Question 1
Topic: Monitoring & Logging Scenario: A company has a mobile application that makes HTTP API calls to an Application Load Balancer (ALB), which routes requests to an AWS Lambda function. Multiple versions of the application are in use and are identified by the User-Agent header. The company observes issues and needs to gather a metric for each API operation by response code for each version of the application. A DevOps engineer has modified the Lambda function to extract the necessary information.
Question: Which additional set of actions should the DevOps engineer take to gather the required metrics?
Options:
A. Modify the Lambda function to write the API operation name, response code, and version number as a log line to an Amazon CloudWatch Logs log group. Configure a CloudWatch Logs metric filter that increments a metric for each API operation name. Specify response code and application version as dimensions for the metric.
B. Modify the Lambda function to write the API operation name, response code, and version number as a log line to an Amazon CloudWatch Logs log group. Configure a CloudWatch Logs Insights query to populate CloudWatch metrics from the log lines. Specify response code and application version as dimensions for the metric.
C. Configure the ALB access logs to write to an Amazon CloudWatch Logs log group. Modify the Lambda function to respond to the ALB with the API operation name, response code, and version number as response metadata. Configure a CloudWatch Logs metric filter that increments a metric for each API operation name. Specify response code and application version as dimensions for the metric.
D. Configure AWS X-Ray integration on the Lambda function. Modify the Lambda function to create an X-Ray subsegment with the API operation name, response code, and version number. Configure X-Ray insights to extract an aggregated metric for each API operation name and to publish the metric to Amazon CloudWatch. Specify response code and application version as dimensions for the metric.
Correct Answer: A Community Vote: A (90%)
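The mechanics behind Option A, as an added example that is not part of the original question set: the Lambda function writes one JSON log line per request, and a single CloudWatch Logs metric filter turns those lines into a metric with ResponseCode and Version dimensions (metric filters allow up to three dimensions, so the operation name can be a dimension too). The User-Agent format `ShopApp/x.y.z`, the log group name and the metric namespace are assumptions; `aggregate` replays locally what the filter does so the resulting dimension tuples can be checked before paying for them.

```python
"""Added example (not from the page): structured Lambda log line plus the
CloudWatch Logs metric filter that turns it into a per-operation metric with
ResponseCode and Version dimensions. User-Agent format, log group and
namespace are assumptions."""
import json
import re
from collections import Counter

# Assumed User-Agent format, e.g. "ShopApp/3.2.1 (iOS 17)"; the version is group 1.
UA_VERSION = re.compile(r"ShopApp/(\d+\.\d+\.\d+)")
LOG_GROUP = "/aws/lambda/shop-api"   # assumption
METRIC_NAMESPACE = "ShopApp/API"     # assumption


def app_version(user_agent: str) -> str:
    """Extract the app version from the User-Agent; unknown clients get 'unknown'."""
    m = UA_VERSION.search(user_agent or "")
    return m.group(1) if m else "unknown"


def log_line(operation: str, status_code: int, user_agent: str) -> str:
    """One compact JSON line per request; JSON lets the filter address fields by name."""
    return json.dumps({
        "operation": operation,
        "statusCode": status_code,
        "version": app_version(user_agent),
    }, separators=(",", ":"))


def metric_filter_params() -> dict:
    """Keyword arguments for boto3's logs.put_metric_filter(**metric_filter_params()).

    Every distinct (Operation, ResponseCode, Version) tuple becomes its own custom
    metric, so keep the extracted fields bounded (the version regex above does that).
    """
    return {
        "logGroupName": LOG_GROUP,
        "filterName": "api-calls-by-operation",
        # Match only lines that carry all three fields.
        "filterPattern": "{ ($.operation EXISTS) && ($.statusCode EXISTS) && ($.version EXISTS) }",
        "metricTransformations": [{
            "metricName": "ApiCalls",
            "metricNamespace": METRIC_NAMESPACE,
            "metricValue": "1",
            "defaultValue": 0,
            "dimensions": {
                "Operation": "$.operation",
                "ResponseCode": "$.statusCode",
                "Version": "$.version",
            },
        }],
    }


def aggregate(lines):
    """Replay the filter locally: count 1 per matching line per dimension tuple."""
    counts = Counter()
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # plain-text lines (START/END/REPORT) do not match the pattern
        if not all(k in rec for k in ("operation", "statusCode", "version")):
            continue
        counts[(rec["operation"], str(rec["statusCode"]), rec["version"])] += 1
    return counts


# Constructed sample of what the log group would contain.
SAMPLE_LINES = [
    log_line("GetOrder", 200, "ShopApp/3.2.1 (iOS 17)"),
    log_line("GetOrder", 500, "ShopApp/3.2.1 (iOS 17)"),
    log_line("GetOrder", 200, "ShopApp/3.2.1 (Android 14)"),
    "START RequestId: 1c2d3e4f Version: $LATEST",
    log_line("PlaceOrder", 200, "ShopApp/3.3.0 (iOS 17)"),
]
```

Options B and D fail for a structural reason: CloudWatch Logs Insights queries and X-Ray insights report on data after the fact; neither publishes a custom metric, so there is nothing to alarm on or graph per dimension without extra code.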
Question 2
Topic: Serverless Optimization Scenario: An application uses an Amazon API Gateway REST API that invokes an AWS Lambda function. On initialization, the function loads a large amount of data from a DynamoDB table (with DAX), causing cold-start times of 8-10 seconds. The application has variable traffic patterns: thousands of requests daily, 10x traffic midday, and 10% traffic near the end of the day. A DevOps engineer needs to reduce the latency of the Lambda function at all times.
Question: Which solution will meet these requirements?
Options:
A. Configure provisioned concurrency on the Lambda function with a concurrency value of 1. Delete the DAX cluster for the DynamoDB table.
B. Configure reserved concurrency on the Lambda function with a concurrency value of 0.
C. Configure provisioned concurrency on the Lambda function. Configure AWS Application Auto Scaling on the Lambda function with provisioned concurrency values set to a minimum of 1 and a maximum of 100.
D. Configure reserved concurrency on the Lambda function. Configure AWS Application Auto Scaling on the API Gateway API with a reserved concurrency maximum value of 100.
Correct Answer: C Community Vote: C (100%)
Question 3
Topic: Deployment Automation Scenario: A company is adopting AWS CodeDeploy for a Java-Apache Tomcat application. The team wants to change the log level configuration dynamically during deployment based on the deployment group (e.g., developer, staging, production) without creating different application revisions for each group.
Question: How can these requirements be met with the LEAST management overhead and without requiring different script versions for each deployment group?
Options:
A. Tag the Amazon EC2 instances depending on the deployment group. Place a script in the revision that calls the metadata service and EC2 API to identify the group and configure settings. Reference this script in the AfterInstall hook.
B. Create a script that uses the CodeDeploy environment variable DEPLOYMENT_GROUP_NAME to identify the group and configure settings. Reference this script in the BeforeInstall hook in appspec.yml.
C. Create a CodeDeploy custom environment variable for each environment. Place a script in the revision that checks this variable. Reference this script in the ValidateService hook.
D. Create a script that uses the CodeDeploy environment variable DEPLOYMENT_GROUP_ID to identify the group. Reference this script in the Install hook.
Correct Answer: B Community Vote: B (73%)
Question 4
Topic: Configuration Management Scenario: A company requires developers to tag all Amazon EBS volumes with Backup_Frequency (values: none, daily, weekly). An audit finds inconsistent tagging. A DevOps engineer needs to ensure all EBS volumes always have the tag so backups occur at least weekly unless specified otherwise.
Question: Which solution will meet these requirements?
Options:
A. Set up AWS Config in the account. Create a custom rule that returns a compliance failure for all Amazon EC2 resources that do not have a Backup_Frequency tag applied. Configure a remediation action that uses a custom AWS Systems Manager Automation runbook to apply the Backup_Frequency tag with a value of weekly.
B. Set up AWS Config in the account. Use a managed rule that returns a compliance failure for EC2::Volume resources that do not have a Backup_Frequency tag applied. Configure a remediation action that uses a custom AWS Systems Manager Automation runbook to apply the Backup_Frequency tag with a value of weekly.
Note: Community comments suggest Option B is the correct answer, utilizing a managed rule rather than a custom one (the managed rule is required-tags, scoped to the AWS::EC2::Volume resource type, which covers existing volumes as well as new ones; the EventBridge options only catch volumes created after the rule exists).
C. Turn on AWS CloudTrail in the account. Create an Amazon EventBridge rule that reacts to EBS CreateVolume events. Configure a custom AWS Systems Manager Automation runbook to apply the Backup_Frequency tag with a value of weekly. Specify the runbook as the target of the rule.
D. Turn on AWS CloudTrail in the account. Create an Amazon EventBridge rule that reacts to EBS CreateVolume events or EBS ModifyVolume events. Configure a custom AWS Systems Manager Automation runbook to apply the Backup_Frequency tag with a value of weekly. Specify the runbook as the target of the rule.
Correct Answer: B
Question 5
Topic: Database High Availability Scenario: An application uses an Amazon Aurora cluster with a single DB instance. An update is scheduled for a maintenance window. The cluster must remain available with the least possible interruption.
Question: What should a DevOps engineer do to meet these requirements?
Options:
A. Add a reader instance to the Aurora cluster. Update the application to use the Aurora cluster endpoint for write operations. Update the Aurora cluster's reader endpoint for reads.
B. Add a reader instance to the Aurora cluster. Create a custom ANY endpoint for the cluster. Update the application to use the Aurora cluster's custom ANY endpoint for read and write operations.
C. Turn on the Multi-AZ option on the Aurora cluster. Update the application to... (text cuts off)
Note: Community comments heavily favor Option C (or an option describing enabling Multi-AZ/adding a reader for failover). Aurora has no standalone Multi-AZ switch: a cluster becomes Multi-AZ by adding a reader instance in a second Availability Zone, and that reader is what gives the cluster a failover target while the writer is updated.
Question 6
Topic: Security & AMIs Scenario: A company must encrypt all AMIs shared across accounts. An unencrypted custom AMI exists in a source account with an AWS KMS key. The AMI must be shared with a target account where an EC2 Auto Scaling group will launch instances.
Question: Which additional steps should the DevOps engineer perform to meet the requirements? (Choose three.)
Options:
A. In the source account, copy the unencrypted AMI to an encrypted AMI. Specify the KMS key in the copy action.
B. In the source account, copy the unencrypted AMI to an encrypted AMI. Specify the default Amazon EBS encryption key in the copy action.
C. In the source account, create a KMS grant that delegates permissions to the Auto Scaling group service-linked role in the target account... (text cuts off)
Note: The provided text for Question 6 options cuts off. Community discussion suggests the answer is A, D, F.
Question 7
Topic: CI/CD Migration Scenario: A company uses AWS CodePipeline (Build, Test, Deploy) and wants to switch to AWS CodeDeploy for the deployment stage. The application is an RPM package deployed to a fleet of EC2 instances in an Auto Scaling group launched from a common AMI.
Question: Which combination of steps should a DevOps engineer perform to meet these requirements? (Choose two.)
Options:
A. Create a new version of the common AMI with the CodeDeploy agent installed. Update the IAM role of the EC2 instances to allow access to CodeDeploy.
B. Create a new version of the common AMI with the CodeDeploy agent installed. Create an AppSpec file that contains application deployment scripts and grants acce... (text cuts off)
Note: Community discussion suggests the answer is A and D.
Question 8
Topic: Security & Compliance Scenario: A security team requires all external Application Load Balancers (ALBs) and API Gateway APIs to be associated with AWS WAF web ACLs. The company has hundreds of accounts in AWS Organizations and uses AWS Config. An audit found violations.
Question: Which combination of steps should a DevOps engineer take to prevent future violations? (Choose two.)
Options:
A. Delegate AWS Firewall Manager to a security account.
B. Delegate Amazon GuardDuty to a security account.
C. Create an AWS Firewall Manager policy to attach AWS WAF web ACLs to any newly created ALBs and API Gateway APIs.
D. Create an Amazon GuardDuty policy to attach AWS WAF web ACLs to any newly created ALBs and API Gateway APIs.
E. Configure an AWS Config managed rule to attach AWS WAF web... (text cuts off)
Community Vote: A, C (Most Voted)
Question 9
Topic: Security & Key Management Scenario: A company uses AWS KMS keys and manual key rotation. The security team wants to be notified when any keys have not been rotated after 90 days.
Question: Which solution will accomplish this?
Options:
A. Configure AWS KMS to publish to an Amazon SNS topic when keys are more than 90 days old.
B. Configure an Amazon EventBridge event to launch an AWS Lambda function to call the AWS Trusted Advisor API and publish to an Amazon SNS topic.
C. Develop an AWS Config custom rule that publishes to an Amazon SNS topic when keys are more than 90 days old.
D. Configure AWS Security Hub to publish to an Amazon SNS topic when keys are more than 90 days old.
Correct Answer: C
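The evaluation logic such a Config custom rule would need, as an added example that is not part of the original question set. With manual rotation, "rotating" a key means creating a new key and repointing the alias at it, and KMS records nothing about that, so the check is the creation date of the key each alias currently targets; keys with automatic rotation enabled, disabled keys and AWS managed keys are left out. The alias names, key ids and dates are constructed sample data; the `lambda_handler` sketch uses the real boto3 calls (`list_aliases`, `describe_key`, `get_key_rotation_status`, `put_evaluations`) and is not exercised offline.

```python
"""Added example (not from the page): evaluation logic for an AWS Config custom
rule that reports manually rotated KMS keys older than 90 days. Sample data
below is constructed; alias names and key ids are assumptions."""
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=90)


def key_age_compliance(creation_date, now, max_age=MAX_AGE):
    """COMPLIANT while the key is at most max_age old, NON_COMPLIANT afterwards."""
    return "COMPLIANT" if now - creation_date <= max_age else "NON_COMPLIANT"


def in_scope(alias, keys):
    """Only enabled, customer-managed keys without automatic rotation are checked."""
    key_id = alias.get("TargetKeyId")
    if key_id is None or alias["AliasName"].startswith("alias/aws/"):
        return False  # unbound alias, or an AWS managed key that KMS rotates itself
    meta = keys[key_id]
    return (meta.get("KeyManager") == "CUSTOMER"
            and meta.get("KeyState") == "Enabled"
            and not meta.get("RotationEnabled"))


def evaluate(aliases, keys, now, max_age=MAX_AGE):
    """Map alias name -> (compliance, key id) for every in-scope alias.

    `aliases` has the shape of kms.list_aliases()['Aliases']; `keys` maps a key id to
    kms.describe_key()['KeyMetadata'] with the KeyRotationEnabled flag from
    kms.get_key_rotation_status() merged in under 'RotationEnabled'.
    """
    result = {}
    for alias in aliases:
        if in_scope(alias, keys):
            key_id = alias["TargetKeyId"]
            status = key_age_compliance(keys[key_id]["CreationDate"], now, max_age)
            result[alias["AliasName"]] = (status, key_id)
    return result


def put_evaluations_payload(result, now):
    """Evaluations list for config.put_evaluations(); the resource id is the key id."""
    return [{
        "ComplianceResourceType": "AWS::KMS::Key",
        "ComplianceResourceId": key_id,
        "ComplianceType": status,
        "Annotation": f"{name} is the current alias target",
        "OrderingTimestamp": now,
    } for name, (status, key_id) in result.items()]


# Constructed sample: one stale key, one fresh key, one auto-rotated key, one
# disabled key, and an AWS managed key that must be ignored.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_ALIASES = [
    {"AliasName": "alias/payments", "TargetKeyId": "key-old"},
    {"AliasName": "alias/orders", "TargetKeyId": "key-new"},
    {"AliasName": "alias/legacy", "TargetKeyId": "key-auto"},
    {"AliasName": "alias/archive", "TargetKeyId": "key-off"},
    {"AliasName": "alias/aws/s3", "TargetKeyId": "key-aws"},
]
SAMPLE_KEYS = {
    "key-old": {"KeyManager": "CUSTOMER", "KeyState": "Enabled", "RotationEnabled": False,
                "CreationDate": SAMPLE_NOW - timedelta(days=120)},
    "key-new": {"KeyManager": "CUSTOMER", "KeyState": "Enabled", "RotationEnabled": False,
                "CreationDate": SAMPLE_NOW - timedelta(days=10)},
    "key-auto": {"KeyManager": "CUSTOMER", "KeyState": "Enabled", "RotationEnabled": True,
                 "CreationDate": SAMPLE_NOW - timedelta(days=400)},
    "key-off": {"KeyManager": "CUSTOMER", "KeyState": "Disabled", "RotationEnabled": False,
                "CreationDate": SAMPLE_NOW - timedelta(days=400)},
    "key-aws": {"KeyManager": "AWS", "KeyState": "Enabled", "RotationEnabled": True,
                "CreationDate": SAMPLE_NOW - timedelta(days=400)},
}


def lambda_handler(event, context):
    """Entry point for a periodic Config rule: gather live data, then report."""
    import boto3  # imported here so the module runs offline without boto3
    kms, config = boto3.client("kms"), boto3.client("config")
    aliases = [a for page in kms.get_paginator("list_aliases").paginate()
               for a in page["Aliases"]]
    keys = {}
    for alias in aliases:
        key_id = alias.get("TargetKeyId")
        if key_id and key_id not in keys and not alias["AliasName"].startswith("alias/aws/"):
            meta = kms.describe_key(KeyId=key_id)["KeyMetadata"]
            meta["RotationEnabled"] = kms.get_key_rotation_status(KeyId=key_id)["KeyRotationEnabled"]
            keys[key_id] = meta
    now = datetime.now(timezone.utc)
    config.put_evaluations(
        Evaluations=put_evaluations_payload(evaluate(aliases, keys, now), now),
        ResultToken=event["resultToken"])
```

The rule itself does not publish to SNS: Config emits a compliance-change event, and an EventBridge rule on that event with the SNS topic as target delivers the notification. The Lambda execution role needs `kms:ListAliases`, `kms:DescribeKey`, `kms:GetKeyRotationStatus` and `config:PutEvaluations`.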
Question 10
Topic: Security & CI/CD Scenario: A security review identified that an AWS CodeBuild project is downloading a database population script from an Amazon S3 bucket using an unauthenticated request. The security team prohibits unauthenticated requests.
Question: How can this issue be corrected in the MOST secure manner?
Options:
A. Add the bucket name to the AllowedBuckets section of the CodeBuild project settings. Update the build spec to use the AWS CLI to download the script.
B. Modify the S3 bucket settings to enable HTTPS basic authentication and specify a token. Update the build spec to use cURL to pass the token.
C. Remove unauthenticated access from the S3 bucket with a bucket policy. Modify the service role for the CodeBuild project to include Amazon S3 access. Use the AWS CLI to download the script.
D. Remove unauthenticated access from the S3 bucket with a bucket policy. Use the AWS CLI... (text cuts off)
Note: Community discussion favors Option C.
Question 11
Topic: IAM Identity Center (SSO) & ABAC Scenario: An ecommerce company is building an AWS Control Tower landing zone. They use AWS IAM Identity Center with an external IdP (SAML 2.0). The DevOps team needs a permission model that follows the principle of least privilege, allowing the team to build and manage only their own resources. Question: Which combination of steps will meet these requirements? (Choose three.)
Options:
A. Create IAM policies that include the required permissions. Include the aws:PrincipalTag condition key.
B. Create permission sets. Attach an inline policy that includes the required permissions and uses the aws:PrincipalTag condition key to scope the permissions.
C. Create a group in the IdP. Place users in the group. Assign the group to accounts and the permission sets in IAM Identity Center.
D. Create a group... (Text cuts off).
E/F. (Options E and F are not fully visible in the source text, but community discussion references them).
Community Consensus: B, C, F
Explanation: The solution involves using Attribute-Based Access Control (ABAC). You create groups in the IdP (Option C), enable attributes for access control (Option F - inferred from comments), and use Permission Sets with policies leveraging aws:PrincipalTag (Option B).
Question 12
Topic: Serverless Performance Tuning Scenario: An ecommerce company has delays in order history reflecting processing status. The system uses a Lambda function (reserved concurrency) processing messages from SQS and inserting them into a DynamoDB table (auto scaling enabled). Question: Which actions should a DevOps engineer take to resolve this delay? (Choose two.)
Options:
A. Check the ApproximateAgeOfOldestMessage metric for the SQS queue. Increase the Lambda function concurrency limit.
B. Check ApproximateAgeOfOldestMessage... Configure a redrive policy.
C. Check NumberOfMessagesSent... Increase SQS visibility timeout.
D. Check the WriteThrottleEvents metric for the DynamoDB table. Increase the maximum write capacity.
Community Consensus: A and D
Explanation: High ApproximateAgeOfOldestMessage indicates messages are backing up, suggesting a need for more processing power (Lambda concurrency). WriteThrottleEvents indicates the database cannot handle the write throughput, requiring higher write capacity limits.
Question 13
Topic: Security & Compliance (EC2) Scenario: A security policy requires all EC2 instances to have an IAM instance profile attached. If one is missing, it must use a default profile with no permissions. A DevOps engineer needs to ensure this is applied to all existing and future instances. Question: Which solution will ensure that an instance profile is attached to all existing and future EC2 instances?
Options:
A. Configure an Amazon EventBridge rule that reacts to EC2 RunInstances API calls...
B. (Implied from comments) Use AWS Config with a managed rule (ec2-instance-profile-attached) and an automatic remediation action using SSM Automation.
C. (Implied from comments) Related to Inspector or stopping instances.
D. (Implied from comments) Using Lambda for remediation.
Community Consensus: B
Explanation: AWS Config is the standard tool for compliance monitoring and remediation. The managed rule checks for the profile, and SSM Automation handles the fix for both new and existing resources.
Question 14
Topic: Serverless Deployment (Canary) Scenario: A DevOps engineer is building a continuous deployment pipeline for a serverless application (Lambda). The goal is to reduce customer impact during unsuccessful deployments and monitor for issues. Question: Which deploy stage configuration will meet these requirements?
Options:
A. Use an AWS Serverless Application Model (AWS SAM) template. Use AWS CodeDeploy to deploy with the Canary10Percent15Minutes preference. Use CloudWatch alarms to monitor health.
B. Use AWS CloudFormation to publish a new stack update... Set up a CodePipeline approval action.
C. Use AWS CloudFormation to publish a new version... Use RoutingConfig...
D. (Not fully visible).
Community Consensus: A
Explanation: AWS SAM and CodeDeploy natively support gradual traffic shifting (Canary deployments) for Lambda, which minimizes impact and supports automatic rollback via CloudWatch alarms.
Question 15
Topic: Networking & Security Scenario: An EC2 instance launched in a public subnet installs application artifacts via a user data script. A security change now requires the instance to run with no internet access. The application fails to install under the new restriction. Question: Which of the following should successfully install the application while complying with the new rule?
Options:
A. Launch in a public subnet with Elastic IP, then disassociate later.
B. Set up a NAT gateway. Deploy to a private subnet.
C. Publish application artifacts to an Amazon S3 bucket... (implied: use a VPC Gateway Endpoint for S3).
Community Consensus: C
Explanation: Options A and B provide internet access, violating the requirement. Option C lets the instance retrieve artifacts from S3 through a gateway VPC endpoint, which is a route-table entry rather than an internet path; the bucket policy can additionally be restricted to that endpoint with the aws:SourceVpce condition key, and the instance role needs s3:GetObject on the artifact prefix.
Question 16
Topic: CI/CD Troubleshooting (CodePipeline) Scenario: A team uses CodeCommit and CodePipeline. The pipeline is triggered by a remote main branch. A developer pushed code, but the pipeline did not trigger after 10 minutes. Question: Which action should be taken to troubleshoot this?
Options:
A. Check that an Amazon EventBridge rule has been created for the main branch to trigger the pipeline.
B. Check that the CodePipeline service role has permission to access the CodeCommit repository.
C. Check that the developer’s IAM role has permission to push to the CodeCommit repository.
D. Check for CodeCommit errors in CloudWatch Logs.
Correct Answer: A Community Consensus: A
Explanation: CodePipeline relies on Amazon EventBridge rules to detect changes in CodeCommit repositories and trigger the pipeline (change detection via events, not polling). If the rule is missing or misconfigured, or the rule's IAM role lacks codepipeline:StartPipelineExecution, the pipeline will not start.
Question 17
Topic: Security Automation (EventBridge) Scenario: Developers use EC2 instances as workstations. The security team wants to be notified in near real-time if a security group is modified to allow unrestricted inbound access (0.0.0.0/0) and automatically remove the rule. Question: What should the DevOps engineer do next to meet the requirements?
Options:
A. Configure Lambda to be invoked by SNS... Create CloudTrail subscription.
B. Create an Amazon EventBridge scheduled rule...
C. (Implied from comments) Create an EventBridge rule matching specific API calls (e.g., AuthorizeSecurityGroupIngress) to trigger the Lambda function.
Community Consensus: C
Explanation: EventBridge can react to CloudTrail API events in real-time. A scheduled rule (Option B) is not real-time. SNS (Option A) is typically a destination for notifications, not the trigger logic source.
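The rule and the function behind Option C, as an added example that is not part of the original question set: the EventBridge pattern matches the CloudTrail record for AuthorizeSecurityGroupIngress, and the function pulls every any-source range (0.0.0.0/0 or ::/0) out of the call's requestParameters and revokes exactly those ranges, leaving narrower ranges on the same rule intact. The sample event is constructed in the shape CloudTrail delivers to EventBridge; the security group id, the `ALERT_TOPIC_ARN` environment variable and `RecordingEC2` (a stand-in for the boto3 client so the logic can run offline) are assumptions.

```python
"""Added example (not from the page): EventBridge pattern plus Lambda logic that
revokes security group ingress open to 0.0.0.0/0 or ::/0 when CloudTrail records
AuthorizeSecurityGroupIngress. Sample event and names are constructed."""

# Event pattern for the EventBridge rule; CloudTrail management events must be on.
EVENT_PATTERN = {
    "source": ["aws.ec2"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["ec2.amazonaws.com"],
        "eventName": ["AuthorizeSecurityGroupIngress"],
    },
}

OPEN_CIDRS = {"0.0.0.0/0", "::/0"}


def open_permissions(detail: dict) -> list:
    """Return IpPermissions (revoke_security_group_ingress shape) holding only the
    any-source ranges from the call, so other ranges on the same rule survive."""
    params = detail.get("requestParameters") or {}
    offending = []
    for perm in params.get("ipPermissions", {}).get("items", []):
        v4 = [r for r in perm.get("ipRanges", {}).get("items", []) if r.get("cidrIp") in OPEN_CIDRS]
        v6 = [r for r in perm.get("ipv6Ranges", {}).get("items", []) if r.get("cidrIpv6") in OPEN_CIDRS]
        if not (v4 or v6):
            continue
        entry = {"IpProtocol": perm["ipProtocol"]}
        if perm["ipProtocol"] != "-1":  # -1 means all protocols and carries no ports
            entry["FromPort"] = int(perm["fromPort"])
            entry["ToPort"] = int(perm["toPort"])
        if v4:
            entry["IpRanges"] = [{"CidrIp": r["cidrIp"]} for r in v4]
        if v6:
            entry["Ipv6Ranges"] = [{"CidrIpv6": r["cidrIpv6"]} for r in v6]
        offending.append(entry)
    return offending


def remediate(event: dict, ec2) -> dict:
    """Revoke the offending ranges; a failed API call (errorCode set) added nothing."""
    detail = event["detail"]
    if detail.get("errorCode"):
        return {"groupId": None, "revoked": []}
    group_id = detail["requestParameters"]["groupId"]
    perms = open_permissions(detail)
    if perms:
        ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=perms)
    return {"groupId": group_id, "revoked": perms}


class RecordingEC2:
    """Stand-in for the boto3 EC2 client for dry runs: records calls, revokes nothing."""
    def __init__(self):
        self.calls = []

    def revoke_security_group_ingress(self, **kwargs):
        self.calls.append(kwargs)
        return {"Return": True}


def lambda_handler(event, context):
    import boto3, json, os  # imported here so the module runs offline without boto3
    result = remediate(event, boto3.client("ec2"))
    if result["revoked"]:
        boto3.client("sns").publish(TopicArn=os.environ["ALERT_TOPIC_ARN"],
                                    Subject="Open ingress rule removed",
                                    Message=json.dumps(result))
    return result


# Constructed CloudTrail-via-EventBridge event: SSH open to the world plus an
# internal range, HTTPS open to all IPv6, and a clean DNS rule.
SAMPLE_EVENT = {
    "source": "aws.ec2",
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "requestParameters": {
            "groupId": "sg-0123456789abcdef0",
            "ipPermissions": {"items": [
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}, {"cidrIp": "10.0.0.0/8"}]},
                 "ipv6Ranges": {"items": []}},
                {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                 "ipRanges": {"items": [{"cidrIp": "203.0.113.0/24"}]},
                 "ipv6Ranges": {"items": [{"cidrIpv6": "::/0"}]}},
                {"ipProtocol": "udp", "fromPort": 53, "toPort": 53,
                 "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]},
                 "ipv6Ranges": {"items": []}},
            ]},
        },
    },
}
```

The execution role needs `ec2:RevokeSecurityGroupIngress` and `sns:Publish`. CloudTrail delivery to EventBridge is near real time rather than instantaneous, and a principal allowed to call AuthorizeSecurityGroupIngress can simply re-add the rule, so this is a detective control; pair it with an SCP or IAM condition that blocks the call in the first place where that is acceptable.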
Question 18
Topic: Networking (IPv6) Scenario: A web service runs on EC2 in a private subnet behind an ALB. The engineer must ensure the service accepts requests from clients with IPv6 addresses. Question: What should the DevOps engineer do with the CloudFormation template?
Options:
A. Add IPv6 CIDR to VPC/subnet, update route tables, assign IPv6 to EC2.
B. Assign IPv6 Elastic IPs to EC2...
C. Replace ALB with NLB...
D. (Implied from comments) Add IPv6 CIDR to VPC/subnets for the ALB. Create a listener on port 443 and specify dualstack IP address type on the ALB.
Community Consensus: D
Explanation: The ALB must be configured with the "dualstack" IP address type to accept both IPv4 and IPv6 clients, and its subnets need IPv6 CIDRs. The ALB terminates the client connection and forwards to its targets over the target group's address type (IPv4 by default), so the EC2 instances in the private subnet do not need IPv6 addresses.
Question 19
Topic: Account Management (Control Tower/AFT) Scenario: A company uses Control Tower and Account Factory for Terraform (AFT). New accounts are provisioned with Basic Support, but they need Enterprise Support. Question: Which solution will meet these requirements?
Options:
A. Use AWS Config conformance pack...
B. Create a Lambda function to create a ticket...
C. Add an additional value to control_tower_parameters...
D. (Implied from comments) Set the aft_feature_enterprise_support feature flag to True in the AFT deployment configuration.
Community Consensus: D
Explanation: AFT has a specific feature flag (aft_feature_enterprise_support) that can be enabled to provision accounts with Enterprise Support automatically.
Question 20
Topic: Systems Manager & EventBridge Scenario: EC2 instances need a restart after AWS Health notifications. The engineer creates an EventBridge rule to automate this. Question: How should the DevOps engineer configure the EventBridge rule?
Options:
A. Configure event source AWS Health, service EC2... Target a Systems Manager document to restart the EC2 instance.
B. Configure event source Systems Manager...
C. Configure event source AWS Health... Target a newly created AWS Lambda function...
Community Consensus: A
Explanation: EventBridge can directly target Systems Manager Automation documents (like AWS-RestartEC2Instance). There is no need to invoke a Lambda function as an intermediary (Option C).