CompTIA Cloud+ CV0-004 (CV0-004) — Questions 751825

984 questions total · 14pages · All types, answers revealed

Page 10

Page 11 of 14

Page 12
751
Multi-Selecteasy

Which TWO are common causes of virtual machine performance degradation in a cloud environment?

Select 2 answers
A.Misconfigured security groups
B.Insufficient memory allocation
C.Network latency to storage
D.Incorrect DNS settings
E.High CPU ready time
AnswersB, E

Causes swapping and slow performance.

Why this answer

Options A and D are correct. CPU ready time indicates contention, and insufficient memory causes swapping. B is incorrect because security groups affect connectivity, not performance.

C is partially true but network latency is less common than CPU/memory. E is incorrect as incorrect DNS causes resolution issues, not performance.

752
MCQeasy

A cloud administrator needs to automate the patching of operating systems on a fleet of EC2 instances. Which AWS service should be used?

A.AWS Update Manager
B.AWS Config
C.Amazon Inspector
D.AWS Systems Manager Patch Manager
AnswerD

Designed for automated patching.

Why this answer

AWS Systems Manager Patch Manager automates the process of patching managed nodes with both security-related and other types of updates. It uses a patch baseline to define which patches should be installed and can schedule patching across a fleet of EC2 instances, making it the correct service for this task.

Exam trap

The trap here is that candidates may confuse Amazon Inspector (which only identifies vulnerabilities) with a patching solution, or assume 'AWS Update Manager' is a real service because it sounds plausible, when in fact the correct service is AWS Systems Manager Patch Manager.

How to eliminate wrong answers

Option A is wrong because AWS Update Manager is not a real AWS service; the correct service for update management is AWS Systems Manager Patch Manager. Option B is wrong because AWS Config is a service for evaluating, auditing, and assessing the configurations of your resources against desired policies, not for automating patch installation. Option C is wrong because Amazon Inspector is a vulnerability management service that scans for software vulnerabilities and unintended network exposure, but it does not perform patching itself.

753
MCQmedium

A cloud engineer is deploying a Lambda function that processes events from an SQS queue. The function must be able to handle a burst of up to 1000 concurrent invocations. Which configuration should the engineer set to ensure the function can scale to meet this demand?

A.Set the function's reserved concurrency to 1000
B.Enable provisioned concurrency for the function
C.Configure SQS to batch messages in groups of 100
D.Set the function's unreserved account concurrency to 1000
AnswerA

Reserved concurrency guarantees capacity.

Why this answer

Lambda scales by increasing concurrency. The reserved concurrency sets a limit; burst concurrency is a regional limit. To handle 1000 concurrent, set reserved concurrency to at least 1000.

Unreserved account concurrency is shared.

754
MCQmedium

A company uses Azure and needs shared file storage accessible from multiple Linux VMs using standard file sharing protocols. Which storage type should they choose?

A.Azure Files
B.Azure Archive Storage
C.Azure Disk Storage
D.Azure Blob Storage
AnswerA

Azure Files offers fully managed file shares accessible via SMB and NFS.

Why this answer

Azure Files provides managed file shares accessible via SMB and NFS protocols.

755
MCQeasy

A cloud engineer notices that an application is running slower than expected. Monitoring shows that the CPU utilization is consistently below 30%, but memory usage is at 95%. Which of the following is the most likely cause of the performance issue?

A.Insufficient disk space for application logs
B.Insufficient memory causing swapping to disk
C.Network bandwidth saturation
D.CPU contention due to overprovisioning
AnswerB

Correct; high memory usage leads to swapping, slowing performance.

Why this answer

When memory usage is at 95% and CPU utilization is low, the system is likely thrashing—the operating system is forced to page memory to disk (swap) to free RAM. Disk I/O is orders of magnitude slower than RAM, so even with idle CPU, the application stalls waiting for swap operations. This explains the performance degradation despite low CPU load.

Exam trap

The trap here is that candidates often associate performance issues solely with CPU or network bottlenecks, overlooking the severe impact of memory exhaustion and disk swapping, which can masquerade as a slow application with ample CPU headroom.

How to eliminate wrong answers

Option A is wrong because insufficient disk space for logs would cause write failures or application crashes, not a gradual slowdown with high memory and low CPU. Option C is wrong because network bandwidth saturation would manifest as high latency or packet loss, not as high memory usage with low CPU. Option D is wrong because CPU contention due to overprovisioning would show high CPU ready times or steal time, not consistently low CPU utilization; overprovisioning typically leads to CPU starvation, not memory exhaustion.

756
MCQmedium

A cloud administrator is reviewing a security audit report that shows an instance has been sending outbound traffic to a known malicious IP address. The instance hosts a production application. Which action should the administrator take first?

A.Run an antivirus scan on the instance.
B.Immediately shut down the instance.
C.Isolate the instance by modifying the security group to deny all traffic.
D.Review the application logs to understand the traffic.
AnswerC

Containment is the first priority in incident response. Isolating via security group is quick and reversible.

Why this answer

Option C is correct because the first priority in a confirmed security incident is containment. Modifying the security group to deny all traffic immediately stops the outbound communication to the malicious IP, preventing data exfiltration or further compromise while preserving the instance for forensic analysis. This aligns with the incident response process, where isolation precedes investigation.

Exam trap

The trap here is that candidates may choose immediate shutdown (Option B) thinking it is the fastest containment method, but the exam emphasizes preserving forensic evidence and using network-level isolation (security groups) as the correct first step in incident response.

How to eliminate wrong answers

Option A is wrong because running an antivirus scan is a remediation step that should occur after containment; it does not stop ongoing malicious outbound traffic and may be ineffective against advanced threats. Option B is wrong because immediately shutting down the instance destroys volatile data (e.g., running processes, memory contents) that could be critical for forensic investigation, and it may cause unnecessary downtime for the production application. Option D is wrong because reviewing application logs is a post-containment investigative action; delaying containment to first review logs risks continued data exfiltration or lateral movement.

757
MCQmedium

During a security assessment, a cloud auditor discovers that a virtual machine has a publicly accessible SSH port (22) open to the entire internet (0.0.0.0/0). The VM is a bastion host intended for administration. What should be done to reduce risk?

A.Remove the security group rule for SSH and rely on the operating system firewall.
B.Disable SSH and use a serial console for administration.
C.Enable SSH key authentication and disable password login.
D.Remove the network security group rule allowing SSH from 0.0.0.0/0 and add a rule allowing only the corporate VPN's public IP range.
AnswerD

This restricts access to authorized users only.

Why this answer

Option C is correct because a bastion host should only be accessible from trusted IPs, typically the corporate VPN or a specific IP range. Option A is wrong because security groups are the proper tool. Option B is wrong because closing SSH externally would block administration.

Option D is wrong because disabling password auth alone does not limit access.

758
MCQeasy

A cloud administrator for a large e-commerce company receives an alert that the response time of the production web application has increased by 300% in the last hour. The application is deployed on a Kubernetes cluster with three worker nodes, each running multiple pods. The administrator checks the Kubernetes dashboard and notices that one of the worker nodes has a CPU utilization of 95%, while the other two nodes are at 40%. The pods on the overloaded node are experiencing resource throttling. The application uses a deployment with a replica count of 6, and all pods are currently running. The administrator needs to resolve the performance issue quickly and prevent future occurrences. Which of the following actions should the administrator take FIRST?

A.Increase the replica count from 6 to 12 to distribute load across more pods.
B.Add a new worker node to the cluster to increase overall capacity.
C.Cordon and drain the overloaded node to redistribute its pods to other nodes.
D.Modify the deployment to set resource requests and limits for CPU on all pods.
AnswerC

This immediately relieves the overloaded node and redistributes pods, restoring performance.

Why this answer

C is correct because the immediate symptom is an overloaded node (95% CPU) causing resource throttling on its pods. Cordon and drain the node to safely evict its pods, allowing the Kubernetes scheduler to redistribute them to the underutilized nodes (40% CPU), which quickly resolves the performance bottleneck without adding unnecessary resources or changing the deployment configuration.

Exam trap

The trap here is that candidates often choose to increase replica count or add nodes as a knee-jerk reaction to high CPU, but the correct first step is to isolate and redistribute the load from the overloaded node using cordon and drain, which directly addresses the immediate throttling without over-provisioning.

How to eliminate wrong answers

Option A is wrong because increasing the replica count from 6 to 12 would create more pods, but the overloaded node would still be at 95% CPU and the new pods might be scheduled onto the same node, worsening the throttling. Option B is wrong because adding a new worker node increases cluster capacity but is a slower, more disruptive action; the immediate issue can be resolved by redistributing existing pods to the two nodes with 40% CPU utilization. Option D is wrong because setting resource requests and limits is a preventive measure that should have been configured before deployment; it does not resolve the current performance issue and would require a rolling update, which takes time and does not immediately relieve the overloaded node.

759
MCQmedium

A company has a hybrid cloud environment with an on-premises data center and Microsoft Azure. The on-premises infrastructure includes a VPN gateway connected to an Azure virtual network via site-to-site VPN. The network team reports that traffic from on-premises to Azure is experiencing high latency and packet loss. The VPN tunnel status shows as connected. The team has verified that the on-premises firewall is not dropping packets. The Azure administrator checks the virtual network gateway metrics and sees high inbound packet drops and a high number of VPN tunnel rekeys. What is the MOST likely cause of the issue?

A.The on-premises VPN device does not support the same encryption algorithms.
B.The Azure virtual network has overlapping address space with on-premises.
C.There is a misconfiguration in the local network gateway address space.
D.The VPN gateway SKU is too small for the traffic volume.
AnswerD

Under-provisioned gateways drop packets under load and trigger rekeys due to timeouts.

Why this answer

Option A is correct because a VPN gateway SKU that is too small for the traffic volume causes packet drops and frequent rekeys, leading to high latency and loss. Option B is wrong because a misconfigured local network gateway address space would cause connectivity failure, not just high latency. Option C is wrong because mismatched encryption algorithms would prevent the tunnel from establishing or cause constant renegotiation, not just increased rekeys.

Option D is wrong because overlapping address spaces would cause routing conflicts and connectivity issues, not specifically packet drops and rekeys.

760
MCQmedium

A company is using Azure VMs and wants to centralize logs from multiple applications for security analysis. The logs must be retained for 2 years. Which Azure service should they use?

A.Azure Activity Log
B.Azure Application Insights
C.Azure Log Analytics
D.Azure Storage Analytics
AnswerC

Log Analytics centralizes logs and supports long retention.

Why this answer

Azure Log Analytics (now part of Azure Monitor) provides centralized log management and configurable retention up to 2 years (or more with archive).

761
Multi-Selecthard

A cloud administrator is troubleshooting a performance issue in a virtualized environment. Which TWO metrics should be monitored to identify CPU contention on the hypervisor?

Select 2 answers
A.Swap rate
B.CPU ready time
C.Memory ballooning
D.CPU utilization per core
E.CPU co-stopping time
AnswersB, E

CPU ready time is a direct indicator of CPU contention, as it measures the time a vCPU is waiting for physical CPU resources.

Why this answer

CPU ready time (B) measures the time a virtual machine is ready to execute but must wait for the hypervisor to schedule it on a physical core. High ready time directly indicates CPU contention, as the VM is being starved of CPU cycles. CPU co-stopping time (E) occurs when multiple vCPUs in a single VM must wait to be scheduled simultaneously, which also signals CPU overcommitment and contention on the hypervisor.

Exam trap

The trap here is that candidates confuse CPU utilization per core (which shows how busy the CPU is) with CPU ready time (which shows how long VMs are waiting), but high utilization alone does not prove contention—only ready and co-stop times directly measure scheduling delays.

762
Multi-Selectmedium

A company is migrating its on-premises database to a cloud-based managed database service. The database is currently 500 GB and is expected to grow by 10% monthly. Which TWO factors should the company consider when selecting the storage type?

Select 2 answers
A.Backup frequency and retention.
B.Physical location of the data center.
C.Encryption at rest requirements.
D.Operating system compatibility with the storage.
E.IOPS requirements for the database workload.
AnswersC, E

Some storage types may not support encryption or may have additional cost.

Why this answer

Encryption at rest is a critical consideration when selecting storage for a cloud-based managed database service, as it ensures data is encrypted when stored on disk. Many cloud providers offer transparent data encryption (TDE) or server-side encryption with customer-managed keys (CMKs), and the storage type must support these features to meet compliance requirements.

Exam trap

CompTIA often tests the distinction between operational policies (like backup frequency) and infrastructure decisions (like storage type), leading candidates to mistakenly select backup-related options when the question explicitly asks about storage type selection.

763
MCQeasy

An organization needs to store archival data for 7 years to meet compliance requirements. The data is rarely accessed, and retrieval time is not critical. Which cloud storage type is most cost-effective?

A.Block storage
B.File storage
C.Object storage
D.Archive storage
AnswerD

Archive storage is optimized for long-term retention at low cost.

Why this answer

Archive storage (e.g., AWS Glacier, Azure Archive) is designed for long-term, infrequently accessed data at the lowest cost. Block storage is for VMs. Object storage is for frequent access.

File storage is for shared file systems.

764
MCQhard

A team is developing a serverless application on AWS Lambda. The application uses several third-party libraries that are large in size. To reduce deployment package size and enable reuse across functions, the team wants to include these libraries as a separate layer. However, the total unzipped size of all layers exceeds the Lambda limits. What should the team do to resolve this?

A.Increase the Lambda function's reserved concurrency
B.Use a container image for the Lambda function instead of layers
C.Reduce the number of layers by combining libraries into fewer custom layers
D.Request a service limit increase from AWS for layer size
AnswerB

Container images allow larger packages (up to 10 GB).

Why this answer

Lambda allows up to 5 layers with a total unzipped size of 250 MB. If exceeded, the team can split the libraries into multiple functions or use a custom runtime with a container image. Reducing concurrency does not affect package size.

765
MCQmedium

A company runs a web application on AWS EC2 instances behind an Application Load Balancer. They want to handle traffic spikes automatically. Which scaling approach should they implement?

A.Vertical scaling
B.Auto-scaling
C.Manual scaling
D.Horizontal scaling
AnswerB

Auto-scaling automatically adjusts capacity based on defined metrics.

Why this answer

Auto-scaling adds or removes instances based on metrics like CPU utilization, handling traffic spikes automatically.

766
MCQhard

A company is migrating an on-premises Oracle database to Amazon RDS for MySQL. The migration must have minimal downtime and must handle ongoing changes during migration. The schema needs to be converted to MySQL-compatible format. Which combination of AWS services should the team use?

A.AWS SCT alone
B.AWS DMS with AWS Schema Conversion Tool (SCT)
C.AWS DataSync
D.AWS DMS alone
AnswerB

SCT converts schema, DMS with CDC achieves minimal downtime.

Why this answer

AWS DMS can perform ongoing replication using CDC, and SCT converts schemas between different database engines.

767
MCQhard

A DevOps team uses infrastructure as code to deploy cloud resources. Security policy requires that all storage buckets have versioning enabled and are not publicly accessible. How can these requirements be enforced automatically?

A.Add pre-commit hooks to check the IAC templates for compliance.
B.Use security group rules to restrict access to the storage buckets.
C.Implement a cloud policy that disallows public access and requires versioning on all storage resources.
D.Configure a manual approval gate in the deployment pipeline for any storage changes.
AnswerC

Cloud policies provide preventive governance at the resource level.

Why this answer

Option D is correct because using a cloud policy service (e.g., AWS Service Control Policy or Azure Policy) can enforce rules like 'deny public access' and 'require versioning' at the account level. Option A is wrong because it relies on manual review. Option B is wrong because the CI/CD pipeline can be bypassed.

Option C is wrong because security groups do not apply to storage.

768
Multi-Selectmedium

A cloud administrator wants to choose an auto-scaling policy that can respond to changing demand patterns. Which TWO policy types support dynamic adjustments based on real-time metrics? (Choose TWO)

Select 2 answers
A.Predictive scaling
B.Target tracking scaling
C.Step scaling
D.Scheduled scaling
E.Simple scaling
AnswersB, C

Target tracking maintains a target metric value.

Why this answer

Target tracking and step scaling both adjust capacity dynamically based on real-time metrics.

769
MCQeasy

Which of the following compliance frameworks is specifically designed for handling healthcare information in the United States?

A.SOC 2 Type II
B.ISO 27001
C.PCI DSS
D.HIPAA
AnswerD

HIPAA is for healthcare information privacy and security.

Why this answer

HIPAA (Health Insurance Portability and Accountability Act) sets standards for protecting sensitive patient data. PCI DSS is for payment card data, SOC 2 is for service organizations, ISO 27001 is for information security management.

770
MCQmedium

A cloud administrator is deploying a virtual machine (VM) in a public cloud and must ensure that the VM can be recovered quickly in case of failure. The administrator configures the VM to use a managed disk. What additional deployment step should be taken to meet the recovery objective with minimal cost?

A.Set the VM's boot diagnostics to store logs in a storage account.
B.Configure automated snapshots of the managed disk on a schedule.
C.Deploy a second VM in a different region as a pilot light.
D.Attach the VM to multiple managed disks in an availability set.
AnswerB

Snapshots are cheap and allow quick restoration.

Why this answer

Option B is correct because configuring automated snapshots of the managed disk provides a cost-effective, incremental backup mechanism that enables rapid recovery of the VM in case of failure. Snapshots capture point-in-time copies of the disk and can be used to create a new managed disk or restore the VM quickly, meeting the recovery objective without the expense of maintaining a separate, always-on replica.

Exam trap

The trap here is that candidates often confuse high availability (e.g., availability sets or pilot light deployments) with backup and recovery, assuming that redundancy alone satisfies the recovery objective, when in fact snapshots provide a lower-cost, backup-focused solution for quick recovery after failure.

How to eliminate wrong answers

Option A is wrong because boot diagnostics store logs for troubleshooting boot failures, not for recovering the VM itself; they do not provide a recoverable copy of the VM's disk. Option C is wrong because deploying a second VM in a different region as a pilot light incurs ongoing compute and storage costs for a standby instance, which is more expensive than using snapshots for recovery. Option D is wrong because attaching multiple managed disks in an availability set provides high availability within a single region but does not create recoverable backups; it protects against hardware failure but not against data corruption or accidental deletion, and it increases cost without meeting the recovery objective.

771
MCQmedium

A company requires multi-factor authentication (MFA) for all users accessing the cloud management console. Which IAM policy element should be used to enforce this?

A.Action
B.Effect
C.Resource
D.Condition
AnswerD

Condition can require MFA by using the aws:MultiFactorAuthPresent key.

Why this answer

A Condition element in an IAM policy can require MFA by checking the aws:MultiFactorAuthPresent key.

772
MCQmedium

A company wants to deploy a containerized application to Google Kubernetes Engine (GKE) using a rolling update strategy. They have defined a Kubernetes Deployment manifest. Which field controls the number of pods that can be unavailable during the update?

A.spec.strategy.rollingUpdate.maxSurge
B.spec.template.spec.containers[].readinessProbe
C.spec.strategy.rollingUpdate.maxUnavailable
D.spec.replicas
AnswerC

maxUnavailable defines how many pods can be unavailable during the rolling update.

Why this answer

Option C is correct because the `spec.strategy.rollingUpdate.maxUnavailable` field in a Kubernetes Deployment manifest explicitly controls the maximum number of Pods that can be unavailable during a rolling update. This field can be set as an absolute number or a percentage of the desired Pod count, ensuring that the update proceeds without dropping below a specified availability threshold.

Exam trap

Cisco often tests the confusion between `maxSurge` and `maxUnavailable`, where candidates mistakenly think `maxSurge` controls unavailability, but in reality `maxSurge` governs the number of extra Pods created above the target, not the number of Pods that can be taken down.

How to eliminate wrong answers

Option A is wrong because `spec.strategy.rollingUpdate.maxSurge` controls the maximum number of Pods that can be created above the desired replica count during an update, not the number of unavailable Pods. Option B is wrong because `spec.template.spec.containers[].readinessProbe` defines a health check that determines when a container is ready to serve traffic, but it does not control the number of Pods that can be unavailable during a rolling update. Option D is wrong because `spec.replicas` sets the desired number of Pod replicas for the Deployment, but it has no direct role in managing the availability constraints during a rolling update.

773
MCQmedium

A company uses an automated patching solution that reboots instances after applying patches. After a recent patching cycle, several web servers failed to rejoin the load balancer pool. The administrator checks the application logs and finds that the web service failed to start because a required dependency was removed during patching. Which of the following should the administrator implement to prevent this issue in the future?

A.Require manual approval before each patching operation.
B.Increase the patching frequency to reduce the number of patches per cycle.
C.Implement a rolling update strategy for the web servers.
D.Configure a pre-patch health check and verify critical dependencies.
AnswerD

Pre-patch checks can validate that required services and dependencies are present and functional.

Why this answer

Option D is correct because implementing a pre-patch health check that verifies critical dependencies ensures that the patching process does not remove or break required components. This proactive validation can detect missing dependencies before the reboot, allowing the administrator to remediate or halt the patching cycle, preventing the web service from failing to start.

Exam trap

The trap here is that candidates often confuse operational strategies like rolling updates (which maintain availability during updates) with dependency validation, failing to recognize that rolling updates do not prevent the underlying dependency removal issue that causes the service to fail after reboot.

How to eliminate wrong answers

Option A is wrong because requiring manual approval before each patching operation does not address the root cause of dependency removal; it only adds a manual gate without validating dependencies, which is inefficient and still allows the same issue to occur if the approval is granted. Option B is wrong because increasing patching frequency to reduce patches per cycle does not prevent dependency removal; it merely distributes patches over time, and a single patch could still remove a critical dependency, leading to the same failure. Option C is wrong because a rolling update strategy for the web servers manages the order of updates to maintain availability, but it does not validate dependencies before patching; if a dependency is removed during the update, the web service will still fail to start on the updated instances, causing them to drop out of the load balancer pool.

774
Multi-Selecthard

A cloud security team is implementing encryption for data at rest using customer-managed keys in a cloud KMS. Which THREE practices should be followed?

Select 3 answers
A.Use IAM policies to restrict who can use and manage the keys.
B.Enable automatic key rotation.
C.Store the key material in plaintext in the application code.
D.Use a default cloud provider key to simplify management.
E.Back up the key material securely in a separate location.
AnswersA, B, E

IAM controls access to KMS keys.

Why this answer

Option A is correct because IAM policies are essential for enforcing the principle of least privilege in cloud KMS. By restricting who can use (encrypt/decrypt) and manage (rotate/disable/destroy) customer-managed keys, the security team ensures that only authorized principals can access the key material. This prevents unauthorized users or services from compromising data at rest, which is a core requirement for compliance frameworks like PCI DSS or HIPAA.

Exam trap

Cisco often tests the misconception that storing keys in code is acceptable if the code is in a private repository, but the trap here is that any plaintext key in code is a critical vulnerability, regardless of repository access controls.

775
MCQmedium

A company uses CloudFormation to manage infrastructure across multiple AWS accounts. They want to deploy a common set of resources (e.g., VPC, IAM roles) to all accounts in their organization. Which CloudFormation feature should they use?

A.Change sets
B.Nested stacks
C.Stack sets
D.Drift detection
AnswerC

StackSets enable deploying stacks to multiple accounts/regions.

Why this answer

CloudFormation StackSets allow deploying stacks across multiple accounts and regions.

776
MCQeasy

A cloud architect is designing a multi-tenant SaaS application on AWS. Which of the following security responsibilities is the CUSTOMER responsible for under the shared responsibility model?

A.Global network infrastructure
B.Patching the hypervisor
C.Physical security of data centers
D.Configuring security groups
AnswerD

Security groups are a customer-configurable network security control.

Why this answer

Under the shared responsibility model, the customer is responsible for data encryption, OS patching, and IAM configuration, while the provider secures the physical infrastructure.

777
Multi-Selecteasy

A company wants to reduce its cloud storage costs for infrequently accessed data that must be retained for 7 years. Which two storage lifecycle policies should they implement? (Select TWO.)

Select 2 answers
A.Move data from object storage to block storage after 30 days
B.Use reserved capacity for object storage
C.Transition data to a lower-cost infrequent access tier after 30 days
D.Archive data to cold storage after 1 year
E.Delete all data older than 1 year
AnswersC, D

Infrequent access tiers are cheaper for data accessed less often.

Why this answer

Option C is correct because transitioning data to a lower-cost infrequent access tier after 30 days aligns with the requirement to reduce costs for infrequently accessed data. This lifecycle policy moves objects from a standard tier to a cheaper tier (e.g., Amazon S3 Standard-IA or Azure Cool Blob Storage) after a specified period, reducing storage costs while maintaining low-latency retrieval. Option D is correct because archiving data to cold storage after 1 year (e.g., Amazon S3 Glacier or Azure Archive Blob Storage) further reduces costs for data that is rarely accessed but must be retained for 7 years, as cold storage offers the lowest storage cost at the expense of longer retrieval times.

Exam trap

Cisco often tests the distinction between lifecycle policies (which automate tier transitions) and billing optimizations (like reserved capacity), leading candidates to incorrectly select reserved capacity as a lifecycle policy instead of a cost-saving commitment.

778
MCQhard

A cloud operations team uses a configuration management tool (e.g., Chef, Puppet) to manage a fleet of Linux servers in a public cloud. After a recent update, the team notices that some servers are failing to apply the new configuration. The logs on the failing servers show connection timeouts to the configuration management server. Other servers in the same subnet and security group apply configurations successfully. The configuration management server is reachable from the admin's workstation. Which of the following is the MOST likely cause of the issue?

A.The failing servers are missing the configuration management agent.
B.The configuration management server certificate has expired.
C.The failing servers have a firewall rule blocking outbound connections.
D.The failing servers have a misconfigured DNS resolver.
AnswerD

DNS misconfiguration prevents the server from resolving the configuration management server's hostname, causing timeouts.

Why this answer

Option A is correct because a misconfigured DNS resolver on the failing servers can cause hostname resolution failures, leading to connection timeouts to the configuration management server. Option B is wrong because all servers share the same security group, so firewall rules are identical. Option C is wrong because if the certificate had expired, all servers would be affected, not just a few.

Option D is wrong because if the agent were missing, the logs would show agent-related errors, not connection timeouts.

779
MCQmedium

A cloud administrator needs to centralize logs from multiple AWS services, including VPC flow logs and application logs, to enable searching and querying. Which solution should be used?

A.AWS CloudTrail
B.Amazon S3 with Athena
C.AWS Config
D.Amazon CloudWatch Logs
AnswerD

CloudWatch Logs centralizes logs and supports querying with Logs Insights.

Why this answer

CloudWatch Logs is the central log service that can collect logs from various sources and allow querying with Logs Insights.

780
MCQhard

A cloud architect is designing a multi-account AWS environment and wants to deploy CloudFormation stacks consistently across many accounts. The architect needs a solution that can manage stack instances across multiple accounts and Regions from a single administrator account. Which AWS feature should be used?

A.Stack sets
B.Drift detection
C.Nested stacks
D.Change sets
AnswerA

StackSets enable deploying stacks across multiple accounts and regions with centralized management.

Why this answer

AWS CloudFormation StackSets allow you to create, update, or delete stacks across multiple accounts and Regions from a single admin account.

781
Multi-Selectmedium

A company is designing a hybrid cloud storage solution. Which TWO storage services are suitable for a shared file system accessible from both on-premises and cloud VMs? (Select TWO.)

Select 2 answers
A.Azure Blob
B.Azure Files
C.Amazon S3
D.Amazon EBS
E.Amazon EFS
AnswersB, E

Azure Files offers managed SMB file shares accessible from cloud VMs and on-premises.

Why this answer

File storage services like Amazon EFS and Azure Files provide shared file systems accessible over NFS or SMB. Block and object storage are not typically used as shared file systems.

782
MCQhard

A DevOps team deploys a containerized application on Amazon EKS. The security team wants to ensure that containers do not run as root and that read-only root filesystems are enforced. Which Kubernetes mechanism should be used?

A.Pod Security Standards
B.Kubernetes RBAC
C.Network Policies
D.Secrets management
AnswerA

Pod Security Standards enforce security constraints at the pod level.

Why this answer

Pod Security Standards (formerly PSP) define security contexts, including runAsNonRoot and readOnlyRootFilesystem, to enforce these policies.

783
Multi-Selectmedium

A cloud administrator is troubleshooting a virtual machine that is experiencing high CPU utilization during peak hours. The VM runs a web application and is hosted on a public cloud platform. Which TWO steps should the administrator take first to diagnose the issue?

Select 2 answers
A.Adjust the autoscaling policy to add more instances immediately.
B.Check for memory leaks in the application that could indirectly affect CPU.
C.Review the load balancer health check and traffic distribution settings for the backend pool.
D.Identify the process consuming the most CPU using the OS performance monitoring tools.
E.Immediately increase the number of vCPUs assigned to the VM.
AnswersC, D

Improper load balancer configuration can direct excessive traffic to this VM, causing high CPU.

Why this answer

Option C is correct because reviewing the load balancer health check and traffic distribution settings helps determine if the high CPU utilization is caused by uneven traffic distribution or unhealthy backend instances. If the load balancer is sending excessive traffic to a single VM due to misconfigured health checks or sticky sessions, the VM's CPU will spike. This is a first-step diagnostic action to rule out load balancing issues before investigating the VM itself.

Exam trap

The trap here is that candidates often jump to scaling actions (like adding vCPUs or instances) as a first step, but the exam emphasizes systematic troubleshooting—starting with load balancer and OS-level diagnostics before making changes.

784
MCQhard

During a penetration test, a cloud security engineer discovers that a storage bucket is publicly accessible because of a misconfigured block public access setting. The bucket contains encrypted data. Which of the following is the primary risk?

A.The bucket name is exposed to enumeration.
B.Data is unreadable because it is encrypted.
C.The encryption key is exposed.
D.Unauthorized users can list and download objects, but encryption at rest protects content if the key is also not accessible.
AnswerD

This accurately describes the primary risk: data exfiltration is possible, but encryption provides a layer of protection if the key is secure.

Why this answer

Option D is correct because unauthorized users can list and download encrypted objects, even if the data is encrypted at rest. The primary risk is data exfiltration if the encryption key is compromised or the data is not properly encrypted.

785
MCQhard

During a security audit, it is discovered that a cloud storage bucket contains sensitive data that should have been encrypted at rest. The bucket was created with default settings. Which step must be taken to encrypt the data that is already stored?

A.Encrypt the objects using client-side encryption before upload
B.Copy the objects to a new bucket that has default encryption enabled, then delete the original bucket
C.Use a server-side encryption with customer-provided keys (SSE-C) on each existing object
D.Enable default encryption on the bucket; all existing objects will be automatically encrypted
AnswerB

Copying objects applies the new bucket's encryption settings.

Why this answer

Enabling default encryption only affects new objects. Existing objects must be re-encrypted by copying them, which applies the new encryption settings.

786
MCQmedium

A cloud engineer is tasked with automating the deployment of a three-tier application. The engineer wants to ensure that the database tier is not directly accessible from the internet but can be reached by the application tier. Which of the following should be implemented?

A.Use the same subnet for all tiers and allow traffic via security groups
B.Place the database tier in a public subnet with a restrictive security group
C.Connect the database tier to a site-to-site VPN and disable public access
D.Place the database tier in a private subnet and configure a security group to allow traffic only from the application tier
AnswerD

Private subnet has no internet gateway, and security group restricts access.

Why this answer

Option D is correct because placing the database tier in a private subnet ensures it has no direct route to the internet, while a security group configured to allow inbound traffic only from the application tier's security group (or CIDR) enforces least-privilege access. This design aligns with the AWS Well-Architected Framework's security pillar, using network segmentation and stateful firewall rules to isolate the database from public exposure.

Exam trap

The trap here is that candidates confuse 'restrictive security group' with network isolation, failing to realize that a public subnet inherently provides internet accessibility regardless of security group rules, so the database must be placed in a private subnet to meet the requirement.

How to eliminate wrong answers

Option A is wrong because using the same subnet for all tiers eliminates network segmentation, allowing any tier (including the web tier) to potentially reach the database directly, and security groups alone cannot prevent lateral movement within the same subnet without additional rules. Option B is wrong because placing the database tier in a public subnet assigns a public IP address by default, making it directly reachable from the internet even with a restrictive security group, which violates the requirement of no direct internet access. Option C is wrong because a site-to-site VPN connects on-premises networks to the cloud, not the application tier to the database tier; it does not isolate the database from the internet and is irrelevant for internal tier-to-tier communication.

787
MCQmedium

An organization is designing a cloud architecture that must be fault-tolerant within a single region. The architect decides to deploy application instances in multiple Availability Zones (AZs). Which cloud characteristic is being leveraged?

A.Resource pooling
B.Measured service
C.Elasticity
D.On-demand self-service
AnswerA

Resource pooling allows the provider to serve multiple customers and distribute resources across AZs for fault tolerance.

Why this answer

Deploying application instances across multiple Availability Zones (AZs) within a single region leverages resource pooling, a key cloud characteristic. Resource pooling allows the cloud provider to aggregate compute, storage, and network resources from multiple physical locations (AZs) into a shared pool that can be dynamically allocated to tenants. By distributing instances across AZs, the architect ensures that if one AZ fails, the application remains available using resources from other AZs, directly utilizing the provider's pooled infrastructure.

Exam trap

CompTIA often tests the distinction between resource pooling and elasticity, where candidates mistakenly think distributing across AZs is about scaling (elasticity) rather than leveraging the provider's shared physical infrastructure (resource pooling).

How to eliminate wrong answers

Option B (Measured service) is wrong because it refers to the metering and billing of cloud resource usage (e.g., per-hour or per-GB charges), not the architectural placement of instances across AZs for fault tolerance. Option C (Elasticity) is wrong because elasticity describes the ability to automatically scale resources up or down based on demand, not the geographic or fault-isolated distribution of instances. Option D (On-demand self-service) is wrong because it describes the ability to provision resources without human interaction via a web portal or API, not the multi-AZ deployment strategy for high availability.

788
MCQhard

A cloud technician is troubleshooting connectivity from a VM with IP 10.0.0.1 to another VM at 10.0.1.10 in a different subnet. The ping output shows 'Destination Host Unreachable'. Which of the following is the most likely cause?

A.ARP resolution for the destination IP is failing
B.The network interface on the source VM is disabled
C.A firewall is blocking ICMP on the destination
D.The source's default gateway does not have a route to the destination network
AnswerD

The gateway (10.0.0.1) sends 'Destination Host Unreachable' when it has no route to the destination.

Why this answer

The 'Destination Host Unreachable' error indicates that the source VM (10.0.0.1) cannot find a path to the destination subnet (10.0.1.0/24). Since the VMs are in different subnets, the source must send traffic to its default gateway. If that gateway lacks a route to 10.0.1.0/24, it will drop the packet and send an ICMP Destination Unreachable message back, causing the observed error.

This is the most likely cause because the issue is at Layer 3 routing, not Layer 2 ARP or local interface problems.

Exam trap

CompTIA often tests the distinction between 'Destination Host Unreachable' (Layer 3 routing failure) and 'Request Timed Out' (Layer 4 or firewall blocking), tricking candidates into blaming ARP or firewalls when the real issue is a missing route on the gateway.

How to eliminate wrong answers

Option A is wrong because ARP resolution for the destination IP would only be attempted if the destination were on the same subnet; since 10.0.0.1 and 10.0.1.10 are in different subnets, the source VM will ARP for its default gateway, not the destination. Option B is wrong because if the network interface on the source VM were disabled, the ping would typically fail with a 'Network is unreachable' or 'No route to host' error, not 'Destination Host Unreachable', and the interface state would be visible in the VM's configuration. Option C is wrong because a firewall blocking ICMP on the destination would cause a timeout (no response) or 'Request timed out', not an immediate 'Destination Host Unreachable' message, which is generated by an intermediate router.

789
Multi-Selecteasy

A company is planning to migrate a legacy application to the cloud. They want to leverage cloud-native features while minimizing code changes. Which TWO migration strategies should they consider?

Select 2 answers
A.Replatform
B.Rehost
C.Rebuild
D.Replace
E.Refactor
AnswersA, D

Replatform offers cloud-native benefits with minimal changes.

Why this answer

Replatform (A) is correct because it involves migrating the application to a cloud-managed platform (e.g., moving from a self-managed database to Amazon RDS or Azure SQL Database) with minimal code changes, allowing the company to leverage cloud-native features like automated backups and scaling. Replace (D) is correct because it means adopting a SaaS alternative (e.g., replacing a custom CRM with Salesforce) that provides cloud-native capabilities without modifying existing code, aligning with the goal of minimizing code changes.

Exam trap

CompTIA often tests the distinction between 'Replatform' and 'Refactor,' where candidates mistakenly choose Refactor thinking it allows minimal changes, but Refactor actually requires significant code rework to adopt cloud-native patterns like containerization or serverless.

790
MCQeasy

A cloud administrator is troubleshooting a performance issue where users report slow access to a web application hosted in a public cloud. The application uses an auto-scaling group of web servers behind a load balancer. The administrator notices that the CPU utilization on the web servers is low, but the load balancer metrics show a high number of pending requests. What is the most likely cause?

A.The web servers are throttled by the cloud provider's API rate limiting.
B.The DNS records point to an incorrect IP address.
C.The security group is blocking inbound traffic on port 80.
D.The load balancer health checks are misconfigured, causing healthy instances to be removed.
AnswerD

Misconfigured health checks can cause the load balancer to stop sending traffic to healthy instances, leading to pending requests.

Why this answer

Option A is correct because misconfigured health checks can cause the load balancer to stop sending traffic to healthy instances, leading to pending requests. Option B is wrong because API rate limiting affects API calls, not web traffic. Option C is wrong because DNS would cause total inaccessibility, not just slowness.

Option D is wrong because blocking port 80 would cause connection failures, not pending requests.

791
MCQmedium

A cloud administrator needs to provide external partners with access to a cloud application using their existing corporate credentials. Which federation protocol should be used?

A.RADIUS
B.Kerberos
C.SAML
D.LDAP
AnswerC

SAML allows identity federation and SSO with external identity providers.

Why this answer

SAML is a standard federation protocol that enables single sign-on using existing identity providers.

792
MCQhard

A cloud engineer is designing a CI/CD pipeline using Azure DevOps. They need to ensure that code changes are automatically built, tested, and deployed to a staging environment, and then after manual approval, deployed to production. Which pipeline configuration should they use?

A.Multi-stage pipeline with environment approvals on the production stage
B.Single stage pipeline with conditional deployment
C.Release pipeline with continuous deployment trigger
D.Build pipeline only
AnswerA

Correct. Multi-stage pipelines with approval gates meet the requirement.

Why this answer

Azure DevOps multi-stage pipelines allow defining stages such as build, test, and deploy, with gates and approvals. An approval gate on the production stage ensures manual review before deployment.

793
MCQmedium

A cloud engineer is troubleshooting a network connectivity issue between two VPCs in AWS. To analyze traffic patterns and identify dropped packets, which feature should be enabled?

A.VPC Flow Logs
B.AWS CloudTrail
C.Amazon Inspector
D.AWS X-Ray
AnswerA

Flow Logs capture network traffic metadata for troubleshooting.

Why this answer

VPC Flow Logs capture information about IP traffic going to and from network interfaces in a VPC, useful for troubleshooting connectivity and security issues.

794
MCQeasy

After deploying a new cloud application, users report that they cannot connect to the application. The cloud administrator checks the security group rules and finds that the inbound rule for HTTP traffic is missing. What is the best practice to prevent this issue in future deployments?

A.Create a checklist for manual review before each deployment.
B.Use an Infrastructure as Code (IaC) template to define security group rules.
C.Clone a security group that already has the correct rules.
D.Configure the security group to allow all traffic by default.
AnswerB

IaC forces explicit, reviewable configuration.

Why this answer

Option A is correct because using Infrastructure as Code (IaC) templates ensures that security groups are defined consistently and can be reviewed before deployment. Option B (manual checks) are error-prone. Option C (default rules) may be too permissive.

Option D (cloning) does not address the root cause.

795
MCQmedium

A company runs a web application on three virtual machines behind a load balancer. During a traffic spike, one VM becomes unresponsive. The load balancer continues sending traffic to it, causing errors. Which configuration change would prevent this issue in the future?

A.Set a longer connection timeout on the load balancer.
B.Configure health checks on the load balancer.
C.Increase the number of VMs to five.
D.Change the load balancing algorithm to round-robin.
AnswerB

Health checks automatically remove unhealthy VMs from the pool.

Why this answer

Health checks allow the load balancer to periodically probe the status of each backend VM (e.g., via HTTP GET or TCP SYN). If a VM fails a configurable number of consecutive checks, the load balancer automatically marks it as unhealthy and stops routing traffic to it, preventing errors during a spike. This is the standard mechanism in AWS ELB, Azure Load Balancer, and HAProxy to detect and isolate failed instances.

Exam trap

CompTIA often tests the misconception that simply adding more servers or changing the algorithm solves availability issues, when in fact without health checks the load balancer has no mechanism to detect and avoid failed instances.

How to eliminate wrong answers

Option A is wrong because a longer connection timeout would only delay the detection of an unresponsive VM, not prevent traffic from being sent to it; the load balancer would still forward new requests and wait longer for a response, increasing user-facing errors. Option C is wrong because simply increasing the number of VMs does not address the root cause—the load balancer will still blindly send traffic to an unresponsive VM, so errors persist regardless of pool size. Option D is wrong because changing the algorithm to round-robin does not include any failure detection; it merely distributes requests evenly, so an unresponsive VM will still receive its share of traffic and cause errors.

796
MCQmedium

A company is designing a disaster recovery plan for its critical application. The application must be recovered within 4 hours (RTO) and can tolerate up to 1 hour of data loss (RPO). Which replication strategy is most cost-effective?

A.No replication; rely on backups restored from archive
B.Asynchronous replication
C.Synchronous replication
D.Daily snapshots with no replication
AnswerB

Asynchronous replication can achieve RPO of 1 hour at lower cost.

Why this answer

Asynchronous replication meets the RPO of 1 hour (data loss up to 1 hour) and can be lower cost than synchronous replication, which requires high bandwidth. Synchronous replication would be more expensive and unnecessary. No replication would not meet RPO.

Daily backups would exceed RPO.

797
MCQhard

A company is deploying a critical application in the cloud and needs to ensure that it can automatically recover from an intent—a failure of an entire cloud provider region. Which of the following architectures should be implemented?

A.Active-passive deployment across two regions with DNS-based failover
B.Active-passive deployment across multiple availability zones in the same region
C.Single-region deployment with auto-scaling groups
D.Active-active deployment across multiple availability zones in the same region
AnswerA

Cross-region failover provides disaster recovery if a region fails.

Why this answer

Option C is correct because an active-passive cross-region deployment with DNS failover provides disaster recovery. Option A is wrong because active-active in one region does not cover region failure. Option B is wrong because multi-AZ within one region does not cover region failure.

Option D is wrong because a single region with auto-scaling does not survive region failure.

798
Multi-Selectmedium

A company is deploying a critical application on Google Kubernetes Engine (GKE) and needs to ensure high availability and automatic scaling. Which THREE features should be configured?

Select 3 answers
A.Single cluster in one zone
B.StatefulSets for all deployments
C.Multiple node pools with multiple nodes
D.Horizontal Pod Autoscaler
E.Cluster auto-scaling
AnswersC, D, E

Multiple nodes across zones improve availability.

Why this answer

Horizontal Pod Autoscaler (HPA) scales pods based on metrics. Node pools with multiple nodes provide redundancy. Cluster auto-scaling adds nodes as needed.

StatefulSets are for stateful apps, not high availability by themselves. Regional clusters provide multi-zone HA.

799
Multi-Selectmedium

A company is designing an auto-scaling solution for a stateless application. Which TWO features are essential for the application to scale horizontally without issues? (Select TWO.)

Select 2 answers
A.Stateless application design
B.Stateful session management
C.Use of local storage for application data
D.Vertical scaling on the existing instances
E.A load balancer to distribute traffic
AnswersA, E

Stateless design allows any instance to handle any request without session affinity.

Why this answer

Stateless applications store session state externally (e.g., in a database or cache) and can be deployed from a golden image to ensure consistency. Load balancers distribute traffic. Options B and D are essential.

800
MCQmedium

A company is migrating an on-premises MySQL database to Azure SQL Database using Azure Database Migration Service. They want minimal downtime. Which migration mode should they choose?

A.Bulk copy
B.Offline migration
C.Online migration with continuous sync
D.Schema conversion only
AnswerC

Correct. Online mode uses CDC to minimize downtime.

Why this answer

Azure DMS offers online migration mode that uses CDC to replicate ongoing changes, allowing near-zero downtime. Offline mode requires stopping writes during migration.

801
MCQeasy

An organization wants to deploy a new application with zero downtime by switching traffic between two identical production environments. Which deployment strategy should be used?

A.Rolling deployment
B.Canary deployment
C.In-place deployment
D.Blue/green deployment
AnswerD

Correct description of blue/green.

Why this answer

Blue/green deployment involves maintaining two identical environments; traffic is switched from the old (blue) to the new (green) environment via DNS or load balancer, enabling zero downtime.

802
MCQeasy

A cloud administrator needs to provide a shared file system that can be accessed by multiple Linux-based virtual machines in the same VPC. Which storage type should be used?

A.Object storage
B.Archive storage
C.Block storage
D.File storage
AnswerD

File storage provides a shared file system over NFS/SMB.

Why this answer

File storage (e.g., Amazon EFS, Azure Files) provides a shared file system accessible via NFS or SMB, suitable for multiple VMs.

803
MCQhard

A company is deploying a stateless application across multiple Availability Zones in AWS. The application must automatically scale based on CPU utilization. Which combination of services should the architect use to achieve this?

A.Auto Scaling group and CloudFront
B.Auto Scaling group and Network Load Balancer
C.Auto Scaling group and Classic Load Balancer
D.Auto Scaling group and Application Load Balancer
AnswerD

Auto Scaling group handles scaling, and Application Load Balancer distributes HTTP/HTTPS traffic across instances.

Why this answer

Auto Scaling groups manage instance scaling across AZs, and Application Load Balancer distributes traffic; this combination provides elasticity and high availability.

804
Multi-Selectmedium

Which THREE factors should be considered when selecting a cloud region for deploying a globally distributed application to minimize latency?

Select 3 answers
A.Geographic proximity to target user base
B.Number of available virtual machine sizes
C.Presence of multiple Availability Zones
D.Local tax rate for cloud services
E.Availability of edge caching services (CDN)
AnswersA, C, E

Closer regions reduce network latency.

Why this answer

Geographic proximity to the target user base is a primary factor for minimizing latency because network latency is fundamentally limited by the speed of light and the physical distance data must travel. Deploying application instances in a cloud region close to users reduces round-trip time (RTT) and packet loss, directly improving user experience for latency-sensitive applications like real-time gaming or video conferencing.

Exam trap

CompTIA often tests the misconception that more Availability Zones or larger VM sizes directly reduce latency, when in fact latency is primarily a function of geographic distance and network path optimization.

805
MCQeasy

Refer to the exhibit. This log message is from a cloud security scanner. Which principle did the scanner likely detect?

A.Separation of duties
B.Defense in depth
C.Fail securely
D.Least privilege
AnswerD

Storing credentials where many users can access them gives more privilege than necessary.

Why this answer

The message indicates that user credentials were stored in user data (such as instance metadata) and are accessible to all users with read access to that metadata. This violates the principle of least privilege because credentials should not be widely accessible.

806
MCQhard

An organization must comply with a regulation requiring that all data stored in the cloud be encrypted at rest using a cloud provider's native encryption service. The company also needs to maintain control over the encryption keys. Which solution should the architect recommend?

A.Use the cloud provider's native encryption service with customer-managed keys
B.Encrypt the data on-premises before uploading to the cloud
C.Use the cloud provider's default encryption with provider-managed keys
D.Use a third-party hardware security module (HSM) hosted on-premises
AnswerA

This meets compliance and provides key control through the provider's key management service.

Why this answer

Option A is correct because the regulation requires cloud-native encryption at rest with customer-controlled keys. Cloud providers offer services like AWS KMS with customer-managed keys (CMKs) or Azure Key Vault with customer-managed keys, which allow the organization to create, rotate, and disable keys independently while the provider handles the underlying encryption of data at rest using envelope encryption. This satisfies both the 'native encryption service' and 'maintain control over the encryption keys' requirements.

Exam trap

CompTIA often tests the distinction between 'native encryption service' and 'encryption at rest'—candidates mistakenly think any encryption (like client-side or third-party HSM) satisfies the requirement, but the question explicitly demands the cloud provider's native service with customer-managed keys.

How to eliminate wrong answers

Option B is wrong because encrypting data on-premises before upload does not use the cloud provider's native encryption service, violating the explicit requirement to use the provider's service. Option C is wrong because provider-managed keys mean the cloud provider controls the encryption keys, which fails the requirement that the company maintain control over the keys. Option D is wrong because a third-party HSM hosted on-premises is not a cloud provider's native encryption service, and it introduces additional complexity and latency without meeting the 'native service' mandate.

807
Multi-Selectmedium

A cloud administrator is deploying a web application that must be highly available across two availability zones. The deployment includes an application load balancer and multiple EC2 instances. Which TWO configurations are required to meet the high availability requirement?

Select 2 answers
A.Launch EC2 instances in at least two availability zones
B.Use a single EC2 instance with an auto-recovery policy
C.Set up health checks to automatically replace unhealthy instances
D.Configure the load balancer to route traffic to both availability zones
E.Enable cross-zone load balancing on the ALB
AnswersA, D

Distributes instances across zones to withstand zone failure.

Why this answer

Option A is correct because launching EC2 instances in at least two availability zones ensures that if one AZ fails, the application continues to serve traffic from the other AZ. This is a fundamental requirement for achieving high availability across AZs, as it distributes the compute capacity across physically separate data centers.

Exam trap

The trap here is that candidates often confuse cross-zone load balancing (which optimizes traffic distribution) with the fundamental requirement of deploying resources across multiple AZs, leading them to select Option E instead of recognizing that multi-AZ instance placement is the non-negotiable prerequisite for high availability.

808
MCQeasy

A cloud administrator is tasked with monitoring CPU utilization across a fleet of EC2 instances. Which AWS service should be used to collect and visualize this metric?

A.Amazon CloudWatch
B.AWS CloudTrail
C.AWS Config
D.AWS Trusted Advisor
AnswerA

CloudWatch collects and visualizes metrics from AWS resources.

Why this answer

Amazon CloudWatch is the native AWS monitoring service that collects and visualizes metrics such as CPU utilization.

809
Multi-Selectmedium

A cloud administrator is designing a hybrid cloud environment that connects on-premises resources to a public cloud. To ensure data protection, the administrator needs to implement controls for data in transit and data at rest. Which TWO security controls should the administrator implement? (Choose two.)

Select 2 answers
A.TLS 1.2
B.AES-256
C.MFA
D.IPsec
E.RBAC
AnswersA, B

TLS 1.2 encrypts data in transit, ensuring confidentiality over networks (e.g., HTTPS).

Why this answer

TLS 1.2 (option B) protects data in transit (e.g., HTTPS), and AES-256 (option D) protects data at rest (e.g., encrypted storage). IPsec also protects transit but is less commonly used for general data transfer; RBAC and MFA address access control, not data encryption.

810
MCQeasy

A company wants to move its on-premises web application to the cloud with minimal code changes to reduce risk. Which deployment strategy is most appropriate?

A.Refactor
B.Rehost
C.Replatform
D.Rebuild
AnswerB

Rehost moves the application as-is, minimizing code changes.

Why this answer

The Rehost (lift-and-shift) strategy is most appropriate because it moves the on-premises web application to the cloud with minimal code changes, directly reducing risk. By migrating the existing virtual machines or physical servers to cloud instances (e.g., AWS EC2 or Azure VMs) without modifying the application architecture, the company preserves the current codebase and operational behavior. This approach avoids the complexity and potential errors associated with rewriting or refactoring code, making it the safest choice for a risk-averse migration.

Exam trap

The trap here is that candidates often confuse 'Replatform' with 'Rehost' because both involve moving to the cloud, but Replatform requires code changes to leverage managed services (e.g., replacing a self-managed database with Amazon RDS), which increases risk and violates the 'minimal code changes' constraint.

How to eliminate wrong answers

Option A (Refactor) is wrong because it involves modifying the application code to optimize it for cloud-native features (e.g., using serverless functions or microservices), which contradicts the requirement for minimal code changes and increases risk. Option C (Replatform) is wrong because it requires some code changes to adapt the application to a managed cloud service (e.g., moving from a self-hosted database to Amazon RDS), which still introduces risk beyond a pure lift-and-shift. Option D (Rebuild) is wrong because it entails completely rewriting the application from scratch using cloud-native architectures (e.g., containers or serverless), which maximizes code changes and risk, directly opposing the stated goal.

811
MCQhard

After deploying a new application version, users get 503 errors. The application runs on Kubernetes in a private cloud. What is the most likely cause?

A.Application health check failing
B.Incorrect ingress configuration
C.Insufficient pod resources
D.Node port exhaustion
AnswerA

Health check failures cause pods to be removed from service, resulting in 503.

Why this answer

Option C is correct because 503 errors often indicate the application is not responding to health checks, causing the load balancer to remove pods from service. Option A is wrong because insufficient resources would cause OOM or CPU throttling, not necessarily 503. Option B is wrong because incorrect ingress would cause 404 or connection timeouts.

Option D is wrong because node port exhaustion is rare and would cause connection refused.

812
MCQmedium

A company wants to migrate its existing on-premises web application to the cloud to reduce operational overhead. The application runs on a custom Linux distribution with specific kernel modules. Which cloud deployment model would best minimize the need to refactor the application while still reducing maintenance of the underlying infrastructure?

A.Container as a Service (CaaS)
B.Platform as a Service (PaaS)
C.Software as a Service (SaaS)
D.Infrastructure as a Service (IaaS)
AnswerD

IaaS offers virtual machines with full OS control, allowing the custom Linux distribution and kernel modules to run without modification.

Why this answer

IaaS (Infrastructure as a Service) provides virtualized compute resources where you retain full control over the operating system, including custom Linux distributions and kernel modules. This allows you to migrate the application as-is without refactoring, while the cloud provider handles the underlying physical infrastructure maintenance, such as hardware failures and network cabling.

Exam trap

The trap here is that candidates often choose PaaS or CaaS thinking they reduce operational overhead more, but they overlook the critical requirement for custom kernel modules, which only IaaS can support without refactoring.

How to eliminate wrong answers

Option A is wrong because CaaS (e.g., Kubernetes, Docker Swarm) requires the application to be containerized, which would necessitate refactoring to package the custom kernel modules into the container image or use host-level kernel sharing, potentially breaking compatibility. Option B is wrong because PaaS abstracts the OS layer entirely, preventing you from installing custom kernel modules or using a non-standard Linux distribution, forcing significant refactoring. Option C is wrong because SaaS delivers a fully managed application with no control over the underlying OS or runtime, making it impossible to migrate a custom web application without complete redevelopment.

813
MCQeasy

A company wants to track cloud spending by department and project. Which strategy should be implemented to enable cost attribution?

A.Use a single account for all workloads
B.Enable detailed billing reports
C.Implement a resource tagging strategy
D.Use AWS Organizations only
AnswerC

Tags like 'Department' and 'Project' enable cost allocation.

Why this answer

Resource tagging allows filtering and grouping costs by tags like department or project.

814
Multi-Selectmedium

A cloud administrator is setting up auto-scaling for a web application that uses an SQS queue for incoming requests. The administrator wants to scale the number of EC2 instances based on the queue depth. Which two metrics are appropriate for this auto-scaling policy? (Choose TWO.)

Select 2 answers
A.CPU utilization of instances
B.ApproximateNumberOfMessagesVisible (queue depth)
C.Memory utilization of instances
D.Network throughput
E.BacklogPerInstance (queue depth per instance)
AnswersB, E

This is the direct metric for the number of messages in the queue.

Why this answer

SQS queue depth (ApproximateNumberOfMessagesVisible) is a common metric. CPU utilization of instances is also relevant but not directly queue-related. The correct ones are ApproximateNumberOfMessagesVisible and BacklogPerInstance (which combines queue depth and instance count).

815
MCQeasy

A cloud administrator is tasked with ensuring that all API requests to the cloud management plane are encrypted. Which protocol should be enforced to meet this requirement?

A.TLS
B.IPsec
C.SSL
D.SSH
AnswerA

TLS encrypts HTTP traffic (HTTPS) and is the standard for API security.

Why this answer

TLS (Transport Layer Security) encrypts data in transit and is the standard protocol for securing API communications. SSH is for remote shell access, SSL (deprecated) is similar but newer is TLS, and IPsec is used for VPN tunnels.

816
MCQhard

A cloud administrator notices that a scheduled backup job for a virtual machine has been failing with the error "insufficient storage space". The VM has 100 GB OS disk. The backup solution creates snapshots. What is the most likely cause?

A.The VM's data disk is full.
B.The backup software requires temporary local storage that is full.
C.The backup service is using local disks for staging.
D.The snapshot is being stored on the same disk as the OS.
AnswerB

Backup software often uses a temp directory on the local disk; if that disk is full, the backup fails.

Why this answer

The error 'insufficient storage space' during a snapshot-based backup typically occurs because the backup software requires temporary local storage to stage the snapshot data before transferring it to the backup target. When this staging area (often a local cache or temporary directory) runs out of space, the backup fails. Option B correctly identifies that the backup software's temporary local storage is full, which is a common cause of this error.

Exam trap

The trap here is that candidates confuse the VM's internal disk space (OS or data disk) with the backup software's temporary storage requirements, leading them to incorrectly select option A or D, when the actual cause is the staging area being full.

How to eliminate wrong answers

Option A is wrong because the VM's data disk being full does not directly cause a snapshot backup failure; snapshots are stored on the same datastore as the VM's OS disk, not on the data disk, and the error is about storage space for the backup process, not the VM's internal disk. Option C is wrong because while the backup service may use local disks for staging, this is essentially the same as option B but less specific; the core issue is that the temporary local storage (staging area) is full, not that local disks are being used in general. Option D is wrong because snapshots are stored on the same datastore as the OS disk, not on the OS disk itself; the error 'insufficient storage space' refers to the backup software's staging area, not the snapshot storage location.

817
MCQeasy

Which encryption standard is most commonly used for data at rest in cloud storage services?

A.Blowfish
B.DES
C.AES-256
D.RSA
AnswerC

AES-256 is widely used for encrypting data at rest.

Why this answer

AES-256 is the industry standard for encrypting data at rest in cloud environments.

818
MCQmedium

A company is deploying a web application across multiple cloud regions for high availability. The application must maintain session state. Which deployment strategy should be used?

A.Active-passive failover
B.Geo-routing with DNS
C.Sticky sessions with a load balancer
D.Round-robin load balancing
AnswerC

Sticky sessions route a client to the same server, preserving session state.

Why this answer

Sticky sessions (also known as session persistence) ensure that all requests from a client during a session are directed to the same backend server. This is critical for a multi-region deployment where the application must maintain session state, as it prevents session data loss when a load balancer distributes traffic. By using a load balancer with sticky sessions, the application can maintain stateful interactions even across multiple cloud regions, assuming the load balancer is configured for cross-region routing.

Exam trap

The trap here is that candidates often confuse high availability with stateless architectures, assuming that any load balancing strategy (like round-robin or geo-routing) will automatically preserve session state, when in fact only sticky sessions explicitly bind a client to a specific backend server.

How to eliminate wrong answers

Option A is wrong because active-passive failover provides redundancy but does not inherently maintain session state; if the active region fails, sessions are lost unless state is replicated externally. Option B is wrong because geo-routing with DNS directs users to the nearest region based on geographic location, but it does not ensure session persistence; subsequent requests from the same user could be routed to different servers, breaking session state. Option D is wrong because round-robin load balancing distributes requests evenly across servers without any session awareness, causing session state to be lost as each request may go to a different backend instance.

819
MCQhard

An organization uses Azure DevOps for CI/CD. They need to deploy a Bicep template that creates resources in multiple Azure regions. The deployment must be idempotent and handle dependencies between resources. Which Azure DevOps task should they use?

A.Azure PowerShell task with New-AzResourceGroupDeployment
B.Azure File Copy task
C.Azure CLI task with az deployment group create
D.Azure Resource Group Deployment task
AnswerD

This task is specifically designed for deploying ARM and Bicep templates, handling dependencies and idempotency.

Why this answer

The Azure Resource Group Deployment task in Azure DevOps can deploy ARM/Bicep templates and handle resource dependencies and idempotency through Azure Resource Manager.

820
Multi-Selecthard

A company is designing a multi-cloud strategy to ensure high availability across AWS and Azure. They want to use a global load balancer to route traffic based on latency. Which THREE components are required for this setup? (Select THREE.)

Select 3 answers
A.Health checks for endpoints in both clouds
B.A separate global load balancer in each cloud
C.A CDN to cache content at edge locations
D.A global DNS service like Amazon Route 53 or Azure DNS
E.Latency-based routing policy
AnswersA, D, E

Health checks ensure traffic is only sent to healthy endpoints.

Why this answer

Health checks, latency-based routing, and DNS services are essential. Global load balancers at each provider and a CDN are not required for latency-based routing.

821
Multi-Selecthard

A company is experiencing intermittent performance issues in a microservices application. Which TWO tools can help diagnose latency problems through distributed tracing? (Choose TWO)

Select 2 answers
A.AWS CloudWatch Logs
B.Azure Monitor
C.Azure Application Insights
D.AWS CloudTrail
E.AWS X-Ray
AnswersC, E

Application Insights provides distributed tracing.

Why this answer

AWS X-Ray and Azure Application Insights provide distributed tracing capabilities.

822
MCQhard

A hybrid cloud setup uses a site-to-site VPN between on-premises and a public cloud. Users report intermittent connectivity failures. Traceroutes show packets dropping after a specific hop. What is the most likely cause?

A.The routing tables on the cloud side are missing routes for the on-premises network.
B.The VPN tunnel is misconfigured with incorrect pre-shared keys.
C.The VPN gateway is overloaded due to too many tunnels.
D.The MTU setting on the VPN endpoint is too low, causing packet fragmentation.
AnswerD

Low MTU can cause packets to be dropped if DF flag is set.

Why this answer

Option C is correct because MTU mismatch can cause fragmentation issues leading to drops. Option A is incorrect because the VPN tunnel itself is up. Option B is incorrect as routing appears correct.

Option D is incorrect because authentication failures would drop the tunnel, not cause intermittent drops.

823
Multi-Selectmedium

A cloud administrator is optimizing costs for a batch processing workload that runs nightly for 2 hours. The workload can tolerate interruptions. Which THREE purchasing options should the administrator consider? (Choose three.)

Select 3 answers
A.Preemptible VMs
B.Spot instances
C.Dedicated hosts
D.Reserved instances
E.On-demand instances
AnswersA, B, E

Preemptible VMs are cost-effective and can be interrupted, ideal for batch jobs.

Why this answer

Spot/Preemptible instances are ideal for fault-tolerant workloads. On-demand can be used but is more expensive. Reserved instances are for steady-state.

Savings plans are like reserved. So best three: Spot, Preemptible, and On-demand with auto-scaling (but on-demand is not the best; however, the question asks for which to consider. Actually, three correct: Spot, Preemptible, and maybe On-demand as a fallback? But typical answer: Spot, Preemptible, and On-demand (for baseline).

However, let's design: Spot, Preemptible, and On-demand (since the workload runs only 2 hours, reserved not economical). I'll make three correct: A, B, D.

824
MCQmedium

A financial services firm requires a cloud deployment that keeps sensitive customer data on-premises while bursting compute-intensive risk analysis workloads to a public cloud during peak times. Which deployment model best meets this requirement?

A.Hybrid cloud
B.Public cloud
C.Multi-cloud
D.Private cloud
AnswerA

Correct. Hybrid cloud allows data to remain on-premises while bursting workloads to public cloud.

Why this answer

Hybrid cloud connects on-premises infrastructure with public cloud, enabling data residency and burst capacity.

825
Multi-Selecthard

Which THREE of the following are essential components of a cloud incident response plan? Select three.

Select 3 answers
A.Data backup schedule
B.Cost optimization strategies
C.Root cause analysis
D.Communication plan
E.Containment procedures
AnswersC, D, E

Identifies the underlying cause to prevent recurrence.

Why this answer

Options A, B, and D are correct because communication, root cause analysis, and containment are critical to incident response. Cost optimization and backup schedule are operational concerns.

Page 10

Page 11 of 14

Page 12