EMT Practice Test

1. Question Content...


Question List

Question1: When an Auto Scaling group is running in Amazon Elastic Compute Cloud (EC2), your application rapidly scales up and down in response to load within a 10-minute window; however, after the load peaks, you begin to see problems in your configuration management system where previously terminated Amazon EC2 resources are still showing as active.
What would be a reliable and efficient way to handle the cleanup of Amazon EC2 resources within your configuration management system?
Choose 2 answers

Question2: A DevOps Engineer manages a web application that runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances run in an EC2 Auto Scaling group across multiple Availability Zones. The Engineer needs to implement a deployment strategy that:
- Launches a second fleet of instances with the same capacity as the
original fleet.
- Maintains the original fleet unchanged while the second fleet is
launched.
- Transitions traffic to the second fleet when the second fleet is
fully deployed.
- Terminates the original fleet automatically 1 hour after transition.
Which solution will satisfy these requirements?

Question3: A DevOps engineer is tasked with migrating Docker containers used for a workload to AWS. The solution must allow for changes to be deployed into development and test environments automatically by updating each container and checking it into a container registry. Once the containers are pushed, they must be deployed automatically.
Which solution will meet these requirements?

Question4: Which Auto Scaling process would be helpful when testing new instances before sending traffic to them, while still keeping them in your Auto Scaling Group?

Question5: A company's legacy application uses IAM user credentials to access resources in the company's AWS Organizations organization. A DevOps engineer needs to ensure new IAM users cannot be created unless the employee creating the IAM user is on an exception list.
Which solution will meet these requirements?

Question6: A company has a legacy application running on AWS. The application can only run on one Amazon EC2 instance at a time. Application metadata is stored in Amazon S3 and must be retrieved if the instance is restarted. The instance should be automatically restarted or relaunched if performance degrades.
Which solution will satisfy these requirements?

Question7: A user is defining a policy for the IAM user. Which of the below mentioned elements can be found in an IAM policy?

Question8: A DevOps Engineer has a single Amazon Dynamo DB table that received shipping orders and tracks inventory. The Engineer has three AWS Lambda functions reading from a DymamoDB stream on that table. The Lambda functions perform various functions such as doing an item count, moving items to Amazon Kinesis Data Firehose, monitoring inventory levels, and creating vendor orders when parts are low.
While reviewing logs, the Engineer notices the Lambda functions occasionally fail under increased load, receiving a stream throttling error.
Which is the MOST cost-effective solution that requires the LEAST amount of operational management?

Question9: The Deployment team has grown substantially in recent months and so has the number of projects that use separate code repositories. The current process involves configuring AWS CodePipeline manually, and there have been service limit alerts for the count of Amazon S3 buckets. Which pipeline option will reduce S3 bucket sprawl alerts?

Question10: What does it mean if you have zero IOPS and a non-empty I/O queue for all EBS volumes attached to a running EC2 instance?

Question11: A security review has identified that an AWS CodeBuild project is downloading a database population script from an Amazon S3 bucket using an unauthenticated request. The Security team does not allow unauthenticated requests to S3 buckets for this project.
How can this issue be corrected in the MOST secure manner?

Question12: You are running a Docker daemon on a Linux host and it becomes unresponsive. Which signal, when sent to a Docker process with the kill command, forces the full stack trace to be logged for debugging purposes?

Question13: A company plans to stop using Amazon EC2 key pairs for SSH access, and instead plans to use AWS Systems Manager Session Manager. To further enhance security, access to Session Manager must take place over a private network only.
Which combinations of actions will accomplish this? (Choose two.)

Question14: Your company wants to understand where cost is coming from in the company's production AWS account. There are a number of applications and services running at any given time. Without expending too much initial development time, how best can you give the business a good understanding of which applications cost the most per month to operate?

Question15: You have an Auto Sealing group of Instances that processes messages from an Amazon Simple Queue Service (SQS) queue.
The group scales on the size of the queue. Processing Involves calling a third-party web service.
The web service is complaining about the number of failed and repeated calls it is receiving from you.
You have noticed that when the group scales in, instances are being terminated while they are processing.
What cost-effective solution can you use to reduce the number of incomplete process attempts?

Question16: When thinking of AWS Elastic Beanstalk, which statement is true?

Question17: Which status represents a failure state in AWS CloudFormation?

Question18: A DevOps Engineer is researching the least-expensive way to implement an image batch processing cluster in AWS. The application cannot run in Docker containers and must run on Amazon EC2. The batch job stores checkpoint data on a Network File System (NFS) and can tolerate interruptions. Configuring the cluster software from a bare EC2 Amazon Linux image takes 30 minutes.
Which is the MOST cost-effective solution?

Question19: You manage a three-tier web application consisting of an autoscaled web proxy tier, an autoscaled application tier, and an Amazon RDS database tier.
You use a load balancer to distribute requests from end users to the web proxy tier and another, internal load balancer to distribute requests between the web tier and the application tier.
After deploying a small database schema update, you notice that all of your web and application instances have been terminated.
What may have caused this?

Question20: Your CTO has asked you to make sure that you know what all users of your AWS account are doing to change resources at all times. She wants a report of who is doing what over time, reported to her once per week, for as broad a resource type group as possible. How should you do this?

Question21: A company's security team discovers that IAM access keys were potentially exposed. The DevOps team wants to implement a solution that will automatically disable any keys that are suspected of being compromised. The solution also must provide a notification to the security team.
Which solution will accomplish this?

Question22: A company has multiple development groups working in a single shared AWS account. The Senior Manager of the groups wants to be alerted via a third-party API call when the creation of resources approaches the service limits for the account.
Which solution will accomplish this with the LEAST amount of development effort?

Question23: What is the purpose of a Docker swarm worker node?

Question24: A company has containerized all of its in-house quality control applications. The company is running Jenkins on Amazon EC2, which requires patching and upgrading. The Compliance Officer has requested a DevOps Engineer begin encrypting build artifacts since they contain company intellectual property.
What should the DevOps Engineer do to accomplish this in the MOST maintainable manner?

Question25: You have an application running on Amazon EC2 in an Auto Scaling group. Instances are being bootstrapped dynamically, and the bootstrapping takes over 15 minutes to complete.
You find that instances are reported by Auto Scaling as being In Service before bootstrapping has completed.
You are receiving application alarms related to new instances before they have completed bootstrapping, which is causing confusion.
You find the cause: your application monitoring tool is polling the Auto Scaling Service API for instances that are In Service, and creating alarms for new previously unknown instances.
Which of the following will ensure that new instances are not added to your application monitoring tool before bootstrapping is completed?

Question26: A highly regulated company has a policy that DevOps Engineers should not log in to their Amazon EC2 instances except in emergencies. If a DevOps Engineer does log in, the Security team must be notified within 15 minutes of the occurrence.
Which solution will meet these requirements?

Question27: Using the AWS CLI, which command retrieves CloudTrail trail settings, including the status of the trail itself?

Question28: An IT department manages a portfolio with Windows and Linux (Amazon and Red Hat Enterprise Linux) servers both on-premises and on AWS. An audit reveals that there is no process for updating OS and core application patches, and that the servers have inconsistent patch levels.
Which of the following provides the MOST reliable and consistent mechanism for updating and maintaining all servers at the recent OS and core application patch levels?

Question29: As CloudTrail sends a notification each time a log file is written to the Amazon S3 bucket, an account that's very active can generate a large number of notifications. If you subscribe using email or SMS, you may end up receiving a large volume of messages. Which of the following should you use to handle notifications programmatically?

Question30: A company uses AWS Storage Gateway in file gateway mode in front of an Amazon S3 bucket that is used by multiple resources. In the morning when business begins, users do not see the objects processed by a third party the previous evening. When a DevOps engineer looks directly at the S3 bucket, the data is there, but it is missing in Storage Gateway.
Which solution ensures that all the updated third-party files are available in the morning?

Question31: A consulting company was hired to assess security vulnerabilities within a client company's application and propose a plan to remediate all identified issues. The architecture is identified as follows: Amazon S3 storage for content, an Auto Scaling group of Amazon EC2 instances behind an Elastic Load Balancer with attached Amazon EBS storage, and an Amazon RDS MySQL database. There are also several AWS Lambda functions that communicate directly with the RDS database using connection string statements in the code.
The consultants identified the top security threat as follows: the application is not meeting its requirement to have encryption at rest.
What solution will address this issue with the LEAST operational overhead and will provide monitoring for potential future violations?

Question32: What does the Docker network docker_gwbridge do?

Question33: You have an asynchronous processing application using an Auto Scaling Group and an SQS Queue. The Auto Scaling Group scales according to the depth of the job queue. The completion velocity of the jobs has gone down, the Auto Scaling Group size has maxed out, but the inbound job velocity did not increase.
What is a possible issue?

Question34: A DevOps engineer is deploying an AWS Service Catalog portfolio using AWS CodePipeline. The pipeline should create products and templates based on a manifest file in either JSON or YAML, and should enforce security requirements on all AWS Service Catalog products managed through the pipeline.
Which solution will meet the requirements in an automated fashion?

Question35: You are creating a new API for video game scores. Reads are 100 times more common than writes, and the top 1% of scores are read 100 times more frequently than the rest of the scores.
What's the best design for this system, using DynamoDB?

Question36: If designing a single playbook to run across multiple Linux distributions that have distribution specific commands, what would be the best method to allow a successful run?

Question37: Which of these is not a CloudFormation Helper Script?

Question38: A company recently migrated its legacy application from on-premises to AWS. The application is hosted on Amazon EC2 instances behind an Application Load Balancer, which is behind Amazon API Gateway. The company wants to ensure users experience minimal disruptions during any deployment of a new version of the application. The company also wants to ensure it can quickly roll back updates if there is an issue.
Which solution will meet these requirements with MINIMAL changes to the application?

Question39: A company wants to use Amazon DynamoDB for maintaining metadata on its forums. See the sample data set in the image below.

A DevOps Engineer is required to define the table schema with the partition key, the sort key, the local secondary index, projected attributes, and fetch operations. The schema should support the following example searches using the least provisioned read capacity units to minimize cost.
- Search within ForumName for items where the subject starts with `a'.
- Search forums within the given LastPostDateTime time frame.
- Return the thread value where LastPostDateTime is within the last
three months.
Which schema meets the requirements?

Question40: For Amazon Inspector's integration with CloudTrail, what information is logged for List* and Describe* APIs?

Question41: A DevOps Engineer is architecting a continuous development strategy for a company's software as a service (SaaS) web application running on AWS. For application and security reasons, users subscribing to this application are distributed across multiple Application Load Balancers (ALBs), each of which has a dedicated Auto Scaling group and fleet of Amazon EC2 instances. The application does not require a build stage, and when it is committed to AWS CodeCommit, the application must trigger a simultaneous deployment to all ALBs, Auto Scaling groups, and EC2 fleets.
Which architecture will meet these requirements with the LEAST amount of configuration?

Question42: During metric analysis, your team has determined that the company's website during peak hours is experiencing response times higher than anticipated. You currently rely on Auto Scaling to make sure that you are scaling your environment during peak windows. How can you improve your Auto Scaling policy to reduce this high response time? Choose 2 answers.

Question43: A DevOps Engineer has been asked by the Security team to ensure that AWS CloudTrail files are not tampered with after being created. Currently, there is a process with multiple trails, using AWS IAM to restrict access to specific trails. The Security team wants to ensure they can trace the integrity of each file and make sure there has been no tampering.
Which option will require the LEAST effort to implement and ensure the legitimacy of the file while allowing the Security team to prove the authenticity of the logs?

Question44: After conducting a disaster recovery exercise, an Enterprise Architect discovers that a large team of Database and Storage Administrators need more then seven hours of manual effort to make a flagship application's database functional in a different AWS Region. The Architect also discovers that the recovered database is often missing as much as two hours of data transactions. Which solution provides improved RTO and RPO in a cross-region failover scenario?

Question45: Which major database needs a BYO license?

Question46: You are building a Ruby on Rails application for internal, non-production use which uses MySQL as a database. You want developers without very much AWS experience to be able to deploy new code with a single command line push. You also want to set this up as simply as possible.
Which tool is ideal for this setup?

Question47: A company runs a three-tier web application in its production environment, which is built on a single AWS CloudFormation template made up of Amazon EC2 instances behind an ELB Application Load Balancer. The instances run in an EC2 Auto Scaling group across multiple Availability Zones. Data is stored in an Amazon RDS Multi-AZ DB instance with read replicas.
Amazon Route 53 manages the application's public DNS record.
A DevOps Engineer must create a workflow to mitigate a failed software deployment by rolling back changes in the production environment when a software cutover occurs for new application software. What steps should the Engineer perform to meet these requirements with the LEAST amount of downtime?

Question48: A company hosts its staging website using an Amazon EC2 instance backed with Amazon EBS storage. The company wants to recover quickly with minimal data losses in the event of network connectivity issues or power failures on the EC2 instance.
Which solution will meet these requirements?

Question49: You have an application which consists of EC2 instances in an Auto Scaling group. Between a particular time frame every day, there is an increase in traffic to your website.
Hence users are complaining of a poor response time on the application. You have configured your Auto Scaling group to deploy one new EC2 instance when CPU utilization is greater than
60% for 2 consecutive periods of 5 minutes.
What is the least cost-effective way to resolve this problem?

Question50: You recently encountered a major bug in your Windows-based web application during a deployment cycle.
During this failed deployment, it took the team four hours to roll back to a previously working state, which left customers with a poor user experience.
During the post-mortem, your team discussed the need to provide a quicker way to roll back failed deployments.
You currently run your web application on Amazon EC2 using Windows 2012R2 and use Elastic Load Balancing for your load balancing needs.
Which technique should you use to solve this problem?

Question51: What is AWS CloudTrail Processing Library?

Question52: A company is deploying a new application using Amazon EC2 instances. The company wants to maintain a centralized application and Amazon API logs that can be queried using one tool or service.
Which solution will meet these requirements?

Question53: What is the scope of an EC2 EIP?

Question54: A DevOps engineer has automated a web service deployment using AWS CodePipeline with the following steps:
- An AWS CodeBuild project compiles the deployment artifact and runs
unit tests.
- An AWS CodeDeploy deployment group deploys the web service to Amazon
EC2 instances in the staging environment.
- A CodeDeploy deployment group deploys the web service to EC2
instances in the production environment.
The quality assurance (QA) team has asked for permission to inspect the build artifact before the deployment to the production environment occurs. The QA team wants to run an internal automated penetration testing tool (invoked using a REST API call) to run some manual tests.
Which combination of actions will fulfill this request? (Choose two.)

Question55: A DevOps engineer has been tasked with ensuring that all Amazon S3 buckets, except for those with the word "public" in the name, allow access only to authorized users utilizing S3 bucket policies. The security team wants to be notified when a bucket is created without the proper policy and for the policy to be automatically updated.
Which solutions will meet these requirements?

Question56: Your API requires the ability to stay online during AWS regional failures. Your API does not store any state, it only aggregates data from other sources - you do not have a database. What is a simple but effective way to achieve this uptime goal?

Question57: A company is creating a software solution that executes a specific parallel-processing mechanism. The software can scale to tens of servers in some special scenarios. This solution uses a proprietary library that is license-based, requiring that each individual server have a single, dedicated license installed. The company has 200 licenses and is planning to run 200 server nodes concurrently at most.
The company has requested the following features:
- A mechanism to automate the use of the licenses at scale.
- Creation of a dashboard to use in the future to verify which licenses are available at any moment.
What is the MOST effective way to accomplish these requirements'?

Question58: Which tool will Ansible not use, even if available, to gather facts?

Question59: A rapidly growing company wants to scale for Developer demand for AWS development environments. Development environments are created manually in the AWS Management Console. The Networking team uses AWS CloudFormation to manage the networking infrastructure, exporting stack output values for the Amazon VPC and all subnets. The development environments have common standards, such as Application Load Balancers, Amazon EC2 Auto Scaling groups, security groups, and Amazon DynamoDB tables.
To keep up with the demand, the DevOps Engineer wants to automate the creation of development environments. Because the infrastructure required to support the application is expected to grow, there must be a way to easily update the deployed infrastructure.
CloudFormation will be used to create a template for the development environments.
Which approach will meet these requirements and quickly provide consistent AWS environments for Developers?

Question60: A developer tested an application locally and then deployed it to AWS Lambda. While testing the application remotely, the Lambda function fails with an access denied message.
How can this issue be addressed?

Question61: Using the AWS CLI, which command would you use to change the configuration settings for a CloudTrail trail?

Question62: A DevOps Engineer must implement monitoring for a workload running on Amazon EC2 and Amazon RDS MySQL. The monitoring must include:
- Application logs and operating system metrics for the Amazon EC2
instances
- Database logs and operating system metrics for the Amazon RDS
database
Which steps should the Engineer take?

Question63: An application is being deployed with two Amazon EC2 Auto Scaling groups, each configured with an Application Load Balancer. The application is deployed to one of the Auto Scaling groups and an Amazon Route 53 alias record is pointed to the Application Load Balancer of the last deployed Auto Scaling group. Deployments alternate between the two Auto Scaling groups.
Home security devices are making requests into the application. The Development team notes that new requests are coming into the old stack days after the deployment. The issue is caused by devices that are not observing the Time to Live (TTL) setting on the Amazon Route 53 alias record. What steps should the DevOps Engineer take to address the issue with requests coming to the old stacks, while creating minimal additional resources?

Question64: A DevOps Engineer has several legacy applications that all generate different log formats. The Engineer must standardize the formats before writing them to Amazon S3 for querying and analysis.
How can this requirement be met at the LOWEST cost?

Question65: An Application team has three environments for their application: development, pre-production, and production. The team recently adopted AWS CodePipeline. However, the team has had several deployments of misconfigured or nonfunctional development code into the production environment, resulting in user disruption and downtime. The DevOps Engineer must review the pipeline and add steps to identify problems with the application before it is deployed.
What should the Engineer do to identify functional issues during the deployment process?
(Choose two.)

Question66: You work for a company that automatically tags photographs using artificial neural networks (ANNs), which run on GPUs using C++. You receive millions of images at a time, but only 3 times per day on average. These images are loaded into an AWS S3 bucket you control for you in a batch, and then the customer publishes a JSON-formatted manifest into another S3 bucket you control as well. Each image takes 10 milliseconds to process using a full GPU. Your neural network software requires 5 minutes to bootstrap. Image tags are JSON objects, and you must publish them to an S3 bucket. Which of these is the best system architectures for this system?

Question67: A company is building a web and mobile application that uses a serverless architecture powered by AWS Lambda and Amazon API Gateway. The company wants to fully automate the backend Lambda deployment based on code that is pushed to the appropriate environment branch in an AWS CodeCommit repository.
The deployment must have the following:
- Separate environment pipelines for testing and production.
- Automatic deployment that occurs for test environments only.
Which steps should be taken to meet these requirements?

Question68: A Security team requires all Amazon EBS volumes that are attached to an Amazon EC2 instance to have AWS Key Management Service (AWS KMS) encryption enabled. If encryption is not enabled, the company's policy requires the EBS volume to be detached and deleted. A DevOps Engineer must automate the detection and deletion of unencrypted EBS volumes.
Which method should the Engineer use to accomplish this with the LEAST operational effort?

Question69: A company has a single Developer writing code for an automated deployment pipeline. The Developer is storing source code in an Amazon S3 bucket for each project. The company wants to add more Developers to the team but is concerned about code conflicts and lost work. The company also wants to build a test environment to deploy newer versions of code for testing and allow Developers to automatically deploy to both environments when code is changed in the repository.
What is the MOST efficient way to meet these requirements?

Question70: A company is using tagging to allocate AWS costs. The company has Amazon EC2 instances that run in Auto Scaling groups.
The Amazon Elastic Block Store (Amazon EBS) volumes that are attached to the EC2 instances are being created without the appropriate cost center tags. A DevOps engineer must ensure that the new EBS volumes are properly tagged.
What is the MOST efficient solution that meets this requirement?

Question71: An application is deployed on Amazon EC2 instances running in an Auto Scaling group. During the bootstrapping process, the instances register their private IP addresses with a monitoring system. The monitoring system performs health checks frequently by sending ping requests to those IP addresses and sending alerts if an instance becomes non-responsive.
The existing deployment strategy replaces the current EC2 instances with new ones. A DevOps Engineer has noticed that the monitoring system is sending false alarms during a deployment, and is tasked with stopping these false alarms.
Which solution will meet these requirements without affecting the current deployment method?

Question72: A large enterprise is deploying a web application on AWS. The application runs on Amazon EC2 instances behind an Application Load Balancer. The instances run in an Auto Scaling group across multiple Availability Zones. The application stores data in an Amazon RDS Oracle DB instance and Amazon DynamoDB. There are separate environments for development, testing, and production. What is the MOST secure and flexible way to obtain password credentials during deployment?

Question73: A Development team is adding a new country to an e-commerce application. This addition requires that new application features be added to the shipping component of the application. The team has not decided if all new features should be added, as some will take approximately six weeks to build. While the final decision on the shipping component features is being made, other team members are continuing to work on other features of the application.
Based on this situation, how should the application feature deployments be managed?

Question74: You have been given a business requirement to retain log files for your application for 10 years.
You need to regularly retrieve the most recent logs for troubleshooting.
Your logging system must be cost-effective, given the large volume of logs.
What technique should you use to meet these requirements?

Question75: A retail company is currently hosting a Java-based application in its on-premises data center.
Management wants the DevOps Engineer to move this application to AWS. Requirements state that while keeping high availability, infrastructure management should be as simple as possible.
Also, during deployments of new application versions, while cost is an important metric, the Engineer needs to ensure that at least half of the fleet is available to handle user traffic.
What option requires the LEAST amount of management overhead to meet these requirements?

Question76: For AWS Auto Scaling, what is the first transition state a new instance enters after leaving steady state when scaling out due to increased load?

Question77: In DynamoDB, a secondary index is a data structure that contains a subset of attributes from a table, along with an alternate key to support ______ operations.

Question78: On which local address does the Docker DNS server listen?

Question79: Your application stores sensitive information on an EBS volume attached to your EC2 instance.
How can you protect your information? Choose two answers from the options given below

Question80: A company has an application deployed using Amazon ECS with data stored in an Amazon DynamoDB table. The company wants the application to fail over to another Region in a disaster recovery scenario. The application must also efficiently recover from any accidental data loss events. The RPO for the application is 1 hour and the RTO is 2 hours.
Which highly available solution should a DevOps engineer recommend?

Question81: Customers have recently been complaining that your web application has randomly stopped responding.
During a deep dive of your logs, the team has discovered a major bug in your new Java web application.
This bug is causing a memory leak that eventually causes the application to crash.
Your web application runs on Amazon EC2 and was built with AWS CloudFormation.
Which techniques should you use to help detect these problems faster, as well as help eliminate the server's unresponsiveness? Choose 2 answers

Question82: You need your CI to build AMIs with code pre-installed on the images on every new code push.
You need to do this as cheaply as possible. How do you do this?

Question83: A company is deploying a new mobile game on AWS for its customers around the world. The Development team uses AWS Code services and must meet the following requirements:
- Clients need to send/receive real-time playing data from the backend
frequently and with minimal latency
- Game data must meet the data residency requirement
Which strategy can a DevOps Engineer implement to meet their needs?

Question84: By default, Amazon CloudTrail logs ____ actions defined by the CloudTrail ____ APIs.

Question85: Which of the following Dockerfile commands cannot be overridden at runtime?

Question86: A company is using AWS CodeBuild, AWS CodeDeploy, and AWS CodePipeline to deploy applications automatically to an Amazon EC2 instance. A DevOps Engineer needs to perform a security assessment scan of the operating system on every application deployment to the environment.
How should this be automated?

Question87: You have a complex system that involves networking, IAM policies, and multiple, three-tier applications.
You are still receiving requirements for the new system, so you don't yet know how many AWS components will be present in the final design.
You want to start using AWS CloudFormation to define these AWS resources so that you can automate and version-control your infrastructure.
How would you use AWS CloudFormation to provide agile new environments for your customers in a cost-effective, reliable manner?

Question88: A company wants to implement a CI/CD pipeline for building and testing its mobile apps.
A DevOps Engineer has been given the following requirements:
- Use AWS CodePipeline to orchestrate the workflow.
- Test the application on real devices.
- Trigger a notification.
- Stage the application binary on a production bucket in a different account.
- Make the application binary publicly accessible.
Which sequence of actions should the Engineer perform in the pipeline to meet the requirements?

Question89: Due to compliance regulations, management has asked you to provide a system that allows for cost-effective long-term storage of your application logs and provides a way for support staff to view the logs more quickly. Currently your log system archives logs automatically to Amazon S3 every hour, and support staff must wait for these logs to appear in Amazon S3, because they do not currently have access to the systems to view live logs.
What method should you use to become compliant while also providing a faster way for support staff to have access to logs?

Question90: An n-tier application requires a table in an Amazon RDS MySQL DB instance to be dropped and repopulated at each deployment. This process can take several minutes and the web tier cannot come online until the process is complete. Currently, the web tier is configured in an Amazon EC2 Auto Scaling group, with instances being terminated and replaced at each deployment. The MySQL table is populated by running a SQL query through an AWS CodeBuild job.
What should be done to ensure that the web tier does not come online before the database is completely configured?

Question91: The operations team and the development team want a single place to view both operating system and application logs.
How should you implement this using AWS services? Choose 2 answers

Question92: A company indexes all of its Amazon CloudWatch Logs on Amazon ES and uses Kibana to view a dashboard for actionable insight. The company wants to restrict user access to Kibana by user.
Which actions can a DevOps Engineer take to meet this requirement? (Choose two.)

Question93: A company wants to use AWS Systems Manager documents to bootstrap physical laptops for developers. The bootstrap code is stored in GitHub. A DevOps engineer has already created a Systems Manager activation, installed the Systems Manager agent with the registration code, and installed an activation ID on all the laptops.
Which set of steps should be taken next?

Question94: You were just hired as a DevOps Engineer for a startup. Your startup uses AWS for 100% of their infrastructure. They currently have no automation at all for deployment, and they have had many failures while trying to deploy to production. The company has told you deployment process risk mitigation is the most important thing now, and you have a lot of budget for tools and AWS resources.
Their stack:
2-tier API
Data stored in DynamoDB or S3, depending on type
Compute layer is EC2 in Auto Scaling Groups
They use Route53 for DNS pointing to an ELB
An ELB balances load across the EC2 instances
The scaling group properly varies between 4 and 12 EC2 servers. Which of the following approaches, given this company's stack and their priorities, best meets the company's needs?

Question95: After a recent audit, a company decided to implement a new disaster recovery strategy for its Amazon S3 data and its MySQL database running on Amazon EC2. Management wants the ability to recover to a secondary AWS Region with an RPO under 5 seconds and an RTO under 1 minute.
Which actions will meet the requirements while MINIMIZING operational overhead? (Choose two.)

Question96: Your CTO has asked you to make sure that you know what all users of your AWS account are doing to change resources at all times. She wants a report of who is doing what over time, reported to her once per week, for as broad a resource type group as possible. How should you do this?

Question97: A company uses Amazon S3 to store proprietary information. The Development team creates buckets for new projects on a daily basis. The Security team wants to ensure that all existing and future buckets have encryption, logging, and versioning enabled. Additionally, no buckets should ever be publicly read or write accessible.
What should a DevOps Engineer do to meet these requirements?

Question98: A DevOps Engineer must track the health of a stateless RESTful service sitting behind a Classic Load Balancer. The deployment of new application revisions is through a Cl/CD pipeline. If the service's latency increases beyond a defined threshold, deployment should be stopped until the service has recovered. Which of the following methods allow for the QUICKEST detection time?

Question99: A DevOps Engineer encountered the following error when attempting to use an AWS CloudFormation template to create an Amazon ECS cluster:
An error occurred (InsufficientCapabilitiesException) when calling the CreateStack operation.
What caused this error and what steps need to be taken to allow the Engineer to successfully execute the AWS CloudFormation template?

Question100: A DevOps Engineer uses Docker container technology to build an image-analysis application.
The application often sees spikes in traffic. The Engineer must automatically scale the application in response to customer demand while maintaining cost effectiveness and minimizing any impact on availability. What will allow the FASTEST response to spikes in traffic while fulfilling the other requirements?

Question101: A company has a web application that uses an Amazon DynamoDB table in a single AWS Region to store user information. To support an increasingly global user base, the application must run in a secondary Region and allow users to connect to their closest Region and fail over to the secondary Region.
Which approach should be used to ensure the deployment meets these requirements?

Question102: A company is required to collect user consent to a privacy agreement. An application is deployed in six AWS Regions with two in North America, two in Europe, and two in Asia with a user base of
20-30 million users. The company needs to read and write data related to each user's response, and ensure the responses are available in all six Regions.
What solution will satisfy these requirements while MINIMIZING latency?

Question103: The development team is creating a social media game which ranks users on a scoreboard. The current implementation uses an Amazon RDS for MySQL database for storing user data; however, the game cannot display scores quickly enough during performance testing.
Which service would provide the fastest retrieval times?

Question104: A company runs an application on one Amazon EC2 instance. Application metadata is stored in Amazon S3 and must be retrieved if the instance is restarted. The instance must restart or relaunch automatically if the instance becomes unresponsive.
Which solution will meet these requirements?

Question105: Your CTO is very worried about the security of your AWS account. How best can you prevent hackers from completely hijacking your account?

Question106: Which is the proper syntax for referencing a variable's value in an Ansible task?

Question107: A Development team creates a build project in AWS CodeBuild. The build project invokes automated tests of modules that access AWS services.
Which of the following will enable the tests to run the MOST securely?

Question108: A company runs a database on a single Amazon EC2 instance in a development environment.
The data is stored on separate Amazon EBS volumes that are attached to the EC2 instance. An Amazon Route 53 A record has been created and configured to point to the EC2 instance. The company would like to automate the recovery of the database instance when an instance or Availability Zone (AZ) fails. The company also wants to keep its costs low. The RTO is 4 hours and RPO is 12 hours. Which solution should a DevOps Engineer implement to meet these requirements?

Question109: A media company has several thousand Amazon EC2 instances in an AWS account. The company is using Slack and a shared email inbox for team communications and important updates. A DevOps engineer needs to send all AWS-scheduled EC2 maintenance notifications to the Slack channel and the shared inbox. The solution must include the instances' Name and Owner tags.
Which solutions will meet these requirements?

Question110: Your system uses a multi-master, multi-region DynamoDB configuration spanning two regions to achieve high availablity. For the first time since launching your system, one of the AWS Regions in which you operate over went down for 3 hours, and the failover worked correctly. However, after recovery, your users are experiencing strange bugs, in which users on different sides of the globe see different data. What is a likely design issue that was not accounted for when launching?

Question111: Your organization has decided to implement a third-party configuration management tool that uses a master server from which nodes pull configuration.
You have built a custom base Amazon Machine Image that already has the third-party configuration management agent installed.
You want to use the same base AMI in Development, Test and Production environments, each of which has its own master server.
How should you configure your Amazon EC2 instances to register with the correct master server on launch?

Question112: What is the scope of an EBS snapshot?

Question113: A company has established tagging and configuration standatrds for its infrastructure resources running on AWS. A DevOps Engineer is developing a design that will provide a near-real-time dashboard of the compliance posture with the ability to highlight violations.
Which approach meets the stated requirements?

Question114: Which of these configuration or deployment practices is a security risk for RDS?

Question115: The Ansible Inventory system allows many attributes to be defined within it. Which item below is not one of these?

Question116: An online company uses Amazon EC2 Auto Scaling extensively to provide an excellent customer experience while minimizing the number of running EC2 instances. The company's self-hosted Puppet environment in the application layer manages the configuration of the instances. The IT manager wants the lowest licensing costs and wants to ensure that whenever the EC2 Auto Scaling group scales down, removed EC2 instances are deregistered from the Puppet master as soon as possible.
How can the requirement be met?

Question117: A DevOps Engineer discovered a sudden spike in a website's page load times and found that a recent deployment occurred. A brief diff of the related commit shows that the URL for an external API call was altered and the connecting port changed from 80 to 443. The external API has been verified and works outside the application. The application logs show that the connection is now timing out, resulting in multiple retries and eventual failure of the call.
Which debug steps should the Engineer take to determine the root cause of the issue'?

Question118: A company has mandated a global encryption-at-rest policy. A DevOps engineer has been tasked to ensure that new data uploaded to both new and existing Amazon S3 buckets is encrypted at rest across the company's AWS Organizations organization. There are a number of legacy applications deployed on AWS that use Amazon S3 and do not store data encrypted at rest.
These applications MUST continue to operate. The engineer must ensure S3 encryption at rest across the organization without requiring an application code change.
How should this be accomplished with MINIMAL effort?

Question119: A government agency is storing highly confidential files in an encrypted Amazon S3 bucket. The agency has configured federated access and has allowed only a particular on-premises Active Directory user group to access this bucket.
The agency wants to maintain audit records and automatically detect and revert any accidental changes administrators make to the IAM policies used for providing this restricted federated access.
Which of the following options provide the FASTEST way to meet these requirements?

Question120: A company is using AWS for an application. The Development team must automate its deployments. The team has set up an AWS CodePipeline to deploy the application to Amazon EC2 instances by using AWS CodeDeploy after it has been built using the AWS CodeBuild service.
The team would like to add automated testing to the pipeline to confirm that the application is healthy before deploying it to the next stage of the pipeline using the same code. The team requires a manual approval action before the application is deployed, even if the test is successful. The testing and approval must be accomplished at the lowest costs, using the simplest management solution.
Which solution will meet these requirements?

Question121: A company uses Amazon EC2 instances to host applications for its customers. Recently, the company's support team has received EC2 scheduled maintenance notifications regarding its EC2 instances.
The support team wants to automatically perform a restart of any EC2 instances with a scheduled maintenance event before the scheduled date.
Which solution will meet these requirements while requiring the MINIMUM amount of development effort?

Question122: A user is defining a policy for an IAM user. Which of the below mentioned options is a valid version defined for the policy?

Question123: A company uses federated access for its AWS environment. The available roles are created and managed using AWS CloudFormation from CI/CD pipeline. All changes should be made to the IAM roles through the pipeline. The security team found that changes are being made to the roles out-of-band and would like to detect when this occurs.
Which action will accomplish this?

Question124: A publishing company used AWS Elastic Beanstalk, Amazon S3, and Amazon DynamoDB to develop a web application. The web application has increased dramatically in popularity, resulting in unpredictable spikes in traffic. A DevOps Engineer has noted that 90% of the requests are duplicate read requests. How can the Engineer improve the performance of the website?

Question125: A company has multiple development teams sharing one AWS account. The development team's manager wants to be able to automatically stop Amazon EC2 instances and receive notifications if resources are idle and not tagged as production resources.
Which solution will meet these requirements?

Question126: A healthcare services company is concerned about the growing costs of software licensing for an application for monitoring patient wellness. The company wants to create an audit process to ensure that the application is running exclusively on Amazon EC2 Dedicated Hosts. A DevOps Engineer must create a workflow to audit the application to ensure compliance.
What steps should the Engineer take to meet this requirement with the LEAST administrative overhead?

Question127: A development team is building an ecommerce application and is using Amazon Simple Notification Service (Amazon SNS) to send order messages to multiple endpoints. One of the endpoints is an external HTTP endpoint that is not always available. The development team needs to receive a notification if an order message is not delivered to the HTTP endpoint.
What should a DevOps engineer do to meet these requirements?

Question128: An online retail company based in the United States plans to expand its operations to Europe and Asia in the next six months. Its product currently runs on Amazon EC2 instances behind an Application Load Balancer. The instances run in an Amazon EC2 Auto Scaling group across multiple Availability Zones. All data is stored in an Amazon Aurora database instance.
When the product is deployed in multiple regions, the company wants a single product catalog across all regions, but for compliance purposes, its customer information and purchases must be kept in each region. How should the company meet these requirements with the LEAST amount of application changes?

Question129: A company's application is running on Amazon EC2 instances in an Auto Scaling group. A DevOps engineer needs to ensure there are at least four application servers running at all times.
Whenever an update has to be made to the application, the engineer creates a new AMI with the updated configuration and updates the AWS CloudFormation template with the new AMI ID. After the stack finishes, the engineer manually terminates the old instances one by one, verifying that the new instance is operational before proceeding. The engineer needs to automate this process.
Which action will allow for the LEAST number of manual steps moving forward?

Question130: A company is deploying a container-based application using AWS CodeBuild. The Security team mandates that all containers are scanned for vulnerabilities prior to deployment using a password-protected endpoint. All sensitive information must be stored securely.
Which solution should be used to meet these requirements?

Question131: You need to grant a vendor access to your AWS account. They need to be able to read protected messages in a private S3 bucket at their leisure. They also use AWS. What is the best way to accomplish this?

Question132: After presenting a working proof of concept for a new application that uses AWS API Gateway, a Developer must set up a team development environment for the project. Due to a tight timeline, the Developer wants to minimize time spent on infrastructure setup, and would like to reuse the code repository created for the proof of concept. Currently, all source code is stored in AWS CodeCommit. Company policy mandates having alpha, beta, and production stages with separate Jenkins servers to build code and run tests for every stage. The Development Manager must have the ability to block code propagation between admins at any time. The Security team wants to make sure that users will not be able to modify the environment without permission.
How can this be accomplished?

Question133: You need to deploy an AWS stack in a repeatable manner across multiple environments. You have selected CloudFormation as the right tool to accomplish this, but have found that there is a resource type you need to create and model, but is unsupported by CloudFormation. How should you overcome this challenge?

Question134: A company's security team discovers that IAM access keys were exposed in a public code repository. Moving forward, the DevOps team wants to implement a solution that will automatically disable any keys that are suspected of being compromised, and notify the security team.
Which solution will accomplish this?

Question135: A DevOps team wants to implement their containerized application using AWS. The deployment must meet the following requirements:
- There should be minimal downtime during deployment.
- The application must be functionally tested to be considered a
success.
How can the DevOps team automate this deployment?

Question136: What is web identity federation?

Question137: Your development team wants account-level access to production instances in order to do live debugging of a highly secure environment.
Which of the following should you do?

Question138: What method should I use to author automation if I want to wait for a CloudFormation stack to finish completing in a script?

Question139: An application has microservices spread across different AWS accounts and is integrated with an on- premises legacy system for some of its functionality. Because of the segmented architecture and missing logs, every time the application experiences issues, it is taking too long to gather the logs to identify the issues. A DevOps Engineer must fix the log aggregation process and provide a way to centrally analyze the logs.
Which is the MOST efficient and cost-effective solution?

Question140: You are using AWS Elastic Beanstalk to deploy your application and must make data stored on an Amazon Elastic Block Store (EBS) volume snapshot available to the Amazon Elastic Compute Cloud (EC2) instances. How can you modify your Elastic Beanstalk environment so that the data is added to the Amazon EC2 instances every time you deploy your application?

Question141: A company's DevOps team launches a WorkSpace using Amazon WorkSpaces for each new user. Recently, the Security team said that WorkSpaces for these new users are not consistently being tagged. Company policy requires that all WorkSpaces be tagged with USERNAME automatically upon creation.
Which combination of steps should the DevOps Engineer take to address this requirement?
(Choose two.)

Question142: You have an application running on multiple Amazon EC2 instances within an Auto Scaling group.
You notice that instances are being re-spawned as their health checks are failing in Amazon EC2.
However, before you have a chance to diagnose the issue, the affected instances are being terminated by the Auto Scaling service.
You receive notifications of health checks failing and investigate within 20 minutes.
However, this is not enough time to troubleshoot the issue.
What should you change that will enable you to troubleshoot the instance before it is terminated by the Auto Scaling service, while keeping costs minimal?

Question143: A company updated the AWS CloudFormation template for a critical business application. The stack update process failed due to an error in the updated template, and CloudFormation automatically began the stack rollback process. Later, a DevOps engineer found the application was still unavailable, and that the stack was in the UPDATE_ROLLBACK_FAILED state.
Which combination of actions will allow the stack rollback to complete successfully? (Choose two.)

Question144: Which of the following is NOT an advantage of Docker's content addressable storage model?

Question145: A DevOps engineer is troubleshooting deployments to a new application that runs on Amazon EC2 instances behind an Application Load Balancer. The instances run in an EC2 Auto Scaling group across multiple Availability Zones. Instances sometimes come online before they are ready, which is leading to increased error rates among users. The current health check configuration gives instances a 60-second grace period and considers instances healthy after two
200 response codes from /index.php, a page that may respond intermittently during the deployment process. The development team wants instances to come online as soon as possible.
Which strategy would address this issue?

Question146: What is the scope of an EC2 security group?

Question147: A DevOps Engineer needs to deploy a scalable three-tier Node.js application in AWS. The application must have zero downtime during deployments and be able to roll back to previous versions. Other applications will also connect to the same MySQL backend database. The CIO has provided the following guidance for logging:
- Centrally view all current web access server logs.
- Search and filter web and application logs in near-real time.
- Retain log data for three months.
How should these requirements be met?

Question148: Which statement is true about configuring proxy support for Amazon Inspector agent on a Windows-based system?

Question149: A company is required to collect user consent to a privacy agreement.
An application is deployed in six AWS Regions with two in North America, two in Europe, and two in Asia with a user base of 20-30 million users.
The company needs to read and write data related to each user's response, and ensure the responses are available in all six Regions.
What solution will satisfy these requirements while MINIMIZING latency?

Question150: Some of your EC2 instances are configured to use a Proxy. Can you use Amazon Inspector for regular assessment of instances behind proxy?

Question151: A company is using AWS CodePipeline to automate its release pipeline. AWS CodeDeploy is being used in the pipeline to deploy an application to Amazon ECS using the blue/green deployment model. The company wants to implement scripts to test the green version of the application before shifting traffic. These scripts will complete in 5 minutes or less. If errors are discovered during these tests, the application must be rolled back.
Which strategy will meet these requirements?

Question152: An AWS CodePipeline pipeline has implemented a code release process. The pipeline is integrated with AWS CodeDeploy to deploy versions of an application to multiple Amazon EC2 instances for each CodePipeline stage.
During a recent deployment, the pipeline failed due to a CodeDeploy issue. The DevOps team wants to improve monitoring and notifications during deployment to decrease resolution times.
What should the DevOps Engineer do to create notifications when issues are discovered?

Question153: You run a large number of applications on Amazon EC2 instances. Each application has associated metadata, such as cost center, support contact, and application ID.
Many applications usually co-exist on each Amazon EC2 instance, so the amount of metadata per instance can range from 10 to 200 items.
The customer wants to be able to quickly access this metadata using an API without logging into the instances.
Which of the following options will satisfy their requirements? Choose 2 answers

Question154: A company is building a solution for storing files containing Personally Identifiable Information (PII) on AWS.
Requirements state:
- All data must be encrypted at rest and in transit.
- Al data must be replicated in at least two locations that are at
least 500 miles apart.
Which solution meets these requirements?

Question155: What is the scope of AWS IAM?

Question156: What are the default memory limit policies for a Docker container?

Question157: A company has an application that has predictable peak traffic times. The company wants the application instances to scale up only during the peak times. The application stores state in Amazon DynamoDB. The application environment uses a standard Node.js application stack and custom Chef recipes stored in a private Git repository.
Which solution is MOST cost-effective and requires the LEAST amount of management overhead when performing rolling updates of the application environment?

Question158: You are in charge of a large-scale highly available multi-tier web application infrastructure.
This architecture consists of Amazon Route53 with a load balancer and multiple Amazon EC2 instances.
You have been tasked to come up with a process to provide Blue/Green style deployments.
Which technique should you use to deliver this new requirement?

Question159: Your CTO thinks your AWS account was hacked. What is the only way to know for certain if there was unauthorized access and what they did, assuming your hackers are very sophisticated AWS engineers and doing everything they can to cover their tracks?

Question160: When thinking of DynamoDB, what are true of Local Secondary Key properties?

Question161: A company gives its employees limited rights to AWS. DevOps engineers have the ability to assume an administrator role. For tracking purposes, the security team wants to receive a near- real-time notification when the administrator role is assumed.
How should this be accomplished?

Question162: For AWS Auto Scaling, what is the first transition state an existing instance enters after leaving steady state in Standby mode?

Question163: A company is using several AWS CloudFormation templates for deploying infrastructure as code.
In most of the deployments, the company uses Amazon EC2 Auto Scaling groups. A DevOps Engineer needs to update the AMIs for the Auto Scaling group in the template if newer AMIs are available.
How can these requirements be met?

Question164: Your application is currently running on Amazon EC2 instances behind a load balancer. Your management has decided to use a Blue/Green deployment strategy. How should you implement this for each deployment?

Question165: A company used AWS CloudFormation to deploy a three-tier web application that stores data in an Amazon RDS MySOL Multi-AZ DB instance. A DevOps Engineer must upgrade the RDS instance to the latest major version of MySQL while incurring minimal downtime. How should the Engineer upgrade the instance while minimizing downtime?

Question166: A DevOps Engineer administers an application that manages video files for a video production company. The application runs on Amazon EC2 instances behind an ELB Application Load Balancer. The instances run in an Auto Scaling group across multiple Availability Zones. Data is stored in an Amazon RDS PostgreSOL Multi-AZ DB instance, and the video ides are stored in an Amazon S3 bucket. On a typical day 50 GB of new video are added to the S3 bucket. The Engineer must implement a multi-region disaster recovery plan with the least data loss and the lowest recovery times. The current application infrastructure is already described using AWS CloudFormation.
Which deployment option should the Engineer choose to meet the uptime and recovery objectives for the system?

Question167: A DevOps engineer is designing a multi-Region disaster recovery strategy for an application requiring an RPO of 1 hour and RTO of 4 hours. The application is deployed with an AWS CloudFormation template that creates an Application Load Balancer, Amazon EC2 instances in an Auto Scaling group, and an Amazon RDS Multi-AZ DB instance with 20 GB of allocated storage. The AMI of the application instance does not contain data and has been copied to the destination Region.
Which combination of actions will satisfy the recovery objectives at the LOWEST cost? (Choose two.)

Question168: For AWS Auto Scaling, what is the first transition state an instance enters after leaving steady state when scaling in due to health check failure or decreased load?

Question169: In which Docker Swarm model does the swarm manager distribute a specific number of replica tasks among the nodes based upon the scale you set in the desired state?

Question170: A global company with distributed Development teams built a web application using a microservices architecture running on Amazon ECS. Each application service is independent and runs as a service in the ECS cluster. The container build files and source code reside in a private GitHub source code repository. Separate ECS clusters exist for development, testing, and production environments. Developers are required to push features to branches in the GitHub repository and then merge the changes into an environment-specific branch (development, test, or production). This merge needs to trigger an automated pipeline to run a build and a deployment to the appropriate ECS cluster. What should the DevOps Engineer recommend as an automated solution to these requirements?

Question171: An application running on a set of Amazon EC2 instances in an Auto Scaling group requires a configuration file to operate. The instances are created and maintained with AWS CloudFormation. A DevOps engineer wants the instances to have the latest configuration file when launched, and wants changes to the configuration file to be reflected on all the instances with a minimal delay when the CloudFormation template is updated. Company policy requires that application configuration files be maintained along with AWS infrastructure configuration files in source control.
Which solution will accomplish this?

Question172: You are creating an application which stores extremely sensitive financial information. All information in the system must be encrypted at rest and in transit. Which of these is a violation of this policy?

Question173: You are designing a service that aggregates clickstream data in batch and delivers reports to subscribers via email only once per week. Data is extremely spikey, geographically distributed, high-scale, and unpredictable. How should you design this system?

Question174: A DevOps engineer used an AWS CloudFormation custom resource to set up AD Connector. The AWS Lambda function executed and created AD Connector, but CloudFormation is not transitioning from CREATE_IN_PROGRESS to CREATE_COMPLETE.
Which action should the engineer take to resolve this issue?

Question175: Your mobile application includes a photo-sharing service that is expecting tens of thousands of users at launch.
You will leverage Amazon Simple Storage Service (S3) for storage of the user Images, and you must decide how to authenticate and authorize your users for access to these images.
You also need to manage the storage of these images.
Which two of the following approaches should you use?
Choose 2 answers

Question176: You have been tasked with deploying a scalable distributed system using AWS OpsWorks.
Your distributed system is required to scale on demand. As it is distributed, each node must hold a configuration file that includes the hostnames of the other instances within the layer.
How should you configure AWS OpsWorks to manage scaling this application dynamically?

Question177: A DevOps Engineer is implementing a mechanism for canary testing an application on AWS. The application was recently modified and went through security, unit, and functional testing. The application needs to be deployed on an AutoScaling group and must use a Classic Load Balancer.
Which design meets the requirement for canary testing?

Question178: A Security team is concerned that a Developer can unintentionally attach an Elastic IP address to an Amazon EC2 instance in production. No Developer should be allowed to attach an Elastic IP address to an instance. The Security team must be notified if any production server has an Elastic IP address at any time.
How can this task be automated?

Question179: A company is using an AWS CloudFormation template to deploy web applications. The template requires that manual changes be made for each of the three major environments: production, staging, and development. The current sprint includes the new implementation and configuration of AWS CodePipeline for automated deployments.
What changes should the DevOps Engineer make to ensure that the CloudFormation template is reusable across multiple pipelines?

Question180: A company has a hybrid architecture solution in which some legacy systems remain on-premises, while a specific cluster of servers is moved to AWS. The company cannot reconfigure the legacy systems, so the cluster nodes must have a fixed hostname and local IP address for each server that is part of the cluster. The DevOps Engineer must automate the configuration for a six-node cluster with high availability across three Availability Zones (AZs), placing two elastic network interfaces in a specific subnet for each AZ. Each node's hostname and local IP address should remain the same between reboots or instance failures. Which solution involves the LEAST amount of effort to automate this task?

Question181: A company has an application that is using a MySQL-compatible Amazon Aurora Multi-AZ DB cluster as the database. A cross-Region read replica has been created for disaster recovery purposes. A DevOps engineer wants to automate the promotion of the replica so it becomes the primary database instance in the event of a failure.
Which solution will accomplish this?

Question182: What is the maximum time messages can be stored in SQS?

Question183: Which answer is the proper syntax for specifying two target hosts on the command line when running an Ansible Playbook?

Question184: A company manages an application that stores logs in Amazon CloudWatch Logs. The company wants to archive the logs in Amazon S3. Logs are rarely accessed after 90 days and must be retained for 10 years.
Which combination of steps should a DevOps engineer take to meet these requirements?
(Choose two.)

Question185: An ecommerce company uses a large number of Amazon EBS backed Amazon EC2 instances.
To decrease manual work across all the instances, a DevOps Engineer is tasked with automating restart actions when EC2 instance retirement events are scheduled.
How can this be accomplished?

Question186: A company has developed an AWS Lambda function that handles orders received through an API. The company is using AWS CodeDeploy to deploy the Lambda function as the final stage of a CI/CD pipeline.
A DevOps Engineer has notices there are intermittent failures of the ordering API for a few seconds after deployment. After some investigation, the DevOps Engineer believes the failures are due to database changes not having fully propagated before the lambda function begins executing.
How should the DevOps Engineer overcome this?

Question187: Your application has an Auto Scaling group of m3.large instances running an application that receives messages born an Amazon SQS queue.
After a while, the number of instances reaches the maximum set for the group and the number of messages on the queue continues to increase.
You have discovered that a third- party library used by the application has a bug that causes a memory leak.
What cost-effective steps can you take to continue message processing while the library developer fixes the bug?

Question188: A company is using AWS Organizations and wants to implement a governance strategy with the following requirements:
- AWS resource access is restricted to the same two Regions for all
accounts.
- AWS services are limited to a specific group of authorized services
for all accounts.
- Authentication is provided by Active Directory.
- Access permissions are organized by job function and are identical in each account.
Which solution will meet these requirements?

Question189: Your social media marketing application has a component written in Ruby running on AWS Elastic Beanstalk.
This application component posts messages to social media sites in support of various marketing campaigns.
Your management now requires you to record replies to these social media messages to analyze the effectiveness of the marketing campaign in comparison to past and future efforts.
You' ve already developed a new application component to interface with the social media site APIs in order to read the replies.
Which process should you use to record the social media replies in a durable data store that can be accessed at any time for analysis of historical data?

Question190: Which of the following are not valid sources for OpsWorks custom cookbook repositories?

Question191: You set up a scalable continuous integration platform on AWS.
The platform consists of a master node that can delegate project build jobs to multiple slave nodes, all running on Amazon EC2.
The build output will be stored in Amazon S3.
You always have five slave nodes deployed. Each slave node can handle 10 build jobs simultaneously.
Your master node publishes a custom Amazon CloudWatch metric with the name
"RunningBuildiobs" that Slows you to programmatically track how many build jobs are running across your platform.
Which two configuration options will allow you to flexibly scale your platform to support more than
50 simultaneous build jobs while minimizing costs? Choose 2 answers

Question192: A company requires its internal business teams to launch resources through pre-approved AWS CloudFormation templates only. The security team requires automated monitoring when resources drift from their expected state.
Which strategy should be used to meet these requirements?

Question193: Two teams are working together on different portions of an architecture and are using AWS CloudFormation to manage their resources. One team administers operating system-level updates and patches, while the other team manages application-level dependencies and updates. The Application team must take the most recent AMI when creating new instances and deploying the application. What is the MOST scalable method for linking these two teams and processes?

Question194: A DevOps engineer is deploying a new version of a company's application in an AWS CodeDeploy deployment group associated with its Amazon EC2 instances. After some time, the deployment fails. The engineer realizes that all the events associated with the specific deployment ID are in a Skipped status, and code was not deployed in the instances associated with the deployment group.
What are valid reasons for this failure? (Choose two.)

Question195: You are administering a continuous integration application that polls version control for changes and then launches new Amazon EC2 instances for a full suite of build tests.
What should you do to ensure the lowest overall cost while being able to run as many tests in parallel as possible?

Question196: What is the expected behavior if Ansible is called with `ansible-playbook -i localhost playbook.yml'?

Question197: You are building an AWS CloudFormation template for a multi-tier web application.
The user data of your Linux web server resource contains a complex script that can take a long time to run.
Which techniques could you use to ensure that these servers are fully configured and running before attaching them to the load balancer? Choose 2 answers

Question198: A defect was discovered in production and a new sprint item has been created for deploying a hotfix. However, any code change must go through the following steps before going into production:
- Scan the code for security breaches, such as password and access key
leaks.
- Run the code through extensive, long running unit tests.
Which source control strategy should a DevOps Engineer use in combination with AWS CodePipeline to complete this process?

Question199: A DevOps engineer needs to grant several external contractors access to a legacy application that runs on an Amazon Linux Amazon EC2 instance. The application server is available only in a private subnet. The contractors are not authorized for VPN access.
What should the DevOps engineer do to grant the contactors access to the application server?

Question200: A DevOps Engineer is building a continuous deployment pipeline for a serverless application using AWS CodePipeline and AWS CodeBuild. The source, build, and test stages have been created with the deploy stage remaining. The company wants to reduce the risk of an unsuccessful deployment by deploying to a specified subset of customers and monitoring prior to a full release to all customers.
How should the deploy stage be configured to meet these requirements?

Question201: After a daily scrum with your development teams, you've agreed that using Blue/Green style deployments would benefit the team.
Which technique should you use to deliver this new requirement?

Question202: A DevOps Engineer has several legacy applications that all generate different log formats. The Engineer must standardize the formats before writing them to Amazon S3 for querying and analysis.
How can this requirement be met at the LOWEST cost?

Question203: A root account has created an IAM group and defined the policy as:
"Statement": [
{
"Effect": "Allow"
"Action": ["iam:ChangePassword"],
"Resource": ["arn:aws:iam::123123123123:user/${aws:username}"] },
{
"Effect": "Allow",
"Action": ["iam:GetAccountPasswordPolicy"],
"Resource": ["*"]
}
]
What will this policy do?

Question204: You run a small online consignment marketplace. Interested sellers complete an online application in order to allow them to sell their products on your website.
Once approved, they can post their product using a custom interface.
From that pant, you manage the shopping cart process so that when a buyer decides to buy a product, you handle the billing and coordinate the shipping.
Part of this process requires sending emails to the buyer and the seller at different stages.
Your system has been running on AWS for a few months.
Occasionally, products are shipped before payment cleared and emails are sent out of order.
Furthermore, sometimes credit cards are being charged twice. How can you resolve these problems?

Question205: Which services can be used as optional components of setting up a new Trail in CloudTrail?

Question206: What option below is the geographic limit of an EC2 security group?

Question207: You need to run a very large batch data processing job one time per day. The source data exists entirely in S3, and the output of the processing job should also be written to S3 when finished. If you need to version control this processing job and all setup and teardown logic for the system, what approach should you use?

Question208: You want to set up the CloudTrail Processing Library to log your bucket operations. Which command will build a .jar file from the CloudTrail Processing Library source code?

Question209: You have a fleet of Elastic Compute Cloud (EC2) instances in an Auto Scaling group.
All of these instances are running Microsoft Windows Server 2012 backed by Amazon Elastic Block Store (EBS).
These instances were launched through AWS CloudFormation.
You have determined that your instances are underutilized, and in order to save some money, have decided to modify the instance type of the fleet.
In which of the following ways can you achieve the desired result during a scheduled maintenance window? Choose 2 answers

Question210: A company has built a web service that runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The company has deployed the application in us-east-1. Amazon Route 53 provides an external DNS that routes traffic from example.com to the application, created with appropriate health checks.
The company has deployed a second environment for the application in eu-west-1. The company wants traffic to be routed to whichever environment results in the best response time for each user. If there is an outage in one Region, traffic should be directed to the other environment.
Which configuration will achieve these requirements?

Question211: A Development team uses AWS CodeCommit for source code control. Developers apply their changes to various feature branches and create pull requests to move those changes to the master branch when they are ready for production. A direct push to the master branch should not be allowed. The team applied the AWS managed policy AWSCodeCommitPowerUser to the Developers' IAM rote, but now members are able to push to the master branch directly on every repository in the AWS account.
What actions should be taken to restrict this?

Question212: If a variable is assigned in the `vars' section of a playbook, where is the proper place to override that variable?

Question213: Which command will start an assessment run?

Question214: You need to deploy a new application version to production. Because the deployment is high-risk, you need to roll the new version out to users over a number of hours, to make sure everything is working correctly. You need to be able to control the proportion of users seeing the new version of the application down to the percentage point.
You use ELB and EC2 with Auto Scaling Groups and custom AMIs with your code pre-installed assigned to Launch Configurations. There are no database-level changes during your deployment. You have been told you cannot spend too much money, so you must not increase the number of EC2 instances much at all during the deployment, but you also need to be able to switch back to the original version of code quickly if something goes wrong. What is the best way to meet these requirements?

Question215: You need to know when you spend $1000 or more on AWS. What's the easy way for you to see that notification?

Question216: Your system automatically provisions EIPs to EC2 instances in a VPC on boot. The system provisions the whole VPC and stack at once. You have two of them per VPC. On your new AWS account, your attempt to create a Development environment failed, after successfully creating Staging and Production environments in the same region. What happened?

Question217: Which deployment method, when using AWS Auto Scaling Groups and Auto Scaling Launch Configurations, enables the shortest time to live for individual servers?

Question218: To monitor API calls against our AWS account by different users and entities, we can use
________ to create a history of calls in bulk for later review, and use ___________ for reacting to AWS API calls in real-time.

Question219: A company is setting a centralized logging solution on AWS and has several requirements. The company wants its Amazon CloudWatch Logs and VPC Flow logs to come from different sub accounts and to be delivered to a single auditing account. However, the number of sub accounts keeps changing. The company also needs to index the logs in the auditing account to gather actionable insight. How should a DevOps Engineer implement the solution to meet all of the company's requirements?

Question220: A web application is being actively developed by multiple development teams within your organization.
You have created a self-service portal-driven by AWS CloudFormation and the AWS APIs-that allows testers to select a code branch containing a new feature that they want to test.
The portal will then provision an environment and deploy the right branch of code to it.
Recently you have noticed that a large number of environments contain broken builds.
You want to introduce a set of automated browser tests that are executed on a new environment before the environment is available to the tester.
This way a tester does not waste time trying to test new features in a broken environment. Select a suitable way to implement such a feature into the existing self-service portal:

Question221: You are building out a layer in a software stack on AWS that needs to be able to scale out to react to increased demand as fast as possible. You are running the code on EC2 instances in an Auto Scaling Group behind an ELB. Which application code deployment method should you use?

Question222: A company is implementing AWS CodePipeline to automate its testing process. The company wants to be notified when the execution state fails and used the following custom event pattern in Amazon CloudWatch:

Which type of events will match this event pattern?

Question223: A company wants to migrate a legacy application to AWS and develop a deployment pipeline that uses AWS services only. A DevOps engineer is migrating all of the application code from a Git repository to AWS CodeCommit while preserving the history of the repository. The DevOps engineer has set all the permissions within CodeCommit, installed the Git client and the AWS CLI on a local computer, and is ready to migrate the repository.
Which actions will follow?

Question224: A DevOps Engineer must automate a weekly process of identifying unnecessary permissions on a per- user basis, across all users in an AWS account. This process should evaluate the permissions currently granted to each user by examining the user's attached IAM access policies compared to the permissions the user has actually used in the past 90 days. Any differences in the comparison would indicate that the user has more permissions than are required. A report of the deltas should be sent to the Information Security team for further review and IAM user access policy revisions, as required. Which solution is fully automated and will produce the MOST detailed deltas report?

Question225: You want to securely distribute credentials for your Amazon RDS instance to your fleet of web server instances.
The credentials are stored in a file that is controlled by a configuration management system.
How do you securely deploy the credentials in an automated manner across the fleet of web server instances, which can number in the hundreds, while retaining the ability to roll back if needed?

Question226: A DevOps engineer is scheduling legacy AWS KMS keys for deletion and has created a remediation AWS Lambda function that will re-enable a key if necessary. The engineer wants to automate this process with available AWS CloudTrail data so, if a key scheduled for deletion is in use, it will be re-enabled.
Which solution enables this automation?

Question227: You need to perform ad-hoc analysis on log data, including searching quickly for specific error codes and reference numbers. Which should you evaluate first?

Question228: A root owner is trying to create an IAM user of the various departments. The owner has created groups for each department, but wants to still delineate the user based on the sub division level.
E.g. The two users from different sub departments should be identified separately and have separate permissions. How can the root owner configure this?

Question229: A government agency has multiple AWS accounts, many of which store sensitive citizen information. A Security team wants to detect anomalous account and network activities (such as SSH brute force attacks) in any account and centralize that information in a dedicated security account. Event information should be stored in an Amazon S3 bucket in the security account, which is monitored by the department's Security Information and Even Manager (SIEM) system.
How can this be accomplished?

Question230: Your company currently runs a large multi-tier web application. One component is an API service that all other components of your application rely on to perform read/write operations.
This service must have high availability and zero downtime during deployments.
Which technique should you use to provide cost-effective, zero-downtime deployments for this component?

Question231: You are responsible for your company's large multi-tiered Windows-based web application running on Amazon EC2 instances situated behind a load balancer.
While reviewing metrics, you've started noticing an upwards trend for slow customer page load time.
Your manager has asked you to come up with a solution to ensure that customer load time is not affected by too many requests per second.
Which technique would you use to solve this issue?

Question232: Your application is currently running on Amazon EC2 instances behind a load balancer.
Your management has decided to use a Blue/Green deployment strategy.
How should you implement this for each deployment?

Question233: Your serverless architecture using AWS API Gateway, AWS Lambda, and AWS DynamoDB experienced a large increase in traffic to a sustained 400 requests per second, and dramatically increased in failure rates. Your requests, during normal operation, last 500 milliseconds on average. Your DynamoDB table did not exceed 50% of provisioned throughput, and Table primary keys are designed correctly. What is the most likely issue?

Question234: A company is beginning to move to the AWS Cloud. Internal customers are classified into two groups according to their AWS skills: beginners and experts.
The DevOps Engineer needs to build a solution to allow beginners to deploy a restricted set of AWS architecture blueprints expresses as AWS CloudFormation templates. Deployment should only be possible on predetermined Virtual Private Clouds (VPCs). However, expert users should be able to deploy blueprints without constraints. Experts should also be able to access other AWS services, as needed. How can the Engineer implement a solution to meet these requirements with the LEAST amount of overhead?

Question235: A web application with multiple services runs on Amazon EC2 instances behind an Application Load Balancer. The application stores data in an Amazon RDS Multi-AZ DB instance. The instance health check used by the load balancer returns PASS if at least one service is running on the instance.
The company uses AWS CodePipeline with AWS CodeBuild and AWS CodeDeploy steps to deploy code to test and production environments. Recently, a new version was unable to connect to the database server in the test environment. One process was running, so the health checks reported healthy and the application was promoted to production, causing a production outage.
The company wants to ensure that test builds are fully functional before a promotion to production.
Which changes should a DevOps Engineer make to the test and deployment process? (Choose two.)

Question236: A company wants 10 use AWS development tools to replace Its current bash deployment scrips.
The company currently deploys a LAMP application to a group of Amazon EC2 instances behind an Application Load Balancer (ALB). During the deployments, the company unit tests the committed application, stops and starts services, unregisters and re-registers instances with the load balancer, and updates Me permissions.
The company wants to maintain the same deployment functionality through the shift to using AWS services.
Which solution will meet these requirements?

Question237: A DevOps engineer is assisting with a multi-Region disaster recovery solution for a new application. The application consists of Amazon EC2 instances running in an Auto Scaling group and an Amazon Aurora MySQL DB cluster. The application must be available with an RTO of 120 minutes and an RPO of 60 minutes.
What is the MOST cost-effective way to meet these requirements?

Question238: A Developer is designing a continuous deployment workflow for a new Development team to facilitate the process for source code promotion in AWS. Developers would like to store and promote code for deployment from development to production while maintaining the ability to roll back that deployment if it fails.
Which design will incur the LEAST amount of downtime?

Question239: A company wants to use AWS CloudFormation for infrastructure deployment. The company has strict tagging and resource requirements and wants to limit the deployment to two Regions.
Developers will need to deploy multiple versions of the same application.
Which solution ensures resources are deployed in accordance with company policy?

Question240: You need to migrate 10 million records in one hour into DynamoDB. All records are 1.5KB in size.
The data is evenly distributed across the partition key. How many write capacity units should you provision during this batch load?

Question241: A company uses AWS KMS with CMKs and manual key rotation to meet regulatory compliance requirements. The security team wants to be notified when any keys have not been rotated after
90 days.
Which solution will accomplish this?

Question242: You work for a startup that has developed a new photo-sharing application for mobile devices.
Over recent months your application has increased in popularity; this has resulted in a decrease in the performance of the application clue to the increased load.
Your application has a two-tier architecture that is composed of an Auto Scaling PHP application tier and a MySQL RDS instance initially deployed with AWS CloudFormation.
Your Auto Scaling group has a min value of 4 and a max value of 8. The desired capacity is now at 8 because of the high CPU utilization of the instances.
After some analysis, you are confident that the performance issues stem from a constraint in CPU capacity, although memory utilization remains low.
You therefore decide to move from the general-purpose M3 instances to the compute-optimized C3 instances.
How would you deploy this change while minimizing any interruption to your end users?

Question243: When Ansible's connection state is set to `remote', what method of communication does Ansible utilize to run commands on the remote target host?

Question244: A DevOps engineer is developing an application for a company. The application needs to persist files to Amazon S3. The application needs to upload files with different security classifications that the company defines. These classifications include confidential, private, and public. Files that have a confidential classification must not be viewable by anyone other than the user who uploaded them. The application uses the IAM role of the user to call the S3 API operations.
The DevOps engineer has modified the application to add a DataClassificationtag with the value of confidentialand an Ownertag with the uploading user's ID to each confidential object that is uploaded to Amazon S3.
Which set of additional steps must the DevOps engineer take to meet the company's requirements?

Question245: A new zero-day vulnerability was found in OpenSSL requiring the immediate patching of a production web fleet running on Amazon Linux. Currently, OS updates are performed manually on a monthly basis and deployed using updates to the production Auto Scaling Group's launch configuration. Which method should a DevOps Engineer use to update packages in-place without downtime?

Question246: The project you are working on currently uses a single AWS CloudFormation template to deploy its AWS infrastructure, which supports a multi-tier web application.
You have been tasked with organizing the AWS CloudFormation resources so that they can be maintained in the future, and so that different departments such as Networking and Security can review the architecture before it goes to Production.
How should you do this in a way that accommodates each department, using their existing workflows?

Question247: A Developer is maintaining a fleet of 50 Amazon EC2 Linux servers. The servers are part of an Amazon EC2 Auto Scaling group, and also use Elastic Load Balancing for load balancing.
Occasionally, some application servers are being terminated after failing ELB HTTP health checks. The Developer would like to perform a root cause analysis on the issue, but before being able to access application logs, the server is terminated.
How can log collection be automated?

Question248: Your company releases new features with high frequency while demanding high application availability.
As part of the application's A/B testing, logs from each updated Amazon EC2 instance of the application need to be analyzed in near real-time, to ensure that the application is working flawlessly after each deployment. If the logs show arty anomalous behavior, then the application version of the instance is changed to a more stable one.
Which of the following methods should you use for shipping and analyzing the logs in a highly available manner?

Question249: When deploying to a Docker swarm, which section of the docker-compose file defines configuration related to the deployment and running of services?

Question250: A DevOps Engineer is working with an application deployed to 12 Amazon EC2 instances across
3 Availability Zones. New instances can be started from an AMI image. On a typical day, each EC2 instance has 30% utilization during business hours and 10% utilization after business hours.
The CPU utilization has an immediate spike in the first few minutes of business hours. Other increases in CPU utilization rise gradually.
The Engineer has been asked to reduce costs while retaining the same or higher reliability.
Which solution meets these requirements?

Question251: A company is using AWS CodeDeploy to automate software deployment. The deployment must meet these requirements:
- A number of instances must be available to serve traffic during the
deployment. Traffic must be balanced across those instances, and the
instances must automatically heal in the event of failure.
- A new fleet of instances must be launched for deploying a new
revision automatically, with no manual provisioning.
- Traffic must be rerouted to the new environment to half of the new
instances at a time. The deployment should succeed if traffic is
rerouted to at least half of the instances; otherwise, it should fail.
- Before routing traffic to the new fleet of instances, the temporary
files generated during the deployment process must be deleted.
- At the end of a successful deployment, the original instances in the
deployment group must be deleted immediately to reduce costs.
How can a DevOps Engineer meet these requirements?

Question252: A company has many applications. Different teams in the company developed the applications by using multiple languages and frameworks. The applications run on premises and on different servers with different operating systems. Each team has its own release protocol and process.
The company wants to reduce the complexity of the release and maintenance of these applications.
The company is migrating its technology stacks, including these applications, to AWS. The company wants centralized control of source code, a consistent and automatic delivery pipeline, and as few maintenance tasks as possible on the underlying infrastructure.
What should a DevOps engineer do to meet these requirements?

Question253: A DevOps Engineer is designing a deployment strategy for a web application. The application will use an Auto Scaling group to launch Amazon EC2 instances using an AMI. The same infrastructure will be deployed in multiple environments (development, test, and quality assurance). The deployment strategy should meet the following requirements:
- Minimize the startup time for the instance
- Allow the same AMI to work in multiple environments
- Store secrets for multiple environments securely
How should this be accomplished?

Question254: Which of the following tools does not directly support AWS OpsWorks, for monitoring your stacks?

Question255: When logging with Amazon CloudTrail, API call information for services with regional end points is ____.

Question256: A company is using an AWS CodeBuild project to build and package an application.
The packages are copied to a shared Amazon S3 bucket before being deployed across multiple AWS accounts.
The buildspec.yml file contains the following:

The DevOps Engineer has noticed that anybody with an AWS account is able to download the artifacts.
What steps should the DevOps Engineer take to stop this?

Question257: A DevOps Engineer needs to design and implement a backup mechanism for Amazon EFS. The Engineer is given the following requirements:
- The backup should run on schedule.
- The backup should be stopped if the backup window expires.
- The backup should be stopped if the backup completes before the
backup window.
- The backup logs should be retained for further analysis.
- The design should support highly available and fault-tolerant
paradigms.
- Administrators should be notified with backup metadata.
Which design will meet these requirements?