Amazon AWS Certified DevOps Engineer – Professional DOP-C02 Exam  Dumps and Practice Test Questions Set 2 Q 21- 40

Visit here for our full Amazon AWS Certified DevOps Engineer – Professional DOP-C02 exam dumps and practice test questions.

Question 21

A company uses AWS CodeBuild to run unit and integration tests for all microservices. Builds are taking too long, and the team wants to reduce costs and execution time by caching dependencies across builds. However, builds must remain isolated so that no microservice can access another’s artifacts or dependencies. What is the best solution?

A) Use a shared S3 bucket for all microservices to store cached dependencies.

B) Configure CodeBuild local caching with the local source cache type and assign each microservice its own dedicated project.

C) Use Docker layer caching for all CodeBuild runs with a shared ECR repository.

D) Use a shared file system mounted from EFS to store build caches for all services.

Answer: B)

Explanation

A) A shared S3 bucket for caching dependencies does not prevent microservices from accessing each other’s cached content unless extensive IAM restrictions are applied. Even with restrictions, shared global caching introduces risk of cross-contamination, causing dependency conflicts. The requirement specifies isolation between microservices, and sharing a single bucket does not guarantee adequate separation.

B) CodeBuild local caching allows caching dependencies on the build host between runs of the same build project. When each microservice has its own CodeBuild project, the local cache is isolated per project, ensuring one microservice cannot access another’s cache data. The local source cache type reduces build time by storing restored artifacts and dependency files but keeps caching boundaries separate. This meets both the performance requirement and the isolation requirement without additional overhead.

C) Docker layer caching shared across builds may cause cross-service contamination because Docker layers contain entire filesystem states. If multiple microservices share the same ECR base image or cached layers, one could inadvertently benefit from or access another’s environment layers. This violates the requirement for strict isolation.

D) A shared EFS file system shared across multiple builds introduces cross-service access issues similar to a shared S3 bucket. Strict permissions would need to be implemented per microservice, but CodeBuild containers are ephemeral and enforcing correct isolation is complex. This design also negates performance gains due to EFS latency.

Why the correct answer is B): Local cache per CodeBuild project provides fast performance improvements while ensuring strict separation of caches between microservices.

Question 22

A company operates a multi-step ETL process using AWS Step Functions with Lambda functions. During peak processing times, Lambda concurrency bursts cause throttling in downstream APIs. The company wants to apply backpressure and control concurrency across the entire workflow without changing the business logic. Which solution is most effective?

A) Configure Lambda reserved concurrency for all functions equally.

B) Use Step Functions Map state with MaxConcurrency defined to regulate how many parallel tasks run at once.

C) Add SQS queues between Lambda functions to add natural buffering.

D) Throttle execution manually by adding sleep statements in functions.

Answer: B)

Explanation

A) Reserved concurrency limits execution per function but does not coordinate concurrency across multiple steps. Some functions may still run concurrently in different state transitions, causing unpredictable load on downstream APIs. The requirement is to control workflow-level concurrency, which per-function limits do not address.

B) Step Functions Map state provides built-in concurrency control at the workflow level. MaxConcurrency allows limiting how many iterations run in parallel, effectively applying backpressure without altering function logic. This ensures that processing never exceeds defined limits, protecting downstream systems. It satisfies the requirement to control concurrency across steps without modifying business logic.

C) Introducing SQS queues adds architectural overhead and changes the workflow significantly. While SQS does buffer load, it forces redesign and breaks the atomicity of Step Functions orchestration. This violates the requirement to avoid changing the business logic.

D) Adding sleep statements artificially slows function execution but is inefficient, costly, and unpredictable. It increases runtime costs and does not truly regulate concurrency; it merely delays processing. It is also considered bad practice and does not meet the requirement for workflow-level control.

Why the correct answer is B): MaxConcurrency in Map states directly controls overall workflow concurrency, providing an elegant, native mechanism for backpressure.

Question 23

A company stores container images in Amazon ECR. Developers frequently forget to remove old images, resulting in large storage costs. The DevOps team wants an automated solution that removes unused images but ensures that the latest production and staging versions remain protected. What is the best solution?

A) Use ECR lifecycle policies that delete images older than a certain age.

B) Use ECR lifecycle policies with tag-based rules that retain only images matching specific naming conventions.

C) Manually prune images every month with a scheduled script running on an EC2 instance.

D) Send notifications through SNS whenever developers push new images so they remove old ones manually.

Answer: B)

Explanation

A) Age-based deletion risks removing images that are still needed or that remain assigned to production or staging. Age alone is insufficient to determine whether an image is safe to delete. This can easily remove active or rollback images.

B) Tag-based lifecycle rules allow retention of specific tags while deleting all others. Production and staging images can follow naming conventions such as prod-* and stage-*. Lifecycle policies can be configured to retain these tagged images while removing untagged or temporary ones. This is the most robust and automated method for safely managing ECR cleanup.

C) A scheduled script introduces operational burden and risk of errors. EC2-based automation requires maintenance, security patches, script failures, and manual oversight. It is unnecessary when ECR provides native lifecycle policies.

D) Sending notifications relies on developers manually cleaning images, which is unreliable and inconsistent. Manual cleanup cannot guarantee cost control and does not meet the requirement for automation.

Why the correct answer is B): Tag-based ECR lifecycle rules provide safe, automated cleanup with full protection of critical image tags.

Question 24

A team wants to enforce that all new IAM roles created by CloudFormation include specific tags for compliance. They also want CloudFormation deployments to fail immediately if a role is missing the required tags. What is the best solution?

A) Use AWS Config rules to detect missing tags and notify administrators after deployment.

B) Use IAM policies to block creation of roles without tags.

C) Use CloudFormation Guard rules in the CI/CD pipeline to validate templates before deployment.

D) Use AWS Trusted Advisor to identify untagged IAM roles.

Answer: C)

Explanation

A) AWS Config evaluates deployed resources after they exist. It cannot stop deployment of noncompliant resources. While it can notify or remediate, it does not meet the requirement for immediate deployment failure.

B) IAM policies cannot require tags on creation. IAM conditions for tagging exist for actions like iam:TagRole, but enforcing tag presence for role creation is complex and often ineffective. It also blocks creation, rather than failing CloudFormation deployment safely.

C) CloudFormation Guard allows policy-as-code to validate templates before they are deployed. If required tags are missing, the CI/CD pipeline fails immediately. This enforces compliance at the template level, preventing noncompliant deployments from ever reaching AWS. This meets the requirement perfectly.

D) Trusted Advisor provides general recommendations but does not enforce pre-deployment compliance. It cannot block deployments and is not real-time for CI/CD pipelines.

Why the correct answer is C): CloudFormation Guard enforces policies before deployment, enabling immediate failure if tags are missing.

Question 25

A company uses Amazon S3 to store large log files generated from EC2 instances. A DevOps engineer wants a solution that automatically extracts fields from logs and creates searchable indexes without managing servers. The system must scale automatically and allow fast search queries. What is the best solution?

A) Deploy an ELK stack on EC2 to ingest logs from S3 and index them.

B) Use S3 Select to query logs directly in S3.

C) Use Amazon OpenSearch Serverless with an ingestion pipeline connected to S3.

D) Store logs in DynamoDB and create Global Secondary Indexes for searching.

Answer: C)

Explanation

A) Running an ELK stack on EC2 requires managing cluster scaling, patching, upgrades, and availability. This contradicts the requirement for a serverless, automatically scaling solution.

B) S3 Select can filter data inside objects, but it does not index data or provide full-text search capability. It is not intended for log analytics or high-performance querying.

C) Amazon OpenSearch Serverless provides automatic scaling, index creation, and ingestion pipelines. It can pull logs directly from S3 using Data Prepper pipelines or native ingestion. It provides full-text search, field extraction, indexing, and analytics—all without managing servers. This aligns exactly with the requirement for a serverless, scalable, search-enabled solution.

D) DynamoDB is not suited for full-text search. While GSIs help with structured queries, they cannot index arbitrary log text or support complex searches typical for log analysis.

Why the correct answer is C): OpenSearch Serverless delivers scalable, serverless indexing and search directly from S3, matching all requirements.

Question 26

A company is running an event-driven data ingestion workflow where Amazon Kinesis Data Streams collects messages and AWS Lambda processes them. During heavy ingestion, Lambda concurrency surges, causing throttling on downstream APIs and eventually creating backlogs. The team wants a serverless way to buffer, smooth spikes, and prevent downstream overload while maintaining ordering within partitions. What solution should they implement?

A) Increase Kinesis shard count to distribute incoming load across more Lambda invocations.

B) Use a Lambda function with reserved concurrency limits to restrict how many records are processed at once.

C) Place an SQS FIFO queue between Kinesis and Lambda using an EventBridge Pipe.

D) Add retries within Lambda code to slow down processing when downstream APIs are overloaded.

Answer: C)

Explanation

A) Increasing the shard count may distribute load more broadly but does not actually protect downstream systems. Increasing shards causes more Lambda consumers to run in parallel because Lambda’s Kinesis integration invokes one consumer per shard. This can increase concurrency and worsen API overload. It does nothing to provide buffering or smoothing, nor does it introduce deliberate backpressure.

B) Applying reserved concurrency to Lambda limits execution rates, but it introduces a significant risk: Kinesis requires timely processing to avoid iterator age growth. If concurrency is too limited, the backlog grows rapidly inside Kinesis and may breach retention limits. This method does not add a buffering layer and risks data loss or long delays. It also does not give ordering guarantees beyond a single shard.

C) Using an SQS FIFO queue between Kinesis and Lambda through an EventBridge Pipe creates a dedicated buffering layer. SQS FIFO maintains strict ordering within message groups, aligning with Kinesis partition ordering. The FIFO queue naturally absorbs spikes without increasing Lambda concurrency. When Lambda polls SQS, concurrency scales more predictably and can be tuned safely without risking iterator age issues. This design provides excellent smoothing using a serverless buffer while preserving order.

D) Adding retries inside Lambda code artificially slows execution but does not reduce concurrency. Lambda invocations continue to occur at the rate Kinesis invokes them. Sleeping or retrying inside Lambda only wastes compute time and increases cost. It does not regulate concurrency or provide real buffering.

Why the correct answer is C): The FIFO queue provides a durable buffer, preserves order, and regulates Lambda concurrency using EventBridge Pipes without risking data loss or overwhelming downstream systems.

Question 27

A DevOps team manages a Git-based deployment workflow using AWS CodePipeline. They must ensure that deployments only occur when commits are signed with approved developer keys. Unsigned commits or commits signed by unknown keys must automatically block the pipeline. What solution best fits this requirement?

A) Use AWS CodeCommit approval rules to check commit signatures.

B) Integrate a CodeBuild stage that runs a commit-signature verification script before deployment.

C) Enable CloudTrail data events to detect unsigned pushes.

D) Require MFA for all pushes to the repository.

Answer: B)

Explanation

A) CodeCommit approval rules apply to pull requests, not commit-level signature verification. They cannot inspect GPG or X.509 commit signatures. They also do not prevent commits from being pushed; they only manage PR approvals. This does not meet the requirement for commit signature enforcement.

B) Running a CodeBuild stage with a verification script is the most precise and enforceable method. Open-source tools such as git-verify-commit or GPG verification can run in the pipeline. If verification fails, the build exits with a nonzero status, causing the pipeline to block automatically. This approach works for any Git provider, ensures enforcement before deployment, and integrates cleanly with existing CI/CD steps.

C) CloudTrail cannot detect unsigned commits because Git commits and pushes do not generate AWS API-level data events describing signature status. CloudTrail only logs repository API actions, not commit internals. This cannot enforce signature requirements.

D) Requiring MFA adds authentication security but does not validate commit signatures. It does nothing to ensure that commits come from trusted identities or that they are cryptographically signed.

Why the correct answer is B): A CodeBuild signature verification stage enforces commit authentication in CI/CD and blocks deployment if commits are unsigned or untrusted.

Question 28

An application runs on Amazon ECS using Fargate. During deployments, tasks sometimes fail health checks because container startup times vary. The DevOps team wants deployments with baked-in stability, automatic monitoring of task health, adjustable bake times, and rollback if new tasks fail. Which solution is the best fit?

A) Use ECS rolling updates with a custom health check grace period.

B) Use CodeDeploy with blue/green ECS deployments and automatic rollback.

C) Use CloudFormation to deploy ECS tasks and rely on stack rollback behavior.

D) Use an ALB target group with slow start enabled.

Answer: B)

Explanation

A) ECS rolling updates do support adjusting health check grace periods, but they do not provide automatic rollback based on health check failures. If a deployment produces failing tasks across a service, ECS may leave the service in a degraded state without a full rollback mechanism. Bake times are limited and not as flexible as blue/green strategies.

B) CodeDeploy supports ECS blue/green deployments, including configurable traffic shifting, automatic bake times, health monitoring, and rollback triggers tied to CloudWatch alarms. It ensures that new tasks run in a separate environment before traffic shifts. If tasks fail, rollback is automatic. This fully satisfies the requirements for stability, monitoring, bake times, and rollback behavior.

C) CloudFormation rollbacks apply only when the stack deploy fails at the resource creation level. They cannot manage gradual traffic shifting, baked-in stabilization, or monitoring of task health beyond stack creation. It cannot roll back application-level health failures reliably.

D) ALB slow start improves load distribution to new targets gradually but does not control deployment rollback or stability. It provides no mechanism to manage bake times or detect failing deployments. It is useful but insufficient for deployment orchestration.

Why the correct answer is B): CodeDeploy ECS blue/green deployments are purpose-built to provide safe rollouts, bake time, automated monitoring, and rollback.

Question 29

A company uses IAM roles for service-to-service authentication. They need an automated way to detect overly permissive IAM roles, validate policies against best practices, and prevent deployment of roles that violate security controls. This must happen before resources are deployed. What solution meets this requirement?

A) Use Access Advisor insights to manually review permissions for IAM roles.

B) Use AWS IAM Access Analyzer policy validation integrated into CI/CD pipelines.

C) Use SCPs in AWS Organizations to restrict IAM role creation for certain services.

D) Use Config rules to detect overly permissive IAM roles after deployment.

Answer: B)

Explanation

A) Access Advisor is manual, reactive, and operates only after roles exist. It gives historical usage but cannot block deployment of insecure policies. This fails the requirement for automatic pre-deployment validation.

B) IAM Access Analyzer includes policy validation that checks for wildcards, risky privileges, cross-account access, and privilege escalation paths. These validations can run in CI/CD pipelines using the Access Analyzer API or CLI. If the policy violates best practices, the build fails immediately. This enforces security before deployment and provides automated continuous compliance.

C) SCPs restrict the set of allowed operations but do not validate the quality of policies being created. They cannot block insecure structure within a role’s inline policy. They are coarse-grained controls, not policy analyzers.

D) Config rules evaluate deployed resources, not templates. They cannot prevent deployment of insecure roles and only detect issues after the fact. This does not meet the requirement for pre-deployment prevention.

Why the correct answer is B): IAM Access Analyzer pre-deployment validation enforces secure policies in CI/CD and prevents insecure roles from being created.

Question 30

A company stores compliance documents in Amazon S3. DevOps engineers frequently need to compare document versions, detect data drift, and ensure that changes follow governance rules. They want a serverless solution that tracks object versions, processes diffs, and generates alerts when unauthorized changes occur. What should they use?

A) Enable S3 Versioning and manually compare versions using the console.

B) Use AWS Glue to crawl documents regularly and compare metadata.

C) Use Amazon EventBridge with S3 event notifications triggering a Lambda function that compares object versions and sends alerts.

D) Use CloudTrail object-level logging to track all S3 changes.

Answer: C)

Explanation

A) Manual comparisons do not scale and cannot generate automatic alerts. They do not meet the requirement for automated drift detection.

B) AWS Glue crawlers discover schema and metadata, not file content differences. It cannot detect unauthorized changes or compare full document versions.

C) EventBridge can receive notifications whenever an S3 object is created or updated. A Lambda function triggered by these events can retrieve the previous version and run comparison logic to detect drift. If unauthorized or unexpected changes are found, the Lambda function can raise alerts through SNS or EventBridge. This is fully serverless, automated, and capable of analyzing version differences at scale.

D) CloudTrail object-level logging shows API events but does not compare file contents. It logs who modified an object, not whether the modification violates governance or how content changed.

Why the correct answer is C): The combination of S3 Versioning, EventBridge, and Lambda enables fully automated, serverless drift detection based on document content comparisons.

Question 31

A DevOps team manages a multi-account AWS Organization. They want a standardized way to ensure that every new account has mandatory guardrails: IAM role baselines, CloudTrail enabled, Config rules, tagging policies, and centralized logging. These controls must be automatically applied at account creation without manual steps. What is the best solution?

A) Use AWS CloudFormation StackSets to manually deploy the baseline into each new account.

B) Use AWS Service Catalog to enforce standard templates for all new accounts.

C) Use AWS Control Tower with landing zone guardrails and account factory.

D) Use SCPs to require compliance with mandatory services.

Answer: C)

Explanation

A) StackSets can deploy shared resources, but require manual triggers or scripting to apply them whenever new accounts are created. They do not provide full governance automation or guardrail enforcement.

B) Service Catalog manages provisioned resources but does not automatically configure new AWS accounts or apply organization-wide guardrails.

C) AWS Control Tower automatically sets up landing zones with guardrails, centralized logging, CloudTrail, Config, and baseline IAM roles. New accounts created via the Account Factory are automatically enrolled and configured. This is the purpose-built solution for multi-account governance automation.

D) SCPs can restrict actions but do not create mandatory resources such as CloudTrail or Config. They are guardrails, not provisioning tools.

Why the correct answer is C): Control Tower is the only AWS-native product that automates governance baselines across all new accounts with no manual intervention.

Question 32

An engineering team runs a CI/CD pipeline deploying to an Amazon EKS cluster. They want deployments that:

gradually shift traffic,

monitor service health,

automatically roll back failures,

and integrate natively with Kubernetes manifests.

What should they use?

A) EKS managed node groups with PodDisruptionBudgets.

B) Argo Rollouts for progressive delivery.

C) ALB Ingress slow start mode.

D) Kubernetes Horizontal Pod Autoscaler (HPA).

Answer: B)

Explanation

A) PodDisruptionBudgets protect availability during node upgrades, not during application rollouts. They do not control traffic shifting or rollback automations.

B) Argo Rollouts provides blue/green and canary deployments, traffic shaping, health checks, and automatic rollback. It integrates directly with Kubernetes manifests and is the standard tool for progressive delivery on EKS.

C) ALB slow start helps warm new targets but does not manage deployment rollbacks, analysis, or progressive rollout strategies.

D) HPA scales pods but does not manage deployment rollout strategies or traffic shifting.

Why the correct answer is B): Argo Rollouts meets all requirements for progressive, observable, automated deployment control on EKS.

Question 33

A serverless application processes real-time IoT sensor data using AWS Lambda. The team wants to add distributed tracing so they can follow a request from ingestion through Lambda, DynamoDB writes, and API responses. They want minimal code changes and a fully managed service. What is the best solution?

A) Enable AWS X-Ray active tracing on Lambda and use X-Ray SDK for all services.

B) Use CloudWatch Logs Insights to correlate logs manually.

C) Deploy a custom OpenTelemetry collector on EC2.

D) Tag logs with correlation IDs within the application.

Answer: A)

Explanation

A) AWS X-Ray active tracing provides end-to-end distributed tracing across Lambda, DynamoDB, API Gateway, and other AWS services. Minimal code changes are required, and it is fully managed. It automatically injects and propagates trace headers.

B) CloudWatch Logs Insights allows querying logs but not generating distributed traces or visual flame graphs. It requires manual correlation.

C) Deploying an OpenTelemetry collector on EC2 introduces operational overhead and contradicts the requirement for a fully managed solution.

D) Adding correlation IDs can help debugging, but it does not create end-to-end distributed traces or provide service maps and segment visualization.

Why the correct answer is A): Enable X-Ray to get built-in, managed distributed tracing with minimal overhead.

Question 34

A company’s Lambda-based API is showing inconsistent performance due to cold starts. They want to reduce cold starts while optimizing cost and without keeping all functions warm 24/7. Some endpoints are high traffic; others are rarely accessed. What approach should they take?

A) Enable Provisioned Concurrency only on frequently used Lambda functions.

B) Increase the memory size of all Lambda functions.

C) Use VPC-enabled Lambdas to reduce cold start times.

D) Replace Lambda with ECS Fargate.

Answer: A)

Explanation

A) Provisioned Concurrency eliminates cold starts and can be applied selectively to high-traffic or latency-sensitive functions. This optimizes cost by not enabling it on rarely used functions.

B) Increasing memory improves runtime performance but does not eliminate cold starts; it may even increase their duration.

C) VPC-enabled Lambdas increase cold start duration unless using Hyperplane improvements, but they still do not outperform Provisioned Concurrency for consistent latency.

D) Replacing Lambda with Fargate eliminates cold starts but adds complexity and cost, which contradicts the requirement for cost optimization and selective application.

Why the correct answer is A): Provisioned Concurrency applied only to high-traffic functions optimally balances performance and cost.

Question 35

A development team wants to improve the reliability of their Terraform deployments. They need automation that:

runs policy checks before terraform apply,

enforces compliance (e.g., no public S3 buckets, mandatory tags),

blocks changes that violate rules,

integrates cleanly in CI/CD pipelines.

What should they use?

A) AWS Config managed rules.

B) Sentinel policies with Terraform Cloud or Enterprise.

C) Git pre-commit hooks.

D) AWS CloudFormation Guard.

Answer: B)

Explanation

A) AWS Config evaluates deployed resources after they already exist. It cannot block Terraform deployments before they happen.

B) Sentinel policies in Terraform Cloud/Enterprise enforce policy-as-code checks before Terraform apply. They can block noncompliant infrastructure changes, integrate with CI/CD, and provide rich policy logic. This matches every requirement.

C) Git pre-commit hooks can help style and local checks but are not enforceable in CI/CD and cannot act on Terraform plan output.

D) CloudFormation Guard validates CloudFormation templates, not Terraform plans. It does not apply to Terraform at all.

Why the correct answer is B): Sentinel provides pre-deployment policy enforcement and blocks noncompliant Terraform changes.

Question 36

A company runs multiple Amazon ECS services on Fargate behind an Application Load Balancer (ALB). They are deploying a new microservice, but the rollout often causes unhealthy targets due to traffic hitting partially initialized containers. They want safe, automated rollouts with traffic shifting, health monitoring, and automatic rollback. Which solution is best?

A) Use ECS rolling updates with a custom health check grace period.

B) Use CodeDeploy blue/green deployments with ECS and ALB integration.

C) Rely on CloudFormation stack updates and stack rollback behavior.

D) Use ALB slow start mode to gradually warm new targets.

Answer: B)

Explanation

A) ECS rolling updates allow gradual replacement of tasks within a service, and adjusting the health check grace period can prevent premature marking of newly started tasks as unhealthy. However, rolling updates have several limitations. First, they cannot fully automate rollback if unhealthy targets appear due to misconfigurations, application-level errors, or failing startup sequences. ECS rolling updates primarily focus on infrastructure replacement; they lack integrated traffic monitoring with metrics that trigger automatic rollbacks. While a health check grace period can prevent immediate task failures, it cannot handle situations where tasks start correctly but produce application errors after serving requests. Rolling updates also do not natively provide controlled traffic shifting for production traffic; all replacement tasks gradually replace the old ones but without nuanced canary-style traffic shifting or monitoring. This approach provides partial protection but does not satisfy the requirement for full automation, monitoring, and rollback.

B) CodeDeploy blue/green deployments for ECS are explicitly designed to handle this exact scenario. They create a separate target group and deploy new tasks to it while leaving the existing service running. Traffic is shifted gradually from the old service to the new one using configurable weights, such as 10% every five minutes. CodeDeploy monitors the health of the new targets using CloudWatch alarms, ALB health checks, or custom metrics. If any alarm triggers during the deployment, CodeDeploy automatically rolls back traffic to the previous environment and terminates the new tasks. This approach guarantees that traffic is not sent to partially initialized or failing containers and provides a controlled, automated rollout with immediate rollback on failure. Additionally, it integrates seamlessly with ALB and ECS, preserving target health, monitoring application metrics, and ensuring zero-downtime deployment. It is fully serverless in the sense that no additional orchestration or manual intervention is needed, providing a robust, repeatable, and safe deployment strategy.

C) CloudFormation stack updates provide rollback for resource-level failures, such as failed ECS service creation or task definition registration failures. However, CloudFormation does not monitor runtime health metrics of containers once they are deployed and serving traffic. Stack rollback only occurs if the infrastructure deployment itself fails. It cannot prevent partially initialized containers from receiving production traffic or automatically shift traffic back in response to runtime application failures. It also cannot enforce canary-style rollouts or health-based rollback mechanisms. This approach cannot satisfy the requirement for safe, traffic-aware, and automatic rollback of ECS application rollouts.

D) ALB slow start mode gradually increases the rate at which requests are sent to a new target to allow the target to “warm up” before handling full traffic. While this helps with initial performance stabilization, it does not provide rollback capabilities, monitor application-level errors, or prevent unhealthy containers from receiving traffic in a broader sense. Slow start is purely a traffic pacing feature; it cannot handle failures during deployment, cannot shift traffic incrementally in multiple steps, and cannot automate rollbacks. It does not meet the requirement for safe, fully automated blue/green deployments with monitoring and rollback.

Why the correct answer is B): CodeDeploy ECS blue/green deployments directly address all concerns: gradual traffic shifting, runtime health monitoring, and automatic rollback. ECS rolling updates and ALB slow start provide partial mitigation but lack automated rollback. CloudFormation only handles infrastructure failures. Blue/green deployment with CodeDeploy is purpose-built to eliminate exposure to partially initialized or failing containers during deployments, providing a safe, controlled, and automated deployment mechanism.

Question 37

A company uses AWS Lambda for processing IoT sensor data ingested through Kinesis Data Streams. During peak ingestion periods, Lambda invocations surge, overwhelming downstream DynamoDB tables. They want a serverless solution that smooths spikes, ensures ordering per device, prevents throttling, and avoids data loss. What is the best solution?

A) Increase Kinesis shard count to handle more Lambda concurrency.

B) Limit Lambda concurrency using reserved concurrency settings.

C) Insert an SQS FIFO queue between Kinesis and Lambda.

D) Implement retries with exponential backoff in Lambda code.

Answer: C)

Explanation

A) Increasing Kinesis shards improves throughput, as each shard can support up to a fixed number of records per second. It may seem logical to distribute load across more shards, but this has unintended consequences. Lambda’s Kinesis event source mapping spawns one consumer per shard. Increasing shards increases the number of concurrent Lambda invocations during ingestion spikes. This can exacerbate downstream throttling on DynamoDB tables rather than mitigating it. It also introduces management overhead for shard splits and rebalancing and does not provide any form of buffering or controlled throttling to downstream systems. Ordering per device is not inherently guaranteed unless each device maps to its own shard, which is not always practical at scale. This approach fails to meet the requirement for smoothing spikes and preventing throttling while maintaining order.

B) Limiting Lambda concurrency using reserved concurrency prevents Lambda from scaling beyond a fixed number of concurrent executions. While this reduces immediate downstream load, it introduces backpressure on the Kinesis stream. Messages that cannot be processed remain in the shard iterator, leading to increased iterator age and potential retention expiry. It does not provide a durable buffer for spikes and could result in throttled or dropped events if iterator age grows excessively. Furthermore, concurrency limits apply globally per function and do not manage fine-grained ordering per device. This is not an ideal solution for maintaining order and throughput guarantees.

C) Inserting an SQS FIFO queue between Kinesis and Lambda provides a serverless buffer that smooths spikes effectively. The FIFO queue maintains strict ordering per message group ID, which can be mapped to each IoT device ID, satisfying the ordering requirement. Lambda can poll from the queue with controlled concurrency, allowing predictable throughput to downstream DynamoDB tables without overwhelming them. SQS ensures message durability, preventing data loss during spikes. EventBridge Pipes or Lambda event source mappings can facilitate this integration with minimal code changes. This design decouples ingestion from processing, provides spike absorption, and guarantees order per device, fully meeting the stated requirements.

D) Implementing retries with exponential backoff inside Lambda only slows down processing of failed items but does not limit concurrency or provide a durable buffer for incoming spikes. During periods of high ingestion, Lambda invocations will still spike concurrently, potentially overwhelming DynamoDB and increasing costs. Retrying alone does not manage ordering, smooth traffic, or prevent data loss if throttling occurs. This solution is reactive, not proactive, and insufficient for the problem.

Why the correct answer is C): Using an SQS FIFO queue between Kinesis and Lambda provides ordering, durability, and throttled processing. Unlike shard scaling or concurrency limits, it absorbs spikes and prevents downstream throttling. Retries alone or shard splitting are insufficient for maintaining predictable, ordered, and safe processing.

Question 38

A DevOps engineer needs to ensure that all new Terraform modules deployed through CI/CD comply with organizational security standards, including tag enforcement, encryption settings, and disallowing public resources. Violations should block deployment. Which solution is best?

A) AWS Config rules.

B) Sentinel policies with Terraform Cloud or Enterprise.

C) Git pre-commit hooks.

D) CloudFormation Guard.

Answer: B)

Explanation

A) AWS Config rules can evaluate compliance of deployed resources after creation. While they are useful for monitoring and reporting drift, they do not prevent noncompliant Terraform modules from being deployed. The requirement specifies blocking deployment before resources are created, which Config cannot accomplish. It is reactive rather than proactive, meaning violations may be detected after they are already live, leaving windows of noncompliance.

B) Sentinel policies in Terraform Cloud/Enterprise enforce policy-as-code checks during the terraform plan or terraform apply phases. Policies can validate tagging, encryption, resource type restrictions, and other custom organizational requirements. If a module violates any policy, Terraform execution is blocked, and the CI/CD pipeline fails automatically. This proactive enforcement ensures compliance before resources are provisioned, preventing drift or insecure configurations. Sentinel integrates with CI/CD pipelines to provide automated, repeatable, and scalable compliance checks, meeting all stated requirements. It also allows sophisticated conditional logic, referencing variables, and modular policies, enabling granular enforcement across diverse environments.

C) Git pre-commit hooks are useful for enforcing style and local checks, but they operate only on developers’ local machines. They cannot enforce rules across CI/CD pipelines or ensure deployment compliance. Developers could bypass hooks, and policies are not centrally enforceable. They do not meet the requirement for automated enforcement during pipeline execution.

D) CloudFormation Guard validates CloudFormation templates for compliance before deployment, but it cannot validate Terraform plans. While Guard is a powerful tool for CloudFormation, it is incompatible with Terraform modules and therefore cannot fulfill the requirement in a Terraform CI/CD context.

Why the correct answer is B): Sentinel policies proactively validate Terraform modules in CI/CD, block violations, and enforce organizational security requirements before any resources are created, satisfying the need for automated, pre-deployment compliance enforcement.

Question 39

A company wants to monitor Lambda-based serverless APIs end-to-end, tracking execution from API Gateway through Lambda, DynamoDB, and S3. They require automatic tracing, minimal code changes, visualization of bottlenecks, and integration with AWS-native services. Which solution is best?

A) Enable AWS X-Ray active tracing.

B) Use CloudWatch Logs Insights to manually correlate logs.

C) Deploy OpenTelemetry on EC2 to collect traces.

D) Implement application-level correlation IDs manually.

Answer: A)

Explanation

A) AWS X-Ray active tracing provides end-to-end visibility across serverless and AWS services. When enabled on Lambda and API Gateway, it automatically instruments requests, propagates trace headers, and captures segment data for DynamoDB, S3, and other AWS SDK calls. X-Ray builds a service map, allowing visualization of latency, errors, and bottlenecks. Minimal code changes are needed—mainly enabling the SDK or tracing in Lambda settings. It integrates seamlessly with CloudWatch and is fully managed, scaling automatically with traffic. It provides automatic insight into distributed workloads, enabling engineers to identify slow segments, error spikes, and performance bottlenecks.

B) CloudWatch Logs Insights allows developers to query logs and identify issues. However, it is manual, does not produce service maps, cannot automatically correlate traces across services, and does not visualize distributed latency. While useful for ad hoc investigation, it is inadequate for real-time, automated end-to-end tracing.

C) Deploying OpenTelemetry on EC2 introduces operational overhead, requires manual configuration, maintenance, scaling, and cannot automatically instrument Lambda functions without significant effort. This contradicts the requirement for minimal code changes and AWS-native integration. It is also less cost-efficient compared to X-Ray’s fully managed service.

D) Manually implementing correlation IDs helps track requests but requires pervasive instrumentation, is error-prone, and does not provide automated visualization, analytics, or integration with AWS-native services. It cannot provide the same level of insight as X-Ray service maps.

Why the correct answer is A): X-Ray automatically instruments AWS services, provides distributed traces, service maps, and bottleneck analysis, all with minimal code changes, fully meeting the requirement for end-to-end serverless observability.

Question 40

A company uses S3 to store critical compliance documents. They want automated drift detection, version comparison, and alerts whenever unauthorized or unexpected changes occur. The solution must be serverless, scalable, and detect differences between object versions. What is the best solution?

A) Enable S3 Versioning and manually compare versions.

B) Use AWS Glue to crawl and compare metadata.

C) Use S3 event notifications with EventBridge and a Lambda function to compare versions.

D) Use CloudTrail object-level logging.

Answer: C)

Explanation

A) Manual comparison is not scalable. While S3 Versioning preserves past versions, relying on humans to check differences is impractical for large datasets. It does not provide automated alerts, serverless execution, or drift detection.

B) AWS Glue crawlers analyze schema and metadata, which is insufficient for content-level drift detection. They cannot compare actual document content or detect unauthorized changes. Using Glue would also introduce unnecessary operational overhead for purely detection purposes.

C) S3 event notifications can trigger an EventBridge event whenever an object is created, overwritten, or deleted. A Lambda function triggered by these events can fetch the previous version using version IDs and perform content comparison or validation logic. If unauthorized or unexpected changes are detected, the Lambda function can send alerts through SNS or EventBridge, ensuring automated, serverless monitoring. This design scales automatically with the number of objects, requires no servers, and can enforce custom governance logic. It effectively tracks drift, compares versions, and triggers notifications without manual intervention. Using Lambda and EventBridge ensures real-time, event-driven, fully serverless compliance monitoring.

D) CloudTrail logs object-level API calls, recording who accessed or modified S3 objects. While it provides audit logs, it does not detect content-level differences or provide real-time drift detection. Alerts and comparisons must be built separately, making it less automated and less precise for detecting unauthorized changes.

Why the correct answer is C): EventBridge-triggered Lambda functions with S3 Versioning provide automated, serverless, scalable detection of unauthorized changes and version comparison, satisfying all requirements.