CCNA Deployment, Provisioning, and Automation Questions

52 of 277 questions · Page 4/4 · Deployment, Provisioning, and Automation · Answers revealed

226
MCQeasy

A company uses AWS OpsWorks to manage a stack of web servers. They need to deploy a configuration change that updates the /etc/nginx/nginx.conf file on all instances. Which OpsWorks feature should be used?

A.Custom Chef recipes
B.OpsWorks layers
C.Lifecycle events
D.Custom cookbooks
AnswerA

Chef recipes are used to apply configuration changes.

Why this answer

Option A is correct because Chef recipes are used to configure instances. Option B is wrong because custom cookbooks can be used, but recipes are the specific unit. Option C is wrong because lifecycle events trigger recipes.

Option D is wrong because layers group instances, but do not deploy configurations.

227
MCQhard

A SysOps administrator is using AWS CodeDeploy to deploy an application to an Auto Scaling group. The deployment fails with the error 'The overall deployment failed because too many individual instances failed deployment, too few healthy instances are available for deployment, or some instances in your deployment group are experiencing problems.' The deployment group has a minimum of 2 healthy instances. What should the administrator check FIRST?

A.The CodeDeploy agent version on the instances
B.The Auto Scaling group's minimum size
C.The load balancer health check configuration
D.The ApplicationStop lifecycle event hook script in the AppSpec file
AnswerD

A failing script can cause instances to fail deployment.

Why this answer

Option D is correct because the most common cause is that the ApplicationStop lifecycle hook script exits with a non-zero code. Option A is wrong because the health check is on the load balancer. Option B is wrong because the Auto Scaling group must be healthy.

Option C is wrong because the error suggests issues with the instances themselves.

228
MCQeasy

A company uses AWS Elastic Beanstalk to deploy a web application. After updating the environment configuration, the deployment fails and the environment health turns red. The SysOps administrator checks the logs and finds a permission error related to the EC2 instance profile. What should the administrator do to resolve the issue?

A.Rebuild the environment from scratch using a saved configuration template.
B.Update the IAM instance profile associated with the environment to include the required permissions.
C.Modify the security group attached to the environment to allow outbound traffic.
D.Update the application version to the latest build.
AnswerB

Correct: Instance profile permissions are needed for EC2 instances to access AWS resources.

Why this answer

The correct answer is B because Elastic Beanstalk uses an IAM instance profile for the EC2 instances. The instance profile must have the necessary permissions to access resources like S3 buckets or DynamoDB tables. Updating the instance profile with the required permissions resolves the issue.

Option A is wrong because updating the application version does not fix permission issues. Option C is wrong because rebuilding the environment from scratch is unnecessary and time-consuming. Option D is wrong because the security group controls network access, not IAM permissions.

229
MCQeasy

A company uses AWS CloudFormation to deploy EC2 instances. The stack creation fails with the error 'Resource creation cancelled' after 20 minutes. What is the most likely cause?

A.The CloudFormation template uses an unsupported template format
B.The EC2 instance creation exceeded the CloudFormation timeout
C.The instance type specified is not available in the chosen Availability Zone
D.Insufficient IAM permissions for CloudFormation to create EC2 instances
AnswerB

CloudFormation has a default timeout of 20 minutes for EC2 resource creation.

Why this answer

Option B is correct because CloudFormation has a default timeout of 20 minutes for EC2 instance creation. Option A is wrong because missing permissions would cause an API error, not a timeout. Option C is wrong because a short instance type would not cause a timeout.

Option D is wrong because CloudFormation supports YAML.

230
MCQeasy

A company uses AWS Systems Manager to automate patching of EC2 instances. The instances are in an Auto Scaling group. The company wants to ensure that patching does not affect application availability. Which feature should be used?

A.State Manager
B.Maintenance Windows
C.Patch Manager
D.Run Command
AnswerB

Maintenance Windows allow scheduling patching during predefined time windows, minimizing impact.

Why this answer

Option A is correct because Systems Manager Maintenance Windows allow scheduling patching during specific time windows, and can be configured to work with Auto Scaling to maintain availability. Option B is wrong because Run Command is for ad-hoc commands. Option C is wrong because Patch Manager is the service, but Maintenance Windows schedule it.

Option D is wrong because State Manager is for configuration, not patching.

231
Multi-Selecthard

A company deploys microservices on Amazon ECS using Fargate. The deployment is managed by AWS CodePipeline. The administrator notices that deployments sometimes fail because the new task definition is not registered before the deployment. Which THREE steps should the administrator take to resolve this issue? (Choose THREE.)

Select 3 answers
A.Ensure that the task definition is registered in the CodePipeline build stage before the deploy stage.
B.Manually update the ECS service with the new task definition after the pipeline runs.
C.Use the ECS deploy action in CodePipeline which automatically registers the task definition.
D.Add a step in the pipeline to register the task definition using the AWS CLI or SDK.
E.Store the task definition in Amazon ECR alongside the container image.
AnswersA, C, D

The build stage should register the new task definition. Without it, the deploy stage may fail.

Why this answer

The issue is that the task definition must be registered before the ECS service update. Options A, D, and E are correct. Option B is wrong because the task definition is not stored in ECR; ECR stores container images.

Option C is wrong because the ECS service update is triggered by CodePipeline, not manually.

232
MCQmedium

A SysOps administrator uses AWS CloudFormation to manage a stack that includes an Amazon RDS DB instance. The administrator needs to update the stack by changing a parameter that, if applied directly, would replace the database. The administrator wants to prevent accidental replacement during the update. Which CloudFormation feature should the administrator use?

A.Change sets
B.Stack policy
C.Resource-level permissions
D.Stack sets
AnswerB

A stack policy can be used to explicitly deny updates that would replace the RDS instance, providing a safety guard.

Why this answer

A stack policy is a CloudFormation feature that defines which stack resources can be updated or replaced during a stack update. By setting a stack policy that explicitly denies replacement updates on the RDS DB instance, the administrator can prevent accidental replacement while still allowing other updates. This is the correct approach because it directly controls the update behavior at the resource level without requiring manual intervention.

Exam trap

The trap here is that candidates often confuse change sets (which only preview changes) with stack policies (which actually enforce update restrictions), leading them to select change sets as a safety mechanism when they only provide visibility, not prevention.

How to eliminate wrong answers

Option A is wrong because change sets allow you to preview the changes that will be made to a stack, including whether a resource will be replaced, but they do not prevent the replacement from occurring; they only show what will happen. Option C is wrong because resource-level permissions (via IAM policies) control who can perform actions on resources, not what specific update actions (like replacement) are allowed or denied during a CloudFormation stack update. Option D is wrong because stack sets are used to deploy stacks across multiple accounts and regions, not to control update behavior or prevent replacement of individual resources within a single stack.

233
MCQmedium

A company is using Elastic Beanstalk to deploy a web application. Recently, a deployment failed due to a missing environment variable. The administrator fixed the configuration and wants to redeploy the same application version without rebuilding the source bundle. What is the MOST efficient way to redeploy?

A.Terminate the environment and create a new environment with the same configuration.
B.Upload a new application version with the same source bundle and deploy it to the environment.
C.Use the AWS CLI command aws elasticbeanstalk update-environment to update the environment, then use the same version label to deploy again.
D.Use the Elastic Beanstalk console to create a new environment with the same application version.
AnswerC

This updates the environment and allows redeployment of the existing version.

Why this answer

Option B is correct because the aws elasticbeanstalk update-environment command can update environment configuration and then the same application version can be deployed again. Option A is incorrect because it creates a new environment. Option C is incorrect because it creates a new application version.

Option D is incorrect because it replaces the environment, which is unnecessary.

234
MCQeasy

A company uses AWS Elastic Beanstalk to deploy a web application. The environment is running low on memory, and the administrator needs to change the instance type from t2.micro to t3.small. What is the correct way to perform this change with minimal downtime?

A.Modify the instance type in the Elastic Beanstalk environment's configuration.
B.Terminate the environment and create a new one with the desired instance type.
C.Create a new environment and perform a swap URL.
D.Manually modify the Auto Scaling group's launch configuration.
AnswerA

Changing the instance type triggers a rolling update with minimal downtime.

Why this answer

Elastic Beanstalk environments can be updated by changing the instance type in the environment configuration. The environment will perform a rolling update, replacing instances one by one to minimize downtime. Option A is correct.

Option B is wrong because terminating and recreating causes downtime. Option C is wrong because modifying Auto Scaling groups directly is not supported by Elastic Beanstalk. Option D is wrong because rolling update is the default behavior.

235
MCQmedium

A company uses AWS CodeDeploy to deploy a new version of an application to EC2 instances in an Auto Scaling group behind an Application Load Balancer. The company requires zero downtime during the deployment. Which deployment configuration should be used?

A.CodeDeployDefault.AllAtOnce
B.CodeDeployDefault.OneAtATime
C.CodeDeployDefault.EC2/OnPremises: BlueGreenDeployment
D.Create a blue/green deployment by configuring CodeDeploy to launch new instances and shift traffic after validation.
AnswerD

Correct. Blue/green deployment with CodeDeploy allows routing traffic to new instances and cutting over after validation, ensuring zero downtime.

Why this answer

Option D is correct because a blue/green deployment with CodeDeploy, where new instances are launched and traffic is shifted only after validation, ensures zero downtime by keeping the old environment (blue) fully serving traffic until the new environment (green) is verified healthy. This approach avoids any in-place updates that could temporarily reduce capacity or cause service disruption, meeting the requirement for zero downtime during deployment.

Exam trap

The trap here is that candidates confuse the predefined deployment configurations (like AllAtOnce or OneAtATime) with the blue/green deployment method, not realizing that blue/green is a separate deployment type configured in the deployment group settings, not a predefined configuration name.

How to eliminate wrong answers

Option A is wrong because CodeDeployDefault.AllAtOnce deploys to all instances simultaneously, which can cause downtime if the new version fails or requires a restart, as there is no gradual traffic shifting or rollback capability. Option B is wrong because CodeDeployDefault.OneAtATime deploys to one instance at a time, which minimizes risk but still involves in-place updates that can cause brief interruptions if the application requires a restart or health check failure during deployment. Option C is wrong because CodeDeployDefault.EC2/OnPremises: BlueGreenDeployment is not a valid predefined deployment configuration name; CodeDeploy does not have a built-in configuration with that exact string, and blue/green deployments must be explicitly configured via the deployment group settings, not selected as a predefined configuration.

236
MCQmedium

Operators have been making direct changes to AWS resources (security group rules, IAM policy modifications) that were originally created by CloudFormation stacks. The team wants to identify which stacks and specific resources have drifted from their template definitions. What is the correct tool and operation sequence?

A.Run drift detection on each CloudFormation stack; review the results in the Drift status panel to see which resources have MODIFIED or DELETED status
B.Enable AWS Config conformance packs that check CloudFormation stack compliance against desired template states
C.Re-deploy all stacks with the original templates using CloudFormation update-stack to overwrite any manual changes
D.Use AWS Trusted Advisor to identify resources that have been modified outside of their originating CloudFormation stacks
AnswerA

Drift detection calls AWS APIs to read the current configuration of each resource and compares it to the template. Resources with live configurations differing from the template are marked MODIFIED. Deleted resources outside the stack are marked DELETED. The results show the exact property-level differences, enabling targeted remediation.

Why this answer

AWS CloudFormation drift detection is the correct tool because it directly compares the current state of resources in a stack (including security group rules and IAM policies) against the stack's template definitions. Running drift detection on each stack and reviewing the Drift status panel reveals which resources have been modified or deleted outside of CloudFormation, providing the exact identification the team needs.

Exam trap

The trap here is that candidates may confuse drift detection with compliance checks (AWS Config) or remediation actions (update-stack), but the question specifically asks for identification of drifted stacks and resources, not remediation or compliance evaluation.

How to eliminate wrong answers

Option B is wrong because AWS Config conformance packs evaluate resource compliance against rules, not against CloudFormation template states; they cannot detect drift from a specific stack template. Option C is wrong because re-deploying stacks with update-stack overwrites manual changes but does not identify which stacks or resources have drifted; it is a remediation action, not a detection tool. Option D is wrong because AWS Trusted Advisor checks for best practices and cost optimization, not for drift between CloudFormation templates and actual resource configurations.

237
MCQmedium

A company uses AWS CloudFormation to deploy a three-tier web application. The template includes an Amazon RDS DB instance. The SysOps administrator needs to ensure that the database password is not exposed in the template or in the stack outputs. The password should be stored securely and rotated automatically every 90 days. Which solution should the administrator use?

A.Store the password as a plaintext parameter in the CloudFormation template and mark it as NoEcho.
B.Use AWS Systems Manager Parameter Store to store the password as a SecureString and reference it using the dynamic reference {{resolve:ssm-secure:password}} in the template.
C.Use AWS Secrets Manager to store the password and reference it using the dynamic reference {{resolve:secretsmanager:secretId:secretString:password}} in the CloudFormation template. Enable automatic rotation.
D.Hardcode the password in a userdata script that is passed to the EC2 instances.
AnswerC

Secrets Manager provides secure storage with automatic rotation, and CloudFormation can dynamically reference the secret.

Why this answer

Option C is correct because AWS Secrets Manager is designed to securely store secrets like database passwords, supports automatic rotation (including a 90-day schedule), and can be referenced in CloudFormation templates using the dynamic reference {{resolve:secretsmanager:secretId:secretString:password}}. This ensures the password is never exposed in the template or stack outputs, and rotation is handled automatically without manual intervention.

Exam trap

The trap here is that candidates often confuse AWS Systems Manager Parameter Store (which can store SecureStrings but lacks native rotation) with AWS Secrets Manager (which is purpose-built for secrets with automatic rotation), leading them to choose Option B instead of C.

How to eliminate wrong answers

Option A is wrong because marking a parameter as NoEcho only hides it from console output and logs, but the plaintext value is still stored in the template and can be retrieved by anyone with access to the template or stack metadata; it does not provide secure storage or automatic rotation. Option B is wrong because AWS Systems Manager Parameter Store (SecureString) stores the password securely but does not natively support automatic rotation; you would need to build a custom rotation solution, and the dynamic reference {{resolve:ssm-secure:password}} does not trigger rotation. Option D is wrong because hardcoding the password in a userdata script exposes it in plaintext within the EC2 instance metadata and logs, violating security best practices and providing no rotation capability.

238
Multi-Selecteasy

A SysOps administrator is setting up an AWS Elastic Beanstalk environment for a Node.js application. The administrator wants to ensure that environment variables are set for the application. Which of the following methods can be used to set environment variables in Elastic Beanstalk? (Choose TWO.)

Select 2 answers
A.Use the AWS CLI command update-environment.
B.Set them in the Elastic Beanstalk environment configuration.
C.Use a CloudFormation template to set environment variables.
D.Include them in the AppSpec file.
E.Define them in the EB CLI configuration file.
AnswersA, B

The CLI can set environment variables using the --option-settings parameter.

Why this answer

Environment variables can be set in the Elastic Beanstalk console under Configuration > Software, or via the AWS CLI using the update-environment command. Option A and D are correct. Option B is wrong because the EB CLI does not support setting environment variables directly; it uses configuration files.

Option C is wrong because the AppSpec file is for CodeDeploy, not Elastic Beanstalk. Option E is wrong because CloudFormation templates are not used directly in Elastic Beanstalk for environment variables.

239
MCQhard

A SysOps administrator is using AWS OpsWorks to manage a stack of web servers. The administrator wants to automate the installation of custom software on all new instances that are added to the layer. What is the best approach?

A.Assign a custom Chef recipe to the layer's Setup lifecycle event.
B.Use AWS CloudFormation to install software on new instances.
C.Create a custom AMI with the software pre-installed and use that in the layer.
D.Use EC2 user data scripts in the layer configuration.
AnswerA

OpsWorks runs the Setup recipe on new instances, allowing custom software installation.

Why this answer

Custom Chef recipes can be assigned to a layer's lifecycle events, such as Setup, to run on new instances. Option A is correct. Option B is wrong because user data is for EC2 instances directly, not OpsWorks.

Option C is wrong because custom AMIs require manual management and do not integrate with OpsWorks automation. Option D is wrong because CloudFormation is not part of OpsWorks instance lifecycle.

240
MCQmedium

A company is using Lambda functions to process data from an S3 bucket. The SysOps administrator needs to update the Lambda function code with a new version. The administrator wants to ensure that during the deployment, any in-flight requests are completed with the old code, and new requests use the new code. Which deployment strategy should the administrator use?

A.Update the Lambda function code directly using the AWS CLI.
B.Use AWS CodeDeploy with a canary deployment configuration on the Lambda function.
C.Create a new Lambda function and update the S3 event notification to trigger the new function.
D.Create a new Lambda version and update the alias to gradually shift traffic from the old version to the new version using weighted routing.
AnswerD

Weighted routing allows a percentage of traffic to go to the new version while old requests complete.

Why this answer

Option B is correct because Lambda aliases with weighted routing allow gradual traffic shifting. Option A is incorrect because updating the function directly immediately changes all invocations. Option C is incorrect because a new version can be created but without alias routing, all traffic goes to the new version.

Option D is incorrect because canary deployments are not native to Lambda; weighted routing is the correct method.

241
MCQeasy

A SysOps administrator needs to deploy a web application stack consisting of an Amazon EC2 instance, an Amazon RDS database, and an Application Load Balancer. The administrator wants to define the infrastructure as code and version control it. Which AWS service should the administrator use?

A.AWS Elastic Beanstalk
B.AWS CloudFormation
C.AWS OpsWorks
D.AWS CodeDeploy
AnswerB

CloudFormation allows you to define all resources in a template, enabling version-controlled, repeatable deployments.

Why this answer

AWS CloudFormation is the correct choice because it is an Infrastructure as Code (IaC) service that allows you to define and provision AWS resources—such as EC2 instances, RDS databases, and Application Load Balancers—using declarative templates (JSON or YAML). These templates can be version-controlled in a repository like Git, enabling repeatable, auditable deployments. Elastic Beanstalk abstracts infrastructure management but does not give you the same level of granular control over individual resources as CloudFormation.

Exam trap

The trap here is that candidates often confuse AWS Elastic Beanstalk (a PaaS that automates deployment) with Infrastructure as Code, but Elastic Beanstalk does not allow you to version-control the raw infrastructure definition; CloudFormation is the dedicated IaC service for that purpose.

How to eliminate wrong answers

Option A is wrong because AWS Elastic Beanstalk is a Platform as a Service (PaaS) that automates deployment and scaling of applications but does not provide native version control for the underlying infrastructure definition; it manages resources behind the scenes, not as a user-defined IaC template. Option C is wrong because AWS OpsWorks is a configuration management service based on Chef and Puppet, designed for managing server configurations and application stacks, not for declaratively provisioning and version-controlling infrastructure resources like EC2, RDS, and ALB as code. Option D is wrong because AWS CodeDeploy is a deployment automation service that handles code deployment to compute services (e.g., EC2, Lambda) but does not define or provision the underlying infrastructure resources themselves.

242
MCQhard

An organization uses AWS OpsWorks for configuration management. The SysOps administrator notices that a stack's instances are not receiving the updated custom cookbooks after a new deployment. The cookbooks are stored in a private GitHub repository. What is the most likely cause?

A.The cookbooks are not stored in an S3 bucket.
B.The OpsWorks agent is not running on the instances.
C.The instances do not have internet access.
D.The SSH key for the Git repository is not configured in the stack.
AnswerD

OpsWorks needs the private SSH key to access private repositories.

Why this answer

The correct answer is D because OpsWorks uses the SSH key stored in the stack to clone private repositories. If the key is missing or invalid, the cookbook update fails silently. Option A is incorrect because the agent typically checks periodically.

Option B is incorrect because cookbooks are downloaded via Git, not S3, unless using S3 archives. Option C is incorrect because instances need outbound access to GitHub, but that would be a different symptom.

243
MCQmedium

A company uses AWS CloudFormation to manage infrastructure. A developer accidentally deletes a resource from the stack template, and the next stack update attempts to delete the resource. The SysOps administrator wants to prevent accidental deletion of critical resources. Which CloudFormation feature should be used?

A.Enable termination protection on the stack.
B.Stack policy to deny delete actions.
C.Set a DeletionPolicy attribute to 'Retain' on the resource.
D.Attach an IAM policy that denies cloudformation:DeleteStack.
AnswerC

DeletionPolicy: Retain retains the resource when it's removed from the template.

Why this answer

The correct answer is C because DeletionPolicy: Retain preserves the resource when the stack is deleted or the resource is removed from the template. Option A is incorrect because StackPolicy controls updates, not deletions. Option B is incorrect because TerminationProtection is for EC2 instances, not CloudFormation.

Option D is incorrect because ResourcePolicy is not a CloudFormation feature.

244
Multi-Selectmedium

A company wants to use AWS Elastic Beanstalk to deploy a web application. The application requires a custom Amazon Linux 2 AMI with specific security agents installed. The company wants to ensure that all environment instances use this custom AMI. Which combination of steps should be taken? (Choose three.)

Select 3 answers
A.Configure the Elastic Beanstalk environment to use the custom AMI by specifying the AMI ID in the .ebextensions configuration.
B.Create a CloudFormation template to deploy the environment with the custom AMI.
C.Create a custom AMI using the Elastic Beanstalk platform image as the base.
D.Create a custom AMI using AWS Image Builder.
E.Use a configuration file in the .ebextensions folder to set the AMI ID for the Auto Scaling launch configuration.
AnswersA, C, E

This tells the environment to use the custom AMI.

Why this answer

Options B, C, and D are correct. The custom AMI must be built from the Elastic Beanstalk platform image to ensure compatibility, then the AMI ID must be specified in the environment configuration via .ebextensions or the console. Option A is wrong because the company does not need to manage their own AMI builder.

Option E is wrong because CloudFormation is not required for this task.

245
MCQeasy

A SysOps administrator uses AWS CodeDeploy to deploy applications to Amazon EC2 instances. The administrator wants to ensure that during deployment, traffic is shifted from the original instances to the new instances incrementally in 10-minute intervals. The deployment should automatically roll back if any health check fails. Which deployment configuration should the administrator choose?

A.CodeDeployDefault.AllAtOnce
B.CodeDeployDefault.OneAtATime
C.CodeDeployDefault.HalfAtATime
D.Custom deployment configuration with 25% every 10 minutes and traffic routing enabled
AnswerD

A custom deployment configuration allows you to define the exact percentage of traffic to shift and the interval between shifts (e.g., 25% every 10 minutes). Combined with automatic rollback on health check failure, this meets the requirements.

Why this answer

Option D is correct because it allows a custom deployment configuration that shifts traffic in 10-minute intervals (e.g., 25% every 10 minutes) with automatic rollback on health check failure. The built-in configurations (AllAtOnce, OneAtATime, HalfAtATime) do not support incremental traffic shifting with time-based intervals; only a custom configuration can achieve the specified 10-minute interval requirement.

Exam trap

The trap here is that candidates assume built-in configurations like HalfAtATime or OneAtATime can be customized with time intervals, but only a custom deployment configuration allows specifying both the percentage and the interval in minutes for traffic shifting.

How to eliminate wrong answers

Option A is wrong because CodeDeployDefault.AllAtOnce deploys to all instances simultaneously, not incrementally in 10-minute intervals. Option B is wrong because CodeDeployDefault.OneAtATime deploys to one instance at a time but does not use 10-minute intervals; it shifts traffic immediately per instance without a fixed time delay. Option C is wrong because CodeDeployDefault.HalfAtATime deploys to half the instances at once, not in incremental 10-minute steps, and lacks the time-based interval control.

246
MCQhard

A company uses AWS OpsWorks for Chef Automate to manage its EC2 instances. The administrator needs to deploy a new cookbook to all instances in a stack. The cookbook is stored in an S3 bucket. What is the MOST efficient way to deploy the cookbook to the instances?

A.Upload the cookbook to the Chef Server and have the instances pull from there.
B.SSH into each instance and manually download the cookbook from S3.
C.Configure the OpsWorks stack to use the S3 bucket as the custom cookbook source and run the 'Update Custom Cookbooks' stack command.
D.Configure a lifecycle event in the OpsWorks layer to run a script that downloads the cookbook from S3.
AnswerC

This method automatically downloads and updates cookbooks on all instances.

Why this answer

OpsWorks can automatically update cookbooks from a custom cookbook source (e.g., S3) by configuring the stack to use that source. Option A is correct. Option B is wrong because manual upload is inefficient.

Option C is wrong because the stack settings can automatically retrieve the cookbook without a separate lifecycle event. Option D is wrong because Chef Server is not used in OpsWorks Chef Automate; it uses Chef Automate server.

247
MCQeasy

An organization is using AWS CloudFormation to manage its infrastructure. The SysOps administrator wants to update a stack that includes an Amazon RDS DB instance. The update requires changing the DB instance class. However, the administrator wants to minimize downtime. What should the administrator do?

A.Use CloudFormation's 'DeletionPolicy' attribute to retain the database during updates.
B.Enable Multi-AZ on the DB instance (if not already enabled) before performing the stack update.
C.Update the stack directly with 'ApplyImmediately' set to true.
D.Create a read replica, promote it, and then delete the original DB instance.
AnswerB

Why C is correct

Why this answer

Option C is correct because changing the DB instance class may require a replacement, which causes downtime. Using a Multi-AZ deployment allows the update to be applied to the standby first, then fail over, minimizing downtime. Option A is incorrect because modifying the DB instance class directly with ApplyImmediately may cause a brief outage.

Option B is incorrect because creating a read replica does not help with updating the instance class. Option D is incorrect because CloudFormation does not automatically create a standby for single-AZ deployments.

248
MCQmedium

A SysOps administrator ran a CloudFormation stack update that failed and rolled back. The stack status is UPDATE_ROLLBACK_FAILED. The administrator needs to fix the issue and bring the stack to a stable state. What should the administrator do FIRST?

A.Identify and resolve the resource issue that caused the rollback failure, then continue the rollback.
B.Wait for CloudFormation to automatically retry the rollback.
C.Execute a new stack update to overwrite the failed resources.
D.Delete the stack and recreate it from the template.
AnswerA

Correct: Resolving the issue allows the rollback to complete.

Why this answer

The correct answer is B because when a rollback fails, the administrator must resolve the underlying issue (e.g., permissions, resource conflict) and then continue the rollback. Option A is wrong because attempting a new update without fixing the issue may fail again. Option C is wrong because deleting the stack may cause data loss.

Option D is wrong because CloudFormation does not automatically retry.

249
MCQhard

A SysOps administrator is troubleshooting a CloudFormation stack creation failure. The stack is designed to create an Amazon RDS DB instance with a specific parameter group. The error message indicates that the DB instance could not be created because the parameter group does not exist. The administrator has verified that the parameter group exists in the same region and account. What is the MOST likely issue?

A.The parameter group name in the template has a typo or does not match the actual resource name.
B.The VPC security group specified for the DB instance does not allow inbound traffic from the application tier.
C.The DB instance class requires a different parameter group family.
D.The parameter group resource is defined in the same template but is not linked to the DB instance using the 'DependsOn' attribute.
AnswerD

Why A is correct

Why this answer

Option A is correct because CloudFormation must create resources in order based on dependencies. If the parameter group is defined in the same template, it might be created after the DB instance, causing an error. The administrator should use the DependsOn attribute to ensure the parameter group is created first.

Option B is incorrect because the error is about the parameter group not existing, not about security groups. Option C is incorrect because the parameter group name being incorrect would result in a different error. Option D is incorrect because the DB instance class does not affect parameter group existence.

250
MCQhard

A company runs a critical production workload on a fleet of EC2 instances managed by an Auto Scaling group. The instances are behind an Application Load Balancer (ALB). Recently, the company experienced a regional outage that caused all instances to become unhealthy. The SysOps administrator must design a solution to automatically recover from such an outage with minimal downtime. The solution must be cost-effective and not require manual intervention. The administrator considers four options. Which option meets the requirements?

A.Configure the Auto Scaling group to launch instances across multiple Availability Zones and configure the ALB to route traffic to healthy targets.
B.Increase the desired capacity of the Auto Scaling group and use larger instance types to absorb the load during failover.
C.Create a warm standby environment in another AWS Region with a smaller Auto Scaling group. Use Route53 failover routing to switch traffic.
D.Use AWS Lambda to periodically check the health of instances and automatically relaunch failed instances in another region.
AnswerA

Multi-AZ automatically handles AZ failure.

Why this answer

Option C is correct because using an Auto Scaling group across multiple Availability Zones ensures that if one AZ fails, the ASG can launch instances in other AZs, and the ALB will route traffic to healthy instances. Option A is wrong because a warm standby in another region can be costly and may not be fully automated. Option B is wrong because increasing instance size does not provide AZ failover.

Option D is wrong because manual scripts introduce single points of failure and latency.

251
MCQmedium

A company uses AWS CodePipeline to deploy a web application. The pipeline has a source stage (Amazon S3) and a deploy stage (AWS Elastic Beanstalk). The SysOps administrator needs to add a manual approval step before the deployment proceeds to the production environment. Which action should the administrator take?

A.Add an approval stage in the pipeline using the Amazon SNS topic as a notification method.
B.Add a manual approval action in the pipeline using the AWS CodePipeline approval action type.
C.Use an AWS CloudFormation change set to require manual approval.
D.Create a separate pipeline for production and trigger it manually.
AnswerB

CodePipeline provides a built-in approval action that can be added to any stage. When configured, the pipeline pauses and waits for manual approval, with optional SNS notifications.

Why this answer

Option B is correct because AWS CodePipeline natively supports a manual approval action type that can be added as a stage in the pipeline. This action pauses the pipeline execution until an authorized user manually approves or rejects the deployment, allowing the SysOps administrator to gate the deployment to the production environment without external services.

Exam trap

The trap here is that candidates may confuse notification mechanisms (like SNS) with the actual approval action, or assume that external tools like CloudFormation change sets can serve as manual approval gates within a pipeline.

How to eliminate wrong answers

Option A is wrong because while Amazon SNS can be used to notify approvers, the approval action itself must be the CodePipeline approval action type; adding an SNS topic alone does not create a manual approval gate. Option C is wrong because AWS CloudFormation change sets are used to review infrastructure changes before execution, not to add manual approval steps within a CodePipeline deployment workflow. Option D is wrong because creating a separate pipeline for production and triggering it manually bypasses the automated pipeline integration and does not add a manual approval step within the existing pipeline.

252
Multi-Selecthard

Which TWO actions should a SysOps administrator take to automate the deployment of a multi-tier application with AWS CloudFormation? (Choose two.)

Select 2 answers
A.Hardcode CIDR blocks and instance types to avoid parameter input
B.Use nested stacks to separate concerns such as network, app, and database
C.Use AWS::Include to reuse snippets instead of parameters
D.Use cross-stack references to pass outputs between stacks
E.Define all resources in a single template to simplify management
AnswersB, D

Nested stacks promote reusability and manageability.

Why this answer

Options B and D are correct. Option A is incorrect because nested stacks are not always necessary. Option C is incorrect because hardcoding CIDR blocks reduces flexibility.

Option E is incorrect because parameters should be used for dynamic values.

253
MCQmedium

Refer to the exhibit. A SysOps administrator ran the describe-stack-events command for a CloudFormation stack named 'my-stack'. The stack creation failed with 'Resource creation cancelled'. What is the most likely reason?

A.The stack creation was manually cancelled by the administrator.
B.The IAM role for the stack does not have sufficient permissions.
C.The nested stack creation failed due to an invalid template.
D.The nested stack creation timed out and was cancelled.
AnswerD

The 'Resource creation cancelled' error often occurs when a nested stack times out.

Why this answer

The correct answer is C because the nested stack creation was cancelled, likely due to a timeout or user interruption. The parent stack shows CREATE_FAILED with reason 'Resource creation cancelled', and the nested stack is in CREATE_IN_PROGRESS. This indicates that the nested stack was cancelled, possibly because it exceeded a timeout.

Option A is incorrect because the event shows the nested stack is in progress, not failed. Option B is incorrect because there is no explicit cancellation event from the user. Option D is incorrect because there is no evidence of an IAM permission issue.

254
MCQhard

A CloudFormation stack manages an RDS database, an S3 bucket, and several Lambda functions. During a recent stack update, a property change caused CloudFormation to replace the RDS instance, deleting the database and re-creating it — resulting in data loss. The team wants to prevent any future stack update from replacing or deleting the RDS instance without an explicit override. What CloudFormation feature accomplishes this?

A.Set a stack policy that denies Replace and Delete actions on the RDS resource; require an override policy to be explicitly provided when a replacement is intentional
B.Enable deletion protection on the RDS instance to prevent CloudFormation from deleting it
C.Use CloudFormation change sets to preview the update and manually reject any change set that includes a replacement
D.Add a DeletionPolicy: Retain attribute to the RDS resource in the template
AnswerA

The stack policy evaluates each update action per resource. A Deny on Replace for the RDS logical resource ID prevents CloudFormation from completing any update that would recreate the database — the update fails with a clear policy error. A temporary override policy passed via --stack-policy-during-update can explicitly allow the replacement for a deliberate migration.

Why this answer

Option A is correct because a CloudFormation stack policy can explicitly deny Update (which includes replacement) and Delete actions on specific resources, such as the RDS instance. To intentionally perform a replacement, the user must provide an override stack policy during the update that allows the action, ensuring that no accidental replacement occurs without explicit consent.

Exam trap

The trap here is that candidates confuse RDS deletion protection or DeletionPolicy: Retain with stack policies, mistakenly believing those features can block CloudFormation from replacing a resource during an update, when in fact they only protect against deletion in specific scenarios (e.g., stack deletion or direct API calls).

How to eliminate wrong answers

Option B is wrong because RDS deletion protection prevents the database from being deleted via the RDS API or console, but CloudFormation can still replace the instance (which involves creating a new one and deleting the old one) if the template triggers a replacement; deletion protection does not block CloudFormation from performing a replacement. Option C is wrong because change sets only provide a preview of changes and require manual approval, but they do not prevent a user from accidentally executing a change set that includes a replacement; the team wants a guardrail that blocks replacement without an explicit override, not just a manual review step. Option D is wrong because DeletionPolicy: Retain only preserves the resource when the stack is deleted, but it does not prevent CloudFormation from replacing the resource during a stack update; a replacement still deletes the original resource and creates a new one, and the Retain policy does not block that deletion.

255
MCQmedium

A company is deploying a web application on EC2 instances behind an Application Load Balancer. The deployment uses AWS CodeDeploy with an in-place update. During a deployment, the new application version fails health checks, and CodeDeploy automatically rolls back. However, the rollback also fails. What is the MOST likely cause?

A.The Auto Scaling group's minimum size is too low for a rollback.
B.The load balancer is configured with an incorrect target group for the Elastic Beanstalk environment.
C.The CodeDeploy agent on the EC2 instances is not running the latest version.
D.The health check path specified in the AppSpec file is not valid for the previous application version.
AnswerD

If the health check path is not valid for the previous version, the rollback will also fail health checks.

Why this answer

Option D is correct because if the health check configuration in the CodeDeploy AppSpec file points to a path that is not valid in the previous version, the rollback will also fail health checks. Option A is incorrect because insufficient capacity would cause a different error. Option B is incorrect because CodeDeploy does not use Elastic Beanstalk.

Option C is incorrect because the issue is with health checks, not with the agent.

256
MCQeasy

A SysOps administrator uses AWS CloudFormation to deploy a three-tier application. The administrator has a single template that can be used for development, test, and production environments. The only differences between environments are the EC2 instance type and the RDS DB instance class. Which CloudFormation feature should the administrator use to define these environment-specific values without duplicating the template?

A.Parameters
B.Conditions
C.Mappings
D.Outputs
AnswerA

Parameters enable you to input custom values for instance types and DB classes when creating or updating a stack. The same template can be reused for multiple environments.

Why this answer

Parameters allow you to input environment-specific values (e.g., EC2 instance type, RDS DB instance class) at stack creation or update time without modifying the template. This is the correct feature because the question explicitly requires defining values that differ per environment while reusing a single template.

Exam trap

The trap here is that candidates confuse Conditions (which toggle resource creation) with Parameters (which supply variable values), leading them to think Conditions can handle environment-specific instance types when they cannot.

How to eliminate wrong answers

Option B (Conditions) is wrong because conditions control whether to create or include specific resources or properties based on a condition (e.g., environment type), but they cannot inject variable values like instance types; they only toggle existence. Option C (Mappings) is wrong because mappings provide static lookup tables (e.g., mapping environment names to instance types) but require hardcoded keys and values in the template, which still requires template duplication if the values change per deployment; parameters are more flexible for runtime input. Option D (Outputs) is wrong because outputs are used to return information about the stack (e.g., endpoint URLs) after creation, not to define input values for resources.

257
Multi-Selecteasy

A SysOps administrator is planning to deploy a web application using AWS Elastic Beanstalk. The application requires high availability across multiple Availability Zones. The administrator needs to configure the environment to automatically replace a failed instance. Which TWO configuration options should the administrator enable? (Choose TWO.)

Select 2 answers
A.Enable the environment's health check and set the health check path to a valid endpoint.
B.Attach an Application Load Balancer to distribute traffic to healthy instances.
C.Configure the environment's Auto Scaling group with a minimum of 2 instances spread across multiple Availability Zones.
D.Use AWS OpsWorks Stacks to manage the instance lifecycle.
E.Create a CloudWatch alarm that triggers an SNS notification when an instance fails.
AnswersA, C

Health checks allow the load balancer to detect unhealthy instances and Auto Scaling to replace them.

Why this answer

Option A (Auto Scaling group with a minimum of 2 instances) is correct for high availability. Option B (Load balancer) is correct for distributing traffic. Option D (Health check) is correct for detecting failures.

Option C is incorrect because OpsWorks is a different service. Option E is incorrect because CloudWatch alarms alert but do not automatically replace instances without Auto Scaling.

258
MCQeasy

An organization uses AWS Service Catalog to manage approved IT services. A SysOps administrator needs to update a CloudFormation template used by a product. The administrator wants to ensure that existing provisioned products are updated with the new template version. What step must the administrator take after updating the product?

A.Update the portfolio that contains the product.
B.Create a new product version and update the provisioned products to use the new version.
C.Update the product's CloudFormation template directly in the Service Catalog console.
D.Terminate the existing provisioned products and reprovision them.
AnswerB

Why B is correct

Why this answer

Option B is correct because in Service Catalog, to update existing provisioned products, you need to create a new product version and update the provisioned product to that version. Simply updating the template does not automatically trigger updates. Option A is incorrect because Service Catalog uses versions, not direct template updates.

Option C is incorrect because terminating and reprovisioning is disruptive and not recommended. Option D is incorrect because updating the portfolio does not update provisioned products.

259
MCQeasy

A company uses AWS OpsWorks for configuration management of EC2 instances. The administrator needs to ensure that a custom recipe runs on all instances after the instance is fully configured. Which lifecycle event should the recipe be associated with?

A.Undeploy
B.Deploy
C.Configure
D.Setup
AnswerC

Configure runs on instance state changes and after setup.

Why this answer

Option C is correct because the Configure lifecycle event occurs after the instance is fully set up and runs whenever the instance enters a new state. Option A is wrong because Setup runs only once when the instance boots. Option B is wrong because Deploy runs when a deploy command is issued.

Option D is wrong because Undeploy runs when the instance is removed.

260
MCQeasy

A company uses AWS CodeDeploy to deploy applications to Amazon EC2 instances. The SysOps administrator wants to deploy a new version of the application by first shifting 10% of traffic to the new version, monitoring for errors, and then after manual approval, shifting the remaining 90%. Which deployment configuration should be used?

A.In-place deployment
B.Blue/green deployment with Canary10Percent configuration
C.Blue/green deployment with Linear10PercentEvery10Minutes configuration
D.Blue/green deployment with AllAtOnce configuration
AnswerB

This configuration shifts 10% of traffic to the new instances, then the remaining 90% after a manual approval (or after a set time if automated).

Why this answer

Option B is correct because a Blue/green deployment with Canary10Percent configuration shifts 10% of traffic to the new version, waits for a specified period (default 10 minutes), and then requires manual approval to shift the remaining 90%. This matches the requirement of shifting 10% first, monitoring, and then manually approving the full traffic shift.

Exam trap

The trap here is that candidates may confuse 'Canary10Percent' with 'Linear10PercentEvery10Minutes' because both shift 10% increments, but only Canary10Percent supports manual approval between shifts, while Linear10PercentEvery10Minutes is fully automated.

How to eliminate wrong answers

Option A is wrong because in-place deployment updates existing instances without traffic shifting, so it cannot shift 10% of traffic to a new version. Option C is wrong because Linear10PercentEvery10Minutes automatically shifts 10% every 10 minutes without requiring manual approval, which does not meet the manual approval requirement. Option D is wrong because AllAtOnce shifts 100% of traffic immediately, which does not allow for a 10% initial shift and monitoring.

261
MCQmedium

A SysOps administrator uses AWS CloudFormation to deploy infrastructure. The administrator has a template that creates an Amazon EC2 instance and an Amazon RDS DB instance. The administrator needs to reuse the same template for development, test, and production environments, where the only differences are the EC2 instance type and the RDS DB instance class. Which CloudFormation feature should be used to define these environment-specific values?

A.Mappings
B.Conditions
C.Parameters
D.Outputs
AnswerC

Parameters accept input values at stack creation, making it easy to reuse the template across environments.

Why this answer

Parameters are the correct CloudFormation feature to define environment-specific values because they allow you to input custom values (e.g., EC2 instance type and RDS DB instance class) at stack creation or update time without modifying the template. This enables reuse of the same template across development, test, and production environments by simply passing different parameter values for each environment.

Exam trap

The trap here is that candidates often confuse Parameters with Mappings, thinking Mappings can handle environment-specific values, but Mappings are static and cannot accept runtime input, whereas Parameters are designed exactly for this purpose.

How to eliminate wrong answers

Option A is wrong because Mappings are static lookup tables used to define fixed key-value pairs (e.g., mapping AWS regions to AMI IDs) and cannot accept dynamic user input per environment. Option B is wrong because Conditions control whether certain resources or properties are created based on logical expressions (e.g., create a resource only in production), but they do not define variable values like instance types. Option D is wrong because Outputs are used to return information about the created stack (e.g., endpoint URLs or resource IDs) and cannot be used to pass input values into the template.

262
MCQhard

A SysOps administrator has created the IAM policy shown in the exhibit. The policy is attached to a role used by an automation script that manages Amazon EBS snapshots. The script is failing when it tries to delete snapshots. What is the likely cause?

A.The script does not have permission to delete any snapshots.
B.The script is trying to delete snapshots in a different region or account.
C.The script does not have permission to describe snapshots.
D.The script does not have permission to create tags on snapshots.
AnswerB

Correct: The resource ARN restricts deletion to snapshots in us-east-1 and account 123456789012.

Why this answer

The correct answer is D because the 'ec2:DeleteSnapshot' action is allowed only for snapshots in the specified account and region, but the script may be trying to delete snapshots in another region. Option A is wrong because 'ec2:Describe*' can describe snapshots. Option B is wrong because 'ec2:CreateTags' is allowed on any resource.

Option C is wrong because the policy allows 'ec2:DeleteSnapshot' but with a resource restriction.

263
MCQmedium

A company is using AWS CloudFormation to manage its infrastructure. A stack update fails because a change set includes a modification to an RDS database that triggers a replacement. The engineer needs to allow updates that may cause a replacement but wants to be warned first. What should the engineer do?

A.Use the '--disable-rollback' flag when updating the stack.
B.Use a nested stack to isolate the RDS resource.
C.Create a change set and review it before executing the update.
D.Use the '--parameters' option to specify a parameter that controls replacement.
AnswerC

Change sets allow you to preview changes, including replacements, before applying them.

Why this answer

Using a change set allows the engineer to review the changes before executing them. Disabling rollback on failure is not a warning mechanism, and using a nested stack does not provide a warning. The '--parameters' option does not warn about replacements.

264
MCQeasy

A SysOps administrator wants to automate the creation of an Amazon RDS MySQL instance using AWS CloudFormation. Which CloudFormation resource type should be used?

A.AWS::RDS::DBInstance
B.AWS::DynamoDB::Table
C.AWS::AppStream::DirectoryConfig
D.AWS::Redshift::Cluster
AnswerA

This is the correct resource for an RDS database instance.

Why this answer

Option B is correct because AWS::RDS::DBInstance is the resource for creating an RDS instance. Option A is wrong because that is for AppStream. Option C is wrong because that is for DynamoDB.

Option D is wrong because that is for Redshift.

265
MCQmedium

A SysOps administrator is troubleshooting a failed AWS Elastic Beanstalk environment update. The update changed the configuration of the EC2 instances in the Auto Scaling group, but the new instances fail to launch. The administrator checks the Auto Scaling group's scaling activities and sees a 'Failed' status with the message: 'Instance failed to reach the desired state.' What should the administrator check next?

A.Check the IAM role attached to the environment's EC2 instances for missing permissions.
B.Check the account service quotas for EC2 instances.
C.Check the CloudWatch logs for the failed instance to identify application or configuration errors.
D.Check the termination protection setting on the Auto Scaling group.
AnswerC

The instance likely launched but failed health checks due to application errors; logs will show the root cause.

Why this answer

The error 'failed to reach desired state' often indicates an issue with the instance's health checks, such as ELB health check failures. Checking the CloudWatch logs for the instance's application is the most direct way to diagnose why the instance is not passing health checks. Option A is wrong because IAM roles would cause a different error.

Option B is wrong because the error is not about termination protection. Option D is wrong because the error is not about scaling limits.

266
MCQmedium

A company is using AWS CloudFormation to deploy a web application. The stack creation fails with the error 'Resource creation cancelled' for an EC2 instance. The instance type is t3.micro, and the AMI ID is specified in the template. Which of the following is the most likely cause of the failure?

A.The instance type 't3.micro' is not available in the region.
B.The instance type is invalid for the specified AMI.
C.The AMI ID is not specified for the region.
D.The account has reached the vCPU limit for On-Demand Instances in the region.
AnswerD

CloudFormation cancels resource creation if the account exceeds its vCPU limit. The limit must be increased via a support request.

Why this answer

The error 'Resource creation cancelled' indicates that the instance launch was aborted, likely due to reaching the vCPU limit (On-Demand Instance limit per region). The t3.micro instance consumes vCPUs; if the account has a standard limit of 5 vCPUs, launching a t3.micro (2 vCPUs) might exceed the limit if other instances are running. Option A is correct because CloudFormation does not automatically request a limit increase.

Option B is wrong because the AMI ID is specified, so no default AMI is used. Option C is wrong because t3.micro is supported. Option D is wrong because the instance type is valid.

267
MCQeasy

A SysOps administrator needs to deploy a new application version to an Auto Scaling group without causing any downtime. The application runs on EC2 instances behind an Application Load Balancer. Which deployment method should the administrator use?

A.Perform an in-place update by updating the launch template and manually replacing instances one by one.
B.Use a rolling update with a batch size of 100% of the instances.
C.Use a rolling update with a batch size of 1 instance and enable the health check grace period.
D.Create a new Auto Scaling group with the new launch template and gradually shift traffic using a load balancer target group.
AnswerC

This replaces one instance at a time, maintaining capacity and availability.

Why this answer

Option C is correct because a rolling update with a batch size of 1 instance at a time minimizes impact and can be done without downtime if health checks are configured. Option A is incorrect because it does not use Auto Scaling. Option B is incorrect because it terminates all instances at once.

Option D is incorrect because immutable updates launch new instances in a new Auto Scaling group, which is also zero-downtime but not the only option.

268
MCQmedium

An administrator is using AWS CodePipeline to deploy a web application. The pipeline includes a build stage using AWS CodeBuild and a deploy stage using AWS Elastic Beanstalk. The build succeeds, but the deployment fails with 'Access Denied' when Elastic Beanstalk tries to read the artifact from S3. What should the administrator check?

A.The IAM role assumed by the Elastic Beanstalk environment
B.The IAM role used by CodeBuild
C.Whether the artifact bucket is in the same region as the pipeline
D.The S3 bucket policy for the artifact bucket
AnswerA

The service role must have s3:GetObject on the artifact bucket.

Why this answer

Option A is correct because the Elastic Beanstalk service role needs permissions to read the artifact bucket. Option B is wrong because the CodeBuild role is for building, not deploying. Option C is wrong because S3 bucket policies are not the most likely issue.

Option D is wrong because the artifact bucket is internal.

269
MCQhard

A SysOps administrator is responsible for deploying a critical application using AWS CloudFormation. The stack creation fails during the creation of an Amazon EC2 instance. The error message indicates that the instance type is not supported in the specified Availability Zone. What should the administrator do to prevent this issue in future deployments?

A.Hardcode the Availability Zone in the template to one that supports the instance type.
B.Use a different instance type that is available in all Availability Zones.
C.Change the AWS region to one where the instance type is supported.
D.Use an AWS Systems Manager parameter to dynamically select an available instance type based on the Availability Zone.
AnswerD

Correct: SSM parameters can store and retrieve instance type availability.

Why this answer

The correct answer is A because using an AWS Systems Manager parameter can provide the latest supported instance types per Availability Zone. Option B is wrong because specifying a specific Availability Zone does not solve the unsupported instance type issue. Option C is wrong because changing the region may not be feasible.

Option D is wrong because selecting a different instance type may not meet requirements.

270
MCQmedium

A company uses AWS Systems Manager Patch Manager to automate patching of Amazon EC2 instances. The SysOps administrator needs to configure a maintenance window that will patch instances on the second Tuesday of every month at 2:00 AM. The administrator wants to ensure that patches are automatically applied but reboots are only performed if required. Which combination of configurations should the administrator use?

A.Create a maintenance window with a cron schedule of cron(0 2 ? * TUE#2 *) and use an AWS-RunPatchBaseline document with operation 'Install' and reboot option 'RebootIfNeeded'.
B.Create a maintenance window with a rate schedule of 30 days and use an AWS-ApplyPatchBaseline document with operation 'Scan' and reboot option 'RebootIfNeeded'.
C.Create a maintenance window with a cron schedule of cron(0 2 14 * ? *) and use an AWS-RunPatchBaseline document with operation 'Install' and reboot option 'RebootIfNeeded'.
D.Create a maintenance window with a cron schedule of cron(0 2 2 * 2 *) and use an AWS-InstallPatchBaseline document with operation 'Install' and reboot option 'NoReboot'.
AnswerA

This schedule correctly specifies the second Tuesday of each month at 2 AM. The document and operation apply patches, and RebootIfNeeded only reboots if necessary.

Why this answer

Option A is correct because it uses the cron expression `cron(0 2 ? * TUE#2 *)` to schedule the maintenance window for the second Tuesday of every month at 2:00 AM, and the `AWS-RunPatchBaseline` document with operation `Install` and reboot option `RebootIfNeeded` ensures patches are applied automatically and reboots only occur when required by the patch installation.

Exam trap

The trap here is that candidates often confuse the cron syntax for 'second Tuesday' with simpler day-of-month or day-of-week expressions, or mistakenly use invalid SSM document names like `AWS-ApplyPatchBaseline` or `AWS-InstallPatchBaseline`, which do not exist in AWS Systems Manager.

How to eliminate wrong answers

Option B is wrong because it uses a rate schedule of 30 days, which does not guarantee execution on the second Tuesday of every month and can drift over time; also, `AWS-ApplyPatchBaseline` is not a valid SSM document name (the correct document is `AWS-RunPatchBaseline`), and operation `Scan` only reports missing patches without applying them. Option C is wrong because the cron expression `cron(0 2 14 * ? *)` runs on the 14th day of every month regardless of the day of the week, which does not target the second Tuesday specifically. Option D is wrong because the cron expression `cron(0 2 2 * 2 *)` runs on the 2nd day of the month only when it is also a Tuesday, which is not the second Tuesday; additionally, `AWS-InstallPatchBaseline` is not a valid SSM document name, and reboot option `NoReboot` prevents reboots even when required, contradicting the requirement.

271
MCQhard

A company uses AWS CloudFormation to deploy a multi-tier application. The template includes an AWS::RDS::DBInstance resource. The administrator wants to ensure that the database is not deleted when the stack is deleted. Which CloudFormation resource property should be set?

A.Set the 'DeletionPolicy' attribute to 'Retain' on the DBInstance resource.
B.Set the 'DeletionPolicy' attribute to 'Snapshot' on the DBInstance.
C.Set the 'RetainOnDeletion' property to 'true' on the DBInstance.
D.Set the 'DeletionProtection' property to 'true' on the DBInstance.
AnswerA

DeletionPolicy: Retain prevents deletion.

Why this answer

Option C is correct because the DeletionPolicy attribute with value Retain prevents the database from being deleted when the stack is deleted. Option A is wrong because the deletion policy is not a property of the DBInstance; it's a top-level attribute. Option B is wrong because the DBInstance does not have a 'DeletionProtection' property in CloudFormation for RDS; that's a separate RDS feature.

Option D is wrong because there is no 'RetainOnDeletion' property.

272
MCQeasy

A SysOps administrator needs to deploy an application to a fleet of EC2 instances in an Auto Scaling group. The application code is stored in an S3 bucket. The administrator wants to automate the deployment so that new instances automatically download the latest code on launch. Which approach should the administrator use?

A.Use AWS CloudFormation with a user data script that downloads the code from S3.
B.Use AWS Systems Manager Automation to run a document that downloads the code each time the instance is started.
C.Use AWS OpsWorks Stacks with a custom layer and a Chef recipe that downloads the code.
D.Create a lifecycle hook in the Auto Scaling group that triggers a Lambda function or runs a Systems Manager command to download the code.
AnswerD

Lifecycle hooks allow custom actions during instance launch and termination.

Why this answer

Option C is correct because a lifecycle hook can execute a custom script via EC2 Run Command to download code from S3. Option A is incorrect because CloudFormation does not run scripts on instances. Option B is incorrect because OpsWorks Stacks is not being used.

Option D is incorrect because Systems Manager Automation runs remotely but not automatically on instance launch without a lifecycle hook.

273
Multi-Selecthard

A company is deploying a microservices application on AWS using Amazon ECS with Fargate launch type. The SysOps administrator needs to automate the deployment process so that when a new Docker image is pushed to Amazon ECR, the ECS service is updated with the new image. Which THREE AWS services should be used together to achieve this? (Choose THREE.)

Select 3 answers
A.AWS CloudFormation
B.AWS CodePipeline
C.Amazon Elastic Container Registry (ECR)
D.Amazon Elastic Container Service (ECS)
E.AWS Systems Manager
AnswersB, C, D

CodePipeline can be triggered by ECR push and deploy to ECS.

Why this answer

Option A (Amazon ECR) is correct for storing Docker images. Option B (Amazon ECS) is correct for running containers. Option D (AWS CodePipeline) is correct for orchestrating the CI/CD pipeline triggered by ECR push.

Option C is incorrect because CloudFormation is for infrastructure provisioning, not continuous deployment. Option E is incorrect because Systems Manager is for management, not CI/CD.

274
Multi-Selectmedium

A SysOps administrator is designing an automated deployment pipeline using AWS CodePipeline. The pipeline must include a manual approval step before deploying to production. Which TWO actions are required to implement this?

Select 2 answers
A.Add a separate stage for approval in the pipeline.
B.Create an Amazon SNS topic for approval notifications.
C.Configure an AWS Lambda function to approve automatically.
D.Grant the CodePipeline service role permission to publish to SNS.
E.Enable CloudWatch Logs for the pipeline.
AnswersB, D

SNS is used to notify approvers.

Why this answer

The correct answers are A and D. A is correct because a manual approval action requires an SNS topic to send notifications. D is correct because the IAM role used by CodePipeline needs permission to publish to SNS.

B is incorrect because CloudWatch Logs is not for notifications. C is incorrect because Lambda is not required. E is incorrect because the approval action is configured in the pipeline, not as a separate stage.

275
MCQhard

A SysOps administrator wants to automate the deployment of an application to an EC2 instance. The instance is running, but the deployment script fails because the instance is not reachable via SSH. The administrator checks the instance state as shown in the exhibit. What should the administrator check NEXT to troubleshoot the SSH connectivity issue?

A.Check the security group rules to ensure SSH (port 22) is allowed from the administrator's IP.
B.Verify the instance is in a public subnet with an internet gateway.
C.Verify the instance ID is correct.
D.Check if the instance is in a stopped state.
AnswerA

Correct: Security groups control inbound traffic; lack of SSH rule prevents connectivity.

Why this answer

The correct answer is C because the instance is running, so the issue is likely network-related. Checking the security group rules ensures the correct inbound SSH rule exists. Option A is wrong because the instance is running, so no need to start it.

Option B is wrong because the instance ID is correct. Option D is wrong because the subnet is likely correct if the instance is running.

276
MCQhard

A company is using AWS Elastic Beanstalk to deploy a web application. The application requires a custom Amazon Machine Image (AMI) that includes specific software. The administrator creates a custom AMI and configures the Elastic Beanstalk environment to use it. However, new instances launched during scaling use the default platform AMI instead. What is the MOST likely cause?

A.The custom AMI ID is specified in the environment properties instead of the launch configuration.
B.The custom AMI is encrypted, and the instance profile does not have permissions to decrypt it.
C.The Elastic Beanstalk platform version is incompatible with the custom AMI.
D.The custom AMI is configured in the environment's launch configuration, but the environment has not been updated to replace existing instances.
AnswerD

Existing instances must be replaced to use the new AMI; scaling launches new instances using the current configuration.

Why this answer

Option D is correct because the custom AMI must be specified in the launch configuration or launch template used by the Auto Scaling group, and if the environment is updated, the existing instances may not be replaced. Option A is wrong because the Elastic Beanstalk platform version determines the base AMI, but custom AMIs can override it. Option B is wrong because the AMI ID must be specified in the launch configuration, not the environment properties.

Option C is wrong because encryption does not prevent the custom AMI from being used.

277
MCQmedium

A company uses AWS Organizations with multiple member accounts. The SysOps administrator needs to deploy a common AWS CloudFormation template that creates an IAM role across all member accounts in the organization. Which AWS service should be used to deploy this template across accounts?

A.AWS CloudFormation StackSets
B.AWS CodePipeline with cross-account deployment actions
C.AWS CloudFormation cross-stack references
D.AWS Service Catalog
AnswerA

StackSets extend CloudFormation's capabilities to create, update, and delete stacks across multiple accounts and regions from a single template. They are designed for this exact use case.

Why this answer

AWS CloudFormation StackSets is the correct service because it extends CloudFormation functionality to deploy templates across multiple accounts and regions from a single management account. StackSets uses a self-managed or service-managed permission model, and with AWS Organizations, it can automatically deploy to all member accounts in the organization or specified organizational units (OUs), making it ideal for deploying a common IAM role across all accounts.

Exam trap

The trap here is that candidates confuse AWS Service Catalog's ability to launch templates in individual accounts with automatic multi-account deployment, overlooking that StackSets is the only service designed for bulk, automated deployment across all organization accounts.

How to eliminate wrong answers

Option B (AWS CodePipeline with cross-account deployment actions) is wrong because CodePipeline orchestrates CI/CD pipelines and, while it can deploy to multiple accounts using cross-account actions, it requires manual setup of each target account and does not natively scale to all member accounts in an organization without additional custom logic. Option C (AWS CloudFormation cross-stack references) is wrong because cross-stack references (using Fn::ImportValue) allow sharing outputs between stacks within the same account or region, not deploying a template across multiple accounts. Option D (AWS Service Catalog) is wrong because Service Catalog enables end users to launch pre-approved products (CloudFormation templates) in their own accounts, but it does not automatically deploy a template across all member accounts; it requires users to provision the product individually.

← PreviousPage 4 of 4 · 277 questions total

Ready to test yourself?

Try a timed practice session using only Deployment, Provisioning, and Automation questions.