CCNA Incident Response Questions

75 of 254 questions · Page 1/4 · Incident Response topic · Answers revealed

1
MCQmedium

A company uses Amazon S3 to store critical data. An incident occurs where an S3 bucket is accidentally deleted. The DevOps engineer needs to recover the bucket and its objects. What should the engineer do?

A.Restore the bucket from AWS CloudTrail event history
B.Contact AWS Support to restore the bucket from a backup if versioning was enabled
C.Recreate the bucket with the same name and restore objects from a previous backup
D.Use the AWS S3 console to undo the deletion
AnswerB

AWS can restore buckets if versioning and MFA delete were configured.

Why this answer

Option B is correct because S3 bucket names are unique and cannot be recreated immediately; however, objects can be recovered if versioning and MFA delete were enabled. Option A is incorrect because buckets cannot be restored from CloudTrail. Option C is incorrect because only the bucket owner can delete a bucket, but deletion cannot be undone.

Option D is incorrect because buckets are not recovered automatically.

2
MCQmedium

A DevOps engineer notices that an EC2 instance running a critical web application has been terminated unexpectedly. The instance was part of an Auto Scaling group. Which step should the engineer take FIRST to investigate the root cause?

A.Review AWS CloudTrail logs for TerminateInstances API calls.
B.Look at the EC2 console's 'Termination Protection' setting.
C.Check the application logs on the instance's attached EBS volume (detached and attached to another instance).
D.Verify the Auto Scaling group's scaling policies and scheduled actions.
AnswerA

CloudTrail logs all API calls and can identify the source of termination.

Why this answer

Option A is correct because the first step in incident response is to gather information. CloudTrail logs all API calls, including TerminateInstances, and can identify who or what terminated the instance. Option B is wrong because examining the application logs does not reveal the termination cause.

Option C is wrong because scaling policies would not cause termination without CloudWatch. Option D is wrong because the termination reason is not available in the console without checking logs.

3
Multi-Selecteasy

A DevOps engineer is troubleshooting an Amazon RDS for PostgreSQL instance that is running out of storage. The engineer wants to resolve the issue without downtime. Which TWO actions can achieve this? (Choose two.)

Select 2 answers
A.Create a read replica and promote it to primary.
B.Enable storage auto scaling on the DB instance.
C.Delete old automated snapshots to free up storage.
D.Scale up the DB instance to a larger instance class.
E.Modify the DB instance to increase the allocated storage size.
AnswersB, E

Auto scaling adds storage automatically without manual intervention.

Why this answer

Option B is correct because enabling storage auto scaling on an Amazon RDS for PostgreSQL instance allows the database to automatically increase its allocated storage when it detects that available storage is running low, preventing out-of-storage errors without requiring manual intervention or downtime. Option E is correct because modifying the DB instance to increase the allocated storage size is a dynamic operation that can be performed without downtime, as Amazon RDS supports online storage scaling for PostgreSQL instances, allowing the change to take effect while the database remains available.

Exam trap

The trap here is that candidates often confuse instance class scaling (compute/memory) with storage scaling, or mistakenly think that deleting snapshots (which are stored separately in S3) can free up space on the DB instance's attached storage volume.

4
MCQhard

A company runs a stateful web application on EC2 instances behind an Application Load Balancer. The application uses sticky sessions (session affinity) based on cookies. During a deployment, the Auto Scaling group launches new instances, but users experience session loss. What is the most likely cause?

A.The Auto Scaling group's lifecycle hooks are not configured.
B.The stickiness duration is set too low.
C.The target group's deregistration delay is too short.
D.The target group's health check interval is too long.
AnswerC

A short delay causes the ALB to stop sending traffic to the instance before sessions are drained.

Why this answer

The correct answer is D. Sticky sessions are tied to the instance ID. If the ALB target group's deregistration delay is too short, the ALB may route traffic to a new instance before the session is migrated.

Session stickiness duration would affect how long sessions persist on the same instance, but not cause loss during deployments. Lifecycle hooks are for custom actions. Health check thresholds affect availability.

5
MCQeasy

A DevOps engineer receives an alert that an Amazon ECS service is failing to start tasks. The service uses the Fargate launch type. The task definition includes a container that requires port 8080. The security group associated with the service allows inbound traffic on port 8080. What should the engineer check NEXT?

A.Verify that the VPC subnets have a route to a NAT Gateway or Internet Gateway.
B.Confirm that the task definition's container image exists in ECR.
C.Check if the task definition has sufficient CPU and memory allocated.
D.Review the security group rules for outbound traffic.
AnswerA

Fargate tasks need outbound internet access to pull images.

Why this answer

Option B is correct because Fargate tasks require a VPC and subnets with outbound internet access (NAT Gateway or Internet Gateway) to pull images from ECR or Docker Hub. Option A is wrong because CPU/memory limits would cause tasks to fail with resource errors, not prevent starting. Option C is wrong because the security group is already configured.

Option D is wrong because the task definition is already defined.

6
MCQhard

A DevOps team is debugging a production incident where an Application Load Balancer (ALB) is returning 503 errors for some requests. The target group instances are healthy. What is the most likely cause?

A.The security group for the ALB does not allow inbound traffic on port 443
B.Health checks are misconfigured to use an incorrect path
C.The deregistration delay setting on the target group is too long
D.Cross-zone load balancing is disabled
AnswerC

A long deregistration delay can cause the ALB to route requests to instances that are draining, resulting in 503.

Why this answer

Option D is correct because a deregistration delay setting can cause the ALB to continue sending requests to instances that are being de-registered, leading to 503 errors if the instances are no longer accepting traffic. Option A is incorrect because healthy instances mean the health checks pass. Option B is incorrect because a missing security group rule would cause connection timeouts, not 503.

Option C is incorrect because cross-zone load balancing does not cause 503 errors.

7
MCQeasy

The CloudWatch alarm 'HighCPU' has transitioned to ALARM state. What does the alarm history indicate about the metric that triggered it?

A.The metric value remained below the threshold.
B.The metric value was exactly 80.0 at the time of the alarm.
C.The metric value of 90.0 exceeded the threshold of 80.0.
D.The alarm was triggered after 3 consecutive datapoints breached the threshold.
AnswerC

The history clearly states the threshold was crossed with a value of 90.0.

Why this answer

Option D is correct because the history shows that 1 datapoint with value 90.0 was greater than the threshold of 80.0. Option A is wrong because the datapoint is 90.0, not 80.0. Option B is wrong because it crossed the threshold.

Option C is wrong because the alarm uses 1 datapoint, not 3.

8
MCQmedium

After deploying a new application version using AWS CodeDeploy, an EC2 instance fails the deployment. The deployment group is configured with an in-place deployment. The engineer sees the error 'ScriptMissing' in the CodeDeploy logs. What should the engineer check?

A.The deployment group's deployment configuration
B.The file path defined in the appspec.yml for the lifecycle hook
C.The security group attached to the instance
D.The AMI used for the EC2 instance
AnswerB

The appspec.yml specifies scripts; if the script file is not at the specified path, the error occurs.

Why this answer

Option A is correct because the appspec.yml references lifecycle event hooks scripts; if the file is missing, 'ScriptMissing' error occurs. Option B is wrong because the AMI is not related to script files. Option C is wrong because the security group does not affect script execution.

Option D is wrong because the deployment group configuration is not the cause.

9
MCQmedium

An EC2 instance shows as 'running' in the AWS console, but the system status check is 'impaired'. What is the most likely cause?

A.The instance's security group rules are blocking traffic.
B.The EBS root volume is corrupted.
C.The instance's operating system is not responding.
D.The underlying physical host has experienced a failure.
AnswerD

System status checks monitor the health of the physical host; impairment indicates host issues.

Why this answer

Option B is correct because system status checks indicate problems with the underlying physical host, such as loss of network connectivity or power. Option A is wrong because instance status checks are for the OS, not system. Option C is wrong because EBS volume issues are instance status checks.

Option D is wrong because security group rules affect network access but not system status checks.

10
MCQeasy

A DevOps engineer receives a CloudWatch alarm for high CPU utilization on an EC2 instance. The engineer needs to investigate the cause. Which AWS service can provide a detailed analysis of the running processes and their resource consumption?

A.AWS Config
B.AWS CloudTrail
C.AWS Systems Manager Run Command
D.Amazon Inspector
AnswerC

Run Command can run scripts to gather process information.

Why this answer

Option C is correct because AWS Systems Manager Run Command can execute commands (e.g., 'top') on EC2 instances to gather process-level details. Option A (CloudTrail) does not provide OS-level metrics. Option B (Config) records configuration state.

Option D (Inspector) is for vulnerability assessment.

11
MCQeasy

A company uses AWS CloudTrail to record API calls across multiple accounts and regions. The security team needs to be alerted immediately when an IAM user creates a new access key. Which combination of services should be used to achieve this with minimal latency?

A.Send CloudTrail logs to CloudWatch Logs, create a metric filter, and set up a CloudWatch Alarm to publish to an SNS topic.
B.Enable S3 event notifications on the CloudTrail S3 bucket to trigger a Lambda function.
C.Use Amazon EventBridge to match the CloudTrail event and invoke an AWS Lambda function that sends an email.
D.Configure a Lambda function to poll the CloudTrail API every minute and check for new access keys.
AnswerA

This is the standard low-latency alerting pattern for CloudTrail events.

Why this answer

Option B is correct because CloudTrail delivers events to CloudWatch Logs, and a metric filter on 'CreateAccessKey' can trigger a CloudWatch Alarm to send an SNS notification. Option A is wrong because CloudWatch Events (now Amazon EventBridge) can directly match CloudTrail events, but the question asks for minimal latency and a common pattern. Option C is wrong because S3 event notifications are not designed for real-time alerting on API calls.

Option D is wrong because Lambda polling CloudTrail is inefficient and introduces latency.

12
Matchingmedium

Match each AWS compute or container service with its description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Container orchestration service supporting Docker

Managed Kubernetes service

Serverless compute engine for containers

Serverless, event-driven compute service

Automatically adjusts EC2 capacity based on demand

Why these pairings

These are core compute and container services.

13
MCQhard

A company uses an Application Load Balancer (ALB) to distribute traffic to a set of EC2 instances in an Auto Scaling group. During an incident, the DevOps team notices that the ALB is returning 503 errors. The instances are healthy according to the target group health checks. What is the MOST likely cause?

A.The ALB has no listeners configured.
B.The security group for the ALB is blocking traffic from the clients.
C.The ALB is throttling requests due to a surge.
D.The ALB's surge queue is full, causing it to reject requests.
AnswerD

When the surge queue is full, ALB returns 503, even if targets are healthy.

Why this answer

Option D is correct because 503 errors from an ALB typically indicate that the target group has no healthy instances, or all instances are marked unhealthy. However, the question says instances are healthy according to health checks, so the issue might be that the ALB itself is at capacity (e.g., surge queue full). The most common cause when health checks are passing but 503s persist is that the ALB's connection surge queue is full, often due to too many connections or slow targets.

Option A is wrong because security group rules usually cause timeouts, not 503. Option B is wrong because an ALB with no listeners would return 502 or 504. Option C is wrong because 503 is not a typical throttling response; throttling returns 429.

14
MCQmedium

During an incident, an engineer needs to quickly revoke access to a compromised IAM user. Which action should be taken FIRST?

A.Attach an AWS managed policy that explicitly denies all actions (e.g., AWSDenyAll).
B.Delete the IAM user immediately.
C.Disable the user's signing certificates.
D.Rotate the user's access keys.
AnswerA

A deny-all policy takes immediate effect, revoking all permissions.

Why this answer

Option B is correct because attaching a deny-all policy immediately blocks all actions. Option A is wrong because deleting the user may fail if there are dependencies. Option C is wrong because signing certificates are only for programmatic access, not console.

Option D is wrong because rotating keys does not revoke existing sessions.

15
MCQmedium

An application running on Amazon ECS Fargate is experiencing intermittent 503 errors. The task definition sets a soft limit of 512 CPU units and 1024 memory. The errors occur when traffic spikes. Which change is most likely to resolve the issue?

A.Increase the soft CPU limit to 1024 units.
B.Change the soft memory limit to a hard limit.
C.Increase the desired task count in the service.
D.Increase the soft memory limit to 2048 MiB.
AnswerD

Provides more memory, reducing out-of-memory errors.

Why this answer

Option D is correct because increasing the soft memory limit provides more memory to the container, reducing the likelihood of out-of-memory errors causing 503s. Option A is wrong because increasing CPU units may help if the issue is CPU-bound, but memory is more likely the cause of 503 errors. Option B is wrong because increasing desired count helps with load distribution but not if each task is resource-constrained.

Option C is wrong because changing to hard limit may cause the task to be killed if it exceeds memory.

16
MCQhard

A company uses AWS Config to track resource changes. They want to automatically remediate non-compliant security group rules that allow public SSH access. What is the MOST effective approach?

A.Set up an AWS Config rule that triggers a Lambda function to remove the SSH rule.
B.Use Amazon CloudWatch Events to detect the change and invoke a Lambda function.
C.Use AWS Service Catalog to enforce security group templates.
D.Create an AWS Config rule with an automatic remediation action using AWS Systems Manager Automation.
AnswerD

Config remediation can run an SSM Automation document to remove the rule.

Why this answer

Option A is correct because AWS Config remediation with SSM Automation can automatically modify security group rules. Option B is wrong because AWS Config rules only evaluate, not remediate. Option C is wrong because CloudWatch Events cannot directly modify security groups.

Option D is wrong because Service Catalog is for provisioning, not remediation.

17
MCQeasy

The CloudFormation template in the exhibit deploys an S3 bucket with a bucket policy. After deployment, the DevOps team discovers that the bucket is publicly accessible. Which change should be made to prevent public access while allowing only authenticated users from a specific AWS account to read objects?

A.Enable AWS Organizations to block public access
B.Change the Principal to the AWS account ID of the allowed account
C.Change the Principal to "*" and add a condition for aws:SourceIp
D.Set the bucket's 'BlockPublicAccess' property to true
AnswerB

Restricts access to a specific account.

Why this answer

Option C is correct because restricting the Principal to a specific AWS account prevents public access. Option A is wrong because public access is enabled by Principal "*". Option B is wrong because blocking public access at the account level is an alternative, but the question asks to change the template.

Option D is wrong because blocking public access on the bucket is another approach, but the template change is required.

18
Multi-Selectmedium

A company uses AWS CloudTrail to log API calls. The security team needs to be alerted when an IAM user performs a ConsoleLogin event from an IP address outside the corporate network. Which TWO steps should be taken to achieve this? (Choose TWO.)

Select 2 answers
A.Create a CloudWatch Events rule that matches ConsoleLogin and publishes to an SNS topic.
B.Create an AWS Config rule to detect ConsoleLogin.
C.Configure S3 event notifications on the CloudTrail bucket.
D.Use CloudWatch Logs Insights to query for ConsoleLogin events.
E.Enable CloudTrail to log management events.
AnswersA, E

Real-time alerting based on event pattern.

Why this answer

Option A is correct because CloudTrail logs ConsoleLogin events. Option D is correct because a CloudWatch Events rule can filter for the ConsoleLogin event and check the source IP address, then trigger an SNS notification. Option B is wrong because CloudWatch Logs Insights is used for querying logs, not for real-time alerting.

Option C is wrong because S3 events are not triggered by CloudTrail log delivery. Option E is wrong because Config rules are for resource configuration, not API call events.

19
MCQhard

An application running on an EC2 instance in a private subnet needs to access an S3 bucket. The instance has an IAM role with S3 access. However, the application is failing with timeout errors. The security group allows all outbound traffic, and the NACL allows outbound ephemeral ports. What is the most likely cause?

A.No VPC endpoint for S3
B.Missing route in the route table to an Internet Gateway
C.IAM role does not have correct trust policy
D.Missing HTTP proxy configuration
AnswerA

A VPC endpoint enables private connectivity to S3 from a private subnet.

Why this answer

Option D is correct because a VPC endpoint for S3 (Gateway or Interface) is needed for private subnet access to S3 without NAT. Option A is wrong because the routing table is not typically an issue for S3 access via Internet Gateway. Option B is wrong because the IAM role is already configured.

Option C is wrong because no proxy is required.

20
MCQmedium

Refer to the exhibit. The DevOps engineer runs the commands and sees the output. What is the most likely issue with the instance?

A.The underlying hardware is having issues (system status check failed).
B.The instance is healthy and no issues exist.
C.The instance is stopped.
D.The instance has a failed status check due to OS-level issues.
AnswerA

SystemStatus is impaired, indicating hardware issues.

Why this answer

Option C is correct. The SystemStatus is 'impaired', meaning there is a problem with the underlying physical host (system status check). The instance status is 'ok', so the OS is fine.

Option A is wrong because the instance is running. Option B is wrong because instance status is ok. Option D is wrong because there is a system impairment.

21
Multi-Selectmedium

A company runs a critical application on Amazon ECS with Fargate launch type. During an incident, the DevOps engineer notices that tasks are failing with 'CannotPullContainerError: API error (500)'. Which TWO steps should the engineer take to resolve this issue?

Select 2 answers
A.Attach an EBS volume to the Fargate task for caching.
B.Check that the ECS service role has the required permissions.
C.Ensure that the ECR repository policy allows the task execution role to pull images.
D.Increase the task memory to accommodate the image pull.
E.Verify that the task execution IAM role has the necessary permissions to pull from Amazon ECR.
AnswersC, E

Repository policy may block the pull if not configured correctly.

Why this answer

Options A and C are correct. A is correct because a missing or invalid task execution role can prevent ECS from pulling the image from ECR. C is correct because if the image is in a private ECR repository, the task execution role needs the ecr:GetDownloadUrlForLayer permission.

Option B is wrong because the service role is for load balancer integration, not image pulling. Option D is wrong because Fargate does not support EBS. Option E is wrong because increasing task memory is unrelated to pulling images.

22
MCQmedium

An IAM policy attached to a user is shown in the exhibit. The user reports that they are unable to delete an object in the 'example-bucket' bucket. What is the reason for this?

A.The resource ARN does not match the bucket name
B.The explicit Deny statement overrides the Allow
C.The user does not have permissions to perform s3:DeleteObject
D.The policy has a syntax error
AnswerB

Deny always takes precedence over Allow.

Why this answer

Option B is correct because an explicit Deny overrides any Allow. The Deny action s3:DeleteObject explicitly denies the delete, even though the Allow all s3 actions includes delete. Option A is wrong because the resource ARN matches.

Option C is wrong because the policy allows all s3 actions, but the Deny blocks delete. Option D is wrong because the policy is valid.

23
MCQmedium

A company is using Amazon RDS for MySQL with Multi-AZ deployment. The database experiences a failover due to an availability zone outage. After the failover, the application team reports that the database endpoint is not resolving to the new primary. What is the most likely reason?

A.The RDS CNAME record was not updated by AWS after the failover.
B.The application is using the read replica endpoint instead of the primary endpoint.
C.The application is using a Route 53 health check that failed and redirected traffic away from the endpoint.
D.The application is using a cached DNS resolution that points to the old primary.
AnswerD

DNS caching can cause the old IP to be used until the TTL expires.

Why this answer

Option D is correct because after an RDS Multi-AZ failover, the DNS CNAME record for the DB instance is updated to point to the new primary in the standby AZ. However, if the application or its DNS resolver has cached the previous DNS resolution, it will continue to use the old IP address, which is no longer reachable. This is a common issue that can be resolved by reducing the TTL on the DNS record or implementing retry logic with DNS re-resolution in the application.

Exam trap

The trap here is that candidates may assume AWS automatically handles DNS propagation instantly or that the CNAME record is not updated, but the real issue is client-side DNS caching, which is a common operational oversight in failover scenarios.

How to eliminate wrong answers

Option A is wrong because AWS automatically updates the RDS CNAME record to point to the new primary after a failover; it is not a manual process. Option B is wrong because the read replica endpoint is a separate endpoint used for read-only traffic; using it would not cause the primary endpoint to fail to resolve, and the application team reported the database endpoint is not resolving, not that it is resolving to the wrong instance. Option C is wrong because Route 53 health checks are not used for RDS DNS resolution; RDS uses its own internal DNS system with CNAME records, and Route 53 health checks are typically used for custom domain names pointing to RDS, not for the default RDS endpoint.

24
MCQmedium

A DevOps team uses AWS CodePipeline to deploy a web application. The pipeline has a manual approval step. During an incident, the deployment is stuck at the approval step because the approver is on leave. The team needs to unblock the pipeline quickly. What is the BEST action to take?

A.Update the pipeline definition to remove the manual approval step temporarily.
B.Use the CodePipeline console to approve the action directly as a different user.
C.Disable the transition to the approval stage and manually run the remaining stages.
D.Retry the action in the approval stage from the CodePipeline console.
AnswerD

Retrying resends the approval request to the approver group.

Why this answer

Option C is correct because the pipeline can be manually retried from the approval step, which re-initiates the approval action. Option A is wrong because changing the pipeline definition requires a stack update. Option B is wrong because the console allows approving or rejecting directly.

Option D is wrong because the manual approval is a step, not a stage.

25
MCQhard

A company uses AWS CloudTrail to log API calls. An IAM user's credentials are compromised, and the attacker launches multiple EC2 instances in regions that are not typically used. The security team wants to receive near-real-time notifications of any API calls from this user. What is the MOST effective solution?

A.Create an AWS Config rule that checks for EC2 instances in unauthorized regions
B.Configure CloudTrail to deliver logs to an S3 bucket and enable S3 event notifications to SQS
C.Create a CloudTrail trail that delivers to CloudWatch Logs, then set up a CloudWatch Events rule to invoke a Lambda function that sends an SNS notification
D.Use CloudWatch Logs Insights to query CloudTrail logs every 5 minutes and send results via email
AnswerC

This provides near-real-time notification.

Why this answer

Option A is correct because CloudTrail can send events to CloudWatch Events (now Amazon EventBridge) in near real-time, which can trigger a Lambda function to send notifications. Option B is wrong because CloudWatch Logs Insights is for querying historical logs; C is wrong because S3 events are not near-real-time; D is wrong because Config rules are for configuration compliance, not API call monitoring.

26
MCQeasy

An application running on AWS Lambda is experiencing increased error rates. The DevOps engineer needs to quickly identify the root cause. Which AWS service should the engineer use to analyze the logs and errors?

A.AWS X-Ray
B.AWS Trusted Advisor
C.AWS Config
D.AWS CloudTrail
AnswerA

X-Ray traces requests through Lambda and can pinpoint errors.

Why this answer

Option B is correct because AWS X-Ray provides end-to-end tracing and can identify errors and performance issues in Lambda functions. Option A is wrong because CloudTrail logs API calls, not application errors. Option C is wrong because Config is for resource compliance.

Option D is wrong because Trusted Advisor provides best-practice checks, not real-time error analysis.

27
MCQeasy

A DevOps engineer receives an alert that an Amazon S3 bucket has become publicly accessible. The engineer needs to identify who made the bucket public. Which AWS service should the engineer use to find the API call that changed the bucket policy?

A.Amazon CloudWatch Logs
B.AWS CloudTrail
C.AWS Config
D.Amazon GuardDuty
AnswerB

CloudTrail records API calls with identity.

Why this answer

Option B is correct because CloudTrail records all S3 API calls, including bucket policy changes. Option A is wrong because CloudWatch monitors metrics. Option C is wrong because Config records configuration changes but not the identity.

Option D is wrong because GuardDuty detects threats but doesn't log API calls.

28
MCQeasy

A DevOps team uses AWS Systems Manager Incident Manager to manage incidents. They have configured a response plan that sends notifications to an SNS topic, which triggers an AWS Lambda function to post messages to a Slack channel. Recently, the Slack notifications have stopped working. The CloudWatch logs for the Lambda function show no invocations when an incident is created. The SNS topic has a subscription to the Lambda function, and the Lambda function's resource policy allows invocation from SNS. What is the MOST likely cause?

A.The Lambda function has a reserved concurrency of 0.
B.The response plan is not configured to send notifications to the correct SNS topic ARN.
C.The Lambda function's execution role does not have permission to post to Slack.
D.The SNS topic's access policy does not allow the Incident Manager to publish to it.
AnswerB

If the ARN is incorrect, SNS never receives the message.

Why this answer

Option C is correct because the response plan must have the correct ARN of the SNS topic. Option A is wrong because the logs show no invocations, so the function is not being triggered. Option B is wrong if the function policy allows SNS.

Option D is wrong because the function is not invoked.

29
MCQhard

An organization uses AWS CloudFormation to manage infrastructure. During an incident, a stack update fails with 'UPDATE_ROLLBACK_FAILED' status. The engineer needs to bring the stack to a consistent state without losing data. What is the BEST approach?

A.Use the 'ContinueUpdateRollback' API to skip the resource that caused the failure.
B.Create a new stack from the same template and migrate resources.
C.Manually correct the resource configuration that caused the failure, then perform a stack update.
D.Delete the stack and then recreate it from the same template.
AnswerA

This is the designed method to resolve rollback failures.

Why this answer

The 'ContinueUpdateRollback' API is the best approach because it allows the stack to resume the rollback process, skipping the resource that caused the failure, and bringing the stack to a consistent 'UPDATE_ROLLBACK_COMPLETE' state without manual intervention or data loss. This API is specifically designed for the 'UPDATE_ROLLBACK_FAILED' status, enabling you to skip resources that cannot be rolled back (e.g., due to a non-reversible change) while preserving the rest of the stack's state.

Exam trap

The trap here is that candidates often choose manual correction (Option C) thinking they can fix the resource and retry the update, but they overlook that the stack is in a failed rollback state that blocks further updates until the rollback is resolved, making 'ContinueUpdateRollback' the only viable path to a consistent state without data loss.

How to eliminate wrong answers

Option B is wrong because creating a new stack from the same template and migrating resources is time-consuming, risks data loss during migration, and does not address the immediate need to recover the existing stack to a consistent state. Option C is wrong because manually correcting the resource configuration and then performing a stack update assumes the failure is fixable via a new update, but the stack is stuck in 'UPDATE_ROLLBACK_FAILED' and cannot accept further updates until the rollback is completed or continued; this approach may also lead to configuration drift and potential data loss. Option D is wrong because deleting the stack would destroy all resources, including any data stored in them (e.g., databases, EBS volumes), which violates the requirement to avoid data loss.

30
MCQmedium

A DevOps engineer notices that an EC2 instance running a critical application is unresponsive. CloudWatch alarms for CPU utilization and memory usage did not trigger. The engineer checks the system logs and finds an 'Out of memory: Kill process' error. What is the MOST likely cause of the missed alarms?

A.The CloudWatch agent is not installed or configured to collect memory metrics.
B.The instance is using instance store volumes instead of EBS, which prevents metric collection.
C.The CloudWatch metrics retention period is set to 1 day, so old alarms were deleted.
D.The EC2 instance's root EBS volume is encrypted, blocking CloudWatch agent logs.
AnswerA

Memory metrics require the CloudWatch agent; default monitoring only collects CPU, disk, and network.

Why this answer

Option D is correct because the CloudWatch agent must be configured to collect memory metrics; CPU metrics are collected by default. Option A is wrong because instance store volumes would not affect CloudWatch metrics. Option B is wrong because CloudWatch metrics are stored for 15 months.

Option C is wrong because the root volume size does not prevent metric collection.

31
MCQhard

A company runs a containerized application on Amazon ECS with Fargate launch type. The application experiences periodic spikes in response times. The CloudWatch metrics show high CPU and memory usage for the tasks during these spikes. What is the MOST effective approach to handle these spikes?

A.Use a larger Fargate task size to handle the spikes
B.Increase the CPU and memory limits for the ECS task definition
C.Set up a scheduled scaling action to add tasks during peak hours
D.Configure target tracking scaling policies for the ECS service using CPU or memory utilization
AnswerD

This dynamically scales tasks based on actual utilization.

Why this answer

Option D is correct because using Application Auto Scaling with target tracking based on CPU or memory utilization dynamically adjusts the task count. Option A is wrong because it does not address scaling; B is wrong because it does not scale automatically; C is wrong because it does not use metrics for scaling.

32
MCQmedium

A company runs a containerized application on Amazon ECS with Fargate launch type. The application is behind an Application Load Balancer (ALB). The operations team notices that the ALB's 5xx error rate increases periodically. The ECS service is configured with a target tracking scaling policy based on CPU utilization. The CloudWatch logs from the application show no errors. The health check on the ALB is configured to hit the /health endpoint. What is the MOST likely cause of the 5xx errors?

A.The ECS tasks are running on an underlying host that is being patched.
B.The health check endpoint is returning a 503 status due to a dependency failure.
C.The target tracking scaling policy is not responding quickly enough to traffic spikes.
D.The application is throwing exceptions that are not logged.
AnswerB

If the health check fails, the ALB returns 503.

Why this answer

Option D is correct because if the health check endpoint is not returning a 200 status, the ALB will consider the target unhealthy and return 503. Option A is wrong because scaling based on CPU would not directly cause 5xx. Option B is wrong because Fargate has no OS patching.

Option C is wrong because the application logs show no errors.

33
MCQmedium

An organization uses AWS Systems Manager Incident Manager for incident response. They have created a response plan with an engagement plan that pages the on-call engineer via SMS. The engineer acknowledges the incident but then does not take any further action. What is the BEST way to automate escalation?

A.Manually re-page the on-call engineer with a higher urgency.
B.Use Amazon CloudWatch Events to trigger a second SMS if the incident is not resolved within a time frame.
C.Create an AWS Lambda function that checks the incident status and pages the next responder if no action is taken.
D.Configure an escalation plan in the response plan that pages a secondary contact after a specified timeout.
AnswerD

This is a built-in feature.

Why this answer

Option D is correct because Systems Manager Incident Manager supports escalation plans with timeouts and multiple engagement levels. Option A is wrong because Lambda is not needed. Option B is wrong because CloudWatch Events is not the escalation mechanism.

Option C is wrong because it requires manual re-paging.

34
Multi-Selectmedium

A DevOps engineer is investigating a security incident where an EC2 instance was compromised. The engineer needs to collect forensic data without losing volatile information. Which TWO actions should the engineer take? (Choose two.)

Select 2 answers
A.Detach the EBS volumes and attach them to a forensic instance.
B.Retrieve the instance metadata from the console.
C.Create a snapshot of the attached EBS volumes.
D.Collect a memory dump from the instance before stopping it.
E.Terminate the instance immediately to prevent further access.
AnswersC, D

Snapshot preserves disk state for later analysis.

Why this answer

Option B is correct because taking a snapshot of the EBS volume preserves the disk state for analysis. Option C is correct because collecting memory dump captures volatile data like running processes and network connections. Option A is wrong because terminating the instance destroys evidence.

Option D is wrong because detaching the volume stops the instance, but if the instance is stopped, memory is lost; better to snapshot while running. Option E is wrong because the instance metadata is not volatile and can be retrieved later.

35
MCQeasy

A DevOps engineer is troubleshooting an issue where an EC2 instance running Amazon Linux 2 is not receiving commands from AWS Systems Manager Run Command. The instance has the SSM Agent installed and is running. What should the engineer verify FIRST?

A.Verify the instance has outbound internet access to the SSM endpoints.
B.Confirm the instance's clock is synchronized with NTP.
C.Ensure the SSM Agent is the latest version.
D.Check that the instance has an IAM role with the AmazonSSMManagedInstanceCore policy.
AnswerD

Without the correct IAM role, the instance cannot authenticate with SSM.

Why this answer

Option C is correct because the instance needs an IAM role with the AmazonSSMManagedInstanceCore policy to communicate with Systems Manager. Without it, the SSM Agent cannot call the SSM API. Option A is wrong because the agent is already running.

Option B is wrong because outbound internet access is not strictly required if using VPC endpoints. Option D is wrong because time synchronization is important but not the first thing to check.

36
Multi-Selecthard

A company is experiencing intermittent connectivity issues between an EC2 instance and an RDS database. The EC2 instance is in a public subnet, and the RDS instance is in a private subnet. The security group for the RDS instance allows inbound traffic from the EC2 instance's security group. The network ACLs are default (all traffic allowed). Which THREE steps should the engineer take to troubleshoot the connectivity issue? (Choose THREE.)

Select 3 answers
A.Enable VPC Flow Logs for the subnets involved and analyze logs for dropped packets.
B.Check the network ACL for the private subnet to ensure it allows inbound and outbound traffic for the database port.
C.Check if the RDS security group allows inbound traffic on the database port (e.g., 3306) from the EC2 security group.
D.Verify that the EC2 instance can resolve the RDS endpoint via DNS.
E.Check the RDS security group for any deny rules that might block the EC2 instance.
AnswersA, B, C

Flow Logs can identify blocked traffic.

Why this answer

Option A is correct because VPC Flow Logs capture traffic. Option C is correct because the database port must be open. Option D is correct because NACL rules must allow both inbound and outbound.

Option B is wrong because the issue is not DNS. Option E is wrong because the security group already allows the EC2 security group.

37
MCQhard

An incident response team is analyzing an IAM policy attached to a role used by a forensic tool. The tool needs to create snapshots of EBS volumes during an incident. However, when the tool runs from an IP address in the 203.0.113.0/24 range, the CreateSnapshot API call fails with an access denied error. What is the MOST likely cause?

A.The policy does not grant ec2:CreateSnapshot on specific resource ARNs, only on all resources.
B.The aws:ViaAWSService condition is set to false, but the tool is invoked by an AWS service such as Systems Manager, making the condition evaluate to true and denying access.
C.The Deny statement explicitly denies ec2:DeleteSnapshot, but the error is for CreateSnapshot, so it is unrelated.
D.The source IP address 203.0.113.0/24 is not included in the Condition block, so access is implicitly denied.
AnswerB

If the tool runs via an AWS service, ViaAWSService is true, failing the condition, so the Allow statement does not apply.

Why this answer

The aws:ViaAWSService condition key evaluates to true when an API call is made by an AWS service on behalf of a principal. If the policy sets this condition to false, it denies any call that originates from an AWS service (e.g., Systems Manager Automation). In this scenario, the forensic tool is likely invoked by Systems Manager, causing the condition to evaluate to true and triggering the deny, even though the source IP is allowed.

This explains why CreateSnapshot fails with access denied despite the IP being in the allowed range.

Exam trap

The trap here is that candidates focus on the IP address condition and assume the error is due to an IP mismatch, overlooking the subtle aws:ViaAWSService condition that denies calls made through AWS services even when the source IP is allowed.

How to eliminate wrong answers

Option A is wrong because granting ec2:CreateSnapshot on all resources ("*") would not cause an access denied error; the error is due to a condition key, not resource ARN specificity. Option C is wrong because a deny on ec2:DeleteSnapshot is unrelated to the CreateSnapshot failure; IAM evaluates deny statements independently per action. Option D is wrong because the source IP 203.0.113.0/24 is included in the Condition block (as stated in the question), so implicit denial does not apply; the error is caused by the aws:ViaAWSService condition, not the IP condition.

38
Multi-Selecthard

A DevOps team is investigating a performance issue where an application's response time spiked during a deployment. The deployment used AWS CodeDeploy to update an Auto Scaling group. Which THREE actions should the team take to identify the root cause? (Choose THREE.)

Select 3 answers
A.Review the CodeDeploy deployment logs for errors.
B.Examine application logs on the new EC2 instances launched during the deployment.
C.Review the CodeDeploy deployment group configuration.
D.Check AWS CloudTrail for any unauthorized API calls during the deployment.
E.Compare CloudWatch metrics for the Auto Scaling group before and after the deployment.
AnswersA, B, E

Shows deployment-specific issues.

Why this answer

Option A is correct because CodeDeploy deployment logs provide details of the deployment process. Option B is correct because comparing CloudWatch metrics before and after the deployment can show changes. Option D is correct because application logs from the new instances can reveal errors.

Option C is wrong because CloudTrail logs API calls, not application performance. Option E is wrong because the deployment group configuration is unlikely to change performance directly.

39
Multi-Selecteasy

A company uses Amazon CloudFront to distribute content globally. Users in certain geographic regions report slow load times. Which TWO configurations can improve performance for these users? (Choose TWO.)

Select 2 answers
A.Implement Lambda@Edge to optimize content delivery.
B.Use Amazon ElastiCache to cache content.
C.Switch the origin to a Network Load Balancer.
D.Use additional CloudFront edge locations.
E.Enable S3 Transfer Acceleration on the origin bucket.
AnswersA, D

Custom logic at edge improves performance.

Why this answer

Option A is correct because CloudFront edge locations cache content closer to users. Option C is correct because Lambda@Edge can perform custom processing at edge locations, such as URL rewriting or A/B testing, which can optimize content delivery. Option B is wrong because S3 Transfer Acceleration speeds up uploads, not downloads.

Option D is wrong because a Network Load Balancer is for TCP/UDP traffic, not HTTP/HTTPS content. Option E is wrong because ElastiCache is for database caching, not CDN.

40
Multi-Selecthard

An e-commerce platform uses Amazon DynamoDB as its primary database. During a flash sale, the application experiences throttling errors. The operations team needs to implement a solution to handle sudden traffic spikes while keeping costs under control. Which TWO actions should the team take? (Choose two.)

Select 2 answers
A.Increase the read and write capacity units manually before the sale.
B.Switch from on-demand to provisioned capacity with auto scaling.
C.Implement DynamoDB Accelerator (DAX) to cache read-intensive data.
D.Use application-level retry logic with exponential backoff to handle throttling gracefully.
E.Enable DynamoDB Streams and replicate data to a read replica.
AnswersC, D

DAX reduces read traffic to the table.

Why this answer

Option C is correct because DynamoDB Accelerator (DAX) is an in-memory cache that reduces read latency from milliseconds to microseconds, offloading read requests from the main DynamoDB table. During a flash sale, caching read-intensive data (e.g., product details) with DAX reduces the number of read capacity units consumed, helping to avoid throttling while keeping costs under control by not requiring a permanent increase in provisioned capacity.

Exam trap

The trap here is that candidates often confuse DynamoDB Streams with read replicas, or assume that provisioned capacity with auto scaling is always cost-effective for spikes, when in fact on-demand capacity is designed for unpredictable traffic and avoids the cold-start throttling risk of auto scaling.

41
MCQhard

An IAM policy is attached to a role used by an operations team. The team reports that they are unable to start or stop EC2 instances tagged with Environment=Production. Other instances can be described. What is the MOST likely reason for this failure?

A.The condition key ec2:ResourceTag/Environment is not valid for ec2:StartInstances and ec2:StopInstances.
B.The role does not have permission to describe instances, so the condition cannot be evaluated.
C.The policy's Resource element is set to '*' and must be restricted to specific instance ARNs.
D.The policy does not include the ec2:RebootInstances action.
AnswerA

These actions do not support resource-level conditions; they require request-based conditions.

Why this answer

Option A is correct because the `ec2:ResourceTag` condition key is not supported for the `ec2:StartInstances` and `ec2:StopInstances` actions in IAM policy evaluation. AWS documentation explicitly states that these actions do not support resource-level permissions based on tags; they only support the `ec2:ResourceTag` condition key for certain read-only or tagging actions. Therefore, the condition in the policy cannot be evaluated, causing the operations team to fail when attempting to start or stop Production-tagged instances.

Exam trap

The trap here is that candidates assume all EC2 actions support resource-level condition keys like `ec2:ResourceTag`, but AWS explicitly restricts tag-based conditions to specific actions, and `ec2:StartInstances` and `ec2:StopInstances` are not among them.

How to eliminate wrong answers

Option B is wrong because the team can describe other instances, indicating they have the `ec2:DescribeInstances` permission; the issue is not a lack of describe permission but the unsupported condition key. Option C is wrong because setting the Resource element to '*' is not the cause of the failure; the policy's condition key is the problem, and restricting to specific instance ARNs would not resolve the unsupported condition key issue. Option D is wrong because the `ec2:RebootInstances` action is irrelevant to the failure to start or stop instances; the missing action is not the root cause.

42
Multi-Selecteasy

Which TWO actions should be taken to ensure a highly available and resilient architecture for a critical web application on AWS? (Choose two.)

Select 2 answers
A.Enable Amazon CloudFront with multiple origins.
B.Use an Auto Scaling group to maintain a desired number of instances.
C.Use a Multi-AZ RDS deployment with read replicas.
D.Store backups in a different AWS Region.
E.Deploy the application across multiple Availability Zones.
AnswersB, E

Ensures capacity is maintained even if instances fail.

Why this answer

Correct: A and D. Deploying across multiple Availability Zones provides resilience against AZ failures. Using an Auto Scaling group ensures capacity is maintained.

Option B provides read scalability but not write availability. Option C is for disaster recovery, not immediate availability. Option E is for performance, not availability.

43
MCQhard

A company uses AWS Organizations with multiple accounts. The security team notices that an IAM user in the production account has been making changes to security group rules that are not compliant with the company's policy. The team wants to automatically revoke any non-compliant security group rules and notify the security team. What is the MOST efficient way to achieve this?

A.Create a CloudWatch alarm on the SecurityGroupEvent metric to notify the security team.
B.Apply a Service Control Policy (SCP) that denies changes to security groups in the production account.
C.Set up a CloudTrail trail that logs security group modifications and use Amazon Detective to analyze the changes.
D.Use an AWS Config managed rule to detect non-compliant security group rules, and configure an automatic remediation action with AWS Systems Manager Automation.
AnswerD

This combination allows detection and automatic remediation.

Why this answer

Option D is correct because AWS Config managed rules can continuously evaluate security group rules against a desired policy (e.g., disallowing SSH from 0.0.0.0/0). When a non-compliant change is detected, AWS Config can trigger an automatic remediation action using an AWS Systems Manager Automation document that revokes the offending rule. This provides both detection and automated correction without manual intervention, making it the most efficient solution.

Exam trap

The trap here is that candidates often confuse detective controls (CloudTrail, CloudWatch alarms) with corrective controls (AWS Config remediation), and fail to recognize that SCPs are preventive and cannot selectively revoke existing non-compliant rules.

How to eliminate wrong answers

Option A is wrong because CloudWatch alarms on the SecurityGroupEvent metric can only notify on the occurrence of an event, not automatically revoke the non-compliant rule; it lacks remediation capability. Option B is wrong because Service Control Policies (SCPs) apply to all IAM users and roles in an account and cannot selectively revoke specific security group rules after they are created; SCPs are preventive, not detective or corrective, and would block all security group changes, which may be too restrictive. Option C is wrong because CloudTrail logs and Amazon Detective can analyze changes after the fact but cannot automatically revoke non-compliant rules; they provide visibility and investigation, not automated remediation.

44
Multi-Selecthard

During a security incident, a DevOps engineer discovers that an EC2 instance has been compromised. The instance has an IAM role with permissions to access S3 and DynamoDB. Which THREE immediate actions should the engineer take to contain the incident?

Select 3 answers
A.Terminate the instance immediately
B.Create an AMI of the instance for forensic analysis
C.Stop the EC2 instance
D.Update the security group to deny all inbound and outbound traffic
E.Remove the IAM role from the instance
AnswersC, D, E

Stopping the instance halts any malicious processes.

Why this answer

Option A is correct to stop the instance. Option D is correct to detach the IAM role to prevent further actions. Option E is correct to isolate the instance by modifying the security group.

Option B is wrong because snapshotting may capture malware. Option C is wrong because terminating destroys evidence.

45
Multi-Selecteasy

A DevOps engineer is troubleshooting a failed deployment. The engineer needs to identify the root cause. Which TWO AWS services can provide information about the deployment events and errors? (Choose two.)

Select 2 answers
A.AWS CloudTrail
B.AWS Trusted Advisor
C.AWS Service Catalog
D.Amazon Inspector
E.AWS Config
AnswersA, E

CloudTrail records API calls like CreateStack, UpdateStack, etc.

Why this answer

Option B is correct because AWS CloudTrail records API calls for deployments. Option C is correct because AWS Config provides a history of configuration changes. Option A is wrong because Amazon Inspector is for vulnerability assessment.

Option D is wrong because AWS Trusted Advisor is for cost optimization and best practices. Option E is wrong because AWS Service Catalog is for managing IT service catalogs.

46
Multi-Selectmedium

A company uses Amazon CloudWatch for monitoring. The operations team wants to receive an alert when an EC2 instance's status check fails for 2 consecutive minutes. Which THREE resources should the team configure? (Choose three.)

Select 3 answers
A.CloudWatch Events rule
B.CloudWatch Logs
C.CloudWatch alarm
D.EC2 StatusCheckFailed metric
E.Amazon SNS topic
AnswersC, D, E

Alarm monitors the metric and triggers actions.

Why this answer

Option A is correct because a CloudWatch alarm triggers based on a metric. Option C is correct because the 'StatusCheckFailed' metric is the correct metric to monitor instance health. Option D is correct because an SNS topic is needed to send notifications.

Option B is wrong because CloudWatch Logs is for log data, not metrics. Option E is wrong because CloudWatch Events is for scheduling or event patterns, but not for metric alarms.

47
MCQmedium

A DevOps team observes that an Amazon CloudFront distribution is returning HTTP 504 errors for a small percentage of requests. The origin is an Application Load Balancer (ALB) that distributes traffic to EC2 instances. The team has already checked the ALB's access logs and found that the ALB returns 200 OK for all requests. What should the team investigate NEXT?

A.Check the ALB target group health check settings and ensure instances are healthy.
B.Examine the request headers in CloudFront logs to identify unusual patterns.
C.Review the CloudFront cache hit ratio and optimize caching strategies.
D.Check the ALB's idle timeout settings and compare with CloudFront origin timeout.
AnswerD

If the ALB idle timeout is less than CloudFront's origin timeout, the ALB may close the connection before CloudFront receives the response.

Why this answer

The ALB returns 200 OK for all requests, so the origin itself is not failing. However, HTTP 504 errors from CloudFront typically indicate that the origin (ALB) is not responding within CloudFront's timeout window. The ALB's idle timeout (default 60 seconds) can cause the ALB to close idle connections, while CloudFront's origin timeout (default 30 seconds) is separate.

If the ALB's idle timeout is shorter than the time CloudFront waits for a response, the ALB may close the connection before CloudFront receives the full response, leading to a 504. Option D directly addresses this mismatch.

Exam trap

The trap here is that candidates assume 504 errors always indicate an unhealthy origin, but the ALB logs show 200 OK, so they incorrectly focus on health checks or caching instead of the timeout mismatch between CloudFront and the ALB.

How to eliminate wrong answers

Option A is wrong because the ALB access logs show 200 OK for all requests, meaning the target group health check settings and instance health are not the issue—healthy instances would still produce 200 responses. Option B is wrong because examining request headers in CloudFront logs for unusual patterns would not explain a consistent 504 error when the ALB itself is responding successfully; the issue is at the transport layer, not the application layer. Option C is wrong because a low cache hit ratio would cause more origin requests but not 504 errors; optimizing caching strategies would reduce origin load but not fix a timeout mismatch between CloudFront and the ALB.

48
MCQhard

A company uses Amazon RDS for MySQL with Multi-AZ deployment. The database experiences a sudden spike in connections, causing some application requests to fail with 'Too many connections' errors. The DevOps team needs to automate a response to this incident. What is the MOST effective solution?

A.Enable Multi-AZ to distribute the load across two instances.
B.Create a CloudWatch alarm on the DatabaseConnections metric to trigger a Lambda function that increases the max_connections parameter.
C.Use Amazon RDS Proxy to pool and share database connections.
D.Use an Auto Scaling policy to increase the RDS instance size.
AnswerB

This automates the response to increase the connection limit when spikes occur.

Why this answer

Option D is correct because the issue is a connection spike that exceeds the max_connections parameter. Using a CloudWatch alarm on 'DatabaseConnections' to invoke a Lambda function that modifies the DB parameter group (requires reboot or apply immediately) can increase the limit. Option A is wrong because scaling storage does not increase max_connections.

Option B is wrong because Multi-AZ is for high availability, not scaling connections. Option C is wrong because RDS Proxy manages connection pooling but does not change the max_connections limit; it would have been a preventive measure.

49
Multi-Selectmedium

A company uses AWS Lambda with an Amazon DynamoDB trigger. Recently, the Lambda function started failing with 'ProvisionedThroughputExceededException' errors. The DevOps team needs to mitigate the issue. Which TWO actions should the team take? (Choose TWO.)

Select 2 answers
A.Increase the Lambda function's reserved concurrency
B.Disable DynamoDB Streams on the table
C.Enable DynamoDB Accelerator (DAX) for the table
D.Increase the DynamoDB table's write capacity
E.Reduce the batch size for the DynamoDB stream event source mapping
AnswersD, E

More capacity reduces throttling.

Why this answer

Option B is correct because increasing DynamoDB write capacity reduces throttling. Option D is correct because reducing the batch size lowers the number of writes per invocation. Option A is wrong because Lambda concurrency is not the issue; DynamoDB is throttling.

Option C is wrong because DynamoDB Streams is required for the trigger; disabling it stops the trigger. Option E is wrong because enabling DynamoDB Accelerator (DAX) is for reads, not writes.

50
Drag & Dropmedium

Drag and drop the steps to implement a blue/green deployment using AWS CodeDeploy.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

First create the application and deployment group, then configure blue/green settings, then deploy, then validate, then reroute traffic.

51
MCQeasy

A company uses Amazon CloudFront to serve static content from an S3 bucket. Users report that they see outdated content even after the engineer has updated the files in the S3 bucket. What should the engineer do to ensure users see the latest content?

A.Create an invalidation for the updated file paths.
B.Change the S3 bucket policy to allow public access.
C.Reduce the TTL for the CloudFront distribution.
D.Delete and recreate the CloudFront distribution.
AnswerA

Invalidation removes cached content, forcing CloudFront to fetch the latest from origin.

Why this answer

Option C is correct because creating a CloudFront invalidation removes cached objects from edge locations. Option A is wrong because TTL settings affect how long content is cached, but invalidation is immediate. Option B is wrong because invalidating the entire distribution is not necessary; a path-specific invalidation works.

Option D is wrong because changing S3 bucket policy does not affect cache.

52
MCQeasy

A DevOps engineer receives a CloudWatch alarm that an EC2 instance's CPU utilization has exceeded 90% for 10 minutes. The instance hosts a critical web application. What is the MOST appropriate immediate response to mitigate performance impact?

A.Reboot the EC2 instance to clear any temporary processes.
B.Place the instance into an Auto Scaling group with a scale-out policy based on CPU utilization.
C.Create a new AMI from the instance and launch a new larger instance.
D.Stop the instance and change its type to a larger instance size.
AnswerB

Auto Scaling can automatically launch new instances to distribute the load.

Why this answer

Option A is correct because adding the instance to an Auto Scaling group with a scaling policy to launch additional instances can handle increased load. Option B is wrong because rebooting causes downtime and does not address the root cause of high CPU. Option C is wrong because increasing the instance size manually requires a stop and start, causing downtime.

Option D is wrong because creating a new AMI and launching a new instance is time-consuming and not immediate.

53
MCQeasy

An application running on Amazon EC2 instances behind an Application Load Balancer (ALB) is experiencing intermittent 503 errors. The target group health checks are failing. The DevOps engineer checks the instance logs and finds that the application is running but taking longer than 30 seconds to respond. What is the MOST likely cause?

A.The Auto Scaling group's scaling policy is too aggressive, causing frequent instance replacements.
B.The security group for the ALB does not allow inbound traffic from the internet.
C.The health check timeout is set too low, causing the ALB to mark instances unhealthy.
D.The EC2 instances are running out of memory and the application is crashing.
AnswerC

If the application responds slowly, health checks may timeout.

Why this answer

Option B is correct because ALB health checks have a configurable timeout; if the response takes longer than the timeout, the health check fails, causing 503 errors. Option A is wrong because security groups typically do not cause intermittent failures. Option C is wrong because the application is running, so it is not crashing.

Option D is wrong because scaling policies do not directly cause 503 errors.

54
MCQmedium

A company uses AWS CloudTrail to monitor API activity. The security team notices that an IAM user 'dev-user' deleted an S3 bucket. They need to quickly identify the source IP address of the delete request. Which CloudTrail feature should they use to find this information?

A.Use CloudTrail Lake to query the event and extract the IP address from the userIdentity field.
B.Check S3 server access logs for the bucket deletion event.
C.Enable CloudTrail Insights to analyze unusual activity.
D.Search the CloudTrail event history for the delete event and review the sourceIPAddress field.
AnswerD

CloudTrail event history includes the sourceIPAddress field in the event record.

Why this answer

Option B is correct because CloudTrail event history includes the sourceIPAddress field in the event record, which directly provides the IP address from which the API call was made. Option A is wrong because CloudTrail Insights detects unusual activity but does not provide the IP address for individual events. Option C is wrong because CloudTrail Lake is used for aggregating and querying trails but the source IP is still found in the event record.

Option D is wrong because S3 server access logs are separate from CloudTrail and do not capture IAM user activity.

55
Multi-Selecthard

A company uses AWS Organizations with multiple accounts. The security team needs to ensure that all CloudTrail trails across the organization are delivering events to a centralized S3 bucket in the management account. Currently, some member accounts have their own trails. Which THREE steps should the security team take to enforce this? (Choose three.)

Select 3 answers
A.Manually disable CloudTrail in each member account.
B.Create an organization trail in the management account that applies to all accounts.
C.Use AWS Config rules to detect non-compliant trails and trigger automatic remediation.
D.Enable CloudTrail on the centralized S3 bucket to log access.
E.Use a service control policy (SCP) to deny the 'cloudtrail:CreateTrail' and 'cloudtrail:UpdateTrail' actions.
AnswersB, D, E

Organization trails automatically apply to all accounts in the organization.

Why this answer

Option A is correct because creating an organization trail in the management account will automatically apply to all accounts. Option B is correct because enabling CloudTrail on the S3 bucket ensures logs are delivered. Option D is correct because SCP can deny the ability to create or modify trails, preventing member accounts from creating separate trails.

Option C is wrong because disabling CloudTrail in member accounts is manual and not scalable. Option E is wrong because Config rules can detect but not prevent.

56
MCQhard

A DevOps team applies the above IAM policy to a group. A developer in this group tries to upload an object to the S3 bucket using the AWS CLI without specifying any encryption. The upload fails with an AccessDenied error. Why does the upload fail?

A.The Allow statement's condition is satisfied, but the Deny statement is evaluated first and denies the request.
B.The Allow statement requires encryption to be AES256, but the CLI defaults to SSE-S3, which is not AES256.
C.The Deny statement explicitly denies PutObject when encryption is not AES256, overriding the Allow.
D.The Deny statement's condition is not met because the request does not include encryption headers.
AnswerC

Explicit Deny always overrides Allow.

Why this answer

Option A is correct because the Deny statement explicitly denies PutObject if encryption is not AES256. The Allow statement only allows if AES256 is specified. Since no encryption is specified, the condition in the Deny statement (StringNotEquals AES256) is true, causing a deny.

Option B is wrong because the Allow statement's condition is not met, so it does not grant permission. Option C is wrong because the Deny statement explicitly matches the condition. Option D is wrong because explicit Deny overrides Allow.

57
MCQeasy

A company uses AWS CloudFormation to deploy infrastructure. A stack update fails with the error 'UPDATE_ROLLBACK_FAILED'. What should the engineer do to resolve this?

A.Retry the stack update with the same parameters.
B.Delete the stack and recreate it.
C.Ignore the error and continue using the stack.
D.Use the 'ContinueUpdateRollback' operation to fix the resource that caused the failure.
AnswerD

This operation allows CloudFormation to complete the rollback.

Why this answer

Option B is correct because a rollback failure indicates that CloudFormation could not undo some changes. Continuing the rollback process or manually fixing the resource allows the stack to reach a consistent state. Option A is wrong because deleting the stack may cause data loss.

Option C is wrong because ignoring may leave the stack in an inconsistent state. Option D is wrong because updating again may compound the issue.

58
MCQmedium

An application running on Amazon ECS Fargate is experiencing intermittent 'CannotPullContainerError' errors. The task definition references a Docker image in a private Amazon ECR repository. The task execution role has the 'AmazonECSTaskExecutionRolePolicy' policy attached. What is the most likely cause?

A.The Fargate task is in a private subnet without a NAT gateway or VPC endpoint
B.The task execution role does not have sufficient permissions
C.The ECS service is not configured with Auto Scaling
D.The ECR repository is not in the same region as the ECS cluster
AnswerA

Fargate tasks need internet access or VPC endpoints to pull images from ECR.

Why this answer

Option C is correct because the task execution role needs permission to pull images; 'AmazonECSTaskExecutionRolePolicy' includes ecr:GetAuthorizationToken and ecr:BatchCheckLayerAvailability etc., so it should work. However, if the image is in a different account, the repository policy may not allow cross-account pulls. But among options, D is plausible.

Actually, re-evaluate: The policy includes necessary permissions, so likely it's a networking issue. Option A is wrong because the policy does allow. Option B is wrong because ECR does not use VPC endpoints by default.

Option C is correct if the subnet has no route to ECR. Option D is wrong because Auto Scaling does not affect image pulling.

59
Multi-Selecteasy

A DevOps engineer is designing an incident response plan for a serverless application using AWS Lambda, API Gateway, and DynamoDB. Which TWO services should be used to monitor and alert on errors and latency?

Select 2 answers
A.Amazon GuardDuty
B.Amazon CloudWatch
C.AWS X-Ray
D.AWS Config
E.AWS CloudTrail
AnswersB, C

CloudWatch provides metrics, logs, and alarms for Lambda and API Gateway.

Why this answer

Option A (CloudWatch) provides metrics and alarms. Option D (X-Ray) provides tracing for latency. Option B is wrong because CloudTrail records API calls but not latency.

Option C is wrong because Config monitors configuration changes. Option E is wrong because GuardDuty is for security threats.

60
MCQhard

A company runs a multi-tier web application on AWS. The application consists of an Application Load Balancer (ALB), an EC2 Auto Scaling group (ASG) for web servers, and an Amazon RDS Multi-AZ DB instance. The ASG uses a launch template with Amazon Linux 2 and a user data script that installs the web application and connects to the RDS database using a static password stored in the user data. Recently, the security team discovered that the user data script is exposed in the EC2 console and could be viewed by anyone with EC2 describe-instances permissions. The team wants to remediate this immediately without causing downtime. The ASG is configured with a min size of 2, max size of 6, and desired capacity of 4. The application is currently under load. Which option describes the best course of action?

A.Create a new launch template version that retrieves the password from AWS Secrets Manager. Update the ASG to use the new template version and perform an instance refresh with a minimum healthy percentage of 100%.
B.Immediately modify the user data on each running EC2 instance to remove the password, then update the launch template to reference AWS Secrets Manager.
C.Update the existing launch template to use AWS Secrets Manager for the database password. The ASG will automatically apply the change to existing instances.
D.Delete the existing launch template and create a new one with secrets from AWS Secrets Manager. Then terminate all running instances and let the ASG launch new ones.
AnswerA

D is correct because it removes the password from the template, uses Secrets Manager for security, and performs a rolling update without downtime.

Why this answer

Option A is correct because it uses an instance refresh with a minimum healthy percentage of 100% to replace instances without downtime, while the new launch template version retrieves the password from AWS Secrets Manager, eliminating the static password exposure. This approach ensures that the security vulnerability is remediated immediately without disrupting the running application under load.

Exam trap

The trap here is that candidates assume updating the launch template automatically propagates to existing instances, but in reality, the ASG only applies the launch template to new instances, so an instance refresh or manual replacement is required to remediate existing instances.

How to eliminate wrong answers

Option B is wrong because modifying user data on running instances does not change the launch template, so any new instances launched by the ASG will still use the exposed static password; also, manually editing instances is not scalable and risks configuration drift. Option C is wrong because updating the launch template does not automatically apply changes to existing instances; the ASG only uses the launch template for new instances, so existing instances remain vulnerable until replaced. Option D is wrong because terminating all running instances at once would cause downtime, violating the requirement to avoid disruption, and the ASG would launch replacements based on the new template, but the immediate termination is not safe under load.

61
MCQmedium

Refer to the exhibit. A CloudWatch alarm is configured for an EC2 instance. The CPU utilization exceeds 80% for two consecutive minutes. What action will occur?

A.No action will be taken because the period is 60 seconds.
B.The instance will be recovered.
C.The instance will be rebooted.
D.The instance will be stopped.
AnswerB

Alarm triggers instance recovery.

Why this answer

Option C is correct because the alarm action is 'ec2:recover', which initiates instance recovery. Option A is wrong because the action is recover, not reboot. Option B is wrong because the alarm does not stop the instance.

Option D is wrong because the alarm evaluates every 60 seconds, not 2 minutes as a total period.

62
MCQhard

A critical application is deployed on Amazon EKS. The DevOps team notices that pods are failing with 'CrashLoopBackOff' status. The team needs to capture the application logs before the pod restarts to debug the issue. Which approach should the team use?

A.Use 'kubectl logs' command immediately after the crash
B.Configure a sidecar container to stream logs to Amazon CloudWatch Logs
C.Store logs in a ConfigMap
D.Use 'kubectl exec' to access the container and check logs
AnswerB

Sidecar streams logs continuously, even if main container crashes.

Why this answer

Option B is correct because configuring a sidecar container to stream logs to Amazon CloudWatch Logs ensures that logs are persisted and available for debugging even if the pod crashes and restarts. This approach decouples log collection from the pod's lifecycle, allowing the DevOps team to analyze logs from the crash without needing to capture them in real-time. It aligns with the incident response best practice of centralized logging for ephemeral environments like EKS.

Exam trap

The trap here is that candidates assume 'kubectl logs' can always capture logs from a crashed pod, but they overlook that CrashLoopBackOff causes the container to restart, overwriting previous logs in the default Kubernetes logging setup (which only retains logs for the current container instance).

How to eliminate wrong answers

Option A is wrong because 'kubectl logs' retrieves logs from the current container instance, and after a crash and restart, the logs from the previous instance are lost unless the container has a logging driver that persists them; in a CrashLoopBackOff scenario, the pod may restart before logs can be captured. Option C is wrong because ConfigMaps are designed for storing configuration data (e.g., environment variables, configuration files), not for dynamic application logs, and they have a size limit of 1 MiB, making them impractical for log storage. Option D is wrong because 'kubectl exec' requires a running container to execute commands, and in a CrashLoopBackOff state, the container may be in a crash loop or not running, making exec inaccessible.

63
Multi-Selecthard

A security team is investigating a potential data exfiltration from an S3 bucket. They need to identify which IAM user accessed a specific object and whether the access was from a known IP address. Which THREE AWS services or features should they use together to conduct this investigation?

Select 3 answers
A.AWS Config
B.VPC Flow Logs
C.AWS CloudTrail
D.S3 server access logs
E.Amazon Athena
AnswersC, D, E

Logs all S3 API calls including GetObject.

Why this answer

Options A, B, and D are correct. A is correct because AWS CloudTrail logs S3 API calls including GetObject. B is correct because S3 server access logs provide detailed object-level access logs including requester, IP, and object key.

D is correct because Amazon Athena can query both CloudTrail logs and S3 access logs efficiently. Option C is wrong because AWS Config records resource configuration, not data access. Option E is wrong because VPC Flow Logs capture network traffic but not S3 object-level access.

64
MCQmedium

A company stores sensitive data in Amazon S3. A security audit reveals that several S3 buckets are publicly accessible. The DevOps engineer needs to implement a solution that automatically detects and alerts on any S3 bucket that becomes public. Which AWS service should the engineer use?

A.Amazon Macie
B.S3 Block Public Access
C.AWS Trusted Advisor
D.AWS Config
AnswerA

Macie can detect and alert on public buckets.

Why this answer

Option C is correct because Amazon Macie uses machine learning to discover, classify, and protect sensitive data, and it can alert on public buckets. Option A is wrong because AWS Trusted Advisor checks for public buckets but does not provide real-time alerts. Option B is wrong because S3 Block Public Access is a preventive control, not detective.

Option D is wrong because AWS Config can track bucket policies but does not automatically alert on public access.

65
MCQhard

A company runs a multi-tier web application on EC2 instances behind an Application Load Balancer. The application experiences intermittent 503 errors during peak traffic. The Auto Scaling group is configured with a step scaling policy based on CPU utilization. CloudWatch metrics show that CPU utilization never exceeds 70%, but the ALB target group reports that some targets are unhealthy. What is the MOST likely cause?

A.The application health check endpoint is returning HTTP 5xx or timing out.
B.The ALB is misconfigured with an incorrect security group blocking traffic to the targets.
C.The ALB connection draining settings are too short, causing in-flight requests to fail.
D.The step scaling policy is too aggressive and is terminating instances prematurely.
AnswerA

Unhealthy targets cause the ALB to stop routing traffic, leading to 503 errors for users.

Why this answer

Option A is correct because health checks are failing, causing the ALB to stop sending traffic to those instances, which results in 503 errors. The CPU utilization might be low because the unhealthy instances are not receiving traffic. Option B is wrong because if the scaling policy were too aggressive, you'd see more instances and possibly lower CPU, not 503 errors.

Option C is wrong because connection draining does not cause health check failures. Option D is wrong because the application itself is failing health checks, not the ALB configuration.

66
Multi-Selecteasy

A DevOps engineer is troubleshooting a Lambda function that is timing out. Which TWO actions should the engineer take to diagnose the issue?

Select 2 answers
A.Set reserved concurrency to 1 to isolate the function.
B.Increase the function timeout in the Lambda configuration.
C.Check the VPC configuration for the Lambda function.
D.Increase the function memory allocation.
E.Review the function's CloudWatch Logs for timeout errors.
AnswersB, E

Increasing timeout can help if the function is close to completing.

Why this answer

Option A is correct because increasing timeout may allow the function to complete. Option D is correct because CloudWatch Logs show execution details and errors. Option B is wrong because memory allocation doesn't directly affect timeout.

Option C is wrong because VPC configuration is not directly related to timeout unless network issues. Option E is wrong because reserved concurrency affects scaling, not timeout.

67
MCQmedium

An application runs on EC2 instances behind an ALB. Users report intermittent 503 errors. The engineer checks ALB metrics and sees 'SurgeQueueLength' increasing periodically. What is the most likely cause?

A.The application instances are not able to process requests quickly enough, causing the request queue to back up.
B.The target group health checks are failing, causing the ALB to route traffic to unhealthy instances.
C.The SSL certificate on the ALB has expired.
D.The ALB security group is blocking traffic from the clients.
AnswerA

Slow processing leads to queue buildup and eventual 503 errors.

Why this answer

Option B is correct because a high SurgeQueueLength indicates that the ALB is receiving more requests than the instances can handle, and the queue is filling up, leading to 503 errors when the queue overflows. Option A is wrong because unhealthy hosts would cause errors but not necessarily an increasing queue. Option C is wrong because a misconfigured security group would block traffic entirely.

Option D is wrong because an SSL certificate issue would cause TLS errors, not 503.

68
Drag & Dropmedium

Drag and drop the steps to troubleshoot an AWS CloudTrail that is not logging API calls.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

First verify CloudTrail is enabled, then check bucket policy, then check integrity, then check IAM role, then test.

69
MCQeasy

A company uses Amazon RDS for MySQL and has enabled automated backups. The database administrator accidentally deleted a critical row from a table. The deletion occurred 15 minutes ago. What is the fastest way to recover the lost data?

A.Perform a Point-in-Time Restore to a time just before the deletion.
B.Use the RDS console to undo the last transaction.
C.Use the binary log to replay transactions before the deletion.
D.Create a manual snapshot of the current instance and restore it.
AnswerA

Fastest AWS-native method to recover to a specific point.

Why this answer

Option C is correct because Point-in-Time Restore (PITR) allows restoring to any time within the backup retention period, down to the second. Option A is wrong because a manual snapshot from before the deletion would need to be created, which is slower. Option B is wrong because the binlog contains changes, but replaying requires manual effort and is not the fastest AWS-native method.

Option D is wrong because RDS does not have a native 'undo' feature.

70
MCQmedium

A company uses AWS Lambda functions to process messages from an Amazon SQS queue. The Lambda function is configured with a reserved concurrency of 5. The SQS queue has a large backlog of messages, and the Lambda function is processing them slowly. The DevOps team wants to increase throughput without making changes to the Lambda code. The team decides to increase the reserved concurrency to 10. However, after the change, the Lambda function starts to experience throttling errors (RateExceeded). The team also notices that other Lambda functions in the same account are also being throttled. What is the MOST likely cause?

A.The SQS queue's polling interval is too high, causing Lambda to poll infrequently.
B.The account's Lambda concurrency limit has been reached due to the increased reserved concurrency.
C.The Lambda function's execution role does not have permission to invoke the function.
D.The SQS queue's visibility timeout is too short, causing messages to be processed multiple times.
AnswerB

Reserved concurrency consumes from the account limit.

Why this answer

Option B is correct because the account-level Lambda concurrency limit may be reached. Increasing reserved concurrency for one function reduces the pool available for others. Option A is wrong because SQS batch size does not cause throttling.

Option C is wrong because SQS polling interval is controlled by Lambda. Option D is wrong because IAM permissions would cause access denied errors, not throttling.

71
MCQmedium

A company uses AWS CloudTrail to audit API activity. During an incident investigation, they find that a user with the IAM policy 'AdministratorAccess' deleted an S3 bucket. The security team wants to know the source IP address and user agent used for the delete operation. Which action should the team take to obtain this information?

A.View the CloudTrail event history for the delete-bucket event.
B.Check the S3 server access logs for the deleted bucket.
C.Use CloudWatch Logs to search for the event in the CloudTrail log group.
D.Query AWS Config to find the configuration item for the bucket deletion.
AnswerA

D is correct because CloudTrail event history contains the source IP address and user agent for each API call.

Why this answer

CloudTrail event history captures all management events, including DeleteBucket, and records the source IP address and user agent for each API call. By viewing the event history for the specific delete-bucket event, the security team can directly retrieve the required metadata without needing additional log sources or configurations.

Exam trap

The trap here is that candidates confuse S3 server access logs (which log object-level operations) with CloudTrail management events, leading them to incorrectly choose option B for a bucket deletion that is a management API call.

How to eliminate wrong answers

Option B is wrong because S3 server access logs record object-level requests (e.g., GET, PUT, DELETE on objects), not management-level API calls like DeleteBucket, and they do not capture the user agent or IAM user identity. Option C is wrong because CloudTrail does not automatically deliver events to a CloudWatch Logs log group unless a specific trail is configured with CloudWatch Logs integration; the default event history is not searchable via CloudWatch Logs. Option D is wrong because AWS Config records configuration changes to resources (e.g., bucket existence), but it does not capture the source IP address or user agent of the API call that triggered the change.

72
MCQhard

A company runs a critical application on a fleet of EC2 instances managed by an Auto Scaling group. The application generates logs that are sent to CloudWatch Logs using the CloudWatch agent. Recently, the operations team noticed that some instances are missing logs for certain periods. The CloudWatch agent is configured to batch log events and send them every 5 seconds. The instances have high CPU utilization (90%+) during the missing periods. The DevOps engineer suspects that the agent is being throttled or failing. Which of the following is the MOST likely cause and the BEST course of action?

A.The network bandwidth is saturated, causing log delivery to fail. Increase instance network performance.
B.The CloudWatch Logs retention policy is set to 1 day, so older logs are deleted. Increase retention.
C.The CloudWatch agent is being starved of CPU resources, causing it to drop logs. Increase the CPU credits or instance size.
D.The instances are running out of disk space, preventing log buffering. Add more EBS volume space.
AnswerC

High CPU can prevent the agent from processing log batches in time.

Why this answer

Option A is correct because high CPU utilization can cause the CloudWatch agent to miss its scheduled batch upload, leading to log loss. Option B is wrong because disk space issues would cause different symptoms (disk full errors). Option C is wrong because the log group retention does not cause missing logs.

Option D is wrong because network bandwidth, while possible, is less likely than CPU starvation given the high CPU utilization.

73
Multi-Selecthard

A DevOps team is troubleshooting an application that occasionally throws 'Connection reset by peer' errors when connecting to an RDS MySQL instance. The errors are intermittent and seem to correlate with high traffic. Which TWO steps should the team take to diagnose the issue?

Select 2 answers
A.Check the RDS error log for messages about connection timeouts or aborted connections.
B.Increase the max_connections parameter in the DB parameter group.
C.Enable Multi-AZ deployment to provide a standby instance.
D.Enable Performance Insights to analyze database load and find bottlenecks.
E.Review the security group rules to ensure the application can connect.
AnswersA, D

Error logs can show why connections are being reset.

Why this answer

Option B is correct because RDS performance insights can show database load and identify if connections are being dropped. Option E is correct because checking the RDS error log can reveal connection-related errors. Option A is wrong because increasing max_connections may not help if the issue is resource contention.

Option C is wrong because enabling Multi-AZ does not fix connection resets. Option D is wrong because security group changes are unlikely to be the cause of intermittent resets.

74
MCQeasy

A company uses Amazon RDS for MySQL with Multi-AZ deployment. The application experiences increased latency during peak hours. The DevOps engineer investigates and notices that the Read Replicas are not being utilized effectively. The application is configured to use the primary database endpoint. The engineer wants to offload read traffic to the Read Replicas without changing the application code. What is the BEST solution?

A.Increase the instance size of the primary database to handle the load.
B.Modify the application to use separate endpoints for read and write operations.
C.Create a new Multi-AZ cluster with a read-only endpoint.
D.Configure Amazon RDS Proxy in front of the database and enable read/write splitting.
AnswerD

RDS Proxy can automatically route read queries to Read Replicas.

Why this answer

Option A is correct because Amazon RDS Proxy provides connection pooling and can direct read/write traffic appropriately. Option B is wrong because it requires code changes. Option C is wrong because there is no such thing as a read-only endpoint for a Multi-AZ cluster.

Option D is wrong because it does not offload read traffic.

75
MCQeasy

A company uses Amazon CloudFront to serve static content from an S3 bucket. Users report that they see outdated content even after the engineer invalidated the CloudFront cache. What is the MOST likely reason?

A.The origin is an Application Load Balancer that returns stale content.
B.The invalidation has not propagated to all edge locations.
C.The S3 bucket policy does not allow CloudFront to access the updated objects.
D.The CloudFront distribution has a default TTL of 86400 seconds set.
AnswerB

Invalidations take time to propagate globally.

Why this answer

Option B is correct because by default, CloudFront does not invalidate objects in edge locations immediately; invalidation requests can take minutes to complete. Also, users may be hitting a different edge location that still has cached content. Option A is wrong because S3 bucket policies do not affect cache.

Option C is wrong because TTL settings affect how long content is cached, but invalidation should override that. Option D is wrong because the origin is S3, not an ALB.

Page 1 of 4 · 254 questions totalNext →

Ready to test yourself?

Try a timed practice session using only Incident Response questions.