CompTIA Cloud+ CV0-004 (CV0-004) — Questions 526600

984 questions total · 14pages · All types, answers revealed

Page 7

Page 8 of 14

Page 9
526
MCQeasy

A cloud administrator notices that a virtual machine is unresponsive. The VM is running on a hypervisor host that shows high CPU utilization. What should the administrator do first?

A.Reboot the hypervisor host
B.Increase the VM's vCPU count
C.Migrate the VM to another host
D.Check the VM console for OS-level issues
AnswerD

Checking the console allows direct assessment of the VM's OS state, such as a hung process or login prompt.

Why this answer

Option C is correct because the first step in troubleshooting an unresponsive VM is to check the VM console for OS-level issues. Option A is wrong because migrating the VM might be premature without diagnosing the root cause. Option B is wrong because increasing vCPU could exacerbate resource contention if the host is overloaded.

Option D is wrong because rebooting the host would affect all VMs and should be a last resort.

527
MCQeasy

A cloud administrator is tasked with reducing costs for a development environment that runs 24/7. The environment consists of several virtual machines and a load balancer. Which action would most effectively reduce costs without affecting developer access during business hours?

A.Implement auto-scaling to run only one instance during off-hours.
B.Schedule the VMs to shut down during nights and weekends.
C.Use reserved instances for all VMs.
D.Change all VMs to burstable instance types.
AnswerB

Correct. Shutting down VMs eliminates compute costs during idle periods, directly reducing expenses.

Why this answer

Option B is correct because scheduling VMs to shut down during nights and weekends directly reduces compute costs by eliminating runtime charges when the development environment is not needed. This approach preserves full availability during business hours without requiring architectural changes, and it is the most straightforward way to cut costs for a 24/7-running environment that only needs daytime access.

Exam trap

The trap here is that candidates often choose auto-scaling or burstable instances because they focus on reducing per-unit cost rather than eliminating runtime, missing the fact that shutting down VMs entirely during off-hours yields the greatest savings for a development environment with predictable idle periods.

How to eliminate wrong answers

Option A is wrong because auto-scaling to run only one instance during off-hours still keeps that instance running and incurring costs, and it does not address the load balancer's cost; moreover, auto-scaling is designed for variable demand, not for eliminating runtime entirely. Option C is wrong because reserved instances require a 1- or 3-year commitment and are intended for steady-state workloads, not for a development environment that can be shut down; they would lock in costs rather than reduce them for intermittent usage. Option D is wrong because changing to burstable instance types (e.g., AWS T-series) reduces per-hour cost but still charges for every hour the VMs run, so it does not eliminate the cost of running 24/7; it only lowers the rate, not the runtime.

528
Multi-Selecthard

A cloud security analyst is investigating a potential container security incident. The analyst notices that a container is sending outbound traffic to a known malicious IP address. The container was deployed from an image that passed a vulnerability scan. Which TWO of the following should the analyst implement to detect and prevent such behavior in the future? (Select TWO).

Select 2 answers
A.Use a static IP address for all containers
B.Disable outbound network access for all containers
C.Enable runtime security monitoring for anomalous container behavior
D.Store container secrets in environment variables
E.Scan the container image layers for vulnerabilities during CI/CD
AnswersC, E

Runtime security detects behavioral anomalies such as unexpected outbound connections.

Why this answer

Runtime security tools monitor container behavior for anomalies like outbound connections to malicious IPs, and scanning base image layers helps catch vulnerabilities that might allow such behavior.

529
MCQhard

A company runs a containerized application on a Kubernetes cluster. The application logs indicate occasional 'CrashLoopBackOff' errors. The developer says the application works fine locally. What is the most likely cause in the cloud environment?

A.The readiness probe is misconfigured and returning false.
B.The memory limit set in the pod spec is too low, causing the container to be OOMKilled.
C.The container image is not being pulled correctly from the registry.
D.The persistent volume claim is not bound to a storage class.
AnswerB

OOMKill causes container to restart, resulting in CrashLoopBackOff.

Why this answer

The 'CrashLoopBackOff' error indicates that the container is repeatedly crashing after startup. Since the application works locally, the issue is likely environmental. A memory limit set too low in the pod spec causes the container to exceed its allowed memory, triggering an OOMKill (Out of Memory Kill) by the kubelet.

The container restarts, fails again, and enters CrashLoopBackOff, which is a common cloud-specific resource constraint not present in local development.

Exam trap

CompTIA often tests the distinction between pod statuses: candidates confuse 'CrashLoopBackOff' (container crashes after starting) with 'ImagePullBackOff' (image pull failure) or 'Pending' (resource unavailability), so they incorrectly attribute the error to image or volume issues rather than resource limits.

How to eliminate wrong answers

Option A is wrong because a misconfigured readiness probe returning false would cause the pod to be marked as not ready and removed from service endpoints, but it would not cause the container to crash or enter CrashLoopBackOff; the container would continue running. Option C is wrong because if the container image were not being pulled correctly, the pod would show an 'ImagePullBackOff' or 'ErrImagePull' status, not 'CrashLoopBackOff'. Option D is wrong because an unbound persistent volume claim would cause the pod to remain in 'Pending' state, not crash after starting; the container would never run to begin with.

530
MCQhard

A cloud administrator is trying to attach an EBS volume to an EC2 instance for a database migration. The attachment fails with the error shown in the exhibit. The volume contains critical data. Which of the following is the MOST appropriate action to take?

A.Create a new volume and copy the data from the existing volume.
B.Terminate instance 'i-0123ijkl' to release the volume.
C.Force-detach the volume from the other instance.
D.Detach the volume from instance 'i-0123ijkl' first, then attach to the new instance.
AnswerD

Properly detaching ensures data integrity.

Why this answer

The error indicates the EBS volume is already attached to another EC2 instance (i-0123ijkl). An EBS volume can only be attached to one instance at a time in a standard attachment. The correct procedure is to first detach the volume from instance i-0123ijkl, then attach it to the target instance.

This preserves the critical data without risk of corruption or data loss.

Exam trap

CompTIA often tests the misconception that force-detach is the quickest fix, but the trap here is that force-detach can corrupt a database volume with critical data, whereas a proper detach is the safest and most appropriate action.

How to eliminate wrong answers

Option A is wrong because creating a new volume and copying data is unnecessary and time-consuming; the existing volume is intact and can be reattached. Option B is wrong because terminating instance i-0123ijkl would destroy the instance and potentially cause data loss if the volume is not first detached; it is an extreme and destructive action. Option C is wrong because force-detaching the volume can cause data corruption or filesystem inconsistency, especially for a database volume that may have pending writes; it should only be used as a last resort when the instance is unresponsive.

531
MCQmedium

A cloud administrator receives an alert that the CPU utilization on a production web server has exceeded 90% for the past hour. The administrator checks the metrics and sees that the request rate has increased. Which of the following is the MOST appropriate action to resolve the issue in the short term?

A.Increase the memory allocation for the virtual machine.
B.Implement rate limiting to reduce incoming requests.
C.Increase the number of vCPUs or add additional instances behind a load balancer.
D.Optimize the application code to reduce CPU usage.
AnswerC

Scaling up or out quickly addresses the increased load.

Why this answer

Option C is correct because increasing the number of vCPUs or adding additional instances behind a load balancer directly addresses the high CPU utilization caused by increased request rate. This scales the compute resources horizontally or vertically to handle the load, which is the most immediate and effective short-term action for a production web server under sustained high traffic.

Exam trap

The trap here is that candidates often confuse high CPU utilization with a memory bottleneck or incorrectly assume that rate limiting is the only way to handle increased traffic, failing to recognize that scaling compute resources is the standard operational response to sustained high load.

How to eliminate wrong answers

Option A is wrong because increasing memory allocation does not reduce CPU utilization; CPU and memory are separate resources, and high CPU usage is not resolved by adding RAM. Option B is wrong because implementing rate limiting would drop or delay legitimate user requests, degrading the user experience and potentially violating SLAs, rather than resolving the capacity issue. Option D is wrong because optimizing application code is a long-term solution that requires development cycles, testing, and deployment, and is not appropriate for an immediate short-term fix in a production environment.

532
MCQmedium

A cloud engineer is deploying a new application and needs to securely store database credentials. The credentials must be automatically rotated every 90 days. Which service should be used?

A.AWS Key Management Service (KMS)
B.AWS Systems Manager Parameter Store
C.AWS Secrets Manager
D.AWS Identity and Access Management (IAM)
AnswerC

Secrets Manager supports automatic rotation of secrets.

Why this answer

AWS Secrets Manager allows secure storage and automatic rotation of secrets such as database credentials, with configurable rotation intervals.

533
Multi-Selecthard

Which THREE of the following are valid methods to automate the deployment of cloud resources?

Select 3 answers
A.Employing configuration management tools to enforce desired state
B.Using snapshots to clone instances
C.Using infrastructure as code templates
D.Implementing orchestration tools that chain API calls
E.Writing scripts that use cloud provider CLI commands
AnswersA, C, D

Configuration management automates server configuration.

Why this answer

Option A is correct because configuration management tools like Ansible, Puppet, or Chef enforce a desired state on cloud resources. They continuously ensure that the system configuration matches the defined state, automatically correcting any drift. This is a valid method for automating deployment and maintenance of cloud resources.

Exam trap

The trap here is that candidates may confuse basic scripting (Option E) with dedicated automation methods, or think snapshot cloning (Option B) is a form of automation, when in fact the exam expects recognition of configuration management, IaC, and orchestration as the three primary valid methods for automating cloud resource deployment.

534
MCQmedium

Refer to the exhibit. A cloud load balancer is returning 502 Bad Gateway errors to clients. What is the most likely cause?

A.The load balancer's SSL certificate is invalid.
B.The security group allows inbound traffic from the load balancer.
C.The DNS record points to the wrong IP.
D.The backend web servers are not responding correctly.
AnswerD

502 errors and health check failures indicate the backend servers are not serving correctly.

Why this answer

A 502 Bad Gateway error indicates that the load balancer (acting as a proxy or gateway) received an invalid or no response from the upstream backend web servers. This typically occurs when the backend servers are overloaded, have crashed, or are misconfigured (e.g., incorrect health check path, application pool failure). The load balancer successfully forwards the request but fails to get a valid HTTP response, triggering the 502 error.

Exam trap

CompTIA often tests the distinction between HTTP status codes (502 vs. 504 vs. 503) and their root causes, trapping candidates who confuse a backend response failure (502) with a timeout (504) or an overload condition (503).

How to eliminate wrong answers

Option A is wrong because an invalid SSL certificate on the load balancer would cause SSL/TLS handshake failures (e.g., 525 or 526 errors in Cloudflare, or certificate warnings), not a 502 Bad Gateway, which is a proxy-level error unrelated to certificate validity. Option B is wrong because allowing inbound traffic from the load balancer in the security group is actually a correct configuration; if it were blocked, the load balancer would receive connection timeouts or 504 errors, not 502 errors. Option C is wrong because a DNS record pointing to the wrong IP would cause clients to reach an incorrect server or no server at all, resulting in connection failures or 404 errors, not a 502 Bad Gateway from the load balancer.

535
Multi-Selectmedium

A cloud administrator is investigating a sudden increase in cost for a production environment. The administrator wants to identify the sources of the cost increase and implement a tagging strategy for cost allocation. Which TWO actions should the administrator take? (Choose two.)

Select 2 answers
A.Implement a rightsizing recommendation report.
B.Use the cloud provider's cost explorer to analyze cost drivers.
C.Enable detailed billing reports with resource tags.
D.Purchase Reserved Instances for all resources.
E.Create a budget alert for the total monthly cost.
AnswersB, C

Cost explorer helps identify which services or resources are driving costs.

Why this answer

To identify cost sources and improve allocation, the administrator should use the cloud provider's cost explorer (e.g., AWS Cost Explorer) to analyze usage and costs, and implement a tagging strategy with environment and project tags for granular cost attribution.

536
MCQmedium

A cloud engineer is tasked with setting up a disaster recovery (DR) plan for a critical application that runs on virtual machines in a private cloud. The DR site is a public cloud. The application requires low recovery time objective (RTO) of less than 15 minutes and recovery point objective (RPO) of less than 5 minutes. Which of the following replication strategies BEST meets these requirements?

A.Replicate virtual machine images to the DR site daily.
B.Use synchronous replication to keep data identical.
C.Configure agent-based backup to the DR site every 5 minutes.
D.Use continuous asynchronous replication to the DR site.
AnswerD

Continuous replication provides near-real-time RPO (seconds to minutes) and if VMs are pre-configured, can achieve RTO under 15 minutes.

Why this answer

Option B is correct because continuous asynchronous replication can achieve low RPO (under 5 minutes) and low RTO (under 15 minutes) if VMs can be quickly started from the replicated data. Option A is wrong because daily replication cannot achieve RPO < 5 minutes. Option C is wrong because synchronous replication may introduce latency and is typically used for high consistency, but RTO may be higher if recovery involves starting VMs; also, it can affect primary performance.

Option D is wrong because backup every 5 minutes may meet RPO but RTO would be higher due to restoration time from backup.

537
MCQmedium

A company uses AWS and Azure for redundancy. They deploy the same application on both clouds to avoid vendor lock-in and improve disaster recovery. Which cloud deployment model is this?

A.Community cloud
B.Hybrid cloud
C.Private cloud
D.Multi-cloud
AnswerD

Multi-cloud uses multiple public clouds.

Why this answer

Multi-cloud uses multiple public cloud providers for redundancy and best-of-breed services.

538
MCQeasy

A company wants to be notified when their monthly AWS spending exceeds $10,000. Which AWS service should they use to set up this alert?

A.AWS Trusted Advisor
B.AWS Budgets
C.AWS Cost Explorer
D.AWS CloudWatch Alarms
AnswerB

Budgets can send alerts when costs exceed a threshold.

Why this answer

AWS Budgets allows setting cost budget thresholds and sending alerts via email or SNS when spending exceeds the limit.

539
Multi-Selectmedium

A cloud administrator is implementing network security for a VPC. The administrator needs to create a stateless firewall that filters traffic based on source and destination IP, port, and protocol. Which TWO of the following are characteristics of this type of firewall? (Select TWO.)

Select 2 answers
A.It is stateful and tracks connection state.
B.Rules are evaluated in order, starting with the lowest rule number.
C.It operates at the application layer (Layer 7).
D.Explicit outbound rules are required to allow return traffic.
E.It automatically allows response traffic for allowed inbound connections.
AnswersB, D

Stateless firewalls like NACLs evaluate rules in order.

Why this answer

Network ACLs are stateless, meaning they do not track connection state and require explicit rules for both inbound and outbound traffic. They evaluate rules in order by rule number.

540
MCQmedium

A cloud engineer is designing a disaster recovery plan for a critical application. The application requires a Recovery Time Objective (RTO) of 15 minutes and a Recovery Point Objective (RPO) of 1 hour. Which replication strategy should be used?

A.Asynchronous replication with snapshots every 30 minutes.
B.Daily backups stored in a different region.
C.No replication; rely on infrastructure rebuild.
D.Synchronous replication between two regions.
AnswerA

Snapshots every 30 minutes meet RPO of 1 hour; RTO achieved by failover.

Why this answer

Asynchronous replication with snapshots every 30 minutes meets the RPO of 1 hour because data loss is limited to at most 30 minutes of changes, which is within the 1-hour window. The RTO of 15 minutes is achievable because the replicated data is readily available in the secondary region, allowing for rapid failover without the delay of restoring from backups.

Exam trap

CompTIA often tests the misconception that synchronous replication is always the best choice for disaster recovery, but the trap here is that synchronous replication over long distances introduces unacceptable latency, making it unsuitable for applications with strict performance requirements, while asynchronous replication with appropriate snapshot intervals can meet moderate RPO/RTO goals without performance degradation.

How to eliminate wrong answers

Option B is wrong because daily backups stored in a different region cannot meet the RPO of 1 hour (data loss could be up to 24 hours) or the RTO of 15 minutes (restoring from backups typically takes hours). Option C is wrong because relying on infrastructure rebuild would result in an RTO far exceeding 15 minutes and an RPO of potentially all data since the last backup, failing both objectives. Option D is wrong because synchronous replication between two regions introduces significant latency that can degrade application performance, and while it provides an RPO of near zero, it is overkill for a 1-hour RPO and may not be feasible over long distances due to network constraints.

541
MCQeasy

A cloud security team needs to ensure that all API calls made to the cloud provider are logged and monitored for suspicious activity. Which service should be enabled?

A.Deploy a web application firewall (WAF).
B.Configure an intrusion detection system (IDS) on the network.
C.Enable cloud audit logging for the management console and API calls.
D.Implement a security information and event management (SIEM) system.
AnswerC

Audit logs capture every API call for compliance and monitoring.

Why this answer

Option A is correct because a cloud audit log (e.g., AWS CloudTrail, Azure Monitor) records all API calls. Option B is wrong because WAF inspects web traffic, not API calls. Option C is wrong because SIEM is a separate system that ingests logs.

Option D is wrong because IDS/IPS focuses on network traffic, not API-level actions.

542
MCQmedium

An organization is using a hybrid cloud model with an on-premises data center connected to a public cloud via a dedicated Direct Connect circuit. Users on the corporate network report that access to cloud resources is intermittently failing. The cloud administrator pings the cloud gateway and sees packet loss. The on-premises network team confirms no issues on their side. The administrator reviews the cloud provider's status page and finds no outages. What should the administrator do next?

A.Submit a support ticket to the cloud provider
B.Reboot the on-premises router
C.Check the bandwidth utilization on the Direct Connect circuit
D.Failover to a backup VPN connection
AnswerC

High utilization can cause packet loss and intermittent failures.

Why this answer

Option C is correct because intermittent packet loss and no provider outage suggest bandwidth saturation on the Direct Connect circuit. Option A is wrong because failing over to a VPN may not address the root cause and could mask it. Option B is wrong because rebooting the on-premises router is disruptive and doesn't troubleshoot bandwidth.

Option D is wrong because a support ticket is unlikely to help if the provider has no issues and the circuit is simply congested.

543
MCQmedium

A company uses a cloud-based logging service to aggregate logs from multiple servers. Suddenly, the logging service stops receiving logs from several servers. The administrator checks the logging agent status on those servers and finds that the agents are running but not sending data. The network connectivity between the servers and the logging service is verified as working. Which of the following is the MOST likely cause?

A.The logging service has reached its storage quota.
B.The logging endpoint configuration on the agents is incorrect.
C.The logging agent is out of memory.
D.A firewall is blocking the outbound traffic from the servers.
AnswerB

Wrong endpoint will cause logs to be sent to an invalid destination.

Why this answer

The logging agents are running but not sending data, and network connectivity is verified as working. This points to a configuration issue where the agents are pointing to an incorrect logging endpoint (e.g., wrong URL, port, or API key). Even if the service is healthy, misconfigured agents will fail to transmit logs, which matches the symptom of agents running but idle.

Exam trap

The trap here is that candidates assume a running agent implies correct configuration, but agents can run idle if they cannot reach or authenticate to the configured endpoint, even when network connectivity is fine.

How to eliminate wrong answers

Option A is wrong because if the logging service had reached its storage quota, the service would typically reject new logs or return an error, but the agents would still attempt to send data (and likely log the rejection). Option C is wrong because an out-of-memory agent would likely crash, hang, or produce errors, not remain in a running state without sending data. Option D is wrong because network connectivity between the servers and the logging service is verified as working, which directly rules out a firewall blocking outbound traffic.

544
MCQeasy

A DevOps team wants to deploy a Kubernetes application using a package manager that simplifies the deployment process by bundling all Kubernetes resources into a single package. Which tool should the team use?

A.Kustomize
B.Helm
C.Ansible
D.Terraform
AnswerB

Helm uses charts to package Kubernetes manifests, simplifying deployment and management.

Why this answer

Helm is the package manager for Kubernetes that uses charts to define, install, and upgrade even the most complex Kubernetes applications.

545
MCQeasy

Which storage type is most appropriate for a shared file system that multiple virtual machines need to mount simultaneously with read/write access?

A.Archive storage
B.File storage
C.Object storage
D.Block storage
AnswerB

File storage provides a shared file system accessible by multiple VMs.

Why this answer

File storage (e.g., Amazon EFS, Azure Files) provides a shared file system that can be mounted by multiple VMs. Block storage is attached to a single VM. Object storage does not support file system semantics like locking.

Archive storage is for long-term cold data.

546
Multi-Selecthard

Which THREE of the following are best practices when deploying a cloud application using Infrastructure as Code (IaC)? (Choose three.)

Select 3 answers
A.Store IaC templates in a version control system.
B.Break down complex deployments into reusable modules.
C.Embed credentials directly in the IaC templates.
D.Manually modify resources after deployment to tune performance.
E.Use immutable infrastructure patterns where possible.
AnswersA, B, E

Version control enables collaboration and rollback.

Why this answer

Storing IaC templates in a version control system (e.g., Git) is a best practice because it enables change tracking, rollback, collaboration, and auditability. This aligns with GitOps principles, where the version control repository serves as the single source of truth for infrastructure state, ensuring all changes are reviewed and recorded.

Exam trap

CompTIA often tests the distinction between mutable and immutable infrastructure, and the trap here is that candidates may think manual tuning (Option D) is acceptable for performance optimization, but it violates the core IaC principle of idempotent, automated deployments.

547
MCQmedium

A cloud engineer deploys the Kubernetes manifest shown in the exhibit. After deployment, the frontend pods are in CrashLoopBackOff state. The engineer checks the logs and finds 'OOMKilled' errors. Which of the following changes would resolve the issue?

A.Increase the memory limit to 1Gi.
B.Increase the number of replicas to 5.
C.Reduce the CPU limit to 250m.
D.Change the service type to ClusterIP.
AnswerA

Increasing memory limit allows the container to use more memory without being killed.

Why this answer

The 'OOMKilled' error indicates the container's memory usage exceeded its configured limit, causing the kernel's Out-Of-Memory (OOM) killer to terminate the process. Increasing the memory limit to 1Gi provides the container with more memory headroom, preventing the OOM kill and allowing the pod to run without crashing.

Exam trap

CompTIA often tests the distinction between resource limits (memory vs. CPU) and scaling strategies, trapping candidates who confuse horizontal scaling (replicas) with vertical scaling (resource limits).

How to eliminate wrong answers

Option B is wrong because increasing the number of replicas does not address the per-pod memory exhaustion; it only distributes traffic across more pods, each still subject to the same insufficient memory limit. Option C is wrong because reducing the CPU limit does not affect memory allocation; OOM kills are triggered by memory, not CPU, and lowering CPU could cause throttling but not resolve the memory shortage. Option D is wrong because changing the service type to ClusterIP only alters network exposure (internal vs. external) and has no impact on container resource limits or OOM behavior.

548
MCQmedium

A cloud engineer is using Ansible to automate the configuration of cloud resources. The engineer needs to ensure that the automation does not require any agent software to be installed on the target nodes. Which characteristic of Ansible makes this possible?

A.It uses PowerShell Desired State Configuration
B.It uses a master-agent architecture
C.It is agentless
D.It requires a pull-based model
AnswerC

Ansible operates over SSH or WinRM without needing an agent on managed nodes.

Why this answer

Ansible is agentless; it connects over SSH (Linux) or WinRM (Windows) to execute tasks without installing any software on the target.

549
MCQmedium

During a disaster recovery test, a cloud administrator discovers that the standby database in a different region is not synchronized with the primary. The primary database uses asynchronous replication. What is the MOST likely reason for the sync failure?

A.License expiration on the standby database
B.Network latency causing replication lag
C.Firewall rules blocking port 3306 between regions
D.Incorrect replication configuration using a read replica instead of a standby
AnswerB

Asynchronous replication allows lag; high latency can increase lag, causing data not to be current.

Why this answer

Option C is correct because asynchronous replication can have lag; if the primary fails before sync, data may be lost. Option A is wrong because DR test is not about licensing. Option B is wrong because replication configurations are typically cross-region.

Option D is wrong because a firewall blocking port 3306 would prevent any replication, not just async lag.

550
MCQmedium

An administrator is writing an Ansible playbook to provision cloud resources across multiple cloud providers. The playbook must manage instances in AWS, Azure, and GCP. Which Ansible concept should the administrator use to interact with each cloud provider's API?

A.Modules
B.Roles
C.Inventories
D.Playbooks
AnswerA

Modules are the components that perform actual API calls to manage resources.

Why this answer

Ansible modules are units of code that interact with cloud provider APIs. Each cloud provider has specific modules (e.g., ec2, azure_rm, gcp_compute).

551
MCQmedium

A company needs to meet PCI DSS compliance requirements for storing credit card data in the cloud. Which compliance certification should they verify their cloud provider has?

A.PCI DSS Level 1
B.ISO 27001
C.SOC 2 Type II
D.HIPAA BAA
AnswerA

PCI DSS Level 1 is required for entities handling large volumes of cardholder data.

Why this answer

PCI DSS Level 1 is the highest level for handling cardholder data.

552
MCQhard

A company operates a multi-tier web application on AWS. The web tier runs on EC2 instances behind an Application Load Balancer. The application tier runs on EC2 instances that connect to an RDS MySQL database. Recently, users have reported slow page load times. The cloud administrator investigates and finds the following: CPU utilization on web and app tier instances is below 50%, memory usage is normal, but the RDS instance's CPU utilization is consistently above 80% and the number of database connections is at the maximum. The administrator also notices that the application code opens a new database connection for each HTTP request and does not close them properly. Which action should the administrator take to resolve the performance issue?

A.Scale the RDS instance vertically to a larger instance class.
B.Implement a connection pooling mechanism in the application tier.
C.Increase the timeout for idle database connections.
D.Increase the maximum number of database connections on RDS.
AnswerB

Reduces the number of concurrent connections and reuses them, lowering CPU load.

Why this answer

The performance issue is caused by the application opening a new database connection for each HTTP request and not closing them properly, which exhausts the maximum connections on RDS. Implementing a connection pooling mechanism in the application tier reuses existing connections, reduces connection overhead, and prevents connection exhaustion without requiring a larger instance or increasing the connection limit. This directly addresses the root cause—inefficient connection management—rather than treating symptoms like high CPU or connection limits.

Exam trap

CompTIA often tests the misconception that scaling resources (vertical scaling or increasing limits) is the primary fix for performance issues, when the real problem is inefficient resource usage like connection leaks that require architectural changes such as connection pooling.

How to eliminate wrong answers

Option A is wrong because vertically scaling the RDS instance would increase CPU and memory capacity but does not fix the underlying connection leak; the application would still exhaust connections, leading to the same bottleneck. Option C is wrong because increasing the timeout for idle database connections would keep more connections open longer, exacerbating the connection exhaustion problem rather than resolving it. Option D is wrong because increasing the maximum number of database connections on RDS would allow more concurrent connections but does not address the application's failure to close connections, leading to eventual resource exhaustion and potential instability.

553
MCQeasy

A cloud administrator needs to ensure that application logs are retained for three years to comply with regulatory requirements. Which of the following is the MOST cost-effective solution?

A.Configure log rotation so only the last 30 days of logs are kept in the instance
B.Store all logs in block storage for three years
C.Use a lifecycle policy to transition logs to archive storage after 90 days and delete after three years
D.Compress old logs manually and store them in a separate volume
AnswerC

Lifecycle policies automate tiering to cost-effective storage.

Why this answer

Option C is the most cost-effective solution because it uses a lifecycle policy to automatically transition logs from hot storage to cheaper archive storage (e.g., Amazon S3 Glacier or Azure Blob Archive tier) after 90 days, then deletes them after three years. This minimizes storage costs by moving infrequently accessed data to lower-cost tiers while still meeting the three-year retention requirement without manual intervention or unnecessary use of expensive block storage.

Exam trap

The trap here is that candidates may choose block storage (Option B) because they assume all storage is equal, failing to recognize that block storage is optimized for low-latency I/O, not long-term archival, and incurs significantly higher costs than object storage with lifecycle management.

How to eliminate wrong answers

Option A is wrong because retaining only the last 30 days of logs fails to meet the three-year regulatory retention requirement, making it non-compliant. Option B is wrong because storing all logs in block storage (e.g., EBS volumes) for three years is prohibitively expensive due to high per-GB costs and lack of lifecycle tiering, and block storage is designed for high-performance workloads, not long-term archival. Option D is wrong because manually compressing logs and storing them in a separate volume still incurs block storage costs and requires ongoing manual effort, which is neither scalable nor cost-effective compared to automated lifecycle policies.

554
Multi-Selecteasy

A cloud administrator is investigating why a virtual machine is running slowly. The administrator checks the hypervisor performance metrics. Which TWO of the following metrics indicate CPU contention? (Choose TWO.)

Select 2 answers
A.High CPU ready time
B.High disk queue depth
C.High CPU co-stop time
D.High memory ballooning
E.High CPU usage percentage
AnswersA, C

CPU ready time directly measures wait time due to contention.

Why this answer

CPU ready time and co-stop time are both indicators of CPU contention. Ready time is time a VM is ready to run but waiting for CPU, co-stop time is time a VM is stopped because another vCPU in the same VM is contending. Option A (CPU usage percentage) is normal utilization, not contention.

Option D (Memory ballooning) is memory-related. Option E (Disk latency) is storage-related.

555
Multi-Selectmedium

A cloud administrator is configuring network security for a multi-tier application. Which TWO statements about security groups and network ACLs are correct?

Select 2 answers
A.Network ACLs evaluate rules before security groups.
B.Security groups can be used to deny traffic from specific IP addresses.
C.Security groups are stateless.
D.Network ACLs are stateless and require explicit allow rules for both inbound and outbound traffic.
E.Security groups support allow rules only.
AnswersD, E

Stateless means each direction must be explicitly allowed.

Why this answer

Option D is correct because network ACLs are stateless, meaning they do not automatically allow return traffic; you must explicitly define allow rules for both inbound and outbound traffic. Option E is correct because security groups are stateful and support only allow rules; you cannot create a deny rule within a security group, and any traffic not explicitly allowed is implicitly denied.

Exam trap

The trap here is confusing stateful security groups with stateless network ACLs, leading candidates to incorrectly think security groups can deny specific IPs or that network ACLs are evaluated first, when in fact security groups are evaluated at the instance level before network ACLs at the subnet boundary.

556
Multi-Selecthard

A company is designing a highly available architecture for a critical application. The solution must tolerate the failure of an entire availability zone. Which TWO design principles should be implemented? (Choose two.)

Select 2 answers
A.Deploy instances in a single availability zone
B.Use RAID 0 for all instance storage
C.Use a single load balancer without health checks
D.Use a load balancer with health checks and cross-zone load balancing
E.Deploy instances across multiple availability zones
AnswersD, E

Correct. Health checks and cross-zone balancing help route traffic to healthy instances.

Why this answer

To tolerate an AZ failure, deploy across multiple AZs and use active-active or active-passive with failover. So deploying across multiple AZs and using a load balancer with health checks to route traffic away from failed AZ are correct.

557
Multi-Selectmedium

A security team is implementing encryption for a cloud-based database. The compliance requirements mandate that encryption keys be managed by the customer and rotated every 90 days. Which THREE of the following should the team use? (Select THREE).

Select 3 answers
A.Store the encryption key in a configuration file
B.Use TLS 1.2+ for data in transit
C.Integrate with the cloud KMS using customer-managed keys
D.Enable encryption at rest using AES-256
E.Configure automatic key rotation every 90 days
AnswersC, D, E

Customer-managed keys give the customer control over key rotation.

Why this answer

Encryption at rest with AES-256, a cloud KMS with customer-managed keys, and automated key rotation meet the requirements. TLS secures data in transit but is not about key management.

558
Matchingmedium

Match each cloud deployment model to its description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Shared infrastructure over the internet

Dedicated to a single organization

Combination of public and private

Shared by several organizations with common concerns

Why these pairings

Deployment models define ownership and access scope.

559
MCQhard

A cloud administrator notices that an auto-scaling group is frequently adding and removing instances due to brief spikes in CPU usage. What should be adjusted to stabilize the scaling activity?

A.Increase the cooldown period
B.Increase the maximum instance count
C.Decrease the minimum instance count
D.Decrease the cooldown period
AnswerA

A longer cooldown allows metrics to stabilize before further scaling.

Why this answer

Increasing the cooldown period or adjusting the evaluation period can prevent flapping.

560
MCQmedium

A company uses a cloud load balancer to distribute traffic to a group of web servers. After a recent update, some users report being redirected to a maintenance page when the application is actually available. What is the most likely cause?

A.The load balancer health check is misconfigured and marking healthy instances as unhealthy.
B.The load balancer's SSL certificate has expired.
C.The DNS record for the load balancer has a short TTL.
D.The web servers are not configured with the same security group.
AnswerA

A misconfigured health check can cause the load balancer to stop sending traffic to healthy instances, redirecting users to a maintenance page.

Why this answer

The most likely cause is that the load balancer's health check is misconfigured, causing it to incorrectly mark healthy web servers as unhealthy. When all instances are marked unhealthy, the load balancer has no available targets and may route traffic to a fallback maintenance page or return an error. This explains why users see a maintenance page despite the application being available.

Exam trap

CompTIA often tests the distinction between health check misconfiguration and other common issues like SSL or DNS, so candidates may mistakenly choose an expired SSL certificate because they associate 'maintenance page' with security errors, but the correct cause is the load balancer's health check marking healthy instances as unhealthy.

How to eliminate wrong answers

Option B is wrong because an expired SSL certificate would cause TLS handshake errors (e.g., certificate warnings or connection failures), not a redirect to a maintenance page. Option C is wrong because a short TTL on the DNS record affects how quickly DNS changes propagate, but it does not cause the load balancer to redirect traffic to a maintenance page. Option D is wrong because mismatched security groups would block traffic at the network level, resulting in timeouts or connection refused errors, not a maintenance page redirect.

561
MCQmedium

A cloud engineer is managing AWS infrastructure with Terraform and wants to store the state file remotely to enable team collaboration. Which storage option should the engineer configure in the backend block?

A.Google Cloud Storage
B.Local file system
C.Azure Blob Storage
D.Amazon S3
AnswerD

S3 is the standard backend for AWS Terraform state.

Why this answer

Terraform supports multiple remote backends. For AWS, S3 is the recommended backend for storing state files, providing durability and locking via DynamoDB.

562
MCQmedium

A cloud engineer is setting up automated patching for Linux instances in AWS. They need to define a maintenance window during which patches are applied. Which service should they use?

A.AWS Config
B.AWS OpsWorks
C.AWS Systems Manager Patch Manager
D.Amazon Inspector
AnswerC

Patch Manager automates patching with schedules.

Why this answer

AWS Systems Manager Patch Manager provides automated patching with maintenance windows.

563
MCQhard

An organization is adopting Infrastructure as Code (IaC) for their cloud deployments. They need to ensure that the configuration files are version-controlled and changes are audited. Which combination of tools should they use?

A.Puppet and Jenkins
B.Terraform and Ansible
C.Terraform and Git
D.CloudFormation and Chef
AnswerC

Terraform for IaC, Git for version control and audit.

Why this answer

Option C is correct because Git provides version control and audit trails for Infrastructure as Code (IaC) configuration files, while Terraform is the IaC tool that manages cloud resources declaratively. Together, they satisfy the requirement for version-controlled, auditable configuration files, as Git tracks every change with commit history and Terraform's state files can be stored in Git for change tracking.

Exam trap

CompTIA often tests the distinction between Infrastructure as Code tools (like Terraform) and configuration management tools (like Ansible, Puppet, Chef), and the trap here is that candidates confuse configuration management with version control, assuming tools like Ansible or Puppet provide audit trails when they do not.

How to eliminate wrong answers

Option A is wrong because Puppet is a configuration management tool, not a version control system, and Jenkins is a CI/CD automation server; neither directly provides version control or audit trails for IaC configuration files. Option B is wrong because while Terraform is an IaC tool, Ansible is a configuration management tool that does not inherently provide version control; the combination lacks a dedicated version control system like Git. Option D is wrong because CloudFormation is an IaC tool for AWS, but Chef is a configuration management tool, not a version control system; this pair does not include a tool for version control or auditing.

564
MCQhard

A company is using AWS CloudFormation to deploy a multi-tier application. The stack includes an Auto Scaling group and an Application Load Balancer. The operations team reports that deployments are failing because the new instances are not passing health checks. Which CloudFormation template attribute should be modified to ensure that the stack update rolls back automatically if the health check fails?

A.Add an UpdatePolicy attribute to the Auto Scaling group.
B.Use a CreationPolicy attribute on the Auto Scaling group with a timeout and signal count.
C.Modify the DeletionPolicy attribute of the instances.
D.Set the DependsOn attribute to ensure the load balancer is created first.
AnswerB

CreationPolicy ensures instances are healthy before marking resource as created.

Why this answer

Option B is correct because the CreationPolicy attribute on an Auto Scaling group, when combined with a timeout and a signal count, instructs CloudFormation to wait for a specified number of success signals from the new instances before considering the resource creation complete. If the signals are not received within the timeout (e.g., because the instances fail health checks and never report as healthy), CloudFormation treats the creation as failed and automatically rolls back the stack update. This directly addresses the requirement to roll back on health check failure.

Exam trap

CompTIA often tests the distinction between CreationPolicy (which waits for signals before marking resource creation as complete) and UpdatePolicy (which manages rolling updates but does not inherently enforce health check-based rollbacks), leading candidates to incorrectly choose UpdatePolicy when the question specifically asks for rollback on health check failure.

How to eliminate wrong answers

Option A is wrong because the UpdatePolicy attribute on an Auto Scaling group controls rolling update behavior (e.g., batch size, pause time) but does not inherently trigger a rollback based on health check failures; it relies on the CreationPolicy or a separate health check configuration. Option C is wrong because the DeletionPolicy attribute determines what happens to resources when a stack is deleted (e.g., retain, snapshot), not how creation or update failures are handled. Option D is wrong because the DependsOn attribute only ensures resource creation order (e.g., load balancer before Auto Scaling group) but does not affect rollback behavior on health check failures.

565
Multi-Selectmedium

A cloud administrator is planning a migration of on-premises workloads to a public cloud. Which THREE factors should the administrator consider to ensure minimal downtime? (Choose three.)

Select 3 answers
A.Application compatibility
B.Data compression
C.Network bandwidth
D.Transfer time window
E.Cost of data transfer
AnswersA, C, D

Ensuring the application runs in the cloud avoids rollbacks and extended downtime.

Why this answer

Application compatibility (A) is critical because incompatible applications may fail to run in the cloud environment, requiring re-architecture or re-platforming that can cause extended downtime. Ensuring applications are compatible with the target cloud's OS, hypervisor, and dependencies allows for a smoother cutover with minimal service interruption.

Exam trap

Cisco often tests the distinction between factors that directly affect downtime duration (bandwidth, transfer window, compatibility) versus operational or cost-related factors (compression, cost) that do not inherently minimize downtime.

566
MCQmedium

A cloud architect is designing a multi-tier application. The application tier needs to access a database, but the database should not be reachable from the internet. Which network security control should be used?

A.Place the database in a private subnet and use a security group to allow traffic only from the application tier
B.Encrypt the database connection using TLS
C.Use a VPN to connect the application tier to the database
D.Place the database in a public subnet with restrictive security groups
AnswerA

Private subnets have no internet gateway, and security groups can restrict access to only the application tier.

Why this answer

Placing the database in a private subnet with no direct internet route ensures it is not reachable from the internet. Security groups can then allow inbound traffic only from the application tier's security group.

567
Multi-Selecteasy

A company is adopting Infrastructure as Code (IaC) to manage its cloud resources. Which THREE statements are true about IaC? (Select THREE.)

Select 3 answers
A.IaC allows for automated provisioning of infrastructure
B.IaC eliminates the need for manual configuration changes
C.IaC is only applicable for immutable infrastructure
D.IaC configurations are typically stored in version control
E.IaC ensures that deployments are repeatable and consistent
AnswersA, D, E

Automation is a key benefit.

Why this answer

IaC enables automation, idempotency, and version control. Manual changes are not required; IaC can be used for both mutable and immutable infrastructure.

568
MCQhard

During a security audit, an organization discovers their cloud-based database is accessible from any public IP address due to a firewall rule allowing 0.0.0.0/0 on port 3306 (MySQL). The database must remain accessible to remote developers working from home. What is the most effective remediation?

A.Remove the firewall rule entirely and rely on database IAM authentication.
B.Enable encryption in transit using TLS and keep the rule as is.
C.Change the firewall rule to allow only specific known developer IP ranges.
D.Move the database to a private subnet without a NAT gateway.
AnswerC

This minimizes attack surface while preserving access.

Why this answer

Option C is correct because restricting to specific trusted IP ranges reduces exposure while maintaining remote access.

569
MCQeasy

A cloud administrator is troubleshooting a performance issue where a web application experiences intermittent slowdowns. The application is deployed on a public cloud IaaS with auto-scaling. What should the administrator check first?

A.Verify load balancer configuration
B.Check CPU utilization of all instances
C.Analyze database query performance
D.Review network latency between tiers
AnswerA

Load balancer misconfiguration can cause intermittent failures.

Why this answer

Option D is correct because a misconfigured load balancer can cause uneven traffic distribution, leading to intermittent slowdowns. Option A is wrong because CPU utilization spikes might be a symptom, not the root cause, and auto-scaling should handle it. Option B is wrong because network latency is less likely to be intermittent.

Option C is wrong because database queries are a deeper layer to investigate after network and application tiers.

570
MCQmedium

An organization wants to deploy a new microservice to a Kubernetes cluster with zero downtime. The deployment should update pods gradually by replacing old pods with new ones, and if the new pods fail health checks, the rollout should stop. Which Kubernetes deployment strategy meets these requirements?

A.Canary
B.Recreate
C.Rolling update
D.Blue/green
AnswerC

Rolling update gradually replaces pods and can be configured to stop on failed readiness probes.

Why this answer

A rolling update strategy in Kubernetes replaces pods incrementally and can be configured to pause on failed health checks.

571
MCQmedium

Refer to the exhibit. A cloud engineer is troubleshooting network connectivity to a server with IP 10.0.0.5. The server is on the same subnet. Based on the iptables rules shown, what is the most likely cause of the connectivity failure?

A.The FORWARD chain policy drops all traffic
B.The OUTPUT chain rejects all traffic to the server
C.The DROP rule in INPUT has zero packet count, so it is not effective
D.The INPUT chain drops all traffic destined to the 10.0.0.0/8 network
AnswerD

Correct; the DROP rule in INPUT blocks traffic to 10.0.0.0/8.

Why this answer

Option D is correct because the INPUT chain has a rule that drops all traffic destined to the 10.0.0.0/8 network, which includes the target server at 10.0.0.5. Since the server is on the same subnet, traffic to it must traverse the INPUT chain on the local system, and this DROP rule will match and discard packets before any other rule can accept them. The rule's position and destination match make it the most direct cause of the connectivity failure.

Exam trap

The trap here is that candidates often overlook the INPUT chain's destination match and assume the FORWARD chain is responsible for same-subnet traffic, or they misinterpret a zero packet count as an inactive rule, when in fact the rule is simply waiting for matching traffic.

How to eliminate wrong answers

Option A is wrong because the FORWARD chain only applies to traffic being routed through the system, not to traffic destined for the local system itself; since the server is on the same subnet, packets to 10.0.0.5 are not forwarded but processed locally via the INPUT chain. Option B is wrong because the OUTPUT chain controls traffic leaving the local system, not incoming traffic to the server; rejecting OUTPUT traffic would prevent the local system from sending packets, but the issue is about connectivity to the server, which is inbound. Option C is wrong because a DROP rule with a zero packet count simply means no packets have matched it yet; it is still present and effective in the ruleset, and once traffic matches, the count will increment—zero count does not imply the rule is inactive or ineffective.

572
MCQeasy

A company uses a cloud-based backup solution for its virtual machines. The backup policy specifies daily backups with a retention of 30 days. The backup administrator notices that backups are failing with an error indicating insufficient storage space in the backup repository. Which of the following is the most likely reason for this issue?

A.The retention period is too long for the available storage.
B.The backup frequency is too low.
C.Compression is not enabled on the backup.
D.The backup window is too short.
AnswerA

Longer retention means more backups accumulate, consuming storage.

Why this answer

The error indicates insufficient storage space in the backup repository. With a daily backup policy and a 30-day retention period, the repository must accommodate at least 30 full backups (or the equivalent incremental/differential chain). If the repository's capacity is less than the total size of 30 backups, the retention period exceeds the available storage, causing failures.

This is the most direct cause of the error.

Exam trap

The trap here is that candidates may confuse 'insufficient storage' with backup window or frequency issues, but the error is explicitly capacity-related, making retention period length the root cause when storage is fixed.

How to eliminate wrong answers

Option B is wrong because a lower backup frequency (e.g., weekly instead of daily) would reduce storage consumption, not cause an insufficient space error; the issue is high consumption relative to retention, not frequency. Option C is wrong because while compression reduces backup size, its absence would increase storage usage but not directly cause a failure unless the repository is already at capacity; the error message specifically cites insufficient space, not a configuration issue. Option D is wrong because a short backup window might cause timeouts or incomplete backups, but it would not produce an 'insufficient storage space' error; that error is purely capacity-related.

573
MCQeasy

Which cloud service model gives the customer the most control over the operating system and applications, while the provider manages the physical hardware, network, and storage?

A.FaaS
B.PaaS
C.SaaS
D.IaaS
AnswerD

IaaS provides VMs, storage, networking; customer manages OS and above.

Why this answer

IaaS provides virtualized computing resources where the customer manages the OS, applications, and middleware, while the provider manages the underlying infrastructure.

574
MCQhard

A cloud engineer is troubleshooting a web application that is not responding. The engineer examines the serial console output of the web-server instance and finds the error shown in the exhibit. What is the MOST likely cause of this issue?

A.The service account associated with the instance is missing the required permissions.
B.The instance is in a STOPPED state and cannot execute user data scripts.
C.The instance does not have a public IP address assigned.
D.A firewall rule is blocking traffic to the metadata server IP address 169.254.169.254.
AnswerD

The metadata server is accessed via link-local address; blocking this traffic prevents metadata retrieval.

Why this answer

The error shown in the serial console output indicates that the instance cannot reach the metadata server at 169.254.169.254. This IP address is a link-local address used by cloud providers (e.g., AWS, GCP, Azure) to serve instance metadata, including user data scripts. If a firewall rule blocks traffic to this IP, the instance cannot retrieve its user data, causing the web application to fail to start or respond.

Exam trap

The trap here is that candidates often associate connectivity issues with public IPs or firewall rules blocking external traffic, but the metadata server is an internal link-local address, so the firewall rule must be blocking internal traffic to 169.254.169.254 specifically.

How to eliminate wrong answers

Option A is wrong because the error is about network connectivity to the metadata server, not about IAM or service account permissions; missing permissions would cause API call failures, not a connection timeout to 169.254.169.254. Option B is wrong because if the instance were in a STOPPED state, there would be no serial console output or running processes to troubleshoot; the error implies the instance is running but cannot reach the metadata server. Option C is wrong because a public IP address is not required for an instance to access the metadata server; the metadata server is accessible via the link-local address 169.254.169.254 from within the instance regardless of public IP assignment.

575
MCQeasy

A company decides to use AWS for compute and Azure for storage to leverage best-of-breed services. This is an example of which cloud deployment model?

A.Multi-cloud
B.Community cloud
C.Public cloud
D.Hybrid cloud
AnswerA

Using multiple public cloud providers for different services is multi-cloud.

Why this answer

Multi-cloud refers to using multiple public cloud providers simultaneously.

576
MCQmedium

A company is migrating a legacy on-premises application to a cloud VM. The application requires a static private IP address for compliance. During a disaster recovery failover, the VM must automatically retain the same IP address in the secondary region. Which solution should be used?

A.Provision a reserved static private IP address that can be reassigned to the new VM.
B.Use a dynamic IP address and update DNS after failover.
C.Use a load balancer with a fixed IP and point it to the VM's current private IP.
D.Assign an elastic IP (public) and configure a VPN.
AnswerA

Reserved static IPs are portable and can be assigned to another VM in another region.

Why this answer

Option B is correct because a reserved IP address can be assigned to a VM and can be moved between regions for failover. Option A is wrong because dynamic IP will change. Option C is wrong because elastic IPs are public.

Option D is wrong because a load balancer may change the backend IP.

577
MCQeasy

A cloud engineer needs to deploy a Lambda function that processes objects uploaded to an S3 bucket. The function code is stored in a .zip file. Which event trigger should the engineer configure to invoke the function automatically?

A.S3 event notification
B.API Gateway
C.SQS
D.EventBridge
AnswerA

S3 events can trigger Lambda directly on object creation.

Why this answer

S3 can send event notifications to Lambda when objects are created, making it the appropriate trigger for this use case.

578
MCQeasy

A company is experiencing latency issues when accessing a cloud-based application. The cloud administrator runs a traceroute and notices high latency at the ISP's edge router. Which of the following is the MOST likely cause?

A.An internet service provider (ISP) issue is degrading the WAN connection
B.A misconfigured firewall rule is dropping packets
C.The load balancer is sending traffic to unhealthy instances
D.The virtual machine hosting the application is under-provisioned
AnswerA

High latency at ISP edge router indicates WAN connection issue.

Why this answer

High latency at the ISP's edge router indicates that the bottleneck is occurring on the WAN link between the company's network and the cloud provider, which is under the ISP's control. This is a classic symptom of an ISP issue, such as congestion, routing problems, or a degraded physical link, directly impacting the WAN connection. The traceroute output localizes the latency to the ISP's infrastructure, not to the company's internal network or the cloud application's resources.

Exam trap

CompTIA often tests the distinction between latency caused by network infrastructure (ISP) versus application or server performance issues, and the trap here is that candidates may attribute high latency to internal misconfigurations (like firewalls or load balancers) when the traceroute clearly isolates the problem to an external hop.

How to eliminate wrong answers

Option B is wrong because a misconfigured firewall rule dropping packets would cause packet loss or connectivity failures, not consistently high latency at a specific hop; dropped packets would result in retransmissions and timeouts, not a steady latency increase. Option C is wrong because a load balancer sending traffic to unhealthy instances would cause application errors or timeouts, but the latency would appear at the application layer or after the load balancer, not at the ISP's edge router. Option D is wrong because an under-provisioned virtual machine would cause high CPU or memory utilization leading to application slowness, but the latency would be observed at the VM or within the cloud provider's network, not at the ISP's edge router.

579
MCQmedium

A cloud administrator notices that an Auto Scaling group is launching and terminating instances too frequently, causing instability. What should the administrator adjust to reduce this flapping behavior?

A.Disable the cooldown period
B.Decrease the cooldown period
C.Increase the scale-out threshold
D.Increase the cooldown period
AnswerD

A longer cooldown prevents rapid scaling actions.

Why this answer

Increasing the cooldown period gives instances time to stabilize before additional scaling actions, reducing flapping.

580
MCQhard

A company uses an auto-scaling group to handle variable web traffic. The scaling policy is based on CPU utilization. However, during a flash sale, the application experiences a sudden spike in traffic, and the auto-scaling group takes too long to launch new instances. Which design change would most effectively reduce the time to scale out?

A.Use larger instance types to handle more traffic
B.Lower the CPU utilization threshold
C.Increase the cooldown period
D.Use scheduled scaling to pre-warm instances before the sale
AnswerD

Proactive scaling reduces response time.

Why this answer

Using a predictive scaling policy or scheduled scaling can anticipate traffic spikes and pre-warm instances, reducing launch delay. Alternatively, increasing the cooldown period would slow scaling. Lowering the threshold would cause earlier scaling but not necessarily reduce launch time.

Using larger instances is vertical scaling, not addressing launch delay.

581
Multi-Selecthard

Which THREE of the following are valid methods to manage identity and access in a multi-cloud environment?

Select 3 answers
A.Set up a site-to-site VPN between the on-premises network and each cloud.
B.Implement a federation using SAML 2.0 between the corporate identity provider and each cloud.
C.Assign resource tags and use them in attribute-based access control (ABAC) policies.
D.Use a single shared API key for all clouds to simplify automation.
E.Deploy a cloud access security broker (CASB) to enforce access policies across clouds.
AnswersB, C, E

Federation allows SSO and centralized identity management.

Why this answer

Options A, B, and D are correct. A single sign-on (SSO) with federation allows centralized access control, cloud access security brokers (CASB) enforce policies across clouds, and resource tags combined with access policies can automate access. Option C is wrong because shared keys are not identity-based.

Option E is wrong because VPNs are for network, not identity.

582
Multi-Selecthard

A cloud administrator is troubleshooting performance issues with a cloud object storage bucket that is used for storing large amounts of small files. The application reads and writes objects frequently. Which three actions could improve the performance? (Choose three.)

Select 3 answers
A.Use a multi-region bucket to reduce latency.
B.Increase the number of concurrent requests from the application.
C.Enable transfer acceleration using a CDN.
D.Enable versioning to avoid overwrites.
E.Use a prefix naming scheme that distributes objects across multiple partitions.
AnswersB, C, E

Increasing concurrency can improve throughput as long as the backend can handle it.

Why this answer

Options C, D, and E are correct. Option A is wrong because multi-region buckets increase write latency due to replication. Option B is wrong because versioning adds overhead.

C uses prefix naming to increase request rate, D uses transfer acceleration for faster uploads, and E increases throughput via concurrency.

583
Multi-Selecthard

Which THREE of the following are valid considerations when selecting a cloud deployment model (public, private, hybrid)? (Choose three.)

Select 3 answers
A.Regulatory compliance requirements.
B.Budget and total cost of ownership.
C.Developers' preferred programming languages.
D.Latency sensitivity of the application.
E.Cloud provider's marketing claims.
AnswersA, B, D

Some data must remain on-premises.

Why this answer

Regulatory compliance requirements (A) are a primary consideration because certain industries (e.g., healthcare, finance) mandate data residency and privacy controls that may only be satisfied by a private or dedicated public cloud infrastructure. Budget and total cost of ownership (B) directly influence the choice between capital-intensive private cloud deployments and operational-expense-based public cloud services. Latency sensitivity (D) dictates whether an application requires on-premises private cloud resources to avoid network jitter and meet strict SLAs, or can tolerate the higher latency of a public cloud.

Exam trap

CompTIA often tests that candidates confuse operational preferences (like programming languages) with architectural constraints, leading them to select C as a valid consideration when it is irrelevant to the deployment model decision.

584
MCQhard

A company experiences a data breach where an attacker exfiltrated data from a cloud storage bucket. The security team discovers that the bucket had a policy allowing public access. The cloud administrator had previously set the bucket to be private. Which of the following is the MOST likely reason the bucket became public?

A.An IAM role with administrative privileges applied a bucket policy that overrode the private setting.
B.The bucket had versioning enabled, which reverted to a previous public state.
C.Access logs were not enabled, so the change was not recorded.
D.Server-side encryption was disabled, causing the bucket to become public.
AnswerA

A bucket policy can supersede the block public access settings if the role has sufficient permissions.

Why this answer

A bucket policy that grants public access (e.g., `Principal: "*"` with `Effect: "Allow"`) can override the private block public access setting at the bucket level. Even if the cloud administrator set the bucket to private via the console or ACLs, an IAM role with administrative privileges can apply a bucket policy that explicitly allows public access, effectively making the bucket public. This is because bucket policies are evaluated separately and can grant permissions that supersede other access controls.

Exam trap

CompTIA often tests the misconception that setting a bucket to private in the console or via ACLs is sufficient to prevent public access, ignoring that a bucket policy can independently grant public access and override those settings.

How to eliminate wrong answers

Option B is wrong because enabling versioning does not revert bucket policies or access settings to a previous state; versioning only preserves object versions and does not affect access control configurations. Option C is wrong because access logs record actions but do not prevent or cause changes to bucket permissions; the lack of logging is a monitoring issue, not a cause of the bucket becoming public. Option D is wrong because disabling server-side encryption affects data encryption at rest, not access permissions; encryption settings have no impact on whether a bucket is public or private.

585
MCQhard

A company uses GCP and wants to ensure that log entries from Compute Engine instances are automatically exported to BigQuery for analysis. The logs must include structured JSON data. Which GCP service should be configured to route logs?

A.Cloud Audit Logs
B.Cloud Functions
C.Cloud Monitoring
D.Cloud Logging using sinks
AnswerD

Sinks export logs to destinations like BigQuery.

Why this answer

Cloud Logging can route logs to BigQuery using sinks. It accepts structured logs in JSON format.

586
MCQeasy

A cloud administrator needs to apply a critical security patch to a virtual machine that is part of a production application. The application must remain available during patching. Which of the following is the BEST approach?

A.Postpone the patch until the next scheduled update cycle
B.Remove the VM from the load balancer, apply the patch, then return it to service during a maintenance window
C.Patch all VMs simultaneously to minimize the time to full deployment
D.Apply the patch during peak usage hours to ensure immediate deployment
AnswerB

Rolling patching maintains availability.

Why this answer

Removing the VM from the load balancer ensures that no new traffic is sent to it while the patch is applied, maintaining application availability for users. After the patch is applied and the VM is verified as healthy, it can be returned to the load balancer pool. This approach aligns with a rolling update strategy, which is the standard method for applying patches to production VMs without downtime.

Exam trap

The trap here is that candidates may think patching all VMs simultaneously is faster and therefore better, but they overlook the critical requirement of maintaining application availability, which is explicitly stated in the question.

How to eliminate wrong answers

Option A is wrong because postponing a critical security patch leaves the application vulnerable to exploitation, which violates security best practices and compliance requirements. Option C is wrong because patching all VMs simultaneously would cause a complete application outage, as no VM would be available to serve traffic during the patching process. Option D is wrong because applying the patch during peak usage hours increases the risk of performance degradation or service disruption, and contradicts the standard practice of scheduling maintenance during low-traffic periods.

587
MCQmedium

A cloud engineer is writing a Bicep file to deploy Azure resources. Bicep is a domain-specific language (DSL) that transpiles to ARM templates. Which of the following is a benefit of using Bicep over ARM JSON templates?

A.Bicep automatically manages state
B.Bicep reduces code verbosity and supports modules
C.Bicep is natively executed by Azure Resource Manager
D.Bicep supports imperative scripting
AnswerB

Bicep syntax is concise and supports modular templates.

Why this answer

Bicep provides a simpler syntax with less boilerplate, modularity, and reusable modules. It reduces complexity compared to raw ARM JSON.

588
Multi-Selectmedium

A cloud architect is reviewing costs for a production environment. The environment uses a mix of EC2 instances and RDS databases. Which THREE of the following are effective cost optimization strategies?

Select 3 answers
A.Use reserved instances for baseline capacity
B.Implement storage lifecycle policies to move old data to cheaper storage tiers
C.Use all SSD storage for all data to maximize performance
D.Rightsize instances based on actual utilization metrics
E.Run all instances 24/7 to ensure availability
AnswersA, B, D

Reserved instances offer significant discounts for predictable workloads.

Why this answer

Reserved instances provide discounts for steady-state usage. Storage lifecycle policies move data to cheaper tiers over time. Rightsizing ensures resources match workload requirements, reducing waste.

Using all SSD even for cold data is expensive. Running instances 24/7 when not needed increases costs unnecessarily.

589
MCQhard

A cloud engineer is troubleshooting a performance issue in a multi-tier application on AWS. The web tier shows high latency, but the application logs indicate no errors. The engineer wants to trace a request end-to-end across services. Which AWS service should be used?

A.VPC Flow Logs
B.Amazon CloudWatch Logs
C.AWS CloudTrail
D.AWS X-Ray
AnswerD

X-Ray provides end-to-end tracing to analyze and debug distributed applications.

Why this answer

AWS X-Ray provides distributed tracing, allowing you to trace requests as they travel through your application and identify performance bottlenecks.

590
MCQhard

A company wants to migrate a 50 TB on-premises SQL Server database to Amazon RDS for MySQL with minimal downtime. The source database is 3 TB and continues to receive writes. Which service should the cloud architect use to perform the migration with ongoing replication?

A.AWS DMS
B.AWS Snowball
C.AWS S3 Transfer Acceleration
D.AWS DataSync
AnswerA

AWS DMS supports CDC replication, allowing near-zero downtime migration.

Why this answer

AWS Database Migration Service (DMS) supports ongoing replication via change data capture (CDC) to migrate with minimal downtime.

591
MCQeasy

A virtual machine in a cloud environment is experiencing high disk I/O latency. The administrator checks the performance metrics and sees that the disk queue length is consistently above 100. What is the best immediate action?

A.Attach an additional disk and stripe the data
B.Upgrade the VM's network bandwidth
C.Migrate the VM to a host with faster disks
D.Increase the VM's memory
AnswerA

Stripping adds parallelism, reducing queue depth and improving latency.

Why this answer

Option C is correct because attaching additional disks and striping (e.g., RAID 0) distributes I/O, reducing queue length. Option A is wrong because memory does not affect disk I/O. Option B is wrong because migration to a different host may not change disk performance.

Option D is wrong because network bandwidth is unrelated.

592
MCQmedium

A cloud administrator notices that an application's latency has increased. The application is distributed across multiple microservices. Which tool can help trace requests across services to identify the bottleneck?

A.AWS CloudWatch Logs
B.Amazon Inspector
C.AWS X-Ray
D.AWS CloudTrail
AnswerC

X-Ray traces requests across services to identify latency sources.

Why this answer

AWS X-Ray provides end-to-end tracing of requests as they travel through your application, helping to pinpoint performance issues and errors.

593
MCQhard

A cloud engineer is troubleshooting an issue where a virtual machine (VM) in a VPC cannot communicate with an on-premises database server through a site-to-site VPN. The VPN tunnel status shows 'UP' and the on-premises firewall logs show packets from the VM's public IP (but the VM is in a private subnet with no public IP). What is the MOST likely cause?

A.The on-premises firewall is blocking the VM's private IP address.
B.The VM's security group is blocking outbound traffic to the on-premises subnet.
C.The route table for the subnet is missing a route to the on-premises network via the VPN.
D.The VPN tunnel is misconfigured with mismatched pre-shared keys.
AnswerC

Without proper route, traffic may exit through an internet gateway or NAT, resulting in public IP source.

Why this answer

The VPN tunnel status is 'UP' and the on-premises firewall sees packets from the VM's public IP, but the VM is in a private subnet with no public IP. This indicates that the VM's traffic is being sent to the internet instead of through the VPN tunnel. The most likely cause is that the subnet's route table lacks a specific route directing traffic destined for the on-premises network to the virtual private gateway (VGW) or VPN connection, causing the traffic to be routed to the internet gateway (IGW) and source-NATed to the public IP.

Exam trap

The trap here is that candidates see 'VPN tunnel UP' and assume the VPN is fully functional, overlooking that routing (the route table) is a separate layer that must direct traffic into the tunnel; the tunnel being up does not guarantee traffic is being sent through it.

How to eliminate wrong answers

Option A is wrong because the on-premises firewall logs show packets from the VM's public IP, not its private IP, so the firewall is not blocking the private IP; the issue is that the private IP is not being used for the VPN traffic. Option B is wrong because security groups are stateful and, by default, allow all outbound traffic; even if outbound rules were restrictive, the traffic would still be dropped at the VM level, not appear at the on-premises firewall with a public IP. Option D is wrong because mismatched pre-shared keys would prevent the VPN tunnel from establishing, but the tunnel status is 'UP', indicating the Phase 1 and Phase 2 negotiations succeeded.

594
MCQhard

During a disaster recovery drill, a cloud engineer discovers that the RTO for a critical application is not being met. The application runs on EC2 instances with data in EBS volumes. Which change would most likely improve the RTO?

A.Increase the frequency of EBS snapshots from daily to hourly
B.Enable cross-region replication for the EBS snapshots
C.Configure scheduled scaling to pre-warm instances in the recovery region
D.Increase the EC2 instance size in the recovery region
AnswerB

Having snapshots already in the recovery region eliminates the time needed to copy them during recovery.

Why this answer

Cross-region replication of EBS snapshots reduces the time to have data available in the recovery region. Changing replication frequency doesn't affect recovery time if snapshots are not pre-replicated. Using larger instances may not help if data transfer is the bottleneck.

Scheduled scaling is unrelated to DR recovery.

595
MCQhard

A financial services company is migrating a critical application to a hybrid cloud environment. The application must maintain sub-millisecond latency between the front-end and back-end components. The on-premises data center is located in New York, and the cloud region chosen is AWS us-east-1. The network team has established a dedicated AWS Direct Connect connection. After deploying the application, latency tests show 2 ms on average, which is acceptable. However, during peak hours, latency spikes to 10 ms. The cloud administrator suspects that the spike is due to increased traffic going over the VPN backup link instead of Direct Connect. What should the administrator do to resolve the issue?

A.Move the application to a different AWS region closer to the on-premises data center.
B.Configure the cloud resources to use only the Direct Connect connection and disable the VPN.
C.Increase the bandwidth of the VPN backup link.
D.Implement traffic shaping to prioritize application traffic over the Direct Connect link.
AnswerB

Ensures all traffic uses the low-latency Direct Connect.

Why this answer

Option B is correct because the latency spike during peak hours is caused by traffic failing over to the VPN backup link, which introduces higher latency and potential congestion. By configuring cloud resources to use only the Direct Connect connection and disabling the VPN, the administrator ensures all traffic stays on the low-latency, dedicated path. This eliminates the possibility of traffic being routed over the VPN, which is typically slower and less reliable than Direct Connect.

Exam trap

The trap here is that candidates may assume increasing bandwidth or traffic shaping will fix the latency issue, but the real problem is that traffic is incorrectly routed over the VPN backup link, not that the Direct Connect link is saturated.

How to eliminate wrong answers

Option A is wrong because moving the application to a different AWS region would not resolve the issue of traffic using the VPN backup link; the latency spike is due to routing misconfiguration, not geographic distance. Option C is wrong because increasing the bandwidth of the VPN backup link does not address the root cause—traffic should not be using the VPN at all during peak hours; the VPN link itself introduces higher latency regardless of bandwidth. Option D is wrong because traffic shaping prioritizes traffic on the Direct Connect link but does not prevent traffic from failing over to the VPN; the issue is that traffic is being routed over the VPN, not that the Direct Connect link is congested.

596
MCQhard

A multinational corporation is deploying a new application across multiple cloud regions for disaster recovery. The application requires consistent low latency for users globally. The architect decides to use a content delivery network (CDN) for static assets and a global load balancer for API traffic. After deployment, some users in Asia report occasional timeouts when accessing the API. The API servers are deployed in the US East and Europe regions. The load balancer is configured with latency-based routing. What is the most likely cause of the timeouts?

A.The latency-based routing is directing traffic to the farthest region due to routing table issues.
B.The API servers in Europe have insufficient capacity.
C.The CDN is misconfigured for the API endpoints.
D.The DNS TTL is set too high, causing cached resolution to a failed server.
AnswerD

High TTL means clients cache DNS results; if a server fails, they still try that IP until cache expires, causing timeouts.

Why this answer

Option D is correct because a high DNS TTL causes clients to cache the IP address of a failed or unhealthy API server for an extended period. When that server becomes unavailable, clients continue to send requests to the cached IP instead of querying DNS for a healthy endpoint, resulting in timeouts. This is a common issue with latency-based routing, where DNS resolution is critical for directing traffic to the optimal region.

Exam trap

The trap here is that candidates often overlook DNS caching behavior and instead focus on load balancer configuration or server capacity, failing to recognize that high DNS TTL can cause stale routing decisions in latency-based architectures.

How to eliminate wrong answers

Option A is wrong because latency-based routing directs traffic to the region with the lowest measured latency, not the farthest; routing table issues would affect reachability, not cause timeouts due to distance. Option B is wrong because insufficient capacity would cause errors like 503 Service Unavailable or increased latency, not intermittent timeouts specific to Asia users when servers exist in both US East and Europe. Option C is wrong because a CDN is used for static assets, not API endpoints; misconfiguring the CDN for API traffic would not cause timeouts since the API traffic is handled by the global load balancer, not the CDN.

597
Multi-Selecthard

A company uses Azure VMs and wants to automate patching with minimal downtime. The application is stateless and can tolerate instance restarts. The patch schedule must ensure that at least 2 instances remain available during the update. Which THREE actions should the administrator take? (Select THREE.)

Select 3 answers
A.Enable auto-scaling for the VM scale set
B.Use Azure Update Management to schedule patch deployments
C.Configure a maintenance window in the patch schedule
D.Create a custom script extension to apply patches
E.Place the VMs in an availability set
AnswersB, C, E

Update Management enables automated patching with scheduling.

Why this answer

Using an availability set ensures VMs are distributed across update domains, allowing rolling updates. Azure Update Management can schedule patches. Configuring a maintenance window is essential for controlling when patches are applied.

598
Multi-Selecteasy

A cloud architect is designing a multi-tier application that must remain available during a single Availability Zone failure. Which TWO design principles should the architect apply?

Select 2 answers
A.Implement synchronous replication between the primary site and a DR site.
B.Deploy resources across multiple Availability Zones.
C.Use a single load balancer to distribute traffic across instances.
D.Place all application servers in the same subnet for low latency.
E.Use an auto-scaling group with a minimum of two instances spread across zones.
AnswersB, E

This provides redundancy if one zone fails.

Why this answer

Deploying resources across multiple Availability Zones (AZs) ensures that if one AZ fails, the application continues to run using resources in the other AZ(s). This is a fundamental principle of high availability in cloud architecture, as AZs are isolated from each other's failures. Option E complements this by using an auto-scaling group with a minimum of two instances spread across zones, which maintains capacity even if one instance or AZ fails.

Exam trap

CompTIA often tests the distinction between high availability (within a region across AZs) and disaster recovery (across regions), leading candidates to mistakenly choose synchronous replication (Option A) for AZ failure scenarios when it is actually designed for regional outages.

599
MCQmedium

A company uses Azure and wants to set up an alert that triggers when the average CPU of a virtual machine exceeds 90% for the past 15 minutes. The alert should send an email to the operations team. Which Azure resources are needed?

A.Azure Log Analytics and Logic App
B.Azure Monitor metric alert and action group with email
C.Azure Advisor recommendation
D.Azure Service Health alert
AnswerB

Metric alert evaluates CPU and action group sends email.

Why this answer

Azure Monitor alerts evaluate metrics and trigger actions like sending emails via action groups.

600
MCQmedium

A company wants to reduce costs by identifying underutilized EC2 instances. Which tool should they use to get rightsizing recommendations?

A.AWS Cost Explorer
B.AWS Trusted Advisor
C.AWS Compute Optimizer
D.AWS Budgets
AnswerC

Compute Optimizer gives rightsizing recommendations.

Why this answer

AWS Compute Optimizer analyzes instance usage and recommends optimal sizes.

Page 7

Page 8 of 14

Page 9