CCNA Monitoring Logging Questions


226
MCQ · easy

A company runs a production web application on Amazon EC2 instances that are part of an Auto Scaling group. The instances are behind an Application Load Balancer. The DevOps team has enabled detailed CloudWatch metrics and set up a CloudWatch dashboard to monitor the application. Recently, the team noticed that the CPU Utilization metric for the Auto Scaling group shows a spike every day at 2:00 PM, but the application performance remains normal. The team wants to investigate the cause of the CPU spike. What should the team do FIRST to identify the root cause?

A. Enable AWS CloudTrail to log all API calls to the instances.
B. Use CloudWatch Logs Insights to query the application logs on the instances to identify any scheduled tasks or jobs running at 2:00 PM.
C. Disable any scheduled tasks on the instances to see if the spike stops.
D. Increase the instance size to provide more CPU capacity to handle the spike.
Answer: B

Logs Insights allows querying logs from EC2 instances, which can reveal scheduled tasks causing CPU spikes.

Why this answer

Option A is correct because CloudWatch Logs Insights can query instance logs to identify processes causing high CPU. Option B is wrong because increasing instance size is not a first step for investigation. Option C is wrong because a cron job may be the cause, but the first step is to check logs.

Option D is wrong because CloudTrail logs API calls, not CPU usage.

227
Multi-Select · medium

A DevOps engineer is designing a monitoring solution for a multi-account AWS environment using AWS Organizations. The solution must collect logs from all accounts into a centralized Amazon S3 bucket for analysis. Which THREE steps are required to set up this centralized logging?

Select 3 answers
A. Enable VPC Flow Logs for all VPCs in every account and send them to the centralized bucket
B. Create an S3 bucket in the central logging account with bucket policies allowing cross-account writes
C. Enable AWS CloudTrail in each account and configure it to deliver logs to the centralized S3 bucket
D. Set up Amazon Kinesis Data Streams in the central account to ingest logs from all accounts
E. Configure Amazon CloudWatch Logs subscription filters to stream logs from each account to the centralized S3 bucket via Kinesis Data Firehose
Answers: B, C, E

The bucket must allow other accounts to write logs.

Why this answer

Options A, B, and D are correct: creating a log archive bucket with appropriate cross-account permissions, enabling CloudTrail in all accounts with the same S3 bucket, and configuring CloudWatch Logs to export to the centralized bucket. Option C is wrong because VPC Flow Logs are not required for all accounts.

Option E is wrong because Kinesis is not necessary; S3 is sufficient.

228
MCQ · easy

A company is using Amazon RDS for MySQL and wants to monitor database connections. They need to set up an alarm when the number of connections exceeds 80% of the maximum connections for more than 5 minutes. Which CloudWatch metric and statistic should be used?

A. DatabaseConnections metric with Maximum statistic
B. DatabaseConnections metric with Average statistic
C. DatabaseConnections metric with Sum and then divide by the number of data points
D. DatabaseConnections metric with Sum statistic
Answer: B

Average of DatabaseConnections over 5 minutes gives a good indication of sustained connection usage.

Why this answer

Option B is correct because the Average statistic of the DatabaseConnections metric over a 5-minute period provides a smoothed representation of connection usage, which is appropriate for detecting sustained breaches of the 80% threshold. Using Average reduces sensitivity to transient spikes, ensuring the alarm triggers only when the average number of connections remains above the threshold for the entire evaluation period, aligning with the requirement of 'more than 5 minutes'.

Exam trap

The trap here is that candidates often choose Maximum because they think it is the most conservative for detecting high usage, but they overlook that the requirement is for sustained breaches over 5 minutes, not instantaneous spikes, making Average the correct choice for avoiding false alarms.

How to eliminate wrong answers

Option A is wrong because the Maximum statistic captures the highest single data point within the period, which would trigger alarms on brief spikes even if the average stays below 80%, causing false positives. Option C is wrong because dividing the Sum by the number of data points is mathematically equivalent to the Average statistic, but this approach is unnecessarily complex and not a standard CloudWatch metric statistic; CloudWatch directly supports Average. Option D is wrong because the Sum statistic aggregates the total number of connections over the period, which is not meaningful for comparing against a percentage of maximum connections—Sum values scale with the number of data points and do not represent a per-moment connection count.

229
MCQ · medium

A company uses AWS Lambda functions to process incoming events. The DevOps team notices that some functions are timing out after 30 seconds, but the configured timeout is 1 minute. They want to capture the actual invocation duration for all invocations to analyze performance. What is the most efficient way to achieve this?

A. Add custom metrics using the AWS SDK within the Lambda function code to record the duration.
B. Configure Amazon Kinesis Data Streams to receive Lambda invocation records and compute duration using a consumer application.
C. Enable detailed CloudWatch Logs for the Lambda functions and parse the 'REPORT' log entries to extract the 'Duration' value.
D. Use AWS CloudTrail to capture Lambda execution events and analyze the 'duration' field.
Answer: C

Lambda automatically logs duration in the REPORT line; parsing these logs is efficient.

Why this answer

Option C is correct because Lambda automatically writes a REPORT log entry to CloudWatch Logs at the end of each invocation, which includes the exact 'Duration' in milliseconds. Parsing these logs is the most efficient approach since it requires no code changes, no additional infrastructure, and leverages existing logging with no extra cost beyond standard CloudWatch Logs ingestion.

Exam trap

The trap here is that candidates may confuse CloudTrail's 'duration' field (which measures API call latency) with the actual function execution duration, leading them to incorrectly select option D.

How to eliminate wrong answers

Option A is wrong because adding custom metrics via the AWS SDK within the function code requires modifying every function, introduces latency from SDK calls, and incurs additional CloudWatch custom metrics costs, making it less efficient than using built-in logs. Option B is wrong because configuring Kinesis Data Streams to receive invocation records is overly complex and costly; Lambda does not natively send invocation records to Kinesis, and building a consumer application to compute duration from streamed data is far less efficient than parsing existing logs. Option D is wrong because CloudTrail captures API calls (e.g., Invoke actions) but does not record the actual function execution duration; the 'duration' field in CloudTrail events refers to the API call latency, not the function's runtime.
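Parsing the REPORT entries described above, as an added example that is not part of the original question bank. The log lines are constructed, and the `slow_ms` threshold and the function names are assumptions chosen for illustration.

```python
import re
import statistics

# Layout of the REPORT line Lambda writes at the end of each invocation.
# "Init Duration" only appears on cold starts, so it is optional here.
REPORT_RE = re.compile(
    r"^REPORT RequestId: (?P<request_id>\S+)\s+"
    r"Duration: (?P<duration_ms>[\d.]+) ms\s+"
    r"Billed Duration: (?P<billed_ms>\d+) ms\s+"
    r"Memory Size: (?P<memory_mb>\d+) MB\s+"
    r"Max Memory Used: (?P<max_memory_mb>\d+) MB"
    r"(?:\s+Init Duration: (?P<init_ms>[\d.]+) ms)?"
)

# Constructed sample of log events for one function (not real data).
SAMPLE_LOG_LINES = [
    "START RequestId: 00000000-0000-4000-8000-000000000001 Version: $LATEST",
    "REPORT RequestId: 00000000-0000-4000-8000-000000000001\tDuration: 812.40 ms"
    "\tBilled Duration: 813 ms\tMemory Size: 256 MB\tMax Memory Used: 91 MB"
    "\tInit Duration: 204.11 ms",
    "2024-01-01T00:00:31.002Z 00000000-0000-4000-8000-000000000002 "
    "Task timed out after 30.00 seconds",
    "REPORT RequestId: 00000000-0000-4000-8000-000000000002\tDuration: 30003.12 ms"
    "\tBilled Duration: 30000 ms\tMemory Size: 256 MB\tMax Memory Used: 120 MB",
    "REPORT RequestId: 00000000-0000-4000-8000-000000000003\tDuration: 95.10 ms"
    "\tBilled Duration: 96 ms\tMemory Size: 256 MB\tMax Memory Used: 88 MB",
    "REPORT RequestId: 00000000-0000-4000-8000-000000000004\tDuration: 1200.00 ms"
    "\tBilled Duration: 1200 ms\tMemory Size: 256 MB\tMax Memory Used: 90 MB",
]


def parse_report(line):
    """Return the fields of one REPORT line as a dict, or None for other lines."""
    match = REPORT_RE.match(line.strip())
    if match is None:
        return None
    fields = match.groupdict()
    return {
        "request_id": fields["request_id"],
        "duration_ms": float(fields["duration_ms"]),
        "billed_ms": int(fields["billed_ms"]),
        "memory_mb": int(fields["memory_mb"]),
        "max_memory_mb": int(fields["max_memory_mb"]),
        # None means a warm start: no initialisation phase was reported.
        "init_ms": float(fields["init_ms"]) if fields["init_ms"] else None,
    }


def summarize(lines, slow_ms):
    """Aggregate durations and list invocations that ran for slow_ms or longer."""
    reports = [r for r in (parse_report(line) for line in lines) if r is not None]
    if not reports:
        return {"invocations": 0, "mean_ms": None, "max_ms": None,
                "cold_starts": 0, "slow_request_ids": []}
    durations = [r["duration_ms"] for r in reports]
    return {
        "invocations": len(reports),
        "mean_ms": statistics.fmean(durations),
        "max_ms": max(durations),
        "cold_starts": sum(1 for r in reports if r["init_ms"] is not None),
        "slow_request_ids": [r["request_id"] for r in reports
                             if r["duration_ms"] >= slow_ms],
    }


if __name__ == "__main__":
    # 30000 ms mirrors the 30-second timeouts described in the question.
    print(summarize(SAMPLE_LOG_LINES, slow_ms=30000.0))
```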

230
MCQ · medium

A company uses AWS Lambda functions to process streaming data from Amazon Kinesis Data Streams. The Lambda function processes records in batches and writes the results to an Amazon DynamoDB table. Recently, the operations team noticed that the Lambda function is experiencing a high number of throttling errors (HTTP 400) when writing to DynamoDB. The DynamoDB table has on-demand capacity mode enabled. The CloudWatch metrics show that the DynamoDB consumed write capacity is well below the provisioned limits, but the Lambda function's error rate is increasing. The Lambda function's reserved concurrency is set to 100, and the function's timeout is 1 minute. The Kinesis stream has 10 shards. What is the MOST likely cause of the throttling errors?

A. The DynamoDB table is experiencing hot partitions due to uneven access patterns.
B. The Lambda function's timeout is too short, causing the function to retry and overload DynamoDB.
C. The Lambda function's reserved concurrency is too high, causing too many concurrent invocations.
D. The Kinesis stream's batch size is too large, causing the Lambda function to write too many records at once.
Answer: A

On-demand capacity still has per-partition throughput limits; hot partitions can cause throttling.

Why this answer

Option C is correct because the DynamoDB table has on-demand capacity, but throttling can still occur due to per-partition throughput limits. When many writes target the same partition key, the partition can throttle even if overall capacity is not exceeded. Option A is wrong because the function's concurrency is not the issue; throttling is from DynamoDB.

Option B is wrong because the function timeout is not causing throttling. Option D is wrong because the batch size affects the number of records per invocation but not DynamoDB throttling directly.

231
MCQ · easy

A DevOps engineer is tasked with setting up monitoring for a serverless application that uses AWS Lambda, Amazon API Gateway, and Amazon DynamoDB. The engineer needs to create a centralized dashboard that displays the number of Lambda invocations, API Gateway request counts, and DynamoDB consumed read/write capacity units. The dashboard should be accessible to the operations team without requiring AWS Management Console login. The engineer also wants to set up email alerts when the DynamoDB consumed capacity exceeds 80% of the provisioned capacity. Which solution meets these requirements with the LEAST operational overhead?

A. Use Amazon QuickSight to connect to CloudWatch metrics and create a dashboard with email alerts.
B. Use CloudWatch Logs Insights to query the logs of each service and create a dashboard from the results.
C. Create a CloudWatch dashboard and share it using Amazon Cognito to grant access to the operations team.
D. Create a CloudWatch dashboard with the relevant metrics and set CloudWatch alarms on DynamoDB consumed capacity. Share the dashboard as a public read-only dashboard.
Answer: D

CloudWatch dashboards can be shared publicly, and alarms can send email via SNS.

Why this answer

Option D is correct because CloudWatch Dashboards can be shared publicly as a read-only dashboard without AWS credentials. The metrics for Lambda, API Gateway, and DynamoDB are automatically available in CloudWatch. Alarms can be set on DynamoDB's ConsumedReadCapacityUnits and ConsumedWriteCapacityUnits metrics.

Option A is wrong because CloudWatch Logs Insights is for log analysis, not metrics. Option B is wrong because sharing CloudWatch dashboards does not require Cognito; dashboards can be shared via a public URL. Option C is wrong because QuickSight requires additional setup and cost.

232
Multi-Select · easy

A company is using AWS CloudTrail to log API activity in their AWS account. They want to ensure that any modification to CloudTrail configuration itself is logged and that the logs are immutable. Which combination of actions should they take? (Choose TWO.)

Select 2 answers
A. Enable S3 Object Lock on the destination S3 bucket in governance mode.
B. Enable log file validation to guarantee integrity of log files.
C. Disable log file validation to reduce overhead.
D. Store CloudTrail logs in a CloudWatch Logs log group with a retention policy.
E. Enable CloudTrail Insights to detect configuration changes.
Answers: A, B

S3 Object Lock prevents objects from being deleted or overwritten for a specified period, ensuring immutability.

Why this answer

Option A is correct because enabling S3 Object Lock in governance mode on the destination S3 bucket prevents any user, including the root user, from overwriting or deleting CloudTrail log objects during the retention period, ensuring immutability. Option B is correct because enabling log file validation creates a digest file that uses SHA-256 hashing to verify that log files have not been modified, deleted, or tampered with after delivery, providing integrity assurance.

Exam trap

The trap here is that candidates often confuse CloudTrail Insights (which detects configuration changes) with the actual mechanisms for ensuring log immutability and integrity, leading them to select option E instead of the correct combination of S3 Object Lock and log file validation.
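The SHA-256 check that log file validation makes possible, as an added example that is not part of the original question bank. The digest, bucket name and object keys are constructed, `fetch_object` is a hypothetical stand-in for an S3 read, and the sketch assumes hashes are taken over the uncompressed content; it does not verify the digest file's RSA signature, which `aws cloudtrail validate-logs` also checks.

```python
import gzip
import hashlib
import zlib


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def check_digest(digest, fetch_object, previous_digest_bytes=None):
    """Compare every log file listed in a digest with what is stored now.

    fetch_object(bucket, key) returns the stored gzip bytes or None if absent.
    Returns (per-file status dict, chain_ok); chain_ok is None when the
    previous digest was not supplied.
    """
    results = {}
    for entry in digest["logFiles"]:
        key = entry["s3Object"]
        if entry.get("hashAlgorithm") != "SHA-256":
            results[key] = "unsupported-hash"
            continue
        blob = fetch_object(entry["s3Bucket"], key)
        if blob is None:
            results[key] = "missing"      # deleted after delivery
            continue
        try:
            content = gzip.decompress(blob)
        except (OSError, EOFError, zlib.error):
            results[key] = "modified"     # no longer a valid gzip object
            continue
        same = sha256_hex(content) == entry["hashValue"]
        results[key] = "ok" if same else "modified"

    chain_ok = None
    if previous_digest_bytes is not None:
        # Each digest records the hash of the one before it, so a removed or
        # rewritten digest file breaks the chain.
        expected = digest.get("previousDigestHashValue")
        chain_ok = sha256_hex(previous_digest_bytes) == expected
    return results, chain_ok


def build_demo():
    """Constructed bucket contents plus a digest that describes them."""
    bucket = "example-central-logs"       # constructed name
    logs = {
        "AWSLogs/111122223333/CloudTrail/constructed-log-1.json.gz":
            b'{"Records":[{"eventName":"StopLogging"}]}',
        "AWSLogs/111122223333/CloudTrail/constructed-log-2.json.gz":
            b'{"Records":[{"eventName":"DeleteTrail"}]}',
        "AWSLogs/111122223333/CloudTrail/constructed-log-3.json.gz":
            b'{"Records":[{"eventName":"ConsoleLogin"}]}',
    }
    store = {(bucket, k): gzip.compress(v) for k, v in logs.items()}
    previous_digest = b'{"logFiles":[]}'  # constructed earlier digest
    digest = {
        "previousDigestHashValue": sha256_hex(previous_digest),
        "previousDigestHashAlgorithm": "SHA-256",
        "logFiles": [
            {"s3Bucket": bucket, "s3Object": k,
             "hashValue": sha256_hex(v), "hashAlgorithm": "SHA-256"}
            for k, v in logs.items()
        ],
    }
    return store, digest, previous_digest


def run_demo():
    """Rewrite one log and delete another, then run the check."""
    store, digest, previous_digest = build_demo()
    keys = [entry["s3Object"] for entry in digest["logFiles"]]
    bucket = digest["logFiles"][0]["s3Bucket"]
    store[(bucket, keys[0])] = gzip.compress(b'{"Records":[]}')
    del store[(bucket, keys[1])]
    return check_digest(digest, lambda b, k: store.get((b, k)), previous_digest)


if __name__ == "__main__":
    statuses, chain_ok = run_demo()
    for key, status in statuses.items():
        print(status, key)
    print("digest chain intact:", chain_ok)
```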

233
MCQ · medium

A company uses Amazon CloudWatch Logs to store application logs from multiple EC2 instances. The security team requires that logs be encrypted at rest using a customer-managed KMS key. Which configuration step should the engineer perform to meet this requirement?

A. Configure the CloudWatch agent to encrypt logs before sending
B. Create a KMS key and attach a policy allowing CloudWatch Logs to use it
C. Enable default encryption on the S3 bucket that stores logs
D. Associate the KMS key with the CloudWatch log group using the console or CLI
Answer: D

Associating the KMS key encrypts the log group at rest.

Why this answer

Option C is correct because you must associate a KMS key with the log group to encrypt logs. Option A is wrong because the CloudWatch Agent does not handle encryption at rest. Option B is wrong because KMS key policy alone is insufficient; you must specify the key.

Option D is wrong because S3 encryption does not apply to CloudWatch Logs.

234
Multi-Select · medium

A company is using AWS CloudTrail to log API activity across multiple accounts. The security team wants to ensure that all CloudTrail logs are delivered to a central Amazon S3 bucket and that the logs are encrypted and cannot be deleted. Which THREE steps should the team take to meet these requirements? (Choose THREE.)

Select 3 answers
A. Enable MFA Delete on the central S3 bucket to require multi-factor authentication for deletions.
B. Enable default encryption (SSE-S3) on the central S3 bucket.
C. Enable S3 Object Lock on the central S3 bucket to prevent log file deletion.
D. Enable CloudTrail log file integrity by using AWS KMS.
E. Enable CloudTrail log file validation to ensure log integrity.
Answers: B, C, E

SSE-S3 encrypts log files at rest.

Why this answer

Options A, C, and D are correct. Enabling log file validation (A) ensures integrity. Enabling SSE-S3 encryption (C) encrypts logs at rest.

Enabling S3 Object Lock (D) prevents deletion. Option B (enable log file integrity) is a duplicate of A; CloudTrail log file validation provides integrity. Option E (enable MFA Delete) is not supported on S3 buckets for this purpose; Object Lock is used.

235
MCQ · medium

Refer to the exhibit. An IAM policy is attached to an EC2 instance role. The application on the instance is unable to send logs to CloudWatch Logs. The log group 'MyAppLogs' exists in the same account and region. What is the most likely reason for the failure?

A. The resource ARN is incorrect; it should include the log stream name.
B. The log group does not exist in the specified region.
C. The policy does not allow the logs:PutLogEvents action.
D. The policy is missing permissions to create log streams.
Answer: D

The application likely needs to create a log stream first, which requires logs:CreateLogStream.

Why this answer

Option B is correct because the policy only allows PutLogEvents, but the instance needs permissions for CreateLogStream and DescribeLogStreams as well. Option A is wrong because the log group exists. Option C is wrong because the resource ARN includes log-stream wildcard, which is correct.

Option D is wrong because the policy explicitly allows the action.

236
Multi-Select · hard

A DevOps engineer is investigating a performance issue with an Amazon RDS for MySQL instance. The engineer has enabled Performance Insights and CloudWatch Enhanced Monitoring. Which THREE metrics should the engineer examine to identify whether the issue is due to a resource bottleneck? (Choose THREE.)

Select 3 answers
A. ReadLatency from CloudWatch.
B. FreeableMemory from Enhanced Monitoring.
C. CPUUtilization from Enhanced Monitoring.
D. ReadIOPS from Enhanced Monitoring.
E. DatabaseConnections from Enhanced Monitoring.
Answers: B, C, D

Indicates memory pressure.

Why this answer

Options A, B, and C are correct. These metrics from Enhanced Monitoring help identify CPU, memory, and disk bottlenecks. Option D is incorrect because database connections is not a resource metric.

Option E is incorrect because read latency is a database metric, not a resource metric.

237
Multi-Select · medium

A DevOps team is designing a monitoring strategy for a microservices application deployed on Amazon EKS. The application emits custom metrics, and the team needs to collect them with minimal latency and at high resolution. The team also needs to retain logs for 90 days for compliance. Which THREE steps should the team take to meet these requirements? (Choose three.)

Select 3 answers
A. Use Fluent Bit daemonset to send application logs to CloudWatch Logs.
B. Stream logs to Amazon Kinesis Data Firehose for transformation before landing in CloudWatch Logs.
C. Enable CloudWatch Container Insights for the EKS cluster.
D. Configure a CloudWatch metric filter or an alarm to alert on high error rates.
E. Deploy the CloudWatch agent with Prometheus metric collection configuration.
Answers: A, D, E

Fluent Bit is a common log collector for EKS that can send logs to CloudWatch Logs for retention.

Why this answer

Option A is correct because Fluent Bit is a lightweight, high-performance log processor that can be deployed as a DaemonSet on Amazon EKS to collect application logs with minimal latency. It sends logs directly to CloudWatch Logs, which supports a retention policy of up to 10 years, easily meeting the 90-day compliance requirement. Fluent Bit's low resource footprint and efficient data pipeline ensure high-resolution log collection without impacting application performance.

Exam trap

The trap here is that candidates often confuse CloudWatch Container Insights (which provides infrastructure-level metrics) with a solution for custom application metrics and logs, leading them to select Option C instead of the correct combination of Fluent Bit, metric filters/alarms, and the CloudWatch agent with Prometheus configuration.

238
Multi-Select · hard

A company uses Amazon RDS for MySQL and wants to monitor slow queries to optimize performance. Which actions should the DevOps engineer take to capture and analyze slow query logs? (Choose THREE.)

Select 3 answers
A. Use AWS CloudTrail to capture SQL queries
B. Enable the slow query log parameter in the RDS DB parameter group
C. Enable RDS Performance Insights
D. Configure RDS to publish logs to Amazon CloudWatch Logs
E. Use CloudWatch Logs Insights to query and analyze the slow query logs
Answers: B, D, E

Correct. This generates slow query logs.

Why this answer

Option A (enable slow query log) is necessary. Option B (publish to CloudWatch Logs) allows centralized access. Option D (use CloudWatch Logs Insights) enables analysis.

Option C (RDS Performance Insights) is for performance but not slow queries specifically. Option E (CloudTrail) is not relevant.

239
MCQ · easy

A DevOps engineer wants to receive an alert when the total number of error logs in an application exceeds 100 within a 5-minute period. The application writes logs to CloudWatch Logs. How can this be achieved?

A. Create a CloudWatch dashboard with a line chart for error count and manually monitor it.
B. Use CloudWatch Logs Insights to run a query every 5 minutes and trigger an alert based on the result.
C. Create a CloudWatch Logs subscription filter to send matching logs to a Lambda function, which counts errors and sends an alert.
D. Create a metric filter on the log group for 'ERROR', then create a CloudWatch alarm on the resulting metric with a threshold of 100.
Answer: D

Metric filters extract metrics from logs, and alarms can be set on those metrics to trigger actions when thresholds are breached.

Why this answer

Option A is correct because a metric filter in CloudWatch Logs can count the occurrence of 'ERROR' in log events and create a metric. A CloudWatch alarm can then be set on that metric with a threshold of 100. Option B is wrong because CloudWatch Logs subscription filters send logs to destinations, not trigger alarms.

Option C is wrong because CloudWatch Logs Insights is for querying, not real-time alerting. Option D is wrong because CloudWatch dashboards are for visualization, not alerting.

240
MCQ · hard

A DevOps team uses AWS Lambda functions to process events from an SQS queue. The Lambda function occasionally fails due to transient errors, and the team wants to capture and analyze the full error details, including stack traces, for debugging. The errors are not always related to invocation failures (e.g., timeouts) but include exceptions thrown within the function code. Which approach will capture the MOST comprehensive error information?

A. Configure a DLQ on the SQS queue to capture failed messages and inspect them.
B. Enable CloudWatch Logs and rely on the automatic logging of invocation results.
C. Ensure the Lambda function code returns a meaningful error object (e.g., throws an exception) so that the error is logged in CloudWatch Logs with a stack trace.
D. Use AWS X-Ray to trace the function execution and analyze the traces.
Answer: C

Throwing an exception causes Lambda to log the error with stack trace in CloudWatch Logs.

Why this answer

Option D is correct because returning the error object from the Lambda handler (either by throwing an exception or returning a structured error) will cause Lambda to record the error details in CloudWatch Logs, including stack traces. Option A is wrong because CloudWatch Logs streams all logs, including console log statements, but capturing stack traces requires explicit logging. Option B is wrong because DLQ captures failed events (messages), not error details.

Option C is wrong because X-Ray traces requests but may not capture full stack traces of application errors.

241
MCQ · medium

A company uses AWS Lambda functions to process data from an Amazon SQS queue. The Lambda function sometimes fails due to timeouts. The DevOps team wants to monitor the number of function timeouts and receive alerts. What is the MOST efficient way to achieve this?

A. Create an Amazon EventBridge rule that captures Lambda execution results and triggers an SNS topic
B. Enable AWS X-Ray on the Lambda function and analyze traces for timeouts
C. Create a CloudWatch Logs Insights query to search for 'Task timed out' and run it periodically
D. Configure a CloudWatch alarm on the 'Timeouts' metric from AWS/Lambda namespace
Answer: D

Lambda publishes the Timeout metric natively, and an alarm can be set on it directly.

Why this answer

Option D is correct because Lambda automatically publishes 'Timeout' metrics to CloudWatch, and a CloudWatch alarm can be configured on that metric. Option A is wrong because CloudWatch Logs Insights requires querying logs, which is not real-time. Option B is wrong because EventBridge can capture Lambda events but requires creating a rule and target.

Option C is wrong because X-Ray is for tracing, not metrics.

242
Multi-Select · medium

A company is using Amazon CloudWatch Logs to store application logs. The DevOps team needs to search and analyze logs from multiple EC2 instances in real time. Which TWO services can be used to achieve this? (Choose TWO.)

Select 2 answers
A. Amazon OpenSearch Service.
B. Amazon Athena.
C. Amazon QuickSight.
D. Amazon Kinesis Data Analytics.
E. CloudWatch Logs Insights.
Answers: A, E

CloudWatch Logs can stream to OpenSearch for real-time search.

Why this answer

Option A is correct because CloudWatch Logs Insights allows real-time querying of log groups. Option C is correct because CloudWatch Logs can stream to Amazon OpenSearch Service for real-time search and analytics. Option B is wrong because Athena is for ad-hoc querying of S3 data, not real-time.

Option D is wrong because Kinesis Data Analytics is for streaming data analysis, not directly for log search. Option E is wrong because QuickSight is for visualization, not real-time search.

243
MCQ · medium

Refer to the exhibit. A DevOps engineer runs the above CloudWatch Logs Insights query on a log group containing application logs. The query returns an empty result set. The engineer knows that the application logs contain ERROR entries. Which of the following is the most likely cause?

A. The stats function cannot be used with the filter command.
B. The log group does not have any log streams.
C. The filter pattern is case-sensitive and the log entries use lowercase 'error'.
D. The limit of 20 results is too low and the query times out.
Answer: C

The 'like' operator is case-sensitive by default.

Why this answer

Option B is correct because the query uses 'like /ERROR/' which is case-sensitive. If the logs contain 'error' in lowercase, the filter will not match. Option A is wrong because the timestamp field is present.

Option C is wrong because the stats function is valid. Option D is wrong because the limit is fine.

244
MCQ · hard

Refer to the exhibit. The IAM policy above is attached to an EC2 instance role. The CloudWatch agent on the instance is configured to send logs to the 'MyAppLogs' log group. However, logs are not appearing in CloudWatch. What is the most likely issue?

A. The instance role needs additional permissions to write to S3 for log delivery.
B. The log group name in the policy does not match the log group name configured in the agent.
C. The policy does not allow the 'logs:PutLogEvents' action on the specific log stream resource.
D. The region in the policy ARN does not match the region where the log group is created.
Answer: C

The resource ARN for PutLogEvents should include the log stream, e.g., 'arn:aws:logs:us-east-1:123456789012:log-group:MyAppLogs:log-stream:*'. The current policy only allows actions on the log group itself, not on log streams.

Why this answer

Option C is correct because the policy only grants permissions for log streams under the log group (using the * wildcard for log streams), but it does not include permission to describe or interact with the log group itself. However, the real issue is that the resource ARN for PutLogEvents requires a log stream resource, not just the log group. The correct resource should be "arn:aws:logs:us-east-1:123456789012:log-group:MyAppLogs:log-stream:*" for PutLogEvents.

Option A is wrong because the log group name matches. Option B is wrong because the region is correct. Option D is wrong because CloudWatch Logs agent does not require S3 permissions.

245
MCQ · hard

A company has a multi-account AWS environment using AWS Organizations. The security team needs to centrally monitor and analyze VPC Flow Logs from all accounts. The solution must be cost-effective and allow querying across accounts. Which approach should they take?

A. Use Amazon Elasticsearch Service (Amazon OpenSearch Service) with a cross-account ingestion pipeline.
B. Stream VPC Flow Logs from each account to Amazon Kinesis Data Analytics for real-time analysis.
C. Send VPC Flow Logs from each account to a centralized Amazon S3 bucket, then use Amazon Athena to query the logs.
D. Configure each account to send VPC Flow Logs to a central CloudWatch Logs group using cross-account subscription.
Answer: C

This approach is cost-effective, scalable, and allows cross-account queries using Athena.

Why this answer

Option C is correct because it uses a centralized Amazon S3 bucket to aggregate VPC Flow Logs from all accounts, which is cost-effective (S3 storage costs are low) and enables cross-account querying via Amazon Athena using standard SQL. This approach avoids per-ingestion costs of services like CloudWatch Logs or Kinesis and provides a serverless, scalable query engine for analyzing logs across accounts.

Exam trap

The trap here is that candidates may overestimate the complexity of cross-account S3 access or underestimate the cost of CloudWatch Logs ingestion, leading them to choose Option D (central CloudWatch Logs group) which seems simpler but is actually more expensive and less query-friendly than S3+Athena.

How to eliminate wrong answers

Option A is wrong because Amazon OpenSearch Service (formerly Elasticsearch Service) incurs significant costs for ingestion and storage, and cross-account ingestion pipelines require complex setup with Lambda or Kinesis, making it less cost-effective than S3+Athena. Option B is wrong because Amazon Kinesis Data Analytics is designed for real-time stream processing, not for cost-effective historical querying across accounts; it would be overkill and expensive for periodic analysis of VPC Flow Logs. Option D is wrong because CloudWatch Logs cross-account subscriptions require each account to send logs to a central account's CloudWatch Logs group, which incurs per-ingestion costs and does not natively support SQL-based querying like Athena; querying across accounts would require additional tools or cross-account log group access, increasing complexity and cost.

246
MCQ · medium

A company runs a serverless application using AWS Lambda and Amazon API Gateway. The application processes user uploads to an S3 bucket. The operations team uses CloudWatch Logs for monitoring, but they are finding it difficult to correlate logs across multiple Lambda functions that handle different parts of the workflow. The team wants to trace requests as they flow through the application and identify bottlenecks or errors. The team has already enabled CloudWatch Logs for all Lambda functions. What should the team do to achieve end-to-end request tracing?

A. Use CloudWatch Contributor Insights to analyze the log data and identify the top contributors to latency.
B. Use AWS CloudTrail to log all API calls and correlate them with CloudWatch Logs.
C. Create a CloudWatch ServiceLens service map to visualize the application components.
D. Enable AWS X-Ray on the Lambda functions and API Gateway to trace requests end-to-end.
Answer: D

X-Ray provides distributed tracing to follow requests through services.

Why this answer

Option C is correct because AWS X-Ray provides end-to-end tracing and integrates with Lambda and API Gateway. Option A is wrong because CloudWatch Contributor Insights analyzes top contributors but does not trace requests across services. Option B is wrong because CloudWatch ServiceLens provides service maps but relies on X-Ray for tracing.

Option D is wrong because CloudTrail logs API calls, not application-level tracing.

247
Multi-Select · easy

A company is using AWS CloudFormation to deploy infrastructure. The DevOps team wants to receive notifications when a stack creation fails. Which services can be used together to send an email notification on stack failure? (Choose TWO.)

Select 2 answers
A. AWS Lambda
B. Amazon Simple Queue Service (SQS)
C. Amazon Simple Notification Service (SNS)
D. AWS CloudFormation
E. Amazon CloudWatch
Answers: C, D

Correct. SNS can send email notifications.

Why this answer

Amazon SNS (Option C) is correct because it can send email notifications to subscribers when a CloudFormation stack creation fails. AWS CloudFormation (Option D) is correct because it can directly publish failure events to an SNS topic via the 'NotificationARNs' parameter in stack creation, enabling automated email alerts without additional services.

Exam trap

The trap here is that candidates might think CloudWatch (Option E) can send emails directly, but CloudWatch only publishes to SNS or other targets; it cannot natively deliver email notifications without SNS.

248
Multi-Select · hard

A company is using Amazon CloudWatch Synthetics canaries to monitor its web application endpoints. The canaries are failing intermittently with timeout errors. The DevOps team needs to troubleshoot the root cause. Which THREE actions should they take? (Select THREE.)

Select 3 answers
A.Use AWS CloudTrail to review Canary API calls.
B.Increase the canary timeout configuration to allow more time for the endpoint to respond.
C.Check the EC2 instance CPU utilization in the VPC where the canaries run.
D.Review VPC Flow Logs to see if requests are being dropped or denied.
E.Examine the canary logs in CloudWatch Logs for error messages.
AnswersB, D, E

If the timeout is too low, increasing it may resolve false positives.

Why this answer

Options B, C, and D are correct. B: Checking VPC Flow Logs helps identify network issues. C: Checking canary logs provides details about the failure.

D: Increasing canary timeout may resolve if the timeout is too low. A is wrong because canaries run in Lambda and do not use EC2. E is wrong because CloudTrail does not capture canary execution details.

249
MCQhard

A DevOps engineer is troubleshooting an AWS Lambda function that processes messages from an Amazon SQS queue. The function is configured with a reserved concurrency of 5 and a batch size of 10. The SQS queue has a visibility timeout of 30 seconds, and the Lambda function typically completes processing each batch in 10 seconds. Recently, the engineer noticed that messages are repeatedly processed, causing duplicates. The CloudWatch Logs show that the function is experiencing throttling errors. What is the MOST likely cause of the duplicate processing?

A.Lambda is throttling the function, and the visibility timeout expires before the function can process the messages.
B.The SQS queue's dead-letter queue (DLQ) is not configured, causing messages to be reprocessed.
C.The function's batch size is too large, causing timeouts.
D.The function's reserved concurrency is too high, causing overloading.
AnswerA

Throttling prevents processing, and visibility timeout expires, making messages visible again.

Why this answer

Option C is correct. When Lambda throttles, it cannot process the messages, so SQS does not delete them. The visibility timeout of 30 seconds may expire before Lambda retries, making the messages visible again.

Option A is incorrect because the batch size of 10 is within the maximum of 10. Option B is incorrect because reserved concurrency does not cause duplicate processing directly. Option D is incorrect because DLQ would store messages, not cause duplicates.

250
MCQhard

A company uses AWS CloudTrail to log all API calls across multiple accounts in AWS Organizations. The DevOps team wants to detect and alert on any IAM user who creates an access key and then uses it to make API calls within 24 hours, as this may indicate a compromised account. Which combination of actions should be taken to achieve this with minimal latency?

A.Use Amazon Athena to query CloudTrail logs in S3 every hour and send alerts for matches.
B.Create an Amazon EventBridge rule that matches CreateAccessKey and any subsequent API call from the same user within 24 hours.
C.Stream CloudTrail logs to CloudWatch Logs and create a metric filter to detect the pattern, then set an alarm.
D.Enable S3 Event Notifications on the CloudTrail S3 bucket to invoke a Lambda function that processes new log files and checks for the pattern.
AnswerD

Allows near-real-time processing with minimal latency.

Why this answer

Option D is correct because CloudTrail delivers logs to S3 within about 15 minutes; using S3 Events to trigger a Lambda that analyzes the logs in near-real-time allows detection within the 24-hour window. Option A is wrong because CloudWatch Logs Insights queries are not real-time and require logs to be streamed to CloudWatch Logs, which adds latency. Option B is wrong because Athena is not real-time.

Option C is wrong because EventBridge can detect API calls but cannot correlate the creation of a key with its subsequent use in a single rule; it would require complex pattern matching.

251
MCQmedium

A company wants to monitor network traffic to and from its VPC for security analysis. It needs to capture IP traffic information, including accepted and rejected connection attempts, and store the data in S3 for long-term analysis. Which AWS service should be used?

A.Amazon CloudWatch Logs
B.Amazon VPC Flow Logs
C.Amazon GuardDuty
D.AWS CloudTrail
AnswerB

VPC Flow Logs capture network traffic metadata and can be published to S3.

Why this answer

Option B is correct because VPC Flow Logs capture network traffic metadata and can be published to S3. Option A is wrong because CloudWatch Logs is for application logs, not network flows. Option C is wrong because CloudTrail tracks API calls.

Option D is wrong because GuardDuty is a threat detection service, not a log source.

252
MCQmedium

A company is running a microservices application on Amazon ECS with AWS Fargate. The operations team needs to monitor application performance and troubleshoot slow API responses. They currently use Amazon CloudWatch Logs for container logs and have enabled Container Insights. However, they are unable to see detailed latency breakdowns per API endpoint. Which solution would provide the most granular visibility into API performance?

A.Enable detailed CloudWatch metrics for ECS and Fargate, including CPU and memory.
B.Enable CloudWatch Logs Insights to query API logs for slow requests.
C.Use AWS X-Ray to instrument the application and collect trace data.
D.Deploy the AWS Distro for OpenTelemetry collector on each task to send metrics to CloudWatch.
E.Set up VPC Flow Logs to analyze network latency between services.
AnswerC

AWS X-Ray provides end-to-end tracing with segment details, allowing you to see latency per API endpoint and downstream dependencies.

Why this answer

AWS X-Ray provides end-to-end tracing of requests as they travel through microservices, capturing detailed latency breakdowns per API endpoint, including downstream calls, database queries, and external HTTP requests. This gives the operations team the granular visibility needed to pinpoint exactly where slow responses occur, unlike aggregated metrics or log-based queries.

Exam trap

The trap here is that candidates confuse infrastructure-level metrics (CPU, memory, network) or log-based querying with the distributed tracing capability needed to break down latency per API endpoint, overlooking that only X-Ray provides end-to-end trace segments with sub-millisecond timing per service call.

How to eliminate wrong answers

Option A is wrong because enabling detailed CloudWatch metrics for ECS and Fargate (CPU, memory, network) provides infrastructure-level metrics, not per-endpoint latency breakdowns. Option B is wrong because CloudWatch Logs Insights can query logs for slow requests but cannot trace a single request across multiple services or show the latency contributed by each downstream call. Option D is wrong because the AWS Distro for OpenTelemetry collector sends metrics and traces to CloudWatch, but without X-Ray integration or trace sampling, it does not provide the per-endpoint latency breakdowns that X-Ray's service map and trace segments offer.

Option E is wrong because VPC Flow Logs capture network-level metadata (packet headers, timestamps) and can indicate network latency between ENIs, but they cannot reveal application-level latency per API endpoint or trace a request through microservices.

253
MCQmedium

A company is running a web application on Amazon EC2 instances behind an Application Load Balancer. The application is experiencing intermittent errors. The DevOps engineer needs to identify if the errors are caused by the application or the underlying infrastructure. Which solution provides the MOST detailed visibility into the application's behavior?

A.Enable VPC Flow Logs and analyze traffic patterns
B.Enable AWS CloudTrail and monitor for API errors
C.Instrument the application with AWS X-Ray SDK and analyze traces
D.Enable detailed CloudWatch metrics on the EC2 instances and ALB
AnswerC

X-Ray provides end-to-end tracing to pinpoint where errors occur in the application.

Why this answer

Option C is correct because AWS X-Ray provides end-to-end tracing of requests as they travel through the application, allowing the engineer to pinpoint where errors occur. Option A is wrong because CloudWatch metrics only show aggregate data, not per-request details. Option B is wrong because VPC Flow Logs capture network traffic metadata, not application-level errors.

Option D is wrong because CloudTrail records API calls, not application errors.

254
MCQhard

A company is using AWS X-Ray to trace requests through a microservices application. Some traces are incomplete, showing only the root segment without any subsegments. The application uses the X-Ray SDK for Java. What is the most likely cause?

A.The application is missing the x-amzn-trace-id header in incoming requests.
B.The segment document size exceeds the maximum allowed size.
C.The X-Ray daemon is not running on the EC2 instances.
D.The sampling rate is set to a low value, causing many requests to be dropped.
AnswerD

Low sampling rate means fewer requests are traced, leading to incomplete traces.

Why this answer

Option A is correct because if the sampling rate is too low, many requests are not traced, resulting in incomplete traces. Option B is wrong because segment size limits do not cause missing subsegments. Option C is wrong because a missing annotation would not prevent subsegments from appearing.

Option D is wrong because the SDK automatically sends traces to the X-Ray daemon.

255
MCQhard

A DevOps engineer is troubleshooting why an AWS Lambda function is not writing logs to the CloudWatch Logs log group 'MyAppLogs'. The Lambda function's execution role includes the IAM policy shown in the exhibit. What is the MOST likely reason the logs are not being written?

A.The log group is in a different AWS Region.
B.The policy does not grant permission to create the log group or put log events to the log group itself.
C.The policy has an incorrect action name.
D.The policy is missing the 'logs:CreateLogGroup' action.
AnswerB

The resource ARN should be the log group ARN, not the log stream pattern.

Why this answer

Option B is correct. The policy allows actions on log streams within the log group, but it does not allow creating the log group itself (logs:CreateLogGroup) or putting events to the log group resource. The resource ARN should be the log group ARN without the wildcard for log streams.

Option A is incorrect because the region is correct. Option C is incorrect because the policy allows CreateLogGroup, but the resource is wrong. Option D is incorrect because the actions are correct but the resource is insufficient.

256
Multi-Selecteasy

A DevOps engineer is troubleshooting a performance issue with an Amazon RDS for MySQL database. The engineer suspects that slow queries are causing high CPU utilization. Which TWO actions can the engineer take to identify the slow queries?

Select 2 answers
A.Create an RDS event subscription for 'low storage' events.
B.Monitor the 'CPUUtilization' metric in CloudWatch.
C.Enable the slow query log and publish it to CloudWatch Logs.
D.Enable Performance Insights to visualize database load and identify top SQL statements.
E.Enable Enhanced Monitoring to view process list and SQL queries.
AnswersC, D

Slow query logs capture queries that exceed a specified time threshold, and sending them to CloudWatch Logs enables querying and analysis.

Why this answer

Options A and C are correct. Option A: Enabling the slow query log and sending it to CloudWatch Logs allows analysis. Option C: Enabling Performance Insights provides a dashboard to view database load and identify slow queries.

Option B is wrong because Enhanced Monitoring provides OS-level metrics, not query details. Option D is wrong because the RDS event subscription notifies about database events, not slow queries. Option E is wrong because CloudWatch database metrics include CPU, but not query text.

257
MCQeasy

A Lambda function is timing out. The log above shows a recent invocation. What is the most likely cause?

A.The function is running out of memory.
B.The function is being invoked too frequently.
C.The function is experiencing a cold start.
D.The function timeout is set too low.
AnswerD

The duration is 3000 ms, which is the default timeout.

Why this answer

Option B is correct because the function timed out at 3000 ms, which is the default timeout (3 seconds). The function needs a longer timeout or optimization. Option A is wrong because memory usage is only 64 MB out of 128 MB.

Option C is wrong because there was only one invocation. Option D is wrong because the init duration is normal.

258
Multi-Selecteasy

A DevOps engineer needs to collect and analyze logs from multiple AWS services, including EC2, Lambda, and API Gateway. The logs must be stored in a central location for long-term retention and analyzed using SQL queries. Which TWO services should be combined to achieve this? (Choose TWO.)

Select 2 answers
A.AWS CloudTrail
B.Amazon CloudWatch Logs
C.Amazon Kinesis Data Firehose
D.Amazon SQS
E.Amazon Athena
AnswersB, E

CloudWatch Logs can aggregate logs from many services.

Why this answer

Correct options: B and E. Option B: CloudWatch Logs can collect logs from many AWS services. Option E: Exporting logs to S3 and using Athena allows SQL-based analysis.

Option A is wrong because CloudTrail is for API logs, not all service logs. Option C is wrong because Kinesis Data Firehose is for real-time streaming, not for ad-hoc SQL queries. Option D is wrong because SQS is a message queue, not a log store.

259
Multi-Selectmedium

A DevOps engineer is designing a centralized logging solution for a multi-account AWS environment. The solution must be cost-effective and provide real-time log analysis. Which THREE services should they consider?

Select 3 answers
A.Amazon OpenSearch Service (Elasticsearch)
B.Amazon Kinesis Data Firehose
C.Amazon S3
D.Amazon CloudWatch Logs
E.AWS CloudTrail
AnswersA, B, D

Provides real-time log search and analysis.

Why this answer

Option A is correct because CloudWatch Logs can collect logs from various sources. Option C is correct because Kinesis Data Firehose can stream logs to destinations like S3 or Elasticsearch. Option E is correct because Amazon OpenSearch Service can be used for log analysis.

Option B is wrong because S3 is for storage, not real-time analysis. Option D is wrong because CloudTrail is for API logs only.

260
MCQhard

A company runs a fleet of EC2 instances behind an Auto Scaling group. The DevOps team wants to detect and respond to memory leaks in their application. They have configured CloudWatch agent to collect memory metrics. However, the metric shows unpredictable spikes. The team needs to correlate these spikes with application logs to identify the root cause. Which solution provides the BEST correlation?

A.Export the memory metric and application logs to Amazon S3 and use Amazon Athena to join them
B.Enable AWS X-Ray on the application to trace requests and identify memory-heavy requests
C.Use CloudWatch Logs Insights to query application logs for error patterns around the time of memory spikes
D.Use Amazon EventBridge to capture EC2 instance state changes and correlate with memory spikes
AnswerC

Logs Insights allows time-based correlation between metrics and logs.

Why this answer

Option C is correct because CloudWatch Logs Insights allows you to query application logs directly in CloudWatch Logs using a purpose-built query language. By filtering logs around the timestamps of memory spikes, you can correlate specific error patterns or log entries with the metric data, enabling root cause analysis without moving data or adding complexity.

Exam trap

The trap here is that candidates often confuse AWS X-Ray's request tracing with OS-level metric correlation, or assume that exporting to S3 and using Athena is a universal solution, when in fact CloudWatch Logs Insights provides the most direct and efficient correlation within the same monitoring ecosystem.

How to eliminate wrong answers

Option A is wrong because exporting metrics and logs to S3 and using Athena to join them introduces unnecessary latency, cost, and complexity; Athena is designed for ad-hoc analysis of structured data, not real-time correlation of streaming metrics and logs. Option B is wrong because AWS X-Ray traces requests and identifies latency or errors, but it does not capture memory metrics or correlate them with memory leaks; it focuses on distributed tracing, not OS-level resource usage. Option D is wrong because EventBridge captures EC2 instance state changes (e.g., start, stop, terminate), which are unrelated to memory spikes caused by application-level memory leaks; state changes do not provide the granular log correlation needed.

261
Multi-Selecteasy

A DevOps engineer needs to monitor the health of a web application running on EC2 instances behind an Application Load Balancer (ALB). Which TWO metrics from ALB should be monitored to detect application errors? (Choose TWO.)

Select 2 answers
A.RequestCount.
B.HTTPCode_ELB_5XX_Count.
C.HTTPCode_Target_5XX_Count.
D.HealthyHostCount.
E.TargetResponseTime.
AnswersC, E

This metric counts HTTP 5xx responses from targets.

Why this answer

Option A is correct because HTTPCode_Target_5XX_Count indicates server errors. Option B is correct because TargetResponseTime can indicate performance issues leading to errors. Option C is wrong because RequestCount is total requests, not errors.

Option D is wrong because HealthyHostCount is about host health, not application errors. Option E is wrong because HTTPCode_ELB_5XX_Count is for ALB itself, not targets.
