CCNA Soa Deployment Provisioning Questions

75 of 277 questions · Page 3/4 · Soa Deployment Provisioning topic · Answers revealed

151
Multi-Select · hard

A company is using AWS Elastic Beanstalk to manage a web application. The SysOps administrator needs to update the application to a new version with zero downtime. Which THREE steps should the administrator take to achieve this? (Choose three.)

Select 3 answers
A. Terminate all existing instances and replace them with new ones.
B. Create a new Elastic Beanstalk environment with the new application version, then swap the environment URLs.
C. Set the load balancer's health check interval to 300 seconds to allow more time for the new instances to become healthy.
D. Set the Elastic Beanstalk environment's health check grace period to a sufficient time to allow new instances to warm up.
E. Perform a rolling update with a batch size of 1 and set the deployment policy to 'Rolling based on Health' with a pause time.
Answers: B, D, E

Blue/green deployment with URL swap provides zero downtime.

Why this answer

To achieve zero downtime with Elastic Beanstalk, the administrator should use a blue/green deployment or rolling update with a batch size of 1 and pause. Option B is correct because creating a new environment and swapping URLs is blue/green, which provides zero downtime. Option E is correct because rolling updates with a batch size of 1 ensure only one instance is replaced at a time, minimizing impact.

Option D is correct because setting a health check grace period prevents premature termination. Option A is wrong because terminating instances causes downtime. Option C is wrong because increasing the load balancer's health check interval to 300 seconds would cause longer delays in detecting healthy instances, potentially causing issues.

152
MCQ · easy

A SysOps administrator needs to automatically deploy a new version of an application to a fleet of Amazon EC2 instances every time changes are pushed to the main branch of a code repository hosted on AWS CodeCommit. Which combination of AWS services should be used?

A. AWS CodePipeline, AWS CodeBuild, and AWS CodeDeploy.
B. AWS CloudFormation and AWS CodeDeploy.
C. Amazon EventBridge and AWS Systems Manager.
D. AWS CloudTrail and AWS Lambda.
Answer: A

Correct. CodePipeline orchestrates the flow from CodeCommit (source), to CodeBuild (build), to CodeDeploy (deploy), fully automating deployment on each push.

Why this answer

AWS CodePipeline orchestrates the continuous delivery workflow by detecting changes in the CodeCommit repository, then automatically triggering AWS CodeBuild to compile and package the application, and finally deploying the new version to EC2 instances using AWS CodeDeploy. This combination provides a fully managed, end-to-end CI/CD pipeline that meets the requirement of deploying on every push to the main branch.

Exam trap

The trap here is that candidates often confuse AWS CloudFormation (infrastructure provisioning) with CI/CD pipeline services, or assume EventBridge and Lambda can replace the full pipeline, but they lack built-in artifact management, deployment strategies, and rollback capabilities that CodePipeline, CodeBuild, and CodeDeploy provide together.

How to eliminate wrong answers

Option B is wrong because AWS CloudFormation is an infrastructure-as-code service for provisioning resources, not a CI/CD pipeline orchestrator; it cannot automatically detect CodeCommit pushes or trigger deployments without an external event source. Option C is wrong because Amazon EventBridge can capture CodeCommit events but AWS Systems Manager is primarily for operational management and patching, not for orchestrating a multi-stage build-and-deploy pipeline with artifact management. Option D is wrong because AWS CloudTrail records API activity for auditing, not for triggering deployments, and AWS Lambda alone cannot manage the full build, test, and deployment lifecycle required for application updates.

153
MCQ · medium

A company uses AWS CloudFormation to deploy EC2 instances across multiple environments. The operations team notices that stack updates fail when parameter values change. What is the MOST likely cause?

A. The parameter uses the AWS::NoValue condition.
B. The parameter has the NoEcho property set to true, and the previous value is not provided.
C. A change set is required but not generated.
D. A stack policy prevents parameter updates.
Answer: B

When NoEcho is true, the parameter value must be re-specified during updates.

Why this answer

Option B is correct because in CloudFormation, parameters with NoEcho set to true cannot be updated without specifying the previous value; the default behavior is to require the parameter to be provided again. Option D is wrong because stack policies protect resources from updates, not parameter changes. Option C is wrong because change sets allow updates, not prevent them.

Option A is wrong because the condition function affects resource creation, not parameter updates.

154
MCQ · hard

A company runs a critical application on a fleet of EC2 instances managed by an Auto Scaling group. The application is deployed using a custom AMI that is updated monthly. The SysOps administrator uses a launch template that references the latest AMI ID via an AWS Systems Manager parameter. During a recent deployment, the administrator updated the AMI ID in the parameter, but the new instances launched by the Auto Scaling group still use the old AMI. The administrator confirms that the launch template is configured to reference the parameter. The Auto Scaling group has a desired capacity of 5, and the administrator manually terminates one instance to trigger a replacement. The new instance also uses the old AMI. What is the MOST likely cause?

A. The Amazon CloudWatch alarm that triggers scaling is not configured correctly.
B. The IAM role associated with the Auto Scaling group does not have permission to read the Systems Manager parameter.
C. The Auto Scaling group is using a cached version of the launch template and needs to be updated or have its instances replaced.
D. The instance metadata service (IMDS) is disabled on the launch template.
Answer: C

Why C is correct

Why this answer

Option C is correct because the Auto Scaling group caches the resolved AMI ID from the launch template at the time of creation or when the launch template is updated. If the launch template is not updated or the group is not refreshed, the group continues to use the cached value. Option B is incorrect because the Systems Manager parameter does not need special permissions for the launch template to reference it; the launch template resolution happens at the account level.

Option D is incorrect because instance metadata does not affect which AMI is used for launch. Option A is incorrect because Amazon CloudWatch does not control AMI resolution.

155
Matching · medium

Match each AWS networking concept to its description.

Concepts
Matches

Isolated virtual network

IP address range within a VPC

Set of rules for traffic routing

Stateful instance-level firewall

Stateless subnet-level firewall

Why these pairings

These are fundamental VPC components.

156
MCQ · medium

A company is using AWS Elastic Beanstalk to deploy a web application. The application experiences high traffic during peak hours. The SysOps administrator wants to automatically scale the environment based on CPU utilization. Which configuration change is required?

A. Manually add EC2 instances to the Auto Scaling group.
B. Configure a scaling trigger based on a CloudWatch alarm for CPU utilization.
C. Modify the instance type to a larger size.
D. Increase the number of load balancers.
Answer: B

Auto Scaling uses CloudWatch alarms to trigger scaling actions.

Why this answer

The correct answer is B because Elastic Beanstalk uses Auto Scaling triggers based on CloudWatch alarms. Option D is incorrect because the load balancer handles traffic distribution, not scaling. Option A is incorrect because Elastic Beanstalk manages the Auto Scaling group automatically.

Option C is incorrect because modifying the instance type manually does not enable auto scaling.

157
MCQ · medium

A company uses AWS Elastic Beanstalk for a Java application. The environment uses a custom platform. The SysOps administrator wants to update the environment's configuration to use a larger instance type to handle increased load. What is the correct way to perform this change with minimal downtime?

A. Use the Elastic Beanstalk console to update the instance type and choose a rolling update strategy.
B. SSH into each instance and modify the instance type manually.
C. Terminate all instances and launch new ones with the larger instance type.
D. Create a new environment with the larger instance type and swap the environment URLs.
Answer: A

Correct: Rolling updates update instances without downtime.

Why this answer

The correct answer is A because Elastic Beanstalk supports rolling updates or immutable updates that update instances gradually, minimizing downtime. Option C is wrong because terminating all instances causes downtime. Option B is wrong because manually updating each instance is not recommended and may not persist.

Option D is wrong because creating a new environment and swapping URLs can work but is more complex than necessary.

158
MCQ · easy

A SysOps administrator is provisioning an Auto Scaling group (ASG) for a stateless web application. The ASG should launch EC2 instances in multiple Availability Zones. The administrator needs to ensure that instances are evenly distributed across Availability Zones. Which configuration should the administrator use?

A. Use an 'availability-zone' health check type in the Auto Scaling group.
B. Create subnets in multiple Availability Zones and specify them in the Auto Scaling group.
C. Create the Auto Scaling group with a single subnet in one Availability Zone.
D. Create subnets in multiple Availability Zones but assign them to the same placement group.
Answer: B

This enables multi-AZ distribution.

Why this answer

Option B is correct because setting the Auto Scaling group to use multiple subnets in different Availability Zones and the 'balanced best effort' distribution policy ensures even distribution. Option C is wrong because a single subnet limits to one AZ. Option D is wrong because same-AZ subnets don't provide multi-AZ.

Option A is wrong because 'availability-zone' health check is not a distribution policy.

159
MCQ · easy

A company runs 200 EC2 Linux instances across three accounts. The security team requires that critical OS patches are applied automatically every Sunday at 2 AM UTC. Currently patches are applied manually and inconsistently. What is the recommended AWS-native solution?

A. Configure a Patch Manager patch baseline and maintenance window scheduled for Sunday 02:00 UTC; associate the Run Patch Baseline task with all EC2 instance targets
B. Create a cron job on each instance that runs 'yum update -y' every Sunday at 2 AM
C. Use AWS Config managed rules to detect unpatched instances and send SNS notifications for manual remediation
D. Build a CodePipeline that runs weekly, creates new AMIs with the latest patches, and replaces all instances via an Auto Scaling instance refresh
Answer: A

The patch baseline filters patch approvals by severity (e.g., CRITICAL, IMPORTANT). The maintenance window triggers the AWS-RunPatchBaseline SSM document on schedule. All 200 instances receive the same baseline and schedule, replacing manual inconsistency with automated consistency. Patch compliance is recorded in the Patch Manager compliance dashboard.

Why this answer

Option A is correct because AWS Systems Manager Patch Manager, combined with a Maintenance Window, provides a fully AWS-native, automated solution for patching EC2 instances on a schedule. The Patch Manager service uses a patch baseline to define which patches are approved (e.g., critical OS patches), and the Maintenance Window triggers the 'AWS-RunPatchBaseline' SSM document at the specified time (Sunday 02:00 UTC) against all targeted instances. This eliminates manual effort and ensures consistent, auditable patching across multiple accounts and instances.

Exam trap

The trap here is that candidates may choose Option D (AMI refresh) because it seems more 'complete' for patching, but they overlook that Patch Manager with Maintenance Windows is the simplest, most direct AWS-native solution for scheduled patching, and the question explicitly asks for the 'recommended' solution, not the most elaborate one.

How to eliminate wrong answers

Option B is wrong because it requires manual creation and maintenance of cron jobs on each instance, which is not a centralized, AWS-native solution and does not scale across 200 instances and three accounts; it also lacks auditing and compliance tracking. Option C is wrong because AWS Config rules can only detect unpatched instances and send notifications, but they do not automatically apply patches, leaving remediation to manual action, which fails the requirement for automatic application. Option D is wrong because while CodePipeline and AMI refresh can achieve patching, it is an overly complex, non-native approach that requires building and maintaining a pipeline, creating new AMIs, and performing instance refreshes, which is not the recommended AWS-native solution for simple scheduled patching.

160
MCQ · hard

An organization is using AWS CodeDeploy with a blue/green deployment configuration for an EC2/On-Premises compute platform. During a deployment, the new instances pass all health checks, but the old instances are not terminated after the deployment completes. What is the most likely cause?

A. The Auto Scaling group has a cooldown period that prevents termination.
B. The new instances failed the initial health check.
C. The deployment configuration specifies 'Reroute traffic to new instances and keep old instances running' with no termination.
D. The deployment was rolled back automatically.
Answer: C

Blue/green deployments can be configured to not terminate old instances automatically.

Why this answer

The correct answer is C because in blue/green deployments, the user must specify how long to wait before terminating old instances. Option A is incorrect because CodeDeploy does not enforce a cooldown. Option B is incorrect because the new instances passed health checks.

Option D is incorrect because the deployment succeeded, so no rollback.

161
MCQ · hard

An organization uses AWS CloudFormation to manage infrastructure. They have a stack that includes an Amazon RDS DB instance. The administrator wants to update the DB instance's allocated storage without downtime. The DB instance is currently using gp2 storage. Which action should the administrator take?

A. Create a read replica with the new storage size and promote it.
B. Modify the storage size in the CloudFormation template and update the stack.
C. Stop the DB instance, modify the storage, and start it.
D. Take a manual snapshot and restore it with the new storage size.
Answer: B

RDS allows online storage modification for gp2; applying during maintenance window avoids downtime.

Why this answer

RDS allows modifying allocated storage for gp2 volumes. If the modification does not require a reboot (e.g., increasing storage), it can be applied immediately. However, some modifications might require a reboot.

To avoid downtime, the administrator should apply the change during the maintenance window. Option B is correct. Option D is wrong because snapshots are not required for storage changes.

Option A is wrong because read replicas are not needed for storage modification. Option C is wrong because stopping the DB instance causes downtime.

162
MCQ · medium

A SysOps administrator needs to deploy a new version of an application to an Auto Scaling group using a blue/green deployment strategy. The application runs on EC2 instances behind an Application Load Balancer. Which AWS service should be used to automate this deployment?

A. AWS Elastic Beanstalk
B. AWS CodeDeploy
C. AWS CodePipeline
D. AWS CloudFormation
Answer: B

CodeDeploy supports blue/green deployments with traffic routing options.

Why this answer

Option B is correct. AWS CodeDeploy supports blue/green deployments for EC2 instances behind a load balancer, allowing traffic to be shifted gradually. Option A (Elastic Beanstalk) is a PaaS service, not for existing Auto Scaling groups.

Option D (CloudFormation) can create infrastructure but not manage traffic shifting natively. Option C (CodePipeline) orchestrates steps but relies on CodeDeploy for the deployment.

163
MCQ · hard

A company uses AWS CodePipeline to deploy a serverless application. The pipeline has a source stage (Amazon S3), a build stage (AWS CodeBuild), and a deploy stage (AWS CloudFormation). The deploy stage uses a change set. Recently, the deploy stage fails with the error 'No updates are to be performed.' What is the MOST likely cause?

A. The source code in the S3 bucket has not changed since the last successful deployment.
B. The AWS CloudFormation stack was manually deleted outside of the pipeline.
C. The IAM role for the pipeline does not have sufficient permissions to update the stack.
D. The change set name specified in the pipeline configuration is incorrect.
Answer: A

If the source hasn't changed, CloudFormation finds no updates needed.

Why this answer

Option A is correct because if the source code hasn't changed, CloudFormation detects no changes and reports 'No updates are to be performed.' Option C is incorrect because IAM permissions would cause access denied errors. Option B is incorrect because stack deletion would cause a different error. Option D is incorrect because the change set name is not relevant to this error.

164
MCQ · easy

A SysOps administrator is deploying a new application using AWS CloudFormation. The template includes an EC2 instance with a UserData script that installs software from a private S3 bucket. What is the BEST way to ensure the EC2 instance can access the S3 bucket without storing long-term credentials on the instance?

A. Create an IAM user with S3 access and attach the access key to the instance profile.
B. Store the access key ID and secret access key in the UserData script.
C. Create an IAM role with S3 access and associate it with the instance profile.
D. Configure a security group rule that allows the instance to reach S3 via VPC endpoint.
Answer: C

This grants temporary credentials to the instance, a best practice.

Why this answer

Option C is correct because assigning an IAM role to the EC2 instance allows it to obtain temporary credentials via the instance metadata service, which is the recommended secure method. Option B is wrong because storing access keys in UserData is insecure. Option A is wrong because instance profiles require IAM roles, not direct IAM user credentials.

Option D is wrong because security groups control network access, not authentication to S3.

165
MCQ · easy

A company wants to deploy a new version of a web application to an Auto Scaling group of EC2 instances behind an Application Load Balancer. The deployment should be automated and must not cause downtime. Which AWS service should be used?

A. AWS CloudFormation
B. AWS OpsWorks
C. AWS Elastic Beanstalk
D. AWS CodeDeploy
Answer: D

CodeDeploy automates application deployments to EC2 instances, including Auto Scaling groups.

Why this answer

AWS CodeDeploy integrates with Auto Scaling groups and supports rolling updates to minimize downtime. CloudFormation can manage infrastructure but not application deployment directly. OpsWorks and Elastic Beanstalk are options but CodeDeploy is the dedicated service for application deployment.

166
MCQ · medium

An administrator uses AWS CodeDeploy to deploy an application to an Auto Scaling group. The deployment fails with an error: "The overall deployment failed because too many individual instances failed deployment, too few healthy instances are available for deployment, or some instances in your deployment group are experiencing problems." The deployment group has a minimum of 2 instances. What should the administrator check first?

A. The application revision's compatibility with the instance operating system.
B. The Auto Scaling group's health check settings.
C. The deployment group's deployment configuration settings.
D. The deployment logs on the individual EC2 instances.
Answer: D

The logs reveal why the deployment failed on each instance, such as script errors.

Why this answer

Option D is correct because the deployment logs on the instances will show specific failure reasons. Option C is wrong because the issue is not necessarily the deployment group configuration. Option B is wrong because the Auto Scaling group health checks are for instance health, not deployment success.

Option A is wrong because the application revision might be valid for other environments.

167
MCQ · easy

An organization wants to automate the creation of AWS resources using AWS CloudFormation. They need to ensure that certain resources, such as an Amazon S3 bucket, are not accidentally deleted when the stack is deleted. Which CloudFormation feature should they use?

A. DeletionPolicy attribute with value 'Retain'
B. DeletionPolicy attribute with value 'Protect'
C. DeletionPolicy attribute with value 'Delete'
D. Stack policy
Answer: A

Setting DeletionPolicy to Retain preserves the resource when the stack is deleted.

Why this answer

The DeletionPolicy attribute with value 'Retain' ensures that the resource is retained even if the stack is deleted. Option A is correct. Option D is wrong because the stack policy controls updates, not deletion.

Option B is wrong because 'Protect' is not a valid DeletionPolicy value. Option C is wrong because 'Delete' is the default behavior, which would delete the bucket.

168
MCQ · medium

A company uses AWS CloudFormation to manage infrastructure. The SysOps administrator needs to update a stack that contains a critical database. The update may require a replacement of the database resource. The administrator wants to review the changes before they are applied. What is the BEST way to achieve this?

A. Use the AWS CloudFormation update-stack command with the --no-fail-on-empty-changeset flag.
B. Apply a stack policy that prevents replacement of the database resource.
C. Use the AWS CloudFormation create-change-set command and then review the changes before executing.
D. Use the AWS CloudFormation detect-stack-drift command to check for differences.
Answer: C

Change sets allow you to review proposed changes.

Why this answer

Option C is correct because creating a change set allows you to review all changes, including replacements, before executing them. Option A is incorrect because the '--no-fail-on-empty-changeset' flag does not provide a review. Option B is incorrect because a stack policy can protect resources but does not allow reviewing changes.

Option D is incorrect because the drift detection feature detects drift, not planned changes.

169
MCQ · hard

A company has a multi-account AWS environment using AWS Organizations. The SysOps Administrator needs to deploy a standardized set of baseline resources (VPC, subnets, security groups, and an S3 bucket for logs) into each new member account as soon as the account is created. The administrator wants to automate this process using AWS CloudFormation and ensure that the baseline resources are deployed without manual intervention. The organization uses AWS CloudTrail and AWS Config for governance. What solution should the administrator implement?

A. Use AWS CloudFormation StackSets with automatic deployment to accounts in the organization.
B. Create an AWS Config rule that triggers an AWS Lambda function to deploy the baseline resources when a new account is created.
C. Store the CloudFormation template in Amazon S3 and use S3 event notifications to trigger a Lambda function that deploys the stack into the new account.
D. Use AWS Service Catalog to create a portfolio with the baseline products and grant access to the organization.
Answer: A

StackSets can automatically deploy to new accounts.

Why this answer

Option A is correct. AWS CloudFormation StackSets allow deploying stacks across multiple accounts and regions from a management account. Combined with AWS Organizations, StackSets can automatically deploy to new accounts when they join the organization.

Option B is wrong because AWS Config rules do not deploy resources. Option C is wrong because AWS CloudFormation templates deployed via S3 events require manual triggering. Option D is wrong because AWS Service Catalog allows provisioning but requires users to launch products manually.

170
MCQ · easy

A company uses AWS OpsWorks for configuration management. The SysOps administrator needs to deploy a new application version to a stack. What is the recommended way to update the application on the instances?

A. Create a new CloudFormation stack to replace the OpsWorks stack.
B. Update the custom cookbook and run the 'deploy' recipe on the stack.
C. Use the OpsWorks built-in 'deploy' command on each instance.
D. SSH into each instance and manually update the application files.
Answer: B

Correct: Custom cookbooks allow automated application deployment.

Why this answer

The correct answer is B because OpsWorks uses recipes and custom cookbooks to manage application deployment. By updating the custom cookbook and running the appropriate recipe, the administrator can deploy the new version. Option C is wrong because the built-in deploy command may not support custom application logic.

Option D is wrong because SSH access is not recommended for automation. Option A is wrong because CloudFormation is a separate service; OpsWorks has its own deployment mechanism.

171
MCQ · easy

A company uses AWS CloudFormation to manage infrastructure. The administrator wants to update a stack that contains an RDS DB instance. The update requires replacing the DB instance. What should the administrator do to minimize downtime?

A. Delete the stack and create a new one with the updated template
B. Disable deletion protection on the DB instance before the update
C. Modify the DB instance endpoint in the application configuration after update
D. Use a CloudFormation stack update with a Replacement update policy and a snapshot
Answer: D

CloudFormation can create a new instance with a snapshot and then delete the old one, minimizing downtime.

Why this answer

Option D is correct because using CloudFormation's update policy with a snapshot and replacement can minimize downtime. Option A is wrong because deletion will cause downtime. Option C is wrong because modifying the endpoint manually is not automated.

Option B is wrong because disabling deletion protection is not enough.

172
MCQ · medium

An organization uses AWS OpsWorks to manage a stack of application servers. The stack uses a custom cookbook that is stored in a private GitHub repository. When deploying new instances, the cookbook download fails. What should the administrator do to resolve this?

A. Upload the cookbook to Amazon S3 and reference the S3 URL
B. Make the GitHub repository public
C. Configure an SSH key in the OpsWorks stack to access the private repository
D. Store the GitHub credentials in the OpsWorks stack settings
Answer: C

OpsWorks supports SSH key-based authentication for private Git repositories.

Why this answer

Option C is correct because OpsWorks can use a deploy key or SSH key for private repository access. Option D is wrong because OpsWorks does not support HTTPS authentication easily. Option B is wrong because making the cookbook public is a security risk.

Option A is wrong because S3 is for static content, not dynamic cookbook versions.

173
MCQ · medium

A SysOps administrator is deploying a new version of an application using AWS CodeDeploy with an in-place deployment configuration. The deployment group consists of EC2 instances behind an Application Load Balancer. The administrator wants to ensure that traffic is gradually shifted to the new version. Which CodeDeploy feature should be used?

A. Use a canary deployment instead of in-place.
B. Define a BeforeInstall hook to deregister instances.
C. Use a linear deployment configuration.
D. Configure the load balancer deregistration delay and re-registration in the deployment group.
Answer: D

CodeDeploy can automatically deregister and re-register instances with the load balancer.

Why this answer

The load balancer deregistration delay and re-registration are configured in the deployment group settings. By enabling load balancing and setting the deregistration delay, CodeDeploy will deregister instances from the load balancer, deploy the new version, and re-register them after a health check. Option D is correct.

Option C is wrong because the deployment configuration sets the speed, not traffic shifting. Option B is wrong because the AppSpec file defines hooks, not traffic shifting. Option A is wrong because a canary deployment is a different deployment type, not a feature of in-place.

174
MCQ · easy

A company uses AWS Elastic Beanstalk to deploy a Python web application. The administrator needs to update the environment's configuration to use a larger instance type. What is the correct way to perform this update with minimal downtime?

A. Use the Elastic Beanstalk console to change the instance type and select a rolling update policy.
B. Create a new Elastic Beanstalk environment with the larger instance type and swap the environment URLs.
C. Use the Elastic Beanstalk console to change the instance type and apply the change immediately.
D. Terminate all instances and launch new ones with the larger instance type.
Answer: A

Rolling updates update instances in batches, minimizing downtime.

Why this answer

Elastic Beanstalk supports rolling updates to change instance types without downtime. Option A is correct. Option D is wrong because terminating instances causes downtime.

Option C is wrong because you cannot change the instance type in an existing environment's configuration without a rolling update. Option B is wrong because creating a new environment is more disruptive than a rolling update.

175
MCQ · easy

A SysOps administrator sees the deployment failure shown in the exhibit. The deployment group has a minimum of 1 healthy instance. The Auto Scaling group has 2 instances. What is the most likely cause of the failure?

A. The deployment configuration only deploys to one instance at a time, and that instance failed.
B. The Auto Scaling group's health check grace period is too long.
C. The deployment group does not have enough instances.
D. The deployment configuration is set to deploy to all instances at once.
Answer: A

OneAtATime deploys to one instance; if it fails, the deployment stops.

Why this answer

With CodeDeployDefault.OneAtATime, only one instance is deployed at a time. If that instance fails, the deployment fails because there are no other instances to deploy (the other instance is not deployed yet). Option A is correct.

Option D is wrong because the deployment configuration is correct. Option B is wrong because the health check grace period is not relevant. Option C is wrong because the deployment group has 2 instances, which is enough.

176
MCQ · hard

A company is deploying a critical application using AWS CloudFormation. The deployment must be resilient to failures and ensure that resources are created in a specific order. The template defines a stack that includes an Amazon RDS database and an Auto Scaling group. The Auto Scaling group depends on the database being available. Which CloudFormation feature should the SysOps administrator use to ensure the database is fully created and available before the Auto Scaling group is created?

A. Use the DependsOn attribute on the RDS instance to wait for the Auto Scaling group.
B. Use the DependsOn attribute on the Auto Scaling group to wait for the RDS instance, and also use a CreationPolicy on the RDS instance to signal when it is ready.
C. Use the DependsOn attribute on the Auto Scaling group to wait for the RDS instance, and also use cfn-signal on the Auto Scaling group to wait for the database.
D. Use the DeletionPolicy attribute on the Auto Scaling group to ensure it is not deleted.
Answer: B

DependsOn plus CreationPolicy ensures the Auto Scaling group is created only after the database signals complete readiness.

Why this answer

Use DependsOn to specify that the Auto Scaling group depends on the database resource, and also use CreationPolicy or WaitCondition to wait for the database to be fully ready. DependsOn alone only waits for CloudFormation to mark the resource as created, not for the database to be 'available'. Therefore, combining DependsOn with a CreationPolicy (e.g., AWS::CloudFormation::WaitCondition) ensures the Auto Scaling group is created only after the database signals readiness.

Option A is wrong because DependsOn alone is insufficient. Option B is wrong because cfn-signal is used with Auto Scaling group's CreationPolicy. Option D is wrong because DeletionPolicy affects deletion, not creation.

177
MCQ · easy

A SysOps administrator wants to deploy a serverless application using AWS Lambda functions, Amazon API Gateway, and Amazon DynamoDB. The deployment must be automated and repeatable. Which AWS service should the administrator use to define and manage this infrastructure as code?

A. AWS CodeDeploy
B. AWS OpsWorks
C. AWS Elastic Beanstalk
D. AWS CloudFormation with the AWS Serverless Application Model (SAM)
Answer: D

SAM is ideal for defining serverless resources as code.

Why this answer

AWS CloudFormation or the AWS Serverless Application Model (SAM) are the best choices for infrastructure as code. SAM is an extension of CloudFormation specifically for serverless applications. Option B is wrong because Elastic Beanstalk is for web applications on EC2, not serverless.

Option C is wrong because OpsWorks is for Chef/Puppet. Option D is wrong because CodeDeploy is for deploying code, not infrastructure.

178
MCQ · hard

A company uses AWS OpsWorks to manage a stack of EC2 instances running a web application. They recently migrated to AWS Elastic Beanstalk for easier deployments. However, after the migration, some users report that the application is responding slowly during peak hours. The Elastic Beanstalk environment is configured with a load balancer and auto scaling based on average CPU utilization. What should the SysOps Administrator do to troubleshoot the performance issue?

A. Manually scale the environment to add more instances.
B. Revert to the OpsWorks stack configuration.
C. Review the CloudWatch metrics and logs for the Elastic Beanstalk environment.
D. Increase the instance size in the environment configuration.
Answer: C

CloudWatch metrics and logs help diagnose performance issues.

Why this answer

Option C is correct because reviewing CloudWatch metrics and logs from the Elastic Beanstalk environment can identify if the auto scaling policy is not aggressive enough or if there are other bottlenecks. Option A is wrong because OpsWorks is no longer used. Option B is wrong because switching to manual scaling is not a best practice.

Option D is wrong because increasing instance size without analysis may be inefficient.

179
MCQ · medium

A company uses AWS CloudFormation to deploy infrastructure. The administrator needs to update a stack that includes an Amazon RDS DB instance. The update requires replacing the DB instance with a new one. What is the most efficient way to achieve this with minimal downtime?

A. Modify the stack template to change the DB instance identifier and update the stack.
B. Use a custom resource to create a new DB instance and delete the old one.
C. Delete the stack and create a new one with the updated DB instance.
D. Use CloudFormation's UpdateReplace policy by modifying a property that requires replacement, such as DBInstanceClass, and take a snapshot before update.
Answer: D

This triggers a replacement with minimal downtime if you use a snapshot and update DNS.

Why this answer

Option C is correct. Using CloudFormation's UpdateReplace policy with a snapshot creation and then updating the stack with a new DB instance, then updating DNS to point to the new instance, minimizes downtime. Option A would cause downtime during creation.

Option B (DeletionPolicy Retain) would not create a new instance. Option D (custom resource) is overly complex.

180
MCQ · easy

A company uses AWS CloudFormation to deploy a stack that includes an Amazon S3 bucket. The stack creation fails because the S3 bucket name already exists. What should the administrator do to resolve this issue?

A. Add a tag to the existing bucket to make it available for the stack.
B. Change the S3 bucket name in the CloudFormation template to a unique name.
C. Delete the existing S3 bucket and recreate the stack.
D. Update the bucket policy to allow the stack to use the bucket.
Answer: B

Using a unique bucket name avoids the conflict.

Why this answer

Option B is correct because S3 bucket names must be globally unique, so using a different name resolves the conflict. Option A is wrong because deleting the bucket is not viable if it's in use. Option C is wrong because policies do not affect bucket name uniqueness.

Option D is wrong because tags do not affect bucket names.

181
MCQ · hard

A company is using AWS CloudFormation to manage infrastructure. A recent stack update failed, and the SysOps administrator needs to roll back to the previous known good state. However, the stack is in UPDATE_ROLLBACK_FAILED state. What should the administrator do to recover the stack?

A. Use the ContinueUpdateRollback API or AWS Management Console to resume the rollback after addressing the failure cause
B. Delete the stack and recreate it from the previous template
C. Contact AWS Support to enable automatic rollback recovery
D. Execute another stack update with the same parameters to overwrite the failed state
Answer: A

This is the correct procedure to recover from an UPDATE_ROLLBACK_FAILED state.

Why this answer

Option B is correct because when a stack is in UPDATE_ROLLBACK_FAILED, you can continue the rollback by fixing the underlying issue (e.g., deleting a resource that cannot be rolled back) and then executing ContinueUpdateRollback. Option A is wrong because deleting the stack would remove all resources, causing data loss. Option C is wrong because updating the stack again may not resolve the rollback failure and could compound errors.

Option D is wrong because CloudFormation does not have an automatic rollback recovery feature; manual intervention is required.

182
Multi-Select · medium

A company is using AWS CodeDeploy to deploy an application to an Auto Scaling group. The deployment fails because the instances do not have the CodeDeploy agent installed. Which THREE actions are required to resolve this issue?

Select 3 answers
A. Install the CodeDeploy agent on the instances using user data in the launch configuration.
B. Create a new AMI that includes the CodeDeploy agent.
C. Use AWS Systems Manager Run Command to install the agent on existing instances.
D. Change the deployment configuration to 'OneAtATime'.
E. Update the Auto Scaling group's launch configuration to use a different instance type.
Answers: A, B, C

User data can install the agent at launch.

Why this answer

The CodeDeploy agent must be installed on each instance. This can be done by installing it via user data, using a pre-built AMI with the agent, or using AWS Systems Manager Run Command. Changing the deployment configuration does not install the agent.

Updating the Auto Scaling group launch configuration alone does not install the agent on existing instances.

183
Multi-Select · medium

Which THREE steps are required to deploy a serverless application using AWS CloudFormation? (Choose three.)

Select 3 answers
A. Use the AWS::Serverless::Transform to enable SAM
B. Specify the path to the source code in the template
C. Define the AWS::Serverless::Function resource in the template
D. Define a VPC and subnets for the Lambda function
E. Create an S3 bucket for the deployment artifact
Answers: A, B, C

The SAM transform is required to use serverless resources.

Why this answer

Options A, C, and E are correct. Option B is incorrect because it is not a step; it is a prerequisite. Option D is incorrect because a VPC is optional.

184
MCQ · hard

A company is using AWS CodePipeline with a multi-branch strategy. They have a pipeline that deploys to a development environment. They want to create a new pipeline for a production environment that only deploys when code is merged to the 'main' branch. What is the most efficient way to set up the production pipeline?

A. Clone the existing pipeline and modify the source stage to use the main branch.
B. Create a new pipeline using a CloudFormation template that defines the pipeline with the main branch as the source.
C. Use CodeCommit triggers to start the pipeline only on pushes to main.
D. Modify the existing pipeline to include both development and production stages, with the production stage only running on manual approval.
Answer: B

Infrastructure as code ensures consistency and automated deployment.

Why this answer

Option C is correct because using a CloudFormation template to create the pipeline allows for infrastructure as code and easy replication. Option A is wrong because cloning the pipeline manually is error-prone. Option B is wrong because this is not a feature of CodeCommit.

Option D is wrong because a single pipeline with multiple stages would deploy to both environments on every push to main, which may not be desired.

185
MCQ · medium

A SysOps administrator is updating an AWS CloudFormation stack that contains an Amazon RDS DB instance. The administrator wants to prevent accidental replacement of the database during the update. Which CloudFormation feature should be used?

A. Change sets
B. Stack policies
C. Resource signals
D. Nested stacks
Answer: B

Stack policies can explicitly deny updates or replacements for specific resources. By configuring a stack policy that denies updates to the RDS instance, the administrator ensures the database is not replaced during the update.

Why this answer

Stack policies are the correct feature because they allow you to define explicit deny statements that prevent CloudFormation from updating or replacing specific resources, such as an RDS DB instance, during a stack update. By setting a stack policy that denies replacement actions on the database resource, the administrator ensures that even if the template changes would normally trigger a replacement, the update will fail rather than accidentally recreate the database.

Exam trap

The trap here is that candidates often confuse change sets (which only preview changes) with stack policies (which enforce guardrails), leading them to incorrectly select change sets as the mechanism to prevent accidental replacement.

How to eliminate wrong answers

Option A is wrong because change sets allow you to preview the changes that will be made to a stack before executing them, but they do not prevent the changes from being applied; they only provide visibility. Option C is wrong because resource signals are used to coordinate the creation or update of resources by sending success/failure signals (e.g., via cfn-signal), but they have no mechanism to block replacement of a specific resource. Option D is wrong because nested stacks help organize and reuse templates by embedding one stack within another, but they do not provide any resource-level protection against accidental replacement during updates.

186
MCQ · hard

Refer to the exhibit. A SysOps administrator creates this CloudFormation template. The stack creation fails with the error: 'The security group 'default' does not exist'. What is the most likely cause?

A. The VPC does not have a default security group.
B. The instance is launched in EC2-Classic, which does not support security groups.
C. The instance is launched in a VPC, but the security group is specified by name instead of group ID.
D. The 'default' security group is not present in the account.
Answer: C

In a VPC, security groups are referenced by ID, not name.

Why this answer

The correct answer is B because the default security group exists in a VPC, but the EC2 instance is launched in EC2-Classic (default) which uses the 'default' security group name. However, if the instance is launched in a VPC, the security group must be specified by GroupId, not by name. The template uses a name, which is only valid for EC2-Classic.

Since most AWS accounts now use VPC, the security group name 'default' is not recognized. Option A is incorrect because the VPC does have a default security group, but it's identified by ID. Option C is incorrect because the default group exists.

Option D is incorrect because the instance is launched in the default VPC, but the security group reference is incorrect.

187
Multi-Select · hard

A company uses AWS CodePipeline with AWS CodeBuild and AWS CodeDeploy. The pipeline is failing because the build stage produces artifacts that are too large for CodeDeploy. Which TWO actions can resolve this issue? (Select TWO.)

Select 2 answers
A. Increase the timeout for the CodeBuild stage.
B. Use Amazon S3 as the source for CodeDeploy instead of the pipeline artifact.
C. Store the artifacts in an AWS CodeCommit repository.
D. Compress the application files before creating the artifact.
E. Increase the maximum artifact size limit in CodeDeploy.
Answers: B, D

S3 can store large files and CodeDeploy can pull from S3.

Why this answer

Options B and D are correct. Option B: Using Amazon S3 as the source for CodeDeploy allows large files to be stored in S3 instead of the artifact. Option D: Compressing the artifact reduces its size.

Option A: Increasing the timeout does not help with size. Option C: CodeDeploy has a fixed artifact size limit. Option E: Storing artifacts in CodeCommit does not reduce size.

188
MCQ · medium

A SysOps Administrator is using AWS CloudFormation to deploy a stack that includes an Amazon EC2 instance with an AWS Systems Manager Association that installs software. The stack creation fails because the association fails to apply, and the stack rolls back. The administrator needs to ensure that the stack creation succeeds even if the association fails, and then fix the association later. What should the administrator do?

A. Add a 'DependsOn' attribute to the association to ensure it runs after the instance is fully ready.
B. Modify the CloudFormation template to set the AWS::SSM::Association resource's 'ComplianceSeverity' or 'WaitForSuccessTimeout' to a value that allows the stack to continue.
C. Remove the association from the CloudFormation template and apply it manually after stack creation.
D. Set the deletion policy of the association to 'Retain' in the template.
Answer: B

These settings can prevent the association failure from failing the stack.

Why this answer

Option A is correct. Setting the association's failure target to a value that allows the stack to proceed (e.g., 'All') or using 'no error' will prevent the stack from failing. Option B is wrong because the deletion policy does not affect creation.

Option C is wrong because removing the association does not meet the requirement to fix it later. Option D is wrong because adding a DependsOn attribute does not change the failure behavior.

189
MCQ · hard

A SysOps administrator is automating the creation of Amazon RDS instances using AWS CloudFormation. The template includes a DBInstance resource with a DBSubnetGroupName property referencing a subnet group created in the same template. The stack creation fails with the error 'DBSubnetGroup not found'. What is the MOST likely reason?

A. The VPC ID is incorrect or does not exist.
B. The DBSubnetGroup is not associated with a public subnet.
C. A DependsOn clause is missing between the DBInstance and the DBSubnetGroup.
D. The DBSubnetGroup is defined in a different CloudFormation stack.
Answer: C

Without DependsOn, CloudFormation may create resources in parallel, causing a dependency error.

Why this answer

Option C is correct because CloudFormation creates resources in parallel by default, and the DBSubnetGroup may not be created before the DBInstance if there is no DependsOn clause. Option A is wrong because subnet groups can be created in the same template. Option B is wrong because the VPC exists.

Option D is wrong because the database subnet group is not required to be public.

190
MCQ · medium

A company uses AWS OpsWorks for configuration management. The SysOps administrator needs to deploy a new application version to existing EC2 instances managed by OpsWorks. Which OpsWorks lifecycle event should the administrator trigger to install the new application?

A. Configure
B. Deploy
C. Shutdown
D. Setup
Answer: B

Deploy is the event for deploying applications.

Why this answer

The 'Deploy' lifecycle event is specifically designed for deploying applications. Option A is wrong because 'Setup' runs only once when the instance boots. Option B is wrong because 'Configure' runs when instances join or leave the stack.

Option D is wrong because 'Shutdown' runs when an instance is terminated.

191
MCQ · medium

A company uses AWS CodeDeploy to deploy a web application to a fleet of Amazon EC2 instances. The SysOps administrator needs to implement a deployment strategy that ensures zero downtime by creating a new set of instances alongside the current ones, then gradually shifting traffic to the new instances after they pass health checks. If a problem is detected, traffic can be instantly redirected back to the original instances. Which deployment configuration should the administrator use?

A. Rolling update
B. Blue/green deployment
C. All at once deployment
D. Canary deployment
Answer: B

Blue/green deployments involve provisioning a new set of instances, testing them, and then switching traffic at the load balancer or DNS level. This provides zero downtime and instant rollback if the new environment fails.

Why this answer

Blue/green deployment is the correct choice because it creates a completely new set of instances (green environment) alongside the existing ones (blue environment), shifts traffic gradually to the new instances after health checks pass, and allows instant rollback by redirecting traffic back to the original instances. AWS CodeDeploy supports this strategy natively with a blue/green deployment configuration, ensuring zero downtime during the transition.

Exam trap

The trap here is that candidates often confuse canary deployments with blue/green deployments, but canary deployments do not create a full parallel environment and lack the instant, full-traffic rollback capability that blue/green provides.

How to eliminate wrong answers

Option A is wrong because a rolling update replaces instances incrementally, which can cause temporary capacity reduction and does not guarantee zero downtime or instant rollback to the original fleet. Option C is wrong because an all-at-once deployment updates all instances simultaneously, causing downtime during the deployment and no ability to instantly redirect traffic back. Option D is wrong because a canary deployment shifts a small percentage of traffic to new instances gradually, but it does not create a full parallel environment for instant rollback; it typically requires manual or automated traffic shifting and may not provide the same instant rollback capability as blue/green.

192
Multi-Select · easy

Which TWO options are best practices for automating deployments using AWS CodeDeploy? (Choose two.)

Select 2 answers
A. Use a single deployment group for all environments
B. Use a blue/green deployment strategy
C. Deploy to all instances simultaneously
D. Configure automatic rollback in case of deployment failure
E. Require manual approval for every deployment
Answers: B, D

Blue/green reduces downtime and risk.

Why this answer

Options B and C are correct. Option A is incorrect because automated rollback is better. Option D is incorrect because large batch size increases risk.

Option E is incorrect because manual approval is not a best practice for automation.

193
Multi-Select · hard

A company uses AWS CloudFormation to manage infrastructure. The SysOps administrator wants to update a stack that contains an Amazon RDS DB instance. The update involves changing the DB instance class. Which THREE steps should the administrator take to perform this update with minimal downtime? (Choose three.)

Select 3 answers
A. Modify the RDS instance class directly in the RDS console and then update the CloudFormation template.
B. Update the CloudFormation stack with a new parameter value for the DB instance class.
C. Delete the existing stack and create a new one with the updated instance class.
D. Take a manual snapshot of the RDS instance before making changes.
E. Enable Multi-AZ on the RDS instance to allow a rolling upgrade.
Answers: B, D, E

Correct: Updating the stack applies the change in a controlled manner.

Why this answer

The correct answers are B, C, and E. Using a snapshot ensures data is backed up (B). Modifying the DB instance class with Multi-AZ enabled allows a rolling update (C).

Updating the CloudFormation stack with the new instance class triggers the change (E). Option A is wrong because deleting the stack is not necessary. Option D is wrong because modifying the DB instance directly outside CloudFormation may cause drift.

194
MCQ · easy

A company is using AWS OpsWorks for configuration management. They have a stack with multiple layers, and they want to automate the deployment of a custom configuration file to all instances in a specific layer. What is the MOST efficient way to achieve this?

A. Define the file in an AWS CloudFormation template using the AWS::OpsWorks::App resource.
B. Create a custom cookbook and assign it to the layer.
C. Use AWS Systems Manager Run Command to execute a script on each instance.
D. Add the configuration file as user data in the layer's Auto Scaling group.
Answer: B

Custom cookbooks can deploy files via recipes.

Why this answer

Option B is correct because OpsWorks custom cookbooks allow you to run recipes that can deploy files to instances in a layer. Option A is incorrect because user data scripts run at boot time, not on demand. Option C is incorrect because AWS Systems Manager Run Command can execute commands but is not specific to OpsWorks layers.

Option D is incorrect because the AWS::OpsWorks::App resource is for deploying applications, not configuration files.

195
Multi-Select · hard

A SysOps administrator is troubleshooting a slow deployment with AWS CloudFormation. The stack update is taking a long time because it is waiting for a resource to be created. Which TWO CloudFormation features can help speed up the deployment?

Select 2 answers
A. Remove DependsOn clauses to allow parallel resource creation.
B. Set the '--disable-rollback' flag.
C. Use nested stacks to create resources in parallel.
D. Increase the timeout on the WaitCondition.
E. Use a CreationPolicy with a shorter timeout.
Answers: C, E

Nested stacks can create independent resources concurrently.

Why this answer

CreationPolicy with a short timeout can reduce waiting time for signals. WaitCondition can be used with a timeout. '--disable-rollback' does not speed up deployment. Nested stacks can parallelize resource creation.

DependsOn is required for dependencies but does not speed up the deployment; it can actually increase deployment time if it is not needed.

196
MCQ · medium

A company uses AWS Elastic Beanstalk to deploy a web application. The application uses an Amazon RDS database. The company wants to ensure that database credentials are not hard-coded in the application code. Which approach should be used?

A. Pass the credentials via EC2 user data when the instance launches.
B. Store the credentials in a configuration file in the application source code.
C. Use Elastic Beanstalk environment properties to pass the credentials, referencing them from AWS Secrets Manager.
D. Store the credentials in an S3 bucket and retrieve them at runtime.
Answer: C

Secrets Manager securely stores and rotates credentials; environment properties can reference them.

Why this answer

Option D is correct because Elastic Beanstalk can pass environment properties to the application, and these can be stored securely using AWS Systems Manager Parameter Store or Secrets Manager. Option A is wrong because storing in the source code is not secure. Option B is wrong because storing in S3 requires access management and is not best practice.

Option C is wrong because EC2 user data is not encrypted and is visible in the console.

197
MCQ · easy

A SysOps administrator is deploying a new version of an application using AWS CodeDeploy. The deployment to an Auto Scaling group fails, and the instances are rolled back. What is the most likely reason for the failure?

A. The instances are in a private subnet without a NAT gateway.
B. The instances do not have internet access.
C. The IAM instance profile does not have permission to download the revision from S3.
D. The application's health check is failing on the target group.
Answer: C

The CodeDeploy agent on the instance needs s3:GetObject permission for the revision bucket.

Why this answer

The correct answer is B because CodeDeploy requires the IAM instance profile to have permissions to read from the S3 bucket where the revision is stored. Option A is incorrect because the CodeDeploy agent does not need internet access if using VPC endpoints. Option C is incorrect because the application's load balancer health check is separate.

Option D is incorrect because CodeDeploy does not require the instance to be in a public subnet.

198
MCQ · medium

A company is using AWS CodeDeploy to automate deployments to an Auto Scaling group of Amazon EC2 instances. The deployment fails with the error 'The overall deployment failed because too many individual instances failed deployment, too few healthy instances are available, or some instances in your deployment group are experiencing problems.' The instances are running Amazon Linux 2 and the CodeDeploy agent is installed. Which of the following is the MOST likely cause of this failure?

A. The CodeDeploy agent requires ruby and wget, which are not installed by default on Amazon Linux 2.
B. The S3 bucket containing the deployment artifacts has a bucket policy that denies access to the instances.
C. The deployment configuration is set to 'OneAtATime', causing insufficient healthy instances during the first deployment.
D. The Auto Scaling group has a minimum of 0 instances, so the deployment cannot start.
Answer: A

Why this answer

Option A is correct because the CodeDeploy agent needs the ruby and wget packages to function correctly on Amazon Linux 2. Without them, the agent may fail to download or execute the deployment scripts, causing instance failures. Option B is incorrect because S3 bucket policies do not affect CodeDeploy agent functionality directly; the agent uses HTTPS to download revision files.

Option C is incorrect because the deployment configuration controls how many instances can fail, but does not cause individual instance failures. Option D is incorrect because the deployment group can be configured with any number of instances; the error is not due to group size but individual instance failures.

199
MCQ · easy

A SysOps administrator needs to deploy a microservices application using AWS Elastic Beanstalk. The application consists of multiple services that need to communicate with each other. Which Elastic Beanstalk environment type should the administrator choose?

A. Worker environment
B. Web server environment
C. Load-balanced environment
D. Single-instance environment
Answer: C

Load-balanced environment provides an ELB for distributing traffic and allows services to communicate.

Why this answer

A load-balanced environment provides an ELB for distributing traffic and is suitable for microservices that need to communicate via HTTP/HTTPS. Option C is correct. Option A is wrong because a single-instance environment does not provide load balancing.

Option B is wrong because a web server environment is for web applications, but the question is about environment type (single vs load-balanced). Option D is wrong because worker environments are for background tasks.

200
Multi-Select · hard

A company uses AWS Elastic Beanstalk to deploy a web application. The application requires a custom Amazon Linux 2 AMI with specific security agents installed. The company wants to ensure that all environment instances use this custom AMI. Which combination of steps should be taken? (Choose two.)

Select 2 answers
A. Set the AMI ID in a CloudFormation template and associate it with the environment.
B. Use AWS CodeDeploy to deploy the application to the custom AMI.
C. Create a custom AMI using the Elastic Beanstalk platform as the base.
D. Configure the .ebextensions folder to set the AMI ID for the Auto Scaling launch configuration.
E. Use Packer to create the custom AMI from any base image.
Answers: C, D

This ensures compatibility with the platform.

Why this answer

Options A and D are correct. A custom AMI must be created and used in a launch template or configuration. The .ebextensions folder can configure the platform to use the custom AMI via the aws:autoscaling:launchconfiguration namespace.

Option B is wrong because Packer can be used to create the AMI, but it is not a required step. Option C is wrong because the AMI must be built from the base Elastic Beanstalk platform to ensure compatibility. Option E is wrong because the AMI ID is set in the environment configuration, not in a CloudFormation template.

201
MCQ · easy

A company needs to deploy a new version of an application to an Auto Scaling group. The deployment must ensure that the new version is deployed to all instances, and if any instance fails, the deployment should roll back. Which deployment strategy should be used?

A. Blue/green deployment
B. Rolling deployment with rollback
C. All-at-once deployment
D. Canary deployment
Answer: B

Rolling deployment updates instances in batches; rollback reverts changes if failures occur.

Why this answer

Option D is correct because CodeDeploy's rolling deployment with rollback allows gradual replacement and automatic rollback on failure. Option A is wrong because all-at-once would replace all instances at once, risking full outage. Option B is wrong because canary is for Lambda.

Option C is wrong because blue/green is for full environment swap.

202
MCQ · easy

A company uses AWS Elastic Beanstalk for application deployments. The administrator needs to update the environment's configuration to use a larger instance type. Which method should be used to minimize downtime?

A. Terminate all instances and let the Auto Scaling group launch new ones.
B. Perform an immutable update.
C. Clone the environment with the new configuration and swap URLs.
D. Perform a rolling update based on health.
Answer: D

Rolling updates replace instances in batches, minimizing downtime.

Why this answer

Option B is correct because a rolling update replaces instances in batches, minimizing downtime. Option A is wrong because an immutable update launches new instances in a separate Auto Scaling group and swaps them, which can be faster but may cause brief downtime. Option C is wrong because terminating all instances causes downtime.

Option D is wrong because environment cloning creates a separate environment, not an update.

203
MCQ · medium

A SysOps Administrator attached the IAM policy shown in the exhibit to a user. The user is unable to terminate an EC2 instance. What is the MOST likely reason?

A. The policy does not include ec2:TerminateInstances in the Allow statement.
B. The policy does not specify the correct resource ARN.
C. The policy does not allow ec2:* actions.
D. An explicit Deny statement overrides the Allow statement.
Answer: D

Explicit Deny always overrides Allow.

Why this answer

Option C is correct. The Deny statement explicitly denies the ec2:TerminateInstances action, and an explicit Deny overrides any Allow. Option A is wrong because the policy allows ec2:* but the Deny takes precedence.

Option B is wrong because ec2:* includes all ec2 actions. Option D is wrong because the policy allows all ec2 actions; the Deny is the cause.

204
Multi-Select · easy

A SysOps administrator is tasked with automating the provisioning of EC2 instances that must be able to access an Amazon S3 bucket. The administrator needs to ensure that the instances have the necessary permissions without using long-term access keys. Which TWO actions should the administrator take? (Choose TWO.)

Select 2 answers
A. Store AWS access keys in a configuration file on the instances.
B. Attach the IAM role to the EC2 instances using an instance profile.
C. Create an S3 bucket policy that allows access from the instances' private IP addresses.
D. Create an IAM role that grants the necessary S3 permissions.
E. Store the access keys in AWS Systems Manager Parameter Store.
Answers: B, D

Why this answer

Options A and E are correct. The best practice is to create an IAM role with S3 access (A) and assign it to the EC2 instances via an instance profile (E). Option B is incorrect because storing access keys in a file is insecure.

Option C is incorrect because S3 bucket policies control access at the bucket level, not directly for EC2 instances. Option D is incorrect because storing keys in Systems Manager Parameter Store is better than hardcoding, but an IAM role is still the preferred approach.

205
MCQ · medium

A company uses AWS CloudFormation to deploy a multi-tier application. The template uses nested stacks. One of the nested stacks creates an Auto Scaling group. The administrator wants to update the Auto Scaling group's launch configuration to use a new AMI ID. The AMI ID is stored in AWS Systems Manager Parameter Store. The administrator wants to ensure that the stack update automatically uses the latest AMI ID value from Parameter Store. What should the administrator do?

A. Use a CloudFormation dynamic reference to the parameter store in the template.
B. Use a CloudFormation mapping to map the AMI ID.
C. Use a custom resource to call Systems Manager to retrieve the AMI ID.
D. Use a CloudFormation parameter with a default value that matches the AMI ID.
Answer: A

Correct. The {{resolve:ssm:...}} syntax fetches the latest parameter value during stack operations, automatically including the updated AMI ID.

Why this answer

Option A is correct because CloudFormation dynamic references for Systems Manager Parameter Store (using the `{{resolve:ssm:/parameter-name}}` syntax) automatically resolve the latest parameter value at stack creation or update time. This ensures that the launch configuration always uses the current AMI ID from Parameter Store without manual intervention or hardcoding.

Exam trap

The trap here is that candidates may think a CloudFormation parameter with a default value or a mapping can achieve dynamic updates, but both are static unless manually changed, whereas dynamic references automatically pull the latest value from Parameter Store during stack operations.

How to eliminate wrong answers

Option B is wrong because CloudFormation mappings are static key-value pairs defined in the template; they do not dynamically fetch values from external services like Parameter Store at update time. Option C is wrong because a custom resource would require additional Lambda function code and complexity, and it is unnecessary when CloudFormation natively supports dynamic references to Parameter Store. Option D is wrong because a CloudFormation parameter with a default value is static; it does not automatically update when the underlying AMI ID in Parameter Store changes, and the user would need to manually provide a new value during each stack update.

206
MCQ · medium

A SysOps administrator uses AWS Systems Manager Run Command to install software on a fleet of EC2 instances. The command fails on some instances with the error 'Instance ID not found'. What is the MOST likely cause?

A. The user data script has overridden the SSM Agent.
B. The instances are not tagged with the correct key-value pair.
C. The SSM Agent is not installed or configured on the instances, or the instances lack the required IAM role.
D. The instances are in a stopped state.
Answer: C

Without SSM Agent and proper IAM role, the instance is not registered with Systems Manager.

Why this answer

Option D is correct because Run Command requires the SSM Agent to be installed and running, and the instance must have an IAM role that allows communication with Systems Manager. Option A is wrong because the command can target instances by tags. Option B is wrong because the SSM Agent is separate from the user data script.

Option C is wrong because the instances are likely running.

207
MCQ · easy

A company uses AWS CloudFormation to deploy a three-tier web application. The SysOps administrator wants to update a critical parameter, such as the instance type, and ensure that the change is applied without recreating the EC2 instance, if possible. Which CloudFormation stack update feature should be used to achieve this?

A. Change sets
B. Stack policy
C. Update with drift detection
D. Directly edit the stack template and use the update stack action
Answer: A

Change sets allow you to preview how changes will affect your resources, including whether an update will cause replacement or in-place modification, giving you control to avoid unnecessary recreation.

Why this answer

Change sets allow you to preview the changes that will be made to your stack resources before executing them. For an update that modifies an instance type, CloudFormation will attempt to perform an update without replacement if the resource supports it (e.g., AWS::EC2::Instance supports in-place updates for the InstanceType property). By using a change set, you can confirm that the update will not recreate the EC2 instance before applying it.

Exam trap

The trap here is that candidates confuse change sets with simply updating the stack directly, not realizing that change sets provide a critical preview to avoid unintended resource replacement, especially for properties that may or may not require replacement depending on the resource type.

How to eliminate wrong answers

Option B is wrong because a stack policy is used to prevent specific stack resources from being updated or deleted during a stack update, not to control how updates are applied or to preview changes. Option C is wrong because drift detection identifies differences between the stack's actual resource configuration and the expected template configuration, but it does not perform or preview updates. Option D is wrong because directly editing the template and using the update stack action applies changes immediately without a preview, which could inadvertently cause resource replacement if the property change requires it; change sets provide the necessary preview to avoid this.

208
MCQ · hard

A SysOps administrator is troubleshooting a failed Auto Scaling group launch. The group uses a launch template that specifies an Amazon Linux 2 AMI. The instances fail to pass the EC2 health check and are terminated. The administrator checks the system log and finds that the instance boots but the cloud-init script fails due to a missing package repository. What is the most likely cause?

A. The launch template is using an incorrect version.
B. The IAM instance profile does not have sufficient permissions.
C. The Auto Scaling group is in a private subnet without a NAT gateway.
D. The AMI used by the launch template is outdated and the repositories are no longer valid.
Answer: D

Outdated AMIs have deprecated repo URLs, causing cloud-init to fail.

Why this answer

If the AMI is outdated, the package repository URLs may be deprecated, causing cloud-init failures. The launch template version is not directly related to repository access. User data script problems could cause failures but the log points to a missing repository, which is often due to an outdated AMI.

IAM role issues would affect API calls, not package repos.

209
MCQ · medium

A SysOps administrator manages a CloudFormation stack that deploys a web application. The stack includes an Amazon EC2 instance and an Amazon RDS DB instance. The administrator needs to update the stack to change the EC2 instance type. The administrator wants to ensure that the update does not accidentally replace the RDS database. Which CloudFormation feature should the administrator use to protect the RDS resource from being replaced during the stack update?

A. Use a DeletionPolicy of Retain on the RDS resource.
B. Use a stack policy that denies updates to the RDS resource.
C. Use the Resource Signal and CreationPolicy attributes.
D. Use a Change Set to review changes before executing.
Answer: B

A stack policy can explicitly deny update, replace, or delete actions on specific resources. By applying a policy that denies update to the RDS resource, the CloudFormation update will fail if it attempts to modify the RDS instance, thus protecting it from accidental replacement.

Why this answer

A stack policy is an AWS CloudFormation feature that explicitly denies update or replacement actions on specified resources. By applying a stack policy that denies updates to the RDS resource, the administrator prevents any stack update operation (including changing the EC2 instance type) from modifying or replacing the database, even if the template changes would otherwise affect it. This is the correct approach because it provides a guardrail specifically against accidental replacement during updates.

Exam trap

The trap here is that candidates often confuse DeletionPolicy (which only applies on stack deletion) with stack policies (which control updates), leading them to incorrectly choose Option A as a safety measure during updates.

How to eliminate wrong answers

Option A is wrong because a DeletionPolicy of Retain only protects the resource when the stack is deleted, not during a stack update; it does not prevent replacement or modification during an update. Option C is wrong because Resource Signal and CreationPolicy are used to control stack creation behavior (e.g., waiting for signals before marking a resource as created), not to protect resources from being replaced during updates. Option D is wrong because a Change Set only allows you to review proposed changes before executing them; it does not prevent the update from being executed or protect the RDS resource from replacement if the update is applied.

210
Drag & Drop · medium

Drag and drop the steps to troubleshoot high CPU usage on an Amazon EC2 instance into the correct order.

Why this order

Start by checking metrics, then connect, find the process, analyze, and act.

211
Multi-Select · medium

A company is using AWS CloudFormation to deploy a stack that includes an Amazon EC2 instance and an Amazon RDS DB instance. The SysOps administrator wants to ensure that the RDS instance is created before the EC2 instance and that the EC2 instance receives the database endpoint as a user data parameter. Which THREE steps should be taken? (Select THREE.)

Select 3 answers
A. Use the AWS::CloudFormation::Init metadata to set the creation order.
B. Add a DependsOn attribute to the EC2 instance resource referencing the RDS instance.
C. Use the cfn-init helper script to process the UserData and configure the application.
D. Add a DependsOn attribute to the RDS instance resource referencing the EC2 instance.
E. Use the Fn::GetAtt intrinsic function to retrieve the RDS endpoint and pass it to the EC2 instance's UserData property.
Answers: B, C, E

Ensures RDS is created before EC2.

Why this answer

Options A, C, and D are correct. Option A: Using DependsOn ensures the RDS instance is created first. Option C: Using Fn::GetAtt retrieves the endpoint.

Option D: Using CloudFormation helper scripts (cfn-init) can process the metadata and write user data. Option B: Not necessary because DependsOn is used. Option E: Not necessary because DependsOn ensures order.

212
MCQ · medium

A SysOps administrator deploys a web application using AWS Elastic Beanstalk. The administrator wants to deploy a new application version with zero downtime and minimize the risk of failure by launching a completely new set of instances before swapping traffic. Which deployment policy should the administrator choose?

A. All at once
B. Rolling
C. Rolling with additional batch
D. Immutable
Answer: D

Deploys a full new Auto Scaling group with the new version, tests it, and then swaps traffic, ensuring zero downtime and easy rollback.

Why this answer

The Immutable deployment policy (Option D) is correct because it launches a completely new set of instances in a separate Auto Scaling group, deploys the new application version to them, and then swaps the Elastic Load Balancer (ELB) traffic from the old instances to the new ones in a single, atomic swap. This ensures zero downtime and minimizes risk by keeping the original environment fully intact until the new instances pass health checks, allowing an immediate rollback by simply swapping traffic back.

Exam trap

The trap here is that candidates often confuse 'Rolling with additional batch' (Option C) with immutable deployments because both add new instances, but they fail to recognize that only Immutable launches a completely separate fleet and swaps traffic atomically, while Rolling with additional batch still modifies the existing environment and does not provide a full isolation or instant rollback capability.

How to eliminate wrong answers

Option A is wrong because 'All at once' deploys the new version to all existing instances simultaneously, causing downtime during the deployment and a full outage if the deployment fails. Option B is wrong because 'Rolling' deploys the new version in batches across existing instances, which reduces capacity during the update and does not launch a completely new set of instances, thus not providing the isolation required to minimize failure risk. Option C is wrong because 'Rolling with additional batch' adds a batch of new instances before starting the rolling update, but it still modifies existing instances and does not swap traffic from a fully separate environment; it only partially reduces capacity impact compared to standard rolling, but does not achieve the zero-downtime, full-isolation swap that Immutable provides.

213
Multi-Select · medium

A SysOps administrator is designing a deployment pipeline using AWS CodePipeline. The pipeline must include a build stage, a test stage, and a deployment stage. The administrator wants to ensure that if the build stage fails, the pipeline stops and notifies the team. Which TWO actions should the administrator take to meet these requirements? (Choose two.)

Select 2 answers
A. Configure the pipeline to stop on failure in the build stage.
B. Configure an Amazon SNS topic to send notifications on pipeline stage failures.
C. Set up an Amazon CloudWatch Events rule to detect build failures and send an email.
D. Add a manual approval action after the build stage to review results.
E. Use AWS CodeBuild as the build provider and configure it to stop the pipeline on failure.
Answers: A, B

Correct: CodePipeline can be configured to stop on failure.

Why this answer

The correct answers are A and D. CodePipeline automatically stops on failure (A). Amazon SNS can be used to send notifications (D).

Option B is wrong because CodeBuild does not stop the pipeline; it only runs the build. Option C is wrong because CloudWatch Events can trigger notifications but are not the only way; SNS is simpler. Option E is wrong because manual approval is not automatic.

214
MCQ · easy

A SysOps administrator uses AWS CodeDeploy to deploy a new version of an application to an Auto Scaling group. The deployment uses the 'CodeDeployDefault.OneAtATime' deployment configuration. During the deployment, the first instance succeeds, but subsequent instances fail because the new application version has a bug that causes the application health check to fail. The administrator wants to immediately roll back the change and restore the previous working version on all instances. Which action should the administrator take?

A. Initiate a rollback from the CodeDeploy console to redeploy the previous working revision.
B. Stop the deployment immediately; the instances that have already been updated will revert automatically.
C. Edit the deployment group settings to pause deployments after a failure, then manually fix the instances.
D. Redeploy the same failing revision but with a different deployment configuration.
Answer: A

Rollback automatically deploys the previously successful revision to all instances, restoring the working version.

Why this answer

Option A is correct because CodeDeploy supports automatic and manual rollbacks to a previous working revision. When a deployment fails, the administrator can initiate a rollback from the CodeDeploy console, which redeploys the last successful revision to all instances in the deployment group, including those that were already updated. This ensures the previous working version is restored across the entire Auto Scaling group.

Exam trap

The trap here is that candidates mistakenly think stopping a deployment automatically reverts instances, but in CodeDeploy, stopping only halts the deployment process without rolling back already-updated instances.

How to eliminate wrong answers

Option B is wrong because stopping a deployment does not trigger an automatic revert; instances that have already been updated remain on the new (failing) revision and require a manual rollback or redeployment of the previous version. Option C is wrong because editing the deployment group to pause after failures does not fix the already-failed instances; it only affects future deployments, and manual fixes are not an automated rollback solution. Option D is wrong because redeploying the same failing revision, even with a different deployment configuration, will still deploy the buggy version and cause the same health check failures.

215
MCQ · easy

A SysOps administrator needs to deploy a new version of an application that runs on Amazon EC2 instances in an Auto Scaling group. The deployment should minimize downtime and roll back automatically if health checks fail. Which deployment method should the administrator use?

A. Canary deployment
B. Blue/green deployment using a new Auto Scaling group and an Application Load Balancer
C. Rolling update via an Auto Scaling group
D. In-place deployment
Answer: B

Blue/green minimizes downtime and allows easy rollback.

Why this answer

Blue/green deployment with an Auto Scaling group and an Application Load Balancer allows switching traffic to the new version and rolling back if health checks fail. Option A is wrong because in-place deployments update existing instances and can cause downtime. Option C is wrong because rolling update is an in-place method.

Option D is wrong because canary deployment is a type of blue/green but typically used for canary testing, not automatic rollback based on health checks.

216
MCQ · medium

A company uses AWS CloudFormation to manage its infrastructure. The SysOps Administrator needs to update a stack that contains an Amazon RDS DB instance. The update requires changing the DB instance class from db.t2.medium to db.t3.medium. The RDS instance has a deletion policy of 'Snapshot' in the current template. The administrator wants to minimize downtime and ensure no data loss. The current stack update fails because CloudFormation attempts to replace the DB instance, causing a long downtime. What should the administrator do to successfully update the stack with minimal downtime?

A. Modify the DB instance class directly in RDS using the AWS CLI or console, then update the CloudFormation stack to match.
B. Change the deletion policy to 'Retain' in the template and then update the stack.
C. Create a new CloudFormation stack with the new instance class and migrate the data.
D. Delete the stack, modify the template, and recreate the stack.
Answer: A

This avoids replacement by bringing the resource into compliance.

Why this answer

Option C is correct. Modifying the RDS instance directly via the AWS CLI or console and then performing a stack update with the new instance class will cause CloudFormation to detect that the instance already matches the desired state, avoiding replacement. Option A is wrong because changing the deletion policy does not prevent replacement.

Option B is wrong because deleting the stack causes downtime and potential data loss. Option D is wrong because creating a new stack does not update the existing resources.

217
MCQ · medium

A company is using AWS CodeDeploy to deploy an application to an Auto Scaling group. The deployment fails with the error 'The overall deployment failed because too many individual instances failed deployment'. The SysOps administrator checks the deployment logs and finds that the BeforeInstall lifecycle event script is failing on some instances. The instances are Amazon Linux 2. What should the administrator do to troubleshoot this issue?

A. Verify that the CodeDeploy agent on the instances is running and can communicate with the CodeDeploy service.
B. Ensure that the CodeDeploy deployment configuration is set to 'OneAtATime' to reduce instance failures.
C. Check the appspec.yml file for syntax errors in the hooks section.
D. Review the BeforeInstall script's output and exit code in the deployment logs or on the instance.
Answer: D

The script's exit code and output will indicate why it failed.

Why this answer

The BeforeInstall script is failing; checking the script's exit code and logs on the instance is the correct approach. Option A is wrong because the appspec.yml file is likely fine if it runs the script. Option B is wrong because the issue is script execution, not agent connectivity.

Option D is wrong because the issue is not about configuration file format.

218
MCQ · medium

A SysOps administrator is deploying a new web application using AWS Elastic Beanstalk. The application requires a high-performance relational database that can scale read capacity. The administrator needs to ensure that the database is highly available and can handle read replicas. The administrator creates an Elastic Beanstalk environment and adds an Amazon RDS DB instance. However, the database is deployed in a single Availability Zone. The administrator wants to modify the environment to use a Multi-AZ deployment for high availability and add read replicas. The administrator has the following options. Which option should the administrator choose?

A. Increase the DB instance class size to improve performance and then create a read replica.
B. Create a read replica of the existing DB instance and then modify the environment to use the replica.
C. Create a new Multi-AZ RDS DB instance with read replicas outside of Elastic Beanstalk. Update the environment's environment properties to point to the new database. Then delete the old DB instance.
D. Modify the Elastic Beanstalk environment configuration to enable Multi-AZ for the existing DB instance.
Answer: C

Decoupling the database allows full control over configuration.

Why this answer

Option A is correct because Elastic Beanstalk cannot add Multi-AZ or read replicas to an RDS instance that was created as part of the environment; the recommended approach is to decouple the database by creating a separate RDS instance outside of Elastic Beanstalk and then configuring the environment to connect to it. Option B is wrong because Elastic Beanstalk does not support converting a single-AZ DB to Multi-AZ after creation. Option C is wrong because read replicas require Multi-AZ or single-AZ with backups, but the environment's DB is not easily modified.

Option D is wrong because increasing DB instance class does not provide Multi-AZ.

219
MCQ · easy

A SysOps administrator uses AWS CloudFormation to manage a stack that includes an Amazon EC2 instance. The administrator wants to update the instance type from t3.medium to t3.large without recreating the instance. The instance type change is supported as a simple update in CloudFormation. Which stack update method should the administrator use to apply this change with the least disruption?

A. Directly update the stack by modifying the template and submitting the update via the AWS Management Console, AWS CLI, or API.
B. Create a change set to review the changes, then execute the change set.
C. Apply a stack policy to the EC2 instance to allow the update, then update the stack.
D. Delete the existing stack and create a new stack with the updated instance type.
Answer: A

Direct update applies changes immediately. Since the update is a simple attribute change that does not require replacement, this is the fastest and least disruptive method.

Why this answer

Option A is correct because changing an EC2 instance type from t3.medium to t3.large is a supported simple update in CloudFormation, meaning the resource can be updated in-place without replacement. By directly updating the stack via the AWS Management Console, AWS CLI, or API, the administrator applies the change immediately with minimal disruption, as CloudFormation will stop the instance, modify the instance type, and restart it. This method avoids the overhead of creating a change set or deleting and recreating the stack, which would cause unnecessary downtime or complexity.

Exam trap

The trap here is that candidates often assume a change set is required for all updates or that it reduces disruption, when in fact it is only a review mechanism and does not change the update behavior; the direct update is equally safe and faster for simple, supported changes.

How to eliminate wrong answers

Option B is wrong because creating a change set is an optional review step that adds delay and does not reduce disruption; executing a change set still performs the same in-place update as a direct update, so it is not the least disruptive method. Option C is wrong because stack policies are used to prevent updates to specific resources, not to allow them; applying a stack policy to allow the update is unnecessary and could inadvertently block other updates if misconfigured. Option D is wrong because deleting and recreating the stack would destroy the existing EC2 instance and create a new one, causing complete disruption and data loss (unless data is stored externally), which is far more disruptive than an in-place update.

220
MCQ · hard

A SysOps administrator is troubleshooting a failed AWS CloudFormation stack creation. The stack includes an AWS::Lambda::Function resource that depends on an AWS::IAM::Role. The error message is 'Resource handler returned message: "The role defined for the function cannot be assumed by Lambda" (Service: Lambda, Status Code: 400).' What is the most likely cause?

A. The Lambda function name conflicts with an existing function
B. The trust policy of the IAM role does not include 'lambda.amazonaws.com' as a trusted entity
C. The IAM role does not have sufficient permissions to execute the Lambda function
D. The Lambda function has a resource-based policy that denies access
Answer: B

The trust policy must allow Lambda to assume the role.

Why this answer

Option C is correct because the role's trust policy must allow the Lambda service principal to assume the role. Option A is wrong because permissions are about actions, not trust. Option B is wrong because resource-based policies are for the function, not the role.

Option D is wrong because the function name is not the issue.

221
MCQ · medium

A company is using AWS CloudFormation to deploy a multi-tier web application. After updating the stack template, the update fails with a stack creation rollback in progress error. The SysOps administrator needs to identify the specific resource that caused the failure. What is the MOST efficient way to accomplish this?

A. Use the AWS Management Console to view the stack status and check the stack policy.
B. Use the `aws cloudformation describe-change-set` command to review the proposed changes.
C. Check the CloudTrail logs for the UpdateStack API call to see the error message.
D. Run the AWS CLI command `aws cloudformation describe-stack-events --stack-name <stack-name>` and review the resource status reason.
Answer: D

This command returns all events with failure reasons for each resource.

Why this answer

Option B is correct because the describe-stack-events command lists stack events in reverse chronological order, showing the specific resource failure reason. Option A is incorrect because it only shows the overall status, not details. Option C is incorrect because viewing the stack will not show event details.

Option D is incorrect because the change set was not used for the update.

222
MCQ · medium

A DevOps engineer is designing a CI/CD pipeline for a microservices application. The application consists of several Docker containers that run on Amazon ECS with Fargate launch type. The engineer wants to automate the deployment of new container versions. Which AWS service should be used to orchestrate the build, test, and deployment stages?

A. AWS CodeDeploy
B. AWS CodePipeline
C. AWS CloudFormation
D. AWS CodeBuild
Answer: B

CodePipeline orchestrates build, test, and deploy stages.

Why this answer

Option B is correct because AWS CodePipeline is a fully managed continuous delivery service that helps automate the build, test, and deploy phases of the release process. Option A is wrong because AWS CodeBuild is for building and testing code, not for orchestrating the entire pipeline. Option C is wrong because AWS CodeDeploy is for deploying applications to compute services but does not orchestrate the entire pipeline.

Option D is wrong because AWS CloudFormation is for infrastructure as code, not CI/CD orchestration.

223
MCQ · hard

A SysOps administrator is troubleshooting a CloudFormation stack that failed to create. The stack includes an Amazon RDS DB instance. The error message indicates that the DB instance name already exists. The stack uses a parameter for the DB instance identifier. What should the administrator do to resolve this issue and create the stack?

A. Delete the failed stack, change the DB instance identifier parameter to a unique name, and recreate the stack.
B. Manually delete the DB instance from the AWS Management Console and then retry the stack creation.
C. Use the AWS CLI command `aws cloudformation update-stack` with a new parameter value.
D. Execute ContinueUpdateRollback on the stack to retry the creation.
Answer: A

This resolves the naming conflict and allows the stack to be created successfully.

Why this answer

Option D is correct because the stack creation failed due to a naming conflict. Updating the stack is not possible since it failed. The best approach is to delete the failed stack, change the parameter value to a unique name, and recreate the stack.

Option A is incorrect because updating a failed stack requires a different approach and the parameter change might not be allowed. Option B is incorrect because continuing update rollback does not change the parameter. Option C is incorrect because the stack failed creation; there is no existing resource to update.

224
MCQ · medium

A SysOps administrator is automating the deployment of a three-tier web application using AWS CloudFormation. The administrator wants to ensure that the database tier is created before the application tier. How should the administrator define this dependency in the CloudFormation template?

A. Use the Conditions section to check if the database exists before creating the application tier.
B. Use the Outputs section to export the database endpoint and import it in the application tier.
C. Use the DependsOn attribute on the application tier resources to reference the database tier resources.
D. Use the Parameters section to pass the database instance identifier to the application stack.
Answer: C

Correct: DependsOn explicitly sets creation order.

Why this answer

The correct answer is C because CloudFormation supports the DependsOn attribute to specify resource dependencies. The application tier resources must wait for the database tier resources to be created. Option A is wrong because the Outputs section does not control creation order.

Option B is wrong because the Parameters section defines input values, not dependencies. Option D is wrong because the Conditions section determines whether resources are created, not the order.

225
MCQ · hard

A DevOps engineer is designing a CI/CD pipeline for a microservices application hosted on Amazon ECS with Fargate. The team wants to deploy updates to the services without downtime. The current pipeline builds a Docker image, pushes it to Amazon ECR, and updates the ECS service using AWS CodeDeploy with a blue/green deployment. However, during the deployment, the new tasks fail to start due to an incorrect environment variable. The engineer wants to validate the task definition before the actual deployment. What should the engineer do?

A. Use Amazon CloudWatch Synthetics canaries to monitor the health of the new tasks after deployment.
B. Run the Docker container locally using 'docker run' with the same environment variables to verify the configuration.
C. Use Amazon ECS Service Auto Scaling to gradually increase the number of tasks and monitor CPU utilization.
D. Configure CodeDeploy to use a validation hook with an AWS Lambda function that tests the new task definition before shifting traffic.
Answer: D

Why B is correct

Why this answer

Option B is correct because CodeDeploy allows specifying a Lambda function as a validation hook. The function can run integration tests against the new tasks before traffic is shifted, preventing the deployment from proceeding if validation fails. Option A is incorrect because ECS Service Auto Scaling adjusts the number of tasks based on load, not validation.

Option C is incorrect because 'docker run' locally does not guarantee the same behavior in ECS Fargate. Option D is incorrect because CloudWatch Synthetics can monitor endpoints but cannot be used as a pre-deployment validation gate in the pipeline.
