CCNA SDLC Automation Questions

75 of 397 questions · Page 4/6 · SDLC Automation topic · Answers revealed

226
MCQ · hard

An organization uses AWS CodeDeploy to deploy a web application to an Auto Scaling group. The deployment fails with the error 'The overall deployment failed because too many individual instances failed deployment, too few healthy instances are available for deployment, or some instances in your deployment group are experiencing problems.' The engineer reviews the deployment logs and finds that the AppSpec file is correctly formatted and the scripts run successfully on some instances. What is the MOST likely cause?

A. The CodeDeploy agent is not installed on some instances.
B. The target group is not configured to route traffic to the instances.
C. The health check grace period for the Auto Scaling group is too short.
D. The IAM role assigned to the EC2 instances does not have sufficient permissions.
Answer: C

Instances may be terminated before the application starts, causing deployment failure.

Why this answer

Option C is correct because if the health check grace period is too short, instances may be marked unhealthy before the application starts. Option A would affect all instances. Option B would cause consistent failures.

Option D might not cause instance failure.

227
MCQ · medium

A company uses AWS CodePipeline with a multi-branch strategy. A new feature branch triggers a pipeline that runs unit tests and deploys to a test environment. The deployment step uses AWS CodeDeploy with a deployment group configured for in-place deployment to Amazon EC2 instances. The deployment fails intermittently with the error 'The overall deployment failed because too many individual instances failed deployment, too few healthy instances are available for deployment, or some instances in your deployment group are experiencing problems.' The instances are healthy and pass health checks. What is the most likely cause?

A. The pipeline has a failed execution that is blocking subsequent executions.
B. The CodeDeploy agent on the instances is not running, causing the deployment to fail.
C. The pipeline is configured with a high frequency of changes, causing throttling from CodePipeline.
D. A previous deployment is still in progress or frozen in the CodeDeploy deployment group.
Answer: D

CodeDeploy limits concurrent deployments per deployment group; a frozen deployment prevents new ones.

Why this answer

Option D is correct because CodeDeploy enforces a per-deployment-group concurrency limit of one deployment at a time. If a previous deployment is still in progress or in a 'frozen' state (e.g., due to a failed or stopped deployment that hasn't been explicitly rolled back or cleaned up), new deployments will fail with the 'too many individual instances failed' error even when instances are healthy. The error message is misleading because it reflects CodeDeploy's inability to proceed with the new deployment, not actual instance health issues.

Exam trap

The trap here is that candidates misinterpret the generic 'too many instances failed' error as a sign of instance health issues or agent problems, when in reality it often indicates a concurrency or state conflict within the CodeDeploy deployment group.

How to eliminate wrong answers

Option A is wrong because a failed pipeline execution does not block subsequent executions in CodePipeline; each execution is independent and a new execution can be triggered even if a previous one failed. Option B is wrong because if the CodeDeploy agent were not running, the deployment would fail on those specific instances with a distinct 'Agent not found' or 'Host not reachable' error, not the generic 'too many instances failed' error, and the question states instances are healthy and pass health checks. Option C is wrong because CodePipeline does not throttle based on change frequency; it can handle concurrent executions, and throttling would manifest as API rate limit errors (HTTP 429), not deployment failures within CodeDeploy.

228
Multi-Select · medium

Which THREE steps are required to set up a cross-account CI/CD pipeline where the source stage is in Account A (CodeCommit) and the deploy stage is in Account B (ECS)? (Choose 3.)

Select 3 answers
A. Create an IAM role in Account B that the pipeline in Account A can assume for the deploy action.
B. Configure an AWS KMS key in Account B and share it with Account A for encrypting artifacts.
C. Update the CodePipeline service role in Account A to include a trust policy that allows assuming the role in Account B.
D. Create a resource-based policy on the CodeCommit repository in Account B that grants access to the CodePipeline service role in Account A.
E. Create an S3 bucket in Account B to store the artifacts and grant cross-account access.
Answers: A, C, D

The pipeline needs permissions in Account B to deploy to ECS.

Why this answer

Options A, C, and D are correct. Option A is necessary for the pipeline to deploy to Account B. Option C ensures the pipeline can assume the execution role in Account B.

Option D provides cross-account access for CodePipeline in Account A to pull source from Account B. Option B is wrong because KMS keys are not required for cross-account pipelines unless encryption is used. Option E is wrong because S3 buckets are not required for a CodeCommit source.

229
MCQ · medium

A company uses AWS CodePipeline with a source stage from Amazon S3. The pipeline triggers on changes to the S3 bucket. However, the pipeline does not trigger when a new object is uploaded. What is the MOST likely cause?

A. The S3 bucket policy denies the CodePipeline service role.
B. The S3 bucket is in a different AWS Region than the pipeline.
C. The S3 bucket does not have versioning enabled.
D. The S3 bucket does not have an event notification configured to invoke the pipeline.
Answer: D

CodePipeline requires S3 event notifications to automatically start.

Why this answer

Option D is correct because S3 event notifications need to be configured to trigger CodePipeline. Option B is wrong because, although the source bucket and pipeline must be in the same Region, the question gives no indication that a Region mismatch is why the pipeline is not triggering. Option C is wrong because versioning is not required for pipeline triggers.

Option A is wrong because bucket policies do not affect event notifications.

230
Multi-Select · medium

Which TWO are valid use cases for using AWS CodeArtifact in a CI/CD pipeline? (Choose two.)

Select 2 answers
A. Caching dependencies from public repositories to improve build speed and reliability.
B. Storing Docker images that are used by ECS tasks.
C. Hosting npm packages that are consumed by CodeBuild during the build phase.
D. Storing source code archives for use in deployment stages.
E. Hosting static website assets for deployment to S3.
Answers: A, C

CodeArtifact can proxy public repositories.

Why this answer

A: CodeArtifact can proxy public registries to reduce external dependencies. C: It can host npm packages for use in CodeBuild. B is wrong because Docker images are stored in ECR, not CodeArtifact (which supports npm, Maven, PyPI, etc.).

D is wrong because CodeArtifact stores packages, not source code. E is wrong because CodeArtifact does not host static websites.

231
MCQ · medium

A company is implementing a CI/CD pipeline using AWS CodePipeline to deploy a serverless application using the AWS Serverless Application Model (SAM). The pipeline must build and package the application, then deploy it to multiple environments (dev, test, prod) sequentially with manual approval gates before production. Which stage configuration should be used?

A. Use a single CloudFormation stack with a change set approval step
B. Use a CodeBuild build stage to run 'sam package' and 'sam deploy' commands, then separate deploy stages for each environment with manual approval actions
C. Configure CodePipeline with a deploy action provider set to AWS CloudFormation
D. Use CodeDeploy to deploy the SAM template directly to Lambda
Answer: B

This covers packaging and sequential deployments with approvals.

Why this answer

Option B is correct because SAM package and deploy commands can be run in CodeBuild, and multiple deploy stages can be created in CodePipeline with approval actions. Option A is wrong because CloudFormation alone does not handle packaging. Option D is wrong because CodeDeploy is for EC2/ECS, not Lambda.

Option C is wrong because CodePipeline cannot directly deploy SAM templates without a build action to package them.

232
MCQ · easy

A DevOps engineer is setting up an AWS CodePipeline to deploy a web application to an EC2 instance using AWS CodeDeploy. The deployment group uses an in-place deployment configuration. The pipeline's deploy stage fails with the error: 'The overall deployment failed because too many individual instances failed deployment, too few healthy instances are available, or some instances in your deployment group are experiencing problems.' The engineer checks the CodeDeploy logs on the instance and finds that the 'BeforeInstall' lifecycle hook script is failing. The script attempts to download a package from an Amazon S3 bucket that is encrypted with SSE-KMS. What is the MOST likely cause of the failure?

A. The EC2 instance does not have internet access to reach the S3 bucket.
B. The S3 bucket name is misspelled in the 'BeforeInstall' script.
C. The IAM role attached to the EC2 instance lacks the 'kms:Decrypt' permission for the AWS KMS key used to encrypt the S3 object.
D. The CodeDeploy agent does not have permissions to read from the S3 bucket.
Answer: C

Without kms:Decrypt permission, the script cannot download the encrypted object, causing the hook to fail.

Why this answer

The error occurs because the EC2 instance's IAM role lacks the `kms:Decrypt` permission for the AWS KMS key used to encrypt the S3 object. When the `BeforeInstall` script attempts to download the package, the AWS SDK or CLI on the instance must decrypt the object using the KMS key. Without this permission, the download fails, causing the lifecycle hook to fail and the overall deployment to abort due to too many failed instances.

Exam trap

The trap here is that candidates often assume the CodeDeploy agent handles all S3 access, but the script runs under the instance's IAM role, and missing KMS permissions are a common oversight when using encrypted artifacts.

How to eliminate wrong answers

Option A is wrong because the EC2 instance can access S3 via a VPC endpoint or NAT gateway without requiring internet access; the error is specifically about decryption, not network connectivity. Option B is wrong because a misspelled bucket name would cause a 'NoSuchBucket' error, not a KMS-related decryption failure. Option D is wrong because the CodeDeploy agent itself does not directly read from S3; the script runs under the instance's IAM role, and the agent's permissions are separate from the script's S3 access.

233
MCQ · medium

A DevOps team is implementing a CI/CD pipeline using AWS CodePipeline. The pipeline has a Source stage using CodeCommit, a Build stage using CodeBuild, and a Deploy stage using CloudFormation. The team wants to add manual approval before the Deploy stage for production deployments. How should this be configured?

A. Configure a CloudWatch event to send an email on build success.
B. Use a Lambda function to approve based on build status.
C. Add an Approval stage to the pipeline with an SNS topic for notification.
D. Create a separate pipeline for production and trigger it manually.
Answer: C

CodePipeline supports manual approval actions that pause the pipeline.

Why this answer

Option C is correct because CodePipeline has a built-in Approval action type. Option A is wrong because email notifications do not block the pipeline. Option B is wrong because Lambda cannot pause the pipeline.

Option D is wrong because a separate production pipeline adds complexity.

234
Multi-Select · easy

A company is designing a CI/CD pipeline using AWS CodePipeline. They want to automatically run unit tests when a pull request is created in AWS CodeCommit. Which TWO actions should be taken to implement this?

Select 2 answers
A. Include a buildspec file in the repository that defines the unit test commands.
B. Configure a CodePipeline stage that uses the pull request source action.
C. Set up an Amazon CloudWatch Events rule to detect pull request creation and invoke an AWS Lambda function that starts CodeBuild.
D. Add a CodeDeploy deployment group to run the tests on an EC2 instance.
E. Create an AWS CodeBuild project with a webhook trigger that listens to pull request events from CodeCommit.
Answers: A, E

The buildspec file tells CodeBuild how to run the tests.

Why this answer

Option A is correct because the buildspec file defines the commands to run the tests. Option E is correct because CodeBuild can be triggered by pull request events. Option B is wrong because CodePipeline does not natively support pull request triggers from CodeCommit.

Option C is wrong because CloudWatch Events can trigger Lambda, but the direct integration with CodeBuild is simpler. Option D is wrong because CodeDeploy is for deployment, not testing.

235
MCQ · hard

A DevOps engineer is designing a CI/CD pipeline using AWS CodePipeline. The source stage is AWS CodeCommit, and the build stage uses AWS CodeBuild. The pipeline must only trigger on changes to the main branch. However, the engineer notices that the pipeline is also triggering on changes to feature branches that are merged via pull requests. What configuration change should the engineer make to ensure the pipeline only triggers on direct commits to the main branch?

A. Configure the CodeCommit repository to disable events for all branches except main.
B. Add a branch filter in the CloudWatch Events rule that triggers the pipeline, specifying only the main branch.
C. Modify the pipeline's source stage to use a branch name filter, which will ignore events from other branches.
D. Use a Lambda function as a source action to check the branch before starting the build.
Answer: B

Why this answer

Option B is correct because AWS CodePipeline pipelines are triggered by CloudWatch Events rules that monitor CodeCommit repository events. By default, the rule may trigger on all branch changes. Adding a branch filter in the CloudWatch Events rule that specifies only the main branch ensures that only direct commits to main trigger the pipeline, ignoring feature branch merges.

Exam trap

The trap here is that candidates often confuse the pipeline source stage branch filter (which only affects which branch is used as source code) with the CloudWatch Events rule branch filter (which controls which events actually trigger the pipeline), leading them to incorrectly select option C.

Why the other options are wrong

A: CodeCommit does not have a per-branch event setting; events are emitted for all branches.

C: The branch name in the source action only defines which branch to pull; the trigger event still comes from any branch unless filtered at the event rule.

D: This is a workaround but not the standard or efficient solution; the event rule filter is simpler.

236
Drag & Drop · medium

Drag and drop the steps to configure an AWS Elastic Load Balancer (ALB) with HTTPS listeners and target groups.


Why this order

First create the target group, then create the ALB, then configure HTTPS listener, then register targets, then add redirect rule.

237
MCQ · medium

A company uses AWS CodePipeline to orchestrate a multi-stage deployment. The pipeline has a source, build, test, and deploy stage. The test stage runs integration tests against a temporary environment. The team wants to ensure that the deploy stage only runs if the test stage succeeds. What configuration is needed?

A. Add a manual approval action in the test stage that requires a developer to confirm success
B. Set the test stage to retry on failure three times before allowing deploy to proceed
C. No additional configuration needed; the pipeline will not proceed to deploy if the test stage fails
D. Configure the deploy stage to skip if the test stage fails using a condition
Answer: C

By default, CodePipeline stops execution if a stage fails, so deploy will not run.

Why this answer

In AWS CodePipeline, each stage has a status (Succeeded, Failed, InProgress, etc.). By default, the pipeline transitions to the next stage only if the current stage completes with a status of Succeeded. If the test stage fails, the pipeline stops and does not proceed to the deploy stage.

Therefore, no additional configuration is required to enforce this behavior.

Exam trap

The trap here is that candidates may overthink the need for explicit failure handling, not realizing that CodePipeline's default behavior already prevents progression on failure, making options like adding a condition or manual approval unnecessary.

How to eliminate wrong answers

Option A is wrong because adding a manual approval action in the test stage would require a developer to manually confirm success, which is unnecessary and adds overhead; the pipeline already stops on failure. Option B is wrong because setting the test stage to retry on failure three times would still allow the pipeline to proceed to deploy only if the test eventually succeeds; if it fails after retries, the pipeline stops, but retrying does not change the default behavior of not proceeding on failure. Option D is wrong because configuring the deploy stage to skip if the test stage fails is redundant; the pipeline inherently does not proceed to the next stage if the current stage fails, so no explicit skip condition is needed.

238
Multi-Select · medium

An IAM policy is attached to a service role used by AWS CodePipeline. Which TWO statements about this policy are correct?

Select 2 answers
A. The policy allows updating the pipeline definition
B. The policy allows starting any CodeBuild project
C. The policy allows starting a pipeline execution
D. The policy allows reporting job success or failure to CodePipeline
E. The policy allows reading and writing objects to any S3 bucket
Answers: C, D

StartPipelineExecution is allowed for all pipelines (Resource: *).

Why this answer

The policy allows codepipeline:StartPipelineExecution, codepipeline:PutJobSuccessResult and codepipeline:PutJobFailureResult. The PutJob* actions are used by custom actions or Lambda functions to report job status. CodePipeline itself does not call StartPipelineExecution; it is used by external triggers.

The policy does not allow codepipeline:UpdatePipeline, so updating the pipeline definition is not allowed. Option C is correct: the policy allows starting a pipeline execution. Option D is correct: the policy allows reporting success or failure of a job.

Option A is wrong because updating the pipeline is not allowed. Option B is wrong because codebuild:StartBuild is allowed only for the specific project. Option E is wrong because s3:PutObject (and s3:GetObject) is allowed for the artifact bucket, not for any S3 bucket.

239
MCQ · easy

A team wants to automatically deploy a new version of a Lambda function when code is pushed to a CodeCommit repository. Which AWS service should orchestrate this workflow?

A. AWS CodeDeploy
B. AWS CodeBuild
C. AWS CodePipeline
D. AWS CloudFormation
Answer: C

CodePipeline is designed for CI/CD orchestration.

Why this answer

Option C is correct because CodePipeline can orchestrate source, build, and deploy stages. Option A is wrong because CodeDeploy alone cannot monitor CodeCommit. Option D is wrong because CloudFormation is for infrastructure, not continuous deployment.

Option B is wrong because CodeBuild is for building, not deploying.

240
MCQ · hard

A company deploys a serverless application using AWS SAM. The application includes an API Gateway REST API and multiple Lambda functions. The team wants to implement canary deployments for the API to gradually shift traffic to a new version. Which SAM template configuration should be used?

A. Use the CanaryDeployment property on the Serverless::Function resource with a DeploymentPreference
B. Create multiple Lambda function versions and use API Gateway stage variables to switch between them
C. Define the Lambda function with AutoPublishAlias: live and set the API Gateway integration to point to the alias
D. Use AWS CloudFormation's UpdatePolicy with AutoScalingRollingUpdate
Answer: A

CanaryDeployment enables CodeDeploy to shift traffic in increments (e.g., 10% for 5 minutes).

Why this answer

Option A is correct because AWS SAM's `CanaryDeployment` property on the `AWS::Serverless::Function` resource, combined with a `DeploymentPreference` of type `Canary10Percent5Minutes`, enables gradual traffic shifting for API Gateway integrations. This configuration automatically creates a Lambda alias, publishes new versions, and shifts a percentage of API traffic to the new version over a specified time window, all without manual intervention.

Exam trap

The trap here is that candidates often confuse `AutoPublishAlias` with canary deployments, assuming that publishing a new version and pointing an alias to it automatically shifts traffic gradually, when in fact it requires an explicit `DeploymentPreference` with a canary type to enable traffic shifting.

How to eliminate wrong answers

Option B is wrong because manually creating multiple Lambda function versions and using API Gateway stage variables to switch between them is a manual, error-prone approach that does not provide automated canary traffic shifting or rollback capabilities. Option C is wrong because while `AutoPublishAlias: live` creates a Lambda alias and publishes new versions, it does not by itself implement canary deployments; it only points the API Gateway integration to a single alias, requiring additional custom logic for traffic shifting. Option D is wrong because `AWS CloudFormation's UpdatePolicy with AutoScalingRollingUpdate` is designed for Auto Scaling groups or EC2-based rolling updates, not for serverless resources like Lambda functions or API Gateway, and it does not support canary traffic shifting for API endpoints.

241
Multi-Select · easy

Which TWO AWS services can be used as source actions in AWS CodePipeline to automatically trigger a pipeline when changes are made? (Choose two.)

Select 2 answers
A. Amazon CloudWatch
B. Amazon S3
C. Amazon EC2
D. AWS CloudFormation
E. AWS CodeCommit
Answers: B, E

S3 can trigger a pipeline when a new object is uploaded.

Why this answer

Options B and E are correct. S3 and CodeCommit can serve as source actions. Option C is wrong because EC2 is not a source action.

Option A is wrong because CloudWatch is a monitoring service, not a source. Option D is wrong because CloudFormation is an infrastructure provisioning service.

242
MCQ · hard

Refer to the exhibit. A DevOps engineer created this IAM policy for a CodeDeploy service role. The deployment fails with an 'AccessDenied' error when attempting to register instances with an Auto Scaling group. What is the likely cause?

A. The policy does not allow autoscaling:CompleteLifecycleAction.
B. The role is not trusted by the EC2 service.
C. The iam:PassRole action is not scoped to the correct resource.
D. The policy is missing autoscaling:UpdateAutoScalingGroup and autoscaling:SetDesiredCapacity.
Answer: D

CodeDeploy needs these permissions to manage instance registration.

Why this answer

The correct answer is D because the CodeDeploy service role must include permissions for autoscaling:UpdateAutoScalingGroup and autoscaling:SetDesiredCapacity to allow CodeDeploy to register instances with an Auto Scaling group during a deployment. Without these actions, the deployment fails with an 'AccessDenied' error when CodeDeploy attempts to attach instances to the Auto Scaling group or adjust its capacity.

Exam trap

The trap here is that candidates often assume the error is due to missing lifecycle hook permissions (Option A) or a trust relationship issue (Option B), but the actual cause is the lack of specific Auto Scaling write permissions required for instance registration.

How to eliminate wrong answers

Option A is wrong because autoscaling:CompleteLifecycleAction is used for lifecycle hooks, not for registering instances with an Auto Scaling group, and its absence would not cause the described error. Option B is wrong because the role is trusted by CodeDeploy (not EC2), and the error occurs during instance registration with Auto Scaling, not during EC2 instance launch. Option C is wrong because iam:PassRole is used to pass a role to a service, but the error is about Auto Scaling actions, not about passing roles; the policy likely already allows PassRole for the correct resource.

243
MCQ · easy

A team uses AWS CodeBuild to build Docker images and push them to Amazon ECR. The buildspec.yml includes a post_build step that runs a security scan. The team wants to ensure that only images that pass the security scan are tagged as 'latest'. Which approach should be used?

A. Build the image with the 'latest' tag first, then run the security scan. If it fails, delete the 'latest' tag.
B. In the post_build phase, run the security scan, and if it passes, tag the image with 'latest' and push.
C. Use ECR lifecycle policies to remove images that do not pass the security scan.
D. Tag the image with 'latest' only after the build phase, regardless of scan results.
Answer: B

This ensures only passing images get the 'latest' tag.

Why this answer

Option B is correct because it tags the image only after a successful scan. Option A tags before the scan. Option D tags all images, not just passing ones.

Option C relies on ECR lifecycle policies, which are not relevant here.

244
MCQ · easy

A DevOps team is implementing infrastructure as code using AWS CloudFormation. They want to ensure that stack updates are reviewed and approved before execution. Which feature should they use?

A. Drift detection
B. Stack policies
C. StackSets
D. Change Sets
Answer: D

Change Sets allow you to review proposed changes before applying them.

Why this answer

Option D is correct because Change Sets allow you to preview changes before executing them. Option A is wrong because drift detection identifies differences, not updates. Option B is wrong because stack policies prevent updates to specific resources, not overall review.

Option C is wrong because StackSets deploy across accounts; they do not preview changes.

245
Multi-Select · easy

Which TWO criteria must be met for an AWS CloudFormation stack update to be successful? (Choose 2.)

Select 2 answers
A. The update template must be valid and must not contain any syntax errors.
B. The stack must be in a steady state with no previous failed updates.
C. The stack must be in a state that allows updates (e.g., CREATE_COMPLETE, UPDATE_COMPLETE).
D. A change set must be created and executed before the update.
E. The stack must have no drift detected.
Answers: A, C

CloudFormation validates the template before applying changes.

Why this answer

Options A and C are correct. Option A ensures the template is valid and resources are correctly defined. Option C is required to update the stack.

Option B is wrong because you can update a stack that is in a failed state after a previous update. Option D is wrong because CloudFormation does not require a change set; you can update directly. Option E is wrong because drift detection is not a prerequisite.

246
Multi-Select · medium

A DevOps team is implementing a CI/CD pipeline for a microservices architecture. Each microservice is built and deployed independently. The team wants to ensure that only one build runs per microservice at a time to avoid resource contention, and that the build artifacts are stored securely. Which THREE steps should the team take?

Select 3 answers
A. Store build artifacts in AWS CodeArtifact
B. Enable versioning on the S3 bucket storing build artifacts
C. Configure a concurrency limit in the CodeBuild project for each microservice
D. Create a separate CodePipeline for each microservice
E. Enable server-side encryption on the S3 bucket storing build artifacts
Answers: B, C, E

Versioning retains all artifact versions for rollback.

Why this answer

To ensure only one build per microservice at a time, use a concurrency limit in CodePipeline or CodeBuild. CodeBuild supports batch builds and concurrency settings. Secure storage of artifacts can be achieved by encrypting the S3 bucket where artifacts are stored and enabling versioning to retain history.

Option C (concurrency limit) is correct. Option E (encrypt artifacts bucket) is correct. Option B (enable versioning on artifacts bucket) is correct.

Option A is wrong because CodeArtifact is for package management, not build artifacts. Option D is wrong because separate pipelines are not necessary for concurrency control.

247
MCQ · medium

A development team uses AWS CodeCommit for source control. They want to enforce that all commits include a JIRA issue key in the commit message. What is the MOST efficient way to achieve this?

A. Use Amazon CloudWatch Events to detect new commits and invoke a Lambda function to validate the commit message.
B. Implement a pre-commit hook in each developer's local repository.
C. Configure a branch policy on the repository that requires a commit message format.
D. Create a CodeCommit trigger that invokes an AWS Lambda function on every push to validate commit messages.
Answer: D

CodeCommit triggers can invoke Lambda on push events, allowing validation of all commits.

Why this answer

Option D is correct because CodeCommit can trigger a Lambda function on pushes to run custom validation. Option A is wrong because CloudWatch Events can trigger Lambda, but a direct trigger from CodeCommit is simpler. Option B is wrong because pre-commit hooks are client-side and not enforceable.

Option C is wrong because branch policies are for pull requests, not commit messages.

248
Multi-Select · hard

Which TWO actions should a DevOps engineer take to ensure that an AWS CodeBuild project's artifacts are automatically deployed to an Amazon S3 bucket with server-side encryption using AWS KMS? (Choose 2.)

Select 2 answers
A. Enable versioning on the S3 bucket.
B. Configure the S3 bucket policy to require HTTPS for all uploads.
C. In the buildspec.yaml, set the 'artifacts' section to include 'encryptionDisabled: false' and specify the KMS key ID.
D. Enable default encryption on the S3 bucket using SSE-KMS.
E. Grant the CodeBuild service role permission to use the KMS key via the key policy.
Answers: C, E

This configures CodeBuild to encrypt the artifacts with the specified KMS key.

Why this answer

Options C and E are correct. Option C configures the artifacts to be uploaded with KMS encryption. Option E ensures the CodeBuild service role has permission to use the KMS key.

Option A is wrong because enabling versioning does not enforce encryption. Option B is wrong because encryption in transit (HTTPS) does not relate to server-side encryption. Option D is wrong because setting the S3 bucket default encryption does not affect CodeBuild uploads if CodeBuild specifies its own encryption.

249
Multi-Select · hard

A company uses AWS CloudFormation to deploy a multi-tier application. The stack creation fails with a 'CREATE_FAILED' error for a resource. The engineer wants to troubleshoot the issue. Which THREE steps should the engineer take? (Choose THREE.)

Select 3 answers
A. Use the 'describe-stack-events' AWS CLI command to view the events.
B. Review the CloudWatch Logs log group for the stack to find detailed error logs.
C. Check the 'ResourceStatusReason' field of the failed resource in the stack events.
D. Run 'delete-stack' to remove the failed stack and start over.
E. Use the 'describe-stacks' AWS CLI command to get the stack outputs.
Answers: A, B, C

Events show detailed failure messages.

Why this answer

A, B, and C are correct. A: Viewing the events shows failure details. B: CloudFormation logs are in CloudWatch Logs. C: Checking the resource's status reason provides the specific error.

D is incorrect because delete-stack would remove the resources. E is incorrect because describe-stacks is less detailed than the events.

250
MCQmedium

A DevOps team uses AWS CodePipeline to deploy a static website to an Amazon S3 bucket. The pipeline has a source stage (CodeCommit), a build stage (CodeBuild that runs a build tool), and a deploy stage (S3). After a recent code change, the build stage succeeded but the deploy stage failed with the error: 'Access Denied' when uploading artifacts to the S3 bucket. What should the team do to fix the issue?

A.Configure the S3 bucket to allow public access
B.Add 's3:PutObject' permission to the CodePipeline service role
C.Add an S3 bucket policy that grants the CodeBuild service role s3:PutObject access
D.Verify that the CodeCommit repository has the correct permissions for the pipeline
AnswerB

The pipeline role needs S3 write access for the deploy stage.

Why this answer

Option B is correct because the CodePipeline service role needs permission to put objects into the S3 bucket. The error indicates the role used by CodePipeline lacks s3:PutObject permission. Option C is wrong because the build project role is for the build stage, not the deploy stage, and a bucket policy is not the typical issue if the role exists.

Option D is wrong because the error is about the deploy stage, not the source stage.

251
MCQeasy

Which AWS service is primarily used to automate the building, testing, and deployment of code changes to AWS infrastructure based on a defined release process?

A.AWS CodeCommit
B.AWS CodePipeline
C.AWS CodeBuild
D.AWS CodeDeploy
AnswerB

Why this answer

AWS CodePipeline is the correct service because it is a fully managed continuous delivery service that orchestrates the building, testing, and deployment of code changes through a defined release process. It integrates with source control (e.g., CodeCommit, GitHub), build services (e.g., CodeBuild), and deployment services (e.g., CodeDeploy) to automate the entire pipeline from commit to production.

Exam trap

The trap here is that candidates often confuse the individual services (CodeBuild for building, CodeDeploy for deploying) with the orchestrator (CodePipeline) that ties them together, leading them to select a service that performs only one part of the process rather than the full automation of the release process.

Why the other options are wrong

A

CodeCommit is a source control service, not a CI/CD pipeline orchestrator.

C

CodeBuild is a build service that compiles source code and runs tests, but it does not orchestrate the entire release process.

D

CodeDeploy automates code deployment to compute services, but it is not a full pipeline orchestrator.

252
MCQmedium

A company uses AWS CodePipeline to deploy a web application to an Elastic Beanstalk environment. The pipeline has a source stage (S3), a build stage (CodeBuild), and a deploy stage (Elastic Beanstalk). Recently, the deployment started failing with the error 'The Elastic Beanstalk environment is not in a ready state'. The team found that the environment was in an 'Updating' state because a previous deployment was still in progress. They need a solution that prevents concurrent deployments and ensures that the environment is ready before starting a new deployment. Which action should the DevOps engineer take?

A.Increase the deployment timeout in the Elastic Beanstalk environment
B.Disable rolling updates in the Elastic Beanstalk environment
C.Configure a 'Wait for Environment to be Ready' action before the deploy stage
D.Create multiple Elastic Beanstalk environments for blue/green deployment
AnswerC

This action checks the environment status and waits until it is ready.

Why this answer

To prevent concurrent deployments, configure the pipeline with a concurrency limit or a stage that checks the environment status before proceeding. Setting the Elastic Beanstalk environment's 'Rolling update type' to 'Immutable' together with a manual approval gate would also work, but the best practice is a CodePipeline action that waits for the environment to be ready. Option C is correct.

Option A (increase timeout) does not prevent concurrent deployments. Option D (multiple environments) adds complexity. Option B (disable rolling updates) may cause downtime.

253
MCQeasy

A team wants to automate the deployment of a serverless application using AWS SAM. They have a template.yaml file defining Lambda functions, an API Gateway, and a DynamoDB table. Which command should they use to build and deploy the application?

A.aws cloudformation deploy --template-file template.yaml
B.sam package --output-template-file packaged.yaml
C.sam build && sam deploy
D.sam deploy --guided
AnswerC

sam build prepares the application, and sam deploy deploys it using CloudFormation.

Why this answer

Option C is correct because 'sam build' compiles the application and 'sam deploy' deploys it. Option A is wrong because 'aws cloudformation deploy' does not build the SAM artifacts. Option B is wrong because 'sam package' only packages code; it does not build or deploy.

Option D is wrong because 'sam deploy --guided' is interactive and not suitable for automation.

254
MCQhard

A DevOps engineer runs the above AWS CLI commands and notices that the CodeBuild project 'my-project' exists but builds fail with the error 'Access Denied' when trying to fetch source code from CodeCommit. The IAM role 'CodeBuildServiceRole' has a policy that allows 'codecommit:GitPull' on all repositories. What is the most likely cause of the failure?

A.The IAM role does not have permissions to access the CodeCommit repository.
B.The IAM role does not have a trust policy that allows CodeBuild to assume the role.
C.The CodeCommit repository does not exist.
D.The source location in the build project is incorrect.
AnswerB

CodeBuild must be able to assume the role via trust policy.

Why this answer

The error 'Access Denied' when CodeBuild tries to fetch source code from CodeCommit typically indicates that the IAM role CodeBuild is using does not have the necessary permissions to perform the action. Even though the role 'CodeBuildServiceRole' has a policy allowing 'codecommit:GitPull', the role itself must have a trust policy that allows the CodeBuild service to assume it. Without a proper trust policy, CodeBuild cannot assume the role, and any attached permissions are irrelevant, leading to an access denied error.

Exam trap

The trap here is that candidates often focus on the IAM policy permissions (e.g., 'codecommit:GitPull') and overlook the necessity of a trust policy, assuming that if the policy allows the action, the role is automatically usable by the service.

How to eliminate wrong answers

Option A is wrong because the IAM role does have a policy that allows 'codecommit:GitPull' on all repositories, so the permissions are present; the issue is that the role cannot be assumed. Option C is wrong because the problem states the CodeBuild project 'my-project' exists and the error occurs when fetching source code, implying the repository exists; if it didn't, the error would be 'RepositoryNotFound' or similar. Option D is wrong because an incorrect source location would typically result in a 'RepositoryNotFound' or 'InvalidSourceLocation' error, not an 'Access Denied' error.

255
Multi-Selecthard

A DevOps engineer is designing a deployment pipeline for a serverless application using AWS SAM. The pipeline must include the following stages: source, build, deploy to a development environment, run integration tests, and promote to production after manual approval. Which AWS services and features should be used to implement this pipeline? (Choose two.)

Select 2 answers
A.AWS CodeDeploy for deploying the SAM application.
B.AWS CodePipeline to orchestrate the pipeline stages.
C.AWS CodeCommit to build the SAM application.
D.AWS CodeBuild to run the SAM build, package, and test commands.
AnswersB, D

Why this answer

AWS CodePipeline is the correct service for orchestrating the pipeline stages because it provides native support for defining source, build, deploy, test, and manual approval stages in a sequential workflow. It integrates directly with AWS SAM and can trigger builds and deployments based on source code changes, making it the ideal orchestrator for this multi-stage pipeline.

Exam trap

The trap here is that candidates often confuse AWS CodeDeploy with the deployment mechanism for SAM applications, not realizing that SAM deployments are actually handled through AWS CloudFormation (via CodeBuild or CodePipeline), not CodeDeploy directly.

Why the other options are wrong

A

SAM applications are deployed via CloudFormation, not CodeDeploy.

C

CodeCommit is a source control service, not a build service.

256
MCQeasy

A development team uses AWS CodeCommit to store source code and AWS CodePipeline to automate builds and deployments. The team wants to ensure that every commit to the main branch triggers a build and deployment to a test environment. Which action should be taken?

A.Create a CodeBuild project that watches the main branch and starts a pipeline.
B.Use AWS Lambda to poll the repository and start the pipeline on new commits.
C.Set up an Amazon CloudWatch Events rule that matches commits to the main branch and targets the CodePipeline.
D.Configure the source stage of the CodePipeline to use the CodeCommit repository and specify the main branch.
AnswerD

This directly triggers the pipeline on commits to main.

Why this answer

Option D is correct because CodePipeline can be configured with a source stage that uses CodeCommit to detect changes on a specific branch and automatically start the pipeline. Option A is wrong because CodeBuild does not monitor branches. Option C is wrong because, although CloudWatch Events can also trigger pipelines, the simplest and most direct method is configuring the source stage in CodePipeline.

Option B is wrong because a polling Lambda function is unnecessary; the pipeline can be triggered directly.

257
MCQeasy

A developer wants to automatically deploy a new version of an AWS Lambda function whenever code is pushed to a specific branch in AWS CodeCommit. Which combination of services should be used?

A.AWS CodeCommit, Amazon EventBridge, AWS CodePipeline
B.AWS CodeCommit, Amazon S3, AWS Lambda
C.AWS CodeCommit, AWS CodeBuild
D.AWS CodeCommit, Amazon CloudWatch Logs
AnswerA

EventBridge can detect CodeCommit push events and trigger CodePipeline.

Why this answer

Option A is correct because CodeCommit triggers an EventBridge event, which can invoke a pipeline or Lambda. Option B is incorrect because S3 is not needed. Option C is incorrect because CodeBuild alone does not deploy.

Option D is incorrect because CloudWatch Logs is for monitoring.

258
MCQmedium

Refer to the exhibit. A DevOps engineer runs this AWS CLI command to list all CodeBuild projects with 'production' in their name. The command returns an empty list, but the engineer knows there are projects named 'production-app' and 'production-backend'. What is the most likely reason?

A.The IAM user does not have list-projects permission.
B.The AWS CLI is not configured with valid credentials.
C.The --query parameter syntax is incorrect.
D.The region specified is incorrect.
AnswerC

The JMESPath query is malformed; it should be something like 'projects[?contains(@, `production`)]'.

Why this answer

Option C is correct because the --query parameter uses JMESPath syntax, and the filter expression in the exhibit is written incorrectly. 'list-projects' returns project names as plain strings, so the filter must test the current element (@), as in 'projects[?contains(@, `production`)]', rather than a named field. The empty result indicates the query matched nothing because of the syntax error, not because the projects don't exist.

Exam trap

The trap here is that candidates assume an empty list means no matching projects exist, rather than suspecting a query syntax error, especially when the command otherwise runs without errors.

How to eliminate wrong answers

Option A is wrong because if the IAM user lacked the `codebuild:ListProjects` permission, the CLI would return an 'AccessDenied' error, not an empty list. Option B is wrong because invalid credentials would produce an authentication error (e.g., 'Unable to locate credentials' or 'ExpiredToken'), not an empty list. Option D is wrong because the `list-projects` command returns all projects in the account regardless of region; the region parameter only affects the endpoint used, not the project list scope.

259
Multi-Selecthard

A DevOps team is using AWS CloudFormation to deploy a three-tier web application. The stack includes an Application Load Balancer, an Auto Scaling group, and an RDS database. They want to update the stack to change the instance type of the Auto Scaling group without downtime. Which three steps should they take? (Choose THREE.)

Select 3 answers
A.Create a new Auto Scaling group with the new instance type and attach it to the load balancer, then delete the old group.
B.Modify the RDS instance type to match the new EC2 instance type for consistency.
C.Update the Auto Scaling group's launch template or launch configuration to specify the new instance type.
D.Terminate all instances in the Auto Scaling group before updating the launch configuration.
E.Perform a rolling update with a batch size of 1 and a pause time.
AnswersA, C, E

Blue/green deployment avoids downtime.

Why this answer

Option E is correct because a rolling update with a batch size of 1 and a pause time minimizes downtime while instances are replaced. Option C is correct because updating the launch template with the new instance type is necessary. Option A is correct because creating a new Auto Scaling group first allows a blue/green approach.

Option D is wrong because terminating all instances at once causes downtime. Option B is wrong because modifying the RDS instance type is not part of the change.

260
MCQhard

A company uses AWS CodePipeline with a GitHub source action. They want to automatically start the pipeline when a pull request is merged to the main branch. However, the pipeline also starts on every push to any branch. How can they limit the pipeline to only trigger on push events to the main branch?

A.Use a Lambda function as a source action instead of GitHub.
B.Create a GitHub webhook manually and point it to a Lambda function that starts the pipeline only for main branch pushes.
C.Configure the source action's 'Branch' field to 'main' and set 'PollForSourceChanges' to false, and use a webhook with filters.
D.Add a condition in the pipeline's first stage to check the branch name.
AnswerC

This ensures only push events to main trigger the pipeline.

Why this answer

Option C is correct because the GitHub source action supports configuring branch and event filters, such as 'push' and 'pull_request' with specific branches. Option B is wrong because the webhook is managed by CodePipeline; filters are configured within the pipeline definition. Option A is wrong because the source action can filter on branch without a Lambda.

Option D is wrong because CodePipeline does not have a branch filter condition in a stage; filtering is configured in the source action.

261
MCQmedium

Refer to the exhibit. A team uses this buildspec.yml file in AWS CodeBuild. After the build, they expect the artifacts to be placed in a folder structure, but all files are in the root of the output artifact. What is the reason?

A.The 'files' section only includes '**/*' which does not preserve paths.
B.The 'discard-paths' option is set to 'yes', which flattens the directory structure.
C.The 'base-directory' is not specified, so CodeBuild uses the root of the build output.
D.The 'name' property is missing, causing artifacts to be stored without structure.
AnswerB

When discard-paths is yes, all files are placed in the root without preserving paths.

Why this answer

Option B is correct because 'discard-paths: yes' flattens the structure. Option A is wrong because '**/*' only selects which files to include; paths are preserved unless 'discard-paths' is set. Option C is wrong because leaving 'base-directory' unset does not flatten the structure.

Option D is wrong because the 'name' property does not affect the directory structure; paths would be preserved if 'discard-paths' were 'no'.

262
Multi-Selecthard

A company is using AWS CodePipeline with multiple stages: Source (GitHub), Build (CodeBuild), Test (CodeBuild), and Deploy (CloudFormation). The deployment stage is failing intermittently with a 'Rate exceeded' error. The team needs to reduce deployment failures. Which TWO actions should the team take?

Select 2 answers
A.Implement a manual approval step before deployment to stagger multiple pipeline executions.
B.Use exponential backoff and retry in the deployment action.
C.Increase the timeout of the deploy action.
D.Enable CloudWatch detailed monitoring for the deployed resources.
E.Change the deployment to use an in-place deployment type.
AnswersA, B

Staggering deployments reduces concurrent API calls.

Why this answer

Option A reduces the chance of hitting API rate limits. Option B implements retry logic. Option E is not related to rate limits.

Option C could cause new issues. Option D is irrelevant.

263
MCQeasy

A DevOps engineer is configuring a webhook trigger in AWS CodePipeline to automatically start a pipeline when changes are pushed to a specific branch in a CodeCommit repository. The webhook is created and the trigger is set to the 'main' branch. However, when a developer pushes a commit to the 'main' branch, the pipeline does not start. What is the MOST likely reason?

A.The webhook is not properly registered with CodeCommit due to a conflict with an existing webhook.
B.The CodeCommit repository is set to send events to Amazon S3, which conflicts with the webhook.
C.The pipeline requires an Amazon SNS notification to be configured for the trigger to work.
D.The CloudWatch Events rule that triggers the pipeline on repository changes is not configured.
AnswerD

CodePipeline webhooks rely on CloudWatch Events to detect changes; without the rule, the pipeline won't start.

Why this answer

Option D is correct because CodePipeline webhooks use Amazon CloudWatch Events (EventBridge) to detect changes; if the CloudWatch Events rule is missing, the webhook won't trigger the pipeline. Option A is incorrect because multiple webhooks can exist. Option C is incorrect because webhooks do not require SNS.

Option B is incorrect because S3 notifications are for S3 sources, not CodeCommit.

264
MCQhard

You are a DevOps engineer at a company that runs a critical web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The application is deployed using AWS CodeDeploy with an in-place deployment strategy. The deployment group contains 10 EC2 instances in an Auto Scaling group. Recently, a deployment failed with the error 'The overall deployment failed because too many individual instances failed deployment.' You check the CodeDeploy agent logs on one of the failed instances and see the error 'Script at /opt/codedeploy-agent/deployment-root/deployment-logs/scripts/application_start.sh failed with exit code 1.' The application_start.sh script is part of the AppSpec file. The script attempts to restart the web server. You notice that the script uses a path that exists only on some instances. What should you do to resolve this issue and prevent future failures?

A.Increase the deployment timeout in CodeDeploy.
B.Modify the application_start.sh script to check for the existence of the path before running the restart command.
C.Remove the application_start.sh script from the AppSpec file.
D.Reinstall the CodeDeploy agent on all instances.
AnswerB

Adding a check prevents failure when the path does not exist.

Why this answer

Option B is correct because the script should check whether the path exists before using it, preventing the failure. Option A is wrong because increasing the timeout does not fix the script logic. Option D is wrong because the failure is caused by the script, not the agent.

Option C is wrong because the script should be fixed, not bypassed.

265
MCQmedium

Refer to the exhibit. Despite scaling up, CPU utilization remains high. What is the MOST likely cause?

A.The instance type t2.micro is too small for the application.
B.The desired capacity is not updated by the scaling policy.
C.The user data script fails to start the application on new instances.
D.The CloudWatch alarm is configured with a threshold different from the target tracking policy's target.
AnswerD

The alarm triggers at 60%, but the target is 50%, causing the scaling policy to not activate correctly or causing conflicts.

Why this answer

The scaling policy uses target tracking with a target of 50%, but the alarm triggers at 60%, which is inconsistent and may cause the scaling to not respond appropriately. Also, with target tracking, the ASG should scale to bring CPU to 50%, but it stays at 70%, suggesting the scaling policy is not being honored or there is an issue with the policy.

266
MCQmedium

Your organization uses AWS CodePipeline to orchestrate a multi-stage pipeline for a Java application. The pipeline has a source stage (Amazon S3), a build stage (CodeBuild), and a deploy stage (CodeDeploy to EC2). Recently, the build stage started failing with the error 'BUILD_CONTAINER_UNABLE_TO_PULL_IMAGE'. The build project uses a managed image for Java. You checked the CodeBuild project settings and confirmed that the image is correct. No changes were made to the build project. What is the most likely cause?

A.The S3 bucket policy has been changed to deny access.
B.The build project's environment variables are incorrectly configured.
C.The Docker image specified in the build project is no longer available or the registry is unreachable.
D.The buildspec.yml file contains invalid syntax.
AnswerC

The image pull failure indicates registry issues.

Why this answer

Option C is correct because the managed image may have been updated or the registry may be unreachable, so the image pull fails. Option A is wrong because the failure is in pulling the build image, not in reading the S3 source. Option D is wrong because the buildspec is not the cause of an image pull failure.

Option B is wrong because the environment variables are not related to pulling the image.

267
MCQmedium

A company uses AWS CodePipeline with an S3 source action and a CodeBuild project. The pipeline fails intermittently during the build stage with an error indicating that the source code archive is corrupt. Which action should the DevOps engineer take to resolve this issue?

A.Increase the timeout for the CodeBuild project.
B.Enable versioning on the S3 bucket and use versioned objects in the pipeline.
C.Configure the pipeline to use AWS CodeCommit as the source instead of S3.
D.Add a manual approval step before the build stage.
AnswerB

Versioning prevents corruption issues by preserving object versions.

Why this answer

Enabling versioning on the S3 bucket ensures that object versions are preserved, preventing corruption from overwrites. Option B is correct because using an S3 source with versioning guarantees that the pipeline always retrieves the correct version.

268
MCQeasy

A company uses AWS CodeCommit for source control. Developers report that their local branches are out of sync with the remote repository, and they are unable to push changes because of 'non-fast-forward' errors. What should the developers do to fix this?

A.Create a new branch and push that instead.
B.Use 'git push --force' to overwrite the remote branch.
C.Pull the latest changes using 'git pull --rebase' and then push.
D.Delete the remote branch and push again.
AnswerC

Rebase applies local commits on top of remote changes, allowing fast-forward.

Why this answer

Option C is correct because 'non-fast-forward' means the remote branch has commits not in the local branch; 'git pull --rebase' integrates the remote changes before pushing. Option B is wrong because a force push overwrites remote commits. Option D is wrong because deleting the remote branch is not needed.

Option A is wrong because creating a new branch does not resolve the conflict.

269
MCQeasy

A DevOps engineer needs to automate the creation of an Amazon ECS cluster using AWS CloudFormation. The cluster will run a web application that requires a load balancer. Which resource should be used to define the ECS cluster?

A.AWS::ECS::Service
B.AWS::ECS::TaskDefinition
C.AWS::ECS::ContainerInstance
D.AWS::ECS::Cluster
AnswerD

This resource defines an ECS cluster.

Why this answer

Option D is correct because AWS::ECS::Cluster is the CloudFormation resource for an ECS cluster. Option A is wrong because AWS::ECS::Service is for running tasks. Option B is wrong because AWS::ECS::TaskDefinition defines the task.

Option C is wrong because AWS::ECS::ContainerInstance is not a CloudFormation resource; instances are managed by Auto Scaling.

270
MCQmedium

Refer to the exhibit. A CodePipeline service role has this IAM policy attached. The pipeline's deploy stage uses CodeDeploy to perform an ECS blue/green deployment. The deployment fails with an access denied error. What is the MOST likely missing permission?

A.ecs:RegisterTaskDefinition
B.codedeploy:CreateDeployment
C.ecs:UpdateService
D.ecs:CreateService
AnswerC

Required to update the service with a new task definition during deployment.

Why this answer

Option C is correct because ECS blue/green deployments require the 'ecs:UpdateService' permission to update the service with the new task definition. The policy only allows 'ecs:DescribeServices'. Option A is not needed for blue/green.

Option B is needed but already allowed. Option D is not a standard action.

271
MCQhard

A company uses AWS CodePipeline to deploy a serverless application using AWS SAM. The pipeline has a source stage from CodeCommit, a build stage that runs 'sam build', and a deploy stage that runs 'sam deploy --no-confirm-changeset'. The deploy stage fails with the error 'The security token included in the request is invalid.' What is the MOST likely cause?

A.The CloudFormation stack is in a 'ROLLBACK_COMPLETE' state and cannot be updated.
B.The CodeBuild project does not have access to the CodeCommit repository.
C.The IAM role used by CodeBuild has expired credentials or insufficient permissions to call AWS CloudFormation.
D.The SAM template is invalid and contains syntax errors.
AnswerC

Expired or invalid credentials result in a 'security token invalid' error.

Why this answer

Option C is correct because 'sam deploy --no-confirm-changeset' makes CloudFormation API calls non-interactively, and if the credentials used by CodeBuild are expired or invalid, this error occurs. Option D is incorrect because SAM template syntax errors cause different errors. Option A is incorrect because a CloudFormation stack state problem does not cause token errors.

Option B is incorrect because access to the CodeCommit repository does not affect the deploy stage.

272
MCQmedium

Refer to the exhibit. An IAM policy is attached to a user who needs to start a CodePipeline pipeline and view its details. The user reports that they cannot see the pipeline in the AWS Management Console. What is the MOST likely reason?

A.There is an explicit deny statement elsewhere that is overriding the allow.
B.The user does not have permission to start the pipeline execution.
C.The pipeline ARN is incorrect.
D.The policy does not include the codepipeline:ListPipelines action, which is needed to view pipelines in the console.
AnswerD

ListPipelines is required to list pipelines in the console.

Why this answer

Option D is correct because the policy only allows specific actions on a specific resource, but the console also requires the codepipeline:ListPipelines action to list pipelines. Without ListPipelines, the user cannot see the pipeline in the console. Option B is wrong because the actions are allowed.

Option A is wrong because there is no explicit deny. Option C is wrong because the pipeline exists.

273
MCQhard

You are a DevOps engineer for a company that runs a containerized microservices application on Amazon ECS with Fargate. The CI/CD pipeline uses AWS CodePipeline, with CodeBuild for building Docker images and pushing them to Amazon ECR, and CodeDeploy for deploying to ECS. The pipeline has a manual approval step before production deployment. Recently, the production deployment failed after approval, with the error: 'The service my-service could not be deployed because the task definition arn:aws:ecs:us-east-1:123456789012:task-definition/my-task:5 references an image that does not exist in the repository.' The image was built and pushed successfully in the Build stage. The task definition is updated by CodeDeploy to reference the new image URI. The ECS service is configured with 'deploymentController: CODE_DEPLOY' and uses a blue/green deployment. The CodeDeploy deployment group uses a 'Lambda' compute platform (incorrectly set). The pipeline uses the default CodeDeploy provider for ECS. What is the most likely cause of the failure?

A.The CodeDeploy deployment group's compute platform is set to 'Lambda' instead of 'ECS'.
B.The manual approval step changed the task definition ARN to a previous version.
C.The ECR repository has a lifecycle policy that expired the image tag before deployment.
D.The CodePipeline is not configured to use the CodeDeploy provider for ECS.
AnswerA

Incorrect compute platform causes deployment failure.

Why this answer

Option A is correct because CodeDeploy for ECS requires the compute platform to be 'ECS' (or 'Server' for EC2), not 'Lambda'. Setting it to 'Lambda' causes the deployment to fail because it tries to use a Lambda deployment configuration. Option C is wrong because the image was pushed successfully.

Option D is wrong because the pipeline does use the CodeDeploy provider. Option B is wrong because the approval step is manual and would not change the task definition reference.

274
MCQeasy

A development team is using AWS CodeCommit as a source control repository. They want to automate code builds and run unit tests every time a developer pushes code to the 'develop' branch. Which AWS service should they use to trigger the build automatically?

A.Create an AWS CodePipeline with CodeCommit as source and CodeBuild as build stage, configured to start on source changes.
B.Set up AWS CodeDeploy to run builds on code push.
C.Configure AWS CodeCommit to invoke AWS CodeBuild directly.
D.Use Amazon CloudWatch Events to detect a push to CodeCommit and trigger AWS CodeBuild.
AnswerA

CodePipeline can automatically start when a change is pushed to the repository.

Why this answer

Option A is correct because AWS CodePipeline can be configured to start on CodeCommit source changes and trigger a build in CodeBuild on every push. Option C is wrong because CodeCommit itself does not run builds. Option D is wrong because CloudWatch Events can trigger on repository events but is not the direct service for build automation.

Option B is wrong because CodeDeploy is for deployment, not building.

275
MCQmedium

A company uses AWS CodePipeline to deploy a microservices application to Amazon ECS. The pipeline has a source stage (CodeCommit), a build stage (CodeBuild), and a deploy stage (CodeDeploy). Recently, deployments have been failing intermittently during the deploy stage with the error: 'The service has reached its maximum number of running tasks.' How should a DevOps engineer resolve this issue?

A.Increase the memory reservation for the task definition
B.Update the ECS service configuration to increase the maximum number of tasks
C.Configure an Amazon ECS Service Auto Scaling policy to scale out
D.Increase the number of concurrent deployments allowed in CodeDeploy
AnswerB

Directly resolves the error by allowing more tasks.

Why this answer

Option B is correct because the error indicates that the ECS service's desired count or maximum task limit has been reached. Updating the service to increase the maximum number of tasks resolves the issue. Option D is wrong because CodeDeploy does not have a deployment limit that causes this error.

Option C is wrong because scaling policies are for auto scaling, not for the error about maximum tasks. Option A is wrong because the issue is not related to insufficient memory but to task count limits.

276
Multi-Selectmedium

A company uses AWS CodeDeploy for deploying applications to an Auto Scaling group of Amazon EC2 instances. The deployment is failing with the error 'The overall deployment failed because too many individual instances failed deployment, too few healthy instances are available, or some instances in your deployment group are experiencing problems.' Which two actions should the DevOps engineer take to troubleshoot and resolve the issue? (Choose two.)

Select 2 answers
A.Check the CodeDeploy agent logs on the failed instances to identify script errors or missing dependencies.
B.Increase the size of the Auto Scaling group to ensure more instances are available.
C.Verify that the deployment group's Auto Scaling group has the correct tags and that the instances have the CodeDeploy agent installed.
D.Change the deployment configuration to 'CodeDeployDefault.AllAtOnce' to bypass the error.
E.Redeploy the application using a different revision.
AnswersA, C

Why this answer

Option A is correct because the CodeDeploy agent log on each instance (on Linux, /var/log/aws/codedeploy-agent/codedeploy-agent.log, with per-deployment script output under /opt/codedeploy-agent/deployment-root/) records exactly why a lifecycle hook failed: script errors, missing dependencies, or permission problems. The agent executes the AppSpec lifecycle hooks and reports results back to the CodeDeploy service, so these logs are the first place to look. Option C is correct because the deployment group selects instances by Auto Scaling group or tags; an instance that is targeted but has no running agent never reports back and is counted as a failed instance.

Exam trap

The trap here is that candidates often jump to scaling or configuration changes (like AllAtOnce) without first checking the instance-level logs, which are the definitive source for diagnosing deployment failures in CodeDeploy.

Why the other options are wrong

B

Increasing the group size adds instances that will fail for the same reason; it does not address the underlying cause and may only mask it.

D

AllAtOnce changes how many instances are deployed to at a time, not why they fail; it can take every instance out of service at once and cause downtime.

E

Redeploying a different revision does not address why the instances fail; the same instance-level problem recurs until the root cause is fixed.

277
MCQhard

A company uses AWS CodeBuild to run security scans. The scans require access to a private Amazon ECR repository. The build project is configured with a service role. What is the correct way to provide access to ECR?

A.Set environment variables with ECR credentials in the build project.
B.Configure the ECR repository policy to allow access from the CodePipeline service role.
C.Include the ECR credentials in the buildspec file.
D.Attach an IAM policy to the CodeBuild service role that allows ECR operations.
AnswerD

The service role is the correct place to grant permissions to the build project.

Why this answer

Option D is correct because CodeBuild uses an IAM service role to define the permissions granted to the build environment. By attaching an IAM policy that allows ECR operations (such as ecr:GetDownloadUrlForLayer, ecr:BatchGetImage, and ecr:GetAuthorizationToken) to the CodeBuild service role, the build project can authenticate and pull images from the private ECR repository without needing to embed or manage static credentials.

Exam trap

The trap here is that candidates often think they need to embed credentials (options A or C) or rely on another service's role (option B), when the correct approach is to attach the necessary IAM policy directly to the CodeBuild service role.

How to eliminate wrong answers

Option A is wrong because setting environment variables with ECR credentials (e.g., access keys) is insecure and unnecessary; CodeBuild should never require long-term credentials when a service role can be used. Option B is wrong because the CodePipeline service role is not involved in the CodeBuild build process; the ECR repository policy could allow access from the CodeBuild service role's principal, but the question specifically asks about the CodeBuild project's access, and the repository policy alone does not grant the CodeBuild service role the required permissions. Option C is wrong because including ECR credentials in the buildspec file would expose sensitive information in plaintext and violates security best practices; the buildspec should rely on the service role's IAM permissions.

278
MCQmedium

A company uses AWS CodePipeline to deploy a web application to an Elastic Beanstalk environment. The pipeline has a source stage from CodeCommit, a build stage using CodeBuild, and a deploy stage to Elastic Beanstalk. Recently, deployments started failing with an error: 'The deployment failed because the Elastic Beanstalk environment is in an UPDATE_ROLLBACK_IN_PROGRESS state.' What is the MOST likely cause?

A.The buildspec.yml file contains an invalid command that prevents artifact generation
B.A previous deployment failed and triggered an automatic rollback, leaving the environment in an unstable state
C.A CloudWatch alarm is blocking the deployment due to high error rates
D.Insufficient IAM permissions for CodePipeline to pull source code from CodeCommit
AnswerB

Elastic Beanstalk provisions each environment through a CloudFormation stack; while a failed update is being rolled back, the environment reports UPDATE_ROLLBACK_IN_PROGRESS and rejects new deployments until the rollback completes.

Why this answer

Option B is correct because a failed previous deployment leaves the environment's underlying stack rolling back, and Elastic Beanstalk refuses new deployments until that rollback finishes. Option A is wrong because an invalid buildspec command fails the build stage, so the deploy stage would never run. Option C is wrong because CloudWatch alarms do not gate Elastic Beanstalk deployments.

Option D is wrong because missing CodeCommit permissions fail the source stage, not the deploy stage.

279
MCQhard

A DevOps engineer is designing a CI/CD pipeline that must enforce a policy: any change to the production branch in CodeCommit must be reviewed and approved by two senior developers before the change can be merged. The pipeline must also automatically build and deploy to a staging environment after approval. Which combination of AWS services and configurations should be used?

A.Configure CodeBuild to run a script that checks the commit author and rejects if not approved
B.Use Amazon EventBridge to trigger a Lambda function that validates the number of approvers before merging
C.Use IAM policies to restrict write access to the production branch to only senior developers
D.Use CodeCommit pull request approval rules and a CodePipeline with a manual approval step triggered by a Lambda function that checks approval status
AnswerD

Approval rules enforce the two-approval requirement at merge time; the pipeline then builds and deploys to staging.

Why this answer

Option D is correct because CodeCommit approval rules (normally applied through an approval rule template that names an approval pool and a NumberOfApprovalsNeeded) block a pull request from being merged into the production branch until the required number of pool members have approved. CodePipeline then picks up the merged commit, and a Lambda function can read the pull request's approval state through the CodeCommit API and release the pipeline's approval action, so the staging deployment proceeds without a human clicking the button. Option A is wrong because a CodeBuild script runs after the change is already in the repository and checks only the author; it cannot enforce that two other people reviewed it.

Option B is wrong because an EventBridge-triggered Lambda can observe and report approvals but cannot prevent the merge; the enforcement has to be a CodeCommit approval rule. Option C is wrong because IAM write restrictions control who may push, not whether a change was reviewed by two senior developers.
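The approval rule and the pipeline-side check described above, as an added example rather than code from the exam page or from AWS. The account ID, role name, branch, and the event fields the handler reads are assumptions; APPROVAL_RULE_TEMPLATE follows the approval rule template content format, and SAMPLE_STATES is constructed in the shape of a GetPullRequestApprovalStates response so the decision logic can be exercised offline.

```python
"""Two senior-developer approvals on a CodeCommit production branch,
checked from a Lambda function before a pipeline approval is released.
Added example; not code from the exam page or from AWS."""
import fnmatch

ACCOUNT = "123456789012"  # made-up account

# Approval rule template content: merges into refs/heads/production need two
# approvals from members of the pool. The pool entry ends in /* so any
# session of the SeniorDeveloper role qualifies; a bare role ARN would not
# match the assumed-role session ARN that CodeCommit records for the user.
APPROVAL_RULE_TEMPLATE = {
    "Version": "2018-11-08",
    "DestinationReferences": ["refs/heads/production"],
    "Statements": [{
        "Type": "Approvers",
        "NumberOfApprovalsNeeded": 2,
        "ApprovalPoolMembers": [
            f"arn:aws:sts::{ACCOUNT}:assumed-role/SeniorDeveloper/*",
        ],
    }],
}


def approvals_satisfied(approval_states, rule=APPROVAL_RULE_TEMPLATE):
    """Return (satisfied, count) for the rule's first Approvers statement.

    Only users whose ARN matches a pool member pattern count, and only while
    their current state is APPROVE; a REVOKE, or an approval from someone
    outside the pool, contributes nothing. CodeCommit applies the same rule
    itself at merge time; this mirrors it so the pipeline-side check is
    readable and testable."""
    stmt = rule["Statements"][0]
    pool = stmt["ApprovalPoolMembers"]
    needed = stmt["NumberOfApprovalsNeeded"]
    approvers = {
        entry["userArn"]
        for entry in approval_states.get("approvals", [])
        if entry.get("approvalState") == "APPROVE"
        and any(fnmatch.fnmatchcase(entry["userArn"], p) for p in pool)
    }
    return len(approvers) >= needed, len(approvers)


# Constructed sample: one valid approval, one from outside the pool, one
# revoked. Not enough to merge.
SAMPLE_STATES = {
    "approvals": [
        {"userArn": f"arn:aws:sts::{ACCOUNT}:assumed-role/SeniorDeveloper/alice",
         "approvalState": "APPROVE"},
        {"userArn": f"arn:aws:sts::{ACCOUNT}:assumed-role/Developer/bob",
         "approvalState": "APPROVE"},
        {"userArn": f"arn:aws:sts::{ACCOUNT}:assumed-role/SeniorDeveloper/carol",
         "approvalState": "REVOKE"},
    ]
}


def handler(event, context=None):
    """Lambda target for the CodeCommit pull request approval-state event.

    Reads the live approval state and reports whether the rule is met; a
    follow-up step then calls codepipeline:PutApprovalResult with the token
    from GetPipelineState to release the pipeline's approval action."""
    import boto3  # imported here so the logic above is importable offline
    detail = event["detail"]  # assumed to carry pullRequestId and revisionId
    cc = boto3.client("codecommit")
    states = cc.get_pull_request_approval_states(
        pullRequestId=detail["pullRequestId"],
        revisionId=detail["revisionId"],
    )
    ok, count = approvals_satisfied(states)
    return {"approved": ok, "approvals": count}
```

The pool member pattern is the detail that trips people up in practice: approvals are recorded against the caller's assumed-role session ARN, so a pool that lists the IAM role ARN without the trailing /* never matches and the rule can never be satisfied.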

280
MCQmedium

A DevOps team uses AWS CodePipeline to deploy a microservices application. The pipeline includes a CodeBuild project that runs unit tests. Recently, builds have been failing intermittently due to test timeouts. The team wants to improve the reliability of the pipeline without increasing the build timeout. Which action should the team take?

A.Increase the build timeout to the maximum allowed value of 8 hours.
B.Use AWS CodeDeploy to run the unit tests on EC2 instances with more CPU and memory.
C.Modify the unit tests to be non-flaky by adding retries for network calls.
D.Configure the CodeBuild project to run tests in parallel by using separate build environments or test splits.
AnswerD

Running tests in parallel can reduce total test execution time, helping to avoid timeouts without changing the timeout setting.

Why this answer

Option D is correct because splitting the test suite across parallel CodeBuild runs (batch builds, or separate build actions each running a slice of the tests) shortens the wall-clock time of each build, so the existing timeout is no longer reached. Option A merely raises the timeout, which the team ruled out and which hides slow tests rather than fixing them. Option C addresses flaky network calls, which is worthwhile, but retries lengthen runs and do not remove the timeout problem.

Option B moves unit tests into CodeDeploy, which is a deployment service and not designed to run test suites.

281
Multi-Selecthard

A company uses AWS CodeBuild to run security scans on code. The scan requires access to a private Amazon ECR repository for downloading scanning tools. The CodeBuild project is configured with a VPC and uses an IAM role. However, the build fails with 'Error: unable to pull image from registry.' Which TWO steps should be taken to resolve this?

Select 2 answers
A.Change the ECR repository policy to allow public access.
B.Remove the VPC configuration from the CodeBuild project so it can access the public internet.
C.Add 'ecr:GetDownloadUrlForLayer' and 'ecr:BatchGetImage' permissions to the CodeBuild service role.
D.Grant 'kms:Decrypt' permissions for the KMS key used by ECR.
E.Create a VPC endpoint for Amazon ECR and associate it with the VPC used by CodeBuild.
AnswersC, E

Pull permissions on the service role and a private network path to ECR are both required.

Why this answer

Options C and E are correct. The error means the build environment either cannot authenticate to the registry or cannot reach it. Adding the pull actions to the CodeBuild service role (ecr:GetDownloadUrlForLayer and ecr:BatchGetImage on the repository, together with ecr:BatchCheckLayerAvailability, and ecr:GetAuthorizationToken on resource '*') fixes the authorization side.

Interface VPC endpoints fix the network side: a CodeBuild project attached to a VPC runs in the configured private subnets with no direct internet route, so it needs the com.amazonaws.<region>.ecr.api and com.amazonaws.<region>.ecr.dkr endpoints plus an S3 gateway endpoint (image layers are served from S3), or otherwise a NAT gateway. Option B is wrong because removing the VPC configuration is unnecessary and would strip the private network access the scanning job presumably needs. Option A is wrong because making the repository public is a security regression, not a fix.

Option D is wrong because KMS permissions only matter for a repository encrypted with a customer managed key, which the question does not mention.

282
MCQeasy

Refer to the exhibit. A developer has a buildspec.yaml for a React application. The build completes successfully, but the artifacts output is empty. What is the most likely cause?

A.The base-directory specified does not exist after the build phase.
B.The install phase did not run because npm install is not in the correct phase.
C.The artifacts files pattern '**/*' is invalid.
D.The runtime version nodejs 14 is not supported by CodeBuild.
AnswerA

The build writes its output to a directory other than the one named in base-directory, so the artifact pattern matches nothing.

Why this answer

Option A is correct because the artifacts section is resolved relative to base-directory, which is set to 'build'; if 'npm run build' writes its output elsewhere (for example 'dist'), the 'build' directory does not exist when artifacts are collected, so nothing is packaged even though every phase succeeded. Option B is wrong because npm install in the install phase runs normally and the build completes. Option D is wrong because the runtime version is accepted by the build image.

Option C is wrong because '**/*' is the standard pattern that matches every file under base-directory.
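The exhibit is not reproduced on this page, so the following is an added example, not the developer's buildspec: two constructed buildspecs (the broken one pointing base-directory at 'build', the fix pointing it at 'dist') and a constructed listing of the workspace after 'npm run build', run through a small matcher that applies the artifacts block the way CodeBuild does, with '**' crossing directory boundaries and '*' / '?' staying within one path segment.

```python
"""Why the artifact zip comes out empty: the artifacts block is resolved
relative to base-directory, so naming a directory the build never creates
packages nothing even though every phase succeeded. Added example; not
code from the exam page or from CodeBuild."""
import re

BUILDSPEC_BROKEN = {
    "version": 0.2,
    "phases": {
        "install": {"runtime-versions": {"nodejs": 14},
                    "commands": ["npm ci"]},
        "build": {"commands": ["npm run build"]},
    },
    # The React toolchain in this scenario writes to dist/, not build/.
    "artifacts": {"files": ["**/*"], "base-directory": "build"},
}

BUILDSPEC_FIXED = dict(BUILDSPEC_BROKEN,
                       artifacts={"files": ["**/*"], "base-directory": "dist"})

# Constructed listing of the workspace after `npm run build`.
WORKSPACE_AFTER_BUILD = [
    "package.json",
    "src/App.jsx",
    "node_modules/react/index.js",
    "dist/index.html",
    "dist/assets/index-3f2a.js",
    "dist/assets/index-3f2a.css",
]


def glob_to_regex(pattern):
    """Translate one buildspec files pattern into an anchored regex."""
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out.append("(?:.*/)?")      # zero or more directory levels
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")         # does not cross a slash
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def collect_artifacts(buildspec, workspace):
    """Return the paths, relative to base-directory, that would be zipped."""
    art = buildspec["artifacts"]
    base = art.get("base-directory", "").strip("/")
    files = art["files"] if isinstance(art["files"], list) else [art["files"]]
    regexes = [glob_to_regex(p) for p in files]
    picked = []
    for path in workspace:
        if base:
            if not path.startswith(base + "/"):
                continue                # outside base-directory: never seen
            rel = path[len(base) + 1:]
        else:
            rel = path
        if any(r.match(rel) for r in regexes):
            picked.append(rel)
    return sorted(picked)


if __name__ == "__main__":
    print("base-directory build:", collect_artifacts(BUILDSPEC_BROKEN, WORKSPACE_AFTER_BUILD))
    print("base-directory dist: ", collect_artifacts(BUILDSPEC_FIXED, WORKSPACE_AFTER_BUILD))
```

The quickest real-world check is to add `ls -R` (or the equivalent) as the last build command before the artifacts phase, so the build log shows which directory the toolchain actually produced.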

283
Multi-Selecteasy

A DevOps engineer is designing a CI/CD pipeline for a containerized application using AWS CodeBuild and Amazon ECS. Which TWO actions will help reduce the frequency of Docker image pulls from the public Docker Hub registry?

Select 2 answers
A.Create a Docker Hub access token and store it in AWS Secrets Manager
B.Enable CodeBuild local caching for the cache type 'LOCAL_DOCKER_LAYER_CACHE'
C.Store the base image in Amazon ECR and use it in the build
D.Use AWS CodeArtifact as a proxy for Docker Hub
E.Configure CodeBuild to use a VPC with a NAT gateway
AnswersB, C

Caching layers locally and hosting the base image in ECR both avoid round trips to Docker Hub.

Why this answer

Options B and C are correct. Option B: CodeBuild's LOCAL_DOCKER_LAYER_CACHE keeps previously pulled image layers on the build host, so later builds on that host reuse them instead of pulling again (it is best effort: the cache lives on the host and is not guaranteed between builds). Option C: mirroring the base image into Amazon ECR (manually, or with an ECR pull through cache rule for Docker Hub) and referencing the ECR image in the Dockerfile means builds pull from ECR rather than from Docker Hub.

Option A does not reduce the number of pulls; an access token only raises the rate limit that anonymous pulls are subject to. Option D is wrong because CodeArtifact is a package repository (npm, PyPI, Maven, NuGet and similar formats) and does not proxy or store container images. Option E is wrong because a NAT gateway only provides the outbound route; every build still pulls from Docker Hub.

284
MCQmedium

A development team uses AWS CodeCommit for source control and AWS CodePipeline for CI/CD. The pipeline has a source stage that pulls from a CodeCommit repository, a build stage using AWS CodeBuild, and a deploy stage that uses AWS CodeDeploy to deploy to an EC2 Auto Scaling group. The team notices that the pipeline frequently fails at the deploy stage with the error 'The deployment failed because the deployment group's deployment configuration specifies a minimum healthy host count of 1, but 0 healthy hosts are available.' What is the MOST likely cause of this issue?

A.The IAM role for CodePipeline does not have sufficient permissions to access the CodeCommit repository.
B.The build artifacts are not being stored in an S3 bucket.
C.The EC2 instances are not registered with a Classic Load Balancer.
D.The CodeDeploy agent is not installed or is not running on the EC2 instances.
AnswerD

Without a running agent, instances cannot report health, causing the deployment to fail with the given error.

Why this answer

Option D is correct because the CodeDeploy agent is what reports an instance's status back to the service; with no agent installed or running, no instance can reach a healthy state, so the minimum healthy host count of 1 cannot be satisfied. Option A is wrong because a CodeCommit permission problem fails the source stage, not the deploy stage. Option B is wrong because missing build artifacts would fail the build stage, and CodePipeline stores artifacts in its artifact bucket in any case.

Option C is wrong because an in-place EC2 deployment does not require the instances to be behind a load balancer.

285
MCQhard

A developer is troubleshooting a failed CodeBuild build. The build is triggered by a pull request from a forked repository. The buildspec includes a command to fetch pull request references. What is the most likely cause of the failure?

A.The IAM role for CodeBuild does not have permission to read from the repository.
B.The buildspec file is not present in the source code.
C.The CodeBuild project is not configured to allow pull requests from forked repositories.
D.The buildspec contains invalid syntax.
AnswerC

Builds for pull requests from forks are opt-in, because a fork can put arbitrary code in front of the build role and its secrets.

Why this answer

Option C is correct because, for pull requests that originate in a forked repository, CodeBuild does not fetch or build them unless the project is explicitly configured to accept them (for example through webhook filter groups that admit the relevant actors); the default protects the build environment, and the role and secrets it holds, from code submitted by anyone who can fork the repository. Option B is wrong because a missing buildspec would produce a different, file-not-found error, and the fetch command is in a buildspec that is being read.

Option D is wrong because invalid buildspec syntax fails before any command runs, not at the fetch step. Option A is wrong because the failure is about fetching the pull request reference, not about the service role's permissions.

286
MCQhard

A company has a monorepo in AWS CodeCommit with multiple microservices. They want to use AWS CodePipeline to build and deploy only the microservice that changed. What is the MOST efficient approach?

A.Configure a single pipeline that always builds all microservices.
B.Create separate CodeCommit repositories for each microservice.
C.Use an AWS Lambda function triggered by CloudWatch Events for CodeCommit to start the specific pipeline for the changed microservice.
D.Use a single pipeline with multiple build actions that each check if their microservice changed.
AnswerC

Lambda can analyze the commit and start the relevant pipeline, building only the changed microservice.

Why this answer

Option C is correct because Lambda can parse the commit and trigger the appropriate pipeline. Option A is wrong because it builds everything. Option B is wrong because it requires multiple repos.

Option D is wrong because it still builds all.
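The Lambda router described above, as an added example and not code from the exam page or from AWS. Repository, pipeline and directory names are assumptions. The routing decision is kept as a pure function over the paths that CodeCommit's GetDifferences reports, so it runs offline on the constructed sample below; handler() wires it to boto3 for use as the Lambda target of the EventBridge (CloudWatch Events) rule for CodeCommit repository state changes.

```python
"""Routing a monorepo push to the pipeline of the service that changed.
Added example; not from the exam page or from AWS."""

# Service directory prefix -> pipeline that builds and deploys it.
SERVICE_PIPELINES = {
    "services/orders": "orders-pipeline",
    "services/payments": "payments-pipeline",
    "services/inventory": "inventory-pipeline",
}
# A change under a shared library rebuilds every service that could consume
# it: a deliberate trade-off of extra builds against missed rebuilds.
SHARED_PREFIXES = ("libs/",)


def changed_paths(differences):
    """Paths from GetDifferences entries. A deletion carries only
    beforeBlob, an addition only afterBlob, so both sides are read."""
    paths = set()
    for diff in differences:
        for side in ("afterBlob", "beforeBlob"):
            blob = diff.get(side)
            if blob and "path" in blob:
                paths.add(blob["path"])
    return sorted(paths)


def pipelines_to_start(paths, service_pipelines=SERVICE_PIPELINES,
                       shared_prefixes=SHARED_PREFIXES):
    """Names of the pipelines affected by the given changed paths."""
    targets = set()
    for path in paths:
        if path.startswith(shared_prefixes):
            return sorted(set(service_pipelines.values()))
        for prefix, pipeline in service_pipelines.items():
            if path.startswith(prefix.rstrip("/") + "/"):
                targets.add(pipeline)
    return sorted(targets)


# Constructed sample in the shape of GetDifferences output for one push.
SAMPLE_DIFFERENCES = [
    {"changeType": "M",
     "beforeBlob": {"path": "services/orders/app.py", "blobId": "a1"},
     "afterBlob": {"path": "services/orders/app.py", "blobId": "a2"}},
    {"changeType": "D",
     "beforeBlob": {"path": "services/orders/legacy.py", "blobId": "b1"}},
    {"changeType": "A",
     "afterBlob": {"path": "README.md", "blobId": "c1"}},
]


def handler(event, context=None):
    """Lambda target for the CodeCommit 'referenceUpdated' event."""
    import boto3  # imported here so the routing logic above runs without it
    detail = event["detail"]
    cc = boto3.client("codecommit")
    kwargs = {"repositoryName": detail["repositoryName"],
              "afterCommitSpecifier": detail["commitId"]}
    if detail.get("oldCommitId"):          # absent for a brand-new branch
        kwargs["beforeCommitSpecifier"] = detail["oldCommitId"]
    diffs = []
    while True:                            # GetDifferences is paginated
        resp = cc.get_differences(**kwargs)
        diffs.extend(resp.get("differences", []))
        if "NextToken" not in resp:
            break
        kwargs["NextToken"] = resp["NextToken"]
    targets = pipelines_to_start(changed_paths(diffs))
    cp = boto3.client("codepipeline")
    for name in targets:
        cp.start_pipeline_execution(name=name)
    return {"started": targets}
```

Scope the function's role tightly: codecommit:GetDifferences on the one repository and codepipeline:StartPipelineExecution on exactly the pipelines listed in SERVICE_PIPELINES, so a compromised or misfiring router cannot start anything else.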

287
MCQmedium

A DevOps engineer is designing a CI/CD pipeline for a microservices application using AWS CodePipeline. Each microservice has its own CodeCommit repository. The engineer wants to run unit tests in parallel for all services when any repository receives a push, then run integration tests only after all unit tests pass. Which pipeline structure should the engineer use?

A.Create a single pipeline with a parallel action for unit tests, then a serial stage for integration tests
B.Create a single pipeline with a serial stage for unit tests, then integration tests
C.Create one pipeline per microservice, each triggering integration tests via SNS
D.Use AWS CodeBuild batch builds with a fan-out/fan-in pattern
AnswerA

Parallel unit tests reduce time; integration tests run after all unit tests succeed.

Why this answer

Option A is correct because a single pipeline can hold one stage with several parallel CodeBuild actions (one unit-test action per service, each fed by its own CodeCommit source action) followed by a stage containing the integration-test action; a stage does not start until every action in the previous stage has succeeded, which provides the fan-in for free. Option C is incorrect because separate pipelines would need external coordination (SNS, Lambda, state tracking) to know when all unit tests have passed. Option B is incorrect because running the unit tests serially increases total time.

Option D is incorrect because CodeBuild batch builds fan out within one project and one source, not across several repositories' source actions; the pipeline's stage model already provides the structure.

288
MCQhard

A company uses AWS CodeBuild to run integration tests as part of a pipeline. The tests require access to an Amazon RDS database. The RDS instance is in a private subnet with no public access. The CodeBuild project is configured with a VPC. Which additional configuration is necessary to ensure the build can connect to the database?

A.Add an IAM policy that grants the CodeBuild service role access to the RDS instance.
B.Configure the security group for the RDS instance to allow inbound traffic from the security group associated with the CodeBuild project.
C.Create a VPC endpoint for Amazon RDS.
D.Attach a NAT gateway to the private subnet.
AnswerB

Security group rules must allow traffic between CodeBuild and RDS for connectivity.

Why this answer

Option B is correct because CodeBuild runs the build behind an elastic network interface in the configured subnets with the project's security group; the RDS security group must allow inbound traffic on the database port from that security group (and the CodeBuild security group's egress must permit it, which the default allow-all egress does). Option D is wrong because a NAT gateway provides outbound internet access; reaching a database inside the same VPC does not use it. Option C is wrong because VPC endpoints expose AWS service APIs (including the RDS control-plane API), not the database listener.

Option A is wrong because IAM policies do not control network reachability; an IAM grant would only matter for IAM database authentication, and even then the security group rule is still required.

289
MCQmedium

A company uses AWS CodeDeploy with a blue/green deployment configuration. After a deployment, the new instances are not registered with the load balancer, causing downtime. What is the MOST likely cause?

A.The IAM role for CodeDeploy does not have permission to register instances with the load balancer.
B.The original instances are still registered with the load balancer.
C.The load balancer health check is misconfigured.
D.The CodeDeploy deployment group does not have a load balancer configured or the deregistration delay is too long.
AnswerD

In an EC2 blue/green deployment, CodeDeploy registers replacement instances only with the load balancer or target group named in the deployment group; without one, nothing registers them.

Why this answer

Option D is correct because CodeDeploy's EC2 blue/green deployment registers the replacement instances with the Classic Load Balancer or target group configured on the deployment group; with none configured, the replacement fleet receives no traffic after the cutover. Option A is wrong because missing elasticloadbalancing permissions on the CodeDeploy service role would surface as a failed deployment, not as a silent skip of registration. Option B is wrong because the original instances stay registered until traffic has been rerouted and are then deregistered and terminated or kept according to the deployment group settings; their presence does not stop the new instances from registering.

Option C is wrong because a misconfigured health check would mark the new instances unhealthy after registration, a different symptom from their never being registered.

290
Multi-Selecteasy

A company uses AWS CodePipeline to automate their software release process. They want to add a stage that runs security scanning on the code before deployment. Which two AWS services can be integrated into the pipeline for this purpose? (Choose TWO.)

Select 2 answers
A.Amazon Inspector
B.Amazon GuardDuty
C.Amazon Detective
D.AWS CodeBuild
E.AWS CodeDeploy
AnswersA, D

CodeBuild runs scanners as a build or test action; Amazon Inspector provides a CodePipeline scan action for source code and container images.

Why this answer

Option D (CodeBuild) is correct because a build or test action can run any scanner (static analysis, dependency audit, container image scanning) and fail the pipeline on findings. Option A (Amazon Inspector) is correct because Inspector can be added as a scan action that checks source code and container images for vulnerabilities. Option E (CodeDeploy) is a deployment service, not a scanner.

Option B (GuardDuty) detects threats from account and workload telemetry, not from code. Option C (Detective) analyses and correlates security findings; it does not scan code.

291
MCQmedium

A DevOps engineer is reviewing the IAM policy attached to a CodeBuild service role. The policy allows starting builds and viewing logs. However, when CodeBuild tries to download artifacts from an S3 bucket in the same account, it fails with an access denied error. What is the missing permission?

A.s3:GetObject
B.kms:Decrypt
C.s3:PutObject
D.logs:DescribeLogGroups
AnswerA

To download artifacts from S3, GetObject permission is required.

Why this answer

The error occurs because CodeBuild needs to download artifacts from S3, which requires the s3:GetObject permission on the bucket or object. Without this permission, the service role cannot read the artifact files, even though it can start builds and view logs. The s3:GetObject action is the specific permission that grants read access to S3 objects.

Exam trap

The trap here is that candidates may confuse s3:GetObject with s3:PutObject or assume KMS decryption is always required, but the direct cause is the lack of read access to the S3 object.

How to eliminate wrong answers

Option B is wrong because kms:Decrypt is only needed if the S3 bucket uses server-side encryption with AWS KMS (SSE-KMS), but the question does not mention encryption, so the missing permission is not KMS-related. Option C is wrong because s3:PutObject is for uploading objects to S3, not downloading them; the error is about downloading artifacts, not uploading. Option D is wrong because logs:DescribeLogGroups is for listing CloudWatch log groups, which is unrelated to S3 access; it would not cause an S3 access denied error.

292
Multi-Selectmedium

A company uses AWS CloudFormation to deploy a multi-tier application. The engineer wants to ensure that the stack is not accidentally deleted and that critical resources like databases are retained even if the stack is deleted. Which THREE steps should the engineer take?

Select 3 answers
A.Create a StackPolicy that denies updates to the RDS instance
B.Use nested stacks to isolate the database
C.Use a StackPolicy to deny delete actions
D.Set the DeletionPolicy attribute to Retain on the RDS instance
E.Enable termination protection on the stack
AnswersA, D, E

Termination protection, a Retain deletion policy and a stack policy each protect against a different failure.

Why this answer

Options A, D, and E are correct. Option E: termination protection makes the stack refuse DeleteStack requests. Option D: DeletionPolicy: Retain on the RDS instance keeps the database if the stack is nonetheless deleted (Snapshot is the other common choice for databases).

Option A: a stack policy denying updates to the RDS instance stops a template change from modifying or replacing it during a stack update. Option C is incorrect because stack policies apply only during stack updates; they do not prevent deleting the stack. Option B is incorrect because nested stacks organise resources but add no protection.

293
Multi-Selecthard

A company uses AWS CodePipeline to deploy a serverless application using AWS SAM. The pipeline includes a build stage that runs 'sam build' and a deploy stage that runs 'sam deploy'. The team wants to automatically test the deployed application before promoting it to production. Which THREE steps should be included in the pipeline?

Select 3 answers
A.Add a stage that runs a performance or load test.
B.Add a stage that automatically rolls back the deployment if tests fail.
C.Add a manual approval stage after testing before promoting to production.
D.Add a stage that deploys the application to a separate production environment.
E.Add a stage after deployment that runs integration tests against the deployed API.
AnswersA, C, E

Integration tests, a load test and a manual approval all sit between the staging deployment and the production promotion.

Why this answer

Options A, C, and E are correct. After 'sam deploy' to the pre-production environment, an integration-test stage (for example a CodeBuild action that calls the deployed API endpoint) validates the deployment; a load or performance test adds a second gate, and a manual approval stage lets a reviewer inspect the results before promotion.

Option D is wrong because deploying to production is the promotion itself, not a test that precedes it. Option B is wrong because rolling back is a response to a failed test, not a testing step.

294
Multi-Selecteasy

A DevOps team is implementing a CI/CD pipeline for a microservices application deployed on Amazon ECS. They want to automatically build, test, and deploy container images to Amazon ECR and then update the ECS service. Which TWO steps are essential to achieve this goal?

Select 2 answers
A.Use AWS CodeDeploy to update the ECS service with a new task definition.
B.Use AWS Secrets Manager to store Docker credentials.
C.Use AWS CodeBuild to build the Docker image and push it to Amazon ECR.
D.Use AWS X-Ray for tracing.
E.Use Amazon CodeGuru for code review.
AnswersA, C

CodeBuild builds and pushes the image; CodeDeploy updates the ECS service.

Why this answer

Option C is needed to build the Docker image and push it to Amazon ECR. Option A is needed to update the ECS service with the new task definition (CodeDeploy's blue/green ECS deployments, or alternatively the pipeline's native ECS deploy action). Option B is useful when the base image comes from a registry that requires credentials, but it is not essential to the flow.

Option E is code review, not required for the pipeline. Option D is distributed tracing, not required.

295
MCQmedium

A CloudFormation stack is created with the template above and the parameter Environment set to 'dev'. Later, the stack is deleted. What happens to the S3 bucket?

A.The bucket is retained only if it contains objects.
B.The bucket is retained.
C.The bucket is deleted.
D.The bucket is deleted but the objects are retained.
AnswerC

DeletionPolicy evaluates to Delete.

Why this answer

Option C is correct because the condition 'IsProd' is false when Environment is 'dev', so the DeletionPolicy resolves to 'Delete' and CloudFormation deletes the bucket along with the stack. Option A is wrong because retention is decided by the DeletionPolicy, not by the bucket's contents; a non-empty bucket is not retained, it makes the delete fail (CloudFormation cannot delete a bucket that still holds objects, so the stack ends in DELETE_FAILED). Option B is wrong because the condition is false for the 'dev' parameter value, so Retain is never selected.

Option D is wrong because objects are not preserved separately from their bucket; with DeletionPolicy Delete the bucket must already be empty and is then removed.
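The exhibit's template is not reproduced on this page, so the following is an added example rather than the page's own template or CloudFormation's code: a constructed template matching the question's description (an IsProd condition on the Environment parameter selecting Retain or Delete), a resolver for the handful of intrinsic functions it uses, and a function that states what happens to the bucket on stack deletion, including the non-empty-bucket failure case.

```python
"""Resolving a conditional DeletionPolicy for different parameter values.
Added example; not the exam page's template or CloudFormation's code.
Only Ref, Condition, Fn::Equals, Fn::Not and Fn::If are modelled."""

TEMPLATE = {
    "Parameters": {"Environment": {"Type": "String",
                                   "AllowedValues": ["dev", "prod"]}},
    "Conditions": {"IsProd": {"Fn::Equals": [{"Ref": "Environment"}, "prod"]}},
    "Resources": {
        "DataBucket": {
            "Type": "AWS::S3::Bucket",
            "DeletionPolicy": {"Fn::If": ["IsProd", "Retain", "Delete"]},
            # Same choice for replacement during an update, so a prod bucket
            # is not lost when a property change forces a new resource.
            "UpdateReplacePolicy": {"Fn::If": ["IsProd", "Retain", "Delete"]},
        }
    },
}


def resolve(node, params, conditions):
    """Evaluate the subset of intrinsic functions used in TEMPLATE."""
    if isinstance(node, dict) and len(node) == 1:
        (fn, arg), = node.items()
        if fn == "Ref":
            return params[arg]
        if fn == "Condition":
            return resolve(conditions[arg], params, conditions)
        if fn == "Fn::Equals":
            left, right = (resolve(x, params, conditions) for x in arg)
            return left == right
        if fn == "Fn::Not":
            return not resolve(arg[0], params, conditions)
        if fn == "Fn::If":
            name, if_true, if_false = arg
            chosen = (if_true if resolve(conditions[name], params, conditions)
                      else if_false)
            return resolve(chosen, params, conditions)
    return node                      # literal string or unhandled structure


def deletion_policy(template, logical_id, params):
    """Effective DeletionPolicy of a resource; Delete is the default."""
    resource = template["Resources"][logical_id]
    return resolve(resource.get("DeletionPolicy", "Delete"),
                   params, template.get("Conditions", {}))


def on_stack_delete(template, logical_id, params, bucket_is_empty=True):
    """What happens to the bucket when the stack is deleted."""
    policy = deletion_policy(template, logical_id, params)
    if policy == "Retain":
        return "retained"
    if not bucket_is_empty:
        return "delete fails: CloudFormation cannot delete a non-empty bucket"
    return "deleted"


if __name__ == "__main__":
    for env in ("dev", "prod"):
        params = {"Environment": env}
        print(env, deletion_policy(TEMPLATE, "DataBucket", params),
              on_stack_delete(TEMPLATE, "DataBucket", params, bucket_is_empty=False))
```

Setting UpdateReplacePolicy alongside DeletionPolicy is the practitioner's habit worth copying: DeletionPolicy alone does nothing when an update replaces the resource.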

296
Multi-Selecteasy

A company is designing a CI/CD pipeline for a serverless application using AWS CodePipeline. Which TWO actions are valid ways to deploy an AWS Lambda function?

Select 2 answers
A.Use AWS CloudFormation to update the Lambda function's stack.
B.Use Amazon S3 to trigger the Lambda function deployment.
C.Use AWS CodeBuild to directly deploy the Lambda function.
D.Use AWS CodeCommit to push the Lambda code.
E.Use AWS CodeDeploy to deploy the Lambda function with traffic shifting.
AnswersA, E

CloudFormation can manage Lambda deployments.

Why this answer

Option A is correct because AWS CloudFormation can manage Lambda function deployments as part of a stack update. By defining the Lambda function resource in a CloudFormation template, CodePipeline can trigger a stack update that creates or updates the function, ensuring infrastructure-as-code best practices and consistent deployments. Option E is correct because CodeDeploy supports Lambda as a compute platform: the AppSpec names the function, its current and target versions and optional validation hooks, and a deployment configuration such as CodeDeployDefault.LambdaCanary10Percent5Minutes or CodeDeployDefault.LambdaLinear10PercentEvery1Minute shifts the alias's traffic to the new version gradually, rolling back automatically if a configured alarm fires.

Exam trap

The trap here is that candidates often confuse build or source control actions (CodeBuild, CodeCommit) with deployment actions, or mistake event-driven invocations (S3 triggers) for deployment mechanisms, leading them to select options that are valid for other purposes but not for deploying Lambda functions.

297
MCQmedium

A development team is using AWS CodeCommit as a source repository and AWS CodePipeline to automate their CI/CD pipeline. The pipeline includes a build stage that runs on AWS CodeBuild. The team wants to automatically trigger the pipeline when changes are pushed to the 'develop' branch of the CodeCommit repository. Which configuration change should be made to the pipeline?

A.Enable S3 event notifications on the repository to invoke the pipeline.
B.Add a manual approval action before the build stage.
C.Configure the source action to use CodeCommit as the source provider and specify the 'develop' branch.
D.Create a CodeBuild webhook on the CodeCommit repository.
AnswerC

A CodeCommit source action pinned to the 'develop' branch is what makes pushes to that branch start the pipeline.

Why this answer

Option C is correct because the pipeline's source action must use CodeCommit as the source provider with 'develop' as the branch. With change detection left at the recommended setting (EventBridge rather than polling), CodePipeline creates an Amazon EventBridge (CloudWatch Events) rule that starts the pipeline whenever that branch is updated. Option B is wrong because a manual approval gates progress through the pipeline; it has nothing to do with starting it. Option D is wrong because CodeBuild webhooks apply to GitHub and Bitbucket sources and would start a build, not the pipeline.

Option A is wrong because S3 event notifications belong to S3 buckets; a CodeCommit repository is not a bucket the team can subscribe to.

298
MCQeasy

A developer is using AWS CodeBuild to compile code. The build takes a long time because dependencies are downloaded each time. What can the developer do to reduce build time?

A.Split the build into multiple parallel build actions.
B.Use multiple build environments to distribute the work.
C.Enable caching in the build project to store dependencies in Amazon S3.
D.Use a larger compute type for the build project.
AnswerC

Caching avoids re-downloading dependencies.

Why this answer

Option C is correct because CodeBuild's cache (an S3 cache for paths such as a dependency directory, or local caching on the build host) lets subsequent builds reuse already downloaded dependencies instead of fetching them again. Option D is wrong because a larger compute type speeds up CPU-bound work; the bottleneck here is repeated downloads. Option A is wrong because parallel build actions split independent work; they do not shorten a single build that re-downloads everything.

Option B is wrong because additional build environments likewise do not remove the repeated download from each build.

299
MCQhard

The exhibit shows an IAM policy attached to an AWS Lambda execution role. The Lambda function is triggered by an S3 event and writes to the same bucket. However, the function fails with a permission error when trying to write to 'my-bucket'. What is the likely issue?

A.The S3 bucket is in a different region than the Lambda function.
B.The policy is missing the 'lambda:InvokeFunction' permission on the function itself.
C.The Lambda function does not have an S3 trigger configured.
D.The policy grants s3:PutObject only on objects (my-bucket/*), but the action also requires permission on the bucket (my-bucket) for certain operations like s3:PutObject with ACLs.
AnswerD

Object-level and bucket-level S3 actions are authorized against different ARNs; a second statement naming the bucket ARN (no trailing /*) covers the bucket-level calls.

Why this answer

Option D is correct: the exhibit's policy grants s3:PutObject only on 'arn:aws:s3:::my-bucket/*', which is the right resource for object-level actions (s3:PutObject, s3:PutObjectAcl), but any bucket-level call in the function's write path (s3:ListBucket to check for an existing key, s3:GetBucketLocation to resolve the Region) is authorized against 'arn:aws:s3:::my-bucket', which that pattern never matches. Adding a second statement for the bucket ARN resolves it. Option B is not relevant because lambda:InvokeFunction governs who may invoke the function, not what the function may do in S3. Option C is not relevant because a missing trigger would mean the function never runs, not that it fails with a permission error.

Option A is not relevant because S3 bucket names are global and cross-Region access does not produce a permission error.
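The three permission questions on this page (277: ECR pull actions on a CodeBuild service role; 291: s3:GetObject on the artifact bucket; 299: object ARN versus bucket ARN) all come down to how IAM matches an action and a resource ARN against a policy statement. The following is an added example, not code from the exam page or from AWS, and the account ID, Region, bucket and repository names are made up. It models only the parts of IAM evaluation that matter here: default deny, an explicit Deny overriding any Allow, and the '*' and '?' wildcards in Action and Resource. NotAction, NotResource, Condition blocks and resource-based policies are not handled.

```python
"""Simplified IAM identity-policy evaluation for questions 277, 291 and 299.
Added example; not code from the exam page or from AWS."""
import fnmatch

ACCOUNT = "123456789012"                                   # made-up account
SCANNER_REPO = f"arn:aws:ecr:us-east-1:{ACCOUNT}:repository/scanner"
ARTIFACT_OBJECT = ("arn:aws:s3:::codepipeline-artifacts-example/"
                   "MyPipeline/BuildArtif/abc123")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """True if some Allow statement matches and no Deny statement does.
    Action names are case-insensitive in IAM; resource ARNs are not."""
    allowed = False
    for stmt in policy.get("Statement", []):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        if not any(fnmatch.fnmatchcase(action.lower(), a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        if stmt.get("Effect") == "Deny":
            return False                     # explicit deny wins outright
        allowed = True
    return allowed


def missing(policy, required):
    """(action, resource) pairs from `required` the policy does not allow."""
    return [(a, r) for a, r in required if not is_allowed(policy, a, r)]


def with_statements(policy, extra):
    """Copy of `policy` with `extra` statements appended."""
    return {**policy,
            "Statement": list(policy.get("Statement", [])) + list(extra)}


# Question 291: the role can start builds and write logs, nothing about S3.
CODEBUILD_ROLE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["codebuild:StartBuild", "codebuild:BatchGetBuilds"]},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["logs:CreateLogStream", "logs:PutLogEvents",
                    "logs:DescribeLogGroups"]},
    ],
}
ARTIFACT_READ = {"Effect": "Allow", "Action": "s3:GetObject",
                 "Resource": "arn:aws:s3:::codepipeline-artifacts-example/*"}

# Question 277: what pulling from a private repository requires. The token
# call is not repository-scoped, so its resource has to be "*".
ECR_PULL = [
    ("ecr:GetAuthorizationToken", "*"),
    ("ecr:BatchCheckLayerAvailability", SCANNER_REPO),
    ("ecr:GetDownloadUrlForLayer", SCANNER_REPO),
    ("ecr:BatchGetImage", SCANNER_REPO),
]
ECR_STATEMENTS = [
    {"Effect": "Allow", "Action": "ecr:GetAuthorizationToken", "Resource": "*"},
    {"Effect": "Allow", "Resource": SCANNER_REPO,
     "Action": ["ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage"]},
]

# Question 299: the object pattern never matches the bucket ARN itself.
LAMBDA_ROLE_BEFORE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:PutObject",
                   "Resource": "arn:aws:s3:::my-bucket/*"}],
}
LAMBDA_ROLE_AFTER = with_statements(LAMBDA_ROLE_BEFORE, [
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
     "Resource": "arn:aws:s3:::my-bucket"},          # bucket ARN, no /*
])

# An explicit Deny beats a broad Allow regardless of statement order.
DENY_WINS = with_statements(LAMBDA_ROLE_AFTER, [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteObject",
     "Resource": "arn:aws:s3:::my-bucket/*"},
])

if __name__ == "__main__":
    print("277 missing:", missing(CODEBUILD_ROLE, ECR_PULL))
    print("291 GetObject:", is_allowed(CODEBUILD_ROLE, "s3:GetObject", ARTIFACT_OBJECT))
    print("299 ListBucket before/after:",
          is_allowed(LAMBDA_ROLE_BEFORE, "s3:ListBucket", "arn:aws:s3:::my-bucket"),
          is_allowed(LAMBDA_ROLE_AFTER, "s3:ListBucket", "arn:aws:s3:::my-bucket"))
```

Against a real account the same questions are answered by the IAM policy simulator (iam:SimulatePrincipalPolicy), which also accounts for conditions, permission boundaries and resource policies that this model leaves out.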

300
MCQhard

Refer to the exhibit. Why does the build fail?

A.The CodeBuild role does not have permission to create CloudFront invalidations.
B.The S3 bucket policy denies write access to the CodeBuild role.
C.The CodeBuild project is not associated with the correct service role.
D.The CloudFront distribution ID is incorrect.
AnswerA

The error message explicitly states AccessDenied for CreateInvalidation.

Why this answer

The CodeBuild role lacks the cloudfront:CreateInvalidation permission. The error message clearly indicates AccessDenied for that action.
