CompTIA Cloud+ CV0-004 (CV0-004) — Questions 976–984

984 questions total · 14 pages · All types, answers revealed

Page 14 of 14

976
MCQ · easy

A cloud engineer is tasked with automating the deployment of a new web application. Which of the following tools is BEST suited for managing infrastructure as code in a hybrid cloud environment?

A. AWS CloudFormation
B. Ansible
C. Terraform
D. Docker
Answer: C

Terraform is a cloud-agnostic infrastructure as code tool that supports hybrid environments.

Why this answer

Terraform is the best choice because it is a cloud-agnostic Infrastructure as Code (IaC) tool that uses a declarative configuration language (HCL) to manage resources across multiple providers, including AWS, Azure, and on-premises systems. This makes it ideal for hybrid cloud environments where consistent provisioning and state management are required across disparate platforms.

Exam trap

Cisco often tests the distinction between IaC tools (Terraform, CloudFormation) and configuration management tools (Ansible, Puppet) or containerization tools (Docker), leading candidates to choose Ansible because it also supports multi-cloud, but missing that Terraform is purpose-built for declarative infrastructure provisioning in hybrid clouds.

How to eliminate wrong answers

Option A is wrong because AWS CloudFormation is a proprietary IaC tool that only works within the AWS ecosystem, making it unsuitable for managing resources in a hybrid cloud that includes non-AWS providers. Option B is wrong because Ansible is primarily a configuration management and automation tool that uses imperative playbooks and push-based execution, not a dedicated IaC tool for declarative resource provisioning across hybrid clouds. Option D is wrong because Docker is a containerization platform that packages applications and dependencies into containers, not an IaC tool for managing cloud infrastructure resources like VMs, networks, or storage.

977
MCQ · hard

A company needs to transfer 200 TB of data from an on-premises NAS to Amazon S3 over the internet within 5 days. The available bandwidth is 1 Gbps. Which AWS service should be used to accelerate the transfer?

A. AWS Snowball
B. AWS DataSync
C. S3 Transfer Acceleration
D. AWS Direct Connect
Answer: B

DataSync accelerates online transfers with parallel operations.

Why this answer

AWS DataSync can accelerate transfers over the internet using parallel multi-threading and compression. Snowball would be faster for 200 TB, but the question specifies over the internet. DataSync is optimized for network transfers.

978
Multi-Select · hard

An organization is migrating workloads to the cloud and after migration, users complain about slow application response times. The administrator reviews the cloud provider's dashboard and sees no resource bottlenecks. Which three factors could still cause poor performance? (Choose three.)

Select 3 answers
A. The application is not optimized for the cloud infrastructure
B. DNS resolution delays due to on-premises DNS server
C. High latency between the cloud region and the users' location
D. Insufficient number of CPU cores in the VM
E. TCP window scaling mismatch
Answers: B, C, E

Slow DNS resolution increases latency without taxing cloud resources.

Why this answer

Correct options are A, B, and D. Option A is correct because DNS delays can increase response times without showing as resource usage. Option B is correct because TCP window scaling mismatch can degrade network throughput transparently.

Option D is correct because geographic latency is not a resource bottleneck. Option C is wrong because insufficient CPU cores would appear as a CPU bottleneck on the dashboard. Option E is wrong because application optimization issues would typically manifest as high resource usage.

979
Multi-Select · medium

A cloud architect is designing a disaster recovery plan that includes testing. Which TWO activities are commonly performed as part of DR testing?

Select 2 answers
A. Reserved Instance planning
B. Rightsizing recommendations
C. Chaos engineering
D. Scheduled DR drills
E. Tagging resources
Answers: C, D

Chaos engineering injects failures to test resilience.

Why this answer

DR testing includes scheduled drills and chaos engineering to validate recovery procedures.

980
MCQ · hard

A team uses Terraform to manage infrastructure. After running terraform apply, the state file is stored in an S3 backend with DynamoDB locking. During a subsequent terraform plan, the team notices that the state file shows resources that no longer exist in the cloud. Which command should the team run to reconcile the state with the actual cloud resources?

A. terraform plan
B. terraform refresh
C. terraform import
D. terraform state rm
Answer: B

Refresh updates the state file to reflect the current state of real-world resources.

Why this answer

Terraform import is used to bring existing resources under Terraform management, but if resources are missing, terraform refresh updates the state to match reality.

981
MCQ · medium

A cloud administrator is configuring a new virtual private cloud (VPC) for a three-tier application. The web tier must be accessible from the internet, the application tier should only be accessible from the web tier, and the database tier should only be accessible from the application tier. Which network architecture should be used?

A. Use one subnet with network ACLs to restrict traffic between tiers.
B. Place all tiers in the same subnet and use host-based firewalls.
C. Place each tier in a separate subnet with appropriate security group rules controlling traffic.
D. Deploy each tier in a different VPC and peer them.
Answer: C

Correct. Separate subnets with security groups allow granular control and align with security best practices.

Why this answer

Option C is correct because placing each tier in a separate subnet and using security group rules provides stateful, instance-level traffic control. Security groups act as virtual firewalls at the hypervisor layer, allowing you to specify inbound rules that restrict the application tier to only accept traffic from the web tier's security group, and the database tier to only accept traffic from the application tier's security group. This aligns with the principle of least privilege and ensures that each tier is isolated within the VPC while maintaining necessary connectivity.

Exam trap

The trap here is that candidates often confuse network ACLs (stateless, subnet-level) with security groups (stateful, instance-level) and assume a single subnet with ACLs can achieve the same isolation, but ACLs cannot filter based on source security group IDs and require manual IP management, making them unsuitable for this multi-tier access control requirement.

How to eliminate wrong answers

Option A is wrong because using a single subnet with network ACLs (stateless) would require complex, bidirectional rule management for each tier, and network ACLs cannot filter traffic based on source security group IDs, making it impossible to restrict traffic to only the web tier or application tier without exposing other resources. Option B is wrong because placing all tiers in the same subnet with host-based firewalls violates the security best practice of network segmentation; host-based firewalls are not managed centrally and can be bypassed if the host is compromised, plus they do not provide the same level of isolation as separate subnets with security groups. Option D is wrong because deploying each tier in a different VPC and peering them introduces unnecessary complexity, latency, and cost; VPC peering does not support transitive routing, so you would need additional routing configurations or a transit gateway, and it violates the typical three-tier architecture pattern where all tiers reside within the same VPC for low-latency communication.

982
Multi-Select · medium

A cloud administrator is configuring an Azure environment for a healthcare application that must comply with HIPAA. Which TWO configurations are required to meet HIPAA security and privacy rules? (Choose two.)

Select 2 answers
A. Implement audit logging for access to ePHI
B. Configure network security groups to allow only HTTPS traffic
C. Enable multi-factor authentication for all administrative accounts
D. Configure automatic patching for all virtual machines
E. Enable encryption at rest for all storage accounts containing ePHI
Answers: A, E

HIPAA requires audit controls to record access to ePHI.

Why this answer

Audit logging for access to ePHI is required by HIPAA to track who accessed, modified, or deleted protected health information. In Azure, this is implemented through Azure Monitor and Log Analytics, which capture detailed audit trails for storage accounts, databases, and applications. Without audit logs, the organization cannot demonstrate compliance with the HIPAA Security Rule's requirement for activity monitoring and accountability.

Exam trap

The trap here is that candidates often confuse 'best practices' (like MFA and automatic patching) with 'required configurations' under HIPAA, leading them to select options that are recommended but not explicitly mandated by the Security Rule.

983
MCQ · easy

A company wants to automate the deployment of cloud resources using code. Which tool is BEST suited for this purpose?

A. SSH
B. An IP address management tool
C. Infrastructure as Code (IaC) templates
D. A configuration management database
Answer: C

IaC tools like Terraform or CloudFormation automate resource deployment from code.

Why this answer

Infrastructure as Code (IaC) templates (Option C) are the best tool for automating cloud resource deployment because they allow you to define, version, and provision infrastructure through machine-readable definition files. Tools like Terraform, AWS CloudFormation, or Azure Resource Manager templates enable repeatable, consistent deployments without manual intervention, directly aligning with the goal of automating cloud resource deployment using code.

Exam trap

The trap here is that candidates may confuse SSH (a remote access tool) with automation scripts (like Ansible playbooks) or think that a CMDB can automate deployments, but the question specifically asks for a tool that uses code to deploy resources, which is the core definition of IaC.

How to eliminate wrong answers

Option A is wrong because SSH (Secure Shell) is a network protocol for secure remote access to systems, not a tool for automating the deployment of cloud resources; it lacks the declarative or imperative infrastructure definition capabilities needed for IaC. Option B is wrong because an IP address management (IPAM) tool is used for planning, tracking, and managing IP address spaces, not for provisioning or orchestrating cloud resources via code. Option D is wrong because a configuration management database (CMDB) is a repository that stores information about IT assets and their relationships; it does not automate deployment but rather serves as a reference for configuration items.

984
Multi-Select · easy

A developer is using a cloud provider's CLI to manage resources. Which TWO commands are commonly used to troubleshoot instance connectivity?

Select 2 answers
A. reboot
B. ssh
C. create-tags
D. traceroute
E. ping
Answers: D, E

Traceroute identifies the path and can pinpoint where connectivity fails.

Why this answer

D is correct because the `traceroute` command is a standard network diagnostic tool that identifies the path packets take from the source to a destination, revealing each hop's latency and any points of failure. It uses ICMP (or UDP on Linux) with incrementing TTL values to map the route, making it essential for troubleshooting connectivity issues between cloud instances and external endpoints.

Exam trap

The trap here is that candidates confuse `ssh` (a connectivity-dependent tool) with a diagnostic command, or assume `reboot` can resolve network issues, when the exam specifically tests the ability to select commands that *diagnose* rather than *fix* connectivity problems.
