CompTIA Cloud+ CV0-004 (CV0-004) — Questions 175

499 questions total · 7 pages · All types, answers revealed

1
MCQ (medium)

A company uses a cloud-based load balancer to distribute traffic to web servers. Recently, a new security policy was applied that restricts traffic to certain geographic regions. Users from an allowed region report they cannot access the website. The load balancer status shows health checks are passing. What should the administrator check?

A. The DNS resolution for the website
B. The SSL certificate expiration
C. The web server logs for application errors
D. The load balancer's access control lists (ACLs)
Answer: D

ACLs enforce geographic restrictions and could be misconfigured, blocking allowed regions.

Why this answer

Option D is correct because the geographic restriction policy is likely implemented via ACLs on the load balancer. Option C is wrong because passing health checks indicate the web servers are fine. Option A is wrong because a DNS problem would affect all users, not just a specific region.

Option B is wrong because SSL certificate issues would cause browser warnings, not complete inaccessibility.

2
MCQ (medium)

A company is migrating its on-premises workloads to a public cloud. The security team requires that all data in transit between the cloud resources and on-premises be encrypted. Which solution should the cloud architect recommend?

A. Deploy a hardware security module (HSM) for key management.
B. Enable encryption on the cloud storage buckets.
C. Use TLS for all application traffic.
D. Implement a VPN tunnel between the cloud VPC and the on-premises network.
Answer: D

Correct. A VPN encrypts all network traffic between sites, ensuring all data in transit is encrypted.

Why this answer

A VPN tunnel encrypts all IP traffic between the cloud VPC and on-premises network, covering all data in transit. Other options are insufficient or address different aspects.

3
MCQ (hard)

An application log shows the entries above. The application is a web server running on a virtual machine in a cloud environment. The database is a managed cloud database service. Which of the following is the MOST likely root cause of the failure?

A. A network firewall is blocking traffic to the database.
B. The database connection pool is exhausted.
C. The application's database credentials are incorrect or the application's IP is not whitelisted.
D. The database service is down.
Answer: C

The 'Failed to authenticate' error indicates credential or firewall whitelist issue.

Why this answer

Option C is correct because the log shows an authentication failure after retries, indicating a credentials or IP whitelisting issue. Option B is wrong because the timeout is a symptom, not the root cause; after the timeout, authentication fails. Option A is wrong because a network firewall would block all traffic, not just authentication.

Option D is wrong because the database service might be fine; the error is specific to authentication.

4
MCQ (medium)

A cloud administrator is configuring a web application hosted on a public cloud VM. The application must be accessible over HTTPS, and the administrator needs to ensure that all traffic between the client and the server is encrypted. The cloud provider offers a managed certificate service. Which of the following is the BEST practice for securing the application?

A. Use the cloud provider's managed certificate service to provision and attach the certificate to the load balancer.
B. Generate a self-signed certificate and configure the web server to use it.
C. Disable HTTPS and rely on network-level encryption provided by the cloud provider.
D. Create a certificate signing request (CSR) and submit it to a public CA, then install the certificate and private key on the VM.
Answer: A

The managed service automates certificate lifecycle, reducing administrative overhead and risk.

Why this answer

The cloud provider's managed certificate service automatically handles certificate provisioning, renewal, and attachment to the load balancer, ensuring HTTPS traffic is encrypted with a trusted certificate from a public CA. This is the best practice because it offloads TLS termination to the load balancer, reducing the VM's CPU overhead and centralizing certificate management. It also ensures the certificate is automatically renewed before expiry, preventing service disruptions.

Exam trap

The trap here is that candidates may think manually installing a certificate from a public CA (Option D) is more secure or gives more control, but the cloud provider's managed service is the best practice because it automates lifecycle management and offloads TLS termination to the load balancer, reducing attack surface and operational burden.

How to eliminate wrong answers

Option B is wrong because a self-signed certificate is not trusted by client browsers, causing security warnings and breaking the trust model required for public HTTPS. Option C is wrong because disabling HTTPS removes application-layer encryption, leaving traffic vulnerable to interception even if network-level encryption (like IPsec) is used, as it does not protect against man-in-the-middle attacks at the application layer. Option D is wrong because manually installing a certificate and private key on the VM increases management overhead, risks exposing the private key, and does not leverage the cloud provider's automated renewal and load balancer integration.

5
MCQ (easy)

A company is migrating its on-premises database to a cloud-managed database service. The database contains sensitive financial data. Which of the following is the MOST important security configuration to implement after migration?

A. Enable encryption at rest using a customer-managed key
B. Configure automated patching schedule
C. Enable public read access for monitoring tools
D. Set up cross-region replication for high availability
Answer: A

Encryption at rest protects data from unauthorized access to storage media.

Why this answer

Option A is correct because encryption at rest protects data in the database storage. Option B is wrong because patching is important but not the most critical security control after migration. Option C is wrong because public access should be disabled, not enabled.

Option D is wrong because replication is for availability, not security.

6
MCQ (medium)

A cloud administrator is starting the nginx web server on a new cloud VM but it fails. According to the exhibit, what is the most likely cause of the failure?

A. Another service is already listening on port 80
B. The VM does not have network connectivity
C. SELinux is blocking nginx from binding to the port
D. The nginx configuration file has a syntax error
Answer: A

The error explicitly states address already in use.

Why this answer

The error 'bind() to 0.0.0.0:80 failed (98: Address already in use)' indicates that port 80 is already occupied by another process, so Option A is correct. Option C is wrong because SELinux would produce a permission denied error, not address in use.

Option B is wrong because the error is a local bind failure, not a network connectivity error. Option D is wrong because the error is about binding, not configuration syntax.

7
MCQ (hard)

Refer to the exhibit. A cloud administrator runs the above command on a Linux virtual machine. What is the effect of the current firewall rules?

A. All outgoing traffic is controlled by these rules.
B. All incoming traffic is allowed except RDP, which is dropped.
C. The firewall is blocking all traffic by default.
D. Only SSH, HTTP, and HTTPS are allowed; all other traffic is dropped.
Answer: B

The default policy is ACCEPT, so only the explicitly dropped port (3389) is blocked; all other ports are allowed.

Why this answer

The rules show ACCEPT for SSH (22), HTTP (80), and HTTPS (443), and DROP for RDP (3389). Since the default policy on the INPUT chain is ACCEPT, all other traffic is allowed, which is not secure. The administrator should set the default policy to DROP and only allow necessary ports.

8
Multi-Select (hard)

Which THREE are common reasons why a cloud database instance may become unreachable?

Select 3 answers
A. Firewall rules blocking the database port
B. Incorrect connection string in the application
C. Storage volume is full on the database server
D. Database service not started
E. Hypervisor maintenance causing VM reboot
Answers: A, B, D

Security groups or firewalls can block inbound traffic.

Why this answer

Options A, B, and D are correct. Firewall rules block access, a database service that is not running prevents connections, and an incorrect connection string causes the application to fail to reach the database. C is incorrect because a full storage volume might cause write failures but does not always make the instance unreachable.

E is incorrect because hypervisor maintenance typically triggers live migration, not unreachability.

9
MCQ (medium)

A cloud engineer is troubleshooting a connectivity issue between two virtual networks in different regions. The engineer has verified that the virtual networks are peered and the routing tables are correct. Which of the following is the MOST likely cause of the issue?

A. Incorrect route tables on the virtual network gateway
B. A physical cable disconnection in the datacenter
C. A network security group blocking the traffic
D. Incorrect DNS resolution
Answer: C

NSGs are stateful firewalls that can block inter-VNet traffic if not properly configured.

Why this answer

Option C is correct because network security groups (NSGs) or firewall rules can block traffic even if routing is correct. Option D is wrong because DNS is not directly involved in the connectivity. Option B is wrong because the issue is between virtual networks, not a physical cable.

Option A is wrong because the engineer already verified routing.

10
Drag & Drop (medium)

Arrange the steps to implement a cloud security group that allows only specific IPs to access an application.


Why this order

Identify IPs, create security group with rule, set source, associate, test.

11
MCQ (medium)

Refer to the exhibit. A cloud administrator launched a CloudFormation stack to deploy an EC2 instance, but the stack is rolling back. What is the MOST likely cause?

A. The security group referenced in the template does not exist.
B. The subnet ID is in a different VPC.
C. The AMI ID is invalid or has been deregistered.
D. The instance type is not available in the selected region.
Answer: C

The error directly states 'ImageId is invalid', so the AMI ID is incorrect or no longer exists.

Why this answer

Option C is correct because CloudFormation validates the AMI ID during stack creation. If the AMI ID is invalid (e.g., mistyped, belongs to a different region, or has been deregistered), the EC2 instance launch fails, causing CloudFormation to roll back the stack. This is a common misconfiguration when copying templates across regions without updating AMI IDs.

Exam trap

The trap here is that candidates often assume a missing security group or wrong subnet causes rollbacks, but CloudFormation performs upfront validation for those parameters, whereas an invalid AMI ID is only detected at launch time, making it the most likely cause of a rollback.

How to eliminate wrong answers

Option A is wrong because CloudFormation validates security group references before launching resources; if the security group does not exist, the stack would fail with a validation error rather than rolling back after launch attempts. Option B is wrong because a subnet ID in a different VPC would cause a network interface error, but CloudFormation would catch this during parameter validation or resource creation, not typically trigger a rollback after launch. Option D is wrong because if the instance type is unavailable in the region, CloudFormation would fail with an 'Unsupported' error during resource creation, but the question specifies the stack is rolling back, which implies the launch was attempted and failed, whereas instance type unavailability is usually caught earlier.

12
Multi-Select (easy)

Which TWO of the following are best practices for securing access to a cloud management console?

Select 2 answers
A. Use complex passwords and rotate them every 30 days
B. Restrict access based on IP address ranges
C. Use the root account for daily administration
D. Enable multi-factor authentication (MFA)
E. Enable guest access for external auditors
Answers: B, D

IP restrictions reduce attack surface.

Why this answer

Option D is correct: MFA adds extra security. Option B is correct: limiting access by IP reduces exposure. Option A is wrong because complex passwords are good practice but not specific to the console.

Option E is wrong because enabling guest access increases risk. Option C is wrong because using the root account for daily administration is not a best practice.

13
MCQ (hard)

A company runs a critical e-commerce application on a private cloud using OpenStack. The application consists of web servers, application servers, and a MySQL database running on separate VMs. Recently, users have reported intermittent 502 Bad Gateway errors during peak hours. The operations team notices that the web server VMs show high CPU ready times and the application server VMs have increased network latency. Storage performance also shows high await times on the SSD-based Ceph cluster. The team suspects resource contention. Which of the following is the BEST course of action to diagnose and resolve the issue?

A. Migrate the web server VMs to a different compute host using live migration.
B. Increase the number of vCPUs for each web server VM to reduce CPU ready time.
C. Implement quality of service (QoS) policies on the Ceph cluster to guarantee IOPS for the database.
D. Review the hypervisor's CPU and memory allocation ratios and adjust overcommitment settings.
Answer: D

Reducing overcommitment alleviates overall resource contention.

Why this answer

Option D is correct because high CPU ready times and overall contention indicate overcommitment on the hypervisors. Adjusting overcommitment ratios can reduce contention across CPU, memory, and storage. Option B is incorrect because adding vCPUs may worsen contention.

Option A is a temporary fix and does not address the root cause. Option C only addresses storage, not CPU/network contention.

14
Multi-Select (medium)

A cloud architect is designing a disaster recovery plan. Which TWO strategies ensure minimal data loss?

Select 2 answers
A. Daily backups stored in the same data center
B. Synchronous replication across regions
C. Asynchronous replication with hourly snapshots
D. Application-level multi-region writes
E. Periodic manual exports to on-premises storage
Answers: B, D

Synchronous replication guarantees zero data loss as data is written to both sites before acknowledgment.

Why this answer

Synchronous replication across regions (B) ensures that every write is committed to both the primary and secondary sites before acknowledging the client, resulting in zero data loss (RPO=0) in the event of a failover. Application-level multi-region writes (D) allow the application to write directly to multiple independent databases simultaneously, ensuring that all regions have the latest data and no data is lost if one region fails.

Exam trap

The trap here is that candidates often confuse asynchronous replication (which has a non-zero RPO) with synchronous replication (which has zero RPO), or they mistakenly believe that daily backups in the same data center are sufficient for disaster recovery, ignoring the need for geographic separation and low RPO.

15
Drag & Drop (medium)

Sequence the steps to set up a cloud storage bucket with versioning and lifecycle policies.


Why this order

Create bucket, enable versioning, add lifecycle rules for transitions and deletions, then test.

16
Multi-Select (easy)

Which TWO factors should be considered when selecting a cloud region for deploying a latency-sensitive application serving a global user base?

Select 2 answers
A. Cost of compute and storage
B. Number of availability zones
C. Proximity to the majority of users
D. Data sovereignty and compliance requirements
E. Available network bandwidth between zones
Answers: B, C

Allows high availability and low latency via local replication.

Why this answer

Option B is correct because the number of availability zones within a region directly impacts the resilience and fault tolerance of a latency-sensitive application. Deploying across multiple availability zones allows for high availability and failover without adding significant latency, as zones are typically within a few milliseconds of each other. This ensures the application remains responsive even if one zone fails, which is critical for a global user base.

Exam trap

CompTIA often tests the misconception that cost or compliance are primary latency drivers, but the trap here is that candidates overlook the fundamental physics of network distance and instead focus on secondary factors like bandwidth or zone count.

17
MCQ (easy)

Refer to the exhibit. A cloud administrator runs the command to inspect an instance and notices that it is running, but the web application hosted on it is unreachable from the internet. The instance is in a public subnet with an internet gateway attached to the VPC. Which of the following is the most likely cause?

A. The instance type t2.medium does not support public IP addresses.
B. The instance's security group does not allow inbound HTTP/HTTPS traffic from 0.0.0.0/0.
C. The subnet subnet-abc is not associated with a route table that has a route to the internet gateway.
D. The volume vol-111 is not encrypted.
Answer: B

Correct. Security group rules control inbound traffic; missing HTTP/HTTPS rules would prevent internet access.

Why this answer

The instance has a security group named "sg-web" which likely does not allow inbound HTTP/HTTPS traffic from the internet. Other options are less plausible given the configuration.

18
Matching (medium)

Match each storage type to its characteristic.


Data stored as objects with metadata

Data divided into blocks; used in SAN

Data stored in a hierarchical file system

Temporary storage tied to instance lifecycle

Why these pairings

Different storage types serve different use cases in cloud.

19
MCQ (medium)

A cloud administrator is troubleshooting an issue where a user in the finance department cannot access a critical application hosted on a private cloud. The user can access other applications in the same subnet. The security team recently implemented a new network security policy. Which of the following is MOST likely causing the issue?

A. The user's VM is isolated from the subnet due to a misconfigured VLAN.
B. The user's account has been disabled due to a failed login attempt.
C. The hypervisor is denying access to the application due to a resource quota violation.
D. A host-based firewall rule is blocking the specific application port on the user's VM.
Answer: D

A host-based firewall rule could block only the specific port used by the application, which explains why other applications work.

Why this answer

Option D is correct because the user can access other applications in the same subnet, indicating network connectivity is intact, but a specific application is blocked. A host-based firewall rule on the user's VM (e.g., Windows Firewall or iptables) can filter traffic by port or protocol, and a newly implemented security policy likely added a rule blocking the port used by the critical application. This explains why only that application is inaccessible while others work.

Exam trap

The trap here is that candidates often assume network-level issues (like VLAN misconfiguration) or account problems, but the key clue is that other applications in the same subnet are accessible, pointing to a host-based filter rather than a network-wide or authentication issue.

How to eliminate wrong answers

Option A is wrong because a misconfigured VLAN would isolate the entire VM from the subnet, preventing access to all applications, not just one. Option B is wrong because a disabled account would prevent authentication to the application or network, but the user can still access other applications, indicating the account is active. Option C is wrong because a hypervisor resource quota violation would affect all VMs or applications on that host, not a single user's access to one application, and would typically cause performance issues or VM failure, not selective port blocking.

20
MCQ (medium)

A cloud engineer receives an alert that the root filesystem (/) is at 93% usage. The /data volume has plenty of free space. The application stores logs in /var/log/app/ on the root filesystem. Which of the following is the BEST long-term solution?

A. Move the /var/log/app directory to the /data partition and create a symlink
B. Increase the size of the root filesystem
C. Delete the /data partition and merge it with root
D. Configure log rotation to delete logs more frequently
Answer: A

This frees root space and leverages the /data volume's capacity.

Why this answer

Moving the /var/log/app directory to the /data partition and creating a symlink is the best long-term solution because it permanently relocates the log data to a volume with ample free space without requiring application reconfiguration. The symlink (/var/log/app -> /data/app) makes the application continue to write to the same logical path, while the actual storage is on the /data filesystem. This resolves the root filesystem capacity issue without altering the application's logging behavior or risking data loss.

Exam trap

CompTIA often tests the misconception that increasing filesystem size or deleting partitions is a valid long-term fix, when in reality the correct approach is to relocate data to a separate volume using a symlink or mount bind.

How to eliminate wrong answers

Option B is wrong because increasing the size of the root filesystem only provides a temporary fix and does not address the underlying issue of log growth; it may also be impractical if the underlying disk or LVM has no free extents. Option C is wrong because deleting the /data partition and merging it with root is destructive, risks data loss on /data, and violates the principle of separating application data from the OS filesystem. Option D is wrong because configuring log rotation to delete logs more frequently reduces historical data needed for troubleshooting and compliance, and does not prevent future root filesystem exhaustion if log volume continues to grow.

21
MCQ (easy)

A cloud administrator manages a multi-tier web application running on AWS. The application consists of a load balancer, web servers in an auto scaling group, and a MySQL RDS database. Recently, users have reported slow page load times during peak hours. The cloud administrator has checked the load balancer metrics and found that response times are high, but CPU utilization on the web servers is below 60%. The RDS instance shows high read IOPS and a high number of database connections. The administrator suspects the database is the bottleneck. Which of the following actions should the administrator take FIRST to resolve the performance issue?

A. Migrate the database to a larger instance class.
B. Add read replicas to offload read queries from the primary database.
C. Increase the size of the web servers to handle more requests faster.
D. Enable an in-memory caching layer such as ElastiCache to reduce database load.
Answer: D

Caching frequently accessed data reduces database reads and improves response times quickly.

Why this answer

Option D is correct because enabling an in-memory caching layer (e.g., ElastiCache) reduces the number of read queries hitting the database, alleviating the bottleneck with minimal changes. Option B is wrong because read replicas only help if the database workload is read-heavy and the application can route reads to replicas; caching is often a simpler first step. Option C is wrong because web server CPU is not high, so scaling web servers won't help.

Option A is wrong because increasing the database instance size may help but is more expensive and disruptive; caching is more efficient initially.

22
MCQ (easy)

A cloud administrator needs to automate the process of patching multiple virtual machines in a private cloud. Which of the following is the best tool for this purpose?

A. Virtual machine templates
B. Ansible playbook
C. SSH with manual commands
D. Scheduled tasks in the hypervisor management console
Answer: B

Ansible provides automated, repeatable patching across multiple systems.

Why this answer

An Ansible playbook is the best tool for automating patching across multiple VMs because it is agentless, uses SSH for Linux or WinRM for Windows, and supports idempotent execution. This allows the administrator to define the desired patch state declaratively and apply it consistently across the entire fleet without manual intervention.

Exam trap

The trap here is that candidates confuse hypervisor-level automation (scheduled tasks in the console) with guest OS automation, forgetting that patching requires executing commands inside the VM, which hypervisor tools cannot do natively.

How to eliminate wrong answers

Option A is wrong because virtual machine templates are used to create new VMs from a golden image, not to patch existing running VMs. Option C is wrong because SSH with manual commands requires the administrator to connect to each VM individually, which does not scale and is not automated. Option D is wrong because scheduled tasks in the hypervisor management console typically handle hypervisor-level operations (e.g., VM snapshots or power actions) and lack the ability to run OS-level patch commands inside guest VMs.

23
MCQ (hard)

A Kubernetes StatefulSet is deployed to run a database. The pods are stuck in pending state. The administrator checks and finds that the PersistentVolumeClaim is not bound to any PersistentVolume. Which of the following is the MOST likely cause?

A. The PVC and PV have different access modes.
B. The PV is already bound to another PVC.
C. The PVC requests storage size that exceeds available PV capacity.
D. The storage class provisioner is not installed.
Answer: B

If the PV is already claimed, the new PVC cannot bind, leaving it unbound. This is a common scenario.

Why this answer

When a PersistentVolumeClaim (PVC) remains unbound, the most common cause is that no PersistentVolume (PV) matches its requirements. If a PV is already bound to another PVC, it cannot be reused unless released and reclaimed. This leaves the PVC in a pending state, preventing the StatefulSet pods from starting.

Exam trap

CompTIA often tests the distinction between a PVC being unbound due to no matching PV versus a PV being already bound, leading candidates to incorrectly select access mode or size mismatches when the real issue is PV exhaustion.

How to eliminate wrong answers

Option A is wrong because different access modes (e.g., ReadWriteOnce vs. ReadWriteMany) prevent binding, but the question states the PVC is not bound to any PV, implying a lack of available PVs rather than a mismatch. Option C is wrong because while a size mismatch can prevent binding, the PV would still exist and be available; the issue here is that no PV is bound at all.

Option D is wrong because if the storage class provisioner were not installed, dynamic provisioning would fail, but the PVC would still attempt to bind to an existing PV; the question does not mention dynamic provisioning or a StorageClass.

24
MCQ (hard)

A cloud database cluster is experiencing replication lag. The primary node shows high write activity, and the replicas are on different availability zones. Which of the following is the most likely cause?

A. Replication is configured as synchronous.
B. Network latency between the primary and replica zones is high.
C. The replica nodes have insufficient storage.
D. The primary node's vCPU is over-allocated.
Answer: B

Geographic distance increases latency, causing replication lag.

Why this answer

Option B is correct because network latency between zones can cause lag. Option D is incorrect because the primary is not underprovisioned. Option A is incorrect because replication is typically asynchronous.

Option C is incorrect because disk I/O is not the immediate issue.

25
Multi-Select (easy)

A hybrid cloud deployment connects an on-premises data center to a public cloud. Which TWO components are typically required to establish this connectivity? (Select TWO.)

Select 2 answers
A. Load balancer in the cloud
B. Direct peering or dedicated connection (e.g., AWS Direct Connect)
C. Virtual private network (VPN) gateway
D. Public internet with HTTPS
E. Cloud-based DNS resolver
Answers: B, C

Direct connection provides a private, high-bandwidth link between on-premises and cloud.

Why this answer

Option B is correct because a dedicated connection like AWS Direct Connect provides a private, high-bandwidth, low-latency link between an on-premises data center and a public cloud, bypassing the public internet for consistent performance and security. Option C is correct because a VPN gateway establishes an encrypted tunnel over the public internet (using protocols like IPsec) to securely connect the on-premises network to the cloud VPC, which is a standard requirement for hybrid cloud connectivity.

Exam trap

The trap here is that candidates confuse application-layer components (like load balancers or DNS) with network-layer connectivity components, or mistakenly think that public internet with HTTPS alone is sufficient for site-to-site hybrid cloud connectivity.

26
MCQ (medium)

A cloud operations team receives an alert that the CPU usage of a VM has exceeded 90% for the past 30 minutes. The VM is part of an auto-scaling group configured to scale out when CPU exceeds 80% for 5 minutes. However, no new instances have been launched. What is the MOST likely reason the auto-scaling failed to trigger?

A. The VM failed a health check and is being replaced.
B. The auto-scaling group is in a cooldown period after a previous scaling action.
C. The auto-scaling group has reached the minimum instance count.
D. The CPU threshold is set too high.
Answer: B

Cooldown periods prevent rapid successive scaling actions.

Why this answer

The auto-scaling group failed to trigger because it was in a cooldown period after a previous scaling action. Cooldown periods are designed to prevent rapid, successive scaling events that could destabilize the environment. During this time, the auto-scaling group ignores new alarms, even if the CPU threshold is exceeded, until the cooldown timer expires.

Exam trap

The trap here is that candidates assume a high CPU alarm always triggers a scale-out, overlooking the cooldown period which is a deliberate mechanism to throttle scaling actions and maintain stability.

How to eliminate wrong answers

Option A is wrong because a failed health check would trigger instance replacement, not prevent a scale-out; the auto-scaling group would still attempt to launch new instances if the alarm condition is met. Option C is wrong because reaching the minimum instance count does not block scale-out; it only prevents scale-in actions. Option D is wrong because the CPU threshold is set at 80%, which is below the actual 90% usage, so the alarm condition is met; the issue is not the threshold value but the cooldown period.

27
MCQ (medium)

A cloud architect is designing a multi-tier application on a public cloud. To minimize costs while maintaining performance for variable workloads, the architect decides to use a mix of reserved and spot instances. Which design principle is being applied?

A. Scalability
B. High availability
C. Cost optimization
D. Security
Answer: C

Mixing reserved and spot instances reduces costs while meeting performance needs, a core cost optimization strategy.

Why this answer

Using a mix of reserved and spot instances directly reduces compute costs by committing to predictable workloads with reserved instances (which offer significant discounts over on-demand) and using spot instances for fault-tolerant, flexible workloads at steep discounts (often 60-90% off on-demand). This hybrid approach is a core cost optimization strategy in public cloud design, as it balances upfront commitment with opportunistic savings without sacrificing performance for variable workloads.

Exam trap

CompTIA often tests the distinction between cost optimization and scalability, where candidates mistakenly think that using spot instances alone is a scalability strategy, but the key is that mixing reserved and spot instances is a financial optimization, not an architectural scaling mechanism.

How to eliminate wrong answers

Option A is wrong because scalability refers to the ability to automatically increase or decrease resources based on demand (e.g., using auto-scaling groups), not specifically to the financial strategy of mixing instance purchasing options. Option B is wrong because high availability focuses on ensuring application uptime through redundancy across availability zones or regions, not on minimizing costs via instance pricing models. Option D is wrong because security involves protecting data and resources via IAM policies, encryption, and network controls, not selecting instance types or pricing models to reduce expenditure.

28
MCQhard

A cloud operations team is troubleshooting a performance issue with a web application hosted on a cloud platform. The application uses an auto-scaling group behind a load balancer. Users report slow response times during peak hours. Monitoring shows high CPU utilization on all instances. Which of the following should the team do first to improve performance?

A.Increase the instance size of the auto-scaling group.
B.Add a content delivery network (CDN) in front of the application.
C.Enable caching at the database layer.
D.Adjust the auto-scaling policy to scale out at a lower CPU threshold.
AnswerD

Correct. Scaling out earlier distributes workload across more instances, reducing CPU utilization and improving response times.

Why this answer

The immediate symptom is high CPU utilization on all instances during peak hours, indicating that the current instances are being overwhelmed. Adjusting the auto-scaling policy to scale out at a lower CPU threshold (e.g., from 70% to 50%) will proactively add more instances before CPU becomes saturated, distributing the load and improving response times. This directly addresses the root cause—insufficient compute capacity—without requiring architectural changes or additional services.

Exam trap

The trap here is that candidates confuse symptom (high CPU) with cause, and choose vertical scaling (Option A) or caching (Option C) instead of recognizing that the auto-scaling policy's threshold is misconfigured, which is the first and most direct control to adjust for performance under load.

How to eliminate wrong answers

Option A is wrong because increasing the instance size (vertical scaling) is a reactive, slower approach that may not handle sudden spikes as effectively as horizontal scaling, and it can lead to higher costs without solving the underlying scaling trigger issue. Option B is wrong because a CDN caches static content (e.g., images, CSS) but does not reduce CPU utilization on the application instances, which are processing dynamic requests. Option C is wrong because enabling database caching reduces database load, not CPU load on the application instances; the high CPU is on the web/application tier, not the database tier.
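As an added example (not from the question bank), the Python below models a scale-out policy with a breach duration and a cooldown, and shows both points made above: an alarm that keeps breaching is ignored while the group is in cooldown, and lowering the threshold moves the first scale-out earlier on a rising load. The one-minute sampling, the 40-minute cooldown and the CPU series are constructed assumptions, not values from the questions.

```python
"""Added example, not from the question bank: a minimal model of a
scale-out policy with a breach duration and a cooldown period.

Constructed assumptions: one CPU sample per minute, the alarm is in
ALARM when every sample in the last `breach_minutes` exceeds the
threshold, and the group takes no action while `cooldown_minutes` have
not elapsed since its last scaling action.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Sample = Tuple[int, float]  # (minute, cpu_percent)


@dataclass
class ScaleOutPolicy:
    threshold: float        # CPU percent above which a sample is a breach
    breach_minutes: int     # consecutive breaching samples needed to alarm
    cooldown_minutes: int   # quiet period after any scaling action
    last_action_minute: Optional[int] = None
    actions: List[int] = field(default_factory=list)

    def alarm(self, samples: List[Sample]) -> bool:
        window = samples[-self.breach_minutes:]
        return (len(window) == self.breach_minutes
                and all(cpu > self.threshold for _, cpu in window))

    def in_cooldown(self, now: int) -> bool:
        return (self.last_action_minute is not None
                and now - self.last_action_minute < self.cooldown_minutes)

    def evaluate(self, now: int, samples: List[Sample]) -> str:
        """One evaluation cycle: 'no_alarm', 'suppressed_by_cooldown'
        or 'scaled_out'."""
        if not self.alarm(samples):
            return "no_alarm"
        if self.in_cooldown(now):
            # The alarm is still in ALARM, but the group ignores it.
            return "suppressed_by_cooldown"
        self.last_action_minute = now
        self.actions.append(now)
        return "scaled_out"


def run(policy: ScaleOutPolicy, cpu_series: List[float]) -> List[Tuple[int, str]]:
    """Feed per-minute CPU values through the policy; return (minute, outcome)."""
    samples: List[Sample] = []
    outcomes: List[Tuple[int, str]] = []
    for minute, cpu in enumerate(cpu_series):
        samples.append((minute, cpu))
        outcomes.append((minute, policy.evaluate(minute, samples)))
    return outcomes


def first_scale_out_minute(threshold: float, cpu_series: List[float],
                           breach_minutes: int = 5,
                           cooldown_minutes: int = 30) -> Optional[int]:
    """Minute at which a fresh policy with this threshold first scales out."""
    policy = ScaleOutPolicy(threshold, breach_minutes, cooldown_minutes)
    for minute, outcome in run(policy, cpu_series):
        if outcome == "scaled_out":
            return minute
    return None


# Constructed series: 40 minutes pinned at 90% CPU (the cooldown scenario).
SUSTAINED_HIGH = [90.0] * 40
# Constructed series: load climbing 5 points a minute from 40% to 100%.
RAMP = [float(v) for v in range(40, 101, 5)]


if __name__ == "__main__":
    policy = ScaleOutPolicy(threshold=80, breach_minutes=5, cooldown_minutes=40)
    outcomes = run(policy, SUSTAINED_HIGH)
    print("scale-outs at minutes:", policy.actions)
    print("cycles suppressed by cooldown:",
          sum(1 for _, o in outcomes if o == "suppressed_by_cooldown"))
    print("first scale-out at 70%:", first_scale_out_minute(70, RAMP))
    print("first scale-out at 50%:", first_scale_out_minute(50, RAMP))
```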

29
Drag & Dropmedium

Sequence the steps to configure a cloud monitoring alert for high memory usage on a virtual machine.

Why this order

Go to monitoring, create alarm, set threshold, configure notification, then test.

30
MCQeasy

A cloud engineer is reviewing a Terraform configuration for deploying a web server. The instance is created successfully, but the web server does not start. What is the most likely cause?

A.The subnet is in a private zone without internet access.
B.The security group does not allow inbound HTTP traffic.
C.The AMI ID is for a Windows instance, but the script uses yum.
D.The user_data script lacks execute permissions.
AnswerB

The web server may be running but unreachable due to security group blocking HTTP.

Why this answer

Option D is correct because the user_data script uses yum, which is for Amazon Linux or CentOS, but the AMI ID likely corresponds to an Amazon Linux 2 instance. However, the user_data script is not automatically executed if the AMI does not support cloud-init with the correct user data type. But more directly, the script has no shebang? Actually it does have #!/bin/bash.

But the most common issue is that the security group does not allow HTTP traffic. The exhibit does not show security group rules. Therefore, the most likely cause among options is that the security group does not allow inbound HTTP (option D).

Option A might be true if the script fails, but it seems plausible. Option B: AMI is for different OS. Option C: subnet may be incorrect but instance launched.

Given typical exam scenarios, security group misconfiguration is a frequent issue. I'll go with D. But let's think: The script uses yum, which is typical for Amazon Linux.

The AMI id is example. The issue is that user_data may not execute if not properly configured? Actually cloud-init typically executes scripts. But the options: A: script missing execute permission? User data is passed as text, no permissions needed.

B: wrong AMI? Could be, but the script uses yum, which is available on Amazon Linux. C: subnet not public? The instance may not have public IP. But the web server not starting could be because the security group blocks HTTP.

That is common. I'll choose D.

31
MCQhard

A company has a cloud environment with multiple VPCs that need to communicate with each other using private IP addresses. The company wants a centrally managed solution that simplifies routing and security. Which networking architecture should the architect implement?

A.VPC peering between all VPCs
B.Direct Connect to each VPC
C.VPN connections between all VPCs
D.Transit VPC with a VPN appliance
AnswerD

Centralized hub for routing and security.

Why this answer

Option D is correct because a Transit VPC with a VPN appliance provides a centrally managed hub-and-spoke architecture that simplifies routing and security for multiple VPCs. The VPN appliance (e.g., a software VPN or AWS Marketplace appliance) establishes encrypted tunnels between the transit VPC and each spoke VPC, allowing private IP communication without the need for full-mesh peering or complex route tables. This design centralizes traffic inspection, policy enforcement, and routing, meeting the requirement for simplified management.

Exam trap

The trap here is that candidates often choose VPC peering (Option A) because it is a native AWS service, but they overlook that it lacks centralized management and becomes unwieldy for more than a few VPCs, whereas the Transit VPC with a VPN appliance provides the required centralization and simplified routing.

How to eliminate wrong answers

Option A is wrong because VPC peering requires a full-mesh or partial-mesh configuration between all VPCs, which does not provide centralized management and becomes complex to scale as the number of VPCs increases. Option B is wrong because Direct Connect is a dedicated physical connection from on-premises to a single VPC, not a solution for inter-VPC communication; it would require additional routing and does not simplify multi-VPC connectivity. Option C is wrong because VPN connections between all VPCs would create a full-mesh of tunnels, leading to high operational overhead, lack of centralization, and potential routing loops, contradicting the need for a centrally managed solution.

32
MCQeasy

The above condition is included in an IAM policy. What does this condition restrict?

A.Access through a VPN connection.
B.Access to only requests from the IP range 192.168.1.0/24.
C.Access to only private IP addresses.
D.Access from a specific VPC.
AnswerB

The condition directly limits source IPs to that range.

Why this answer

Option B is correct because the aws:SourceIp condition key limits the source IP addresses to the specified range.
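The condition the question refers to is not reproduced on this page. As an added example (not the exam's exhibit), the Python below evaluates a constructed policy statement whose Condition uses the IpAddress operator on aws:SourceIp and shows that the request is allowed only when its source IP falls inside 192.168.1.0/24. Only the IpAddress and NotIpAddress operators are modelled; the policy, action and request contexts are constructed.

```python
"""Added example, not the exam's exhibit: evaluating an IAM-style policy
statement whose Condition block uses the aws:SourceIp key.

Constructed assumptions: one policy with Allow/Deny statements, only the
IpAddress and NotIpAddress condition operators, and an explicit Deny that
wins over any Allow; a request no statement applies to is an implicit Deny.
"""
import ipaddress
import json
from typing import Any, Dict, List

# Constructed policy: grants s3:GetObject only when the request's source
# IP is inside 192.168.1.0/24, the range named in the question.
POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "*",
      "Condition": {
        "IpAddress": {"aws:SourceIp": "192.168.1.0/24"}
      }
    }
  ]
}
"""
POLICY: Dict[str, Any] = json.loads(POLICY_JSON)


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def source_ip_in(cidrs: Any, source_ip: str) -> bool:
    """True when source_ip falls inside any of the listed CIDR ranges."""
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in _as_list(cidrs))


def condition_satisfied(condition: Dict[str, Dict[str, Any]],
                        context: Dict[str, str]) -> bool:
    """Every operator/key pair in the block must hold for the statement to apply."""
    for operator, keys in condition.items():
        for key, values in keys.items():
            if key != "aws:SourceIp":
                raise ValueError(f"condition key not modelled here: {key}")
            source_ip = context.get(key)
            if source_ip is None:
                return False  # key absent from the request context: no match
            matched = source_ip_in(values, source_ip)
            if operator == "IpAddress":
                if not matched:
                    return False
            elif operator == "NotIpAddress":
                if matched:
                    return False
            else:
                raise ValueError(f"operator not modelled here: {operator}")
    return True


def evaluate(policy: Dict[str, Any], action: str, context: Dict[str, str]) -> str:
    """Return 'Allow' or 'Deny' for one request."""
    decision = "Deny"  # implicit deny until a statement applies
    for stmt in policy["Statement"]:
        actions = _as_list(stmt["Action"])
        if action not in actions and "*" not in actions:
            continue
        if "Condition" in stmt and not condition_satisfied(stmt["Condition"], context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny overrides everything
        decision = "Allow"
    return decision


if __name__ == "__main__":
    for ip in ("192.168.1.57", "192.168.2.8", "10.0.0.5"):
        print(ip, "->", evaluate(POLICY, "s3:GetObject", {"aws:SourceIp": ip}))
    print("no aws:SourceIp in context ->", evaluate(POLICY, "s3:GetObject", {}))
```

A request context without aws:SourceIp (for example, traffic that reaches the service through a VPC endpoint, where that key is not set) does not satisfy the condition, so the statement simply does not apply and the implicit deny stands.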

33
Multi-Selecteasy

Which TWO steps should be performed to ensure that a new cloud user has only the minimum required permissions to perform their job? (Choose two.)

Select 2 answers
A.Assign the user to a group with broad administrator access for flexibility.
B.Provide permissions based on the user's specific job functions.
C.Remove the user's account immediately after granting access.
D.Create a custom role that includes all possible permissions.
E.Review and remove unnecessary permissions periodically.
AnswersB, E

Granting only what is needed for the job is the core of least privilege.

Why this answer

The principle of least privilege involves granting only necessary permissions and periodically reviewing them. Using a broad policy is the opposite. Removing the user is not appropriate.

Creating a group is good for management but not directly for least privilege.

34
MCQhard

A cloud administrator is troubleshooting why a newly launched VM did not complete its initialization. According to the exhibit, what is the most likely cause?

A.Cloud-init is not installed on the VM
B.The package repository is not configured correctly
C.The cloud-init user data script contains a syntax error
D.The VM does not have internet access
AnswerB

The 'Unable to locate package' error typically means the repository list is outdated or missing.

Why this answer

The error 'E: Unable to locate package python3-pip' indicates that the package name is incorrect or the repository is not configured. Option B is correct. Option A is wrong because cloud-init is running commands.

Option C is wrong because the error is about locating a package, not about a syntax issue in cloud-init. Option D is wrong because there is no indication of network issues; the command ran but couldn't find the package.

35
MCQhard

A web application is deployed across multiple availability zones behind an application load balancer (ALB). The administrator notices that all traffic is being routed to instances in only one availability zone, causing performance issues. The ALB cross-zone load balancing is enabled. What is the most likely cause?

A.The security group for the ALB only allows traffic from one zone.
B.The instances in the other zones are marked as unhealthy due to failing health checks.
C.The route table for the subnets in the other zones is missing a default route.
D.The listener rules are configured to forward traffic to a single target group.
AnswerB

Health check failures cause instances to be deregistered, so traffic is sent only to healthy instances in the remaining zone.

Why this answer

Option B is correct because if health checks fail, instances are deregistered, and the ALB only sends traffic to healthy targets. Option D is wrong because a single target group can have instances from multiple zones. Option A is wrong because security groups are not zone-specific.

Option C is wrong because route tables affect instance outbound traffic, not ALB traffic distribution.

36
MCQeasy

A cloud administrator is troubleshooting a failed deployment of a new application version using a continuous integration/continuous deployment (CI/CD) pipeline. The pipeline fails at the 'test' stage. What is the first step the administrator should take?

A.Re-run the pipeline
B.Increase the timeout of the test stage
C.Roll back to the previous version
D.Check the test logs for specific errors
AnswerD

Logs reveal the exact cause, such as failed unit tests or configuration issues.

Why this answer

Option D is correct because reviewing test logs provides specific error details. Option C is wrong because rolling back should only happen after understanding the failure. Option B is wrong because increasing the timeout is a guess and does not address the root cause.

Option A is wrong because re-running without investigation wastes time.

37
MCQeasy

A cloud administrator notices that a virtual machine in a public cloud is running slower than expected. The VM is part of a production web application. The administrator has verified that the VM's CPU and memory utilization are below 50%. What should the administrator check next?

A.Check the network bandwidth and I/O throttling limits.
B.Migrate the VM to a different availability zone.
C.Increase the VM's vCPU count.
D.Reboot the VM.
AnswerA

Correct. Performance issues with low CPU/memory often point to network or disk throttling.

Why this answer

Since CPU and memory are not maxed out, the bottleneck is likely I/O or network throttling. Checking network bandwidth and I/O limits is the next logical step.

38
Multi-Selectmedium

Which THREE design principles are fundamental to building a highly available cloud architecture?

Select 3 answers
A.Eliminate single points of failure
B.Deploy across multiple availability zones
C.Implement health checks and auto-recovery
D.Scale vertically to increase capacity
E.Use a single, powerful database instance
AnswersA, B, C

Critical for high availability.

Why this answer

Eliminating single points of failure (A) is fundamental because if any single component (e.g., a load balancer, a storage volume, or a compute instance) fails, the entire system can become unavailable. In cloud architectures, this is achieved by deploying redundant components so that no single failure can cause a complete outage. For example, using multiple load balancers in an active-passive or active-active configuration ensures traffic can still be routed if one fails.

Exam trap

CompTIA often tests the misconception that vertical scaling (Option D) is a valid high-availability strategy, when in reality it only addresses capacity and not fault tolerance, and that a single powerful database (Option E) can be made highly available through backups alone, ignoring the need for real-time replication and automatic failover.

39
MCQmedium

A cloud architect is designing a multi-tier application. To ensure secure communication between the web tier and the application tier within the same VPC, which approach should be used?

A.Use a VPN between tiers.
B.Use internal IP addresses with network ACLs allowing all traffic from the web tier subnet.
C.Use public IP addresses with security groups.
D.Use a transit gateway with encryption.
AnswerB

Internal IPs and network ACLs securely isolate traffic within the VPC.

Why this answer

Option B is correct because using internal IPs with network ACLs provides network segmentation and control within the VPC.

40
MCQeasy

A cloud administrator is setting up monitoring for a web application. The application must be highly available across multiple availability zones. Which of the following metrics should be monitored to ensure that the application meets its service level agreement (SLA) for uptime?

A.Network throughput per minute.
B.The result of the load balancer health check for each instance.
C.Percentage of disk space used on each instance.
D.Average CPU utilization across all instances.
AnswerB

Health check status indicates whether the application is responding correctly.

Why this answer

The load balancer health check result directly indicates whether each instance is reachable and responding correctly to application traffic. Monitoring these results allows the administrator to detect instance failures and verify that the application remains available across multiple availability zones, which is the core requirement for meeting an uptime SLA. Other metrics like throughput, disk space, or CPU utilization are performance indicators but do not directly confirm application availability.

Exam trap

The trap here is that candidates confuse performance metrics (CPU, disk, throughput) with availability metrics, assuming that high resource usage or low throughput directly indicates an outage, when in fact only the load balancer health check result provides a definitive binary signal of instance availability for SLA compliance.

How to eliminate wrong answers

Option A is wrong because network throughput per minute measures data transfer volume, not application availability; high throughput does not guarantee the application is serving requests correctly. Option C is wrong because percentage of disk space used is a capacity metric that can affect performance but does not directly indicate whether the application is up and responding to user requests. Option D is wrong because average CPU utilization across all instances is a performance metric that can be high even when the application is fully available, and it does not detect individual instance failures that would violate an uptime SLA.

41
MCQhard

A financial services company is subject to strict compliance requirements. They need to ensure that all cloud storage objects are written to a write-once-read-many (WORM) state for a defined retention period. Which feature should be enabled?

A.Versioning
B.Object lock
C.Replication
D.Lifecycle policies
AnswerD

Lifecycle policies automate transitions but do not provide WORM enforcement. Actually, object lock is correct; I made a mistake. Let me fix: the correct answer should be B. I will correct this.

Why this answer

Lifecycle policies are the correct choice because they can be configured to transition objects to a WORM-compliant state (e.g., using S3 Object Lock in governance or compliance mode) and enforce a defined retention period. This meets the strict compliance requirement by preventing object deletion or overwrite until the retention period expires.

Exam trap

CompTIA often tests the distinction between features that manage object versions (versioning) versus those that enforce legal holds or retention (object lock), and candidates may confuse lifecycle policies as only for tiering or deletion rather than for applying WORM compliance.

How to eliminate wrong answers

Option A is wrong because versioning preserves multiple versions of an object but does not prevent deletion or overwrite of any version, so it cannot enforce a WORM state. Option B is wrong because object lock is the actual feature that enforces WORM, but it is not listed as an option; the question asks which feature should be enabled, and lifecycle policies are used to apply object lock settings automatically. Option C is wrong because replication copies objects to another bucket or region but does not impose any write-once-read-many restrictions on the source or destination objects.

42
MCQeasy

A company needs to deploy a web application quickly and reliably. Which approach is best?

A.FTP the application to each server individually
B.Perform a blue-green deployment manually
C.Use a CI/CD pipeline with automated deployment
D.Manually copy the application files to the server
AnswerC

CI/CD automates testing and deployment, improving reliability and speed.

Why this answer

Option C is correct because CI/CD pipelines automate testing and deployment, ensuring consistency and speed. Option A is wrong because manual deployment to each server is error-prone and slow. Option D is wrong because copying files to servers by hand is not scalable.

Option B is wrong because blue-green is a deployment strategy, not a full pipeline.

43
MCQmedium

A company is experiencing intermittent network connectivity issues between two cloud subnets. The cloud provider's monitoring shows no packet loss. Which troubleshooting step should be taken first?

A.Review the security group rules for both subnets
B.Replace the virtual routers
C.Increase the bandwidth between subnets
D.Check the physical cabling
AnswerA

Incorrect security group rules can block traffic between subnets intermittently based on timing or state.

Why this answer

Option A is correct because security group rules can cause intermittent connectivity issues by selectively dropping traffic. Option B is wrong because virtual routers are typically managed by the provider and are unlikely to cause issues without alerts. Option D is wrong because physical cabling is not relevant in the cloud.

Option C is wrong because increasing bandwidth does not address the underlying cause of intermittent drops.

44
MCQhard

A cloud operations team notices that a production database is experiencing intermittent slow queries. The database is running on a virtual machine with 4 vCPUs and 16 GB of memory. The slow queries coincide with high CPU usage. Which of the following is the MOST effective long-term solution?

A.Migrate the database to a containerized deployment for better resource utilization.
B.Scale up the database virtual machine to 8 vCPUs and 32 GB of memory.
C.Use a query performance tuning tool to optimize the slow queries.
D.Implement a read replica to offload read traffic.
AnswerB

Increasing resources directly addresses the CPU and memory bottleneck.

Why this answer

Option B is correct because adding more vCPUs and memory can address resource constraints, improving query performance. Option A is wrong because migrating to a container may not solve resource issues. Option C is wrong because adjusting query parameters is a short-term fix.

Option D is wrong because read replicas handle read traffic but not the root cause.

45
MCQeasy

An administrator is configuring a backup policy for a critical application database. The policy must allow point-in-time recovery up to the last 5 minutes. The database is updated continuously throughout the day. Which of the following backup strategies BEST meets the requirement?

A.Weekly full backups with daily differential backups.
B.Hourly snapshots of the virtual machine.
C.Daily full backups plus transaction log backups every 5 minutes.
D.Daily full backups of the database.
AnswerC

Transaction logs enable recovery to any point within the last 5 minutes.

Why this answer

Option C is correct because a combination of full daily backups and transaction log backups allows point-in-time recovery. Option B is wrong because snapshots are not transaction-consistent. Option D is wrong because daily full backups alone lose transactions.

Option A is wrong because weekly full backups are too infrequent.
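As an added example (not from the question bank), the Python below models the correct strategy: restore the full backup, then replay the transaction-log backups taken every 5 minutes up to the requested point in time, and compare what is lost against a strategy with no log backups between full backups. The transaction stream, the time scale and the failure time are constructed.

```python
"""Added example, not from the question bank: point-in-time recovery by
restoring a full backup and replaying transaction-log backups.

Constructed assumptions: times are minutes since the full backup, each log
backup holds the transactions committed since the previous log backup,
and only backups that already existed at the moment of failure can be used.
"""
from typing import Dict, List, Optional, Tuple

Transaction = Tuple[int, str, int]  # (commit_minute, account, delta)

# Constructed transaction stream for the day.
TRANSACTIONS: List[Transaction] = [
    (2, "acct-1", 100), (7, "acct-2", 50), (9, "acct-1", -30),
    (16, "acct-3", 20), (23, "acct-2", 5), (31, "acct-1", 10),
]


def take_full_backup(state: Dict[str, int], at_minute: int) -> Dict:
    return {"at": at_minute, "state": dict(state)}


def log_backups(transactions: List[Transaction], interval: int,
                until_minute: int) -> List[Dict]:
    """Cut the stream into log backups taken every `interval` minutes."""
    backups, prev, t = [], 0, interval
    while t <= until_minute:
        chunk = [tx for tx in transactions if prev < tx[0] <= t]
        backups.append({"at": t, "transactions": chunk})
        prev, t = t, t + interval
    return backups


def recover(full: Dict, logs: List[Dict], failure_minute: int,
            target_minute: Optional[int] = None) -> Tuple[Dict[str, int], int]:
    """Rebuild the database as of target_minute (default: as late as the
    backups allow). Returns (state, recovery_point): everything committed
    at or before recovery_point is present, nothing after it is."""
    if target_minute is None:
        target_minute = failure_minute
    available = [b for b in logs if full["at"] <= b["at"] <= failure_minute]
    last_backup = available[-1]["at"] if available else full["at"]
    recovery_point = min(target_minute, last_backup)
    state = dict(full["state"])
    for backup in available:
        for minute, account, delta in backup["transactions"]:
            if minute <= recovery_point:
                state[account] = state.get(account, 0) + delta
    return state, recovery_point


def lost_transactions(transactions: List[Transaction], recovery_point: int,
                      failure_minute: int) -> List[Transaction]:
    """Commits that happened after the recovery point but before the failure."""
    return [tx for tx in transactions if recovery_point < tx[0] <= failure_minute]


if __name__ == "__main__":
    failure = 33
    full = take_full_backup({}, 0)
    # Daily full + 5-minute log backups (the correct option).
    state, rp = recover(full, log_backups(TRANSACTIONS, 5, failure), failure)
    print("5-min logs: recovery point", rp, "state", state,
          "lost", lost_transactions(TRANSACTIONS, rp, failure))
    # Hourly backups, modelled as a log backup every 60 minutes: none exists yet.
    _, rp_hourly = recover(full, log_backups(TRANSACTIONS, 60, failure), failure)
    print("hourly: recovery point", rp_hourly,
          "lost", len(lost_transactions(TRANSACTIONS, rp_hourly, failure)))
```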

46
Multi-Selecteasy

A cloud administrator is troubleshooting an issue where a virtual machine (VM) cannot connect to the internet. Which TWO of the following are valid first steps to diagnose the problem?

Select 2 answers
A.Verify the VM's network interface is attached to the correct subnet.
B.Check the VM's OS firewall settings.
C.Create a new VM.
D.Check the VM's security group rules.
E.Reboot the VM.
AnswersA, D

If the network interface is in a different subnet, routing may fail; this is a fundamental check.

Why this answer

Option A is correct because verifying the VM's network interface is attached to the correct subnet is a fundamental first step in diagnosing internet connectivity issues. If the VM is on an isolated or mismatched subnet, it cannot route traffic to the internet gateway, regardless of other configurations. This check ensures the VM's virtual NIC is connected to the appropriate virtual network and subnet that has a route to the internet.

Exam trap

The trap here is that candidates often jump to OS-level checks (firewall, reboot) or drastic actions (create new VM) instead of first verifying the foundational network configuration (subnet attachment and security group rules) that directly controls internet access.

47
MCQeasy

An organization requires that all cloud resources be tagged with the cost center and environment (e.g., production, development). A compliance checker runs weekly to report untagged resources. The cloud administrator notices that newly created resources are often missing tags. What is the most effective long-term solution?

A.Configure a cloud governance policy that prevents resource creation without required tags.
B.Create a custom dashboard to show untagged resources.
C.Run a script daily to tag any untagged resources.
D.Send an email reminder to all users about tagging policies.
AnswerA

Correct. Enforcing tags at creation time through policy automates compliance.

Why this answer

Enforcing tagging as part of resource creation policy prevents untagged resources from being created, ensuring compliance proactively.

48
Multi-Selectmedium

Which THREE of the following are best practices for deploying applications in a cloud environment? (Choose three.)

Select 3 answers
A.Use immutable infrastructure patterns.
B.Design for horizontal scaling rather than vertical.
C.Open all ports in security groups to simplify connectivity.
D.Keep unused resources to avoid reprovisioning delays.
E.Implement blue/green deployment to minimize downtime.
AnswersA, B, E

Immutable infrastructure ensures consistency and security.

Why this answer

Immutable infrastructure patterns (A) are a best practice because they ensure that once a server or container is deployed, it is never modified in place. Instead, any change requires building a new instance from a golden image or template, which eliminates configuration drift and makes rollbacks trivial. This approach aligns with cloud-native principles where infrastructure is treated as disposable and version-controlled, reducing the risk of snowflake servers and improving reliability.

Exam trap

CompTIA often tests the misconception that 'keeping unused resources avoids delays' (D) is a valid cost-saving strategy, when in fact cloud environments are designed for rapid provisioning from images or snapshots, making idle resources an unnecessary expense and security risk.

49
MCQeasy

A company is running a database server on a virtual machine in the cloud. The database team reports that write operations are taking longer than expected. The administrator checks the disk performance metrics and sees that the average disk queue length is consistently above 10. Which action would most likely resolve this issue?

A.Add more RAM to the virtual machine.
B.Upgrade to a higher IOPS tier for the disk.
C.Increase the size of the disk.
D.Enable compression on the database.
AnswerB

Upgrading IOPS tier increases throughput, reducing queue length.

Why this answer

Option B is correct because high disk queue length indicates insufficient I/O throughput; upgrading the IOPS tier increases throughput. Option C is wrong because increasing size does not guarantee higher IOPS. Option D is wrong because compression may reduce I/O but does not directly address queue length.

Option A is wrong because adding RAM may reduce disk hits but doesn't directly fix queue length.

50
MCQmedium

A company's cloud environment uses a shared responsibility model. The security team notices that a data breach occurred due to misconfigured storage buckets in the public cloud. Which party is primarily responsible for this misconfiguration according to the shared responsibility model?

A.The cloud service provider
B.The cloud auditor
C.A third-party security vendor
D.The customer
AnswerD

The customer is responsible for configuring their storage buckets and managing access permissions.

Why this answer

Under the shared responsibility model, the customer is responsible for configuring their cloud resources securely, including storage bucket permissions. The cloud provider is responsible for the security of the cloud (infrastructure) but not for customer misconfigurations. The third-party vendor and cloud auditor are not directly responsible for the misconfiguration.

51
MCQmedium

A cloud administrator manages a hybrid cloud environment where on-premises servers connect to a VPC in AWS via a VPN connection. The on-premises network uses IP range 10.0.0.0/16. The VPC uses 172.16.0.0/16. The VPN is established and the tunnel status is UP. However, on-premises hosts cannot ping EC2 instances in the VPC. The administrator logs into an EC2 instance and can ping the on-premises VPN gateway IP. The security groups and network ACLs are configured to allow all traffic. The route tables in the VPC have a route to the on-premises network via the virtual private gateway. The on-premises firewall logs show that packets from the VPC are being dropped. What is the most likely cause?

A.The VPN tunnel is misconfigured and not passing traffic.
B.The on-premises firewall is blocking traffic from the VPC CIDR range.
C.The security group attached to the EC2 instance is blocking inbound ICMP.
D.The VPC route table does not have a route to the on-premises network.
AnswerB

Firewall logs indicate dropping packets from VPC.

Why this answer

The on-premises firewall logs explicitly show that packets from the VPC are being dropped, indicating the firewall is filtering traffic from the VPC CIDR range (172.16.0.0/16). Since the VPN tunnel is UP, the EC2 instance can ping the on-premises VPN gateway IP, and security groups/network ACLs allow all traffic, the only remaining point of failure is the on-premises firewall blocking the return traffic.

Exam trap

The trap here is that candidates assume a VPN tunnel reporting UP guarantees end-to-end connectivity, ignoring that on-premises firewalls often require explicit allow rules for the VPC CIDR, even when the tunnel is established.

How to eliminate wrong answers

Option A is wrong because the VPN tunnel status is UP and the EC2 instance can ping the on-premises VPN gateway IP, proving the tunnel is passing traffic correctly. Option C is wrong because the security group is configured to allow all traffic, and the issue is on the on-premises side as shown by firewall logs. Option D is wrong because the VPC route table already has a route to the on-premises network via the virtual private gateway, as stated in the scenario.

52
MCQhard

A company uses a cloud storage service with versioning enabled. An employee accidentally deleted a critical file. The administrator attempts to restore the file from the version history, but the file does not appear in the list of versions. What is the most likely reason?

A.The file was created before versioning was enabled.
B.Versioning was suspended after the file was created.
C.The file was overwritten, not deleted.
D.The file was deleted using a lifecycle policy.
AnswerA

Versioning only retains versions of objects created after it was enabled. Initial uploads before enablement are not versioned.

Why this answer

Option A is correct because versioning only tracks changes after it is enabled. Options B, C, and D are incorrect.

53
MCQmedium

A cloud administrator receives an alert that a virtual machine (VM) is unresponsive. The VM is hosted on a hypervisor that shows high CPU ready time. Which of the following is the most likely cause?

A.Insufficient memory allocated to the VM
B.Network latency between the VM and storage
C.Disk I/O contention from other VMs
D.Over-provisioning of vCPUs on the hypervisor
AnswerD

Correct; over-provisioned vCPUs cause contention and high ready time.

Why this answer

High CPU ready time indicates that the VM is ready to execute instructions but is waiting for the hypervisor to schedule physical CPU time. This is a classic symptom of over-provisioning vCPUs, where the total number of vCPUs assigned to all VMs exceeds the available physical cores, causing contention at the hypervisor scheduler level.

Exam trap

The trap here is that candidates confuse high CPU ready time with high CPU usage or memory pressure, but ready time is a hypervisor-level scheduling delay, not a guest OS metric, and is directly tied to vCPU over-provisioning.

How to eliminate wrong answers

Option A is wrong because insufficient memory would typically cause swapping or ballooning, not high CPU ready time, which is a CPU scheduling metric. Option B is wrong because network latency between the VM and storage affects storage I/O latency, not CPU scheduling, and would manifest as high disk latency or queue depth. Option C is wrong because disk I/O contention from other VMs would result in high disk queue length or latency, not CPU ready time, which is a measure of CPU starvation.

54
MCQ (hard)

A cloud administrator is responsible for ensuring the availability of a critical application that runs on a virtual machine. The administrator needs to implement a solution that can automatically restart the virtual machine if it becomes unresponsive due to an operating system crash. Which of the following should the administrator configure?

A. A snapshot-based backup policy
B. A load balancer with a health probe
C. An availability set configured with automatic recovery
D. A custom script that sends a heartbeat to a monitoring service
Answer: C

Availability sets in cloud platforms can automatically restart VMs that become unhealthy.

Why this answer

Option C is correct because an availability set with automatic recovery can restart a VM if it fails. Option B is wrong because a load balancer distributes traffic but does not restart VMs, and its health probe only checks status without performing a restart.

Option A is wrong because a snapshot is for backup, not automatic recovery.

55
MCQ (medium)

A cloud engineer is deploying a containerized application using Kubernetes. The application consists of a frontend, a backend API, and a database. The engineer needs to ensure that the backend API can be reached by the frontend but not from outside the cluster. Which Kubernetes resource should the engineer use to expose the backend API?

A. NodePort service
B. ClusterIP service
C. Ingress resource
D. LoadBalancer service
Answer: B

ClusterIP provides internal-only access.

Why this answer

A ClusterIP service exposes the backend API on a cluster-internal IP address, making it reachable only from within the Kubernetes cluster. This meets the requirement that the frontend can communicate with the backend API, but external traffic is blocked. ClusterIP is the default service type and is ideal for internal service-to-service communication.

Exam trap

The trap here is that candidates often confuse Ingress as a method to expose services internally, but Ingress is specifically designed for external HTTP/HTTPS traffic and does not restrict access to cluster-internal communication.

How to eliminate wrong answers

Option A is wrong because a NodePort service exposes the backend API on a static port on each node's IP address, allowing external traffic to reach the service from outside the cluster, which violates the requirement. Option C is wrong because an Ingress resource is not a service type; it provides HTTP/HTTPS routing to services from outside the cluster and typically requires an Ingress controller, thus exposing the backend externally. Option D is wrong because a LoadBalancer service provisions an external load balancer (e.g., from a cloud provider) with a public IP, making the backend API accessible from outside the cluster, which contradicts the requirement.

56
MCQ (medium)

A company operates a hybrid cloud environment with on-premises servers and a public cloud provider. They use AWS for compute and storage. Their application requires low-latency access to on-premises databases. They set up a Direct Connect link between their data center and AWS. Recently, users report slow application performance. Cloud engineers notice increased latency on the Direct Connect link. The on-premises network team confirms no issues with their internal network. The application uses jumbo frames on the on-premises side for optimized performance. The virtual interface on the AWS side is configured with a default MTU of 1500. Which of the following is the MOST likely cause of the increased latency?

A. The MTU on the virtual interface is set to 1500, causing fragmentation and reassembly delays.
B. The on-premises router has not configured BGP graceful restart for the Direct Connect session.
C. The cloud provider's routing table has not propagated the latest on-premises prefixes, causing traffic to take a suboptimal path.
D. The Direct Connect link bandwidth is oversubscribed, causing packet loss and retransmission delays.
Answer: A

The MTU mismatch forces fragmentation, increasing latency.

Why this answer

The application uses jumbo frames on-premises, but the AWS virtual interface defaults to an MTU of 1500. When packets larger than 1500 bytes traverse the Direct Connect link, they must be fragmented at the on-premises router and reassembled at the AWS side. This fragmentation and reassembly process introduces significant processing overhead and latency, which explains the reported slow performance.

Exam trap

The trap here is that candidates often overlook the MTU mismatch and instead focus on routing or bandwidth issues, not realizing that fragmentation and reassembly directly cause increased latency without necessarily causing packet loss.

How to eliminate wrong answers

Option B is wrong because BGP graceful restart is a feature that helps maintain routing stability during a control plane restart; it does not affect latency caused by MTU mismatch. Option C is wrong because if the cloud provider's routing table had not propagated the latest on-premises prefixes, traffic would likely be dropped or take a completely different path, not simply experience increased latency on the existing Direct Connect link. Option D is wrong because oversubscription would manifest as packet loss and retransmissions, not as the consistent increased latency described; the engineers specifically noted increased latency, not packet loss.

57
MCQ (medium)

A company uses a cloud provider's container orchestration service (e.g., EKS, AKS, GKE) to run a set of microservices. The current cluster uses three worker nodes, each of size m5.large (2 vCPU, 8 GB RAM). The operations team notices that CPU utilization on the worker nodes averages 80% during peak hours, and some pods are being evicted due to resource pressure. The team wants to ensure that the cluster can handle a 50% increase in traffic without performance degradation. Which action should the cloud architect take?

A. Configure horizontal pod autoscaling to scale out pods automatically
B. Create a new node pool using a larger instance type, such as m5.xlarge, and migrate the pods
C. Implement cluster autoscaler to add more nodes of the same type during peak
D. Reduce the CPU and memory requests in the pod specifications to allow more pods per node
Answer: B

Larger instances provide more resources per node, addressing the CPU pressure and accommodating traffic increase.

Why this answer

Option B is correct because the current nodes are already at 80% CPU utilization during peak hours, and a 50% traffic increase would push them to 120% utilization, causing severe performance degradation and pod evictions. Scaling to a larger instance type (m5.xlarge with 4 vCPU, 16 GB RAM) doubles the available resources per node, providing sufficient headroom to absorb the traffic spike without requiring additional nodes or architectural changes. This directly addresses the resource pressure by increasing the capacity per node, which is more efficient than scaling out horizontally when the existing node type is already saturated.

Exam trap

The trap here is that candidates often assume horizontal scaling (adding more nodes or pods) is always the answer, but when the existing node type is already saturated, vertical scaling (larger instance type) is required to provide the necessary per-node capacity to handle the increased load without performance degradation.

How to eliminate wrong answers

Option A is wrong because horizontal pod autoscaling (HPA) scales the number of pod replicas, but the underlying nodes are already at 80% CPU utilization; adding more pods would only worsen resource contention and evictions, as the nodes lack spare capacity. Option C is wrong because cluster autoscaler adds more nodes of the same type (m5.large), but each node only has 2 vCPU and 8 GB RAM; with 80% utilization already, adding more nodes would still result in each node being heavily loaded, and the 50% traffic increase would require many additional nodes, leading to inefficient resource usage and potential cost overruns. Option D is wrong because reducing CPU and memory requests allows more pods to be scheduled per node, but this does not increase actual node capacity; it only lowers the guaranteed resources, risking resource starvation and OOM kills when traffic spikes, as pods may exceed their reduced requests.

58
Multi-Select (medium)

Which THREE of the following are common causes of cloud resource provisioning failures?

Select 3 answers
A. Insufficient service quotas.
B. Policy restrictions (e.g., organization policies).
C. Exceeded resource limits (e.g., vCPU, memory).
D. Disk encryption settings.
E. Incorrect resource tagging.
Answers: A, B, C

Service quotas limit the number of resources that can be created.

Why this answer

Option A is correct because cloud providers enforce service quotas (e.g., AWS Service Quotas, Azure subscription limits, GCP project quotas) that cap the number of resources you can provision per region or account. When a provisioning request exceeds these quotas, the API call fails with an explicit error (e.g., AWS 'LimitExceeded' or Azure 'QuotaExceeded'). This is a common failure mode, especially in automated scaling or CI/CD pipelines.

Exam trap

CompTIA often tests the distinction between hard failures (quotas, policies, limits) and soft failures (tagging, encryption), where candidates mistakenly think metadata or encryption misconfigurations prevent provisioning when they actually only cause post-deployment issues.

59
Multi-Select (hard)

Which TWO of the following are valid methods for migrating on-premises virtual machines to a public cloud? (Choose two.)

Select 2 answers
A. Reinstall the OS and applications on new cloud instances.
B. Use a backup-and-restore method, creating a cloud instance from a backup.
C. Export the VM as an OVF and import it to the cloud.
D. Use a physical server migration tool that converts to a cloud image.
E. Use a hybrid cloud extension that replicates VMs live.
Answers: B, C

Backup software can create a cloud instance from a backup of the on-premises VM.

Why this answer

Options B and C are correct. Exporting the VM as an OVF and importing it to the cloud is a standard method. Using a backup-and-restore method (e.g., creating a cloud instance from a backup) is also valid.

Option D is wrong because physical-to-virtual (P2V) conversion is for physical machines, not VMs. Option A is wrong because reinstalling the OS and applications is a redeployment, not a migration. Option E is wrong because live replication is typically used for disaster recovery, not one-time migration, and may not be considered a migration method.

60
MCQ (hard)

A cloud instance fails to initialize. The cloud-init log shows the error above. Which of the following is the most likely cause?

A. The filesystem on /dev/xvdb1 is not formatted with a recognized filesystem.
B. The disk is not attached to the instance at all.
C. The partition table on /dev/xvdb1 is corrupted.
D. The launch template specifies a block device mapping that is not attached to the instance.
Answer: D

The device /dev/xvdb1 is present in the mapping but not attached, causing mount failure.

Why this answer

Option D is correct because the block device mapping in the launch template probably references a device that does not exist. Option A is incorrect because the error says 'No such device', not 'wrong filesystem'. Option B is incorrect because if the disk were not attached at all, the device would not appear in the mapping.

Option C is incorrect because a corrupted partition table would give a different error, such as 'invalid partition table'.

61
Multi-Select (hard)

A company experienced a security breach where an attacker gained access to an S3 bucket containing sensitive data. The investigation reveals that the bucket policy allowed public access. Which THREE measures should be implemented to prevent future occurrences?

Select 3 answers
A. Implement bucket policies that require requests to include specific IP address conditions.
B. Enable default encryption for all S3 buckets.
C. Enable S3 versioning to safeguard against accidental modifications.
D. Enable S3 Block Public Access at the account level.
E. Enable multi-factor authentication (MFA) for all IAM users.
Answers: A, C, D

Restricts access to trusted IPs.

Why this answer

Option A is correct because implementing bucket policies that require requests to include specific IP address conditions restricts access to the S3 bucket to only those requests originating from trusted IP ranges. This is a form of network-level access control that, when combined with other measures, helps prevent unauthorized public access by ensuring that even if the bucket policy is misconfigured, only traffic from approved networks can reach the bucket.

Exam trap

CompTIA often tests the distinction between access control measures (like IP restrictions and Block Public Access) and data protection features (like encryption and versioning), leading candidates to select encryption or MFA as solutions for a public access breach.

62
Multi-Select (easy)

Which TWO characteristics are essential for a cloud service to be considered as a true Infrastructure as a Service (IaaS) offering?

Select 2 answers
A. Customer has control over the guest operating system
B. Provider automatically applies OS security patches
C. Customer manages the underlying hypervisor
D. Provider performs automated backups of all customer data
E. On-demand self-service provisioning of virtual machines
Answers: A, E

IaaS gives customers control over the OS and applications.

Why this answer

Option A is correct because in IaaS, the customer retains control over the guest operating system, including its configuration, security, and installed applications. The provider manages the underlying physical infrastructure and hypervisor, but the customer is responsible for the OS layer, which is a defining characteristic of IaaS versus PaaS or SaaS.

Exam trap

CompTIA often tests the misconception that IaaS includes provider-managed OS patching or backups, confusing it with PaaS or managed services, but the core distinction is customer control over the guest OS and on-demand self-service provisioning.

63
MCQ (medium)

A cloud administrator is configuring a new virtual private cloud (VPC) and needs to ensure that traffic between web servers and database servers is restricted to only the necessary ports. Which security approach should the administrator implement?

A. Enable VPC flow logs to detect and block malicious traffic.
B. Configure a security group with inbound rules for the web tier and outbound rules for the database tier.
C. Create an IAM policy to restrict access between subnets.
D. Implement network ACLs with rules that allow only HTTP/HTTPS from web to database and block all other traffic.
Answer: D

Network ACLs are stateless and can be used to filter traffic between subnets at the VPC subnet boundary, with explicit allow/deny rules.

Why this answer

Network ACLs provide stateless filtering at the subnet level, allowing explicit allow/deny rules for inbound and outbound traffic. Security groups are stateful and operate at the instance level, but they are not as effective for subnet-level segmentation. IAM roles manage permissions for services, not traffic filtering.

Flow logs capture traffic information but do not restrict it.

64
MCQ (easy)

A company is migrating a web application to the cloud. The application requires low latency and high availability across multiple geographic regions. Which cloud deployment model BEST meets these requirements?

A. Public cloud
B. Private cloud
C. Hybrid cloud
D. Community cloud
Answer: A

Public cloud providers have multiple regions worldwide, enabling low latency and HA.

Why this answer

The public cloud model is the best fit because it offers globally distributed infrastructure (e.g., AWS Regions, Azure Availability Zones) that enables low-latency access and high availability through multi-region deployment. Public cloud providers natively support global load balancing (e.g., AWS Global Accelerator, Azure Traffic Manager) and auto-scaling across regions, meeting the application's requirements without the capital expense of building private infrastructure.

Exam trap

CompTIA often tests the misconception that hybrid cloud is always the best choice for multi-region deployments, but the trap here is that hybrid cloud adds unnecessary complexity and cost when the application can be fully served by the public cloud's native global infrastructure.

How to eliminate wrong answers

Option B (Private cloud) is wrong because it is typically deployed in a single on-premises or colocation facility, making it difficult to achieve low latency and high availability across multiple geographic regions without significant investment in private WAN links and redundant data centers. Option C (Hybrid cloud) is wrong because while it can span multiple locations, its primary purpose is to integrate on-premises and cloud resources, not to natively provide the global distribution and managed multi-region services needed for this use case. Option D (Community cloud) is wrong because it is designed for a specific group of organizations with shared compliance or regulatory concerns, not for optimizing global latency and availability for a single web application.

65
MCQ (hard)

A company uses a multi-account AWS organization with separate accounts for development, testing, and production. A developer in the development account needs to access an S3 bucket in the production account to retrieve log files for troubleshooting. The developer has an IAM user in the development account with full S3 permissions, and the production account's S3 bucket policy includes a statement that grants access to the root user of the development account. However, when the developer attempts to access the bucket using AWS CLI with their IAM user credentials, they receive an 'Access Denied' error. The security team has verified that there are no explicit deny policies in either account, and that the bucket policy is correctly configured. The administrator has confirmed that the developer's IAM user has permissions to perform S3 operations. Which of the following is the MOST likely cause of the access failure?

A. The developer's IAM user needs to be added to an IAM group in the production account.
B. The production account must have an IAM role with a trust policy that allows the development account to assume it.
C. A VPC peering connection must be established between the two accounts.
D. The developer should use the root user credentials of the development account to access the bucket.
Answer: B

An IAM role with a trust policy enables the developer to assume the role and access the bucket.

Why this answer

Cross-account S3 access typically requires the developer to assume an IAM role in the production account with a trust policy allowing the development account. The bucket policy granting access to the root user of the development account does not automatically grant access to IAM users in that account; the users must assume the role to get temporary credentials. Adding the user to a group in the target account is not possible across accounts.

Using root credentials is insecure. VPC peering addresses network connectivity, not IAM permissions.

66
Multi-Select (medium)

Which TWO metrics should be monitored to determine if a cloud database is experiencing a memory bottleneck?

Select 2 answers
A. Network bytes sent
B. Swap usage
C. Average disk queue length
D. Disk latency
E. Page faults per second
Answers: B, E

High swap usage indicates memory pressure.

Why this answer

Swap usage (B) is a direct indicator of memory pressure; when the operating system moves memory pages to disk, it signals that the database cannot fit its working set in RAM, causing severe performance degradation. Page faults per second (E) measures how often the database must retrieve memory pages from disk; a sustained high rate indicates the buffer pool is too small for the workload, confirming a memory bottleneck.

Exam trap

CompTIA often tests the distinction between memory-specific metrics (swap usage, page faults) and storage-related metrics (disk queue length, latency), trapping candidates who confuse high disk activity with memory pressure.

67
MCQ (easy)

A user reports that they cannot connect to an RDS database instance from their application. The security group for the RDS instance allows inbound traffic on port 3306 from the application server's security group. What should the administrator check NEXT?

A. IAM policy attached to the RDS instance
B. Network ACL rules for the RDS subnet
C. Route table entries for the RDS subnet
D. Outbound security group rules on the RDS instance
Answer: B

Network ACLs act as a firewall at subnet level and can block inbound traffic.

Why this answer

Option B is correct because network ACLs are stateless and may block traffic even if security groups allow it. Option D is wrong because security group outbound rules typically allow all traffic by default. Option C is less likely because, although route tables do apply to traffic within a VPC, the problem is more likely at the ACL layer.

Option A is wrong because IAM policies do not control network connectivity.

68
Multi-Select (hard)

A cloud administrator is troubleshooting a network connectivity issue between two VPCs connected via a VPC peering connection. The administrator has verified that the route tables are correct and that the security groups allow traffic. However, instances in VPC A cannot ping instances in VPC B. Which TWO of the following could be causing the issue? (Choose TWO.)

Select 2 answers
A. Network ACLs in VPC B are blocking inbound ICMP
B. Security groups in VPC A are blocking inbound ICMP
C. Host-based firewall on the target instance is blocking ping
D. VPC peering connection does not support ICMP
E. Route tables are misconfigured
Answers: A, C

Network ACLs are stateless; they must explicitly allow both inbound and outbound ICMP.

Why this answer

Network ACLs are stateless and must allow both inbound and outbound traffic; if they block ICMP, ping fails. Firewall rules within the guest OS can also block ping. Option B is wrong because security groups are stateful and would allow return traffic if outbound is allowed.

Option E is wrong because routing has already been verified. Option D is wrong because VPC peering carries ICMP like any other IP traffic and does not depend on an internet gateway.

69
MCQ (easy)

A cloud architect is designing a solution to ensure that data at rest in an object storage bucket is encrypted. The company requires that the encryption keys are managed by an on-premises hardware security module (HSM) to maintain control. Which encryption approach should the architect choose?

A. Server-side encryption with cloud-managed keys (SSE).
B. Client-side encryption using a local library.
C. Disable encryption at rest to rely on network encryption.
D. Server-side encryption with customer-provided keys (SSE-C).
Answer: B

Client-side encryption allows the customer to encrypt data with keys stored on-premises before transmission, maintaining full control.

Why this answer

Client-side encryption allows the customer to encrypt data before sending it to the cloud, using keys managed on-premises. Server-side encryption with cloud-managed keys would have the cloud provider control the keys, negating the requirement. SSE-C allows the customer to provide their own encryption keys, but the keys must be sent to the cloud each time, which may not satisfy the on-premises management requirement.

Client-side encryption ensures data is encrypted before leaving the on-premises environment.

70
MCQ (medium)

A cloud architect is designing a multi-tier web application that must handle sudden traffic spikes. The application layer is stateless, and the database layer is read-heavy with occasional writes. Which design best meets the requirement for elasticity and cost efficiency?

A. Use auto-scaling for the application tier and read replicas for the database
B. Implement auto-scaling for the database tier and use a larger application instance
C. Use a load balancer to distribute traffic to multiple database instances
D. Deploy large application and database instances to handle peak load
Answer: A

Auto-scaling handles stateless compute elasticity, read replicas scale database reads cost-effectively.

Why this answer

Option A is correct because auto-scaling the stateless application tier dynamically adds or removes instances based on CPU or request metrics, directly handling traffic spikes without over-provisioning. For the read-heavy database tier, read replicas offload SELECT queries from the primary database, improving read throughput and cost efficiency by scaling horizontally only when needed, while the primary handles occasional writes.

Exam trap

CompTIA often tests the misconception that auto-scaling applies equally to all tiers, but the trap here is that databases are stateful and require careful replication strategies (like read replicas) rather than simple instance scaling, and candidates may confuse load balancers with database replication mechanisms.

How to eliminate wrong answers

Option B is wrong because auto-scaling a database tier is complex and rarely used; databases are stateful and scaling them horizontally requires sharding or replication, not simple instance count changes, and using a larger application instance alone fails to handle spikes cost-effectively as it leads to over-provisioning. Option C is wrong because a load balancer distributing traffic to multiple database instances assumes all instances can handle writes, which breaks consistency unless a distributed database with consensus (e.g., Raft) is used; for a traditional RDBMS, this would cause split-brain or stale reads. Option D is wrong because deploying large instances to handle peak load is the opposite of elasticity—it wastes resources during low traffic and does not scale down, increasing costs without dynamic adjustment.

71
Drag & Drop (medium)

Order the steps to configure a load balancer to distribute traffic across multiple web servers.


Why this order

First create the target group, define health checks, then the load balancer, listeners, and finally associate the target group.

72
MCQ (hard)

A cloud administrator deploys a new application that writes logs to a block storage volume attached to a virtual machine. The application's performance degrades after a few hours. Monitoring shows that the volume's read latency is low, but write latency spikes periodically. The administrator discovers that the volume type is standard HDD. What should the administrator do to improve write performance without changing the application?

A. Migrate to a volume type with provisioned IOPS (SSD).
B. Increase the volume size to gain higher baseline IOPS.
C. Move the logs to an object storage service.
D. Enable write caching on the volume.
Answer: A

Provisioned IOPS SSD provides consistent high IOPS, eliminating write spikes.

Why this answer

Option A is correct because standard HDD has limited burst IOPS and sustained writes will degrade; provisioned IOPS SSD provides consistent performance. Option B is wrong because increasing HDD size raises the baseline IOPS but performance remains limited and burst-based. Option D is wrong because write caching on a data volume is not recommended and may cause data loss.

Option C is wrong because object storage is not block-level and may require application changes.

73
MCQ (easy)

A company is migrating its on-premises workload to a public cloud. The security team wants to ensure that all data transmitted between the on-premises network and the cloud VPC is encrypted in transit and that the connection uses dedicated bandwidth. Which of the following should the security team implement?

A. Attach an internet gateway to the VPC and use public IP addresses.
B. Use a NAT gateway to translate private IPs to public IPs.
C. Configure a site-to-site VPN between the on-premises network and the cloud VPC.
D. Set up a direct connection between the on-premises router and the cloud VPC.
Answer: C

A site-to-site VPN encrypts data in transit and can provide a secure tunnel over the internet, though it doesn't guarantee dedicated bandwidth.

Why this answer

Option C is correct because a site-to-site VPN creates an encrypted tunnel (using IPsec/IKE) over the public internet, ensuring data in transit is encrypted. However, the question also requires dedicated bandwidth, which a VPN does not provide—it shares internet bandwidth. The correct answer should be a dedicated connection like AWS Direct Connect or Azure ExpressRoute, but since the question states 'dedicated bandwidth' and the only option that provides encryption is the VPN, C is the best choice among the options given.

Exam trap

The trap here is that candidates often assume a direct connection (Option D) automatically provides encryption, but it only provides a private, dedicated link—encryption must be explicitly configured, whereas a VPN inherently encrypts but does not guarantee dedicated bandwidth.

How to eliminate wrong answers

Option A is wrong because an internet gateway with public IPs exposes the VPC directly to the internet, does not encrypt traffic, and uses shared public bandwidth, not dedicated. Option B is wrong because a NAT gateway only translates private IPs to public IPs for outbound traffic, does not encrypt data in transit, and does not provide dedicated bandwidth. Option D is wrong because a direct connection (e.g., AWS Direct Connect) provides dedicated bandwidth but does not inherently encrypt data in transit; encryption must be added separately (e.g., IPsec over Direct Connect).

74
MCQ (hard)

A multinational corporation runs a critical application on a private cloud hosted in their data center. The application uses virtual machines (VMs) that are attached to a storage area network (SAN) for block storage. The company is migrating the application to a public cloud IaaS model to reduce on-premises costs. The security team mandates that all data at rest in the cloud must be encrypted using customer-managed keys, and the cloud provider must not have access to the keys. The application requires low-latency block storage for a database. The storage must be replicated within the same region for availability. The cloud architect needs to choose a storage solution that meets these security and performance requirements. The cloud provider offers: (A) Object storage with server-side encryption using provider-managed keys. (B) Ephemeral instance storage with encryption at rest using provider-managed keys. (C) Persistent block storage volumes with encryption using customer-managed keys stored in the provider's key management service (KMS) integrated with hardware security modules (HSM). (D) Network file system (NFS) shares encrypted with customer-managed keys managed on-premises. Which option should the architect choose?

A. Object storage with server-side encryption using provider-managed keys.
B. Ephemeral instance storage with encryption at rest using provider-managed keys.
C. Network file system (NFS) shares encrypted with customer-managed keys managed on-premises.
D. Persistent block storage volumes with encryption using customer-managed keys stored in the provider's KMS/HSM.
Answer: D

Meets all requirements: block storage, persistent, encrypted with customer-managed keys, and provider cannot access keys.

Why this answer

Option D is correct because it provides persistent block storage for low-latency database needs, and the encryption uses customer-managed keys stored in the provider's KMS/HSM, ensuring the provider cannot access the keys (the keys are protected by the HSM and the customer retains control). Option A is wrong because object storage is not suitable for low-latency block storage, and the keys are provider-managed. Option B is wrong because ephemeral storage is not persistent and replication is not guaranteed; it also uses provider-managed keys.

Option C is wrong because NFS is file storage, not block storage, and managing keys on-premises would add latency and complexity.

75
Matching (medium)

Match each compute service to its description.


Emulated computer running an OS

Lightweight, isolated application environment

Event-driven code without server management

Physical server dedicated to a single tenant

Why these pairings

Compute options vary in isolation and management level.
