Mock-Test Window

20 Questions

Aws devops engineer professional Quiz

1 :-

A company wants to use Amazon ECS to provide a Docker container runtime environment. For
compliance reasons, all Amazon EBS volumes used in the ECS cluster must be encrypted. Rolling
updates will be made to the cluster instances and the company wants the instances drained of all
tasks before being terminated.

How can these requirements be met? (Choose two.)

Modify The Default Ecs Ami User Data To Create A Script That Executes Docker Rm –f {id} For All Running Container Instances. Copy The Script To The /etc/init.d/rc.d Directory And Execute Chconfig Enabling The Script To Run During Operating System Shutdown. Use Aws Codepipeline To Build A Pipeline That Discovers The Latest Amazon-provided Ecs Ami Then Copies The Image To An Encrypted Ami Outputting The Encrypted Ami Id. Use The Encrypted Ami Id When Deploying The Cluster. Copy The Default Aws Cloudformation Template That Ecs Uses To Deploy Cluster Instances. Modify The Template Resource Ebs Configuration Setting To Set ‘encrypted: True’ And Include The Aws Kms Alias: ‘aws/ebs’ To Encrypt The Ami. Create An Auto Scaling Lifecycle Hook Backed By An Aws Lambda Function That Uses The Aws Sdk To Mark A Terminating Instance As Draining. Prevent The Lifecycle Hook From Completing Until The Running Tasks On The Instance Are Zero. Create An Iam Role That Allows The Action Ecs::encryptedimage. Configure The Aws Cli And A Profile To Use This Role. Start The Cluster Using The Aws Cli Providing The --use-encrypted-image And --kms-key Arguments To The Create-cluster Ecs Command.

2 :-

A DevOps Engineer administers an application that manages video files for a video production
company. The application runs on Amazon EC2 instances behind an ELB Application Load
Balancer. The instances run in an Auto Scaling group across multiple Availability Zones. Data is
stored in an Amazon RDS PostgreSQL Multi-AZ DB instance, and the video files are stored in an
Amazon S3 bucket. On a typical day, 50 GB of new video are added to the S3 bucket. The
Engineer must implement a multi-region disaster recovery plan with the least data loss and the
lowest recovery times. The current application infrastructure is already described using AWS
CloudFormation.

Which deployment option should the Engineer choose to meet the uptime and recovery objectives
for the system?

3 :-

The Security team depends on AWS CloudTrail to detect sensitive security issues in the
company’s AWS account. The DevOps Engineer needs a solution to auto-remediate CloudTrail
being turned off in an AWS account.

What solution ensures the LEAST amount of downtime for the CloudTrail log deliveries?

Create An Amazon Cloudwatch Events Rule For The Cloudtrail Stoplogging Event. Create An Aws Lambda Function That Uses The Aws Sdk To Call Startlogging On The Arn Of The Resource In Which Stoplogging Was Called. Add The Lambda Function Arn As A Target To The Cloudwatch Events Rule. Deploy The Aws-managed Cloudtrail-enabled Aws Config Rule Set With A Periodic Interval Of 1 Hour. Create An Amazon Cloudwatch Events Rule For Aws Config Rules Compliance Change. Create An Aws Lambda Function That Uses The Aws Sdk To Call Startlogging On The Arn Of The Resource In Which Stoplogging Was Called. Add The Lambda Function Arn As A Target To The Cloudwatch Events Rule. Create An Amazon Cloudwatch Events Rule For A Scheduled Event Every 5 Minutes. Create An Aws Lambda Function That Uses The Aws Sdk To Call Startlogging On A Cloudtrail Trail In The Aws Account. Add The Lambda Function Arn As A Target To The Cloudwatch Events Rule. Launch A T2.nano Instance With A Script Running Every 5 Minutes That Uses The Aws Sdk To Query Cloudtrail In The Current Account. If The Cloudtrail Trail Is Disabled Have The Script Re-enable The Trail.

4 :-

The Development team at an online retailer has moved to Business support and wants to take
advantage of the AWS Health Dashboard and the AWS Health API to automate remediation
actions for issues with the health of AWS resources. The first use case is to respond to AWS
detecting an IAM access key that is listed on a public code repository site. The automated
response will be to delete the IAM access key and send a notification to the Security team.

How should this be achieved?

5 :-

A media customer has several thousand Amazon EC2 instances in an AWS account. The
customer is using a Slack channel for team communications and important updates. A DevOps
Engineer was told to send all AWS-scheduled EC2 maintenance notifications to the company
Slack channel.

Which method should the Engineer use to implement this process in the LEAST amount of steps?

Integrate Aws Trusted Advisor With Aws Config. Based On The Aws Config Rules Created The Aws Config Event Can Invoke An Aws Lambda Function To Send Notifications To The Slack Channel. Integrate Aws Personal Health Dashboard With Amazon Cloudwatch Events. Based On The Cloudwatch Events Created The Event Can Invoke An Aws Lambda Function To Send Notifications To The Slack Channel. Integrate Ec2 Events With Amazon Cloudwatch Monitoring. Based On The Cloudwatch Alarm Created The Alarm Can Invoke An Aws Lambda Function To Send Ec2 Maintenance Notifications To The Slack Channel. Integrate Aws Support With Aws Cloudtrail. Based On The Cloudtrail Lookup Event Created The Event Can Invoke An Aws Lambda Function To Pass Ec2 Maintenance Notifications To The Slack Channel.

6 :-

An Amazon EC2 instance with no internet access is running in a Virtual Private Cloud (VPC) and needs to download an object from a restricted Amazon S3 bucket. When the DevOps Engineer
tries to gain access to the object, an AccessDenied error is received.

What are the possible causes for this error? (Choose three.)

The S3 Bucket Default Encryption Is Enabled. There Is An Error In The S3 Bucket Policy. There Is An Error In The Vpc Endpoint Policy. The Object Has Been Moved To Amazon Glacier. There Is An Error In The Iam Role Configuration. S3 Versioning Is Enabled.

7 :-

A company is setting up a centralized logging solution on AWS and has several requirements. The
company wants its Amazon CloudWatch Logs and VPC Flow logs to come from different sub
accounts and to be delivered to a single auditing account. However, the number of sub accounts
keeps changing. The company also needs to index the logs in the auditing account to gather
actionable insight.

How should a DevOps Engineer implement the solution to meet all of the company’s
requirements?

Use Aws Lambda To Write Logs To Amazon Es In The Auditing Account. Create An Amazon Cloudwatch Subscription Filter And Use Amazon Kinesis Data Streams In The Sub Accounts To Stream The Logs To The Lambda Function Deployed In The Auditing Account Use Amazon Kinesis Streams To Write Logs To Amazon Es In The Auditing Account. Create A Cloudwatch Subscription Filter And Use Kinesis Data Streams In The Sub Accounts To Stream The Logs To The Kinesis Stream In The Auditing Account. Use Amazon Kinesis Firehose With Kinesis Data Streams To Write Logs To Amazon Es In The Amazon Aws Devops Engineer Professional Exam Auditing Account. Create A Cloudwatch Subscription Filter And Stream Logs From Sub Accounts To The Kinesis Stream In The Auditing Account Use Aws Lambda To Write Logs To Amazon Es In The Auditing Account. Create A Cloudwatch Subscription Filter And Use Lambda In The Sub Accounts To Stream The Logs To The Lambda Function Deployed In The Auditing Account.

8 :-

An Engineering team manages a Node.js e-commerce application. The current environment
consists of the following components:

Amazon S3 buckets for storing content

Amazon EC2 for the front-end web servers

AWS Lambda for executing image processing

Amazon DynamoDB for storing session-related data

The team expects a significant increase in traffic to the site. The application should handle the
additional load without interruption. The team ran initial tests by adding new servers to the EC2
front-end to handle the larger load, but the instances took up to 20 minutes to become fully
configured. The team wants to reduce this configuration time.

What changes will the Engineering team need to implement to make the solution the MOST
resilient and highly available while meeting the expected increase in demand?

Use Aws Opsworks To Automatically Configure Each New Ec2 Instance As It Is Launched. Configure The Ec2 Instances By Using An Auto Scaling Group Behind An Application Load Balancer Across Multiple Availability Zones. Implement Amazon Dynamodb Auto Scaling. Use Amazon Route 53 To Point The Application Dns Record To The Application Load Balancer. Deploy A Fleet Of Ec2 Instances Doubling The Current Capacity And Place Them Behind An Application Load Balancer. Increase The Amazon Dynamodb Read And Write Capacity Units. Add An Alias Record That Contains The Application Load Balancer Endpoint To The Existing Amazon Route 53 Dns Record That Points To The Application. Configure Amazon Cloudfront And Have Its Origin Point To Amazon S3 To Host The Web Application. Implement Amazon Dynamodb Auto Scaling. Use Amazon Route 53 To Point The Application Dns Record To The Cloudfront Dns Name. Use Aws Elastic Beanstalk With A Custom Ami Including All Web Components. Deploy The Platform By Using An Auto Scaling Group Behind An Application Load Balancer Across Multiple Availability Zones. Implement Amazon Dynamodb Auto Scaling. Use Amazon Route 53 To Point The Application Dns Record To The Elastic Beanstalk Load Balancer.

9 :-

A company has developed a static website hosted on an Amazon S3 bucket. The website is
deployed using AWS CloudFormation. The CloudFormation template defines an S3 bucket and a
custom resource that copies content into the bucket from a source location.

The company has decided that it needs to move the website to a new location, so the existing
CloudFormation stack must be deleted and re-created. However, CloudFormation reports that the
stack could not be deleted cleanly.

What is the MOST likely cause and how can the DevOps Engineer mitigate this problem for this
and future versions of the website?

Deletion Has Failed Because The S3 Bucket Has An Active Website Configuration. Modify The Cloudformation Template To Remove The Websiteconfiguration Property From The S3 Bucket Resource. Deletion Has Failed Because The S3 Bucket Is Not Empty. Modify The Custom Resource’s Aws Lambda Function Code To Recursively Empty The Bucket When Requesttype Is Delete. Deletion Has Failed Because The Custom Resource Does Not Define A Deletion Policy. Add A Deletionpolicy Property To The Custom Resource Definition With A Value Of Removeondeletion. Deletion Has Failed Because The S3 Bucket Is Not Empty. Modify The S3 Bucket Resource In The Cloudformation Template To Add A Deletionpolicy Property With A Value Of Empty.

10 :-

A DevOps Engineer has been asked by the Security team to ensure that AWS CloudTrail files are
not tampered with after being created. Currently, there is a process with multiple trails, using AWS
IAM to restrict access to specific trails. The Security team wants to ensure they can trace the
integrity of each file and make sure there has been no tampering.

Which option will require the LEAST effort to implement and ensure the legitimacy of the file while
allowing the Security team to prove the authenticity of the logs?

Create An Amazon Cloudwatch Events Rule That Triggers An Aws Lambda Function When A New File Is Delivered. Configure The Lambda Function To Perform An Md5 Hash Check On The File Store The Name And Location Of The File And Post The Returned Hash To An Amazon Dynamodb Table. The Security Team Can Use The Values Stored In Dynamodb To Verify The File Authenticity. Enable The Cloudtrail File Integrity Feature On An Amazon S3 Bucket. Create An Iam Policy That Grants The Security Team Access To The File Integrity Logs Stored In The S3 Bucket. Enable The Cloudtrail File Integrity Feature On The Trail. Use The Digest File Created By Cloudtrail To Verify The Integrity Of The Delivered Cloudtrail Files. Create An Aws Lambda Function That Is Triggered Each Time A New File Is Delivered To The Cloudtrail Bucket. Configure The Lambda Function To Execute An Md5 Hash Check On The File And Store The Result On A Tag In An Amazon S3 Object. The Security Team Can Use The Information On The Tag To Verify The Integrity Of The File.

11 :-

A Development team is building more than 40 applications. Each app is a three-tiered web
application based on an ELB Application Load Balancer, Amazon EC2, and Amazon RDS.
Because the applications will be used internally, the Security team wants to allow access to the 40
applications only from the corporate network and block access from external IP addresses. The
corporate network reaches the internet through proxy servers. The proxy servers have 12 proxy IP
addresses that are being changed one or two times per month. The Network Infrastructure team
manages the proxy servers; they upload the file that contains the latest proxy IP addresses into an
Amazon S3 bucket. The DevOps Engineer must build a solution to ensure that the applications are
accessible from the corporate network.

Which solution achieves these requirements with MINIMAL impact to application development,
MINIMAL operational effort, and the LOWEST infrastructure cost?

Implement An Aws Lambda Function To Read The List Of Proxy Ip Addresses From The S3 Object And To Update The Elb Security Groups To Allow Https Only From The Given Ip Addresses. Configure The S3 Bucket To Invoke The Lambda Function When The Object Is Updated. Save The Ip Address List To The S3 Bucket When They Are Changed Ensure That All The Applications Are Hosted In The Same Virtual Private Cloud (vpc). Otherwise Consolidate The Applications Into A Single Vpc. Establish An Aws Direct Connect Connection With An Active/standby Configuration. Change The Elb Security Groups To Allow Only Inbound Https Connections From The Corporate Network Ip Addresses. Implement A Python Script With The Aws Sdk For Python (boto) Which Downloads The S3 Object That Contains The Proxy Ip Addresses Scans The Elb Security Groups And Updates Them To Allow Only Https Inbound From The Given Ip Addresses. Launch An Ec2 Instance And Store The Script In The Instance. Use A Cron Job To Execute The Script Daily. Enable Elb Security Groups To Allow Https Inbound Access From The Internet. Use Amazon Cognito To Integrate The Company's Active Directory As The Identity Provider. Change The 40 Applications To Integrate With Amazon Cognito So That Only Company Employees Can Log Into The Application. Save The User Access Logs To Amazon Cloudwatch Logs To Record User Access Activities.

12 :-

A Developer is designing a continuous deployment workflow for a new Development team to
facilitate the process for source code promotion in AWS. Developers would like to store and
promote code for deployment from development to production while maintaining the ability to roll
back that deployment if it fails.

Which design will incur the LEAST amount of downtime?

Create One Repository In Aws Codecommit. Create A Development Branch To Hold Merged Changes. Use Aws Codebuild To Build And Test The Code Stored In The Development Branch Triggered On A New Commit. Merge To The Master And Deploy To Production By Using Aws Codedeploy For A Blue/green Deployment. Create One Repository For Each Developer In Aws Codecommit And Another Repository To Hold The Production Code. Use Aws Codebuild To Merge Development And Production Repositories And Deploy To Production By Using Aws Codedeploy For A Blue/green Deployment. Create One Repository For Development Code In Aws Codecommit And Another Repository To Hold The Production Code. Use Aws Codebuild To Merge Development And Production Repositories And Deploy To Production By Using Aws Codedeploy For A Blue/green Deployment. Create A Shared Amazon S3 Bucket For The Development Team To Store Their Code. Set Up An Amazon Cloudwatch Events Rule To Trigger An Aws Lambda Function That Deploys The Code To Production By Using Aws Codedeploy For A Blue/green Deployment.

13 :-

A startup company is developing a web application on AWS. It plans to use Amazon RDS for
persistence and deploy the application to Amazon EC2 with an Auto Scaling group. The company
would also like to separate the environments for development, testing, and production.

What is the MOST secure approach to manage the application configuration?

Create A Property File To Include The Configuration And The Encrypted Passwords. Check In The Property File To The Source Repository Package The Property File With The Application And Deploy The Application. Create An Environment Tag For The Ec2 Instances And Tag The Instances Respectively. The Application Will Extract The Necessary Property Values Based On The Environment Tag. Create A Property File For Each Environment To Include The Environment-specific Configuration And An Encrypted Password. Check In The Property Files To The Source Repository. During Deployment Use Only The Environment-specific Property File With The Application. The Application Will Read The Needed Property Values From The Deployed Property File. Create A Property File For Each Environment To Include The Environment-specific Configuration. Create A Private Amazon S3 Bucket And Save The Property Files In The Bucket. Save The Passwords In The Bucket With Aws Kms Encryption. During Deployment The Application Will Read The Needed Property Values From The Environment-specific Property File In The S3 Bucket. Create A Property File For Each Environment To Include The Environment-specific Configuration. Create A Private Amazon S3 Bucket And Save The Property Files In The Bucket. Save The Encrypted Passwords In The Aws Systems Manager Parameter Store. Create An Environment Tag For The Ec2 Instances And Tag The Instances Respectively. The Application Will Read The Needed Property Values From The Environment-specific Property File In The S3 Bucket And The Parameter Store.

14 :-

A Development team is currently using AWS CodeDeploy to deploy an application revision to an
Auto Scaling group. If the deployment process fails, it must be rolled back automatically and a
notification must be sent.

What is the MOST effective configuration that can satisfy all of the requirements?

Create Amazon Cloudwatch Events Rules For Codedeploy Operations. Configure A Cloudwatch Events Rule To Send Out An Amazon Sns Message When The Deployment Fails. Configure Codedeploy To Automatically Roll Back When The Deployment Fails. Use Available Amazon Cloudwatch Metrics For Codedeploy To Create Cloudwatch Alarms. Configure Cloudwatch Alarms To Send Out An Amazon Sns Message When The Deployment Fails. Use Aws Cli To Redeploy A Previously Deployed Revision. Configure A Codedeploy Agent To Create A Trigger That Will Send Notification To Amazon Sns Topics When The Deployment Fails. Configure Codedeploy To Automatically Roll Back When The Deployment Fails. Use Aws Cloudtrail To Monitor Api Calls Made By Or On Behalf Of Codedeploy In The Aws Account. Send An Amazon Sns Message When Deployment Fails. Use Aws Cli To Redeploy A Previously Deployed Revision.

15 :-

A large enterprise is deploying a web application on AWS. The application runs on Amazon EC2
instances behind an Application Load Balancer. The instances run in an Auto Scaling group
across multiple Availability Zones. The application stores data in an Amazon RDS Oracle DB
instance and Amazon DynamoDB. There are separate environments for development, testing, and
production.

What is the MOST secure and flexible way to obtain password credentials during deployment?

Retrieve An Access Key From An Aws Systems Manager Securestring Parameter To Access Aws Services. Retrieve The Database Credentials From A Systems Manager Securestring Parameter. Launch The Ec2 Instances With An Ec2 Iam Role To Access Aws Services. Retrieve The Database Credentials From Aws Secrets Manager. Retrieve An Access Key From An Aws Systems Manager Plaintext Parameter To Access Aws Services. Retrieve The Database Credentials From A Systems Manager Securestring Parameter. Launch The Ec2 Instances With An Ec2 Iam Role To Access Aws Services. Store The Database Passwords In An Encrypted Config File With The Application Artifacts.

16 :-

An online retail company based in the United States plans to expand its operations to Europe and
Asia in the next six months. Its product currently runs on Amazon EC2 instances behind an
Application Load Balancer. The instances run in an Amazon EC2 Auto Scaling group across
multiple Availability Zones. All data is stored in an Amazon Aurora database instance.

When the product is deployed in multiple regions, the company wants a single product catalog
across all regions, but for compliance purposes, its customer information and purchases must be
kept in each region.

How should the company meet these requirements with the LEAST amount of application
changes?

Use Amazon Redshift For The Product Catalog And Amazon Dynamodb Tables For The Customer Information And Purchases Use Amazon Dynamodb Global Tables For The Product Catalog And Regional Tables For The Customer Information And Purchases. Use Aurora With Read Replicas For The Product Catalog And Additional Local Aurora Instances In Each Region For The Customer Information And Purchases. Use Aurora For The Product Catalog And Amazon Dynamodb Global Tables For The Customer Information And Purchases.

17 :-

An online company uses Amazon EC2 Auto Scaling extensively to provide an excellent customer
experience while minimizing the number of running EC2 instances. The company’s self-hosted
Puppet environment in the application layer manages the configuration of the instances. The IT
manager wants the lowest licensing costs and wants to ensure that whenever the EC2 Auto
Scaling group scales down, removed EC2 instances are deregistered from the Puppet master as
soon as possible.

How can the requirement be met?

18 :-

A company is migrating an application to AWS that runs on a single Amazon EC2 instance.
Because of licensing limitations, the application does not support horizontal scaling. The
application will be using Amazon Aurora for its database.

How can the DevOps Engineer architect automated healing to automatically recover from EC2 and

Aurora failures, in addition to recovering across Availability Zones (AZs), in the MOST cost-
effective manner?

Create An Ec2 Auto Scaling Group With A Minimum And Maximum Instance Count Of 1 And Have It Span Across Azs. Use A Single-node Aurora Instance. Create An Ec2 Instance And Enable Instance Recovery. Create An Aurora Database With A Read Replica In A Second Az And Promote It To A Primary Database Instance If The Primary Database Instance Fails. Create An Amazon Cloudwatch Events Rule To Trigger An Aws Lambda Function To Start A New Ec2 Instance In An Available Az When The Instance Status Reaches A Failure State. Create An Aurora Database With A Read Replica In A Second Az And Promote It To A Primary Database Instance When The Primary Database Instance Fails. Assign An Elastic Ip Address On The Instance. Create A Second Ec2 Instance In A Second Az. Create An Amazon Cloudwatch Events Rule To Trigger An Aws Lambda Function To Move The Elastic Ip Address To The Second Instance When The First Instance Fails. Use A Single-node Aurora Instance.

19 :-

A company runs a production application workload in a single AWS account that uses Amazon
Route 53, AWS Elastic Beanstalk, and Amazon RDS. In the event of a security incident, the
Security team wants the application workload to fail over to a new AWS account. The Security
team also wants to block all access to the original account immediately, with no access to any
AWS resources in the original AWS account, during forensic analysis.

What is the most cost-effective way to prepare to fail over to the second account prior to a security
incident?

Migrate The Amazon Route 53 Configuration To A Dedicated Aws Account. Mirror The Elastic Beanstalk Configuration In A Different Account. Enable Rds Database Read Replicas In A Different Account. Migrate The Amazon Route 53 Configuration To A Dedicated Aws Account. Save/copy The Elastic Beanstalk Configuration Files In A Different Aws Account. Copy Snapshots Of The Rds Database To A Different Account. Save/copy The Amazon Route 53 Configurations For Use In A Different Aws Account After An Incident. Save/copy Elastic Beanstalk Configuration Files To A Different Account. Enable The Rds Database Read Replica In A Different Account. Save/copy The Amazon Route 53 Configurations For Use In A Different Aws Account After An Incident. Mirror The Configuration Of Elastic Beanstalk In A Different Account. Copy Snapshots Of The Rds Database To A Different Account.

20 :-

A DevOps Engineer is deploying a new web application. The company chooses AWS Elastic
Beanstalk for deploying and managing the web application, and Amazon RDS MySQL to handle
persistent data. The company requires that new deployments have minimal impact if they fail. The
application resources must be at full capacity during deployment, and rolling back a deployment
must also be possible.

Which deployment sequence will meet these requirements?

Deploy The Application Using Elastic Beanstalk And Connect To An External Rds Mysql Instance Using Elastic Beanstalk Environment Properties. Use Elastic Beanstalk Features For A Blue/green Deployment To Deploy The New Release To A Separate Environment And Then Swap The Cname In The Two Environments To Redirect Traffic To The New Version. Deploy The Application Using Elastic Beanstalk And Include Rds Mysql As Part Of The Environment. Use Default Elastic Beanstalk Behavior To Deploy Changes To The Application And Let Rolling Updates Deploy Changes To The Application. Deploy The Application Using Elastic Beanstalk And Include Rds Mysql As Part Of The Environment. Use Elastic Beanstalk Immutable Updates For Application Deployments. Deploy The Application Using Elastic Beanstalk And Connect To An External Rds Mysql Instance Using Elastic Beanstalk Environment Properties. Use Elastic Beanstalk Immutable Updates For Application Deployments.

Back

Aws devops engineer professional Quiz

🏅