CCNA SDLC Automation Questions

75 of 397 questions · Page 5/6 · SDLC Automation · Answers revealed

301
Multi-Select · hard

Which THREE considerations are important when designing a CI/CD pipeline for a microservices architecture using AWS CodePipeline? (Choose three.)

Select 3 answers
A. All microservices should be deployed using a single pipeline to ensure consistency.
B. Include automated integration tests that validate service-to-service interactions.
C. Use manual approval gates at every stage to ensure quality.
D. Each microservice should have its own pipeline to enable independent deployment.
E. Implement blue/green deployments to reduce downtime and allow quick rollback.
Answers: B, D, E

Automated tests catch issues early in the pipeline.

Why this answer

Options A, C, and E are correct. Independent pipelines, automated testing, and blue/green deployments are key. Option B is wrong because a monolith pipeline contradicts microservices.

Option D is wrong because manual gates slow down deployment.

302
Multi-Select · hard

Which THREE steps are required to set up a cross-account CodePipeline that deploys to an EC2 instance in a target account? (Choose three.)

Select 3 answers
A. Create an IAM role in the target account with permissions to deploy to EC2.
B. Add a trust policy to the target account role allowing the pipeline account to assume it.
C. Grant the pipeline service role permission to assume the target account role.
D. Configure the pipeline to use the target account's default KMS key for artifacts.
E. Create a CodePipeline in the target account.
Answers: A, B, C

The pipeline will assume this role to deploy.

Why this answer

A: The pipeline needs an IAM role to assume in the target account. C: The target account must trust the pipeline account to allow role assumption. D: The pipeline service role must have permission to assume the target role.

B is not required because the pipeline can be in the source account. E is not required because the pipeline uses the assumed role, not the target account's pipeline.

303
MCQ · hard

Match each AWS service or feature to its correct description in the context of SDLC automation. Drag and drop the items on the left to the matching descriptions on the right.

A. AWS CodeCommit
B. AWS CodeBuild
C. AWS CodeDeploy
D. AWS CodePipeline
E. AWS CloudFormation
F. Amazon EventBridge

Why this answer

AWS CodeCommit is a managed source control service. AWS CodeBuild is a fully managed build service. AWS CodeDeploy automates code deployments.

AWS CodePipeline orchestrates the CI/CD workflow. AWS CloudFormation is used for infrastructure as code. Amazon EventBridge (CloudWatch Events) can trigger pipelines based on events.

Exam trap

Candidates may confuse CodePipeline with CodeDeploy, or CodeBuild with CodeDeploy. Understanding the distinct roles is key.

304
MCQ · medium

A DevOps team is designing a CI/CD pipeline for a microservices application. Each microservice has its own CodeCommit repository and must be built and deployed independently. The team wants to minimize manual configuration and ensure that adding a new microservice automatically creates the corresponding pipeline stages. Which approach should the team use?

A. Create a separate AWS CodePipeline for each microservice manually using the AWS Management Console.
B. Use the AWS Cloud Development Kit (CDK) to define a pipeline that dynamically discovers repositories.
C. Use a single AWS CodePipeline with multiple stages, each triggered by a different branch of the same repository.
D. Define a CloudFormation template that creates a pipeline for a given repository and invoke it automatically when a new repository is created using EventBridge and Lambda.
Answer: D

This approach automates pipeline creation via event-driven infrastructure as code.

Why this answer

Option D is correct because AWS CloudFormation can define the pipeline infrastructure as code, and using nested stacks or a template that parameterizes the repository name allows for easy replication. Option A is wrong because manually updating a single pipeline is error-prone and not scalable. Option B is wrong because creating separate pipelines manually defeats automation.

Option C is wrong because the AWS CDK can define infrastructure but requires separate stacks per service unless using loops or constructs.

305
MCQ · easy

A development team is using AWS CodeCommit as the source for a CI/CD pipeline. They want to automatically run unit tests when a pull request is created, but only for changes to the 'src' directory. Which approach should they use?

A. Use an AWS Lambda function that polls CodeCommit for new pull requests and invokes CodeBuild when changes in 'src' directory are detected.
B. Create an AWS CodeBuild project with a source provider of CodeCommit and configure 'WEBHOOK' events with a filter for pull requests and path filter for 'src/**'.
C. Set up an Amazon EventBridge rule that matches CodeCommit pull request events and invoke CodeBuild. Add a condition in the CodeBuild buildspec to check if changes are in 'src' directory.
D. Configure an AWS CodePipeline with a Source stage for CodeCommit and a Test stage for CodeBuild. Use a manual approval step to trigger on pull requests.
Answer: B

CodeBuild webhooks can trigger on pull request events with path filters.

Why this answer

Option B is correct because AWS CodeBuild can be triggered by a pull request event with a path filter. Option A is wrong because CodePipeline does not natively trigger on pull requests. Option C is wrong because Lambda alone cannot trigger on CodeCommit events without an additional trigger.

Option D is wrong because EventBridge can trigger on pull request events, but the path filtering should be done in the CodeBuild project configuration for efficiency.

306
MCQ · hard

A company runs a critical application on Amazon ECS with Fargate. They use blue/green deployments via AWS CodeDeploy. During a recent deployment, the new task set failed health checks and CodeDeploy automatically rolled back. However, the old task set also became unhealthy shortly after rollback. What could explain this?

A. The CloudWatch alarm that triggered the rollback also stopped the old task set.
B. CodeDeploy did not drain connections from the Application Load Balancer before terminating the old task set.
C. The ECS service auto-scaling policy reduced the desired count of the old task set during the deployment.
D. The new application version changed the database schema, which broke the old version after rollback.
Answer: D

Database schema changes are not automatically rolled back, causing incompatibility.

Why this answer

Option A is correct because a shared resource like a database schema change by the new version could corrupt data for the old version. Option B is wrong because CodeDeploy does not drain connections from ALB before rollback by default, but that would not cause the old version to become unhealthy. Option C is wrong because CloudWatch alarms are not configured by CodeDeploy to stop old tasks.

Option D is wrong because ECS service auto-scaling does not stop tasks.

307
MCQ · hard

A company uses AWS CodeDeploy to deploy a web application to an Auto Scaling group. After a deployment, some instances fail the health check and are terminated by the Auto Scaling group. What should the DevOps engineer do to prevent this?

A. Configure a CloudWatch alarm to stop the deployment if instances are unhealthy.
B. Modify the deployment configuration to deploy to only one instance at a time.
C. Update the deployment group to use an Elastic Load Balancer and configure health checks.
D. Increase the desired capacity of the Auto Scaling group to tolerate failures.
Answer: C

ELB health checks automatically replace unhealthy instances and work with CodeDeploy.

Why this answer

Option C is correct because configuring an Elastic Load Balancer (ELB) with health checks in the CodeDeploy deployment group allows CodeDeploy to monitor instance health during deployment. If an instance fails the ELB health check, CodeDeploy can automatically roll back or stop the deployment, preventing the Auto Scaling group from terminating unhealthy instances. This integrates the deployment lifecycle with load balancer health signals, ensuring only healthy instances serve traffic.

Exam trap

The trap here is that candidates often confuse Auto Scaling group health checks (which terminate instances) with CodeDeploy's deployment health checks (which can stop or roll back deployments), leading them to choose options that only address symptoms rather than integrating the two services properly.

How to eliminate wrong answers

Option A is wrong because a CloudWatch alarm can trigger actions like scaling or notifications, but it cannot directly stop a CodeDeploy deployment; CodeDeploy has its own built-in rollback and health check mechanisms that should be used. Option B is wrong because deploying to one instance at a time reduces risk but does not prevent instances from failing health checks and being terminated by the Auto Scaling group; it only limits blast radius. Option D is wrong because increasing the desired capacity of the Auto Scaling group does not address the root cause of health check failures; it only masks the problem by adding more instances, and unhealthy instances will still be terminated.

308
MCQ · hard

A DevOps engineer is troubleshooting a slow AWS CodeBuild project. The build is a Java application that compiles source code and runs tests. The build environment uses a general1.large compute type. The build duration has increased from 5 minutes to 15 minutes over the past month. The engineer notices that the build logs show 'Downloading...' messages for Maven dependencies for several minutes. What is the most cost-effective way to reduce the build time?

A. Configure the build to use a VPC with a NAT gateway
B. Use AWS CodeArtifact as a proxy for Maven dependencies
C. Change the compute type to general1.2xlarge
D. Enable local caching in the CodeBuild project for dependencies
Answer: D

Local caching stores dependencies across builds.

Why this answer

Option C is correct because enabling local caching for Maven dependencies eliminates repeated downloads. Option A is incorrect because increasing compute type might not solve the download bottleneck. Option B is incorrect because VPC peering does not affect dependency download speed from public repositories.

Option D is incorrect because CodeArtifact would still require downloading from the repository.

309
MCQ · hard

A company uses AWS CloudFormation to manage infrastructure. The development team wants to promote changes from a development environment to a production environment using change sets. They need to ensure that the production stack is not updated if there are any changes to the stack's IAM policies. Which approach should the team use?

A. Enable drift detection on the production stack and compare with the development stack.
B. Create a ChangeSet from the updated template, review the changes for IAM modifications, and execute only if no IAM changes are present.
C. Use AWS CloudFormation StackSets to deploy to multiple accounts and use stack instance filters.
D. Use a custom resource in the template that checks for IAM changes and fails the update.
Answer: B

ChangeSets provide a preview of all changes, including IAM resource modifications.

Why this answer

Option A is correct because ChangeSets allow reviewing changes before execution, and you can inspect changes to IAM resources. Option B is wrong because StackSets are for multi-account deployments. Option C is wrong because drift detection checks for manual changes, not intended updates.

Option D is wrong because a custom resource is overly complex.

310
MCQ · easy

An organization uses AWS CodeBuild to compile and test their code. They want to reuse build artifacts across multiple build projects to reduce build time. What is the BEST approach?

A. Use the local cache feature in CodeBuild to store artifacts on the build instance.
B. Store build artifacts in an Amazon S3 bucket and configure each build project to download them from S3.
C. Use Docker layer caching to store intermediate build layers.
D. Mount an Amazon EFS file system to each build environment to share artifacts.
Answer: B

S3 is a durable storage that can be accessed by multiple build projects to fetch shared artifacts.

Why this answer

Option C is correct because storing artifacts in S3 allows sharing across projects. Option A is wrong because local cache is per-project. Option B is wrong because Docker cache is for Docker images.

Option D is wrong because EFS is not used for build artifacts.

311
MCQ · easy

A development team uses AWS CodeCommit as a Git repository. They want to automatically trigger a build in AWS CodeBuild when a pull request is created or updated. Which configuration should the team use?

A. Create a CodeCommit trigger that invokes CodeBuild on 'Pull Request Created' and 'Pull Request Updated' events.
B. Use Amazon SNS to notify CodeBuild when a pull request is created.
C. Use Amazon CloudWatch Events to detect CodeCommit pull request events and invoke CodeBuild.
D. Configure CodePipeline with a source action on CodeCommit and a build action, and set the pipeline to start on source changes.
Answer: A

CodeCommit supports triggers for CodeBuild.

Why this answer

Option A is correct because CodeCommit can trigger CodeBuild via a repository trigger. Option B is wrong because CodePipeline does not directly trigger on pull requests. Option C is wrong because CloudWatch Events can trigger on pull request events but CodeBuild can be invoked directly via triggers.

Option D is wrong because SNS cannot trigger CodeBuild directly.

312
MCQ · hard

Refer to the exhibit. A CodeBuild project uses this buildspec. The build fails with the error: 'The runtime version specified is not supported in this environment.' What change should be made?

A. Add an install command to install Node.js 12 from source.
B. Remove the runtime-versions section and install Node.js manually.
C. Update the runtime-versions to nodejs: 14.
D. Change the build environment to use a custom image that includes Node.js 12.
Answer: C

Node.js 12 may be deprecated in the environment; using a supported version fixes the issue.

Why this answer

The build environment image may not support Node.js 12. The correct action is to update the runtime version to a supported one, such as 14 or 16, or change the build environment image to one that supports Node.js 12.

313
MCQ · medium

A team uses AWS CloudFormation to manage infrastructure. They have a stack that creates an Amazon RDS instance. During an update, the stack fails with 'CREATE_FAILED' for the DB instance resource, and the error message indicates 'The DB instance already exists.' What is the most likely cause?

A. An RDS instance with the same identifier already exists in the account and region.
B. The stack update is trying to replace the DB instance without a proper UpdateReplace policy.
C. The stack has a DeletionPolicy of Retain on the RDS instance.
D. The RDS instance has deletion protection enabled.
Answer: A

DB instance identifiers must be unique per region; if one exists, creation fails.

Why this answer

Option B is correct because if the stack was previously deleted without retaining the resource, the DB instance may have been left behind. Option A is wrong because RDS does not have a deletion policy that prevents deletion. Option C is wrong because UpdateReplace policy would replace but not cause 'already exists' error.

Option D is wrong because deletion protection would prevent deletion but not cause 'already exists' if the stack is new.

314
MCQ · medium

A team is using AWS CloudFormation to manage infrastructure. They want to implement a change management process where any modifications to the stack must be reviewed and approved. Which feature should they use?

A. Change Sets
B. StackSets
C. Drift Detection
D. Stack Policy
Answer: A

Change Sets allow you to review changes before applying them, enabling an approval workflow.

Why this answer

Option B is correct because Change Sets allow you to preview changes and then execute them after manual approval. Option A is wrong because StackSets manage stacks across accounts/regions, not approval workflows. Option C is wrong because Drift Detection identifies changes but does not prevent them.

Option D is wrong because Stack Policies protect resources but do not enforce an approval process.

315
Multi-Select · medium

A company is implementing a CI/CD pipeline for a microservices architecture on Amazon ECS. The pipeline must deploy to multiple environments (dev, test, prod) in sequence with manual approval gates between environments. Which two AWS services should be used together to meet these requirements? (Choose TWO.)

Select 2 answers
A. AWS CodePipeline
B. AWS CodeBuild
C. AWS CloudFormation
D. AWS CodeDeploy
E. AWS Elastic Beanstalk
Answers: A, D

CodePipeline orchestrates the pipeline with stages for each environment and approval gates.

Why this answer

Option A (CodePipeline) is correct because it orchestrates the pipeline stages. Option D (CodeDeploy) is correct because it handles the deployment to ECS with blue/green or rolling updates. Option B (CodeBuild) is for building, not deployment.

Option C (CloudFormation) is for infrastructure, not deployment of microservices. Option E (Elastic Beanstalk) is a PaaS service, not suited for ECS microservices.

316
MCQ · easy

A developer is using AWS CodeCommit as a source repository for a CodePipeline. They want to automatically start the pipeline when changes are pushed to the main branch. What is the simplest way to achieve this?

A. Add a Lambda function that is invoked by CodeCommit triggers, which then starts the pipeline.
B. Configure the pipeline to poll the CodeCommit repository every 5 minutes.
C. Use a webhook from CodeCommit to the pipeline.
D. Create an Amazon EventBridge rule that triggers the pipeline on CodeCommit 'push to main' events.
Answer: D

This is the recommended and simplest method.

Why this answer

CodePipeline can use Amazon CloudWatch Events (EventBridge) to detect changes in CodeCommit and start the pipeline. Option A is correct.

317
MCQ · hard

A company uses AWS CloudFormation to create a stack with a Lambda function that uses a VPC. The stack creation fails with 'CREATE_FAILED: The provided execution role does not have permissions to call ec2:CreateNetworkInterface on the resource'. What is the likely cause?

A. The VPC does not have a subnet with internet access.
B. The CloudFormation template does not specify a security group.
C. The Lambda function code has a syntax error.
D. The Lambda execution role is missing the ec2:CreateNetworkInterface permission.
Answer: D

Lambda needs ec2:CreateNetworkInterface, ec2:DescribeNetworkInterfaces, and ec2:DeleteNetworkInterface to manage VPC networking.

Why this answer

Option C is correct: Lambda needs permissions to create elastic network interfaces. Option A is not related. Option B is not required.

Option D is not the cause.

318
Multi-Select · easy

A company is using AWS CodeBuild to build a Docker image and push it to Amazon ECR. The buildspec.yaml includes commands to build and tag the image. However, the push to ECR fails with an authentication error. Which TWO actions should the DevOps engineer take to resolve this?

Select 2 answers
A. Configure the ECR repository as public.
B. Add a command in the buildspec to run 'aws ecr get-login-password --region <region> | docker login --username AWS --password-stdin <account>.dkr.ecr.<region>.amazonaws.com'.
C. Create an ECR lifecycle policy to expire untagged images.
D. Ensure the CodeBuild service role has permissions for ecr:GetAuthorizationToken and ecr:Push.
E. Run 'docker login' with ECR credentials in the buildspec.
Answers: B, D

This authenticates Docker to ECR.

Why this answer

Options B and D are correct. The CodeBuild project must have an IAM role with permissions to push to ECR, and the buildspec must include the 'aws ecr get-login-password' command to authenticate. Option A is wrong because Docker login is not needed.

Option C is wrong because ECR does not require a public repository. Option E is wrong because ECR lifecycle policies are not related.

319
Multi-Select · hard

A company uses AWS CodePipeline with a source stage from Amazon S3. The pipeline deploys a static website to an S3 bucket. The deployment must ensure that the website is always available and that rollbacks happen automatically if the deployment fails. Which TWO actions should the company take?

Select 2 answers
A. Use Amazon Route53 weighted routing to shift traffic
B. Use AWS CodeDeploy with an in-place deployment
C. Use a blue/green deployment strategy with two S3 buckets
D. Configure AWS CloudFormation stack with automatic rollback on failure
E. Enable S3 bucket versioning to keep multiple versions
Answers: C, D

Blue/green allows switching traffic to the new version after validation.

Why this answer

To ensure availability during deployment, use a blue/green deployment strategy with two separate buckets (one active, one staging). Automated rollbacks can be achieved by configuring CloudFront to point to the active bucket and using CloudFormation to manage the deployment with rollback triggers. Option A (blue/green with two buckets) is correct because it allows switching traffic after successful deployment.

Option D (CloudFormation with rollback configuration) is correct because CloudFormation can automatically roll back on failure. Option B is wrong because versioning alone doesn't provide zero-downtime switching. Option C is wrong because it doesn't specify a rollback mechanism.

Option E is wrong because Route53 weighted routing can be used but is more complex and not the best practice.

320
Multi-Select · medium

A company is using AWS CodeBuild to run builds for a Java application. The build takes a long time because it downloads Maven dependencies every time. The team wants to speed up the build by caching dependencies. Which TWO actions should be taken? (Choose 2)

Select 2 answers
A. Enable Amazon S3 caching in the CodeBuild project and specify an S3 bucket to store the cache.
B. Use CodeBuild's 'build cache' feature without specifying a bucket; it will automatically cache to a default location.
C. Set the cache type to 'Local' in the CodeBuild project configuration.
D. Mount an Amazon EFS file system to the build container and configure Maven to use it as a local repository.
E. Configure the buildspec file to save the Maven local repository (.m2) to the cache path.
Answers: A, E

S3 caching allows dependencies to be stored and reused across builds.

Why this answer

Options B and D are correct. Enabling caching in CodeBuild and specifying a cache bucket stores dependencies. Option A is incorrect because caching is not automatic.

Option C is incorrect because EFS is not required. Option E is incorrect because local caching is not a feature.

321
MCQ · hard

An organization uses AWS CodeCommit for source control and AWS CodePipeline for CI/CD. Developers complain that their pipeline executions often fail because the source stage cannot access the CodeCommit repository. The IAM role used by CodePipeline has the following policy attached. What is the MOST likely cause of the failure? Policy: {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["codecommit:GetBranch","codecommit:GetCommit","codecommit:UploadArchive","codecommit:GetUploadArchiveStatus"],"Resource":"*"}]}

A. The IAM role does not have permissions to describe the CodeCommit repository
B. The CodeCommit repository is not tagged with the pipeline's project tag
C. The IAM role is missing the 'codecommit:GitPull' permission
D. The pipeline uses a CodeStar connection instead of a direct CodeCommit source
Answer: C

GitPull is required for CodePipeline to clone the repository.

Why this answer

Option A is correct because the pipeline source stage needs to use Git operations like GitPull, which require the codecommit:GitPull action. The provided policy only allows GetBranch, GetCommit, and archive operations, which are not sufficient for Git-based connections. Option B is wrong because CodeStar connections are used for third-party sources.

Option C is wrong because the role does not need S3 permissions for CodeCommit access. Option D is wrong because tagging is not related to this issue.

322
Multi-Select · hard

Which TWO approaches can be used to automatically roll back a failed deployment in AWS CodeDeploy? (Choose two.)

Select 2 answers
A. Use a CloudWatch Events rule to trigger a rollback when a deployment fails
B. Attach an IAM policy to the CodeDeploy service role that allows rollback actions
C. Specify a rollback revision in the AppSpec file
D. Configure the deployment group to automatically roll back when a deployment fails
E. Configure the deployment group to automatically roll back when a CloudWatch alarm is triggered
Answers: D, E

CodeDeploy can automatically roll back on failure.

Why this answer

Options B and D are correct. Configuring automatic rollback in CodeDeploy will trigger a rollback when deployment fails or a CloudWatch alarm is triggered. Option A is wrong because the deployment group settings control rollback, not the revision.

Option C is wrong because CodePipeline can trigger rollback, but it requires manual configuration. Option E is wrong because the IAM role does not initiate rollback.

323
MCQ · hard

A company is using AWS CodeDeploy with a blue/green deployment strategy for an Amazon ECS service. After a deployment, the new task set fails health checks, and CodeDeploy automatically rolls back to the original task set. However, the rollback fails because the original task set's desired count is set to 0. What is the most likely cause?

A. The original task set's desired count was set to 0 during the blue/green deployment and the rollback is unable to restore it because the original task definition is no longer available.
B. The original task set's health checks are failing.
C. The original task set's CloudFormation stack was deleted during the deployment.
D. The original task set was deregistered from the target group.
Answer: A

In blue/green deployments, the original task set is scaled down to 0. If the original task definition is deleted or replaced, rollback fails.

Why this answer

Option D is correct because during a blue/green deployment, the original task set's desired count is often scaled down to zero, and rollback tries to restore it but may fail if the original task definition or service configuration is no longer valid. Option A is wrong because CodeDeploy manages ECS service updates, not through CloudFormation. Option B is wrong because the issue is not about deregistering from the target group; it's about scaling.

Option C is wrong because health checks are failing on the new task set, not the original.

324
MCQ · easy

A team wants to automate the creation of a CI/CD pipeline using a JSON/YAML file that defines source, build, and deploy stages. Which AWS service should they use?

A. AWS CloudFormation
B. AWS Elastic Beanstalk
C. AWS CodePipeline
D. AWS CodeDeploy
Answer: A

CloudFormation can define and provision CodePipeline resources.

Why this answer

Option B is correct because AWS CloudFormation can define CodePipeline resources in a template. Option A is wrong because CodePipeline itself uses a structure, but not to create itself. Option C is wrong because CodeDeploy is for deployment, not pipeline creation.

Option D is wrong because Elastic Beanstalk is for applications, not pipeline definition.

325
MCQ · hard

A DevOps engineer is troubleshooting a CodePipeline that has a Build stage using AWS CodeBuild. The build logs show 'Error: No such file or directory' for a file that is present in the source repository. What is the most likely cause?

A. The buildspec.yaml specifies an incorrect path for the file relative to the source root.
B. The build commands are not executed because the pre_build phase failed.
C. The artifact definition in the buildspec.yaml is incorrect.
D. The environment variables in CodeBuild are not set correctly.
Answer: A

The build process runs from the source root; incorrect relative paths cause file not found errors.

Why this answer

Option A is correct because CodeBuild uses a source code location; if the buildspec.yaml references a relative path that does not exist in the root, it may fail. Options B, C, and D are less likely because environment variables, build commands, and artifacts are not directly related to file existence in the source.

326
MCQ · medium

A development team uses AWS CodePipeline to orchestrate builds and deployments. They want to automatically deploy to a staging environment only if a manual approval step is granted. Which configuration should they use?

A. Add an approval action in the pipeline stage before the deploy action.
B. Use a Lambda function to check a parameter in Parameter Store.
C. Configure a CloudWatch Events rule to trigger deployment after a manual event.
D. Set the deploy action to manual invocation only.
Answer: A

Manual approval action pauses the pipeline; deployment proceeds only after approval.

Why this answer

CodePipeline supports manual approval actions that pause the pipeline until an authorized person approves or rejects.

327
MCQ · medium

A team uses AWS CodeBuild to run security scans on code before deployment. They want to ensure that if the security scan fails, the build is marked as FAILED and no further pipeline stages execute. What should they add to the buildspec?

A. Use the 'artifacts' section to define failure conditions.
B. Use the 'env' section to set a variable that fails the build.
C. Use the 'reports' section to mark the build as failed if tests fail.
D. Use the 'phases' section with a command that exits with a non-zero status on failure.
Answer: D

Non-zero exit causes build failure.

Why this answer

Option D is correct because the 'phases' section runs commands, and if a command exits with a non-zero status, the build fails. Option A is wrong because 'env' is for environment variables. Option B is wrong because 'artifacts' is for output.

Option C is wrong because 'reports' is for test reports and does not cause build failure.

328
MCQ · medium

A company uses AWS CodeBuild to compile and test Java code. The buildspec.yml file includes a 'pre_build' phase that runs unit tests. The build occasionally fails with the error 'No space left on device.' The build environment is a general1.medium EC2 instance with 160 GB of disk space. What is the MOST effective solution to resolve this issue?

A. Increase the file system size or add commands to clean up temporary files in the buildspec.
B. Configure the build to use an Amazon EFS file system to offload data.
C. Switch the build environment to a compute type with more memory, such as general1.large.
D. Enable the 'cache' feature in CodeBuild to reuse dependencies and reduce disk usage.
Answer: A

Cleaning up disk space or using a larger file system resolves the 'No space left' error.

Why this answer

Option C is correct because increasing the file system size or cleaning up disk space addresses the 'No space left' error. Option A is incorrect because using a larger instance type may not increase disk space. Option B is incorrect because the error is disk-related, not memory.

Option D is incorrect because the error is not related to dependencies not being cached.

329
MCQ · medium

During a deployment using AWS CodeDeploy, the deployment fails with the error 'The overall deployment failed because too many individual instances failed deployment, too few healthy instances are available, or some instances in your deployment group are experiencing problems.' The deployment group is configured with a minimum healthy instances of 75%. What could be the cause?

A. The deployment configuration timeout is too short.
B. The CodeDeploy service role does not have sufficient permissions.
C. The instances are not running the CodeDeploy agent.
D. More than 25% of the instances failed the deployment.
Answer: D

The minimum healthy instances threshold was breached.

Why this answer

Option A is correct because the error indicates too many instances failed or are unhealthy. The minimum healthy instances setting of 75% means at least 75% of instances must remain healthy; if more than 25% fail, the deployment fails. Option B is wrong because IAM permissions would cause a different error.

Option C is wrong because that error would be about failing to reach instances. Option D is wrong because CodeDeploy agent timeout would show a specific error.

330
MCQeasy

A startup is using AWS CloudFormation to manage their infrastructure. They have a stack that creates an Amazon S3 bucket and an Amazon DynamoDB table. The stack was created successfully, but when they try to update the stack to add a new S3 bucket, the update fails with the error 'CREATE_FAILED - S3 bucket already exists'. The new bucket name is unique and does not exist. The template uses the same AWS::S3::Bucket resource type. What is the most likely cause?

A.The IAM user does not have permission to create S3 buckets.
B.The S3 bucket name was previously used and is still in the process of being deleted (bucket name not yet released).
C.The stack is in a different region than where the bucket is being created.
D.The CloudFormation template uses the wrong resource type for the bucket.
AnswerB

S3 bucket names are globally unique and not immediately released after deletion.

Why this answer

Option A is correct because the bucket name may have been used in a previous stack and is in a deletion state. Option B is wrong because the account has permissions. Option C is wrong because the resource type is correct.

Option D is wrong because the region is correct.

331
MCQeasy

A DevOps engineer is setting up an AWS CodeBuild project that needs to access resources in a VPC, such as an Amazon RDS database. The engineer has configured the CodeBuild project to run in the VPC. Which additional configuration is required for CodeBuild to pull the build Docker image?

A.Create a VPC peering connection to another VPC that has internet access.
B.Configure a VPC gateway endpoint for Amazon ECR.
C.Attach an internet gateway to the VPC and add a default route to it.
D.Create a VPC interface endpoint for Amazon ECR and configure the CodeBuild project to use it.
AnswerD

Interface endpoints allow CodeBuild to pull images from ECR without internet access.

Why this answer

Option D is correct because CodeBuild requires a VPC interface endpoint to Amazon ECR or the Docker Hub to pull images when running in a private subnet without internet access. Option A is wrong because an internet gateway is not enough; the subnet must be public or have NAT. Option B is wrong because VPC peering does not provide internet access.

Option C is wrong because CodeBuild does not have a direct integration with Amazon ECR via a gateway endpoint; ECR requires interface endpoints.

332
MCQmedium

Refer to the exhibit. A DevOps engineer sees this output when listing pipelines. The pipeline 'my-app-pipeline' has execution mode set to 'QUEUED'. The team reports that when multiple commits are pushed simultaneously, only the latest commit is deployed, and earlier ones are skipped. How should the pipeline execution mode be changed to ensure all commits are deployed?

A.Change the execution mode to 'SUPERSEDED'.
B.Upgrade the pipeline to V2 type which supports 'QUEUED' mode.
C.Change the execution mode to 'SERIAL'.
D.Change the execution mode to 'PARALLEL'.
AnswerD

PARALLEL allows multiple executions to run simultaneously for each commit.

Why this answer

Option B is correct because 'PARALLEL' execution mode allows multiple pipeline executions to run concurrently, one per commit. Option A is incorrect because 'SUPERSEDED' would replace the current execution with a new one. Option C is incorrect because 'SERIAL' would queue them but run one at a time, potentially still skipping if a newer one supersedes.

Option D is incorrect because V2 pipelines support only 'QUEUED' and 'SUPERSEDED', not 'PARALLEL'.

333
MCQmedium

A development team is implementing a CI/CD pipeline using AWS CodePipeline. The pipeline has a Source stage connected to an Amazon S3 bucket, a Build stage using AWS CodeBuild, and a Deploy stage that deploys to an Amazon ECS cluster. The team notices that the pipeline fails intermittently during the Build stage with a 'BUILD_CONTAINER_UNABLE_TO_PULL_IMAGE' error. What is the most likely cause?

A.The CodeBuild project is in a different AWS Region than the CodePipeline pipeline.
B.The CodeBuild project is configured to run in a VPC without a NAT gateway, and the build image is pulled from a public registry.
C.The S3 bucket where the source code is stored has a bucket policy denying access to the CodeBuild service role.
D.The CodeBuild project does not have enough memory or vCPU allocated.
AnswerB

Without a NAT gateway, the build container cannot access the public internet to pull the image.

Why this answer

Option C is correct because CodeBuild builds run in a VPC that must have a route to pull Docker images from public registries; if the VPC does not have a NAT gateway or internet gateway, the build container cannot pull the base image. Option A is wrong because CodePipeline does not require CodeBuild to be in the same region. Option B is wrong because the error is about pulling the image, not insufficient resources.

Option D is wrong because S3 policy does not affect image pulling.

334
MCQeasy

A development team uses AWS CodeCommit as a Git repository. They want to automatically trigger a build in AWS CodeBuild whenever a pull request is created or updated. Which AWS service should be used to detect the pull request events and start the build?

A.Amazon Simple Notification Service (SNS)
B.AWS CodePipeline
C.Amazon CloudWatch Logs
D.Amazon EventBridge
AnswerD

Amazon EventBridge can detect CodeCommit events and trigger CodeBuild.

Why this answer

Option A is correct because Amazon EventBridge can monitor AWS CodeCommit events (like pull request creation) and trigger an AWS CodeBuild build using a rule. Option B is incorrect because CodePipeline is a continuous delivery service, not an event detection service. Option C is incorrect because CloudWatch Logs does not detect events; it stores logs.

Option D is incorrect because SNS is a notification service, not a trigger for CodeBuild.

335
MCQhard

Refer to the exhibit. A developer runs this buildspec in CodeBuild to deploy a CDK application. The build succeeds, but the CDK stack is not deployed. What is the MOST likely reason?

A.The 'npx cdk deploy' command should be in the build phase, not post_build.
B.The CDK application has not been bootstrapped in the target account.
C.The Node.js runtime version 14 is incompatible with the CDK version.
D.The IAM role for CodeBuild does not have permission to create CloudFormation stacks.
AnswerB

CDK requires bootstrapping to deploy stacks; otherwise, the deploy command fails silently or with an error.

Why this answer

Option A is correct because CDK synth outputs to 'cdk.out' by default, but the artifacts specify 'cdk.out' as base-directory, so the deploy command runs in the build environment, not from the artifacts. However, the issue is that 'cdk deploy' runs in the build phase but the artifacts are collected after; but actually the deploy should happen in post_build. The more likely reason is that the CDK stack requires bootstrapping.

Option B is incorrect because the runtime is sufficient. Option C is incorrect because the commands are valid. Option D is incorrect because the permissions might be missing, but the error would be different.

336
MCQhard

A company uses AWS CodeCommit for source control. Developers frequently push large binary files (e.g., compiled binaries, datasets) to the repository, causing repository size to grow and clone operations to become slow. What is the BEST approach to manage this?

A.Use S3 as the source in CodePipeline and skip CodeCommit for binaries.
B.Store binaries in a separate CodeCommit repository.
C.Increase the repository size limit by requesting a quota increase.
D.Enable Git LFS in CodeCommit and configure the large files to use LFS.
AnswerD

Git LFS is supported in CodeCommit and stores large files in S3, reducing repository size.

Why this answer

AWS CodeCommit repositories have a size limit (2 GB per repository) and are not optimized for large binaries. Using a separate S3 bucket with Git LFS is the standard approach.

337
MCQhard

A company uses AWS CodePipeline with an Amazon S3 source, AWS CodeBuild, and AWS CodeDeploy. The deployment stage fails intermittently with the error 'Deployment failed because the deployment group does not exist'. The pipeline has been working for months. What is the MOST likely cause?

A.The deployment group name contains a typo in the pipeline definition.
B.The IAM role for CodePipeline does not have sufficient permissions in all regions.
C.The pipeline's cross-region action configuration references the deployment group in a different region without specifying the region.
D.The pipeline was recreated without specifying the deployment group.
AnswerC

If the pipeline uses a cross-region action and the region is not specified, it defaults to the pipeline region, which may not have the deployment group, causing intermittent failures when the region changes.

Why this answer

Option D is correct because the deployment group ARN is passed as a parameter; if the region is not specified, the default region may differ from the pipeline's region. Option A is wrong because IAM permissions are not tied to region. Option B is wrong because the deployment group name is not case-sensitive.

Option C is wrong because the pipeline is not being recreated, only the deployment group reference changes.

338
MCQhard

A company is using AWS CodePipeline with a deployment stage that uses AWS CloudFormation to deploy infrastructure. The team wants to ensure that if the CloudFormation stack update fails, the pipeline automatically rolls back to the previous version of the stack. Which configuration should the DevOps engineer implement?

A.Configure the CodeDeploy deployment group to automatically roll back on failure.
B.In the CodePipeline CloudFormation deployment action, set 'Stack failure behavior' to 'ROLLBACK'.
C.Configure a CloudFormation stack policy to prevent updates and force rollback.
D.Use CloudFormation change sets and manually execute them after review.
AnswerB

This configures automatic rollback on stack update failure.

Why this answer

Option D is correct because CloudFormation deployment actions in CodePipeline can be configured with 'Stack failure behavior' set to 'ROLLBACK'. Option A is wrong because CloudFormation stack policy does not control rollback. Option B is wrong because change sets are for manual review.

Option C is wrong because rollback triggers in CodeDeploy are for CodeDeploy, not CloudFormation.

339
MCQhard

A DevOps team is designing a CI/CD pipeline for a microservices application. Each service is stored in a separate repository. The team wants to build and test only the services that changed in a given commit. Which AWS solution is MOST efficient and cost-effective?

A.Use AWS CodeCommit triggers with Amazon SNS to send notifications and then manually trigger builds.
B.Use AWS CodeBuild with a webhook that triggers builds only for repositories where files changed, using buildspec filters.
C.Use AWS CodePipeline with a single pipeline that builds all services on every commit.
D.Use Amazon EventBridge to detect repository changes and trigger AWS Lambda functions that determine which services changed.
AnswerB

CodeBuild webhooks can filter by file paths, triggering builds only for relevant services.

Why this answer

Option C is correct because AWS CodeBuild can use webhook events and filter by changed files to trigger builds only for affected services. Option A is incorrect because building all services wastes resources. Option B is incorrect because Lambda functions add unnecessary complexity.

Option D is incorrect because it is not a native integration.

340
Multi-Selectmedium

A company uses AWS CodePipeline with multiple stages. The pipeline includes a Beta stage that deploys to a test environment and a Prod stage. The team wants to require manual approval before the Prod stage. Which TWO actions should be taken to implement this? (Choose TWO.)

Select 2 answers
A.Ensure that the IAM user or role performing the approval has codepipeline:PutApprovalResult permissions.
B.Use CloudWatch Events to trigger a Lambda function that requires manual sign-off.
C.Set the Prod stage to only run on manual invocation.
D.Add a manual approval action in the pipeline stage between Beta and Prod.
E.Configure a CodeCommit approval rule template to require approval before merging.
AnswersA, D

The approver needs permissions to submit the approval result.

Why this answer

Options B and E are correct. The approval action must be added to the pipeline structure as a stage with an approval action, and the IAM policy must allow the approver to perform the approval. Option A is wrong because CodeCommit approval rules are for pull requests.

Option C is wrong because CloudWatch Events does not provide manual approval. Option D is wrong because the pipeline must be configured to use the manual approval action, not just restrict triggers.

341
MCQhard

Refer to the exhibit. A developer runs the AWS CLI command to start a build in AWS CodeBuild. The build project 'my-project' uses an S3 bucket as the source. What is the MOST likely cause of the error?

A.The CodeBuild service role does not have s3:GetObject permission on the source bucket.
B.The S3 bucket name is misspelled in the build project configuration.
C.The developer's IAM user does not have s3:GetObject permission.
D.The S3 bucket is in a different region than the CodeBuild project.
AnswerA

CodeBuild assumes a service role to access sources; that role needs S3 read permission.

Why this answer

Option B is correct because the CodeBuild service role needs S3 access. Option A is wrong because the error is about the role. Option C is wrong because the error says 'provided role'.

Option D is wrong because the bucket is specified.

342
MCQhard

A DevOps team is implementing a CI/CD pipeline for a microservices architecture on AWS ECS. They want to ensure zero-downtime deployments and automatic rollback if health checks fail. Which combination of services should they use?

A.AWS CodePipeline with ECS rolling update and manual rollback.
B.AWS CodeDeploy with ECS blue/green deployment and CloudWatch alarms for automatic rollback.
C.AWS Elastic Beanstalk with rolling deployment and enhanced health reporting.
D.AWS CloudFormation with ECS service update and SNS notification on failure.
AnswerB

Blue/green provides zero-downtime; CloudWatch alarm triggers automatic rollback.

Why this answer

CodeDeploy with ECS blue/green deployment and CloudWatch alarms for rollback provides zero-downtime and automatic rollback. Option B is correct.

343
MCQmedium

An organization uses AWS CodeBuild to run integration tests. The tests require a large amount of memory and CPU, and they often time out after the default 60 minutes. What is the MOST efficient way to increase the timeout and allocate more resources?

A.Use Amazon CloudWatch to monitor the build and automatically restart it if it times out.
B.Use AWS Lambda instead of CodeBuild, as it can run up to 15 minutes.
C.Select a larger instance type in the CodeBuild project configuration, such as 'BUILD_GENERAL1_LARGE'.
D.Modify the buildspec.yml file to include 'compute-type' and 'timeout-in-minutes' overrides.
AnswerD

The buildspec can specify higher compute resources and timeout values.

Why this answer

Option D is correct because the buildspec allows setting compute type and timeout via 'compute-type' and 'timeout-in-minutes' overrides. Option A is incorrect because Lambda has a 15-minute limit. Option B is incorrect because only large instance types are suitable.

Option C is incorrect because CloudWatch does not control build resources.

344
MCQhard

A company uses AWS CodePipeline with a cross-account action where the source account (Account A) triggers a deploy action in a target account (Account B). The pipeline is failing with an 'Access Denied' error when trying to assume the deployment role. What is the MOST likely cause?

A.The S3 artifact bucket in Account A does not have a bucket policy allowing Account B.
B.The deployment role in Account B does not exist.
C.The CloudFormation service role in Account B is missing.
D.The KMS key used to encrypt artifacts is not shared with Account B.
AnswerD

To decrypt artifacts, Account B needs decrypt permission on the KMS key.

Why this answer

Option C is correct because cross-account pipelines require the source account to have a KMS key to encrypt artifacts and the target account to have permissions to decrypt. Option A is wrong because the error is 'Access Denied', not a missing role. Option B is wrong because an S3 bucket policy might be needed but is often not the primary cause.

Option D is wrong because CloudFormation role is for stack operations, not for the pipeline artifact decryption.

345
MCQeasy

A company uses AWS CloudFormation to manage infrastructure. The DevOps team wants to deploy a stack across multiple accounts using AWS CodePipeline. Which approach is BEST for automating cross-account deployments?

A.Use AWS CloudFormation StackSets to deploy the stack across accounts.
B.Create a separate pipeline in each account and trigger them manually.
C.Use a single pipeline in the management account with IAM roles that assume cross-account roles.
D.Use an S3 bucket with cross-account access and Lambda to invoke CloudFormation.
AnswerC

This is the standard pattern for cross-account pipelines.

Why this answer

Option D is correct because cross-account CodePipeline uses a KMS key and IAM roles in each account. Option A is wrong because cross-account roles are needed. Option B is wrong because CloudFormation StackSets are for multiple regions/accounts but not directly integrated with CodePipeline.

Option C is wrong because separate pipelines in each account increase management overhead.

346
Multi-Selectmedium

A DevOps engineer is troubleshooting a failed CodePipeline execution. The pipeline has a source stage from CodeCommit, a build stage using CodeBuild, and a deploy stage using CodeDeploy. The build stage succeeds, but the deploy stage fails with 'No deployments found for the specified deployment group.' Which TWO actions should the engineer take to resolve this?

Select 2 answers
A.Update the IAM role for CodePipeline to allow it to list deployment groups.
B.Confirm that the CodeDeploy deployment group exists in the same AWS Region as the pipeline.
C.Check the CodeBuild build logs for errors.
D.Verify that the deploy stage in CodePipeline is configured with the correct deployment group name.
E.Ensure the CodeCommit repository has a valid commit.
AnswersB, D

Cross-region mismatches can cause this error.

Why this answer

Options A and D are correct. The error suggests the pipeline cannot find the deployment group, often due to incorrect configuration or region mismatch. Checking the deploy stage configuration ensures the deployment group name is correct.

Verifying the deployment group exists confirms it's not deleted. Option B is unnecessary if the build succeeded. Option C is unrelated.

Option E is about IAM, but the error message is about missing deployment group.

347
Multi-Selectmedium

An organization uses AWS CodePipeline to deploy a static website to Amazon S3. The pipeline has a source stage (CodeCommit), a build stage (CodeBuild that minifies assets), and a deploy stage (S3 deployment). The team wants to add a stage for running security vulnerability scans on the code. Which TWO options are viable?

Select 2 answers
A.Add a custom action in the pipeline that invokes a third-party scanning service via AWS Lambda.
B.Enable AWS Shield Advanced to scan for vulnerabilities.
C.Use Amazon Inspector to scan the source code.
D.Add an S3 event notification to trigger a Lambda function that scans the S3 bucket.
E.Modify the buildspec in the build stage to include commands that run security scanning tools.
AnswersA, E

Custom actions allow integration with external tools.

Why this answer

Correct answers are B and D. B: CodeBuild can run security scans as part of the build. D: Third-party tools can be integrated via CodePipeline custom actions.

A is wrong because S3 cannot run scans. C is wrong because Inspector is for EC2 instances, not code. E is wrong because Shield is for DDoS protection.

348
MCQeasy

A company is using AWS CodeCommit for source control and wants to automatically trigger a build in AWS CodeBuild whenever a pull request is created against the main branch. Which AWS service should be used to connect CodeCommit events to CodeBuild?

A.AWS CodePipeline
B.Amazon EventBridge
C.AWS Lambda
D.Amazon Simple Notification Service (SNS)
AnswerB

EventBridge can capture CodeCommit events and trigger CodeBuild directly.

Why this answer

Option C is correct because Amazon EventBridge can capture CodeCommit repository events (like pull request creation) and route them to targets such as CodeBuild projects. Option A is wrong because AWS CodePipeline is a CI/CD orchestration service, not a direct event trigger. Option B is wrong because Amazon SNS is a notification service, not a build trigger.

Option D is wrong because AWS Lambda can be used as an intermediary but is not the direct connection; EventBridge is the correct native integration.

349
MCQmedium

A development team uses AWS CodeCommit for source control and AWS CodePipeline for CI/CD. The pipeline has a Source stage that polls the repository for changes. Recently, developers have noticed that the pipeline does not always trigger when code is pushed to the main branch. What is the most likely cause?

A.The number of pushes to the repository has exceeded the CodePipeline poll rate limit.
B.The repository does not have a webhook configured to notify CodePipeline of changes.
C.The IAM role used by CodePipeline does not have permission to read from CodeCommit.
D.CloudWatch Events is not enabled for the repository.
AnswerA

CodePipeline polls at a fixed interval; if many pushes occur, some may be missed due to throttling.

Why this answer

Option B is correct because excessive pushes to the repository can cause throttling of CodePipeline's polling mechanism. Option A is wrong because CodePipeline does not require a webhook; polling is a valid method. Option C is wrong because CloudWatch Events are not used for polling.

Option D is wrong because IAM permissions for CodeCommit are separate from CodePipeline's service role.

350
MCQmedium

A company uses AWS CodePipeline to deploy a Node.js application to AWS Elastic Beanstalk. The pipeline includes a build stage that runs 'npm install' and 'npm test'. The team notices that the build stage often fails due to network timeouts when downloading npm packages. Which action would MOST reliably resolve this issue?

A.Configure the CodeBuild project to use a VPC with a NAT gateway to the internet.
B.Use a custom Docker image that includes pre-installed npm packages.
C.Enable local dependency caching in the buildspec file.
D.Increase the build timeout to the maximum value.
AnswerA

Provides reliable internet access from CodeBuild.

Why this answer

Option B is correct because using a VPC with a NAT gateway ensures consistent outbound internet access for CodeBuild. Option A is wrong because npm packages are not cached by default. Option C is wrong because increasing timeout may not resolve timeouts.

Option D is wrong because using a custom image does not fix network issues.

351
MCQeasy

A team uses AWS CloudFormation to manage infrastructure. They want to reuse a common set of resources (e.g., VPC, subnets) across multiple stacks. Which CloudFormation feature should they use?

A.Custom resources
B.StackSets
C.Cross-stack references
D.Nested stacks
AnswerD

Nested stacks allow a template to reference another template, enabling reuse.

Why this answer

Option A is correct because nested stacks allow reusing a common template. Option B is wrong because cross-stack references allow passing values but not reusing resource definitions. Option C is wrong because custom resources are for extending CloudFormation.

Option D is wrong because StackSets deploy across accounts/regions.

352
MCQmedium

A company uses AWS CloudFormation to manage infrastructure. They have a stack that creates an Amazon RDS instance. The stack creation fails with the error: 'The following resource(s) failed to create: [DBInstance]'. The CloudFormation template includes a parameter for the DB instance class. Which troubleshooting step should be taken FIRST?

A.Increase the stack creation timeout to allow more time for the database to be created.
B.Check the CloudFormation stack events for a detailed status message from the DBInstance resource.
C.Verify that the VPC has at least two public subnets in different Availability Zones.
D.Use the Amazon RDS console to check if a DB instance with the same identifier already exists.
AnswerB

Stack events provide the specific reason for failure, such as 'DBInstance class not supported'.

Why this answer

Option B is correct because the most common reason for RDS creation failure is an invalid instance class (e.g., not available in the region). Option A is wrong because the VPC configuration is less likely. Option C is wrong because checking the RDS console will show the error, but checking the events is more direct.

Option D is wrong because increasing timeout won't fix a configuration error.

353
MCQhard

A company has a CI/CD pipeline that deploys to Amazon ECS using AWS CodePipeline. The pipeline includes a manual approval step before deployment to production. The security team requires that all approvals be logged in AWS CloudTrail and that the approver's identity be verified. Which action should the DevOps engineer take to meet these requirements?

A.Ensure that the manual approval action is configured as a CodePipeline approval action; CloudTrail will log the 'Approval' event with the IAM user ARN.
B.Create a custom CloudTrail trail specifically for CodePipeline API calls.
C.Enable CloudTrail Insights to detect unusual approval activity.
D.Configure the approval action to send a notification to an Amazon SNS topic, and log the SNS delivery to CloudWatch Logs.
AnswerA

CodePipeline approval actions are logged in CloudTrail as PutApprovalResult events.

Why this answer

Option C is correct because CodePipeline manual approval actions are already logged in CloudTrail with the approver's IAM user ARN. Option A is wrong because CloudWatch Logs do not capture approval actions. Option B is wrong because CloudTrail is sufficient.

Option D is wrong because enabling CloudTrail is not needed if already enabled.

354
MCQmedium

A company uses AWS CodeDeploy with a blue/green deployment strategy for an Amazon EC2 Auto Scaling group. During deployment, the new instances are failing health checks and the deployment is rolling back. What is the MOST likely cause?

A.The new instances are not passing the configured health check grace period.
B.The application is not registered with an Elastic Load Balancer.
C.The deployment group is not configured to use an Auto Scaling group.
D.The CodeDeploy agent is not installed on the new instances.
AnswerA

If health checks fail during the grace period, CodeDeploy rolls back.

Why this answer

Option C is correct because failing health checks indicate the new instances are not ready. Option A is incorrect because a CodeDeploy agent that is not running would cause a different error. Option B is incorrect because blue/green typically uses an ELB.

Option D is incorrect because the deployment group already targets the ASG.

355
MCQhard

A company runs a critical application on Amazon EC2 instances managed by an Auto Scaling group behind an Application Load Balancer. They use AWS CodeDeploy for blue/green deployments. The deployment process creates a new Auto Scaling group (green) and routes traffic to it after a successful deployment. Recently, the deployment succeeded but the green instances are not receiving traffic; users are still served by the old (blue) instances. The deployment logs show that the 'AllowTraffic' step succeeded. The team checked the ALB target groups; the green target group has healthy instances but the ALB listener default action still points to the blue target group. What is the most likely cause and remediation?

A.The ALB has sticky sessions enabled, causing traffic to stick to the blue instances. Disable sticky sessions.
B.The deployment configuration uses 'AllAtOnce' traffic shifting, which is not supported for blue/green with an ALB. Change to 'Canary' or 'Linear'.
C.The deregistration delay on the blue target group is too long, preventing traffic from shifting. Reduce the deregistration delay to 0 seconds.
D.The CodeDeploy deployment group is not configured to update the ALB listener rule. Update the deployment group to include the ALB listener ARN so that CodeDeploy can switch the listener to the green target group.
AnswerD

Correct: CodeDeploy must be configured with the listener ARN to update routing.

Why this answer

Option A is correct because CodeDeploy blue/green with an ALB uses a target group for the green environment, and the listener rule should be updated to route traffic to the green target group. Option B is about deregistration delay, which affects traffic drain, not routing. Option C is about stickiness, which doesn't prevent new traffic.

Option D is about deployment configuration, which doesn't affect traffic routing.

356
MCQhard

A company is using AWS CodeBuild to compile a Java application. The build takes over 30 minutes, which is too long. The project uses the standard build environment. The source code is stored in an S3 bucket. What is the most effective way to reduce build time?

A.Use a custom build environment with pre-installed Java.
B.Enable local caching for dependencies in the buildspec.yml.
C.Store the source code in AWS CodeCommit instead of S3.
D.Increase the compute type to a larger instance.
AnswerB

Caching dependencies avoids re-downloading them each build.

Why this answer

Option D is correct because caching the Maven dependencies can significantly reduce build time by reusing downloaded artifacts. Option A is wrong because it adds overhead. Option B is wrong because S3 is already the source.

Option C is wrong because it does not address the compilation time.

357
MCQhard

A team uses AWS CodeBuild to run integration tests that require access to an Amazon RDS database. The database is in a private subnet. The CodeBuild project is configured to use a VPC. However, the builds are failing with a timeout connecting to the database. What could be the issue?

A.The CodeBuild project's VPC configuration does not include the subnet IDs where the database resides.
B.The security group for the CodeBuild project does not allow outbound traffic to the RDS database.
C.The security group for the RDS database does not allow inbound traffic from the security group assigned to the CodeBuild project.
D.The CodeBuild project does not have a route to the internet via an internet gateway, so it cannot reach the RDS endpoint.
AnswerC

The database's security group must allow inbound from the CodeBuild security group.

Why this answer

Option B is correct because security group rules must allow inbound traffic from the security group associated with the CodeBuild project. Option A is wrong because CodeBuild VPC support requires subnets, not just the VPC ID. Option C is wrong because CodeBuild does not need an internet gateway for VPC-based builds; it can use VPC endpoints for AWS services.

Option D is wrong because the security group for CodeBuild should allow outbound to the database, but the database's security group must allow inbound from CodeBuild.

358
MCQ · hard

Refer to the exhibit. A DevOps engineer deploys this CloudFormation template. The EC2 instance launches, but the httpd service does not start. The engineer connects to the instance and finds that the user data script did not run. What is the most likely cause?

A. The UserData is not base64 encoded correctly
B. The AMI does not have yum installed
C. The tags prevent user data from executing
D. The AMI uses a different init system than systemd
Answer: B

Amazon Linux 2 may not have yum by default.

Why this answer

Option D is correct because the default AMI for t2.micro may be Amazon Linux 2, which uses 'dnf' or 'amazon-linux-extras' instead of 'yum'. Option A is incorrect because the syntax looks correct. Option B is incorrect because SystemD is used.

Option C is incorrect because tags do not affect user data execution.

359
MCQ · medium

A DevOps engineer needs to automate the creation of an AWS CodeStar project for a new microservice. The engineer wants to use AWS CloudFormation to define the project and its resources. Which CloudFormation resource should be used?

A. AWS::CodeStar::Project
B. AWS::ServiceCatalog::CloudFormationProduct
C. AWS::CodePipeline::Pipeline
D. AWS::CodeBuild::Project
Answer: A

This resource creates a CodeStar project with associated resources.

Why this answer

Option A is correct because AWS::CodeStar::Project is the CloudFormation resource for creating a CodeStar project. Option B is wrong because AWS::ServiceCatalog::CloudFormationProduct is for Service Catalog products. Option C is wrong because AWS::CodePipeline::Pipeline creates a pipeline, not a CodeStar project.

Option D is wrong because AWS::CodeBuild::Project creates a build project, not a CodeStar project.

360
Multi-Select · medium

A DevOps engineer is managing infrastructure as code using AWS CloudFormation. The engineer wants to automatically update a stack when changes are pushed to a Git repository. Which THREE services can be used together to achieve this?

Select 3 answers
A. AWS CloudFormation
B. Amazon CloudWatch Events
C. AWS CodeBuild
D. AWS CodeCommit
E. AWS CodePipeline
Answers: A, D, E

CloudFormation is used to update the stack.

Why this answer

Option A is correct because CodePipeline can orchestrate the deployment. Option B is correct because CodeCommit is the repository. Option D is correct because CloudFormation is the deployment action.

Option C is wrong because CloudWatch Events can trigger pipelines but is not a primary service for this scenario. Option E is wrong because CodeBuild is for building, not directly applying CloudFormation stacks.

361
MCQ · hard

A team uses AWS CodePipeline with multiple parallel actions in a stage. They notice that when one action fails, the entire stage fails and no further actions are attempted. They want the pipeline to continue with the remaining actions even if one fails, and then report the failure at the end. Which feature should they use?

A. Configure each action with a 'RunOrder' of 1 and set 'On failure' to 'ABORT'.
B. Configure each action with 'On failure' set to 'CONTINUE'.
C. Set the stage's 'On failure' to 'ROLLBACK'.
D. Use a custom Lambda function to catch failures and resume the pipeline.
Answer: B

CONTINUE allows the pipeline to proceed with other actions even if this action fails.

Why this answer

CodePipeline supports a 'RunOrder' but also a 'Failure mode' per action. However, to allow continuation, they need to set the 'On failure' for the stage to 'ROLLBACK' or 'FAIL'. Actually, the correct approach is to use a custom action or set the 'RunOrder' such that actions are independent.

The best practice is to use 'FAILURE' mode as 'CONTINUE' is not available; instead, they should set the stage's 'On failure' to 'FAIL' and use a separate stage for error handling. But the question asks for a specific feature: 'Retry on failure' with a maximum count. Option C is correct because setting retry allows the pipeline to continue after a transient failure, but for permanent failure, they need to use 'Failure mode' per action.

Actually, CodePipeline now supports 'On failure' for actions: 'ABORT' or 'CONTINUE'. So using 'CONTINUE' on failure for the action will let the pipeline continue. Option C is correct.

362
MCQ · hard

Refer to the exhibit. An AWS CloudFormation template includes a Lambda function with the ARN shown. The function is part of a custom resource to create an S3 bucket. The stack creation fails with the error 'Function not found: arn:aws:lambda:us-east-1:123456789012:function:my-function'. The Lambda function exists in the same account and region. What is the most likely cause?

A. The Lambda function is defined in the same template and has a circular dependency
B. The Lambda function is not in the same AWS region
C. The Lambda function lacks necessary IAM permissions
D. The Lambda function ARN is malformed
Answer: A

CloudFormation cannot use a resource that is being created in the same stack as a custom resource without a proper DependsOn.

Why this answer

The error indicates that CloudFormation cannot find the Lambda function. Since the function exists in the same account and region, the issue could be that the function is not deployed yet because of a circular dependency. CloudFormation may be trying to invoke the function before it is created.

Option C is correct. Option A is wrong because the ARN is correct. Option B is wrong because IAM permissions would cause a different error.

Option D is wrong because the function exists.

363
MCQ · easy

A company wants to ensure that all code changes are reviewed before being merged to the main branch in AWS CodeCommit. Which feature should be enabled?

A. Configure a Lambda function to validate commits and block pushes.
B. Enable branch protection rules on the repository.
C. Create an approval rule template and associate it with the main branch.
D. Use CloudWatch Events to notify when a push occurs.
Answer: C

Approval rules require pull request approvals before merging.

Why this answer

Option D is correct because CodeCommit supports approval rule templates that can require pull request approvals. Option A is wrong because branches are not protected by default; approval rules are needed. Option B is wrong because Lambda triggers can be used but are not the built-in solution.

Option C is wrong because CloudWatch Events can send notifications but not block merges.

364
MCQ · easy

A DevOps engineer needs to deploy a serverless application using AWS CodeDeploy with a Lambda deployment group. The application uses AWS Lambda functions. The engineer wants to shift 10% of traffic to the new version initially, then gradually increase to 100%. Which deployment configuration should be used?

A. CodeDeployDefault.LambdaAllAtOnce
B. CodeDeployDefault.LambdaCanary10Percent5Minutes
C. CodeDeployDefault.LambdaCanary10Percent10Minutes
D. CodeDeployDefault.LambdaLinear10PercentEvery10Minutes
Answer: B

This shifts 10% initially and then the rest after 5 minutes.

Why this answer

Option B is correct because CodeDeployDefault.LambdaCanary10Percent5Minutes shifts 10% traffic initially and then every 5 minutes. Option A is wrong because it shifts all at once. Option C is wrong because it shifts 10% then every 10 minutes.

Option D is wrong because it shifts linearly over 10 minutes.

365
MCQ · easy

Refer to the exhibit. A team uses this buildspec.yml in AWS CodeBuild. The build fails because the 'dist' directory does not exist after the build phase. What is the most likely cause?

A. The build command outputs to a 'build' directory, but the artifacts base-directory is set to 'dist'.
B. The buildspec version is incorrect.
C. The Python runtime version 3.8 is not available in CodeBuild.
D. The requirements.txt file is missing from the source code.
Answer: A

Mismatch between output directory and artifacts base-directory.

Why this answer

Option B is correct. The 'python setup.py build' command typically outputs to a 'build' directory, not 'dist'. The artifacts base-directory should match the actual output directory.

Option A is wrong because runtime version is correct. Option C is wrong because requirements.txt is not related to output directory. Option D is wrong because the version field is fine.

366
MCQ · easy

A company uses AWS CodeDeploy with a blue/green deployment configuration. The engineer wants to automatically roll back the deployment if the new instances fail the health check for 5 minutes. Which setting should the engineer configure?

A. Create a CloudWatch alarm that monitors the health check endpoint
B. Configure the deployment group to roll back when a CloudWatch alarm is triggered
C. Set the Auto Scaling group health check grace period to 5 minutes
D. Set the deployment configuration's 'timeout' to 5 minutes
Answer: B

CodeDeploy can roll back based on CloudWatch alarms.

Why this answer

Option B is correct because CodeDeploy blue/green deployments can automatically roll back based on CloudWatch alarms. Option A is incorrect because creating an alarm alone does not trigger rollback; CodeDeploy must be configured to use it. Option C is incorrect because Auto Scaling group health checks are separate.

Option D is incorrect because CodeDeploy does not have a built-in timeout for health checks; it uses alarms.

367
MCQ · easy

A developer wants to automatically run unit tests when a pull request is created in AWS CodeCommit. Which AWS service should be used to trigger the tests?

A. AWS CodePipeline with source polling.
B. AWS CodeBuild with webhooks from CodeCommit.
C. AWS CloudWatch Logs subscription filter for repository logs.
D. Amazon EventBridge rule for CodeCommit pull request state changes targeting AWS Lambda.
Answer: D

EventBridge can capture pull request events and invoke Lambda.

Why this answer

CodeCommit can trigger Amazon EventBridge events on pull request creation, which can invoke a Lambda function to run tests. Option C is correct.

368
MCQ · easy

A DevOps engineer is tasked with automating the deployment of a microservices architecture. Each service is packaged as a Docker container. The team wants to use AWS CodePipeline and AWS CodeBuild to build Docker images and push them to Amazon ECR, then deploy to Amazon ECS. What should the CodeBuild buildspec file include to push the image to ECR?

A. A call to the AWS CodeDeploy API to push the image.
B. An invocation of the AWS ECS RunTask API.
C. A buildspec phase with 'ecr-push' action.
D. Docker build and docker push commands with AWS CLI to authenticate to ECR.
Answer: D

Standard approach: build, tag, and push to ECR.

Why this answer

Option C is correct because standard Docker commands are used to build and push images. Option A is wrong because CodeDeploy is not used for pushing images. Option B is wrong because CodeBuild does not natively call ECS.

Option D is wrong because there is no built-in ECR push action in CodeBuild; you must use docker push.

369
MCQ · easy

A development team uses AWS CodeCommit for source control and AWS CodePipeline for CI/CD. They have configured a CodeBuild project that triggers on pushes to the 'develop' branch. The build runs unit tests and packages the application. However, developers report that the pipeline fails intermittently with a 'BUILD_FAILED' status due to test failures, but the tests pass locally. What is the MOST likely cause of this discrepancy?

A. The CodeBuild project is configured with a VPC that restricts access to external dependency repositories.
B. The CodePipeline has a timeout setting that causes the build to be terminated before tests complete.
C. The CodePipeline is configured with a branch filter that only triggers on the 'main' branch.
D. The CodeBuild project has different environment variables or dependency versions compared to the local environment.
Answer: D

Differences in environment, such as dependency versions, environment variables, or operating system, can cause tests to fail in CodeBuild but pass locally.

Why this answer

Option D is correct because the most common cause of tests passing locally but failing in CodeBuild is environment inconsistency. CodeBuild runs in a managed environment with specific runtime versions, environment variables, and dependency caches that may differ from the developer's local machine. This discrepancy can lead to test failures due to different library versions, missing environment variables, or platform-specific behaviors.

Exam trap

The trap here is that candidates may focus on network or timeout issues (options A and B) instead of recognizing that environment inconsistency is the classic cause of 'works on my machine' failures in CI/CD pipelines.

How to eliminate wrong answers

Option A is wrong because while a VPC restriction could cause network issues, it would typically result in build failures due to dependency download errors, not test failures that pass locally. Option B is wrong because a pipeline timeout would terminate the entire build process, not cause specific test failures; the error would be 'BUILD_TIMEOUT' or similar, not 'BUILD_FAILED' with test failures. Option C is wrong because the question states the pipeline triggers on pushes to the 'develop' branch, so a branch filter for 'main' would prevent the pipeline from triggering at all, not cause intermittent failures.

370
MCQ · medium

A company uses AWS CodeCommit as a Git repository. Developers want to enforce that all commits are signed with GPG keys. How can this be achieved?

A. Configure a Git hook in the repository to reject unsigned commits.
B. Use an IAM policy condition to deny pushes if the commit is not signed.
C. Enable the 'Require GPG signatures' option in the CodeCommit repository settings.
D. Ask developers to sign commits locally and use a pre-commit hook.
Answer: B

IAM conditions can check for GPG signature.

Why this answer

AWS CodeCommit does not natively support server-side GPG signature verification or a repository-level setting to require signed commits. The correct approach is to use an IAM policy with a condition key like `aws:SourceIp` or a custom condition that checks for a specific commit signature status, but since CodeCommit does not expose a native condition for GPG signatures, the only practical way to enforce signing is through client-side Git hooks or by using a pre-receive hook in a custom Git server. However, among the given options, the IAM policy condition is the closest to a server-side enforcement mechanism because it can deny pushes based on the presence of a signed commit tag, though this is not a native CodeCommit feature.

Option B is marked as correct in the exam context because it represents the principle of using IAM to control API actions, even though CodeCommit does not have a built-in 'require GPG signatures' toggle.

Exam trap

The trap here is that candidates assume CodeCommit has a native 'require GPG signatures' toggle like GitHub or GitLab, but AWS CodeCommit does not support this feature, so the correct answer relies on understanding that IAM policies are the only server-side enforcement mechanism available in CodeCommit.

How to eliminate wrong answers

Option A is wrong because Git hooks are client-side scripts that run in the developer's local repository and cannot be enforced server-side in CodeCommit; they can be bypassed by the developer. Option C is wrong because CodeCommit does not have a 'Require GPG signatures' setting in its repository settings; this feature exists in other Git hosting services like GitHub or GitLab but not in CodeCommit. Option D is wrong because a pre-commit hook is client-side and only runs before the commit is created locally; it does not enforce signing on the remote repository and can be bypassed by the developer.

371
MCQ · medium

A development team is using AWS CodeCommit as a source control repository. They want to automate the creation of a new feature branch whenever a developer creates a new Jira issue with a specific label. Which AWS service should be used to listen for Jira webhooks and trigger the branch creation?

A. Amazon EventBridge to schedule a rule every minute
B. AWS Lambda with Amazon API Gateway to receive the webhook
C. AWS CodePipeline to poll for new Jira issues
D. AWS CodeBuild to run a build when a webhook is received
Answer: B

Lambda can process the webhook and create the branch via the SDK.

Why this answer

AWS CodeCommit can be managed through AWS CLI or SDK, but the trigger for webhook events is best handled by AWS Lambda, which can be invoked by Amazon API Gateway or directly via HTTP. AWS CodePipeline is for CI/CD pipelines, not for reacting to external webhooks. Amazon EventBridge can also ingest events, but the simplest integration for custom webhooks is Lambda behind API Gateway.

Option D is correct because Lambda can execute code to create a branch in CodeCommit via AWS SDK.

372
MCQ · hard

Refer to the exhibit. The above buildspec.yml is used in AWS CodeBuild. The build is failing during the 'build' phase with a 'FileNotFoundError: setup.py' error. What is the MOST likely cause?

A. The source code does not contain a setup.py file in the root directory.
B. The unit tests in the post_build phase are failing.
C. The Python version 3.8 is not supported by CodeBuild.
D. The artifacts configuration discarding paths is causing the error.
Answer: A

The build command runs python setup.py build, which requires setup.py in the current directory.

Why this answer

Option B is correct because the pre_build phase runs flake8 on src/ directory, but the build command expects setup.py in the root; setup.py might be in src/ or missing. Option A is wrong because Python 3.8 is supported. Option C is wrong because unit tests are in post_build, not causing build failure.

Option D is wrong because artifacts are only collected after build.

373
Multi-Select · medium

Which THREE steps are required to set up a continuous deployment pipeline using AWS CodePipeline that deploys a Docker-based application to Amazon ECS? (Choose three.)

Select 3 answers
A. Create a deploy stage that uses AWS CodeDeploy to deploy to Amazon ECS
B. Create a source stage that uses AWS CodeCommit as the source provider
C. Create a deploy stage that uses Amazon ECS as the deploy provider with an imagedefinitions.json file
D. Create an invoke stage that uses AWS Lambda to update the ECS service
E. Create a build stage that uses AWS CodeBuild to build a Docker image and push it to Amazon ECR
Answers: B, C, E

CodeCommit is the source for the application code and Dockerfile.

Why this answer

Options A, C, and D are correct. A source stage with CodeCommit stores the code; a build stage with CodeBuild builds and pushes the Docker image to ECR; a deploy stage with ECS deploys the new task definition. Option B is wrong because CodeDeploy is for EC2/on-premises, not ECS.

Option E is wrong because Lambda is not used for ECS deployment.

374
MCQ · medium

A company uses AWS Elastic Beanstalk to deploy a web application. They have set up a CI/CD pipeline using AWS CodePipeline. The pipeline has a source stage from GitHub (using the GitHub source action) and a deploy stage that deploys to Elastic Beanstalk. The deployment is configured to use the 'Immutable' deployment policy. Recently, the deployment started failing with the error: 'The environment is in an unhealthy state. The deployment failed.' The developer checks the Elastic Beanstalk environment and sees that the new instances are not passing health checks. The application logs show that the new instances cannot connect to the existing Amazon RDS database. What is the most likely cause?

A. The RDS database is not available because it is being updated during the deployment.
B. The deployment policy should be changed to 'Rolling' to ensure instances are updated in place.
C. The security group attached to the Elastic Beanstalk environment does not allow the new instances to connect to the RDS database.
D. The application code has a bug that causes the health check to fail.
Answer: C

New instances in a new Auto Scaling group may have a different security group that is not authorized to access RDS.

Why this answer

Option B is correct because with immutable deployments, new instances are launched in a new Auto Scaling group, and they may not have the correct security group rules to access the RDS database. Option A is wrong because the deployment policy is immutable, not rolling. Option C is wrong because the database is existing and shouldn't cause issues.

Option D is wrong because the source code is unchanged.

375
MCQ · medium

A company uses AWS CloudFormation to manage infrastructure. The DevOps engineer wants to implement a CI/CD pipeline that builds and tests a CloudFormation template and then deploys it across multiple AWS accounts. Which combination of services should the engineer use?

A. Use CodeBuild to run cfn-lint and then use AWS Lambda to deploy stacks across accounts.
B. Use CodePipeline with separate CodeBuild projects for validation and CloudFormation deployment actions assuming IAM roles in target accounts.
C. Use CodePipeline with CodeDeploy to deploy CloudFormation stacks across accounts.
D. Use CodePipeline with a single CodeBuild project to run cfn-lint and deploy to all accounts.
Answer: B

This allows cross-account deployments using assumed roles.

Why this answer

Option C is correct because CodePipeline can orchestrate cross-account deployments using CloudFormation deployment actions with cross-account roles. Option A lacks cross-account capability. Option B uses CodeDeploy for apps, not infrastructure.

Option D uses Lambda, which is less suitable than CloudFormation for infrastructure.
