CompTIA Cloud+ CV0-004 (CV0-004) — Questions 151–225

499 questions total · 7 pages · All types, answers revealed

Page 3 of 7

151
Drag & Drop · medium

Order the steps to perform a disaster recovery failover to a secondary cloud region.

Why this order

Failover: activate secondary, update DNS, restore data, verify, then monitor before failback.

152
MCQ · hard

A financial services company must store sensitive customer data in the cloud. The compliance team requires that data at rest be encrypted using customer-managed keys (CMK), and that the keys are rotated every 90 days. Additionally, the cloud provider must not have access to the keys. Which key management solution should the company choose?

A. Store the encryption keys in the cloud provider's parameter store with rotation policy
B. Use the cloud provider's default server-side encryption with a managed key
C. Use a dedicated HSM (hardware security module) with automated key rotation
D. Implement client-side encryption using a third-party key management service
Answer: C

Dedicated HSM ensures exclusive customer control and supports rotation.

Why this answer

Option C is correct because a dedicated HSM provides a tamper-resistant hardware appliance where the customer exclusively controls the encryption keys, ensuring the cloud provider has no access. Automated key rotation policies can be configured on the HSM to meet the 90-day rotation requirement, satisfying both the CMK and provider non-access mandates.

Exam trap

The trap here is that candidates often confuse a cloud provider's managed HSM service (e.g., AWS KMS with custom key store) with a dedicated HSM, but the former still allows the provider logical access to the key management plane, whereas a dedicated HSM enforces physical and logical isolation.

How to eliminate wrong answers

Option A is wrong because the cloud provider's parameter store is a software-based service that typically stores keys in a shared infrastructure, and the provider retains administrative access to the underlying key material, violating the requirement that the provider must not have access to the keys. Option B is wrong because the cloud provider's default server-side encryption with a managed key means the provider generates and controls the key, which fails the customer-managed key (CMK) requirement and the provider non-access mandate. Option D is wrong because client-side encryption using a third-party KMS does not inherently prevent the cloud provider from accessing the keys if the third-party service operates within the provider's environment or shares infrastructure, and it may not offer the same hardware-level isolation and automated rotation guarantees as a dedicated HSM.

153
Multi-Select · hard

A cloud administrator is troubleshooting an application that fails to connect to a database. The application and database are in the same VPC. Which THREE steps should the administrator take to diagnose the issue?

Select 3 answers
A. Check the routing table for a route to the internet.
B. Test connectivity to the database using a telnet or netcat command from the application server.
C. Verify that the security group associated with the database instance allows inbound traffic from the application's security group on the database port.
D. Check the DNS resolution of the database endpoint in the application's subnet.
E. Verify that the network ACL for the database subnet allows inbound traffic on the database port.
Answers: B, C, E

Direct connectivity test isolates the issue.

Why this answer

Option B is correct because telnet or netcat can test basic TCP connectivity to the database port, confirming whether the database is reachable from the application server at the network layer. This step isolates whether the issue is a network connectivity problem versus an authentication or configuration issue within the database itself.

Exam trap

CompTIA often tests the distinction between stateful security groups and stateless network ACLs, and candidates mistakenly assume that allowing inbound traffic in the security group alone is sufficient, forgetting that network ACLs must also permit the traffic.
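The connectivity test in step B, written in Python instead of telnet/netcat, as an added example that is not part of the question bank. The useful part is reading the outcome: a connect that times out (no SYN-ACK, no RST) is the signature of a packet dropped by a security group or network ACL, while "connection refused" means the packet arrived and the host answered with a RST, so the network path is fine and the database itself is not listening. A loopback listener stands in for the database so the script runs offline; the hostnames, ports and the step-to-check mapping are constructed for the demo.

```python
"""Added example: TCP reachability probe with the verdicts an administrator
needs to tell a security group / NACL problem from a database problem."""
import socket
import socketserver
import threading


def resolve(host):
    """Step D: name resolution as the application server sees it."""
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def tcp_probe(host, port, timeout=3.0, resolver=resolve):
    """Step B, the equivalent of `nc -zv host port`: returns a one-word verdict."""
    addrs = resolver(host)
    if not addrs:
        return "dns_failure"
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((addrs[0], port))
        return "open"          # three-way handshake completed
    except socket.timeout:
        return "filtered"      # silently dropped: security group / NACL / no route
    except ConnectionRefusedError:
        return "closed"        # RST received: host reachable, nothing listening
    except OSError:
        return "unreachable"   # e.g. no route to host
    finally:
        sock.close()


# Constructed mapping from verdict to the next item in the question's checklist.
NEXT_STEP = {
    "dns_failure": "fix DNS for the endpoint in the application's subnet (step D)",
    "filtered": "check the database security group inbound rule (step C) and the subnet NACL (step E)",
    "closed": "network path is fine; check that the database service is up and bound to this port",
    "open": "TCP works; look at credentials, TLS settings, or the database's own logs",
    "unreachable": "check the VPC route table between the two subnets",
}


def diagnose(host, port, **kw):
    """Run the probe and map the verdict to the next thing to check."""
    verdict = tcp_probe(host, port, **kw)
    return verdict, NEXT_STEP[verdict]


class _Silent(socketserver.BaseRequestHandler):
    def handle(self):
        pass  # accept and close; only the handshake matters for the probe


def start_fake_db():
    """Loopback TCP listener standing in for the database; returns (server, port)."""
    server = socketserver.TCPServer(("127.0.0.1", 0), _Silent)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    server, port = start_fake_db()
    print(diagnose("127.0.0.1", port))                                   # open
    server.shutdown()
    server.server_close()
    print(diagnose("127.0.0.1", port))                                   # closed
    print(diagnose("db.internal.example", 5432, resolver=lambda h: []))  # dns_failure
```

Run it from the application server, not from a workstation: security groups are evaluated per source, so a probe from anywhere else tests a different rule.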

154
MCQ · medium

A deployment fails with a message about missing dependencies. What should the administrator check first?

A. Change the instance type to one with more memory
B. Review the deployment logs to identify missing packages
C. Reinstall the operating system
D. Restart the server and retry the deployment
Answer: B

Logs provide details on what dependencies are missing.

Why this answer

When a deployment fails with a 'missing dependencies' message, the first step is to review the deployment logs. Logs will contain specific error messages indicating which packages or libraries are absent, allowing the administrator to install them directly. This aligns with standard troubleshooting methodology: identify the root cause from logs before taking corrective action.

Exam trap

The trap here is that candidates may assume a generic 'fix' like restarting or resizing the instance will resolve the issue, when the specific error message about missing dependencies demands log inspection to identify and install the exact missing packages.

How to eliminate wrong answers

Option A is wrong because changing the instance type to one with more memory addresses resource constraints (e.g., out-of-memory errors), not missing dependencies, which are package or library absences. Option C is wrong because reinstalling the operating system is an extreme, time-consuming measure that would likely resolve the dependency issue only if the OS image already includes the required packages, but it bypasses the need to identify the specific missing dependencies from logs. Option D is wrong because restarting the server and retrying the deployment does not install missing packages; it merely re-executes the same failing process without addressing the root cause.

155
MCQ · easy

A company wants to protect data in transit between its on-premises data center and a public cloud environment. Which technology should be used to create a secure encrypted tunnel over the internet?

A. SSH
B. Firewall
C. TLS
D. VPN
Answer: D

VPNs (IPsec or SSL VPNs) are designed to create secure tunnels over public networks.

Why this answer

A VPN (Virtual Private Network) creates an encrypted tunnel over the internet. TLS is used for web traffic, not for site-to-site tunnels. SSH is for remote admin, and a firewall is for filtering, not encrypting tunnels.

156
MCQ · easy

A cloud architect is selecting a deployment model for a workload that has strict data sovereignty requirements; data must remain within the company's on-premises data center. Which cloud deployment model should be chosen?

A. Private cloud
B. Community cloud
C. Hybrid cloud
D. Public cloud
Answer: A

Private cloud can be deployed on-premises, ensuring data remains within the company's control.

Why this answer

A private cloud deployment model is the correct choice because it provides dedicated infrastructure that is exclusively used by a single organization, ensuring that all data and workloads remain within the company's on-premises data center. This model meets strict data sovereignty requirements by allowing full control over data residency, network boundaries, and physical security, unlike shared or public environments where data may cross jurisdictional lines.

Exam trap

CompTIA often tests the misconception that a hybrid cloud can satisfy data sovereignty by keeping sensitive data on-premises, but the trap is that the hybrid model inherently involves public cloud integration, which may still expose data to off-premises processing or storage, failing the strict 'must remain within the on-premises data center' requirement.

How to eliminate wrong answers

Option B (Community cloud) is wrong because it is shared among several organizations with common concerns (e.g., compliance or security), but data may still be processed or stored across multiple participants' sites, potentially violating strict on-premises data sovereignty. Option C (Hybrid cloud) is wrong because it combines private and public cloud resources, and while it can keep some data on-premises, the public cloud component introduces the risk of data leaving the data center, which conflicts with the requirement that data must remain within the on-premises data center. Option D (Public cloud) is wrong because it uses shared infrastructure owned and operated by a third-party provider, with data stored in off-premises data centers that may be located in different geographic regions, directly violating data sovereignty constraints.

157
MCQ · medium

A cloud administrator receives an alert that a virtual machine is unresponsive. The hypervisor shows the VM status as 'running'. Which of the following should the administrator check FIRST to diagnose the issue?

A. Access the VM's console to view the operating system screen.
B. Verify the security group rules for the VM's subnet.
C. Review the hypervisor's CPU and memory utilization for the VM.
D. Check the virtual network interface for disconnection.
Answer: A

The console shows the OS state; if the OS is hung, it can be diagnosed there.

Why this answer

When a VM is unresponsive but the hypervisor shows its status as 'running', the most direct way to determine if the guest OS has crashed or is stuck in a boot loop is to access the VM's console. This provides a direct view of the OS screen, allowing the administrator to see if the OS is hung, at a login prompt, or displaying an error, which is the first step in isolating the issue before checking network or resource configurations.

Exam trap

CompTIA often tests the distinction between 'VM status' (hypervisor-level) and 'guest OS responsiveness' (OS-level), and the trap here is that candidates assume a 'running' VM is fully operational and immediately check network or resource issues, ignoring the need to verify the OS state via console.

How to eliminate wrong answers

Option B is wrong because security group rules control network traffic at the subnet level; if the VM is unresponsive due to an OS crash, security groups would not affect the VM's ability to respond, and checking them first would be premature without confirming the OS is operational. Option C is wrong because reviewing hypervisor CPU and memory utilization for the VM would help identify resource contention, but the VM is already marked as 'running', meaning the hypervisor is allocating resources; the issue is likely within the guest OS, not resource starvation. Option D is wrong because checking the virtual network interface for disconnection would only be relevant if the VM were unreachable over the network, but the alert states the VM is unresponsive, which could be due to an OS-level hang; network disconnection would not cause the VM to be unresponsive from the hypervisor's perspective.

158
MCQ · medium

A cloud architect is planning a disaster recovery (DR) strategy for a mission-critical application. The RTO must be under 1 hour and RPO under 15 minutes. The primary site is in a different region. Which DR pattern meets these requirements?

A. Backup and restore
B. Cold standby
C. Pilot light
D. Multi-site active-active
Answer: C

Pilot light keeps minimal resources running and can scale up quickly to meet RTO/RPO.

Why this answer

The pilot light pattern meets the RTO under 1 hour and RPO under 15 minutes because it keeps a minimal core set of services (e.g., a database replicated asynchronously) running in the DR region, allowing rapid scale-up of the full application stack during failover. This pattern balances cost and recovery speed: the continuous replication keeps the RPO at seconds to minutes, and the pre-provisioned core infrastructure enables failover within minutes, satisfying the strict RTO.

Exam trap

CompTIA often tests the misconception that 'pilot light' is only for low-criticality apps, but the trap here is that candidates confuse it with cold standby, failing to recognize that pilot light's pre-provisioned core and continuous replication can meet strict RTO/RPO targets without the cost of full active-active.

How to eliminate wrong answers

Option A is wrong because backup and restore typically involves periodic snapshots (e.g., daily or hourly) that cannot achieve an RPO under 15 minutes, and the restore process often takes hours to days, failing the RTO under 1 hour. Option B is wrong because cold standby has no pre-provisioned resources; provisioning and configuring infrastructure from scratch can take hours, exceeding the 1-hour RTO, and data replication is not continuous, so RPO is often hours or days. Option D is wrong because multi-site active-active requires both regions to handle live traffic simultaneously, which is overkill for a mission-critical application with a 1-hour RTO and 15-minute RPO, and it introduces complexity and cost without additional benefit for these specific recovery targets.

159
Drag & Drop · medium

Sequence the steps to troubleshoot a cloud-based application that is not accessible from the internet.

Why this order

Start with basic checks: security groups, VM state, connectivity, then move to higher-level components and logs.

160
MCQ · medium

A KVM host has three VMs. The db-server VM is in a paused state. Which of the following is the most likely cause?

A. Storage I/O error on the VM disk
B. CPU overcommitment on the host
C. Insufficient memory on the host
D. Network interface is down
Answer: A

Hypervisors pause VMs when storage errors occur to prevent corruption.

Why this answer

Option A is correct because storage I/O errors can cause the hypervisor to pause a VM. Option C is incorrect because a memory shortage on the host would cause performance issues but not necessarily a pause. Option D is incorrect because network issues do not cause pausing. Option B is incorrect because CPU overcommitment leads to slowdowns, not pausing.

161
MCQ · medium

A company is deploying a containerized application using Kubernetes on a public cloud. The development team has created a Docker image and pushed it to a private container registry. The deployment YAML points to the registry. However, when the deployment is applied, the pods fail to start with an 'ImagePullBackOff' error. The cloud administrator verifies that the registry is reachable from the cluster nodes and that the image exists. What is the most likely reason for the failure?

A. The deployment lacks a secret for registry authentication.
B. The cluster nodes are out of disk space.
C. The image tag is incorrect.
D. The pod does not have sufficient CPU resources.
Answer: A

Without authentication, the private registry denies pull requests.

Why this answer

The most likely reason for the ImagePullBackOff error is that the deployment lacks a Kubernetes secret for registry authentication. Since the image is stored in a private container registry, the kubelet must authenticate with the registry to pull the image. Without a properly configured imagePullSecret in the pod spec, the kubelet cannot obtain credentials, resulting in a failed pull and the ImagePullBackOff status.

Exam trap

CompTIA often tests the distinction between image existence and registry authentication, trapping candidates who assume that because the image is present and the registry is reachable, the pull should succeed without considering the need for explicit credentials.

How to eliminate wrong answers

Option B is wrong because if the cluster nodes were out of disk space, the error would typically be 'Evicted' or 'OutOfDisk', not ImagePullBackOff, and the administrator would see disk pressure events. Option C is wrong because an incorrect image tag would cause an 'ErrImagePull' or 'ImagePullBackOff' error, but the administrator has already verified that the image exists; the issue is authentication, not a missing tag. Option D is wrong because insufficient CPU resources would cause a 'Pending' state with 'Insufficient cpu' events, not an ImagePullBackOff error, which is specific to image retrieval failures.
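A pre-deploy check for exactly this failure, as an added example that is not part of the question bank or of Kubernetes itself. It parses each container image reference the way the container runtime does (the first path component is a registry host only if it contains a '.' or ':' or is 'localhost'; anything else defaults to docker.io), then reports images pulled from a private registry whose pod spec has no imagePullSecrets, and can return a corrected copy of the manifest. The Deployment below is a constructed dict mirroring the YAML; the registry host, secret name and image names are assumptions.

```python
"""Added example: flag Deployments that pull from a private registry without an
imagePullSecrets reference, and produce the patched spec."""
from copy import deepcopy


def registry_of(image: str) -> str:
    """Registry host an image reference will be pulled from (Docker reference rules)."""
    first = image.split("/", 1)[0]
    if "/" in image and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"  # un-prefixed images such as nginx:1.25 come from Docker Hub


def missing_pull_secrets(deployment: dict, private_registries: set) -> list:
    """Images from a private registry while the pod spec carries no imagePullSecrets."""
    pod_spec = deployment["spec"]["template"]["spec"]
    has_secret = bool(pod_spec.get("imagePullSecrets"))
    containers = pod_spec.get("containers", []) + pod_spec.get("initContainers", [])
    return [
        c["image"]
        for c in containers
        if registry_of(c["image"]) in private_registries and not has_secret
    ]


def with_pull_secret(deployment: dict, secret_name: str) -> dict:
    """Copy of the Deployment whose pod spec references the registry secret."""
    fixed = deepcopy(deployment)
    pod_spec = fixed["spec"]["template"]["spec"]
    refs = pod_spec.setdefault("imagePullSecrets", [])
    if not any(r.get("name") == secret_name for r in refs):
        refs.append({"name": secret_name})
    return fixed


# Constructed manifest standing in for the failing deployment YAML in the question.
DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "web"},
    "spec": {
        "replicas": 2,
        "template": {
            "spec": {
                "containers": [
                    {"name": "web", "image": "registry.example.internal:5000/team/web:1.4"},
                    {"name": "sidecar", "image": "nginx:1.25"},
                ]
            }
        },
    },
}
PRIVATE_REGISTRIES = {"registry.example.internal:5000"}  # assumed private registry host

if __name__ == "__main__":
    print("missing:", missing_pull_secrets(DEPLOYMENT, PRIVATE_REGISTRIES))
    fixed = with_pull_secret(DEPLOYMENT, "regcred")
    print("after fix:", missing_pull_secrets(fixed, PRIVATE_REGISTRIES))
```

The reference alone is not enough: the named secret must exist in the same namespace as the pod and be of type kubernetes.io/dockerconfigjson (what `kubectl create secret docker-registry` produces), otherwise the kubelet still pulls anonymously and the pod stays in ImagePullBackOff.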

162
MCQ · easy

A company wants to ensure high availability for a stateless web application. Which architecture should be recommended?

A. Two VMs in the same availability zone with a load balancer
B. One VM in each of two availability zones with a load balancer
C. Single VM with daily backups
D. A single large VM with auto-recovery
Answer: B

This provides HA across zones; if one zone fails, traffic is routed to the other.

Why this answer

Option B is correct because deploying one VM in each of two availability zones with a load balancer ensures high availability by eliminating a single point of failure. If one availability zone fails, the load balancer automatically routes traffic to the healthy VM in the other zone, keeping the stateless web application accessible. This architecture aligns with the principle of fault tolerance for stateless applications, where no session state is lost during failover.

Exam trap

The trap here is that candidates often confuse high availability with redundancy within a single zone, failing to recognize that true high availability requires geographic or zone-level separation to survive infrastructure failures.

How to eliminate wrong answers

Option A is wrong because placing two VMs in the same availability zone still creates a single point of failure at the zone level; if that zone goes down, both VMs become unavailable. Option C is wrong because a single VM with daily backups does not provide high availability — backups only aid recovery after a failure, not automatic failover, and the application will experience downtime. Option D is wrong because a single large VM with auto-recovery still represents a single point of failure; auto-recovery only restarts the VM after a crash, but it does not prevent downtime during the recovery period and cannot protect against zone-level failures.

163
MCQ · hard

A global company runs a SaaS application in multiple cloud regions. They use DNS-based global load balancing to route users to the nearest region. Recently, users in Asia are experiencing high latency and timeouts. The administrator checks the health of the Asian region's resources and finds everything operational. Latency measurements from a monitoring tool show that traffic from Asian users is being routed to the European region. What should the administrator investigate first?

A. The latency-based routing policy
B. The DNS TTL settings
C. The geo-location records in the DNS provider
D. The load balancer configuration in the Asian region
Answer: A

Misconfiguration in latency-based routing can send traffic to a farther region.

Why this answer

Option A is correct because the latency-based routing policy may be misconfigured or may not be measuring latency correctly, causing traffic to be routed to a distant region. Option B is wrong because TTL settings affect caching, not routing decisions. Option C is wrong because geo-location records are used for geographic routing, but the problem is latency-based routing sending traffic to Europe. Option D is wrong because the Asian load balancer is operational; the issue is at the DNS level.

164
MCQ · medium

A company is deploying a new web application in a hybrid cloud environment. The application must be able to scale out automatically during peak usage and scale in during low usage. The deployment must also ensure that the application remains available if a single Availability Zone fails. Which deployment strategy should the architect recommend?

A. Deploy a cluster of instances in a single Availability Zone with a load balancer.
B. Create an auto-scaling group spanning multiple Availability Zones.
C. Use a single large instance and manually resize during peak periods.
D. Deploy a load balancer in front of a single instance.
Answer: B

Auto-scaling provides automatic scaling and multi-AZ ensures high availability.

Why this answer

Option B is correct because an auto-scaling group spanning multiple Availability Zones ensures both automatic scaling based on demand and high availability. If one Availability Zone fails, the load balancer distributes traffic to healthy instances in the remaining zones, meeting the requirement for continuous availability during a zone failure.

Exam trap

The trap here is that candidates may think a load balancer alone provides high availability, but without multiple instances across zones and auto-scaling, a single zone failure still causes downtime.

How to eliminate wrong answers

Option A is wrong because deploying instances in a single Availability Zone creates a single point of failure; if that zone fails, the entire application becomes unavailable, violating the availability requirement. Option C is wrong because manually resizing a single large instance does not provide automatic scaling and still results in a single point of failure; it also lacks the elasticity needed for peak usage. Option D is wrong because a load balancer in front of a single instance does not provide automatic scaling or fault tolerance; if the instance or its Availability Zone fails, the application goes down.

165
MCQ · hard

A company has deployed a multi-tier application on a public cloud platform. The security team discovers that a Compute Instance is communicating with an external IP address known for malicious activity. The instance is part of an auto scaling group. What is the BEST immediate action to contain the threat while minimizing downtime?

A. Suspend the auto scaling group to prevent additional instances from being launched.
B. Remove the instance from the auto scaling group and attach a security group that blocks all traffic.
C. Use a routing table blackhole to drop traffic from the instance.
D. Modify the network ACL for the subnet to deny traffic to the malicious IP.
Answer: B

This isolates the specific instance without affecting other instances, and blocking traffic stops the malicious communication.

Why this answer

Isolating the compromised instance by detaching it from the auto scaling group and applying a security group that denies all traffic can quickly contain the threat. Network ACLs are attached to subnets and changing them could affect other instances. Suspending the auto scaling group alone may not stop the current instance.

Updating routing tables is complex and could disrupt legitimate traffic.

166
MCQ · medium

A company uses a cloud object storage service to store backup data. The cloud provider charges for storage and retrieval. The operations team wants to minimize costs while ensuring data is available within 24 hours of a restore request. Which storage tier should they use?

A. Archive storage tier with retrieval time of 48 hours
B. Hot storage tier
C. Cold storage tier with retrieval time of 12 hours
D. Infrequent access tier with retrieval time of 1 hour
Answer: C

Cold storage offers low cost and retrieval within 24 hours.

Why this answer

Option C is correct because the cold storage tier offers a retrieval time of 12 hours, which meets the requirement of making data available within 24 hours while minimizing costs compared to hotter tiers. Cold storage is designed for infrequently accessed data with longer retrieval times, providing a cost-effective balance between availability and expense for backup data that does not need immediate access.

Exam trap

The trap here is that candidates may confuse 'cold storage' with 'archive storage' or assume that any tier with a retrieval time under 24 hours is equally cost-effective, overlooking that cold storage specifically balances cost and retrieval time for infrequent access needs.

How to eliminate wrong answers

Option A is wrong because the archive storage tier with a 48-hour retrieval time exceeds the 24-hour availability requirement, making it unsuitable for the stated restore window. Option B is wrong because the hot storage tier, while providing immediate retrieval, incurs higher storage costs that are unnecessary for backup data that does not require real-time access, thus failing to minimize costs. Option D is wrong because the infrequent access tier with a 1-hour retrieval time, though cheaper than hot storage, still costs more than cold storage and provides faster retrieval than needed, leading to higher expenses without operational benefit.

167
MCQ · hard

Refer to the exhibit. A cloud engineer is using AzCopy to transfer files to Azure Blob Storage. The copy fails with the above error. Which of the following is the most likely cause?

A. The network throughput is insufficient
B. The SAS token used has expired
C. The storage account firewall is blocking the IP
D. The destination container does not exist
Answer: B

An expired SAS token causes the server to reject the request with this exact error.

Why this answer

Option B is correct because the error explicitly indicates an authentication failure, which is typically due to an expired or invalid SAS token. Option C is wrong because a firewall block would result in a different error (e.g., 403 Forbidden). Option D is wrong because a non-existent container would return a 404 error. Option A is wrong because insufficient throughput would cause a timeout, not an authentication error.

168
MCQ · medium

A company is migrating a legacy application to the cloud using a replatforming strategy. The application uses a proprietary logging framework that writes logs to local disk. The cloud architecture uses ephemeral storage for the application servers. The operations team notices that logs are lost when servers are replaced during auto-scaling events. What is the best solution to ensure logs are preserved?

A. Increase the size of the ephemeral storage.
B. Use memory-only logging to speed up disk I/O.
C. Disable auto-scaling for the application servers.
D. Configure the logging framework to write to a central log server over the network.
Answer: D

Ensures logs are stored externally and persist beyond instance lifecycle.

Why this answer

Option D is correct because the core issue is that ephemeral storage is lost when instances are terminated or replaced during auto-scaling events. By configuring the logging framework to write to a central log server over the network (e.g., using syslog, HTTP, or a dedicated log aggregation service), logs are persisted independently of the application server's lifecycle. This decouples log storage from compute resources, ensuring logs survive scaling events.

Exam trap

The trap here is that candidates may think increasing storage or optimizing local I/O solves the persistence problem, but the exam tests understanding that ephemeral storage is inherently non-persistent and that logs must be sent off-instance to survive instance replacement.

How to eliminate wrong answers

Option A is wrong because increasing the size of ephemeral storage does not solve the fundamental problem that ephemeral storage is non-persistent and is destroyed when the instance is terminated or replaced. Option B is wrong because memory-only logging would cause logs to be lost even more quickly on instance termination or crash, and it does not address the persistence requirement; it also introduces performance and capacity constraints. Option C is wrong because disabling auto-scaling defeats the purpose of cloud elasticity and scalability, and it does not address the logging persistence issue—logs would still be lost if a server fails or is manually replaced.
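What option D looks like in code, as an added example that is not part of the question bank: the application's logger is pointed at a network syslog collector through Python's standard SysLogHandler, so every record leaves the instance the moment it is written and nothing depends on the local disk surviving a scale-in. A small UDP receiver running in a thread on loopback stands in for the central log server so the script runs offline; the collector address, application name and log message are constructed for the demo.

```python
"""Added example: ship application logs off-instance over the network (RFC 3164
syslog over UDP) instead of writing them to ephemeral local disk."""
import logging
import logging.handlers
import socketserver
import threading
import time

RECEIVED = []  # what the stand-in central log server has collected


class _SyslogReceiver(socketserver.BaseRequestHandler):
    def handle(self):
        data = self.request[0]  # for UDPServer, request is (datagram, socket)
        RECEIVED.append(data.decode("utf-8", "replace").rstrip("\x00"))


def start_log_server():
    """Stand-in for the central syslog collector; returns (server, port)."""
    server = socketserver.UDPServer(("127.0.0.1", 0), _SyslogReceiver)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def make_remote_logger(host, port, app="payments"):
    """Logger whose records go to host:port as syslog datagrams, not to local files."""
    handler = logging.handlers.SysLogHandler(
        address=(host, port),
        facility=logging.handlers.SysLogHandler.LOG_LOCAL0,
    )
    # Tag each line with the app name and PID so the collector can index by source.
    handler.setFormatter(logging.Formatter(f"{app}[%(process)d]: %(levelname)s %(message)s"))
    logger = logging.getLogger(f"remote.{app}.{port}")
    for old in list(logger.handlers):
        logger.removeHandler(old)
    logger.addHandler(handler)
    logger.setLevel(logging.INFO)
    logger.propagate = False
    return logger


def wait_for(count, timeout=2.0):
    """Poll until the receiver holds `count` messages (UDP delivery is asynchronous)."""
    deadline = time.time() + timeout
    while len(RECEIVED) < count and time.time() < deadline:
        time.sleep(0.01)
    return len(RECEIVED)


if __name__ == "__main__":
    server, port = start_log_server()
    log = make_remote_logger("127.0.0.1", port)
    log.info("order 42 accepted")          # constructed message
    wait_for(1)
    print(RECEIVED)                          # e.g. ['<134>payments[1234]: INFO order 42 accepted']
    server.shutdown()
    server.server_close()
```

The priority prefix `<134>` is facility local0 (16) times 8 plus severity info (6). For production the handler would target the real collector, typically over TCP or TLS rather than UDP so that records are not silently lost, and the local file can be dropped entirely.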

169
Multi-Select · hard

A company is experiencing high latency in their cloud-based database. The database is provisioned with SSD storage. Which THREE factors should the administrator investigate? (Choose three.)

Select 3 answers
A. Network bandwidth between application and database
B. Database query optimization
C. Number of database replicas
D. Storage IOPS limits
E. Region latency
Answers: A, B, D

Network congestion or high latency affects database response.

Why this answer

Options A, B, and D are correct because IOPS limits cause throttling, network latency between tiers adds delay, and unoptimized queries increase response time. Option C is wrong because the number of replicas primarily affects read throughput and disaster recovery, not latency. Option E is wrong because region latency is infrastructure-level and unlikely to change suddenly.

170
MCQ · easy

A small business hosts a web application on a single cloud server. The server has 2 vCPUs and 4 GB RAM. Recently, the application crashes when the number of concurrent users exceeds 50. The administrator checks the system logs and finds out-of-memory (OOM) errors. What is the best course of action to resolve this issue without redesigning the application?

A. Add a load balancer and another server
B. Reduce the application's memory footprint by code optimization
C. Increase the server's RAM to 8 GB
D. Enable swap space on the server
Answer: C

Increasing memory directly resolves OOM errors without application changes.

Why this answer

Option C is correct because increasing RAM directly addresses the OOM errors and is the simplest fix. Option A is wrong because adding a load balancer and another server is more complex and may require application changes. Option D is wrong because enabling swap space is a temporary workaround that can degrade performance. Option B is wrong because code optimization is a redesign effort and not a quick fix.

171
MCQ · easy

A company plans to use a public cloud to host a static website with minimal configuration. The website content is stored in an object storage bucket. Users access the site via a custom domain name. Which cloud service should the company use to serve the content with low latency globally?

A. Reverse proxy server in each region
B. DNS-based round-robin to multiple storage buckets
C. Load balancer distributing traffic to multiple object storage endpoints
D. Content delivery network (CDN) with the object storage as origin
Answer: D

CDN caches content for low latency.

Why this answer

A CDN caches static content at edge locations worldwide, reducing latency for global users. By configuring the object storage bucket as the origin, the CDN pulls content on cache miss and serves it from the nearest edge node. This meets the requirement of minimal configuration while providing low-latency delivery via a custom domain.

Exam trap

CompTIA often tests the misconception that a load balancer or DNS round-robin alone can provide global low-latency delivery, when in fact they lack caching and edge distribution, which are essential for static content performance.

How to eliminate wrong answers

Option A is wrong because deploying a reverse proxy server in each region requires manual provisioning and maintenance, contradicting the 'minimal configuration' requirement and not leveraging the public cloud's managed services. Option B is wrong because DNS-based round-robin to multiple storage buckets does not cache content; each request still hits the origin bucket, and DNS alone cannot provide low-latency global delivery or handle traffic spikes efficiently. Option C is wrong because a load balancer distributing traffic to multiple object storage endpoints does not cache content; it only distributes requests across buckets, still requiring each request to reach the origin, and adds complexity without reducing latency for geographically distributed users.

172
MCQ · medium

A cloud administrator is troubleshooting a performance issue where a virtual machine running a database is experiencing high latency. The hypervisor shows the VM has been allocated 4 vCPUs and 16 GB of RAM, but the host server has 32 GB of RAM and 16 cores. Which of the following is most likely the cause of the latency?

A. The VM is over-provisioned on vCPUs relative to physical cores.
B. The VM's storage is on a network share.
C. The VM has too little RAM.
D. The VM is using paravirtualized drivers.
Answer: A

Over-provisioning vCPUs causes contention and context switching, increasing latency.

Why this answer

The VM is allocated 4 vCPUs on a host with 16 physical cores. If the VM's workload (e.g., a database) is CPU-intensive and the hypervisor is oversubscribing vCPUs across multiple VMs, the VM's vCPUs may have to wait for physical cores, producing CPU ready time and high latency. This is a classic symptom of CPU over-provisioning.

Exam trap

CompTIA often tests the misconception that more vCPUs always improve performance, when in fact over-provisioning leads to CPU scheduling contention and increased latency.

How to eliminate wrong answers

Option B is wrong because network-attached storage can introduce latency, but the question focuses on CPU/RAM allocation and the host has ample resources; storage is not indicated as the bottleneck. Option C is wrong because 16 GB RAM for a database VM is often sufficient, and the host has 32 GB total, so memory starvation is unlikely to cause high latency without other symptoms. Option D is wrong because paravirtualized drivers typically reduce latency by bypassing emulation overhead; they are a best practice for performance, not a cause of high latency.

173
Multi-Select (hard)

Which THREE elements are required for a complete key lifecycle management strategy in a cloud environment? (Choose three.)

Select 3 answers
A. Secure key generation
B. Key destruction
C. Key backup and recovery
D. Key rotation
E. Key access control
Answers: A, B, D

Keys must be generated securely, often from a hardware security module or using cryptographically sound methods.

Why this answer

Secure key generation is the foundational first step in a key lifecycle management strategy. In a cloud environment, keys must be generated using a FIPS 140-2 validated hardware security module (HSM) or a cloud provider's equivalent (e.g., AWS CloudHSM, Azure Key Vault Premium) to ensure cryptographic strength and prevent exposure of the private key material during creation.

Exam trap

CompTIA often tests the distinction between the mandatory lifecycle phases (generation, rotation, destruction) and supporting security controls (access control, backup) to trap candidates who confuse operational best practices with the required lifecycle stages.

174
Multi-Select (medium)

Which TWO of the following are best practices for managing cloud costs? (Select TWO.)

Select 2 answers
A. Implementing resource tagging for cost allocation
B. Consolidating all environments into a single subscription
C. Using reserved instances for predictable workloads
D. Overprovisioning resources to ensure high performance
E. Manually stopping idle virtual machines
Answers: A, C

Tags help identify cost centers and optimize spend.

Why this answer

Options A and C are correct. Option A is correct because tagging resources allows costs to be tracked by project or cost center. Option C is correct because reserved instances reduce costs for predictable workloads.

Option B is wrong because consolidating every environment into a single subscription removes the separation that cost control requires. Option D is wrong because overprovisioning increases costs. Option E is wrong because manual shutdown is error-prone; automation is better.

175
Multi-Select (medium)

Which TWO of the following are advantages of using a configuration management tool (e.g., Ansible, Chef, Puppet) in cloud deployments? (Choose two.)

Select 2 answers
A. Automatically configure network devices.
B. Enable idempotent infrastructure changes.
C. Ensure consistent software configurations across multiple instances.
D. Provide dynamic auto-scaling of resources.
E. Monitor application performance in real-time.
Answers: B, C

Idempotency ensures repeated runs converge to the same state.

Why this answer

Option B is correct because configuration management tools like Ansible, Chef, and Puppet enforce idempotency, meaning that applying the same configuration multiple times results in the same desired state without unintended side effects. This is achieved by checking the current state of the system before making changes, ensuring that resources are only modified when necessary. Idempotency is critical for reliable, repeatable infrastructure changes in cloud deployments.

Exam trap

The trap here is that candidates confuse configuration management tools with broader cloud management or monitoring services, mistakenly attributing capabilities like auto-scaling or real-time monitoring to tools that are strictly focused on state-based configuration and idempotent provisioning.

176
MCQ (hard)

A company has a hybrid cloud environment where on-premises servers communicate with cloud resources via a VPN connection. The network team notices intermittent connectivity issues and packet loss. The VPN tunnel is established, but performance is degraded. Which step should the team take first to diagnose the issue?

A. Restart the VPN tunnel and monitor logs
B. Use traceroute and ping to measure latency and packet loss
C. Increase the MTU size on the VPN tunnel
D. Check the CPU utilization of the on-premises VPN appliance
Answer: B

Identifies network path issues.

Why this answer

B is correct because traceroute and ping are the foundational diagnostic tools to measure latency and packet loss across a VPN tunnel. Intermittent connectivity and packet loss often stem from path issues, MTU mismatches, or routing problems that these tools can isolate. Since the tunnel is established, the first step is to quantify the performance degradation before making configuration changes.

Exam trap

The trap here is that candidates assume the VPN tunnel is fully healthy because it is established, and they jump to restarting the tunnel or tweaking MTU without first using basic network diagnostics to isolate the performance issue.

How to eliminate wrong answers

Option A is wrong because restarting the VPN tunnel is a disruptive action that should only be taken after gathering diagnostic data; it may temporarily mask the issue without identifying the root cause. Option C is wrong because increasing the MTU size could worsen fragmentation or cause packet drops if the underlying path has a lower MTU; the correct first step is to test with ping to determine the optimal MTU. Option D is wrong because checking CPU utilization of the on-premises VPN appliance is a secondary step; while high CPU could cause performance issues, it is not the first diagnostic step when the tunnel is established and the primary symptom is packet loss.

177
Multi-Select (easy)

A cloud administrator is planning a migration of on-premises workloads to the cloud. Which TWO factors should be considered when selecting the appropriate cloud service model (IaaS, PaaS, SaaS)?

Select 2 answers
A. The scalability requirements of the application.
B. The level of control required over the operating system and runtime environment.
C. The security compliance requirements for data at rest.
D. The compatibility of the application with managed database or middleware services.
E. The total cost of ownership compared to on-premises.
Answers: B, D

Determines if IaaS (full control) or PaaS (less control) is needed.

Why this answer

Option B is correct because the level of control over the operating system and runtime environment is a defining factor when choosing between IaaS, PaaS, and SaaS. IaaS provides full control over the OS and runtime, PaaS abstracts the OS and runtime but allows control over application deployment, and SaaS offers no control over the underlying infrastructure. This directly impacts migration decisions, especially for legacy applications that require specific OS configurations or custom runtime dependencies.

Exam trap

CompTIA often tests the misconception that security compliance or scalability are primary factors for service model selection, when in fact they are operational requirements that apply across all models, while control over the OS and runtime is the key differentiator.

178
Multi-Select (easy)

A cloud administrator wants to ensure that patches are applied to cloud workloads with minimal risk. Which TWO practices should the administrator follow? (Choose two.)

Select 2 answers
A. Automate patch deployment using orchestration tools.
B. Skip patches for legacy systems to avoid regression.
C. Patch in production during peak hours to save time.
D. Always apply patches manually to ensure control.
E. Test patches in a staging environment first.
Answers: A, E

Automation ensures timely, consistent patching and reduces human error.

Why this answer

Testing patches in a staging environment before production deployment reduces the risk of unexpected issues. Automating patch deployment using orchestration tools ensures consistency and reduces manual errors.

179
MCQ (hard)

A cloud application is intermittently slow. Based on the exhibit, which of the following is the most likely cause?

A. A network security group is blocking port 3306.
B. The database server is overloaded.
C. The database endpoint DNS record is incorrect.
D. The application has insufficient memory.
Answer: A

Blocking the port prevents TCP handshake, causing a timeout. This matches the error logs.

Why this answer

The intermittent slowness points to a network security group blocking port 3306, which is used by MySQL/MariaDB. When the NSG intermittently drops packets to this port, the application experiences timeouts and retries, causing sporadic slowdowns. This is a common issue in cloud environments where security rules are misconfigured or applied at the wrong priority level.

Exam trap

CompTIA often tests the distinction between intermittent failures (caused by network filtering or transient connectivity issues) versus persistent failures (caused by overload or misconfiguration), leading candidates to incorrectly choose database overload or DNS errors.

How to eliminate wrong answers

Option B is wrong because a database server overload would cause consistent slowness or errors, not intermittent issues, and the exhibit likely shows no CPU/memory spikes. Option C is wrong because an incorrect DNS record would cause a complete failure to resolve the endpoint, not intermittent slowness, and DNS caching would mask transient changes. Option D is wrong because insufficient application memory would manifest as out-of-memory errors or crashes, not intermittent slowness, and would be visible in application metrics.

180
MCQ (easy)

A cloud administrator notices that a virtual machine has been running for 180 days without a reboot. The administrator needs to install critical security patches that require a reboot. Which of the following actions should the administrator take FIRST?

A. Pause the virtual machine before applying patches.
B. Check for existing snapshots and create a new snapshot.
C. Shut down the virtual machine and apply patches offline.
D. Migrate the virtual machine to a different host to avoid disruption.
Answer: B

Creating a snapshot before patching provides a rollback point in case of failure.

Why this answer

Option B is correct because checking for existing snapshots and creating a new one ensures that the VM can be rolled back if the patching fails. Option A is wrong because pausing the VM is not necessary before checking snapshots. Option C is wrong because shutting down before checking snapshots risks losing state.

Option D is wrong because migrating to another host is a later step.

181
Multi-Select (hard)

A cloud administrator is troubleshooting a performance issue in a virtualized environment. Which THREE of the following metrics should the administrator analyze to identify potential resource contention? (Select THREE.)

Select 3 answers
A. CPU ready time
B. Disk queuing
C. Swap file usage
D. Network latency
E. Memory ballooning
Answers: A, B, E

High CPU ready time means the VM is waiting for CPU cycles due to contention.

Why this answer

CPU ready time measures the time a virtual machine is ready to execute instructions but is waiting for the hypervisor to schedule physical CPU resources. High ready time directly indicates CPU contention, as the VM is being starved of CPU cycles by other VMs on the same host.

Exam trap

The trap here is that candidates often select network latency or swap file usage as signs of resource contention, but these metrics are not direct indicators of hypervisor-level contention for CPU, memory, or storage in a virtualized environment.

182
Multi-Select (medium)

Which TWO of the following are best practices for securing a cloud object storage bucket?

Select 2 answers
A. Enable bucket versioning.
B. Set the bucket ACL to public-read-write for ease of access.
C. Configure a lifecycle policy to delete objects after 30 days.
D. Use bucket policies to restrict access to specific AWS accounts or IAM roles.
E. Encrypt all objects using server-side encryption.
Answers: A, D

Versioning allows recovery from accidental deletion or ransomware.

Why this answer

Options A and D are correct. Enabling versioning helps protect against accidental deletion or overwrite, and bucket policies can restrict access to specific principals. Option B is wrong because public access is generally not recommended.

Option C is wrong because lifecycle policies are for management, not security. Option E is wrong because encryption is important but does not enforce access control.

183
Multi-Select (hard)

Which TWO are best practices for designing a multi-tenant SaaS application on a public cloud?

Select 2 answers
A. Assign a dedicated database instance per tenant
B. Use separate virtual networks or VPCs for each tenant
C. Implement row-level security in a shared database
D. Deploy all tenants on a single large compute instance
E. Offer the same service tier to all tenants
Answers: B, C

Provides network isolation.

Why this answer

Options B and C are correct. Tenant isolation at the network layer (separate virtual networks or VPCs) and row-level security in a shared database are common approaches. Option A is wrong because a dedicated database per tenant is costly when there are many tenants.

Option D is wrong because a single large instance for all tenants creates a noisy neighbor problem. Option E is wrong because a tiered service model is a business decision, not a design best practice for multi-tenancy.

184
MCQ (easy)

A company is designing a cloud architecture that must meet a recovery time objective (RTO) of 4 hours and a recovery point objective (RPO) of 1 hour for a critical database. The database is 500 GB and runs on a virtual machine. Which backup strategy should be used?

A. Take daily snapshots and transaction log backups every hour
B. Take full backups weekly and differential backups daily
C. Use continuous database replication to a standby instance
D. Perform block-level incremental backups every 4 hours
Answer: A

Meets both RTO and RPO.

Why this answer

Option A is correct because daily snapshots provide a baseline recovery point, and hourly transaction log backups ensure that the RPO of 1 hour is met by limiting data loss to at most one hour of transactions. Combined with the ability to restore from the latest snapshot and apply transaction logs, this strategy can achieve an RTO of 4 hours for a 500 GB database, assuming adequate infrastructure and restore automation.

Exam trap

The trap here is that candidates confuse high-availability replication (Option C) with a backup strategy, failing to recognize that replication does not protect against logical corruption or allow granular point-in-time recovery to meet RPO requirements.

How to eliminate wrong answers

Option B is wrong because weekly full backups with daily differentials can only restore to the last differential, which may be up to 24 hours old, failing the 1-hour RPO. Option C is wrong because continuous database replication to a standby instance is a high-availability solution, not a backup strategy; it does not provide point-in-time recovery to meet the RPO of 1 hour if logical corruption occurs. Option D is wrong because block-level incremental backups every 4 hours would allow up to 4 hours of data loss, exceeding the 1-hour RPO requirement.

185
MCQ (easy)

An organization wants to migrate its on-premises virtual machines to the cloud with minimal changes. Which deployment model is most appropriate?

A. Re-platform to PaaS
B. Refactor into SaaS
C. Lift-and-shift to IaaS
D. Re-architect as containerized applications
Answer: C

Lift-and-shift moves VMs without modifications, using infrastructure as a service.

Why this answer

The lift-and-shift (rehost) model migrates on-premises virtual machines to IaaS with minimal changes, preserving the OS, applications, and configurations. This approach avoids refactoring or re-architecting, making it the most appropriate for minimizing modifications during cloud migration.

Exam trap

CompTIA often tests the misconception that 'minimal changes' means using a fully managed service (PaaS or SaaS), but the correct answer is IaaS because it preserves the existing VM architecture without requiring code or configuration modifications.

How to eliminate wrong answers

Option A is wrong because re-platforming to PaaS requires modifying the application to use platform-managed services (e.g., replacing a database with a cloud-native DB), which introduces changes beyond minimal. Option B is wrong because refactoring into SaaS involves rewriting the application as a multi-tenant service, which is a fundamental architectural change and not minimal. Option D is wrong because re-architecting as containerized applications requires packaging the VM workloads into containers, altering the deployment model and often requiring orchestration (e.g., Kubernetes), which is not minimal.

186
Multi-Select (easy)

A cloud administrator is designing a backup strategy for a virtual machine running a critical application. The application stores data on a separate data disk. Which TWO of the following practices should the administrator include to ensure a reliable backup?

Select 2 answers
A. Ensure the backup includes the system state and data disk.
B. Encrypt the backup files before storing them off-site.
C. Use file-level backups for the data disk only.
D. Perform guest-level backups with application-aware processing.
E. Rely solely on hypervisor-level snapshots.
Answers: A, D

Including both system state and data disk allows full restore of the VM.

Why this answer

Option A is correct because including both the system state and the data disk allows a full restore of the VM. Option D is correct because guest-level backups with application-aware processing produce application-consistent backups, whereas snapshots on their own are only crash-consistent. Option B is wrong because encryption protects confidentiality but does not directly affect backup reliability.

Option C is wrong because file-level backups of the data disk only are less efficient and leave out the system state. Option E is wrong because relying solely on hypervisor snapshots lacks application consistency.

187
MCQ (easy)

A company stores sensitive data in a cloud object storage. They want to ensure that data is automatically deleted after a retention period of 7 years to comply with legal requirements. Which feature should be used?

A. Versioning with delete markers.
B. Object lock with retention mode.
C. Lifecycle policy with expiration.
D. AWS Config rules.
Answer: C

Lifecycle policies automate object expiration based on age.

Why this answer

Option C is correct because lifecycle policies can automatically expire objects after a specified number of days.

188
MCQ (medium)

A cloud administrator is troubleshooting an application that is experiencing intermittent timeouts. The application runs on a cloud VM and connects to a cloud database. The administrator sees no errors in the application logs but notices high network latency during peak hours. Which of the following is the MOST likely cause?

A. Insufficient provisioned IOPS on the database
B. Incorrect database schema
C. SSL certificate mismatch between app and database
D. Missing route table entry for the database subnet
Answer: A

Low IOPS leads to queueing and increased latency under load.

Why this answer

Option A is correct because insufficient provisioned IOPS can cause queue buildup and latency under load. Option B is wrong because database schema issues would cause query errors, not latency. Option C is wrong because an SSL certificate mismatch would cause handshake failures, not intermittent timeouts.

Option D is wrong because a missing route would cause complete failure, not intermittent timeouts.

189
MCQ (medium)

Refer to the exhibit. What is the effect of this bucket policy?

A. It requires users to authenticate with AWS IAM before accessing the bucket.
B. It allows anyone to read objects in example-bucket only if they come from the specified IP range.
C. It allows only the specified IP range to write objects.
D. It denies all access to the bucket except from the specified IP range.
Answer: B

The effect is Allow, principal is *, action is GetObject, and condition restricts by source IP.

Why this answer

The policy allows s3:GetObject to any principal (*) but only if the request originates from the IP range 203.0.113.0/24. This is a common way to restrict access to a specific network. It does not deny other IPs explicitly; it just doesn't allow them.

It does not require authentication; the principal is *.

190
Multi-Select (easy)

A cloud engineer is deploying a new application that requires high availability. The solution must include automated failover and load balancing. Which TWO of the following should the engineer implement?

Select 2 answers
A. Configure an auto scaling group with a minimum of two instances across two availability zones.
B. Take daily snapshots of the instance and store them in a different region.
C. Configure a read replica in a different region for failover.
D. Deploy the application on a single large instance with more resources.
E. Place the instances behind an application load balancer with health checks.
Answers: A, E

Auto scaling provides automated replacement and multi-AZ distribution.

Why this answer

Option A is correct because deploying an auto scaling group with a minimum of two instances across two availability zones ensures that if one instance or zone fails, the other can continue serving traffic, providing high availability. This setup also supports automated failover by replacing unhealthy instances automatically, and it works with a load balancer to distribute traffic. The combination of multi-AZ placement and auto scaling is a foundational pattern for fault-tolerant architectures in cloud environments.

Exam trap

The trap here is that candidates often confuse data backup or database replication (options B and C) with application-level high availability and load balancing, failing to recognize that automated failover and load balancing require multiple active compute instances and a traffic distributor, not just data redundancy.

191
MCQ (medium)

A cloud architect reviews the above IAM policy attached to a user. What is the effect of this policy on the user's ability to stop or terminate instances?

A. The user can stop any instance but cannot terminate any instance
B. The user can stop only production-tagged instances and cannot terminate any instances
C. The user can stop only production-tagged instances and terminate only production-tagged instances
D. The user can stop any instance and terminate any instance
Answer: B

Allow is scoped to production-tagged, and Deny explicitly blocks termination.

Why this answer

The policy uses a Condition block with StringNotEquals to explicitly deny ec2:StopInstances and ec2:TerminateInstances when the resource tag 'environment' is not equal to 'production'. Since the Deny effect overrides any Allow, the user can only stop instances tagged with 'environment=production' and cannot terminate any instances because the TerminateInstances action is also denied for non-production tags and there is no Allow for termination.

Exam trap

CompTIA often tests the nuance that a Deny with a condition does not implicitly allow the action for matching resources—you must have an explicit Allow statement for the action to be permitted, and here termination is never allowed.

How to eliminate wrong answers

Option A is wrong because the policy denies stopping instances that are not tagged as production, so the user cannot stop arbitrary instances, only production-tagged ones. Option C is wrong because the policy denies terminating instances regardless of tags (the Deny applies to all instances where the tag is not production, and there is no Allow for termination), so the user cannot terminate any instances. Option D is wrong because the policy explicitly denies both stop and terminate actions for non-production-tagged instances, and termination is never allowed.

192
Multi-Select (medium)

A cloud architect is designing a highly available web application. Which THREE of the following components should be configured in at least two availability zones? (Choose THREE.)

Select 3 answers
A. Web server instances
B. Application load balancer
C. Database instance (primary and standby)
D. DNS service (e.g., Route 53)
E. Auto-scaling group
Answers: A, B, C

Instances should be deployed across AZs to handle requests if one AZ fails.

Why this answer

To achieve high availability across AZs, the load balancer, application servers, and database should be multi-AZ. Auto-scaling groups can launch instances across AZs, but they are not a component themselves; they are a management service. The DNS service is globally redundant by nature, not usually limited to AZs.

193
MCQ (medium)

A cloud administrator is reviewing cost reports and notices that a development environment is incurring high costs due to idle compute resources. The environment is used only during business hours on weekdays. Which of the following actions would MOST effectively reduce costs?

A. Implement an auto-scaling schedule to shut down instances during off-hours.
B. Move the development environment to a different region with lower costs.
C. Change all instances to smaller instance types.
D. Use spot instances for all development servers.
Answer: A

This stops instances when not in use, significantly reducing costs without impacting availability during business hours.

Why this answer

An auto-scaling schedule allows you to define time-based rules to automatically scale in (terminate) instances during off-hours and scale out (launch) them during business hours. This directly addresses the idle compute waste by ensuring resources are only running when needed, which is the most effective cost reduction strategy for a predictable usage pattern like weekdays 9-to-5.

Exam trap

CompTIA often tests the distinction between reducing per-unit cost (e.g., smaller instances, spot, different region) versus reducing total runtime cost, and the trap here is that candidates choose a cost-reduction method that still leaves resources running 24/7 instead of aligning compute with actual usage patterns.

How to eliminate wrong answers

Option B is wrong because moving to a different region may reduce per-hour costs but does not eliminate the idle time waste; instances would still run 24/7, just at a lower rate. Option C is wrong because downsizing instance types reduces per-instance cost but still leaves instances running idle during off-hours, failing to address the core issue of unnecessary runtime. Option D is wrong because spot instances can be interrupted at any time and are not suitable for a development environment that requires consistent availability during business hours; they also do not automatically stop during off-hours.

194
MCQ (easy)

A cloud engineer needs to ensure that a web application can scale out automatically during traffic spikes. Which design best practice should be implemented?

A. Deploy a larger instance size.
B. Use a single powerful VM with more vCPUs.
C. Manually provision additional VMs during peak times.
D. Configure an auto scaling group with a load balancer.
Answer: D

Auto scaling automatically adjusts capacity.

Why this answer

Option D is correct because an auto scaling group combined with a load balancer automatically adds or removes VM instances based on predefined metrics (e.g., CPU utilization, request count), ensuring the web application scales out horizontally during traffic spikes without manual intervention. This aligns with cloud elasticity best practices for handling variable workloads.

Exam trap

CompTIA often tests the distinction between vertical scaling (scaling up) and horizontal scaling (scaling out), where candidates mistakenly choose a larger instance size or a single powerful VM because they think 'more resources' is the solution, ignoring the need for automatic, elastic scaling and fault tolerance.

How to eliminate wrong answers

Option A is wrong because deploying a larger instance size (vertical scaling) has a hard limit based on the maximum available instance type and does not provide true elasticity; it also incurs downtime during resizing and cannot handle sudden spikes beyond the single instance's capacity. Option B is wrong because using a single powerful VM with more vCPUs is also vertical scaling, creating a single point of failure and a scalability ceiling; it cannot distribute traffic across multiple instances. Option C is wrong because manually provisioning additional VMs during peak times is reactive, error-prone, and introduces latency, failing to meet the requirement for automatic scaling during traffic spikes.

195
MCQ (medium)

Refer to the exhibit. A cloud administrator is trying to retrieve a secret from a cloud secrets manager using a script with an access key and secret key. The script returns the error shown. The keys were newly created. What is the most likely cause?

A. The secret is encrypted with a different KMS key.
B. The script is using the wrong region.
C. The secret does not exist.
D. The access key is not activated or has a propagation delay.
Answer: D

Newly created keys can take a few minutes to propagate; until then, they may be considered invalid.

Why this answer

Option D is correct. Newly created access keys may have a propagation delay and are not immediately active. Options A, B, and C would yield different error messages.

196
MCQ (medium)

The exhibit shows the health check status for targets in an application load balancer's target group. The target group has a health check on port 80. An administrator notices that one target is unhealthy on port 80 but healthy on port 443. What is the most likely cause?

A. The web server on the target is not listening on port 443.
B. The security group for the target is blocking port 80 from the load balancer.
C. The load balancer is in a different VPC.
D. The health check path is incorrect.
Answer: B

A security group blocking port 80 would cause the health check on port 80 to fail, while port 443 remains healthy.

Why this answer

Option B is correct because the target is healthy on 443 but unhealthy on 80, which indicates that port 80 is being blocked between the load balancer and the target. Option A is wrong because the target is healthy on 443, so the web server is listening on that port. Option C is wrong because the same target group reaches the target on 443, so the load balancer's VPC placement is not the problem.

Option D is wrong because an incorrect health check path would cause the check to fail on both ports.

197
MCQ (medium)

Refer to the exhibit. An administrator created this policy and attached it to a user. When the user attempts to terminate an instance from an IP address outside the 10.0.0.0/8 range, what will happen?

A. The user will be denied because the action is not allowed.
B. The effect will be evaluated as Deny.
C. The user will be denied because the condition fails.
D. The user will be allowed to terminate instances.
Answer: C

Without a matching Allow, the default Deny takes effect.

Why this answer

Option C is correct because the condition restricts the Allow to requests from the specified IP range. Requests from outside that range do not match the condition, so the Allow is not applied, resulting in an implicit Deny. Option A is incorrect because the action itself is allowed under the correct condition; it is the condition that fails.

Option B is incorrect because the effect is not evaluated as Deny; the Allow simply does not apply. Option D is incorrect because the request is not allowed.

198
Matching (medium)

Match each cost management concept to its description.


Concepts
Matches

Prepaid compute for discounted rate

Cheap compute with possible termination

Adjust resources based on demand

Label resources for cost allocation

Upfront purchase vs operational expense

Why these pairings

Cost optimization strategies are critical for Cloud+.

199
MCQmedium

A company uses AWS for its production environment. The company has deployed a web application behind an Application Load Balancer (ALB) with a target group containing two EC2 instances in different Availability Zones. The application is stateless and stores session data in an external Redis cluster. Recently, users report that they are occasionally logged out during a session. The load balancer health checks pass for both instances. The application logs show no errors. Which of the following is the most likely cause of the issue?

A.The Redis cluster is not configured for replication.
B.The instances are using different AMI versions.
C.The target group is configured with slow start.
D.Sticky sessions are not enabled on the ALB.
AnswerA

Without replication, a failure in the Redis node can cause session data loss, resulting in intermittent logouts.

Why this answer

The application is stateless and stores session data in an external Redis cluster. If the Redis cluster lacks replication, a failure of the primary node will cause all session data to be lost, logging users out. The ALB health checks pass and application logs show no errors because the EC2 instances themselves are healthy; the issue lies entirely in the Redis layer's lack of high availability.

Exam trap

The trap here is that candidates often assume sticky sessions are required for session persistence, but the question explicitly states the application is stateless and uses an external Redis cluster, making the Redis architecture the real culprit.

How to eliminate wrong answers

Option B is wrong because different AMI versions would cause inconsistent application behavior or deployment failures, not intermittent session loss when health checks pass. Option C is wrong because slow start gradually increases traffic to new targets, which affects load distribution but does not cause session data loss or logouts. Option D is wrong because sticky sessions (session affinity) are unnecessary for a stateless application that stores session data externally in Redis; enabling them would not prevent data loss from a non-replicated Redis cluster.

200
MCQhard

A cloud administrator sees the output above when troubleshooting a virtual machine that is unresponsive. The VM is critical and must be restored quickly. What should the administrator do first?

A.Resume the VM using the virsh resume command.
B.Restart the libvirtd service on the host.
C.Increase the memory allocation for the host to free resources.
D.Migrate the VM to another host in the cluster.
AnswerA

This directly addresses the paused state and will restore the VM to a running state.

Why this answer

The output from `virsh list --all` shows the VM is in a 'paused' state, which means it is still resident in memory but not executing. The fastest way to restore a paused VM is to resume it with `virsh resume <vm-name>`, which immediately continues CPU execution without requiring a reboot or migration. This directly addresses the unresponsive behavior while preserving the VM's current memory state.

Exam trap

The trap here is that candidates assume a paused VM requires a full restart or host-level intervention, but the CV0-004 exam expects you to recognize that `virsh resume` is the immediate, low-risk recovery action for a paused domain.

How to eliminate wrong answers

Option B is wrong because restarting the libvirtd service would disrupt all VMs on the host and is unnecessary when only a single VM is paused; the issue is at the VM level, not the hypervisor daemon. Option C is wrong because increasing host memory allocation does not affect a paused VM—pausing is triggered by storage I/O errors, disk full conditions, or host memory overcommitment, not by insufficient host memory. Option D is wrong because migrating a paused VM requires resuming it first or using `virsh migrate --live` which cannot work on a paused domain; migration adds unnecessary complexity and downtime when a simple resume command will restore service immediately.

201
MCQhard

A cloud administrator is troubleshooting an issue where users from the 192.0.2.0/24 network cannot access objects in an S3 bucket. The bucket policy is shown in the exhibit. What is the most likely cause of the issue?

A.The condition uses an incorrect IP address format.
B.The policy does not grant the s3:ListBucket action.
C.The policy is missing a required statement ID.
D.The resource ARN does not include the bucket itself.
AnswerB

Without ListBucket, users cannot list objects, only get them if they know the exact key.

Why this answer

The bucket policy grants s3:GetObject but not s3:ListBucket. Without s3:ListBucket, users cannot list the objects in the bucket, so they cannot discover the object keys needed to access objects. Even if they know the exact object key, the missing ListBucket action prevents the initial listing operation, which is required for many S3 access patterns.

Exam trap

CompTIA often tests the distinction between object-level actions (s3:GetObject) and bucket-level actions (s3:ListBucket), trapping candidates who assume that granting read access automatically includes listing permissions.

How to eliminate wrong answers

Option A is wrong because the IP address format '192.0.2.0/24' is a valid CIDR notation and is correctly used in the condition block. Option C is wrong because a Statement ID (Sid) is optional in S3 bucket policies; its absence does not cause access failures. Option D is wrong because the resource ARN 'arn:aws:s3:::example-bucket/*' correctly specifies all objects in the bucket, and the bucket itself is not required for object-level operations like s3:GetObject.

202
MCQeasy

A cloud administrator notices that a virtual machine is running but cannot be reached over the network. The administrator verifies that the VM is configured with the correct IP address and subnet mask. Which of the following is the MOST likely cause of this issue?

A.Cloud provider firewall blocking all traffic
B.Incorrect DNS server settings
C.Missing port forwarding rule
D.Misconfigured default gateway
AnswerD

Without a correct gateway, traffic cannot exit the subnet.

Why this answer

Option D is correct because a misconfigured default gateway is a common cause of network unreachability when the IP address and subnet mask are correct: traffic cannot leave the subnet, and return traffic cannot reach the VM. Option B is wrong because incorrect DNS settings would affect name resolution, not basic connectivity. Option A is less likely because, although cloud provider firewall rules can block traffic, the question points to an addressing problem on the VM itself once the IP and subnet mask have been verified.

Option C is wrong because port forwarding is not typically used for general network connectivity.

203
MCQhard

During a disaster recovery test, a cloud administrator finds that the replicated VMs in the secondary site fail to start because they are assigned to a resource pool that does not exist in the secondary site. Which of the following should the administrator have done to prevent this issue?

A.Map the resource pools between primary and secondary sites.
B.Use storage snapshot replication instead.
C.Ensure the secondary site has identical hardware.
D.Configure the replication job to use a different datastore.
AnswerA

Resource pool mappings allow VMs to start on appropriate clusters or hosts in the DR site.

Why this answer

Option A is correct because mapping resource pools between primary and secondary sites ensures that replicated VMs can find their intended compute resources. Option B addresses storage, not compute association. Option D would change the datastore, which does not fix the resource pool issue.

Option C is not necessary; hardware differences can be managed with proper mappings.

204
Multi-Selecthard

A cloud engineer is troubleshooting a performance issue with a web application that uses a cloud load balancer and multiple backend instances. Users report intermittent slow responses. The engineer reviews metrics and finds that CPU utilization on backend instances stays below 50% but network throughput is near the instance limit. Which THREE actions should the engineer take to improve performance?

Select 3 answers
A.Change the load balancing algorithm to least connections.
B.Distribute instances across multiple availability zones.
C.Upgrade to an instance type with higher network bandwidth.
D.Increase the number of backend instances.
E.Enable connection draining on the load balancer.
AnswersB, C, E

Multi-zone deployment can improve resilience and distribute load across network paths.

Why this answer

Distributing instances across multiple availability zones (AZs) improves fault tolerance and can reduce network congestion by spreading traffic across physically separate infrastructure. In this scenario, network throughput is near the instance limit, so adding instances in different AZs allows the load balancer to distribute traffic more evenly, preventing any single instance from being overwhelmed. This also leverages the load balancer's cross-zone load balancing capability, which can improve overall throughput and reduce latency for users.

Exam trap

CompTIA often tests the misconception that increasing the number of instances always solves performance issues, when in reality the bottleneck may be the network bandwidth per instance, requiring a larger instance type or distribution across AZs to utilize aggregate bandwidth.

205
MCQeasy

A cloud engineer notices that a virtual machine (VM) in a public cloud environment is consistently running at 90% CPU during business hours. The VM hosts a customer-facing web application. Which of the following is the BEST initial troubleshooting step?

A.Migrate the VM to a different availability zone.
B.Review the VM's performance metrics and application logs.
C.Reboot the VM to reset resource usage.
D.Scale up the VM to a larger instance size.
AnswerB

Reviewing metrics and logs is the standard first step in troubleshooting.

Why this answer

Option B is correct because the initial step in troubleshooting high CPU usage is to gather diagnostic data. Reviewing the VM's performance metrics (e.g., CPU utilization, memory, disk I/O) and application logs helps identify whether the issue is caused by a legitimate workload spike, a memory leak, or a misconfiguration. This aligns with the 'identify before act' principle in cloud operations, ensuring the engineer understands the root cause before making changes.

Exam trap

The trap here is that candidates often jump to a 'fix' like scaling up or rebooting, but CompTIA tests the foundational troubleshooting methodology of 'gather data first' to avoid unnecessary changes and ensure the solution is targeted and cost-effective.

How to eliminate wrong answers

Option A is wrong because migrating the VM to a different availability zone does not address high CPU usage; it only changes the physical location, which may introduce latency or availability issues without resolving the performance bottleneck. Option C is wrong because rebooting the VM is a disruptive action that only temporarily resets resource usage; it does not diagnose or fix the underlying cause, and it can lead to application downtime for a customer-facing web app. Option D is wrong because scaling up to a larger instance size is a reactive measure that may mask the problem without investigation; it increases costs and could be unnecessary if the issue is due to a software bug or misconfiguration.

206
Multi-Selectmedium

A cloud architect is designing a deployment pipeline for a multi-tier application. The team wants to automate testing and deployment while ensuring that only healthy code reaches production. Which TWO practices should they implement?

Select 2 answers
A.Infrastructure as Code
B.Immutable infrastructure
C.Blue/green deployment
D.Canary releases
E.Manual approval gates
AnswersC, D

Blue/green enables automated switchover after health checks.

Why this answer

Blue/green deployment (C) is correct because it allows the team to route traffic to a new 'green' environment while keeping the old 'blue' environment idle, enabling instant rollback if testing fails. Canary releases (D) are correct because they incrementally shift a small percentage of traffic to a new version, allowing automated monitoring to detect issues before full rollout. Both practices ensure only healthy code reaches production by validating changes in a controlled, reversible manner.

Exam trap

CompTIA often tests the distinction between deployment strategies (blue/green, canary) and infrastructure management practices (IaC, immutable infrastructure); candidates mistakenly select IaC or immutable infrastructure because they associate 'automation' with provisioning rather than with traffic management and health gating.

207
MCQhard

A cloud administrator notices that a virtual machine is consuming excessive CPU resources with no apparent workload. Which of the following should the administrator investigate FIRST to determine the cause?

A.A misconfigured load balancer sending traffic to the VM
B.CPU hotplug settings on the hypervisor
C.A runaway process inside the VM
D.Memory overcommitment ratio
AnswerC

A runaway process (e.g., infinite loop) can consume 100% CPU even with no intended workload.

Why this answer

Option C is correct because a VM with no workload but high CPU is often due to a runaway process, such as a misbehaving background service or malware. Option B is wrong because CPU hotplug is uncommon and would not cause continuous high usage without a workload. Option D is wrong because memory overcommitment affects memory, not CPU.

Option A is wrong because, while a misconfigured load balancer is possible, it is less likely than a process running inside the VM and would also show up as actual traffic to the VM.

208
MCQhard

A company uses a hybrid cloud model with an on-premises data center and a public cloud. The network team reports that traffic between the cloud and on-premises is experiencing high latency and packet loss. The cloud administrator verifies that the VPN connection is up. What is the most likely cause?

A.A firewall rule is blocking ICMP packets.
B.VMs are placed in different cloud regions.
C.The VPN tunnel has a mismatched MTU size.
D.The cloud provider is throttling bandwidth.
AnswerC

Mismatched MTU causes fragmentation and packet loss.

Why this answer

When a VPN tunnel is up but traffic experiences high latency and packet loss, a mismatched Maximum Transmission Unit (MTU) size is a common cause. This occurs because packets larger than the tunnel's MTU must be fragmented, and if fragmentation is not properly handled (e.g., due to the DF bit being set), packets are dropped, leading to retransmissions and increased latency. The symptoms align with MTU issues rather than simple connectivity or throttling problems.

Exam trap

The trap here is that candidates assume a 'VPN is up' means all traffic flows perfectly, but CompTIA often tests the subtlety that MTU mismatch causes performance degradation without breaking the tunnel itself, leading them to incorrectly blame firewall rules or bandwidth throttling.

How to eliminate wrong answers

Option A is wrong because ICMP packets are not required for VPN tunnel operation; blocking ICMP would cause ping failures but not necessarily high latency and packet loss on data traffic, and the VPN is already verified as up. Option B is wrong because VMs in different cloud regions would affect latency between those VMs, but the question specifies traffic between the cloud and on-premises data center, which is routed through the VPN tunnel regardless of VM placement. Option D is wrong because cloud providers typically throttle bandwidth based on usage limits or burst credits, which would manifest as reduced throughput rather than the combination of high latency and packet loss described.

209
MCQeasy

A cloud administrator is tasked with ensuring that only encrypted connections are used to transfer files to a cloud storage bucket. Which of the following should the administrator enforce?

A.Use HTTP with a custom header.
B.Allow FTP but restrict to specific IPs.
C.Require HTTPS for all uploads.
D.Enable SFTP access to the bucket.
AnswerC

HTTPS encrypts data in transit.

Why this answer

HTTPS (HTTP over TLS) encrypts data in transit using TLS, ensuring that files uploaded to a cloud storage bucket are protected from eavesdropping and tampering. By requiring HTTPS for all uploads, the administrator enforces encrypted connections as mandated by the security policy, which is a standard practice for cloud storage services like AWS S3 or Azure Blob Storage.

Exam trap

The trap here is that candidates may confuse SFTP (which is encrypted) with FTP (which is not), and incorrectly assume that enabling SFTP is the correct answer, but the question specifically targets the standard encrypted protocol for cloud storage bucket uploads, which is HTTPS.

How to eliminate wrong answers

Option A is wrong because HTTP with a custom header does not provide encryption; the data is still transmitted in plaintext, making it vulnerable to interception. Option B is wrong because FTP transmits data and credentials in cleartext, and restricting by IP does not encrypt the connection, leaving it susceptible to packet sniffing. Option D is wrong because SFTP (SSH File Transfer Protocol) encrypts the connection, but the question specifically asks for encrypted connections to transfer files to a cloud storage bucket; while SFTP is encrypted, it is not the standard protocol for cloud storage bucket uploads (which typically use HTTPS), and enabling it may introduce unnecessary complexity or security risks if not properly managed.

210
MCQhard

A DevOps engineer is deploying an application on Kubernetes. The exhibit shows the status of pods and a describe output. The frontend pod is stuck in Pending state. Which action should the engineer take to resolve the issue?

A.Reduce the resource requests in the frontend deployment manifest.
B.Add a node affinity rule to schedule on nodes with more memory.
C.Change the service type from ClusterIP to NodePort.
D.Modify the image pull policy to Always.
AnswerA

Decreasing requests may allow the pod to fit on a node.

Why this answer

The frontend pod is stuck in Pending state because the cluster nodes lack sufficient resources (CPU or memory) to satisfy the pod's resource requests. Reducing the resource requests in the deployment manifest lowers the scheduling threshold, allowing the pod to fit on an available node. This directly addresses the most common cause of Pending pods: insufficient allocatable resources on any node.

Exam trap

CompTIA often tests the misconception that changing service types or image pull policies can resolve scheduling failures, when the root cause is almost always resource insufficiency or taints/tolerations.

How to eliminate wrong answers

Option B is wrong because adding a node affinity rule does not free up resources; it only constrains scheduling to specific nodes, which would likely fail if those nodes already lack capacity. Option C is wrong because changing the service type from ClusterIP to NodePort affects external access, not pod scheduling or resource availability. Option D is wrong because modifying the image pull policy to Always only forces a fresh image pull on pod start; it does not resolve resource constraints that prevent the pod from being scheduled.

211
Multi-Selectmedium

A cloud administrator notices that an IAM user has permissions that are not explicitly assigned. The administrator suspects that the user is inheriting permissions through group membership or role assignment. Which TWO methods can the administrator use to identify all effective permissions for this user? (Choose TWO.)

Select 2 answers
A.List the user's group memberships and examine the policies attached to those groups and any roles the user can assume.
B.Review the user's recent access logs to see which actions were allowed.
C.Check the resource-based policies on each resource the user might access.
D.Use a 'simulate principal policy' API call to evaluate the user's effective permissions.
E.Log in as the root user and run a permissions report.
AnswersA, D

This helps in understanding the inherited permissions.

Why this answer

Option A is correct because group memberships and assumable roles are common sources of inherited permissions. By listing the user's groups and examining the policies attached to those groups, as well as any roles the user can assume, the administrator can trace the origin of the unexpected permissions. This method directly identifies the inheritance chain that grants permissions not explicitly assigned to the user.

Exam trap

CompTIA often tests the distinction between inherited permissions (from groups/roles) and explicit permissions, and the trap here is that candidates may confuse reviewing access logs (which show past actions) with evaluating effective permissions (which shows potential actions).

212
MCQeasy

A startup wants to develop a new web application with minimal upfront infrastructure management. They want to focus on writing code and not worry about operating system patches or scaling servers. Which cloud service model is MOST appropriate?

A.Functions as a Service (FaaS)
B.Infrastructure as a Service (IaaS)
C.Platform as a Service (PaaS)
D.Software as a Service (SaaS)
AnswerC

PaaS abstracts the underlying infrastructure, so the startup only writes and deploys code.

Why this answer

Platform as a Service (PaaS) provides a managed platform where the startup can deploy and run their web application code without managing the underlying infrastructure, including operating system patches and server scaling. This aligns with the requirement to focus on writing code while the cloud provider handles the operational overhead.

Exam trap

CompTIA often tests the distinction between PaaS and FaaS, where candidates mistakenly choose FaaS for any 'code-only' scenario, but FaaS is unsuitable for stateful web applications requiring persistent connections or long-running processes.

How to eliminate wrong answers

Option A (FaaS) is wrong because it is designed for event-driven, stateless functions that execute in response to triggers, not for hosting a full web application with persistent state and routing. Option B (IaaS) is wrong because it requires the startup to manage virtual machines, including OS patches and scaling, which contradicts the goal of minimal infrastructure management. Option D (SaaS) is wrong because it delivers ready-to-use software applications over the internet, not a platform for developing and deploying custom web applications.

213
MCQeasy

Refer to the exhibit. A cloud administrator runs this command on a VM. Which of the following is most likely causing the high 'wa' value?

A.Disk I/O bottleneck
B.Network congestion
C.High CPU load
D.Insufficient memory
AnswerA

High 'wa' indicates CPU waiting for disk I/O, suggesting a bottleneck.

Why this answer

Option A is correct because a high 'wa' (I/O wait) value in vmstat indicates that the CPU is waiting for I/O operations to complete, pointing to a disk I/O bottleneck. Option D (insufficient memory) would show high swapping activity or high si/so values. Option C (high CPU load) would show high us or sy values.

Option B (network congestion) is not directly indicated by this metric.

214
MCQmedium

During a deployment using a script, an administrator receives a 'Permission Denied' error. What is the most likely cause?

A.The service account lacks necessary IAM roles
B.Network latency is causing timeouts
C.The deployment is targeting the wrong region
D.The instance has insufficient storage
AnswerA

Insufficient permissions are a common cause of permission denied errors.

Why this answer

Option A is correct because the service account may not have the IAM roles required to execute the actions in the script. Option C is wrong because the target region does not affect permissions. Option D is wrong because storage issues produce different errors.

Option B is wrong because network latency causes timeouts, not permission errors.

215
MCQeasy

A company uses a cloud load balancer to distribute traffic to web servers. The load balancer health checks are failing for all instances. The instances are running and can be accessed directly via their private IPs from within the VPC. What is the most likely cause?

A.The load balancer's cross-zone load balancing is disabled.
B.The load balancer's listeners are configured on the wrong ports.
C.The security group of the instances is not allowing traffic from the load balancer.
D.The instances are not registered with the target group.
AnswerC

The load balancer sends health checks from a specific source; if the security group doesn't allow it, health checks fail.

Why this answer

Option C is correct because the security group must allow health check traffic from the load balancer. Options A, B, and D are incorrect or less likely.

216
MCQhard

A company is designing a cloud network architecture for a three-tier application. The web tier must be accessible from the internet, the application tier should only be accessible from the web tier, and the database tier should only be accessible from the application tier. The company uses a single VPC with multiple subnets. The security team requires that all traffic between tiers be encrypted in transit. The architect proposes using security groups and network ACLs. Which combination of security group rules meets these requirements while following the principle of least privilege?

A.Web: inbound 443 from 0.0.0.0/0, outbound to app SG:8443. App: inbound from web SG:8443, outbound to db SG:3306. DB: inbound from app SG:3306.
B.Web: inbound 443 from 0.0.0.0/0, outbound to 0.0.0.0/0:0-65535. App: inbound from web SG:443, outbound to 0.0.0.0/0:0-65535. DB: inbound from app SG:3306, outbound to 0.0.0.0/0:0-65535.
C.Web: inbound 443 from 0.0.0.0/0 and 22 from 0.0.0.0/0, outbound to app SG:443. App: inbound from web SG:443, outbound to db SG:3306. DB: inbound from app SG:3306.
D.Web: inbound 443 from 0.0.0.0/0, outbound to app subnet CIDR:1433. App: inbound from web subnet CIDR:443, outbound to db subnet CIDR:3306. DB: inbound from app subnet CIDR:3306.
AnswerA

Uses security groups for fine-grained control, allows only required traffic, and encrypts traffic (HTTPS on web, database encryption assumed).

Why this answer

Option A is correct because it uses security group (SG) references to enforce strict, stateful traffic flow between tiers: the web SG allows inbound HTTPS (443) from the internet and outbound to the app SG on port 8443; the app SG allows inbound only from the web SG on port 8443 and outbound to the DB SG on port 3306; the DB SG allows inbound only from the app SG on port 3306. This follows least privilege by restricting each tier’s communication to only the necessary ports and source/destination SGs, and the use of TLS/SSL on port 443 and 8443 ensures encryption in transit as required.

Exam trap

The trap here is that candidates often confuse security group statefulness with network ACL statelessness, or they mistakenly use broad CIDR ranges (like 0.0.0.0/0) for outbound rules instead of specific SG references, violating least privilege and encryption requirements.

How to eliminate wrong answers

Option B is wrong because it allows overly permissive outbound rules (0.0.0.0/0 on all ports) from each tier, violating least privilege by permitting unnecessary outbound traffic and potentially exposing the app and DB tiers to the internet. Option C is wrong because it includes inbound SSH (port 22) from 0.0.0.0/0 on the web tier, which is not required for the three-tier architecture and introduces an unnecessary attack surface; also, it uses port 443 for web-to-app traffic instead of the specified port 8443, which may not match the application’s encryption requirements. Option D is wrong because it uses subnet CIDR ranges instead of security group references, which is less granular and does not automatically adapt to changes in instance IPs; additionally, it uses port 1433 (SQL Server) instead of the required port 3306 (MySQL) for the database tier, and port 443 for web-to-app traffic instead of 8443.

217
MCQhard

A cloud engineer is troubleshooting an issue where an application running in a container on a Kubernetes cluster is unable to resolve DNS names. The cluster uses CoreDNS. The engineer checks the CoreDNS pod logs and sees no errors. Which of the following should the engineer check next?

A.The Kubernetes DNS service IP address
B.The container's /etc/resolv.conf file
C.The cloud provider's DNS resolver settings
D.The network policy for the namespace
AnswerB

If this file does not point to CoreDNS, DNS resolution fails.

Why this answer

Option B is correct because the container's /etc/resolv.conf should list the CoreDNS service IP as its nameserver; if it is misconfigured, DNS resolution fails even though CoreDNS itself is healthy. Option A is wrong because the DNS service IP is typically set automatically by the cluster. Option D is wrong because a network policy would block traffic entirely, not just DNS.

Option C is wrong because the cloud provider's DNS is upstream of CoreDNS; the issue is within the cluster.

218
Multi-Selecthard

A cloud engineer is troubleshooting a performance issue where a web server cluster experiences high latency during peak hours. The cluster uses an auto-scaling group behind a load balancer. Which THREE steps should the engineer take to identify the root cause?

Select 3 answers
A.Monitor CPU and memory utilization on the web servers
B.Analyze web server access logs for slow requests
C.Check the load balancer's backend instance health status
D.Reduce the number of instances in the auto-scaling group
E.Review security group rules for the load balancer
AnswersA, B, C

High resource usage can cause slow responses.

Why this answer

Option A is correct because high CPU or memory utilization on web servers directly indicates resource contention, which can cause increased request processing time and latency. Monitoring these metrics helps identify if the auto-scaling group is under-provisioned or if a specific instance is overloaded, guiding scaling policy adjustments.

Exam trap

The trap here is that candidates may think reducing instances (Option D) is a valid troubleshooting step, but it is a remediation action that can mask the root cause and potentially crash the application under load.

219
Multi-Selectmedium

A cloud architect is evaluating deployment strategies for a microservices application that requires high availability and minimal downtime during updates. Which TWO deployment methods should the architect consider?

Select 2 answers
A.Immutable deployment
B.Rolling deployment
C.In-place deployment
D.Canary deployment
E.Blue/green deployment
AnswersB, E

Correct: Rolling updates a subset of instances at a time, maintaining availability.

Why this answer

Blue/green deployment allows instant switchover with minimal downtime. Rolling deployment updates instances gradually, maintaining availability.

220
MCQhard

A cloud administrator is troubleshooting why web-server-01 is not receiving traffic from an internet-facing load balancer. The load balancer is in the same VPC and subnet. According to the exhibit, what is the most likely reason?

A.The security group attached to the instance does not allow traffic from the load balancer
B.The instance is in a stopped state
C.The instance is not in the same VPC as the load balancer
D.The instance does not have a public IP address
AnswerA

The security group must allow inbound HTTP/HTTPS from the load balancer's security group or CIDR.

Why this answer

The exhibit does not show the security group rules or a public IP for the instance, so neither can be confirmed directly. An internet-facing load balancer in the same VPC can still reach the instance over its private IP, so the absence of a public IP is not the problem.

The most common cause in this situation is the security group configuration: the load balancer's security group must allow inbound HTTP/HTTPS from the internet, and the instance's security group 'web-sg' must allow inbound traffic from the load balancer. Without that rule, traffic is blocked at the instance. Option A is correct.

Option B is wrong because the instance is running. Option C is wrong because the question states the load balancer is in the same VPC. Option D is wrong because the load balancer does not require a public IP on the instance.

221
MCQ (medium)

A company's IaaS environment has a high rate of failed login attempts to a critical database server. The security team wants to temporarily block the source IPs after 5 failed attempts within 10 minutes. Which security control should be implemented?

A. Enable TLS mutual authentication for the database.
B. Deploy a web application firewall (WAF) with rate-limiting rules.
C. Implement a cloud access security broker (CASB).
D. Configure host-based firewall rules on each database server.
Answer: B

WAF can inspect traffic and block IPs after a threshold of failed attempts.

Why this answer

Option B is correct because a web application firewall (WAF) can rate-limit and block source IPs once a threshold of failed login attempts is reached. Option A is wrong because TLS mutual authentication encrypts and authenticates the connection but does not stop brute-force attempts. Option C is wrong because a CASB governs cloud access and visibility, not per-IP blocking of failed logins.

Option D is wrong because host-based firewall rules on each server are not centrally managed.

222
MCQ (easy)

What is the primary benefit of using Infrastructure as Code (IaC)?

A. Improved network performance
B. Full manual control over resources
C. Consistent and repeatable deployments
D. Lower cloud service costs
Answer: C

IaC codifies infrastructure, ensuring the same environment every time.

Why this answer

Option C is correct because IaC ensures consistent and repeatable deployments by defining infrastructure in code. Option A is wrong because improved network performance is not a direct benefit of IaC. Option B is wrong because full manual control is the opposite of automation.

Option D is wrong because, although IaC may reduce costs through automation, consistency is its primary benefit.

223
MCQ (easy)

Which of the following is the best practice for securely storing secrets such as database passwords in a cloud environment?

A. Hard-code the secrets in the application code.
B. Store secrets in a configuration file in the repository.
C. Encrypt secrets and store them in a shared storage.
D. Use a dedicated secrets management service.
Answer: D

Services like AWS Secrets Manager or Azure Key Vault are purpose-built for secure secret storage.

Why this answer

Option D is correct because dedicated secrets management services provide secure storage, rotation, and access control.

224
Multi-Select (easy)

Which TWO of the following are common security concerns specific to a public cloud infrastructure?

Select 2 answers
A. Exposure of insecure application programming interfaces (APIs).
B. Physical theft of servers from data centers.
C. Packet sniffing on the provider's internal network.
D. Misconfiguration of cloud resources leading to data exposure.
E. Hypervisor-level malware.
Answers: A, D

APIs are often targeted by attackers if not properly secured.

Why this answer

Options A and D are correct. Insecure APIs are a top cloud security concern because they allow programmatic access, and misconfigured cloud resources such as storage can lead to data exposure. Option B is wrong because physical security is the provider's responsibility.

Option C is wrong because packet sniffing on the provider's internal network is unlikely in multitenant clouds. Option E is wrong because hypervisor vulnerabilities are rare and quickly patched.

225
MCQ (hard)

An organization is migrating a legacy monolithic application to the cloud using a re-platform approach (lift and shift with minimal changes). After migration, performance is worse than on-premises. Which of the following is the BEST next step to improve performance without significant application changes?

A. Refactor the application into microservices and use Kubernetes.
B. Increase the size of the virtual machines and allocate more vCPUs.
C. Move the application to a containerized environment using Docker.
D. Implement a content delivery network (CDN) to cache static assets.
Answer: B

Scaling up provides more CPU and memory, which can improve performance for resource-intensive applications without requiring architectural changes.

Why this answer

In a re-platform (lift and shift) migration, the application's architecture remains unchanged, so performance issues often stem from insufficient cloud resources. Increasing the VM size and allocating more vCPUs directly addresses resource contention without requiring code modifications, making it the best immediate step.

Exam trap

CompTIA often tests the misconception that cloud-native solutions like containers or microservices are always the answer, but the trap here is that the question explicitly limits changes, making vertical scaling the only viable option without re-architecting.

How to eliminate wrong answers

Option A is wrong because refactoring into microservices and using Kubernetes requires significant application changes, contradicting the 'minimal changes' constraint. Option C is wrong because containerization with Docker still requires application packaging and orchestration changes, and does not inherently improve performance without addressing resource allocation. Option D is wrong because a CDN caches only static assets, which does not resolve performance bottlenecks in a monolithic application's dynamic processing or database queries.
