CCNA SDLC Automation Questions

22 of 397 questions · Page 6/6 · SDLC Automation · Answers revealed

376
MCQ · easy

A developer wants to automate the testing of a serverless application built with AWS Lambda and Amazon API Gateway. Which AWS service is best suited for running integration tests as part of a CI/CD pipeline?

A. AWS CodeDeploy
B. AWS CodeBuild
C. Amazon CloudWatch
D. AWS CloudFormation
Answer: B

CodeBuild can execute test scripts and report results.

Why this answer

Option C is correct because AWS CodeBuild can run integration tests in a managed environment; it supports custom test frameworks. Option A is wrong because CodeDeploy is for deployment, not testing. Option B is wrong because CloudFormation is for infrastructure provisioning.

Option D is wrong because CloudWatch is for monitoring and logging, not running tests.

377
MCQ · medium

A DevOps engineer notices that a CodePipeline execution fails at the deploy stage when deploying a Lambda function using AWS CloudFormation. The error message indicates that the stack update failed because the Lambda function's code is too large. What is the most likely cause?

A. The IAM role used by CloudFormation does not have sufficient permissions to update the Lambda function.
B. The CloudFormation template exceeds the maximum size limit for templates.
C. The artifact stored in the pipeline's S3 bucket exceeds the maximum allowed size for CodePipeline artifacts.
D. The Lambda function deployment package exceeds the maximum allowed size for Lambda.
Answer: D

Lambda has a size limit for deployment packages.

Why this answer

The error message explicitly states that the Lambda function's code is too large, which directly points to the Lambda deployment package exceeding the maximum allowed size. AWS Lambda has a hard limit of 50 MB for zipped direct uploads (or 250 MB for container images), and CloudFormation will fail the stack update if the package exceeds this limit during a deploy stage.

Exam trap

The trap here is that candidates may confuse CodePipeline artifact size limits (which are much larger) with Lambda deployment package size limits, or incorrectly attribute the failure to CloudFormation template size limits or IAM permissions, when the error message directly indicates the Lambda code size is the issue.

How to eliminate wrong answers

Option A is wrong because insufficient IAM permissions would produce an 'access denied' or 'unauthorized' error, not a 'code is too large' error. Option B is wrong because CloudFormation template size limits (1 MB for templates, 51,200 bytes for parameters) are unrelated to the Lambda function code size; the error is about the function's code, not the template. Option C is wrong because CodePipeline artifact size limits (default 2 GB per artifact) are much larger than Lambda's code size limit, and the error message specifically mentions the Lambda function's code, not the pipeline artifact.

378
Multi-Select · medium

Which TWO actions can be used to improve the security of a CI/CD pipeline that uses AWS CodePipeline? (Choose two.)

Select 2 answers
A. Enable encryption for artifacts stored in the pipeline's S3 bucket.
B. Use cross-account actions with appropriate IAM roles to limit access.
C. Configure the source action to poll for changes instead of using webhooks.
D. Store secrets in the pipeline environment variables in plain text.
E. Use a single IAM role for all pipeline actions to simplify permissions.
Answers: A, B

Encrypting artifacts protects data at rest.

Why this answer

Options A and D are correct. Enabling artifact encryption and using cross-account actions enhance security. Option B is wrong because using a single IAM role reduces security.

Option C is wrong because polling is less secure than event-based triggers. Option E is wrong because storing secrets in plain text is insecure.

379
Multi-Select · medium

A company has a CI/CD pipeline that builds a Docker image and pushes it to Amazon ECR. The build step uses AWS CodeBuild. The engineer wants to ensure that the ECR repository has a lifecycle policy to expire untagged images after 14 days. Which TWO actions are required? (Choose 2.)

Select 2 answers
A. Use the docker tag command to tag images with a timestamp.
B. Create an ECR lifecycle policy for the repository.
C. Add a lifecycle policy rule in the buildspec.yml file.
D. Configure the lifecycle policy in the CodeBuild project settings.
E. Define a rule that expires untagged images after 14 days.
Answers: B, E

Lifecycle policies are applied to the repository.

Why this answer

Options A and D are correct. A lifecycle policy must be applied to the ECR repository (A) and the policy must specify the rule for untagged images (D). Option B is wrong because the buildspec is not where lifecycle policies are defined.

Option C is wrong because the lifecycle policy is defined on the repository, not in the pipeline. Option E is wrong because the lifecycle policy is not applied during the build.

380
MCQ · easy

A team uses AWS CodeDeploy to deploy a web application to an Auto Scaling group. The deployment strategy is Blue/Green. During a recent deployment, the new instances passed all health checks, but traffic was not routed to them. What is the most likely reason?

A. The target group associated with the Auto Scaling group is not properly configured to route traffic.
B. The deployment group is not configured to use a load balancer.
C. The Auto Scaling group's lifecycle hook failed to signal readiness.
D. The CodeDeploy agent on the new instances is not installed.
Answer: A

The target group must be correctly set up to forward traffic to the new instances.

Why this answer

In a Blue/Green deployment with CodeDeploy and an Auto Scaling group, traffic routing is handled by a load balancer target group. If the target group is not properly configured to route traffic to the new instances (e.g., missing or incorrect listener rules, deregistration delay, or health check thresholds), the instances may pass health checks but never receive traffic. This is the most likely cause because the deployment succeeded in provisioning and validating the new instances, but the load balancer did not forward requests to them.

Exam trap

The trap here is that candidates often assume health check success guarantees traffic routing, but in AWS, health checks only verify instance readiness; traffic routing depends on separate load balancer listener rules and target group associations.

How to eliminate wrong answers

Option B is wrong because if the deployment group were not configured to use a load balancer, CodeDeploy would not attempt to route traffic via a load balancer at all; the issue described is that traffic was not routed, implying a load balancer is present but misconfigured. Option C is wrong because a lifecycle hook failure would prevent the instance from completing its launch or termination process, typically causing the instance to remain in a 'Pending:Wait' state and fail health checks, not pass them. Option D is wrong because if the CodeDeploy agent were not installed, the deployment would fail during the Install phase on the new instances, and they would not pass health checks or reach the 'Succeeded' state.

381
MCQ · hard

A company has a CI/CD pipeline using AWS CodePipeline and AWS CodeBuild. The build stage runs unit tests and produces a JUnit report. The pipeline includes a test action that publishes results to an S3 bucket. Recently, the pipeline started failing with the error: 'The action could not be started because the artifact bucket policy is misconfigured.' What is the most likely cause?

A. The S3 bucket has Amazon S3 Transfer Acceleration enabled, which is not supported by CodePipeline.
B. The KMS key used to encrypt the bucket objects has been rotated, causing the pipeline to lose access.
C. The artifact bucket is in a different AWS Region than the pipeline, and cross-region replication is not enabled.
D. The artifact bucket's bucket policy does not grant the necessary permissions to the CodePipeline service role.
Answer: D

CodePipeline needs read/write permissions on the artifact bucket; a misconfigured bucket policy can cause this error.

Why this answer

Option A is correct because CodePipeline requires a bucket policy that allows cross-account access if the pipeline uses an artifact bucket in a different account. Option B is wrong because S3 transfer acceleration is not related. Option C is wrong because the bucket is already in use.

Option D is wrong because KMS keys are not mentioned in the error.

382
Multi-Select · medium

Which TWO options are valid ways to trigger an AWS CodePipeline execution automatically?

Select 2 answers
A. Create an Amazon CloudWatch Events rule that starts the pipeline on a schedule.
B. Configure an Amazon S3 event notification to invoke the pipeline.
C. Use a git push to the repository via SSH.
D. Set up a manual approval step in the pipeline.
E. Enable AWS CodeBuild to start the pipeline after a build.
Answers: A, B

CloudWatch Events can trigger pipelines on a schedule.

Why this answer

Amazon CloudWatch Events (now Amazon EventBridge) can be configured with a cron or rate expression to trigger an AWS CodePipeline execution on a schedule. This is a native integration that directly starts the pipeline without requiring additional compute resources or custom code.

Exam trap

The trap here is that candidates may confuse a git push (which requires a configured webhook) with a direct trigger, or assume that a manual approval step or CodeBuild can initiate the pipeline, when in fact they are actions within the pipeline or require an external event source.

383
MCQ · easy

A DevOps engineer is creating an AWS CloudFormation template to deploy a stack that includes an Amazon EC2 instance. The instance needs to be launched in a specific subnet. How should the engineer reference the subnet ID in the template?

A. Hardcode the subnet ID in the template.
B. Use a mapping (Mappings) to define the subnet ID based on the stack name.
C. Define a parameter (Parameters) of type AWS::EC2::Subnet::Id and reference it.
D. Use the Fn::GetAtt function to retrieve the subnet ID from a VPC resource.
Answer: C

Parameters allow the user to specify the subnet ID at stack creation.

Why this answer

Option C is correct because using a parameter allows the subnet ID to be passed in at stack creation time, making the template reusable. Option A is wrong because hardcoding reduces reusability. Option B is wrong because mappings are for static values, not dynamic IDs.

Option D is wrong because the Fn::GetAtt function is used to get attributes of resources created in the same stack, not for parameters.

384
MCQ · medium

A company uses AWS CloudFormation to manage infrastructure. They have a stack that creates an Amazon RDS DB instance with automated backups enabled. The DevOps team needs to modify the DB instance to use a larger instance type. They update the CloudFormation template and execute a stack update. The update fails with the error: 'Cannot modify DB instance class because the instance is in a state that does not allow modification.' The DB instance is in the 'available' state. The team needs to successfully update the instance type without data loss. What should the team do?

A. Stop the RDS instance, then update the stack, then start it.
B. Add the 'AllowMajorVersionUpgrade' property to the DB instance in the template and update the stack.
C. Modify the CloudFormation template to change the 'DBInstanceClass' property and set 'UpdateReplacePolicy' to 'Snapshot', then update the stack. This will create a new DB instance and delete the old one after taking a snapshot.
D. Delete the CloudFormation stack, create a new stack with the new instance type, and restore from the automated backup.
Answer: C

Correct: Forces replacement with snapshot preservation.

Why this answer

Option C is correct because modifying the DB instance class for RDS often requires a replacement (not just modification) when using CloudFormation, and a snapshot ensures data is preserved. Option A is wrong because stopping the instance is not allowed for RDS. Option B is wrong because deleting the stack would cause data loss.

Option D is wrong because the error is not about lack of permissions.

385
MCQ · easy

The exhibit shows a CloudFormation stack event. The stack creation failed with 'Resource creation cancelled'. What is the most likely reason for this cancellation?

A. The stack template contains a syntax error.
B. The IAM role used for stack operations lacks permissions.
C. A stack creation timeout was reached.
D. The stack was manually cancelled by a user or an automation script.
Answer: D

'Resource creation cancelled' typically occurs when the stack creation is cancelled manually via the console or CLI.

Why this answer

Option B is correct: 'Resource creation cancelled' indicates a user-initiated cancellation or stack policy override. Option A would show a different error. Option C is not typical.

Option D is not related.

386
MCQ · hard

A DevOps engineer is designing a deployment pipeline for a microservices application on Amazon ECS. The team wants to use blue/green deployments with automatic rollback if CloudWatch alarms are triggered during the deployment. Which combination of services and configurations should the engineer use?

A. Use AWS CodeDeploy with a blue/green deployment configuration on the ECS service, and configure automatic rollback when CloudWatch alarms are breached.
B. Use AWS CloudFormation with a ChangeSet and a custom rollback Lambda function triggered by CloudWatch alarms.
C. Use AWS CodeBuild to run a build that creates a new task definition, then update the ECS service manually, and use CloudWatch alarms to trigger a rollback via a Lambda function.
D. Use Amazon ECS service auto scaling with step scaling policies based on CloudWatch alarms.
Answer: A

CodeDeploy supports blue/green deployments on ECS with automatic rollback based on alarms.

Why this answer

Option D is correct because CodeDeploy supports blue/green deployments on ECS with automatic rollback based on CloudWatch alarms. Option A is wrong because ECS service auto scaling is for scaling, not deployment. Option B is wrong because CloudFormation does not natively support blue/green with automatic rollback based on alarms.

Option C is wrong because CodeBuild is for building, not deploying.

387
MCQ · medium

A team uses AWS CodePipeline with a multi-branch strategy. They want to run different build projects based on the branch name: 'main' triggers a production build, 'develop' triggers a staging build, and feature branches trigger a test build. Which CodePipeline feature should they use?

A. Use AWS Lambda to dynamically change the pipeline definition.
B. Create separate pipelines for each branch and use tags.
C. Configure the source action with a branch filter using a regular expression.
D. Use a manual approval action to select the branch.
Answer: C

CodePipeline source actions for CodeCommit support branch filters (e.g., using GitBranchPattern) to trigger pipelines based on branch names.

Why this answer

Option A is correct: use a filter with branch conditions. Option B is not a pipeline feature. Option C is manual.

Option D is not a feature.

388
MCQ · medium

Refer to the exhibit. A DevOps engineer runs the AWS CLI command to list deployments for an application. The output shows only 2 deployments, but the team knows there are more. How can the engineer retrieve the remaining deployments?

A. Use the --starting-token parameter with the value 'abc123' from the output.
B. Increase the --max-items value to a larger number.
C. Run the command without --max-items to get all deployments.
D. Use the --no-paginate option.
Answer: A

The nextToken should be used as the starting-token to get the next page.

Why this answer

The output includes a nextToken, indicating there are more results. The engineer should use the --starting-token parameter with the nextToken value to get the next page.

389
MCQ · easy

A company uses AWS CodeBuild to compile a Java application. The build specification includes a pre-build phase to download dependencies. Which file defines the commands for each build phase?

A. pipeline.json
B. buildspec.yml
C. config.xml
D. appspec.yml
Answer: B

buildspec.yml defines build phases for CodeBuild.

Why this answer

In AWS CodeBuild, the build specification file named 'buildspec.yml' defines the commands that CodeBuild runs during each phase of the build process, including the pre-build phase for downloading dependencies. This YAML file is placed in the root of the source code or specified in the build project configuration, and it contains structured sections for install, pre_build, build, and post_build phases. Option B is correct because buildspec.yml is the standard file that CodeBuild uses to orchestrate build commands.

Exam trap

The trap here is that candidates often confuse the build specification file for CodeBuild (buildspec.yml) with the deployment specification file for CodeDeploy (appspec.yml), especially since both services are part of the AWS CI/CD pipeline and have similar naming patterns.

How to eliminate wrong answers

Option A is wrong because pipeline.json is not a file used by AWS CodeBuild; it is associated with AWS CodePipeline for defining pipeline stages and actions, not for specifying build phase commands. Option C is wrong because config.xml is a configuration file commonly used by Jenkins (a different CI/CD tool) for job configuration, not by AWS CodeBuild. Option D is wrong because appspec.yml is used by AWS CodeDeploy to define deployment lifecycle hooks and file mappings, not for CodeBuild build phases.

390
Multi-Select · medium

A company uses AWS CodePipeline with a source stage from Amazon S3 and a deploy stage to AWS Elastic Beanstalk. The pipeline has been working for months, but recently the deploy stage started failing with the error 'The S3 object does not exist.' The source artifact is uploaded to the S3 bucket by an external system. Which TWO actions should be taken to resolve this issue? (Choose TWO.)

Select 2 answers
A. Ensure the external system does not overwrite the object after the pipeline execution starts.
B. Change the source stage to use AWS CodeCommit instead of S3.
C. Enable versioning on the S3 bucket and configure the pipeline to use the specific version ID.
D. Use server-side encryption with AWS KMS (SSE-KMS) on the S3 bucket.
E. Increase the timeout for the deploy stage in the pipeline.
Answers: A, C

Preventing overwrites ensures the object remains available.

Why this answer

Option A is correct because the deploy stage fails with 'The S3 object does not exist' when the external system overwrites the source artifact after the pipeline execution starts. CodePipeline references the object by its key at the time the pipeline is triggered; if the object is replaced (i.e., deleted and re-uploaded with the same key), the pipeline may attempt to download a version that no longer exists, especially if the S3 bucket is not versioned. Ensuring the external system does not overwrite the object during execution prevents this race condition.

Exam trap

The trap here is that candidates often assume the error is due to a permission or encryption issue (like SSE-KMS) rather than recognizing it as a classic race condition caused by object overwriting in a non-versioned bucket.

391
MCQ · medium

A company is using AWS OpsWorks for configuration management. They have a stack with a PHP application layer and a MySQL layer. The DevOps team needs to update the PHP version across all instances. They create a custom Chef recipe that updates the PHP package and add it to the lifecycle events. After running the 'Setup' lifecycle event on the layer, the instances are updated but the application stops working because the new PHP version is incompatible with some custom PHP extensions. The team needs to roll back the PHP version to the previous one quickly and minimize downtime. The instances are in an Auto Scaling group with a desired count of 4. What should the team do?

A. Re-run the old 'Setup' recipe that installs the previous PHP version on the layer.
B. Create a new AMI with the old PHP version, launch new instances, and terminate the old ones.
C. Use the OpsWorks 'Rollback' feature to revert the stack to a previous state.
D. Manually SSH into each instance and downgrade the PHP package, then restart the web server.
Answer: A

Correct: Re-running the old recipe will reinstall the old PHP version.

Why this answer

Option D is correct because OpsWorks supports rollback by running a previous setup recipe. Option A is wrong because it would cause downtime during re-provisioning. Option B is wrong because it takes time and may not restore the exact state.

Option C is wrong because replacing instances is slow and may cause data loss.

392
MCQ · hard

A DevOps team is implementing a blue/green deployment strategy for a microservice running on Amazon ECS with AWS CodeDeploy. They want to shift 10% of traffic to the new task set for 5 minutes, then shift the remaining 90%. Which deployment configuration should they use?

A. CodeDeployDefault.ECSAllAtOnce
B. CodeDeployDefault.ECSLinear10PercentEvery1Minutes
C. CodeDeployDefault.ECSCanary10Percent5Minutes
D. Custom configuration with 10% initial traffic and 100% after 5-minute interval
Answer: D

Custom configuration allows exact specification.

Why this answer

Option D is correct because the requirement specifies a 10% traffic shift for 5 minutes, followed by the remaining 90%. AWS CodeDeploy does not provide a built-in configuration that matches this exact pattern; the built-in canary option (C) shifts 10% for 5 minutes but then automatically completes the deployment after that interval, not waiting for a manual or additional step. Therefore, a custom configuration must be created with a 10% initial traffic percentage and a 100% final traffic percentage after a 5-minute interval to achieve the desired two-step linear shift.

Exam trap

The trap here is that candidates often confuse the built-in canary configuration (Option C) with a custom configuration, assuming the canary's 5-minute interval includes a hold at 10% before the final shift, when in reality it automatically completes the deployment after the canary step without an additional wait.

How to eliminate wrong answers

Option A is wrong because CodeDeployDefault.ECSAllAtOnce shifts 100% of traffic to the new task set immediately, which does not match the 10% then 90% gradual shift requirement. Option B is wrong because CodeDeployDefault.ECSLinear10PercentEvery1Minutes shifts 10% of traffic every 1 minute until 100%, resulting in a linear progression over 10 minutes, not a 5-minute wait at 10% followed by a single 90% shift. Option C is wrong because CodeDeployDefault.ECSCanary10Percent5Minutes shifts 10% for 5 minutes and then automatically shifts the remaining 90% immediately after the 5-minute interval, which does not allow the 5-minute hold at 10% before the final shift as specified; it completes the deployment in one canary step.

393
Multi-Select · hard

A DevOps engineer is building a CI/CD pipeline for a PHP application that uses Amazon RDS for MySQL. The pipeline must run database migrations as part of the deployment. The team wants to ensure that if a migration fails, the deployment is rolled back and the database is restored to its previous state. Which THREE steps should the engineer implement?

Select 3 answers
A. Take a snapshot of the RDS database before the migration.
B. Use CloudFormation with a custom resource to run the migration.
C. Use CodeDeploy's AppSpec file to run a migration script in the AfterInstall lifecycle hook.
D. Use AWS Database Migration Service (DMS) to replicate the database continuously.
E. Configure the CodeDeploy deployment group to automatically roll back on failure.
Answers: A, C, E

Allows restoration if migration fails.

Why this answer

Option A is correct because a snapshot provides a restore point. Option B is correct because CodeDeploy can run scripts, including migration scripts. Option D is correct because rollback can be configured in CodeDeploy.

Option C is not typically used for database migrations. Option E is not a standard practice for rollback.

394
MCQ · medium

A company uses AWS CloudFormation to manage infrastructure as code. They have a stack that creates an Amazon RDS database instance. The database password is stored as a parameter in AWS Systems Manager Parameter Store. The CloudFormation template references the parameter using the 'resolve:ssm' dynamic reference. Recently, a security audit found that the password was exposed in plaintext in the CloudFormation stack outputs. The team wants to prevent sensitive information from being displayed in stack outputs or logs. Which approach should be taken?

A. Set the 'NoEcho' property to 'true' for the parameter in the template
B. Store the password in AWS Secrets Manager and reference it in the template
C. Remove the output from the CloudFormation stack
D. Encrypt the output value using AWS KMS
Answer: A

NoEcho masks the parameter value in outputs and logs

Why this answer

To prevent sensitive data from being shown in outputs or logs, use the 'NoEcho' property set to 'true' in the CloudFormation template parameter. This will mask the value in outputs. Option B is correct.

Option A (encrypt the output) is not possible because outputs are not encrypted. Option C (remove the output) would prevent exposure but may break automation that depends on the output. Option D (use AWS Secrets Manager) is good but does not directly solve the output exposure issue.

395
MCQ · hard

A DevOps engineer is reviewing the CodePipeline structure above. The pipeline fails during the Deploy stage with an error: 'The deployment group could not be found.' What is the most likely cause?

A. The pipeline is configured as a single-region pipeline, but the Deploy action is in a different region.
B. The source artifact is not accessible from us-west-2.
C. The CodeDeploy application does not exist in us-west-2.
D. The CodeBuild project is not configured to output artifacts.
Answer: A

Cross-region actions require explicit configuration; the pipeline is in us-east-1 and cannot deploy to us-west-2 without cross-region setup.

Why this answer

The pipeline stages are in different regions: Build in us-east-1, Deploy in us-west-2. CodePipeline does not support cross-region actions unless cross-region action is configured with proper artifact storage. The default pipeline runs in a single region.

Option B is correct.

396
MCQ · medium

A company uses AWS Elastic Beanstalk for deploying a web application. The development team wants to implement a blue/green deployment strategy to minimize downtime. Which approach should they use?

A. Update the Auto Scaling group launch configuration and gradually replace instances.
B. Create a new CodeDeploy deployment group and use the blue/green deployment configuration.
C. Create a new Elastic Beanstalk environment and swap the environment CNAMEs.
D. Create a new target group and register instances from the old environment.
Answer: C

Elastic Beanstalk provides environment swapping for blue/green.

Why this answer

Option D is correct because Elastic Beanstalk supports blue/green deployments by swapping CNAME records between two environments. Option A is wrong because Elastic Beanstalk does not natively use CodeDeploy for blue/green; it has its own swap method. Option B is wrong because updating the Auto Scaling group is not a blue/green approach.

Option C is wrong because updating the load balancer target group is more of a rolling update.

397
MCQ · medium

A DevOps team uses AWS CodePipeline with a multi-branch strategy. The pipeline should deploy to production only from the 'main' branch, but run unit tests for all branches. How should the team configure the pipeline?

A. Configure the pipeline source stage to trigger on all branches, use branch-specific logic in the test stage, and add a manual approval step for production deployment only when the branch is 'main'.
B. Use an AWS Lambda function to check the branch name and invoke different CodePipeline executions for testing and deployment.
C. Create one pipeline with two source stages: one for 'main' and one for all other branches, each with its own test and deploy actions.
D. Create a separate pipeline for each branch, each with identical test and deploy stages.
Answer: A

Branch filtering in source stage and conditional deployment is the recommended approach.

Why this answer

Option C is correct because CodePipeline can use branch filtering in the source stage to trigger on specific branches, and the test stage can be configured to run for all branches. Option A is wrong because a single pipeline cannot have dynamic branch-based stages without multiple pipelines. Option B is wrong because separate pipelines per branch would duplicate effort.

Option D is wrong because Lambda triggers are not the standard way to implement branch-based logic; branch filtering is native.
