Amazon AWS Certified DevOps Engineer – Professional DOP-C02 Exam Dumps and Practice Test Questions Set 7 Q 121-140

Practice Exams:

View All

Amazon AWS Certified DevOps Engineer – Professional DOP-C02 Exam Dumps and Practice Test Questions Set 7 Q 121-140

Visit here for our full Amazon AWS Certified DevOps Engineer – Professional DOP-C02 exam dumps and practice test questions.

Question 121

A company is running multiple microservices on Amazon ECS Fargate and wants automated canary deployments with traffic shifting, monitoring, and automatic rollback in case of failures. Which solution is best?

A) ECS rolling updates with a custom health check grace period.

B) AWS CodeDeploy blue/green deployments integrated with ECS and ALB.

C) CloudFormation stack updates with rollback enabled.

D) ALB slow start mode for gradual traffic ramp-up.

Answer: B)

Explanation

A) ECS rolling updates provide a mechanism to gradually replace old tasks with new tasks while attempting to maintain service availability. Adjusting health check grace periods ensures that containers with slower start times are not incorrectly marked as unhealthy. However, rolling updates cannot automatically rollback based on application-level health metrics or failures. Traffic is replaced at the task level without incremental traffic control, leaving a risk of exposing users to faulty services. Rolling updates provide only partial deployment safety and lack full canary deployment orchestration capabilities. Therefore, while useful for basic availability, ECS rolling updates do not meet the requirements for fully automated, monitored, progressive deployments with rollback capabilities.

B) AWS CodeDeploy blue/green deployments provides a fully managed deployment strategy for ECS that supports canary and blue/green methodologies. It creates a new target group for the updated service, allowing incremental traffic shifting between old and new service versions. Health checks from the ALB and metrics from CloudWatch monitor the performance of new tasks. If unhealthy conditions are detected, CodeDeploy automatically rolls back traffic to the previous version, ensuring service reliability. This deployment strategy is fully automated, ECS-native, and requires minimal operational effort. It meets all requirements: traffic shifting, monitoring, automated rollback, and safe, progressive deployments.

C) CloudFormation stack updates enable rollback of infrastructure resources if template changes fail. While effective for ensuring infrastructure-level consistency, CloudFormation does not handle application-level monitoring, traffic shifting, or progressive deployments. Using CloudFormation alone cannot prevent user impact from failed services or automate rollback based on runtime application health, making it unsuitable for safe canary deployments.

D) ALB slow start mode gradually ramps traffic to new targets to avoid sudden spikes. While beneficial in reducing load on new instances, it does not orchestrate deployments, monitor service health, or provide automated rollback. Slow start is merely a traffic smoothing feature and cannot manage the deployment lifecycle independently.

Why the correct answer is B): AWS CodeDeploy blue/green deployments provide fully automated, safe canary deployments, including traffic shifting, health monitoring, and rollback. ECS rolling updates, CloudFormation stack updates, and ALB slow start address only partial aspects and are insufficient for comprehensive deployment orchestration.

Question 122

A company stores logs in Amazon S3 and wants a serverless solution to extract fields, index data, and allow fast queries without managing servers. Which solution is best?

A) Deploy ELK stack on EC2.

B) Use S3 Select for querying logs.

C) Amazon OpenSearch Serverless with S3 ingestion pipelines.

D) Store logs in DynamoDB with Global Secondary Indexes.

Answer: C)

Explanation

A) Deploying an ELK stack on EC2 provides robust log analytics and visualization capabilities, such as full-text search and dashboards with Kibana. However, this approach requires server management, including provisioning, scaling, patching, and monitoring EC2 instances. High-volume log ingestion would require careful capacity planning and operational overhead, violating the requirement for a serverless solution.

B) S3 Select allows querying individual S3 objects using SQL expressions. While suitable for ad hoc queries, it cannot index multiple objects or perform scalable full-text search across large log datasets. S3 Select lacks aggregation, indexing, and analytics capabilities required for production-grade log processing.

C) Amazon OpenSearch Serverless provides a fully managed serverless solution for log analytics. It integrates with S3 ingestion pipelines to automatically index incoming log data, supports structured field extraction, full-text search, aggregation, and near real-time queries. OpenSearch Serverless scales automatically, requires no server management, and integrates with monitoring and alerting tools. This approach meets all requirements: serverless operation, automatic indexing, fast queries, and minimal operational burden.

D) DynamoDB with Global Secondary Indexes offers fast key-value and structured data queries but cannot efficiently perform full-text search or handle unstructured logs. Using DynamoDB for logs would require additional infrastructure like OpenSearch to achieve similar capabilities, adding operational complexity and violating the serverless simplicity requirement.

Why the correct answer is C): OpenSearch Serverless delivers a fully managed, serverless solution for scalable log analytics, automated indexing, and fast search queries. Other options require servers, lack full-text search, or are operationally intensive.

Question 123

A DevOps team wants to reduce AWS Lambda cold start latency for high-traffic functions while minimizing costs for infrequently invoked functions. Which solution is best?

A) Enable Provisioned Concurrency for high-traffic functions.

B) Increase memory allocation for all Lambda functions.

C) Deploy Lambda functions in a VPC.

D) Replace Lambda with ECS Fargate tasks.

Answer: A)

Explanation

A) Provisioned Concurrency pre-warms Lambda execution environments, ensuring that invocations do not experience cold start latency. By applying it selectively to high-traffic functions, latency-sensitive endpoints remain responsive while low-traffic functions stay on-demand, controlling cost. This is a serverless-native, cost-effective approach that minimizes operational overhead and achieves the required performance improvement.

B) Increasing memory allocation slightly increases CPU and initialization speed, potentially reducing cold start latency marginally. However, it does not eliminate cold starts entirely, and it raises costs for all invocations, including low-traffic functions. This method is inefficient compared to targeted Provisioned Concurrency.

C) Deploying Lambda in a VPC historically increases cold start latency due to ENI initialization. Although recent improvements have reduced the impact, VPC deployment does not prevent cold starts and adds operational complexity, making it a suboptimal choice.

D) Replacing Lambda with ECS Fargate tasks avoids cold starts because containers are long-lived. However, it introduces significant operational overhead for task management, scaling, and monitoring. It also violates the minimal code-change requirement and can increase costs due to always-on resources.

Why the correct answer is A): Provisioned Concurrency selectively pre-warms high-traffic Lambda functions, reducing cold start latency while maintaining cost efficiency. Other options either fail to eliminate cold starts or increase complexity and cost.

Question 124

A company wants pre-deployment enforcement of compliance policies on Terraform modules deployed through CI/CD pipelines, including mandatory tags, encryption, and restricted resource types. Violations must block deployment. Which solution is best?

A) AWS Config rules.

B) Sentinel policies in Terraform Cloud/Enterprise.

C) Git pre-commit hooks.

D) CloudFormation Guard.

Answer: B)

Explanation

A) AWS Config rules evaluate resource compliance after deployment. Config can detect noncompliance and trigger remediation, but it cannot prevent Terraform modules from being applied. Pre-deployment enforcement is not achievable, making Config unsuitable for this requirement.

B) Sentinel policies provide policy-as-code enforcement for Terraform Cloud/Enterprise. Policies are evaluated during terraform plan or terraform apply. Violations fail the run, automatically blocking deployment. Sentinel supports tagging enforcement, encryption requirements, and restricting specific resource types. Integration with CI/CD pipelines ensures automated pre-deployment governance, guaranteeing that noncompliant resources never reach production. This solution fully satisfies the requirement for pre-deployment enforcement.

C) Git pre-commit hooks enforce rules locally on developers’ machines but are bypassable and do not reliably integrate with CI/CD pipelines. They cannot block Terraform apply operations, making them insufficient for automated policy enforcement.

D) CloudFormation Guard (cfn-guard) validates CloudFormation templates, not Terraform modules. Enforcing policies would require converting modules to CloudFormation, adding operational complexity and incompatibility.

Why the correct answer is B): Sentinel policies enforce pre-deployment compliance automatically in CI/CD pipelines. AWS Config is reactive, Git hooks are bypassable, and CloudFormation Guard is incompatible.

Question 125

A company wants end-to-end distributed tracing for serverless APIs, including API Gateway, Lambda, DynamoDB, and S3, with minimal code changes, latency visualization, and bottleneck detection. Which solution is best?

A) Enable AWS X-Ray active tracing.

B) Use CloudWatch Logs Insights for manual correlation.

C) Deploy OpenTelemetry on EC2 instances.

D) Implement manual correlation IDs in code.

Answer: A)

Explanation

A) AWS X-Ray active tracing provides fully managed distributed tracing for serverless applications. It captures segments and subsegments automatically for Lambda, API Gateway, DynamoDB, and S3. The service map visualizes latency, errors, and bottlenecks across all services. Minimal code changes are required—enabling active tracing on Lambda functions and optionally using the X-Ray SDK for custom subsegments. X-Ray scales automatically and integrates with CloudWatch dashboards, providing near real-time observability. This solution meets all requirements: serverless integration, minimal code changes, latency visualization, and end-to-end tracing.

B) CloudWatch Logs Insights allows querying logs for latency and errors. Manual correlation of request IDs is possible but is labor-intensive, error-prone, and does not provide automated service maps or bottleneck detection. It is impractical for production-scale tracing and does not meet minimal code-change requirements.

C) Deploying OpenTelemetry on EC2 introduces significant operational overhead. Each service must be instrumented, and collectors must be deployed, scaled, and maintained. OpenTelemetry does not integrate natively with serverless AWS services, making it unsuitable for minimal-code solutions.

D) Implementing manual correlation IDs requires pervasive code changes across services. While useful for debugging, it does not provide automated visualization, service maps, or bottleneck detection, and maintaining correlation across multiple services is difficult and error-prone.

Why the correct answer is A): AWS X-Ray provides automated, serverless, end-to-end tracing with latency visualization and bottleneck detection while requiring minimal code changes. Other options require manual effort, additional infrastructure, or cannot provide automated end-to-end observability.

Question 126

A company is running multiple microservices on Amazon ECS Fargate and wants safe, automated canary deployments with traffic shifting, monitoring, and rollback. Which solution is best?

A) ECS rolling updates with custom health check grace periods.

B) AWS CodeDeploy blue/green deployments integrated with ECS and ALB.

C) CloudFormation stack updates with rollback enabled.

D) ALB slow start mode for gradual traffic ramp-up.

Answer: B)

Explanation

A) ECS rolling updates gradually replace old tasks with new tasks to maintain service availability. Adjusting health check grace periods ensures containers with slower start times are not prematurely marked unhealthy. However, rolling updates do not provide automated rollback triggered by application-level failures or fine-grained traffic shifting between old and new versions. Traffic is replaced at the task level, and monitoring capabilities are limited. This option provides only partial deployment safety and does not support fully automated canary deployments.

B) AWS CodeDeploy blue/green deployments provides a fully managed canary deployment strategy. It creates a new target group for updated services and enables incremental traffic shifting from the old version. ALB health checks and CloudWatch metrics monitor new tasks, automatically rolling back traffic if failures are detected. The deployment process is automated, declarative, and ECS-native, requiring minimal operational effort. This solution satisfies all requirements: safe deployment, traffic shifting, monitoring, and automatic rollback.

C) CloudFormation stack updates provide rollback for infrastructure template errors during resource creation. While effective for infrastructure consistency, CloudFormation does not handle application-level health checks, traffic shifting, or automatic rollback based on runtime service performance. Using CloudFormation alone cannot ensure safe, progressive deployments for ECS services.

D) ALB slow start mode gradually ramps traffic to new targets to reduce sudden spikes. While beneficial for load smoothing, it does not orchestrate deployments, monitor health, or trigger rollback, and cannot provide full canary deployment capabilities on its own.

Why the correct answer is B): AWS CodeDeploy blue/green deployments provide fully automated canary deployment orchestration, including traffic shifting, monitoring, and rollback. Rolling updates, CloudFormation, and ALB slow start address only partial aspects and are insufficient for production-grade canary deployment strategies.

Question 127

A company stores large volumes of logs in Amazon S3 and requires a serverless solution to extract structured fields, index the data, and enable fast search queries. Which solution is best?

A) Deploy ELK stack on EC2.

B) Use S3 Select for querying logs.

C) Amazon OpenSearch Serverless with S3 ingestion pipelines.

D) Store logs in DynamoDB with Global Secondary Indexes.

Answer: C)

Explanation

A) Deploying an ELK stack on EC2 provides full log analytics, including visualization through Kibana and full-text search capabilities. However, this approach requires server management, including provisioning, scaling, patching, and monitoring EC2 instances. High-volume log ingestion introduces operational overhead for capacity planning and maintenance, violating the requirement for a serverless solution.

B) S3 Select allows SQL-like queries on individual S3 objects. While useful for lightweight, ad hoc queries, it cannot index multiple objects or provide scalable full-text search across large datasets. S3 Select lacks analytics capabilities such as aggregation, near real-time search, and visualization, making it unsuitable for production-grade log analytics.

C) Amazon OpenSearch Serverless provides a fully managed serverless solution for log analytics. It integrates with S3 ingestion pipelines to automatically index incoming log data, supports structured field extraction, full-text search, aggregation, and near real-time queries. OpenSearch Serverless scales automatically, requires no server management, and integrates with monitoring and alerting tools. This approach fulfills all requirements: serverless operation, automated indexing, fast search, and minimal operational burden.

D) DynamoDB with Global Secondary Indexes provides fast queries for structured data. However, it cannot efficiently perform full-text search or handle unstructured log data at scale. Using DynamoDB would require additional infrastructure like OpenSearch, increasing operational complexity and cost.

Why the correct answer is C): OpenSearch Serverless delivers a fully managed, serverless solution for high-volume log analytics, automated indexing, and fast search queries. Other options require servers, lack search capabilities, or impose operational overhead.

Question 128

A DevOps team wants to reduce AWS Lambda cold start latency for high-traffic functions while keeping costs low for infrequently invoked functions. Which solution is best?

A) Enable Provisioned Concurrency for high-traffic functions.

B) Increase memory allocation for all Lambda functions.

C) Deploy Lambda functions in a VPC.

D) Replace Lambda with ECS Fargate tasks.

Answer: A)

Explanation

A) Provisioned Concurrency pre-warms Lambda execution environments, ensuring invocations do not experience cold start latency. By applying it only to high-traffic functions, latency-sensitive endpoints remain responsive while low-traffic functions stay on-demand, controlling cost. This approach is serverless-native, cost-efficient, and effective in reducing cold start latency with minimal operational overhead.

B) Increasing memory allocation slightly improves CPU and initialization speed, potentially reducing cold start latency marginally. However, it does not eliminate cold starts, and higher memory increases costs for all functions, including low-traffic functions. This method is less efficient compared to selective Provisioned Concurrency.

C) Deploying Lambda in a VPC historically increased cold start latency due to ENI attachment delays. Although recent networking enhancements have reduced this impact, VPC deployment does not remove cold starts and adds complexity, making it a suboptimal choice.

D) Replacing Lambda with ECS Fargate tasks avoids cold starts because containers are long-lived. However, it introduces operational overhead, including task management, scaling, and monitoring. It also violates the requirement for minimal code changes and may increase costs due to always-on resources.

Why the correct answer is A): Provisioned Concurrency selectively pre-warms high-traffic Lambda functions, reducing cold start latency while maintaining cost efficiency. Other options fail to eliminate cold starts effectively or increase operational complexity.

Question 129

A company requires pre-deployment enforcement of compliance policies on Terraform modules deployed through CI/CD pipelines. Policies include mandatory tags, encryption, and restricted resource types. Violations must block deployment. Which solution is best?

A) AWS Config rules.

B) Sentinel policies in Terraform Cloud/Enterprise.

C) Git pre-commit hooks.

D) CloudFormation Guard.

Answer: B)

Explanation

A) AWS Config rules operate after resources are deployed. They detect noncompliance and can trigger remediation but cannot block Terraform modules from being applied, failing to enforce pre-deployment compliance. This reactive approach is unsuitable for preventing noncompliant resources from reaching production.

B) Sentinel policies provide policy-as-code enforcement within Terraform Cloud/Enterprise. Policies are evaluated during terraform plan or terraform apply. Violations fail the run, automatically preventing deployment. Sentinel supports tagging enforcement, encryption requirements, and restricting specific resource types. Integration with CI/CD ensures automated, pre-deployment compliance, preventing noncompliant resources from being provisioned. This fully satisfies pre-deployment enforcement requirements.

C) Git pre-commit hooks operate locally and enforce rules on developer machines. However, they are bypassable, do not integrate reliably with CI/CD pipelines, and cannot prevent Terraform applies, making them insufficient for automated policy enforcement.

D) CloudFormation Guard validates CloudFormation templates but is incompatible with Terraform modules without converting templates, adding complexity and operational overhead. It cannot enforce policies natively in Terraform CI/CD pipelines.

Question 130

A company wants end-to-end distributed tracing for serverless APIs, including API Gateway, Lambda, DynamoDB, and S3. Requirements include minimal code changes, latency visualization, and bottleneck detection. Which solution is best?

A) Enable AWS X-Ray active tracing.

B) Use CloudWatch Logs Insights for manual correlation.

C) Deploy OpenTelemetry on EC2 instances.

D) Implement manual correlation IDs in code.

Answer: A)

Explanation

A) AWS X-Ray active tracing provides fully managed distributed tracing for serverless applications. It automatically captures segments and subsegments for Lambda, API Gateway, DynamoDB, and S3. The service map visualizes latency, errors, and bottlenecks across services. Minimal code changes are required—enabling active tracing on Lambda functions and optionally using the X-Ray SDK for custom subsegments. X-Ray scales automatically, integrates with CloudWatch dashboards, and provides near real-time observability. This solution fulfills all requirements: serverless integration, minimal code changes, latency visualization, and end-to-end tracing.

B) CloudWatch Logs Insights enables querying logs for latency and errors. Manual correlation is possible but is labor-intensive, error-prone, and does not provide automated service maps or bottleneck detection. It is impractical for production-scale tracing and does not satisfy minimal code-change requirements.

C) Deploying OpenTelemetry on EC2 introduces operational overhead. Each service requires instrumentation, and collectors must be deployed, scaled, and maintained. OpenTelemetry does not integrate natively with serverless AWS services, making it unsuitable for minimal-code solutions.

D) Implementing manual correlation IDs requires pervasive code changes. While useful for debugging, it does not provide automated visualization, service maps, or bottleneck detection, and maintaining correlation across multiple services is error-prone.

Question 131

A company runs multiple microservices on Amazon ECS Fargate and wants safe, automated canary deployments with traffic shifting, monitoring, and rollback. Which solution is best?

A) ECS rolling updates with custom health check grace periods.

B) AWS CodeDeploy blue/green deployments integrated with ECS and ALB.

C) CloudFormation stack updates with rollback enabled.

D) ALB slow start mode for gradual traffic ramp-up.

Answer: B)

Explanation

A) ECS rolling updates gradually replace old tasks with new tasks to maintain service availability. Configuring health check grace periods ensures that slow-starting containers are not incorrectly marked unhealthy. However, rolling updates cannot automatically rollback deployments based on application-level failures or metrics, nor do they provide fine-grained traffic shifting between versions. They operate at the task level and lack integrated monitoring with automatic failure detection. This approach ensures basic availability but does not provide full canary deployment orchestration. Using only ECS rolling updates exposes services to potential failures during deployment because traffic is shifted abruptly without monitoring-based rollback.

B) AWS CodeDeploy blue/green deployments provides a fully managed canary deployment strategy for ECS integrated with ALB. It allows for incremental traffic shifting from the old service to the new one, based on configurable weights and intervals. Health checks from the ALB, combined with CloudWatch metrics, monitor the performance of new tasks, automatically rolling back traffic if unhealthy conditions are detected. This solution requires minimal operational effort, is ECS-native, and ensures safe, automated deployments with monitoring and rollback capabilities, satisfying all requirements for production-grade canary deployments.

C) CloudFormation stack updates offer rollback for template-level errors during resource creation or modification. While useful for infrastructure consistency, CloudFormation does not provide application-level monitoring, traffic shifting, or rollback based on runtime service performance. It is reactive to template failures, not application health, and cannot prevent user impact from failed deployments. Therefore, this method alone is inadequate for safe canary deployments.

D) ALB slow start mode gradually ramps traffic to new targets to avoid sudden load spikes. While this helps mitigate load on new containers, it does not orchestrate deployments, monitor application health, or trigger rollback, and cannot provide end-to-end canary deployment capabilities. Slow start is only a traffic-smoothing mechanism, not a deployment management tool.

Why the correct answer is B): AWS CodeDeploy blue/green deployments provide fully automated, safe canary deployment orchestration, including traffic shifting, health monitoring, and rollback. Other options address only partial aspects and do not satisfy all requirements.

Question 132

A company stores high-volume logs in Amazon S3 and requires a serverless solution for extracting structured fields, indexing, and fast querying without managing servers. Which solution is best?

A) Deploy ELK stack on EC2.

B) Use S3 Select for querying logs.

C) Amazon OpenSearch Serverless with S3 ingestion pipelines.

D) Store logs in DynamoDB with Global Secondary Indexes.

Answer: C)

Explanation

A) Deploying an ELK stack on EC2 allows full-featured log analytics, including visualization through Kibana dashboards and full-text search capabilities. However, this requires provisioning, scaling, and maintaining EC2 instances, which violates the serverless requirement. High-volume log ingestion adds operational overhead for capacity planning, resource management, and monitoring, making this approach unsuitable for a serverless solution.

B) S3 Select enables querying individual S3 objects using SQL-like expressions. While it is useful for ad hoc queries on single objects, it cannot index multiple objects or perform scalable full-text search across large datasets. It lacks aggregation, visualization, and analytics capabilities, making it impractical for production-grade log analytics.

C) Amazon OpenSearch Serverless is a fully managed serverless solution for log analytics. It integrates with S3 ingestion pipelines to automatically index incoming logs, supports structured field extraction, full-text search, aggregation, and near real-time queries. OpenSearch Serverless scales automatically, requires no server management, and integrates with monitoring and alerting tools. It fulfills all requirements: serverless operation, automated indexing, fast query performance, and minimal operational burden.

D) DynamoDB with Global Secondary Indexes is optimized for key-value and structured queries. While it offers low-latency lookups, it cannot efficiently handle unstructured log data or provide full-text search across large datasets. Implementing log analytics with DynamoDB would require additional infrastructure like OpenSearch, increasing operational complexity and costs.

Why the correct answer is C): OpenSearch Serverless provides a scalable, serverless, fully managed solution for high-volume log analytics, automated indexing, and fast query performance. Other options require server management, lack full-text search capabilities, or are operationally intensive.

Question 133

A DevOps team wants to reduce AWS Lambda cold start latency for high-traffic functions while keeping costs low for infrequently invoked functions. Which solution is best?

A) Enable Provisioned Concurrency for high-traffic functions.

B) Increase memory allocation for all Lambda functions.

C) Deploy Lambda functions in a VPC.

D) Replace Lambda with ECS Fargate tasks.

Answer: A)

Explanation

A) Provisioned Concurrency pre-warms Lambda execution environments to prevent cold start latency. By applying it only to high-traffic functions, latency-sensitive services remain responsive while low-traffic functions remain on-demand, keeping costs under control. This solution is serverless-native, effective, and cost-efficient, ensuring minimal operational overhead while optimizing performance.

B) Increasing memory allocation can improve CPU and initialization speed, potentially reducing cold start latency slightly. However, it does not eliminate cold starts and increases costs for all functions, including low-traffic ones. This is less efficient compared to selective Provisioned Concurrency, which targets only the functions that require optimization.

C) Deploying Lambda in a VPC historically increases cold start latency due to ENI initialization. While recent enhancements have improved VPC networking performance, this approach does not prevent cold starts and introduces complexity, making it suboptimal for latency optimization.

D) Replacing Lambda with ECS Fargate tasks avoids cold starts since containers are long-lived. However, it adds significant operational overhead, including task management, scaling, and monitoring, and violates the requirement for minimal code changes. It may also increase costs due to always-on containers.

Why the correct answer is A): Provisioned Concurrency selectively pre-warms high-traffic Lambda functions, reducing cold start latency while controlling costs. Other options either fail to remove cold starts or increase complexity and expense.

Question 134

A company wants pre-deployment enforcement of compliance policies on Terraform modules deployed via CI/CD, including mandatory tags, encryption, and restricted resource types. Violations must block deployment. Which solution is best?

A) AWS Config rules.

B) Sentinel policies in Terraform Cloud/Enterprise.

C) Git pre-commit hooks.

D) CloudFormation Guard.

Answer: B)

Explanation

A) AWS Config rules evaluate resource compliance after resources are deployed. They can detect noncompliance and trigger remediation, but they cannot prevent Terraform modules from being applied. This reactive enforcement approach does not satisfy the pre-deployment requirement.

B) Sentinel policies provide policy-as-code enforcement for Terraform Cloud/Enterprise. Policies are evaluated during terraform plan or terraform apply. Violations fail the run, automatically preventing deployment. Sentinel supports tag enforcement, encryption, and resource restrictions. Integration with CI/CD pipelines ensures automated, pre-deployment governance, guaranteeing noncompliant resources never reach production. This solution fully satisfies pre-deployment enforcement requirements.

C) Git pre-commit hooks enforce rules locally on developer machines. They are bypassable, do not reliably integrate with CI/CD pipelines, and cannot block Terraform applies, making them insufficient for automated policy enforcement.

D) CloudFormation Guard validates CloudFormation templates, not Terraform modules. Enforcing policies would require converting modules, adding operational complexity. It is not natively compatible with Terraform CI/CD pipelines.

Question 135

A company wants end-to-end distributed tracing for serverless APIs including API Gateway, Lambda, DynamoDB, and S3, with minimal code changes, latency visualization, and bottleneck detection. Which solution is best?

A) Enable AWS X-Ray active tracing.

B) Use CloudWatch Logs Insights for manual correlation.

C) Deploy OpenTelemetry on EC2 instances.

D) Implement manual correlation IDs in code.

Answer: A)

Explanation

A) AWS X-Ray active tracing provides fully managed distributed tracing for serverless applications. It automatically captures segments and subsegments for Lambda, API Gateway, DynamoDB, and S3. The service map visualizes latency, errors, and bottlenecks across services. Minimal code changes are required—enabling active tracing on Lambda functions and optionally using the X-Ray SDK for custom subsegments. X-Ray scales automatically and integrates with CloudWatch dashboards for near real-time observability. This solution satisfies all requirements: serverless integration, minimal code changes, latency visualization, and end-to-end tracing.

B) CloudWatch Logs Insights allows querying logs for latency and errors. Manual correlation is possible but is labor-intensive, error-prone, and does not provide automated service maps or bottleneck detection. It is impractical for production-scale tracing and violates the minimal code-change requirement.

Question 136

A company is running multiple microservices on Amazon ECS Fargate and wants safe, automated canary deployments with traffic shifting, monitoring, and rollback in case of failures. Which solution is best?

A) ECS rolling updates with custom health check grace periods.

B) AWS CodeDeploy blue/green deployments integrated with ECS and ALB.

C) CloudFormation stack updates with rollback enabled.

D) ALB slow start mode for gradual traffic ramp-up.

Answer: B)

Explanation

A) ECS rolling updates gradually replace old tasks with new ones to maintain service availability. Configuring health check grace periods ensures that containers that take longer to initialize are not incorrectly marked as unhealthy. However, rolling updates do not provide automated rollback based on runtime application metrics. Traffic shifting occurs at the task level without fine-grained control over the percentage of traffic sent to new tasks. Additionally, rolling updates lack integrated monitoring for application-level errors, making this approach incomplete for safe canary deployments. It only ensures task replacement without progressive traffic management or automatic rollback if the new version fails.

B) AWS CodeDeploy blue/green deployments is a fully managed canary deployment strategy integrated with ECS and ALB. It allows the creation of a new target group for updated services and enables incremental traffic shifting from the old version to the new version. Health checks from the ALB and CloudWatch metrics monitor the new tasks, and traffic can be automatically rolled back if failures are detected. This deployment approach is declarative, automated, and ECS-native, requiring minimal operational effort. It ensures safe, progressive deployments, automatic monitoring, and rollback capabilities, fully meeting production requirements.

C) CloudFormation stack updates provide rollback for infrastructure-level errors during resource creation. While CloudFormation ensures template consistency and can rollback failed resource updates, it does not manage application-level monitoring, traffic shifting, or automatic rollback based on performance. This makes CloudFormation unsuitable for fully orchestrated canary deployments that require runtime metrics to trigger rollback.

D) ALB slow start mode gradually increases traffic to new targets to avoid overloading containers. While this mitigates initial load spikes, it does not orchestrate deployment, monitor application health, or automatically rollback. Slow start is only a traffic ramp-up feature and cannot manage the deployment lifecycle on its own.

Why the correct answer is B): AWS CodeDeploy blue/green deployments provide fully automated, safe canary deployment orchestration with traffic shifting, monitoring, and rollback. Other options address only partial aspects and are insufficient for production-grade canary deployment strategies.

Question 137

A company stores high-volume logs in Amazon S3 and requires a serverless solution to extract structured fields, index data, and enable fast search queries. Which solution is best?

A) Deploy ELK stack on EC2.

B) Use S3 Select for querying logs.

C) Amazon OpenSearch Serverless with S3 ingestion pipelines.

D) Store logs in DynamoDB with Global Secondary Indexes.

Answer: C)

Explanation

A) Deploying an ELK stack on EC2 provides comprehensive log analytics, including Kibana dashboards and full-text search capabilities. However, this solution requires provisioning, scaling, and maintaining EC2 instances, which violates the requirement for a serverless architecture. High-volume log ingestion adds operational overhead for monitoring, capacity planning, and patch management, making this approach unsuitable for a serverless solution.

B) S3 Select allows SQL-like queries on individual S3 objects. While useful for ad hoc queries on a few objects, it cannot index multiple objects or support scalable full-text search across large datasets. S3 Select also lacks aggregation, visualization, and near real-time analytics capabilities, making it impractical for production-grade log analysis.

C) Amazon OpenSearch Serverless is a fully managed, serverless solution for log analytics. It integrates with S3 ingestion pipelines to automatically index incoming log data. It supports structured field extraction, full-text search, aggregation, and near real-time queries. OpenSearch Serverless scales automatically without server management and integrates with monitoring and alerting tools. This approach fulfills all requirements: serverless operation, automated indexing, fast query performance, and minimal operational burden.

D) DynamoDB with Global Secondary Indexes provides fast lookups for structured data. However, it cannot efficiently handle unstructured log data or provide full-text search capabilities at scale. Using DynamoDB would require additional infrastructure like OpenSearch, adding operational complexity and cost.

Why the correct answer is C): OpenSearch Serverless delivers a scalable, serverless, fully managed solution for log analytics, automated indexing, and fast query performance. Other options require servers, lack search functionality, or are operationally intensive.

Question 138

A DevOps team wants to reduce AWS Lambda cold start latency for high-traffic functions while controlling costs for low-traffic functions. Which solution is best?

A) Enable Provisioned Concurrency for high-traffic functions.

B) Increase memory allocation for all Lambda functions.

C) Deploy Lambda functions in a VPC.

D) Replace Lambda with ECS Fargate tasks.

Answer: A)

Explanation

A) Provisioned Concurrency pre-warms Lambda execution environments to eliminate cold start latency. Applying it only to high-traffic functions ensures latency-sensitive endpoints remain responsive while low-traffic functions stay on-demand, keeping costs under control. This is a serverless-native solution that optimizes performance without unnecessary operational overhead or cost.

B) Increasing memory allocation slightly improves CPU and initialization speed, which may marginally reduce cold start latency. However, it does not eliminate cold starts and increases costs for all functions, including low-traffic ones. This approach is less efficient than selective Provisioned Concurrency.

C) Deploying Lambda in a VPC historically increases cold start latency due to ENI initialization overhead. While recent networking improvements have mitigated some delays, VPC deployment does not prevent cold starts and adds complexity, making it a suboptimal solution.

D) Replacing Lambda with ECS Fargate tasks avoids cold starts because containers are long-lived. However, this introduces operational overhead for task management, scaling, and monitoring. It also violates the minimal code-change requirement and may increase costs due to always-on resources.

Question 139

A company requires pre-deployment enforcement of compliance policies on Terraform modules deployed via CI/CD pipelines. Policies include mandatory tags, encryption, and restricted resource types. Violations must block deployment. Which solution is best?

A) AWS Config rules.

B) Sentinel policies in Terraform Cloud/Enterprise.

C) Git pre-commit hooks.

D) CloudFormation Guard.

Answer: B)

Explanation

A) AWS Config rules operate after resources are deployed. They can detect noncompliance and trigger remediation but cannot block Terraform modules from being applied. Config is reactive and does not satisfy the pre-deployment requirement.

B) Sentinel policies provide policy-as-code enforcement within Terraform Cloud/Enterprise. Policies are evaluated during terraform plan or terraform apply. Violations fail the run, automatically preventing deployment. Sentinel supports tag enforcement, encryption requirements, and restricting resource types. Integration with CI/CD ensures automated, pre-deployment governance, preventing noncompliant resources from reaching production. This solution fully satisfies pre-deployment compliance requirements.

C) Git pre-commit hooks enforce rules locally on developer machines but are bypassable and cannot reliably integrate with CI/CD pipelines. They do not prevent Terraform applies and are insufficient for automated policy enforcement.

D) CloudFormation Guard validates CloudFormation templates but is incompatible with Terraform modules without conversion, adding operational complexity. It cannot enforce policies in Terraform CI/CD pipelines natively.

Question 140

A) Enable AWS X-Ray active tracing.

B) Use CloudWatch Logs Insights for manual correlation.

C) Deploy OpenTelemetry on EC2 instances.

D) Implement manual correlation IDs in code.

Answer: A)

Explanation

A) AWS X-Ray active tracing provides fully managed distributed tracing for serverless applications. It automatically captures segments and subsegments for Lambda, API Gateway, DynamoDB, and S3. The service map visualizes latency, errors, and bottlenecks. Minimal code changes are required—enable active tracing on Lambda functions and optionally use the X-Ray SDK for custom subsegments. X-Ray scales automatically and integrates with CloudWatch dashboards for near real-time observability. This solution meets all requirements: serverless integration, minimal code changes, latency visualization, and end-to-end tracing.

C) Deploying OpenTelemetry on EC2 introduces operational overhead. Each service requires instrumentation, and collectors must be deployed, scaled, and maintained. OpenTelemetry does not integrate natively with serverless services, making it unsuitable for minimal-code solutions.

Related posts: