reduce the overall pipeline execution time by running the test stage in parallel across different test environments (e.g., different browsers, operating systems). However, they also need to aggregate the test results into a single report. Which approach should they use?

A. Create separate pipelines for each test environment
B. Create a sequential test stage that runs each environment one after another
C. Use CodeBuild batch builds with a single buildspec to run tests in parallel
D. Configure parallel actions in the test stage and use a custom action to aggregate results
Answer: D

Parallel actions reduce time, and a custom Lambda or CodeBuild action can aggregate reports

Why this answer

CodePipeline supports parallel actions within a stage: define one test action per environment (for example, one per browser), give them the same RunOrder so they start together, and add a later action with a higher RunOrder that runs after all of them complete and merges their output artifacts into a single report.

Option D is correct. Option B (sequential) keeps the full 30 minutes per environment and only lengthens the stage. Option A (separate pipelines) scatters the results across pipelines, which makes the single aggregated report harder to produce, and adds operational overhead.

Option C (batch builds) can fan one CodeBuild project out across environments, but it does not by itself produce the aggregated report the question asks for; the parallel-actions design with an aggregation step covers both requirements.

170
MCQ · easy

A development team uses AWS CodeBuild to run unit tests on every commit to the develop branch. The tests take a long time because they download dependencies each time. What should the team do to reduce build time?

A. Enable the local cache feature in CodeBuild.
B. Store dependencies in Amazon Elastic File System (EFS) and mount it during builds.
C. Increase the compute type of the build environment.
D. Use multiple builds in parallel for the same commit.
Answer: A

Caching dependencies reduces download time.

Why this answer

Option A is correct because enabling CodeBuild's cache lets dependency directories persist between builds, so they are not downloaded on every run. Local caching keeps the cache on the build host and is only reused when a later build lands on the same host, so for consistent savings across hosts an S3 cache is the durable choice. Option C is wrong because more CPU does not shorten a network-bound download. Option D is wrong because running more builds of the same commit does not make any one of them faster.

Option B is wrong because mounting EFS adds network latency to every file operation and is far more setup than the built-in cache.

171
MCQ · hard

A company is migrating from Jenkins to AWS CodeBuild. They have hundreds of Jenkins jobs that run on a schedule. Some jobs take hours and must not overlap. What is the most efficient way to migrate these jobs to CodeBuild while ensuring no overlapping builds?

A. Create a buildspec file that includes a sleep command to stagger start times.
B. Configure the CodeBuild project with a concurrent build limit of 1.
C. Set up a separate CodeBuild project for each job and use a custom retry policy.
D. Use Amazon CloudWatch Events to trigger a Lambda function that checks the build status before starting a new build.
Answer: D

Lambda can check and prevent overlapping builds.

Why this answer

Option D is correct because a scheduled EventBridge (CloudWatch Events) rule can invoke a Lambda function that lists the project's recent builds with the CodeBuild API, checks whether one is still IN_PROGRESS, and starts a new build only when none is; a run that would overlap can be skipped or deferred rather than lost. Option A is wrong because a sleep in the buildspec delays a build that has already started and cannot prevent a second one from starting. Option B is wrong because a concurrent build limit of 1 throttles the extra build instead of queuing it, so a scheduled run that arrives while a long build is still running is dropped rather than executed later.

Option C is wrong because separate projects can still run at the same time, and a retry policy does nothing to stop a run from overlapping the previous one.
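The guard function for that Lambda, added here as an example and not code from the page. The decision logic is pure and testable; the handler wraps the CodeBuild API calls with boto3 (available in the Lambda runtime) and is what the EventBridge schedule invokes instead of the project. A build that has been IN_PROGRESS for an implausibly long time is reported rather than silently blocking the schedule forever. The project name, the staleness threshold and the sample build list are assumptions; the schedule should invoke the function one run at a time, since two simultaneous invocations could both see an idle project.

```python
"""Scheduled-build guard for CodeBuild (added example, not from the page)."""
from datetime import datetime, timedelta, timezone

ACTIVE_STATUSES = {"IN_PROGRESS"}


def decide(builds, now=None, stale_after_hours=12):
    """Return ('start', reason) or ('skip', reason) from a list of recent builds.

    builds: dicts with at least 'id', 'buildStatus' and 'startTime', as batch_get_builds returns.
    An IN_PROGRESS build older than stale_after_hours is flagged for investigation: a wedged
    build should page someone, not quietly stop the schedule."""
    now = now or datetime.now(timezone.utc)
    for b in builds:
        if b.get("buildStatus") not in ACTIVE_STATUSES:
            continue
        age_h = (now - b["startTime"]).total_seconds() / 3600
        if age_h > stale_after_hours:
            return "skip", "build %s has run %.1fh (> %dh); investigate before resuming the schedule" % (
                b["id"], age_h, stale_after_hours)
        return "skip", "build %s still in progress (%.1fh)" % (b["id"], age_h)
    return "start", "no active build"


def handler(event, context):
    """Lambda entry point: inspect the project's most recent builds, then start one if clear."""
    import boto3  # imported here so decide() stays importable without the SDK installed
    project = event["project"]  # assumption: the schedule rule passes {"project": "<name>"}
    cb = boto3.client("codebuild")
    ids = cb.list_builds_for_project(projectName=project, sortOrder="DESCENDING").get("ids", [])
    builds = cb.batch_get_builds(ids=ids[:10])["builds"] if ids else []
    action, reason = decide(builds)
    if action == "start":
        build_id = cb.start_build(projectName=project)["build"]["id"]
        return {"action": "started", "buildId": build_id, "reason": reason}
    return {"action": "skipped", "reason": reason}


# Constructed sample, shaped like batch_get_builds output.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_BUILDS = [
    {"id": "nightly-etl:9d2f", "buildStatus": "IN_PROGRESS",
     "startTime": datetime(2024, 5, 1, 9, 30, tzinfo=timezone.utc)},
    {"id": "nightly-etl:7c11", "buildStatus": "SUCCEEDED",
     "startTime": datetime(2024, 4, 30, 9, 0, tzinfo=timezone.utc)},
]


def hours_later(hours):
    """Shift the sample clock forward; used to demonstrate the stale-build branch."""
    return NOW + timedelta(hours=hours)


if __name__ == "__main__":
    print(decide(SAMPLE_BUILDS, now=NOW))            # skip: 9d2f still running (2.5h)
    print(decide(SAMPLE_BUILDS[1:], now=NOW))        # start: nothing active
    print(decide(SAMPLE_BUILDS, now=hours_later(24)))  # skip, but flagged as stale
```

The skipped reason is worth emitting as a metric or log line: a schedule that keeps skipping is the signal that a job's runtime has outgrown its interval, which is exactly the situation the Jenkins setup was hiding.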

172
MCQ · easy

A startup is using AWS CodeCommit to store their application code. They have set up a CI/CD pipeline with AWS CodePipeline and AWS CodeBuild. The pipeline consists of a source stage from CodeCommit, a build stage using CodeBuild, and a deploy stage using AWS CodeDeploy to deploy to an Auto Scaling group of EC2 instances. Recently, a developer committed code that introduced a critical bug, and the pipeline automatically deployed the bug to production, causing an outage. The team wants to implement a manual approval step before production deployment. They also want to ensure that the approval step is only required for deployments to the production environment, not for development or testing. Which solution should they implement?

A. Add a manual approval action in the CodePipeline pipeline before the production deployment stage. Configure the approval to require a designated approver.
B. Configure the CodeDeploy deployment group to require approval before deploying to any instance.
C. Use Amazon Simple Notification Service (SNS) to send a notification to the team and have them manually stop the pipeline if needed.
D. Use Amazon CloudWatch Events to trigger an AWS Lambda function that sends an approval request via email and pauses the pipeline until approved.
Answer: A

Manual approval actions in CodePipeline allow a human to approve before deployment.

Why this answer

Option A is correct because CodePipeline's manual approval action can be placed in a stage immediately before the production deployment; since the approval belongs to that stage only, the development and test deployments in earlier stages (or in their own pipelines) proceed without it. Option B is wrong because CodeDeploy deployment groups have no approval workflow.

Option C is wrong because SNS only notifies; stopping the pipeline by hand after the fact is not an approval gate. Option D is wrong because a CloudWatch Events rule and a Lambda function cannot pause a pipeline or record an approval; the built-in approval action already does both.

173
MCQ · medium

An organization uses AWS CodePipeline with a multi-branch strategy. They want to run unit tests on every push to any branch, but only deploy to production on pushes to the 'main' branch. What is the most efficient way to achieve this?

A. Configure a single pipeline with a source action that triggers on all branches, then use a 'branch' condition on the deployment stage to only proceed if the branch is 'main'.
B. Use a single pipeline with a source action that triggers on all branches, and deploy to a test environment for all branches, then promote to production manually.
C. Create separate pipelines for each branch, each with its own test and deploy stages.
D. Use a single pipeline with a source action that only triggers on the 'main' branch, and run tests in a separate system.
Answer: A

This uses one pipeline and conditions to control deployment, minimizing overhead.

Why this answer

Option A is correct because a single pipeline whose source action triggers on every branch runs the unit tests for all of them, while a condition on the deployment stage that checks the branch name lets only main reach production. This relies on pipeline features that support multi-branch source triggers and expose the branch name to a stage condition. Option C is wrong because it requires creating and maintaining a pipeline per branch. Option B is wrong because it deploys every branch to a test environment and still depends on a manual promotion.

Option D is wrong because it would trigger only for main, leaving the other branches untested by the pipeline.

174
MCQ · medium

A team uses AWS CodeDeploy to deploy a web application to an Auto Scaling group. The deployment fails with the error 'The overall deployment failed because too many individual instances failed deployment, too few healthy instances are available, or some instances in your deployment group are experiencing problems.' The team checks the logs and finds that the application installation script fails on some instances due to missing dependencies. What is the BEST long-term solution?

A. Create a custom AMI that includes all dependencies and use it in the Auto Scaling group.
B. Use an Elastic Load Balancer health check to automatically replace failed instances.
C. Modify the CodeDeploy AppSpec file to run the installation script as root.
D. Implement a retry mechanism in the deployment script to install dependencies again.
Answer: A

Baking dependencies into the AMI avoids runtime installation issues and ensures consistency.

Why this answer

Option A is correct because baking the dependencies into the AMI means every instance the Auto Scaling group launches already has them, so the install script no longer depends on package downloads at deploy time and the deployment becomes reproducible. Option B is wrong because replacing an unhealthy instance launches another one from the same image, which fails the same way. Option C is wrong because CodeDeploy hook scripts already run as root by default, and extra privilege does not supply missing packages.

Option D is wrong because retrying masks the failure instead of removing its cause, and it lengthens every deployment.

175
MCQ · hard

A company has a multi-account AWS environment with separate accounts for development, staging, and production. They want to implement a CI/CD pipeline that deploys to each account sequentially after manual approvals. Which setup allows cross-account deployment with CodePipeline?

A. Create an IAM role in the target account with permissions for the pipeline service role to assume, and use that role in the deployment action.
B. Create separate pipelines in each account and trigger them via SNS from a master pipeline.
C. Use CodePipeline with cross-account actions by specifying the target account ID and region.
D. Use a single pipeline in the management account with different stages for each account.
Answer: A

This is the standard cross-account deployment pattern with CodePipeline.

Why this answer

Option A is correct. Cross-account deployment requires an IAM role in the target account whose trust policy allows the pipeline's service role (in the pipeline account) to assume it, and the deploy action names that role's ARN in its RoleArn field. The pipeline's own service role must additionally be allowed sts:AssumeRole on that ARN, and the artifact bucket and its KMS key must let the target role read the artifacts. Option B is wrong because a chain of per-account pipelines triggered over SNS splits the execution history and the approval gates across accounts. Option C is wrong because an account ID and region alone grant nothing; the assumed role is what carries the permissions. Option D is wrong because a stage per account still needs a cross-account role for each of those accounts, which is what Option A describes.

176
Multi-Selectmedium

Which of the following are valid strategies for implementing continuous integration in AWS? (Choose two.)

Select 2 answers
A.Configure AWS CodeBuild to automatically run tests when a pull request is created in CodeCommit.
B.Set up AWS CodeDeploy to trigger a build every time a commit is pushed to a repository.
C.Use AWS CodePipeline with a source stage that polls CodeCommit for changes and triggers a build stage.
D.Use AWS CloudFormation to create a stack that runs tests every time a new commit is pushed.
AnswersA, C

Why this answer

Option A is correct because AWS CodeBuild can be configured to automatically run tests when a pull request is created in CodeCommit using a webhook or event rule. This enables continuous integration by validating code changes before merging, ensuring that only tested code is integrated into the main branch. Option C is correct because a CodePipeline source stage detects new commits (by polling, or preferably through an EventBridge rule, which is the default for CodeCommit sources) and starts the build stage automatically on every change.

Exam trap

The trap here is confusing deployment services (CodeDeploy) and infrastructure provisioning (CloudFormation) with CI build triggers, leading candidates to select options that sound plausible but lack the specific capability to initiate a build or run tests.

Why the other options are wrong

B

CodeDeploy is for deployment, not building or testing.

D

CloudFormation is for infrastructure as code, not for running tests.

177
MCQeasy

A company uses AWS CodeBuild to build a Docker image and push it to Amazon ECR. The buildspec.yml includes a 'post_build' phase command to tag the image. The build fails with 'unauthorized: authentication required'. What must be done to resolve this?

A.Add 'ecr:InitiateLayerUpload' and 'ecr:CompleteLayerUpload' permissions to the CodeBuild service role.
B.Use the 'docker login' command with AWS CLI in the build phase.
C.Install the AWS CLI in the CodeBuild build environment.
D.Create a new IAM user with ECR permissions and store the keys in CodeBuild environment variables.
AnswerA

These are required for pushing Docker images to ECR.

Why this answer

CodeBuild needs permission to push to ECR, and with a managed image and a service role the only missing piece is that role's IAM policy. A push is a layer upload, so the role needs the upload permissions named in Option A together with ecr:BatchCheckLayerAvailability, ecr:UploadLayerPart, ecr:PutImage and ecr:GetAuthorizationToken (the last with Resource "*", because the token call is not scoped to a repository). Option A is correct. Option B is wrong because docker login is already the step that obtains the token; without the permissions it still fails. Option C is wrong because the AWS CLI is preinstalled in the managed build images. Option D is wrong because it swaps the service role for long-lived IAM user keys stored in environment variables, which is weaker and harder to rotate.

178
MCQmedium

A DevOps team is using AWS CodePipeline to automate build, test, and deploy phases. The team notices that the pipeline is failing intermittently during the deploy stage due to a timeout when updating an Auto Scaling group. The deploy stage uses CodeDeploy with a blue/green deployment configuration. What is the MOST likely cause and solution?

A.The CloudFormation stack update is failing. Update the stack with a longer timeout.
B.The CodeCommit repository has too many branches. Clean up unused branches.
C.The CodeDeploy deployment group has a low original revision timeout. Increase the original revision timeout.
D.The CodeBuild project has a low build timeout. Increase the build timeout.
AnswerC

Blue/green deployment waits for new instances to be healthy; increasing timeout allows more time.

Why this answer

Option C is correct because a blue/green deployment launches replacement instances and waits for them to register and pass health checks before it shifts traffic; when the deployment group's wait period is shorter than the time that takes, the action times out, and it does so intermittently because instance launch time varies. In the API these are the deployment group's blueGreenDeploymentConfiguration settings (deploymentReadyOption.waitTimeInMinutes for the traffic switch, terminationWaitTimeInMinutes for the old fleet); the deployment's event log shows which step stalled. Option A is wrong because CloudFormation is not part of this deploy stage. Option B is wrong because CodeCommit is the source stage and the number of branches has no effect on a deployment.

Option D is wrong because the CodeBuild timeout only bounds the build stage.

179
MCQhard

Refer to the exhibit. A DevOps engineer runs the CLI command to view stack events. The output shows that a Lambda function update was cancelled by the stack update. What is the most likely cause?

A.The stack had a drift detection operation that overrode the update.
B.The IAM role for the Lambda function lacked permissions to update the function.
C.The Lambda function code exceeded the maximum size limit for inline code.
D.A concurrent stack update was initiated while a previous update was in progress.
AnswerD

CloudFormation cancels pending updates when a new update is started.

Why this answer

Option D is correct because 'Resource update cancelled by stack update' means an update to the Lambda function was still in progress when a newer stack update was started, and CloudFormation abandoned the in-flight change. In practice the same message also appears on resources whose update was still running when a different resource in the same update failed and the stack began rolling back, so read the earlier events and find the first failure before blaming a concurrent operation. Option A is wrong because drift detection is read-only; it reports differences and never cancels an operation. Option B is wrong because a permissions problem surfaces as an AccessDenied error on the resource, not as a cancellation.

Option C is wrong because an oversized inline code block fails validation with a size error before any update starts.

180
MCQmedium

Refer to the exhibit. A CloudTrail log shows a failed GitPush event to a CodeCommit repository by the IAM user 'jenkins'. The DevOps engineer has attached the following IAM policy to the user: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "codecommit:*", "Resource": "*" } ] } What is the MOST likely reason for the failure?

A.The user has not generated a Git credential for CodeCommit in the IAM console.
B.The user is trying to push via HTTPS but the repository only allows SSH.
C.The user's IAM policy includes a condition that restricts access based on source IP, and the push originates from a different IP.
D.The policy is attached but the user has a permissions boundary that denies codecommit:GitPush.
AnswerA

CodeCommit Git operations over HTTPS or SSH need Git credentials or an SSH key tied to the IAM user; the IAM policy alone is not enough.

Why this answer

Option A is correct. The policy grants every codecommit action, so the push is not being refused by IAM policy evaluation; what is missing is the credential that Git itself presents. For HTTPS pushes the user needs HTTPS Git credentials generated for that IAM user in the IAM console (or the git-remote-codecommit helper or the AWS CLI credential helper, both of which sign requests with the user's access keys); for SSH the user must upload a public key to the IAM user and reference its key ID in the SSH configuration. Without one of those, the GitPush event is logged as failed even though the policy would allow it.

Option B is wrong because a CodeCommit repository accepts both HTTPS and SSH; it cannot be restricted to one protocol. Option C is wrong because the policy shown has no Condition block. Option D is wrong because nothing in the exhibit indicates a permissions boundary; the question asks for the most likely reason given the policy that is shown.

181
MCQmedium

A company uses AWS CodeCommit and wants to enforce that all commits to the main branch are signed. What must be configured to enforce this requirement?

A.Configure a repository policy that requires signed commits.
B.Assign an IAM role that only allows signed API calls.
C.Use a pre-commit hook in the local repository.
D.Set up a CloudWatch Events rule to reject unsigned commits.
AnswerA

CodeCommit supports repository policies to require commit signing.

Why this answer

AWS CodeCommit supports repository policies that can enforce commit signing by denying `codecommit:GitPush` unless the commit is signed with a GPG key. This is done using the `git:IsSigned` condition key in an IAM-based resource policy attached to the repository. Option A is correct because it directly configures this policy to reject unsigned pushes to the main branch.

Exam trap

The trap here is that candidates confuse client-side Git hooks (pre-commit) with server-side enforcement, or assume CloudWatch Events can block API calls, when only a repository policy with the `git:IsSigned` condition can enforce signed commits at the service level.

How to eliminate wrong answers

Option B is wrong because IAM roles control who can make API calls, not the signing status of individual commits within a Git push; the `git:IsSigned` condition key is not available in IAM identity policies for the `codecommit:GitPush` action. Option C is wrong because pre-commit hooks are client-side and cannot be enforced server-side; a developer can bypass or remove them locally. Option D is wrong because CloudWatch Events (now Amazon EventBridge) can trigger on API calls but cannot reject or block the Git push itself; it can only react after the fact. Before relying on this in production, confirm the condition key against the current CodeCommit section of the IAM service authorization reference and push an unsigned commit from a test identity to verify that the deny actually fires: a policy condition that names a key the service never supplies silently never matches, and the deny is then never applied.

182
MCQmedium

A development team uses AWS CodeCommit and AWS CodePipeline for CI/CD. They notice that a pipeline execution failed due to a code review rejection in the 'Approve' stage. The pipeline is configured with a manual approval action. What is the most likely cause of the failure?

A.The IAM role for the pipeline does not have permission to invoke the approval action.
B.The CodeCommit repository has a branch policy that prevents direct commits.
C.An authorized user logged in to the CodePipeline console and rejected the approval request.
D.The pipeline is not configured with a CloudWatch Events rule to trigger the approval.
AnswerC

A manual approval action fails if an authorized user explicitly rejects the approval request.

Why this answer

Option C is correct because a manual approval action waits for a user with codepipeline:PutApprovalResult permission to approve or reject; a rejection marks the action Failed and the pipeline execution fails at that stage, which is what the team sees. Option A is wrong because a permissions problem would prevent the approval result from being submitted at all rather than record a rejection. Option B is wrong because repository branch settings apply to pushes and merges, not to pipeline approvals.

Option D is wrong because a manual approval needs no EventBridge (CloudWatch Events) rule; it is a built-in action that pauses the execution until a result is posted.

183
MCQmedium

A company is using AWS CodeBuild to compile a Java application. The build takes over 30 minutes, causing timeouts. The team has already increased the build timeout to the maximum. Which action would MOST effectively reduce the build time?

A.Use a smaller instance type to reduce provisioning time.
B.Enable dependency caching in the buildspec file.
C.Use a larger compute type in CodeBuild.
D.Split the build into multiple parallel CodeBuild projects.
AnswerB

Caches downloaded dependencies across builds.

Why this answer

Option B is correct because caching dependencies avoids re-downloading them on every build, which for a Java build is usually the largest share of the 30 minutes. Option C is less effective: a larger compute type speeds up compilation but does nothing for the repeated downloads. Option D is wrong because splitting into parallel projects adds coordination overhead and still downloads the dependencies in each project.

Option A is wrong because a smaller instance would make the build slower.

184
MCQmedium

A company uses AWS CodeCommit for source control. Developers work on feature branches and create pull requests to merge into the 'develop' branch. The company wants to enforce that all commits to the 'develop' branch are signed. Which AWS service or feature should be used to enforce this policy?

A.Use Amazon CloudWatch Events to trigger a Lambda function that verifies commit signatures and reverts unsigned commits.
B.Create an approval rule template in CodeCommit that requires commits to be signed and associate it with the 'develop' branch.
C.Use AWS Key Management Service (KMS) to create a signing key and require developers to use it.
D.Configure an IAM policy that denies 'git push' unless the commit is signed.
AnswerB

CodeCommit approval rule templates can enforce signed commits as a condition for merging.

Why this answer

Option B is correct because an approval rule template is CodeCommit's server-side gate on pull requests into a branch, so the requirement is enforced where the merge happens rather than on the developer's machine. Note that CodeCommit does not verify GPG signatures on its own; a working implementation pairs the template with an automated reviewer (for example, a Lambda function started by the pull request event) that runs `git verify-commit` on each commit and posts the approval only when every signature checks out. Option D is incorrect because an IAM policy controls who may push, not whether the commits being pushed are signed. Option A is incorrect because an EventBridge (CloudWatch Events) rule runs after the commit has landed; a Lambda function can only react by reverting, not prevent the commit.

Option C is incorrect because KMS manages encryption and signing keys but has no mechanism to require that developers use one for Git commits.

185
MCQhard

A company uses AWS CodeBuild to run integration tests. The tests require access to an RDS database in a private subnet. CodeBuild runs in a VPC but the build times out waiting for the database connection. What is the MOST likely cause?

A.CodeBuild cannot access resources in a private subnet unless it uses a NAT gateway.
B.The CodeBuild service role does not have rds:Connect permission.
C.The CodeBuild project's security group outbound rules do not allow traffic to the RDS security group on port 3306 (or appropriate port).
D.The RDS instance is in a different subnet CIDR than CodeBuild's subnet.
AnswerC

Security groups control network reachability; a timeout (rather than an immediate refusal) is the signature of traffic being dropped by a security group or route.

Why this answer

Option C is correct because CodeBuild's elastic network interface uses the project's security group, which must allow outbound traffic to the database security group on the database port. Check the other direction as well: the RDS security group needs an inbound rule from the CodeBuild security group (referenced by group ID, not by CIDR), and because the default outbound rule allows all traffic, a missing inbound rule on the database side is in practice the more common cause of the same timeout. Option B is wrong because IAM permissions govern API calls; a TCP connection involves no rds:Connect action, and IAM database authentication, if used, fails with an authentication error rather than a timeout. Option D is wrong because subnets in the same VPC route to each other regardless of their CIDRs.

Option A is wrong because a NAT gateway is only needed for internet egress; resources inside the VPC are reachable directly when the security groups allow it.
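The security-group pairing behind Option C, as a CloudFormation fragment added here for illustration (it is not the quiz's own code): egress from the CodeBuild group to the database group on the DB port, the matching ingress on the database group, and the project's VpcConfig. VpcId, PrivateSubnetIds, DbSecurityGroup and BuildRole are assumed to exist elsewhere in the template, and 3306 assumes MySQL.

```yaml
# Added example. Assumed: parameters VpcId and PrivateSubnetIds, and resources
# DbSecurityGroup (the RDS instance's group) and BuildRole defined elsewhere.
Resources:
  BuildSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: CodeBuild integration-test runner
      VpcId: !Ref VpcId
      # Listing egress rules replaces the default allow-all outbound rule.
      SecurityGroupEgress:
        - IpProtocol: tcp                 # database port, only to the database group
          FromPort: 3306
          ToPort: 3306
          DestinationSecurityGroupId: !Ref DbSecurityGroup
        - IpProtocol: tcp                 # HTTPS for AWS APIs and package downloads (via NAT or endpoints)
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0

  DbIngressFromBuild:
    # The half that is most often forgotten: the database group must admit the
    # build group. Stateful rules mean no egress rule is needed on the DB side.
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref DbSecurityGroup
      IpProtocol: tcp
      FromPort: 3306
      ToPort: 3306
      SourceSecurityGroupId: !Ref BuildSecurityGroup

  IntegrationTests:
    Type: AWS::CodeBuild::Project
    Properties:
      Name: integration-tests
      ServiceRole: !GetAtt BuildRole.Arn
      Source:
        Type: CODEPIPELINE
      Artifacts:
        Type: CODEPIPELINE
      Environment:
        Type: LINUX_CONTAINER
        ComputeType: BUILD_GENERAL1_SMALL
        Image: aws/codebuild/standard:7.0
      VpcConfig:
        VpcId: !Ref VpcId
        Subnets: !Ref PrivateSubnetIds     # private subnets; the build ENI gets no public IP
        SecurityGroupIds:
          - !Ref BuildSecurityGroup
```

The build still needs a route to the CodeBuild, S3 and CloudWatch Logs endpoints (a NAT gateway or interface endpoints in those subnets), and the service role needs the ec2:CreateNetworkInterface family of permissions that CodeBuild uses to attach to the VPC; without them the build fails before any test runs, which is a different symptom from the connection timeout in the question.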

186
MCQhard

A company uses AWS CloudFormation to manage infrastructure. They want to deploy a stack that creates an Amazon RDS DB instance. The database password must be stored securely and rotated automatically. Which approach meets these requirements?

A.Hardcode the password in the CloudFormation template and use a NoEcho parameter.
B.Use AWS Key Management Service (KMS) to encrypt the password and pass it as a parameter.
C.Store the password in AWS Systems Manager Parameter Store and reference it using a dynamic reference.
D.Store the password in AWS Secrets Manager and enable automatic rotation. Reference the secret in the template using a dynamic reference.
AnswerD

Secrets Manager supports rotation and dynamic references.

Why this answer

Option D is correct because AWS Secrets Manager provides built-in capabilities for automatic password rotation, which is a requirement. By storing the password in Secrets Manager and referencing it in the CloudFormation template using a dynamic reference (e.g., `{{resolve:secretsmanager:secret-id:SecretString:password}}`), the password is never exposed in the template or parameter logs, and rotation can be configured without updating the stack. This approach meets both security and automation requirements.

Exam trap

The trap here is that candidates confuse AWS Systems Manager Parameter Store with AWS Secrets Manager, assuming both support automatic rotation, but only Secrets Manager provides native rotation capabilities for RDS credentials.

How to eliminate wrong answers

Option A is wrong because hardcoding the password in the template, even with NoEcho, still exposes the password in the template source code and does not support automatic rotation. Option B is wrong because passing the password as a parameter, even if encrypted with KMS, does not enable automatic rotation and the plaintext value may be logged in AWS CloudTrail or parameter history. Option C is wrong because AWS Systems Manager Parameter Store does not support automatic rotation of secrets; it is a parameter store, not a secrets manager with rotation capabilities.
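The pattern in Option D as a CloudFormation template, added here as an illustration (it is not code from the quiz): the secret is generated, the RDS instance reads it through dynamic references, the target attachment writes the connection details into the secret after the instance exists, and the rotation schedule uses the AWS-hosted MySQL single-user rotation function. Resource names, the MySQL engine, the 30-day interval and the VPC parameters are assumptions.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: RDS master password held in Secrets Manager with automatic rotation (added example)
Parameters:
  DbSubnetIds:
    Type: List<AWS::EC2::Subnet::Id>      # private subnets the rotation function runs in
  DbSecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id     # must allow 3306 from the rotation function
  DbSubnetGroupName:
    Type: String
Resources:
  DbSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: /prod/app/db-master
      GenerateSecretString:
        SecretStringTemplate: '{"username": "appadmin"}'
        GenerateStringKey: password
        PasswordLength: 32
        ExcludeCharacters: '"@/\'         # characters that break MySQL connection strings

  Database:
    Type: AWS::RDS::DBInstance
    DeletionPolicy: Snapshot
    Properties:
      Engine: mysql
      DBInstanceClass: db.t3.micro
      AllocatedStorage: '20'
      DBSubnetGroupName: !Ref DbSubnetGroupName
      VPCSecurityGroups:
        - !Ref DbSecurityGroupId
      PubliclyAccessible: false
      StorageEncrypted: true
      # Dynamic references are resolved when the stack operation runs; the value never
      # appears in the template, the parameter list or the stack description.
      MasterUsername: !Sub '{{resolve:secretsmanager:${DbSecret}:SecretString:username}}'
      MasterUserPassword: !Sub '{{resolve:secretsmanager:${DbSecret}:SecretString:password}}'

  SecretAttachment:
    # Adds host, port, dbInstanceIdentifier and engine to the secret so the rotation
    # function and applications can locate the database from the secret alone.
    Type: AWS::SecretsManager::SecretTargetAttachment
    Properties:
      SecretId: !Ref DbSecret
      TargetId: !Ref Database
      TargetType: AWS::RDS::DBInstance

  Rotation:
    Type: AWS::SecretsManager::RotationSchedule
    DependsOn: SecretAttachment           # rotation needs the connection details first
    Properties:
      SecretId: !Ref DbSecret
      HostedRotationLambda:
        RotationType: MySQLSingleUser
        VpcSubnetIds: !Join [ ',', !Ref DbSubnetIds ]
        VpcSecurityGroupIds: !Ref DbSecurityGroupId
      RotationRules:
        AutomaticallyAfterDays: 30
```

Rotation changes the password in both the secret and the database; the stack is not updated, which is why the template must never copy the password into a parameter or an output. For new MySQL or PostgreSQL instances, `ManageMasterUserPassword: true` on AWS::RDS::DBInstance has RDS create and rotate the secret itself and removes the dynamic references entirely.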

187
MCQmedium

A company uses AWS CodeBuild to compile and test code. The build takes 30 minutes, but the team wants to reduce build time by caching dependencies. Which approach should be used?

A.Remove unnecessary dependencies from the build specification.
B.Store dependencies in an S3 bucket and download them before each build.
C.Use AWS CodeArtifact to store dependencies and pull them during build.
D.Enable local caching in the build project configuration.
AnswerD

CodeBuild local caching stores dependencies in a cache directory that persists across builds.

Why this answer

Option D is correct because AWS CodeBuild's local caching feature allows you to cache intermediate build artifacts (such as dependencies) in a local directory on the build host, which persists across builds of the same project that land on that host. This eliminates the need to re-download dependencies from external sources for every build, significantly reducing build time. The cache lives on the build host and is best effort (S3 caching is the other cache type, used when reuse across hosts matters), but in either case CodeBuild manages the restore and save without manual download steps.

Exam trap

The trap here is that candidates may confuse caching with simply storing artifacts externally (like S3 or CodeArtifact) and fail to recognize that CodeBuild's local caching is the only option that eliminates the download overhead by persisting dependencies on the build instance itself.

How to eliminate wrong answers

Option A is wrong because removing unnecessary dependencies from the build specification is a good practice but does not address caching of existing dependencies; it reduces the total amount of dependencies but does not speed up the download of those that remain. Option B is wrong because storing dependencies in an S3 bucket and downloading them before each build still incurs network transfer time and does not leverage CodeBuild's built-in caching mechanism; it is a manual workaround that adds complexity and latency. Option C is wrong because AWS CodeArtifact is a managed artifact repository service for storing and retrieving packages, but it does not inherently cache dependencies on the build instance; using it still requires a download step during each build, which does not reduce build time as effectively as local caching.
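Caching as described here and in question 183, as an added example rather than the quiz's own code: the project definition turns on local caching, and the buildspec names the Maven repository as the cached path so the custom-cache mode knows what to persist. The project name, image, compute type and the Maven repository location are assumptions.

```yaml
# Added example. Two documents: a CloudFormation fragment for the project, then the buildspec.
# Assumed: a BuildRole resource elsewhere in the template; Maven with its default repo path.
Resources:
  BuildProject:
    Type: AWS::CodeBuild::Project
    Properties:
      Name: java-app-build
      ServiceRole: !GetAtt BuildRole.Arn
      Source:
        Type: CODEPIPELINE
      Artifacts:
        Type: CODEPIPELINE
      Environment:
        Type: LINUX_CONTAINER
        ComputeType: BUILD_GENERAL1_MEDIUM
        Image: aws/codebuild/standard:7.0
      Cache:
        Type: LOCAL
        Modes:
          - LOCAL_CUSTOM_CACHE      # persists the paths listed under cache: in the buildspec
          - LOCAL_SOURCE_CACHE      # keeps Git metadata so later builds fetch only the delta
---
# buildspec.yml
version: 0.2
phases:
  build:
    commands:
      # Point Maven at the directory that the cache persists; -B keeps the log non-interactive.
      - mvn -B -Dmaven.repo.local=/root/.m2/repository package
artifacts:
  files:
    - target/*.jar
cache:
  paths:
    - '/root/.m2/**/*'              # restored before the build, saved after it
```

LOCAL_DOCKER_LAYER_CACHE is the third mode, for image builds. Because the local cache is tied to the build host, a project whose builds often land on fresh hosts gains little from it; switching `Type` to S3 with a `Location` of bucket/prefix trades a network copy for guaranteed reuse.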

188
Multi-Selecteasy

A DevOps engineer is setting up a CI/CD pipeline for a Python application using AWS CodePipeline. The pipeline includes a build stage with CodeBuild and a deploy stage that runs an AWS CLI command to update a Lambda function. Which THREE steps are necessary to ensure the pipeline can update the Lambda function? (Choose 3)

Select 3 answers
A.Store the AWS CLI command in the buildspec file or as a separate script in the source repository.
B.Grant the CodePipeline service role permission to pass the CodeBuild IAM role to CodeBuild.
C.Configure a CloudWatch Events rule to trigger the pipeline when the Lambda function is updated.
D.Create an IAM role for CodeBuild that includes permissions to invoke 'lambda:UpdateFunctionCode'.
E.Use AWS CodeDeploy instead of the AWS CLI to update the Lambda function.
AnswersA, B, D

The deploy stage must have the command to execute.

Why this answer

Options A, B, and D are correct. The deploy step must contain the command to run (A), the CodeBuild role that executes it must be allowed lambda:UpdateFunctionCode on the function (D), and the pipeline's service role must be able to hand the build its role (B). Scope D to the function's ARN rather than '*'. Option C is incorrect because the pipeline is started by source changes; a rule that fires when the function is updated would only re-trigger the pipeline after its own deployment.

Option E is incorrect because the CLI command in the deploy stage already performs the update; CodeDeploy adds traffic shifting and rollback for Lambda, but it is not required here.

189
MCQmedium

Refer to the exhibit. A DevOps engineer sees the following error when trying to update a CloudFormation stack: 'Stack [arn:aws:cloudformation:us-west-2:123456789012:stack/MyStack/abc123] is in ROLLBACK_COMPLETE state and can not be updated.' What should the engineer do to proceed?

A.Run 'aws cloudformation continue-update-rollback' to finish the rollback and then update.
B.Modify the stack's template and try the update again.
C.Use the 'aws cloudformation resume-update' command to resume the update.
D.Delete the stack and create a new one with the updated template.
AnswerD

ROLLBACK_COMPLETE is the end state of a failed stack creation: nothing is left behind, so the stack can only be deleted and recreated.

Why this answer

Option D is correct. ROLLBACK_COMPLETE is reached only when the initial CREATE failed and rolled back, so the stack holds no resources; it cannot be updated and must be deleted and created again (a stack whose update failed ends in UPDATE_ROLLBACK_COMPLETE and can be updated). Fix the cause recorded in the stack events before recreating, or the new stack will roll back the same way. Option A is wrong because continue-update-rollback applies to stacks in UPDATE_ROLLBACK_FAILED.

Option B is wrong because no template change makes a ROLLBACK_COMPLETE stack updatable. Option C is wrong because there is no resume-update command.

190
MCQhard

A company uses multiple AWS accounts: one for development, one for testing, and one for production. They want to implement a CI/CD pipeline using AWS CodePipeline that deploys the same application to all three accounts. The source code is stored in a CodeCommit repository in the development account. The pipeline should first build the application, then deploy to development, then after approval, deploy to testing, and finally after another approval, deploy to production. The deployment uses AWS CodeDeploy to deploy to EC2 instances in each account. The pipeline will be created in the development account. Which configuration will allow the pipeline to deploy to the testing and production accounts?

A.Create IAM roles in the testing and production accounts that grant CodeDeploy permissions, and configure the pipeline to assume those roles using the CodePipeline cross-account action.
B.Establish VPC peering between the accounts and allow the pipeline to communicate directly with CodeDeploy in the other accounts.
C.Create IAM users in testing and production accounts with programmatic access, and configure the pipeline to use those credentials.
D.Use AWS Organizations to create a shared service and grant the pipeline full access to all accounts.
AnswerA

Cross-account roles are the standard way to allow a pipeline in one account to deploy to another.

Why this answer

Option A is correct because a role in each target account, trusted by the development account, lets the pipeline assume it for the deploy action (the action's RoleArn field). Two more pieces are required for the artifacts: the pipeline's artifact bucket must use a customer managed KMS key whose key policy, together with the bucket policy, grants the testing and production roles read access, and the EC2 instance profiles in those accounts must be able to read the revision from that bucket. Option C is wrong because CodePipeline actions do not take IAM user credentials, and long-lived user keys would be a poor substitute for a role in any case.

Option B is wrong because VPC peering is network connectivity, not permission; CodeDeploy is called through its public API. Option D is wrong because AWS Organizations provides account management and policies, not cross-account access for a pipeline.
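The cross-account role pattern behind this question and question 175, as a CloudFormation example added here (it is not the quiz's own code). The first document is deployed in the testing account and creates the role the pipeline assumes; the second is the deploy action in the development account's pipeline that names it. Account IDs 111111111111 (development, where the pipeline runs) and 222222222222 (testing), the bucket name, the KMS key placeholder and the application names are all assumptions.

```yaml
# Added example. Deployed in the TESTING account (222222222222).
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  CrossAccountDeployRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: pipeline-deploy-role
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              # Tighten to the pipeline service role's ARN once it is known.
              AWS: arn:aws:iam::111111111111:root
            Action: sts:AssumeRole
      Policies:
        - PolicyName: codedeploy-and-artifacts
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow          # drive the deployment in this account
                Action:
                  - codedeploy:CreateDeployment
                  - codedeploy:GetDeployment
                  - codedeploy:GetDeploymentConfig
                  - codedeploy:GetApplicationRevision
                  - codedeploy:RegisterApplicationRevision
                Resource: '*'
              - Effect: Allow          # read the build artifact from the pipeline account's bucket
                Action:
                  - s3:GetObject
                  - s3:GetObjectVersion
                  - s3:GetBucketVersioning
                Resource:
                  - arn:aws:s3:::pipeline-artifacts-111111111111
                  - arn:aws:s3:::pipeline-artifacts-111111111111/*
              - Effect: Allow          # artifacts are encrypted with the pipeline's customer managed key
                Action:
                  - kms:Decrypt
                  - kms:DescribeKey
                Resource: arn:aws:kms:us-east-1:111111111111:key/REPLACE-WITH-KEY-ID
---
# Added example. Fragment of the Stages list of the pipeline in the DEV account (111111111111).
        - Name: DeployToTesting
          Actions:
            - Name: CodeDeploy
              RunOrder: 1
              ActionTypeId:
                Category: Deploy
                Owner: AWS
                Provider: CodeDeploy
                Version: '1'
              # Assumed for this action only; the pipeline role needs sts:AssumeRole on it.
              RoleArn: arn:aws:iam::222222222222:role/pipeline-deploy-role
              Configuration:
                ApplicationName: my-app
                DeploymentGroupName: testing
              InputArtifacts:
                - Name: BuildOutput
```

The artifact bucket policy and the KMS key policy in the development account must name arn:aws:iam::222222222222:role/pipeline-deploy-role (and the instance profile of the target EC2 instances, which download the revision with the CodeDeploy agent) before the action will succeed; a missing grant on either one shows up as an access denied error on the artifact, not on CodeDeploy.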

191
MCQhard

Refer to the exhibit. A CodeBuild project uses this buildspec.yml to build and push a Docker image to Amazon ECR. The build fails at the pre_build phase with the error 'Error: Cannot perform an interactive login from a non TTY device'. What is the MOST likely issue?

A.The AWS_DEFAULT_REGION environment variable is not set in CodeBuild.
B.The CodeBuild project's IAM role does not have permission to call ecr:GetAuthorizationToken.
C.The buildspec.yml is missing the 'docker login' command.
D.The Docker daemon is not running on the CodeBuild instance.
AnswerB

A failed token call leaves docker login with empty input, which produces exactly this error.

Why this answer

Option B is correct. The usual pre_build line is `aws ecr get-login-password --region $AWS_DEFAULT_REGION | docker login --username AWS --password-stdin <registry>`. When the get-login-password call fails, typically because the CodeBuild role lacks ecr:GetAuthorizationToken, it writes an error to stderr and nothing to stdout; docker login then receives an empty password on stdin, falls back to prompting, and fails with 'Cannot perform an interactive login from a non TTY device'. The error names the second command in the pipe, but the cause is the first. Confirm it by looking in the build log for the AccessDenied line printed just before the Docker error. Option C is wrong because the login command is present; a missing login would fail later, at the push, with 'no basic auth credentials'. Option A is unlikely because the region is supplied through an environment variable here, and a missing region produces a region error from the CLI rather than a Docker error.

Option D is wrong because a stopped daemon fails with 'Cannot connect to the Docker daemon', not an interactive-login error; in the managed image the daemon runs when privileged mode is enabled on the project.

192
MCQhard

A company is using AWS CodeCommit with multiple repositories. Developers are required to create pull requests for all changes, and the pull request must be associated with a JIRA issue key (e.g., PROJ-123) in the commit message. A DevOps engineer needs to enforce this policy automatically. Which approach meets the requirement with minimal operational overhead?

A.Store JIRA keys in an S3 bucket and configure a CloudWatch Events rule to check commits
B.Create a CodeCommit trigger that invokes an AWS Lambda function to validate the pull request description and reject if missing JIRA key
C.Use AWS CodeBuild to run a validation script during the build phase
D.Require developers to install a pre-commit hook script locally
AnswerB

Server-side enforcement via triggers.

Why this answer

Option B is correct because CodeCommit triggers invoke a Lambda function on repository events, so the check runs server-side on every push without any build infrastructure. Two caveats a practitioner should know: triggers fire after the push has been accepted, so the function cannot block it, only flag it (for example by posting a comment, closing the pull request, or withholding its approval); and triggers respond to push and branch events, so a check that needs the pull request itself should subscribe to the CodeCommit Pull Request State Change event in EventBridge instead. Option D is wrong because pre-commit hooks run on the developer's machine and can be skipped.

Option C is wrong because a CodeBuild step runs only when a pipeline or rule starts it and checks the merged result, not each pull request as it is opened. Option A is wrong because storing keys in S3 and reading them from a rule adds infrastructure without anything that validates the message.

193
Multi-Selecthard

A company uses AWS CodePipeline to deploy a critical application. The pipeline has a manual approval step before deployment. Which TWO actions should be taken to improve security and auditability? (Choose two.)

Select 2 answers
A.Enable AWS CloudTrail to log all approval actions.
B.Remove the approval step and rely on post-deployment monitoring.
C.Integrate with AWS IAM to require multi-factor authentication (MFA) for approvers.
D.Replace the manual approval with an automated approval based on test results.
E.Use a shared IAM user for all approvers to simplify management.
AnswersA, C

CloudTrail logs who approved and when, providing audit trail.

Why this answer

Options A and C are correct. CloudTrail records each PutApprovalResult call with the approver's identity, time and result, which is the audit trail; requiring MFA on the identities that may call PutApprovalResult (an aws:MultiFactorAuthPresent condition on the approval action's ARN) means a stolen password alone cannot approve a production release. Option B is wrong because removing the gate removes the control. Option D is wrong because an automated approval based on test results bypasses the human review the step exists for.

Option E is wrong because a shared IAM user destroys accountability: CloudTrail would show the same principal for every approver.
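The approver policy implied by this question and question 182, as a CloudFormation example added here (not the quiz's own code): read access to the one pipeline, and PutApprovalResult only on the production approval action and only with MFA present. The pipeline, stage and action names and the ReleaseApprovers group are assumptions.

```yaml
# Added example. Assumed: a pipeline named prod-release with a stage ApproveProd containing
# a manual approval action named ManualApproval, and an IAM group ReleaseApprovers.
Resources:
  ApproverPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: prod-release-approver
      Groups:
        - !Ref ReleaseApprovers
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: SeeThePipeline
            Effect: Allow
            Action:
              - codepipeline:GetPipeline
              - codepipeline:GetPipelineState
              - codepipeline:GetPipelineExecution
              - codepipeline:ListPipelineExecutions
            Resource: !Sub arn:aws:codepipeline:${AWS::Region}:${AWS::AccountId}:prod-release
          - Sid: ApproveOnlyTheProdGateWithMfa
            Effect: Allow
            Action: codepipeline:PutApprovalResult
            # Approval ARNs are pipeline/stage/action, so the grant cannot leak to other gates.
            Resource: !Sub arn:aws:codepipeline:${AWS::Region}:${AWS::AccountId}:prod-release/ApproveProd/ManualApproval
            Condition:
              Bool:
                # Absent for long-lived access keys, so API calls without MFA get no Allow.
                aws:MultiFactorAuthPresent: 'true'
```

Each approval or rejection then appears in CloudTrail as a PutApprovalResult event carrying the approver's identity and the result; pairing that with federated identities rather than IAM users keeps the trail tied to a person.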

194
MCQmedium

A company uses AWS CodePipeline with a multi-branch strategy. Developers push to feature branches, which should trigger a pipeline that runs unit tests and then deploys to a staging environment. However, the pipeline only triggers on the main branch. What should be done to enable pipeline execution for feature branches?

A.Change the source provider from Amazon S3 to AWS CodeCommit.
B.Increase the polling frequency in the source stage to detect new branches.
C.Create a separate pipeline for each feature branch.
D.Update the source stage to use 'Webhook' as the change detection method and specify a branch pattern.
AnswerD

Webhooks with branch patterns trigger pipelines on pushes to matching branches.

Why this answer

Option D is correct because a trigger with a branch pattern starts the pipeline on pushes to the matching feature branches instead of the single branch a source action is pinned to. Check the pipeline type before relying on this: branch-pattern (and tag and file-path) filters are a pipeline type V2 trigger feature for connection-based sources such as GitHub and Bitbucket; a CodeCommit source action always tracks one named branch, so for CodeCommit feature-branch builds are usually started by an EventBridge rule that runs a CodeBuild project with the pushed branch as its source version. Option A is incorrect because the source provider does not change which branches start the pipeline. Option B is incorrect because polling is less efficient than event-based detection and, like events, still watches only the configured branch.

Option C is incorrect because a separate pipeline per feature branch is unmaintainable once branches come and go daily.

195
Multi-Selectmedium

Which TWO actions are best practices when designing a CI/CD pipeline for a containerized application on Amazon ECS? (Choose two.)

Select 2 answers
A.Run a full integration test suite on every commit to the repository.
B.Separate the build stage from the deploy stage in the pipeline.
C.Build the Docker image in the deploy stage to ensure consistency.
D.Use a rolling update with a fixed number of tasks for deployment.
E.Use a blue/green deployment strategy for the ECS service.
AnswersB, E

Separation allows independent validation and rollback.

Why this answer

Separating the build stage from the deploy stage (B) keeps one immutable image that is tested once and then promoted, and lets the deploy stage be retried or rolled back on its own. A blue/green deployment of the ECS service (E) starts the new task set alongside the old one and shifts traffic only once it is healthy, which gives a clean rollback path. C is wrong because rebuilding the image during deployment means the artifact that was tested is not the one deployed.

A is wrong because a full integration suite on every commit slows feedback; run fast unit tests per commit and the full suite at a later stage. D is wrong because a rolling update with a fixed task count reduces capacity during the rollout and offers no instant rollback.

196
Multi-Selecthard

A company is migrating to a microservices architecture on Amazon ECS with AWS Fargate. They want to automate the deployment process using AWS CodePipeline. The pipeline should build a Docker image, push it to Amazon ECR, and deploy the updated service to ECS. Which THREE components are required in the pipeline? (Choose 3.)

Select 3 answers
A.Deploy stage with AWS CodeDeploy to ECS.
B.Build stage with AWS CodeBuild to build the Docker image and push to ECR.
C.Manual approval stage.
D.Source stage with AWS CodeCommit or Amazon S3 as source.
E.Test stage with AWS CodeBuild to run unit tests.
AnswersA, B, D

Deploy stage updates the ECS service.

Why this answer

Options A, B, and D are correct: a source stage (D) with CodeCommit or S3, a build stage (B) in which CodeBuild builds the image and pushes it to ECR, and a deploy stage (A) that updates the service, using CodeDeploy for blue/green or the Amazon ECS deploy action for a rolling update. Option C is wrong because a manual approval is optional.

Option E is wrong because a separate test stage, while good practice, is not required for the pipeline to function.

197
MCQeasy

An organization is using AWS CodeDeploy to deploy an application to an Auto Scaling group. The deployment fails because the target group is not configured correctly. Which CodeDeploy component is responsible for registering instances with the load balancer?

A.The CodeDeploy agent configuration
B.The deployment group configuration
C.The AppSpec file hooks section
D.The application revision bundle
AnswerC

Hooks define lifecycle events, including registration/deregistration

Why this answer

The AppSpec file's 'hooks' section maps lifecycle events (BeforeInstall, AfterInstall, ApplicationStart, ValidateService, and for load-balanced deployments BeforeAllowTraffic and AfterAllowTraffic) to the scripts that run at each point, so the registration and deregistration logic, and any checks around it, live there. When the deployment group lists a load balancer or target group, CodeDeploy performs the deregister and register steps itself around those two hooks; the hooks are where custom handling goes.

Option C is correct. Option B is wrong because the deployment group names the target group but does not contain the registration actions. Option A is wrong because the agent only executes what the AppSpec tells it to.

Option D is wrong because the revision bundle carries the application files and the AppSpec itself, not the traffic routing logic.

198
MCQmedium

An organization uses AWS CodeDeploy for automated deployments to EC2 instances. The deployment is failing with the error 'The overall deployment failed because too many individual instances failed deployment, too few healthy instances are available for deployment, or some instances in your deployment group are experiencing problems.' The deployment group has a minimum healthy hosts setting of 75%. The application has 4 instances. What is the MOST likely issue?

A.The AppSpec file references a script that does not exist.
B.The IAM instance profile does not have sufficient permissions.
C.The CodeDeploy agent is not installed on any of the instances.
D.The deployment failed on 2 instances, leaving only 2 healthy.
AnswerD

75% of 4 instances is 3 healthy instances; with only 2 healthy the deployment is below the threshold and stops.

Why this answer

Option D is correct. CodeDeploy converts FLEET_PERCENT to a whole number of instances, so 75% of 4 requires 3 healthy instances at all times and the deployment proceeds one instance at a time. If one instance fails, 3 remain healthy and the deployment continues; when a second fails, only 2 are healthy, the minimum is breached and CodeDeploy stops with exactly this error. Option C is wrong because a missing agent would fail every instance, and the deployment would report them as unreachable. Option A is wrong because a missing script would fail on every instance at the same lifecycle event.

Option B is wrong because an instance profile without access to the revision also fails on every instance, at the DownloadBundle event.

199
MCQhard

A company uses AWS CloudFormation to manage infrastructure. They need to implement a CI/CD pipeline that automatically updates CloudFormation stacks when changes are pushed to a CodeCommit repository. The pipeline must use change sets to review changes before execution. Which pipeline configuration meets these requirements?

A.Use a CloudFormation action in CodePipeline with action mode 'CREATE_UPDATE' and include a manual approval step before the action.
B.Use a CloudFormation action with action mode 'CHANGE_SET_REPLACE' and then a separate action with mode 'CHANGE_SET_EXECUTE' after an approval step.
C.Use an AWS Lambda function to create a change set and trigger a manual approval via SNS.
D.Use a CloudFormation action with action mode 'CREATE_UPDATE' and set the 'Review' flag to true.
AnswerB

Why this answer

Option B is correct because CodePipeline's CloudFormation deployment action supports a 'CHANGE_SET_REPLACE' mode that creates or replaces a named change set without executing it, followed by a 'CHANGE_SET_EXECUTE' action that applies the change set after an approval step. This two-step approach lets the team review the exact resource changes (including replacements) before they are applied, meeting the requirement to use change sets for review before execution.

Exam trap

The trap here is that candidates often assume a manual approval step combined with a 'CREATE_UPDATE' action is sufficient for review, but they miss that change sets are required to preview the actual changes before execution, and 'CREATE_UPDATE' does not generate a change set at all.

Why the other options are wrong

A

CREATE_UPDATE directly applies changes without creating a change set first.

C

This is more complex and not the native CodePipeline CloudFormation action.

D

There is no 'Review' flag; CloudFormation actions do not support reviewing before update in that mode.
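As an added example that is not part of the question bank, the following Python checks a pipeline definition for the two-step pattern above: every CloudFormation deploy action must be a CHANGE_SET_REPLACE, followed by a manual approval, followed by a CHANGE_SET_EXECUTE for the same stack and change set, and any CREATE_UPDATE is flagged. The dictionary layout mirrors what `aws codepipeline get-pipeline` returns (stages, actions, actionTypeId, configuration); the pipeline, stack, change set, role, topic and artifact names and the account id are made up for the example.

```python
"""Pipeline guard-rail: every CloudFormation deploy must go
CHANGE_SET_REPLACE -> Manual approval -> CHANGE_SET_EXECUTE,
and CREATE_UPDATE (apply with nothing to review) is flagged."""
from typing import Any, Dict, Iterator, List, Tuple

Action = Dict[str, Any]


def _is(action: Action, category: str, provider: str) -> bool:
    type_id = action.get("actionTypeId", {})
    return type_id.get("category") == category and type_id.get("provider") == provider


def actions_in_order(pipeline: Dict[str, Any]) -> Iterator[Tuple[str, Action]]:
    """Yield (stage name, action) in execution order: stage by stage, then by runOrder."""
    for stage in pipeline["stages"]:
        for action in sorted(stage["actions"], key=lambda a: a.get("runOrder", 1)):
            yield stage["name"], action


def check_change_set_pattern(pipeline: Dict[str, Any]) -> List[str]:
    """Return findings; an empty list means every stack change is reviewed before execution."""
    findings: List[str] = []
    # Change sets created but not yet executed: (StackName, ChangeSetName) -> state
    pending: Dict[Tuple[str, str], Dict[str, Any]] = {}
    for stage_name, action in actions_in_order(pipeline):
        label = f"{stage_name}/{action['name']}"
        if _is(action, "Approval", "Manual"):
            for state in pending.values():  # a human gate covers every change set created before it
                state["approved"] = True
            continue
        if not _is(action, "Deploy", "CloudFormation"):
            continue
        cfg = action.get("configuration", {})
        mode, key = cfg.get("ActionMode"), (cfg.get("StackName"), cfg.get("ChangeSetName"))
        if mode == "CREATE_UPDATE":
            findings.append(f"{label}: CREATE_UPDATE applies changes directly, nothing to review")
        elif mode == "CHANGE_SET_REPLACE":
            pending[key] = {"stage": stage_name, "approved": False}
        elif mode == "CHANGE_SET_EXECUTE":
            state = pending.pop(key, None)
            if state is None:
                findings.append(f"{label}: executes {key[1]} on {key[0]} but no earlier action created it")
            elif not state["approved"]:
                findings.append(f"{label}: executes {key[1]} on {key[0]} with no manual approval in between")
    for key, state in pending.items():
        findings.append(f"{state['stage']}: {key[1]} on {key[0]} is created but never executed")
    return findings


# --- constructed sample pipelines (names and account id are made up) ---------------------
def _cfn_action(name: str, mode: str, run_order: int) -> Action:
    return {
        "name": name,
        "runOrder": run_order,
        "actionTypeId": {"category": "Deploy", "owner": "AWS", "provider": "CloudFormation", "version": "1"},
        "configuration": {
            "ActionMode": mode,
            "StackName": "app-prod",
            "ChangeSetName": "pipeline-changeset",
            "TemplatePath": "BuildOutput::template.yaml",
            "Capabilities": "CAPABILITY_NAMED_IAM",
            "RoleArn": "arn:aws:iam::123456789012:role/cfn-deploy-app-prod",
        },
        "inputArtifacts": [{"name": "BuildOutput"}],
    }


APPROVAL: Action = {
    "name": "ReviewChangeSet",
    "runOrder": 2,
    "actionTypeId": {"category": "Approval", "owner": "AWS", "provider": "Manual", "version": "1"},
    "configuration": {"NotificationArn": "arn:aws:sns:us-east-1:123456789012:prod-approvals"},
}

GOOD_PIPELINE = {"name": "infra-pipeline", "stages": [{"name": "Deploy", "actions": [
    _cfn_action("CreateChangeSet", "CHANGE_SET_REPLACE", 1),
    APPROVAL,
    _cfn_action("ExecuteChangeSet", "CHANGE_SET_EXECUTE", 3),
]}]}

# Option A from the question: an approval followed by CREATE_UPDATE, so reviewers approve blind.
BAD_PIPELINE = {"name": "infra-pipeline", "stages": [{"name": "Deploy", "actions": [
    {**APPROVAL, "runOrder": 1},
    _cfn_action("UpdateStack", "CREATE_UPDATE", 2),
]}]}

if __name__ == "__main__":
    for name, p in (("good", GOOD_PIPELINE), ("bad", BAD_PIPELINE)):
        print(name, check_change_set_pattern(p) or "OK")
```

Run it against the output of `aws codepipeline get-pipeline --name <pipeline>` (loaded with `json.load`) as a pre-merge check on pipeline definitions, or as a periodic audit across an account.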

200
MCQhard

An organization uses AWS CodePipeline with multiple stages: Source, Build, Test, and Deploy. The Test stage runs integration tests that take 30 minutes. The team wants to speed up feedback without skipping tests. Which action should they take?

A.Use a larger build environment for the Test stage.
B.Configure parallel build actions in the Test stage to run tests concurrently.
C.Remove the Test stage and rely on post-deployment testing.
D.Move the Test stage to after deployment.
AnswerB

Running tests in parallel reduces the overall stage duration.

Why this answer

Option B is correct because actions in the same stage with the same run order execute concurrently, so splitting the suite across several CodeBuild actions cuts the stage time to the slowest partition rather than the sum. Option A is wrong because a larger compute type only helps CPU- or memory-bound tests; integration tests are usually waiting on network calls and the environment under test. Option C is wrong because it skips pre-deployment testing altogether.

Option D is wrong because moving the tests after deployment delays feedback and lets untested code reach the environment.

201
MCQmedium

A DevOps engineer is troubleshooting a failed AWS CloudFormation stack update. The stack contains an AWS::Lambda::Function resource. The update failed with the error 'Resource creation cancelled' after a timeout. The engineer wants to view the logs from the Lambda function during the stack update to diagnose the issue. What should the engineer do?

A.Use AWS CodeBuild to build and test the function locally
B.Enable detailed CloudFormation logging in the stack template
C.Access the CloudWatch Logs log group for the Lambda function
D.Review the CloudFormation stack events in the AWS Management Console
AnswerC

Lambda writes logs to CloudWatch Logs automatically

Why this answer

CloudFormation does not directly capture Lambda function logs. The Lambda function logs are sent to Amazon CloudWatch Logs. The engineer should check the CloudWatch Logs log group for the specific function to see any errors during invocation.

Option C is correct. Option D is wrong because stack events record each resource's status transitions and the reason CloudFormation gives, not the function's own output. Option B is wrong because CloudFormation has no template setting that captures Lambda output; the function's execution role needs the CloudWatch Logs permissions in the AWSLambdaBasicExecutionRole managed policy for the log group to receive anything at all.

Option A is wrong because CodeBuild is not involved in this scenario. One caveat: the log group only holds entries for invocations, so if the function was never called during the update (it is not a custom resource handler and nothing invoked it), start from the stack events instead to find the resource that failed first and caused the cancellation.

202
MCQmedium

A DevOps engineer needs to implement a CI/CD pipeline that builds a Docker image, scans it for vulnerabilities, and deploys it to Amazon ECS. The scanning must be integrated into the pipeline before the image is pushed to Amazon ECR. Which approach meets these requirements?

A.Enable ECR 'Scan on Push' and configure CodePipeline to deploy only if the scan result is clean.
B.Use CodeBuild to run a vulnerability scanner on the Docker image, then push to ECR only if the scan passes.
C.Use AWS Lambda to scan the image after push and automatically roll back if vulnerabilities are found.
D.Use AWS Security Hub to scan images in ECR and block deployment.
AnswerB

Why this answer

Option B is correct because it uses CodeBuild to run a vulnerability scanner on the Docker image before pushing to ECR, ensuring that only images that pass the scan are stored and deployed. This satisfies the requirement to scan before the image is pushed to ECR, which is critical for preventing vulnerable images from entering the registry.

Exam trap

The trap here is that candidates often confuse 'Scan on Push' (post-push) with pre-push scanning, or assume that Security Hub can directly scan and block deployments, when in reality it is an aggregation and correlation service, not a scanning engine.

Why the other options are wrong

A

Scan on Push scans after the image is pushed, not before. The requirement is to scan before push.

C

This scans after push, not before.

D

Security Hub aggregates findings but does not scan images itself; it relies on other services.

203
MCQeasy

A DevOps engineer is setting up a CI/CD pipeline for a microservices architecture. The team uses AWS CodeCommit, CodeBuild, and CodeDeploy. The engineer needs to ensure that the pipeline can automatically roll back the deployment if the health checks fail after deployment. Which action should the engineer take?

A.Use AWS Lambda to monitor health checks and trigger a rollback via the CodeDeploy API.
B.Configure the deployment group to roll back when a CloudWatch alarm is triggered.
C.Set up the deployment group to use blue/green deployment with traffic shifting.
D.Configure the pipeline to have a manual approval step after deployment.
AnswerB

CodeDeploy can automatically roll back based on CloudWatch alarms.

Why this answer

Option B is correct because a deployment group's automatic rollback settings can list one or more CloudWatch alarms; if any of them enters the ALARM state while the deployment is in progress, CodeDeploy stops the deployment and redeploys the last known good revision. Option A works but reimplements what the deployment group already provides, and adds a Lambda function with deployment permissions to maintain. Option C changes how the new revision receives traffic; a blue/green deployment still needs the same rollback configuration to revert automatically. Option D is a manual gate before deployment, not an automatic rollback after it.

204
MCQeasy

A developer wants to automate the creation of a new Amazon ECS service whenever a new Docker image is pushed to Amazon ECR. Which AWS service should be used to orchestrate this workflow?

A.Amazon EventBridge
B.AWS Step Functions
C.Amazon CloudWatch Logs
D.Amazon S3
AnswerA

EventBridge can detect ECR events and invoke a Lambda function to create the ECS service.

Why this answer

Option A is correct because Amazon EventBridge receives the ECR Image Action event (action type PUSH) and can route it to a target such as a Lambda function that creates or updates the ECS service. Option C is incorrect because CloudWatch Logs stores and queries log data. Option B is incorrect because Step Functions coordinates a workflow once it has been started; it does not subscribe to ECR events itself, although an EventBridge rule can start a state machine as its target.

Option D is incorrect because S3 is for object storage.

205
Multi-Selectmedium

A company uses AWS CodeBuild to build and test a Node.js application. The buildspec.yml currently runs npm install and npm test. They want to also run a security scan using a third-party tool. Which THREE steps are required to integrate the security scan into the CodeBuild build?

Select 3 answers
A.Ensure the build fails if the scanner finds vulnerabilities by checking the exit code.
B.Create a new 'security' phase in the buildspec.yml.
C.Add a command to run the security scanner in the build phase.
D.Add a command to install the security scanning tool in the pre_build or build phase.
E.Upload the security scanner configuration to an S3 bucket and reference it in the buildspec.
AnswersA, C, D

Fail the build on security issues.

Why this answer

Option A is correct because CodeBuild phases (install, pre_build, build, post_build) run shell commands sequentially, and a non-zero exit code from any command causes the build to fail. By checking the exit code of the security scanner (e.g., via `$?` or relying on the tool's default exit behavior), the build will stop and report failure if vulnerabilities are found, enforcing a security gate. This is the standard mechanism to integrate third-party tools without custom scripting.

Exam trap

The trap here is that candidates think they need to create a custom phase (Option B) to run a security scan, but CodeBuild's fixed phases are sufficient—simply add the scanner command to the existing build phase after the test step.
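The gate step that questions 202 and 205 describe, as an added example that is not part of the original page: a small Python script that a CodeBuild build phase runs after the scanner and before the push. CodeBuild fails the build on any non-zero exit, so the script's exit code is the whole gate. The report layout (Results[].Vulnerabilities[].Severity) follows Trivy's JSON output; the embedded SAMPLE_REPORT, its CVE identifiers, package names and image name are constructed for this example, and the buildspec lines quoted in the docstring show where the script would sit.

```python
"""Container scan gate for a CodeBuild build phase. Intended use in buildspec.yml:

  build:
    commands:
      - docker build -t "$IMAGE" .
      - trivy image --format json --output scan.json "$IMAGE"
      - python3 scan_gate.py scan.json        # non-zero exit fails the build here
  post_build:
    commands:
      - docker push "$IMAGE"                  # only reached if the gate passed
"""
import json
import sys
from collections import Counter
from typing import Any, Dict, Iterable, Iterator, List, Tuple

# Severity ranking used for the threshold; anything unrecognised ranks lowest.
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def _vulns(report: Dict[str, Any]) -> Iterator[Tuple[str, Dict[str, Any]]]:
    """Yield (target, vulnerability) pairs from a Trivy-style JSON report."""
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:  # key may be absent or null
            yield result.get("Target", "?"), vuln


def count_by_severity(report: Dict[str, Any]) -> Counter:
    counts: Counter = Counter()
    for _, vuln in _vulns(report):
        counts[str(vuln.get("Severity", "UNKNOWN")).upper()] += 1
    return counts


def blocking_findings(report: Dict[str, Any], fail_on: str = "HIGH",
                      ignore_ids: Iterable[str] = ()) -> List[Dict[str, Any]]:
    """Findings at or above `fail_on` that are not on the (time-boxed) ignore list."""
    threshold = SEVERITY_RANK[fail_on.upper()]
    ignored = set(ignore_ids)
    out = []
    for target, vuln in _vulns(report):
        sev = str(vuln.get("Severity", "UNKNOWN")).upper()
        vid = vuln.get("VulnerabilityID", "")
        if SEVERITY_RANK.get(sev, 0) >= threshold and vid not in ignored:
            out.append({"id": vid, "severity": sev, "pkg": vuln.get("PkgName"),
                        "installed": vuln.get("InstalledVersion"),
                        "fixed": vuln.get("FixedVersion"), "target": target})
    return out


def gate_exit_code(report: Dict[str, Any], fail_on: str = "HIGH",
                   ignore_ids: Iterable[str] = ()) -> int:
    """0 = safe to push, 1 = block. CodeBuild fails the build on any non-zero exit."""
    return 1 if blocking_findings(report, fail_on, ignore_ids) else 0


# Constructed sample report (image name, packages and CVE ids are made up).
SAMPLE_REPORT = {
    "ArtifactName": "example.com/app:abc123",
    "Results": [
        {"Target": "example.com/app:abc123 (alpine 3.19)", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
             "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother",
             "InstalledVersion": "2.3.0", "FixedVersion": "", "Severity": "LOW"}]},
        {"Target": "Node.js", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "some-npm-package",
             "InstalledVersion": "4.17.20", "FixedVersion": "4.17.21", "Severity": "HIGH"}]},
    ],
}


def main(argv: List[str]) -> int:
    report = json.load(open(argv[1])) if len(argv) > 1 else SAMPLE_REPORT
    print("severity counts:", dict(count_by_severity(report)))
    for f in blocking_findings(report, fail_on="HIGH"):
        print(f"BLOCK {f['severity']:<8} {f['id']} {f['pkg']} {f['installed']} "
              f"-> fix {f['fixed'] or 'none'} ({f['target']})")
    return gate_exit_code(report, fail_on="HIGH")


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The ignore list exists so that a finding with no fixed version can be accepted deliberately for a limited time; keep it in the repository with an expiry so the exception is reviewed rather than forgotten.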

206
MCQeasy

A development team is using AWS CodeCommit as the source for a CI/CD pipeline. They want to automatically trigger a build in AWS CodeBuild whenever a developer pushes changes to any branch in the repository. Which pipeline configuration should be used?

A.Configure CodePipeline to poll the CodeCommit repository every minute
B.Use Amazon EventBridge to capture CodeCommit events and start a CodePipeline execution
C.Set up a scheduled CodePipeline execution using Amazon CloudWatch Events
D.Configure a CodeCommit repository trigger to invoke a Lambda function that starts a CodeBuild build
AnswerD

Triggers provide immediate response to pushes.

Why this answer

Option D is correct because a CodeCommit repository trigger can fire on pushes to all branches and invoke a Lambda function, which reads the pushed branch from the event and calls the CodeBuild StartBuild API with that branch as the source version. Option B is wrong because a CodePipeline CodeCommit source action is bound to one branch, so starting a pipeline cannot cover pushes to any branch. Option A is wrong because polling adds latency and is likewise tied to a single branch.

Option C is wrong because a scheduled execution runs on a timer and does not respond to pushes. For completeness, an EventBridge rule matching CodeCommit referenceUpdated events with the CodeBuild project as a direct target also covers every branch; it is not what option B describes, since that option starts a pipeline rather than a build.

207
MCQhard

Refer to the exhibit. The deployment succeeded but the application fails. What is the MOST likely cause?

A.The CodePipeline deployment action uses the wrong cluster.
B.The new task definition has a misconfigured database connection string or security group.
C.The ECS service is not registered with a target group.
D.The database is not available in the same Availability Zone.
AnswerB

The timeout to database IP indicates network or configuration issue introduced by the new task definition.

Why this answer

The error shows a database connection timeout to an internal IP (10.0.0.5). The new task definition likely has incorrect environment variables or security group rules that prevent connecting to the database.

208
MCQmedium

A team uses AWS CodeDeploy to deploy an application to an Auto Scaling group. The deployment is configured with a deployment configuration that uses the 'CodeDeployDefault.OneAtATime' traffic routing. However, during deployment, the new instances are failing health checks and the deployment is rolling back. The team wants to minimize the impact on users. What should the team do to detect issues earlier?

A.Change the deployment configuration to 'CodeDeployDefault.AllAtOnce'.
B.Use a canary deployment configuration that shifts 10% of traffic initially.
C.Increase the batch size to deploy to multiple instances at once.
D.Add a manual approval step in the pipeline before the deployment.
AnswerB

Canary deployments allow early detection of issues with minimal impact.

Why this answer

Option B is correct because a canary configuration routes only a small share of traffic (10% here) to the new revision first, so a failing health check or alarm is detected while most users are still served by the old revision, and the rollback affects far fewer requests. Option A is wrong because AllAtOnce replaces every instance simultaneously and a bad revision becomes a full outage. Option C is wrong because a larger batch exposes more users before a problem is detected, which is the opposite of early detection.

Option D is wrong because a manual approval is a human checkpoint before the deployment starts; it does not observe runtime health. Note that the Canary10Percent predefined configurations (CodeDeployDefault.LambdaCanary10Percent5Minutes, CodeDeployDefault.ECSCanary10Percent5Minutes) apply to Lambda and ECS deployments; for EC2 and Auto Scaling groups the predefined choices are AllAtOnce, HalfAtATime and OneAtATime, and a blue/green deployment behind a load balancer is how a new fleet is validated before traffic is rerouted.

209
MCQhard

A company uses AWS CodeStar to manage software development projects. The team wants to integrate a third-party issue tracking system with CodeStar. Which AWS service should they use to achieve this integration?

A.Amazon API Gateway
B.Amazon CloudWatch Events
C.AWS CodePipeline webhooks
D.Amazon Simple Notification Service (SNS)
AnswerC

CodePipeline webhooks allow integration with external systems.

Why this answer

AWS CodePipeline webhooks (the PutWebhook API) register an HTTPS endpoint that starts a pipeline execution when an external system sends a POST to it, with an authentication type (HMAC, IP range or unauthenticated) and filter rules evaluated against the request body. An external issue tracker can call that endpoint on an issue status change, which is the integration the question expects. Two practical notes: AWS CodeStar reached end of support on 31 July 2024, while the webhook mechanism belongs to CodePipeline and continues to work for pipelines outside CodeStar; and an unauthenticated webhook lets anyone who learns the URL start your pipeline, so use HMAC authentication or an IP allow-list.

Exam trap

The trap here is that candidates often confuse the purpose of AWS services like SNS or CloudWatch Events, thinking they can directly receive external HTTP callbacks, but they lack native webhook support for third-party systems, whereas CodePipeline webhooks are specifically designed for this integration.

How to eliminate wrong answers

Option A is wrong because Amazon API Gateway is used to create, publish, and manage RESTful APIs, not to directly integrate third-party issue tracking systems with CodeStar; it would require custom Lambda functions and additional overhead. Option B is wrong because Amazon CloudWatch Events (now Amazon EventBridge) is designed to route AWS service events and custom application events, but it cannot natively receive HTTP callbacks from a third-party issue tracking system without an intermediary like API Gateway. Option D is wrong because Amazon Simple Notification Service (SNS) is a pub/sub messaging service that can send notifications, but it does not provide a direct HTTP endpoint for third-party systems to trigger CodePipeline; it would require additional components to translate the webhook call into an SNS message.

210
Multi-Selecteasy

Which TWO are valid deployment configurations in AWS CodeDeploy? (Choose two.)

Select 2 answers
A.Rolling
B.Linear
C.AllAtOnce
D.Canary10Percent5Minutes
E.BlueGreen
AnswersC, D

This is a predefined configuration that deploys to all instances at once.

Why this answer

CodeDeploy ships predefined deployment configurations such as CodeDeployDefault.AllAtOnce (with CodeDeployDefault.LambdaAllAtOnce and CodeDeployDefault.ECSAllAtOnce variants) and the canary configurations CodeDeployDefault.LambdaCanary10Percent5Minutes and CodeDeployDefault.ECSCanary10Percent5Minutes. Blue/green and in-place are deployment types, not configurations. 'Rolling' is not a CodeDeploy configuration name; the EC2 equivalents are CodeDeployDefault.OneAtATime and CodeDeployDefault.HalfAtATime.

'Linear' on its own is likewise not a configuration; it is a traffic-shifting pattern that only appears inside names such as CodeDeployDefault.LambdaLinear10PercentEvery1Minute.

211
MCQhard

An organization uses AWS CodePipeline to deploy a serverless application using AWS Lambda and Amazon API Gateway. The pipeline includes a manual approval action. The team wants to ensure that the approval email is sent to multiple approvers and that any one of them can approve or reject. How should the approval action be configured?

A.Specify multiple email addresses in the 'ApproverEmail' field of the approval action.
B.Set the 'Approvers' field in the approval action to a comma-separated list of IAM user ARNs.
C.Add multiple IAM users to the pipeline's service role.
D.Create an Amazon SNS topic with multiple subscribers, and configure the approval action to use that SNS topic ARN.
AnswerD

CodePipeline publishes the approval request to the SNS topic; every subscriber is notified, and whoever holds codepipeline:PutApprovalResult for that action can approve or reject.

Why this answer

Option D is correct because the manual approval action takes an SNS topic ARN (NotificationArn) and publishes the approval request, including the review link, to that topic, so every subscriber is notified. Who may actually approve is decided by IAM, not by the subscription list: an approver needs codepipeline:PutApprovalResult on the pipeline, stage and action, and any one of the principals holding it can approve or reject. Option A is wrong because the action has no ApproverEmail field. Option B is wrong because there is no Approvers field either.

Option C is wrong because the pipeline service role is assumed by CodePipeline itself; adding human users to it neither notifies them nor grants them approval rights. Pair the SNS topic with an IAM policy that grants codepipeline:PutApprovalResult only to the intended approvers, and rely on CloudTrail, which records each PutApprovalResult call, for the audit trail.

212
MCQeasy

A DevOps engineer is setting up a CI/CD pipeline for a Node.js application. The application must be built, tested, and deployed to an Amazon ECS cluster. The team wants to use AWS CodeBuild to run unit tests and package the application as a Docker image, and AWS CodePipeline to orchestrate the workflow. Which artifact type should CodeBuild output to be used by a subsequent CodePipeline action?

A.A Docker image pushed to Amazon ECR.
B.A zip file containing the application source code.
C.A tarball stored in Amazon S3.
D.A JSON file with the image details.
AnswerA

ECR is the registry for Docker images.

Why this answer

Option A is correct because the buildspec's post_build phase pushes the built image to Amazon ECR, and the subsequent Amazon ECS deploy action in CodePipeline deploys the image from that registry. In practice the build also emits a small imagedefinitions.json file (container name and image URI) as its CodePipeline output artifact, which is how the ECS deploy action learns which image to use; that file points at the image rather than being the deployable itself, which is why option D is not the best answer. Option B is wrong because the source zip is the input of the build, not its deployable result.

Option C is wrong because the image lives in ECR, not in an S3 tarball. Reference an immutable tag or the image digest in imagedefinitions.json rather than 'latest', so the service runs exactly the image that was built and scanned.

213
MCQeasy

A developer is using AWS CloudFormation to deploy a stack that includes an AWS Lambda function. The Lambda function code is stored in an S3 bucket. The CloudFormation template references the S3 bucket and object key. The developer wants to update the Lambda function code by uploading a new zip file to S3 and then updating the stack. The developer updates the S3 object with a new version, but the stack update does not automatically use the new code. What should the developer do to ensure the stack update uses the new code?

A.Enable S3 event notifications to trigger a CloudFormation stack update when the object is updated.
B.Modify the CloudFormation stack policy to allow updates to the Lambda function.
C.Delete the stack and recreate it with the new code.
D.Upload the new code to a different S3 key or specify a new version ID in the CloudFormation template.
AnswerD

Changing the S3 key or version ID forces CloudFormation to recognize the change and update the Lambda function.

Why this answer

Option D is correct because CloudFormation decides whether the AWS::Lambda::Function resource needs updating by comparing the template properties with the stack's current state; if S3Bucket, S3Key and S3ObjectVersion are unchanged, the resource is unchanged as far as CloudFormation is concerned, even though the object content in S3 differs. Uploading to a new key (for example, one that includes the commit hash) or setting S3ObjectVersion to the new version ID changes a property and forces the function update. Option B is wrong because a stack policy controls which resources an update may modify, not how changes are detected.

Option A is wrong because CloudFormation does not poll S3, and an S3-triggered update would still find no property change unless the key or version changed. Option C is wrong because recreating the stack is unnecessary and disruptive.

214
MCQhard

A company has a monolith application that takes over an hour to build. The DevOps team wants to implement continuous integration using AWS CodeBuild. The build environment requires a large amount of dependencies that are rarely updated. Which strategy will MINIMIZE build time and cost?

A.Enable Amazon S3 cache for the CodeBuild project to reuse dependencies from previous builds.
B.Store the dependencies in an Amazon S3 bucket and download them at the start of each build.
C.Create a custom Docker image that includes all dependencies and use it as the build environment.
D.Use a larger compute type for the CodeBuild project to speed up the build.
AnswerC

Pre-installing dependencies in the image eliminates download time entirely.

Why this answer

Option C is correct because baking the dependencies into a custom build image (stored in Amazon ECR and referenced by the CodeBuild project) means every build starts with them already present; nothing is downloaded or restored, and the image is rebuilt only on the rare occasions the dependencies change. Option D is wrong because a larger compute type speeds up CPU-bound compilation but not dependency downloads, and it costs more per build minute. Option A is wrong because an S3 cache still has to be downloaded and re-uploaded on every build, which is slower than having the dependencies in the image and is billed as build time.

Option B is wrong because downloading the dependencies at the start of each build is exactly the cost to eliminate. Note also that CodeBuild local caching (source, Docker layer or custom) is best-effort and only helps when a later build lands on the same host, so it is not a reliable substitute for a custom image.

215
MCQeasy

A DevOps engineer is setting up a CI/CD pipeline for a microservices application using AWS CodePipeline. The pipeline includes a Test stage that runs integration tests against a staging environment. The engineer wants to ensure that manual approval is required before deploying to production. Which action should be taken?

A.Configure a CodeCommit approval rule template to block the merge.
B.Use CloudWatch Events to send a notification and wait for a custom signal.
C.Set the pipeline to only run on manual invocation.
D.Add a manual approval action in the pipeline stage before production deployment.
AnswerD

Manual approval actions pause the pipeline until approved.

Why this answer

Option D is correct because a manual approval action pauses the pipeline at that point until an authorized reviewer approves or rejects it, after which the production deployment stage either proceeds or the execution fails. Option A is wrong because CodeCommit approval rule templates gate pull request merges, not pipeline stages. Option B is wrong because CloudWatch Events (EventBridge) can notify but has no wait-for-approval primitive.

Option C is wrong because running the whole pipeline only on manual invocation removes automation from every stage instead of gating production alone.

216
MCQmedium

An IAM policy is attached to a user. The user is trying to push a commit to the 'main' branch of the 'MyRepo' repository. The push is denied. What is the most likely reason?

A.The user does not have permission to push to any branch.
B.The policy does not allow the 'codecommit:GitPush' action for the main branch.
C.The resource ARN is incorrect.
D.The condition key 'codecommit:References' is not correctly formatted for an array value.
AnswerD

StringEquals is a single-valued operator; codecommit:References is multivalued, so the policy needs the ForAllValues or ForAnyValue set operators.

Why this answer

Option D is correct because codecommit:References is a multivalued condition key: a single git push can update several refs at once, so the request context carries a list of reference names. Single-valued operators such as StringEquals are not meant to match a list of request values, so the condition does not match as the author intended and the Allow never applies. The fix is a set operator: ForAllValues:StringEquals to require that every pushed ref is on the allowed list, or ForAnyValue:StringEquals to match when at least one is. Option A is wrong because the policy does allow GitPush; it is the condition that prevents the match. Option B is wrong because the condition names the main branch reference, so the intent is to allow that branch.

Option C is wrong because the resource ARN matches the repository. When using ForAllValues in an Allow statement, remember that it also evaluates to true when the request context has no references at all, so pair it with a Null condition on codecommit:References if that matters for your use.
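As an added example (not the question's exhibit, which is not reproduced on this page), the following Python models the two IAM set operators over a multivalued request key and evaluates a few push scenarios against policy documents written for this example. The repository name, account id and policies are made up; the evaluator only looks at the Condition block (Action and Resource are assumed to match) and deliberately refuses single-valued operators on codecommit:References, since that is the mistake the question describes.

```python
"""Set-operator semantics for a multivalued IAM condition key (codecommit:References).

The request context for a git push holds every ref the push updates, e.g.
["refs/heads/main", "refs/heads/feature"], so the condition must use
ForAllValues:/ForAnyValue: rather than plain StringEquals."""
from typing import Any, Callable, Dict, Iterable, List

Policy = Dict[str, Any]
Context = Dict[str, List[str]]


def for_all_values(request_values: Iterable[str], policy_values: Iterable[str]) -> bool:
    """ForAllValues:StringEquals: every value in the request must be in the policy list.
    Per the IAM docs this is also true when the request carries no values at all."""
    allowed = set(policy_values)
    return all(v in allowed for v in request_values)


def for_any_value(request_values: Iterable[str], policy_values: Iterable[str]) -> bool:
    """ForAnyValue:StringEquals: at least one request value must be in the policy list."""
    allowed = set(policy_values)
    return any(v in allowed for v in request_values)


SET_OPERATORS: Dict[str, Callable[[Iterable[str], Iterable[str]], bool]] = {
    "ForAllValues:StringEquals": for_all_values,
    "ForAnyValue:StringEquals": for_any_value,
}


def offending_operators(policy: Policy) -> List[str]:
    """Operators used on codecommit:References that are not set operators (the question's bug)."""
    return [operator
            for statement in policy["Statement"]
            for operator, pairs in statement.get("Condition", {}).items()
            if operator not in SET_OPERATORS and "codecommit:References" in pairs]


def condition_matches(condition: Dict[str, Dict[str, List[str]]], context: Context) -> bool:
    """Evaluate a Condition block; every operator/key pair must hold."""
    for operator, pairs in condition.items():
        fn = SET_OPERATORS.get(operator)
        if fn is None:  # this toy evaluator models set operators only
            raise ValueError(f"{operator}: use ForAllValues:/ForAnyValue: on a multivalued key")
        for key, policy_values in pairs.items():
            if not fn(context.get(key, []), policy_values):
                return False
    return True


def evaluate(policies: List[Policy], context: Context) -> str:
    """IAM decision logic: an explicit Deny wins, then any matching Allow, else implicit deny."""
    decision = "ImplicitDeny"
    for policy in policies:
        for statement in policy["Statement"]:
            if not condition_matches(statement.get("Condition", {}), context):
                continue
            if statement["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def decide(policies: List[Policy], pushed_refs: List[str]) -> str:
    return evaluate(policies, {"codecommit:References": pushed_refs})


# --- policies written for this example (repository and account id are made up) ------------
REPO_ARN = "arn:aws:codecommit:us-east-1:123456789012:MyRepo"

def _statement(effect: str, condition: Dict[str, Any] = None) -> Policy:
    stmt = {"Effect": effect, "Action": ["codecommit:GitPush"], "Resource": REPO_ARN}
    if condition:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}

# Corrected allow: the push is permitted only if *every* pushed ref is main.
ALLOW_MAIN_ONLY = _statement("Allow", {"ForAllValues:StringEquals": {"codecommit:References": ["refs/heads/main"]}})
# The more common guard-rail: allow pushes generally, but deny any push that touches main.
ALLOW_ALL_PUSHES = _statement("Allow")
DENY_MAIN = _statement("Deny", {"ForAnyValue:StringEquals": {"codecommit:References": ["refs/heads/main"]}})
# The broken form from the question: a single-valued operator on the multivalued key.
BROKEN = _statement("Allow", {"StringEquals": {"codecommit:References": ["refs/heads/main"]}})

if __name__ == "__main__":
    print(decide([ALLOW_MAIN_ONLY], ["refs/heads/main"]))                            # Allow
    print(decide([ALLOW_MAIN_ONLY], ["refs/heads/main", "refs/heads/feature"]))      # ImplicitDeny
    print(decide([ALLOW_ALL_PUSHES, DENY_MAIN], ["refs/heads/feature", "refs/heads/main"]))  # Deny
    print(offending_operators(BROKEN))                                                # ['StringEquals']
```

The Deny-on-main form is usually the safer guard-rail: it cannot be bypassed by bundling a protected ref into a push that also updates an allowed one, because ForAnyValue matches as soon as one pushed ref is protected.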

217
Multi-Selectmedium

A company is implementing a CI/CD pipeline for a containerized application using AWS CodePipeline, CodeBuild, and Amazon ECS. The pipeline should automatically deploy to a staging environment and then, after manual approval, to production. The production environment uses an ECS service with rolling update deployment. Which TWO actions are necessary to achieve this?

Select 2 answers
A.Use CloudFormation to deploy the ECS service with a rolling update policy.
B.Add a manual approval stage in CodePipeline between staging and production.
C.Set up an ECS task definition with a sidecar container for health checks.
D.Use the Amazon ECS deploy action in CodePipeline, which performs a rolling update of the service.
E.Configure CodeBuild to push the Docker image to Amazon ECR.
AnswersB, D

This ensures manual approval before production deployment.

Why this answer

Option B is correct because a manual approval action between the staging and production stages is what prevents a staging deployment from flowing straight into production. Option D is correct because the Amazon ECS standard deploy action registers a new task definition revision and updates the service, and ECS then performs the rolling update according to the service's deployment configuration. Option A is not required: CloudFormation is one way to manage the service, but the ECS deploy action handles the rolling update without it.

Option C is not required, since ECS rolling updates rely on the task definition's container health check or the load balancer target group health, not on a sidecar. Option E describes the build step every container pipeline already has; it produces the image but does nothing about staging, approval or the rolling update, so it is not one of the two distinguishing actions.

218
MCQhard

A company uses AWS CodeBuild to compile a Java application. The buildspec.yml includes a pre_build phase that runs unit tests and a build phase that packages the application. Recently, builds have been failing intermittently with 'OutOfMemoryError' during the test phase. The build environment is set to 'BUILD_GENERAL1_SMALL'. What is the MOST cost-effective solution?

A.Split the tests into smaller batches using CodeBuild test splitting.
B.Change the build environment to 'BUILD_GENERAL1_MEDIUM' which has more memory.
C.Configure the buildspec to set MAVEN_OPTS='-Xmx512m' to reduce JVM heap usage.
D.Use multiple CodeBuild jobs to run tests in parallel.
AnswerB

This increases available memory, solving the OOM error cost-effectively.

Why this answer

Option B is correct because BUILD_GENERAL1_SMALL provides 3 GB of memory and BUILD_GENERAL1_MEDIUM provides 7 GB; stepping up one size is the smallest change that removes the memory ceiling, and it is cheaper than re-running intermittent failures or spreading the suite over several builds. Option C is wrong because -Xmx512m lowers the JVM heap, which makes an OutOfMemoryError more likely, not less. Options A and D both spread the tests across additional build runs, which multiplies billed minutes and adds orchestration for a problem that one larger container solves.

Confirm the diagnosis from the build log first: a Java heap OutOfMemoryError and the container being killed for exceeding its memory limit look different, and in the second case it is worth capping the JVM heap below the new container limit so a future overrun fails fast with a clear error instead of a kill.

219
MCQeasy

Refer to the exhibit. A DevOps engineer is troubleshooting a cross-account deployment where an AWS CodeBuild project in Account A needs to upload build artifacts to an S3 bucket in Account B. The engineer attaches this IAM policy to the CodeBuild service role in Account A. However, the upload fails. What is the most likely reason?

A.The bucket policy in Account B grants s3:PutObject to Account A
B.The condition requires bucket-owner-full-control ACL, but the bucket policy may not allow it
C.The policy does not include s3:PutObjectAcl permission
D.The policy does not include s3:GetObject permission
AnswerB

Cross-account uploads often require bucket policy to grant permissions.

Why this answer

Option B is correct because the policy allows s3:PutObject only when the request sets the bucket-owner-full-control canned ACL (the s3:x-amz-acl condition). That condition is the identity-side half of a cross-account upload; the other half is a bucket policy in Account B that grants the CodeBuild role s3:PutObject, usually with the same ACL condition so the bucket owner ends up owning the objects. With no such grant in Account B, or with the bucket configured to reject that ACL, the upload is denied even though Account A's policy permits it. Option A is incorrect because a bucket policy granting s3:PutObject to Account A is what makes the upload succeed, not fail.

Option C is incorrect because setting an ACL at upload time is covered by s3:PutObject; s3:PutObjectAcl is only needed to change the ACL of an existing object. Option D is incorrect because s3:GetObject is not needed to upload. When the bucket uses the bucket-owner-enforced object ownership setting (the default for new buckets), ACLs are disabled and the bucket owner already owns every object; the bucket policy grant is then the only requirement, and the ACL condition can be dropped.

220
MCQeasy

A DevOps engineer needs to automatically roll back a CodeDeploy deployment if the number of failed instances exceeds a threshold. Which deployment configuration should be used?

A.Configure the deployment group to ignore failed instances.
B.Set the minimum number of healthy instances in the deployment configuration to trigger automatic rollback.
C.Use a CloudWatch alarm to trigger a rollback.
D.Use a custom deployment configuration that fails the deployment if any instance fails.
AnswerB

CodeDeploy can automatically roll back based on health thresholds.

Why this answer

Option B is correct because the minimum healthy hosts value in the deployment configuration is the threshold CodeDeploy uses to decide that a deployment has failed: when deploying to the next instance would leave fewer healthy hosts than the minimum (as a count or a percentage), CodeDeploy stops the deployment. With 'Roll back when a deployment fails' enabled on the deployment group, that failure triggers an automatic rollback to the last known good revision, which satisfies the requirement to roll back once the number of failed instances exceeds a threshold.

Exam trap

The trap here is that candidates often equate a failed deployment with a rollback. The deployment configuration's minimum healthy hosts value decides when CodeDeploy gives up; whether it then redeploys the previous revision is a separate deployment group setting (automatic rollback on deployment failure, or on a CloudWatch alarm), and without it CodeDeploy simply leaves the fleet in its partially updated state.

How to eliminate wrong answers

Option A is wrong because ignoring failed instances would prevent any rollback from occurring, which is the opposite of the requirement. Option C is wrong because while CloudWatch alarms can trigger a rollback, they are not the deployment configuration itself; they monitor external metrics (e.g., CPU utilization) rather than the number of failed instances during the deployment. Option D is wrong because a custom deployment configuration that fails the deployment if any instance fails does not trigger an automatic rollback; it only fails the deployment without reverting to a previous version.

221
Multi-Selectmedium

A company uses AWS CodeCommit for source control and AWS CodeBuild for building a Java application. They want to enforce that every commit triggers a build, but only if the commit message contains a specific pattern 'BUILD:'. Which THREE steps are required?

Select 3 answers
A.Create an AWS Lambda function that processes the commit message and calls CodeBuild.
B.Create a CloudWatch Events rule to invoke CodeBuild on every push to CodeCommit.
C.Configure a webhook in CodeBuild that filters events by commit message pattern.
D.Create a custom trigger in CodeCommit that invokes CodeBuild.
E.Use a buildspec.yml file with a conditional phase that checks the commit message.
AnswersA, D, E

Correct: a CodeCommit trigger, a Lambda function that inspects the commit message, and an in-build guard.

Why this answer

Option D creates the trigger: a CodeCommit repository trigger fires on pushes (to all branches or selected ones) and can invoke a Lambda function. Option A is the filter: the Lambda function takes the commit ID from the trigger event, reads the message with the CodeCommit GetCommit API, and calls StartBuild only when the message contains 'BUILD:'. Option E is the in-build guard: a buildspec command can read the message of the checked-out commit (for example, with git log -1 once the source is cloned with a non-zero clone depth) and exit non-zero when the pattern is absent, so a build started by any other route does not run unexpectedly.

Option B on its own starts a build on every push: an EventBridge rule matches the event fields, and the commit message is not part of the CodeCommit event. Option C does not apply because CodeBuild webhooks, including their COMMIT_MESSAGE filter groups, are available only for GitHub, GitHub Enterprise Server, Bitbucket and GitLab sources, not for CodeCommit.

222
MCQmedium

Your company has a CI/CD pipeline for a Java web application using AWS CodePipeline, CodeBuild, and CodeDeploy. The pipeline has three stages: Source (CodeCommit), Build (CodeBuild), and Deploy (CodeDeploy to EC2 instances in an Auto Scaling group). Recently, after a change to the buildspec, the Build stage succeeds but the Deploy stage fails with the error 'The deployment failed because the deployment group exceeded the minimum healthy host count.' The CodeDeploy deployment configuration uses a 'OneAtATime' deployment with a minimum healthy host count of 1. The Auto Scaling group has a minimum size of 2 and a maximum size of 4. The application runs on Amazon Linux 2 instances. The CodeDeploy agent is installed and running on all instances. What is the most likely cause of the failure?

A.The CodeDeploy agent on some instances has been stopped or is not responding.
B.The Auto Scaling group is using a different Amazon Machine Image (AMI) that lacks the CodeDeploy agent.
C.The new build artifact is larger, causing the instances to run out of disk space during deployment, which prevents the CodeDeploy agent from completing the deployment.
D.The CodeDeploy service role does not have permission to describe the Auto Scaling group.
AnswerC

Disk space issues can cause the agent to fail, reducing healthy hosts.

Why this answer

Option C is correct because the question rules out the agent (installed and running everywhere) and the deployment worked before the buildspec change, so the new artifact is the variable. If the revision is larger, instances can exhaust disk while the agent downloads and unpacks it into its deployment root, the lifecycle scripts fail, the instance is marked unhealthy, and with OneAtATime and a minimum of 1 healthy host in a 2-instance group the second failure breaches the threshold and the deployment stops. Option A is wrong because the question states the agent is running on all instances; a stopped agent also shows up as the instance not responding, not as a host-count error after partial progress. Option B is wrong for the same reason, and an AMI without the agent would affect every instance from launch.

Option D is wrong because without permission to describe the Auto Scaling group CodeDeploy could not enumerate its targets and the deployment would fail before any host was touched, not part way through. To confirm, check the agent log (/var/log/aws/codedeploy-agent/codedeploy-agent.log) and disk usage on a failed instance, and consider clearing old revisions from the agent's deployment-root directory or lowering the max_revisions setting in codedeployagent.yml.

223
MCQmedium

A development team is using AWS CodeCommit to store source code and AWS CodePipeline to automate builds and deployments. The team wants to ensure that builds and tests are triggered only when code is pushed to specific branches, and that manual approval is required before deploying to production. Which CodePipeline configuration should the team implement?

A.Configure the source action to trigger on all branches and add a manual approval step before the build stage.
B.Configure the source action with a branch filter for main, and add a manual approval step before the build stage.
C.Use a branch filter on the build action to run only for the main branch, and add a manual approval step before the deploy stage.
D.Configure the source action with a branch filter for main, and add a manual approval step before the production deployment stage.
AnswerD

This ensures builds only on main pushes and requires approval before production deployment.

Why this answer

Option D is correct because the branch filter belongs on the CodeCommit source action, so the pipeline starts only for pushes to main, and the manual approval sits immediately before the production deployment stage, which is the only place the gate is needed. Option A triggers on every branch. Option B filters the branch correctly but places the approval before the build, so every build waits on a human. Option C puts the filter on the build action, which has no branch filter; only the source action selects the branch.

224
MCQhard

A team uses AWS CodePipeline with a source action from an Amazon S3 bucket. The pipeline triggers on changes to the S3 bucket, but sometimes runs twice for a single commit. What is the most likely cause?

A.CodePipeline has a deduplication setting that is disabled.
B.S3 event notifications for the same object may be delivered more than once.
C.The S3 bucket has versioning enabled.
D.The pipeline is also triggered by a CloudWatch Events rule.
AnswerB

S3 event notifications are at-least-once delivery, so duplicates can occur.

Why this answer

Amazon S3 event notifications are designed for at-least-once delivery, meaning the same event (e.g., an object PUT) can be delivered multiple times. When CodePipeline uses S3 as a source, it relies on these notifications to trigger the pipeline. If S3 sends duplicate notifications for the same object version, CodePipeline will start a new execution for each notification, causing the pipeline to run twice for a single commit.

Exam trap

The trap here is that candidates may assume S3 event notifications are exactly-once, leading them to incorrectly suspect versioning or a missing deduplication setting, rather than recognizing S3's inherent at-least-once delivery behavior.

How to eliminate wrong answers

Option A is wrong because CodePipeline does not have a configurable deduplication setting; deduplication is handled by the source event mechanism, not a pipeline-level toggle. Option C is wrong because S3 versioning, when enabled, creates distinct object versions for each PUT, and CodePipeline triggers on changes to the bucket (including new versions), but versioning alone does not cause duplicate notifications—it actually helps differentiate versions. Option D is wrong because if a CloudWatch Events rule were also triggering the pipeline, it would be an additional trigger source, but the question states the pipeline triggers on S3 bucket changes, and the most likely cause of duplicate runs is duplicate S3 event notifications, not an extra rule.

225
MCQmedium

A development team uses AWS CodeBuild to compile a Java application. The build takes 15 minutes on average, but recently it started taking over 30 minutes. The buildspec.yml file is unchanged. What is the most likely cause?

A.The cache for the build project was cleared, forcing a full dependency download.
B.The build environment was changed from a Linux to a Windows environment.
C.The build project's compute type was downgraded to a smaller instance.
D.The buildspec.yml file was updated to include more build commands.
AnswerA

Clearing the cache means all dependencies must be downloaded again, increasing build time.

Why this answer

Option A is correct because with a cleared (or invalidated) cache every build has to download the full dependency set again, and for a Java project that download can easily double the build time. Option D is wrong because the question states the buildspec is unchanged. Option B is wrong because switching from Linux to Windows means a different environment image; a Java build would typically need changes to run at all, not merely slow down.

Option C is wrong because a compute type downgrade is an explicit project setting change that someone would have made deliberately and that is visible in the project configuration. Check the cache configuration and the project's CloudWatch phase-duration metrics to confirm that the dependency phase, not compilation, is what grew.
