Questions 1 - 20

Question 1

Topic: Monitoring & Logging Scenario: A company has a mobile application that makes HTTP API calls to an Application Load Balancer (ALB), which routes requests to an AWS Lambda function. Multiple versions of the application are in use, defined in the user-agent header. The company observes issues and needs to gather a metric for each API operation by response code for each version of the application. A DevOps engineer has modified the Lambda function to extract the necessary information.

Question: Which additional set of actions should the DevOps engineer take to gather the required metrics?

Options:

A. Modify the Lambda function to write the API operation name, response code, and version number as a log line to an Amazon CloudWatch Logs log group. Configure a CloudWatch Logs metric filter that increments a metric for each API operation name. Specify response code and application version as dimensions for the metric.

B. Modify the Lambda function to write the API operation name, response code, and version number as a log line to an Amazon CloudWatch Logs log group. Configure a CloudWatch Logs Insights query to populate CloudWatch metrics from the log lines. Specify response code and application version as dimensions for the metric.

C. Configure the ALB access logs to write to an Amazon CloudWatch Logs log group. Modify the Lambda function to respond to the ALB with the API operation name, response code, and version number as response metadata. Configure a CloudWatch Logs metric filter that increments a metric for each API operation name. Specify response code and application version as dimensions for the metric.

D. Configure AWS X-Ray integration on the Lambda function. Modify the Lambda function to create an X-Ray subsegment with the API operation name, response code, and version number. Configure X-Ray insights to extract an aggregated metric for each API operation name and to publish the metric to Amazon CloudWatch. Specify response code and application version as dimensions for the metric.

Correct Answer: A Community Vote: A (90%)

Question 2

Topic: Serverless Optimization Scenario: An application uses an Amazon API Gateway REST API that invokes an AWS Lambda function. On initialization, the function loads a large amount of data from a DynamoDB table (with DAX), causing cold-start times of 8-10 seconds. The application has variable traffic patterns: thousands of requests daily, 10x traffic midday, and 10% traffic near the end of the day. A DevOps engineer needs to reduce the latency of the Lambda function at all times.

Question: Which solution will meet these requirements?

Options:

A. Configure provisioned concurrency on the Lambda function with a concurrency value of 1. Delete the DAX cluster for the DynamoDB table.

B. Configure reserved concurrency on the Lambda function with a concurrency value of 0.

C. Configure provisioned concurrency on the Lambda function. Configure AWS Application Auto Scaling on the Lambda function with provisioned concurrency values set to a minimum of 1 and a maximum of 100.

D. Configure reserved concurrency on the Lambda function. Configure AWS Application Auto Scaling on the API Gateway API with a reserved concurrency maximum value of 100.

Correct Answer: C Community Vote: C (100%)

Question 3

Topic: Deployment Automation Scenario: A company is adopting AWS CodeDeploy for a Java-Apache Tomcat application. The team wants to change the log level configuration dynamically during deployment based on the deployment group (e.g., developer, staging, production) without creating different application revisions for each group.

Question: How can these requirements be met with the LEAST management overhead and without requiring different script versions for each deployment group?

Options:

A. Tag the Amazon EC2 instances depending on the deployment group. Place a script in the revision that calls the metadata service and EC2 API to identify the group and configure settings. Reference this script in the AfterInstall hook.

B. Create a script that uses the CodeDeploy environment variable DEPLOYMENT_GROUP_NAME to identify the group and configure settings. Reference this script in the BeforeInstall hook in appspec.yml.

C. Create a CodeDeploy custom environment variable for each environment. Place a script in the revision that checks this variable. Reference this script in the ValidateService hook.

D. Create a script that uses the CodeDeploy environment variable DEPLOYMENT_GROUP_ID to identify the group. Reference this script in the Install hook.

Correct Answer: B Community Vote: B (73%)

Question 4

Topic: Configuration Management Scenario: A company requires developers to tag all Amazon EBS volumes with Backup_Frequency (values: none, daily, weekly). An audit finds inconsistent tagging. A DevOps engineer needs to ensure all EBS volumes always have the tag so backups occur at least weekly unless specified otherwise.

Question: Which solution will meet these requirements?

Options:

A. Set up AWS Config in the account. Create a custom rule that returns a compliance failure for all Amazon EC2 resources that do not have a Backup Frequency tag applied. Configure a remediation action that uses a custom AWS Systems Manager Automation runbook to apply the Backup_Frequency tag with a value of weekly.

B. Set up AWS Config in the account. Use a managed rule that returns a compliance failure for EC2::Volume resources that do not have a Backup Frequency tag applied. Configure a remediation action that uses a custom AWS Systems Manager Automation runbook to apply the Backup_Frequency tag with a value of weekly.

C. Turn on AWS CloudTrail in the account. Create an Amazon EventBridge rule that reacts to EBS CreateVolume events. Configure a custom AWS Systems Manager Automation runbook to apply the Backup_Frequency tag with a value of weekly. Specify the runbook as the target of the rule.

D. Turn on AWS CloudTrail in the account. Create an Amazon EventBridge rule that reacts to EBS CreateVolume events or EBS ModifyVolume events. Configure a custom AWS Systems Manager Automation runbook to apply the Backup_Frequency tag with a value of weekly. Specify the runbook as the target of the rule.

Correct Answer: B

Question 5

Topic: Database High Availability Scenario: An application uses an Amazon Aurora cluster with a single DB instance. An update is scheduled for a maintenance window. The cluster must remain available with the least possible interruption.

Question: What should a DevOps engineer do to meet these requirements?

Options:

A. Add a reader instance to the Aurora cluster. Update the application to use the Aurora cluster endpoint for write operations. Update the Aurora cluster's reader endpoint for reads.

B. Add a reader instance to the Aurora cluster. Create a custom ANY endpoint for the cluster. Update the application to use the Aurora cluster's custom ANY endpoint for read and write operations.

C. Turn on the Multi-AZ option on the Aurora cluster. Update the application to use the Aurora cluster endpoint for write operations. Update the Aurora cluster’s reader endpoint for reads.

D. Turn on the Multi-AZ option on the Aurora cluster. Create a custom ANY endpoint for the cluster. Update the application to use the Aurora cluster's custom ANY endpoint for read and write operations.

Correct Answer: A

Question 6

Topic: Security & AMIs Scenario: A company must encrypt all AMIs shared across accounts. An unencrypted custom AMI exists in a source account with an AWS KMS key. The AMI must be shared with a target account where an EC2 Auto Scaling group will launch instances.

Question: Which additional steps should the DevOps engineer perform to meet the requirements? (Choose three.)

Options:

A. In the source account, copy the unencrypted AMI to an encrypted AMI. Specify the KMS key in the copy action. (Most Voted)

B. In the source account, copy the unencrypted AMI to an encrypted AMI. Specify the default Amazon Elastic Block Store (Amazon EBS) encryption key in the copy action.

C. In the source account, create a KMS grant that delegates permissions to the Auto Scaling group service-linked role in the target account.

D. In the source account, modify the key policy to give the target account permissions to create a grant. In the target account, create a KMS grant that delegates permissions to the Auto Scaling group service-linked role. (Most Voted)

E. In the source account, share the unencrypted AMI with the target account.

F. In the source account, share the encrypted AMI with the target account. (Most Voted)

Note: The provided text for Question 6 options cuts off. Community discussion suggests the answer is A, D, F.

Question 7

Topic: CI/CD Migration Scenario: A company uses AWS CodePipeline (Build, Test, Deploy) and wants to switch to AWS CodeDeploy for the deployment stage. The application is an RPM package deployed to a fleet of EC2 instances in an Auto Scaling group launched from a common AMI.

Question: Which combination of steps should a DevOps engineer perform to meet these requirements? (Choose two.)

Options:

A. Create a new version of the common AMI with the CodeDeploy agent installed. Update the IAM role of the EC2 instances to allow access to CodeDeploy. (Most Voted)

B. Create a new version of the common AMI with the CodeDeploy agent installed. Create an AppSpec file that contains application deployment scripts and grants access to CodeDeploy.

C. Create an application in CodeDeploy. Configure an in-place deployment type. Specify the Auto Scaling group as the deployment target. Add a step to the CodePipeline pipeline to use EC2 Image Builder to create a new AMI. Configure CodeDeploy to deploy the newly created AMI.

D. Create an application in CodeDeploy. Configure an in-place deployment type. Specify the Auto Scaling group as the deployment target. Update the CodePipeline pipeline to use the CodeDeploy action to deploy the application. (Most Voted)

E. Create an application in CodeDeploy. Configure an in-place deployment type. Specify the EC2 instances that are launched from the common AMI as the deployment target. Update the CodePipeline pipeline to use the CodeDeploy action to deploy the application.

Note: Community discussion suggests the answer is A and D.

Question 8

Topic: Security & Compliance Scenario: A security team requires all external Application Load Balancers (ALBs) and API Gateway APIs to be associated with AWS WAF web ACLs. The company has hundreds of accounts in AWS Organizations and uses AWS Config. An audit found violations.

Question: Which combination of steps should a DevOps engineer take to prevent future violations? (Choose two.)

Options:

A. Delegate AWS Firewall Manager to a security account.

B. Delegate Amazon GuardDuty to a security account.

C. Create an AWS Firewall Manager policy to attach AWS WAF web ACLs to any newly created ALBs and API Gateway APIs.

D. Create an Amazon GuardDuty policy to attach AWS WAF web ACLs to any newly created ALBs and API Gateway APIs.

E. Configure an AWS Config managed rule to attach AWS WAF web ACLs to any newly created ALBs and API Gateway APIs.

Community Vote: A, C (Most Voted)

Question 9

Topic: Security & Key Management Scenario: A company uses AWS KMS keys and manual key rotation. The security team wants to be notified when any keys have not been rotated after 90 days.

Question: Which solution will accomplish this?

Options:

A. Configure AWS KMS to publish to an Amazon SNS topic when keys are more than 90 days old.

B. Configure an Amazon EventBridge event to launch an AWS Lambda function to call the AWS Trusted Advisor API and publish to an Amazon SNS topic.

C. Develop an AWS Config custom rule that publishes to an Amazon SNS topic when keys are more than 90 days old.

D. Configure AWS Security Hub to publish to an Amazon SNS topic when keys are more than 90 days old.

Correct Answer: C
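The Config custom rule in Option C needs an evaluator that decides, per key, whether 90 days have passed since the last manual rotation. The block below is an added example, not code from the page or from AWS: it assumes that under manual rotation a rotated key is a brand-new key behind the alias (so the key's CreationDate is its last rotation time), that the rule is periodically triggered, and that the SNS topic ARN arrives in a hypothetical ALERT_TOPIC_ARN environment variable; the sample key metadata is constructed.

```python
# Added example (not code from the page): evaluation logic of a hypothetical
# AWS Config custom rule that reports KMS keys not rotated within 90 days.
# Assumption: under manual rotation a rotated key is a brand-new key behind the
# alias, so the CreationDate of the key in use is the time of its last rotation.
from datetime import datetime, timedelta, timezone
import json
import os

MAX_AGE_DAYS = 90


def evaluate_key(key, now):
    """key is a dict shaped like kms.describe_key()['KeyMetadata'].
    AWS-managed keys and keys that are not Enabled are not the customer's to
    rotate, so they are reported as NOT_APPLICABLE rather than failing."""
    if key.get("KeyManager") != "CUSTOMER" or key.get("KeyState") != "Enabled":
        return "NOT_APPLICABLE"
    age = now - key["CreationDate"]
    return "NON_COMPLIANT" if age > timedelta(days=MAX_AGE_DAYS) else "COMPLIANT"


def evaluate_all(keys, now):
    """Build the Evaluations list that config.put_evaluations expects and
    collect the ids of stale keys for the SNS notification."""
    evaluations, stale = [], []
    for key in keys:
        compliance = evaluate_key(key, now)
        evaluations.append({
            "ComplianceResourceType": "AWS::KMS::Key",
            "ComplianceResourceId": key["KeyId"],
            "ComplianceType": compliance,
            "Annotation": f"created {key['CreationDate'].date()}, limit {MAX_AGE_DAYS} days",
            "OrderingTimestamp": now,
        })
        if compliance == "NON_COMPLIANT":
            stale.append(key["KeyId"])
    return evaluations, stale


def handler(event, context):
    """Lambda entry point for a periodic Config custom rule (boto3 is imported
    here so the pure evaluation functions above run without AWS access)."""
    import boto3
    kms, config = boto3.client("kms"), boto3.client("config")
    now = datetime.now(timezone.utc)
    keys = [kms.describe_key(KeyId=k["KeyId"])["KeyMetadata"]
            for page in kms.get_paginator("list_keys").paginate()
            for k in page["Keys"]]
    evaluations, stale = evaluate_all(keys, now)
    config.put_evaluations(Evaluations=evaluations, ResultToken=event["resultToken"])
    topic = os.environ.get("ALERT_TOPIC_ARN")  # hypothetical env var, set on the function
    if stale and topic:
        boto3.client("sns").publish(TopicArn=topic,
                                    Subject="KMS keys not rotated within 90 days",
                                    Message=json.dumps({"keyIds": stale}))
    return {"nonCompliant": stale}


# Constructed sample metadata (not real keys) for running this offline.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"KeyId": "11111111-aaaa-4bbb-8ccc-000000000001", "KeyManager": "CUSTOMER",
     "KeyState": "Enabled", "CreationDate": datetime(2024, 1, 1, tzinfo=timezone.utc)},
    {"KeyId": "22222222-aaaa-4bbb-8ccc-000000000002", "KeyManager": "CUSTOMER",
     "KeyState": "Enabled", "CreationDate": datetime(2024, 4, 1, tzinfo=timezone.utc)},
    {"KeyId": "33333333-aaaa-4bbb-8ccc-000000000003", "KeyManager": "AWS",
     "KeyState": "Enabled", "CreationDate": datetime(2023, 1, 1, tzinfo=timezone.utc)},
]

if __name__ == "__main__":
    for e in evaluate_all(SAMPLE_KEYS, SAMPLE_NOW)[0]:
        print(e["ComplianceResourceId"], e["ComplianceType"])
```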

Question 10

Topic: Security & CI/CD Scenario: A security review identified that an AWS CodeBuild project is downloading a database population script from an Amazon S3 bucket using an unauthenticated request. The security team prohibits unauthenticated requests.

Question: How can this issue be corrected in the MOST secure manner?

Options:

A. Add the bucket name to the AllowedBuckets section of the CodeBuild project settings. Update the build spec to use the AWS CLI to download the script.

B. Modify the S3 bucket settings to enable HTTPS basic authentication and specify a token. Update the build spec to use cURL to pass the token.

C. Remove unauthenticated access from the S3 bucket with a bucket policy. Modify the service role for the CodeBuild project to include Amazon S3 access. Use the AWS CLI to download the script.

D. Remove unauthenticated access from the S3 bucket with a bucket policy. Use the AWS CLI to download the database population script using an IAM access key and a secret access key.

Note: Community discussion favors Option C.

Question 11

Topic: IAM Identity Center (SSO) & ABAC Scenario: An ecommerce company is building an AWS Control Tower landing zone. They use AWS IAM Identity Center with an external IdP (SAML 2.0). The DevOps team needs a permission model that follows the principle of least privilege, allowing the team to build and manage only their own resources.

Question: Which combination of steps will meet these requirements? (Choose three.)

Options:

A. Create IAM policies that include the required permissions. Include the aws:PrincipalTag condition key.

B. Create permission sets. Attach an inline policy that includes the required permissions and uses the aws:PrincipalTag condition key to scope the permissions.

C. Create a group in the IdP. Place users in the group. Assign the group to accounts and the permission sets in IAM Identity Center.

D. Create a group in the IdP. Place users in the group. Assign the group to OUs and IAM policies.

E. Enable attributes for access control in IAM Identity Center. Apply tags to users. Map the tags as key-value pairs.

F. Enable attributes for access control in IAM Identity Center. Map attributes from the IdP as key-value pairs. (Most Voted)

Community Consensus: B, C, F

Explanation: The solution involves using Attribute-Based Access Control (ABAC). You create groups in the IdP (Option C), enable attributes for access control (Option F - inferred from comments), and use Permission Sets with policies leveraging aws:PrincipalTag (Option B).

Question 12

Topic: Serverless Performance Tuning Scenario: An ecommerce company has delays in order history reflecting processing status. The system uses a Lambda function (reserved concurrency) processing messages from SQS and inserting them into a DynamoDB table (auto scaling enabled).

Question: Which actions should a DevOps engineer take to resolve this delay? (Choose two.)

Options:

A. Check the ApproximateAgeOfOldestMessage metric for the SQS queue. Increase the Lambda function concurrency limit.

B. Check the ApproximateAgeOfOldestMessage metric for the SQS queue. Configure a redrive policy on the SQS queue.

C. Check the NumberOfMessagesSent metric for the SQS queue. Increase the SQS queue visibility timeout.

D. Check the WriteThrottleEvents metric for the DynamoDB table. Increase the maximum write capacity.

E. Check the Throttles metric for the Lambda function. Increase the Lambda function timeout.

Community Consensus: A and D

Explanation: High ApproximateAgeOfOldestMessage indicates messages are backing up, suggesting a need for more processing power (Lambda concurrency). WriteThrottleEvents indicates the database cannot handle the write throughput, requiring higher write capacity limits.

Question 13

Topic: Security & Compliance (EC2) Scenario: A security policy requires all EC2 instances to have an IAM instance profile attached. If one is missing, it must use a default profile with no permissions. A DevOps engineer needs to ensure this is applied to all existing and future instances.

Question: Which solution will ensure that an instance profile is attached to all existing and future EC2 instances?

Options:

A. Configure an Amazon EventBridge rule that reacts to EC2 RunInstances API calls. Configure the rule to invoke an AWS Lambda function to attach the default instance profile to the EC2 instances.

B. Configure the ec2-instance-profile-attached AWS Config managed rule with a trigger type of configuration changes. Configure an automatic remediation action that invokes an AWS Systems Manager Automation runbook to attach the default instance profile to the EC2 instances. (Most Voted)

C. Configure an Amazon EventBridge rule that reacts to EC2 StartInstances API calls. Configure the rule to invoke an AWS Systems Manager Automation runbook to attach the default instance profile to the EC2 instances.

D. Configure the iam-role-managed-policy-check AWS Config managed rule with a trigger type of configuration changes. Configure an automatic remediation action that invokes an AWS Lambda function to attach the default instance profile to the EC2 instances.

Community Consensus: B

Explanation: AWS Config is the standard tool for compliance monitoring and remediation. The managed rule checks for the profile, and SSM Automation handles the fix for both new and existing resources.

Question 14

Topic: Serverless Deployment (Canary) Scenario: A DevOps engineer is building a continuous deployment pipeline for a serverless application (Lambda). The goal is to reduce customer impact during unsuccessful deployments and monitor for issues.

Question: Which deploy stage configuration will meet these requirements?

Options:

A. Use an AWS Serverless Application Model (AWS SAM) template to define the serverless application. Use AWS CodeDeploy to deploy the Lambda functions with the Canary10Percent15Minutes Deployment Preference Type. Use Amazon CloudWatch alarms to monitor the health of the functions. (Most Voted)

B. Use AWS CloudFormation to publish a new stack update, and include Amazon CloudWatch alarms on all resources. Set up an AWS CodePipeline approval action for a developer to verify and approve the AWS CloudFormation change set.

C. Use AWS CloudFormation to publish a new version on every stack update, and include Amazon CloudWatch alarms on all resources. Use the RoutingConfig property of the AWS::Lambda::Alias resource to update the traffic routing during the stack update.

D. Use AWS CodeBuild to add sample event payloads for testing to the Lambda functions. Publish a new version of the functions, and include Amazon CloudWatch alarms. Update the production alias to point to the new version. Configure rollbacks to occur when an alarm is in the ALARM state.

Community Consensus: A

Explanation: AWS SAM and CodeDeploy natively support gradual traffic shifting (Canary deployments) for Lambda, which minimizes impact and supports automatic rollback via CloudWatch alarms.

Question 15

Topic: Networking & Security Scenario: An EC2 instance launched in a public subnet installs application artifacts via a user data script. A security change now requires the instance to run with no internet access. The application fails to install under the new restriction.

Question: Which of the following should successfully install the application while complying with the new rule?

Options:

A. Launch the instances in a public subnet with Elastic IP addresses attached. Once the application is installed and running, run a script to disassociate the Elastic IP addresses afterwards.

B. Set up a NAT gateway. Deploy the EC2 instances to a private subnet. Update the private subnet's route table to use the NAT gateway as the default route.

C. Publish the application artifacts to an Amazon S3 bucket and create a VPC endpoint for S3. Assign an IAM instance profile to the EC2 instances so they can read the application artifacts from the S3 bucket. (Most Voted)

D. Create a security group for the application instances and allow only outbound traffic to the artifact repository. Remove the security group rule once the install is complete.

Community Consensus: C

Explanation: Options A and B provide internet access, violating the requirement. Option C allows the instance to retrieve artifacts from S3 using a private endpoint without traversing the public internet.

Question 16

Topic: CI/CD Troubleshooting (CodePipeline) Scenario: A team uses CodeCommit and CodePipeline. The pipeline is triggered by a remote main branch. A developer pushed code, but the pipeline did not trigger after 10 minutes.

Question: Which action should be taken to troubleshoot this?

Options:

A. Check that an Amazon EventBridge rule has been created for the main branch to trigger the pipeline.

B. Check that the CodePipeline service role has permission to access the CodeCommit repository.

C. Check that the developer’s IAM role has permission to push to the CodeCommit repository.

D. Check for CodeCommit errors in CloudWatch Logs.

Correct Answer: A Community Consensus: A

Explanation: CodePipeline relies on Amazon EventBridge rules to detect changes in CodeCommit repositories and trigger the pipeline. If the rule is missing or misconfigured, the pipeline will not start. If B were the cause, the pipeline would fail immediately with a "Permission Denied" error rather than showing no reaction for 10 minutes.

Question 17

Topic: Security Automation (EventBridge) Scenario: Developers use EC2 instances as workstations. The security team wants to be notified in near real-time if a security group is modified to allow unrestricted inbound access (0.0.0.0/0) and automatically remove the rule.

Question: What should the DevOps engineer do next to meet the requirements?

Options:

A. Configure the Lambda function to be invoked by the SNS topic. Create an AWS CloudTrail subscription for the SNS topic. Configure a subscription filter for security group modification events.

B. Create an Amazon EventBridge scheduled rule to invoke the Lambda function. Define a schedule pattern that runs the Lambda function every hour.

C. Create an Amazon EventBridge event rule that has the default event bus as the source. Define the rule’s event pattern to match EC2 security group creation and modification events. Configure the rule to invoke the Lambda function. (Most Voted)

D. Create an Amazon EventBridge custom event bus that subscribes to events from all AWS services. Configure the Lambda function to be invoked by the custom event bus.

Community Consensus: C

Explanation: EventBridge can react to CloudTrail API events in real-time. A scheduled rule (Option B) is not real-time. SNS (Option A) is typically a destination for notifications, not the trigger logic source.
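The remediation half of this scenario is the Lambda function that the EventBridge rule in Option C invokes. The block below is an added example, not code from the page or from AWS: it shows the event pattern for the default-bus rule and a hypothetical handler that reads the CloudTrail detail EventBridge delivers, revokes only the ranges open to 0.0.0.0/0 (and, going beyond the page, ::/0 for IPv6) and notifies SNS. The sample event is constructed and the ALERT_TOPIC_ARN environment variable is an assumption.

```python
# Added example (not code from the page): a hypothetical Lambda target for the
# EventBridge rule in Option C. It reads the CloudTrail detail that EventBridge
# delivers, revokes any ingress range open to 0.0.0.0/0 or ::/0 and notifies SNS.
# The event sample is constructed; the SNS topic ARN is an assumed env var.
import json
import os

# Event pattern for the rule on the default event bus (CloudTrail API events).
EVENT_PATTERN = {
    "source": ["aws.ec2"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventSource": ["ec2.amazonaws.com"],
               "eventName": ["AuthorizeSecurityGroupIngress"]},
}
OPEN_V4, OPEN_V6 = "0.0.0.0/0", "::/0"


def _items(block):
    # CloudTrail wraps every EC2 list in {"items": [...]}; absent lists are {}.
    return (block or {}).get("items", [])


def find_open_ingress(detail):
    """Return (group_id, permissions_to_revoke). Each permission is already in
    the IpPermissions shape that ec2.revoke_security_group_ingress expects, and
    only the unrestricted ranges are included so narrower ranges in the same
    call survive."""
    params = detail.get("requestParameters", {})
    to_revoke = []
    for perm in _items(params.get("ipPermissions")):
        v4 = [r for r in _items(perm.get("ipRanges")) if r.get("cidrIp") == OPEN_V4]
        v6 = [r for r in _items(perm.get("ipv6Ranges")) if r.get("cidrIpv6") == OPEN_V6]
        if not (v4 or v6):
            continue
        revoke = {"IpProtocol": perm.get("ipProtocol")}
        if perm.get("ipProtocol") != "-1":  # "-1" (all traffic) carries no ports
            revoke["FromPort"], revoke["ToPort"] = perm.get("fromPort"), perm.get("toPort")
        if v4:
            revoke["IpRanges"] = [{"CidrIp": OPEN_V4}]
        if v6:
            revoke["Ipv6Ranges"] = [{"CidrIpv6": OPEN_V6}]
        to_revoke.append(revoke)
    return params.get("groupId"), to_revoke


def handler(event, context):
    """Lambda entry point; boto3 is imported here so find_open_ingress can be
    exercised offline."""
    detail = event.get("detail", {})
    group_id, perms = find_open_ingress(detail)
    if not perms:
        return {"groupId": group_id, "revoked": 0}
    import boto3
    boto3.client("ec2").revoke_security_group_ingress(GroupId=group_id, IpPermissions=perms)
    topic = os.environ.get("ALERT_TOPIC_ARN")  # hypothetical env var, set on the function
    if topic:
        boto3.client("sns").publish(
            TopicArn=topic, Subject=f"Removed world-open ingress from {group_id}",
            Message=json.dumps({"groupId": group_id, "revoked": perms,
                                "by": detail.get("userIdentity", {}).get("arn")}))
    return {"groupId": group_id, "revoked": len(perms)}


# Constructed sample of what EventBridge delivers for one API call.
SAMPLE_EVENT = {
    "source": "aws.ec2", "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-dev"},
        "requestParameters": {
            "groupId": "sg-0123456789abcdef0",
            "ipPermissions": {"items": [
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}, "ipv6Ranges": {}},
                {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                 "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}, "ipv6Ranges": {}},
                {"ipProtocol": "-1", "ipRanges": {},
                 "ipv6Ranges": {"items": [{"cidrIpv6": "::/0"}]}},
            ]},
        },
    },
}

if __name__ == "__main__":
    print(json.dumps(find_open_ingress(SAMPLE_EVENT["detail"]), indent=2))
```

The function's execution role needs ec2:RevokeSecurityGroupIngress and sns:Publish, and nothing more, for this to run with least privilege.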

Question 18

Topic: Networking (IPv6) Scenario: A web service runs on EC2 in a private subnet behind an ALB. The engineer must ensure the service accepts requests from clients with IPv6 addresses.

Question: What should the DevOps engineer do with the CloudFormation template?

Options:

A. Add an IPv6 CIDR block to the VPC and the private subnet for the EC2 instances. Create route table entries for the IPv6 network, use EC2 instance types that support IPv6, and assign IPv6 addresses to each EC2 instance.

B. Assign each EC2 instance an IPv6 Elastic IP address. Create a target group, and add the EC2 instances as targets. Create a listener on port 443 of the ALB, and associate the target group with the ALB.

C. Replace the ALB with a Network Load Balancer (NLB). Add an IPv6 CIDR block to the VPC and subnets for the NLB, and assign the NLB an IPv6 Elastic IP address.

D. Add an IPv6 CIDR block to the VPC and subnets for the ALB. Create a listener on port 443, and specify the dualstack IP address type on the ALB. Create a target group, and add the EC2 instances as targets. Associate the target group with the ALB. (Most Voted)

Community Consensus: D

Explanation: The ALB must be configured in "dualstack" mode to support both IPv4 and IPv6 clients. The EC2 instances in the private subnet do not necessarily need public IPv6 addresses if the ALB handles the termination.

Question 19

Topic: Account Management (Control Tower/AFT) Scenario: A company uses Control Tower and Account Factory for Terraform (AFT). New accounts are provisioned with Basic Support, but they need Enterprise Support.

Question: Which solution will meet these requirements?

Options:

A. Use an AWS Config conformance pack to deploy the account-part-of-organizations AWS Config rule and to automatically remediate any noncompliant accounts.

B. Create an AWS Lambda function to create a ticket for AWS Support to add the account to the Enterprise Support plan. Grant the Lambda function the support:ResolveCase permission.

C. Add an additional value to the control_tower_parameters input to set the AWSEnterpriseSupport parameter as the organization's management account number.

D. Set the aft_feature_enterprise_support feature flag to True in the AFT deployment input configuration. Redeploy AFT and apply the changes. (Most Voted)

Community Consensus: D

Explanation: AFT has a specific feature flag (aft_feature_enterprise_support) that can be enabled to provision accounts with Enterprise Support automatically.

Question 20

Topic: Systems Manager & EventBridge Scenario: EC2 instances need a restart after AWS Health notifications. The engineer creates an EventBridge rule to automate this.

Question: How should the DevOps engineer configure the EventBridge rule?

Options:

A. Configure an event source of AWS Health, a service of EC2, and an event type that indicates instance maintenance. Target a Systems Manager document to restart the EC2 instance. (Most Voted)

B. Configure an event source of Systems Manager and an event type that indicates a maintenance window. Target a Systems Manager document to restart the EC2 instance.

C. Configure an event source of AWS Health, a service of EC2, and an event type that indicates instance maintenance. Target a newly created AWS Lambda function that registers an automation task to restart the EC2 instance during a maintenance window.

D. Configure an event source of EC2 and an event type that indicates instance maintenance. Target a newly created AWS Lambda function that registers an automation task to restart the EC2 instance during a maintenance window.

Community Consensus: A

Explanation: EventBridge can directly target Systems Manager Automation documents (like AWS-RestartEC2Instance). There is no need to invoke a Lambda function as an intermediary (Option C).