DOP-C02 — AWS Certified DevOps Engineer – Professional Study Guide

Your organization uses AWS CodePipeline to automate deployments across multiple AWS regions. You need to ensure that artifacts are automatically replicated to all regions before deployment stages execute. Which approach best meets this requirement?

• A Manually trigger separate pipelines in each region after the artifact is uploaded to the primary region
• B Configure S3 cross-region replication on the artifact bucket and add region-specific deployment stages in CodePipeline ✓ Correct
• C Use CodePipeline's built-in artifact replication feature to automatically sync artifacts across regions
• D Store artifacts in an S3 bucket in each region and manually copy them using the AWS CLI

You are implementing infrastructure-as-code using CloudFormation. Your template needs to conditionally create resources based on the environment parameter. However, you also need to export values from nested stacks for use in other stacks. What is the correct approach?

• A Implement all conditional logic in nested stacks and avoid using Outputs for cross-stack references
• B Use mappings to define environment-specific values and export them through the parent stack only
• C Use Conditions in the parent template and add Outputs with Export names in each nested stack ✓ Correct
• D Use Parameter constraints to prevent invalid environment values and store exports in SSM Parameter Store instead

Your application experiences unpredictable traffic spikes. You've configured Auto Scaling Group with target tracking scaling policy. However, metrics show that the group frequently scales up and down within minutes. What is the most likely cause and solution?

• A The application has memory leaks causing temporary CPU spikes; fix the application code first
• B The target utilization is too low; increase it and adjust the scale-in cooldown period to prevent rapid scaling cycles ✓ Correct
• C CloudWatch metrics are not being collected frequently enough; enable detailed monitoring on all instances
• D Target tracking requires manual adjustment of minimum and maximum capacity values daily

You need to implement automated vulnerability scanning for Docker images in your ECR repository. The scanning results must trigger automatic remediation for critical vulnerabilities. What combination of services should you use?

• A ECR image scanning with EventBridge integration to trigger Lambda functions for remediation ✓ Correct
• B GuardDuty for container vulnerability detection integrated with Systems Manager Automation
• C AWS Inspector for vulnerability assessment and SNS notifications to DevOps team
• D CodeBuild with custom scanning scripts and CodePipeline manual approval stages

Your organization requires audit logging for all API calls across AWS accounts in an organization. You need to store logs centrally and ensure they cannot be deleted or modified. Which solution is most appropriate?

• A Enable CloudTrail in all accounts, aggregate logs to a central S3 bucket with MFA Delete and Object Lock enabled ✓ Correct
• B Enable Config in all accounts to record API changes and store snapshots in a central S3 bucket
• C Configure VPC Flow Logs for all VPCs and aggregate them to CloudWatch Logs in the organization master account
• D Use CloudWatch Logs in each account and replicate to a central account using subscription filters and S3 export

You are troubleshooting a CodeDeploy deployment that fails intermittently. The error logs show 'The CodeDeploy agent did not receive a valid command document.' What should you check first?

• A Check if the application revision size exceeds 2 GB and compress the artifact
• B Ensure the deployment group region matches the CodeDeploy service region settings
• C Verify the IAM instance profile includes CodeDeploy permissions and the agent is running and healthy on instances ✓ Correct
• D Validate that the AppSpec file uses YAML format exclusively and does not contain any JSON syntax

Your Lambda functions process sensitive data and must encrypt environment variables at rest. You have created a custom KMS key but deployment keeps failing. What is the most likely issue?

• A Environment variable encryption requires enabling AWS KMS multi-region replication on the key
• B The KMS key must be in the same region as the Lambda function, and cross-region references are not supported
• C The Lambda execution role lacks kms:Decrypt permission for the KMS key used to encrypt environment variables ✓ Correct
• D Lambda environment variables can only be encrypted with AWS managed keys, not customer managed keys

You need to implement canary deployments for your ECS service without using CodeDeploy. Which approach using native ECS features is most appropriate?

• A Create two ECS services with different task definitions, use Application Load Balancer weighted target groups to gradually shift traffic ✓ Correct
• B Modify the task definition revision and use CloudFormation stack updates with a manual approval stage between versions
• C Use ECS service auto scaling to gradually increase the desired task count of the new version while decreasing the old version
• D Create separate ECS clusters for each version and use Route 53 weighted routing policies to shift traffic

Your CloudFormation template uses nested stacks with parameters. You notice that updating the parent stack sometimes fails with 'Output of nested stack does not exist'. What is the most common cause?

• A CloudFormation limits prevent more than 10 nested stacks in a single parent stack
• B Nested stack outputs are being referenced before they are created due to missing DependsOn attributes in the parent template ✓ Correct
• C The nested stack failed to create due to parameter validation errors, but the parent continued executing
• D Export names in nested stacks must match the parent stack name exactly or the reference fails

You are implementing a blue-green deployment strategy using EC2 Auto Scaling groups. The new (green) version experiences higher latency than expected during testing. What should you investigate first?

• A Verify that both Auto Scaling groups have identical security groups, subnet configurations, and that the green group has sufficient capacity ✓ Correct
• B Review CloudTrail logs to ensure the green Auto Scaling group was created in the correct AWS region
• C Check if the green instances are running an older AMI version that was not updated with the latest patches
• D Confirm the load balancer connection draining timeout is set to zero to prevent stale connections

Your organization uses AWS Systems Manager Session Manager for bastion-less access to EC2 instances. However, some users report inability to connect even with appropriate IAM permissions. What is the most likely cause?

• A Session Manager connections require enabling VPC endpoints for Systems Manager, EC2 Messages, and SSM Messages services
• B The instance does not have the SSM agent installed or running, or the instance profile lacks the AmazonSSMManagedInstanceCore policy ✓ Correct
• C Users must have explicit ec2:DescribeInstances permission in addition to Systems Manager permissions to see instances
• D Session Manager requires instances to be in public subnets with internet gateways for CloudWatch Logs integration

You need to implement cost optimization for your AWS infrastructure without reducing functionality. Which combination of tools and practices should you implement?

• A Implement AWS Budget alerts and use them to automatically terminate instances that exceed spending thresholds
• B Use CloudFormation to create all resources once and disable auto-scaling to reduce management overhead
• C Enable AWS Compute Optimizer, review recommendations for instance right-sizing, and use Reserved Instances and Savings Plans for predictable workloads ✓ Correct
• D Consolidate all workloads into a single large instance to reduce the number of running resources

Your CodePipeline includes a manual approval stage that requires several stakeholders. However, notifications are being missed and approvals are delayed. What approach best ensures timely approvals?

• A Configure multiple SNS topics for different stakeholder groups, enable escalation notifications, and use Amazon Chatbot to post approvals in Slack or Teams ✓ Correct
• B Create an SNS subscription with SMS notifications and require all stakeholders to respond via text message to approve
• C Implement a Lambda function that sends email reminders to all stakeholders every 5 minutes until approval is received
• D Add CloudWatch Events rule to pause the pipeline and require manual intervention through the AWS Management Console

You are implementing cross-account access for DevOps automation. Your automation Lambda function in Account A needs to deploy resources in Account B. What is the secure approach?

• A Create an IAM role in Account B with deployment permissions and establish a cross-account trust relationship with Account A's Lambda execution role ✓ Correct
• B Grant the Lambda execution role in Account A permissions to all services in Account B for maximum flexibility and easier troubleshooting
• C Store AWS credentials for Account B as encrypted environment variables in the Lambda function
• D Create an IAM user in Account B and store access keys in AWS Secrets Manager, retrieving them at runtime in the Lambda function

Your organization needs to ensure that all EC2 instances are patched within 30 days of patch release. What combination of services provides the best enforcement?

• A Use AWS Systems Manager Patch Manager with compliance scanning, configure maintenance windows, and use AWS Config rules to enforce compliance tracking ✓ Correct
• B Enable automatic instance recovery in Auto Scaling groups and use CodeDeploy to push patches to all instances
• C Implement EC2 Instance Refresh in Auto Scaling groups and manually trigger updates every 30 days
• D Create a scheduled Lambda function that forcibly terminates unpatched instances every 30 days

You need to implement a disaster recovery strategy with a Recovery Time Objective (RTO) of 1 hour and Recovery Point Objective (RPO) of 15 minutes. Which combination of services best meets these requirements?

• A Use AWS Backup for database backups every 15 minutes, replicate data to a standby region, and maintain a warm standby infrastructure ready for failover ✓ Correct
• B Implement S3 cross-region replication and store database snapshots in Glacier for cost optimization during normal operations
• C Configure Amazon RDS Multi-AZ with automated backups and use Route 53 health checks to trigger failover
• D Enable read replicas in the standby region and use CodeDeploy to redeploy application code from the backup region only when disaster occurs

Your CodeBuild project uses a custom Docker image stored in ECR. Builds are failing with 'image not found' errors even though the image exists. What should you verify?

• A The Docker image size is less than 1 GB and the image uses only official base images from Docker Hub
• B The CodeBuild environment is configured to use the 'standard' runtime and not 'custom' runtime with ECR images
• C The ECR image must be in the same AWS region as the CodeBuild project and the registry URL must not include the AWS account ID
• D The CodeBuild service role has ecr:GetDownloadUrlForLayer and ecr:BatchGetImage permissions, and the image URI is correctly specified in the buildspec.yml file ✓ Correct

You are designing a monitoring solution for a microservices application. You need to correlate logs, metrics, and traces across services. Which AWS service is specifically designed for this purpose?

• A AWS X-Ray for distributed tracing, CloudWatch for metrics and logs, and X-Ray console integration to correlate all three ✓ Correct
• B VPC Flow Logs combined with CloudTrail for comprehensive activity tracking across services
• C EventBridge to route logs and metrics to a central processing pipeline for correlation
• D CloudWatch Insights for querying logs and native dashboard integration with all CloudWatch metrics

Your organization deploys containerized applications using ECS Fargate. You need to implement blue-green deployments with automated rollback on deployment failure. What is the recommended approach?

• A Use the ECS native deployment controller with service auto scaling and CloudWatch alarms to monitor deployment health
• B Implement blue-green deployments using separate AWS Fargate clusters and Route 53 weighted routing policies
• C Create two ECS services and manually switch the load balancer target group between them using Lambda automation
• D Use CodeDeploy with ECS deployment controller set to 'CODE_DEPLOY' to manage traffic shifting and automatic rollback on CloudWatch alarms ✓ Correct

You need to implement secrets rotation for database passwords across multiple AWS regions. Which approach provides automated rotation with minimal application impact?

• A Use AWS Systems Manager Parameter Store with change notification and manually create Lambda functions to rotate secrets in each region
• B Store secrets in encrypted DynamoDB tables and implement a scheduled Lambda function to update them globally
• C Use CloudFormation custom resources to rotate secrets as part of stack updates triggered by EventBridge schedules
• D Use AWS Secrets Manager with automatic rotation, configure a Lambda function to update the database password, and enable cross-region replication of the secret ✓ Correct

Your application uses RDS with read replicas in multiple availability zones. You need to ensure that read queries are distributed across replicas automatically. What is the most appropriate solution?

• A Use RDS Proxy to manage connections and distribute read traffic across replicas based on connection pooling and endpoint targeting ✓ Correct
• B Use Route 53 weighted record sets pointing to each replica endpoint and update DNS weights dynamically based on CloudWatch metrics
• C Implement application-level logic to randomize read queries across replica endpoints and handle connection failures
• D Configure read-only users on the primary instance and manually update application connection strings to point to different replicas periodically

You are implementing Infrastructure as Code for a highly available application that must support multiple deployments per day. Your CloudFormation templates are becoming complex. What approach best manages this complexity?

• A Migrate entirely to Terraform as it handles complexity better than CloudFormation
• B Break templates into modular nested stacks for networking, compute, and data layers, use parameters for environment-specific values, and version templates in a git repository ✓ Correct
• C Use CloudFormation Designer visually to manage all resources in one graphical interface
• D Create a single monolithic template and use mappings to define all environment-specific configurations

Your organization requires that all data stored in S3 be encrypted at rest, but the current encryption keys are AWS managed. You need to enforce customer managed key encryption without disrupting existing applications. What is the safest approach?

• A Migrate all existing objects to new buckets with CMK encryption enabled, then delete the original buckets
• B Create a custom AWS Config rule to identify non-compliant buckets, implement S3 bucket policies requiring CMK encryption, and use AWS Backup to migrate existing objects to CMK encryption
• C Create a bucket policy that denies all PutObject requests without CMK encryption headers and notify application teams to update their code
• D Enable S3 default encryption with customer managed keys on all buckets, then use S3 Batch Operations to re-encrypt existing objects ✓ Correct

You need to implement automated testing for your Infrastructure as Code templates before deployment. Which tool combination provides comprehensive validation?

• A Use cfn-lint for syntax validation, CloudFormation change sets to preview changes, and AWS Config rules post-deployment to verify infrastructure compliance ✓ Correct
• B Implement unit tests using pytest and integration tests using Terraform test framework
• C Deploy to a development CloudFormation stack, validate manually, then promote to production using shell scripts
• D Use CloudFormation template validation API and manual code review before deployment

Your Lambda function reads from an SQS queue and processes messages. Processing is slow and SQS message visibility timeout frequently expires before processing completes. What is the best solution?

• A Switch from SQS to SNS with Lambda subscriptions to reduce message processing latency
• B Implement a secondary Lambda function that monitors message age and extends visibility timeout automatically for stuck messages
• C Increase the SQS message visibility timeout to 15 minutes and set Lambda timeout to 14 minutes to prevent conflicts
• D Implement Lambda SQS event source with batch size optimization, use ChangeMessageVisibility to extend timeout dynamically during processing, and monitor Lambda duration metrics ✓ Correct

You are implementing a CI/CD pipeline using AWS CodePipeline. Your team needs to ensure that deployments to production are only triggered after manual approval and comprehensive testing. Which combination of services best supports this requirement?

• A EventBridge with scheduled rules and Lambda for approval logic
• B CodeCommit with branch protection rules and SNS notifications
• C CodePipeline with manual approval action and CodeBuild for testing ✓ Correct
• D CodeDeploy with automatic rollback and CloudWatch alarms

Your organization uses multiple AWS accounts for different environments (dev, staging, production). You need to implement a centralized logging solution that aggregates logs from all accounts while maintaining cost efficiency and compliance. What is the recommended approach?

• A Implement Amazon CloudWatch Logs with cross-account log group subscriptions and filter patterns ✓ Correct
• B Deploy a centralized ELK stack in the primary account with VPC peering to all other accounts
• C Use Amazon S3 as the central repository with cross-account bucket policies and AWS CloudTrail for log aggregation
• D Configure CloudWatch Logs agent on each EC2 instance to send logs to a central account's CloudWatch Logs group

During a deployment, you notice that your application's response time has increased significantly. You want to automatically roll back the deployment if key performance metrics exceed predefined thresholds. Which service combination achieves this?

• A CodeDeploy with automatic rollback enabled and CloudWatch alarms for monitoring ✓ Correct
• B AWS X-Ray service map analysis with Lambda-based automatic remediation
• C CloudWatch alarms triggering CodePipeline manual approvals
• D Application Load Balancer with target group health checks and auto-scaling policies

You are designing a disaster recovery strategy for a critical application deployed across multiple AWS regions. Your RTO is 15 minutes and RPO is 5 minutes. Which approach best meets these requirements with minimal operational overhead?

• A Multi-region active-active deployment with cross-region DynamoDB global tables and Route 53 health checks ✓ Correct
• B Single region with enhanced backup frequency and EC2 instance store optimization
• C Scheduled point-in-time recovery backups stored in S3 with manual failover procedures
• D Primary region deployment with automated daily snapshots replicated to a secondary region

Your development team needs to implement infrastructure as code (IaC) for AWS resources. You need to support versioning, code review, and automated testing of infrastructure changes. Which AWS service is the primary choice for defining and managing infrastructure?

• A AWS CloudFormation with nested stacks and AWS SAM for serverless applications ✓ Correct
• B AWS AppConfig for configuration management and deployment
• C AWS OpsWorks with Chef recipes and version control integration
• D AWS Systems Manager Parameter Store with automation documents

You need to implement secrets management for database credentials used across multiple microservices. The solution must support automatic rotation, encryption at rest, and fine-grained access control. Which service is most appropriate?

• A AWS Secrets Manager with Lambda-based rotation and IAM resource-based policies ✓ Correct
• B Environment variables stored in EC2 Systems Manager documents
• C AWS Systems Manager Parameter Store with encryption using AWS KMS
• D HashiCorp Vault deployed on EC2 with custom rotation scripts

Your organization experiences unpredictable traffic patterns. You need to implement auto-scaling that responds quickly to demand spikes while minimizing costs during low-traffic periods. What is the best approach?

• A Implement predictive scaling using machine learning to forecast capacity needs ✓ Correct
• B Set up manual scaling with SNS notifications to ops team for capacity decisions
• C Use step scaling policies with multiple thresholds and scheduled scaling for predictable patterns
• D Configure target tracking scaling with a custom CloudWatch metric based on application response time

You are implementing a blue-green deployment strategy for an application running on EC2 instances. You need to minimize downtime during the switch from blue to green environment. Which service best supports this workflow?

• A Auto Scaling group termination policies with scheduled scale-down events
• B CloudFormation stack updates with manual resource replacement
• C CodeDeploy with blue-green deployment and traffic shifting using load balancer target groups ✓ Correct
• D CodeDeploy with in-place deployment and health checks

Your compliance requirements mandate that all infrastructure changes must be tracked and approved before deployment. You need to implement a solution that provides visibility into what changed, who changed it, and why. Which combination of services provides complete auditability?

• A CloudTrail for API logging, CloudFormation for infrastructure changes, and SNS for notifications
• B CloudWatch Events with EventBridge rules and manual approval gates in CodePipeline
• C AWS Config for resource compliance tracking and Systems Manager Change Calendar for approval
• D AWS CloudTrail for audit logs combined with AWS Config for resource history and CodePipeline approvals ✓ Correct

You need to monitor application performance across a distributed system with microservices deployed in containers. You require distributed tracing, service map visualization, and performance insights. Which AWS service is purpose-built for this?

• A Application Load Balancer access logs with Athena for query analysis
• B Amazon DevOps Guru for anomaly detection and recommendations
• C AWS X-Ray for distributed tracing with service maps and performance analysis ✓ Correct
• D CloudWatch Logs Insights with custom queries for performance analysis

Your application requires real-time performance monitoring with the ability to detect anomalies automatically and provide remediation recommendations. Which service combines these capabilities?

• A Amazon DevOps Guru for anomaly detection with ML-powered insights and remediation recommendations ✓ Correct
• B AWS Systems Manager OpsCenter for incident management and runbooks
• C Amazon CloudWatch with custom metrics and Lambda-based anomaly detection
• D AWS Health Dashboard with EventBridge rules for automated response

You are designing a deployment strategy for a stateless microservice that must support gradual rollout to minimize blast radius. The solution should enable quick rollback if issues are detected. Which deployment pattern is most suitable?

• A Blue-green deployment with manual traffic shifting in 25% increments
• B Shadow deployment with traffic mirroring to validate new versions
• C Rolling deployment with instance replacement and health check validation
• D Canary deployment with CloudWatch metrics validation and automatic rollback ✓ Correct

Your organization needs to ensure consistent security configurations across all AWS accounts and regions. You need to identify non-compliant resources and automatically remediate them. Which combination of services achieves this at scale?

• A Amazon Inspector for vulnerability scanning with SNS notifications
• B AWS Config with Config Rules, Systems Manager Automation, and AWS Organizations ✓ Correct
• C AWS Security Hub with custom insights and manual remediation workflows
• D IAM Access Analyzer with CloudTrail and manual remediation procedures

You need to implement a solution that maintains application state during deployments without manual intervention. Your application uses in-memory session data that must persist across instance replacements. What is the best approach?

• A Configure Amazon RDS for session storage with read replicas for high availability
• B Use EC2 instance store volumes with backup to EBS snapshots before instance termination
• C Store session data in Amazon ElastiCache and configure sticky sessions on load balancer ✓ Correct
• D Implement application-level session replication using DynamoDB with client-side caching

Your DevOps team needs to manage configuration changes across thousands of EC2 instances efficiently. You require a solution that supports version control, easy rollback, and compliance validation. Which service is most appropriate?

• A AWS Systems Manager Configuration Management with EC2 Systems Manager documents
• B AWS AppConfig with deployment strategies and validation profiles ✓ Correct
• C AWS Systems Manager Session Manager with manual configuration scripts
• D AWS OpsWorks Stacks with Chef recipes and version control integration

You are implementing automated testing in your CI/CD pipeline. Tests must run in parallel to minimize pipeline execution time, but you need to aggregate results and fail the pipeline if any test fails. What is the best CodePipeline configuration?

• A Parallel CodeBuild projects within a single stage with aggregate failure reporting ✓ Correct
• B Sequential CodeBuild projects with dependencies and failure conditions
• C Multiple CodePipeline stages with CodeBuild projects and manual approval gates
• D CodeBuild with buildspec files executing multiple test suites sequentially

Your organization requires immutable infrastructure where no manual changes are allowed after deployment. You need to ensure that configuration drift is detected immediately and non-compliant instances are replaced. Which combination of services implements this pattern?

• A EC2 Image Builder for automated AMI creation and Systems Manager Patch Manager for updates
• B AWS Config with Config Rules triggering Lambda for non-compliant resource termination
• C CodeDeploy with CodeBuild for configuration validation and auto-scaling rollback
• D CloudFormation with drift detection and Systems Manager Automation for instance termination ✓ Correct

You need to implement a cost optimization solution that analyzes resource utilization patterns and recommends rightsizing opportunities. Which AWS service provides automated recommendations with minimal configuration?

• A AWS Cost Explorer with custom cost allocation tags and manual analysis
• B AWS Compute Optimizer for ML-driven resource rightsizing recommendations ✓ Correct
• C AWS Trusted Advisor with programmatic access via AWS SDK
• D CloudWatch with custom metrics for resource utilization tracking

Your application has strict latency requirements and uses a database that must handle sudden traffic spikes. You need a caching solution that reduces database load while ensuring data consistency. Which approach is most suitable?

• A Amazon DynamoDB with global secondary indexes and on-demand pricing
• B Amazon ElastiCache with cache invalidation strategy and TTL-based expiration ✓ Correct
• C Application-level caching using Lambda@Edge with CloudFront invalidation
• D RDS read replicas with read-only connections and connection pooling

You are implementing a multi-region deployment with the requirement that database transactions must maintain ACID properties across regions. Which database solution best meets this requirement?

• A Aurora global database with read-only secondary regions and cross-region failover ✓ Correct
• B Multi-master RDS MySQL with binary log replication across regions
• C DynamoDB global tables with eventual consistency and conflict resolution
• D S3 cross-region replication with application-level transaction handling

Your DevOps team needs to troubleshoot performance issues in a containerized application running on ECS. You need to collect detailed performance metrics, application logs, and system-level events in one place. Which service combination is best?

• A CloudWatch Container Insights with X-Ray for distributed tracing and detailed monitoring ✓ Correct
• B ECS Exec with Systems Manager Session Manager for interactive debugging
• C CloudWatch Logs with custom metrics and EventBridge for event routing
• D CloudWatch Application Insights with auto-configured monitoring dashboards

You need to implement a GitOps workflow where infrastructure and application deployments are managed through Git repositories with automatic synchronization. Which service combination best supports this approach?

• A GitHub with Terraform Cloud and AWS Systems Manager automation documents
• B CodeCommit with EventBridge triggering Lambda for infrastructure reconciliation
• C CodeCommit with CodePipeline triggering CloudFormation stack updates on push events ✓ Correct
• D GitHub with CodePipeline and CodeDeploy for continuous deployment

Your organization runs critical applications that require zero-downtime deployments with instant rollback capability. You need to support complex traffic shifting patterns based on metrics. Which deployment service is most appropriate?

• A Application Load Balancer with weighted target groups and health checks
• B CloudFormation blue-green deployments with custom Lambda for traffic management
• C AWS AppConfig with linear traffic shifting and validation profiles
• D CodeDeploy with canary traffic shifting and CloudWatch alarm-based rollback ✓ Correct

You need to implement a solution that automatically patches EC2 instances according to a maintenance schedule while minimizing application downtime. Which service provides orchestrated, compliance-aware patching?

• A CloudFormation stack updates with instance replacement and DNS failover
• B AWS Systems Manager Patch Manager with maintenance windows and auto-approval rules ✓ Correct
• C EC2 Image Builder for creating pre-patched AMIs and instance refresh workflows
• D Auto Scaling group instance refresh with rolling replacement and health checks

Your application logs contain sensitive information that must be redacted before storage or analysis. You need an automated solution that identifies and masks sensitive data without manual intervention. Which approach is most scalable?

• A CloudWatch Logs with subscription filters triggering Lambda for data redaction ✓ Correct
• B Application-level logging configuration with custom serializers for sensitive data
• C AWS Glue for ETL processing and data masking before storage
• D Amazon Macie for sensitive data discovery with automatic redaction policies

You are designing a solution to provide developers with self-service AWS resources while maintaining security and compliance guardrails. Which service enables this with minimal operational overhead?

• A AWS Service Catalog with CloudFormation templates and IAM access control ✓ Correct
• B AWS Control Tower with organizational units and AWS Config rules for compliance
• C AWS Organizations with CloudFormation StackSets for multi-account deployments
• D IAM roles with custom policies and CloudTrail audit logging for tracking

Your organization operates a SaaS platform that must isolate customer data while sharing infrastructure for cost efficiency. You need a solution that prevents cross-tenant data access while optimizing resource utilization. Which architecture pattern is most appropriate?

• A Database-per-tenant pattern with shared compute resources and strict IAM policies
• B Application-level tenant isolation with encryption keys managed per customer
• C Single account with row-level security in RDS and separate S3 buckets per tenant ✓ Correct
• D Separate AWS accounts per customer with AWS Organizations for centralized management

Your organization uses AWS CodePipeline to deploy applications across multiple AWS accounts. You need to ensure that deployments to production accounts require explicit approval before proceeding. Which approach best meets this requirement while maintaining auditability?

• A Use CodeBuild to validate deployments before automatic progression
• B Implement Lambda functions to pause pipeline execution automatically
• C Configure CloudWatch Events to trigger SNS notifications for manual intervention
• D Use a manual approval action in CodePipeline with cross-account IAM role assumption ✓ Correct

You are implementing infrastructure as code using CloudFormation for a microservices architecture. During stack creation, a nested stack fails, but the parent stack continues executing. How should you prevent this scenario?

• A Configure the parent stack with OnFailure=ROLLBACK and ensure all nested stacks have explicit dependencies ✓ Correct
• B Use OnFailure=DELETE parameter during stack creation and enable rollback on all nested stacks
• C Implement a Lambda custom resource to monitor nested stack status and fail the parent stack accordingly
• D Set DisableApiTermination to true on the parent stack

Your team uses AWS Systems Manager Session Manager for secure shell access to EC2 instances without SSH keys. However, you need to ensure all session activities are logged and auditable. What is the most comprehensive logging solution?

• A Enable EC2 detailed monitoring with CloudWatch agent forwarding
• B Use VPC Flow Logs to capture all session traffic
• C Enable CloudTrail logging and configure Session Manager to log to CloudWatch Logs and S3 ✓ Correct
• D Configure security group logs and enable VPC endpoint logging

Your organization deploys containerized applications using ECS with Fargate launch type. You need to implement automated scaling based on custom application metrics. Which combination of services provides the best solution?

• A ECS service discovery with dynamic port mapping and manual scaling rules
• B Application Auto Scaling with CloudWatch custom metrics and target tracking policies ✓ Correct
• C Lambda-triggered scaling based on CloudWatch alarms and SNS notifications
• D EC2 Auto Scaling groups configured with ECS cluster capacity providers

You are designing a CI/CD pipeline using CodePipeline with CodeBuild for testing. Tests occasionally fail due to external API rate limiting. How should you handle this?

• A Create a separate test environment with mocked external APIs only for pipeline execution
• B Use CodeBuild cache to store API responses and skip external calls on retry
• C Configure CodePipeline retry settings to automatically re-run failed stages three times
• D Implement exponential backoff retry logic in the CodeBuild buildspec with conditional failure handling ✓ Correct

Your organization uses AWS Secrets Manager to store database credentials. Multiple applications need access to these secrets, but you need to enforce least-privilege access and track which application accesses which secret. What is the optimal approach?

• A Share a single IAM role across all applications with wildcard secret permissions and monitor through CloudWatch
• B Use resource-based policies on secrets and configure VPC endpoints with access logging
• C Implement Secrets Manager resource rotation with application-specific rotation lambdas
• D Create individual IAM policies for each application with specific secret ARNs and enable CloudTrail logging ✓ Correct

You are implementing blue-green deployments for a critical application using CodeDeploy. During the green environment deployment, validation tests fail. How should CodeDeploy respond?

• A Pause the deployment and require manual intervention to proceed or rollback ✓ Correct
• B Automatically terminate the green environment and keep the blue environment active through a failed lifecycle hook
• C Continue deployment while logging the failures to CloudWatch for later analysis
• D Reroute traffic back to blue and scale down green resources automatically

Your organization needs to enforce consistent security policies across multiple AWS accounts using AWS Config. Which approach best enables centralized policy management while maintaining account-level flexibility?

• A Deploy AWS Config rules in each account and aggregate findings in a centralized Config aggregator with authorization rules ✓ Correct
• B Implement Config conformance packs in each account with identical configurations
• C Use a single master Config account with cross-account API permissions for all rules
• D Configure Config to replicate rules to member accounts using EventBridge automation

You are troubleshooting a CodePipeline that fails intermittently when deploying to CloudFormation. The failure occurs during stack update operations. What should you investigate first?

• A Service role permissions, IAM capabilities, and CloudFormation template parameter requirements ✓ Correct
• B CloudFormation stack termination protection settings
• C Network connectivity between CodePipeline and CloudFormation endpoints
• D CodePipeline execution history and artifact storage in S3

Your organization implements infrastructure as code using Terraform with AWS as the primary cloud provider. You need to ensure state files are encrypted, versioned, and accessible only to authorized users. What is the most secure remote state configuration?

• A Store state in S3 with versioning and server-side encryption, with DynamoDB for state locking and restricted IAM bucket policies ✓ Correct
• B Store state in encrypted EBS volumes mounted on EC2 instances with SSH access
• C Use Terraform Cloud with free tier and local encryption of sensitive variables
• D Use AWS Systems Manager Parameter Store to store state file contents with automatic rotation