Amazon AWS Certified DevOps Engineer – Professional DOP-C02 Exam Dumps and Practice Test Questions Set 4 Q 61-80

Visit here for our full Amazon AWS Certified DevOps Engineer – Professional DOP-C02 exam dumps and practice test questions.

Question 61

A company is deploying microservices to Amazon EKS and wants to implement progressive deployments with automatic rollback if new pods fail health checks. Traffic should be shifted gradually, and the solution must integrate natively with Kubernetes manifests. What is the best solution?

A) Use EKS managed node groups with PodDisruptionBudgets.

B) Use Argo Rollouts for canary and blue/green deployments.

C) Configure ALB slow start mode.

D) Use Kubernetes Horizontal Pod Autoscaler (HPA).

Answer: B)

Explanation

A) PodDisruptionBudgets (PDBs) are Kubernetes resources that ensure minimum availability of pods during voluntary disruptions, such as node maintenance or scaling events. They are designed to prevent simultaneous eviction of too many pods, preserving application availability. While PDBs are crucial for operational stability, they do not manage deployments, traffic shifting, or rollback. PDBs cannot automatically detect pod health failures during new deployments or gradually shift traffic between old and new pods. Using PDBs alone addresses only pod availability during maintenance and does not meet the requirements for progressive deployments with rollback.

B) Argo Rollouts is a Kubernetes controller built specifically for progressive delivery. It supports canary and blue/green deployments, gradual traffic shifting, and automatic rollback based on pod health checks or metrics from monitoring systems like Prometheus. Argo Rollouts integrates natively with Kubernetes manifests, allowing teams to define deployment strategies declaratively. Traffic can be controlled using service mesh integrations such as Istio, App Mesh, or ingress controllers, enabling fine-grained, incremental rollout. Metrics can trigger automatic rollback if new pods fail, ensuring safe deployments. This solution directly meets all requirements: progressive deployment, traffic control, Kubernetes-native configuration, and automated rollback, making it the most suitable choice for EKS microservices.

C) ALB slow start mode gradually increases traffic to new targets to prevent sudden spikes in load. While useful for mitigating initial load impacts, slow start does not implement canary or blue/green deployments, cannot detect failing pods at the application level, and does not provide automatic rollback. Slow start only modulates traffic rate; it does not manage deployment strategy or monitor pod health, making it insufficient for the given requirements.

D) Kubernetes Horizontal Pod Autoscaler (HPA) adjusts the number of pods in a deployment based on metrics like CPU, memory, or custom metrics. HPA ensures application scalability under load but does not control deployment strategy, traffic shifting, or rollback. HPA addresses performance scaling rather than deployment safety, so it does not meet the stated requirements.

Why the correct answer is B): Argo Rollouts provides the full solution for safe, progressive deployments with traffic shifting and automatic rollback. PDBs, ALB slow start, and HPA address only partial concerns and cannot enforce progressive deployment strategies.

Question 62

A company processes high-volume logs stored in Amazon S3. They want serverless analytics that can extract fields, index data, and provide fast search queries without managing servers. Which solution meets the requirement?

A) Deploy an ELK stack on EC2.

B) Use S3 Select to query logs.

C) Use Amazon OpenSearch Serverless with S3 ingestion pipelines.

D) Store logs in DynamoDB with Global Secondary Indexes.

Answer: C)

Explanation

A) Deploying an ELK stack on EC2 allows indexing and querying of logs, but it requires manual provisioning, scaling, and maintenance. ELK is not serverless, and operational overhead is high. Scaling for high-volume log data requires careful planning and additional infrastructure, which contradicts the requirement for a serverless, fully managed solution.

B) S3 Select allows querying individual objects in S3 using SQL expressions. While it can filter or extract data from single objects, it does not provide indexing or full-text search across multiple objects. S3 Select is suitable for ad hoc queries but cannot efficiently handle large-scale, searchable log analytics.

C) Amazon OpenSearch Serverless is a fully managed, serverless option for log analytics. Logs can be ingested directly from S3 using ingestion pipelines, automatically indexed, and queried quickly. OpenSearch Serverless scales dynamically with demand and supports field extraction, indexing, and search, providing near-real-time analytics without server management. It meets all requirements: serverless operation, indexing, search capability, and integration with S3.

D) DynamoDB is optimized for structured key-value or document data with low-latency access. While Global Secondary Indexes enable efficient querying of structured attributes, DynamoDB does not support full-text search or analytics across unstructured log data. Using DynamoDB would require additional services for search capabilities, which increases complexity and operational overhead.

Why the correct answer is C): OpenSearch Serverless is a fully managed, serverless solution that provides field extraction, indexing, and fast search queries for logs in S3. Other options either require manual server management, are limited in query capability, or are not suitable for unstructured log analytics.

Question 63

A DevOps team uses AWS Lambda for serverless APIs. Cold starts are causing inconsistent latency. They want minimal code changes, optimized cost, and reduced latency for frequently accessed endpoints. Which solution is best?

A) Enable Provisioned Concurrency for high-traffic functions.

B) Increase memory allocation for all Lambda functions.

C) Enable VPC for Lambda functions.

D) Replace Lambda with ECS Fargate.

Answer: A)

Explanation

A) Provisioned Concurrency pre-warms Lambda execution environments so that requests are served without cold starts. Applying it to high-traffic functions ensures that frequently invoked endpoints have minimal latency, while low-traffic functions remain on-demand, optimizing cost. Minimal configuration changes are needed. This approach directly addresses cold start latency, reduces variability, and maintains serverless efficiency.

B) Increasing memory allocation provides more CPU and can indirectly reduce cold start time. However, it does not eliminate cold starts, and costs rise for every invocation, regardless of traffic patterns. This solution is less precise and less cost-effective than Provisioned Concurrency.

C) Deploying Lambda in a VPC historically increased cold start latency due to Elastic Network Interface (ENI) attachment overhead. Even with improvements in Hyperplane networking, VPC placement does not eliminate cold starts and can complicate initialization. It is not a viable solution for reducing latency.

D) Replacing Lambda with ECS Fargate avoids cold starts but introduces operational complexity. Fargate requires container management, scaling configurations, and more overhead, violating the minimal code-change requirement and increasing cost.

Why the correct answer is A): Provisioned Concurrency selectively eliminates cold starts, reducing latency for high-traffic endpoints while controlling costs. Other options either do not eliminate cold starts, increase cost unnecessarily, or add operational burden.

Question 64

A company wants to enforce pre-deployment compliance on all Terraform modules deployed via CI/CD, including mandatory tags, encryption, and prohibited resource types. Violations must block deployment. Which solution is best?

A) AWS Config rules.

B) Sentinel policies with Terraform Cloud/Enterprise.

C) Git pre-commit hooks.

D) CloudFormation Guard.

Answer: B)

Explanation

A) AWS Config evaluates compliance after resources are deployed. While Config can alert or remediate noncompliance, it cannot prevent noncompliant Terraform modules from being deployed. Post-deployment enforcement violates the requirement for CI/CD pre-deployment blocking.

B) Sentinel policies in Terraform Cloud/Enterprise provide policy-as-code evaluated during terraform plan or terraform apply. Policies can enforce mandatory tags, encryption, and prohibit specific resource types. Violations automatically fail Terraform runs, blocking deployment. Sentinel integrates with CI/CD pipelines, providing centralized, automated governance. This approach ensures pre-deployment enforcement, scalable policy application, and proactive compliance.

C) Git pre-commit hooks enforce policies locally and can be bypassed. They are not reliable for CI/CD pipeline enforcement, and cannot automatically block Terraform apply operations. Hooks do not provide centralized, pre-deployment enforcement.

D) CloudFormation Guard validates CloudFormation templates, not Terraform modules. It cannot evaluate Terraform plans, making it incompatible for Terraform-based pipelines.

Why the correct answer is B): Sentinel provides automated, pre-deployment compliance enforcement for Terraform modules in CI/CD, blocking violations and ensuring organizational policies are applied. Config, pre-commit hooks, and Guard either act post-deployment, are unreliable, or are incompatible.

Question 65

A company wants serverless, automated detection of unauthorized changes to compliance documents in S3, including drift detection, version comparison, and real-time alerts. Which solution is best?

A) Enable S3 Versioning and manually compare versions.

B) Use AWS Glue to crawl and compare metadata.

C) Use EventBridge with S3 notifications triggering Lambda to compare versions.

D) Use CloudTrail object-level logging.

Answer: C)

Explanation

A) Manual comparison with S3 Versioning preserves prior versions but is labor-intensive, error-prone, and cannot scale for automated detection. It also lacks real-time alerts and serverless automation, failing the requirements for compliance monitoring.

B) AWS Glue can crawl S3 and extract metadata, but it cannot compare object content or detect unauthorized changes. Glue is better suited for ETL and schema discovery rather than automated compliance monitoring. Using Glue would add unnecessary operational complexity.

C) EventBridge with S3 notifications provides a serverless, automated solution. S3 can trigger events on object creation, update, or deletion. A Lambda function can retrieve prior object versions via version IDs, perform content comparison, and detect unauthorized changes. Alerts can be sent via SNS or EventBridge if anomalies are detected. This solution meets all requirements: drift detection, version comparison, real-time alerts, and serverless operation. It scales automatically, requires minimal operational effort, and integrates seamlessly with AWS services.

D) CloudTrail object-level logging captures API calls on S3 objects. While useful for auditing, it cannot detect content changes or perform automated drift detection. CloudTrail is reactive, does not compare versions, and cannot trigger immediate alerts without additional automation.

Why the correct answer is C): EventBridge-triggered Lambda provides fully serverless, automated, and scalable detection of unauthorized S3 changes, with version comparison and real-time alerting. Manual comparison, Glue, and CloudTrail alone do not fulfill all requirements.

Question 66

A company uses multiple AWS Lambda functions triggered by Kinesis Data Streams. During traffic spikes, downstream DynamoDB tables get throttled, causing data loss. The team wants to smooth spikes, preserve ordering per device, and prevent throttling. Which solution is best?

A) Increase the Kinesis shard count.

B) Limit Lambda concurrency with reserved concurrency.

C) Insert an SQS FIFO queue between Kinesis and Lambda.

D) Implement retries with exponential backoff in Lambda code.

Answer: C)

Explanation

A) Increasing the Kinesis shard count increases the number of shards that Lambda can process in parallel. While this can improve throughput for Kinesis itself, it also increases concurrent Lambda invocations, which may further overwhelm downstream DynamoDB tables. This approach addresses only ingestion capacity but does not provide traffic smoothing, durable buffering, or guarantee ordering per device. Shard-level ordering exists, but device-to-shard mapping must be carefully managed, making this solution partially effective but not sufficient to meet the requirements.

B) Limiting Lambda concurrency via reserved concurrency can prevent DynamoDB throttling by capping concurrent invocations. However, limiting concurrency introduces backpressure on Kinesis. Records may remain unprocessed in the shard, causing increased iterator age or potential data loss if retention periods expire. Reserved concurrency controls the number of active functions but does not smooth spikes, provide durable buffering, or guarantee per-device ordering. It is a reactive control rather than a proactive solution.

C) SQS FIFO queues provide a serverless, durable buffer between Kinesis and Lambda. Messages can be grouped by device ID to preserve strict ordering, while Lambda consumes the queue at a controlled rate, preventing DynamoDB throttling. FIFO queues automatically handle bursts, smoothing traffic and ensuring reliability. Failed processing can trigger retries or be sent to a Dead Letter Queue (DLQ), maintaining integrity. This design decouples ingestion from processing, allows for backpressure handling, maintains ordering per device, and provides fault-tolerant, serverless scaling, meeting all requirements comprehensively.

D) Implementing retries with exponential backoff in Lambda helps handle transient failures but does not prevent DynamoDB throttling during spikes. Retries are reactive; they respond to failures rather than smoothing traffic proactively. Ordering cannot be guaranteed solely with backoff, and data loss may still occur if retries fail or exceed Lambda execution limits. This option does not address the requirement for durable buffering or ordering per device.

Why the correct answer is C):SQS FIFO queues provide a serverless, reliable buffer that preserves ordering, smooths traffic spikes, and prevents downstream throttling. Increasing shards or limiting concurrency address only parts of the problem, and retries alone are insufficient for proactive spike management.

Question 67

A company wants end-to-end distributed tracing for serverless APIs, covering API Gateway, Lambda, DynamoDB, and S3. They require minimal code changes, visualization of latency, and detection of bottlenecks. Which solution is best?

A) Enable AWS X-Ray active tracing.

B) Use CloudWatch Logs Insights for manual correlation.

C) Deploy OpenTelemetry on EC2 instances.

D) Implement manual correlation IDs across services.

Answer: A)

Explanation

A) AWS X-Ray active tracing provides fully managed distributed tracing. It captures segments and subsegments for Lambda, API Gateway, DynamoDB, S3, and other AWS services. A service map is generated to visualize latency, errors, and bottlenecks. Minimal code changes are required—simply enable active tracing in Lambda and optionally use X-Ray SDK for custom subsegments. X-Ray scales automatically with serverless workloads, integrates with CloudWatch dashboards, and provides near real-time insights. This approach meets all requirements: serverless integration, minimal coding, visualization, and end-to-end tracing.

B) CloudWatch Logs Insights allows querying logs for latency and errors. Manual correlation can be attempted by matching request IDs across logs. However, this process is labor-intensive, error-prone, and lacks automated visualization. It does not create a service map or provide end-to-end tracing automatically. Manual correlation is impractical at scale and does not meet the requirement for minimal code changes or automatic bottleneck detection.

C) Deploying OpenTelemetry on EC2 introduces infrastructure overhead. Each service must be instrumented manually, including Lambda functions, API Gateway, and storage services. Collectors must be managed, scaled, and maintained, increasing operational complexity. OpenTelemetry does not integrate natively with serverless AWS services like Lambda or API Gateway, violating the requirement for minimal code changes and serverless operation.

D) Manual correlation IDs require pervasive instrumentation throughout all services. While they can help trace requests, they do not provide automatic visualization, service maps, or bottleneck detection. Maintaining consistent correlation across multiple services is error-prone and labor-intensive. This approach fails to meet the requirement for minimal coding and serverless-native integration.

Why the correct answer is A): AWS X-Ray provides automatic, serverless, end-to-end tracing with service maps, latency visualization, and bottleneck detection. Other approaches either require manual effort, additional infrastructure, or cannot provide automated end-to-end tracing.

Question 68

A company wants to enforce organizational security policies for Terraform modules deployed via CI/CD. Policies include mandatory tagging, encryption, and prohibiting specific resource types. Violations must block deployment. Which solution is best?

A) AWS Config rules.

B) Sentinel policies in Terraform Cloud/Enterprise.

C) Git pre-commit hooks.

D) CloudFormation Guard.

Answer: B)

Explanation

A) AWS Config rules evaluate compliance after deployment. While they can detect policy violations and trigger alerts or remediation, they cannot prevent Terraform modules from being deployed, leaving a window where noncompliant resources exist. Config is reactive, not preemptive, so it does not satisfy the requirement for blocking violations before deployment.

B) Sentinel policies provide pre-deployment enforcement for Terraform Cloud/Enterprise. Policies can enforce tagging, encryption, and prevent prohibited resource types. When a module violates a policy during terraform plan or terraform apply, the run fails automatically, blocking deployment. Sentinel integrates with CI/CD pipelines, allowing centralized governance, automated enforcement, and repeatable policy application across all Terraform workspaces. This solution meets the requirement for pre-deployment compliance enforcement with minimal manual intervention.

C) Git pre-commit hooks can enforce rules locally on developer machines. However, hooks are bypassable, and they do not enforce compliance within CI/CD pipelines. They cannot guarantee that deployed Terraform modules adhere to organizational policies, making them unreliable for automated enforcement.

D) CloudFormation Guard (cfn-guard) validates CloudFormation templates, not Terraform plans. It cannot enforce Terraform module compliance and is therefore unsuitable for this use case. Using cfn-guard would require converting Terraform modules to CloudFormation templates, introducing unnecessary complexity.

Why the correct answer is B): Sentinel policies enforce compliance before deployment, integrating with CI/CD to block violations automatically. Config rules act post-deployment, Git hooks are unreliable, and CloudFormation Guard is incompatible with Terraform.

Question 69

A company needs automated, serverless detection of unauthorized changes to compliance documents stored in S3. Requirements include drift detection, version comparison, and real-time alerts. Which solution is best?

A) Enable S3 Versioning and manually compare versions.

B) Use AWS Glue to crawl and compare metadata.

C) Use EventBridge with S3 notifications triggering Lambda to compare versions.

D) Use CloudTrail object-level logging.

Answer: C)

Explanation

A) Manual comparison using S3 Versioning preserves prior versions, but is labor-intensive, error-prone, and does not scale for automated detection. Manual processes cannot provide real-time alerts and violate the serverless requirement.

B) AWS Glue can crawl S3 and extract metadata, but it cannot compare object content for drift detection. Glue is better suited for ETL and schema discovery rather than automated compliance monitoring. Using Glue would add unnecessary operational complexity without meeting the requirements.

C) EventBridge with S3 notifications provides a serverless, automated solution. S3 triggers events for object creation, update, or deletion. A Lambda function retrieves prior object versions via version IDs, compares content, and detects unauthorized changes. Alerts can be sent via SNS or EventBridge if anomalies are found. This solution meets all requirements: automated drift detection, version comparison, real-time alerts, and serverless operation. It scales seamlessly, requires minimal operational effort, and integrates fully with AWS services.

D) CloudTrail object-level logging records API calls on S3 objects. While useful for auditing, it cannot detect content-level changes or automatically trigger real-time alerts. CloudTrail is reactive and requires additional automation to meet compliance monitoring needs.

Why the correct answer is C): EventBridge-triggered Lambda provides automated, serverless, scalable detection of unauthorized changes in S3, with version comparison and real-time alerting. Manual comparison, Glue, and CloudTrail alone do not meet all requirements.

Question 70

A company wants to reduce Lambda cold start latency while optimizing cost for frequently accessed and infrequently accessed endpoints. Which solution is best?

A) Enable Provisioned Concurrency for high-traffic Lambda functions.

B) Increase memory allocation on all Lambda functions.

C) Deploy Lambda functions in a VPC.

D) Replace Lambda with ECS Fargate tasks.

Answer: A)

Explanation

A) Provisioned Concurrency pre-initializes a number of execution environments, eliminating cold starts for frequently invoked Lambda functions. Applying it selectively to high-traffic endpoints ensures low latency, while low-traffic functions remain on-demand, reducing unnecessary cost. Minimal configuration is required, making this solution serverless-native and efficient. Provisioned Concurrency directly addresses the latency issue without increasing cost for infrequently accessed functions.

B) Increasing memory allocation increases CPU and I/O resources, which may reduce execution time slightly. However, this does not eliminate cold starts and increases cost for all invocations, regardless of traffic. It is a less precise and less efficient solution compared to Provisioned Concurrency.

C) Deploying Lambda in a VPC historically increased cold start latency due to ENI initialization. Even with improvements, VPC placement does not prevent cold starts and adds networking complexity. This solution is counterproductive for reducing latency.

D) Replacing Lambda with ECS Fargate tasks avoids cold starts because containers are long-lived. However, it introduces operational complexity, including task definitions, scaling, and deployment management. It violates the requirement for minimal code changes and serverless operation.

Why the correct answer is A): Provisioned Concurrency selectively eliminates cold starts for high-traffic functions, optimizing latency and cost. Other options either fail to eliminate cold starts, increase cost unnecessarily, or introduce operational complexity.

Question 71

A company is deploying a new microservice to Amazon ECS on Fargate. They want to implement safe deployments with gradual traffic shifting, monitoring, and automatic rollback if health checks fail. Which solution is best?

A) Use ECS rolling updates with a custom health check grace period.

B) Use AWS CodeDeploy blue/green deployments integrated with ECS and ALB.

C) Rely on CloudFormation stack updates with rollback enabled.

D) Use ALB slow start mode to gradually ramp traffic.

Answer: B)

Explanation

A) ECS rolling updates gradually replace old tasks with new ones while maintaining service availability. Adjusting the health check grace period helps avoid marking slow-starting containers as unhealthy. However, rolling updates do not provide automatic rollback based on application-level failures, and traffic shifting is limited to the infrastructure level rather than controlled routing. While rolling updates improve availability, they cannot guarantee safe deployment with automated rollback or progressive traffic management for microservices that have variable initialization times.

B) AWS CodeDeploy blue/green deployments provide a fully managed solution for ECS services. CodeDeploy creates a new target group for the updated version, and traffic is shifted incrementally from the old group to the new group. Health monitoring can be integrated with ALB health checks or CloudWatch alarms. If the new tasks fail, traffic is automatically reverted to the previous version, and unhealthy tasks are terminated. CodeDeploy also allows configurable bake times, giving the application time to stabilize before full traffic migration. This approach ensures safe deployments, monitoring, gradual traffic shifting, and automatic rollback, fully meeting the requirements. Integration with ECS and ALB makes this a seamless, serverless-compatible solution without manual intervention.

C) CloudFormation stack updates provide rollback for resource creation failures or invalid configuration. While stack rollback is effective for infrastructure errors, it does not address application-level health checks or gradual traffic shifting. CloudFormation rollback is reactive and limited to template-level failures, which makes it insufficient for ensuring safe microservice rollouts in production.

D) ALB slow start mode gradually increases traffic to new targets to prevent sudden spikes. While this helps with container warming and prevents overload, it does not provide monitoring, automated rollback, or deployment control. Slow start modulates traffic but does not handle deployment orchestration, meaning failing containers may still receive requests.

Why the correct answer is B): CodeDeploy blue/green deployments provide controlled traffic shifting, health monitoring, bake times, and automatic rollback. Rolling updates, ALB slow start, and CloudFormation rollback address only partial concerns and cannot guarantee safe microservice deployment in production.

Question 72

A company wants to reduce cold start latency for frequently accessed AWS Lambda functions while minimizing cost for infrequently used functions. Which solution is best?

A) Enable Provisioned Concurrency for high-traffic Lambda functions.

B) Increase memory allocation for all Lambda functions.

C) Deploy Lambda functions in a VPC.

D) Replace Lambda with ECS Fargate tasks.

Answer: A)

Explanation

A) Provisioned Concurrency pre-initializes execution environments, ensuring that requests do not experience cold start latency. Applying it selectively to high-traffic Lambda functions guarantees low latency for frequently accessed endpoints. Low-traffic functions can remain on-demand to minimize costs. Provisioned Concurrency integrates seamlessly with serverless architecture, requires minimal configuration, and optimizes both latency and cost. This approach directly addresses the cold start problem without adding operational overhead.

B) Increasing memory allocation provides more CPU and I/O resources, which can slightly reduce execution duration and initialization time. However, it does not eliminate cold starts, and increased memory incurs higher cost for all invocations, including infrequently accessed functions. This is a less targeted and cost-efficient solution compared to Provisioned Concurrency.

C) Deploying Lambda in a VPC historically increased cold start latency due to ENI initialization overhead. Even with improvements in Hyperplane networking, VPC placement does not eliminate cold starts and adds operational complexity. It is counterproductive for latency optimization.

D) Replacing Lambda with ECS Fargate tasks avoids cold starts because containers are long-lived. However, this introduces operational overhead, including task definitions, scaling, container image management, and monitoring. It also violates the minimal code-change requirement and increases cost, making it less practical for the scenario.

Why the correct answer is A): Provisioned Concurrency selectively eliminates cold starts for high-traffic functions, optimizing latency and cost. Other options either do not remove cold starts, increase costs unnecessarily, or introduce operational complexity.

Question 73

A company wants to enforce pre-deployment compliance on all Terraform modules deployed via CI/CD. Policies include mandatory tags, encryption, and prohibiting specific resource types. Violations must block deployment. Which solution is best?

A) AWS Config rules.

B) Sentinel policies in Terraform Cloud/Enterprise.

C) Git pre-commit hooks.

D) CloudFormation Guard.

Answer: B)

Explanation

A) AWS Config evaluates compliance after resources are deployed. While Config can detect violations and trigger alerts or remediation, it cannot prevent Terraform modules from being deployed, leaving noncompliant resources in place temporarily. This does not meet the requirement for pre-deployment enforcement.

B) Sentinel policies provide policy-as-code enforcement within Terraform Cloud or Enterprise. Policies are evaluated during terraform plan or terraform apply, ensuring that modules comply with tagging, encryption, and resource restrictions. Violations fail the Terraform run, automatically blocking deployment. Sentinel integrates with CI/CD pipelines, enabling centralized governance, consistent policy application, and automated compliance. This solution ensures pre-deployment enforcement without manual intervention, fully meeting the requirement.

C) Git pre-commit hooks enforce rules locally on developer machines but are bypassable and do not guarantee CI/CD compliance. They are unreliable for ensuring that deployed Terraform modules adhere to organizational policies.

D) CloudFormation Guard (cfn-guard) validates CloudFormation templates, not Terraform plans. It cannot enforce Terraform module policies, making it incompatible with the use case. Using cfn-guard would require converting modules to CloudFormation templates, which adds unnecessary complexity.

Why the correct answer is B): Sentinel policies enforce compliance before deployment, integrate with CI/CD pipelines, and block violations automatically. Config rules are reactive, Git hooks are unreliable, and CloudFormation Guard is incompatible with Terraform modules.

Question 74

A company wants serverless, automated detection of unauthorized changes to compliance documents in S3, including drift detection, version comparison, and real-time alerts. Which solution is best?

A) Enable S3 Versioning and manually compare versions.

B) Use AWS Glue to crawl and compare metadata.

C) Use EventBridge with S3 notifications triggering Lambda to compare versions.

D) Use CloudTrail object-level logging.

Answer: C)

Explanation

A) Manual comparison using S3 Versioning preserves previous versions but is labor-intensive, error-prone, and cannot provide real-time alerts. Manual processes do not scale, fail to meet serverless operation requirements, and cannot reliably detect unauthorized changes across multiple files.

B) AWS Glue can crawl S3 and extract metadata, but it cannot perform content comparison for unauthorized changes. Glue is designed for ETL and schema discovery, not automated compliance monitoring. Using Glue adds unnecessary operational overhead without solving the problem.

C) EventBridge with S3 notifications offers a serverless, automated solution. S3 triggers events on object creation, update, or deletion. A Lambda function can retrieve previous object versions via version IDs, compare content, and detect unauthorized modifications. Alerts can be sent via SNS or EventBridge if anomalies are found. This approach meets all requirements: automated drift detection, version comparison, real-time alerts, and serverless operation. It scales seamlessly, is cost-efficient, and requires minimal operational management.

D) CloudTrail object-level logging records API calls on S3 objects for auditing, but cannot detect content-level changes automatically. CloudTrail is reactive, and additional automation would be required to meet the compliance monitoring requirements. It does not provide drift detection or version comparison natively.

Why the correct answer is C): EventBridge-triggered Lambda functions provide automated, serverless detection of unauthorized changes in S3, with version comparison and real-time alerting. Manual comparison, Glue, and CloudTrail alone are insufficient for full compliance monitoring.

Question 75

A DevOps team wants end-to-end distributed tracing for serverless APIs covering API Gateway, Lambda, DynamoDB, and S3. They require minimal code changes, visualization of latency, and bottleneck detection. Which solution is best?

A) Enable AWS X-Ray active tracing.

B) Use CloudWatch Logs Insights for manual correlation.

C) Deploy OpenTelemetry on EC2 instances.

D) Implement manual correlation IDs in code.

Answer: A)

Explanation

A) AWS X-Ray active tracing provides fully managed distributed tracing for serverless applications. It automatically captures segments and subsegments for Lambda, API Gateway, DynamoDB, and S3. A service map visualizes latency, errors, and bottlenecks across services. Minimal code changes are required—simply enabling active tracing on Lambda and optionally using the X-Ray SDK for custom subsegments. X-Ray scales automatically, integrates with CloudWatch dashboards, and provides near real-time insights. This solution meets all requirements: serverless integration, minimal coding, visualization, and end-to-end tracing.

B) CloudWatch Logs Insights allows querying logs for latency and errors. Manual correlation of request IDs can be attempted, but it is labor-intensive, error-prone, and does not provide automated service maps or bottleneck detection. This method is impractical for production-scale tracing and violates the minimal code-change requirement.

C) Deploying OpenTelemetry on EC2 introduces operational overhead and requires manual instrumentation of all services, including Lambda and API Gateway. Collectors must be managed, scaled, and maintained. OpenTelemetry does not integrate natively with serverless AWS services, adding complexity and violating the minimal code-change requirement.

D) Implementing manual correlation IDs requires pervasive instrumentation across services. While it can assist debugging, it does not provide automated service maps, visualization, or bottleneck analysis. Maintaining correlation across multiple services is error-prone and difficult to scale.

Why the correct answer is A): AWS X-Ray provides automated, serverless, end-to-end tracing with visualization of latency and bottlenecks, requiring minimal code changes. Other approaches require manual effort, additional infrastructure, or cannot provide automated end-to-end observability.

Question 76

A DevOps team is deploying multiple microservices on Amazon EKS. They want safe, progressive deployments with automatic rollback if new pods fail health checks. Traffic should be gradually shifted and the solution must integrate natively with Kubernetes manifests. Which solution is best?

A) Use EKS managed node groups with PodDisruptionBudgets.

B) Use Argo Rollouts for canary and blue/green deployments.

C) Configure ALB slow start mode.

D) Use Kubernetes Horizontal Pod Autoscaler (HPA).

Answer: B)

Explanation

A) PodDisruptionBudgets (PDBs) ensure that a minimum number of pods remain available during voluntary disruptions such as node maintenance or scaling events. While important for operational stability, PDBs do not manage deployments, traffic shifting, or rollback. They cannot automatically detect unhealthy pods during deployments or gradually shift traffic between old and new pods. PodDisruptionBudgets address pod availability during maintenance, not safe progressive deployment, so they do not fully meet the requirements.

B) Argo Rollouts is a Kubernetes-native controller for progressive delivery. It supports canary and blue/green deployments, incremental traffic shifting, and automatic rollback based on health checks or custom metrics. Traffic control can be integrated with service meshes or ingress controllers, enabling fine-grained rollout strategies. Argo Rollouts allows declarative Kubernetes manifest configuration, ensuring native integration with EKS. Metrics-driven rollback ensures safe deployments, while traffic shaping guarantees minimal user impact. This solution meets all requirements: safe progressive deployment, automated rollback, traffic control, and Kubernetes-native operation.

C) ALB slow start mode gradually increases traffic to new targets to prevent overload. While it helps prevent sudden spikes, slow start does not implement canary or blue/green deployments, monitor pod health at the application level, or provide automatic rollback. It only modulates traffic rate and cannot ensure a safe rollout.

D) Horizontal Pod Autoscaler (HPA) dynamically scales pod counts based on metrics such as CPU or memory utilization. While essential for performance, HPA does not control deployment strategy, traffic shifting, or rollback. HPA addresses scalability, not deployment safety.

Why the correct answer is B): Argo Rollouts provides full support for safe, progressive deployments with traffic shaping and automated rollback. PDBs, ALB slow start, and HPA only address partial concerns and cannot guarantee safe microservice deployment.

Question 77

A company processes large volumes of logs stored in Amazon S3. They want a serverless solution that extracts fields, indexes data, and provides fast search queries without managing servers. Which solution is best?

A) Deploy an ELK stack on EC2.

B) Use S3 Select to query logs.

C) Use Amazon OpenSearch Serverless with S3 ingestion pipelines.

D) Store logs in DynamoDB with Global Secondary Indexes.

Answer: C)

Explanation

A) Deploying an ELK stack on EC2 provides indexing and search capabilities, but it requires manual provisioning, scaling, and management. ELK is not serverless, and operational overhead is significant. Scaling for high-volume logs requires careful infrastructure planning, contradicting the serverless requirement.

B) S3 Select allows querying single S3 objects using SQL expressions. While suitable for ad hoc filtering of individual objects, it does not provide indexing or full-text search across multiple objects. S3 Select cannot meet requirements for high-speed search over large log datasets.

C) Amazon OpenSearch Serverless is fully managed and serverless. Logs can be ingested from S3 using ingestion pipelines, automatically indexed, and queried quickly. OpenSearch Serverless supports field extraction, indexing, and full-text search with near real-time results. It scales dynamically, requires no server management, and integrates natively with S3, making it ideal for high-volume log analytics without operational overhead. This solution meets all requirements: serverless, indexing, search, and S3 integration.

D) DynamoDB with Global Secondary Indexes provides low-latency access for structured data but cannot perform full-text search across unstructured logs efficiently. Using DynamoDB would require additional infrastructure for search functionality, increasing operational complexity.

Why the correct answer is C): OpenSearch Serverless provides fully managed, serverless log indexing and search for S3, meeting all requirements. Other options either require server management, are limited in query capability, or are unsuitable for unstructured log analytics.

Question 78

A DevOps team wants to reduce AWS Lambda cold start latency while keeping costs low for infrequently accessed functions. Which solution is best?

A) Enable Provisioned Concurrency for high-traffic functions.

B) Increase memory allocation for all Lambda functions.

C) Enable VPC for Lambda functions.

D) Replace Lambda with ECS Fargate tasks.

Answer: A)

Explanation

A) Provisioned Concurrency pre-initializes execution environments for Lambda functions, ensuring that requests do not experience cold start latency. By applying it selectively to high-traffic functions, latency is reduced without increasing cost for low-traffic functions, which can remain on-demand. This approach is serverless-native, requires minimal configuration, and optimizes latency and cost simultaneously.

B) Increasing memory allocation provides more CPU resources, which can slightly reduce initialization time. However, it does not eliminate cold starts, and higher memory increases cost for all functions, including infrequently accessed ones, making it less efficient.

C) Deploying Lambda in a VPC historically increases cold start latency due to ENI initialization overhead. Even with recent improvements, VPC placement does not remove cold starts and adds operational complexity.

D) Replacing Lambda with ECS Fargate tasks eliminates cold starts because containers are long-lived, but introduces operational overhead, including container definitions, scaling, and monitoring. It violates the minimal code-change requirement and increases cost.

Why the correct answer is A): Provisioned Concurrency selectively removes cold starts for high-traffic functions, optimizing latency and cost. Other options either fail to prevent cold starts or add operational complexity.

Question 79

A company wants pre-deployment enforcement of organizational policies on Terraform modules deployed via CI/CD, including mandatory tags, encryption, and prohibited resource types. Violations must block deployment. Which solution is best?

A) AWS Config rules.

B) Sentinel policies in Terraform Cloud/Enterprise.

C) Git pre-commit hooks.

D) CloudFormation Guard.

Answer: B)

Explanation

A) AWS Config rules evaluate compliance after resources are deployed. While useful for auditing and remediation, Config cannot prevent noncompliant Terraform modules from being applied. This is reactive and does not meet the requirement for pre-deployment enforcement.

B) Sentinel policies provide policy-as-code enforcement for Terraform Cloud or Enterprise. Policies are evaluated during terraform plan or terraform apply, automatically blocking noncompliant modules. Sentinel supports tagging, encryption, and resource restrictions. It integrates with CI/CD pipelines, providing automated, centralized governance and pre-deployment enforcement, fully meeting the requirement.

C) Git pre-commit hooks are executed locally on developer machines and can be bypassed. They do not enforce compliance in CI/CD pipelines reliably and cannot prevent Terraform apply operations, making them unsuitable for automated enforcement.

D) CloudFormation Guard (cfn-guard) validates CloudFormation templates, not Terraform modules. It is incompatible for enforcing Terraform policies without converting modules to CloudFormation, which adds unnecessary complexity.

Why the correct answer is B): Sentinel policies enforce compliance before deployment, integrating with CI/CD pipelines to block violations automatically. Config rules are reactive, Git hooks are unreliable, and CloudFormation Guard is incompatible.

Question 80

A company wants automated, serverless detection of unauthorized changes to compliance documents stored in S3, including drift detection, version comparison, and real-time alerts. Which solution is best?

A) Enable S3 Versioning and manually compare versions.

B) Use AWS Glue to crawl and compare metadata.

C) Use EventBridge with S3 notifications triggering Lambda to compare versions.

D) Use CloudTrail object-level logging.

Answer: C)

Explanation

A) Manual comparison with S3 Versioning preserves previous versions but is labor-intensive, error-prone, and cannot provide real-time alerts. It is not scalable or fully automated and fails to meet serverless operation requirements.

B) AWS Glue can crawl S3 and extract metadata, but it cannot perform content comparison or detect unauthorized changes automatically. Glue is designed for ETL and schema discovery, not automated compliance monitoring.

C) EventBridge with S3 notifications provides a serverless, automated solution. S3 triggers events on object creation, updates, or deletions. A Lambda function can retrieve previous versions via version IDs, compare content, detect unauthorized changes, and send real-time alerts via SNS or EventBridge. This approach satisfies all requirements: drift detection, version comparison, real-time alerts, and serverless operation. It scales automatically, requires minimal operational effort, and integrates seamlessly with AWS services.

D) CloudTrail object-level logging records API activity but cannot detect content-level changes or automatically trigger real-time alerts. It is reactive and requires additional automation to meet compliance monitoring requirements.

Why the correct answer is C): EventBridge-triggered Lambda provides automated, serverless detection of unauthorized changes in S3, with version comparison and real-time alerting. Manual comparison, Glue, and CloudTrail alone cannot meet all requirements.