CompTIA Cloud+ CV0-004 (CV0-004) — Questions 901975

984 questions total · 14pages · All types, answers revealed

Page 12

Page 13 of 14

Page 14
901
MCQmedium

A company uses a configuration management tool to enforce desired state on cloud servers. During an audit, it is discovered that some servers have deviated from the baseline configuration. The administrator runs a report and finds that the configuration management agent was not running on those servers. Which of the following is the BEST solution to ensure continuous compliance?

A.Reinstall the configuration management agent on all servers.
B.Remove the drifit servers from the environment and rebuild them.
C.Manually update the configuration on the deviated servers.
D.Implement a periodic compliance scan and auto-remediation job.
AnswerD

Automated scans and remediation enforce continuous compliance.

Why this answer

Option D is correct because it automates the detection and correction of configuration drift without manual intervention. By implementing a periodic compliance scan (e.g., using AWS Config rules or Azure Policy) coupled with an auto-remediation action (e.g., a Lambda function or runbook), the system can restart the configuration management agent or reapply the desired state automatically, ensuring continuous compliance even if the agent stops temporarily.

Exam trap

The trap here is that candidates focus on fixing the immediate deviation (options A, B, or C) rather than implementing a proactive, automated process to detect and correct future agent failures, which is the core of continuous compliance in cloud operations.

How to eliminate wrong answers

Option A is wrong because reinstalling the agent does not address the root cause of why the agent stopped running; it only provides a temporary fix without ensuring the agent remains active. Option B is wrong because removing and rebuilding servers is an extreme, disruptive approach that does not scale and does not prevent future agent failures. Option C is wrong because manual updates are error-prone, do not scale across multiple servers, and do not provide a mechanism to detect or correct future deviations automatically.

902
MCQeasy

Which of the following is a benefit of using a Web Application Firewall (WAF)?

A.Filtering malicious HTTP/HTTPS traffic to a web application
B.Encrypting data at rest in a database
C.Protecting against DDoS attacks at the network layer
D.Managing user identities and access
AnswerA

WAFs analyze HTTP/HTTPS requests and block malicious ones.

Why this answer

WAFs protect web applications from common attacks like SQL injection, cross-site scripting, and other OWASP Top 10 threats by filtering and monitoring HTTP/HTTPS traffic.

903
MCQhard

A company uses a public cloud IaaS model to host a database. They want to ensure the database remains available if an entire availability zone fails. Which configuration would provide the highest availability with automatic failover?

A.Use a single database instance with automated snapshots to a different region
B.Deploy the database in a single availability zone with multiple EC2 instances
C.Use a read replica in a different region with asynchronous replication
D.Deploy the database with a stand-by replica in a different availability zone using synchronous replication
AnswerD

Synchronous replication and automatic failover protect against zone failure.

Why this answer

Option D is correct because deploying a database with a stand-by replica in a different availability zone using synchronous replication ensures that all committed transactions are written to both the primary and the stand-by before acknowledging the client. This provides automatic failover with zero data loss (RPO=0) and high availability, as the stand-by replica can immediately take over if the entire availability zone fails.

Exam trap

Cisco often tests the distinction between high availability (automatic failover within the same region) and disaster recovery (manual or automated recovery to a different region), and the trap here is that candidates confuse a read replica or cross-region snapshot with a true high-availability solution that provides automatic failover and zero data loss.

How to eliminate wrong answers

Option A is wrong because automated snapshots to a different region provide point-in-time recovery but do not enable automatic failover; the database would still be unavailable until a manual restore is performed, resulting in significant downtime. Option B is wrong because deploying multiple EC2 instances in a single availability zone does not protect against an availability zone failure; if the entire zone fails, all instances become unavailable simultaneously. Option C is wrong because a read replica in a different region with asynchronous replication is designed for read scaling and disaster recovery, not for automatic failover with high availability; asynchronous replication introduces replication lag, which can cause data loss (RPO > 0) and failover is not automatic.

904
MCQhard

A DevOps team is implementing a canary deployment for a microservice running on Amazon ECS. They want to gradually shift 10% of traffic to the new version and automatically roll back if error rates exceed 1% in 5 minutes. Which combination of services should they use?

A.AWS CloudFormation and SSM
B.AWS Lambda and Step Functions
C.AWS CodeDeploy with CloudWatch alarms
D.AWS Elastic Beanstalk and Route 53
AnswerC

CodeDeploy supports canary deployments and integrates with CloudWatch alarms for automatic rollback.

Why this answer

AWS CodeDeploy natively supports canary deployments for Amazon ECS, allowing you to specify a traffic shift percentage (e.g., 10%) and integrate with CloudWatch alarms to automatically trigger a rollback when error rates exceed a defined threshold (e.g., 1% over 5 minutes). This combination directly fulfills the gradual traffic shifting and automated rollback requirements without custom scripting.

Exam trap

Cisco often tests the misconception that any orchestration service (like Step Functions) is equivalent to a native deployment service, but the key is that CodeDeploy provides built-in traffic shifting and alarm-based rollback without custom code, which is the exact requirement in the question.

How to eliminate wrong answers

Option A is wrong because AWS CloudFormation and SSM are infrastructure provisioning and management tools; they do not provide built-in traffic shifting or automated rollback based on error rate thresholds for ECS deployments. Option B is wrong because AWS Lambda and Step Functions can orchestrate custom deployment logic but require significant custom code to implement traffic shifting and alarm-based rollback, whereas CodeDeploy offers this natively. Option D is wrong because AWS Elastic Beanstalk is a PaaS service that does not support canary deployments for ECS microservices, and Route 53 is a DNS service that cannot shift traffic at the application load balancer level for ECS tasks.

905
MCQeasy

A cloud engineer is managing infrastructure as code using Terraform. Which command should be run to preview changes before applying them to the cloud environment?

A.terraform apply
B.terraform destroy
C.terraform plan
D.terraform init
AnswerC

Correct. It shows the execution plan without making any changes.

Why this answer

The terraform plan command creates an execution plan, showing what actions Terraform will take to change the infrastructure. It is used as a dry run before applying changes.

906
MCQhard

A company uses a cloud provider's IAM service to manage access. An administrator creates a new IAM role for an application running on an EC2 instance to access an S3 bucket. The application is unable to read objects from the bucket, even though the role has an attached policy that allows s3:GetObject on the bucket. The administrator verifies that the instance is correctly associated with the role. What is the most likely cause?

A.The S3 bucket policy denies access to the role.
B.The role's trust policy does not allow the EC2 service to assume the role.
C.The role's permissions policy has a condition key that restricts access to a specific IP range.
D.The instance's security group is blocking outbound traffic to S3.
AnswerC

A condition like ipAddress could limit access to allowed IPs, and the instance's IP may not be included.

Why this answer

Option D is correct because a condition (e.g., ipAddress) could restrict access if the instance's IP is not in the allowed range. Option A is wrong but plausible; bucket policy could deny, but the stem doesn't indicate that. Option B is wrong because if the trust policy were wrong, the instance wouldn't get the role credentials.

Option C is wrong because S3 uses HTTPS, and security groups outbound all is default.

907
MCQmedium

A DevOps team is deploying a containerized application to Google Kubernetes Engine (GKE). The team wants to automate the deployment of the application along with its dependencies, such as ConfigMaps and Services, using a single package. Which tool should the team use?

A.Helm charts
B.kubectl apply with multiple manifest files
C.Kustomize overlays
D.Docker Compose
AnswerA

Helm packages Kubernetes resources as charts.

Why this answer

Helm charts package Kubernetes resources into a single deployable unit. Docker Compose is for local development, not production. kubectl apply can apply manifests but not as a package manager. Kustomize overlays but not package management.

908
MCQeasy

A company deployed a web application on an EC2 instance in a public subnet. The instance passes status checks and has a public IP address. The security group allows HTTP (80) from 0.0.0.0/0. Users report that the website is not accessible. What should the administrator check next?

A.The network ACL inbound rules.
B.The route table for the subnet.
C.The instance's operating system firewall.
D.The instance's user data script.
AnswerA

Network ACLs are stateless and can block inbound traffic even if the security group allows it.

Why this answer

The security group allows HTTP (80) from 0.0.0.0/0, so inbound traffic is permitted at the instance level. However, the network ACL (NACL) is a stateless firewall that operates at the subnet level. If the NACL inbound rules do not explicitly allow HTTP traffic from the internet (e.g., port 80 from 0.0.0.0/0), the traffic will be dropped before it reaches the EC2 instance, even though the security group allows it.

Since the instance passes status checks and has a public IP, the most likely remaining issue is the NACL.

Exam trap

Cisco often tests the distinction between stateful security groups and stateless network ACLs, trapping candidates who assume that allowing traffic in the security group is sufficient without checking the subnet-level NACL.

How to eliminate wrong answers

Option B is wrong because the route table for the subnet must have a route to an internet gateway (IGW) for public internet access, but the instance has a public IP and is in a public subnet, so the route table is likely already correctly configured; checking it again is less immediate than verifying the NACL. Option C is wrong because the instance's operating system firewall (e.g., iptables or Windows Firewall) could block traffic, but the question states the instance passes status checks and has a public IP, and the security group allows HTTP; the OS firewall is a possible secondary check but not the next logical step after confirming security group rules, and the NACL is a more common oversight in AWS networking. Option D is wrong because the instance's user data script runs only at launch and is used for bootstrapping; it would not affect ongoing network accessibility unless it misconfigured the web server, but the question indicates the instance is running and passes status checks, so user data is not the immediate cause.

909
MCQhard

A company runs a stateless web application on AWS EC2 instances behind an Application Load Balancer. The application experiences varying traffic patterns, with spikes on weekdays. The company wants to minimize costs while ensuring performance during spikes. Which combination of purchasing options and scaling strategy is most cost-effective?

A.Spot instances for all capacity with a large buffer
B.On-demand instances for baseline and reserved instances for spikes
C.Reserved instances for baseline capacity and spot instances for spikes
D.Reserved instances for baseline capacity and on-demand instances for spikes
AnswerD

Reserved instances cover predictable load, reducing cost; on-demand instances handle variable spikes.

Why this answer

Using spot instances for the baseline capacity is risky because spot instances can be interrupted, causing instability. Reserved instances provide a discount for steady-state usage, and on-demand instances handle spikes. Auto-scaling with on-demand only would be more expensive.

Spot instances for the entire workload are unreliable.

910
Multi-Selecthard

Which THREE are common tasks in a CI/CD pipeline? (Select THREE.)

Select 3 answers
A.Manual code review by a senior developer
B.Handwritten notes for deployment steps
C.Source code checkout from version control
D.Deployment to a staging or production environment
E.Automated testing (unit, integration, etc.)
AnswersC, D, E

CI starts with fetching code from a repository.

Why this answer

Source code checkout from version control is a fundamental first step in any CI/CD pipeline. The pipeline agent must retrieve the latest code from a repository (e.g., Git) to build, test, and deploy the application. Without this checkout, subsequent automated steps have no codebase to work with.

Exam trap

CompTIA often tests the distinction between manual, human-in-the-loop activities (like code review or handwritten notes) and fully automated, scripted steps that are essential to a CI/CD pipeline, leading candidates to mistakenly include manual tasks as pipeline tasks.

911
Multi-Selectmedium

A company's application is unable to connect to a managed cloud database. The database is deployed in a VPC with public accessibility disabled. The application runs on an EC2 instance in the same VPC. Which three troubleshooting steps should the administrator take? (Choose three.)

Select 3 answers
A.Ensure the VPC has an internet gateway attached.
B.Check the network ACL associated with the database subnet for appropriate rules.
C.Verify that the database endpoint is correctly configured in the application.
D.Verify that the EC2 instance has a public IP address.
E.Check the security group for the database to ensure it allows inbound traffic from the EC2 instance's security group.
AnswersB, C, E

Network ACLs are stateless and can block traffic if rules are not correctly configured.

Why this answer

Options B, C, and E are correct. Option A is wrong because a public IP is not needed for same VPC communication. Option D is wrong because an internet gateway is not needed for internal traffic.

B checks security group inbound, C verifies the endpoint configuration, and E checks network ACLs.

912
MCQmedium

A cloud administrator needs to apply security patches to a fleet of EC2 instances running Windows Server. The patches must be applied during a maintenance window to minimize downtime. Which AWS service can automate patching?

A.AWS CloudFormation
B.AWS Systems Manager Patch Manager
C.AWS Config
D.Amazon Inspector
AnswerB

Patch Manager automates OS patching and integrates with maintenance windows.

Why this answer

AWS Systems Manager Patch Manager automates the process of patching managed instances with security updates and allows you to define maintenance windows.

913
MCQmedium

A cloud engineer needs to deploy a virtual machine with a specific configuration that includes a custom script to install software after boot. The deployment must be repeatable and version-controlled. Which approach should be used?

A.Run a shell script after the VM is deployed
B.Create a golden image with the software pre-installed
C.Manually install software after creating the VM
D.Use an Infrastructure as Code template with a user data script
AnswerD

IaC provides repeatable, version-controlled deployments.

Why this answer

Option D is correct because Infrastructure as Code (IaC) templates, such as AWS CloudFormation or Azure Resource Manager, allow you to define the entire VM configuration declaratively, including a user data script that runs custom software installation commands at first boot. This approach ensures repeatability, version control through template files stored in Git, and automated deployment without manual intervention.

Exam trap

CompTIA often tests the distinction between static golden images and dynamic IaC with user data, where candidates mistakenly choose the golden image option because they think it is more reliable, but the question specifically requires repeatability and version control, which IaC provides through code-based templates.

How to eliminate wrong answers

Option A is wrong because running a shell script after deployment is a manual or ad-hoc step that is not inherently repeatable or version-controlled; it relies on external execution and does not capture the configuration in a template. Option B is wrong because a golden image with pre-installed software is static and requires manual updates to the image for each software change, making it less flexible for version-controlled, repeatable deployments compared to IaC with user data. Option C is wrong because manually installing software after creating the VM is error-prone, not repeatable, and cannot be version-controlled, violating the core requirements of the question.

914
MCQmedium

A company recently migrated an application to the cloud. The application uses a load balancer in front of multiple EC2 instances. After the migration, users report that they occasionally receive 'Connection refused' errors. The administrator checks the load balancer health check logs and finds that some instances are marked unhealthy intermittently. The application's health check endpoint returns HTTP 200 when tested manually from the admin's workstation. What is the most likely cause?

A.The health check interval is too short
B.Security group rules blocking the load balancer health checks
C.The instances are running out of memory
D.The application is not binding to the correct IP address
AnswerB

If the security group blocks health check traffic, the load balancer may intermittently mark instances unhealthy.

Why this answer

Option A is correct because if the security group does not allow traffic from the load balancer's health check source, the health checks will fail intermittently. Option B is wrong because a short interval would not cause intermittent failures; it would cause constant failures. Option C is wrong because the application binding to an incorrect IP would cause constant failures, not intermittent.

Option D is wrong because memory exhaustion would cause overall application failure, not just health checks.

915
Multi-Selecthard

A cloud administrator is troubleshooting a performance issue where a web application is responding slowly. The application runs on virtual machines in a private cloud. The administrator has verified that CPU and memory utilization are within normal limits. Which TWO additional metrics should the administrator check to diagnose the issue?

Select 2 answers
A.Number of running processes
B.Network latency between the application and database servers
C.Disk I/O wait time on the hypervisor
D.Virtual machine snapshot size
E.Hypervisor version
AnswersB, C

High network latency can cause slow response times even if CPU and memory are fine, as the application waits for database queries.

Why this answer

Network latency between the application and database servers is a critical metric because slow database queries or network congestion can cause the web application to respond slowly even when CPU and memory on the VMs are normal. High latency increases round-trip time for SQL queries, directly impacting page load times. Disk I/O wait time on the hypervisor is also essential because excessive I/O wait indicates storage contention, which can throttle read/write operations for the VMs, leading to application sluggishness.

Exam trap

CompTIA often tests the distinction between VM-level metrics (CPU/memory) and infrastructure-level metrics (network/storage), trapping candidates who overlook that application performance can degrade due to external dependencies even when the VM itself appears healthy.

916
MCQmedium

A cloud architect is designing a multi-tier web application in a cloud environment. The application must handle unpredictable traffic spikes while minimizing costs. The architect decides to use auto-scaling groups for the web tier and a managed database service for the data tier. Which additional design consideration is MOST important to ensure the application remains available during a regional outage?

A.Distribute the auto-scaling group across multiple availability zones
B.Configure the auto-scaling group to burst into on-premises resources during spikes
C.Increase the size of the web tier instances to handle more traffic
D.Use a read replica of the database to distribute read traffic
AnswerA

Multi-AZ deployment ensures high availability during zone failures.

Why this answer

Distributing the auto-scaling group across multiple Availability Zones (AZs) ensures that if one AZ fails, the web tier continues to serve traffic from the remaining AZs. This is the most critical design consideration for maintaining availability during a regional outage because it provides fault isolation at the AZ level, which is a fundamental principle of high availability in cloud architecture.

Exam trap

CompTIA often tests the misconception that scaling up (increasing instance size) or using read replicas alone can provide high availability, when in fact only distributing resources across multiple Availability Zones ensures fault tolerance against an AZ outage.

How to eliminate wrong answers

Option B is wrong because bursting into on-premises resources introduces latency, security, and connectivity dependencies that are not designed for cloud-native auto-scaling and would not help during a regional cloud outage. Option C is wrong because increasing instance size improves performance but does not provide redundancy or fault tolerance against an AZ or regional failure. Option D is wrong because a read replica only offloads read traffic and does not provide write availability or failover capability during a regional outage; it is not a substitute for multi-AZ deployment.

917
MCQeasy

A company is migrating its on-premises data center to the cloud. The current backup solution uses a tape library. The company wants to implement a cloud-based backup strategy that ensures data durability and rapid restoration. Which of the following is the BEST option?

A.Use cloud virtual tape library (VTL).
B.Use cloud storage with versioning and lifecycle policies.
C.Use block storage snapshots.
D.Use a third-party backup software that backs up to cloud storage.
AnswerB

Versioning protects against accidental deletion/corruption and allows immediate restore; lifecycle policies automate tiering for cost.

Why this answer

Option A is correct because cloud storage with versioning and lifecycle policies provides high durability (redundant storage) and allows quick restore of previous versions. Option B is wrong because virtual tape libraries (VTL) may have slower restore times. Option C is wrong because third-party backup software may add complexity and does not inherently ensure rapid restoration.

Option D is wrong because block storage snapshots are designed for cloud instances, not on-premises data migration.

918
MCQhard

The exhibit shows VPC flow log entries for an EC2 instance (eni-12345678). The administrator is troubleshooting a connectivity problem where an application on 10.0.1.5 occasionally cannot connect to a web server at 10.0.2.10 on port 80. What action should the administrator take?

A.Increase the MTU on the instance to 9001.
B.Add a security group rule allowing inbound TCP/80 from 10.0.1.5.
C.Add a network ACL rule allowing inbound TCP/80 from 10.0.1.5 to the subnet of 10.0.2.10.
D.Add a route to the VPC route table for 10.0.1.5.
AnswerC

NACLs are stateless and require explicit inbound rules; the REJECT indicates a NACL block.

Why this answer

Option B is correct because the REJECT entry indicates that traffic is being blocked by a stateless firewall (NACL) because security groups are stateful and would not generate REJECT at network level. The REJECT is from a NACL. Adding an inbound allow rule in NACL for the target subnet would fix it.

Option A is wrong because security groups are stateful and allow return traffic; the initial connection may be allowed but not specified; but flow logs show REJECT which is typical from NACL. Option C is wrong because routes are for routing, not filtering. Option D is wrong because MTU doesn't cause reject.

919
MCQhard

A company uses a hybrid cloud model with an AWS Direct Connect connection to its on-premises network. Users report intermittent connectivity to cloud resources. A network engineer finds packet loss on the Direct Connect virtual interface. Which of the following should be checked FIRST to resolve the issue?

A.The physical port status of the Direct Connect router
B.The MTU setting on the on-premises firewall
C.The BGP session status between the on-premises router and the AWS Direct Connect endpoint
D.The VPN tunnel status for the Direct Connect link
AnswerC

BGP flapping can cause intermittent packet loss and connectivity issues.

Why this answer

Intermittent packet loss on a Direct Connect virtual interface is most commonly caused by BGP session flapping or misconfiguration, as BGP is the routing protocol that establishes and maintains connectivity between the on-premises router and the AWS Direct Connect endpoint. Checking the BGP session status first allows the engineer to quickly identify if the issue is due to route advertisement problems, hold timer mismatches, or session resets, which are frequent root causes of intermittent packet loss.

Exam trap

The trap here is that candidates often confuse Direct Connect with VPN-based connections and assume a VPN tunnel is involved, leading them to check VPN status (Option D) instead of the BGP session that actually governs the virtual interface routing.

How to eliminate wrong answers

Option A is wrong because the physical port status of the Direct Connect router would show a hard failure (e.g., link down) rather than intermittent packet loss; intermittent issues are rarely caused by physical port problems unless there is a duplex mismatch or cable fault, but these are less likely to be the first check. Option B is wrong because MTU settings on the on-premises firewall typically cause fragmentation or black-hole issues for large packets, not intermittent packet loss across all traffic; MTU mismatches usually result in consistent packet drops for packets exceeding the MTU, not sporadic loss. Option D is wrong because Direct Connect does not use a VPN tunnel; it is a dedicated physical connection, and VPN tunnels are used for AWS Site-to-Site VPN, not Direct Connect virtual interfaces.

920
MCQeasy

A cloud architect is designing a network to protect a web application from common attacks such as SQL injection and cross-site scripting. Which cloud service should be used?

A.DDoS Protection
B.Network ACL
C.Web Application Firewall (WAF)
D.Security Group
AnswerC

WAF protects against OWASP top 10 attacks at the application layer.

Why this answer

A Web Application Firewall (WAF) inspects HTTP traffic and blocks web exploits like SQL injection and XSS.

921
MCQmedium

A cloud administrator receives an alert that the CPU usage on a virtual machine has spiked to 100% for 10 minutes. The VM hosts a critical application. What is the best first step?

A.Check the VM's performance metrics for the last hour to identify the process causing the spike.
B.Immediately reboot the VM.
C.Move the VM to a different host.
D.Increase the VM's CPU limits.
AnswerA

Identifying the root cause through metrics is the best first step before any remediation.

Why this answer

Checking the VM's performance metrics for the last hour is the best first step because it allows the administrator to identify the specific process or application causing the CPU spike without disrupting service. This diagnostic approach aligns with the ITIL problem management framework, which emphasizes root cause analysis before taking corrective action. In a virtualized environment, tools like vCenter Performance Charts or Hyper-V Performance Monitor can pinpoint whether the spike is due to a runaway process, a memory leak, or a scheduled task, enabling a targeted resolution.

Exam trap

The trap here is that candidates often jump to immediate remediation actions like rebooting or migrating the VM, overlooking the fundamental troubleshooting principle of gathering diagnostic data first to avoid recurring issues and unnecessary downtime.

How to eliminate wrong answers

Option B is wrong because immediately rebooting the VM is a reactive measure that may temporarily clear the symptom but does not address the root cause, and it causes unnecessary downtime for a critical application. Option C is wrong because moving the VM to a different host (vMotion) only shifts the resource contention to another physical server without resolving the underlying process issue, and it may not help if the spike is application-specific. Option D is wrong because increasing the VM's CPU limits without first investigating the cause can mask the problem, potentially leading to resource starvation for other VMs and violating capacity planning best practices.

922
MCQmedium

A cloud administrator needs to perform a disaster recovery test for a critical application running in a different AWS region. The RTO is 1 hour, and the RPO is 15 minutes. Which replication strategy should be used to meet the RPO?

A.Hourly snapshot-based replication
B.Daily snapshot-based replication
C.Cross-region replication with eventual consistency
D.Continuous replication
AnswerD

Continuous replication provides near real-time data replication, easily meeting a 15-minute RPO.

Why this answer

Continuous replication ensures data is replicated with minimal lag, typically meeting a 15-minute RPO. Snapshot-based replication would have longer intervals.

923
Multi-Selecteasy

A cloud administrator wants to set up cost monitoring and receive alerts when spending exceeds the budget. Which TWO AWS services should they use? (Select TWO.)

Select 2 answers
A.Amazon CloudWatch Billing Metrics
B.AWS Trusted Advisor
C.AWS Budgets
D.AWS Cost Explorer
E.AWS Config
AnswersC, D

AWS Budgets can send alerts when actual or forecasted costs exceed budgeted amounts.

Why this answer

AWS Budgets allows you to set custom budgets and receive alerts when costs exceed thresholds. Cost Explorer provides visualization and analysis of costs and usage.

924
MCQmedium

A security engineer is configuring a network security group (NSG) in Azure to allow inbound HTTPS traffic to a web server. The engineer creates an inbound rule allowing TCP port 443 from the Internet. What must be done to ensure the web server can respond to clients?

A.Create an outbound rule allowing all traffic to the Internet.
B.Create an inbound rule allowing TCP port 443 from the web server.
C.Create an outbound rule allowing TCP port 443 to the Internet.
D.No additional rule is needed because the NSG is stateful.
AnswerD

Stateful firewalls track connection state and allow return traffic.

Why this answer

NSGs are stateful; allowing inbound traffic automatically allows the corresponding outbound response traffic.

925
MCQeasy

A cloud administrator needs to deploy a new application that requires a static IP address. The administrator is using a cloud provider that allows the reservation of elastic IP addresses. Which deployment step should be taken to ensure the IP address is not lost when the resource is stopped?

A.Configure the instance to obtain an IP via DHCP.
B.Allocate an elastic IP address and associate it with the resource.
C.Assign a private IP address from a reserved range.
D.Set up an external DNS service to point to the public IP.
AnswerB

Elastic IPs are static and persist independent of instance state.

Why this answer

Elastic IP addresses are static public IPv4 addresses that you can allocate to your account and associate with a resource. When you associate an elastic IP with an instance, it persists even if the instance is stopped, because the IP is reserved in your account until you explicitly release it. This ensures the IP address is not lost when the resource is stopped, unlike ephemeral public IPs that change on stop/start.

Exam trap

CompTIA often tests the distinction between ephemeral public IPs (which are lost on stop/start) and elastic/reserved IPs (which persist), and the trap here is that candidates may confuse a static private IP (Option C) with a static public IP, or think DNS alone (Option D) can prevent IP loss.

How to eliminate wrong answers

Option A is wrong because configuring DHCP only assigns a dynamic private IP address, which does not provide a static public IP and may change on stop/start. Option C is wrong because assigning a private IP from a reserved range gives a static private address, but the question requires a static public IP address for external access. Option D is wrong because setting up an external DNS service only maps a domain name to an IP; it does not prevent the underlying public IP from changing when the instance is stopped.

926
MCQmedium

A security engineer is configuring an AWS IAM policy for a new application. The policy must allow the application to read objects from a specific S3 bucket. Which IAM policy element determines whether the action is allowed or denied?

A.Effect
B.Action
C.Resource
D.Condition
AnswerA

Effect is set to 'Allow' or 'Deny' to permit or block the action.

Why this answer

The Effect element in an IAM policy specifies whether the policy allows or denies the requested action.

927
MCQeasy

A cloud engineer is writing Terraform code to provision AWS resources. They need to define the cloud provider and authentication details. Which block should they use in their HCL configuration?

A.resource block
B.provider block
C.variable block
D.module block
AnswerB

The provider block configures the cloud provider and authentication.

Why this answer

In Terraform, the provider block is used to configure the cloud provider (e.g., AWS, Azure, GCP) and specify authentication settings such as region and credentials.

928
MCQeasy

A company experiences a cloud service outage that affects multiple customers. The cloud provider publishes a post-incident report identifying the root cause. As a cloud administrator, which of the following actions should be taken to prevent recurrence?

A.Request a service credit from the provider for the outage
B.Submit a formal complaint to the cloud provider's regulatory body
C.Design the application to be deployed across multiple availability zones or regions
D.Migrate all workloads to a different cloud provider immediately
AnswerC

Redundancy improves resilience to provider outages.

Why this answer

Option C is correct because designing the application for multi-AZ or multi-region deployment ensures high availability and fault tolerance, which directly mitigates the impact of a single cloud provider's infrastructure failure. This architectural pattern leverages redundancy to maintain service continuity even when one availability zone or region experiences an outage, preventing recurrence of customer-facing downtime.

Exam trap

The trap here is that candidates may confuse reactive measures (service credits, complaints) or drastic migrations with the proactive, architectural solution that actually prevents recurrence, which is the core focus of the question.

How to eliminate wrong answers

Option A is wrong because requesting a service credit addresses financial compensation for the outage, not the technical prevention of future occurrences. Option B is wrong because submitting a formal complaint to a regulatory body may address contractual or compliance issues but does not implement any technical changes to prevent recurrence. Option D is wrong because migrating all workloads to a different cloud provider immediately is an extreme, costly, and time-consuming reaction that does not guarantee prevention of similar outages with the new provider; it also ignores the root cause analysis and the possibility of architectural improvements within the current provider.

929
MCQmedium

A cloud administrator notices that a cloud-based web application is experiencing intermittent latency during peak hours. The application runs on an auto-scaling group of virtual machines behind a load balancer. Which of the following should the administrator investigate FIRST to resolve the issue?

A.Review the auto-scaling group's scaling policies and thresholds
B.Enable SSL offloading on the load balancer
C.Verify the load balancer's health check interval
D.Check DNS resolution times for the application domain
AnswerA

Incorrect scaling policies can lead to insufficient capacity during peak times, causing latency.

Why this answer

The intermittent latency during peak hours is most likely caused by the auto-scaling group's scaling policies not reacting quickly enough or being set with thresholds that are too high, leading to insufficient capacity under load. Investigating the scaling policies and thresholds first directly addresses the root cause—whether the group is adding instances too slowly or at too high a utilization trigger—rather than symptoms like health checks or DNS. This aligns with the operational best practice of verifying capacity management before tuning network or load-balancer settings.

Exam trap

The trap here is that candidates confuse load balancer tuning (SSL offloading, health checks) with capacity issues, overlooking that auto-scaling policies directly control the number of instances available to handle peak load.

How to eliminate wrong answers

Option B is wrong because enabling SSL offloading on the load balancer reduces CPU overhead on backend VMs but does not address insufficient capacity during peak hours; it is a performance optimization, not a scaling fix. Option C is wrong because verifying the load balancer's health check interval checks instance health status, not scaling responsiveness; a misconfigured health check might cause traffic misrouting but not intermittent latency from under-provisioning. Option D is wrong because checking DNS resolution times addresses client-side name resolution delays, which are unrelated to backend capacity or auto-scaling behavior; DNS caching typically masks such issues and does not cause intermittent peak-hour latency.

930
Multi-Selecthard

A company is migrating on-premises storage to Google Cloud Storage (GCS) using Storage Transfer Service. The source is an on-premises NAS with 100 TB of data. Which THREE considerations are relevant for this migration? (Select THREE.)

Select 3 answers
A.The possibility to schedule periodic transfers for ongoing sync
B.Data integrity verification using checksums
C.Requirement to install an agent on the NAS
D.Network bandwidth between on-premises and GCP
E.The need for a physical appliance like Snowball Edge
AnswersA, B, D

Storage Transfer Service supports recurring transfers for continuous synchronization.

Why this answer

Storage Transfer Service supports online transfers from sources like Amazon S3, HTTP/HTTPS, and on-premises via a staging area. Bandwidth, data integrity, and transfer time are key considerations.

931
MCQeasy

According to the shared responsibility model, which of the following is the cloud provider responsible for?

A.Operating system patching
B.Physical infrastructure security
C.Application code security
D.Identity and access management configuration
AnswerB

The provider secures the physical data centers.

Why this answer

The cloud provider is responsible for the physical infrastructure, hypervisor, and global network, while the customer is responsible for OS patching, IAM, data encryption, etc.

932
Multi-Selectmedium

A company wants to implement automated patching for their cloud resources. Which TWO services are designed for patch management?

Select 2 answers
A.Amazon Inspector
B.GCP Cloud Audit Logs
C.AWS Config
D.Azure Update Management
E.AWS Systems Manager Patch Manager
AnswersD, E

Update Management handles patching on Azure.

Why this answer

AWS Systems Manager Patch Manager and Azure Update Management are dedicated patch management services.

933
MCQhard

A cloud administrator is troubleshooting a performance issue where an application occasionally experiences high latency. The application runs on AWS and uses EC2, ELB, and RDS. Which combination of tools would best help trace the request flow and identify the bottleneck?

A.AWS X-Ray and VPC Flow Logs
B.AWS Trusted Advisor and AWS Personal Health Dashboard
C.Amazon CloudWatch Logs and AWS Shield
D.AWS CloudTrail and AWS Config
AnswerA

X-Ray traces requests across services; VPC Flow Logs show network latency.

Why this answer

AWS X-Ray provides end-to-end tracing, and VPC Flow Logs capture network traffic details, together helping pinpoint latency sources.

934
Multi-Selectmedium

A cloud architect is designing a CI/CD pipeline for a microservices application deployed on AWS. The pipeline should include stages for source code checkout, building, testing, and deploying to production. Which TWO of the following tools are suitable for implementing this pipeline?

Select 2 answers
A.Docker
B.CloudFormation
C.Terraform
D.GitHub Actions
E.AWS CodePipeline
AnswersD, E

GitHub Actions can create workflows for CI/CD.

Why this answer

GitHub Actions and AWS CodePipeline are both CI/CD services that can manage the entire pipeline lifecycle. Terraform and CloudFormation are IaC tools, and Docker is a containerization tool.

935
MCQeasy

A deployment of a new application version fails with a '503 Service Unavailable' error after a rolling update. The previous version was working. What is the most likely cause?

A.Database connection pool exhausted
B.DNS propagation delay
C.SSL certificate expired
D.New version missing a required dependency
AnswerD

Missing dependency can cause health check failure, resulting in 503.

Why this answer

A 503 Service Unavailable error during a rolling update typically indicates that the new application version cannot start or serve traffic. The most likely cause is a missing required dependency (e.g., a library, module, or runtime component) that the previous version did not need, causing the new pods or containers to fail readiness probes and be removed from the load balancer pool.

Exam trap

The trap here is that candidates often assume a 503 error always means server overload or scaling issues, but Cisco tests the nuance that a failing new version during a rolling update is more likely a dependency or configuration problem, not a capacity issue.

How to eliminate wrong answers

Option A is wrong because a database connection pool exhaustion would usually result in 500-level errors (e.g., 500 Internal Server Error) or timeouts, not a 503, and it is not specific to a rolling update failure of a new version. Option B is wrong because DNS propagation delay affects client-side resolution and would cause 'Server Not Found' or connection timeouts, not a 503 from an already-reachable service. Option C is wrong because an expired SSL certificate would produce TLS handshake failures (e.g., ERR_CERT_DATE_INVALID) or 502 Bad Gateway if the certificate is on the backend, but not a 503 Service Unavailable.

936
Multi-Selectmedium

A cloud security team is implementing the principle of least privilege for IAM roles. Which TWO actions are consistent with this principle?

Select 2 answers
A.Grant full administrative access to all users to simplify management
B.Regularly review and revoke unused permissions
C.Create custom roles with only the specific permissions needed for each job function
D.Use wildcard (*) permissions to allow all actions on a resource
E.Assign root user access to all developers
AnswersB, C

Removing unused permissions reduces attack surface.

Why this answer

Least privilege means granting only the permissions necessary for a task and periodically reviewing access.

937
Multi-Selectmedium

A cloud architect is designing a cost-optimized architecture for a batch processing workload that runs every hour for 10 minutes. The workload is fault-tolerant and can be interrupted. Which TWO pricing models should the architect consider to minimize costs? (Select TWO.)

Select 2 answers
A.Dedicated hosts
B.Savings plans
C.On-demand instances
D.Spot instances
E.Reserved instances
AnswersC, D

On-demand offers no commitment and can be used when spot instances are not available, but it's more expensive.

Why this answer

On-demand instances (C) are correct because they allow the architect to pay only for the compute capacity used per hour, with no upfront commitment, which is ideal for a short-duration (10-minute) batch workload that runs every hour. Spot instances (D) are correct because the workload is fault-tolerant and can be interrupted, enabling the use of spare cloud capacity at significantly discounted rates (often 60-90% off on-demand), further minimizing costs for this interruptible batch processing task.

Exam trap

Cisco often tests the misconception that reserved instances or savings plans are always cheaper for any recurring workload, but the trap here is that these require long-term commitments and are cost-inefficient for short-duration, interruptible batch jobs where spot instances provide greater savings without upfront risk.

938
MCQeasy

A cloud architect is designing a serverless application using Azure Functions. The function must process messages from an Azure Storage Queue. How should the architect configure the trigger?

A.Blob trigger
B.Event Grid trigger
C.Queue trigger
D.HTTP trigger with queue polling
AnswerC

Queue trigger is designed for Azure Storage Queue messages.

Why this answer

The correct answer is C because Azure Functions natively supports a Queue trigger that automatically polls an Azure Storage Queue for new messages and executes the function code when a message is detected. This is the simplest and most efficient way to process messages from a Storage Queue without custom polling logic.

Exam trap

Cisco often tests the distinction between native triggers (Queue trigger) and event-driven triggers (Event Grid, Blob), so candidates may mistakenly choose Event Grid because it is event-driven, but it does not directly integrate with Storage Queues without custom event subscriptions.

How to eliminate wrong answers

Option A is wrong because a Blob trigger is designed to respond to blob storage events (e.g., new or updated blobs), not queue messages. Option B is wrong because an Event Grid trigger handles events from Azure Event Grid, which is a separate event routing service, not a direct queue message source. Option D is wrong because an HTTP trigger with queue polling would require custom code to poll the queue, which defeats the purpose of using a built-in trigger and adds unnecessary complexity.

939
MCQhard

A company is moving a legacy monolithic application to the cloud. The application has interdependencies that make it difficult to refactor. The architect needs to minimize changes while gaining cloud benefits like elasticity and pay-as-you-go. Which migration strategy is BEST?

A.Retire
B.Repurchase
C.Refactor / Re-architect
D.Rehost (Lift and shift)
AnswerD

Rehost moves the existing application to the cloud with minimal changes, meeting the requirement.

Why this answer

Rehosting (lift and shift) is the best strategy because it moves the monolithic application to the cloud with minimal changes, preserving existing interdependencies. This allows the company to immediately gain cloud benefits like elasticity and pay-as-you-go pricing without refactoring the tightly coupled codebase. The application runs on cloud infrastructure (e.g., EC2 instances) as-is, leveraging auto-scaling and resource optimization.

Exam trap

CompTIA often tests the misconception that 'cloud-native benefits require refactoring,' but the trap here is that rehosting still provides elasticity and pay-as-you-go via infrastructure-level scaling, even without application changes.

How to eliminate wrong answers

Option A is wrong because retiring the application would eliminate it entirely, which does not meet the goal of gaining cloud benefits while keeping the application running. Option B is wrong because repurchasing involves replacing the application with a SaaS product, which requires significant changes and may not support the existing interdependencies. Option C is wrong because refactoring/re-architecting involves modifying the application code to break dependencies, which contradicts the requirement to minimize changes.

940
MCQmedium

A security auditor is reviewing the IAM configuration for a cloud account. The auditor finds that a user has permissions to create and delete resources in all services. Which principle of security is being violated?

A.Need to know
B.Defense in depth
C.Least privilege
D.Separation of duties
AnswerC

Least privilege requires minimal permissions; full access is a clear violation.

Why this answer

The principle of least privilege dictates that users should only have the minimum permissions necessary to perform their job functions. Granting full access to all services violates this principle.

941
Multi-Selectmedium

A cloud operations team is designing a disaster recovery plan that includes regular testing. Which TWO activities should be part of the DR testing process? (Select TWO.)

Select 2 answers
A.Updating security patches
B.Reviewing billing reports
C.Chaos engineering experiments
D.Scheduled DR drills
E.Performing daily backups
AnswersC, D

Chaos engineering proactively tests system resilience.

Why this answer

Scheduled drills validate the plan, and chaos engineering tests resilience.

942
MCQeasy

A cloud architect needs to monitor CPU utilization across a fleet of EC2 instances and receive an alert when the average CPU exceeds 80% for 10 minutes. Which AWS service should be used to collect the metric and trigger the alert?

A.AWS Systems Manager
B.AWS Config
C.AWS CloudTrail
D.Amazon CloudWatch
AnswerD

CloudWatch collects metrics and can set alarms.

Why this answer

CloudWatch collects metrics and can trigger alarms based on thresholds.

943
MCQhard

A company runs a critical application on a cloud VM that must achieve a 99.99% monthly uptime SLA. The VM is deployed in a single availability zone. The current architecture has no redundancy. What is the most effective design change to meet the SLA requirement?

A.Schedule daily backups to a different region
B.Deploy the application across two availability zones with a load balancer
C.Upgrade the VM to a larger instance type for better reliability
D.Add a second VM in the same availability zone with a load balancer
AnswerB

Multi-AZ deployment eliminates single zone as a point of failure, enabling failover and meeting 99.99% uptime.

Why this answer

Option B is correct because deploying the application across two availability zones with a load balancer provides high availability by eliminating a single point of failure. A 99.99% monthly uptime SLA requires a design that can withstand an entire availability zone failure, which a single-zone deployment cannot achieve. The load balancer distributes traffic to healthy VMs, automatically failing over if one zone becomes unavailable, thus meeting the SLA target.

Exam trap

CompTIA often tests the distinction between high availability (redundancy across zones) and disaster recovery (backups to another region), leading candidates to mistakenly choose backup solutions for uptime requirements.

How to eliminate wrong answers

Option A is wrong because daily backups to a different region provide disaster recovery, not high availability; they do not prevent downtime during an availability zone failure, as restoring from backup takes significant time and cannot achieve 99.99% uptime. Option C is wrong because upgrading to a larger instance type improves performance and may reduce hardware-related failures, but it does not protect against availability zone outages or other infrastructure failures that cause downtime. Option D is wrong because adding a second VM in the same availability zone with a load balancer still creates a single point of failure at the zone level; if the entire availability zone fails, both VMs become unavailable simultaneously.

944
Multi-Selectmedium

A cloud architect is designing a solution for a financial analytics application that requires consistent, low-latency block storage for a database. The database will be deployed on a virtual machine in a public cloud. Which TWO storage types are appropriate for this requirement? (Select TWO.)

Select 2 answers
A.Block storage (EBS / Azure Disk)
B.File storage (EFS / Azure Files)
C.Archive storage
D.Instance store
E.Object storage
AnswersA, D

Block storage provides low-latency, persistent storage for VMs.

Why this answer

Block storage (e.g., Amazon EBS, Azure Disk) is designed for low-latency, consistent performance for databases running on VMs. Instance store provides temporary block-level storage physically attached to the host, offering very low latency but is ephemeral. Object storage is not suitable for databases due to latency.

945
MCQhard

A company is migrating a 50 TB on-premises database to AWS RDS with minimal downtime. They plan to use AWS DMS with ongoing change data capture (CDC). Which additional AWS service should be used to handle the initial full load efficiently before enabling CDC replication?

A.Amazon S3 Transfer Acceleration
B.AWS Snowball Edge
C.AWS DataSync
D.AWS Database Migration Service (DMS)
AnswerB

Snowball Edge can physically transfer large data sets, then DMS continues with CDC.

Why this answer

AWS DMS can use Snowball Edge for large initial loads to avoid lengthy network transfers. S3 Transfer Acceleration speeds up uploads but is not optimal for 50 TB initial load. Database Migration Service is the tool itself.

DataSync is for file storage, not databases.

946
MCQmedium

A company runs a production application on multiple cloud regions for high availability. They want to minimize latency for global users. Which DNS routing policy should they use?

A.Latency routing
B.Failover routing
C.Geolocation routing
D.Simple routing
AnswerC

Correct. Geolocation routing directs users to the closest region.

Why this answer

Geolocation routing policy directs traffic based on the user's geographic location to reduce latency.

947
MCQmedium

A cloud administrator launches a new EC2 instance with a userdata script that installs a web server. The instance launches but the web server is not running. The administrator checks the cloud-init logs and sees the warning shown in the exhibit. What is the most likely cause?

A.The userdata script contains a syntax error.
B.The instance type does not have enough memory.
C.The instance does not have an IAM role assigned.
D.The security group does not allow HTTP traffic.
AnswerA

Syntax errors cause cloud-init modules to fail.

Why this answer

The warning in cloud-init logs indicates that the userdata script failed to execute, which most commonly occurs due to a syntax error in the script. Cloud-init processes userdata as a shell script by default, and any syntax error (e.g., missing quotes, incorrect commands) will cause the script to exit prematurely, preventing the web server from starting. The administrator confirmed the instance launched successfully, so the issue is isolated to the script execution, not infrastructure or permissions.

Exam trap

CompTIA often tests the misconception that security groups or IAM roles are the cause of application startup failures, but the trap here is that cloud-init warnings specifically point to script execution issues, not network or permission problems.

How to eliminate wrong answers

Option B is wrong because insufficient memory would cause the instance to fail to launch or the web server to crash after starting, not prevent the script from executing entirely; cloud-init logs would show OOM errors, not syntax warnings. Option C is wrong because an IAM role is not required to run userdata scripts or install software; it is only needed if the script calls AWS APIs (e.g., fetching files from S3), which is not indicated. Option D is wrong because security group rules control network access, not the execution of userdata scripts; the web server not running means it never started, so HTTP traffic rules are irrelevant.

948
MCQeasy

An organization wants to ensure that only authorized personnel can access the cloud management console. Which of the following is the BEST method to achieve this?

A.Enable multi-factor authentication (MFA) for all console users.
B.Implement strong password policies with complex passwords.
C.Disable the web console and require API access only.
D.Restrict console access to a specific IP address range.
AnswerA

MFA provides strong authentication by requiring two or more factors.

Why this answer

Multi-factor authentication (MFA) is the best method because it adds an additional layer of security beyond just a password, requiring a second factor (e.g., a time-based one-time password from an authenticator app or a hardware token). This significantly reduces the risk of unauthorized access even if credentials are compromised, as the attacker would also need the second factor. In cloud environments like AWS, Azure, or GCP, MFA is a fundamental security best practice for protecting the management console.

Exam trap

The trap here is that candidates often choose strong password policies (Option B) as the best method, overlooking that MFA is the industry-standard defense against credential compromise, not just password complexity.

How to eliminate wrong answers

Option B is wrong because while strong password policies are important, they are insufficient on their own; passwords alone can be phished, guessed, or brute-forced, and MFA provides a critical additional layer. Option C is wrong because disabling the web console and requiring API access only does not inherently improve security—API access still requires authentication and can be just as vulnerable if not protected with MFA or proper IAM roles, and it reduces operational flexibility. Option D is wrong because restricting console access to a specific IP address range can be bypassed by attackers using VPNs or compromised machines within that range, and it does not protect against credential theft or insider threats; it is a network-level control, not an identity-level control.

949
MCQmedium

An organization has a site-to-site VPN connection between its on-premises network and a cloud VPC. Users report intermittent connectivity to applications hosted in the cloud. The administrator checks the VPN tunnel status and sees it is up. However, ping tests from on-premises to a cloud instance fail at random times. Which factor should the administrator investigate first?

A.The on-premises firewall is blocking outbound ICMP.
B.The security group on the cloud instance is blocking ICMP.
C.The routing tables on the cloud VPC are missing routes for the on-premises network.
D.The VPN tunnel is experiencing packet loss due to a mismatch in the IPSec parameters.
AnswerD

Mismatched IPSec parameters can cause intermittent connectivity despite the tunnel appearing up.

Why this answer

Option C is correct because intermittent connectivity despite tunnel being up suggests packet loss or misconfiguration in IPSec (e.g., mismatched phase 2 parameters). Option A is wrong because routes would cause complete failure. Option B is wrong but could cause failure; however, it's intermittent.

Option D is wrong because it would cause consistent failure.

950
Multi-Selecthard

An organization is implementing a canary deployment strategy for a microservice running on Kubernetes. The deployment should automatically roll back if the error rate exceeds 2% within the first 5 minutes. Which THREE components are essential for implementing this strategy? (Choose three.)

Select 3 answers
A.Service mesh (e.g., Istio, Linkerd)
B.Horizontal Pod Autoscaler
C.Monitoring system (e.g., Prometheus)
D.Progressive delivery tool (e.g., Flagger, Argo Rollouts)
E.Kubernetes Service with label selectors
AnswersA, C, D

Service mesh can route a percentage of traffic to the canary version.

Why this answer

To implement canary with automatic rollback, you need a traffic split mechanism (service mesh), monitoring (Prometheus), and progressive delivery tool (Flagger).

951
MCQmedium

A cloud administrator notices that a virtual machine running a critical application is using 95% CPU consistently. The application is single-threaded and performance is degraded. Which action should the administrator take to resolve the issue?

A.Deploy additional VMs and load balance the application.
B.Increase the RAM allocation to the VM.
C.Migrate the VM to a host with a higher CPU clock speed.
D.Increase the number of vCPUs assigned to the VM.
AnswerC

Higher clock speed improves single-threaded performance.

Why this answer

The application is single-threaded, meaning it can only utilize one CPU core at a time. Increasing the CPU clock speed directly improves the processing speed of that single thread, which resolves the performance degradation. Option C is correct because migrating to a host with a higher CPU clock speed provides a faster core for the single-threaded workload.

Exam trap

CompTIA often tests the misconception that adding more vCPUs always improves performance, but for single-threaded workloads, higher clock speed is the correct solution, not vCPU count.

How to eliminate wrong answers

Option A is wrong because deploying additional VMs and load balancing would distribute requests across multiple instances, but a single-threaded application cannot parallelize its work across VMs; this adds complexity without addressing the core bottleneck. Option B is wrong because increasing RAM allocation does not affect CPU utilization or single-threaded performance; the issue is CPU-bound, not memory-bound. Option D is wrong because increasing the number of vCPUs does not help a single-threaded application; the application can only use one vCPU at a time, and additional vCPUs may even cause scheduling overhead or NUMA issues.

952
MCQeasy

A company wants to migrate its on-premises workloads to the cloud while maintaining the ability to run some sensitive applications on-premises. Which cloud deployment model best meets this requirement?

A.Hybrid cloud
B.Multi-cloud
C.Private cloud
D.Public cloud
AnswerA

Hybrid cloud connects on-prem and public cloud, meeting the requirement.

Why this answer

A hybrid cloud connects on-premises infrastructure with public cloud resources, allowing workloads to run in both environments as needed.

953
MCQhard

An organization uses Azure DevOps for CI/CD. They want to implement a deployment strategy where a new version of an application is deployed to a small subset of users (e.g., 5%) and if no errors are detected, the percentage is gradually increased to 100%. Which deployment strategy should they use?

A.Rolling
B.Recreate
C.Canary
D.Blue/green
AnswerC

Canary releases traffic to a small percentage and increases gradually.

Why this answer

Canary deployment releases to a small subset and gradually increases traffic while monitoring.

954
Multi-Selecthard

A cloud operations team needs to implement a monitoring solution for a microservices architecture. The solution must provide centralized logging, metrics, and alerting, and must be able to correlate data from multiple services. Which THREE of the following components should the team include?

Select 3 answers
A.A security information and event management (SIEM) system.
B.A centralized logging system (e.g., ELK stack).
C.A correlation engine and alerting system (e.g., event correlation).
D.A metrics collection agent and dashboard (e.g., Prometheus+Grafana).
E.An application performance monitoring (APM) tool.
AnswersB, C, D

Centralized logging aggregates logs from all services.

Why this answer

Option B is correct because a centralized logging system like the ELK stack (Elasticsearch, Logstash, Kibana) aggregates logs from all microservices into a single searchable repository. This enables the team to correlate events across services by timestamp and metadata, which is essential for debugging distributed transactions and identifying root causes of failures.

Exam trap

CompTIA often tests the distinction between specialized tools (SIEM, APM) and the core triad of centralized logging, metrics, and correlation/alerting, leading candidates to over-select security or tracing tools that do not fulfill the requirement for correlating data from multiple services at the log and metric level.

955
MCQeasy

Which of the following is a key benefit of using a Cloud Access Security Broker (CASB)?

A.Automates resource provisioning
B.Provides DDoS protection
C.Manages encryption keys for on-premises data
D.Discovers and controls use of unauthorized cloud applications
AnswerD

CASBs can detect shadow IT and enforce policies.

Why this answer

CASBs provide visibility and control over SaaS applications, including shadow IT discovery.

956
Multi-Selectmedium

A cloud architect is designing a hybrid cloud environment that connects an on-premises data center to a public cloud. The architect needs to ensure secure, low-latency connectivity and isolate traffic between different business units. Which TWO solutions should the architect implement? (Choose two.)

Select 2 answers
A.Configure a NAT gateway to allow outbound internet access
B.Establish a dedicated VPN or direct connect between on-premises and cloud
C.Implement VPC peering to connect VPCs for different business units
D.Deploy a bastion host in a public subnet for administrative access
E.Use a transit gateway to interconnect all VPCs
AnswersB, C

Provides secure, low-latency connectivity.

Why this answer

Option B is correct because a dedicated VPN or Direct Connect establishes a secure, low-latency, and private connection between the on-premises data center and the public cloud, bypassing the public internet to reduce latency and improve security. This is essential for hybrid cloud environments where consistent performance and isolation from internet-based threats are required.

Exam trap

The trap here is that candidates often confuse transit gateways with VPC peering for isolation, but VPC peering directly connects two VPCs with no transitive routing, ensuring traffic isolation between business units, whereas a transit gateway can inadvertently route traffic between all connected VPCs unless carefully configured with route tables and network ACLs.

957
MCQmedium

A company is migrating a financial application to the cloud and must comply with PCI DSS. Which of the following cloud compliance programs is most relevant to demonstrate compliance?

A.PCI DSS Level 1
B.ISO 27001
C.SOC 2 Type II
D.HIPAA BAA
AnswerA

PCI DSS is the standard for payment card data security.

Why this answer

PCI DSS Level 1 is the highest level of compliance for organizations handling credit card data. Cloud providers offer PCI DSS attestations to support customer compliance.

958
MCQmedium

An organization uses a cloud-based load balancer to distribute traffic to a web application across multiple availability zones. Users report that the application is intermittently unavailable. The cloud administrator finds that the load balancer health checks are failing on instances in one availability zone. What is the most likely cause?

A.The availability zone is experiencing a partial outage.
B.A single instance in the failing AZ has a misconfigured web server.
C.The DNS settings for the application domain are misconfigured.
D.The load balancer's listener configuration is incorrect.
AnswerA

AZ outage would cause all instances to fail health checks.

Why this answer

When health checks fail for all instances in a single availability zone (AZ) while other AZs remain healthy, the most likely cause is a partial outage or degradation within that AZ. Cloud providers like AWS, Azure, or GCP isolate AZs to prevent single points of failure, but an AZ can experience issues such as network connectivity loss, power disruption, or hardware failures that affect all instances in that zone. The load balancer's health checks are designed to detect such zone-level failures by probing each instance; if an entire AZ is impaired, all its instances will fail the health check simultaneously.

Exam trap

CompTIA often tests the distinction between instance-level failures and zone-level failures; the trap here is that candidates may assume a single misconfigured instance (Option B) is the cause, but the key clue is that all instances in one AZ are failing health checks, which points to an AZ-wide issue rather than a per-instance configuration problem.

How to eliminate wrong answers

Option B is wrong because a misconfigured web server on a single instance would cause only that instance to fail health checks, not all instances in the AZ; the scenario describes all instances in the AZ failing. Option C is wrong because DNS misconfiguration would affect client resolution to the load balancer's DNS name, not the load balancer's ability to perform health checks on backend instances; health checks operate at the network layer between the load balancer and instances, independent of DNS. Option D is wrong because an incorrect listener configuration (e.g., wrong port or protocol) would cause health checks to fail for all instances across all AZs, not just one AZ; the issue is isolated to a single AZ, pointing to a zone-level problem.

959
Multi-Selectmedium

Which THREE of the following are recommended practices for securing cloud API access? (Choose three.)

Select 3 answers
A.Use role-based access control to limit permissions for each API user
B.Embed API keys directly in application source code for convenience
C.Enable detailed logging of all API calls to a centralized service
D.Expose API endpoints publicly for easy access by all clients
E.Rotate API keys and tokens on a regular schedule
AnswersA, C, E

Least privilege reduces attack surface.

Why this answer

Role-based access control (RBAC) is a fundamental security practice for cloud API access because it enforces the principle of least privilege. By assigning permissions based on job functions rather than individual identities, RBAC limits the potential damage from compromised credentials or insider threats. This approach is recommended by cloud providers like AWS (IAM roles), Azure (RBAC roles), and Google Cloud (IAM roles) to ensure API users only have the permissions necessary for their tasks.

Exam trap

Cisco often tests the misconception that embedding API keys in source code is acceptable for convenience, but this violates secure coding standards and is a common cause of data breaches in cloud environments.

960
MCQmedium

A cloud architect is designing an auto-scaling policy for a web application that experiences predictable traffic spikes every weekday morning from 8 to 10 AM. The application runs on a group of virtual machines behind a load balancer. Which scaling approach is MOST cost-effective while ensuring performance during the spike?

A.Dynamic scaling based on CPU utilization threshold
B.Proactive scaling using machine learning to predict spikes
C.Manual scaling by the operations team each morning
D.Scheduled scaling to increase capacity before 8 AM and decrease after 10 AM
AnswerD

Scheduled scaling directly matches the predictable pattern, ensuring resources are ready in advance and minimizing waste.

Why this answer

Scheduled scaling is the most cost-effective approach because the traffic pattern is predictable (every weekday 8–10 AM). By configuring the auto-scaling group to add instances before the spike and remove them after, you avoid paying for idle resources during off-peak hours while ensuring capacity is ready when needed. This approach directly matches the known schedule without relying on reactive metrics or manual intervention.

Exam trap

CompTIA often tests the distinction between reactive (dynamic) and proactive (scheduled) scaling, where candidates mistakenly choose dynamic scaling for predictable patterns because they assume it is always the most efficient, ignoring the latency of metric-based triggers.

How to eliminate wrong answers

Option A is wrong because dynamic scaling based on CPU utilization reacts to load after it occurs, which can cause a lag in provisioning and potential performance degradation during the initial spike. Option B is wrong because proactive scaling using machine learning is overkill for a predictable, repeating schedule and introduces unnecessary complexity and cost. Option C is wrong because manual scaling is error-prone, requires human intervention every morning, and cannot guarantee timely scaling for a predictable pattern.

961
MCQmedium

A DevOps team uses CloudFormation to manage multi-account infrastructure. They need to deploy a common set of resources across multiple AWS accounts in an organization. Which CloudFormation feature should they use?

A.Nested stacks
B.Drift detection
C.Stack sets
D.Change sets
AnswerC

StackSets enable cross-account, cross-region deployments.

Why this answer

CloudFormation StackSets allow you to deploy stacks across multiple accounts and regions from a single template, ideal for multi-account scenarios.

962
Multi-Selectmedium

A cloud administrator is configuring a CASB (Cloud Access Security Broker) for SaaS applications. Which TWO capabilities should the administrator expect from the CASB? (Choose two.)

Select 2 answers
A.Discover and control shadow IT usage
B.Manage on-premises server patches
C.Apply data loss prevention (DLP) policies
D.Provide local DNS resolution
E.Replace the cloud provider's infrastructure
AnswersA, C

CASBs discover unauthorized cloud services and enforce policies.

Why this answer

CASBs provide visibility into shadow IT, enforce data loss prevention policies, and control access to SaaS applications.

963
Multi-Selecthard

A cloud architect is designing a disaster recovery plan for a critical application. The application runs on virtual machines in a public cloud. The recovery time objective (RTO) is 1 hour, and the recovery point objective (RPO) is 15 minutes. Which three strategies should the architect implement? (Select THREE).

Select 3 answers
A.Implement active-passive failover with automated DNS.
B.Use synchronous replication to a secondary region.
C.Take daily snapshots of the VMs.
D.Use asynchronous replication with a 10-minute lag.
E.Maintain a warm standby in another region.
AnswersA, B, E

Correct. Automated DNS failover speeds up recovery, helping achieve the RTO.

Why this answer

Option A is correct because active-passive failover with automated DNS allows traffic to be redirected to a standby environment within minutes, meeting the 1-hour RTO. The passive site remains ready with pre-provisioned resources, and DNS propagation can be controlled via low TTL values to achieve rapid failover.

Exam trap

Cisco often tests the distinction between replication strategies and recovery environments—candidates mistakenly think asynchronous replication alone meets RPO without considering that it must be paired with a standby site to achieve the RTO, or they overlook that daily snapshots are too infrequent for a 15-minute RPO.

964
Multi-Selecthard

A company is migrating to GCP and needs to ensure data encryption in transit for all external communications. Which THREE measures should be implemented? (Choose three.)

Select 3 answers
A.Configure load balancer to redirect HTTP to HTTPS
B.Disable TLS for internal VPC traffic
C.Use TLS 1.2 or higher for all API endpoints
D.Enable AES-256 encryption at rest
E.Implement certificate management with auto-renewal
AnswersA, C, E

Redirecting HTTP to HTTPS enforces encrypted communications.

Why this answer

TLS 1.2+ ensures strong encryption in transit. Certificate management ensures valid certificates. Enforcing HTTPS via load balancer policies redirects HTTP traffic.

965
MCQhard

A company uses Azure and wants to centrally audit all management operations across subscriptions. Which service should be used to collect and analyze these logs?

A.GCP Cloud Audit Logs
B.Azure Monitor
C.AWS CloudTrail
D.Azure Security Center
AnswerB

Azure Monitor collects and analyzes activity logs and metrics.

Why this answer

Azure Monitor is the correct service because it provides a centralized platform for collecting, analyzing, and acting on telemetry data from Azure resources, including management operations across subscriptions. Specifically, the Azure Activity Log within Azure Monitor captures all control-plane events (e.g., resource creation, deletion, policy changes) at the subscription level, enabling auditing and alerting. This directly meets the requirement for centrally auditing management operations across multiple subscriptions.

Exam trap

The trap here is that candidates may confuse Azure Security Center (now Defender for Cloud) with a logging and auditing service, but it is a security management tool, not a centralized log collection and analysis platform like Azure Monitor.

How to eliminate wrong answers

Option A is wrong because GCP Cloud Audit Logs is a Google Cloud Platform service, not an Azure service, and cannot collect or analyze Azure management logs. Option C is wrong because AWS CloudTrail is an Amazon Web Services service for auditing AWS API calls, and it has no integration with Azure subscriptions. Option D is wrong because Azure Security Center (now Microsoft Defender for Cloud) focuses on security posture management, threat detection, and vulnerability assessment, not on collecting and analyzing all management operation logs for auditing purposes.

966
MCQeasy

During a cloud deployment, a virtual machine is created from a custom image. After boot, the VM is not accessible via SSH. Which of the following should the administrator check FIRST?

A.The security group rules for inbound SSH
B.The boot volume is encrypted
C.The hypervisor version compatibility
D.The image's OS license activation status
AnswerA

Security group rules are the first line of defense; if SSH (port 22) is not allowed, connection will fail.

Why this answer

The most common reason a newly deployed VM is inaccessible via SSH is that the security group or network ACL does not permit inbound TCP port 22 traffic. Security groups act as a virtual firewall at the instance level, and if the rule allowing SSH from the administrator's IP is missing or misconfigured, the connection will be refused. This should be the first check because it is a frequent misconfiguration during deployment.

Exam trap

The trap here is that candidates may assume the issue is with the OS or image itself (e.g., licensing or encryption) and overlook the most common and easily verified network-layer misconfiguration of security group rules.

How to eliminate wrong answers

Option B is wrong because boot volume encryption affects data at rest security, not network connectivity; an encrypted volume does not block SSH access. Option C is wrong because hypervisor version compatibility is a pre-deployment concern and would typically cause the VM to fail to boot or run, not just block SSH after boot. Option D is wrong because OS license activation status might cause grace-period warnings or feature restrictions but does not prevent SSH connectivity; SSH is a network service that operates independently of activation state.

967
MCQhard

A cloud administrator is troubleshooting a performance issue where an application running on a VM in a private cloud is experiencing high latency. The VM is connected to a virtual switch that uses SR-IOV. The administrator suspects network bottlenecks. Which of the following is the MOST likely cause of the latency?

A.The physical network interface card (NIC) is saturated.
B.The virtual switch is dropping packets due to buffer exhaustion.
C.The VM's virtual NIC is not using the correct driver.
D.The hypervisor's CPU is overloaded due to SR-IOV emulation.
AnswerA

Saturation of the physical NIC is a common cause of latency with SR-IOV.

Why this answer

SR-IOV allows a physical NIC to present multiple virtual functions (VFs) directly to VMs, bypassing the virtual switch for data plane traffic. When the physical NIC reaches its bandwidth capacity, all VFs sharing that NIC experience increased latency and packet drops, making NIC saturation the most likely cause of the high latency.

Exam trap

The trap here is that candidates assume SR-IOV eliminates all bottlenecks, but the physical NIC remains a shared resource that can become saturated, causing latency for all VMs using its VFs.

How to eliminate wrong answers

Option B is wrong because SR-IOV bypasses the virtual switch for data plane traffic, so buffer exhaustion on the virtual switch does not affect SR-IOV passthrough traffic. Option C is wrong because SR-IOV requires a specific driver (e.g., ixgbevf or mlx5_core) on the VM; an incorrect driver would prevent the VF from being recognized or cause connectivity failure, not just high latency. Option D is wrong because SR-IOV offloads network processing to the NIC hardware, so the hypervisor's CPU is not involved in emulating the NIC for SR-IOV VFs; CPU overload would affect other components but is not a direct consequence of SR-IOV.

968
MCQhard

A company uses a multi-cloud strategy with both AWS and Azure. The cloud operations team needs to centrally monitor all cloud resources and receive alerts when resource usage exceeds predefined thresholds. Which of the following solutions should the team implement?

A.Azure Monitor with Log Analytics
B.AWS CloudWatch with cross-account monitoring
C.A third-party monitoring tool that supports both AWS and Azure
D.Custom scripts that log to a central syslog server
AnswerC

Third-party tools like Datadog can aggregate metrics from multiple clouds into a single dashboard.

Why this answer

Option C is correct because a third-party monitoring tool (e.g., Datadog, Splunk, or Dynatrace) can natively ingest metrics and logs from both AWS and Azure APIs, providing a single pane of glass for alerting across a multi-cloud environment. This avoids the vendor lock-in and integration gaps that arise when using native tools from only one cloud provider.

Exam trap

The trap here is that candidates assume native tools like Azure Monitor or AWS CloudWatch can be extended to monitor other clouds, but they are architecturally limited to their own ecosystems, making a third-party tool the only viable multi-cloud solution.

How to eliminate wrong answers

Option A is wrong because Azure Monitor with Log Analytics is designed to monitor Azure resources only; it cannot natively pull metrics from AWS services without complex, unsupported workarounds. Option B is wrong because AWS CloudWatch with cross-account monitoring is limited to AWS accounts and cannot monitor Azure resources at all. Option D is wrong because custom scripts logging to a central syslog server lack native integration with cloud provider APIs, requiring manual metric collection and failing to provide real-time, threshold-based alerting for dynamic cloud resources.

969
MCQeasy

A company hosts a critical application on a single virtual machine in a public cloud. The virtual machine has been running without issues for months. Recently, the application became unresponsive, and users report a '500 Internal Server Error'. The cloud administrator checks the virtual machine's status and finds it is 'Running'. The administrator can successfully ping the virtual machine's public IP address. The administrator then attempts to SSH into the virtual machine but receives 'Connection timed out'. The virtual machine's security group allows SSH (port 22) from the administrator's IP address. The operating system firewall is enabled and configured to allow SSH. What should the administrator do next to troubleshoot the issue?

A.Use a serial console or out-of-band management to access the virtual machine's console.
B.Reset the virtual machine from the cloud provider's management console.
C.Create a new virtual machine and migrate the application.
D.Check the application logs from the cloud provider's monitoring service.
AnswerA

Serial console access bypasses the network stack and allows the administrator to log in and check the SSH service status or firewall rules.

Why this answer

The administrator can ping the VM (ICMP works) but SSH (TCP/22) times out, indicating the application is running but the SSH service or network stack is not responding to new connections. Since the cloud security group and OS firewall are correctly configured, the issue is likely at the OS level (e.g., SSH daemon crashed, kernel panic, or network service hung). Using a serial console or out-of-band management (e.g., AWS EC2 Serial Console, Azure Serial Console) provides direct, network-independent access to the VM's console, bypassing the broken network stack to diagnose and fix the OS-level problem.

Exam trap

CompTIA often tests the distinction between ICMP reachability (ping) and TCP service availability (SSH), and the trap here is that candidates assume a 'Running' status and successful ping mean the OS is fully functional, overlooking that the network stack or SSH daemon can be broken while the VM appears healthy from the hypervisor's perspective.

How to eliminate wrong answers

Option B is wrong because resetting the VM (power cycle) might temporarily fix the symptom but does not diagnose the root cause, and could cause data loss or downtime without understanding why SSH failed. Option C is wrong because creating a new VM and migrating the application is a drastic, time-consuming recovery action that should only be taken after exhausting troubleshooting steps; it does not help identify the current issue. Option D is wrong because the cloud provider's monitoring service (e.g., CloudWatch, Azure Monitor) typically collects metrics and logs from the guest OS via an agent, but if the OS is unresponsive or the network stack is broken, those logs may not be accessible or up-to-date; the immediate need is to access the console, not check stale logs.

970
Multi-Selectmedium

A company is implementing a cloud-based SIEM solution. Which TWO of the following are essential data sources that should be integrated to ensure comprehensive security monitoring?

Select 2 answers
A.Physical access logs from the data center.
B.Firewall configuration backup files.
C.Employee vacation schedule.
D.DNS query logs from the cloud DNS service.
E.Network flow logs from virtual network appliances.
AnswersD, E

DNS logs can reveal C2 communications.

Why this answer

DNS query logs from the cloud DNS service (Option D) are essential because they provide visibility into domain resolution activities, which can reveal command-and-control (C2) communications, data exfiltration via DNS tunneling, or connections to malicious domains. In a cloud-based SIEM, these logs are critical for detecting threats that leverage DNS as a covert channel, as they capture the source IP, queried domain, and response codes in real time.

Exam trap

The trap here is that candidates often mistake static configuration files (like firewall backups) or non-security data (like vacation schedules) as valid SIEM sources, overlooking that a SIEM requires real-time, event-driven logs (e.g., DNS queries and network flows) to perform effective threat detection and correlation.

971
Multi-Selecthard

A cloud administrator is designing a secure multi-tenant environment. Which THREE of the following are best practices for isolating tenant workloads?

Select 3 answers
A.Use a single virtual switch for all tenants.
B.Deploy tenant workloads on dedicated hypervisors.
C.Implement micro-segmentation using virtual firewalls.
D.Use separate VLANs for each tenant.
E.Place all tenants on the same storage array for efficiency.
AnswersB, C, D

Dedicated hypervisors prevent hypervisor-level attacks.

Why this answer

Deploying tenant workloads on dedicated hypervisors provides strong physical isolation, preventing a compromised hypervisor from affecting other tenants. This approach eliminates the risk of side-channel attacks or resource contention that could cross tenant boundaries, ensuring each tenant's virtual machines run on separate hardware with no shared compute resources.

Exam trap

CompTIA often tests the misconception that a single virtual switch can be securely partitioned using VLANs alone, but the trap is that VLANs only provide Layer 2 isolation and do not protect against misconfigurations or attacks within the shared virtual switch control plane.

972
MCQmedium

An organization is designing a cloud architecture for a data analytics workload that processes large datasets. The workload is CPU-intensive and runs once per day. The company wants to minimize costs. Which compute model should be used?

A.On-demand instances with auto scaling
B.Dedicated hosts with a savings plan
C.Reserved instances for a 1-year term
D.Spot instances with a fallback to on-demand
AnswerD

Spot instances are cost-effective for batch processing.

Why this answer

Option D is correct because spot/preemptible instances offer significant cost savings for fault-tolerant, interruptible workloads like batch processing. Option A is wrong because on-demand instances are more expensive. Option B is wrong because reserved instances are for steady-state usage.

Option C is wrong because dedicated hosts are the most expensive option.

973
MCQeasy

A cloud administrator cannot deploy a new VM from a custom image. The deployment fails with an error stating 'Incompatible hypervisor version'. What is the most likely cause?

A.The image was created on a newer hypervisor than the current host.
B.The VM's virtual hardware version is too old.
C.The image file is corrupt.
D.The storage backend does not support the image format.
AnswerA

Hypervisor backward compatibility may not extend to previous versions.

Why this answer

Option D is correct because the image was created on a different hypervisor version. Option A is incorrect because the image file exists. Option B is incorrect as compatibility is about hypervisor, not driver.

Option C is incorrect because storage is separate.

974
MCQhard

A company needs to connect its on-premises data center to a public cloud provider with a dedicated, consistent network connection that bypasses the internet. Which connectivity method should be used?

A.VPC peering
B.Internet gateway
C.Site-to-Site VPN
D.Direct Connect or ExpressRoute
AnswerD

Correct. These provide dedicated private connections.

Why this answer

Dedicated connections like AWS Direct Connect or Azure ExpressRoute provide private, consistent connectivity.

975
MCQeasy

A cloud administrator needs to protect a web application from common attacks such as SQL injection and cross-site scripting (XSS). Which cloud service should be implemented?

A.DDoS protection service
B.Network ACL
C.Security group
D.Web Application Firewall (WAF)
AnswerD

WAF inspects HTTP requests and can block SQL injection, XSS, etc.

Why this answer

A Web Application Firewall (WAF) is specifically designed to filter and monitor HTTP traffic, blocking common web exploits like SQL injection and XSS. Cloud providers offer WAF services (e.g., AWS WAF, Azure WAF, Cloud Armor).

Page 12

Page 13 of 14

Page 14