CompTIA Cloud+ CV0-004 (CV0-004) — Questions 676750

984 questions total · 14pages · All types, answers revealed

Page 9

Page 10 of 14

Page 11
676
MCQeasy

A cloud engineer is configuring a web application on AWS and needs to ensure that only HTTP and HTTPS traffic from the internet is allowed to reach the EC2 instances. Which AWS service should be used to control inbound traffic at the instance level?

A.Security Group
B.AWS Shield
C.AWS WAF
D.Network ACL
AnswerA

Security groups are stateful instance-level firewalls that can allow HTTP/HTTPS inbound traffic.

Why this answer

Security groups are stateful virtual firewalls that control inbound and outbound traffic at the instance level. Network ACLs operate at the subnet level and are stateless.

677
MCQmedium

A cloud architect is designing an auto-scaling policy for a web application. The application's traffic spikes predictably every weekday at 9 AM and decreases after 5 PM. Which scaling policy is most cost-effective?

A.Step scaling policy that adds instances when CPU > 70%
B.Simple scaling policy with a cooldown of 300 seconds
C.Scheduled scaling policy that increases capacity at 8:45 AM and decreases at 5:15 PM
D.Target tracking policy with a target CPU of 50%
AnswerC

Scheduled scaling aligns capacity with predictable traffic patterns, optimizing cost.

Why this answer

Scheduled scaling can add capacity before 9 AM and remove it after 5 PM, aligning capacity with predictable patterns without reacting to real-time metrics.

678
MCQeasy

A cloud administrator notices that a web application is experiencing intermittent latency spikes. The application runs on a load-balanced set of virtual machines in a public cloud. Which of the following should the administrator investigate FIRST?

A.Verify that the VMs are in the same availability zone.
B.Inspect the network ACLs for any recent changes.
C.Check the load balancer health checks to ensure all instances are healthy.
D.Review the application logs for errors or performance issues.
AnswerD

Application logs can reveal slow queries, resource contention, or code errors that cause intermittent latency.

Why this answer

Option D is correct because intermittent latency spikes in a load-balanced web application are most effectively diagnosed by first reviewing application logs for errors or performance issues. Application logs can reveal slow database queries, memory exhaustion, or code-level bottlenecks that cause latency, which is the most direct source of evidence before investigating network or infrastructure components.

Exam trap

CompTIA often tests the principle of starting with the most direct evidence (application logs) rather than jumping to network or infrastructure checks, trapping candidates who assume latency must be a network issue.

How to eliminate wrong answers

Option A is wrong because VMs in the same availability zone do not prevent latency spikes; in fact, placing all VMs in one zone increases risk of zone failure and does not address intermittent performance issues. Option B is wrong because network ACLs are stateless and changes would typically cause consistent connectivity failures or denials, not intermittent latency spikes. Option C is wrong because load balancer health checks only verify instance reachability and basic responsiveness, not application-level performance; healthy instances can still suffer from internal latency issues.

679
MCQmedium

A company uses a public cloud PaaS service to run a custom application. They need to ensure the application can handle increased load without downtime. Which action should they take?

A.Deploy a load balancer in front of the application
B.Move to IaaS to gain more control over scaling
C.Configure auto-scaling for the PaaS service
D.Upgrade the underlying virtual machines manually
AnswerC

Auto-scaling adjusts resources automatically based on demand.

Why this answer

Configuring auto-scaling for the PaaS service allows it to automatically add instances based on load, ensuring high availability without manual intervention.

680
Multi-Selectmedium

Which TWO of the following are benefits of a multi-cloud strategy? (Select exactly two.)

Select 2 answers
A.Reduces data transfer costs
B.Ensures regulatory compliance in all regions
C.Avoids vendor lock-in
D.Improves disaster recovery by allowing failover across providers
E.Simplifies management by using a single cloud provider
AnswersC, D

Multi-cloud allows portability and reduces dependency on a single provider.

Why this answer

Option C is correct because a multi-cloud strategy distributes workloads across multiple cloud providers (e.g., AWS, Azure, GCP), which prevents dependency on a single vendor's proprietary services, APIs, and pricing models. This avoids vendor lock-in, giving organizations the flexibility to migrate workloads or negotiate better terms without being forced to use a specific provider's ecosystem.

Exam trap

Cisco often tests the misconception that multi-cloud reduces costs or simplifies management, when in reality it increases complexity and data transfer expenses, while the primary benefits are avoiding vendor lock-in and improving disaster recovery resilience.

681
MCQmedium

A company is migrating its on-premises application to the cloud and wants to ensure high availability across multiple geographic regions. The application consists of stateless web servers and a stateful database. Which architecture should the company implement?

A.Active-passive web servers in two regions with a single database in the primary region
B.Active-active web servers in two regions with read replicas in each region
C.Active-active web servers in two regions with a multi-region database replication
D.Active-active web servers in one region with a standby database in another region
AnswerC

Multi-region replication allows failover for both reads and writes.

Why this answer

Option C is correct because the application requires high availability across multiple geographic regions for both stateless web servers and a stateful database. Active-active web servers in two regions ensure traffic distribution and failover, while multi-region database replication (e.g., using synchronous or asynchronous replication such as MySQL Group Replication or Aurora Global Database) keeps the stateful database synchronized across regions, enabling read/write capabilities and automatic failover without data loss.

Exam trap

CompTIA often tests the misconception that read replicas alone provide high availability for a stateful database, but candidates must remember that read replicas are read-only and cannot handle writes, so they do not ensure full database availability during a primary failure.

How to eliminate wrong answers

Option A is wrong because a single database in the primary region creates a single point of failure; if the primary region fails, the database becomes unavailable, breaking high availability. Option B is wrong because read replicas are read-only and cannot handle write operations; if the primary database fails, writes cannot be processed, so the stateful database is not fully highly available. Option D is wrong because active-active web servers in one region cannot survive a regional outage; the standby database in another region is passive and requires manual or automated failover, which introduces downtime and potential data loss.

682
MCQmedium

A security administrator is configuring a web application firewall (WAF) to protect against SQL injection attacks. Which WAF feature should be enabled?

A.Geo-blocking
B.Rate limiting
C.OWASP rule set
D.DDoS protection
AnswerC

OWASP rules include SQL injection detection/prevention.

Why this answer

OWASP rules include protections against SQL injection, XSS, and other common web vulnerabilities.

683
Multi-Selectmedium

A company is migrating a legacy stateful application to the cloud. The application currently runs on a single server and stores session data locally. To enable horizontal scaling, which two design changes should the architect recommend? (Select TWO.)

Select 2 answers
A.Add more storage to the existing instance
B.Implement sticky sessions on the load balancer
C.Move session state to a shared database or cache
D.Use a larger instance type for the application server
E.Refactor the application to be stateless
AnswersC, E

Externalizing session state allows any instance to serve any user.

Why this answer

To horizontally scale a stateful application, session data must be externalized (e.g., to a database or cache) and the application should be designed to be stateless so any instance can handle any request.

684
MCQmedium

An organization uses multiple cloud providers and wants to centralize secrets management. Which solution would best meet this requirement?

A.Azure Key Vault
B.AWS Secrets Manager
C.HashiCorp Vault
D.Google Cloud Secret Manager
AnswerC

Vault is cloud-agnostic and supports multiple backends.

Why this answer

HashiCorp Vault is a multi-cloud secrets management solution that can store and rotate secrets across different providers.

685
MCQeasy

A cloud architect is designing a serverless application on AWS Lambda. The function needs to process messages from an SQS queue. Which event trigger should be configured for the Lambda function?

A.API Gateway
B.SQS trigger
C.S3 bucket event
D.EventBridge rule
AnswerB

Correct. Lambda can be triggered directly from SQS.

Why this answer

AWS Lambda can be triggered by SQS messages. By configuring an SQS trigger, Lambda automatically polls the queue and invokes the function with each message.

686
MCQmedium

An organization uses a cloud-based monitoring service to track CPU utilization across a fleet of virtual machines. The administrator notices that one VM consistently shows 100% CPU utilization at the same time each day. Which of the following should the administrator do NEXT?

A.Add the VM to an auto scaling group to distribute the load
B.Immediately increase the VM size to accommodate the peak
C.Check the VM's local task scheduler for any jobs running during the peak times
D.Scan the VM for malware that might be causing the activity
AnswerC

Scheduled tasks could be the cause of the recurring CPU spike.

Why this answer

Option C is correct because the consistent daily spike in CPU utilization at the same time strongly suggests a scheduled task or cron job is triggering the load. Checking the VM's local task scheduler (e.g., Task Scheduler on Windows or cron on Linux) is the logical first step to identify the specific process causing the spike before taking any remediation actions.

Exam trap

The trap here is that candidates may jump to scaling or security responses (auto scaling, resizing, malware scan) without first performing basic troubleshooting to identify the predictable, recurring process causing the CPU spike.

How to eliminate wrong answers

Option A is wrong because adding the VM to an auto scaling group does not distribute the load within a single VM; auto scaling adds or removes instances horizontally, which would not address a local process consuming 100% CPU on one VM. Option B is wrong because immediately increasing the VM size (vertical scaling) is a reactive, costly approach that does not identify the root cause; the administrator should first investigate what is causing the spike. Option D is wrong because while malware can cause high CPU usage, the predictable daily pattern at the same time is more indicative of a scheduled job than malware, which typically exhibits random or persistent activity.

687
Multi-Selectmedium

A cloud architect is designing a CI/CD pipeline for a containerized application. The pipeline must include stages for building, testing, and deploying to a Kubernetes cluster. Which TWO of the following are common stages in a CI/CD pipeline for containerized applications? (Select TWO.)

Select 2 answers
A.Monitoring
B.Alerting
C.Build
D.Source
E.Capacity planning
AnswersC, D

Build stage compiles code and creates container image.

Why this answer

Source, build, test, deploy, and verify are common stages. Monitoring and alerting are not pipeline stages; capacity planning is not a stage.

688
MCQeasy

A cloud engineer is configuring encryption for data stored in an S3 bucket. The company requires that encryption keys be managed by the organization, not the cloud provider. Which encryption option should be used?

A.SSE-KMS
B.SSE-S3
C.SSE-C
D.Client-side encryption
AnswerC

SSE-C allows the customer to supply and manage their own keys.

Why this answer

SSE-C (Server-Side Encryption with Customer-Provided Keys) allows the organization to manage their own encryption keys while AWS handles the encryption and decryption process. The customer provides the encryption key in each request, and AWS discards the key after the operation, ensuring the cloud provider never stores the key. This meets the requirement that keys be managed by the organization, not the cloud provider.

Exam trap

The trap here is that candidates confuse SSE-KMS with customer-managed keys, but KMS keys are still managed by AWS as a service, whereas SSE-C requires the customer to provide the key directly with each request, giving the organization full control.

How to eliminate wrong answers

Option A (SSE-KMS) is wrong because AWS Key Management Service (KMS) manages the keys, meaning the cloud provider retains control over key lifecycle and policies, which does not satisfy the requirement for organization-managed keys. Option B (SSE-S3) is wrong because Amazon S3 manages the encryption keys entirely, with no customer control or visibility into key material. Option D (Client-side encryption) is wrong because encryption occurs on the client side before data is sent to S3, which is a different approach than server-side encryption and does not involve AWS handling the encryption process; the question specifies configuring encryption for data stored in an S3 bucket, implying server-side encryption.

689
MCQeasy

A company is migrating its on-premises e-commerce application to a public cloud provider. The application consists of a web tier, an application tier, and a database tier. The cloud architect has designed a three-tier architecture using virtual machines (VMs) in a virtual private cloud (VPC). During the deployment, the web servers are placed in a public subnet, the application servers in a private subnet, and the database servers in a separate private subnet. All security groups and network ACLs have been configured to allow the required traffic. After deploying the application, the operations team reports that the web servers cannot communicate with the application servers. The web servers are able to reach the internet, and the application servers can be reached from the operations team's management bastion host. Which of the following is the MOST likely cause of the issue?

A.The route table associated with the web servers' subnet is missing a route to the application servers' subnet.
B.The web servers do not have a route to the internet gateway.
C.The network ACL on the application servers' subnet is blocking inbound traffic from the web servers.
D.The security group on the web servers is blocking outbound traffic to the application servers.
AnswerA

Correct: Without a route to the private subnet, traffic is dropped.

Why this answer

The web servers are in a public subnet with a route table that typically includes a default route (0.0.0.0/0) pointing to an internet gateway, enabling internet access. However, for the web servers to reach the application servers in a private subnet, the route table associated with the web servers' subnet must also contain a route to the destination CIDR block of the application servers' subnet, pointing to a local route or a virtual private cloud (VPC) peering connection. Without this explicit route, traffic from the web servers to the application servers is dropped because the route table does not know how to forward packets to that subnet, even though security groups and network ACLs are correctly configured.

Exam trap

CompTIA often tests the misconception that security groups or network ACLs are the primary cause of connectivity issues between subnets, when in reality the missing route in the subnet's route table is the root cause, especially when internet access works but inter-subnet communication fails.

How to eliminate wrong answers

Option B is wrong because the web servers can already reach the internet, which means they have a valid route to the internet gateway (0.0.0.0/0 via IGW), so the issue is not a missing internet gateway route. Option C is wrong because the network ACL on the application servers' subnet is stateless and must allow both inbound and outbound traffic; if it were blocking inbound traffic from the web servers, the operations team's management bastion host (which is in a different subnet) would also likely be blocked, but the bastion host can reach the application servers, indicating the network ACL is not the issue. Option D is wrong because the security group on the web servers controls inbound traffic to the web servers, not outbound traffic; outbound traffic from the web servers is controlled by the security group on the web servers' outbound rules, but the problem states all security groups have been configured to allow required traffic, and the web servers can reach the internet (which requires outbound rules), so outbound rules are not blocking traffic to the application servers.

690
MCQmedium

A cloud administrator is configuring encryption for data at rest in a cloud storage service. The administrator wants to use a key that is generated and managed by the cloud provider but stored in the customer's account. Which key management option is being described?

A.Customer-supplied keys (SSE-C)
B.No encryption
C.Cloud provider-managed keys (SSE-S3)
D.Customer-managed keys (CMK)
AnswerD

CMKs are generated and managed by the provider but stored in the customer's account, providing more control.

Why this answer

Cloud-managed keys (CMK) are generated and managed by the cloud provider but stored in the customer's account, giving the customer control over key usage. Cloud provider-managed keys (SSE-S3) are fully managed by the provider.

691
Multi-Selectmedium

A cloud operations team is setting up log-based alerting for security events. They want to use structured logging to facilitate querying. Which TWO practices support effective log-based alerting? (Choose TWO.)

Select 2 answers
A.Enable verbose logging for all services
B.Centralize logs in a log management system
C.Use random log formats for different applications
D.Send all logs to syslog servers
E.Output logs in JSON format
AnswersB, E

Centralization allows correlation and alerting across all sources.

Why this answer

Structured logging (JSON) makes logs machine-parseable and easier to query. Using a centralized logging platform enables search and alerting across all logs. Verbose logging generates noise.

Random log formats hinder querying. Syslog is not structured.

692
MCQmedium

A cloud load balancer is not distributing traffic evenly to backend servers. All servers pass health checks. Which of the following is the most likely cause?

A.The health check interval is set too long.
B.One of the backend servers has reached its connection limit.
C.Session persistence is enabled and directing traffic to specific servers.
D.The health check path is incorrect.
AnswerC

Sticky sessions bind clients to a server, causing imbalance.

Why this answer

Option A is correct because session persistence (sticky sessions) can cause uneven distribution. Option B is incorrect because health checks pass. Option C is incorrect as capacity is sufficient.

Option D is incorrect because health check interval affects removal, not distribution.

693
MCQeasy

A cloud administrator notices that a storage bucket in a cloud object storage service is publicly accessible. The bucket contains sensitive customer data. What is the most likely cause of this issue?

A.The bucket policy or ACL was set to allow public access.
B.The bucket has versioning enabled.
C.The bucket has a lifecycle policy to transition objects to archival storage.
D.The bucket is using server-side encryption with customer-provided keys.
AnswerA

Misconfigured permissions are the typical cause of public buckets.

Why this answer

Option B is correct because misconfigured bucket policies or ACLs often lead to public access. Option A is wrong because encryption does not affect access control. Option C is wrong because versioning does not cause public access.

Option D is wrong because lifecycle policies do not change access permissions.

694
MCQhard

A cloud administrator runs the `iostat` command on a Linux VM experiencing slow performance. Based on the exhibit, what is the most likely bottleneck?

A.Disk I/O is saturated.
B.Network bandwidth is limited.
C.CPU is overloaded.
D.Memory is insufficient.
AnswerA

High %iowait and disk utilization indicate I/O bottleneck.

Why this answer

The `iostat` command reports CPU and I/O statistics. The exhibit shows high `%util` (e.g., 99.9%) and elevated `await` or `svctm` values, indicating that the disk device is operating at or near its maximum capacity. This means the disk I/O subsystem is saturated, causing requests to queue and slowing overall VM performance.

Exam trap

The trap here is that candidates may misinterpret high `%util` as a CPU bottleneck because `iostat` also displays CPU stats, but the question specifically asks about the bottleneck indicated by the exhibit, which clearly points to disk I/O saturation.

How to eliminate wrong answers

Option B is wrong because `iostat` does not measure network bandwidth; network issues would be diagnosed with tools like `netstat`, `ss`, or `iperf`. Option C is wrong because `iostat` shows CPU statistics (e.g., `%user`, `%system`), and if the CPU were overloaded, those values would be high while disk `%util` might remain low; the exhibit indicates disk saturation, not CPU exhaustion. Option D is wrong because insufficient memory would manifest as high swap usage or out-of-memory (OOM) events, not as high disk `%util`; memory issues are diagnosed with `free`, `vmstat`, or `top`.

695
Multi-Selectmedium

A cloud engineer is planning a database migration from an on-premises Oracle database to Amazon RDS for PostgreSQL. The migration must minimize downtime and preserve ongoing changes. Which TWO services should the engineer consider using together? (Choose two.)

Select 2 answers
A.AWS DataSync
B.AWS Snowball
C.AWS Database Migration Service (DMS)
D.Amazon S3 Transfer Acceleration
E.AWS Schema Conversion Tool (SCT)
AnswersC, E

DMS supports full load and CDC for minimal downtime migration.

Why this answer

AWS DMS can migrate data and replicate ongoing changes using CDC, while the Schema Conversion Tool can convert the Oracle schema to PostgreSQL.

696
MCQeasy

A cloud administrator wants to troubleshoot network connectivity issues between two VPCs. Which AWS feature provides detailed logs of IP traffic for analysis?

A.AWS CloudTrail
B.VPC Route Tables
C.AWS CloudWatch Logs
D.VPC Flow Logs
AnswerD

VPC Flow Logs capture metadata of network traffic for troubleshooting.

Why this answer

VPC Flow Logs capture information about IP traffic going to and from network interfaces in a VPC. CloudTrail logs API calls. CloudWatch Logs is for application logs.

Route Tables define routing rules but don't log traffic.

697
MCQmedium

A company is migrating 200 TB of archival data from on-premises storage to Amazon S3. The network bandwidth is limited to 100 Mbps. Which AWS service should be used to accelerate the transfer and reduce the migration time?

A.AWS DataSync
B.AWS Snowball
C.S3 Transfer Acceleration
D.AWS Direct Connect
AnswerB

Correct. Snowball accelerates transfer by shipping storage devices, bypassing network limitations.

Why this answer

AWS Snowball is a physical device for offline data transfer. For large datasets with limited bandwidth, Snowball can transfer data faster by shipping the device, bypassing network constraints.

698
MCQmedium

A company wants to optimize cloud costs by identifying underutilized EC2 instances. Which AWS service provides rightsizing recommendations?

A.AWS Trusted Advisor
B.AWS Cost Explorer
C.AWS Budgets
D.AWS Compute Optimizer
AnswerD

Compute Optimizer provides rightsizing recommendations based on utilization.

Why this answer

AWS Compute Optimizer analyzes resource utilization and provides recommendations to reduce cost and improve performance. AWS Cost Explorer is for cost visualization. AWS Trusted Advisor provides general best practice checks but not specific rightsizing.

AWS Budgets is for budget alerts.

699
Multi-Selectmedium

A cloud operations team is analyzing a security incident in which an unauthorized user accessed a storage bucket. The bucket was configured with public access. Which three best practices should the team implement to prevent such incidents in the future? (Select THREE).

Select 3 answers
A.Enable access logging and monitor logs.
B.Enable encryption on the storage bucket.
C.Implement least privilege access policies.
D.Enable versioning on the bucket.
E.Use bucket policies to deny all public access.
AnswersA, C, E

Correct. Logging provides visibility into access patterns and aids in detecting anomalies.

Why this answer

Enabling access logging (e.g., AWS S3 server access logs or Azure Storage analytics logs) allows the team to record all requests made to the bucket, including the requester, IP address, and action. Monitoring these logs with a SIEM or log analysis tool helps detect unauthorized access attempts early, providing forensic evidence and enabling proactive threat response. This is a critical detective control for security incidents.

Exam trap

Cisco often tests the distinction between detective controls (logging, monitoring) and preventive controls (policies, IAM), and candidates mistakenly choose encryption or versioning as access control mechanisms when they serve different security objectives.

700
Multi-Selectmedium

Which TWO factors should be considered when choosing a cloud deployment model (public, private, hybrid)? (Select TWO.)

Select 2 answers
A.Number of monitors connected to the server
B.Data sensitivity and classification
C.Compliance requirements (e.g., GDPR, HIPAA)
D.Brand of physical servers used
E.Color of server racks in the data center
AnswersB, C

Sensitive data may require private cloud for tighter control.

Why this answer

Data sensitivity and classification (B) are critical because public cloud providers operate a shared responsibility model where the customer retains control over data classification and access policies, while the provider manages the infrastructure. Highly sensitive data (e.g., PII, trade secrets) often mandates a private or hybrid model to maintain strict network isolation and encryption at rest/in transit. Compliance requirements (C) such as GDPR or HIPAA impose legal obligations on data residency, audit logging, and breach notification, which may restrict the use of certain public cloud regions or require dedicated hardware, directly influencing the deployment model choice.

Exam trap

CompTIA often tests the misconception that physical hardware attributes (brand, color, monitor count) influence cloud deployment decisions, when in fact the choice is driven solely by data governance, compliance, and operational requirements.

701
MCQmedium

A cloud administrator needs to apply security patches to a fleet of 50 Linux servers running on AWS without interrupting business hours. Which approach should the administrator use to schedule patching during a maintenance window?

A.Use AWS Systems Manager Patch Manager with a maintenance window
B.Create a Lambda function that stops instances, patches them, and restarts
C.Manually SSH into each server and run yum update
D.Use AWS Config to apply patch baselines
AnswerA

Patch Manager automates patching and respects maintenance windows.

Why this answer

AWS Systems Manager Patch Manager allows defining maintenance windows for automated patching, minimizing disruption.

702
MCQeasy

An organization wants to audit all API calls made in their AWS account. Which AWS service should be enabled to capture these logs?

A.Amazon CloudWatch
B.AWS Trusted Advisor
C.AWS CloudTrail
D.AWS Config
AnswerC

CloudTrail records all API calls in the AWS account.

Why this answer

AWS CloudTrail records API activity for governance, compliance, and auditing.

703
MCQmedium

A DevOps team sets up a CI/CD pipeline for a containerized application on Kubernetes. They want to test a new version with a small subset of users before full rollout. Which deployment method should they use?

A.Canary
B.Recreate
C.Rolling update
D.Blue/green
AnswerA

Canary sends a small percentage of traffic to the new version for testing.

Why this answer

A canary deployment releases the new version to a small subset of users (e.g., 5-10% of traffic) while the rest continue using the stable version. This allows the team to monitor performance, errors, and user feedback before gradually increasing the rollout. Kubernetes supports canary deployments natively through techniques like multiple Deployments with shared labels and service mesh traffic splitting (e.g., Istio or Linkerd).

Exam trap

CompTIA often tests the distinction between canary and rolling update by implying that rolling updates can also target a subset of users, but rolling updates replace pods gradually across the entire cluster without user-based traffic splitting.

How to eliminate wrong answers

Option B (Recreate) is wrong because it terminates all existing pods before creating new ones, causing full downtime and no ability to test with a subset of users. Option C (Rolling update) is wrong because it gradually replaces pods but does not allow fine-grained traffic splitting to a specific user subset; all users eventually receive the new version during the update. Option D (Blue/green) is wrong because it runs two full environments and switches all traffic at once, which does not provide a gradual, user-subset testing phase.

704
Multi-Selecthard

A DevOps team is designing a CI/CD pipeline for a cloud-native application. They require a deployment strategy that supports traffic shifting in small increments and automatic rollback based on health checks. Which TWO strategies meet these requirements?

Select 2 answers
A.Rolling deployment
B.Recreate deployment
C.Immutable deployment
D.Canary deployment
E.Blue/green deployment
AnswersD, E

Canary shifts traffic incrementally and supports automated rollback based on monitoring.

Why this answer

Canary deploys traffic incrementally and can auto-rollback; blue/green switches all at once but can also roll back by switching back to the old environment.

705
MCQeasy

A cloud administrator sets up a monitoring alarm to trigger when CPU utilization exceeds 90% for 5 minutes. The alarm uses a period of 5 minutes and an evaluation period of 1. The alarm does not trigger even though CPU spikes above 90% for several minutes. What is the most likely cause?

A.The monitoring service does not support CPU utilization.
B.The alarm's evaluation period is set to 2 periods.
C.The alarm's statistic is set to 'Average', which smooths out short spikes.
D.The alarm action is not configured.
AnswerC

The 5-minute average might not exceed 90% if the spike is not sustained for most of the period.

Why this answer

Option C is correct because the average statistic smooths out the spike. Options A, B, and D are incorrect or not the cause.

706
MCQmedium

A company uses a cloud-based object storage service to store backups. The backups must be retained for seven years to meet compliance requirements. Which storage tier should be used to minimize cost while meeting the retention requirement?

A.Archival storage with a minimum retention period of 90 days.
B.Cold storage with a retrieval time of several hours.
C.Infrequent access storage with a retrieval fee.
D.Standard storage with life-cycle policies to delete after seven years.
AnswerB

Correct. Cold storage offers low cost for long-term retention, and retrieval time is acceptable for backup restoration.

Why this answer

Option B is correct because cold storage (e.g., Amazon S3 Glacier Deep Archive or Azure Blob Storage Cool/Archive tier) offers the lowest cost for long-term retention while still allowing retrieval within several hours, which is acceptable for backup compliance. The seven-year retention requirement exceeds the typical 90-day minimum for archival tiers, but cold storage has no such minimum and is optimized for data accessed less than once a year, making it the most cost-effective choice.

Exam trap

The trap here is that candidates often confuse 'archival storage' (which has a 90-day minimum and higher retrieval costs) with 'cold storage' (which has no minimum and lower storage costs), leading them to choose Option A instead of B.

How to eliminate wrong answers

Option A is wrong because archival storage with a 90-day minimum retention period (e.g., Amazon S3 Glacier) would incur early deletion fees if data is deleted before 90 days, but the requirement is to retain for seven years, not delete early; however, the key issue is that archival storage is typically more expensive than cold storage for long-term retention and may have higher retrieval costs. Option C is wrong because infrequent access storage (e.g., Amazon S3 Standard-IA) is designed for data accessed less frequently but still has higher storage costs than cold storage and includes retrieval fees, making it less cost-effective for seven-year retention with rare access. Option D is wrong because standard storage (e.g., Amazon S3 Standard) is the most expensive tier and using lifecycle policies to delete after seven years does not minimize cost during the retention period; the data would incur high storage costs for the entire seven years before deletion.

707
MCQmedium

A company is deploying a containerized microservices application on a cloud platform. The operations team needs to manage secrets, such as database credentials and API keys, securely without embedding them in container images. Which solution should they use?

A.Include secrets in the container image at build time and encrypt the image
B.Use a cloud-native secrets management service to inject secrets at runtime
C.Encrypt secrets and store them in a cloud storage bucket
D.Store secrets as environment variables in the container orchestration platform
AnswerB

Provides secure storage and access control.

Why this answer

Option C is correct because a dedicated secrets management service (e.g., AWS Secrets Manager, Azure Key Vault) securely stores and rotates secrets, and containers can retrieve them at runtime via API. Option A is wrong because environment variables in the orchestration platform may expose secrets in logs. Option B is wrong because encrypted configuration files in a storage bucket still require key management.

Option D is wrong because storing secrets in the image build process is insecure.

708
MCQmedium

A company uses AWS and wants to optimize costs by receiving recommendations to downsize over-provisioned EC2 instances. Which tool provides rightsizing recommendations?

A.AWS Budgets
B.AWS Trusted Advisor
C.AWS Cost Explorer
D.AWS Compute Optimizer
AnswerD

Compute Optimizer uses machine learning to recommend optimal instance types based on utilization.

Why this answer

AWS Compute Optimizer analyzes instance configurations and utilization to provide rightsizing recommendations, helping reduce costs by downsizing underutilized instances.

709
MCQeasy

A company has a policy that all cloud resources must be tagged with 'CostCenter' and 'Project' tags. The cloud operations team uses a monitoring tool to alert when untagged resources are created. The team receives an alert for a new EC2 instance that lacks the required tags. The instance was launched two hours ago by a DevOps engineer who is on leave. The instance is critical for production. What should the administrator do to resolve the compliance violation?

A.Terminate the instance immediately and launch a new one with proper tags.
B.Apply the required tags to the existing instance using the cloud provider's console or CLI.
C.Ignore the alert because the instance is critical and the engineer will fix it when back.
D.Modify the tag policy to exempt instances launched by senior engineers.
AnswerB

Tagging can be applied post-creation; this resolves the compliance issue without affecting operations.

Why this answer

Option B is correct because the compliance violation is the absence of required tags, not a problem with the instance itself. The administrator can use the AWS Management Console, CLI (e.g., `aws ec2 create-tags`), or SDK to apply the 'CostCenter' and 'Project' tags to the existing EC2 instance without disrupting its operation. This resolves the alert and maintains production continuity.

Exam trap

Cisco often tests the misconception that a compliance violation requires resource recreation (Option A), when in fact tagging is a non-disruptive metadata operation that can be applied to existing resources.

How to eliminate wrong answers

Option A is wrong because terminating a critical production instance causes unnecessary downtime and data loss; tagging is a metadata operation that does not require recreation. Option C is wrong because ignoring the alert violates the company's tagging policy and leaves the resource non-compliant, which could affect cost allocation and auditing. Option D is wrong because modifying the policy to exempt certain users undermines the governance objective and sets a dangerous precedent; the policy should be enforced uniformly.

710
MCQmedium

An organization uses Azure and wants to ensure that only authenticated users from its on-premises Active Directory can access cloud resources. The company has Azure AD Connect set up and wants to enable single sign-on (SSO) for cloud applications. Which federation standard should be used?

A.Kerberos
B.OAuth 2.0
C.SAML
D.OpenID Connect
AnswerC

SAML enables federation and SSO between identity providers and service providers.

Why this answer

SAML (Security Assertion Markup Language) is the correct federation standard because it enables browser-based single sign-on (SSO) by exchanging authentication and authorization assertions between an identity provider (on-premises Active Directory via Azure AD Connect) and a service provider (cloud applications). SAML 2.0 is specifically designed for federated identity scenarios where users authenticate on-premises and gain access to cloud resources without re-entering credentials.

Exam trap

The trap here is that candidates confuse OAuth 2.0 or OpenID Connect as the default for all SSO scenarios, but the question specifically describes a traditional on-premises AD federation with browser-based cloud applications, which is the classic SAML use case.

How to eliminate wrong answers

Option A is wrong because Kerberos is a network authentication protocol that uses tickets and is designed for on-premises environments, not for federated SSO across cloud boundaries; it cannot pass assertions to cloud applications. Option B is wrong because OAuth 2.0 is an authorization framework, not an authentication protocol; it does not provide identity assertions or user authentication information by itself. Option D is wrong because OpenID Connect is built on top of OAuth 2.0 for authentication but is primarily used for modern web and mobile applications with RESTful APIs, not for the traditional browser-based SAML federation pattern that Azure AD Connect uses for SSO with on-premises AD.

711
Multi-Selecteasy

Which TWO are advantages of using containers over virtual machines? (Select TWO.)

Select 2 answers
A.Better hardware isolation
B.Less overhead because they share the host OS kernel
C.Requires a hypervisor to run
D.Larger resource consumption
E.Faster startup time
AnswersB, E

Shared kernel reduces memory and CPU overhead.

Why this answer

Option B is correct because containers share the host operating system kernel, eliminating the need for a separate guest OS per instance. This reduces overhead significantly compared to virtual machines, which each require their own full OS, leading to more efficient use of system resources.

Exam trap

CompTIA often tests the misconception that containers provide stronger isolation than VMs, when in fact VMs offer better security boundaries due to hardware-level virtualization.

712
MCQeasy

A cloud engineer needs to troubleshoot network connectivity issues between two subnets. Which feature can help capture and analyze network traffic metadata?

A.Amazon Inspector
B.AWS Config
C.VPC Flow Logs
D.AWS CloudTrail
AnswerC

Flow Logs capture information about IP traffic going to and from network interfaces.

Why this answer

VPC Flow Logs capture IP traffic metadata for analysis.

713
Matchingmedium

Match each troubleshooting command to its function.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Test network connectivity

Trace path to destination

Query DNS records

Display network connections and ports

Transfer data using various protocols

Why these pairings

Common CLI tools for network troubleshooting.

714
MCQmedium

A company's compliance policy requires that all virtual machine (VM) instances must have security patches applied within 30 days of release. The cloud environment automatically deploys VMs from a golden image. Which strategy would BEST ensure compliance without manual intervention?

A.Use a configuration management tool like Ansible to apply patches on boot.
B.Schedule a nightly job to scan each VM for missing patches and apply them.
C.Update the golden image with the latest patches and redeploy all VMs from it.
D.Install a patch management server and configure VMs to update from it on startup.
AnswerC

This ensures that any VM provisioned from the image is compliant at launch, meeting the 30-day requirement.

Why this answer

Regularly updating the golden image and using it to create new VMs ensures that all new instances are patched within the required timeframe. Automated patch scanning per instance is reactive and may not enforce the golden image. Using a configuration management tool to apply patches after VM creation can work but may cause a delay; updating the golden image is proactive and ensures consistency.

A patch management server is good but not as comprehensive as updating the baseline.

715
MCQmedium

A cloud administrator notices that a security group rule allowing SSH (port 22) from any IP address (0.0.0.0/0) was created for a Linux server. The server is used for administrative purposes only. Which security best practice should be applied to reduce the attack surface?

A.Disable password authentication and use SSH keys only
B.Change the SSH port to a non-standard port
C.Add a deny rule for SSH in the network ACL
D.Restrict the source IP address to the company's public IP range
AnswerD

This limits SSH access to trusted IPs only.

Why this answer

Restricting the source IP address to the company's public IP range (option D) directly reduces the attack surface by limiting SSH access to only trusted administrative networks. This is the most effective security best practice because it prevents unauthorized external hosts from even attempting to connect to port 22, regardless of authentication method or port obscurity. In cloud environments like AWS, security group rules are stateful and evaluated before any packet reaches the instance, making source IP restriction a fundamental layer of defense.

Exam trap

The trap here is that candidates often confuse authentication hardening (option A) or port obfuscation (option B) with network-layer access control, failing to recognize that the most fundamental security best practice is to limit the source IP range to trusted administrative networks.

How to eliminate wrong answers

Option A is wrong because disabling password authentication and using SSH keys only addresses authentication strength, not the exposure of SSH to the entire internet; an attacker can still attempt to exploit SSH service vulnerabilities or perform brute-force attacks on the key exchange. Option B is wrong because changing the SSH port to a non-standard port relies on security through obscurity, which does not prevent automated scanners or targeted attackers from discovering the open port; it also complicates management and may violate compliance policies. Option C is wrong because adding a deny rule for SSH in the network ACL (NACL) is redundant and less effective than a security group rule; NACLs are stateless and require explicit allow rules for return traffic, and the existing security group rule allowing 0.0.0.0/0 would still permit inbound SSH traffic unless the NACL is properly configured, but the best practice is to restrict the source at the security group level.

716
MCQhard

An organization is designing a VPC with public and private subnets. The web servers must be accessible from the internet, but database servers must not. The architecture also requires high availability across two Availability Zones. What is the minimum number of public subnets and private subnets needed?

A.Two public, two private
B.One public, two private
C.Two public, one private
D.One public, one private
AnswerA

Each AZ gets a public and a private subnet.

Why this answer

For high availability across two AZs, you need at least two public subnets (one per AZ) and two private subnets (one per AZ).

717
MCQeasy

An Azure administrator runs the command and gets the output shown. The virtual machine 'web-01' is not accessible over the network. Which of the following is the MOST likely reason?

A.The VM name is incorrect.
B.The VM is stopped and deallocated.
C.The VM failed to provision.
D.The VM is in the wrong region.
AnswerB

PowerState shows deallocated, so the VM is not running.

Why this answer

The command output shows the VM 'web-01' with a 'PowerState' of 'Stopped (deallocated)'. When a VM is deallocated, it releases its assigned public IP and underlying compute resources, making it unreachable over the network. The VM must be in a 'Running' state to accept network traffic.

Exam trap

Cisco often tests the distinction between 'Stopped' (VM retains resources and private IP) and 'Stopped (deallocated)' (VM releases all resources and IP), leading candidates to assume any stopped VM is still reachable.

How to eliminate wrong answers

Option A is wrong because the VM name 'web-01' is correctly displayed in the output, so an incorrect name is not the issue. Option C is wrong because the VM shows a 'ProvisioningState' of 'Succeeded', indicating provisioning completed successfully. Option D is wrong because the VM's region is listed as 'eastus' in the output, and being in a different region does not prevent network access; it only affects latency and regional services.

718
MCQmedium

A company is designing a disaster recovery plan for its cloud infrastructure. The primary site is in US-East, and the DR site is in US-West. The RPO is 15 minutes, and the RTO is 2 hours. Which replication strategy best meets these requirements at the lowest cost?

A.Scheduled nightly backups to DR
B.Asynchronous replication from primary to DR
C.Synchronous replication between sites
D.No replication; manual failover
AnswerB

Asynchronous replication achieves near-real-time RPO with lower cost and bandwidth requirements.

Why this answer

Asynchronous replication sends data changes from the primary site to the DR site with minimal delay, typically within seconds to minutes, which meets the 15-minute RPO. It does not require the low-latency link that synchronous replication demands, making it more cost-effective for geographically separated sites. The 2-hour RTO is achievable because the DR site can be activated quickly from the replicated data, without the overhead of restoring from backups.

Exam trap

CompTIA often tests the misconception that synchronous replication is always better for DR, but the trap here is that the 15-minute RPO allows asynchronous replication, which is far more cost-effective across long distances than the expensive low-latency links required for synchronous replication.

How to eliminate wrong answers

Option A is wrong because scheduled nightly backups cannot achieve a 15-minute RPO; the backup window is too long, and recovery from backups would likely exceed the 2-hour RTO due to restore time. Option C is wrong because synchronous replication requires very low latency between sites (typically under 5-10 ms round-trip) to avoid application performance impact, and the distance between US-East and US-West introduces latency that makes this impractical and expensive (dedicated high-bandwidth circuits). Option D is wrong because no replication means no data is copied to the DR site, so manual failover would result in data loss exceeding the RPO and recovery time far beyond the RTO.

719
MCQmedium

A company is deploying a stateful application that requires persistent storage. They are using Kubernetes. Which resource should they create to ensure data persists across pod restarts?

A.Deployment
B.Secret
C.PersistentVolumeClaim
D.ConfigMap
AnswerC

PVC provides persistent storage that survives pod restarts.

Why this answer

A PersistentVolumeClaim (PVC) is the correct resource because it abstracts the underlying storage details and allows a pod to request persistent storage that survives pod restarts. When a pod is recreated, the PVC ensures the same volume is reattached, preserving application state. This is essential for stateful applications in Kubernetes, as pods are ephemeral by default.

Exam trap

The trap here is that candidates confuse a Deployment's ability to manage replicas with data persistence, overlooking that a Deployment alone does not guarantee storage survival across pod restarts without an explicit PVC.

How to eliminate wrong answers

Option A is wrong because a Deployment manages stateless replicas and does not inherently provide persistent storage; it can use PVCs but is not a storage resource itself. Option B is wrong because a Secret is used to store sensitive data like passwords or tokens, not for persistent application data. Option D is wrong because a ConfigMap is designed for non-sensitive configuration data (e.g., environment variables or config files) and does not persist across pod restarts as a volume.

720
MCQeasy

Which cloud deployment model involves using services from multiple public cloud providers to avoid vendor lock-in and leverage best-of-breed solutions?

A.Public cloud
B.Hybrid cloud
C.Private cloud
D.Multi-cloud
AnswerD

Multi-cloud uses multiple public clouds to avoid vendor lock-in.

Why this answer

Multi-cloud is the use of multiple public cloud providers to gain flexibility and avoid dependency on a single vendor.

721
MCQmedium

A company wants to minimize cloud costs for a batch processing job that runs for a few hours each night and can be interrupted. Which pricing model is most appropriate?

A.Dedicated hosts
B.On-demand instances
C.Spot instances
D.Reserved instances
AnswerC

Spot instances are low-cost but can be reclaimed.

Why this answer

Spot/preemptible instances offer significant discounts but can be terminated if capacity is needed elsewhere, suitable for fault-tolerant and interruptible workloads.

722
Multi-Selectmedium

Which TWO of the following are valid considerations when deploying a virtual machine in a cloud environment? (Choose two.)

Select 2 answers
A.The log retention policy
B.The password complexity requirements
C.The instance size and family
D.The number of virtual CPUs assigned to the hypervisor
E.The type of storage (SSD or HDD)
AnswersC, E

Instance size determines vCPU, memory, and cost.

Why this answer

Option C is correct because the instance size and family directly determine the virtual machine's compute capacity, including vCPUs, memory, and network performance. Selecting the appropriate size and family ensures the workload has sufficient resources without over-provisioning, which is a fundamental deployment consideration in cloud environments like AWS EC2 or Azure VMs.

Exam trap

CompTIA often tests the distinction between VM-level deployment decisions (instance size, storage type) and post-deployment or hypervisor-level configurations (log retention, password policies, hypervisor vCPU assignment) to catch candidates who confuse operational settings with provisioning choices.

723
MCQmedium

A company is adopting a CI/CD pipeline using Jenkins to deploy a web application. The pipeline must include steps to compile code, run unit tests, package the application, deploy to a test environment, and then deploy to production. Which pipeline stage should be configured immediately after the build stage?

A.Verify
B.Test
C.Deploy to production
D.Source
AnswerB

Testing follows building to ensure code quality before deployment.

Why this answer

In a typical CI/CD pipeline, after build (compile) comes test (e.g., unit tests) to validate the code before proceeding to deploy.

724
MCQeasy

A company's cloud environment has experienced a sudden spike in network traffic, causing a critical application to become unresponsive. Which of the following is the FIRST step the cloud administrator should take to address this issue?

A.Restart the application server to restore service.
B.Analyze the network traffic logs to identify the source of the spike.
C.Contact the cloud provider to report the issue.
D.Increase the bandwidth for the affected application.
AnswerB

Log analysis is the first step in troubleshooting to understand the cause of the spike.

Why this answer

Option D is correct because the first step in troubleshooting is to identify the problem, which involves analyzing traffic logs. Option A is wrong because increasing resources without understanding the cause can waste resources. Option B is wrong because contacting the provider should be done after internal diagnosis.

Option C is wrong because restarting may resolve symptoms but not the root cause.

725
MCQhard

An organization uses a cloud management platform (CMP) to orchestrate resources across multiple cloud providers. The CMP has a policy that automatically terminates any VM that exceeds 85% CPU utilization for more than 15 minutes. The operations team receives complaints that some VMs are being terminated while performing legitimate batch processing jobs. What should the operations team do to resolve this issue?

A.Create a separate VM group with a different policy that allows higher CPU for longer.
B.Disable the automatic termination policy.
C.Add an exclusion list for known batch processing VMs.
D.Increase the CPU threshold to 95% and extend the duration to 30 minutes.
AnswerC

Excluding specific VMs allows the policy to remain effective while protecting batch jobs.

Why this answer

Option C is correct because it allows the operations team to exclude known batch processing VMs from the automatic termination policy without disabling the policy entirely or altering its thresholds. This approach maintains the policy's protective intent for other VMs while accommodating legitimate workloads that require sustained high CPU utilization. Cloud management platforms typically support exclusion lists or tags to selectively apply or bypass policies based on VM metadata or resource groups.

Exam trap

Cisco often tests the candidate's ability to recognize that modifying thresholds (Option D) or creating new groups (Option A) are overly complex or insufficient solutions, while disabling the policy (Option B) is too drastic, and the correct answer is a targeted exclusion mechanism that preserves the original policy's intent.

How to eliminate wrong answers

Option A is wrong because creating a separate VM group with a different policy adds administrative overhead and may not integrate seamlessly with the existing CMP policy structure, potentially leading to policy conflicts or gaps in coverage. Option B is wrong because disabling the automatic termination policy entirely removes protection against runaway processes or resource abuse for all VMs, which could lead to cost overruns or performance degradation across the environment. Option D is wrong because increasing the CPU threshold to 95% and extending the duration to 30 minutes does not guarantee that batch processing VMs will not be terminated, as some legitimate batch jobs may still exceed even these relaxed limits, and it also reduces the policy's effectiveness for other VMs that should be terminated under the original criteria.

726
Multi-Selecthard

A cloud security team is investigating a potential data breach. Which THREE actions should be taken immediately?

Select 3 answers
A.Delete all logs to prevent further evidence exposure
B.Isolate the affected systems from the network
C.Capture a forensic snapshot of the affected storage
D.Notify all users via email
E.Preserve logs and system state
AnswersB, C, E

Isolation contains the breach and prevents lateral movement.

Why this answer

Isolating affected systems from the network (B) is a critical immediate action to contain a potential data breach. This prevents lateral movement by an attacker and stops further data exfiltration, aligning with incident response best practices such as NIST SP 800-61. In a cloud environment, this could involve applying a security group rule to deny all traffic or disconnecting a virtual network interface.

Exam trap

CompTIA often tests the misconception that deleting logs or notifying all users immediately is a valid first response, when in fact containment and evidence preservation are the top priorities.

727
MCQmedium

A load balancer log entry shows the above for a request. What is the MOST likely cause of the 504 error?

A.The DNS resolution for the domain name has failed.
B.The backend server took too long to respond to the request.
C.The requested resource does not exist on the backend server.
D.The load balancer's health check is misconfigured.
AnswerB

The 30s response time exceeds typical timeouts, causing the gateway to timeout.

Why this answer

A 504 Gateway Timeout error from a load balancer indicates that the load balancer sent the request to a backend server but did not receive a timely response. The load balancer has a configured timeout value (often 30-120 seconds), and if the backend server fails to respond within that window, the load balancer terminates the connection and returns a 504. This is the most common cause of 504 errors in load-balanced environments.

Exam trap

CompTIA often tests the distinction between 502 (bad gateway, often DNS or upstream connection failure) and 504 (gateway timeout, upstream response delay), and candidates mistakenly attribute 504 errors to health check failures or DNS issues.

How to eliminate wrong answers

Option A is wrong because a DNS resolution failure would typically result in a 502 Bad Gateway error (the load balancer cannot resolve the backend server's hostname) or a 503 Service Unavailable, not a 504 timeout. Option C is wrong because a missing resource on the backend server would return a 404 Not Found response from the backend itself, which the load balancer would forward to the client; the load balancer does not generate a 504 for missing resources. Option D is wrong because a misconfigured health check would cause the load balancer to mark the backend as unhealthy and stop sending traffic to it, resulting in a 503 Service Unavailable error, not a 504 timeout.

728
MCQeasy

A cloud administrator runs a deployment script that creates multiple resources using Infrastructure as Code (IaC). The script fails with a "400 Bad Request" error when attempting to create a storage account. Which troubleshooting step should the administrator take first?

A.Check the network connectivity to the cloud API endpoint.
B.Increase the timeout value for the API call.
C.Review the error message details for a specific validation error.
D.Verify that the script has the correct region parameter.
AnswerC

The first step is to examine the error message to identify the invalid parameter.

Why this answer

Option C is correct because a 400 error indicates a client error, so the first step is to examine the error details to understand what parameter is invalid. Option A is wrong because 400 is not a network error (would be 5xx). Option B is wrong but plausible; however, the error message would specify the exact issue.

Option D is wrong because timeouts result in different errors.

729
MCQmedium

A systems administrator notices that an application is slow to respond. They want to analyze the latency of individual requests across microservices. Which tool should they use?

A.AWS X-Ray
B.CloudWatch Logs
C.VPC Flow Logs
D.AWS CloudTrail
AnswerA

X-Ray provides end-to-end tracing for request latency.

Why this answer

Distributed tracing tools like AWS X-Ray help identify latency across services.

730
MCQhard

A cloud engineer is configuring an auto-scaling group with a lifecycle hook to run a custom script when instances are launched. The script installs software and registers the instance with a load balancer. The engineer wants to ensure the instance does not receive traffic until the script completes successfully. What should the engineer do?

A.Set the lifecycle hook to 'terminating:wait' to delay termination.
B.Use a lifecycle hook with a 'pending:wait' state and then send a 'complete-lifecycle-action' signal after the script succeeds.
C.Configure the load balancer health check to fail until the script runs.
D.Configure the launch configuration with a user-data script that runs after the instance is in service.
AnswerB

This pauses the instance in a pending state until the custom action completes, preventing traffic until ready.

Why this answer

Lifecycle hooks pause the instance launch process until you complete an action and notify the auto-scaling group to continue. By setting the hook to 'pending:wait', the instance remains in a pending state and does not become healthy until you send a 'complete-lifecycle-action' signal.

731
MCQeasy

Refer to the exhibit. An administrator runs the command shown and receives the output. The administrator wants to ensure the VM uses SSDs for the OS disk. Based on the output, what is the current storage type?

A.Premium SSD (Premium_LRS)
B.Ultra Disk (UltraSSD_LRS)
C.Standard HDD (Standard_LRS)
D.Standard SSD (StandardSSD_LRS)
AnswerA

Correct; Premium_LRS indicates premium SSD.

Why this answer

The output shows the OS disk is using `Premium_LRS` as the storage account type, which corresponds to Premium SSD. This is confirmed by the `storageAccountType` field in the JSON output, indicating the disk is backed by solid-state drives with premium performance characteristics.

Exam trap

CompTIA often tests the distinction between storage account type names and their corresponding hardware (e.g., confusing `StandardSSD_LRS` with `Premium_LRS`), leading candidates to overlook the exact string in the output and assume any SSD type is correct.

How to eliminate wrong answers

Option B is wrong because Ultra Disk (UltraSSD_LRS) is a separate storage type that offers higher IOPS and lower latency but is not shown in the output; the output explicitly lists `Premium_LRS`. Option C is wrong because Standard HDD (Standard_LRS) uses magnetic spinning disks, not SSDs, and would appear as `Standard_LRS` in the output. Option D is wrong because Standard SSD (StandardSSD_LRS) is a different tier that uses SSDs but with lower performance than Premium SSD; the output shows `Premium_LRS`, not `StandardSSD_LRS`.

732
MCQmedium

A company is deploying a global web application and wants to reduce latency for users around the world. The application serves static content (images, CSS) and dynamic API responses. Which combination of services should the architect use?

A.CDN for static content and a global load balancer with latency-based routing for dynamic content
B.CDN for all content without backend routing
C.A single load balancer in one region with a CDN
D.DNS round-robin for both static and dynamic content
AnswerA

CDN reduces latency for static files; latency-based routing directs dynamic requests to the nearest region.

Why this answer

CDN caches static content at edge locations, reducing latency. For dynamic content, a global load balancer with latency-based routing directs users to the closest region. DNS alone cannot reduce latency for dynamic content.

A single load balancer does not provide global distribution.

733
Multi-Selectmedium

A company is deploying a web application using Azure Kubernetes Service (AKS). The deployment manifest includes a probe to check if the application is ready to serve traffic. Which TWO types of probes can be used to determine pod health in Kubernetes? (Select TWO.)

Select 2 answers
A.Secret probe
B.Liveness probe
C.Startup probe
D.Readiness probe
E.ConfigMap probe
AnswersB, D

Indicates whether the container is running; restarts if fails.

Why this answer

Readiness and liveness probes are used for health checking. Startup probes are also available but less common. ConfigMap and Secret are not probes.

734
MCQeasy

Which of the following is the cloud provider's responsibility under the shared responsibility model?

A.Encrypting data stored in cloud resources
B.Configuring identity and access management policies
C.Securing the physical data center
D.Patching guest operating systems
AnswerC

Physical security is always provider's responsibility.

Why this answer

The cloud provider is responsible for physical infrastructure, hypervisor, and global network. Customer manages OS, apps, IAM, data, and network security groups.

735
MCQeasy

A startup is deploying a web application on a public cloud and expects variable traffic throughout the day. The team wants to minimize costs while ensuring that the application can handle sudden spikes in demand. Which scaling strategy best meets these requirements?

A.Auto scaling based on CPU utilization thresholds
B.Horizontal scaling using a fixed schedule
C.Vertical scaling during off-peak hours
D.Manual scaling based on historical data
AnswerA

Auto scaling adjusts resources dynamically to meet demand.

Why this answer

Auto scaling based on CPU utilization thresholds is the correct strategy because it dynamically adjusts the number of compute instances in response to real-time demand, ensuring the application can handle sudden spikes while minimizing costs during low-traffic periods. This approach aligns with the startup's requirement for variable traffic and cost efficiency, as it only provisions resources when needed, unlike fixed schedules or manual interventions that cannot react to unpredictable spikes.

Exam trap

CompTIA often tests the misconception that vertical scaling is more cost-effective than horizontal scaling, but the trap here is that vertical scaling requires downtime and has a hard limit on instance size, making it unsuitable for handling sudden, unpredictable spikes in a cost-minimizing, variable-traffic scenario.

How to eliminate wrong answers

Option B is wrong because horizontal scaling using a fixed schedule cannot handle sudden spikes that occur outside the scheduled times, leading to either over-provisioning during low demand or under-provisioning during unexpected surges. Option C is wrong because vertical scaling during off-peak hours involves resizing an existing instance (e.g., increasing vCPUs or RAM), which requires downtime and cannot react to real-time spikes, plus it is limited by the maximum size of a single instance. Option D is wrong because manual scaling based on historical data relies on human intervention, which introduces latency and cannot respond to sudden, unpredictable spikes in demand, making it unsuitable for a startup needing automated, cost-effective scaling.

736
Multi-Selecteasy

A cloud engineer is using Terraform to manage infrastructure. They need to store the state file remotely for team collaboration and to enable state locking. Which TWO of the following backends support state locking? (Select TWO.)

Select 2 answers
A.Consul backend
B.Local file system
C.HTTP backend
D.Azure Blob Storage with blob lease
E.Amazon S3 with DynamoDB for locking
AnswersD, E

Azure Blob Storage uses lease mechanism for locking.

Why this answer

Terraform backends like S3 (with DynamoDB), Azure Blob Storage, and GCS support state locking for safe concurrent operations.

737
MCQhard

Refer to the exhibit. A cloud administrator sees this log after a nightly backup job. Which of the following is the most likely cause of the timeout?

A.The volume has a high I/O load during the snapshot.
B.The volume is attached to an instance that is powered off.
C.The snapshot target region is unreachable.
D.The backup agent is not installed.
AnswerA

High I/O can slow snapshot creation and cause timeouts.

Why this answer

The log indicates a timeout during a nightly backup job that involves creating a snapshot. A high I/O load on the volume during the snapshot process can cause the snapshot to take longer than the configured timeout threshold, as the snapshot must capture a consistent point-in-time state while the volume is actively being written to. This is a common issue in cloud environments where the snapshot process competes for disk resources, leading to delays that exceed the timeout limit.

Exam trap

Cisco often tests the misconception that a powered-off instance or missing backup agent is the root cause of snapshot timeouts, when in reality the most common cause is high I/O load on the volume during the snapshot operation.

How to eliminate wrong answers

Option B is wrong because if the volume is attached to an instance that is powered off, the snapshot would typically complete quickly without I/O contention, not cause a timeout. Option C is wrong because the snapshot target region being unreachable would result in a connectivity error (e.g., 'unreachable' or 'access denied'), not a generic timeout during the snapshot creation phase. Option D is wrong because the backup agent is not required for native cloud snapshot operations; snapshots are initiated by the cloud provider's API, not an agent installed on the instance.

738
Multi-Selecthard

A DevOps team is implementing an automated deployment pipeline for a cloud application. Which THREE steps are essential components of a continuous delivery pipeline? (Select THREE.)

Select 3 answers
A.Deploying to a staging environment for integration tests
B.Deploying to production automatically without approval
C.Monitoring and rollback capability
D.Source code compilation
E.Running unit tests
AnswersA, D, E

Staging allows integration testing in an environment similar to production before final deployment.

Why this answer

Option A is correct because deploying to a staging environment for integration tests is a core step in a continuous delivery pipeline. It validates that the application works correctly in an environment that mirrors production before any release decision is made, ensuring that integration and end-to-end tests can run safely without impacting live users.

Exam trap

CompTIA often tests the distinction between continuous delivery and continuous deployment, where candidates mistakenly select automatic production deployment as an essential step, but the question explicitly asks for continuous delivery, which requires a manual approval before production.

739
MCQmedium

A company uses a multi-cloud environment with AWS and Azure. They want to centralize log collection and enable advanced querying for troubleshooting. Which combination of services should they use?

A.AWS CloudTrail and Azure Monitor
B.AWS CloudWatch Logs and Azure Log Analytics
C.AWS S3 and Azure Blob Storage
D.AWS CloudWatch and Azure Application Insights
AnswerB

CloudWatch Logs collects logs from AWS resources; Azure Log Analytics does the same for Azure resources.

Why this answer

AWS CloudWatch Logs and Azure Log Analytics are the centralized logging services for each cloud. They can be aggregated using third-party tools, but the question asks for the native services to use. CloudWatch Logs for AWS, Log Analytics for Azure.

CloudTrail is for API auditing, not general log collection.

740
MCQmedium

A cloud engineer is troubleshooting an issue where users cannot connect to a web application hosted on a cloud VM. The VM's security group allows HTTP (port 80) from 0.0.0.0/0, and the VM's OS firewall is disabled. The engineer can ping the VM's public IP from the internet. What is the most likely cause of the issue?

A.OS firewall is blocking port 80
B.Incorrect routing table on the VM
C.Security group rule is applied to the wrong subnet
D.Web server service is not running on the VM
AnswerD

If the web server is not running, it won't respond on port 80, even though the network allows it.

Why this answer

Since the OS firewall is disabled and the security group allows HTTP from 0.0.0.0/0, the only remaining layer that could block connectivity is the application itself. If the web server service (e.g., Apache, Nginx, IIS) is not running on the VM, it will not listen on TCP port 80, so HTTP requests will be refused even though network-level access is permitted. The ability to ping the VM confirms IP-level reachability, isolating the issue to the application layer.

Exam trap

The trap here is that candidates assume a ping success implies all services are reachable, but ICMP (ping) operates at the network layer (Layer 3) and does not test TCP port availability, so a running web server is required for HTTP connectivity.

How to eliminate wrong answers

Option A is wrong because the OS firewall is explicitly stated as disabled, so it cannot be blocking port 80. Option B is wrong because routing tables on the VM control outbound traffic, not inbound connections to the VM; inbound traffic is handled by the cloud provider's virtual network and security groups. Option C is wrong because security groups are stateful and applied at the VM network interface level, not to subnets; even if the rule were misapplied, the VM's security group explicitly allows HTTP from 0.0.0.0/0, so this is not the cause.

741
Multi-Selecthard

An organization is migrating to AWS and wants to optimize costs for a production database that runs 24/7. Which TWO pricing models would provide the most cost savings while ensuring the database is not interrupted? (Select TWO.)

Select 2 answers
A.Dedicated hosts
B.On-demand instances
C.Reserved instances
D.Spot instances
E.Compute Savings Plans
AnswersC, E

Reserved instances offer up to 75% discount for 1- or 3-year terms, suitable for steady-state workloads.

Why this answer

Reserved instances provide significant discounts for steady-state workloads. On-demand is flexible but more expensive. Spot instances can be interrupted.

Savings Plans also offer discounts for committed use. Options A and C are correct.

742
MCQmedium

A cloud engineer is deploying a web application to a Kubernetes cluster. The application requires zero downtime during updates, and the team wants to test new versions with a small percentage of users before full rollout. Which deployment strategy should the engineer use?

A.Rolling deployment
B.Blue/green deployment
C.Canary deployment
D.Immutable deployment
AnswerC

Canary deploys the new version to a subset of users, enabling gradual traffic shift and monitoring.

Why this answer

A canary deployment routes a small percentage of traffic to the new version, allowing monitoring and automatic rollback if issues arise, meeting the requirements.

743
MCQhard

Refer to the exhibit. A cloud administrator deployed a Compute Engine instance in the default VPC. The instance has a public IP but cannot be accessed via SSH from the internet. The firewall rules allow ingress on port 22 from 0.0.0.0/0. What is the most likely cause?

A.The instance does not have a firewall tag matching the SSH rule.
B.The instance is not assigned to a service account.
C.The subnetwork does not have an external IP range.
D.The instance is running an incompatible OS.
AnswerA

If the SSH rule is targeted to a specific network tag that the instance lacks, the rule does not apply.

Why this answer

The most likely cause is that the instance does not have a firewall tag matching the SSH rule. In Google Cloud, firewall rules can be applied to target instances using network tags. Even if the rule allows ingress on port 22 from 0.0.0.0/0, it will only apply to instances that have the corresponding tag (e.g., 'allow-ssh').

Without the tag, the rule is not enforced on the instance, blocking SSH access despite the public IP.

Exam trap

Cisco often tests the misconception that a firewall rule allowing all traffic (0.0.0.0/0) automatically applies to all instances, but in Google Cloud, target tags must match for the rule to be effective.

How to eliminate wrong answers

Option B is wrong because a service account is not required for SSH access; it is used for API authentication and permissions, not for network connectivity. Option C is wrong because the subnetwork does not need an external IP range; the instance itself has a public IP, and the subnetwork's internal IP range is sufficient for routing. Option D is wrong because an incompatible OS would not prevent SSH access at the network level; the firewall rule and tag mismatch are the issue, not the OS.

744
MCQhard

A cloud administrator is deploying a critical application that requires the lowest possible latency between compute instances. The instances will be running in a private subnet and must communicate with each other using their private IP addresses. Which of the following deployment configurations would best meet these requirements?

A.Deploy instances in different Availability Zones within the same region.
B.Deploy instances in the same subnet behind a NAT gateway.
C.Deploy instances in different regions and use inter-region peering.
D.Deploy instances in a placement group within the same Availability Zone.
AnswerD

Placement groups ensure low latency and high throughput.

Why this answer

Deploying instances in a placement group within the same Availability Zone ensures they are physically close together, often in the same rack or cluster, which minimizes network hops and achieves the lowest possible latency. This configuration is ideal for latency-sensitive applications because it leverages non-blocking, high-bandwidth inter-instance communication without traversing additional network infrastructure.

Exam trap

The trap here is that candidates often assume distributing instances across Availability Zones improves performance due to high availability, but for latency-sensitive workloads, the physical proximity of a placement group within a single AZ is the correct choice, not fault tolerance.

How to eliminate wrong answers

Option A is wrong because deploying instances in different Availability Zones introduces additional network latency due to the physical separation and the need to traverse Availability Zone boundaries, even within the same region. Option B is wrong because placing instances behind a NAT gateway adds a network hop and processing overhead, which increases latency and is unnecessary for private subnet communication using private IPs. Option C is wrong because deploying instances in different regions and using inter-region peering incurs significant latency due to long-distance data transfer and is not suitable for low-latency requirements.

745
MCQhard

Refer to the exhibit. What action should the administrator take to bring the environment into compliance?

A.Modify the policy file to accept t2.large and t2.xlarge.
B.Ignore the compliance check because it is advisory.
C.Resize the non-compliant VMs to t2.medium.
D.Delete the non-compliant VMs.
AnswerC

Resizing brings VMs into compliance with the existing policy.

Why this answer

Option C is correct because the exhibit shows that the environment has a compliance policy requiring all VMs to be of type t2.medium, but two VMs are running as t2.large and t2.xlarge. Resizing the non-compliant VMs to t2.medium brings them into alignment with the policy, ensuring the environment meets the defined compliance standard. This action directly remediates the violation without unnecessary deletion or ignoring the check.

Exam trap

CompTIA often tests the misconception that compliance checks are merely advisory warnings, but in reality, they are enforceable policies that require active remediation to avoid audit failures or security risks.

How to eliminate wrong answers

Option A is wrong because modifying the policy file to accept t2.large and t2.xlarge would change the compliance standard rather than enforcing it, which defeats the purpose of the policy and could lead to resource over-provisioning or cost issues. Option B is wrong because compliance checks are not advisory; they are mandatory enforcement mechanisms in cloud governance frameworks, and ignoring a non-compliant state can result in security vulnerabilities or audit failures. Option D is wrong because deleting the non-compliant VMs is an overly aggressive action that would cause data loss and service disruption when a simple resize operation can achieve compliance without destroying resources.

746
MCQhard

An organization maintains a private cloud using OpenStack and also uses AWS for additional capacity. They have a critical application that must remain available even if one cloud provider goes offline. The application is deployed in both environments with active load balancing. Which cloud deployment model best describes this architecture?

A.Multi-cloud
B.Public cloud
C.Private cloud
D.Hybrid cloud
AnswerD

Hybrid cloud combines on-premises private cloud with public cloud.

Why this answer

The architecture uses both a private cloud (OpenStack) and a public cloud (AWS) with active load balancing to ensure availability even if one provider fails. This is the defining characteristic of a hybrid cloud, which integrates private and public cloud resources while maintaining orchestration between them.

Exam trap

Cisco often tests the distinction between hybrid cloud and multi-cloud by including a private cloud component in the scenario; candidates mistakenly choose multi-cloud when they see multiple providers, but hybrid cloud is correct when one of them is private.

How to eliminate wrong answers

Option A is wrong because multi-cloud refers to using multiple public cloud providers (e.g., AWS and Azure) without a private cloud component, whereas this scenario includes a private cloud. Option B is wrong because public cloud alone would not include the organization's private OpenStack infrastructure. Option C is wrong because private cloud alone would not include the AWS public cloud resources.

747
MCQhard

A security administrator needs to enforce least privilege for a Kubernetes cluster in a cloud environment. Which approach should be used to restrict permissions for pods that need to access the cloud provider's API?

A.Assign the pod a static cloud IAM user credential
B.Disable cloud API access for all pods
C.Use a service account with a role that has only the required permissions
D.Grant the pod cluster-admin privileges in Kubernetes
AnswerC

Service accounts provide secure, scoped access for pods.

Why this answer

Using a service account with a role that has minimal permissions and attaching it to the pod ensures least privilege for pod-to-cloud API access.

748
MCQmedium

A company uses AWS and wants to centralize security monitoring across multiple accounts. Which service should they use to aggregate security findings and check compliance against standards like CIS AWS Foundations?

A.AWS CloudTrail
B.Amazon GuardDuty
C.AWS Security Hub
D.AWS Config
AnswerC

Security Hub is designed for centralized security and compliance management.

Why this answer

AWS Security Hub aggregates security alerts from various AWS services and third-party tools, and provides compliance checks against standards like CIS, PCI DSS, and AWS Foundational Security Best Practices.

749
MCQeasy

A cloud administrator notices that a cloud-based application is running slowly. The administrator checks the cloud monitoring dashboard and sees that CPU utilization is at 95% for the application server. Which of the following should the administrator do first?

A.Add an additional network interface.
B.Scale out by adding another instance.
C.Reboot the server.
D.Increase the memory allocation.
AnswerB

Adding instances distributes the CPU load, alleviating the bottleneck.

Why this answer

Option D is correct because scaling out by adding another instance distributes the load, reducing CPU pressure. Option A provides only temporary relief. Option B may not help if the bottleneck is CPU.

Option C addresses network, which is not indicated as the issue.

750
MCQmedium

A cloud engineer is deploying a serverless function using AWS Lambda. The function needs to process messages from an SQS queue. Which event source should be configured to trigger the Lambda function?

A.Amazon S3
B.Amazon SQS
C.Amazon API Gateway
D.Amazon EventBridge
AnswerB

Lambda can poll SQS queue and process messages.

Why this answer

Lambda can be triggered by SQS, S3, API Gateway, etc. For SQS, the trigger is SQS. S3 triggers on object events; API Gateway for HTTP; EventBridge for events.

Page 9

Page 10 of 14

Page 11