CompTIA Cloud+ CV0-004 (CV0-004) — Questions 601–675

984 questions total · 14 pages · All types, answers revealed

Page 9 of 14
601 · MCQ · medium

A team is designing a CI/CD pipeline for a microservices application. They want to automatically build, test, and deploy each service independently to a Kubernetes cluster. The pipeline must integrate with Git repositories and support parallel job execution. Which tool is best suited for this requirement?

A. Azure DevOps
B. Jenkins
C. AWS CodePipeline
D. GitLab CI
Answer: D

GitLab CI offers native Git integration, parallel jobs, and Kubernetes deployment support.

Why this answer

GitLab CI is integrated with Git repositories, supports parallel jobs, and can deploy to Kubernetes, making it a good fit for microservices CI/CD.

602 · MCQ · medium

Refer to the exhibit. A cloud administrator applies the bucket policy shown. After applying, users report that they can no longer access the prod-backup bucket using their applications. The applications use the AWS SDK with default configuration. What is the most likely reason?

A. The policy does not include an Allow statement.
B. The policy has a syntax error in the condition.
C. The applications are using HTTP instead of HTTPS.
D. The policy's principal "*" blocks all users.
Answer: C

Correct. The policy denies non-HTTPS requests, so if the SDK uses HTTP, access is denied.

Why this answer

The bucket policy explicitly denies access unless the request uses HTTPS (aws:SecureTransport is false). The applications use the AWS SDK with default configuration, which typically does not enforce HTTPS; many SDKs default to HTTP for performance or legacy reasons. Since the policy denies HTTP requests, the applications are blocked, making C the correct answer.

Exam trap

Cisco often tests the nuance that an explicit Deny with a condition can override an Allow, and that default SDK configurations may not enforce HTTPS, leading candidates to overlook the transport protocol requirement.

How to eliminate wrong answers

Option A is wrong because the policy includes an explicit Allow statement for s3:GetObject and s3:ListBucket, but the Deny statement overrides it when the condition is met. Option B is wrong because the condition syntax ("Bool": {"aws:SecureTransport": "false"}) is valid and correctly denies requests that are not using HTTPS. Option D is wrong because the principal "*" does not block all users; it is a standard wildcard that includes all users, and the Deny is conditional on the transport protocol, not the principal.

603 · MCQ · hard

A company is migrating a 50 TB on-premises database to AWS RDS MySQL. The migration must have minimal downtime and support ongoing replication during the cutover. The database schema is standard MySQL. Which combination of services should the company use?

A. AWS DMS with schema conversion tool to convert to MySQL
B. AWS Database Migration Service (DMS) with Change Data Capture (CDC) replication
C. AWS Snowball Edge to transfer database dump, then import to RDS
D. AWS DataSync to transfer database files to S3, then restore to RDS
Answer: B

DMS supports CDC for minimal downtime.

Why this answer

AWS DMS with CDC enables minimal downtime migration by replicating ongoing changes. Schema Conversion Tool is unnecessary for MySQL to MySQL. Snowball is for large data sets offline, not for minimal downtime.

604 · Multi-Select · medium

A cloud administrator is troubleshooting a connectivity issue between a web server and a database server in the same VPC but different subnets. The security group for the database server allows inbound traffic from the web server's security group. However, the web server cannot establish a TCP connection to the database. What are two possible causes? (Choose two.)

Select 2 answers
A. The security group of the web server does not allow outbound traffic to the database.
B. The network ACL of the web server subnet is blocking outbound traffic.
C. The network ACL of the database subnet is blocking inbound traffic.
D. The route table of the database subnet does not contain a route to the web server subnet.
E. The database server is not listening on the correct port.
Answers: B, C

The outbound NACL on the web server subnet may block the connection request.

Why this answer

Option B is correct because network ACLs are stateless and apply to subnet boundaries. Even if the web server's security group allows outbound traffic, the subnet's network ACL must explicitly allow outbound traffic to the database server's IP and port. If the outbound rule is missing or denies the traffic, the TCP SYN packet will be dropped before it leaves the subnet.

Option C is correct because the database subnet's network ACL must allow inbound traffic from the web server's IP and port; if it blocks the inbound SYN, the connection cannot be established.

Exam trap

The trap here is that candidates often assume security groups are the only firewall layer, forgetting that network ACLs at the subnet level are evaluated independently of security group rules, are stateless, and therefore require explicit allow rules for both directions of the connection.

605 · MCQ · medium

A cloud administrator needs to apply security patches to a group of Windows servers running in AWS. The patches should be applied during a maintenance window to minimize disruption. Which AWS service should be used?

A. Amazon Inspector
B. AWS Config
C. AWS OpsWorks
D. AWS Systems Manager Patch Manager
Answer: D

Patch Manager is designed for automated patching with maintenance windows.

Why this answer

AWS Systems Manager Patch Manager automates the process of patching managed instances with maintenance windows and approval rules.

606 · MCQ · hard

A cloud architect is designing a disaster recovery plan for a critical application that requires an RPO of 15 minutes and an RTO of 1 hour. The application runs on GCP Compute Engine with persistent disks. Which backup strategy best meets these requirements?

A. Use gcloud compute instances move to move instances to another region
B. Use persistent disk synchronous replication to another zone
C. Schedule daily snapshots to a different region
D. Schedule snapshots every 15 minutes and store in a different region
Answer: D

Frequent snapshots achieve RPO of 15 minutes; cross-region storage supports DR.

Why this answer

Snapshot schedules can be as frequent as every 10 minutes, and snapshots can be restored quickly, meeting the RPO and RTO.

607 · MCQ · medium

A containerized application deployment fails with an 'ImagePullBackOff' error. What should the administrator verify?

A. The CPU utilization on the node
B. The cluster's DNS configuration
C. The firewall rules between nodes and registry
D. The container registry credentials and image tag
Answer: D

ImagePullBackOff commonly occurs when the image is not found or access is denied.

Why this answer

Option D is correct because the error indicates the container runtime cannot pull the image, most often due to a wrong image tag or missing/invalid registry credentials. Option B is wrong because, while DNS could be involved, a DNS failure typically produces a different error. Option C is wrong because firewall issues cause timeouts rather than pull errors.

Option A is wrong because CPU utilization does not cause image pull errors.

608 · Multi-Select · hard

A cloud administrator is investigating a performance issue with a cloud-based application. The application's response time has increased significantly. Monitoring shows low CPU and memory, but high network latency. Which two actions should the administrator take? (Choose two.)

Select 2 answers
A. Review the security group rules for any restrictive outbound rules.
B. Check the load balancer's connection draining settings.
C. Use a trace tool to identify network hops and bottlenecks.
D. Verify that the instances are in the same placement group.
E. Check for packet drops in the VPC flow logs.
Answers: C, E

Traceroute helps pinpoint where network delays occur.

Why this answer

Option C is correct because using a trace tool (such as traceroute or MTR) allows the administrator to identify each network hop between the application and its users, revealing where latency is introduced. This directly addresses the symptom of high network latency by pinpointing congested or failing routers, misconfigured firewalls, or suboptimal routing paths.

Exam trap

The trap here is that candidates may confuse high latency with connectivity failures and incorrectly choose security group or load balancer settings, when in fact the correct approach is to use network diagnostic tools (trace tool and flow logs) to isolate the source of the delay.

609 · MCQ · medium

An organization wants to ensure that only authenticated users from their corporate Active Directory can access cloud resources. Which federation protocol is most commonly used for this purpose?

A. LDAP
B. OAuth 2.0
C. RADIUS
D. SAML
Answer: D

SAML enables browser-based SSO with corporate IdPs.

Why this answer

SAML is widely used for federation between corporate identity providers (e.g., Active Directory) and cloud services.

610 · Multi-Select · medium

A company is planning to migrate a 200 TB on-premises file server to AWS S3. The network link is 1 Gbps and cannot be saturated due to other traffic. The migration must be completed within two weeks. Which TWO services or features should the cloud engineer consider to accelerate the transfer? (Choose two.)

Select 2 answers
A. AWS Direct Connect
B. AWS DMS
C. AWS DataSync
D. AWS Snowball
E. AWS Storage Gateway
Answers: C, D

DataSync can accelerate transfers over the network and is designed for large datasets.

Why this answer

AWS DataSync is correct because it is designed to efficiently migrate large datasets to AWS by using parallel multi-threaded transfers and incremental syncs, which can optimize the use of the available 1 Gbps link without saturating it. It can handle the 200 TB file server migration by automating the transfer and reducing the time required compared to manual copying, though the 1 Gbps link alone may still be insufficient for the two-week window, making it a partial solution.

Exam trap

The trap here is that candidates often assume AWS DataSync alone can handle any large transfer over a network link, but they overlook the bandwidth calculation—200 TB at 1 Gbps takes over 18 days, so a physical transport like Snowball is necessary to meet the two-week deadline.

611 · MCQ · medium

A cloud architect is choosing a compute pricing model for a batch processing job that runs for 2 hours every night. The job can be interrupted. Which option is most cost-effective?

A. Reserved instances for 1 year
B. Spot instances
C. On-demand instances
D. Dedicated hosts
Answer: B

Spot instances are cheaper and suitable for interruptible workloads.

Why this answer

Spot instances are the most cost-effective option because the batch processing job is fault-tolerant (can be interrupted) and runs for a fixed, short duration (2 hours nightly). Spot instances offer significant discounts (often 60-90% off on-demand pricing) by leveraging unused cloud capacity, which can be reclaimed with a 2-minute warning. This aligns perfectly with the workload's tolerance for interruption and its predictable but non-critical schedule.

Exam trap

Cisco often tests the misconception that Reserved instances are always cheaper for any recurring workload, but the trap here is that the short, interruptible nature of the job makes spot instances far more cost-effective than committing to a long-term reservation.

How to eliminate wrong answers

Option A is wrong because Reserved instances require a 1-year or 3-year commitment and are designed for steady-state, always-on workloads; paying upfront for a full year to cover only 2 hours per night is wasteful and not cost-effective. Option C is wrong because On-demand instances charge per hour with no discount, making them more expensive than spot instances for a batch job that can tolerate interruptions. Option D is wrong because Dedicated hosts are physical servers dedicated to a single customer, incurring high costs for full server capacity regardless of usage; they are intended for compliance or licensing needs, not for cost optimization on an interruptible batch job.

612 · MCQ · hard

A cloud administrator is managing a hybrid cloud environment where on-premises servers connect to a public cloud VPC via a site-to-site VPN. Users report intermittent connectivity issues to cloud resources. The administrator examines the VPN tunnel logs and sees 'Phase 2 negotiation failed' errors. Which of the following is the MOST likely cause?

A. Dead Peer Detection (DPD) is disabled on one side.
B. Incorrect pre-shared key used for the VPN tunnel.
C. Packet loss due to high latency on the internet link.
D. Mismatched encryption domain definitions (traffic selectors) between on-premises and cloud VPN gateways.
Answer: D

Phase 2 negotiates encryption domains; mismatched selectors cause failure.

Why this answer

Phase 2 negotiation failures in IPsec VPNs indicate that the two gateways cannot agree on the security associations (SAs) for encrypting data traffic. This is most commonly caused by mismatched encryption domain definitions (traffic selectors), such as differing local/remote subnets, protocols, or ports. When the on-premises and cloud VPN gateways define the allowed traffic differently, they cannot establish the Phase 2 SA, leading to intermittent connectivity.

Exam trap

The trap here is that candidates often confuse Phase 1 and Phase 2 failures, incorrectly attributing the error to pre-shared key mismatches (Phase 1) instead of traffic selector mismatches (Phase 2).

How to eliminate wrong answers

Option A is wrong because Dead Peer Detection (DPD) is used to detect loss of a peer during Phase 1 or Phase 2, but disabling DPD does not cause Phase 2 negotiation failures; it only delays failure detection. Option B is wrong because an incorrect pre-shared key would cause Phase 1 (IKE) authentication to fail, not Phase 2 negotiation. Option C is wrong because packet loss or high latency can cause timeouts or retransmissions but does not directly cause a 'Phase 2 negotiation failed' error, which is a protocol-level mismatch.

613 · MCQ · hard

A cloud administrator is troubleshooting a web application hosted on a cloud virtual machine (VM) that is experiencing intermittent high latency during peak traffic hours. The application is deployed on a single VM instance with 4 vCPUs and 8 GB RAM, running a Linux OS. The VM is connected to a virtual network with a public IP. The administrator has verified that the application code is optimized and there are no memory leaks. CPU utilization remains below 50% during peaks, but network outbound traffic shows periodic spikes up to 500 Mbps. The VM's network interface is configured with a 1 Gbps bandwidth cap. The administrator suspects that the issue is related to network throttling or packet loss. Which of the following actions should the administrator take to resolve the issue?

A. Increase the VM's vCPU count to 8 to improve processing capacity.
B. Upgrade the VM to a larger instance size with higher network bandwidth cap (e.g., 2 Gbps).
C. Configure the firewall to allow all traffic to reduce processing overhead.
D. Enable DDoS protection on the public IP to filter malicious traffic.
Answer: B

This directly addresses the network bottleneck causing latency during traffic spikes.

Why this answer

Option B is correct because the VM's network bandwidth cap of 1 Gbps is being saturated during peak traffic (spikes up to 500 Mbps, but with overhead and burst behavior, the cap can cause throttling and packet loss). Upgrading to a larger instance size with a higher network bandwidth cap (e.g., 2 Gbps) directly addresses the bottleneck by providing more headroom for outbound traffic, reducing latency caused by queueing and drops. The administrator has already ruled out CPU and memory issues, so the network cap is the likely culprit.

Exam trap

The trap here is that candidates may assume CPU or memory is the bottleneck because latency is intermittent, but the question explicitly states CPU is below 50% and memory is fine, so the real issue is the network bandwidth cap, which is a common cloud-specific limitation tied to instance size.

How to eliminate wrong answers

Option A is wrong because increasing vCPUs does not increase network bandwidth capacity; the bottleneck is network throughput, not compute, and CPU utilization is already below 50%. Option C is wrong because configuring the firewall to allow all traffic would not reduce processing overhead in a meaningful way and could actually increase security risks; firewall processing overhead is negligible compared to the bandwidth cap limitation. Option D is wrong because DDoS protection is designed to filter malicious traffic, not to resolve throttling or packet loss caused by legitimate peak traffic exceeding the bandwidth cap.

614 · MCQ · easy

In the shared responsibility model, which of the following is the cloud customer responsible for?

A. Operating system patching on virtual machines
B. Network infrastructure under the hypervisor
C. Hypervisor security
D. Physical hardware maintenance
Answer: A

Customers manage guest OS patching.

Why this answer

The shared responsibility model states that customers are responsible for OS patching, application code, IAM, data encryption, and network security groups.

615 · MCQ · medium

A cloud architect is designing a highly available web application on AWS. The application must continue serving traffic even if an entire AWS Availability Zone fails. Which architecture should the architect implement?

A. Active-passive in a single Availability Zone
B. Active-active across two Availability Zones
C. Vertical scaling on a single instance
D. Active-passive across two regions
Answer: B

Active-active across zones allows continued service if one zone fails.

Why this answer

Active-active architecture across multiple Availability Zones ensures that if one zone fails, traffic is routed to the remaining healthy zones, providing high availability.

616 · MCQ · easy

A startup is deploying its web application in the cloud using an auto-scaling group. The application experiences variable traffic, with spikes during business hours. The team has configured the auto-scaling group to scale out when CPU utilization exceeds 70% and scale in when it drops below 30%. However, during a sudden spike, the new instances take over 5 minutes to become healthy, causing slow response times. What should the team do to improve responsiveness?

A. Use a larger instance type for the auto-scaling group.
B. Implement a predictive scaling policy based on historical patterns.
C. Reduce the threshold for scale-out to 50% CPU.
D. Increase the cooldown period for the scaling policy.
Answer: B

Predictive scaling provisions instances ahead of anticipated spikes.

Why this answer

Predictive scaling uses historical traffic patterns to proactively launch instances before CPU utilization spikes, eliminating the 5-minute lag from reactive scaling. This approach anticipates the business-hour surge and ensures capacity is ready when demand increases, directly addressing the slow response time issue.

Exam trap

The trap here is that candidates often focus on tuning thresholds or instance sizes to fix a latency problem, missing that the core issue is the reactive scaling delay, which only a proactive approach like predictive scaling can resolve.

How to eliminate wrong answers

Option A is wrong because using a larger instance type does not reduce the time for new instances to become healthy; it only increases per-instance capacity, which may still suffer from the same 5-minute startup delay during spikes. Option C is wrong because reducing the scale-out threshold to 50% CPU would trigger scaling earlier but still relies on reactive scaling, meaning instances would still take over 5 minutes to become healthy after the threshold is breached, failing to prevent slow responses. Option D is wrong because increasing the cooldown period would delay further scaling actions, making the auto-scaling group less responsive during rapid traffic spikes, worsening the problem.

617 · Multi-Select · easy

A company is migrating 50 TB of data from an on-premises file server to Amazon S3. The migration must be completed within two weeks and the internet connection is slow. Which TWO AWS services can accelerate the transfer?

Select 2 answers
A. Amazon S3 multipart upload
B. AWS Direct Connect
C. AWS DataSync
D. AWS Snowball
E. S3 Transfer Acceleration
Answers: D, E

Snowball physically ships data, bypassing the slow internet.

Why this answer

AWS Snowball (Option D) is a petabyte-scale data transport solution that uses secure physical devices to transfer large amounts of data to AWS, bypassing the internet entirely. For a 50 TB migration over a slow connection within a two-week window, Snowball is ideal because it avoids network bandwidth constraints and can transfer data at the speed of shipping, not the internet.

Exam trap

The trap here is that candidates may confuse S3 Transfer Acceleration (Option E) as a solution for all slow connections, but it only optimizes internet routing and does not overcome severe bandwidth limitations for multi-terabyte transfers within a strict deadline.

618 · Multi-Select · medium

A cloud operations team needs to automate patching of Linux servers. Which TWO services can be used? (Choose TWO)

Select 2 answers
A. Azure Update Management
B. AWS Systems Manager Patch Manager
C. AWS CloudTrail
D. AWS CloudFormation
E. AWS Config
Answers: A, B

Both selected services support automated patching of Linux VMs.

Why this answer

AWS Systems Manager Patch Manager and Azure Update Management both support automated patching.

619 · MCQ · medium

A company must migrate 50 TB of data from an on-premises NFS server to Amazon S3 within one week. The network bandwidth averages 50 Mbps. The administrator is evaluating AWS DataSync and AWS Snowball. Which service should the administrator choose?

A. AWS Snowball
B. AWS DataSync
C. S3 Transfer Acceleration
D. AWS Database Migration Service
Answer: A

Snowball is an offline physical device that can handle large datasets quickly.

Why this answer

At 50 Mbps, transferring 50 TB would take about 95 days, exceeding the one-week deadline. Snowball provides offline physical transfer, making it feasible within a week.

620 · MCQ · hard

A cloud administrator is troubleshooting an application that fails to connect to a database. The database server is in a private subnet, and the application server is in a public subnet. The security group for the database allows inbound traffic on port 3306 from the application's security group. Which of the following is the MOST likely reason the connection fails?

A. The network ACL for the database subnet is blocking inbound traffic on port 3306
B. The database server's operating system firewall is blocking the connection
C. The application's security group does not allow outbound traffic to the database
D. The route table for the public subnet does not have a route to the private subnet
Answer: A

NACLs are stateless and require explicit allow rules.

Why this answer

The network ACL (NACL) for the database subnet is the most likely cause because NACLs are stateless and apply to the entire subnet. Even if the database security group allows inbound traffic from the application's security group, the NACL must also allow inbound traffic on port 3306 (MySQL) from the application subnet. By default, custom NACLs deny all inbound traffic, so if the administrator did not explicitly add a rule for port 3306, the connection will be blocked at the subnet boundary.

Exam trap

CompTIA often tests the difference between stateful security groups and stateless network ACLs, and the trap here is that candidates assume security group rules are sufficient for connectivity, forgetting that NACLs must also permit the traffic at the subnet boundary.

How to eliminate wrong answers

Option B is wrong because the operating system firewall on the database server could block the connection, but it is less likely than a NACL issue since the question states the security group already allows the traffic, and OS firewalls are typically configured to allow traffic that matches security group rules. Option C is wrong because security groups are stateful; if the application's security group allows outbound traffic by default (which it does for all traffic unless explicitly denied), the response traffic from the database is automatically allowed, so outbound rules are not the issue. Option D is wrong because route tables control traffic routing between subnets, and by default, VPCs have an implicit local route that allows communication between all subnets within the VPC, so a missing route is not the problem here.

621 · MCQ · hard

A company wants to implement a disaster recovery strategy with an RTO of 15 minutes and an RPO of 1 minute for a critical database. Which approach should be used?

A. Scheduled snapshots every hour
B. Daily snapshots copied to another region
C. Weekly full backups to tape stored offsite
D. Cross-region continuous replication with automatic failover
Answer: D

Continuous replication meets both RTO and RPO requirements.

Why this answer

Continuous replication with automatic failover provides near-zero RPO and fast RTO.

622 · MCQ · hard

A cloud administrator is troubleshooting connectivity issues between two virtual networks in a public cloud. The networks are in the same region but different VPCs. Both VPCs have route tables and security groups configured. Instances in VPC A cannot ping instances in VPC B. Which of the following is the most likely cause?

A. VPC peering is not established between the two VPCs.
B. The instances are not assigned public IP addresses.
C. Security groups are blocking ICMP traffic.
D. Network ACLs are not configured to allow the traffic.
Answer: A

Without peering, traffic is isolated between VPCs.

Why this answer

VPC peering is a direct network connection between two VPCs that enables routing of traffic using private IPv4 or IPv6 addresses. Without an established VPC peering connection, instances in different VPCs cannot communicate, even if they are in the same region. Since the question states the VPCs are separate and no peering is mentioned, this is the most likely root cause of the connectivity failure.

Exam trap

The trap here is that candidates often focus on security groups or ACLs as the default answer for connectivity issues, but the fundamental prerequisite for cross-VPC communication is the existence of a VPC peering connection or a transit gateway, not just network access controls.

How to eliminate wrong answers

Option B is wrong because public IP addresses are not required for VPC-to-VPC communication; private IP routing via VPC peering or transit gateway is the standard method. Option C is wrong because while security groups can block ICMP, they are stateful and would not prevent all traffic unless explicitly configured to deny ICMP; the question does not indicate any such rule. Option D is wrong because network ACLs are stateless and must allow both inbound and outbound traffic, but they are not the primary enabler of cross-VPC connectivity; without VPC peering, no amount of ACL configuration will establish the link.

623 · MCQ · medium

A company uses Azure and wants to connect its on-premises data center to Azure with a dedicated, private, and high-bandwidth connection. Which service should the company use?

A. Azure ExpressRoute
B. Site-to-Site VPN
C. Azure Front Door
D. Azure VPN Gateway
Answer: A

ExpressRoute is a dedicated private connection ideal for high-bandwidth and low-latency needs.

Why this answer

Azure ExpressRoute provides a dedicated private connection from on-premises to Azure, offering higher bandwidth and reliability than VPN.

624 · Multi-Select · medium

A company is migrating to the cloud and needs to ensure high availability for a web application. The solution must tolerate the failure of an entire Availability Zone. Which three actions should the administrator take? (Choose three.)

Select 3 answers
A. Deploy the application across two or more Availability Zones.
B. Implement auto scaling with a minimum of one instance per AZ.
C. Use an Application Load Balancer with cross-zone load balancing enabled.
D. Use a single instance in a larger instance size.
E. Use a Multi-AZ RDS database.
Answers: A, B, E

Deploying across multiple Availability Zones is fundamental to surviving an AZ failure.

Why this answer

Option A is correct because deploying the application across two or more Availability Zones (AZs) ensures that if an entire AZ fails, the application remains available in the other AZ(s). This is a fundamental design pattern for achieving high availability in AWS, as AZs are physically separate data centers with independent power, cooling, and networking. By distributing resources across multiple AZs, the application can tolerate the failure of one AZ without service interruption.

Exam trap

The trap here is that candidates often confuse cross-zone load balancing (which optimizes traffic distribution) with the fundamental requirement of deploying resources across multiple AZs to achieve AZ failure tolerance, leading them to select option C as a necessary action when it is actually a default or optional feature that does not by itself provide AZ redundancy.

625 · MCQ · easy

A cloud operations team uses a configuration management tool to apply patches to hundreds of Linux servers. Recently, the automation script that applies security patches has been failing with an error: 'Package not found.' The administrator verifies that the patch repository URL is correct and that the servers have internet access. The script runs every Sunday at 2:00 AM and the failures started two weeks ago. The failed patches are all for the latest kernel update. What should the administrator check FIRST?

A. Verify that the package cache is being updated before the installation step.
B. Ensure the patch repository is reachable via DNS.
C. Check if the servers have sufficient disk space for the patch download.
D. Roll back to an earlier version of the patch script.
Answer: A

The package cache must be refreshed to recognize the latest kernel package; the script may have skipped that step.

Why this answer

The error 'Package not found' typically indicates that the repository metadata is outdated. On many Linux systems, the local package cache (e.g., apt or yum) needs to be updated before installing new packages. The script likely needs to run an update command before attempting to install the patch.

626 · MCQ · hard

An organization uses CloudFormation to manage resources across multiple AWS accounts. They need to deploy a common set of resources (e.g., logging configuration) to all accounts in an AWS Organization. Which CloudFormation feature should they use?

A. Change sets
B. StackSets
C. Drift detection
D. Nested stacks
Answer: B

StackSets enable deploying stacks across multiple accounts and regions.

Why this answer

CloudFormation StackSets allow you to deploy stacks across multiple accounts and regions in a single operation, ideal for multi-account governance.

627 · Multi-Select · medium

A cloud administrator is configuring a notification channel for critical alerts. Which TWO of the following are commonly used notification channels in cloud monitoring systems? (Select TWO.)

Select 2 answers
A. Amazon CloudWatch Logs
B. Amazon Simple Notification Service (SNS)
C. Slack webhooks
D. AWS Organizations
E. AWS CloudTrail
Answers: B, C

SNS is a notification channel that can distribute messages to subscribers via email, SMS, etc.

Why this answer

Common notification channels include email (SMTP) and integration services like Slack webhooks. SNS is an AWS notification service that can send to email or other endpoints, but PagerDuty is also a common integration.

628 · MCQ · easy

A small business plans to migrate its on-premises infrastructure to the cloud to reduce capital expenditure. They have a limited IT team and want to minimize management overhead. Which cloud deployment model should they choose?

A.Private cloud
B.Community cloud
C.Hybrid cloud
D.Public cloud
AnswerD

Public cloud is cost-effective and requires minimal management overhead.

Why this answer

The public cloud deployment model is the correct choice because it allows the small business to offload all infrastructure management to the cloud provider, eliminating the need for on-premises hardware and reducing capital expenditure. With a limited IT team, the public cloud's shared responsibility model minimizes management overhead by handling physical security, hardware maintenance, and hypervisor updates, while the business only manages its applications and data.

Exam trap

CompTIA often tests the misconception that 'public cloud means zero management overhead,' but the shared responsibility model still requires the customer to manage the guest OS, applications, and data, which is a key trap in this question.

How to eliminate wrong answers

Option A is wrong because a private cloud requires the business to own or lease dedicated hardware, which increases capital expenditure and management overhead, contradicting the goal of reducing both. Option B is wrong because a community cloud is shared among several organizations with common concerns, still requiring significant coordination and often dedicated infrastructure, which does not minimize management overhead for a small business. Option C is wrong because a hybrid cloud combines public and private clouds, introducing complexity in networking, orchestration, and data synchronization, which increases management overhead and does not fully eliminate capital expenditure.

629
MCQmedium

A company is deploying a web application that requires high availability across two geographically separate data centers. The application must be active in both sites simultaneously, and traffic must be load-balanced between them. Which architecture best meets these requirements?

A.Active-active architecture
B.Active-passive architecture
C.Fault-tolerant N+1 architecture
D.Warm standby architecture
AnswerA

Both sites are active and load-balanced, meeting the requirement.

Why this answer

Active-active architecture allows both sites to handle traffic simultaneously, providing load balancing and high availability. Active-passive would leave one site idle. Warm standby implies one site is not fully active.

Fault tolerance (N+1) is a component-level concept, not a site-level architecture.

630
Multi-Selectmedium

A cloud architect is designing a CI/CD pipeline for a microservices application deployed on AWS EKS. The pipeline should include stages for source, build, test, deploy, and verify. Which TWO of the following are typical pipeline stages? (Select TWO.)

Select 2 answers
A.Build
B.Audit
C.Source
D.Backup
E.Monitor
AnswersA, C

Build stage compiles and packages the application.

Why this answer

Option A (Build) is correct because in a CI/CD pipeline for AWS EKS, the Build stage compiles source code, runs unit tests, and creates container images (e.g., using Docker) that are pushed to a registry like Amazon ECR. This stage is essential for transforming code into deployable artifacts for Kubernetes workloads.

Exam trap

Cisco often tests the distinction between pipeline stages and adjacent operational activities; the trap here is confusing post-deployment tasks like monitoring or backup with the defined CI/CD stages (source, build, test, deploy, verify).

631
MCQmedium

An organization needs to connect its on-premises data center to a public cloud with a dedicated, low-latency, and consistent network connection. Which connectivity option should they use?

A.Direct Connect
B.Internet gateway
C.VPC peering
D.Site-to-site VPN
AnswerA

Direct Connect provides a dedicated private connection with consistent performance.

Why this answer

Direct Connect (AWS) or ExpressRoute (Azure) provides dedicated private connectivity from on-premises to cloud.

632
Multi-Selecthard

A company is deploying a cloud-native application that uses containers orchestrated by Kubernetes. The security team wants to enforce the principle of least privilege at the Kubernetes level. Which THREE measures should be implemented? (Choose three.)

Select 3 answers
A.Apply Pod Security Standards (e.g., restricted policy)
B.Implement Kubernetes RBAC to restrict permissions to namespaces and resources
C.Implement network policies to restrict pod-to-pod communication
D.Create service accounts with only the necessary permissions for each application
E.Use namespaces to separate environments
AnswersA, B, D

Pod Security Standards enforce security contexts that limit pod capabilities.

Why this answer

Pod Security Standards (PSS) define security contexts for pods, with the 'restricted' policy enforcing the principle of least privilege by disallowing privileged containers, host network access, and other high-risk capabilities. This directly prevents pods from running with unnecessary permissions, aligning with the security team's goal at the pod level.

Exam trap

Cisco often tests the distinction between network-level controls (network policies) and identity/privilege controls (RBAC, Pod Security Standards), leading candidates to mistakenly select network policies as a least-privilege measure when they only restrict traffic, not permissions.

633
Multi-Selecthard

A company is performing a disaster recovery test for a critical application. The test reveals that the application's RTO of 1 hour is not being met due to slow database restoration. Which THREE actions could help improve the restoration time? (Select THREE.)

Select 3 answers
A.Implement continuous replication to a standby database
B.Pre-warm standby database instances in the recovery region
C.Disable encryption on the database to reduce overhead
D.Increase the retention period of automated backups
E.Use provisioned IOPS storage for the database volumes
AnswersA, B, E

Continuous replication keeps the standby database nearly in sync, reducing recovery time.

Why this answer

Pre-warming standby instances reduces launch time, using faster storage like Provisioned IOPS speeds up data access, and implementing continuous replication reduces the amount of data to restore.

634
Multi-Selectmedium

A company is designing stateless application tiers to support horizontal scaling. Which TWO design principles support statelessness? (Select TWO.)

Select 2 answers
A.Persist all application state in a shared database
B.Store configuration files on each instance locally
C.Store session state in a shared external cache (e.g., Redis)
D.Use local instance storage for session data
E.Use sticky sessions (session affinity) on the load balancer
AnswersA, C

Shared database allows any instance to serve any request.

Why this answer

Storing session state in an external cache or database makes the application stateless. Local storage is stateful. Sticky sessions break statelessness.

Using configuration files per instance is stateful.

635
Multi-Selectmedium

A cloud engineer is migrating a legacy application to AWS. The application requires minimal downtime during the database migration from SQL Server to Aurora MySQL. Which TWO AWS services should the engineer use to achieve this?

Select 2 answers
A.AWS Snowball
B.AWS Schema Conversion Tool (SCT)
C.AWS Direct Connect
D.AWS DataSync
E.AWS Database Migration Service (DMS)
AnswersB, E

SCT converts schema between different database engines.

Why this answer

The AWS Schema Conversion Tool (SCT) is used to convert the source SQL Server database schema and code to be compatible with Aurora MySQL, handling differences in data types, stored procedures, and other database objects. The AWS Database Migration Service (DMS) then performs the actual data migration with minimal downtime by continuously replicating changes from the source to the target database until a cutover is performed. Together, SCT and DMS enable a heterogeneous migration with near-zero downtime.

Exam trap

Cisco often tests the distinction between data migration services (DMS) and data transfer services (DataSync, Snowball), where candidates mistakenly choose DataSync for database migrations because it sounds similar to 'data synchronization' but it lacks schema conversion and live database replication capabilities.

636
MCQeasy

A company is using a cloud provider's object storage for archival data. The data is rarely accessed but must be retained for 7 years for compliance. The current storage class is Standard, and the monthly bill is increasing. The cloud administrator wants to minimize costs while meeting compliance requirements. The data must be accessible within 24 hours if needed. Which of the following actions should the administrator take?

A.Compress the objects using server-side encryption.
B.Delete the objects after 7 years to save cost.
C.Move the data to a cold storage tier like Glacier or Archive.
D.Use a lifecycle policy to transition objects to a cheaper storage class after a period.
AnswerD

Lifecycle policies automate transition to lower-cost storage (e.g., after 30 days to Infrequent Access, then to Glacier), optimizing cost while retaining data.

Why this answer

Option D is correct because a lifecycle policy automates the transition of objects from a higher-cost storage class (e.g., Standard) to a cheaper class (e.g., S3 Glacier Deep Archive or Azure Archive) after a specified period, reducing costs while retaining data for the required 7 years. The data remains accessible within 24 hours via a restore request, meeting the compliance and retrieval time requirement.

Exam trap

The trap here is that candidates may think moving data to a cold storage tier (Option C) is the best immediate action, but they overlook that a lifecycle policy (Option D) automates the transition and avoids manual intervention, which is more efficient and cost-effective over time.

How to eliminate wrong answers

Option A is wrong because server-side encryption (e.g., AES-256) does not reduce storage costs; it only secures data at rest. Option B is wrong because deleting objects after 7 years does not address the immediate cost increase and violates the compliance requirement to retain data for the full 7 years. Option C is wrong because moving data directly to a cold storage tier like Glacier or Archive without a lifecycle policy is a manual, non-automated action that does not leverage cost-saving transitions over time; also, some cold tiers may have minimum storage durations that could increase costs if data is moved too early.

637
MCQhard

A company wants to implement automated patching for their Windows and Linux servers in AWS. They need to schedule patching during a maintenance window and have a rollback plan. Which service should they use?

A.AWS OpsWorks
B.AWS Config
C.AWS Systems Manager Patch Manager
D.Amazon Inspector
AnswerC

Patch Manager automates patching with maintenance windows and rollback via AMI backups.

Why this answer

AWS Systems Manager Patch Manager automates patching with maintenance windows and allows creation of patching baselines. It also supports rollback by restoring from AMIs or using AWS Backup. Inspector is for vulnerability scanning, not patching.

Config is for compliance. OpsWorks is configuration management.

638
MCQeasy

Which cloud deployment model connects an on-premises data center to a public cloud using VPN or dedicated connections like AWS Direct Connect?

A.Private cloud
B.Multi-cloud
C.Hybrid cloud
D.Public cloud
AnswerC

Hybrid cloud combines on-premises and public cloud.

Why this answer

Hybrid cloud integrates on-premises and public cloud resources via private networking.

639
Multi-Selectmedium

A cloud administrator receives an alert that a VM's disk usage is at 95%. The VM is running a critical database. Which TWO actions should the administrator take to resolve the issue while minimizing downtime?

Select 2 answers
A.Increase the size of the existing disk
B.Shrink an existing partition to free space
C.Clear temporary files and logs
D.Restore the VM from a recent backup to a larger disk
E.Add a new disk and move data to it
AnswersA, C

Many cloud providers allow online disk resizing without rebooting.

Why this answer

Increasing the size of the existing disk (Option A) is correct because it allows the VM to gain additional storage capacity without requiring a reboot or migration, minimizing downtime. Modern hypervisors and cloud platforms support live resizing of virtual disks, and once the disk is expanded, the OS can extend the partition online using tools like `resize2fs` (Linux) or Disk Management (Windows). This directly addresses the 95% disk usage alert for the critical database with minimal service interruption.

Exam trap

The trap here is that candidates often choose Option E (add a new disk) thinking it is safer or more standard, but they overlook that expanding the existing disk is faster and causes less downtime for a critical database, and that adding a new disk introduces additional management overhead and potential service interruption.

640
Matchingmedium

Match each disaster recovery term to its definition.

Maximum time to restore services after outage

Maximum acceptable data loss in time

Automatic switch to standby system

Copy of data for restoration

Documented plan for disaster recovery

Why these pairings

Key metrics and concepts for business continuity.

641
Multi-Selecthard

A company is deploying a web application on Google Cloud that requires low-latency access to static content (images, CSS) for global users. The application also needs to handle SSL termination to reduce load on backend instances. Which TWO services should the architect use? (Select TWO.)

Select 2 answers
A.Compute Engine with enhanced network
B.Cloud Functions
C.Cloud CDN
D.Cloud Load Balancing
E.Cloud Storage
AnswersC, D

CDN caches static content at the edge for low-latency delivery.

Why this answer

Cloud CDN (Option C) is correct because it uses Google's global edge cache to deliver static content (images, CSS) with low latency by caching content at points of presence (PoPs) close to users. Cloud Load Balancing (Option D) is correct because it provides global anycast-based load balancing with integrated SSL termination, offloading the SSL/TLS handshake from backend instances and reducing their CPU load.

Exam trap

Cisco often tests the misconception that Cloud Storage alone can serve static content globally with low latency, but it lacks edge caching and SSL termination, requiring Cloud CDN and Cloud Load Balancing to meet the requirements.

642
MCQhard

A cloud administrator receives an alert that a storage bucket containing sensitive customer data has been accessed from an unknown IP address at 3:00 AM. The bucket policy is configured to allow access only from the corporate VPN CIDR block (10.0.0.0/8). The administrator checks the access logs and sees that the request originated from 203.0.113.50, which is not within the allowed range. The bucket policy also includes a condition that restricts access to Secure Transport (SSL). What is the most likely reason the request succeeded despite the policy?

A.The access logs are spoofed; the request actually came from a corporate IP.
B.The policy has an Allow statement that permits all accesses using SSL, without restricting the source IP.
C.The unknown IP address is part of a misconfigured VPN client that still appears as the corporate CIDR.
D.The bucket policy is missing an explicit Deny statement for IP addresses outside the allowed range.
AnswerB

If the Allow statement only requires SSL but does not enforce the IP condition, then any SSL request would be allowed, bypassing the intended IP restriction.

Why this answer

The bucket policy's condition checks only for Secure Transport (aws:SecureTransport) and does not tie the Allow to the source IP: either the IP condition was left out of the Allow statement, or an intended Deny for addresses outside the allowed range was misconfigured (for example, a Null condition on the IP key that does not evaluate as expected). The most common error is that the policy allows every request that uses SSL, overriding the intended IP restriction. Option B correctly identifies that the SSL-only Allow is too permissive.

643
Multi-Selectmedium

A cloud architect is evaluating cloud deployment models for a healthcare application that must comply with data sovereignty regulations. The solution must provide the lowest latency for users in North America and Europe, and must avoid vendor lock-in. Which TWO deployment models should the architect consider? (Choose two.)

Select 2 answers
A.Private cloud
B.Multi-cloud
C.Public cloud
D.Community cloud
E.Hybrid cloud
AnswersB, E

Multi-cloud can use multiple providers to avoid lock-in and place resources in different regions.

Why this answer

Multi-cloud uses multiple public cloud providers, which avoids vendor lock-in and allows resources to be placed in both North America and Europe. Hybrid cloud keeps sensitive data on-premises (addressing data sovereignty) while using public cloud for compute; on its own it does not address multiple regions, but combined with multi-cloud it meets all of the requirements. The question asks for exactly TWO models, so multi-cloud and hybrid cloud are the best pair.

644
MCQmedium

A cloud architect is selecting a storage solution for a database that requires low-latency reads and writes. The database will run on a single VM and must support consistent performance. Which storage type is most appropriate?

A.Archive storage
B.Object storage
C.File storage
D.Block storage
AnswerD

Block storage provides dedicated, low-latency performance for databases.

Why this answer

Block storage (e.g., EBS, Azure Disk) provides low-latency, consistent performance suitable for databases running on a single VM.

645
MCQmedium

An organization's compliance policy requires that all access to cloud resources be logged and that logs be immutable. Which service should be used to meet these requirements?

A.AWS CloudWatch Logs
B.AWS CloudTrail
C.AWS Trusted Advisor
D.AWS Config
AnswerB

CloudTrail records API calls and can store logs immutably.

Why this answer

AWS CloudTrail is the correct service because it records all API calls made to AWS resources, providing a detailed audit log of who made the request, from which IP address, and when. CloudTrail logs can be stored in an S3 bucket with S3 Object Lock enabled, which enforces a write-once-read-many (WORM) model to make logs immutable, meeting the compliance requirement for both logging and immutability.

Exam trap

Cisco often tests the distinction between logging API calls (CloudTrail) and monitoring resource configurations (Config) or operational logs (CloudWatch Logs), leading candidates to confuse CloudWatch Logs as the logging service without considering immutability requirements.

How to eliminate wrong answers

Option A is wrong because AWS CloudWatch Logs is a monitoring service for collecting log data from various sources, but it does not natively provide immutability features; logs can be deleted or overwritten without additional configuration. Option C is wrong because AWS Trusted Advisor is an advisory tool that inspects your AWS environment for best practices in cost, performance, security, and fault tolerance, but it does not log API calls or provide immutable logs. Option D is wrong because AWS Config is a service for evaluating and auditing resource configurations against desired policies, but it does not capture API activity logs or offer immutability; it records configuration changes, not access logs.

646
MCQhard

A DevOps engineer is designing a CI/CD pipeline for a microservices application. The team wants to isolate each build job to avoid interference. Which cloud concept should be utilized?

A.Dedicated hosts
B.Containerization with orchestration
C.Virtual private cloud (VPC)
D.Serverless functions
AnswerB

Containers provide lightweight, isolated environments ideal for CI/CD jobs, and orchestration manages them.

Why this answer

Containerization with orchestration (e.g., Docker and Kubernetes) provides isolated runtime environments for each build job by packaging the application and its dependencies into lightweight containers. This ensures that build processes do not interfere with each other, as each container runs in its own isolated user space with dedicated resources, and orchestration manages scheduling, scaling, and lifecycle. This approach is ideal for CI/CD pipelines in microservices architectures where build isolation is critical.

Exam trap

CompTIA often tests the misconception that network-level isolation (VPC) or physical isolation (dedicated hosts) is required for build job isolation, when in fact containerization provides sufficient and more efficient isolation at the process level.

How to eliminate wrong answers

Option A is wrong because dedicated hosts provide physical server isolation but are overkill for build job isolation; they do not offer per-job isolation within the same host and incur higher cost and management overhead. Option C is wrong because a Virtual Private Cloud (VPC) is a network-level isolation construct for cloud resources, not a mechanism to isolate individual build jobs; it cannot prevent interference between processes running on the same compute instance. Option D is wrong because serverless functions (e.g., AWS Lambda) are stateless and ephemeral, but they are not designed for running CI/CD build jobs that require persistent storage, longer execution times, or custom runtime environments; they also lack the fine-grained resource isolation needed for concurrent builds.

647
Multi-Selecthard

Which THREE of the following are common causes of VM migration failures in a cloud environment? (Choose three.)

Select 3 answers
A.Expired software licenses on the target host
B.Incompatible CPU instruction sets or features between source and target hosts
C.Stale DNS records for the VM's hostname
D.Insufficient storage space on the target host
E.Network connectivity issues between the source and target hypervisors
AnswersB, D, E

Different CPU generations can prevent live migration.

Why this answer

Options B, D, and E are correct. Incompatible CPU features (B) can cause migration failures, as can insufficient storage capacity (D) on the target host and network connectivity issues (E) between the hypervisors. Option C is wrong: stale DNS records may cause name resolution problems but not migration failure.

Option A is wrong: license checks may block migration but are less common than resource issues.

648
MCQeasy

A security administrator needs to store database credentials and API keys securely in AWS. The credentials must be automatically rotated every 90 days. Which service should the administrator use?

A.AWS Systems Manager Parameter Store
B.AWS KMS
C.AWS Secrets Manager
D.AWS Certificate Manager
AnswerC

Secrets Manager stores secrets and supports automatic rotation.

Why this answer

AWS Secrets Manager is designed to store secrets and provides built-in rotation capabilities.

649
MCQmedium

A cloud architect is designing a disaster recovery solution for a critical database. The RTO is 4 hours and the RPO is 1 hour. Which replication strategy should the architect choose to meet these requirements?

A.Hot standby
B.Active-passive
C.Warm standby
D.Cold standby
AnswerC

Correct. Warm standby can achieve RPO of 1 hour and RTO of 4 hours.

Why this answer

Warm standby maintains a partially scaled environment with frequent replication, meeting an RPO of 1 hour and RTO of 4 hours.

650
Multi-Selecthard

Which TWO design patterns can help a cloud architect achieve a Recovery Time Objective (RTO) of less than 5 minutes for a critical application?

Select 2 answers
A.Warm standby
B.Multi-site active-active
C.Backup and restore
D.Pilot light
E.Hot standby (active/passive) with automatic failover
AnswersB, E

Multiple active sites can take over instantly, achieving RTO under 5 minutes.

Why this answer

Multi-site active-active (B) distributes the application workload across two or more geographically separated sites, with all sites actively serving traffic. If one site fails, traffic is instantly rerouted to the remaining sites via DNS load balancing or global server load balancing (GSLB), enabling sub-5-minute RTO because there is no cold start or failover delay. Hot standby (active/passive) with automatic failover (E) maintains a fully provisioned standby environment that mirrors the primary, with automatic health checks and failover mechanisms (e.g., using AWS Route 53 health checks or Azure Traffic Manager) that can redirect traffic within seconds to minutes, meeting a strict RTO of under 5 minutes.

Exam trap

CompTIA often tests the misconception that warm standby or pilot light can achieve sub-5-minute RTO, but candidates forget that these patterns require manual scaling or provisioning steps that add significant delay, unlike the fully pre-provisioned and automated failover in active-active or hot standby.

651
MCQmedium

A cloud engineer notices that an auto-scaling group is adding and removing instances too frequently, causing instability. Which configuration parameter should be adjusted to reduce this behavior?

A.Increase the health check grace period
B.Disable lifecycle hooks
C.Increase the cooldown period
D.Lower the scaling metric thresholds
AnswerC

A longer cooldown prevents rapid successive scaling actions.

Why this answer

Cooldown periods prevent auto-scaling from launching or terminating instances too rapidly after a scaling activity. Scaling thresholds affect when scaling triggers, but the issue is frequency. Lifecycle hooks are for custom actions during scaling events.

Health check grace period is for initial instance health.

652
MCQhard

A company is designing a multi-cloud disaster recovery solution. They need to ensure RPO of 15 minutes and RTO of 1 hour for critical workloads. Which of the following should be implemented?

A.Asynchronous replication to a secondary cloud with a 30-minute delay
B.Synchronous replication to a standby environment in another cloud provider
C.Pilot light environment that is started manually during a disaster
D.Daily backups to object storage in a different region
AnswerB

Correct; synchronous replication provides low RPO and fast failover.

Why this answer

Synchronous replication ensures that data is written to both the primary and standby environments simultaneously, guaranteeing zero data loss and meeting the 15-minute RPO. With a pre-configured standby environment in another cloud provider, failover can occur within minutes, satisfying the 1-hour RTO. This approach provides the lowest possible RPO and RTO for critical workloads.

Exam trap

CompTIA often tests the distinction between synchronous and asynchronous replication, where candidates mistakenly choose asynchronous replication for low RPO requirements, not realizing that asynchronous replication inherently introduces a delay equal to the replication interval.

How to eliminate wrong answers

Option A is wrong because asynchronous replication with a 30-minute delay cannot achieve a 15-minute RPO, as data loss could be up to 30 minutes. Option C is wrong because a pilot light environment that is started manually during a disaster typically has an RTO of hours, not 1 hour, due to the time required to provision and configure resources. Option D is wrong because daily backups to object storage cannot meet a 15-minute RPO, as data loss could be up to 24 hours, and recovery from backups often takes longer than 1 hour.

653
MCQhard

A security administrator is configuring a Web Application Firewall (WAF) to protect a public-facing web application. The application experiences a high volume of traffic from certain geographic regions that are not serving customers. Which WAF feature should be used to block this traffic?

A.Rate limiting
B.OWASP rule set
C.Geo-blocking
D.IP reputation lists
AnswerC

Geo-blocking restricts traffic by country or region.

Why this answer

Geo-blocking allows the WAF to block or allow traffic based on geographic location, reducing unwanted traffic and potential attacks.

654
MCQmedium

A cloud engineer is creating an Ansible playbook to provision cloud resources on AWS. Ansible is agentless; it connects to managed nodes via SSH. Which component defines the desired state of cloud resources in Ansible?

A.Playbooks
B.Roles
C.Modules
D.Inventory
AnswerC

Modules are the actual code that enforces state on cloud resources.

Why this answer

Ansible uses modules to interact with cloud APIs. AWS modules, such as ec2, define the desired state of resources like EC2 instances.

655
MCQeasy

The exhibit shows the output of the df command and an application error. What is the most likely cause of the error?

A.The /dev/shm partition is full.
B.The /var partition is full.
C.The filesystem is corrupt.
D.The inode usage on the root filesystem is exhausted.
AnswerB

The root partition is at 95% usage, and since /var is under /, it is likely full.

Why this answer

Option B is correct because the root partition is at 95% usage, and the application writes to /var/log, which is on the root filesystem. Option A is wrong because the tmpfs mounted at /dev/shm is empty. Option D is plausible, but df shows block space, not inodes; inode exhaustion would produce the same error, but space exhaustion is the more likely cause.

Option C is wrong because nothing in the output indicates filesystem corruption.

656
Multi-Selectmedium

A cloud engineer is troubleshooting a VM that is experiencing high latency. The VM is hosted on a hypervisor with other VMs. Which TWO metrics should the engineer review to identify if resource contention is occurring?

Select 2 answers
A.Memory ballooning
B.CPU ready time
C.Network packet drops
D.Swap usage
E.Disk queue length
AnswersA, B

Correct; memory ballooning indicates memory contention.

Why this answer

Memory ballooning (A) is a VMware mechanism where the hypervisor reclaims idle memory from a VM by inflating a balloon driver, forcing the VM to swap. High ballooning indicates memory overcommitment and contention, directly causing latency. CPU ready time (B) measures the time a VM is ready to run but waiting for a physical CPU core; elevated ready time signals CPU contention among VMs on the same hypervisor.

Exam trap

CompTIA often tests the distinction between guest-level metrics (swap usage, disk queue length) and hypervisor-level metrics (ballooning, ready time), and the trap here is that candidates confuse swap usage (guest OS paging) with memory ballooning (hypervisor reclaim), or assume network packet drops indicate VM contention rather than network issues.

657
MCQmedium

A company wants to implement a tagging strategy for their cloud resources to track costs by department and project. Tags must be applied to resources such as virtual machines and storage buckets. Which of the following is a best practice for cost attribution using tags?

A.Apply tags to resources only after creation to avoid governance issues.
B.Define a set of mandatory tag keys such as CostCenter, Project, and Environment with standardized values.
C.Use a single tag key 'Environment' with values 'Production' or 'Development'.
D.Use free-form text for tag values to allow flexibility.
AnswerB

Mandatory tags with controlled values ensure consistent cost attribution across all resources.

Why this answer

Using a consistent tagging strategy with key-value pairs (e.g., Department:Finance, Project:Alpha) allows cost allocation and reporting in billing dashboards.

658
MCQmedium

A company is migrating a large Oracle database (2 TB) from on-premises to AWS RDS for Oracle. They require minimal downtime and need to keep the source database running during migration. Which AWS service should they use to achieve continuous replication?

A.AWS DataSync
B.AWS DMS with CDC
C.AWS S3 Transfer Acceleration
D.AWS Snowball Edge
AnswerB

AWS DMS with CDC enables continuous replication and minimal downtime.

Why this answer

AWS DMS with Change Data Capture (CDC) is the correct choice because it enables continuous replication of ongoing changes from the source Oracle database to the target RDS for Oracle instance, allowing the source to remain fully operational during migration. CDC captures incremental changes (inserts, updates, deletes) from the source's redo logs, minimizing downtime to a brief cutover window. This meets the requirement of a 2 TB database with minimal downtime while keeping the source running.

Exam trap

The trap here is that candidates confuse AWS DataSync or S3 Transfer Acceleration as suitable for database replication, but they lack CDC capabilities and are designed for file or object transfers, not transactional database synchronization.

How to eliminate wrong answers

Option A is wrong because AWS DataSync moves files and objects between on-premises storage (NFS, SMB, HDFS) and AWS storage services such as S3, EFS and FSx; it can run on a schedule, but it copies files, not database transactions, and has no change data capture. Option C is wrong because S3 Transfer Acceleration only speeds up uploads to S3 buckets over the internet through CloudFront edge locations and plays no role in database replication. Option D is wrong because Snowball Edge is a physical device for offline bulk transfer; it cannot provide continuous replication, and every change made to the source after the export was loaded onto the device would still have to be reconciled separately at cutover.

659
MCQeasy

A user reports being unable to upload files to an S3 bucket named 'my-bucket'. The IAM policy attached to the user is shown in the exhibit. What is the most likely reason for the failure?

A.The policy requires a condition that is not met.
B.The policy does not include s3:PutObjectAcl, which is needed.
C.The policy has a typo in the Action field.
D.The bucket policy denies the upload.
AnswerB

Many upload operations require PutObjectAcl.

Why this answer

The IAM policy grants s3:PutObject, which allows uploading an object, but not s3:PutObjectAcl. When an upload sets an ACL (for example because the SDK call, or a bucket policy on a cross-account bucket, requires the x-amz-acl: bucket-owner-full-control header), IAM authorizes the request as both s3:PutObject and s3:PutObjectAcl, and the missing ACL permission produces an AccessDenied error even though the plain upload permission is present. One caveat a practitioner should know: on buckets whose Object Ownership setting is "bucket owner enforced" (the default for new buckets since April 2023) ACLs are disabled, so s3:PutObjectAcl is never required there and the upload should be sent without any ACL.

Exam trap

CompTIA often tests the distinction between s3:PutObject and s3:PutObjectAcl, trapping candidates who assume that upload permission alone is sufficient when ACL requirements are enforced.

How to eliminate wrong answers

Option A is wrong because the exhibit does not show any condition block in the policy, so there is no condition to be unmet. Option C is wrong because 's3:PutObject' is a valid action with correct casing and syntax, so there is no typo. Option D is wrong because the bucket policy is not mentioned in the scenario; the failure is attributed to the user's IAM policy, and bucket policies are separate from IAM policies.
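Added example (not part of the question bank and not AWS's own code): a small Python model of the IAM decision for an S3 upload, showing why a policy that grants only s3:PutObject fails as soon as the request carries an ACL, and why an explicit Deny wins over any Allow. The policies, bucket name and object keys are constructed; wildcard matching is approximated with fnmatch and policy conditions are not modelled.

```python
"""IAM-style decision for an S3 PutObject request (added example, constructed data).

Models the rule IAM applies: an explicit Deny anywhere wins; otherwise the
request needs a matching Allow for *every* action it implies; anything else is
an implicit deny. A PUT that sets an ACL implies s3:PutObjectAcl as well as
s3:PutObject.
"""
import fnmatch

BUCKET = "my-bucket"  # bucket name from the question; the policies are constructed

# Policy from the scenario: upload allowed, ACL changes not.
UPLOAD_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": "s3:PutObject",
         "Resource": f"arn:aws:s3:::{BUCKET}/*"},
    ],
}

# Fix: grant the ACL action on the same object resource.
UPLOAD_WITH_ACL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:PutObject", "s3:PutObjectAcl"],
         "Resource": f"arn:aws:s3:::{BUCKET}/*"},
        # Explicit Deny on a protected prefix: wins even over the Allow above.
        {"Effect": "Deny",
         "Action": "s3:*",
         "Resource": f"arn:aws:s3:::{BUCKET}/restricted/*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # fnmatch handles the '*' and '?' wildcards IAM supports in Action/Resource.
    return fnmatch.fnmatchcase(value, pattern)


def implied_actions(acl_requested):
    """Actions IAM authorizes for a PUT; the ACL action only when an ACL is set."""
    return ["s3:PutObject", "s3:PutObjectAcl"] if acl_requested else ["s3:PutObject"]


def evaluate(policy, action, resource):
    """Return 'Allow' or 'Deny' for a single action/resource pair."""
    allowed = False
    for stmt in policy["Statement"]:
        # Action names are case-insensitive in IAM; resource ARNs are case-sensitive.
        action_hit = any(_matches(a.lower(), action.lower()) for a in _as_list(stmt["Action"]))
        resource_hit = any(_matches(r, resource) for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # explicit deny is final
        allowed = True
    return "Allow" if allowed else "Deny"   # no matching Allow -> implicit deny


def upload_outcome(policy, key, acl_requested):
    """Simulate PUT s3://my-bucket/<key>; returns (succeeded, first_denied_action)."""
    resource = f"arn:aws:s3:::{BUCKET}/{key}"
    for action in implied_actions(acl_requested):
        if evaluate(policy, action, resource) != "Allow":
            return False, action
    return True, None


if __name__ == "__main__":
    # Plain PUT works; a PUT that sets an ACL is denied on the ACL action.
    print(upload_outcome(UPLOAD_ONLY_POLICY, "reports/q1.csv", acl_requested=False))
    print(upload_outcome(UPLOAD_ONLY_POLICY, "reports/q1.csv", acl_requested=True))
    # With the corrected policy the same request succeeds ...
    print(upload_outcome(UPLOAD_WITH_ACL_POLICY, "reports/q1.csv", acl_requested=True))
    # ... unless an explicit Deny covers the object.
    print(upload_outcome(UPLOAD_WITH_ACL_POLICY, "restricted/keys.txt", acl_requested=False))
```

The returned action name is the one to look for in the AccessDenied message from S3 (or in CloudTrail's errorMessage), which tells you directly which permission to add rather than guessing.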

660
Multi-Selecteasy

A cloud administrator is troubleshooting a virtual machine that is experiencing high memory usage. The VM is running a web server. Which two metrics should the administrator monitor to determine if the VM needs additional memory? (Choose two.)

Select 2 answers
A.Swap usage
B.Disk I/O wait
C.Page fault rate
D.Available memory
E.CPU ready time
AnswersA, D

High swap usage indicates the OS is using disk as memory, a sign of insufficient physical memory.

Why this answer

Options A and D are correct. Available memory directly shows how much RAM the guest can still hand out without reclaiming cache, and swap usage shows that the OS has already been forced to use disk as memory, a sign of insufficient RAM. Option B (disk I/O wait) is a storage metric, although heavy swapping will also drive it up. Option C (page fault rate) includes the minor faults that occur on any healthy system, so it is less direct than swap usage. Option E (CPU ready time) is a hypervisor-level CPU contention metric, not a memory metric.
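Added example (not from the question bank): a Python check that reads the two metrics from the question, available memory and swap usage, out of /proc/meminfo and flags the guest as memory-constrained only when both agree. It uses MemAvailable rather than MemFree, because a web server's page cache makes MemFree look low on a perfectly healthy host. The /proc/meminfo excerpts are constructed; on a real guest pass the contents of the file, and treat a sustained series of bad samples, not a single one, as the signal. Hypervisor-side metrics (ballooning, ready time) are the other half of the picture and are not visible from inside the guest.

```python
"""Guest-side memory check from /proc/meminfo (added example, constructed samples)."""

# Constructed excerpt for a 4 GiB guest that is swapping hard.
SAMPLE_PRESSURED = """\
MemTotal:        4046000 kB
MemFree:          102400 kB
MemAvailable:     180000 kB
Buffers:           20000 kB
Cached:           150000 kB
SwapTotal:       2097148 kB
SwapFree:         524288 kB
"""

# Constructed excerpt for a healthy guest: little free RAM, plenty available.
SAMPLE_HEALTHY = """\
MemTotal:        4046000 kB
MemFree:          150000 kB
MemAvailable:    2900000 kB
Buffers:          300000 kB
Cached:          2500000 kB
SwapTotal:       2097148 kB
SwapFree:        2097148 kB
"""


def parse_meminfo(text):
    """Return {field: kB} for every 'Name:   value kB' line."""
    info = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        name, rest = line.split(":", 1)
        info[name.strip()] = int(rest.split()[0])
    return info


def memory_pressure(info, min_available_pct=10.0, max_swap_used_pct=25.0):
    """Classify one sample; returns the numbers and the verdict."""
    total = info["MemTotal"]
    # Kernels before 3.14 lack MemAvailable; approximate it the way they did.
    available = info.get("MemAvailable",
                         info["MemFree"] + info.get("Buffers", 0) + info.get("Cached", 0))
    swap_total = info.get("SwapTotal", 0)
    swap_used = swap_total - info.get("SwapFree", 0)
    available_pct = round(100.0 * available / total, 1)
    swap_used_pct = round(100.0 * swap_used / swap_total, 1) if swap_total else 0.0
    reasons = []
    if available_pct < min_available_pct:
        reasons.append(f"MemAvailable {available_pct}% < {min_available_pct}%")
    if swap_used_pct > max_swap_used_pct:
        reasons.append(f"swap used {swap_used_pct}% > {max_swap_used_pct}%")
    return {
        "available_pct": available_pct,
        "swap_used_pct": swap_used_pct,
        "needs_memory": len(reasons) == 2,   # require both signals, not just one
        "reasons": reasons,
    }


if __name__ == "__main__":
    print(memory_pressure(parse_meminfo(SAMPLE_PRESSURED)))
    print(memory_pressure(parse_meminfo(SAMPLE_HEALTHY)))
```

Requiring both signals avoids the two classic false alarms: a box with no swap configured never shows swap usage, and a cache-heavy box always shows low MemFree.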

661
MCQhard

An organization uses a cloud-based infrastructure with multiple VPCs peered together. The security team notices that traffic between VPCs is not being inspected by the central firewall. What design change should be implemented to ensure all inter-VPC traffic passes through a centralized firewall?

A.Use VPC endpoints for all inter-VPC communication
B.Apply network ACLs to all subnets in each VPC
C.Set up a transit VPC with a firewall appliance and route traffic through it
D.Implement VPC peering between all VPCs and attach a firewall to each VPC
AnswerC

A transit VPC acts as a hub, routing all inter-VPC traffic through a central firewall for inspection.

Why this answer

Option C is correct because a transit VPC architecture uses a centralized hub VPC containing a firewall appliance (e.g., a next-generation firewall) and steers all inter-VPC traffic through it. Each spoke VPC's route tables point the other VPCs' CIDRs (or a summary route) at the hub, and the hub's route table points spoke destinations at the appliance's network interface, so every packet between VPCs is forced through the firewall for inspection. Because AWS VPC peering is not transitive, the classic transit VPC design connects each spoke to the appliance over IPsec VPN tunnels from the spoke's virtual private gateway rather than over peering; today the same goal is usually met with AWS Transit Gateway and an inspection route table that hands spoke-to-spoke traffic to the firewall.

Exam trap

The trap here is that candidates confuse VPC peering (which allows direct, non-inspected traffic) with a transit VPC (which forces traffic through a central inspection point), or they mistakenly think network ACLs or VPC endpoints can provide centralized traffic inspection.

How to eliminate wrong answers

Option A is wrong because VPC endpoints (e.g., Gateway or Interface endpoints) are designed for private connectivity to AWS services (like S3 or DynamoDB) without traversing the internet, not for routing general inter-VPC traffic through a central firewall. Option B is wrong because network ACLs are stateless, subnet-level filters that control inbound/outbound traffic at the subnet boundary but do not force traffic through a centralized inspection point; they only allow or deny traffic based on rules, not route it. Option D is wrong because implementing VPC peering between all VPCs creates a full mesh, but attaching a firewall to each VPC would require managing multiple firewalls and does not guarantee centralized inspection; traffic would flow directly between peered VPCs without passing through a single firewall, defeating the goal of centralized inspection.
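Added example (not from the question bank): a Python model that treats VPC route tables as longest-prefix-match lookups and traces each spoke-to-spoke path, reporting which pairs bypass the firewall. It contrasts the full-mesh design of option D with the hub design of option C. VPC names, CIDRs and the firewall target are constructed; the hop named `to:<vpc>` stands for whatever attachment leads into that VPC (in a real AWS deployment a VPN tunnel to the appliance or a Transit Gateway attachment, since peering is not transitive).

```python
"""Does every spoke-to-spoke path cross the inspection hub? (added example)

Route targets: 'local' (the implicit intra-VPC route every VPC has),
'to:<vpc>' (an attachment leading into that VPC) and FIREWALL (the appliance
interface in the transit VPC, where inspection happens).
"""
import ipaddress

SPOKES = {"vpc-app": "10.1.0.0/16", "vpc-data": "10.2.0.0/16", "vpc-shared": "10.3.0.0/16"}
HUB = "vpc-transit"
HUB_CIDR = "10.0.0.0/16"
FIREWALL = "eni-firewall"   # constructed id for the appliance interface


def route_table(vpc_cidr, routes):
    """(network, target) entries plus the implicit local route."""
    table = [(ipaddress.ip_network(vpc_cidr), "local")]
    table += [(ipaddress.ip_network(dst), target) for dst, target in routes]
    return table


def lookup(table, dst_ip):
    """Longest-prefix match, as a VPC route table does."""
    ip = ipaddress.ip_address(dst_ip)
    hits = [(net, target) for net, target in table if ip in net]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


def mesh_tables():
    """Option D: full-mesh peering between spokes, nothing inspected."""
    tables = {}
    for name, cidr in SPOKES.items():
        routes = [(other_cidr, f"to:{other}")
                  for other, other_cidr in SPOKES.items() if other != name]
        tables[name] = route_table(cidr, routes)
    return tables


def transit_tables():
    """Option C: each spoke sends everything non-local to the hub; the hub's
    route table hands spoke destinations to the firewall appliance."""
    tables = {name: route_table(cidr, [("10.0.0.0/8", f"to:{HUB}")])
              for name, cidr in SPOKES.items()}
    tables[HUB] = route_table(HUB_CIDR, [(cidr, FIREWALL) for cidr in SPOKES.values()])
    return tables


def trace(tables, src_vpc, dst_ip, max_hops=6):
    """Follow next hops until the packet is delivered locally, reaches the
    firewall (the appliance forwards it on from there), or is blackholed."""
    path, vpc = [src_vpc], src_vpc
    for _ in range(max_hops):
        target = lookup(tables[vpc], dst_ip)
        if target is None:
            path.append("blackhole")
            break
        if target == "local":
            break
        path.append(target)
        if target == FIREWALL:
            break
        vpc = target[len("to:"):]
    return path


def uninspected_pairs(tables):
    """(src, dst) spoke pairs whose path never passes the firewall."""
    bad = []
    for src in SPOKES:
        for dst, dst_cidr in SPOKES.items():
            if src == dst:
                continue
            probe = str(ipaddress.ip_network(dst_cidr)[10])   # some host in dst
            if FIREWALL not in trace(tables, src, probe):
                bad.append((src, dst))
    return bad


if __name__ == "__main__":
    print("mesh   :", uninspected_pairs(mesh_tables()))     # all six pairs bypass
    print("transit:", uninspected_pairs(transit_tables()))  # none
    print(trace(transit_tables(), "vpc-app", "10.2.0.10"))
```

The same trace is worth running against the real route tables (describe-route-tables output) after every change: a single more-specific route added to a spoke, such as a direct peering route for one CIDR, silently wins the longest-prefix match and takes that pair out of inspection.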

662
MCQhard

A company uses Azure RBAC to manage access to resources. A user is assigned a Contributor role at the subscription scope. Which of the following is true regarding the scope of this role?

A.The user will have Contributor permissions only on resources created after the assignment.
B.The user will have Contributor permissions on the subscription itself but not its resources.
C.The user will have Contributor permissions only on resource groups within the subscription.
D.The user will have Contributor permissions on all resources within the subscription.
AnswerD

Role assignment at subscription scope applies to all resources in that subscription.

Why this answer

Azure RBAC assignments are inherited down the scope hierarchy (management group → subscription → resource group → resource), so an assignment at subscription scope applies to every resource group and resource the subscription contains, including ones created after the assignment. Contributor can create and manage those resources but cannot grant access to others; assigning roles requires Owner or User Access Administrator.

663
MCQeasy

A cloud administrator needs to grant a developer read-only access to a specific storage bucket in AWS. Which IAM component should the administrator modify?

A.IAM policy
B.Security group
C.AWS WAF
D.Network ACL
AnswerA

IAM policies define permissions for AWS resources.

Why this answer

IAM policies are JSON documents that define permissions for AWS resources like S3 buckets.

664
MCQeasy

A cloud engineer is responsible for securing a multi-tier application deployed on IaaS. The application consists of web servers, application servers, and database servers. The engineer needs to implement network segmentation to minimize the attack surface. Which of the following is the BEST approach?

A.Use a single security group for all instances and define rules to allow traffic between tiers.
B.Create separate subnets for each tier and configure security groups to allow only required traffic between them.
C.Place web servers in a public subnet and application and database servers in the same private subnet with a common security group.
D.Place all instances in the same subnet and use network ACLs to restrict traffic between tiers.
AnswerB

Separate subnets with security groups enforce network segmentation and least privilege.

Why this answer

Option B is correct because creating separate subnets for each tier enforces network segmentation at the IP layer, which is a fundamental security best practice for multi-tier applications. By configuring security groups (stateful firewalls) to allow only the specific required traffic (e.g., HTTP/HTTPS from web to app, SQL from app to database), the engineer minimizes the attack surface by preventing lateral movement if one tier is compromised. This approach aligns with the principle of least privilege and is the most effective method in IaaS environments like AWS, Azure, or GCP.

Exam trap

The trap here is that candidates often confuse security groups with network ACLs or assume that placing servers in the same subnet with restrictive rules is sufficient, but CompTIA tests the understanding that true network segmentation requires separate subnets (or VLANs) to prevent layer-2 adjacency and lateral movement.

How to eliminate wrong answers

Option A is wrong because using a single security group for all instances violates network segmentation; any instance can potentially communicate with any other if rules are too permissive, and it does not isolate tiers, increasing the blast radius. Option C is wrong because placing application and database servers in the same private subnet with a common security group fails to isolate the database tier from the application tier, allowing an attacker who compromises the app server to directly access the database without additional network-level controls. Option D is wrong because placing all instances in the same subnet and relying solely on network ACLs (stateless) is insufficient; network ACLs evaluate rules in order and require explicit allow rules for return traffic, making them more complex to manage and easier to misconfigure, and they do not provide the same granular, stateful control as security groups.
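Added example (not from the question bank): a Python check of a security-group rule set against the tier policy option B describes, listing both required flows that are missing and forbidden flows that are allowed. Security groups are stateful, so only inbound rules are modelled and the default allow-all egress is assumed; a source may be a CIDR or another security group id, and "internet" stands for any address reaching a 0.0.0.0/0 rule. The group ids, ports and rules are constructed, and the model does not cover subnet routing or network ACLs, which sit underneath the security groups.

```python
"""Tier policy check for security-group rules (added example, constructed rules)."""

# Option B as rules: each tier admits only its upstream tier on one port.
GOOD_RULES = {
    "sg-web": [("tcp", 443, "0.0.0.0/0")],
    "sg-app": [("tcp", 8080, "sg-web")],
    "sg-db":  [("tcp", 3306, "sg-app")],
}

# A common mistake: the database group opened "temporarily" to everything.
BAD_RULES = {
    "sg-web": [("tcp", 443, "0.0.0.0/0")],
    "sg-app": [("tcp", 8080, "sg-web")],
    "sg-db":  [("tcp", 3306, "sg-app"), ("tcp", 3306, "0.0.0.0/0")],
}

# Flows the design needs: (source, destination group, port) ...
REQUIRED_FLOWS = {
    ("internet", "sg-web", 443),
    ("sg-web", "sg-app", 8080),
    ("sg-app", "sg-db", 3306),
}
# ... and flows that must never work (direct exposure and lateral movement).
FORBIDDEN_FLOWS = {
    ("internet", "sg-app", 8080),
    ("internet", "sg-db", 3306),
    ("sg-web", "sg-db", 3306),
}


def inbound_allowed(rules, source, dst_sg, port, proto="tcp"):
    """True if an instance in dst_sg accepts proto/port from source."""
    for rule_proto, rule_port, rule_src in rules.get(dst_sg, []):
        if rule_proto != proto or rule_port != port:
            continue
        if rule_src == source:
            return True
        if rule_src == "0.0.0.0/0":
            return True   # open to the world admits every source, internet included
    return False


def check_tier_policy(rules):
    """Return (missing_required_flows, forbidden_flows_that_are_allowed)."""
    missing = sorted(f for f in REQUIRED_FLOWS if not inbound_allowed(rules, *f))
    exposed = sorted(f for f in FORBIDDEN_FLOWS if inbound_allowed(rules, *f))
    return missing, exposed


if __name__ == "__main__":
    print(check_tier_policy(GOOD_RULES))   # ([], [])
    print(check_tier_policy(BAD_RULES))    # database reachable from web tier and internet
```

Referencing the upstream group id as the rule source, rather than its subnet CIDR, is what keeps the policy correct when instances are replaced by auto scaling; the CIDR form would also admit anything else that lands in that subnet.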

665
MCQhard

A company uses Azure and wants to enforce multi-factor authentication (MFA) for all administrative users. The solution must be centrally managed and apply to all Azure subscriptions. Which approach should be used?

A.Create a Conditional Access policy in Azure AD requiring MFA for all cloud apps
B.Configure MFA on each individual Azure subscription
C.Assign MFA to each user individually in Azure AD
D.Use Azure Policy to require MFA for admin roles
AnswerA

Conditional Access policies can enforce MFA tenant-wide.

Why this answer

Option A is correct because Conditional Access policies in Azure AD (now Microsoft Entra ID) are managed centrally in the tenant and apply to every subscription that trusts that tenant as its identity provider. Targeting the Microsoft Azure Management cloud app covers the portal, Azure CLI, Azure PowerShell and direct Resource Manager API calls, so administrators are challenged for MFA regardless of which subscription they manage. In practice the policy is scoped to directory roles such as Global Administrator or to an administrators group, and at least one emergency-access (break-glass) account is excluded so that a misconfigured policy cannot lock every administrator out.

Exam trap

The trap here is confusing Azure Policy (resource compliance) with Azure AD Conditional Access (identity security), leading candidates to select Option D, even though Azure Policy cannot enforce authentication requirements.

How to eliminate wrong answers

Option B is wrong because MFA cannot be configured on individual Azure subscriptions; MFA is an Azure AD feature, not a subscription-level setting. Option C is wrong because assigning MFA per user is not centrally managed and does not scale to apply to all subscriptions automatically; it also lacks the granularity of Conditional Access policies. Option D is wrong because Azure Policy is used for resource compliance (e.g., tagging, encryption) and cannot enforce MFA, which is an identity-level control managed by Azure AD.

666
MCQmedium

A cloud architect is designing a deployment strategy for a web application that must handle unpredictable traffic spikes. The application runs in containers on a Kubernetes cluster. The architect wants to minimize costs while ensuring that the cluster can scale out rapidly during spikes. Which deployment strategy best meets these requirements?

A.Pre-provision a fixed number of pods to handle peak load at all times.
B.Manually scale the deployment when monitoring alerts indicate high traffic.
C.Implement horizontal pod autoscaling based on CPU utilization.
D.Use vertical pod autoscaling to increase resource limits on existing pods.
AnswerC

HPA automatically adds/removes pods to match demand.

Why this answer

Horizontal Pod Autoscaling (HPA) automatically adjusts the number of pod replicas based on observed CPU utilization (or custom metrics), enabling rapid scale-out during traffic spikes without manual intervention. This minimizes costs by running only the necessary pods during low traffic while ensuring the cluster can react quickly to increased demand, which aligns with the requirement for unpredictable spikes.

Exam trap

CompTIA often tests the distinction between horizontal and vertical scaling in the context of cost and rapid elasticity; the trap here is that candidates may choose vertical autoscaling (Option D) thinking it is cheaper, but it cannot scale out quickly enough for unpredictable spikes and is limited by node resources.

How to eliminate wrong answers

Option A is wrong because pre-provisioning a fixed number of pods to handle peak load at all times results in over-provisioning and higher costs, as resources are wasted during low-traffic periods. Option B is wrong because manually scaling the deployment when monitoring alerts indicate high traffic introduces latency and cannot react quickly enough to unpredictable spikes, risking performance degradation. Option D is wrong because vertical pod autoscaling increases resource limits on existing pods, which does not provide rapid scale-out; it is limited by node capacity and cannot handle sudden traffic surges as effectively as adding more pod replicas.
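Added example (not from the question bank and not Kubernetes code): a Python implementation of the replica arithmetic the Kubernetes HPA controller uses, desired = ceil(currentReplicas × currentMetric / targetMetric), together with the 10% tolerance band that suppresses tiny changes, min/max clamping, and the scale-down stabilization window (the highest recommendation seen inside the window is applied, so replicas rise immediately and fall slowly). Pod request size, target utilization and the load series are constructed; the real controller samples every 15 seconds and defaults to a 300-second stabilization window.

```python
"""Horizontal Pod Autoscaler arithmetic (added example, constructed load series)."""
import math


def hpa_desired_replicas(current, current_util_pct, target_util_pct,
                         min_replicas=2, max_replicas=10, tolerance=0.1):
    """Replica recommendation for one sample of average pod utilization."""
    ratio = current_util_pct / target_util_pct
    if abs(ratio - 1.0) <= tolerance:
        desired = current                  # inside the tolerance band: no change
    else:
        desired = math.ceil(current * ratio)
    return max(min_replicas, min(max_replicas, desired))


def simulate(load_series, pod_request_m=500, target_util_pct=60,
             start_replicas=2, stabilization_window=3, **limits):
    """Replica count after each sample. load_series is total CPU demand in
    millicores per sample; per-pod utilization is demand / (replicas * request)."""
    replicas, history, result = start_replicas, [], []
    for load in load_series:
        util_pct = 100.0 * load / (replicas * pod_request_m)
        desired = hpa_desired_replicas(replicas, util_pct, target_util_pct, **limits)
        history.append(desired)
        if desired < replicas:
            # scale-down stabilization: apply the max recommendation in the window
            desired = max(history[-stabilization_window:])
        replicas = desired
        result.append(replicas)
    return result


# Constructed traffic: idle, a spike to four times capacity, then back to idle.
LOAD = [400, 400, 2000, 2000, 2000, 700, 400, 400, 400, 400]

if __name__ == "__main__":
    print(simulate(LOAD))   # scale-out happens in one step, scale-in over several
```

The spike sample shows the cost argument from the question: the group runs at the 2-replica minimum until demand arrives, jumps straight to 7 because the ratio is applied to the whole group, and only drains back after the window has seen nothing but low recommendations. Pods must declare CPU requests for utilization to be defined at all; without them the HPA cannot compute a ratio and reports an error instead of scaling.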

667
MCQmedium

A cloud administrator is troubleshooting connectivity issues between two virtual networks in different regions. The VNets are peered, but instances cannot communicate. The administrator verifies that the peering status is 'Connected' and route tables appear correct. Which of the following should be checked next?

A.Network Security Group (NSG) rules on the instances and subnets
B.DNS resolution settings
C.Gateway subnet configuration
D.Service endpoint status
AnswerA

Correct; NSGs can block traffic even if VNet peering is established.

Why this answer

Even when VNet peering shows 'Connected' and route tables are correct, NSG rules can still block traffic. NSGs are stateful filters applied at the subnet and/or NIC level and evaluated in priority order. The default rules do permit traffic from peered networks, because the VirtualNetwork service tag includes the address space of peered VNets, but any custom higher-priority rule that denies the port, or an allow rule written only for the local address range, silently drops the inter-region traffic. Since routing has already been verified, the next step is to review the effective NSG rules on both the source and destination NIC and subnet; Azure Network Watcher's IP flow verify reports which rule allows or denies a given source, destination, port and protocol.

Exam trap

The trap here is that candidates assume a 'Connected' peering status guarantees traffic flow, but they overlook that NSGs can silently drop traffic even when peering and routing are correctly configured.

How to eliminate wrong answers

Option B is wrong because DNS resolution settings affect name resolution, not IP-level connectivity; if instances cannot communicate via IP, DNS is irrelevant. Option C is wrong because gateway subnets are only used for VPN or ExpressRoute gateways, not for VNet peering; peering does not require a gateway. Option D is wrong because service endpoints are used to secure Azure service access (e.g., Storage, SQL) from a VNet, not for traffic between peered VNets; they do not control inter-VNet communication.

668
MCQmedium

A cloud operations team wants to be notified when the average CPU utilization of an auto-scaling group exceeds 80% for 5 consecutive minutes. They also want to avoid notification storms. Which alerting configuration should they use?

A.Step scaling policy triggered by a CloudWatch Alarm with a threshold of 80% for 5 evaluation periods
B.Simple scaling policy with a cooldown period
C.Scheduled scaling action to increase capacity at peak times
D.Anomaly detection based on a band model with a sensitivity of 2
AnswerA

This setup alerts when CPU > 80% for 5 consecutive minutes, reducing false alarms.

Why this answer

CloudWatch alarms are defined by a static threshold, a period and a number of evaluation periods (optionally M out of N datapoints). With a 1-minute period and 5 evaluation periods at a threshold of 80%, the alarm enters ALARM only after the condition has held for 5 consecutive minutes, which filters short spikes. Notification storms are avoided because alarm actions run on state transitions (OK to ALARM and back), not on every breaching datapoint.
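Added example (not from the question bank and not CloudWatch's own code): a Python model of the two behaviours that stop notification storms, an alarm that enters ALARM only when M of the last N datapoints breach the threshold, and actions that fire on a state transition rather than on every breaching datapoint. It mirrors how CloudWatch evaluates a static-threshold alarm once a full window of data exists; missing-data handling (TreatMissingData) is not modelled. The CPU series is constructed, one datapoint per 1-minute period.

```python
"""Alarm evaluation with consecutive periods and transition-only notifications
(added example, constructed CPU series)."""

# Constructed: average CPU % of the auto-scaling group, one value per minute.
CPU_SERIES = [50, 85, 90, 60, 85, 88, 91, 95, 82, 84, 70, 65, 60, 55]


def evaluate_alarm(series, threshold=80.0, evaluation_periods=5, datapoints_to_alarm=5):
    """Return (state_per_period, notifications).

    notifications is a list of (period_index, new_state), emitted only when
    the state changes, which is when CloudWatch runs the alarm's actions.
    """
    states, notifications = [], []
    state = "INSUFFICIENT_DATA"
    for i in range(len(series)):
        if i + 1 < evaluation_periods:
            states.append(state)          # window not yet full
            continue
        window = series[i + 1 - evaluation_periods:i + 1]
        breaching = sum(1 for v in window if v > threshold)
        new_state = "ALARM" if breaching >= datapoints_to_alarm else "OK"
        if new_state != state:
            notifications.append((i, new_state))
            state = new_state
        states.append(state)
    return states, notifications


def naive_alert_count(series, threshold=80.0):
    """What a per-datapoint rule would send: one alert per breaching minute."""
    return sum(1 for v in series if v > threshold)


if __name__ == "__main__":
    states, notes = evaluate_alarm(CPU_SERIES)
    print(states)
    print(notes)                           # three transitions, one of them into ALARM
    print(naive_alert_count(CPU_SERIES))   # versus eight raw alerts
```

Setting datapoints_to_alarm below evaluation_periods (for example 4 of 5) makes the alarm tolerate a single good minute inside a bad stretch, which is the knob to reach for when a flapping metric keeps the alarm bouncing between states.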

669
MCQmedium

A cloud engineer is designing a VPC in AWS for a three-tier web application. The web servers must be accessible from the internet, the application servers must be isolated from the internet but reachable by web servers, and the database servers must be isolated from both. How many subnets should be created, and which type should each be?

A.Two subnets: public for web, private for app and database together
B.Three subnets: public for web, private for app, and private for database with stricter security groups
C.One public subnet for all tiers
D.Four subnets: two public for redundancy, two private for app and database
AnswerB

This provides proper isolation: web in public, app in private, database in isolated private subnet.

Why this answer

A three-tier architecture uses three subnets: a public subnet for the web servers, a private subnet for the application servers, and a separate private subnet for the database servers. Only the public subnet has a route to the internet gateway; the application subnet reaches the internet, if it needs to at all, through a NAT gateway, and the database subnet has no internet route in either direction. Security groups then restrict each tier to its upstream tier (web to app, app to database). A single subnet cannot isolate the tiers, and two subnets would combine the application and database tiers, violating the isolation requirement.

670
MCQhard

A company has a hybrid cloud environment with on-premises servers and AWS. They deploy a new application using AWS Elastic Beanstalk with a load balancer and auto scaling group. The application is a Node.js API that connects to an RDS MySQL database. After deployment, users report that the API returns a '500 Internal Server Error' intermittently. The application logs show 'ETIMEDOUT' errors when connecting to the database. The database is deployed in a private subnet with a security group that allows inbound traffic from the Elastic Beanstalk environment's security group. The database connection string uses the RDS endpoint. The same application works perfectly when deployed on-premises. What is the most likely cause?

A.The database connection string uses the wrong port number
B.The Elastic Beanstalk environment is in a different VPC or subnet that cannot reach the RDS instance
C.The security group attached to the RDS instance does not allow traffic from the Elastic Beanstalk environment
D.The RDS instance is in a failed state and needs to be rebooted
AnswerB

Network connectivity between VPCs or subnets is likely misconfigured, causing timeouts.

Why this answer

The intermittent 'ETIMEDOUT' errors indicate that connection attempts from the Elastic Beanstalk instances to the RDS database are being dropped rather than refused. Since the application works on-premises, the problem lies in the AWS networking configuration. The most likely cause is that the Elastic Beanstalk environment was launched in a different VPC, or in subnets without a route to the RDS instance's private subnet, so the instances cannot reach the database. The intermittent pattern fits this explanation well: an auto scaling group spreads instances across several subnets, and requests served by the instances that happen to land in a subnet with no path to the database time out while the others succeed.

Exam trap

The trap here is that candidates jump to a security group misconfiguration, but CompTIA tests the ability to reason from the scenario: the security group rule allowing the Elastic Beanstalk environment's group is stated as already in place, so what remains is reachability (VPC placement and routing). Note that 'ETIMEDOUT' by itself does not rule out a firewall: security groups and network ACLs drop packets silently, which also produces timeouts rather than 'connection refused'. It is the stated rule, not the error type, that eliminates Option C.

How to eliminate wrong answers

Option A is wrong because the connection string uses the RDS endpoint hostname and, for MySQL, the default port 3306; a wrong port on a reachable host is answered with a TCP reset and surfaces as 'ECONNREFUSED', not 'ETIMEDOUT', and it would fail every request rather than some of them. Option C is wrong because the scenario states that the security group already allows inbound traffic from the Elastic Beanstalk environment's security group; had the rule been missing, every instance would time out consistently, since security groups drop disallowed packets silently. Option D is wrong because an RDS instance in a failed state would produce persistent errors for every instance, and rebooting the database would not fix a network path problem.

671
MCQmedium

A DevOps team wants to deploy a containerized application to a Kubernetes cluster with zero downtime. The team needs to gradually shift traffic from the old version to the new version, monitoring error rates and automatically rolling back if errors exceed a threshold. Which deployment strategy should the team implement?

A.Blue/green deployment
B.Rolling deployment
C.Recreate deployment
D.Canary deployment
AnswerD

Canary gradually shifts traffic percentage, monitors, and can auto-rollback.

Why this answer

A canary deployment releases the new version to a small share of traffic, monitors error rates and latency, and rolls back automatically if they exceed a threshold, meeting the zero-downtime and auto-rollback requirements. A plain Kubernetes Deployment cannot do this by itself: its rolling update replaces pods, not traffic percentages, and it never rolls back on its own. Weighted traffic shifting and metric-driven rollback come from a progressive-delivery controller such as Argo Rollouts or Flagger working with an ingress controller or service mesh.

672
Multi-Selectmedium

A company is migrating 100 TB of data from on-premises to Google Cloud Storage. The network bandwidth is 1 Gbps, and the migration window is two weeks. Which TWO services should the company consider to complete the transfer within the window? (Choose two.)

Select 2 answers
A.Transfer Appliance
B.gsutil
C.Cloud Dataflow
D.Cloud VPN
E.Storage Transfer Service
AnswersA, E

Transfer Appliance is a physical device for offline transfer, suitable for large data when network is slow.

Why this answer

Storage Transfer Service handles online transfers from on-premises file systems, other clouds and HTTP sources into Cloud Storage, and Transfer Appliance provides offline physical shipping for large datasets when the network is insufficient. The arithmetic shows why both belong on the list: 100 TB is 8 × 10^14 bits, which at a full 1 Gbps takes 800,000 seconds, about 9.3 days. That fits in two weeks only if the link is dedicated, uninterrupted and sustained near line rate; at a more realistic 60 to 70% of line rate the transfer takes 13 to 15 days, so Transfer Appliance removes the dependency on the link.

673
MCQmedium

A cloud engineer is configuring a dashboard to monitor costs across multiple projects. The company uses tags to track costs by project, environment, and team. Which AWS tool allows the engineer to create custom cost and usage reports filtered by tags?

A.AWS Trusted Advisor
B.AWS Cost Explorer
C.AWS Budgets
D.AWS Billing Conductor
AnswerB

Cost Explorer provides customizable cost reports with tag filtering.

Why this answer

AWS Cost Explorer allows filtering by tags and creating custom reports for cost analysis.

674
MCQhard

A company uses Google Cloud Platform (GCP) and wants to enforce that all service accounts used by applications have only the permissions necessary to perform their tasks. Which IAM concept should the administrator apply?

A.Separation of duties
B.Privileged access management (PAM)
C.Role-based access control (RBAC)
D.Least privilege
AnswerD

Least privilege is the principle of granting minimal necessary permissions.

Why this answer

The principle of least privilege dictates granting only the required permissions. In GCP, this is achieved by assigning predefined roles that are narrowly scoped to specific services, and by using conditions to further restrict access.

675
MCQmedium

A company is using AWS and wants to minimize costs for a batch processing workload that runs for 2 hours every night. The workload can tolerate interruptions. Which pricing model should the company choose?

A.Dedicated hosts
B.Spot instances
C.Reserved instances
D.On-demand instances
AnswerB

Spot instances offer the lowest cost and are suitable for fault-tolerant, short-lived workloads.

Why this answer

Spot instances offer significant discounts and are suitable for fault-tolerant, interruptible workloads. The workload's short duration and tolerance for interruption make spot instances ideal for cost savings.
