CCNA Operations and Support Questions

75 of 193 questions · Page 1/3 · Operations and Support · Answers revealed

1
MCQmedium

A company is migrating its on-premises workloads to a public cloud. The security team requires that all data in transit between the cloud resources and on-premises be encrypted. Which solution should the cloud architect recommend?

A.Deploy a hardware security module (HSM) for key management.
B.Enable encryption on the cloud storage buckets.
C.Use TLS for all application traffic.
D.Implement a VPN tunnel between the cloud VPC and the on-premises network.
AnswerD

Correct. A VPN encrypts all network traffic between sites, ensuring all data in transit is encrypted.

Why this answer

A VPN tunnel encrypts all IP traffic between the cloud VPC and on-premises network, covering all data in transit. Other options are insufficient or address different aspects.

2
MCQhard

An application log shows the entries above. The application is a web server running on a virtual machine in a cloud environment. The database is a managed cloud database service. Which of the following is the MOST likely root cause of the failure?

A.A network firewall is blocking traffic to the database.
B.The database connection pool is exhausted.
C.The application's database credentials are incorrect or the application's IP is not whitelisted.
D.The database service is down.
AnswerC

The 'Failed to authenticate' error indicates credential or firewall whitelist issue.

Why this answer

Option D is correct because the log shows authentication failure after retries, indicating credentials or IP whitelisting issue. Option A is wrong because the timeout is a symptom, not root cause; after timeout, authentication fails. Option B is wrong because network firewall would block all traffic, not just authentication.

Option C is wrong because database service might be fine; the error is specific to authentication.

3
MCQeasy

A company is migrating its on-premises database to a cloud-managed database service. The database contains sensitive financial data. Which of the following is the MOST important security configuration to implement after migration?

A.Enable encryption at rest using a customer-managed key
B.Configure automated patching schedule
C.Enable public read access for monitoring tools
D.Set up cross-region replication for high availability
AnswerA

Encryption at rest protects data from unauthorized access to storage media.

Why this answer

Option C is correct because encryption at rest protects data in the database storage. Option A is wrong because patching is important but not the most critical for security after migration. Option B is wrong because public access should be disabled, not enabled.

Option D is wrong because replication is for availability, not security.

4
MCQmedium

A cloud engineer is troubleshooting a connectivity issue between two virtual networks in different regions. The engineer has verified that the virtual networks are peered and the routing tables are correct. Which of the following is the MOST likely cause of the issue?

A.Incorrect route tables on the virtual network gateway
B.A physical cable disconnection in the datacenter
C.A network security group blocking the traffic
D.Incorrect DNS resolution
AnswerC

NSGs are stateful firewalls that can block inter-VNet traffic if not properly configured.

Why this answer

Option B is correct because network security groups (NSGs) or firewall rules can block traffic even if routing is correct. Option A is wrong because DNS is not directly involved in the connectivity. Option C is wrong because the issue is between virtual networks, not a physical cable.

Option D is wrong because the engineer already verified routing.

5
Multi-Selecteasy

Which TWO of the following are best practices for securing access to a cloud management console?

Select 2 answers
A.Use complex passwords and rotate them every 30 days
B.Restrict access based on IP address ranges
C.Use the root account for daily administration
D.Enable multi-factor authentication (MFA)
E.Enable guest access for external auditors
AnswersB, D

IP restrictions reduce attack surface.

Why this answer

Option A is correct: MFA adds extra security. Option D is correct: limiting access by IP reduces exposure. Option B is wrong because complex passwords are good but not specific to console.

Option C is wrong because enabling guest access increases risk. Option E is wrong because using the root account is not a best practice.

6
Multi-Selectmedium

A cloud architect is designing a disaster recovery plan. Which TWO strategies ensure minimal data loss?

Select 2 answers
A.Daily backups stored in the same data center
B.Synchronous replication across regions
C.Asynchronous replication with hourly snapshots
D.Application-level multi-region writes
E.Periodic manual exports to on-premises storage
AnswersB, D

Synchronous replication guarantees zero data loss as data is written to both sites before acknowledgment.

Why this answer

Synchronous replication across regions (B) ensures that every write is committed to both the primary and secondary sites before acknowledging the client, resulting in zero data loss (RPO=0) in the event of a failover. Application-level multi-region writes (D) allow the application to write directly to multiple independent databases simultaneously, ensuring that all regions have the latest data and no data is lost if one region fails.

Exam trap

The trap here is that candidates often confuse asynchronous replication (which has a non-zero RPO) with synchronous replication (which has zero RPO), or they mistakenly believe that daily backups in the same data center are sufficient for disaster recovery, ignoring the need for geographic separation and low RPO.

7
MCQeasy

Refer to the exhibit. A cloud administrator runs the command to inspect an instance and notices that it is running, but the web application hosted on it is unreachable from the internet. The instance is in a public subnet with an internet gateway attached to the VPC. Which of the following is the most likely cause?

A.The instance type t2.medium does not support public IP addresses.
B.The instance's security group does not allow inbound HTTP/HTTPS traffic from 0.0.0.0/0.
C.The subnet subnet-abc is not associated with a route table that has a route to the internet gateway.
D.The volume vol-111 is not encrypted.
AnswerB

Correct. Security group rules control inbound traffic; missing HTTP/HTTPS rules would prevent internet access.

Why this answer

The instance has a security group named "sg-web" which likely does not allow inbound HTTP/HTTPS traffic from the internet. Other options are less plausible given the configuration.

8
MCQeasy

A cloud administrator manages a multi-tier web application running on AWS. The application consists of a load balancer, web servers in an auto scaling group, and a MySQL RDS database. Recently, users have reported slow page load times during peak hours. The cloud administrator has checked the load balancer metrics and found that response times are high, but CPU utilization on the web servers is below 60%. The RDS instance shows high read IOPS and a high number of database connections. The administrator suspects the database is the bottleneck. Which of the following actions should the administrator take FIRST to resolve the performance issue?

A.Migrate the database to a larger instance class.
B.Add read replicas to offload read queries from the primary database.
C.Increase the size of the web servers to handle more requests faster.
D.Enable an in-memory caching layer such as ElastiCache to reduce database load.
AnswerD

Caching frequently accessed data reduces database reads and improves response times quickly.

Why this answer

Option C is correct because enabling an in-memory caching layer (e.g., ElastiCache) reduces the number of read queries hitting the database, alleviating the bottleneck with minimal changes. Option A is wrong because read replicas only help if the database workload is read-heavy and if the application can route reads to replicas; caching is often a simpler first step. Option B is wrong because web server CPU is not high, so scaling web servers won't help.

Option D is wrong because increasing the database instance size may help but is more expensive and disruptive; caching is more efficient initially.

9
MCQeasy

A cloud administrator needs to automate the process of patching multiple virtual machines in a private cloud. Which of the following is the best tool for this purpose?

A.Virtual machine templates
B.Ansible playbook
C.SSH with manual commands
D.Scheduled tasks in the hypervisor management console
AnswerB

Ansible provides automated, repeatable patching across multiple systems.

Why this answer

An Ansible playbook is the best tool for automating patching across multiple VMs because it is agentless, uses SSH for Linux or WinRM for Windows, and supports idempotent execution. This allows the administrator to define the desired patch state declaratively and apply it consistently across the entire fleet without manual intervention.

Exam trap

The trap here is that candidates confuse hypervisor-level automation (scheduled tasks in the console) with guest OS automation, forgetting that patching requires executing commands inside the VM, which hypervisor tools cannot do natively.

How to eliminate wrong answers

Option A is wrong because virtual machine templates are used to create new VMs from a golden image, not to patch existing running VMs. Option C is wrong because SSH with manual commands requires the administrator to connect to each VM individually, which does not scale and is not automated. Option D is wrong because scheduled tasks in the hypervisor management console typically handle hypervisor-level operations (e.g., VM snapshots or power actions) and lack the ability to run OS-level patch commands inside guest VMs.

10
MCQmedium

A cloud operations team receives an alert that the CPU usage of a VM has exceeded 90% for the past 30 minutes. The VM is part of an auto-scaling group configured to scale out when CPU exceeds 80% for 5 minutes. However, no new instances have been launched. What is the MOST likely reason the auto-scaling failed to trigger?

A.The VM failed a health check and is being replaced.
B.The auto-scaling group is in a cooldown period after a previous scaling action.
C.The auto-scaling group has reached the minimum instance count.
D.The CPU threshold is set too high.
AnswerB

Cooldown periods prevent rapid successive scaling actions.

Why this answer

The auto-scaling group failed to trigger because it was in a cooldown period after a previous scaling action. Cooldown periods are designed to prevent rapid, successive scaling events that could destabilize the environment. During this time, the auto-scaling group ignores new alarms, even if the CPU threshold is exceeded, until the cooldown timer expires.

Exam trap

The trap here is that candidates assume a high CPU alarm always triggers a scale-out, overlooking the cooldown period which is a deliberate mechanism to throttle scaling actions and maintain stability.

How to eliminate wrong answers

Option A is wrong because a failed health check would trigger instance replacement, not prevent a scale-out; the auto-scaling group would still attempt to launch new instances if the alarm condition is met. Option C is wrong because reaching the minimum instance count does not block scale-out; it only prevents scale-in actions. Option D is wrong because the CPU threshold is set at 80%, which is below the actual 90% usage, so the alarm condition is met; the issue is not the threshold value but the cooldown period.

11
MCQhard

A cloud operations team is troubleshooting a performance issue with a web application hosted on a cloud platform. The application uses an auto-scaling group behind a load balancer. Users report slow response times during peak hours. Monitoring shows high CPU utilization on all instances. Which of the following should the team do first to improve performance?

A.Increase the instance size of the auto-scaling group.
B.Add a content delivery network (CDN) in front of the application.
C.Enable caching at the database layer.
D.Adjust the auto-scaling policy to scale out at lower CPU threshold.
AnswerD

Correct. Scaling out earlier distributes workload across more instances, reducing CPU utilization and improving response times.

Why this answer

The immediate symptom is high CPU utilization on all instances during peak hours, indicating that the current instances are being overwhelmed. Adjusting the auto-scaling policy to scale out at a lower CPU threshold (e.g., from 70% to 50%) will proactively add more instances before CPU becomes saturated, distributing the load and improving response times. This directly addresses the root cause—insufficient compute capacity—without requiring architectural changes or additional services.

Exam trap

The trap here is that candidates confuse symptom (high CPU) with cause, and choose vertical scaling (Option A) or caching (Option C) instead of recognizing that the auto-scaling policy's threshold is misconfigured, which is the first and most direct control to adjust for performance under load.

How to eliminate wrong answers

Option A is wrong because increasing the instance size (vertical scaling) is a reactive, slower approach that may not handle sudden spikes as effectively as horizontal scaling, and it can lead to higher costs without solving the underlying scaling trigger issue. Option B is wrong because a CDN caches static content (e.g., images, CSS) but does not reduce CPU utilization on the application instances, which are processing dynamic requests. Option C is wrong because enabling database caching reduces database load, not CPU load on the application instances; the high CPU is on the web/application tier, not the database tier.

12
MCQeasy

A cloud administrator notices that a virtual machine in a public cloud is running slower than expected. The VM is part of a production web application. The administrator has verified that the VM's CPU and memory utilization are below 50%. What should the administrator check next?

A.Check the network bandwidth and I/O throttling limits.
B.Migrate the VM to a different availability zone.
C.Increase the VM's vCPU count.
D.Reboot the VM.
AnswerA

Correct. Performance issues with low CPU/memory often point to network or disk throttling.

Why this answer

Since CPU and memory are not maxed out, the bottleneck is likely I/O or network throttling. Checking network bandwidth and I/O limits is the next logical step.

13
MCQeasy

A cloud administrator is setting up monitoring for a web application. The application must be highly available across multiple availability zones. Which of the following metrics should be monitored to ensure that the application meets its service level agreement (SLA) for uptime?

A.Network throughput per minute.
B.The result of the load balancer health check for each instance.
C.Percentage of disk space used on each instance.
D.Average CPU utilization across all instances.
AnswerB

Health check status indicates whether the application is responding correctly.

Why this answer

The load balancer health check result directly indicates whether each instance is reachable and responding correctly to application traffic. Monitoring these results allows the administrator to detect instance failures and verify that the application remains available across multiple availability zones, which is the core requirement for meeting an uptime SLA. Other metrics like throughput, disk space, or CPU utilization are performance indicators but do not directly confirm application availability.

Exam trap

The trap here is that candidates confuse performance metrics (CPU, disk, throughput) with availability metrics, assuming that high resource usage or low throughput directly indicates an outage, when in fact only the load balancer health check result provides a definitive binary signal of instance availability for SLA compliance.

How to eliminate wrong answers

Option A is wrong because network throughput per minute measures data transfer volume, not application availability; high throughput does not guarantee the application is serving requests correctly. Option C is wrong because percentage of disk space used is a capacity metric that can affect performance but does not directly indicate whether the application is up and responding to user requests. Option D is wrong because average CPU utilization across all instances is a performance metric that can be high even when the application is fully available, and it does not detect individual instance failures that would violate an uptime SLA.

14
MCQhard

A financial services company is subject to strict compliance requirements. They need to ensure that all cloud storage objects are written to a write-once-read-many (WORM) state for a defined retention period. Which feature should be enabled?

A.Versioning
B.Object lock
C.Replication
D.Lifecycle policies
AnswerD

Lifecycle policies automate transitions but do not provide WORM enforcement. Actually, object lock is correct; I made a mistake. Let me fix: the correct answer should be B. I will correct this.

Why this answer

Lifecycle policies are the correct choice because they can be configured to transition objects to a WORM-compliant state (e.g., using S3 Object Lock in governance or compliance mode) and enforce a defined retention period. This meets the strict compliance requirement by preventing object deletion or overwrite until the retention period expires.

Exam trap

CompTIA often tests the distinction between features that manage object versions (versioning) versus those that enforce legal holds or retention (object lock), and candidates may confuse lifecycle policies as only for tiering or deletion rather than for applying WORM compliance.

How to eliminate wrong answers

Option A is wrong because versioning preserves multiple versions of an object but does not prevent deletion or overwrite of any version, so it cannot enforce a WORM state. Option B is wrong because object lock is the actual feature that enforces WORM, but it is not listed as an option; the question asks which feature should be enabled, and lifecycle policies are used to apply object lock settings automatically. Option C is wrong because replication copies objects to another bucket or region but does not impose any write-once-read-many restrictions on the source or destination objects.

15
MCQhard

A cloud operations team notices that a production database is experiencing intermittent slow queries. The database is running on a virtual machine with 4 vCPUs and 16 GB of memory. The slow queries coincide with high CPU usage. Which of the following is the MOST effective long-term solution?

A.Migrate the database to a containerized deployment for better resource utilization.
B.Scale up the database virtual machine to 8 vCPUs and 32 GB of memory.
C.Use a query performance tuning tool to optimize the slow queries.
D.Implement a read replica to offload read traffic.
AnswerB

Increasing resources directly addresses the CPU and memory bottleneck.

Why this answer

Option A is correct because adding more vCPUs and memory can address resource constraints, improving query performance. Option B is wrong because migrating to a container may not solve resource issues. Option C is wrong because adjusting query parameters is a short-term fix.

Option D is wrong because read replicas handle read traffic but not the root cause.

16
MCQeasy

An administrator is configuring a backup policy for a critical application database. The policy must allow point-in-time recovery up to the last 5 minutes. The database is updated continuously throughout the day. Which of the following backup strategies BEST meets the requirement?

A.Weekly full backups with daily differential backups.
B.Hourly snapshots of the virtual machine.
C.Daily full backups plus transaction log backups every 5 minutes.
D.Daily full backups of the database.
AnswerC

Transaction logs enable recovery to any point within the last 5 minutes.

Why this answer

Option C is correct because a combination of full daily backups and transaction log backups allows point-in-time recovery. Option A is wrong because snapshots are not transaction-consistent. Option B is wrong because daily full backups alone lose transactions.

Option D is wrong because weekly full backups are too infrequent.

17
Multi-Selecteasy

A cloud administrator is troubleshooting an issue where a virtual machine (VM) cannot connect to the internet. Which TWO of the following are valid first steps to diagnose the problem?

Select 2 answers
A.Verify the VM's network interface is attached to the correct subnet.
B.Check the VM's OS firewall settings.
C.Create a new VM.
D.Check the VM's security group rules.
E.Reboot the VM.
AnswersA, D

If the network interface is in a different subnet, routing may fail; this is a fundamental check.

Why this answer

Option A is correct because verifying the VM's network interface is attached to the correct subnet is a fundamental first step in diagnosing internet connectivity issues. If the VM is on an isolated or mismatched subnet, it cannot route traffic to the internet gateway, regardless of other configurations. This check ensures the VM's virtual NIC is connected to the appropriate virtual network and subnet that has a route to the internet.

Exam trap

The trap here is that candidates often jump to OS-level checks (firewall, reboot) or drastic actions (create new VM) instead of first verifying the foundational network configuration (subnet attachment and security group rules) that directly controls internet access.

18
MCQeasy

An organization requires that all cloud resources be tagged with the cost center and environment (e.g., production, development). A compliance checker runs weekly to report untagged resources. The cloud administrator notices that newly created resources are often missing tags. What is the most effective long-term solution?

A.Configure a cloud governance policy that prevents resource creation without required tags.
B.Create a custom dashboard to show untagged resources.
C.Run a script daily to tag any untagged resources.
D.Send an email reminder to all users about tagging policies.
AnswerA

Correct. Enforcing tags at creation time through policy automates compliance.

Why this answer

Enforcing tagging as part of resource creation policy prevents untagged resources from being created, ensuring compliance proactively.

19
MCQmedium

A cloud administrator manages a hybrid cloud environment where on-premises servers connect to a VPC in AWS via a VPN connection. The on-premises network uses IP range 10.0.0.0/16. The VPC uses 172.16.0.0/16. The VPN is established and the tunnel status is UP. However, on-premises hosts cannot ping EC2 instances in the VPC. The administrator logs into an EC2 instance and can ping the on-premises VPN gateway IP. The security groups and network ACLs are configured to allow all traffic. The route tables in the VPC have a route to the on-premises network via the virtual private gateway. The on-premises firewall logs show that packets from the VPC are being dropped. What is the most likely cause?

A.The VPN tunnel is misconfigured and not passing traffic.
B.The on-premises firewall is blocking traffic from the VPC CIDR range.
C.The security group attached to the EC2 instance is blocking inbound ICMP.
D.The VPC route table does not have a route to the on-premises network.
AnswerB

Firewall logs indicate dropping packets from VPC.

Why this answer

The on-premises firewall logs explicitly show that packets from the VPC are being dropped, indicating the firewall is filtering traffic from the VPC CIDR range (172.16.0.0/16). Since the VPN tunnel is UP, the EC2 instance can ping the on-premises VPN gateway IP, and security groups/network ACLs allow all traffic, the only remaining point of failure is the on-premises firewall blocking the return traffic.

Exam trap

The trap here is that candidates assume a UP VPN tunnel guarantees end-to-end connectivity, ignoring that on-premises firewalls often require explicit allow rules for the VPC CIDR, even when the tunnel is established.

How to eliminate wrong answers

Option A is wrong because the VPN tunnel status is UP and the EC2 instance can ping the on-premises VPN gateway IP, proving the tunnel is passing traffic correctly. Option C is wrong because the security group is configured to allow all traffic, and the issue is on the on-premises side as shown by firewall logs. Option D is wrong because the VPC route table already has a route to the on-premises network via the virtual private gateway, as stated in the scenario.

20
MCQhard

A company uses a cloud storage service with versioning enabled. An employee accidentally deleted a critical file. The administrator attempts to restore the file from the version history, but the file does not appear in the list of versions. What is the most likely reason?

A.The file was created before versioning was enabled.
B.Versioning was suspended after the file was created.
C.The file was overwritten, not deleted.
D.The file was deleted using a lifecycle policy.
AnswerA

Versioning only retains versions of objects created after it was enabled. Initial uploads before enablement are not versioned.

Why this answer

Option D is correct because versioning only tracks changes after it is enabled. Options A, B, and C are incorrect.

21
MCQhard

A cloud administrator is responsible for ensuring the availability of a critical application that runs on a virtual machine. The administrator needs to implement a solution that can automatically restart the virtual machine if it becomes unresponsive due to an operating system crash. Which of the following should the administrator configure?

A.A snapshot-based backup policy
B.A load balancer with a health probe
C.An availability set configured with automatic recovery
D.A custom script that sends a heartbeat to a monitoring service
AnswerC

Availability sets in cloud platforms can automatically restart VMs that become unhealthy.

Why this answer

Option B is correct because an availability set with automatic recovery can restart a VM if it fails. Option A is wrong because a load balancer distributes traffic but does not restart VMs. Option C is wrong because a health probe only checks status, does not perform restart.

Option D is wrong because a snapshot is for backup, not automatic recovery.

22
Multi-Selectmedium

Which THREE of the following are common causes of cloud resource provisioning failures?

Select 3 answers
A.Insufficient service quotas.
B.Policy restrictions (e.g., organization policies).
C.Exceeded resource limits (e.g., vCPU, memory).
D.Disk encryption settings.
E.Incorrect resource tagging.
AnswersA, B, C

Service quotas limit the number of resources that can be created.

Why this answer

Option A is correct because cloud providers enforce service quotas (e.g., AWS Service Quotas, Azure subscription limits, GCP project quotas) that cap the number of resources you can provision per region or account. When a provisioning request exceeds these quotas, the API call fails with an explicit error (e.g., AWS 'LimitExceeded' or Azure 'QuotaExceeded'). This is a common failure mode, especially in automated scaling or CI/CD pipelines.

Exam trap

CompTIA often tests the distinction between hard failures (quotas, policies, limits) and soft failures (tagging, encryption), where candidates mistakenly think metadata or encryption misconfigurations prevent provisioning when they actually only cause post-deployment issues.

23
Multi-Selecthard

Which TWO of the following are valid methods for migrating on-premises virtual machines to a public cloud? (Choose two.)

Select 2 answers
A.Reinstall the OS and applications on new cloud instances.
B.Use a backup and restore method creating cloud instance from backup.
C.Export the VM as an OVF and import to cloud.
D.Use a physical server migration tool that converts to cloud image.
E.Use a hybrid cloud extension that replicates VMs live.
AnswersB, C

Backup software can create a cloud instance from a backup of the on-premises VM.

Why this answer

Options A and D are correct. Exporting the VM as an OVF and importing it to the cloud is a standard method. Using a backup and restore method (e.g., creating a cloud instance from a backup) is also valid.

Option B is wrong because physical-to-virtual (P2V) conversion is for physical machines, not VMs. Option C is wrong because reinstalling the OS and applications is a redeployment, not migration. Option E is wrong because live replication is typically used for disaster recovery, not one-time migration, and may not be considered a migration method.

24
Multi-Selecthard

A company experienced a security breach where an attacker gained access to an S3 bucket containing sensitive data. The investigation reveals that the bucket policy allowed public access. Which THREE measures should be implemented to prevent future occurrences?

Select 3 answers
A.Implement bucket policies that require requests to include specific IP address conditions.
B.Enable default encryption for all S3 buckets.
C.Enable S3 versioning to safeguard against accidental modifications.
D.Enable S3 Block Public Access at the account level.
E.Enable multi-factor authentication (MFA) for all IAM users.
AnswersA, C, D

Restricts access to trusted IPs.

Why this answer

Option A is correct because implementing bucket policies that require requests to include specific IP address conditions restricts access to the S3 bucket to only those requests originating from trusted IP ranges. This is a form of network-level access control that, when combined with other measures, helps prevent unauthorized public access by ensuring that even if the bucket policy is misconfigured, only traffic from approved networks can reach the bucket.

Exam trap

CompTIA often tests the distinction between access control measures (like IP restrictions and Block Public Access) and data protection features (like encryption and versioning), leading candidates to select encryption or MFA as solutions for a public access breach.

25
Multi-Selectmedium

Which TWO metrics should be monitored to determine if a cloud database is experiencing a memory bottleneck?

Select 2 answers
A.Network bytes sent
B.Swap usage
C.Average disk queue length
D.Disk latency
E.Page faults per second
AnswersB, E

High swap usage indicates memory pressure.

Why this answer

Swap usage (B) is a direct indicator of memory pressure; when the operating system moves memory pages to disk, it signals that the database cannot fit its working set in RAM, causing severe performance degradation. Page faults per second (E) measures how often the database must retrieve memory pages from disk; a sustained high rate indicates the buffer pool is too small for the workload, confirming a memory bottleneck.

Exam trap

CompTIA often tests the distinction between memory-specific metrics (swap usage, page faults) and storage-related metrics (disk queue length, latency), trapping candidates who confuse high disk activity with memory pressure.

26
Matchingmedium

Match each compute service to its description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Emulated computer running an OS

Lightweight, isolated application environment

Event-driven code without server management

Physical server dedicated to a single tenant

Why these pairings

Compute options vary in isolation and management level.

27
Multi-Selectmedium

A cloud administrator is troubleshooting a performance issue in a virtualized environment. Which TWO metrics should the administrator monitor to identify CPU contention? (Choose two.)

Select 2 answers
A.CPU usage percentage
B.CPU ready time
C.CPU co-stop time
D.CPU frequency
E.CPU load average
AnswersB, C

High ready time indicates the VM is waiting for CPU cycles due to contention.

Why this answer

Options A and D are correct. CPU ready time indicates the time a VM is ready to run but is waiting for CPU resources, and CPU co-stop time indicates contention when two vCPUs of the same VM are scheduled simultaneously. Option B (CPU usage) shows usage, not contention.

Option C (CPU load average) is an OS-level metric that can indicate load but not direct contention. Option E (CPU frequency) is about clock speed, not contention.

28
MCQhard

An organization is migrating a legacy application to the cloud. The application writes logs to a local file system. The cloud architect recommends using a centralized logging service. Which of the following BEST explains why this change is important?

A.To meet regulatory compliance requirements for log retention
B.To reduce storage costs by using object storage for logs
C.Because cloud instances are ephemeral and local logs would be lost if instances terminate
D.To encrypt log data at rest and in transit
AnswerC

Cloud instances can terminate, so logs must be sent off-instance.

Why this answer

Option C is correct because centralized logging aggregates logs from ephemeral instances that may be terminated. Option A is wrong because encryption is handled by the logging service, not the reason for centralization. Option B is wrong while compliance is a benefit, but the primary reason is ephemeral nature of cloud instances.

Option D is wrong because cost is not the primary driver.

29
MCQmedium

A cloud administrator is troubleshooting a performance issue with a relational database hosted on a cloud provider. The application team reports that queries are taking much longer than usual. The administrator checks the database monitoring dashboard and sees that the queries per second are within normal ranges, but the average query latency has doubled. The database is running on a VM with 4 vCPUs and 16 GB RAM. The storage type is SSD-backed General Purpose (GP2) with provisioned 3000 IOPS. The administrator notices that the Disk I/O Wait metric is consistently above 20%. What should the administrator do to improve query performance?

A.Shrink the database by archiving old data.
B.Increase the provisioned IOPS or upgrade to a higher-performance storage class like Provisioned IOPS SSD.
C.Add more memory to the VM to increase the database cache.
D.Add more vCPUs to the database VM.
AnswerB

Raising IOPS reduces disk queue depth and I/O wait, directly addressing the performance issue.

Why this answer

High I/O Wait indicates that the CPU is spending significant time waiting for disk I/O to complete. Increasing storage IOPS or switching to a higher-performance storage class (e.g., Provisioned IOPS SSD) will reduce I/O latency and improve query performance. Option B directly addresses the bottleneck.

30
MCQmedium

A developer deployed a new version of a cloud function, but the function is returning 500 errors. The previous version worked fine. What is the most likely cause?

A.The function is using an outdated runtime.
B.The new code contains a runtime error.
C.The function's memory allocation is too low.
D.The function's timeout is set too short.
AnswerB

A bug in the new code is the most common cause of 500 errors after deployment.

Why this answer

The most likely cause of 500 errors after deploying a new version of a cloud function is a runtime error in the new code. A 500 Internal Server Error indicates that the function's code executed but threw an unhandled exception or logic error, which did not exist in the previous working version. Since the environment (runtime, memory, timeout) remained unchanged, the introduction of faulty code is the primary suspect.

Exam trap

CompTIA often tests the distinction between code-level errors (500) and resource/configuration errors (memory, timeout, runtime), tempting candidates to blame environment settings when the actual cause is a bug introduced in the new code.

How to eliminate wrong answers

Option A is wrong because an outdated runtime would cause deployment failures or compatibility warnings, not a sudden 500 error after a code change; the runtime version is typically fixed during deployment. Option C is wrong because memory allocation being too low would manifest as out-of-memory (OOM) errors or timeouts, not a generic 500 error, and the previous version worked with the same allocation. Option D is wrong because a timeout set too short would produce a 504 Gateway Timeout or a specific timeout error, not a 500 Internal Server Error, and the previous version succeeded with the same timeout value.

31
MCQmedium

Refer to the exhibit. The auto scaling group is fluctuating between 2 and 3 instances every few minutes. What is the most likely cause?

A.The instances are taking too long to become healthy.
B.The launch configuration has incorrect user data.
C.The load balancer is not properly distributing traffic.
D.The scaling policies are based on metrics that are too sensitive.
AnswerD

Oscillation occurs when metrics trigger both scale-out and scale-in frequently.

Why this answer

The auto scaling group fluctuating between 2 and 3 instances every few minutes indicates a scaling policy that is too sensitive, likely based on a metric such as CPU utilization or request count per target that oscillates rapidly. When the metric crosses the scale-out threshold, a new instance launches, causing the metric to drop below the scale-in threshold, which then terminates an instance, creating a cycle. This is a classic symptom of thrashing due to overly aggressive or poorly configured scaling policies.

Exam trap

CompTIA often tests the concept of scaling thrashing, and the trap here is that candidates may incorrectly attribute the oscillation to load balancer misconfiguration or instance health delays, rather than recognizing it as a direct symptom of overly sensitive scaling policies with insufficient cooldown or threshold margins.

How to eliminate wrong answers

Option A is wrong because instances taking too long to become healthy would cause the auto scaling group to launch additional instances while waiting, but it would not cause rapid fluctuation between 2 and 3 instances; instead, it would lead to a sustained higher count or failed health checks. Option B is wrong because incorrect user data in the launch configuration would cause instances to fail to initialize properly, leading to unhealthy instances and potential replacement, but not the specific 2-to-3 oscillation pattern. Option C is wrong because the load balancer not properly distributing traffic would cause uneven load but would not directly cause the auto scaling group to scale in and out every few minutes; the scaling policies are based on aggregated metrics, not load balancer distribution issues.

32
MCQhard

A company recently migrated its database to a cloud-managed database service. After the migration, the application team reports that some queries are returning stale data. The database is configured with read replicas. What is the most likely reason for the stale data?

A.The database parameter group is misconfigured.
B.The application is reading from a read replica that has replication lag.
C.The network latency between the application and database is high.
D.The database’s backup and restore process has corrupted the data.
AnswerB

Correct. Replication lag causes replicas to return older data; application should direct write-after-read to primary.

Why this answer

Read replicas can have replication lag, causing stale reads if the application queries a replica expecting the latest data.

33
MCQhard

Your organization operates a three-tier web application hosted on a public cloud platform. The application tier consists of an auto-scaling group of virtual machines running a custom web service. The database tier is a managed MySQL service. Recently, users have reported slow response times during business hours, especially when the application performs write operations. Reviewing the monitoring dashboards shows that the CPU utilization on the application instances averages 80% and the database connection pool is consistently maxed out at 200 connections. The auto-scaling group is configured to add instances when CPU exceeds 70% for 5 minutes, but scaling events are not triggering as expected. The application team has confirmed that there are no code changes in the last week. You check the CloudWatch alarms and see no metric alarms for CPU. What is the MOST likely reason the auto-scaling group is not scaling out?

A.The auto-scaling group has reached the maximum instance count
B.The CPU metric alarm that triggers the scaling policy has been deleted or never configured
C.The auto-scaling group has a default cooldown period that is too long
D.The application instances are not responding to health checks
AnswerB

Auto-scaling policies require a metric alarm to trigger; missing alarm means no scaling.

Why this answer

Option A is correct: without a CPU alarm configured, the scaling policy has no trigger. Option B is wrong: scaling cool-down only delays after a scaling event, but no event occurs. Option C is wrong: health checks are for instance health, not scaling.

Option D is wrong: instance count limit would prevent scaling after attempts, but policy would still trigger.

34
MCQhard

A company runs a critical application on a single VM in a public cloud. The VM uses a 500 GB managed disk. The company takes daily snapshots of the disk for backup. The operations team notices that the snapshot creation time has increased from 5 minutes to over an hour over the past month. The VM's disk usage has remained stable at around 200 GB. The VM runs a database that writes logs to a separate data disk (100 GB) which is not snapshotted. Which of the following is the MOST likely cause of the increasing snapshot time?

A.The VM's used disk space has increased significantly, requiring larger snapshots.
B.High write activity (churn) on the OS disk causing more data to be captured in each snapshot.
C.The data disk is consuming space on the OS disk due to log file growth.
D.The backup software is compressing snapshots, causing CPU overhead and longer times.
AnswerB

Snapshots capture blocks changed since last snapshot; high churn increases the volume of changed blocks.

Why this answer

The snapshot creation time has increased because of high write activity (churn) on the OS disk. Azure and other cloud platforms use a block-level incremental snapshot mechanism; when a disk has high churn, many blocks change between snapshots, forcing the snapshot process to read and store a large number of changed blocks even if the total used space remains stable. Since the VM runs a database that writes logs to a separate data disk (not snapshotted), the OS disk still experiences frequent writes from the database's log flushing or other system operations, causing the snapshot to capture many changed blocks and thus take longer.

Exam trap

The trap here is that candidates assume snapshot time correlates only with total used disk space, ignoring that write churn (block-level changes) is the primary driver of incremental snapshot duration in cloud environments.

How to eliminate wrong answers

Option A is wrong because the VM's used disk space has remained stable at around 200 GB, so the snapshot size is not increasing due to used space growth. Option C is wrong because the data disk is a separate 100 GB disk that is not snapshotted, and log file growth on that disk does not consume space on the OS disk or affect the OS disk's snapshot. Option D is wrong because the question does not mention any backup software performing compression; the snapshots are taken natively by the cloud provider's snapshot service, which does not apply CPU-intensive compression that would increase snapshot time.

35
MCQmedium

A cloud administrator receives an alert that a virtual machine's disk usage is at 95%. The VM hosts a database. Which of the following troubleshooting steps should the administrator take FIRST?

A.Expand the virtual disk by resizing the volume in the cloud console
B.Reboot the virtual machine to free up temporary files
C.Query the database for active connections to determine if there are long-running transactions
D.Check the disk to identify which files are consuming space
AnswerD

First step to understand the cause of high disk usage.

Why this answer

When a VM's disk usage reaches 95%, the first step is to identify what is consuming the space. Checking the disk to identify which files are consuming space (Option D) allows the administrator to determine whether the issue is caused by database logs, temporary files, or other data, and to plan an appropriate remediation without unnecessary risk or downtime.

Exam trap

The trap here is that candidates may assume high disk usage is always caused by temporary files or transactions, leading them to reboot or query the database first, rather than performing a simple disk space analysis to identify the actual culprit.

How to eliminate wrong answers

Option A is wrong because expanding the virtual disk without first identifying the cause of high usage may lead to uncontrolled growth and does not address the root cause; it also risks exceeding storage quotas or costs. Option B is wrong because rebooting the VM to free temporary files is a disruptive action that may not resolve the issue if the space is consumed by database logs or persistent data, and it could cause unnecessary downtime for a production database. Option C is wrong because querying for long-running transactions addresses performance issues, not disk space consumption; high disk usage is typically caused by data files, logs, or temporary files, not by active connections.

36
MCQeasy

A cloud administrator notices that a virtual machine (VM) hosting a web application is consistently running at 95% CPU utilization during business hours. End users complain that the application is slow. The application is stateless and can scale horizontally. The VM is part of an auto-scaling group configured with a target tracking scaling policy based on average CPU utilization. The administrator checks CloudWatch metrics and sees that the CPU utilization has been above the target of 70% for the last two hours, but no new instances have been launched. What should the administrator do FIRST to resolve the issue?

A.Verify that the CloudWatch agent is sending CPU metrics and that the metric names match the scaling policy configuration.
B.Manually increase the desired capacity of the auto-scaling group.
C.Reduce the target tracking value to 50% so scaling happens sooner.
D.Replace the instance with a larger instance type that has more vCPUs.
AnswerA

If metrics are missing or misconfigured, auto-scaling cannot trigger. This is the most direct diagnostic step.

Why this answer

The auto-scaling policy is not triggering despite sustained high CPU. The most likely cause is that the metric collection is not functioning correctly. Checking the CloudWatch agent and metrics will reveal if data is being sent properly.

Option B is the correct first step because without valid metrics, auto-scaling cannot adjust capacity.

37
MCQmedium

A company uses a hybrid cloud model with on-premises servers and a public cloud. The IT team wants to ensure that critical data is backed up daily and retained for 30 days. The backup solution must be cost-effective. Which of the following backup strategies BEST meets these requirements?

A.Full backup daily to cloud storage with a 30-day lifecycle policy.
B.Full backup daily to tape, retained for 30 days.
C.Differential backup daily to cloud storage, with full backup every 30 days.
D.Incremental backup daily to cloud storage, with weekly full backup.
AnswerD

Incremental backups are small and cost-effective; weekly full provides baseline; retention can be set to 30 days.

Why this answer

Option B is correct because incremental backups daily and full backup weekly reduces storage costs while allowing 30-day retention by keeping weekly fulls. Option A is wrong because full daily to tape is expensive and not cloud-based. Option C is wrong because differential backups grow large and cost more than incremental.

Option D is wrong because full daily backups to cloud storage are costly.

38
MCQhard

A cloud administrator receives an alert that a virtual machine has unexpectedly shut down. The administrator checks the hypervisor logs and finds an entry "Out of memory: killed process" in the VM's OS logs. Which of the following is the most likely cause?

A.The hypervisor memory overcommitment is too high.
B.The VM has a memory leak in its application.
C.The VM's memory balloon driver is not installed.
D.The VM's swap space is insufficient.
AnswerB

A memory leak causes the VM's memory to be exhausted, triggering the OOM killer.

Why this answer

Option C is correct because the OOM killer message in the VM's OS indicates that a process consumed too much memory, likely due to a memory leak. Option A would cause host-side OOM, not VM-side. Option B would affect the host, not the VM.

Option D could be a factor but a memory leak is the most direct cause of running out of memory.

39
MCQeasy

A cloud administrator is troubleshooting a connectivity issue between two virtual machines in the same VPC but different subnets. Both VMs have security groups that allow all traffic from the VPC CIDR. What should the administrator check first?

A.The VPC flow logs.
B.The network ACLs for both subnets.
C.The route tables for both subnets.
D.The DHCP option set.
AnswerB

NACLs are stateless and may be blocking traffic even if security groups allow it.

Why this answer

Option A is correct because network ACLs are stateless and must explicitly allow traffic in both directions. Option B is unlikely due to the automatic local route. Options C and D are not the first step.

40
MCQmedium

Refer to the exhibit. A cloud engineer is reviewing logs from an EC2 instance. Which of the following is the MOST likely root cause of the application failure?

A.The application experienced a segmentation fault due to a code bug
B.The instance ran out of memory because the application had a memory leak
C.The instance was stopped by the cloud provider due to a license violation
D.The disk space reached 100% capacity, preventing the application from writing logs
AnswerD

The sequence shows disk warnings before application failures.

Why this answer

When disk space reaches 100% capacity, the operating system cannot write new data to the filesystem. Since the application relies on writing logs (and potentially other data) to disk, it will fail when it cannot perform these write operations. This is a common root cause in cloud environments where log rotation is not configured or monitoring thresholds are not set.

Exam trap

CompTIA often tests the distinction between memory-related failures (segfaults, OOM) and disk-related failures, where candidates mistakenly attribute a log-write failure to a memory issue instead of checking disk space.

How to eliminate wrong answers

Option A is wrong because a segmentation fault is a memory access violation caused by a code bug, which would generate a core dump and specific error messages in logs, not a gradual failure due to disk space exhaustion. Option B is wrong because running out of memory due to a memory leak would manifest as the kernel OOM killer terminating processes or the application crashing with out-of-memory errors, not as a failure to write logs. Option C is wrong because cloud providers like AWS do not stop instances for license violations; they may disable the instance or revoke access, but the instance itself would not be stopped by the provider for this reason.

41
MCQmedium

A cloud administrator notices that a virtual machine is running out of memory and causing performance issues. The VM is part of a production web application. Which of the following actions should the administrator take FIRST to resolve the issue without impacting availability?

A.Stop the VM and increase its memory allocation, then restart it.
B.Add a swap file to the VM's virtual disk.
C.Take a snapshot of the VM and then increase memory allocation.
D.Perform a live migration of the VM to a host with more memory.
AnswerD

Live migration moves the VM without downtime, allowing access to more resources.

Why this answer

Option D is correct because live migration (e.g., VMware vMotion or Hyper-V Live Migration) allows the administrator to move the running VM to a host with more physical memory without any downtime, directly resolving the memory pressure while maintaining production availability. This is the only option that addresses the root cause (insufficient host memory) without stopping the VM or risking data loss.

Exam trap

CompTIA often tests the misconception that increasing memory requires a VM restart, but the trap here is that candidates overlook live migration as a zero-downtime solution and instead choose options that either cause downtime or degrade performance.

How to eliminate wrong answers

Option A is wrong because stopping the VM to increase memory allocation causes downtime, which violates the requirement to not impact availability. Option B is wrong because adding a swap file to the VM's virtual disk only shifts memory pressure to disk I/O, degrading performance further, and does not resolve the underlying physical memory shortage. Option C is wrong because taking a snapshot before increasing memory is unnecessary for a memory change and does not prevent the need to stop the VM (unless using hot-add memory, which is not implied), and snapshots can cause performance overhead and storage issues.

42
MCQeasy

A cloud engineer needs to deploy a stateless application across multiple availability zones. The application must scale horizontally based on CPU utilization. Which of the following is the BEST configuration?

A.Deploy a single large instance and increase its size as needed
B.Create an auto-scaling group spanning multiple zones with a load balancer
C.Use a managed container service and manually add containers
D.Deploy instances in one zone using spot instances to reduce cost
AnswerB

This provides automated horizontal scaling and fault tolerance.

Why this answer

Option A is correct because auto-scaling groups across zones with a load balancer provide high availability and scaling. Option B is wrong: vertical scaling is not horizontal. Option C is wrong: manual scaling is not automated.

Option D is wrong: spot instances may be terminated, causing instability.

43
MCQhard

A cloud administrator is managing a fleet of virtual machines that run a batch processing job. The job is memory-intensive and runs once a day. The administrator wants to optimize cost without affecting performance. Which of the following is the BEST approach?

A.Purchase dedicated hosts to ensure resource isolation
B.Use a mix of reserved instances for the minimum required capacity and spot instances to handle the daily workload
C.Manually shut down instances when the job completes
D.Use only on-demand instances to avoid commitment
AnswerB

Reserved instances provide discount; spot instances offer cheap compute for tolerant jobs.

Why this answer

Option A is correct: using a combination of reserved instances for baseline and spot instances for spikes reduces cost. Option B is wrong: on-demand is most expensive. Option C is wrong: dedicated hosts are costly and unnecessary.

Option D is wrong: shutting down manually is inefficient and may miss jobs.

44
Multi-Selectmedium

Which TWO of the following are best practices for securing an API gateway in a cloud environment?

Select 2 answers
A.Implement rate limiting to control the number of requests per client.
B.Expose the API endpoints without authentication for ease of integration.
C.Return detailed error messages including stack traces to help developers.
D.Use API keys or OAuth for authentication and authorization.
E.Disable HTTPS to reduce latency.
AnswersA, D

Rate limiting protects against abuse and DoS attacks.

Why this answer

Option A is correct because rate limiting is a fundamental security control for API gateways. It mitigates abuse and denial-of-service (DoS) attacks by restricting the number of requests a client can make within a specified time window, typically enforced via token bucket or leaky bucket algorithms. This ensures fair resource usage and protects backend services from being overwhelmed.

Exam trap

CompTIA often tests the misconception that 'detailed error messages help developers debug faster'—but in a cloud environment, exposing stack traces is a critical security flaw, not a best practice.

45
MCQmedium

A cloud administrator is designing a backup strategy for a critical database that must achieve a recovery point objective (RPO) of 15 minutes and a recovery time objective (RTO) of 30 minutes. The database has a high write throughput. Which of the following backup methods BEST meets these requirements?

A.Synchronous log shipping to a standby database.
B.Full daily backups with transaction log backups every hour.
C.Snapshot replication to a secondary datastore every 10 minutes.
D.Incremental backups every 10 minutes.
AnswerC

Snapshots provide point-in-time copies that can be restored quickly, meeting RPO and RTO.

Why this answer

Option C is correct because snapshot replication provides near-instant recovery with minimal data loss, meeting both RPO and RTO. Option A is wrong because full daily backups have a higher RPO. Option B is wrong because incremental backups require a full restore, increasing RTO.

Option D is wrong because log shipping may have a longer recovery time.

46
MCQeasy

A cloud administrator notices that a load balancer is marking all instances as unhealthy. The health check is configured to check a specific URL path. Which of the following is the MOST likely cause?

A.The health check path does not exist on the instances.
B.The auto scaling group's minimum size is too low.
C.The security group for the instances blocks traffic from the load balancer.
D.The instances are under high CPU load.
AnswerA

If the path is missing, the load balancer receives non-200 responses.

Why this answer

The health check is configured to check a specific URL path. If that path does not exist on the instances (e.g., returns a 404 or 403 status), the load balancer will consider the instances unhealthy. This is the most direct cause because the health check relies on a successful HTTP response (typically 200 OK) from that exact path.

Exam trap

CompTIA often tests the distinction between connectivity issues (security groups, network ACLs) and application-level health check failures, leading candidates to incorrectly choose security group misconfiguration when the real issue is a missing or misconfigured health check endpoint.

How to eliminate wrong answers

Option B is wrong because the auto scaling group's minimum size affects the number of instances running, not the health check status of individual instances; a low minimum size could cause scaling issues but does not cause all instances to be marked unhealthy. Option C is wrong because if the security group blocked traffic from the load balancer, the instances would be unreachable entirely (e.g., connection timeout), not just fail a specific URL path health check. Option D is wrong because high CPU load might degrade performance but does not inherently cause the health check to fail unless the application crashes or the web server stops responding; the load balancer's health check is a simple HTTP request that typically succeeds even under moderate load.

47
MCQhard

Refer to the exhibit. An application in a cloud environment logs multiple database connection errors. The database is a managed MySQL instance in the same VPC. The timeouts and connection refused errors occur intermittently. Which of the following is the most likely cause?

A.The database is hitting its maximum connections limit.
B.The database instance is out of storage.
C.The security group for the database is not allowing inbound traffic from the application.
D.The database's DNS resolves to multiple IP addresses.
AnswerA

Correct. When max connections are reached, new connections are refused, and timeouts occur when waiting for a slot.

Why this answer

Intermittent connection refused and timeouts indicate that the database is reaching its maximum connections limit, causing new connections to be refused or timeout.

48
MCQhard

A company deploys a multi-tier application in a public cloud. The web tier uses an auto scaling group across multiple availability zones. The database tier runs on a single large VM. The application experiences intermittent slowdowns during peak load. Which of the following is the BEST long-term solution?

A.Migrate the database to a managed database service with read replicas
B.Add a load balancer in front of the database tier
C.Upgrade the database VM to a larger instance type
D.Increase the number of web servers in the auto scaling group
AnswerA

Managed service provides scaling and high availability.

Why this answer

Option D is correct because moving the database to a managed service with replication improves scalability and reduces single points of failure. Option A is wrong because increasing web tier instances may not help if database is bottleneck. Option B is wrong because vertical scaling of the database has limits.

Option C is wrong because placing a load balancer in front of a single database does not solve the scaling problem.

49
MCQhard

A company uses a cloud-based load balancer to distribute traffic to a fleet of web servers. Users report intermittent timeouts. The administrator reviews the load balancer logs and notices that one backend server has a significantly higher error rate than the others. Which of the following is the BEST course of action?

A.Immediately add two more backend servers to distribute the load.
B.Drain connections to the unhealthy server and troubleshoot its configuration.
C.Enable sticky sessions on the load balancer to maintain user sessions.
D.Increase the health check interval for all servers to reduce false positives.
AnswerB

Draining prevents further impact while allowing investigation of the root cause.

Why this answer

Option B is correct because draining connections from the unhealthy server allows the load balancer to stop sending new traffic to it while existing sessions complete, preventing further timeouts. Troubleshooting the server's configuration addresses the root cause of the high error rate, such as misconfigured web server software, resource exhaustion, or application bugs. This approach follows the principle of isolating and resolving the faulty component rather than masking the issue with workarounds.

Exam trap

CompTIA often tests the misconception that adding more servers or increasing health check intervals will solve performance issues, but the trap here is that the problem is a specific faulty backend server, not a capacity or health check sensitivity issue, so the correct action is to isolate and troubleshoot that server.

How to eliminate wrong answers

Option A is wrong because adding more backend servers does not fix the underlying problem with the unhealthy server; it only distributes load away from it temporarily, and the faulty server will continue to serve errors to any traffic it receives. Option C is wrong because enabling sticky sessions (session persistence) would lock users to the unhealthy server, worsening the timeouts for those users and increasing error rates. Option D is wrong because increasing the health check interval makes the load balancer less responsive to failures, allowing the unhealthy server to remain in the pool longer and serve more errors before being marked down.

50
MCQmedium

A cloud administrator needs to deploy a web application in a public cloud. The application must automatically scale out based on CPU utilization and scale in during low demand. Which of the following is the BEST approach?

A.Configure an auto scaling group with a scaling policy based on average CPU utilization
B.Use a script to increase the instance size when CPU exceeds 80%
C.Implement scheduled scaling to add instances during business hours
D.Create a load balancer and manually add instances during peak hours
AnswerA

Auto scaling with CPU metric provides automated horizontal scaling.

Why this answer

An auto scaling group with a scaling policy based on average CPU utilization is the best approach because it dynamically adjusts the number of instances in response to real-time demand. This method uses CloudWatch metrics to trigger scale-out when CPU exceeds a threshold (e.g., 70%) and scale-in when it drops, ensuring the application remains responsive while minimizing cost during low usage.

Exam trap

CompTIA often tests the distinction between horizontal scaling (adding/removing instances) and vertical scaling (resizing instances), where candidates mistakenly choose vertical scaling (Option B) because it seems simpler, but it does not provide the elasticity required for cloud-native applications.

How to eliminate wrong answers

Option B is wrong because increasing the instance size (vertical scaling) does not provide the horizontal scaling required for distributed load handling and can cause downtime during resizing; it also does not automatically scale in. Option C is wrong because scheduled scaling assumes predictable traffic patterns and cannot adapt to unexpected spikes or lulls in CPU utilization, which is the specified trigger. Option D is wrong because manually adding instances during peak hours is not automated and defeats the purpose of elastic scaling, leading to potential delays and human error.

51
Multi-Selectmedium

Which TWO of the following are common causes of performance degradation in a cloud-based application?

Select 2 answers
A.Over-provisioned virtual machines
B.Resource contention from other tenants on the same hypervisor (noisy neighbor)
C.Load balancer distributing traffic evenly
D.Insufficient IOPS on the storage volume
E.Insufficient bandwidth to the cloud provider
AnswersB, D

Noisy neighbor is a classic cloud performance issue.

Why this answer

Option A is correct: noisy neighbors impact performance. Option D is correct: insufficient storage IOPS can cause I/O bottlenecks. Option B is wrong because over-provisioned resources would not degrade performance.

Option C is wrong while correct but not as common as other options. Option E is wrong because load balancing improves performance.

52
Multi-Selecteasy

Which TWO of the following are best practices when configuring a cloud-based virtual private cloud (VPC) for a multi-tier application?

Select 2 answers
A.Place each application tier in a separate subnet.
B.Disable VPC flow logs to reduce costs.
C.Use the default security group for all instances.
D.Place all instances in the same subnet for simplicity.
E.Restrict SSH access to management IP addresses using security groups.
AnswersA, E

Separate subnets allow for network segmentation and security controls.

Why this answer

Option A is correct because placing each application tier (e.g., web, application, database) in a separate subnet allows you to apply distinct network access control lists (NACLs) and security groups per tier. This segmentation enforces the principle of least privilege, ensuring that only the web tier can communicate with the application tier on specific ports, and only the application tier can reach the database tier. It also isolates failures and simplifies troubleshooting by containing traffic within defined network boundaries.

Exam trap

CompTIA often tests the misconception that simplicity (placing all instances in one subnet) is a best practice, when in fact proper segmentation is critical for security and compliance in multi-tier architectures.

53
MCQmedium

Refer to the exhibit. A cloud administrator is troubleshooting why an EC2 instance in subnet-12345678 cannot be reached from the internet. The instance has a public IP and the security group allows all inbound traffic. Based on the exhibit, what is the most likely cause?

A.The security group is not applied.
B.The route table is missing a default route to the internet gateway.
C.The instance is stopped.
D.The network ACL is misconfigured and blocking all inbound traffic.
AnswerD

The network ACL has a deny rule for all inbound traffic, which overrides the security group's allow.

Why this answer

Option B is correct. The network ACL associated with the subnet has an inbound deny rule for all traffic, blocking access despite the security group. Options A, C, and D are not supported by the exhibit.

54
Drag & Dropmedium

Order the steps to perform a disaster recovery failover to a secondary cloud region.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Failover: activate secondary, update DNS, restore data, verify, then monitor before failback.

55
Multi-Selecthard

A cloud administrator is troubleshooting an application that fails to connect to a database. The application and database are in the same VPC. Which THREE steps should the administrator take to diagnose the issue?

Select 3 answers
A.Check the routing table for a route to the internet.
B.Test connectivity to the database using a telnet or netcat command from the application server.
C.Verify that the security group associated with the database instance allows inbound traffic from the application's security group on the database port.
D.Check the DNS resolution of the database endpoint in the application's subnet.
E.Verify that the network ACL for the database subnet allows inbound traffic on the database port.
AnswersB, C, E

Direct connectivity test isolates the issue.

Why this answer

Option B is correct because telnet or netcat can test basic TCP connectivity to the database port, confirming whether the database is reachable from the application server at the network layer. This step isolates whether the issue is a network connectivity problem versus an authentication or configuration issue within the database itself.

Exam trap

CompTIA often tests the distinction between stateful security groups and stateless network ACLs, and candidates mistakenly assume that allowing inbound traffic in the security group alone is sufficient, forgetting that network ACLs must also permit the traffic.

56
MCQmedium

A cloud administrator receives an alert that a virtual machine is unresponsive. The hypervisor shows the VM status as 'running'. Which of the following should the administrator check FIRST to diagnose the issue?

A.Access the VM's console to view the operating system screen.
B.Verify the security group rules for the VM's subnet.
C.Review the hypervisor's CPU and memory utilization for the VM.
D.Check the virtual network interface for disconnection.
AnswerA

The console shows the OS state; if the OS is hung, it can be diagnosed there.

Why this answer

When a VM is unresponsive but the hypervisor shows its status as 'running', the most direct way to determine if the guest OS has crashed or is stuck in a boot loop is to access the VM's console. This provides a direct view of the OS screen, allowing the administrator to see if the OS is hung, at a login prompt, or displaying an error, which is the first step in isolating the issue before checking network or resource configurations.

Exam trap

CompTIA often tests the distinction between 'VM status' (hypervisor-level) and 'guest OS responsiveness' (OS-level), and the trap here is that candidates assume a 'running' VM is fully operational and immediately check network or resource issues, ignoring the need to verify the OS state via console.

How to eliminate wrong answers

Option B is wrong because security group rules control network traffic at the subnet level; if the VM is unresponsive due to an OS crash, security groups would not affect the VM's ability to respond, and checking them first would be premature without confirming the OS is operational. Option C is wrong because reviewing hypervisor CPU and memory utilization for the VM would help identify resource contention, but the VM is already marked as 'running', meaning the hypervisor is allocating resources; the issue is likely within the guest OS, not resource starvation. Option D is wrong because checking the virtual network interface for disconnection would only be relevant if the VM were unreachable over the network, but the alert states the VM is unresponsive, which could be due to an OS-level hang; network disconnection would not cause the VM to be unresponsive from the hypervisor's perspective.

57
MCQeasy

A company wants to ensure high availability for a stateless web application. Which architecture should be recommended?

A.Two VMs in the same availability zone with a load balancer
B.One VM in each of two availability zones with a load balancer
C.Single VM with daily backups
D.A single large VM with auto-recovery
AnswerB

This provides HA across zones; if one zone fails, traffic is routed to the other.

Why this answer

Option B is correct because deploying one VM in each of two availability zones with a load balancer ensures high availability by eliminating a single point of failure. If one availability zone fails, the load balancer automatically routes traffic to the healthy VM in the other zone, keeping the stateless web application accessible. This architecture aligns with the principle of fault tolerance for stateless applications, where no session state is lost during failover.

Exam trap

The trap here is that candidates often confuse high availability with redundancy within a single zone, failing to recognize that true high availability requires geographic or zone-level separation to survive infrastructure failures.

How to eliminate wrong answers

Option A is wrong because placing two VMs in the same availability zone still creates a single point of failure at the zone level; if that zone goes down, both VMs become unavailable. Option C is wrong because a single VM with daily backups does not provide high availability — backups only aid recovery after a failure, not automatic failover, and the application will experience downtime. Option D is wrong because a single large VM with auto-recovery still represents a single point of failure; auto-recovery only restarts the VM after a crash, but it does not prevent downtime during the recovery period and cannot protect against zone-level failures.

58
MCQmedium

A company uses a cloud object storage service to store backup data. The cloud provider charges for storage and retrieval. The operations team wants to minimize costs while ensuring data is available within 24 hours of a restore request. Which storage tier should they use?

A.Archive storage tier with retrieval time of 48 hours
B.Hot storage tier
C.Cold storage tier with retrieval time of 12 hours
D.Infrequent access tier with retrieval time of 1 hour
AnswerC

Cold storage offers low cost and retrieval within 24 hours.

Why this answer

Option C is correct because the cold storage tier offers a retrieval time of 12 hours, which meets the requirement of making data available within 24 hours while minimizing costs compared to hotter tiers. Cold storage is designed for infrequently accessed data with longer retrieval times, providing a cost-effective balance between availability and expense for backup data that does not need immediate access.

Exam trap

The trap here is that candidates may confuse 'cold storage' with 'archive storage' or assume that any tier with a retrieval time under 24 hours is equally cost-effective, overlooking that cold storage specifically balances cost and retrieval time for infrequent access needs.

How to eliminate wrong answers

Option A is wrong because the archive storage tier with a 48-hour retrieval time exceeds the 24-hour availability requirement, making it unsuitable for the stated restore window. Option B is wrong because the hot storage tier, while providing immediate retrieval, incurs higher storage costs that are unnecessary for backup data that does not require real-time access, thus failing to minimize costs. Option D is wrong because the infrequent access tier with a 1-hour retrieval time, though cheaper than hot storage, still costs more than cold storage and provides faster retrieval than needed, leading to higher expenses without operational benefit.

59
MCQmedium

A cloud administrator is troubleshooting a performance issue where a virtual machine running a database is experiencing high latency. The hypervisor shows the VM has been allocated 4 vCPUs and 16 GB of RAM, but the host server has 32 GB of RAM and 16 cores. Which of the following is most likely the cause of the latency?

A.The VM is over-provisioned on vCPUs relative to physical cores.
B.The VM's storage is on a network share.
C.The VM has too little RAM.
D.The VM is using paravirtualized drivers.
AnswerA

Over-provisioning vCPUs causes contention and context switching, increasing latency.

Why this answer

The VM is allocated 4 vCPUs, but the host has only 16 physical cores. If the VM's workload (e.g., a database) is CPU-intensive and the hypervisor is oversubscribing vCPUs across multiple VMs, the vCPUs may be waiting for physical cores, causing CPU ready time and high latency. This is a classic symptom of CPU over-provisioning.

Exam trap

CompTIA often tests the misconception that more vCPUs always improve performance, when in fact over-provisioning leads to CPU scheduling contention and increased latency.

How to eliminate wrong answers

Option B is wrong because network-attached storage can introduce latency, but the question focuses on CPU/RAM allocation and the host has ample resources; storage is not indicated as the bottleneck. Option C is wrong because 16 GB RAM for a database VM is often sufficient, and the host has 32 GB total, so memory starvation is unlikely to cause high latency without other symptoms. Option D is wrong because paravirtualized drivers typically reduce latency by bypassing emulation overhead; they are a best practice for performance, not a cause of high latency.

60
Multi-Selectmedium

Which TWO of the following are best practices for managing cloud costs? (Select TWO.)

Select 2 answers
A.Implementing resource tagging for cost allocation
B.Consolidating all environments into a single subscription
C.Using reserved instances for predictable workloads
D.Overprovisioning resources to ensure high performance
E.Manually stopping idle virtual machines
AnswersA, C

Tags help identify cost centers and optimize spend.

Why this answer

Options B and D are correct. Option B is correct because tagging resources allows tracking costs by project. Option D is correct because using reserved instances reduces costs for predictable workloads.

Option A is wrong because manual shutdown is error-prone; automation is better. Option C is wrong because overprovisioning increases costs. Option E is wrong because multiple environments require separate management for cost control.

61
Multi-Selecteasy

A cloud administrator is planning a migration of on-premises workloads to the cloud. Which TWO factors should be considered when selecting the appropriate cloud service model (IaaS, PaaS, SaaS)?

Select 2 answers
A.The scalability requirements of the application.
B.The level of control required over the operating system and runtime environment.
C.The security compliance requirements for data at rest.
D.The compatibility of the application with managed database or middleware services.
E.The total cost of ownership compared to on-premises.
AnswersB, D

Determines if IaaS (full control) or PaaS (less control) is needed.

Why this answer

Option B is correct because the level of control over the operating system and runtime environment is a defining factor when choosing between IaaS, PaaS, and SaaS. IaaS provides full control over the OS and runtime, PaaS abstracts the OS and runtime but allows control over application deployment, and SaaS offers no control over the underlying infrastructure. This directly impacts migration decisions, especially for legacy applications that require specific OS configurations or custom runtime dependencies.

Exam trap

CompTIA often tests the misconception that security compliance or scalability are primary factors for service model selection, when in fact they are operational requirements that apply across all models, while control over the OS and runtime is the key differentiator.

62
Multi-Selecteasy

A cloud administrator wants to ensure that patches are applied to cloud workloads with minimal risk. Which TWO practices should the administrator follow? (Choose two.)

Select 2 answers
A.Automate patch deployment using orchestration tools.
B.Skip patches for legacy systems to avoid regression.
C.Patch in production during peak hours to save time.
D.Always apply patches manually to ensure control.
E.Test patches in a staging environment first.
AnswersA, E

Automation ensures timely, consistent patching and reduces human error.

Why this answer

Testing patches in a staging environment before production deployment reduces the risk of unexpected issues. Automating patch deployment using orchestration tools ensures consistency and reduces manual errors.

63
MCQhard

A cloud application is intermittently slow. Based on the exhibit, which of the following is the most likely cause?

A.A network security group is blocking port 3306.
B.The database server is overloaded.
C.The database endpoint DNS record is incorrect.
D.The application has insufficient memory.
AnswerA

Blocking the port prevents TCP handshake, causing a timeout. This matches the error logs.

Why this answer

The intermittent slowness points to a network security group blocking port 3306, which is used by MySQL/MariaDB. When the NSG intermittently drops packets to this port, the application experiences timeouts and retries, causing sporadic slowdowns. This is a common issue in cloud environments where security rules are misconfigured or applied at the wrong priority level.

Exam trap

CompTIA often tests the distinction between intermittent failures (caused by network filtering or transient connectivity issues) versus persistent failures (caused by overload or misconfiguration), leading candidates to incorrectly choose database overload or DNS errors.

How to eliminate wrong answers

Option B is wrong because a database server overload would cause consistent slowness or errors, not intermittent issues, and the exhibit likely shows no CPU/memory spikes. Option C is wrong because an incorrect DNS record would cause a complete failure to resolve the endpoint, not intermittent slowness, and DNS caching would mask transient changes. Option D is wrong because insufficient application memory would manifest as out-of-memory errors or crashes, not intermittent slowness, and would be visible in application metrics.

64
MCQeasy

A cloud administrator notices that a virtual machine has been running for 180 days without a reboot. The administrator needs to install critical security patches that require a reboot. Which of the following actions should the administrator take FIRST?

A.Pause the virtual machine before applying patches.
B.Check for existing snapshots and create a new snapshot.
C.Shut down the virtual machine and apply patches offline.
D.Migrate the virtual machine to a different host to avoid disruption.
AnswerB

Creating a snapshot before patching provides a rollback point in case of failure.

Why this answer

Option B is correct because checking for snapshots ensures that the VM can be rolled back if the patching fails. Option A is wrong because pausing the VM is not necessary before checking snapshots. Option C is wrong because migrating to another host is a later step.

Option D is wrong because shutting down before checking snapshots risks losing state.

65
Multi-Selecthard

A cloud administrator is troubleshooting a performance issue in a virtualized environment. Which THREE of the following metrics should the administrator analyze to identify potential resource contention? (Select THREE.)

Select 3 answers
A.CPU ready time
B.Disk queuing
C.Swap file usage
D.Network latency
E.Memory ballooning
AnswersA, B, E

High CPU ready time means the VM is waiting for CPU cycles due to contention.

Why this answer

CPU ready time measures the time a virtual machine is ready to execute instructions but is waiting for the hypervisor to schedule physical CPU resources. High ready time directly indicates CPU contention, as the VM is being starved of CPU cycles by other VMs on the same host.

Exam trap

The trap here is that candidates often select network latency or swap file usage as signs of resource contention, but these metrics are not direct indicators of hypervisor-level contention for CPU, memory, or storage in a virtualized environment.

66
Multi-Selecteasy

A cloud administrator is designing a backup strategy for a virtual machine running a critical application. The application stores data on a separate data disk. Which TWO of the following practices should the administrator include to ensure a reliable backup?

Select 2 answers
A.Ensure the backup includes the system state and data disk.
B.Encrypt the backup files before storing them off-site.
C.Use file-level backups for the data disk only.
D.Perform guest-level backups with application-aware processing.
E.Rely solely on hypervisor-level snapshots.
AnswersA, D

Including both system state and data disk allows full restore of the VM.

Why this answer

Option A is correct because guest-level backups ensure application consistency. Option D is correct because snapshot consistency ensures crash-consistent not application-consistent. Option B is wrong because file-level backups are less efficient.

Option C is wrong because snapshot-only lacks application consistency. Option E is wrong because encryption not directly backup reliability.

67
Multi-Selecteasy

A cloud engineer is deploying a new application that requires high availability. The solution must include automated failover and load balancing. Which TWO of the following should the engineer implement?

Select 2 answers
A.Configure an auto scaling group with a minimum of two instances across two availability zones.
B.Take daily snapshots of the instance and store them in a different region.
C.Configure a read replica in a different region for failover.
D.Deploy the application on a single large instance with more resources.
E.Place the instances behind an application load balancer with health checks.
AnswersA, E

Auto scaling provides automated replacement and multi-AZ distribution.

Why this answer

Option A is correct because deploying an auto scaling group with a minimum of two instances across two availability zones ensures that if one instance or zone fails, the other can continue serving traffic, providing high availability. This setup also supports automated failover by replacing unhealthy instances automatically, and it works with a load balancer to distribute traffic. The combination of multi-AZ placement and auto scaling is a foundational pattern for fault-tolerant architectures in cloud environments.

Exam trap

The trap here is that candidates often confuse data backup or database replication (options B and C) with application-level high availability and load balancing, failing to recognize that automated failover and load balancing require multiple active compute instances and a traffic distributor, not just data redundancy.

68
MCQmedium

A cloud administrator is reviewing cost reports and notices that a development environment is incurring high costs due to idle compute resources. The environment is used only during business hours on weekdays. Which of the following actions would MOST effectively reduce costs?

A.Implement an auto-scaling schedule to shut down instances during off-hours.
B.Move the development environment to a different region with lower costs.
C.Change all instances to smaller instance types.
D.Use spot instances for all development servers.
AnswerA

This stops instances when not in use, significantly reducing costs without impacting availability during business hours.

Why this answer

An auto-scaling schedule allows you to define time-based rules to automatically scale in (terminate) instances during off-hours and scale out (launch) them during business hours. This directly addresses the idle compute waste by ensuring resources are only running when needed, which is the most effective cost reduction strategy for a predictable usage pattern like weekdays 9-to-5.

Exam trap

CompTIA often tests the distinction between reducing per-unit cost (e.g., smaller instances, spot, different region) versus reducing total runtime cost, and the trap here is that candidates choose a cost-reduction method that still leaves resources running 24/7 instead of aligning compute with actual usage patterns.

How to eliminate wrong answers

Option B is wrong because moving to a different region may reduce per-hour costs but does not eliminate the idle time waste; instances would still run 24/7, just at a lower rate. Option C is wrong because downsizing instance types reduces per-instance cost but still leaves instances running idle during off-hours, failing to address the core issue of unnecessary runtime. Option D is wrong because spot instances can be interrupted at any time and are not suitable for a development environment that requires consistent availability during business hours; they also do not automatically stop during off-hours.

69
MCQeasy

A cloud engineer needs to ensure that a web application can scale out automatically during traffic spikes. Which design best practice should be implemented?

A.Deploy a larger instance size.
B.Use a single powerful VM with more vCPUs.
C.Manually provision additional VMs during peak times.
D.Configure an auto scaling group with a load balancer.
AnswerD

Auto scaling automatically adjusts capacity.

Why this answer

Option D is correct because an auto scaling group combined with a load balancer automatically adds or removes VM instances based on predefined metrics (e.g., CPU utilization, request count), ensuring the web application scales out horizontally during traffic spikes without manual intervention. This aligns with cloud elasticity best practices for handling variable workloads.

Exam trap

CompTIA often tests the distinction between vertical scaling (scaling up) and horizontal scaling (scaling out), where candidates mistakenly choose a larger instance size or a single powerful VM because they think 'more resources' is the solution, ignoring the need for automatic, elastic scaling and fault tolerance.

How to eliminate wrong answers

Option A is wrong because deploying a larger instance size (vertical scaling) has a hard limit based on the maximum available instance type and does not provide true elasticity; it also incurs downtime during resizing and cannot handle sudden spikes beyond the single instance's capacity. Option B is wrong because using a single powerful VM with more vCPUs is also vertical scaling, creating a single point of failure and a scalability ceiling; it cannot distribute traffic across multiple instances. Option C is wrong because manually provisioning additional VMs during peak times is reactive, error-prone, and introduces latency, failing to meet the requirement for automatic scaling during traffic spikes.

70
MCQmedium

Refer to the exhibit. A cloud administrator is trying to retrieve a secret from a cloud secrets manager using a script with an access key and secret key. The script returns the error shown. The keys were newly created. What is the most likely cause?

A.The secret is encrypted with a different KMS key.
B.The script is using the wrong region.
C.The secret does not exist.
D.The access key is not activated or has a propagation delay.
AnswerD

Newly created keys can take a few minutes to propagate; until then, they may be considered invalid.

Why this answer

Option D is correct. Newly created access keys may have a propagation delay and are not immediately active. Options A, B, and C would yield different error messages.

71
MCQmedium

Refer to the exhibit. An administrator created this policy and attached it to a user. When the user attempts to terminate an instance from an IP address outside the 10.0.0.0/8 range, what will happen?

A.The user will be denied because the action is not allowed.
B.The effect will be evaluated as Deny.
C.The user will be denied because the condition fails.
D.The user will be allowed to terminate instances.
AnswerC

Without a matching Allow, the default Deny takes effect.

Why this answer

Option B is correct because the condition restricts the Allow to requests from the specified IP range. Requests from outside that range do not match the condition, so the Allow is not applied, resulting in an implicit Deny. Option A is incorrect because the condition fails.

Option C is incorrect because the action is allowed under the correct condition. Option D is incorrect because the effect is not changed to Deny; it is simply not allowed.

72
MCQmedium

A company uses AWS for its production environment. The company has deployed a web application behind an Application Load Balancer (ALB) with a target group containing two EC2 instances in different Availability Zones. The application is stateless and stores session data in an external Redis cluster. Recently, users report that they are occasionally logged out during a session. The load balancer health checks pass for both instances. The application logs show no errors. Which of the following is the most likely cause of the issue?

A.The Redis cluster is not configured for replication.
B.The instances are using different AMI versions.
C.The target group is configured with slow start.
D.Sticky sessions are not enabled on the ALB.
AnswerA

Without replication, a failure in the Redis node can cause session data loss, resulting in intermittent logouts.

Why this answer

The application is stateless and stores session data in an external Redis cluster. If the Redis cluster lacks replication, a failure of the primary node will cause all session data to be lost, logging users out. The ALB health checks pass and application logs show no errors because the EC2 instances themselves are healthy; the issue lies entirely in the Redis layer's lack of high availability.

Exam trap

The trap here is that candidates often assume sticky sessions are required for session persistence, but the question explicitly states the application is stateless and uses an external Redis cluster, making the Redis architecture the real culprit.

How to eliminate wrong answers

Option B is wrong because different AMI versions would cause inconsistent application behavior or deployment failures, not intermittent session loss when health checks pass. Option C is wrong because slow start gradually increases traffic to new targets, which affects load distribution but does not cause session data loss or logouts. Option D is wrong because sticky sessions (session affinity) are unnecessary for a stateless application that stores session data externally in Redis; enabling them would not prevent data loss from a non-replicated Redis cluster.

73
MCQhard

A cloud administrator is troubleshooting an issue where users from the 192.0.2.0/24 network cannot access objects in an S3 bucket. The bucket policy is shown in the exhibit. What is the most likely cause of the issue?

A.The condition uses an incorrect IP address format.
B.The policy does not grant the s3:ListBucket action.
C.The policy is missing a required statement ID.
D.The resource ARN does not include the bucket itself.
AnswerB

Without ListBucket, users cannot list objects, only get them if they know the exact key.

Why this answer

The bucket policy grants s3:GetObject but not s3:ListBucket. Without s3:ListBucket, users cannot list the objects in the bucket, so they cannot discover the object keys needed to access objects. Even if they know the exact object key, the missing ListBucket action prevents the initial listing operation, which is required for many S3 access patterns.

Exam trap

CompTIA often tests the distinction between object-level actions (s3:GetObject) and bucket-level actions (s3:ListBucket), trapping candidates who assume that granting read access automatically includes listing permissions.

How to eliminate wrong answers

Option A is wrong because the IP address format '192.0.2.0/24' is a valid CIDR notation and is correctly used in the condition block. Option C is wrong because a Statement ID (Sid) is optional in S3 bucket policies; its absence does not cause access failures. Option D is wrong because the resource ARN 'arn:aws:s3:::example-bucket/*' correctly specifies all objects in the bucket, and the bucket itself is not required for object-level operations like s3:GetObject.

74
MCQhard

During a disaster recovery test, a cloud administrator finds that the replicated VMs in the secondary site fail to start because they are assigned to a resource pool that does not exist in the secondary site. Which of the following should the administrator have done to prevent this issue?

A.Map the resource pools between primary and secondary sites.
B.Use storage snapshot replication instead.
C.Ensure the secondary site has identical hardware.
D.Configure the replication job to use a different datastore.
AnswerA

Resource pool mappings allow VMs to start on appropriate clusters or hosts in the DR site.

Why this answer

Option C is correct because mapping resource pools between primary and secondary sites ensures that replicated VMs can find their intended compute resources. Option A addresses storage, not compute association. Option B would change datastore, not fix the resource pool issue.

Option D is not necessary; hardware differences can be managed with proper mappings.

75
Multi-Selecthard

A cloud engineer is troubleshooting a performance issue with a web application that uses a cloud load balancer and multiple backend instances. Users report intermittent slow responses. The engineer reviews metrics and finds that CPU utilization on backend instances stays below 50% but network throughput is near the instance limit. Which THREE actions should the engineer take to improve performance?

Select 3 answers
A.Change the load balancing algorithm to least connections.
B.Distribute instances across multiple availability zones.
C.Upgrade to an instance type with higher network bandwidth.
D.Increase the number of backend instances.
E.Enable connection draining on the load balancer.
AnswersB, C, E

Multi-zone deployment can improve resilience and distribute load across network paths.

Why this answer

Distributing instances across multiple availability zones (AZs) improves fault tolerance and can reduce network congestion by spreading traffic across physically separate infrastructure. In this scenario, network throughput is near the instance limit, so adding instances in different AZs allows the load balancer to distribute traffic more evenly, preventing any single instance from being overwhelmed. This also leverages the load balancer's cross-zone load balancing capability, which can improve overall throughput and reduce latency for users.

Exam trap

CompTIA often tests the misconception that increasing the number of instances always solves performance issues, when in reality the bottleneck may be the network bandwidth per instance, requiring a larger instance type or distribution across AZs to utilize aggregate bandwidth.

Page 1 of 3 · 193 questions totalNext →

Ready to test yourself?

Try a timed practice session using only Operations and Support questions.