CCNA Config Mgmt Iac Questions

75 of 281 questions · Page 1/4 · Config Mgmt Iac topic · Answers revealed

1
MCQmedium

A financial services company uses AWS CloudFormation to deploy a three-tier web application. The stack includes an Amazon RDS for PostgreSQL database. The database master password is stored in AWS Secrets Manager, and the CloudFormation template uses a dynamic reference to retrieve it during stack creation. The team recently rotated the database password in Secrets Manager. When they attempt to update the stack to change other parameters, the update fails with the error: 'Value of property MasterUserPassword must be a string.' The team is using the following template snippet for the password: 'MasterUserPassword': '{{resolve:secretsmanager:MySecret:SecretString:password}}'. The stack was originally created with AWS CloudFormation. What is the most likely cause of the failure?

A.The secret was rotated before the stack was created, causing a mismatch.
B.The template syntax is incorrect; it should use '{{resolve:secretsmanager:MySecret:SecretString:password}}' with different quotes.
C.Dynamic references in CloudFormation are only resolved at stack creation, not during updates. The team must use a different method to reference the rotated password.
D.The secret is in a different region than the stack.
AnswerC

CloudFormation does not re-resolve dynamic secrets on stack updates.

Why this answer

Option A is correct because dynamic references are only resolved during stack creation and not during updates. To update the password, the team must use a different approach. Option B is incorrect because Secrets Manager rotation does not invalidate the secret immediately.

Option C is incorrect because the template syntax is correct. Option D is incorrect because Secrets Manager is not region-bound in this context.

2
MCQmedium

A DevOps engineer is designing a CI/CD pipeline for an application that runs on Amazon ECS. The pipeline should automatically build a Docker image from source code, push it to Amazon ECR, and deploy it to the ECS service. The engineer wants to use AWS CodePipeline with Amazon ECR as a source. Which action provider should be used for the deploy stage?

A.AWS CloudFormation
B.AWS CodeDeploy
C.Amazon ECS
D.AWS Elastic Beanstalk
AnswerC

ECS action provider directly deploys to an ECS service.

Why this answer

Amazon ECS is the correct action provider for the deploy stage when using AWS CodePipeline because it directly integrates with ECS to update an existing ECS service with a new task definition. When Amazon ECR is configured as a source, CodePipeline detects image pushes, and the ECS deploy action automatically triggers a rolling update of the ECS service using the new image, without requiring additional deployment tools.

Exam trap

The trap here is that candidates often confuse the Amazon ECS deploy action with AWS CodeDeploy, but CodeDeploy is only required for ECS blue/green deployments, while the Amazon ECS action directly handles rolling updates and is the simplest choice for standard ECS service deployments.

How to eliminate wrong answers

Option A is wrong because AWS CloudFormation is an infrastructure-as-code service used to provision and manage AWS resources, not a direct deploy action for updating an ECS service with a new Docker image; using it would require custom scripts and adds unnecessary complexity. Option B is wrong because AWS CodeDeploy can deploy to ECS only when using the ECS blue/green deployment type, which requires an additional CodeDeploy application and deployment group setup, but the question asks for the simplest direct deploy action provider for ECS, which is Amazon ECS itself. Option D is wrong because AWS Elastic Beanstalk is a PaaS service for deploying web applications, not designed for ECS service deployments; it abstracts underlying infrastructure and does not provide a native action to update an ECS service with a new image from ECR.

3
MCQhard

A DevOps engineer is troubleshooting a CloudFormation stack creation failure. The stack includes an AWS::EC2::Instance with a UserData script. The stack creation fails with the error: 'The following resource(s) failed to create: [EC2Instance]. The requested configuration is currently not supported. Please check the documentation for supported configurations.' The engineer suspects the instance type is not supported in the selected Availability Zone. Which action should the engineer take to resolve this issue and ensure successful stack creation?

A.Add an Availability Zone parameter and map it to an AZ that supports the instance type, or use the AWS::EC2::Instance AvailabilityZone property to specify an AZ that supports the instance type.
B.Use AWS OpsWorks to deploy the instance instead of CloudFormation.
C.Change the instance type to a previous generation that is supported in all AZs.
D.Modify the template to specify a different region that supports the instance type.
AnswerA

Explicitly specifying a supported AZ resolves the incompatibility.

Why this answer

Option C is correct because specifying AllowedPattern in the template for the instance type parameter is not relevant; the solution is to use the AWS::EC2::Instance property AvailabilityZone to explicitly set an AZ that supports the instance type, or use a parameter to select an AZ. Option A is wrong because OpsWorks is not needed. Option B is wrong because it only changes the region, not the availability zone within the region.

Option D is wrong because changing the instance type to a previous generation might not be desired and does not address the AZ constraint.

4
MCQeasy

A company uses AWS Systems Manager to manage configuration compliance. They want to ensure that all EC2 instances have a specific security patch installed. Which Systems Manager capability should they use?

A.Automation
B.Parameter Store
C.State Manager
D.Patch Manager
AnswerD

Patch Manager automates the patching process.

Why this answer

Option B is correct because Patch Manager is designed to patch instances. Option A is wrong because State Manager is for state management, not patching. Option C is wrong because Automation is for workflows.

Option D is wrong because Parameter Store is for configuration data.

5
MCQeasy

A DevOps engineer needs to manage configuration files for multiple applications across several EC2 instances. The configuration values are sensitive (e.g., database passwords) and must be encrypted at rest and in transit. Which AWS service should be used to store and retrieve these configuration values?

A.AWS Systems Manager Parameter Store (SecureString)
B.AWS CloudFormation template parameters
C.Amazon DynamoDB with encryption
D.Amazon S3 with server-side encryption
AnswerA

Parameter Store provides secure, hierarchical storage for configuration data with encryption.

Why this answer

AWS Systems Manager Parameter Store supports secure string parameters that are encrypted with KMS. It also integrates with EC2 instances via the SSM Agent for secure retrieval. Option B is correct.

Options A, C, and D either lack encryption or are not designed for configuration management.

6
MCQhard

A company uses AWS Elastic Beanstalk to deploy a web application. The application requires environment-specific configuration values (database URL, API keys) that must be stored securely and rotated automatically. The team uses AWS Secrets Manager. Which configuration management strategy should the team implement to securely inject secrets into the Elastic Beanstalk environment?

A.Store the secrets in the Elastic Beanstalk environment configuration as plain text under 'aws:elasticbeanstalk:application:environment'.
B.Configure Secrets Manager to automatically push secrets to Elastic Beanstalk environment properties.
C.Use an Elastic Beanstalk platform hook script that retrieves secrets from Secrets Manager and sets them as environment variables.
D.Use AWS CloudFormation dynamic references to inject secrets into the Elastic Beanstalk environment.
AnswerC

Platform hooks can run scripts during deployment to fetch secrets and set environment variables.

Why this answer

Option C is correct because Elastic Beanstalk platform hooks allow custom scripts to run during deployment, enabling retrieval of secrets from AWS Secrets Manager and setting them as environment variables before the application starts. This approach keeps secrets out of the environment configuration and supports automatic rotation by having the script fetch the latest secret value on each deployment.

Exam trap

The trap here is that candidates often assume CloudFormation dynamic references (Option D) are the best fit for automatic rotation, but they only inject secrets at deployment time and do not handle in-place rotation without a stack update, whereas platform hooks can be used to fetch the latest secret on every instance start or deployment.

How to eliminate wrong answers

Option A is wrong because storing secrets as plain text in the Elastic Beanstalk environment configuration under 'aws:elasticbeanstalk:application:environment' exposes them in the environment properties, which can be viewed by anyone with access to the environment configuration and does not support automatic rotation. Option B is wrong because Secrets Manager does not have a native capability to automatically push secrets to Elastic Beanstalk environment properties; it requires an external mechanism (e.g., Lambda, custom script) to retrieve and set them. Option D is wrong because AWS CloudFormation dynamic references can inject secrets at stack creation or update time, but they do not handle automatic rotation of secrets within a running Elastic Beanstalk environment without additional custom logic.

7
MCQhard

An organization uses AWS OpsWorks for configuration management. They have a stack with multiple layers, including a PHP application layer and a MySQL database layer. The operations team needs to deploy a custom configuration file to all PHP application instances. How should this be accomplished using OpsWorks?

A.Use the OpsWorks agent to directly copy the file to each instance via SSH.
B.Add the configuration file as a stack-level custom cookbook and assign it to all layers.
C.Create a custom cookbook with a recipe that deploys the configuration file, and assign it to the Deploy lifecycle event of the PHP layer.
D.Use a custom JSON attribute in the stack settings to define the file content, and then use a built-in recipe to apply it.
AnswerC

This targets only the PHP instances at deploy time.

Why this answer

Option C is correct because OpsWorks uses Chef cookbooks to manage configuration. By creating a custom cookbook with a recipe that deploys the configuration file and assigning it to the Deploy lifecycle event of the PHP layer, the recipe runs on all PHP application instances during deployment, ensuring the file is placed correctly. This approach leverages OpsWorks' built-in lifecycle events and Chef's idempotent execution model.

Exam trap

The trap here is that candidates confuse stack-level custom cookbooks (which apply to all layers) with layer-specific lifecycle event assignments, leading them to choose Option B, which would incorrectly deploy the configuration file to the MySQL layer as well.

How to eliminate wrong answers

Option A is wrong because the OpsWorks agent does not support direct SSH file copying; OpsWorks uses Chef recipes to manage instances, and manual SSH operations bypass automation and are not scalable. Option B is wrong because stack-level custom cookbooks are assigned to layers, not to all layers automatically; assigning a cookbook to all layers would run its recipes on every instance, including the MySQL layer, which is not desired. Option D is wrong because custom JSON attributes can pass data to recipes but cannot directly deploy files; a custom recipe is required to interpret the JSON and write the file.

8
Multi-Selecthard

A company uses AWS CodeBuild to build and test their application. They want to integrate Infrastructure as Code (IaC) scanning into their build pipeline to detect security misconfigurations in CloudFormation templates before deployment. Which TWO tools or services can be used for this purpose? (Choose TWO.)

Select 2 answers
A.AWS CloudFormation Guard
B.AWS Security Hub
C.AWS Config
D.HashiCorp Terraform
E.cfn-nag
AnswersA, E

CloudFormation Guard checks templates against policy rules.

Why this answer

AWS CloudFormation Guard (cfn-guard) is a policy-as-code tool that allows you to define rules to enforce compliance and security best practices on CloudFormation templates. It can be integrated into a CodeBuild pipeline to scan templates for misconfigurations before deployment, making it a correct choice for IaC security scanning.

Exam trap

The trap here is that candidates may confuse AWS Config (which evaluates deployed resources) with a pre-deployment scanning tool, or assume Security Hub can scan templates directly, when in fact both operate on live infrastructure, not on template files.

9
MCQeasy

A company uses AWS OpsWorks for configuration management. They want to automate the installation of a custom agent on new EC2 instances. Which OpsWorks feature should they use?

A.Use a custom Chef recipe in the layer's configuration to run the installation.
B.Define the agent installation in the layer's built-in configuration.
C.Use custom JSON to pass the installation commands.
D.Create a cookbook repository and upload the agent installation script.
AnswerA

Custom recipes run on instance setup.

Why this answer

Option B is correct because OpsWorks uses Chef recipes or Ansible playbooks to define configuration. Custom recipes can be used to install agents. Option A is wrong because Cookbook repositories store cookbooks but don't automatically run them on new instances.

Option C is wrong because custom JSON is for input data, not execution. Option D is wrong because Layers define the configuration but recipes are the actual executable code.

10
MCQmedium

A company uses AWS CodeDeploy to deploy applications to an Auto Scaling group. During a deployment, the deployment fails because the target instances are not passing the health checks. The DevOps engineer notices that the CodeDeploy agent logs show 'The overall deployment failed because too many individual instances failed deployment, too few healthy instances are available for deployment, or some instances in your deployment group are experiencing problems.' Which step should the engineer take to diagnose the issue?

A.Increase the size of the Auto Scaling group to ensure more instances are available.
B.Review the CodeDeploy deployment logs on a failed instance to identify script errors.
C.Create a CloudWatch alarm to monitor the deployment health.
D.Check AWS CloudTrail logs for the CodeDeploy API calls to see if permissions are missing.
AnswerB

The agent logs contain detailed output of the lifecycle event hooks.

Why this answer

Option B is correct because reviewing the deployment logs on a failed instance provides details on why the application installation failed. Option A is wrong because CloudTrail logs API calls, not deployment scripts. Option C is wrong because scaling policies do not cause deployment failures.

Option D is wrong because CloudWatch alarms may not capture script-level errors.

11
MCQeasy

A team creates the CloudFormation template shown in the exhibit. What is a potential security concern with this configuration?

A.The bucket name is not unique.
B.The bucket does not have server-side encryption enabled.
C.The bucket is not versioned.
D.The bucket policy allows public read access to all objects.
AnswerD

Principal: '*' allows anyone to read objects.

Why this answer

Option C is correct because the bucket policy allows anonymous access (Principal: "*") to get objects, which can lead to unauthorized access if the bucket contains sensitive data. Option A is wrong because versioning is enabled. Option B is wrong because the bucket name is unique.

Option D is wrong because there is no encryption specified, but the primary concern is the public access.

12
MCQeasy

A DevOps team is using AWS CloudFormation to manage infrastructure. They want to reuse the same template across multiple environments (dev, test, prod) with minor parameter variations. Which CloudFormation feature should they use to pass environment-specific values without modifying the template?

A.Conditions
B.Outputs
C.Mappings
D.Parameters
AnswerD

Parameters enable passing environment-specific values into the template.

Why this answer

Parameters allow passing custom values to the template at stack creation or update time. Mappings are for static lookup tables, Conditions control resource creation, and Outputs return stack values. Option B is correct.

13
MCQmedium

A team is using AWS CodeDeploy to deploy an application to EC2 instances. They want to ensure that if a deployment fails, the instances are automatically rolled back to the previous version. What should they configure?

A.Add a BeforeBlockTraffic hook to the AppSpec file to run a rollback script.
B.Set the deployment configuration to 'CodeDeployDefault.OneAtATime' for a gradual deployment.
C.Configure the deployment group to use the same Auto Scaling group for rollback.
D.Enable automatic rollback in the deployment group settings.
AnswerD

Automatic rollback redeploys the previous revision on failure.

Why this answer

Option D is correct because CodeDeploy supports automatic rollback configuration. When enabled, if a deployment fails, CodeDeploy automatically redeploys the last successful revision. Option A is wrong because a hook is a lifecycle event, not a rollback mechanism.

Option B is wrong because a deployment group contains instances but does not have a rollback setting. Option C is wrong because a deployment configuration specifies traffic routing and failure thresholds, not automatic rollback.

14
MCQhard

A company uses AWS OpsWorks for configuration management. The DevOps team wants to run a custom recipe on all instances in a layer during stack updates. Which OpsWorks lifecycle event should they hook the recipe into?

A.Deploy
B.Shutdown
C.Configure
D.Setup
AnswerD

Setup runs after boot, suitable for initial configuration.

Why this answer

Option C is correct because the Setup event runs after an instance finishes booting, which is appropriate for applying configurations during stack updates. Option A is wrong because Configure runs when instances come online or go offline. Option B is wrong because Deploy runs when you run a deploy command.

Option D is wrong because Shutdown runs when the instance is terminated.

15
MCQmedium

A team uses AWS CloudFormation to manage a VPC with multiple subnets. They want to ensure that when a stack is updated, the update does not accidentally replace the VPC or any subnet. Which CloudFormation property should they set on the resources?

A.CreationPolicy
B.DependsOn
C.UpdateReplacePolicy
D.DeletionPolicy
AnswerC

UpdateReplacePolicy specifies what to do if a resource is replaced during an update; setting 'Retain' prevents deletion of the original resource.

Why this answer

The 'DeletionPolicy' attribute with 'Retain' keeps the resource if the stack is deleted, but does not prevent replacement during update. To prevent replacement, use 'UpdateReplacePolicy' with 'Retain', or design the template to avoid replacement. However, the most direct way is to use 'UpdateReplacePolicy'.

Option C is correct because it specifically handles update replacement.

16
MCQhard

A company uses AWS CodeDeploy to deploy a web application to an Auto Scaling group. The deployment fails because the new instances cannot connect to the database. The previous deployment succeeded. The DevOps engineer checks the CodeDeploy deployment configuration and finds that the deployment uses the 'CodeDeployDefault.AllAtOnce' configuration. What is the MOST likely cause of the failure?

A.The load balancer health check is misconfigured, causing new instances to be deregistered.
B.The deployment group is not configured to handle traffic routing, causing a routing loop.
C.The security group for the Auto Scaling group was updated during deployment, blocking database access.
D.The deployment replaced all instances at once, causing a temporary loss of connectivity if the new application version has incompatible changes.
AnswerD

AllAtOnce can cause full outage if changes are not backward compatible.

Why this answer

The 'CodeDeployDefault.AllAtOnce' deployment configuration causes CodeDeploy to attempt to deploy the new application revision to all instances in the Auto Scaling group simultaneously. If the new application version contains incompatible changes—such as a database schema mismatch, altered connection strings, or missing environment variables—all instances will fail at the same time, resulting in a complete loss of connectivity to the database. This contrasts with a rolling or canary deployment, which would limit the blast radius by updating only a subset of instances at a time.

Exam trap

The trap here is that candidates may assume the failure is due to a misconfiguration (like security groups or health checks) rather than recognizing that the deployment strategy itself—replacing all instances at once—amplifies the impact of any application-level incompatibility.

How to eliminate wrong answers

Option A is wrong because a misconfigured load balancer health check would cause instances to be deregistered from the target group, but the failure described is that new instances cannot connect to the database—a connectivity issue, not a registration issue. Option B is wrong because CodeDeploy deployment groups do not handle traffic routing in a way that creates routing loops; traffic routing is managed by the load balancer, and a routing loop would affect all traffic, not just database connections. Option C is wrong because security groups are not updated automatically during a CodeDeploy deployment; the engineer would have to manually modify them, and the question states the previous deployment succeeded, implying no security group changes occurred.

17
MCQeasy

A company uses AWS CodeBuild to build and test code. They need to securely store sensitive parameters, such as database passwords, and inject them into the build process. Which AWS service should they use?

A.Storing them in the CodeBuild project environment variables
B.AWS Secrets Manager
C.AWS Key Management Service (KMS)
D.AWS Systems Manager Parameter Store
AnswerD

Parameter Store can securely store configuration data and secrets, and CodeBuild can reference them.

Why this answer

AWS Systems Manager Parameter Store is designed to store configuration data and secrets securely. Option D is correct. Option A is incorrect because Secrets Manager can also store secrets but is more expensive and not necessary for simple build parameters.

Option B is incorrect because KMS is a key management service, not a parameter store. Option C is incorrect because CodeBuild does not store secrets natively.

18
MCQeasy

A company uses AWS Systems Manager to manage a fleet of EC2 instances. The operations team needs to run a script on all instances that are missing a specific security patch. Which Systems Manager capability should be used to accomplish this?

A.Automation
B.State Manager
C.Run Command
D.Patch Manager
AnswerB

State Manager can maintain desired state of instances, including running scripts to remediate missing patches.

Why this answer

State Manager is the correct capability because it is designed to maintain consistent configuration of EC2 instances by defining and enforcing a desired state. In this scenario, the operations team needs to ensure that all instances missing a specific security patch are brought into compliance, which is a classic desired-state management task. State Manager uses associations to define the desired state (e.g., a script to apply the patch) and automatically enforces it on a schedule or on-demand, making it ideal for ensuring all instances eventually reach the patched state.

Exam trap

The trap here is that candidates often confuse State Manager with Run Command, but State Manager is for ongoing state enforcement and compliance, while Run Command is for one-time, ad-hoc execution without any state tracking.

How to eliminate wrong answers

Option A is wrong because Automation is used for performing complex, multi-step workflows (e.g., AMI creation, instance recovery) and is not designed for ongoing state enforcement or running scripts on a fleet based on missing patches. Option C is wrong because Run Command executes scripts or commands on instances on-demand without any state tracking or enforcement; it does not check for missing patches or ensure compliance over time. Option D is wrong because Patch Manager is specifically for scanning and applying OS patches using predefined patch baselines, not for running custom scripts; it cannot execute arbitrary scripts to address a specific missing patch.

19
MCQeasy

A company uses AWS Elastic Beanstalk to deploy web applications. The DevOps team wants to implement a blue/green deployment strategy to minimize downtime. Which Elastic Beanstalk feature should be used?

A.Rolling update
B.Canary deployment
C.Environment URL swap
D.Immutable update
AnswerC

Swapping URLs between two environments implements blue/green.

Why this answer

Option C is correct because Elastic Beanstalk supports blue/green deployments by swapping environment URLs between two environments. Option A (Rolling update) updates instances incrementally, not blue/green. Option B (Immutable update) creates a new Auto Scaling group but does not swap URLs.

Option D (Canary deployment) is not supported natively in Elastic Beanstalk; it is for Lambda.

20
MCQmedium

A company uses AWS Elastic Beanstalk to deploy a web application. They want to ensure that configuration changes (e.g., environment variables, instance type) are version-controlled and can be rolled back. Which strategy should they use?

A.Use AWS CloudFormation to manage the Beanstalk environment outside of Beanstalk.
B.Use Elastic Beanstalk saved configurations to store environment settings.
C.Store configuration in a configuration file (e.g., .ebextensions) included with the application source code.
D.Manually change environment configuration using the Elastic Beanstalk console when needed.
AnswerC

Configuration files are versioned with the source code, enabling rollback.

Why this answer

Option D is correct because using a configuration file (e.g., .ebextensions) stored in the application source bundle allows versioning of configuration along with code. Option A is wrong because saved configurations are not tied to a specific application version. Option B is wrong because manually changing settings via the console is not version-controlled.

Option C is wrong because CloudFormation is not natively integrated with Beanstalk for this purpose.

21
MCQhard

A company uses AWS CloudFormation to deploy a multi-tier application. The template includes an Amazon RDS DB instance. The DevOps team wants to update the DB instance class without downtime. What should they do?

A.Use a CloudFormation stack update with a 'ReplaceOnDelete' deletion policy on the DB instance.
B.Create a new DB instance with the new class, update the application to point to the new endpoint, and delete the old instance.
C.Update the DBInstanceClass property in the CloudFormation template and set 'ApplyImmediately: true'.
D.Modify the DB instance class using an RDS blue/green deployment, then update the CloudFormation stack to match the new class.
AnswerD

RDS blue/green deployments allow changing instance class without downtime.

Why this answer

Option D is correct because modifying the DB instance class with 'ApplyImmediately: false' and enabling Multi-AZ allows a blue/green deployment via RDS. Option A is wrong because it causes downtime. Option B is wrong because it creates a new DB, not an update.

Option C is wrong because 'ReplaceOnDelete' would recreate the resource.

22
MCQmedium

A company uses AWS CloudFormation to manage its infrastructure. The Operations team needs to update a stack that contains an EC2 instance. They want to change the instance type from t2.micro to t2.small without recreating the instance. Which CloudFormation stack update policy should they use?

A.Use a ChangeSet with Replacement set to False
B.Use a CreationPolicy with a Timeout
C.Use a DeletionPolicy with Retain
D.Use an UpdatePolicy with AutoScalingRollingUpdate
AnswerD

This policy allows rolling updates to instances without recreation.

Why this answer

Option D is correct because the 'UpdatePolicy: AutoScalingRollingUpdate' attribute can be used to update instance types without interruption when associated with an Auto Scaling group or EC2 instances with a creation policy. Option A is wrong because Replacement policy dictates whether to replace or update a resource. Option B is wrong because CreationPolicy is used to wait for signals before considering the resource created.

Option C is wrong because DeletionPolicy only defines what happens when a resource is deleted.

23
MCQhard

A company uses AWS CloudFormation to deploy infrastructure across multiple accounts. They want to reuse a set of resource definitions for a standard VPC configuration. Which approach minimizes duplication and maintains centralized control?

A.Create a CloudFormation module for the VPC resources and reference it in each stack.
B.Define the VPC resources in a CloudFormation macro and call the macro from each stack.
C.Publish the VPC template in AWS Service Catalog and have each account provision from it.
D.Use nested stacks by creating a separate template for the VPC and including it in each account's stack.
AnswerA

CloudFormation modules enable reuse and centralized management.

Why this answer

Option A is correct because AWS CloudFormation modules allow packaging reusable resource configurations that can be shared across stacks and accounts, reducing duplication and enabling centralized updates. Option B is wrong because nested stacks require separate templates, not reuse within a template. Option C is wrong because macros are for template processing, not reusable components.

Option D is wrong because Service Catalog is for end-user product provisioning, not infrastructure reuse.

24
Multi-Selectmedium

A company uses AWS CloudFormation to deploy infrastructure. They want to implement a change management process that requires approval before any stack update is executed. Which TWO approaches can achieve this? (Choose TWO.)

Select 2 answers
A.Use AWS CodePipeline with a manual approval stage before the CloudFormation deployment action.
B.Use CloudFormation StackSets with approval tokens.
C.Use CloudFormation Change Sets and require a separate user to execute them.
D.Use AWS Service Catalog to manage CloudFormation templates and require approval for product launches.
E.Implement a custom AWS Lambda function that checks a ticketing system before allowing the update to proceed.
AnswersA, E

CodePipeline supports manual approval gates.

Why this answer

Options A and D are correct. Option A uses a manual approval step in CodePipeline before the CloudFormation deployment action. Option D uses a Lambda function to check for approval before executing the update.

Option B is wrong because CloudFormation does not have a built-in approval mechanism. Option C is wrong because Change Sets are for review, not for requiring external approval. Option E is wrong because it does not enforce approval.

25
MCQhard

A DevOps engineer is troubleshooting a CloudFormation stack that failed to update. The error message indicates a circular dependency among resources. The template includes an Auto Scaling group, a launch template, and an IAM instance profile. The launch template references the IAM instance profile, and the Auto Scaling group references the launch template. The IAM instance profile's role references the Auto Scaling group name in its trust policy. How can the engineer resolve the circular dependency?

A.Use DependsOn clauses to explicitly order the resource creation
B.Pass the Auto Scaling group name as a parameter to the IAM role's trust policy, and create the Auto Scaling group with a condition that depends on the role
C.Place the launch template and Auto Scaling group in a nested stack
D.Hardcode the Auto Scaling group name in the IAM role's trust policy
AnswerB

Using a parameter breaks the circular reference by not requiring the actual Auto Scaling group resource to exist when the role is created.

Why this answer

Option B resolves the circular dependency by decoupling the Auto Scaling group name from the IAM role's trust policy at template creation time. By passing the group name as a parameter and using a condition to create the Auto Scaling group only after the role exists, CloudFormation can determine the correct creation order without a circular reference. This approach allows the trust policy to reference a value that is not yet known at template parsing, breaking the dependency cycle.

Exam trap

The trap here is that candidates often assume DependsOn can override any dependency issue, but CloudFormation still validates the entire dependency graph and will reject any cycle regardless of explicit DependsOn clauses.

How to eliminate wrong answers

Option A is wrong because DependsOn clauses only specify explicit ordering but do not resolve circular dependencies; if two resources depend on each other, DependsOn cannot break the cycle. Option C is wrong because placing resources in a nested stack does not eliminate circular dependencies; the nested stack still has the same logical references, and CloudFormation would still detect the cycle across stack boundaries. Option D is wrong because hardcoding the Auto Scaling group name makes the template non-portable and brittle, and it does not solve the circular dependency if the group name is used elsewhere in a way that creates a reference loop.

26
MCQmedium

A company uses AWS CloudFormation to manage its infrastructure. The security team requires that all S3 buckets have versioning enabled. A DevOps engineer needs to enforce this policy across all accounts in an AWS Organization. Which solution is MOST operationally efficient?

A.Add a CloudFormation custom resource to each template that enables versioning and attaches a Lambda function to re-enable it if disabled.
B.Create an SCP in AWS Organizations that denies s3:PutBucketVersioning with a condition that versioning is not enabled.
C.Create a Service Catalog portfolio with a product that enforces versioning and require all users to launch stacks from it.
D.Use AWS Config with a managed rule 's3-bucket-versioning-enabled' and an automatic remediation action that enables versioning.
AnswerB

D: SCPs prevent actions that disable versioning at the organization level, covering all accounts and existing buckets.

Why this answer

Option D is correct because using SCPs at the organizational level allows you to centrally deny actions that disable versioning, which is more efficient than per-account Lambda functions or IAM policies. Option A is wrong because a custom resource in each stack would require modification of every template. Option B is wrong because AWS Config rules require remediations that are not as immediate as SCPs.

Option C is wrong because Service Catalog only helps with new stacks, not existing ones.

27
MCQmedium

A company is using AWS Systems Manager to manage configuration drift on EC2 instances. They want to automatically apply a baseline configuration to instances that have drifted from the desired state. Which Systems Manager capability should they use?

A.AWS Systems Manager Patch Manager
B.AWS Systems Manager Parameter Store
C.AWS Systems Manager Run Command
D.AWS Systems Manager State Manager
AnswerD

State Manager enforces configuration and remediates drift.

Why this answer

Option A is correct because State Manager uses associations to automatically apply configurations and remediate drift. Option B is wrong because Patch Manager only handles patches. Option C is wrong because Run Command is for manual execution.

Option D is wrong because Parameter Store stores configuration data but does not apply it.

28
MCQmedium

A company uses AWS CloudFormation StackSets to deploy a VPC with subnets across multiple accounts and regions. Recently, a new account was added to the organization, and the DevOps team wants to deploy the stack set to this new account without affecting existing stacks. The stack set has self-managed permissions. The engineer creates a new stack instance for the account and region, but the operation fails with an 'Access Denied' error when CloudFormation tries to create resources in the new account. The engineer has verified that the stack set's IAM roles exist in the new account. What is the most likely cause?

A.The stack set template contains a resource that is not supported in the target region.
B.The trust policy of the IAM role in the target account does not grant permissions to the administrator account.
C.The target account has reached a service limit for VPCs.
D.The IAM roles in the target account are not named correctly.
AnswerB

The target account's role must trust the administrator account to assume it.

Why this answer

Option A is correct because self-managed permissions require a trust relationship between the administrator and target accounts. Option B is wrong because the roles exist. Option C is wrong because the stack set is already deployed to other accounts, so template is valid.

Option D is wrong because service limits would give a different error.

29
Multi-Selecthard

A company is using AWS Elastic Beanstalk with a custom platform. The DevOps team wants to automate the creation of a new platform version whenever changes are pushed to a Git repository. The pipeline should run tests, build the platform, and then update the Elastic Beanstalk environment to use the new platform version. Which services should be used together to achieve this? (Choose THREE.)

Select 3 answers
A.AWS CloudFormation
B.AWS CodeBuild
C.AWS CodePipeline
D.HashiCorp Packer (run in CodeBuild)
E.AWS CodeDeploy
AnswersB, C, D

C: CodeBuild can run tests and build artifacts, including using Packer.

Why this answer

Options A, C, and D are correct. A: CodePipeline orchestrates the pipeline. C: CodeBuild can run tests and build the platform AMI.

D: Packer (through CodeBuild) can create a custom AMI for the platform. Option B is wrong because CodeDeploy is for deploying applications, not for creating platform versions. Option E is wrong because CloudFormation is not directly used to create a custom platform; Packer and CodeBuild handle that.

30
MCQeasy

A company uses AWS CodePipeline with a GitHub source action. The pipeline triggers on changes to the master branch. However, the pipeline does not trigger when changes are pushed to the master branch. What is the MOST likely cause?

A.The pipeline uses a different branch name.
B.The GitHub repository is not in the same AWS region as the pipeline.
C.The webhook in GitHub is not properly configured or has been removed.
D.The pipeline does not have permission to access the GitHub repository.
AnswerC

Webhooks are required for automatic triggering.

Why this answer

Option B is correct because CodePipeline uses webhooks to detect changes in GitHub. If the webhook is not properly configured, changes may not trigger the pipeline. Option A is incorrect because the branch is specified.

Option C is incorrect because the pipeline can access public repositories. Option D is incorrect because the pipeline does not need to be in the same region as GitHub.

31
MCQeasy

A company wants to use AWS Elastic Beanstalk to deploy a web application. They need to ensure that the application can be updated with zero downtime. Which deployment policy should they use?

A.Immutable
B.All at once
C.Rolling
D.Traffic splitting
AnswerC

Rolling updates can achieve zero downtime if health checks are used.

Why this answer

The Rolling deployment policy in AWS Elastic Beanstalk updates instances in batches, replacing a subset of the current environment's instances with new ones while keeping the rest serving traffic. This ensures that the application remains available throughout the update process, achieving zero downtime as long as the health check passes for each batch before proceeding.

Exam trap

The trap here is that candidates often confuse 'Rolling' with 'Immutable' or 'Traffic splitting' because they all aim for zero downtime, but only Rolling updates instances in-place without creating a full parallel environment, while Immutable incurs a brief CNAME swap delay and Traffic splitting is not a native Elastic Beanstalk deployment policy.

How to eliminate wrong answers

Option A is wrong because Immutable deployment launches a completely new Auto Scaling group with new instances, then swaps the environment's CNAME to point to the new group, which can cause a brief period of traffic disruption during the swap and is not strictly zero-downtime if the new instances fail health checks. Option B is wrong because All at once terminates all existing instances and deploys the new version simultaneously, causing downtime until the new instances pass health checks and become available. Option D is wrong because Traffic splitting (also known as canary testing) is not a standard Elastic Beanstalk deployment policy; it is a feature of AWS CodeDeploy and AWS AppConfig, and Elastic Beanstalk does not natively support traffic splitting for zero-downtime updates.

32
MCQeasy

A DevOps engineer runs this command to list resources of a CloudFormation stack. The stack status is 'CREATE_COMPLETE'. However, the EC2 instance 'i-0abcd1234efgh5678' was manually terminated by another team. The engineer wants to restore the stack to its intended state without deleting the stack. What should the engineer do?

A.Import the terminated instance back into the stack.
B.Update the stack with the original template.
C.Create a new stack with the same template and delete the old one.
D.Perform a stack drift detection and then manually fix the drift.
AnswerB

CloudFormation will detect that the instance is missing and recreate it.

Why this answer

Option D is correct because updating the stack with the original template will cause CloudFormation to recreate the terminated instance. Option A is wrong because the stack is not in a failed state. Option B is wrong because creating a new stack would cause duplication.

Option C is wrong because the instance is not managed outside the stack.

33
MCQhard

An IAM policy is attached to a user who needs to create a CloudFormation stack that provisions an EC2 instance and an S3 bucket. The user receives an 'Access Denied' error when running the 'aws cloudformation create-stack' command. Which additional permission is required?

A.ec2:RunInstances and s3:CreateBucket
B.s3:PutObject
C.cloudformation:DescribeStacks
D.iam:PassRole
AnswerA

CloudFormation uses the user's permissions to create the resources defined in the template.

Why this answer

Option B is correct because to create a stack that provisions EC2 and S3 resources, the user must have permissions for those resource types (ec2:RunInstances, s3:CreateBucket) in addition to cloudformation:CreateStack. Option A is incorrect because the user already has cloudformation:CreateStack. Option C is incorrect because the user already has s3:GetObject.

Option D is incorrect because iam:PassRole is needed only if a role is passed, which is not mentioned.

34
MCQeasy

A company uses AWS OpsWorks for configuration management. They need to automate the installation of a custom package on all instances in a layer. Which OpsWorks feature should they use?

A.AWS CodeDeploy AppSpec file
B.AWS CloudFormation custom resources
C.Custom Chef recipes associated with lifecycle events
D.AWS Systems Manager Run Command
AnswerC

Custom recipes run on lifecycle events like Setup to install packages.

Why this answer

Custom recipes in OpsWorks allow running Chef recipes on instance lifecycle events. Option B is correct. Lifecycle events (Setup, Configure, Deploy, Undeploy, Shutdown) trigger the recipes.

Options A, C, and D are not OpsWorks features.

35
MCQhard

A company is using AWS CodePipeline for CI/CD with CloudFormation as the deployment action. The pipeline fails intermittently with the error 'Rate exceeded' when creating or updating stacks. What is the most likely cause and solution?

A.The stack has a stack policy that prevents updates; modify the stack policy.
B.The IAM role used by CloudFormation does not have sufficient permissions; update the role policy.
C.The CloudFormation API rate limit is being hit; request a limit increase from AWS Support.
D.The pipeline is exceeding the CodePipeline execution frequency limit; reduce the number of pipeline executions.
AnswerC

Rate exceeded errors indicate API throttling; increasing the limit resolves it.

Why this answer

Option D is correct because CloudFormation has an account-level rate limit for API calls, and the error indicates the limit is being exceeded. The solution is to request a limit increase. Option A is wrong because CodePipeline does not have a rate limit that would cause this specific error.

Option B is wrong because IAM permissions would cause an 'AccessDenied' error, not 'Rate exceeded'. Option C is wrong because stack policies do not cause rate limit errors.

36
MCQmedium

A company uses AWS OpsWorks for Chef Automate. They have a stack that includes a PHP application layer. The application requires a custom PHP configuration file. The DevOps engineer creates a custom Chef cookbook with a recipe that deploys the configuration file. The recipe is assigned to the layer's Setup lifecycle event. The engineer notices that the configuration file is not being created on new instances when they are added to the layer. The cookbook is stored in a private S3 bucket. The engineer has verified that the cookbook is correctly associated with the stack. What should the engineer do to fix the issue?

A.Assign the recipe to the Configure lifecycle event instead of Setup
B.Verify that the recipe is included in the cookbook's default.rb file
C.Update the cookbook version to the latest
D.Ensure that the instance profile has permissions to read from the S3 bucket where the cookbook is stored
AnswerD

Without S3 read access, the cookbook cannot be downloaded.

Why this answer

Option C is correct because OpsWorks requires that the cookbook be installed on the instance before the lifecycle event runs. The cookbook is in a private S3 bucket, so the instance needs permission to access it. The engineer should ensure that the stack's custom cookbooks source is configured with the correct S3 bucket and that the instance profile has permissions to read from the bucket.

Option A is wrong because the recipe is assigned to the correct lifecycle event. Option B is wrong because the cookbook version is not the issue. Option D is wrong because the recipe is in the cookbook.

37
MCQhard

A company uses Terraform to manage AWS infrastructure. They have a state file stored in an S3 bucket with DynamoDB locking. After a failed 'terraform apply', the state file is locked. The DevOps engineer tries to run 'terraform plan' but gets an error: 'Error acquiring the state lock'. What should the engineer do to resolve this issue?

A.Manually delete the lock item from the DynamoDB table
B.Wait for the lock to expire automatically
C.Run 'terraform force-unlock' with the lock ID
D.Delete the state file from S3 and re-run terraform init
AnswerC

This is the intended way to remove a stuck lock.

Why this answer

Option D is correct because the lock is stored in DynamoDB and can be forcefully removed using 'terraform force-unlock' after verifying no other process is using it. Option A is wrong because deleting the S3 bucket would lose the state. Option B is wrong because modifying the DynamoDB table directly is not recommended.

Option C is wrong because waiting indefinitely is not a solution.

38
Multi-Selecthard

Which THREE actions are best practices for managing secrets in AWS CloudFormation templates? (Choose three.)

Select 3 answers
A.Use AWS CloudFormation parameters with the NoEcho property set to true.
B.Use AWS Systems Manager Parameter Store secure string parameters with dynamic references.
C.Use AWS Secrets Manager dynamic references to retrieve secrets at deployment time.
D.Encrypt the CloudFormation template file with AWS KMS.
E.Store secrets as plaintext in the template parameters.
AnswersA, B, C

Prevents secrets from being displayed in console.

Why this answer

Option A is correct because setting the NoEcho property to true on a CloudFormation parameter prevents the parameter value from being returned in API calls or displayed in the console, which is a basic mechanism for masking secrets. However, this alone does not encrypt the value at rest or in transit, and the value is still passed as plaintext in the template, so it is considered a best practice only when combined with other secure methods like dynamic references.

Exam trap

The trap here is that candidates often think encrypting the template file (Option D) is sufficient for secret protection, but they overlook that secrets remain exposed during stack operations unless dynamic references or NoEcho are used.

39
MCQmedium

A company uses AWS CloudFormation to deploy a multi-tier application. The network team manages the VPC and subnets using a separate CloudFormation stack. The application team needs to reference the VPC ID and subnet IDs from the network stack. Which approach should the application team use to obtain these values?

A.Hardcode the VPC and subnet IDs in the application template.
B.Export the VPC ID and subnet IDs from the network stack using the 'Export' field and import them in the application stack using Fn::ImportValue.
C.Create the network stack as a nested stack inside the application stack.
D.Store the VPC and subnet IDs in AWS Systems Manager Parameter Store and retrieve them using dynamic references.
AnswerB

Cross-stack references allow sharing outputs between independent stacks.

Why this answer

Option B is correct because CloudFormation's Export and Fn::ImportValue mechanism allows cross-stack references without hardcoding or duplicating values. The network stack exports the VPC ID and subnet IDs using the Export field, and the application stack imports them via Fn::ImportValue, ensuring that changes in the network stack propagate automatically to dependent stacks.

Exam trap

The trap here is that candidates may confuse cross-stack references with nested stacks or parameter stores, but the exam specifically tests the Export/ImportValue pattern for decoupled stacks managed by different teams.

How to eliminate wrong answers

Option A is wrong because hardcoding VPC and subnet IDs creates brittle templates that break if the network stack is recreated or updated, violating infrastructure-as-code best practices. Option C is wrong because nesting the network stack inside the application stack would tightly couple the two teams' responsibilities, defeating the purpose of separate management and making it harder to update the network independently. Option D is wrong because while Systems Manager Parameter Store can store values, dynamic references in CloudFormation (e.g., '{{resolve:ssm:...}}') are resolved at stack creation time and do not automatically update when the parameter changes, unlike Fn::ImportValue which tracks the exported value across stacks.

40
MCQmedium

A company uses AWS CodePipeline to deploy a serverless application with AWS Lambda and Amazon API Gateway. The pipeline includes a beta and a production stage. The DevOps team wants to automatically promote the application from beta to production after successful testing. Which action should be taken in the pipeline?

A.Configure a CloudWatch Events rule to automatically trigger the production deployment after beta completion
B.Use AWS CodeDeploy to create a deployment group that promotes the application
C.Add a manual approval step between the beta and production stages
D.Configure an AWS Config rule to automatically approve the promotion
AnswerC

Manual approval action allows human review before promotion.

Why this answer

Option C is correct because CodePipeline requires an explicit manual approval action to gate promotions between stages. Without a manual approval step, the pipeline would automatically transition from beta to production upon successful testing, which bypasses the necessary human validation for production deployments. Adding a manual approval step ensures that a designated approver reviews the beta stage results before promoting to production, aligning with safe deployment practices.

Exam trap

The trap here is that candidates may confuse event-driven triggers (CloudWatch Events) or compliance checks (AWS Config) with the need for a human-in-the-loop approval gate, overlooking that CodePipeline's native manual approval action is the only way to pause and require explicit authorization between stages.

How to eliminate wrong answers

Option A is wrong because CloudWatch Events can trigger pipeline executions but cannot insert a manual approval gate within a pipeline; it would start a new execution rather than pause the existing one for approval. Option B is wrong because CodeDeploy is a deployment service for managing application deployments to compute platforms (e.g., EC2, Lambda), but it does not provide pipeline-level approval gates between CodePipeline stages. Option D is wrong because AWS Config rules evaluate resource compliance and cannot approve or block pipeline transitions; they are not designed for workflow approval actions.

41
Multi-Selectmedium

Which TWO options are valid approaches for managing configuration drift in an AWS environment? (Choose two.)

Select 2 answers
A.Use AWS Config rules to evaluate resource configurations against desired policies.
B.Use AWS CodePipeline to automatically redeploy infrastructure when changes are detected.
C.Use AWS Systems Manager Patch Manager to keep instances patched.
D.Use AWS CloudTrail to monitor API calls that modify resources.
E.Use AWS CloudFormation drift detection to identify resources that have been modified outside of CloudFormation.
AnswersA, E

AWS Config can evaluate compliance and detect drift.

Why this answer

Option A is correct because AWS Config can detect drift from desired configuration. Option D is correct because CloudFormation drift detection identifies changes to resources. Option B is wrong because Systems Manager Patch Manager is for patching, not drift detection.

Option C is wrong because CloudTrail is for API logging. Option E is wrong because CodePipeline is for CI/CD.

42
MCQmedium

A DevOps team is troubleshooting a CloudFormation stack creation failure. The error message states: 'CREATE_FAILED: Resource handler returned message: "You have attempted to create more resources than the current AWS account limit"'. Which step should the team take to resolve this issue?

A.Delete the failed stack and recreate it with the same template.
B.Review the IAM permissions for the CloudFormation service role.
C.Modify the CloudFormation template to use a different resource type.
D.Check the current service limits for the resource type and request a limit increase from AWS Support.
AnswerD

The error explicitly states that the account limit has been reached.

Why this answer

Option C is correct because the error indicates a service limit has been reached, and the team should request a limit increase. Option A is wrong because the error is not about permissions. Option B is wrong because retrying will fail again.

Option D is wrong because the error is specific to resource limits, not stack names.

43
MCQmedium

A company uses AWS CloudFormation to manage infrastructure. The team wants to ensure that all stack updates are reviewed and approved before execution. Which mechanism should the team implement?

A.Create a stack policy that denies all updates unless approved.
B.Use AWS CloudFormation drift detection to identify changes before updating.
C.Enable termination protection on the stack to prevent accidental updates.
D.Use AWS CloudFormation change sets to review the proposed changes before executing the update.
AnswerD

Change sets allow you to preview how changes will affect running resources.

Why this answer

AWS CloudFormation change sets allow you to preview how proposed changes to a stack will be applied before you execute them. This includes a summary of additions, modifications, and deletions of resources, enabling you to review and approve the changes in a controlled manner. By generating a change set, the team can ensure that no update is executed without prior review and approval, meeting the requirement for a gated deployment process.

Exam trap

The trap here is that candidates confuse stack policies (which control resource-level permissions) with change sets (which provide a preview of changes), or they mistakenly think termination protection or drift detection can gate updates, when neither is designed for that purpose.

How to eliminate wrong answers

Option A is wrong because a stack policy controls permissions for stack resources (e.g., preventing updates to specific resources) but does not provide a review-and-approve workflow for the entire stack update; it cannot block the update itself. Option B is wrong because drift detection identifies whether the stack's actual resources have deviated from the template, but it does not preview or gate proposed updates; it is a detective, not a preventive, control. Option C is wrong because termination protection prevents accidental deletion of the entire stack, not updates; it has no effect on stack updates or change review.

44
MCQmedium

A company uses AWS CodeDeploy for application deployments to EC2 instances. The team recently noticed that deployments are failing because some instances do not have the CodeDeploy agent installed. Which configuration management approach should the team implement to ensure the CodeDeploy agent is installed and running on all instances before deployment?

A.Use an AWS Config rule to detect instances without the agent and trigger a Lambda function to install it.
B.Use the CodeDeploy deployment configuration to skip instances that do not have the agent.
C.Create a custom AMI with the CodeDeploy agent pre-installed, or use a user data script to install the agent at launch.
D.Configure the CodeDeploy deployment group to automatically install the agent on new instances.
AnswerC

Pre-installing the agent in the AMI or using user data ensures the agent is ready before deployment.

Why this answer

Option C is correct because it ensures the CodeDeploy agent is present on every EC2 instance from the moment it is launched, either by baking the agent into a custom AMI or by installing it via a user data script. This approach aligns with immutable infrastructure and configuration management best practices, preventing deployment failures caused by missing agents. AWS CodeDeploy requires the agent to be installed and running on target instances before any deployment can proceed.

Exam trap

The trap here is that candidates may assume CodeDeploy can automatically install its own agent on instances (Option D), but AWS CodeDeploy has no such built-in capability; the agent must be provisioned independently through AMI, user data, or a configuration management tool like AWS Systems Manager or Chef.

How to eliminate wrong answers

Option A is wrong because AWS Config rules are reactive and can only detect non-compliance after an instance is launched, not proactively ensure the agent is installed before deployment; additionally, relying on a Lambda function to install the agent introduces latency and potential race conditions. Option B is wrong because CodeDeploy deployment configurations do not support skipping instances based on agent presence; if an instance lacks the agent, the deployment will fail for that instance, and the overall deployment may fail depending on the failure threshold. Option D is wrong because CodeDeploy deployment groups do not have a built-in feature to automatically install the agent on new instances; the agent must be installed separately via AMI, user data, or an external configuration management tool.

45
MCQhard

A company uses AWS Elastic Beanstalk for application deployments. They want to integrate infrastructure-as-code practices using AWS CloudFormation. Which approach allows them to manage the Elastic Beanstalk environment and underlying resources as part of a CloudFormation stack?

A.Use a custom resource backed by a Lambda function to create the Elastic Beanstalk environment.
B.Use the CloudFormation import feature to bring the existing Elastic Beanstalk environment into the stack.
C.Export the Elastic Beanstalk environment configuration as a CloudFormation template from the console.
D.Define the Elastic Beanstalk environment in the CloudFormation template using the AWS::ElasticBeanstalk::Environment resource.
AnswerD

CloudFormation natively supports Elastic Beanstalk.

Why this answer

Option B is correct because CloudFormation supports the AWS::ElasticBeanstalk::Environment resource type, which can be used to create and manage Elastic Beanstalk environments within a stack. Option A is wrong because Elastic Beanstalk environments are not directly compatible with CloudFormation custom resources. Option C is wrong because CloudFormation does not import existing Elastic Beanstalk environments.

Option D is wrong because Elastic Beanstalk does not generate CloudFormation templates automatically.

46
MCQmedium

A financial services company uses AWS CloudFormation to deploy a multi-tier application. The security team mandates that all data at rest must be encrypted using KMS CMKs. The CloudFormation template creates an RDS instance with encryption enabled using a KMS key. After deployment, the security team reports that the RDS instance is not using the specified KMS key. The DevOps engineer checks the template and finds the KMS Key ID is correct. What is the MOST likely cause?

A.The RDS instance was created without enabling encryption; encryption cannot be added later.
B.The KMS key is in a different AWS region.
C.The IAM role used by CloudFormation lacks permissions to use the KMS key.
D.The RDS instance is inside a VPC that does not have a KMS key policy.
AnswerA

RDS encryption can only be enabled at creation time.

Why this answer

RDS encryption cannot be enabled after creation (B). The template must set the StorageEncrypted property and the KmsKeyId. If encryption is not enabled at creation, it cannot be added later.

Option A (region) is less likely; C (IAM) is irrelevant; D (VPC) is unrelated.

47
Multi-Selectmedium

A company uses AWS CloudFormation to deploy infrastructure. They want to enforce mandatory tags on all resources created by CloudFormation. Which TWO approaches can achieve this? (Choose TWO.)

Select 2 answers
A.Use CloudFormation stack tags that propagate to all resources in the stack.
B.Create an AWS Config rule to automatically tag resources after creation.
C.Use an AWS Organizations service control policy (SCP) to deny creation of resources that are not tagged.
D.Add an IAM policy that denies cloudformation:CreateStack unless the template includes the required tags.
E.Enable AWS CloudTrail to log all API calls and monitor for untagged resources.
AnswersA, C

Stack tags are automatically applied to all resources that support tagging.

Why this answer

Option A is correct because CloudFormation stack tags propagate to all resources that support tagging within the stack. When you specify tags at the stack level, CloudFormation automatically applies them to each resource it creates, ensuring mandatory tags are enforced without additional configuration.

Exam trap

The trap here is that candidates often confuse reactive detection (AWS Config) with proactive prevention (SCPs or stack tags), or mistakenly believe IAM policies can parse template content to enforce tagging rules.

48
MCQeasy

An organization uses AWS OpsWorks for configuration management of their EC2 instances. They need to ensure that all instances have the latest security patches applied automatically. Which action should the team take?

A.Configure a custom Chef recipe in OpsWorks to run 'yum update' on a schedule.
B.Create an AWS Config rule to check for missing patches and trigger an auto-remediation.
C.Update the AMI used by the OpsWorks layer to include the latest patches.
D.Enable AWS Systems Manager Patch Manager to patch all instances managed by OpsWorks.
AnswerA

OpsWorks supports custom Chef recipes that can be executed on a schedule to apply updates.

Why this answer

Option D is correct because OpsWorks can run Chef recipes on a schedule using custom recipes. Option A is incorrect because OpsWorks does not directly integrate with Systems Manager Patch Manager; that is a separate service. Option B is incorrect because AWS Config rules are for compliance evaluation, not patching.

Option C is incorrect because updating the AMI does not affect running instances.

49
MCQmedium

A DevOps engineer updated an EC2 instance's InstanceType in a CloudFormation stack and received the stack events shown in the exhibit. What is the most likely cause of the failure?

A.The engineer did not have permission to modify the instance type.
B.The AMI ID specified does not support the new instance type.
C.The VPC configuration does not support the new instance type.
D.The engineer specified an invalid instance type (e.g., t2.large) that is not allowed by CloudFormation.
AnswerD

The error says value must be one of t2.micro, t2.small, t2.medium.

Why this answer

Option B is correct because the error message states that the InstanceType value must be one of the allowed types. The engineer likely specified an invalid instance type like t2.large. Option A is wrong because the error is about instance type, not AMI.

Option C is wrong because the error is not about IAM. Option D is wrong because the error is not about network.

50
MCQeasy

A company uses AWS OpsWorks for configuration management. The DevOps team wants to deploy a new application version to a stack of EC2 instances. What should the team use to perform the deployment?

A.AWS Elastic Beanstalk
B.AWS CloudFormation
C.AWS CodeDeploy
D.Custom Chef recipes in OpsWorks
AnswerD

OpsWorks uses Chef recipes for configuration and deployment.

Why this answer

AWS OpsWorks is a configuration management service that uses Chef. When you need to deploy a new application version to a stack of EC2 instances managed by OpsWorks, the native and recommended approach is to use custom Chef recipes. These recipes can be executed as a lifecycle event (e.g., Deploy) to update application code, restart services, or perform any deployment tasks directly on the instances, leveraging the existing OpsWorks agent and Chef infrastructure.

Exam trap

The trap here is that candidates often confuse OpsWorks with Elastic Beanstalk or think that CodeDeploy is the universal deployment tool for all EC2 instances, forgetting that OpsWorks has its own native Chef-based deployment mechanism that should be used when the stack is already managed by OpsWorks.

How to eliminate wrong answers

Option A is wrong because AWS Elastic Beanstalk is a PaaS service for deploying web applications, not a deployment tool for existing OpsWorks stacks; it manages its own EC2 instances and cannot target an OpsWorks stack. Option B is wrong because AWS CloudFormation is an Infrastructure as Code (IaC) service for provisioning and managing AWS resources, not for deploying application code to running instances; it can create the stack but not perform the application deployment within OpsWorks. Option C is wrong because AWS CodeDeploy is a separate deployment service that can deploy to EC2 instances, but it is not integrated with OpsWorks lifecycle events; using it would bypass OpsWorks' built-in Chef-based deployment mechanism and require additional setup, making it non-idiomatic for an OpsWorks-managed environment.

51
MCQhard

A DevOps team is designing a configuration management solution for a microservices architecture running on Amazon ECS. The team wants to ensure that container configurations are automatically updated when a new version of a parameter is stored in AWS Systems Manager Parameter Store. Which approach best meets this requirement with minimal operational overhead?

A.Use AWS AppConfig to create a configuration profile that references the parameter. Configure a Lambda function as a validator and deploy strategy. When the parameter changes, AppConfig triggers a deployment that updates the ECS service.
B.Use an AWS CloudFormation custom resource that updates the ECS service when the parameter changes.
C.Use a CI/CD pipeline that monitors the parameter store and triggers a new build and deploy of the container image with the updated parameter.
D.Use Amazon EventBridge to detect changes to the parameter and invoke a Lambda function that updates the ECS task definition and forces a new deployment.
AnswerA

AppConfig is designed for dynamic configuration and can integrate with ECS to update containers.

Why this answer

Option A is correct because using AWS AppConfig with a Lambda function to trigger an ECS service update is a native, managed solution. Option B is wrong because it does not automatically update running containers. Option C is wrong because it requires manual steps.

Option D is wrong because CloudWatch Events cannot directly update ECS services.

52
MCQhard

A company uses AWS CodeDeploy to deploy applications to an Auto Scaling group. During a deployment, the new instances fail the health check and are terminated. The deployment fails. The team wants to automatically roll back to the previous working version. What should they do?

A.Set up an Auto Scaling lifecycle hook to terminate instances and trigger a rollback.
B.Configure the deployment group to automatically roll back when a deployment fails.
C.Manually redeploy the last successful deployment revision after investigating the failure.
D.Configure the deployment group to automatically redeploy the same revision on failure.
AnswerB

CodeDeploy can automatically roll back to the last known good revision.

Why this answer

Option B is correct because AWS CodeDeploy provides a built-in rollback configuration that can be triggered automatically when a deployment fails. By enabling automatic rollback in the deployment group settings, CodeDeploy will redeploy the last successful revision when the current deployment fails health checks, without requiring manual intervention or additional infrastructure.

Exam trap

The trap here is that candidates may confuse Auto Scaling lifecycle hooks with CodeDeploy rollback mechanisms, or think that redeploying the same revision (option D) would fix the issue, when in fact it would just repeat the failure.

How to eliminate wrong answers

Option A is wrong because Auto Scaling lifecycle hooks are used to perform custom actions during instance launch or termination (e.g., draining connections or running scripts), but they do not trigger CodeDeploy rollbacks; rollback logic must be configured within CodeDeploy itself. Option C is wrong because manually redeploying the last successful revision is a valid recovery method but does not meet the requirement for automatic rollback; the team wants an automated solution, not manual steps. Option D is wrong because redeploying the same revision on failure would repeat the same failing deployment, not restore the previous working version; automatic rollback specifically redeploys the last known good revision, not the failed one.

53
Multi-Selecteasy

A company is adopting Infrastructure as Code (IaC) using AWS CloudFormation. They want to ensure that stack updates are safe and minimize the risk of resource replacement. Which TWO of the following strategies should they use?

Select 2 answers
A.Always create a change set before executing a stack update.
B.Use a stack policy to prevent updates to critical resources.
C.Perform updates directly from the AWS Management Console to see immediate results.
D.Delete the stack and create a new one with the updated template.
E.Use the --disable-rollback flag to avoid unnecessary rollbacks.
AnswersA, B

Change sets allow you to review changes before applying.

Why this answer

Creating a change set before executing a stack update allows you to review the proposed changes, including whether any resources will be replaced or interrupted. This provides a safety net by letting you validate the impact of the update before committing, reducing the risk of unintended resource replacement.

Exam trap

The trap here is that candidates often confuse the --disable-rollback flag with a safety mechanism, but it actually prevents recovery from failures and does nothing to mitigate resource replacement risks.

54
MCQhard

A company runs a critical web application on AWS using an Auto Scaling group of EC2 instances behind an Application Load Balancer. The application is deployed using AWS CodeDeploy with a blue/green deployment configuration. The DevOps team is responsible for configuration management using AWS Systems Manager State Manager. They have set up a State Manager association to ensure that the instances have a specific security configuration (e.g., firewall rules). Recently, after a new deployment, the team noticed that the security configuration is missing on some new instances. The old instances still have the correct configuration. The association is configured to apply the configuration only at instance launch (using the AWS-RunShellScript document). The team suspects that the new instances are not being targeted by the association. Upon investigation, they find that the association is set to target instances based on tags, and the new instances do have the required tags. However, the association status shows 'Success' for the old instances but no status for the new instances. Which of the following is the MOST likely cause of this issue?

A.The State Manager association was created before the new instances were launched, and the association is not configured to automatically apply to new instances. The association needs to be updated or scheduled to run periodically.
B.The new instances have a different tag than the one specified in the association.
C.The association is trying to download a script from an S3 bucket, but the bucket policy denies access to new instances.
D.The AWS-RunShellScript document failed to execute on the new instances due to a missing IAM role.
AnswerA

Associations only apply to instances that exist at the time of association creation unless configured otherwise.

Why this answer

Option A is correct because State Manager associations are created at a specific time and target instances that exist at that time. New instances launched after the association creation will not automatically be targeted unless the association is configured with a schedule or the 'Apply only at next update' option. The association is set to run only at launch, but the association itself must be applied to the instance at launch time.

If the association was created before the new instances, it won't apply to them unless it is updated. Option B is wrong because the association can target instances by tags; tagging is not the issue. Option C is wrong because the problem is not about the script failing; the association is not running on new instances.

Option D is wrong because the S3 bucket policy would affect the ability to store logs, but the association status would show error, not missing status.

55
Multi-Selecthard

Which TWO are correct about using AWS CloudFormation to manage infrastructure across multiple AWS accounts? (Select TWO.)

Select 2 answers
A.You can use AWS Organizations to centrally manage accounts and use StackSets with trusted access.
B.CloudFormation can automatically create new AWS accounts using a template.
C.Nested stacks can be used to deploy resources in different accounts from a single template.
D.AWS CloudFormation StackSets can deploy stacks across multiple accounts.
E.You can use cross-stack references to share resources between accounts.
AnswersA, D

Organizations integration enables StackSets across accounts.

Why this answer

Option C is correct because StackSets allow deploying stacks across accounts. Option D is correct because you can use AWS Organizations to manage accounts and StackSets can be integrated. Option A is wrong because StackSets do not support nested stacks across accounts natively.

Option B is wrong because CloudFormation does not automatically create accounts. Option E is wrong because CloudFormation templates cannot reference resources across accounts without explicit parameters.

56
MCQmedium

An organization uses AWS CodeCommit to store CloudFormation templates. They have a requirement that all templates must pass a series of validation checks before being merged to the main branch. The checks include syntax validation, IAM policy linting, and compliance rules. The DevOps team wants to implement this validation using AWS services with minimal operational overhead. They already use AWS CodePipeline for CI/CD. What should the team do?

A.Configure a CloudFormation stack to automatically validate templates and send notifications.
B.Create a Lambda function that triggers on CodeCommit events and runs validation.
C.Use AWS CloudFormation Guard as a pre-commit hook on local machines.
D.Set up a CodePipeline that is triggered by pull request creation, with a CodeBuild stage to run validation checks, and configure a branch policy to require the pipeline to succeed before merging.
AnswerD

This provides automated, centralized validation with minimal overhead.

Why this answer

Option D is correct because CodePipeline with CodeBuild can run validation checks on pull requests using a branch policy. Option A is wrong because it requires managing Lambda functions. Option B is wrong because it doesn't integrate with pull request workflow.

Option C is wrong because CloudFormation alone cannot enforce pre-merge validation.

57
MCQhard

An organization wants to ensure that all objects stored in the S3 bucket are encrypted at rest using server-side encryption with S3 managed keys (SSE-S3). The bucket policy above is intended to enforce this. However, a user reported that they can still upload unencrypted objects. What is the MOST likely reason?

A.The condition is applied to the GetObject action, not the PutObject action.
B.The bucket policy is not attached to the bucket because of a circular dependency.
C.The bucket policy does not apply to objects uploaded by the root user.
D.The condition should use 's3:x-amz-server-side-encryption-aws-kms-key-id' instead.
AnswerA

To enforce encryption on uploads, the condition must be on s3:PutObject.

Why this answer

Option D is correct. The bucket policy condition checks for the header 'x-amz-server-side-encryption' with value 'AES256'. However, this condition is on the GetObject action, not on PutObject.

To enforce encryption on uploads, the condition should be on s3:PutObject. Additionally, the condition should require encryption, not just check it. Option A is incorrect because using bucket policy is a valid way to enforce encryption.

Option B is incorrect because the condition syntax is correct for SSE-S3. Option C is incorrect because the policy applies to the bucket, but the condition is on the wrong action.

58
MCQeasy

A company uses Ansible for configuration management on EC2 instances. They want to ensure that only instances with a specific tag (Environment: Production) are targeted by their playbooks. What is the best way to achieve this?

A.Add a 'when' condition in the playbook to check the instance tag at runtime.
B.Maintain a static inventory file listing only Production instances.
C.Use the AWS EC2 dynamic inventory plugin to filter instances based on tags.
D.Use the ec2_tag module to assign the tag to instances.
AnswerC

Dynamic inventory can filter by tags, so playbooks run only on matching instances.

Why this answer

Option B is correct because Ansible dynamic inventory with AWS EC2 plugin can filter by tags. Option A is wrong because it assigns tags to instances, not select them. Option C is wrong because it is less dynamic.

Option D is wrong because it modifies the playbook to check tags after connecting, which is inefficient.

59
Multi-Selectmedium

A DevOps team is using AWS Elastic Beanstalk to deploy a web application. They need to customize the software configuration on the EC2 instances that are part of the Elastic Beanstalk environment. Which THREE methods can they use? (Choose THREE.)

Select 3 answers
A.Use saved configurations to create reusable environment templates
B.Create a custom AMI with the desired configuration
C.Use OpsWorks to manage the instances
D.Use .ebextensions configuration files
E.Use platform hooks to run custom scripts during deployment
AnswersA, D, E

Saved configurations capture environment settings and can be applied to new environments.

Why this answer

Elastic Beanstalk provides several ways to customize the environment: .ebextensions for config files, saved configurations for environment settings, and platform hooks for custom scripts. Options A, B, and D are correct. Option C is incorrect because OpsWorks is a separate service.

Option E is incorrect because custom AMIs are not recommended for Elastic Beanstalk; you should use platform hooks instead.

60
MCQmedium

A DevOps engineer is troubleshooting a CloudFormation stack creation failure. The stack includes an EC2 instance with a UserData script that installs software. The stack creation fails with the error: 'The following resource(s) failed: EC2Instance (AWS::EC2::Instance) – Resource creation cancelled'. What is the most likely cause?

A.The EC2 instance type is not supported in the region
B.The IAM role attached to the instance lacks permissions
C.The stack creation timed out or was manually cancelled
D.The UserData script failed due to a syntax error
AnswerC

Resource creation cancelled typically indicates a timeout or manual cancellation.

Why this answer

Option D is correct because Resource creation cancelled indicates the stack creation timed out or was manually cancelled. UserData scripts do not affect CloudFormation resource status unless the instance is created with a CreationPolicy or WaitCondition. Option A is incorrect because UserData failure does not cause a CloudFormation error.

Option B is incorrect because Resource creation cancelled is not due to API rate limiting. Option C is incorrect because missing IAM role would cause an 'AccessDenied' error, not cancellation.

61
MCQeasy

A company uses AWS OpsWorks for configuration management. The DevOps team wants to automate the patching of operating system updates on a set of EC2 instances managed by OpsWorks. Which OpsWorks feature should be used?

A.Weekly Auto Update
B.Auto Scaling
C.Chef Automate
D.Lifecycle events (Setup, Configure, Deploy, etc.)
AnswerA

OpsWorks can automatically install updates on a weekly schedule.

Why this answer

Option B is correct because OpsWorks Stacks supports automatic patching via the 'Auto Healing' and 'Custom Recipes' but also has a built-in 'Weekly Auto Update' feature for managed instances. Option A (Auto Scaling) handles capacity, not patching. Option C (Lifecycle events) can be used to trigger custom recipes for patching, but the question asks for a specific feature.

Option D (Chef Automate) is a separate product, not natively integrated with OpsWorks Stacks.

62
MCQhard

A company uses AWS CloudFormation to manage a production environment. The DevOps team wants to implement a change management process where any changes to the stack must be reviewed before execution. Which feature should the team use?

A.CloudFormation StackSets
B.CloudFormation Stack Policies
C.CloudFormation Change Sets
D.CloudFormation Drift Detection
AnswerC

Change Sets allow review of changes before execution.

Why this answer

CloudFormation Change Sets allow the DevOps team to preview how proposed changes to a stack will impact running resources before they are executed. This enables a review-and-approval workflow because the change set can be created, reviewed, and then executed only after approval, satisfying the requirement for a change management process.

Exam trap

The trap here is that candidates often confuse Stack Policies (which control update permissions) with Change Sets (which provide a preview), or they assume Drift Detection can be used to review proposed changes when it only detects unmanaged changes after they occur.

How to eliminate wrong answers

Option A is wrong because CloudFormation StackSets are used to deploy stacks across multiple accounts and regions, not to review or approve changes to a single stack. Option B is wrong because Stack Policies define resource-level update protections (e.g., prevent replacement of a database) but do not provide a preview or review step before changes are applied. Option D is wrong because Drift Detection identifies whether a stack's actual resources have diverged from the template, but it does not control or review proposed changes before execution.

63
MCQhard

A DevOps team is troubleshooting a CloudFormation stack creation failure. The stack uses a service role with the trust policy shown in the exhibit. The error message states: 'Insufficient permissions to create the resource'. Which action should the team take to resolve this issue?

A.Modify the CloudFormation template to use the user's IAM role instead of a service role.
B.Create a new stack policy that allows the required actions.
C.Add the user's IAM role to the trust policy.
D.Attach IAM policies to the service role that grant permissions to create the resources.
AnswerD

The service role needs permission to create resources on behalf of CloudFormation.

Why this answer

Option B is correct because the service role's trust policy allows CloudFormation to assume it, but the role itself needs permissions to create resources. Option A is wrong because the trust policy is correct. Option C is wrong because adding a trust policy is for the stack's role.

Option D is wrong because CloudFormation does not need to assume the user role.

64
MCQmedium

A company uses AWS OpsWorks for configuration management. They have a stack with a layer that includes several EC2 instances. The DevOps engineer needs to deploy a custom configuration file to all instances in the layer. What is the recommended approach?

A.Use custom JSON in the stack settings to specify the file content
B.Create a custom Chef recipe and assign it to the layer's lifecycle events
C.Use AWS Systems Manager Run Command to copy the file
D.Add the file to the instance's user data script
AnswerB

Custom recipes are the standard way to manage configuration in OpsWorks.

Why this answer

Option A is correct because OpsWorks allows custom recipes to be associated with lifecycle events, which can deploy configuration files. Option B is wrong because custom JSON is for overriding stack settings, not for deploying files. Option C is wrong because user data only runs at launch.

Option D is wrong because Run Command is for ad-hoc commands, not for ongoing configuration management.

65
MCQeasy

A company is using AWS Elastic Beanstalk to deploy a web application. The development team wants to ensure that environment variables are set consistently across all environments (development, staging, production) without manual intervention. Which AWS service or feature should be used to manage these environment variables?

A.AWS CloudFormation templates with parameters
B.Elastic Beanstalk environment properties
C.AWS Systems Manager Parameter Store
D.AWS CodeDeploy environment variables
AnswerC

Parameter Store can store configuration data and Elastic Beanstalk can retrieve it via instance profile or configuration files.

Why this answer

Option B is correct because AWS Systems Manager Parameter Store can store configuration data securely and Elastic Beanstalk can retrieve it during environment creation or update. Option A is incorrect because CloudFormation is for infrastructure provisioning, not runtime configuration management. Option C is incorrect because Elastic Beanstalk environment properties are environment-specific and not shared across environments.

Option D is incorrect because CodeDeploy is for deployment automation, not configuration management.

66
MCQhard

A company uses AWS CloudFormation to manage its infrastructure. The stack creation recently failed because an IAM role resource was created before the AWS Lambda function that depends on it. The template has no DependsOn clauses. What is the most likely reason for this failure and how can it be fixed?

A.Add a DependsOn clause to the Lambda function resource referencing the IAM role
B.Use AWS Systems Manager Automation to create the resources sequentially
C.Use a ChangeSet to roll back the stack and modify the template
D.Split the template into two separate stacks and use nested stacks
AnswerA

Explicitly ordering resource creation solves the parallel creation failure.

Why this answer

The most likely reason for the failure is that CloudFormation, by default, parallelizes the creation of resources that do not have explicit dependencies. Since the IAM role and Lambda function have no DependsOn clause, CloudFormation may attempt to create the Lambda function before the IAM role is fully created and its permissions are propagated. Adding a DependsOn clause to the Lambda function resource referencing the IAM role ensures that CloudFormation creates the IAM role first, resolving the dependency and preventing the failure.

Exam trap

The trap here is that candidates may assume CloudFormation automatically detects all dependencies via Ref or Fn::GetAtt, but it does not infer dependencies from resource attributes like IAM role ARNs used in Lambda function configurations unless explicitly referenced in the template.

How to eliminate wrong answers

Option B is wrong because AWS Systems Manager Automation is used for operational tasks like patching or runbooks, not for managing CloudFormation resource creation order; it does not address the missing dependency in the template. Option C is wrong because a ChangeSet is used to preview changes before updating a stack, not to roll back a failed creation or modify the template to fix dependency ordering; rolling back and modifying the template would require a new stack creation, not a ChangeSet. Option D is wrong because splitting the template into two separate stacks and using nested stacks does not inherently solve the dependency ordering issue; the same parallel creation problem could occur across nested stacks unless explicit DependsOn or cross-stack references are used, making it an unnecessarily complex solution.

67
MCQmedium

A company uses Chef for configuration management of their EC2 instances. They want to use AWS OpsWorks for Chef Automate to manage the Chef server. What is the primary benefit of using OpsWorks for Chef Automate compared to running a self-managed Chef server?

A.It provides a graphical user interface to author cookbooks.
B.It creates cookbooks based on the instance configuration.
C.It reduces operational overhead by managing the Chef server's infrastructure.
D.It automatically applies cookbooks to all instances in the account.
AnswerC

AWS manages the Chef server, reducing maintenance.

Why this answer

Option B is correct. OpsWorks for Chef Automate is a managed service that handles the Chef server maintenance, patching, and high availability. It integrates with AWS services like CloudWatch and IAM.

Option A is incorrect because OpsWorks does not provide a GUI for cookbooks; Chef has its own tools. Option C is incorrect because OpsWorks manages the server, not the nodes' cookbooks. Option D is incorrect because OpsWorks does not automatically create cookbooks; they must be developed by the user.

68
MCQeasy

A DevOps engineer runs the command shown in the exhibit. The output shows the stack status as ROLLBACK_COMPLETE. Which statement best describes the current state of the stack?

A.The stack was created successfully and is in a steady state.
B.The stack update failed and has been rolled back to the previous state.
C.The stack is currently in the process of rolling back after a failed creation.
D.The stack creation failed and has been rolled back. No resources remain.
AnswerD

ROLLBACK_COMPLETE means all resources were cleaned up after failure.

Why this answer

Option B is correct because ROLLBACK_COMPLETE means the stack creation failed and rolled back, leaving no resources. Option A is wrong because that would be CREATE_COMPLETE. Option C is wrong because UPDATE_ROLLBACK_COMPLETE is for updates.

Option D is wrong because ROLLBACK_IN_PROGRESS is the intermediate state.

69
MCQhard

A DevOps engineer uses AWS CloudFormation to manage infrastructure. The stack creation fails with the error: 'Circular dependency between resources'. The template includes an EC2 instance, an Elastic IP, and an internet gateway. The instance is associated with the Elastic IP, and the Elastic IP uses the internet gateway for the VPC. Which resource relationship is MOST likely causing the circular dependency?

A.The security group depends on the EC2 instance, and the EC2 instance depends on the security group.
B.The Elastic IP depends on the internet gateway, and the internet gateway depends on the Elastic IP.
C.The EC2 instance depends on the Elastic IP, and the Elastic IP depends on the EC2 instance.
D.The internet gateway depends on the VPC, and the VPC depends on the internet gateway.
AnswerC

This creates a circular dependency.

Why this answer

Option C is correct because the circular dependency arises when the EC2 instance depends on the Elastic IP (via an Association resource) and the Elastic IP depends on the EC2 instance (via the InstanceId property). CloudFormation cannot resolve the creation order when two resources each require the other to exist first. This is a classic circular dependency in CloudFormation templates when using an AWS::EC2::EIP with an InstanceId that references the EC2 instance, while the instance itself has a DependsOn or a reference to the Elastic IP.

Exam trap

The trap here is that candidates confuse the Elastic IP's dependency on the internet gateway (which is not direct) with the mutual dependency between the EC2 instance and the Elastic IP when the EIP uses the InstanceId property.

How to eliminate wrong answers

Option A is wrong because a security group does not depend on an EC2 instance; the instance depends on the security group, and CloudFormation handles this as a one-way dependency. Option B is wrong because an Elastic IP does not depend on an internet gateway; the Elastic IP is associated with a VPC or instance, and the internet gateway is attached to the VPC independently. Option D is wrong because an internet gateway depends on the VPC (via VpcId), but the VPC does not depend on the internet gateway; the VPC is created first, and the gateway is attached to it.

70
MCQmedium

A DevOps engineer is responsible for managing infrastructure as code for multiple microservices. The team uses AWS CloudFormation and wants to reuse common resource definitions across multiple stacks. Which approach should the engineer use to promote reusability and reduce code duplication?

A.Create nested stacks that include the common resources and pass parameters as needed.
B.Store the common resource definitions in an AWS CodeCommit repository and copy them into each template.
C.Use cross-stack references by exporting outputs from a central stack and importing them in other stacks.
D.Develop CloudFormation modules that encapsulate common resource configurations and publish them in a registry.
AnswerD

Modules are designed for reusability and can be shared across accounts and regions.

Why this answer

Option D is correct because AWS CloudFormation modules allow you to encapsulate common resource configurations into reusable, versioned components that can be published in the CloudFormation registry. This promotes reusability and reduces code duplication across multiple stacks without the overhead of managing nested stack templates or manual copying.

Exam trap

The trap here is that candidates often confuse cross-stack references (Fn::ImportValue) with reusable resource definitions, but cross-stack references only share output values, not the underlying resource configuration, so they do not reduce code duplication.

How to eliminate wrong answers

Option A is wrong because nested stacks still require you to maintain separate template files for the common resources, and they do not inherently reduce duplication if the same nested stack template is copied across projects. Option B is wrong because copying common resource definitions from a CodeCommit repository into each template leads to code duplication and version drift, defeating the purpose of reusability. Option C is wrong because cross-stack references (using Fn::ImportValue) only allow sharing output values, not entire resource definitions, so they do not reduce duplication of the resource configuration itself.

71
Multi-Selecthard

A company is using AWS Elastic Beanstalk for a production environment. They have observed that during deployments, the environment's health status intermittently becomes 'Severe' even though the application is functioning correctly. The deployment uses rolling updates with a batch size of 50%. Which TWO configuration changes would improve deployment stability without completely redesigning the deployment process? (Select TWO.)

Select 2 answers
A.Switch from rolling to immutable updates.
B.Increase the health check interval to allow more time for the application to stabilize.
C.Increase the batch size to 75%.
D.Decrease the deployment cooldown time.
E.Decrease the batch size to 25%.
AnswersB, E

Longer health check interval prevents premature health status degradation.

Why this answer

Option A is correct because decreasing the batch size reduces the number of instances updated at once, limiting the impact of potential issues. Option D is correct because increasing the health check interval gives the application more time to stabilize before Elastic Beanstalk marks it as unhealthy. Option B (immutable updates) completely changes the deployment strategy, which may not be desired.

Option C (decreasing cooldown) could worsen stability. Option E (increasing batch size) would increase instability.

72
MCQhard

A company runs a production e-commerce platform on AWS. The architecture includes an Application Load Balancer (ALB) distributing traffic across EC2 instances in an Auto Scaling group. The application uses a custom configuration stored in an S3 bucket. The DevOps team uses AWS CodeDeploy to deploy application updates. Recently, a deployment failed because new instances launched by the Auto Scaling group did not have the latest configuration from S3. The team had manually updated the configuration in S3 but the deployment did not pull the new version. The team wants to ensure that all instances always have the latest configuration at launch. Current setup: The Auto Scaling group uses a launch template that specifies an IAM instance profile with permissions to read from S3. The user data script runs at launch to download configuration from S3. However, the user data script is static and does not account for configuration updates. The team wants a solution that automatically applies configuration changes to both existing and new instances without manual intervention.

A.Use AWS Config with a custom rule to detect instances that do not have the latest configuration and trigger a Lambda function to update them.
B.Update the launch template with a new user data script that always fetches the latest configuration from S3. Then, update the Auto Scaling group to use the new launch template version.
C.Configure AWS CodeDeploy to deploy the configuration to all instances whenever the S3 object is updated, using an S3 event notification.
D.Use AWS Systems Manager State Manager to associate a document that runs on all instances to fetch the latest configuration from S3 on a schedule and at instance startup.
AnswerD

State Manager can enforce configuration on both existing and new instances.

Why this answer

Option B is correct because AWS Systems Manager State Manager can enforce configuration on instances, pull the latest config from S3, and apply it to both existing and new instances. Option A is incorrect because updating the user data script in the launch template only affects new instances, not existing ones. Option C is incorrect because CodeDeploy does not run at instance launch unless triggered by a lifecycle hook, and it requires additional setup.

Option D is incorrect because AWS Config is for compliance, not for pushing configurations.

73
MCQhard

A company uses AWS Systems Manager to manage a fleet of EC2 instances. They need to run a custom script on all instances every time the instance is started. The script is stored in an S3 bucket. Which approach ensures the script runs automatically on every instance start with minimal administrative overhead?

A.Create a State Manager association with the AWS-RunDocument document, targeting the instances, and set the schedule to 'On Instance Start'.
B.Place the script in /etc/rc.local on a custom AMI.
C.Use AWS Config rules to invoke a Lambda function that runs the script.
D.Create an EC2 launch template that includes the script in user data.
AnswerA

State Manager can be configured to run a document on instance start automatically.

Why this answer

Associating a State Manager association with the AWS-RunDocument document and targeting the instances ensures the script runs on every instance start. Option A is correct because State Manager can be configured to run on instance start. Options B, C, and D are either manual or not triggered automatically on start.

74
MCQhard

A company uses AWS CloudFormation to manage its infrastructure. The CloudFormation template includes a custom resource backed by an AWS Lambda function that validates a condition and returns a value. During a stack update, the custom resource fails, and the stack rolls back. The DevOps engineer needs to debug the issue. Which steps should be taken to troubleshoot the custom resource failure?

A.View the Amazon CloudWatch Logs log group for the Lambda function to see the function's output and error messages.
B.Update the Lambda function code to include additional logging and then re-execute the stack update.
C.Check the Amazon S3 bucket where the Lambda function code is stored for any access denied errors.
D.Review the CloudFormation stack events in the AWS Management Console for detailed error messages from the Lambda function.
AnswerA

Custom resource Lambda functions log to CloudWatch Logs; reviewing those logs helps identify the failure.

Why this answer

Option A is correct because AWS Lambda functions invoked by CloudFormation custom resources automatically send their logs to Amazon CloudWatch Logs. By examining the log group named `/aws/lambda/<function-name>`, the DevOps engineer can view the function's `stdout`, `stderr`, and any `print()` or `console.log()` statements, which will contain the exact error messages or return values that caused the custom resource to fail. This is the most direct and reliable method to debug the failure without modifying the stack or waiting for a new update.

Exam trap

The trap here is that candidates often assume CloudFormation stack events provide detailed error messages from the Lambda function, but in reality, they only show generic failure statuses, while the actual debugging data resides in CloudWatch Logs.

How to eliminate wrong answers

Option B is wrong because updating the Lambda function code and re-executing the stack update does not help debug the original failure; it changes the code and may mask the root cause, and the stack update would still need to be triggered again. Option C is wrong because the Lambda function code is stored in Amazon S3 only for deployment; access denied errors on the S3 bucket would prevent the function from being created or updated, but they would not cause a custom resource failure during a stack update — the function is already deployed and running. Option D is wrong because CloudFormation stack events only show high-level status messages like 'CREATE_FAILED' or 'UPDATE_FAILED' for the custom resource, but they do not include the detailed error messages or return values from the Lambda function itself; those details are only available in CloudWatch Logs.

75
MCQeasy

A DevOps team uses Ansible for configuration management of EC2 instances. They want to ensure that the Ansible control node can connect to managed nodes securely without storing SSH keys in plaintext. Which AWS service should they integrate with Ansible to securely manage SSH keys?

A.AWS KMS to encrypt the SSH keys at rest.
B.AWS Secrets Manager to store the SSH private keys and retrieve them dynamically.
C.AWS IAM roles to grant Ansible access to the instances.
D.AWS Systems Manager Parameter Store to store the keys.
AnswerB

Secrets Manager stores secrets securely and supports automatic retrieval.

Why this answer

Option B is correct because AWS Secrets Manager can store SSH private keys securely and Ansible can retrieve them via API. Option A is wrong because AWS KMS is for encryption keys, not for storing secrets directly. Option C is wrong because IAM roles are for permissions, not storing keys.

Option D is wrong because Systems Manager Parameter Store can store secrets but is less feature-rich for secret rotation.

Page 1 of 4 · 281 questions totalNext →

Ready to test yourself?

Try a timed practice session using only Config Mgmt Iac questions.