CompTIA Cloud+ CV0-004 (CV0-004) — Questions 76150

499 questions total · 7pages · All types, answers revealed

Page 1

Page 2 of 7

Page 3
76
Multi-Selecteasy

Which TWO of the following are characteristics of a hybrid cloud deployment? (Select exactly two.)

Select 2 answers
A.Combines on-premises private cloud with public cloud resources
B.Allows data and application portability between environments
C.Simplifies data governance across environments
D.Typically uses a single public cloud provider
E.Uses only community cloud services
AnswersA, B

Hybrid cloud spans both on-premises and public cloud environments.

Why this answer

Option A is correct because a hybrid cloud explicitly combines on-premises private cloud infrastructure with public cloud resources, such as AWS, Azure, or GCP. This allows organizations to keep sensitive workloads on-premises while leveraging the scalability of the public cloud for burst or less-sensitive workloads. The connection is typically established via a dedicated VPN or direct link (e.g., AWS Direct Connect or Azure ExpressRoute) to ensure low-latency, secure communication between environments.

Exam trap

The trap here is that candidates often confuse 'hybrid cloud' with 'multi-cloud' or assume it simplifies governance, but Cisco tests the specific definition of hybrid cloud as a combination of private and public cloud environments with portability, not a single-provider or community-only model.

77
Multi-Selectmedium

A cloud administrator is troubleshooting a performance issue in a virtualized environment. Which TWO metrics should the administrator monitor to identify CPU contention? (Choose two.)

Select 2 answers
A.CPU usage percentage
B.CPU ready time
C.CPU co-stop time
D.CPU frequency
E.CPU load average
AnswersB, C

High ready time indicates the VM is waiting for CPU cycles due to contention.

Why this answer

Options A and D are correct. CPU ready time indicates the time a VM is ready to run but is waiting for CPU resources, and CPU co-stop time indicates contention when two vCPUs of the same VM are scheduled simultaneously. Option B (CPU usage) shows usage, not contention.

Option C (CPU load average) is an OS-level metric that can indicate load but not direct contention. Option E (CPU frequency) is about clock speed, not contention.

78
MCQhard

A company runs a critical e-commerce application on AWS. The architecture includes an Application Load Balancer (ALB) in front of an Auto Scaling group of EC2 instances across two Availability Zones. The instances are in a private subnet and use a NAT Gateway for outbound internet access. The application stores session data in an ElastiCache Redis cluster. During a flash sale, users report that the site is extremely slow and some requests time out. Monitoring shows the ALB's latency metric is high, and the number of healthy hosts fluctuates. The CPU utilization on the EC2 instances averages 60% and memory averages 70%. The Redis cluster's CPU utilization is 90%, and its memory usage is 95%. The NAT Gateway's metrics show high BytesOutToSource but no errors. Which of the following is the most likely cause of the performance issue?

A.The NAT Gateway is throttling traffic due to bandwidth limits
B.The ElastiCache Redis cluster is overloaded and becoming a bottleneck for session lookups
C.The Auto Scaling group is not scaling quickly enough due to cooldown periods
D.The ALB's idle timeout setting is too low, causing premature connection drops
AnswerB

Correct; high Redis CPU and memory cause slow responses and timeouts.

Why this answer

The ElastiCache Redis cluster is the most likely bottleneck because its CPU utilization is at 90% and memory usage at 95%, indicating it is near capacity. Since the application stores session data in Redis, high latency and timeouts during a flash sale are consistent with an overloaded session store that cannot keep up with request volume, causing the ALB to experience increased latency and healthy host fluctuations as sessions fail to be retrieved or written.

Exam trap

The trap here is that candidates may focus on the NAT Gateway or Auto Scaling group because they are common bottlenecks, but the key clue is the Redis cluster's high CPU and memory metrics, which directly correlate with session store performance issues in a stateful application.

How to eliminate wrong answers

Option A is wrong because the NAT Gateway shows high BytesOutToSource but no errors, and NAT Gateway bandwidth limits are typically high (up to 10 Gbps per AZ) and would cause packet drops or errors if throttled, not just high latency. Option C is wrong because the Auto Scaling group's cooldown periods could delay scaling, but the EC2 instances are only at 60% CPU and 70% memory, which are not saturated, so scaling is not the primary issue. Option D is wrong because the ALB's idle timeout setting (default 60 seconds) controls how long the ALB keeps a connection open without data; premature connection drops would manifest as immediate disconnects, not high latency and timeouts.

79
MCQhard

An organization is migrating a legacy application to the cloud. The application writes logs to a local file system. The cloud architect recommends using a centralized logging service. Which of the following BEST explains why this change is important?

A.To meet regulatory compliance requirements for log retention
B.To reduce storage costs by using object storage for logs
C.Because cloud instances are ephemeral and local logs would be lost if instances terminate
D.To encrypt log data at rest and in transit
AnswerC

Cloud instances can terminate, so logs must be sent off-instance.

Why this answer

Option C is correct because centralized logging aggregates logs from ephemeral instances that may be terminated. Option A is wrong because encryption is handled by the logging service, not the reason for centralization. Option B is wrong while compliance is a benefit, but the primary reason is ephemeral nature of cloud instances.

Option D is wrong because cost is not the primary driver.

80
Multi-Selecthard

Which THREE of the following are key considerations when designing a cloud-native application for high availability? (Select exactly three.)

Select 3 answers
A.Use multithreading for all components
B.Use synchronous replication for databases
C.Implement loose coupling between services
D.Use stateless application components
E.Design for horizontal scaling using auto-scaling groups
AnswersC, D, E

Loose coupling (e.g., queues, APIs) isolates failures and improves resilience.

Why this answer

Option C is correct because loose coupling between services, typically achieved via asynchronous messaging or API gateways, ensures that the failure of one service does not cascade to others, which is fundamental for high availability in cloud-native architectures. This design pattern allows individual services to be updated, scaled, or fail independently, maintaining overall system resilience.

Exam trap

CompTIA often tests the misconception that high availability requires synchronous replication or multithreading, when in fact these can introduce tight coupling and single points of failure; the trap is confusing performance optimization with architectural resilience.

81
MCQmedium

A cloud administrator is troubleshooting a performance issue with a relational database hosted on a cloud provider. The application team reports that queries are taking much longer than usual. The administrator checks the database monitoring dashboard and sees that the queries per second are within normal ranges, but the average query latency has doubled. The database is running on a VM with 4 vCPUs and 16 GB RAM. The storage type is SSD-backed General Purpose (GP2) with provisioned 3000 IOPS. The administrator notices that the Disk I/O Wait metric is consistently above 20%. What should the administrator do to improve query performance?

A.Shrink the database by archiving old data.
B.Increase the provisioned IOPS or upgrade to a higher-performance storage class like Provisioned IOPS SSD.
C.Add more memory to the VM to increase the database cache.
D.Add more vCPUs to the database VM.
AnswerB

Raising IOPS reduces disk queue depth and I/O wait, directly addressing the performance issue.

Why this answer

High I/O Wait indicates that the CPU is spending significant time waiting for disk I/O to complete. Increasing storage IOPS or switching to a higher-performance storage class (e.g., Provisioned IOPS SSD) will reduce I/O latency and improve query performance. Option B directly addresses the bottleneck.

82
MCQmedium

A developer deployed a new version of a cloud function, but the function is returning 500 errors. The previous version worked fine. What is the most likely cause?

A.The function is using an outdated runtime.
B.The new code contains a runtime error.
C.The function's memory allocation is too low.
D.The function's timeout is set too short.
AnswerB

A bug in the new code is the most common cause of 500 errors after deployment.

Why this answer

The most likely cause of 500 errors after deploying a new version of a cloud function is a runtime error in the new code. A 500 Internal Server Error indicates that the function's code executed but threw an unhandled exception or logic error, which did not exist in the previous working version. Since the environment (runtime, memory, timeout) remained unchanged, the introduction of faulty code is the primary suspect.

Exam trap

CompTIA often tests the distinction between code-level errors (500) and resource/configuration errors (memory, timeout, runtime), tempting candidates to blame environment settings when the actual cause is a bug introduced in the new code.

How to eliminate wrong answers

Option A is wrong because an outdated runtime would cause deployment failures or compatibility warnings, not a sudden 500 error after a code change; the runtime version is typically fixed during deployment. Option C is wrong because memory allocation being too low would manifest as out-of-memory (OOM) errors or timeouts, not a generic 500 error, and the previous version worked with the same allocation. Option D is wrong because a timeout set too short would produce a 504 Gateway Timeout or a specific timeout error, not a 500 Internal Server Error, and the previous version succeeded with the same timeout value.

83
MCQeasy

A company has a cloud-based application that uses a relational database. The database team performs daily backups to an on-premises storage system using a VPN connection. Recently, backups have been failing with timeout errors. The network team confirms the VPN is up and stable. Which of the following is the MOST likely cause?

A.The database service is not responding
B.The VPN bandwidth is insufficient for the backup data volume
C.The VPN tunnel is not properly configured
D.The on-premises firewall is blocking the backup port
AnswerB

Large backups can exceed VPN capacity, leading to timeouts.

Why this answer

The VPN connection is confirmed stable, so tunnel configuration and firewall issues are unlikely. Backup timeout errors with large data volumes typically indicate insufficient bandwidth, causing the transfer to exceed the timeout threshold. The database service itself is responding (backups are attempted), ruling out service unavailability.

Exam trap

The trap here is that candidates assume a stable VPN means the link has sufficient capacity, but CompTIA often tests the distinction between connectivity (layer 3) and throughput (layer 4/performance), where a stable tunnel can still be too slow for large data transfers.

How to eliminate wrong answers

Option A is wrong because if the database service were not responding, backups would fail immediately with a connection error, not a timeout after data transfer begins. Option C is wrong because the network team confirmed the VPN is up and stable, meaning the tunnel is properly configured and operational. Option D is wrong because a firewall block would cause a consistent failure (e.g., connection refused), not intermittent timeouts, and the VPN tunnel encrypts traffic, making port-specific blocking less likely.

84
MCQmedium

A cloud architect is designing a multi-tier application that must meet a recovery time objective (RTO) of 15 minutes and a recovery point objective (RPO) of 1 hour. Which disaster recovery strategy is MOST cost-effective while meeting these requirements?

A.Backup and restore from object storage
B.Warm standby with database replication
C.Pilot light with database replication
D.Active-active across two regions
AnswerB

Meets RTO and RPO cost-effectively.

Why this answer

Warm standby with database replication is the most cost-effective strategy that meets an RTO of 15 minutes and an RPO of 1 hour. It maintains a scaled-down but fully functional copy of the production environment in another region, with synchronous or asynchronous database replication ensuring data loss is within the 1-hour RPO. Failover can be automated to achieve the 15-minute RTO without the expense of running full production capacity in the standby region.

Exam trap

CompTIA often tests the distinction between pilot light and warm standby, where candidates mistakenly believe pilot light can achieve a 15-minute RTO because it has database replication, but they overlook the time needed to provision and configure compute resources, which pushes the RTO beyond the requirement.

How to eliminate wrong answers

Option A is wrong because backup and restore from object storage typically has an RTO of hours or days due to the time required to download and restore large volumes of data, and the RPO depends on backup frequency, which often exceeds 1 hour. Option C is wrong because pilot light with database replication can meet the RPO but usually has an RTO longer than 15 minutes, as it requires provisioning compute resources and scaling up the environment before failover. Option D is wrong because active-active across two regions is over-engineered and costly for these requirements, as it runs full production capacity in both regions simultaneously, which is unnecessary when an RTO of 15 minutes and RPO of 1 hour can be met with a warm standby.

85
MCQmedium

Refer to the exhibit. The auto scaling group is fluctuating between 2 and 3 instances every few minutes. What is the most likely cause?

A.The instances are taking too long to become healthy.
B.The launch configuration has incorrect user data.
C.The load balancer is not properly distributing traffic.
D.The scaling policies are based on metrics that are too sensitive.
AnswerD

Oscillation occurs when metrics trigger both scale-out and scale-in frequently.

Why this answer

The auto scaling group fluctuating between 2 and 3 instances every few minutes indicates a scaling policy that is too sensitive, likely based on a metric such as CPU utilization or request count per target that oscillates rapidly. When the metric crosses the scale-out threshold, a new instance launches, causing the metric to drop below the scale-in threshold, which then terminates an instance, creating a cycle. This is a classic symptom of thrashing due to overly aggressive or poorly configured scaling policies.

Exam trap

CompTIA often tests the concept of scaling thrashing, and the trap here is that candidates may incorrectly attribute the oscillation to load balancer misconfiguration or instance health delays, rather than recognizing it as a direct symptom of overly sensitive scaling policies with insufficient cooldown or threshold margins.

How to eliminate wrong answers

Option A is wrong because instances taking too long to become healthy would cause the auto scaling group to launch additional instances while waiting, but it would not cause rapid fluctuation between 2 and 3 instances; instead, it would lead to a sustained higher count or failed health checks. Option B is wrong because incorrect user data in the launch configuration would cause instances to fail to initialize properly, leading to unhealthy instances and potential replacement, but not the specific 2-to-3 oscillation pattern. Option C is wrong because the load balancer not properly distributing traffic would cause uneven load but would not directly cause the auto scaling group to scale in and out every few minutes; the scaling policies are based on aggregated metrics, not load balancer distribution issues.

86
MCQmedium

A healthcare organization uses a cloud-based virtual private cloud (VPC) to host a web application that processes protected health information (PHI). The application consists of a public-facing load balancer, a web server tier in a public subnet, and a database tier in a private subnet. The database runs on a managed relational database service with encryption at rest enabled using a cloud provider-managed key. The security auditor requires that the database encryption key must be controlled by the organization and rotated every 90 days. Additionally, the database must only be accessible from the web server tier. The database is currently accessible from the entire VPC CIDR block. What should the cloud administrator do to meet these requirements?

A.Export the database, disable encryption, and import into a new database with a customer-managed key.
B.Enable encryption with a provider-managed key and restrict database access using a network ACL.
C.Re-encrypt the database using a customer-managed key in the cloud provider's key management service, and update the database security group to only allow traffic from the web server security group.
D.Encrypt the web server's storage with a customer-managed key and keep the database encryption as is.
AnswerC

Customer-managed keys allow rotation, and security groups restrict access to the web tier only.

Why this answer

Option B is correct because enabling encryption using a customer-managed key in the provider's KMS allows the organization to control and rotate the key, and updating the security group to allow traffic only from the web server tier's security group restricts access. Option A is wrong because provider-managed keys do not give the organization control. Option C is wrong because moving to an unencrypted database is not acceptable.

Option D is wrong because encrypting the web server does not address database encryption or access control.

87
MCQhard

A company recently migrated its database to a cloud-managed database service. After the migration, the application team reports that some queries are returning stale data. The database is configured with read replicas. What is the most likely reason for the stale data?

A.The database parameter group is misconfigured.
B.The application is reading from a read replica that has replication lag.
C.The network latency between the application and database is high.
D.The database’s backup and restore process has corrupted the data.
AnswerB

Correct. Replication lag causes replicas to return older data; application should direct write-after-read to primary.

Why this answer

Read replicas can have replication lag, causing stale reads if the application queries a replica expecting the latest data.

88
MCQeasy

A cloud administrator notices that a virtual machine (VM) is running slowly. The hypervisor shows high CPU ready time for that VM. Which of the following is the most likely cause?

A.High disk I/O latency on the datastore
B.Insufficient memory allocated to the VM
C.Overcommitted physical CPU resources on the host
D.Misconfigured virtual switch
AnswerC

Overcommitted CPU means the VM competes for physical cores, causing high ready time.

Why this answer

High CPU ready time indicates that the VM is ready to execute instructions but is waiting for the physical CPU to become available. This is a classic symptom of CPU overcommitment, where the host has more virtual CPUs (vCPUs) assigned to VMs than physical cores, causing contention. Option C correctly identifies this as the most likely cause.

Exam trap

CompTIA often tests the distinction between CPU ready time and other performance metrics, trapping candidates who confuse high CPU ready time with memory pressure or storage latency.

How to eliminate wrong answers

Option A is wrong because high disk I/O latency would manifest as high disk queue depth or high kernel latency, not as CPU ready time. Option B is wrong because insufficient memory would cause ballooning or swapping, not CPU ready time. Option D is wrong because a misconfigured virtual switch would cause network connectivity issues or packet loss, not CPU scheduling delays.

89
MCQeasy

An architect is designing a cloud application that must handle unpredictable spikes in traffic. The application should automatically add resources during peak demand and remove them when demand decreases to minimize costs. Which scaling strategy should be used?

A.Scheduled scaling based on historical patterns
B.Vertical scaling of existing instances
C.Manual scaling by operations team
D.Horizontal auto-scaling based on CPU utilization
AnswerD

Automatically adds/removes instances as needed.

Why this answer

Horizontal auto-scaling based on CPU utilization is the correct strategy because it dynamically adds or removes instances in response to real-time demand, ensuring the application can handle unpredictable traffic spikes while minimizing costs. This approach aligns with cloud elasticity principles, where resources scale out (add instances) during high CPU load and scale in (remove instances) when load decreases, without manual intervention.

Exam trap

The trap here is that candidates often confuse vertical scaling (scaling up) with horizontal scaling (scaling out), assuming resizing existing instances is more cost-effective, but vertical scaling has hard limits and cannot match the elasticity required for unpredictable spikes.

How to eliminate wrong answers

Option A is wrong because scheduled scaling relies on predefined historical patterns, which cannot adapt to unpredictable spikes that deviate from those patterns. Option B is wrong because vertical scaling (resizing existing instances) has hardware limits and often requires downtime, making it unsuitable for handling sudden, unpredictable demand changes. Option C is wrong because manual scaling by the operations team introduces latency and human error, failing to provide the automatic, real-time response needed for unpredictable traffic.

90
MCQmedium

A cloud administrator notices that an IAM role in a public cloud environment has permissions to perform all actions on all resources. The principle of least privilege should be applied. What is the best first step to reduce the security risk?

A.Delete the role and create a new one with minimal permissions immediately.
B.Create a new role with fewer permissions and ask users to switch roles.
C.Review the role's attached policies and identify unused or unnecessary permissions.
D.Modify the role's trust policy to restrict which users can assume it.
AnswerC

This allows targeted removal of excessive permissions while maintaining functionality.

Why this answer

Option A is correct because reviewing current permissions identifies specific unnecessary privileges before making changes, minimizing disruption. Other options are too drastic or do not address the root cause.

91
MCQhard

Your organization operates a three-tier web application hosted on a public cloud platform. The application tier consists of an auto-scaling group of virtual machines running a custom web service. The database tier is a managed MySQL service. Recently, users have reported slow response times during business hours, especially when the application performs write operations. Reviewing the monitoring dashboards shows that the CPU utilization on the application instances averages 80% and the database connection pool is consistently maxed out at 200 connections. The auto-scaling group is configured to add instances when CPU exceeds 70% for 5 minutes, but scaling events are not triggering as expected. The application team has confirmed that there are no code changes in the last week. You check the CloudWatch alarms and see no metric alarms for CPU. What is the MOST likely reason the auto-scaling group is not scaling out?

A.The auto-scaling group has reached the maximum instance count
B.The CPU metric alarm that triggers the scaling policy has been deleted or never configured
C.The auto-scaling group has a default cooldown period that is too long
D.The application instances are not responding to health checks
AnswerB

Auto-scaling policies require a metric alarm to trigger; missing alarm means no scaling.

Why this answer

Option A is correct: without a CPU alarm configured, the scaling policy has no trigger. Option B is wrong: scaling cool-down only delays after a scaling event, but no event occurs. Option C is wrong: health checks are for instance health, not scaling.

Option D is wrong: instance count limit would prevent scaling after attempts, but policy would still trigger.

92
MCQhard

A company runs a critical application on a single VM in a public cloud. The VM uses a 500 GB managed disk. The company takes daily snapshots of the disk for backup. The operations team notices that the snapshot creation time has increased from 5 minutes to over an hour over the past month. The VM's disk usage has remained stable at around 200 GB. The VM runs a database that writes logs to a separate data disk (100 GB) which is not snapshotted. Which of the following is the MOST likely cause of the increasing snapshot time?

A.The VM's used disk space has increased significantly, requiring larger snapshots.
B.High write activity (churn) on the OS disk causing more data to be captured in each snapshot.
C.The data disk is consuming space on the OS disk due to log file growth.
D.The backup software is compressing snapshots, causing CPU overhead and longer times.
AnswerB

Snapshots capture blocks changed since last snapshot; high churn increases the volume of changed blocks.

Why this answer

The snapshot creation time has increased because of high write activity (churn) on the OS disk. Azure and other cloud platforms use a block-level incremental snapshot mechanism; when a disk has high churn, many blocks change between snapshots, forcing the snapshot process to read and store a large number of changed blocks even if the total used space remains stable. Since the VM runs a database that writes logs to a separate data disk (not snapshotted), the OS disk still experiences frequent writes from the database's log flushing or other system operations, causing the snapshot to capture many changed blocks and thus take longer.

Exam trap

The trap here is that candidates assume snapshot time correlates only with total used disk space, ignoring that write churn (block-level changes) is the primary driver of incremental snapshot duration in cloud environments.

How to eliminate wrong answers

Option A is wrong because the VM's used disk space has remained stable at around 200 GB, so the snapshot size is not increasing due to used space growth. Option C is wrong because the data disk is a separate 100 GB disk that is not snapshotted, and log file growth on that disk does not consume space on the OS disk or affect the OS disk's snapshot. Option D is wrong because the question does not mention any backup software performing compression; the snapshots are taken natively by the cloud provider's snapshot service, which does not apply CPU-intensive compression that would increase snapshot time.

93
MCQmedium

During a cloud migration, a database server is moved from on-premises to a cloud-managed database service. After migration, the application team reports that some queries are running slower than before. The database CPU utilization is low. What is the most likely cause?

A.The network latency between the application and the database has increased
B.The database is not indexed properly
C.The database connection pooling is misconfigured
D.The cloud database instance type has insufficient memory
AnswerA

Higher latency increases query response time without affecting CPU.

Why this answer

Option C is correct because increased network latency between the application and the cloud database can slow queries without increasing CPU usage. Option A is wrong because indexing issues would affect specific queries but would also cause higher CPU. Option B is wrong because insufficient memory would cause swapping and higher CPU.

Option D is wrong because pool misconfiguration would cause connection errors, not slow queries.

94
MCQhard

A company uses a cloud provider's identity federation to allow employees to sign in using their corporate Active Directory credentials. After a merger, employees from the acquired company need access. What must be modified to enable federated access for the new users without disrupting existing access?

A.Create a separate federation agreement for the new domain.
B.Manually create cloud IAM users for each employee.
C.Create a new identity provider in the cloud.
D.Update the trust policy to include the new Active Directory domain.
AnswerD

This seamlessly adds the new domain to the existing federation setup.

Why this answer

Option A is correct because updating the trust policy to include the new domain allows federation from both domains under the same identity provider.

95
MCQmedium

A company has a three-tier application in a cloud VPC: web servers in a public subnet, application servers in a private subnet, and database servers in a private subnet. The web servers can connect to the application servers, but the application servers cannot connect to the database servers. The security groups are configured as follows: - Web SG: inbound HTTP from 0.0.0.0/0, outbound all - App SG: inbound HTTP from Web SG, outbound all - DB SG: inbound MySQL from App SG, outbound all What is the most likely cause of the connectivity issue?

A.The database security group is missing an inbound rule for MySQL.
B.The application security group is missing an outbound rule for MySQL.
C.The network access control list (NACL) on the database subnet is blocking inbound traffic from the application subnet.
D.The web security group is blocking traffic to the database.
AnswerC

NACLs are stateless, so they must have explicit rules for traffic. A missing rule can block connectivity.

Why this answer

Option D is correct because security groups are stateful and allow outbound traffic automatically, so outbound rules are not the issue. The inbound rule on DB SG allows MySQL from App SG, so A is not the issue. B is not needed because outbound is all.

C is irrelevant. The issue likely is a NACL on the private subnet blocking the traffic, as NACLs are stateless and need explicit rules.

96
Multi-Selectmedium

A company is considering a multi-cloud deployment to avoid vendor lock-in. Which TWO factors should they consider? (Select TWO.)

Select 2 answers
A.Unified management tools support
B.Consistent security policies across clouds
C.Data egress costs between clouds
D.Performance differences between providers
E.Software licensing compatibility
AnswersB, C

Ensuring consistent security across different cloud providers is essential to avoid gaps.

Why this answer

Option B is correct because consistent security policies across clouds ensure a unified security posture, which is critical for compliance and risk management in a multi-cloud environment. Without consistent policies, vulnerabilities can arise from misconfigurations or gaps in coverage between providers. Option C is correct because data egress costs between clouds can be significant, as each cloud provider charges for data leaving their network, and these costs must be factored into the total cost of ownership to avoid budget overruns.

Exam trap

The trap here is that candidates often confuse operational benefits (like unified management or performance tuning) with strategic lock-in avoidance, leading them to select options A or D instead of focusing on cost and security consistency as the key differentiators.

97
MCQhard

A company is deploying a microservices architecture that must scale dynamically based on traffic. Which technology should be used?

A.Manually add more virtual machines during peak hours
B.Deploy a monolithic application on a single large instance
C.Kubernetes with Horizontal Pod Autoscaler
D.Use a single large instance with a load balancer
AnswerC

Kubernetes automates container orchestration and HPA scales pods based on demand.

Why this answer

Option A is correct because Kubernetes with HPA automatically scales pods based on metrics. Option B is wrong because monolithic deployments are not scalable. Option C is wrong because manual scaling is not dynamic.

Option D is wrong while a large instance may handle more load, it does not provide dynamic scaling.

98
MCQmedium

A cloud administrator receives an alert that a virtual machine's disk usage is at 95%. The VM hosts a database. Which of the following troubleshooting steps should the administrator take FIRST?

A.Expand the virtual disk by resizing the volume in the cloud console
B.Reboot the virtual machine to free up temporary files
C.Query the database for active connections to determine if there are long-running transactions
D.Check the disk to identify which files are consuming space
AnswerD

First step to understand the cause of high disk usage.

Why this answer

When a VM's disk usage reaches 95%, the first step is to identify what is consuming the space. Checking the disk to identify which files are consuming space (Option D) allows the administrator to determine whether the issue is caused by database logs, temporary files, or other data, and to plan an appropriate remediation without unnecessary risk or downtime.

Exam trap

The trap here is that candidates may assume high disk usage is always caused by temporary files or transactions, leading them to reboot or query the database first, rather than performing a simple disk space analysis to identify the actual culprit.

How to eliminate wrong answers

Option A is wrong because expanding the virtual disk without first identifying the cause of high usage may lead to uncontrolled growth and does not address the root cause; it also risks exceeding storage quotas or costs. Option B is wrong because rebooting the VM to free temporary files is a disruptive action that may not resolve the issue if the space is consumed by database logs or persistent data, and it could cause unnecessary downtime for a production database. Option C is wrong because querying for long-running transactions addresses performance issues, not disk space consumption; high disk usage is typically caused by data files, logs, or temporary files, not by active connections.

99
MCQeasy

A cloud administrator notices that a virtual machine (VM) hosting a web application is consistently running at 95% CPU utilization during business hours. End users complain that the application is slow. The application is stateless and can scale horizontally. The VM is part of an auto-scaling group configured with a target tracking scaling policy based on average CPU utilization. The administrator checks CloudWatch metrics and sees that the CPU utilization has been above the target of 70% for the last two hours, but no new instances have been launched. What should the administrator do FIRST to resolve the issue?

A.Verify that the CloudWatch agent is sending CPU metrics and that the metric names match the scaling policy configuration.
B.Manually increase the desired capacity of the auto-scaling group.
C.Reduce the target tracking value to 50% so scaling happens sooner.
D.Replace the instance with a larger instance type that has more vCPUs.
AnswerA

If metrics are missing or misconfigured, auto-scaling cannot trigger. This is the most direct diagnostic step.

Why this answer

The auto-scaling policy is not triggering despite sustained high CPU. The most likely cause is that the metric collection is not functioning correctly. Checking the CloudWatch agent and metrics will reveal if data is being sent properly.

Option B is the correct first step because without valid metrics, auto-scaling cannot adjust capacity.

100
MCQmedium

A company uses a hybrid cloud model with on-premises servers and a public cloud. The IT team wants to ensure that critical data is backed up daily and retained for 30 days. The backup solution must be cost-effective. Which of the following backup strategies BEST meets these requirements?

A.Full backup daily to cloud storage with a 30-day lifecycle policy.
B.Full backup daily to tape, retained for 30 days.
C.Differential backup daily to cloud storage, with full backup every 30 days.
D.Incremental backup daily to cloud storage, with weekly full backup.
AnswerD

Incremental backups are small and cost-effective; weekly full provides baseline; retention can be set to 30 days.

Why this answer

Option B is correct because incremental backups daily and full backup weekly reduces storage costs while allowing 30-day retention by keeping weekly fulls. Option A is wrong because full daily to tape is expensive and not cloud-based. Option C is wrong because differential backups grow large and cost more than incremental.

Option D is wrong because full daily backups to cloud storage are costly.

101
MCQhard

A cloud administrator receives an alert that a virtual machine has unexpectedly shut down. The administrator checks the hypervisor logs and finds an entry "Out of memory: killed process" in the VM's OS logs. Which of the following is the most likely cause?

A.The hypervisor memory overcommitment is too high.
B.The VM has a memory leak in its application.
C.The VM's memory balloon driver is not installed.
D.The VM's swap space is insufficient.
AnswerB

A memory leak causes the VM's memory to be exhausted, triggering the OOM killer.

Why this answer

Option C is correct because the OOM killer message in the VM's OS indicates that a process consumed too much memory, likely due to a memory leak. Option A would cause host-side OOM, not VM-side. Option B would affect the host, not the VM.

Option D could be a factor but a memory leak is the most direct cause of running out of memory.

102
MCQhard

A cloud engineer runs the commands shown in the exhibit. Based on the output, which security issue is present?

A.The bastion host is not used for SSH access.
B.The web servers are not running.
C.The firewall rule allows SSH access from any source IP.
D.There are too many firewall rules allowing SSH.
AnswerC

The sourceRanges is 0.0.0.0/0, meaning all IPs can SSH into the instances.

Why this answer

Option B is correct because the firewall rule allow-ssh allows SSH (tcp:22) from all IP addresses (0.0.0.0/0), which is a security risk. Option A is wrong because the bastion host is separate. Option C is wrong because there is only one rule shown.

Option D is wrong because the instances are running normally.

103
MCQmedium

A company is deploying a cloud-based application that requires consistent, low-latency access to shared database files. Which storage option should be used for the database files?

A.Block storage volumes attached to the database server
B.Network file system (NFS) mount
C.Object storage (e.g., Amazon S3)
D.Ephemeral instance storage
AnswerA

Block storage offers high performance and low latency for random I/O, making it ideal for databases.

Why this answer

Block storage volumes (e.g., Amazon EBS or Azure Managed Disks) provide consistent, low-latency I/O performance because they are directly attached to the database server via a high-speed network and support protocols like NVMe or SCSI. This allows the database to perform synchronous writes and reads with minimal jitter, which is critical for transactional workloads that require ACID compliance. Unlike shared file systems or object storage, block storage offers the raw disk-level access that database engines (e.g., MySQL, PostgreSQL, SQL Server) expect for their data and log files.

Exam trap

CompTIA often tests the misconception that NFS is suitable for database workloads because it provides shared access, but the trap is that NFS lacks the low-latency, synchronous write guarantees required for transactional databases, and candidates overlook the performance penalties of network file locking and cache coherency protocols.

How to eliminate wrong answers

Option B is wrong because NFS mounts introduce network latency and protocol overhead (e.g., lock management, stateless operations) that can cause performance degradation and consistency issues for database workloads, especially under concurrent write operations. Option C is wrong because object storage (e.g., Amazon S3) uses a RESTful API with eventual consistency models and higher latency, making it unsuitable for low-latency database file access that requires immediate read-after-write consistency. Option D is wrong because ephemeral instance storage is temporary and data is lost when the instance is stopped or terminated, which violates the requirement for persistent, shared database files.

104
MCQeasy

A cloud administrator is troubleshooting a connectivity issue between two virtual machines in the same VPC but different subnets. Both VMs have security groups that allow all traffic from the VPC CIDR. What should the administrator check first?

A.The VPC flow logs.
B.The network ACLs for both subnets.
C.The route tables for both subnets.
D.The DHCP option set.
AnswerB

NACLs are stateless and may be blocking traffic even if security groups allow it.

Why this answer

Option A is correct because network ACLs are stateless and must explicitly allow traffic in both directions. Option B is unlikely due to the automatic local route. Options C and D are not the first step.

105
MCQmedium

A cloud security analyst finds the above JSON policy attached to an S3 bucket containing confidential customer data. What change must be made to comply with the principle of least privilege?

A.Restrict the Principal to a specific AWS account or user.
B.Change the Effect to 'Deny'.
C.Change the Action to 's3:PutObject'.
D.Remove the Resource field.
AnswerA

This limits access to only authorized identities.

Why this answer

Option D is correct because a wildcard Principal allows anonymous access; restricting to a specific principal ensures only authorized entities can access the data.

106
Multi-Selectmedium

Which TWO actions should a cloud administrator take to protect against data exfiltration from a cloud storage bucket? (Choose two.)

Select 2 answers
A.Implement server-side encryption with SSE-S3.
B.Enable object versioning on the bucket.
C.Configure bucket access logs for monitoring.
D.Block all public access by configuring bucket policies and ACLs.
E.Enable MFA delete on the bucket.
AnswersA, D

Encryption protects data at rest; even if exfiltrated, the data is unreadable without the key.

Why this answer

Enabling object versioning allows recovery if data is deleted or overwritten but does not prevent exfiltration. Requiring MFA for delete operations prevents unauthorized deletion but not reading. Restricting public access and encrypting data at rest are effective controls against exfiltration.

Audit logging is detective, not preventive.

107
MCQmedium

Refer to the exhibit. A cloud engineer is reviewing logs from an EC2 instance. Which of the following is the MOST likely root cause of the application failure?

A.The application experienced a segmentation fault due to a code bug
B.The instance ran out of memory because the application had a memory leak
C.The instance was stopped by the cloud provider due to a license violation
D.The disk space reached 100% capacity, preventing the application from writing logs
AnswerD

The sequence shows disk warnings before application failures.

Why this answer

When disk space reaches 100% capacity, the operating system cannot write new data to the filesystem. Since the application relies on writing logs (and potentially other data) to disk, it will fail when it cannot perform these write operations. This is a common root cause in cloud environments where log rotation is not configured or monitoring thresholds are not set.

Exam trap

CompTIA often tests the distinction between memory-related failures (segfaults, OOM) and disk-related failures, where candidates mistakenly attribute a log-write failure to a memory issue instead of checking disk space.

How to eliminate wrong answers

Option A is wrong because a segmentation fault is a memory access violation caused by a code bug, which would generate a core dump and specific error messages in logs, not a gradual failure due to disk space exhaustion. Option B is wrong because running out of memory due to a memory leak would manifest as the kernel OOM killer terminating processes or the application crashing with out-of-memory errors, not as a failure to write logs. Option C is wrong because cloud providers like AWS do not stop instances for license violations; they may disable the instance or revoke access, but the instance itself would not be stopped by the provider for this reason.

108
MCQmedium

An administrator notices that a cloud-hosted database is experiencing high latency during peak usage. The CPU and memory utilization on the DB server are below 50%, but disk IOPS are consistently at the provisioned limit. What should the administrator check first?

A.Check network bandwidth between the DB and application servers.
B.Add additional storage volumes and stripe data.
C.Check if the storage volume has an IOPS cap.
D.Increase the number of vCPUs on the DB server.
AnswerC

Saturating the IOPS limit causes queuing and high latency.

Why this answer

Option B is correct because saturating IOPS is a common cause of high latency. Option A is incorrect because CPU is not maxed. Option C is incorrect because network latency is not indicated.

Option D is incorrect as scaling would increase IOPS but not address the limit.

109
MCQhard

A cloud administrator is troubleshooting a database failover issue. The database is a managed service with a primary and standby replica in different availability zones. The application uses a read-write endpoint. During a recent maintenance event, the primary database failed over automatically, but the application experienced a 10-minute outage. The administrator checks the failover logs and sees that it completed within 2 minutes. What is the most likely cause of the extended outage?

A.The application's database connection pool does not retry DNS resolution
B.The application was not configured to use multiple availability zones
C.The standby replica was not in sync
D.The failover triggered a change in the endpoint DNS record
AnswerA

Stale connections continue to point to the old primary IP, causing failures until the pool refreshes.

Why this answer

Option A is correct because if the application's connection pool caches the IP address of the primary database, it will not automatically re-resolve the DNS after failover, causing prolonged outages. Option B is wrong because if the standby was out of sync, failover would not complete cleanly. Option C is wrong because the DNS change is usually fast but the application may not re-query DNS.

Option D is wrong because multi-AZ configuration is about the database, not the application's endpoint configuration.

110
MCQmedium

A cloud administrator notices that a virtual machine is running out of memory and causing performance issues. The VM is part of a production web application. Which of the following actions should the administrator take FIRST to resolve the issue without impacting availability?

A.Stop the VM and increase its memory allocation, then restart it.
B.Add a swap file to the VM's virtual disk.
C.Take a snapshot of the VM and then increase memory allocation.
D.Perform a live migration of the VM to a host with more memory.
AnswerD

Live migration moves the VM without downtime, allowing access to more resources.

Why this answer

Option D is correct because live migration (e.g., VMware vMotion or Hyper-V Live Migration) allows the administrator to move the running VM to a host with more physical memory without any downtime, directly resolving the memory pressure while maintaining production availability. This is the only option that addresses the root cause (insufficient host memory) without stopping the VM or risking data loss.

Exam trap

CompTIA often tests the misconception that increasing memory requires a VM restart, but the trap here is that candidates overlook live migration as a zero-downtime solution and instead choose options that either cause downtime or degrade performance.

How to eliminate wrong answers

Option A is wrong because stopping the VM to increase memory allocation causes downtime, which violates the requirement to not impact availability. Option B is wrong because adding a swap file to the VM's virtual disk only shifts memory pressure to disk I/O, degrading performance further, and does not resolve the underlying physical memory shortage. Option C is wrong because taking a snapshot before increasing memory is unnecessary for a memory change and does not prevent the need to stop the VM (unless using hot-add memory, which is not implied), and snapshots can cause performance overhead and storage issues.

111
MCQeasy

A cloud architect needs to choose a compute service for a batch processing job that runs once a day and takes about 30 minutes. The job is CPU-intensive and can tolerate interruptions. Which compute option is the most cost-effective?

A.Reserved instances
B.Spot (preemptible) instances
C.Dedicated hosts
D.On-demand instances
AnswerB

Spot instances provide the lowest cost for fault-tolerant, short-lived workloads.

Why this answer

Option B is correct because spot instances offer significant discounts and are suitable for interruptible workloads. On-demand (A) costs more. Reserved instances (C) require a long commitment.

Dedicated hosts (D) are expensive and unnecessary.

112
MCQmedium

A company migrated to a hybrid cloud and users report slow access to files stored in the cloud. The on-premises network is 100 Mbps. What troubleshooting step should be taken?

A.Enable compression on the cloud storage gateway
B.Check VPN bandwidth and latency
C.Increase cloud storage performance tier
D.Move files to on-premises storage
AnswerB

VPN bandwidth and latency directly affect file transfer speeds.

Why this answer

Option B is correct because slow file access over a hybrid connection is often due to limited VPN bandwidth or high latency. Option A is wrong because increasing storage performance tier may not address network bottlenecks. Option C is wrong because moving files back defeats the hybrid cloud purpose.

Option D is wrong because compression may help but isn't the first step to diagnose the issue.

113
MCQeasy

A cloud engineer is troubleshooting a performance issue in a virtualized environment. A critical application is running slowly, and the engineer suspects resource contention. The host server has 32 vCPUs and 256 GB of RAM, running four VMs. Which tool should the engineer use to determine if CPU ready time is causing the performance degradation?

A.Run the 'top' command inside the affected VM
B.Deploy a network analyzer to capture traffic between VMs
C.Check the performance monitor in the guest operating system
D.Use the hypervisor's monitoring console to view CPU ready time
AnswerD

Hypervisor consoles provide CPU ready metrics indicating contention.

Why this answer

CPU ready time is a hypervisor-level metric that measures the time a VM is ready to execute but must wait for a physical CPU core to become available. Since the engineer suspects resource contention among VMs on the same host, the hypervisor's monitoring console (e.g., vSphere, Hyper-V Manager) is the only tool that can expose this metric directly. Guest OS tools like 'top' or Performance Monitor cannot see CPU ready time because it occurs at the virtualization layer, not inside the VM.

Exam trap

The trap here is that candidates assume guest OS tools like 'top' or Performance Monitor can detect all CPU-related bottlenecks, but they cannot see hypervisor-level metrics like CPU ready time, which requires the hypervisor's own monitoring console.

How to eliminate wrong answers

Option A is wrong because the 'top' command inside the affected VM shows guest-level CPU utilization, not hypervisor-level CPU ready time, which is invisible to the guest OS. Option B is wrong because a network analyzer captures traffic between VMs and is used for network latency or packet loss issues, not CPU scheduling contention. Option C is wrong because the guest OS performance monitor reports CPU usage from the guest's perspective, but CPU ready time is a hypervisor metric that the guest cannot measure or report.

114
MCQeasy

A cloud engineer is troubleshooting performance issues in a virtualized environment. Which of the following tools would BEST help identify CPU contention on a hypervisor?

A.iperf
B.esxtop
C.ping
D.nslookup
AnswerB

Shows CPU metrics like ready time and co-stop.

Why this answer

Option C is correct because 'esxtop' (on VMware) provides real-time performance data including CPU ready time. Option A is wrong because 'iperf' is for network throughput. Option B is wrong because 'ping' tests basic connectivity.

Option D is wrong because 'nslookup' is for DNS resolution.

115
Matchingmedium

Match each networking concept to its definition.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Isolated private network in the cloud

Logical subdivision of a VPC

Enables private instances to access internet

Secure tunnel over public internet

Distributed network for content delivery

Why these pairings

These are fundamental cloud networking components.

116
MCQeasy

A cloud engineer needs to deploy a stateless application across multiple availability zones. The application must scale horizontally based on CPU utilization. Which of the following is the BEST configuration?

A.Deploy a single large instance and increase its size as needed
B.Create an auto-scaling group spanning multiple zones with a load balancer
C.Use a managed container service and manually add containers
D.Deploy instances in one zone using spot instances to reduce cost
AnswerB

This provides automated horizontal scaling and fault tolerance.

Why this answer

Option A is correct because auto-scaling groups across zones with a load balancer provide high availability and scaling. Option B is wrong: vertical scaling is not horizontal. Option C is wrong: manual scaling is not automated.

Option D is wrong: spot instances may be terminated, causing instability.

117
MCQhard

Refer to the exhibit. A cloud security engineer is reviewing an S3 bucket policy that controls access to the 'example-bucket' bucket. The 'AdminRole' IAM role attempts to upload an object to the bucket using the AWS CLI without specifying the '--server-side-encryption' parameter. The object transfer uses HTTPS. What will be the outcome?

A.The upload succeeds but the object is stored without server-side encryption.
B.The upload succeeds because the request uses HTTPS and the role is allowed.
C.The upload fails because the condition in the Allow statement is not satisfied.
D.The upload fails because the Deny statement blocks all requests that are not using HTTPS.
AnswerC

The Allow requires the encryption header to equal AES256, which is not provided.

Why this answer

The S3 bucket policy includes an Allow statement with a condition that requires `s3:x-amz-server-side-encryption` to be `AES256`. Since the `AdminRole` IAM role did not specify the `--server-side-encryption` parameter, the condition is not satisfied, and the Allow statement does not grant permission. Without a matching Allow, the default implicit deny applies, causing the upload to fail.

Exam trap

CompTIA often tests the nuance that a condition in an Allow statement can cause a request to fail even when the principal and action are permitted, because the condition must be satisfied for the Allow to grant access.

How to eliminate wrong answers

Option A is wrong because the condition in the Allow statement explicitly requires server-side encryption with AES256; without it, the request is not allowed, so the upload does not succeed. Option B is wrong because HTTPS alone does not satisfy the condition for server-side encryption; the policy requires both the role to be allowed and the encryption header to be present. Option D is wrong because the Deny statement blocks requests not using HTTPS, but the request does use HTTPS, so the Deny does not apply; the failure is due to the Allow condition not being met.

118
MCQhard

A security analyst is investigating a potential data exfiltration from a cloud environment. The analyst finds that an instance IAM role was assumed by a compromised user, and the role has permissions to read from a sensitive database. What is the BEST way to prevent this type of attack in the future?

A.Enforce MFA for all users and require MFA when assuming the role.
B.Add a resource-based policy to the database to deny access from the role.
C.Rotate the IAM role's access keys every 30 days.
D.Remove the IAM role and use a service account instead.
AnswerA

MFA adds a second factor, making it much harder for attackers to use stolen credentials.

Why this answer

Option C is correct because using multi-factor authentication (MFA) for all users and requiring MFA for role assumption can prevent unauthorized access even if credentials are compromised. Option A is wrong because rotating keys after the fact does not prevent future compromise. Option B is wrong because resource policies do not prevent compromised users from assuming roles.

Option D is wrong because removing the role would break functionality.

119
MCQhard

A cloud administrator is managing a fleet of virtual machines that run a batch processing job. The job is memory-intensive and runs once a day. The administrator wants to optimize cost without affecting performance. Which of the following is the BEST approach?

A.Purchase dedicated hosts to ensure resource isolation
B.Use a mix of reserved instances for the minimum required capacity and spot instances to handle the daily workload
C.Manually shut down instances when the job completes
D.Use only on-demand instances to avoid commitment
AnswerB

Reserved instances provide discount; spot instances offer cheap compute for tolerant jobs.

Why this answer

Option A is correct: using a combination of reserved instances for baseline and spot instances for spikes reduces cost. Option B is wrong: on-demand is most expensive. Option C is wrong: dedicated hosts are costly and unnecessary.

Option D is wrong: shutting down manually is inefficient and may miss jobs.

120
MCQeasy

Refer to the exhibit. An application running on an EC2 instance is failing to connect to an RDS database. What is the most likely issue?

A.The database instance is in a different VPC
B.The security group for the RDS instance does not allow inbound traffic from the EC2 instance
C.The database instance is stopped
D.The application is using the wrong database port
AnswerB

A security group denying inbound traffic causes a TCP reset, resulting in connection refused.

Why this answer

Option B is correct because a 'connection refused' error typically indicates that the database is reachable but the port is blocked, likely by a security group. Option A is wrong if the database is in a different VPC, the error would be timeout or no route. Option C is wrong because a stopped database would result in a 'no route to host' or timeout.

Option D is wrong because port 3306 is standard for MySQL and the error is not about wrong port.

121
Multi-Selectmedium

Which TWO of the following are best practices for securing an API gateway in a cloud environment?

Select 2 answers
A.Implement rate limiting to control the number of requests per client.
B.Expose the API endpoints without authentication for ease of integration.
C.Return detailed error messages including stack traces to help developers.
D.Use API keys or OAuth for authentication and authorization.
E.Disable HTTPS to reduce latency.
AnswersA, D

Rate limiting protects against abuse and DoS attacks.

Why this answer

Option A is correct because rate limiting is a fundamental security control for API gateways. It mitigates abuse and denial-of-service (DoS) attacks by restricting the number of requests a client can make within a specified time window, typically enforced via token bucket or leaky bucket algorithms. This ensures fair resource usage and protects backend services from being overwhelmed.

Exam trap

CompTIA often tests the misconception that 'detailed error messages help developers debug faster'—but in a cloud environment, exposing stack traces is a critical security flaw, not a best practice.

122
MCQhard

A cloud architect must design a deployment for a containerized microservices application. The requirements include automated scaling based on CPU utilization, rolling updates with zero downtime, and service discovery. Which orchestration feature should be used?

A.Docker Compose with a reverse proxy
B.Kubernetes with Horizontal Pod Autoscaler
C.Ansible playbooks with Docker modules
D.AWS ECS with Fargate
AnswerB

Kubernetes natively supports autoscaling, rolling updates, and service discovery.

Why this answer

Kubernetes with Horizontal Pod Autoscaler (HPA) is the correct choice because HPA automatically scales the number of pod replicas based on observed CPU utilization (or custom metrics), meeting the automated scaling requirement. Kubernetes also supports rolling updates with zero downtime via its Deployment controller, which gradually replaces old pods with new ones while maintaining service availability. Additionally, Kubernetes provides built-in service discovery through DNS (CoreDNS) and Services, allowing microservices to find each other by name without external dependencies.

Exam trap

The trap here is that candidates may confuse a container runtime or provisioning tool (like Docker Compose or Ansible) with a full orchestration platform, or assume that a managed service like ECS is an orchestration feature rather than a cloud implementation, missing that Kubernetes is the specific feature set that directly satisfies all three requirements.

How to eliminate wrong answers

Option A is wrong because Docker Compose with a reverse proxy lacks native automated scaling based on CPU utilization; it requires manual intervention or external tools to adjust replica counts, and it does not provide built-in rolling updates with zero downtime or integrated service discovery beyond a static reverse proxy configuration. Option C is wrong because Ansible playbooks with Docker modules are configuration management and provisioning tools, not an orchestration platform; they cannot natively perform automated scaling based on CPU metrics, manage rolling updates with zero downtime, or provide service discovery without additional components like Consul or etcd. Option D is wrong because AWS ECS with Fargate is a managed container service that supports scaling and service discovery, but it is a cloud-specific solution, not an orchestration feature; the question asks for an orchestration feature, and Kubernetes is the platform-agnostic, industry-standard orchestrator that directly provides HPA, rolling updates, and DNS-based service discovery.

123
MCQhard

A company is implementing a cloud governance strategy. They need to ensure that all resources are tagged with cost center and environment, and any untagged resources are automatically remediated. Which of the following best practices should be applied?

A.Implement role-based access control to restrict resource creation
B.Set up budget alerts to notify when costs exceed thresholds
C.Create a manual audit process to check tags weekly
D.Use policy-as-code to enforce tagging and automatically apply tags to untagged resources
AnswerD

Correct; policy-as-code can enforce and auto-remediate tagging.

Why this answer

Option D is correct because policy-as-code (e.g., Azure Policy, AWS Config Rules, or Open Policy Agent) allows you to define tagging requirements declaratively and automatically remediate non-compliant resources. This approach enforces governance in real-time without manual intervention, ensuring all resources are tagged with cost center and environment as specified.

Exam trap

The trap here is that candidates often confuse manual audit processes (Option C) with automated governance, failing to recognize that policy-as-code provides the required automatic remediation in real-time.

How to eliminate wrong answers

Option A is wrong because role-based access control (RBAC) restricts who can create resources but does not automatically tag or remediate untagged resources. Option B is wrong because budget alerts notify when costs exceed thresholds but do not enforce tagging or remediate untagged resources. Option C is wrong because a manual audit process is reactive, time-consuming, and does not provide automatic remediation, which is required by the question.

124
MCQhard

After reviewing the Terraform plan, a cloud administrator notices that the instance will be created with a public IP address. However, the company policy requires that all instances in this subnet remain private. What should the administrator do to meet the policy before applying the plan?

A.Add a shell command in user_data to remove the public IP after boot.
B.Use a different AMI that does not require public access.
C.Change the 'associate_public_ip_address' argument to 'false' in the resource block.
D.Modify the subnet_id to point to a private subnet with no internet gateway.
AnswerC

Correct: This explicitly disables public IP assignment.

Why this answer

Option B is correct because setting 'associate_public_ip_address' to false will prevent the instance from receiving a public IP. Option A is wrong because changing subnet may not resolve the policy if the new subnet also allows public IP. Option C is wrong because using a non-default VPC does not automatically prevent public IPs.

Option D is wrong because user_data does not affect network configuration.

125
MCQhard

A user attempted to copy an encrypted snapshot to a different region and received the above error. What is the most likely cause?

A.The snapshot size exceeds the regional limit.
B.The user does not have permission to create snapshots in the destination region.
C.The snapshot was created in a different region using a regional KMS key that is not present in the destination region.
D.The KMS key used to encrypt the snapshot has been deleted.
AnswerC

Regional keys cannot be used across regions by default.

Why this answer

Option B is correct because the error indicates the KMS key is not present in the destination region, which occurs when a regional key is used.

126
MCQmedium

Refer to the exhibit. After deploying a new version of the application, users report that some requests fail intermittently. The administrator checks the load balancer configuration and health checks, and both servers are marked as healthy. Which of the following is the MOST likely cause of the intermittent failures?

A.The health check interval is too short, marking servers down incorrectly.
B.The backend servers are not configured to accept traffic on port 80.
C.The health check path '/health' is no longer valid after the application update.
D.The load balancer is configured for round-robin, which is causing session persistence issues.
AnswerC

After an update, the health check endpoint might change; if the load balancer still points to the old path, servers may be considered healthy but actually serve errors on the new application.

Why this answer

Option D is correct because the health check is using the path '/health', but the application may have changed its health endpoint to '/status' after the update. This would cause the load balancer to think servers are healthy when they are not responding correctly to the new health check path.

127
Multi-Selecteasy

A cloud engineer receives alerts that a storage volume is reaching capacity. Which three immediate actions should the engineer consider? (Choose three.)

Select 3 answers
A.Attach additional volumes
B.Create a snapshot before making changes
C.Enable compression on the volume
D.Delete unnecessary files
E.Increase the size of the storage volume
AnswersA, D, E

Adding new volumes expands total storage instantly.

Why this answer

Correct options are A, B, and D. Option A is correct because increasing the volume size provides more space. Option B is correct because deleting unnecessary files frees up space immediately.

Option D is correct because attaching additional volumes can increase total capacity. Option C is wrong because enabling compression may not work on existing data and is not immediate. Option E is wrong because creating a snapshot is a precaution, not an immediate remedy for capacity.

128
Multi-Selecteasy

A cloud administrator is configuring a new virtual private cloud (VPC) with a public subnet for a web application. The administrator must ensure that the web application can receive HTTPS traffic from the internet but cannot be directly accessed via SSH. Which TWO security controls should the administrator implement? (Choose two.)

Select 2 answers
A.Attach an internet gateway (IGW) to the VPC and enable auto-assign public IP on the subnet.
B.Configure a network ACL on the subnet to allow inbound TCP ports 80 and 443 from 0.0.0.0/0 and deny inbound TCP port 22.
C.Place the web server in a private subnet and use a NAT gateway for outbound traffic.
D.Configure a security group that allows inbound TCP port 443 from 0.0.0.0/0 and denies inbound TCP port 22.
E.Deploy a web application firewall (WAF) in front of the web server.
AnswersB, D

Network ACLs are stateless and provide subnet-level filtering; allowing HTTP/HTTPS and denying SSH adds defense.

Why this answer

Option B is correct because a network ACL (NACL) is a stateless firewall that operates at the subnet level, allowing you to explicitly deny inbound TCP port 22 (SSH) while allowing TCP ports 80 and 443 (HTTP/HTTPS) from 0.0.0.0/0. Option D is correct because a security group (SG) is a stateful firewall at the instance level; by default, SGs deny all inbound traffic, so you must explicitly allow TCP port 443 from 0.0.0.0/0, and since SSH (port 22) is not allowed, it is implicitly denied. Together, these provide defense-in-depth: the NACL blocks SSH at the subnet boundary, and the SG ensures only HTTPS is permitted to the web server.

Exam trap

CompTIA often tests the distinction between stateless (NACL) and stateful (security group) firewalls, and the trap here is that candidates may think a security group alone is sufficient to deny SSH, forgetting that a permissive NACL could allow SSH traffic to reach the subnet, or they may incorrectly assume a WAF can block SSH at the network layer.

129
MCQhard

A DevOps engineer runs a rollout status command for a Kubernetes deployment and receives the error shown. The deployment specification includes a rolling update strategy with maxSurge=25% and maxUnavailable=25%. What is the most likely cause of the failure?

A.The cluster does not have enough CPU resources to schedule new pods
B.The new pod template contains an invalid container image tag
C.The maxSurge and maxUnavailable settings are too restrictive
D.The old ReplicaSet is still running and preventing the new one from scaling up
AnswerB

Invalid image causes pods to fail readiness, leading to rollout timeout.

Why this answer

The error message from the rollout status command indicates that the new ReplicaSet is unable to create pods, which typically occurs when the pod template in the deployment specification references an invalid container image tag. Kubernetes attempts to pull the image, fails, and marks the pods as ImagePullBackOff or ErrImagePull, preventing the rollout from progressing. The rolling update strategy with maxSurge=25% and maxUnavailable=25% is not the cause, as these settings control the rate of pod replacement, not the validity of the image reference.

Exam trap

CompTIA often tests the distinction between resource constraints (which cause Pending pods) and image-related errors (which cause ImagePullBackOff), tempting candidates to choose CPU or memory issues when the error message points to a pod template problem.

How to eliminate wrong answers

Option A is wrong because insufficient CPU resources would cause pods to remain in a Pending state due to resource constraints, not produce an error related to image pulling or invalid container configuration. Option C is wrong because maxSurge=25% and maxUnavailable=25% are standard, permissive settings that allow the rollout to proceed; they are not too restrictive and would not cause a rollout failure unless the cluster has zero capacity. Option D is wrong because the old ReplicaSet is expected to remain running during a rolling update until the new ReplicaSet becomes healthy; its presence does not prevent the new ReplicaSet from scaling up, as the rolling update strategy explicitly allows both ReplicaSets to coexist within the surge and unavailable limits.

130
MCQhard

A cloud administrator is troubleshooting connectivity to a web server running on a Linux VM. The web server is configured to listen on ports 80 (HTTP) and 443 (HTTPS). The administrator runs the iptables command shown in the exhibit. Based on the output, what is the MOST likely reason that external users cannot access the web server on port 443?

A.The web server is not configured to listen on port 443, so iptables rules are irrelevant.
B.The iptables default policy is ACCEPT, but the rule for port 443 explicitly drops traffic from external sources.
C.The rule for port 80 is placed before the rule for port 443, causing all HTTPS traffic to be evaluated as HTTP and dropped.
D.The iptables rule for port 443 only allows traffic from the 10.0.0.0/8 subnet, which does not include external IP addresses.
AnswerD

The rule for HTTPS only accepts from the private subnet, so external traffic is dropped by the default DROP policy.

Why this answer

Option D is correct because the iptables rule for port 443 specifies a source IP range of 10.0.0.0/8, which is a private RFC 1918 address space. External users have public IP addresses that do not fall within this subnet, so their HTTPS traffic is implicitly dropped by the rule's match condition. The default policy being ACCEPT does not override the explicit rule that only permits traffic from the 10.0.0.0/8 subnet.

Exam trap

The trap here is that candidates assume a default ACCEPT policy means all traffic is allowed, overlooking that an explicit rule with a restrictive source match will only permit traffic from that source, effectively denying all others by not matching.

How to eliminate wrong answers

Option A is wrong because the question states the web server is configured to listen on port 443, so the issue is not a misconfigured web server. Option B is wrong because the iptables output does not show an explicit DROP rule for port 443; instead, it shows an ACCEPT rule restricted to a specific source subnet, which implicitly drops all other traffic. Option C is wrong because iptables processes rules sequentially, but the rule for port 80 (HTTP) does not affect HTTPS traffic on port 443; each rule is evaluated independently based on protocol and port match.

131
MCQmedium

A cloud administrator is designing a backup strategy for a critical database that must achieve a recovery point objective (RPO) of 15 minutes and a recovery time objective (RTO) of 30 minutes. The database has a high write throughput. Which of the following backup methods BEST meets these requirements?

A.Synchronous log shipping to a standby database.
B.Full daily backups with transaction log backups every hour.
C.Snapshot replication to a secondary datastore every 10 minutes.
D.Incremental backups every 10 minutes.
AnswerC

Snapshots provide point-in-time copies that can be restored quickly, meeting RPO and RTO.

Why this answer

Option C is correct because snapshot replication provides near-instant recovery with minimal data loss, meeting both RPO and RTO. Option A is wrong because full daily backups have a higher RPO. Option B is wrong because incremental backups require a full restore, increasing RTO.

Option D is wrong because log shipping may have a longer recovery time.

132
MCQeasy

A cloud administrator notices that a load balancer is marking all instances as unhealthy. The health check is configured to check a specific URL path. Which of the following is the MOST likely cause?

A.The health check path does not exist on the instances.
B.The auto scaling group's minimum size is too low.
C.The security group for the instances blocks traffic from the load balancer.
D.The instances are under high CPU load.
AnswerA

If the path is missing, the load balancer receives non-200 responses.

Why this answer

The health check is configured to check a specific URL path. If that path does not exist on the instances (e.g., returns a 404 or 403 status), the load balancer will consider the instances unhealthy. This is the most direct cause because the health check relies on a successful HTTP response (typically 200 OK) from that exact path.

Exam trap

CompTIA often tests the distinction between connectivity issues (security groups, network ACLs) and application-level health check failures, leading candidates to incorrectly choose security group misconfiguration when the real issue is a missing or misconfigured health check endpoint.

How to eliminate wrong answers

Option B is wrong because the auto scaling group's minimum size affects the number of instances running, not the health check status of individual instances; a low minimum size could cause scaling issues but does not cause all instances to be marked unhealthy. Option C is wrong because if the security group blocked traffic from the load balancer, the instances would be unreachable entirely (e.g., connection timeout), not just fail a specific URL path health check. Option D is wrong because high CPU load might degrade performance but does not inherently cause the health check to fail unless the application crashes or the web server stops responding; the load balancer's health check is a simple HTTP request that typically succeeds even under moderate load.

133
MCQmedium

A cloud administrator is debugging a failed CloudFormation stack creation. The exhibit shows the stack events. What is the most likely cause of the failure?

A.The instance type is not supported in the region.
B.The stack name already exists.
C.The AMI ID is incorrect.
D.The referenced security group does not exist in the chosen VPC.
AnswerD

The error explicitly mentions invalid groupId.

Why this answer

The stack creation fails with a 'CREATE_FAILED' status on the security group resource, and the error message indicates that the security group does not exist in the specified VPC. This is a common issue when a CloudFormation template references a security group by ID or name that is not present in the target VPC, causing the resource creation to fail. The stack events show the security group resource as the point of failure, confirming that the referenced security group is missing.

Exam trap

CompTIA often tests the ability to read CloudFormation stack events and correlate the failing resource with the specific error message, rather than assuming a generic failure like an incorrect AMI or instance type.

How to eliminate wrong answers

Option A is wrong because an unsupported instance type would cause a failure on the EC2 instance resource, not on a security group resource, and the error would typically mention 'instance type' or 'not supported'. Option B is wrong because a stack name that already exists would cause a stack creation to fail immediately with a 'Stack with id [name] already exists' error, not a failure on a specific resource like a security group. Option C is wrong because an incorrect AMI ID would cause a failure on the EC2 instance resource with an error like 'AMI [ami-id] does not exist' or 'AMI not found', not on a security group resource.

134
MCQhard

Refer to the exhibit. A developer is trying to upload an object to S3 bucket 'example-bucket' using the IAM policy shown. The upload fails with an AccessDenied error. Which of the following is the MOST likely reason?

A.The IAM policy requires server-side encryption with AES256, but the upload request did not specify that header.
B.The bucket policy has a deny that overrides this IAM policy.
C.The developer's user is not in the same account as the bucket.
D.The IAM policy does not grant the s3:ListBucket permission.
AnswerB

The bucket policy denies PutObject unless encryption is aws:kms, which conflicts with the IAM policy's AES256 requirement, resulting in a deny.

Why this answer

Option C is correct because the bucket policy denies PutObject unless the encryption is aws:kms, while the IAM policy requires AES256. The bucket policy's explicit deny overrides the IAM allow, causing the failure.

135
MCQmedium

A cloud architect is designing a disaster recovery plan for a cloud-based application. The primary site is in a cloud region, and the recovery site is in a different geographic region. The application uses a relational database with synchronous replication. The recovery time objective (RTO) is 1 hour, and the recovery point objective (RPO) is 15 minutes. Which replication strategy BEST meets these objectives?

A.Perform daily backups of the database and restore at the recovery site
B.Use storage-level asynchronous replication between regions
C.Use a script to copy database logs every hour to the recovery site
D.Configure synchronous database replication with automated failover
AnswerD

Synchronous replication provides near-zero RPO and fast failover.

Why this answer

Synchronous database replication with automated failover ensures that every write transaction is committed to both the primary and recovery site databases before acknowledging success, guaranteeing zero data loss (RPO=0) and near-instantaneous failover within seconds to minutes, which comfortably meets the RTO of 1 hour and RPO of 15 minutes. This strategy directly satisfies the strict RPO requirement by maintaining a fully synchronized, hot standby replica that can be promoted immediately upon failure.

Exam trap

CompTIA often tests the misconception that asynchronous replication (Option B) can meet a low RPO like 15 minutes, but the trap is that asynchronous replication inherently risks data loss equal to the replication lag, which can spike unpredictably under load or network congestion, making it unsuitable for strict RPO requirements.

How to eliminate wrong answers

Option A is wrong because daily backups provide an RPO of up to 24 hours, far exceeding the 15-minute requirement, and restoration from backup typically takes hours, violating the 1-hour RTO. Option B is wrong because storage-level asynchronous replication introduces a replication lag that can result in data loss exceeding the 15-minute RPO, as transactions may be committed at the primary but not yet replicated to the recovery site. Option C is wrong because copying database logs every hour provides an RPO of up to 60 minutes, which does not meet the 15-minute RPO, and log replay for recovery can be time-consuming, risking the RTO.

136
MCQhard

Refer to the exhibit. An application in a cloud environment logs multiple database connection errors. The database is a managed MySQL instance in the same VPC. The timeouts and connection refused errors occur intermittently. Which of the following is the most likely cause?

A.The database is hitting its maximum connections limit.
B.The database instance is out of storage.
C.The security group for the database is not allowing inbound traffic from the application.
D.The database's DNS resolves to multiple IP addresses.
AnswerA

Correct. When max connections are reached, new connections are refused, and timeouts occur when waiting for a slot.

Why this answer

Intermittent connection refused and timeouts indicate that the database is reaching its maximum connections limit, causing new connections to be refused or timeout.

137
MCQhard

A company is deploying a multi-tier application with web servers and a database. Which architecture ensures high availability?

A.Deploy web servers in an auto-scaling group across two AZs and database in a multi-AZ configuration
B.Deploy a single large web server and a single database instance
C.Deploy web servers in an auto-scaling group in one AZ and database in single instance
D.Deploy web servers and database in a single availability zone
AnswerA

This provides redundancy for both web and database tiers.

Why this answer

Option A is correct because deploying web servers in an auto-scaling group across two Availability Zones (AZs) ensures that if one AZ fails, the other continues serving traffic, while a multi-AZ database configuration (e.g., Amazon RDS Multi-AZ) automatically synchronously replicates data to a standby instance in a different AZ, enabling automatic failover. This combination eliminates single points of failure at both the web and database tiers, meeting high availability requirements.

Exam trap

The trap here is that candidates often assume auto-scaling alone guarantees high availability, but without distributing instances across multiple AZs, a single AZ failure still causes downtime.

How to eliminate wrong answers

Option B is wrong because a single large web server and a single database instance create a single point of failure; if either component or its underlying hardware fails, the entire application becomes unavailable. Option C is wrong because deploying web servers in an auto-scaling group within a single AZ still leaves the web tier vulnerable to an AZ-level outage, and a single database instance lacks failover capability. Option D is wrong because placing both web servers and the database in a single AZ means any failure affecting that AZ (e.g., power loss, network partition) will bring down the entire application, violating high availability principles.

138
MCQhard

A company deploys a multi-tier application in a public cloud. The web tier uses an auto scaling group across multiple availability zones. The database tier runs on a single large VM. The application experiences intermittent slowdowns during peak load. Which of the following is the BEST long-term solution?

A.Migrate the database to a managed database service with read replicas
B.Add a load balancer in front of the database tier
C.Upgrade the database VM to a larger instance type
D.Increase the number of web servers in the auto scaling group
AnswerA

Managed service provides scaling and high availability.

Why this answer

Option D is correct because moving the database to a managed service with replication improves scalability and reduces single points of failure. Option A is wrong because increasing web tier instances may not help if database is bottleneck. Option B is wrong because vertical scaling of the database has limits.

Option C is wrong because placing a load balancer in front of a single database does not solve the scaling problem.

139
MCQhard

A company uses a cloud-based load balancer to distribute traffic to a fleet of web servers. Users report intermittent timeouts. The administrator reviews the load balancer logs and notices that one backend server has a significantly higher error rate than the others. Which of the following is the BEST course of action?

A.Immediately add two more backend servers to distribute the load.
B.Drain connections to the unhealthy server and troubleshoot its configuration.
C.Enable sticky sessions on the load balancer to maintain user sessions.
D.Increase the health check interval for all servers to reduce false positives.
AnswerB

Draining prevents further impact while allowing investigation of the root cause.

Why this answer

Option B is correct because draining connections from the unhealthy server allows the load balancer to stop sending new traffic to it while existing sessions complete, preventing further timeouts. Troubleshooting the server's configuration addresses the root cause of the high error rate, such as misconfigured web server software, resource exhaustion, or application bugs. This approach follows the principle of isolating and resolving the faulty component rather than masking the issue with workarounds.

Exam trap

CompTIA often tests the misconception that adding more servers or increasing health check intervals will solve performance issues, but the trap here is that the problem is a specific faulty backend server, not a capacity or health check sensitivity issue, so the correct action is to isolate and troubleshoot that server.

How to eliminate wrong answers

Option A is wrong because adding more backend servers does not fix the underlying problem with the unhealthy server; it only distributes load away from it temporarily, and the faulty server will continue to serve errors to any traffic it receives. Option C is wrong because enabling sticky sessions (session persistence) would lock users to the unhealthy server, worsening the timeouts for those users and increasing error rates. Option D is wrong because increasing the health check interval makes the load balancer less responsive to failures, allowing the unhealthy server to remain in the pool longer and serve more errors before being marked down.

140
Multi-Selecthard

A cloud administrator is reviewing the security posture of a cloud deployment. The company has a policy of least privilege and must ensure that only authorized services can access storage buckets. Which THREE mechanisms should the administrator configure to enforce this policy? (Choose three.)

Select 3 answers
A.Network ACLs that block unauthorized IP ranges
B.Bucket policies that restrict access to specific AWS services
C.Service control policies (SCPs) to restrict permissions at the account level
D.IAM roles that grant permissions to services requiring access
E.Security groups that allow traffic from authorized services
AnswersB, C, D

Bucket policies define who can access the bucket and under what conditions.

Why this answer

Option B is correct because bucket policies, such as AWS S3 bucket policies, can explicitly grant or deny access to specific AWS services (e.g., AWS CloudTrail or AWS Config) using the `Principal` element with a service principal (e.g., `Service: cloudtrail.amazonaws.com`). This aligns with the least privilege policy by ensuring only authorized services can access the storage buckets, without relying on network-level controls.

Exam trap

The trap here is that candidates often confuse network-level controls (ACLs and security groups) with identity-based controls, assuming they can restrict service access to storage buckets, but these mechanisms cannot enforce service identity and are not applicable to cloud storage services.

141
MCQeasy

A company wants to deploy a cloud application that requires predictable performance and dedicated resources for a critical database. Which cloud service model is MOST appropriate?

A.Infrastructure as a Service (IaaS)
B.Function as a Service (FaaS)
C.Software as a Service (SaaS)
D.Platform as a Service (PaaS)
AnswerA

IaaS allows provisioning of dedicated compute and storage for the database.

Why this answer

Infrastructure as a Service (IaaS) provides virtualized computing resources, such as dedicated virtual machines, storage, and networking, that can be configured to meet the predictable performance and dedicated resource requirements of a critical database. With IaaS, the company can provision a dedicated server instance with guaranteed CPU, memory, and I/O, avoiding the resource contention common in shared platforms. This model offers full control over the operating system, database software, and security settings, which is essential for a critical database workload.

Exam trap

The trap here is that candidates often choose PaaS (Option D) thinking it provides dedicated resources for databases (e.g., Azure SQL Database or Amazon RDS), but these services run on shared infrastructure with resource governance rather than true dedicated hardware, which can lead to performance variability under load.

How to eliminate wrong answers

Option B (FaaS) is wrong because Function as a Service is designed for event-driven, stateless, short-lived functions that run in a shared environment with no dedicated resources, making it unsuitable for a persistent, resource-intensive database. Option C (SaaS) is wrong because Software as a Service delivers pre-built applications managed entirely by the provider, offering no control over underlying infrastructure or dedicated resource allocation for a custom database. Option D (PaaS) is wrong because while PaaS abstracts infrastructure management, it typically runs on shared multi-tenant platforms with resource limits and less granular control over dedicated resources, which can lead to performance unpredictability for a critical database.

142
MCQmedium

A cloud administrator needs to deploy a web application in a public cloud. The application must automatically scale out based on CPU utilization and scale in during low demand. Which of the following is the BEST approach?

A.Configure an auto scaling group with a scaling policy based on average CPU utilization
B.Use a script to increase the instance size when CPU exceeds 80%
C.Implement scheduled scaling to add instances during business hours
D.Create a load balancer and manually add instances during peak hours
AnswerA

Auto scaling with CPU metric provides automated horizontal scaling.

Why this answer

An auto scaling group with a scaling policy based on average CPU utilization is the best approach because it dynamically adjusts the number of instances in response to real-time demand. This method uses CloudWatch metrics to trigger scale-out when CPU exceeds a threshold (e.g., 70%) and scale-in when it drops, ensuring the application remains responsive while minimizing cost during low usage.

Exam trap

CompTIA often tests the distinction between horizontal scaling (adding/removing instances) and vertical scaling (resizing instances), where candidates mistakenly choose vertical scaling (Option B) because it seems simpler, but it does not provide the elasticity required for cloud-native applications.

How to eliminate wrong answers

Option B is wrong because increasing the instance size (vertical scaling) does not provide the horizontal scaling required for distributed load handling and can cause downtime during resizing; it also does not automatically scale in. Option C is wrong because scheduled scaling assumes predictable traffic patterns and cannot adapt to unexpected spikes or lulls in CPU utilization, which is the specified trigger. Option D is wrong because manually adding instances during peak hours is not automated and defeats the purpose of elastic scaling, leading to potential delays and human error.

143
Multi-Selectmedium

Which TWO of the following are common causes of performance degradation in a cloud-based application?

Select 2 answers
A.Over-provisioned virtual machines
B.Resource contention from other tenants on the same hypervisor (noisy neighbor)
C.Load balancer distributing traffic evenly
D.Insufficient IOPS on the storage volume
E.Insufficient bandwidth to the cloud provider
AnswersB, D

Noisy neighbor is a classic cloud performance issue.

Why this answer

Option A is correct: noisy neighbors impact performance. Option D is correct: insufficient storage IOPS can cause I/O bottlenecks. Option B is wrong because over-provisioned resources would not degrade performance.

Option C is wrong while correct but not as common as other options. Option E is wrong because load balancing improves performance.

144
MCQeasy

A cloud application returns HTTP 503 errors during high traffic. The application runs on VMs behind a load balancer. Which action is most likely to resolve the issue?

A.Restart the web server service on one VM.
B.Change the DNS TTL to a lower value.
C.Increase the health check interval on the load balancer.
D.Add additional VMs to the backend pool.
AnswerD

Scaling out increases capacity to handle traffic.

Why this answer

Option C is correct because scaling out adds capacity. Option A is incorrect because it affects only one host. Option B is incorrect as health checks are passing.

Option D is incorrect because DNS changes don't add capacity.

145
MCQeasy

A small business uses a public cloud IaaS to host a single Windows virtual machine (VM) running a line-of-business application. The VM has a public IP address and is in a network security group that allows RDP (port 3389) from the internet (0.0.0.0/0). The administrator frequently connects from home and various client sites. The administrator is concerned about brute force attacks on the RDP service. The business does not have a VPN server. What is the best way to secure the RDP access without changing the public IP address or blocking all external access?

A.Remove the public IP address and use a bastion service like Azure Bastion or AWS Systems Manager Session Manager to access the VM via RDP over HTTPS.
B.Change the RDP port to a non-standard port (e.g., 3390).
C.Enable multi-factor authentication (MFA) on the local Windows user accounts.
D.Disable password authentication and require smart card certificates for RDP.
AnswerA

This eliminates direct public exposure of RDP and provides secure, audited access.

Why this answer

Option C is correct because using Azure Bastion or AWS Systems Manager Session Manager allows RDP access without exposing a public RDP port. Option A is wrong because changing the port is security through obscurity and does not prevent brute force. Option B is wrong because enabling MFA on the VM itself is not straightforward without domain join, and still leaves port open.

Option D is wrong because disabling password and using only certificates still leaves the port open to brute force on the certificate challenges.

146
Multi-Selecteasy

Which TWO of the following are best practices when configuring a cloud-based virtual private cloud (VPC) for a multi-tier application?

Select 2 answers
A.Place each application tier in a separate subnet.
B.Disable VPC flow logs to reduce costs.
C.Use the default security group for all instances.
D.Place all instances in the same subnet for simplicity.
E.Restrict SSH access to management IP addresses using security groups.
AnswersA, E

Separate subnets allow for network segmentation and security controls.

Why this answer

Option A is correct because placing each application tier (e.g., web, application, database) in a separate subnet allows you to apply distinct network access control lists (NACLs) and security groups per tier. This segmentation enforces the principle of least privilege, ensuring that only the web tier can communicate with the application tier on specific ports, and only the application tier can reach the database tier. It also isolates failures and simplifies troubleshooting by containing traffic within defined network boundaries.

Exam trap

CompTIA often tests the misconception that simplicity (placing all instances in one subnet) is a best practice, when in fact proper segmentation is critical for security and compliance in multi-tier architectures.

147
MCQmedium

An automated snapshot of a cloud VM is failing with the error 'Quota exceeded for resource snapshots'. What is the most likely cause?

A.The snapshot is being created during a backup window.
B.The maximum number of snapshots allowed has been reached.
C.The snapshot retention policy is set too high.
D.The VM's disk is too full to create a snapshot.
AnswerB

Quota exceeded means the limit on number of snapshots is hit.

Why this answer

Option D is correct because the snapshot count limit is reached. Option A is incorrect because disk space is separate. Option B is incorrect as policy applies to all snapshots.

Option C is incorrect if snapshot creation is automated.

148
MCQeasy

A company hosts its critical applications on a cloud provider's virtual machines within a virtual private cloud. The security team receives an alert from the intrusion detection system indicating that one of the VMs is exhibiting signs of a ransomware infection. The administrator connects to the VM via a bastion host and observes that several important files have been encrypted and a ransom note has been left. The incident response plan is still being developed, but the administrator knows the immediate priority is to contain the threat and prevent it from spreading to other VMs and storage resources. The company has daily backups stored in a separate cloud storage service that is not directly accessible from the production network. Which of the following actions should the administrator take FIRST to contain the incident and minimize further damage?

A.Restore the VM from the most recent backup.
B.Notify law enforcement about the ransomware attack.
C.Run a full antivirus scan on the infected VM.
D.Immediately disconnect the network interface of the infected VM.
AnswerD

This isolates the VM, preventing lateral movement and further encryption.

Why this answer

Isolating the infected VM by disconnecting its network interface stops the ransomware from communicating with command-and-control servers and prevents lateral movement. Restoring from backup without verification may reintroduce the infection. Notifying law enforcement is important but not the first step.

Running antivirus on the active VM could trigger further encryption or be ineffective.

149
MCQmedium

Refer to the exhibit. A cloud administrator is troubleshooting why an EC2 instance in subnet-12345678 cannot be reached from the internet. The instance has a public IP and the security group allows all inbound traffic. Based on the exhibit, what is the most likely cause?

A.The security group is not applied.
B.The route table is missing a default route to the internet gateway.
C.The instance is stopped.
D.The network ACL is misconfigured and blocking all inbound traffic.
AnswerD

The network ACL has a deny rule for all inbound traffic, which overrides the security group's allow.

Why this answer

Option B is correct. The network ACL associated with the subnet has an inbound deny rule for all traffic, blocking access despite the security group. Options A, C, and D are not supported by the exhibit.

150
MCQmedium

A company is deploying a new web application in a hybrid cloud environment. The application must be highly available and able to handle traffic spikes. The cloud team decides to use an auto-scaling group across multiple availability zones with a load balancer. Which additional step should the team take to ensure session persistence during scaling events?

A.Implement a stateless application design
B.Increase the instance size to handle more sessions
C.Configure the load balancer to use a round-robin algorithm
D.Enable sticky sessions on the load balancer
AnswerD

Sticky sessions maintain session affinity during scaling.

Why this answer

Sticky sessions (also known as session affinity) ensure that all requests from a user during a session are directed to the same backend instance. In an auto-scaling group, instances are added or removed dynamically; without sticky sessions, a load balancer using a default algorithm could route a user to a different instance after a scale-out event, losing the in-memory session state. Enabling sticky sessions on the load balancer preserves session persistence across scaling events by binding the user's session to a specific instance for its duration.

Exam trap

The trap here is that candidates often confuse high availability with session persistence, assuming that distributing traffic evenly (round-robin) or scaling instances is sufficient, but they overlook that stateful applications require session affinity to maintain user context during dynamic scaling events.

How to eliminate wrong answers

Option A is wrong because implementing a stateless application design would eliminate the need for session persistence entirely, but the question asks how to ensure session persistence during scaling events, implying the application is stateful and requires sticky sessions. Option B is wrong because increasing the instance size does not solve session persistence; it only increases the capacity of individual instances, but during scaling events, new instances are added and traffic can still be routed to instances that do not hold the user's session. Option C is wrong because configuring the load balancer to use a round-robin algorithm distributes traffic evenly but does not guarantee that a user's subsequent requests go to the same instance, which breaks session persistence during scaling events.

Page 1

Page 2 of 7

Page 3

All pages