CompTIA Cloud+ CV0-004 (CV0-004) — Questions 451499

499 questions total · 7pages · All types, answers revealed

Page 6

Page 7 of 7

451
MCQhard

A cloud architect is designing a multi-tier application in a public cloud that must comply with PCI DSS. The web tier must be accessible from the internet, but the application tier should not have any public IP addresses. Which architecture meets these requirements?

A.Assign public IP addresses to both tiers and use security group rules to restrict traffic.
B.Deploy both tiers in private subnets and use a VPC peering connection to the corporate data center.
C.Use a site-to-site VPN between the cloud VPC and an on-premises network for all traffic.
D.Place the web tier in a public subnet behind an internet-facing load balancer, and the app tier in a private subnet with a NAT gateway for outbound traffic.
AnswerD

This provides internet access to the web tier while keeping the app tier isolated from direct internet.

Why this answer

Option A is correct because placing the web tier in a public subnet with a load balancer and the app tier in a private subnet with no public IPs fulfills the requirement. Option B is wrong because a direct VPC peering does not restrict public access. Option C is wrong because a VPN adds unnecessary complexity.

Option D is wrong because the app tier should not have public IPs.

452
MCQmedium

A company uses a hybrid cloud model and experiences intermittent connectivity issues between the on-premises network and the public cloud VPC. The administrator has verified that the VPN connection is established. Which of the following should the administrator check next?

A.Firewall rules for outbound traffic.
B.Public IP address of the VPN gateway.
C.Routing tables on both sides.
D.DNS resolution of cloud endpoints.
AnswerC

Incorrect routes can lead to intermittent packet loss or misrouting.

Why this answer

Since the VPN connection is established (tunnel is up), the issue is likely with traffic routing rather than basic connectivity. Routing tables on both the on-premises router and the cloud VPC must have correct routes pointing to the VPN gateway and the remote subnets; a missing or misconfigured route (e.g., a missing static route or incorrect VPC route table entry) will cause intermittent connectivity even when the VPN tunnel itself is active.

Exam trap

The trap here is that candidates assume an established VPN tunnel guarantees end-to-end connectivity, but CompTIA often tests that routing misconfigurations (e.g., missing static routes or incorrect VPC route propagation) are the most common cause of intermittent connectivity when the tunnel is up.

How to eliminate wrong answers

Option A is wrong because firewall rules for outbound traffic are typically checked after routing; if the VPN tunnel is up, outbound firewall rules are not the primary cause of intermittent connectivity between two specific networks. Option B is wrong because the public IP address of the VPN gateway is already verified as part of the established VPN connection; changing it would break the tunnel, not cause intermittent issues. Option D is wrong because DNS resolution of cloud endpoints affects name resolution, not the underlying network path; if the VPN is up and routes are correct, DNS issues would manifest as name resolution failures, not intermittent connectivity.

453
MCQhard

A company is deploying a critical financial application on a private cloud. The compliance team requires that all data at rest be encrypted with a key managed by the company's hardware security module (HSM). The cloud architect must select a storage solution that supports customer-managed keys and integrates with the existing HSM. Which storage option should the architect choose?

A.Object storage with server-side encryption using a cloud provider key
B.Instance store volumes on the compute nodes
C.Encrypted volumes on a software-defined storage (SDS) cluster
D.Network-attached storage (NAS) appliance with built-in encryption
AnswerC

SDS volumes can use customer-managed keys and integrate with HSMs.

Why this answer

Option C is correct because a software-defined storage (SDS) cluster can be configured to use customer-managed encryption keys that integrate directly with the company's existing hardware security module (HSM) via standard interfaces like PKCS#11 or KMIP. This allows the company to maintain full control over key management and meet the compliance requirement for data-at-rest encryption with HSM-managed keys.

Exam trap

The trap here is that candidates often confuse 'built-in encryption' on a NAS appliance with the ability to integrate with an external HSM, but NAS appliances typically lack native KMIP or PKCS#11 support for HSM-backed key management, making SDS the only option that explicitly supports such integration.

How to eliminate wrong answers

Option A is wrong because object storage with server-side encryption using a cloud provider key means the cloud provider manages the encryption key, not the company's HSM, failing the customer-managed key requirement. Option B is wrong because instance store volumes are ephemeral and do not persist data beyond the instance lifecycle, making them unsuitable for a critical financial application that requires durable, encrypted storage with HSM integration. Option D is wrong because a NAS appliance with built-in encryption typically uses its own internal key management or a simple passphrase, and does not natively integrate with an external HSM for key management without additional complex configuration, which is not a standard feature.

454
MCQeasy

A cloud administrator is tasked with ensuring that a cloud database is backed up daily. The backup must be stored off-site for disaster recovery. Which of the following is the most cost-effective solution?

A.Schedule a backup to an object storage bucket in a different region.
B.Perform a full backup to tape and store off-site.
C.Perform incremental backups to a local network share.
D.Use snapshot replication to a different region.
AnswerA

Object storage is cheap, durable, and off-site.

Why this answer

Option D is correct because object storage in a different region is cost-effective and provides off-site storage. Option A is expensive and slow. Option B is replication, not backup.

Option C is on-site, not off-site.

455
MCQhard

An organization's hybrid cloud environment uses a VPN connection between on-premises and the cloud. Intermittent connectivity drops are reported during peak hours. The VPN logs show rekeying failures. Which configuration is most likely the cause?

A.The VPN tunnel is using a pre-shared key that has expired
B.The IPSec dead peer detection interval is set too high
C.The VPN gateway throughput is exceeded
D.The on-premises firewall is blocking IKE packets
AnswerB

A high DPD interval delays detection of unresponsive peers, causing rekeying failures during high traffic.

Why this answer

Option B is correct because a dead peer detection (DPD) interval set too high delays detection of lost peers, causing rekeying failures under load. Option A is wrong because pre-shared keys don't expire. Option C is wrong because throughput exceeded would show packet loss or high latency, not rekeying failures.

Option D is wrong because blocking IKE packets would prevent the VPN from establishing at all.

456
MCQeasy

A company is migrating its on-premises application to the cloud and needs to ensure high availability. The application requires a stateless web tier and a stateful database tier. Which design approach BEST meets these requirements?

A.Deploy one large web server and one large database server.
B.Deploy web servers behind a load balancer and use a managed database with multi-AZ replication.
C.Use round-robin DNS for web servers and a read replica for the database.
D.Use auto-scaling for web servers and a single database instance.
AnswerB

Provides redundancy for both tiers.

Why this answer

Option B is correct because deploying web servers behind a load balancer provides horizontal scaling and fault tolerance for the stateless web tier, while using a managed database with multi-AZ replication ensures automatic failover and data durability for the stateful database tier. This combination meets high availability requirements by eliminating single points of failure and providing redundancy across Availability Zones.

Exam trap

CompTIA often tests the misconception that round-robin DNS or a single read replica provides high availability, but candidates must recognize that DNS-based load balancing lacks health checking and automatic failover, and a read replica cannot handle write failures, making multi-AZ replication essential for database high availability.

How to eliminate wrong answers

Option A is wrong because deploying one large web server and one large database server creates a single point of failure; if either server fails, the entire application becomes unavailable, violating high availability. Option C is wrong because round-robin DNS does not provide health checking or automatic failover; if a web server goes down, DNS will still direct traffic to it, causing service disruption, and a read replica for the database does not support automatic failover for writes, leaving the database tier without high availability. Option D is wrong because auto-scaling for web servers addresses scaling but not high availability if all instances are in a single Availability Zone, and a single database instance is a single point of failure; without multi-AZ replication, database failure causes complete downtime.

457
MCQmedium

A company uses a configuration management tool to enforce desired state on cloud servers. During an audit, it is discovered that some servers have deviated from the baseline configuration. The administrator runs a report and finds that the configuration management agent was not running on those servers. Which of the following is the BEST solution to ensure continuous compliance?

A.Reinstall the configuration management agent on all servers.
B.Remove the drifit servers from the environment and rebuild them.
C.Manually update the configuration on the deviated servers.
D.Implement a periodic compliance scan and auto-remediation job.
AnswerD

Automated scans and remediation enforce continuous compliance.

Why this answer

Option D is correct because a periodic compliance scan will detect and remediate drift. Option A is wrong because manual checks are not automated and scalable. Option B is wrong because re-running agent installation doesn't ensure it stays running.

Option C is wrong because removing drifit servers doesn't fix the root cause.

458
MCQhard

A company uses a cloud provider's IAM service to manage access. An administrator creates a new IAM role for an application running on an EC2 instance to access an S3 bucket. The application is unable to read objects from the bucket, even though the role has an attached policy that allows s3:GetObject on the bucket. The administrator verifies that the instance is correctly associated with the role. What is the most likely cause?

A.The S3 bucket policy denies access to the role.
B.The role's trust policy does not allow the EC2 service to assume the role.
C.The role's permissions policy has a condition key that restricts access to a specific IP range.
D.The instance's security group is blocking outbound traffic to S3.
AnswerC

A condition like ipAddress could limit access to allowed IPs, and the instance's IP may not be included.

Why this answer

Option D is correct because a condition (e.g., ipAddress) could restrict access if the instance's IP is not in the allowed range. Option A is wrong but plausible; bucket policy could deny, but the stem doesn't indicate that. Option B is wrong because if the trust policy were wrong, the instance wouldn't get the role credentials.

Option C is wrong because S3 uses HTTPS, and security groups outbound all is default.

459
MCQeasy

A company deployed a web application on an EC2 instance in a public subnet. The instance passes status checks and has a public IP address. The security group allows HTTP (80) from 0.0.0.0/0. Users report that the website is not accessible. What should the administrator check next?

A.The network ACL inbound rules.
B.The route table for the subnet.
C.The instance's operating system firewall.
D.The instance's user data script.
AnswerA

Network ACLs are stateless and can block inbound traffic even if the security group allows it.

Why this answer

Option A is correct because network ACLs are stateless and can block traffic even if the security group allows it. Options B, C, and D are less likely or secondary steps.

460
Multi-Selecthard

Which THREE are common tasks in a CI/CD pipeline? (Select THREE.)

Select 3 answers
A.Manual code review by a senior developer
B.Handwritten notes for deployment steps
C.Source code checkout from version control
D.Deployment to a staging or production environment
E.Automated testing (unit, integration, etc.)
AnswersC, D, E

CI starts with fetching code from a repository.

Why this answer

Source code checkout from version control is a fundamental first step in any CI/CD pipeline. The pipeline agent must retrieve the latest code from a repository (e.g., Git) to build, test, and deploy the application. Without this checkout, subsequent automated steps have no codebase to work with.

Exam trap

CompTIA often tests the distinction between manual, human-in-the-loop activities (like code review or handwritten notes) and fully automated, scripted steps that are essential to a CI/CD pipeline, leading candidates to mistakenly include manual tasks as pipeline tasks.

461
Multi-Selectmedium

A company's application is unable to connect to a managed cloud database. The database is deployed in a VPC with public accessibility disabled. The application runs on an EC2 instance in the same VPC. Which three troubleshooting steps should the administrator take? (Choose three.)

Select 3 answers
A.Ensure the VPC has an internet gateway attached.
B.Check the network ACL associated with the database subnet for appropriate rules.
C.Verify that the database endpoint is correctly configured in the application.
D.Verify that the EC2 instance has a public IP address.
E.Check the security group for the database to ensure it allows inbound traffic from the EC2 instance's security group.
AnswersB, C, E

Network ACLs are stateless and can block traffic if rules are not correctly configured.

Why this answer

Options B, C, and E are correct. Option A is wrong because a public IP is not needed for same VPC communication. Option D is wrong because an internet gateway is not needed for internal traffic.

B checks security group inbound, C verifies the endpoint configuration, and E checks network ACLs.

462
MCQmedium

A cloud engineer needs to deploy a virtual machine with a specific configuration that includes a custom script to install software after boot. The deployment must be repeatable and version-controlled. Which approach should be used?

A.Run a shell script after the VM is deployed
B.Create a golden image with the software pre-installed
C.Manually install software after creating the VM
D.Use an Infrastructure as Code template with a user data script
AnswerD

IaC provides repeatable, version-controlled deployments.

Why this answer

Option D is correct because Infrastructure as Code (IaC) templates, such as AWS CloudFormation or Azure Resource Manager, allow you to define the entire VM configuration declaratively, including a user data script that runs custom software installation commands at first boot. This approach ensures repeatability, version control through template files stored in Git, and automated deployment without manual intervention.

Exam trap

CompTIA often tests the distinction between static golden images and dynamic IaC with user data, where candidates mistakenly choose the golden image option because they think it is more reliable, but the question specifically requires repeatability and version control, which IaC provides through code-based templates.

How to eliminate wrong answers

Option A is wrong because running a shell script after deployment is a manual or ad-hoc step that is not inherently repeatable or version-controlled; it relies on external execution and does not capture the configuration in a template. Option B is wrong because a golden image with pre-installed software is static and requires manual updates to the image for each software change, making it less flexible for version-controlled, repeatable deployments compared to IaC with user data. Option C is wrong because manually installing software after creating the VM is error-prone, not repeatable, and cannot be version-controlled, violating the core requirements of the question.

463
MCQmedium

A company recently migrated an application to the cloud. The application uses a load balancer in front of multiple EC2 instances. After the migration, users report that they occasionally receive 'Connection refused' errors. The administrator checks the load balancer health check logs and finds that some instances are marked unhealthy intermittently. The application's health check endpoint returns HTTP 200 when tested manually from the admin's workstation. What is the most likely cause?

A.The health check interval is too short
B.Security group rules blocking the load balancer health checks
C.The instances are running out of memory
D.The application is not binding to the correct IP address
AnswerB

If the security group blocks health check traffic, the load balancer may intermittently mark instances unhealthy.

Why this answer

Option A is correct because if the security group does not allow traffic from the load balancer's health check source, the health checks will fail intermittently. Option B is wrong because a short interval would not cause intermittent failures; it would cause constant failures. Option C is wrong because the application binding to an incorrect IP would cause constant failures, not intermittent.

Option D is wrong because memory exhaustion would cause overall application failure, not just health checks.

464
Multi-Selecthard

A cloud administrator is troubleshooting a performance issue where a web application is responding slowly. The application runs on virtual machines in a private cloud. The administrator has verified that CPU and memory utilization are within normal limits. Which TWO additional metrics should the administrator check to diagnose the issue?

Select 2 answers
A.Number of running processes
B.Network latency between the application and database servers
C.Disk I/O wait time on the hypervisor
D.Virtual machine snapshot size
E.Hypervisor version
AnswersB, C

High network latency can cause slow response times even if CPU and memory are fine, as the application waits for database queries.

Why this answer

Network latency between the application and database servers is a critical metric because slow database queries or network congestion can cause the web application to respond slowly even when CPU and memory on the VMs are normal. High latency increases round-trip time for SQL queries, directly impacting page load times. Disk I/O wait time on the hypervisor is also essential because excessive I/O wait indicates storage contention, which can throttle read/write operations for the VMs, leading to application sluggishness.

Exam trap

CompTIA often tests the distinction between VM-level metrics (CPU/memory) and infrastructure-level metrics (network/storage), trapping candidates who overlook that application performance can degrade due to external dependencies even when the VM itself appears healthy.

465
MCQmedium

A cloud architect is designing a multi-tier web application in a cloud environment. The application must handle unpredictable traffic spikes while minimizing costs. The architect decides to use auto-scaling groups for the web tier and a managed database service for the data tier. Which additional design consideration is MOST important to ensure the application remains available during a regional outage?

A.Distribute the auto-scaling group across multiple availability zones
B.Configure the auto-scaling group to burst into on-premises resources during spikes
C.Increase the size of the web tier instances to handle more traffic
D.Use a read replica of the database to distribute read traffic
AnswerA

Multi-AZ deployment ensures high availability during zone failures.

Why this answer

Distributing the auto-scaling group across multiple Availability Zones (AZs) ensures that if one AZ fails, the web tier continues to serve traffic from the remaining AZs. This is the most critical design consideration for maintaining availability during a regional outage because it provides fault isolation at the AZ level, which is a fundamental principle of high availability in cloud architecture.

Exam trap

CompTIA often tests the misconception that scaling up (increasing instance size) or using read replicas alone can provide high availability, when in fact only distributing resources across multiple Availability Zones ensures fault tolerance against an AZ outage.

How to eliminate wrong answers

Option B is wrong because bursting into on-premises resources introduces latency, security, and connectivity dependencies that are not designed for cloud-native auto-scaling and would not help during a regional cloud outage. Option C is wrong because increasing instance size improves performance but does not provide redundancy or fault tolerance against an AZ or regional failure. Option D is wrong because a read replica only offloads read traffic and does not provide write availability or failover capability during a regional outage; it is not a substitute for multi-AZ deployment.

466
MCQeasy

A company is migrating its on-premises data center to the cloud. The current backup solution uses a tape library. The company wants to implement a cloud-based backup strategy that ensures data durability and rapid restoration. Which of the following is the BEST option?

A.Use cloud virtual tape library (VTL).
B.Use cloud storage with versioning and lifecycle policies.
C.Use block storage snapshots.
D.Use a third-party backup software that backs up to cloud storage.
AnswerB

Versioning protects against accidental deletion/corruption and allows immediate restore; lifecycle policies automate tiering for cost.

Why this answer

Option A is correct because cloud storage with versioning and lifecycle policies provides high durability (redundant storage) and allows quick restore of previous versions. Option B is wrong because virtual tape libraries (VTL) may have slower restore times. Option C is wrong because third-party backup software may add complexity and does not inherently ensure rapid restoration.

Option D is wrong because block storage snapshots are designed for cloud instances, not on-premises data migration.

467
MCQhard

The exhibit shows VPC flow log entries for an EC2 instance (eni-12345678). The administrator is troubleshooting a connectivity problem where an application on 10.0.1.5 occasionally cannot connect to a web server at 10.0.2.10 on port 80. What action should the administrator take?

A.Increase the MTU on the instance to 9001.
B.Add a security group rule allowing inbound TCP/80 from 10.0.1.5.
C.Add a network ACL rule allowing inbound TCP/80 from 10.0.1.5 to the subnet of 10.0.2.10.
D.Add a route to the VPC route table for 10.0.1.5.
AnswerC

NACLs are stateless and require explicit inbound rules; the REJECT indicates a NACL block.

Why this answer

Option B is correct because the REJECT entry indicates that traffic is being blocked by a stateless firewall (NACL) because security groups are stateful and would not generate REJECT at network level. The REJECT is from a NACL. Adding an inbound allow rule in NACL for the target subnet would fix it.

Option A is wrong because security groups are stateful and allow return traffic; the initial connection may be allowed but not specified; but flow logs show REJECT which is typical from NACL. Option C is wrong because routes are for routing, not filtering. Option D is wrong because MTU doesn't cause reject.

468
MCQhard

A company uses a hybrid cloud model with an AWS Direct Connect connection to its on-premises network. Users report intermittent connectivity to cloud resources. A network engineer finds packet loss on the Direct Connect virtual interface. Which of the following should be checked FIRST to resolve the issue?

A.The physical port status of the Direct Connect router
B.The MTU setting on the on-premises firewall
C.The BGP session status between the on-premises router and the AWS Direct Connect endpoint
D.The VPN tunnel status for the Direct Connect link
AnswerC

BGP flapping can cause intermittent packet loss and connectivity issues.

Why this answer

Intermittent packet loss on a Direct Connect virtual interface is most commonly caused by BGP session flapping or misconfiguration, as BGP is the routing protocol that establishes and maintains connectivity between the on-premises router and the AWS Direct Connect endpoint. Checking the BGP session status first allows the engineer to quickly identify if the issue is due to route advertisement problems, hold timer mismatches, or session resets, which are frequent root causes of intermittent packet loss.

Exam trap

The trap here is that candidates often confuse Direct Connect with VPN-based connections and assume a VPN tunnel is involved, leading them to check VPN status (Option D) instead of the BGP session that actually governs the virtual interface routing.

How to eliminate wrong answers

Option A is wrong because the physical port status of the Direct Connect router would show a hard failure (e.g., link down) rather than intermittent packet loss; intermittent issues are rarely caused by physical port problems unless there is a duplex mismatch or cable fault, but these are less likely to be the first check. Option B is wrong because MTU settings on the on-premises firewall typically cause fragmentation or black-hole issues for large packets, not intermittent packet loss across all traffic; MTU mismatches usually result in consistent packet drops for packets exceeding the MTU, not sporadic loss. Option D is wrong because Direct Connect does not use a VPN tunnel; it is a dedicated physical connection, and VPN tunnels are used for AWS Site-to-Site VPN, not Direct Connect virtual interfaces.

469
MCQmedium

A cloud administrator receives an alert that the CPU usage on a virtual machine has spiked to 100% for 10 minutes. The VM hosts a critical application. What is the best first step?

A.Check the VM's performance metrics for the last hour to identify the process causing the spike.
B.Immediately reboot the VM.
C.Move the VM to a different host.
D.Increase the VM's CPU limits.
AnswerA

Identifying the root cause through metrics is the best first step before any remediation.

Why this answer

Checking the VM's performance metrics for the last hour is the best first step because it allows the administrator to identify the specific process or application causing the CPU spike without disrupting service. This diagnostic approach aligns with the ITIL problem management framework, which emphasizes root cause analysis before taking corrective action. In a virtualized environment, tools like vCenter Performance Charts or Hyper-V Performance Monitor can pinpoint whether the spike is due to a runaway process, a memory leak, or a scheduled task, enabling a targeted resolution.

Exam trap

The trap here is that candidates often jump to immediate remediation actions like rebooting or migrating the VM, overlooking the fundamental troubleshooting principle of gathering diagnostic data first to avoid recurring issues and unnecessary downtime.

How to eliminate wrong answers

Option B is wrong because immediately rebooting the VM is a reactive measure that may temporarily clear the symptom but does not address the root cause, and it causes unnecessary downtime for a critical application. Option C is wrong because moving the VM to a different host (vMotion) only shifts the resource contention to another physical server without resolving the underlying process issue, and it may not help if the spike is application-specific. Option D is wrong because increasing the VM's CPU limits without first investigating the cause can mask the problem, potentially leading to resource starvation for other VMs and violating capacity planning best practices.

470
MCQeasy

A cloud administrator needs to deploy a new application that requires a static IP address. The administrator is using a cloud provider that allows the reservation of elastic IP addresses. Which deployment step should be taken to ensure the IP address is not lost when the resource is stopped?

A.Configure the instance to obtain an IP via DHCP.
B.Allocate an elastic IP address and associate it with the resource.
C.Assign a private IP address from a reserved range.
D.Set up an external DNS service to point to the public IP.
AnswerB

Elastic IPs are static and persist independent of instance state.

Why this answer

Elastic IP addresses are static public IPv4 addresses that you can allocate to your account and associate with a resource. When you associate an elastic IP with an instance, it persists even if the instance is stopped, because the IP is reserved in your account until you explicitly release it. This ensures the IP address is not lost when the resource is stopped, unlike ephemeral public IPs that change on stop/start.

Exam trap

CompTIA often tests the distinction between ephemeral public IPs (which are lost on stop/start) and elastic/reserved IPs (which persist), and the trap here is that candidates may confuse a static private IP (Option C) with a static public IP, or think DNS alone (Option D) can prevent IP loss.

How to eliminate wrong answers

Option A is wrong because configuring DHCP only assigns a dynamic private IP address, which does not provide a static public IP and may change on stop/start. Option C is wrong because assigning a private IP from a reserved range gives a static private address, but the question requires a static public IP address for external access. Option D is wrong because setting up an external DNS service only maps a domain name to an IP; it does not prevent the underlying public IP from changing when the instance is stopped.

471
MCQeasy

A company experiences a cloud service outage that affects multiple customers. The cloud provider publishes a post-incident report identifying the root cause. As a cloud administrator, which of the following actions should be taken to prevent recurrence?

A.Request a service credit from the provider for the outage
B.Submit a formal complaint to the cloud provider's regulatory body
C.Design the application to be deployed across multiple availability zones or regions
D.Migrate all workloads to a different cloud provider immediately
AnswerC

Redundancy improves resilience to provider outages.

Why this answer

Option C is correct because designing the application for multi-AZ or multi-region deployment ensures high availability and fault tolerance, which directly mitigates the impact of a single cloud provider's infrastructure failure. This architectural pattern leverages redundancy to maintain service continuity even when one availability zone or region experiences an outage, preventing recurrence of customer-facing downtime.

Exam trap

The trap here is that candidates may confuse reactive measures (service credits, complaints) or drastic migrations with the proactive, architectural solution that actually prevents recurrence, which is the core focus of the question.

How to eliminate wrong answers

Option A is wrong because requesting a service credit addresses financial compensation for the outage, not the technical prevention of future occurrences. Option B is wrong because submitting a formal complaint to a regulatory body may address contractual or compliance issues but does not implement any technical changes to prevent recurrence. Option D is wrong because migrating all workloads to a different cloud provider immediately is an extreme, costly, and time-consuming reaction that does not guarantee prevention of similar outages with the new provider; it also ignores the root cause analysis and the possibility of architectural improvements within the current provider.

472
MCQmedium

A cloud administrator notices that a cloud-based web application is experiencing intermittent latency during peak hours. The application runs on an auto-scaling group of virtual machines behind a load balancer. Which of the following should the administrator investigate FIRST to resolve the issue?

A.Review the auto-scaling group's scaling policies and thresholds
B.Enable SSL offloading on the load balancer
C.Verify the load balancer's health check interval
D.Check DNS resolution times for the application domain
AnswerA

Incorrect scaling policies can lead to insufficient capacity during peak times, causing latency.

Why this answer

The intermittent latency during peak hours is most likely caused by the auto-scaling group's scaling policies not reacting quickly enough or being set with thresholds that are too high, leading to insufficient capacity under load. Investigating the scaling policies and thresholds first directly addresses the root cause—whether the group is adding instances too slowly or at too high a utilization trigger—rather than symptoms like health checks or DNS. This aligns with the operational best practice of verifying capacity management before tuning network or load-balancer settings.

Exam trap

The trap here is that candidates confuse load balancer tuning (SSL offloading, health checks) with capacity issues, overlooking that auto-scaling policies directly control the number of instances available to handle peak load.

How to eliminate wrong answers

Option B is wrong because enabling SSL offloading on the load balancer reduces CPU overhead on backend VMs but does not address insufficient capacity during peak hours; it is a performance optimization, not a scaling fix. Option C is wrong because verifying the load balancer's health check interval checks instance health status, not scaling responsiveness; a misconfigured health check might cause traffic misrouting but not intermittent latency from under-provisioning. Option D is wrong because checking DNS resolution times addresses client-side name resolution delays, which are unrelated to backend capacity or auto-scaling behavior; DNS caching typically masks such issues and does not cause intermittent peak-hour latency.

473
MCQeasy

A deployment of a new application version fails with a '503 Service Unavailable' error after a rolling update. The previous version was working. What is the most likely cause?

A.Database connection pool exhausted
B.DNS propagation delay
C.SSL certificate expired
D.New version missing a required dependency
AnswerD

Missing dependency can cause health check failure, resulting in 503.

Why this answer

A 503 Service Unavailable error during a rolling update typically indicates that the new application version cannot start or serve traffic. The most likely cause is a missing required dependency (e.g., a library, module, or runtime component) that the previous version did not need, causing the new pods or containers to fail readiness probes and be removed from the load balancer pool.

Exam trap

The trap here is that candidates often assume a 503 error always means server overload or scaling issues, but Cisco tests the nuance that a failing new version during a rolling update is more likely a dependency or configuration problem, not a capacity issue.

How to eliminate wrong answers

Option A is wrong because a database connection pool exhaustion would usually result in 500-level errors (e.g., 500 Internal Server Error) or timeouts, not a 503, and it is not specific to a rolling update failure of a new version. Option B is wrong because DNS propagation delay affects client-side resolution and would cause 'Server Not Found' or connection timeouts, not a 503 from an already-reachable service. Option C is wrong because an expired SSL certificate would produce TLS handshake failures (e.g., ERR_CERT_DATE_INVALID) or 502 Bad Gateway if the certificate is on the backend, but not a 503 Service Unavailable.

474
MCQhard

A company is moving a legacy monolithic application to the cloud. The application has interdependencies that make it difficult to refactor. The architect needs to minimize changes while gaining cloud benefits like elasticity and pay-as-you-go. Which migration strategy is BEST?

A.Retire
B.Repurchase
C.Refactor / Re-architect
D.Rehost (Lift and shift)
AnswerD

Rehost moves the existing application to the cloud with minimal changes, meeting the requirement.

Why this answer

Rehosting (lift and shift) is the best strategy because it moves the monolithic application to the cloud with minimal changes, preserving existing interdependencies. This allows the company to immediately gain cloud benefits like elasticity and pay-as-you-go pricing without refactoring the tightly coupled codebase. The application runs on cloud infrastructure (e.g., EC2 instances) as-is, leveraging auto-scaling and resource optimization.

Exam trap

CompTIA often tests the misconception that 'cloud-native benefits require refactoring,' but the trap here is that rehosting still provides elasticity and pay-as-you-go via infrastructure-level scaling, even without application changes.

How to eliminate wrong answers

Option A is wrong because retiring the application would eliminate it entirely, which does not meet the goal of gaining cloud benefits while keeping the application running. Option B is wrong because repurchasing involves replacing the application with a SaaS product, which requires significant changes and may not support the existing interdependencies. Option C is wrong because refactoring/re-architecting involves modifying the application code to break dependencies, which contradicts the requirement to minimize changes.

475
MCQhard

A company runs a critical application on a cloud VM that must achieve a 99.99% monthly uptime SLA. The VM is deployed in a single availability zone. The current architecture has no redundancy. What is the most effective design change to meet the SLA requirement?

A.Schedule daily backups to a different region
B.Deploy the application across two availability zones with a load balancer
C.Upgrade the VM to a larger instance type for better reliability
D.Add a second VM in the same availability zone with a load balancer
AnswerB

Multi-AZ deployment eliminates single zone as a point of failure, enabling failover and meeting 99.99% uptime.

Why this answer

Option B is correct because deploying the application across two availability zones with a load balancer provides high availability by eliminating a single point of failure. A 99.99% monthly uptime SLA requires a design that can withstand an entire availability zone failure, which a single-zone deployment cannot achieve. The load balancer distributes traffic to healthy VMs, automatically failing over if one zone becomes unavailable, thus meeting the SLA target.

Exam trap

CompTIA often tests the distinction between high availability (redundancy across zones) and disaster recovery (backups to another region), leading candidates to mistakenly choose backup solutions for uptime requirements.

How to eliminate wrong answers

Option A is wrong because daily backups to a different region provide disaster recovery, not high availability; they do not prevent downtime during an availability zone failure, as restoring from backup takes significant time and cannot achieve 99.99% uptime. Option C is wrong because upgrading to a larger instance type improves performance and may reduce hardware-related failures, but it does not protect against availability zone outages or other infrastructure failures that cause downtime. Option D is wrong because adding a second VM in the same availability zone with a load balancer still creates a single point of failure at the zone level; if the entire availability zone fails, both VMs become unavailable simultaneously.

476
MCQmedium

A cloud administrator launches a new EC2 instance with a userdata script that installs a web server. The instance launches but the web server is not running. The administrator checks the cloud-init logs and sees the warning shown in the exhibit. What is the most likely cause?

A.The userdata script contains a syntax error.
B.The instance type does not have enough memory.
C.The instance does not have an IAM role assigned.
D.The security group does not allow HTTP traffic.
AnswerA

Syntax errors cause cloud-init modules to fail.

Why this answer

The warning in cloud-init logs indicates that the userdata script failed to execute, which most commonly occurs due to a syntax error in the script. Cloud-init processes userdata as a shell script by default, and any syntax error (e.g., missing quotes, incorrect commands) will cause the script to exit prematurely, preventing the web server from starting. The administrator confirmed the instance launched successfully, so the issue is isolated to the script execution, not infrastructure or permissions.

Exam trap

CompTIA often tests the misconception that security groups or IAM roles are the cause of application startup failures, but the trap here is that cloud-init warnings specifically point to script execution issues, not network or permission problems.

How to eliminate wrong answers

Option B is wrong because insufficient memory would cause the instance to fail to launch or the web server to crash after starting, not prevent the script from executing entirely; cloud-init logs would show OOM errors, not syntax warnings. Option C is wrong because an IAM role is not required to run userdata scripts or install software; it is only needed if the script calls AWS APIs (e.g., fetching files from S3), which is not indicated. Option D is wrong because security group rules control network access, not the execution of userdata scripts; the web server not running means it never started, so HTTP traffic rules are irrelevant.

477
MCQeasy

An organization wants to ensure that only authorized personnel can access the cloud management console. Which of the following is the BEST method to achieve this?

A.Enable multi-factor authentication (MFA) for all console users.
B.Implement strong password policies with complex passwords.
C.Disable the web console and require API access only.
D.Restrict console access to a specific IP address range.
AnswerA

MFA provides strong authentication by requiring two or more factors.

Why this answer

Multi-factor authentication (MFA) is the best method because it adds an additional layer of security beyond just a password, requiring a second factor (e.g., a time-based one-time password from an authenticator app or a hardware token). This significantly reduces the risk of unauthorized access even if credentials are compromised, as the attacker would also need the second factor. In cloud environments like AWS, Azure, or GCP, MFA is a fundamental security best practice for protecting the management console.

Exam trap

The trap here is that candidates often choose strong password policies (Option B) as the best method, overlooking that MFA is the industry-standard defense against credential compromise, not just password complexity.

How to eliminate wrong answers

Option B is wrong because while strong password policies are important, they are insufficient on their own; passwords alone can be phished, guessed, or brute-forced, and MFA provides a critical additional layer. Option C is wrong because disabling the web console and requiring API access only does not inherently improve security—API access still requires authentication and can be just as vulnerable if not protected with MFA or proper IAM roles, and it reduces operational flexibility. Option D is wrong because restricting console access to a specific IP address range can be bypassed by attackers using VPNs or compromised machines within that range, and it does not protect against credential theft or insider threats; it is a network-level control, not an identity-level control.

478
MCQmedium

An organization has a site-to-site VPN connection between its on-premises network and a cloud VPC. Users report intermittent connectivity to applications hosted in the cloud. The administrator checks the VPN tunnel status and sees it is up. However, ping tests from on-premises to a cloud instance fail at random times. Which factor should the administrator investigate first?

A.The on-premises firewall is blocking outbound ICMP.
B.The security group on the cloud instance is blocking ICMP.
C.The routing tables on the cloud VPC are missing routes for the on-premises network.
D.The VPN tunnel is experiencing packet loss due to a mismatch in the IPSec parameters.
AnswerD

Mismatched IPSec parameters can cause intermittent connectivity despite the tunnel appearing up.

Why this answer

Option C is correct because intermittent connectivity despite tunnel being up suggests packet loss or misconfiguration in IPSec (e.g., mismatched phase 2 parameters). Option A is wrong because routes would cause complete failure. Option B is wrong but could cause failure; however, it's intermittent.

Option D is wrong because it would cause consistent failure.

479
MCQmedium

A cloud administrator notices that a virtual machine running a critical application is using 95% CPU consistently. The application is single-threaded and performance is degraded. Which action should the administrator take to resolve the issue?

A.Deploy additional VMs and load balance the application.
B.Increase the RAM allocation to the VM.
C.Migrate the VM to a host with a higher CPU clock speed.
D.Increase the number of vCPUs assigned to the VM.
AnswerC

Higher clock speed improves single-threaded performance.

Why this answer

The application is single-threaded, meaning it can only utilize one CPU core at a time. Increasing the CPU clock speed directly improves the processing speed of that single thread, which resolves the performance degradation. Option C is correct because migrating to a host with a higher CPU clock speed provides a faster core for the single-threaded workload.

Exam trap

CompTIA often tests the misconception that adding more vCPUs always improves performance, but for single-threaded workloads, higher clock speed is the correct solution, not vCPU count.

How to eliminate wrong answers

Option A is wrong because deploying additional VMs and load balancing would distribute requests across multiple instances, but a single-threaded application cannot parallelize its work across VMs; this adds complexity without addressing the core bottleneck. Option B is wrong because increasing RAM allocation does not affect CPU utilization or single-threaded performance; the issue is CPU-bound, not memory-bound. Option D is wrong because increasing the number of vCPUs does not help a single-threaded application; the application can only use one vCPU at a time, and additional vCPUs may even cause scheduling overhead or NUMA issues.

480
Multi-Selecthard

A cloud operations team needs to implement a monitoring solution for a microservices architecture. The solution must provide centralized logging, metrics, and alerting, and must be able to correlate data from multiple services. Which THREE of the following components should the team include?

Select 3 answers
A.A security information and event management (SIEM) system.
B.A centralized logging system (e.g., ELK stack).
C.A correlation engine and alerting system (e.g., event correlation).
D.A metrics collection agent and dashboard (e.g., Prometheus+Grafana).
E.An application performance monitoring (APM) tool.
AnswersB, C, D

Centralized logging aggregates logs from all services.

Why this answer

Option B is correct because a centralized logging system like the ELK stack (Elasticsearch, Logstash, Kibana) aggregates logs from all microservices into a single searchable repository. This enables the team to correlate events across services by timestamp and metadata, which is essential for debugging distributed transactions and identifying root causes of failures.

Exam trap

CompTIA often tests the distinction between specialized tools (SIEM, APM) and the core triad of centralized logging, metrics, and correlation/alerting, leading candidates to over-select security or tracing tools that do not fulfill the requirement for correlating data from multiple services at the log and metric level.

481
Multi-Selectmedium

A cloud architect is designing a hybrid cloud environment that connects an on-premises data center to a public cloud. The architect needs to ensure secure, low-latency connectivity and isolate traffic between different business units. Which TWO solutions should the architect implement? (Choose two.)

Select 2 answers
A.Configure a NAT gateway to allow outbound internet access
B.Establish a dedicated VPN or direct connect between on-premises and cloud
C.Implement VPC peering to connect VPCs for different business units
D.Deploy a bastion host in a public subnet for administrative access
E.Use a transit gateway to interconnect all VPCs
AnswersB, C

Provides secure, low-latency connectivity.

Why this answer

Option B is correct because a dedicated VPN or Direct Connect establishes a secure, low-latency, and private connection between the on-premises data center and the public cloud, bypassing the public internet to reduce latency and improve security. This is essential for hybrid cloud environments where consistent performance and isolation from internet-based threats are required.

Exam trap

The trap here is that candidates often confuse transit gateways with VPC peering for isolation, but VPC peering directly connects two VPCs with no transitive routing, ensuring traffic isolation between business units, whereas a transit gateway can inadvertently route traffic between all connected VPCs unless carefully configured with route tables and network ACLs.

482
MCQmedium

An organization uses a cloud-based load balancer to distribute traffic to a web application across multiple availability zones. Users report that the application is intermittently unavailable. The cloud administrator finds that the load balancer health checks are failing on instances in one availability zone. What is the most likely cause?

A.The availability zone is experiencing a partial outage.
B.A single instance in the failing AZ has a misconfigured web server.
C.The DNS settings for the application domain are misconfigured.
D.The load balancer's listener configuration is incorrect.
AnswerA

AZ outage would cause all instances to fail health checks.

Why this answer

When health checks fail for all instances in a single availability zone (AZ) while other AZs remain healthy, the most likely cause is a partial outage or degradation within that AZ. Cloud providers like AWS, Azure, or GCP isolate AZs to prevent single points of failure, but an AZ can experience issues such as network connectivity loss, power disruption, or hardware failures that affect all instances in that zone. The load balancer's health checks are designed to detect such zone-level failures by probing each instance; if an entire AZ is impaired, all its instances will fail the health check simultaneously.

Exam trap

CompTIA often tests the distinction between instance-level failures and zone-level failures; the trap here is that candidates may assume a single misconfigured instance (Option B) is the cause, but the key clue is that all instances in one AZ are failing health checks, which points to an AZ-wide issue rather than a per-instance configuration problem.

How to eliminate wrong answers

Option B is wrong because a misconfigured web server on a single instance would cause only that instance to fail health checks, not all instances in the AZ; the scenario describes all instances in the AZ failing. Option C is wrong because DNS misconfiguration would affect client resolution to the load balancer's DNS name, not the load balancer's ability to perform health checks on backend instances; health checks operate at the network layer between the load balancer and instances, independent of DNS. Option D is wrong because an incorrect listener configuration (e.g., wrong port or protocol) would cause health checks to fail for all instances across all AZs, not just one AZ; the issue is isolated to a single AZ, pointing to a zone-level problem.

483
Multi-Selectmedium

Which THREE of the following are recommended practices for securing cloud API access? (Choose three.)

Select 3 answers
A.Use role-based access control to limit permissions for each API user
B.Embed API keys directly in application source code for convenience
C.Enable detailed logging of all API calls to a centralized service
D.Expose API endpoints publicly for easy access by all clients
E.Rotate API keys and tokens on a regular schedule
AnswersA, C, E

Least privilege reduces attack surface.

Why this answer

Options A, C, and D are correct. API keys should be rotated regularly (A), access should be logged and monitored (C), and principle of least privilege should be applied (D). Option B is wrong: hardcoding keys is insecure.

Option E is wrong: public exposure increases risk.

484
MCQmedium

A cloud architect is designing an auto-scaling policy for a web application that experiences predictable traffic spikes every weekday morning from 8 to 10 AM. The application runs on a group of virtual machines behind a load balancer. Which scaling approach is MOST cost-effective while ensuring performance during the spike?

A.Dynamic scaling based on CPU utilization threshold
B.Proactive scaling using machine learning to predict spikes
C.Manual scaling by the operations team each morning
D.Scheduled scaling to increase capacity before 8 AM and decrease after 10 AM
AnswerD

Scheduled scaling directly matches the predictable pattern, ensuring resources are ready in advance and minimizing waste.

Why this answer

Scheduled scaling is the most cost-effective approach because the traffic pattern is predictable (every weekday 8–10 AM). By configuring the auto-scaling group to add instances before the spike and remove them after, you avoid paying for idle resources during off-peak hours while ensuring capacity is ready when needed. This approach directly matches the known schedule without relying on reactive metrics or manual intervention.

Exam trap

CompTIA often tests the distinction between reactive (dynamic) and proactive (scheduled) scaling, where candidates mistakenly choose dynamic scaling for predictable patterns because they assume it is always the most efficient, ignoring the latency of metric-based triggers.

How to eliminate wrong answers

Option A is wrong because dynamic scaling based on CPU utilization reacts to load after it occurs, which can cause a lag in provisioning and potential performance degradation during the initial spike. Option B is wrong because proactive scaling using machine learning is overkill for a predictable, repeating schedule and introduces unnecessary complexity and cost. Option C is wrong because manual scaling is error-prone, requires human intervention every morning, and cannot guarantee timely scaling for a predictable pattern.

485
Multi-Selecthard

A cloud architect is designing a disaster recovery plan for a critical application. The application runs on virtual machines in a public cloud. The recovery time objective (RTO) is 1 hour, and the recovery point objective (RPO) is 15 minutes. Which three strategies should the architect implement? (Select THREE).

Select 3 answers
A.Implement active-passive failover with automated DNS.
B.Use synchronous replication to a secondary region.
C.Take daily snapshots of the VMs.
D.Use asynchronous replication with a 10-minute lag.
E.Maintain a warm standby in another region.
AnswersA, B, E

Correct. Automated DNS failover speeds up recovery, helping achieve the RTO.

Why this answer

Synchronous replication provides low RPO; warm standby ensures quick failover within RTO; active-passive with automated DNS reduces transition time.

486
MCQeasy

During a cloud deployment, a virtual machine is created from a custom image. After boot, the VM is not accessible via SSH. Which of the following should the administrator check FIRST?

A.The security group rules for inbound SSH
B.The boot volume is encrypted
C.The hypervisor version compatibility
D.The image's OS license activation status
AnswerA

Security group rules are the first line of defense; if SSH (port 22) is not allowed, connection will fail.

Why this answer

The most common reason a newly deployed VM is inaccessible via SSH is that the security group or network ACL does not permit inbound TCP port 22 traffic. Security groups act as a virtual firewall at the instance level, and if the rule allowing SSH from the administrator's IP is missing or misconfigured, the connection will be refused. This should be the first check because it is a frequent misconfiguration during deployment.

Exam trap

The trap here is that candidates may assume the issue is with the OS or image itself (e.g., licensing or encryption) and overlook the most common and easily verified network-layer misconfiguration of security group rules.

How to eliminate wrong answers

Option B is wrong because boot volume encryption affects data at rest security, not network connectivity; an encrypted volume does not block SSH access. Option C is wrong because hypervisor version compatibility is a pre-deployment concern and would typically cause the VM to fail to boot or run, not just block SSH after boot. Option D is wrong because OS license activation status might cause grace-period warnings or feature restrictions but does not prevent SSH connectivity; SSH is a network service that operates independently of activation state.

487
MCQhard

A cloud administrator is troubleshooting a performance issue where an application running on a VM in a private cloud is experiencing high latency. The VM is connected to a virtual switch that uses SR-IOV. The administrator suspects network bottlenecks. Which of the following is the MOST likely cause of the latency?

A.The physical network interface card (NIC) is saturated.
B.The virtual switch is dropping packets due to buffer exhaustion.
C.The VM's virtual NIC is not using the correct driver.
D.The hypervisor's CPU is overloaded due to SR-IOV emulation.
AnswerA

Saturation of the physical NIC is a common cause of latency with SR-IOV.

Why this answer

SR-IOV allows a physical NIC to present multiple virtual functions (VFs) directly to VMs, bypassing the virtual switch for data plane traffic. When the physical NIC reaches its bandwidth capacity, all VFs sharing that NIC experience increased latency and packet drops, making NIC saturation the most likely cause of the high latency.

Exam trap

The trap here is that candidates assume SR-IOV eliminates all bottlenecks, but the physical NIC remains a shared resource that can become saturated, causing latency for all VMs using its VFs.

How to eliminate wrong answers

Option B is wrong because SR-IOV bypasses the virtual switch for data plane traffic, so buffer exhaustion on the virtual switch does not affect SR-IOV passthrough traffic. Option C is wrong because SR-IOV requires a specific driver (e.g., ixgbevf or mlx5_core) on the VM; an incorrect driver would prevent the VF from being recognized or cause connectivity failure, not just high latency. Option D is wrong because SR-IOV offloads network processing to the NIC hardware, so the hypervisor's CPU is not involved in emulating the NIC for SR-IOV VFs; CPU overload would affect other components but is not a direct consequence of SR-IOV.

488
MCQhard

A company uses a multi-cloud strategy with both AWS and Azure. The cloud operations team needs to centrally monitor all cloud resources and receive alerts when resource usage exceeds predefined thresholds. Which of the following solutions should the team implement?

A.Azure Monitor with Log Analytics
B.AWS CloudWatch with cross-account monitoring
C.A third-party monitoring tool that supports both AWS and Azure
D.Custom scripts that log to a central syslog server
AnswerC

Third-party tools like Datadog can aggregate metrics from multiple clouds into a single dashboard.

Why this answer

Option D is correct because a third-party monitoring tool like Datadog or Dynatrace can provide a unified view across clouds. Option A is wrong because AWS CloudWatch is limited to AWS only. Option B is wrong because Azure Monitor is limited to Azure only.

Option C is wrong because custom scripts are less scalable and maintainable.

489
MCQeasy

A company hosts a critical application on a single virtual machine in a public cloud. The virtual machine has been running without issues for months. Recently, the application became unresponsive, and users report a '500 Internal Server Error'. The cloud administrator checks the virtual machine's status and finds it is 'Running'. The administrator can successfully ping the virtual machine's public IP address. The administrator then attempts to SSH into the virtual machine but receives 'Connection timed out'. The virtual machine's security group allows SSH (port 22) from the administrator's IP address. The operating system firewall is enabled and configured to allow SSH. What should the administrator do next to troubleshoot the issue?

A.Use a serial console or out-of-band management to access the virtual machine's console.
B.Reset the virtual machine from the cloud provider's management console.
C.Create a new virtual machine and migrate the application.
D.Check the application logs from the cloud provider's monitoring service.
AnswerA

Serial console access bypasses the network stack and allows the administrator to log in and check the SSH service status or firewall rules.

Why this answer

The administrator can ping the VM (ICMP works) but SSH (TCP/22) times out, indicating the application is running but the SSH service or network stack is not responding to new connections. Since the cloud security group and OS firewall are correctly configured, the issue is likely at the OS level (e.g., SSH daemon crashed, kernel panic, or network service hung). Using a serial console or out-of-band management (e.g., AWS EC2 Serial Console, Azure Serial Console) provides direct, network-independent access to the VM's console, bypassing the broken network stack to diagnose and fix the OS-level problem.

Exam trap

CompTIA often tests the distinction between ICMP reachability (ping) and TCP service availability (SSH), and the trap here is that candidates assume a 'Running' status and successful ping mean the OS is fully functional, overlooking that the network stack or SSH daemon can be broken while the VM appears healthy from the hypervisor's perspective.

How to eliminate wrong answers

Option B is wrong because resetting the VM (power cycle) might temporarily fix the symptom but does not diagnose the root cause, and could cause data loss or downtime without understanding why SSH failed. Option C is wrong because creating a new VM and migrating the application is a drastic, time-consuming recovery action that should only be taken after exhausting troubleshooting steps; it does not help identify the current issue. Option D is wrong because the cloud provider's monitoring service (e.g., CloudWatch, Azure Monitor) typically collects metrics and logs from the guest OS via an agent, but if the OS is unresponsive or the network stack is broken, those logs may not be accessible or up-to-date; the immediate need is to access the console, not check stale logs.

490
Multi-Selectmedium

A company is implementing a cloud-based SIEM solution. Which TWO of the following are essential data sources that should be integrated to ensure comprehensive security monitoring?

Select 2 answers
A.Physical access logs from the data center.
B.Firewall configuration backup files.
C.Employee vacation schedule.
D.DNS query logs from the cloud DNS service.
E.Network flow logs from virtual network appliances.
AnswersD, E

DNS logs can reveal C2 communications.

Why this answer

DNS query logs from the cloud DNS service (Option D) are essential because they provide visibility into domain resolution activities, which can reveal command-and-control (C2) communications, data exfiltration via DNS tunneling, or connections to malicious domains. In a cloud-based SIEM, these logs are critical for detecting threats that leverage DNS as a covert channel, as they capture the source IP, queried domain, and response codes in real time.

Exam trap

The trap here is that candidates often mistake static configuration files (like firewall backups) or non-security data (like vacation schedules) as valid SIEM sources, overlooking that a SIEM requires real-time, event-driven logs (e.g., DNS queries and network flows) to perform effective threat detection and correlation.

491
Multi-Selecthard

A cloud administrator is designing a secure multi-tenant environment. Which THREE of the following are best practices for isolating tenant workloads?

Select 3 answers
A.Use a single virtual switch for all tenants.
B.Deploy tenant workloads on dedicated hypervisors.
C.Implement micro-segmentation using virtual firewalls.
D.Use separate VLANs for each tenant.
E.Place all tenants on the same storage array for efficiency.
AnswersB, C, D

Dedicated hypervisors prevent hypervisor-level attacks.

Why this answer

Deploying tenant workloads on dedicated hypervisors provides strong physical isolation, preventing a compromised hypervisor from affecting other tenants. This approach eliminates the risk of side-channel attacks or resource contention that could cross tenant boundaries, ensuring each tenant's virtual machines run on separate hardware with no shared compute resources.

Exam trap

CompTIA often tests the misconception that a single virtual switch can be securely partitioned using VLANs alone, but the trap is that VLANs only provide Layer 2 isolation and do not protect against misconfigurations or attacks within the shared virtual switch control plane.

492
MCQmedium

An organization is designing a cloud architecture for a data analytics workload that processes large datasets. The workload is CPU-intensive and runs once per day. The company wants to minimize costs. Which compute model should be used?

A.On-demand instances with auto scaling
B.Dedicated hosts with a savings plan
C.Reserved instances for a 1-year term
D.Spot instances with a fallback to on-demand
AnswerD

Spot instances are cost-effective for batch processing.

Why this answer

Option D is correct because spot/preemptible instances offer significant cost savings for fault-tolerant, interruptible workloads like batch processing. Option A is wrong because on-demand instances are more expensive. Option B is wrong because reserved instances are for steady-state usage.

Option C is wrong because dedicated hosts are the most expensive option.

493
MCQeasy

A cloud administrator cannot deploy a new VM from a custom image. The deployment fails with an error stating 'Incompatible hypervisor version'. What is the most likely cause?

A.The image was created on a newer hypervisor than the current host.
B.The VM's virtual hardware version is too old.
C.The image file is corrupt.
D.The storage backend does not support the image format.
AnswerA

Hypervisor backward compatibility may not extend to previous versions.

Why this answer

Option D is correct because the image was created on a different hypervisor version. Option A is incorrect because the image file exists. Option B is incorrect as compatibility is about hypervisor, not driver.

Option C is incorrect because storage is separate.

494
Matchingmedium

Match each security control to its purpose.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Manage user identities and access

Require multiple authentication factors

Protect stored data from unauthorized access

Protect data during transmission

Firewall rules for cloud resources

Why these pairings

Essential security mechanisms in cloud environments.

495
MCQeasy

A cloud engineer is tasked with automating the deployment of a new web application. Which of the following tools is BEST suited for managing infrastructure as code in a hybrid cloud environment?

A.AWS CloudFormation
B.Ansible
C.Terraform
D.Docker
AnswerC

Terraform is a cloud-agnostic infrastructure as code tool that supports hybrid environments.

Why this answer

Option A is correct because Terraform is cloud-agnostic and supports multiple providers, including on-premises and public cloud. Option B is wrong because AWS CloudFormation is AWS-specific. Option C is wrong because Ansible is configuration management, not IaC.

Option D is wrong because Docker is containerization, not IaC.

496
Multi-Selecthard

An organization is migrating workloads to the cloud and after migration, users complain about slow application response times. The administrator reviews the cloud provider's dashboard and sees no resource bottlenecks. Which three factors could still cause poor performance? (Choose three.)

Select 3 answers
A.The application is not optimized for the cloud infrastructure
B.DNS resolution delays due to on-premises DNS server
C.High latency between the cloud region and the users' location
D.Insufficient number of CPU cores in the VM
E.TCP window scaling mismatch
AnswersB, C, E

Slow DNS resolution increases latency without taxing cloud resources.

Why this answer

Correct options are A, B, and D. Option A is correct because DNS delays can increase response times without showing as resource usage. Option B is correct because TCP window scaling mismatch can degrade network throughput transparently.

Option D is correct because geographic latency is not a resource bottleneck. Option C is wrong because insufficient CPU cores would appear as a CPU bottleneck on the dashboard. Option E is wrong because application optimization issues would typically manifest as high resource usage.

497
MCQmedium

A cloud administrator is configuring a new virtual private cloud (VPC) for a three-tier application. The web tier must be accessible from the internet, the application tier should only be accessible from the web tier, and the database tier should only be accessible from the application tier. Which network architecture should be used?

A.Use one subnet with network ACLs to restrict traffic between tiers.
B.Place all tiers in the same subnet and use host-based firewalls.
C.Place each tier in a separate subnet with appropriate security group rules controlling traffic.
D.Deploy each tier in a different VPC and peer them.
AnswerC

Correct. Separate subnets with security groups allow granular control and align with security best practices.

Why this answer

Option C is correct because placing each tier in a separate subnet and using security group rules provides stateful, instance-level traffic control. Security groups act as virtual firewalls at the hypervisor layer, allowing you to specify inbound rules that restrict the application tier to only accept traffic from the web tier's security group, and the database tier to only accept traffic from the application tier's security group. This aligns with the principle of least privilege and ensures that each tier is isolated within the VPC while maintaining necessary connectivity.

Exam trap

The trap here is that candidates often confuse network ACLs (stateless, subnet-level) with security groups (stateful, instance-level) and assume a single subnet with ACLs can achieve the same isolation, but ACLs cannot filter based on source security group IDs and require manual IP management, making them unsuitable for this multi-tier access control requirement.

How to eliminate wrong answers

Option A is wrong because using a single subnet with network ACLs (stateless) would require complex, bidirectional rule management for each tier, and network ACLs cannot filter traffic based on source security group IDs, making it impossible to restrict traffic to only the web tier or application tier without exposing other resources. Option B is wrong because placing all tiers in the same subnet with host-based firewalls violates the security best practice of network segmentation; host-based firewalls are not managed centrally and can be bypassed if the host is compromised, plus they do not provide the same level of isolation as separate subnets with security groups. Option D is wrong because deploying each tier in a different VPC and peering them introduces unnecessary complexity, latency, and cost; VPC peering does not support transitive routing, so you would need additional routing configurations or a transit gateway, and it violates the typical three-tier architecture pattern where all tiers reside within the same VPC for low-latency communication.

498
MCQeasy

A company wants to automate the deployment of cloud resources using code. Which tool is BEST suited for this purpose?

A.SSH
B.An IP address management tool
C.Infrastructure as Code (IaC) templates
D.A configuration management database
AnswerC

IaC tools like Terraform or CloudFormation automate resource deployment from code.

Why this answer

Infrastructure as Code (IaC) templates (Option C) are the best tool for automating cloud resource deployment because they allow you to define, version, and provision infrastructure through machine-readable definition files. Tools like Terraform, AWS CloudFormation, or Azure Resource Manager templates enable repeatable, consistent deployments without manual intervention, directly aligning with the goal of automating cloud resource deployment using code.

Exam trap

The trap here is that candidates may confuse SSH (a remote access tool) with automation scripts (like Ansible playbooks) or think that a CMDB can automate deployments, but the question specifically asks for a tool that uses code to deploy resources, which is the core definition of IaC.

How to eliminate wrong answers

Option A is wrong because SSH (Secure Shell) is a network protocol for secure remote access to systems, not a tool for automating the deployment of cloud resources; it lacks the declarative or imperative infrastructure definition capabilities needed for IaC. Option B is wrong because an IP address management (IPAM) tool is used for planning, tracking, and managing IP address spaces, not for provisioning or orchestrating cloud resources via code. Option D is wrong because a configuration management database (CMDB) is a repository that stores information about IT assets and their relationships; it does not automate deployment but rather serves as a reference for configuration items.

499
Multi-Selecteasy

A developer is using a cloud provider's CLI to manage resources. Which TWO commands are commonly used to troubleshoot instance connectivity?

Select 2 answers
A.reboot
B.ssh
C.create-tags
D.traceroute
E.ping
AnswersD, E

Traceroute identifies the path and can pinpoint where connectivity fails.

Why this answer

D is correct because the `traceroute` command is a standard network diagnostic tool that identifies the path packets take from the source to a destination, revealing each hop's latency and any points of failure. It uses ICMP (or UDP on Linux) with incrementing TTL values to map the route, making it essential for troubleshooting connectivity issues between cloud instances and external endpoints.

Exam trap

The trap here is that candidates confuse `ssh` (a connectivity-dependent tool) with a diagnostic command, or assume `reboot` can resolve network issues, when the exam specifically tests the ability to select commands that *diagnose* rather than *fix* connectivity problems.

Page 6

Page 7 of 7

All pages