










































The AWS DevOps Engineer Professional Ultimate Exam is a comprehensive preparation solution for advanced DevOps professionals working within AWS environments. It covers CI/CD automation, infrastructure as code, monitoring, logging, security automation, deployment strategies, containerization, and operational resilience. Learners strengthen their understanding of DevOps methodologies and AWS automation tools while mastering advanced cloud engineering concepts. Practice scenarios and professional-level assessments help candidates prepare effectively for demanding certification objectives.
Typology: Exams

Question 1. Which AWS service is primarily used to orchestrate end‑to‑end CI/CD pipelines across multiple AWS accounts?
A) AWS CodeCommit
B) AWS CodePipeline
C) AWS CodeBuild
D) AWS CodeDeploy
Answer: B
Explanation: CodePipeline provides a visual workflow to define stages, actions, and approvals, and can invoke cross‑account resources via IAM roles.

Question 2. In a Gitflow branching strategy implemented with AWS CodeCommit, which branch typically contains the production‑ready code?
A) feature/*
B) develop
C) release/*
D) master/main
Answer: D
Explanation: The master (or main) branch holds the stable, production‑ready code; develop is used for integration before release.

Question 3. Which file defines the build commands and environment variables for an AWS CodeBuild project?
A) buildspec.yml
B) Dockerfile
C) pom.xml
D) package.json
Answer: A
Explanation: buildspec.yml is the declarative file that CodeBuild reads to run phases, install dependencies, and set environment variables.

Question 4. When storing build artifacts in Amazon S3 for later use by CodeDeploy, which S3 feature helps guarantee that only the intended pipeline can read the artifacts?
A) S3 Transfer Acceleration
B) S3 Object Lock
C) S3 Bucket Policy with IAM role condition
D) S3 Versioning
Answer: C
Explanation: A bucket policy that allows access only from the specific CodePipeline IAM role enforces least‑privilege access to artifacts.

Question 5. Which deployment strategy shifts a fixed percentage of traffic to the new version each minute until 100 % is reached?
A) Blue/Green
B) Canary
C) Linear
D) Rolling update
Answer: C
Explanation: Linear deployments move a constant increment of traffic (e.g., 10 % per minute) until the new version receives all traffic.

Question 6. For AWS Lambda, which combination of resources enables traffic shifting between two function versions?
A) Layers and Environment Variables
B) Aliases and Versions
C) Event Sources and Destinations
D) Reserved Concurrency and Provisioned Concurrency
Answer: B
Explanation: Lambda versions are immutable snapshots; aliases point to a version and can split traffic between two versions for canary or linear shifts.

Question 10. When using AWS CDK, which construct represents a reusable, encapsulated piece of infrastructure?
A) Stack
B) App
C) Construct
D) Resource
Answer: C
Explanation: In CDK, a Construct is the basic building block that can be composed to create higher‑level abstractions like Stacks.

Question 11. Which CloudFormation intrinsic function allows you to reference an output value from a different stack?
A) !Ref
B) !GetAtt
C) !ImportValue
D) !Sub
Answer: C
Explanation: !ImportValue enables cross‑stack references by importing exported output values from another stack.

Question 12. Which AWS Systems Manager capability can enforce a specific package version on all managed instances?
A) Patch Manager
B) State Manager
C) Distributor
D) Session Manager
Answer: B
Explanation: State Manager applies a defined configuration (including package versions) to target instances on a schedule or continuously.

Question 13. To rotate database credentials automatically in an Amazon RDS instance, which service should you use?
A) AWS Secrets Manager with rotation Lambda
B) AWS KMS key rotation
C) AWS Config managed rule
D) AWS Systems Manager Parameter Store
Answer: A
Explanation: Secrets Manager can store RDS credentials and invoke a Lambda function on a schedule to rotate them without downtime.

Question 14. Which AWS Config rule helps ensure that S3 buckets are not publicly readable?
A) s3-bucket-logging-enabled
B) s3-bucket-versioning-enabled
C) s3-bucket-public-read-prohibited
D) s3-bucket-encryption-enabled
Answer: C
Explanation: The managed rule s3-bucket-public-read-prohibited checks for public READ ACLs or bucket policies.

Question 15. In a multi‑region architecture, which Route 53 routing policy is best suited for active‑active traffic distribution?
A) Simple
B) Weighted
C) Latency‑based
D) Failover
Answer: B
Explanation: Weighted routing allows you to assign traffic percentages to each region, enabling active‑active distribution.

Question 19. Which CloudWatch Logs feature allows you to query log data using a SQL‑like syntax?
A) Metric Filters
B) Subscription Filters
C) Log Insights
D) Retention Policies
Answer: C
Explanation: CloudWatch Logs Insights provides an interactive query language to analyze log events.

Question 20. Which AWS service records every API call made in an AWS account for audit purposes?
A) AWS Config
B) AWS CloudTrail
C) Amazon GuardDuty
D) AWS Security Hub
Answer: B
Explanation: CloudTrail captures API activity across services, providing a comprehensive audit trail.

Question 21. When enabling VPC Flow Logs, which destination can you choose to store the logs?
A) Amazon S3 only
B) Amazon CloudWatch Logs only
C) Both Amazon S3 and CloudWatch Logs
D) Amazon RDS
Answer: C
Explanation: Flow logs can be sent to either CloudWatch Logs, S3, or both, depending on analysis needs.

Question 22. Which CloudWatch feature can automatically create an alarm when a metric deviates from its historical pattern?
A) Composite Alarms
B) Anomaly Detection
C) Metric Math
D) Statistic Sets
Answer: B
Explanation: Anomaly Detection applies machine learning to a metric’s baseline and triggers alarms on abnormal behavior.

Question 23. In AWS X‑Ray, what does a “segment” represent?
A) An entire trace for a request
B) A single downstream service call within a trace
C) A CloudWatch metric alarm
D) A Lambda function version
Answer: B
Explanation: A segment records information about a single component (e.g., Lambda, EC2) that participated in the request.

Question 24. Which AWS Health Dashboard component provides proactive notifications about upcoming service changes?
A) Health Events
B) Personal Health Dashboard (PHD)
C) Health Advisories
D) Service Health Dashboard
Answer: B
Explanation: The Personal Health Dashboard gives account‑specific alerts, including scheduled maintenance and service degradation.

Question 25. Which EventBridge pattern is used to trigger a remediation Lambda when an EC2 instance changes state to “stopped”?
A) Scheduled Expression

B) AWS Auto Scaling
C) Elastic Load Balancing (ELB)
D) Amazon Route 53
Answer: C
Explanation: ELB health checks continuously probe targets; unhealthy targets are deregistered, prompting Auto Scaling to replace them.

Question 29. Which AWS Organizations feature allows you to restrict the use of specific services across member accounts?
A) Service Control Policies (SCPs)
B) Consolidated Billing
C) Tag Policies
D) Organizational Units (OUs) only
Answer: A
Explanation: SCPs are policy documents attached to OUs or accounts that whitelist or blacklist AWS service actions.

Question 30. Which AWS Config rule type can evaluate compliance without requiring a separate Lambda function?
A) Managed rule
B) Custom rule with Lambda
C) Custom rule with EventBridge
D) Aggregator rule
Answer: A
Explanation: Managed rules are pre‑built by AWS and run in a managed environment; they do not need user‑supplied Lambda code.

Question 31. Which IAM feature helps you discover resources that a principal can access, assisting in least‑privilege design?
A) IAM Access Analyzer
B) IAM Policy Simulator
C) IAM Role Trust Policy
D) IAM Permissions Boundaries
Answer: A
Explanation: Access Analyzer examines policies and generates findings about external access, guiding least‑privilege adjustments.

Question 32. Which AWS service can automatically scan container images stored in Amazon ECR for known vulnerabilities?
A) Amazon Inspector
B) Amazon GuardDuty
C) Amazon Macie
D) AWS Security Hub
Answer: A
Explanation: Amazon Inspector (image scanning) examines ECR images for CVEs and reports findings that can be integrated into CI/CD.

Question 33. Which Amazon S3 feature can be used to enforce object‑level encryption at rest without modifying application code?
A) S3 Transfer Acceleration
B) S3 Bucket Policy with aws:kms key condition
C) S3 Versioning
D) S3 Event Notifications
Answer: B
Explanation: A bucket policy can require that PUT requests include the x‑amz‑server‑side‑encryption header with a specific KMS key.

Question 34. Which AWS CodeDeploy deployment type is best suited for updating an Auto Scaling group without downtime?
A) In‑place deployment

C) dynamodb.CfnTable
D) dynamodb.TableAttributes
Answer: B
Explanation: The high‑level dynamodb.Table construct defaults to on‑demand capacity unless provisioned capacity is specified.

Question 38. Which AWS service provides a centralized view of compliance findings from Config, Inspector, GuardDuty, and Security Hub?
A) AWS Audit Manager
B) AWS Organizations
C) AWS Control Tower
D) AWS Artifact
Answer: A
Explanation: Audit Manager aggregates evidence from multiple services to generate compliance reports.

Question 39. Which CloudWatch metric would you monitor to detect a sudden increase in request latency for an Application Load Balancer?
A) RequestCount
B) TargetResponseTime
C) HealthyHostCount
D) HTTPCode_ELB_5XX_Count
Answer: B
Explanation: TargetResponseTime measures the time taken for targets to respond, directly reflecting latency.

Question 40. Which SSM Parameter Store tier allows you to store a parameter value up to 8 KB and use versioning?
A) Standard
B) Advanced
C) Secure
D) Hierarchical
Answer: B
Explanation: Advanced parameters support larger size (up to 8 KB) and versioning, while Standard is limited to 4 KB.

Question 41. When using AWS CodeArtifact as a Maven repository, which file must you configure to point to the repository URL?
A) settings.xml
B) pom.xml
C) build.gradle
D) .npmrc
Answer: A
Explanation: Maven’s settings.xml defines server credentials and repository URLs for CodeArtifact.

Question 42. Which AWS service can automatically remediate non‑compliant S3 bucket encryption by applying a default KMS key?
A) AWS Config with a custom remediation Lambda
B) AWS Config with a managed rule and automatic remediation
C) AWS Security Hub
D) AWS Control Tower
Answer: B
Explanation: The managed Config rule s3-bucket-server-side-encryption-enabled can be set to automatically remediate by applying a default KMS key.

Question 43. Which Amazon EC2 feature allows you to create a snapshot of a running instance without stopping it?
A) AMI creation from instance store
B) Live migration

C) Build
D) Deploy
Answer: B
Explanation: The Approval action pauses the pipeline until a designated reviewer clicks “Approve”.

Question 47. Which AWS service provides a serverless, fully managed Git repository that integrates natively with CodePipeline?
A) AWS CodeCommit
B) AWS CodeDeploy
C) AWS CodeStar
D) AWS Amplify Console
Answer: A
Explanation: CodeCommit hosts Git repositories and can be a source action in CodePipeline.

Question 48. Which Amazon RDS feature enables point‑in‑time recovery for a MySQL instance?
A) Multi‑AZ deployment
B) Read Replica
C) Automated Backups with retention period > 0
D) Storage Auto‑Scaling
Answer: C
Explanation: Automated backups retain transaction logs enabling point‑in‑time recovery within the retention window.

Question 49. Which AWS service can be used to centrally manage KMS key policies across multiple accounts?
A) AWS Organizations
B) AWS CloudHSM
C) AWS KMS multi‑region keys
D) AWS Control Tower
Answer: C
Explanation: Multi‑Region keys let you replicate a KMS key in several regions, simplifying policy management across accounts.

Question 50. Which EC2 instance metadata option should you enable to protect against SSRF attacks?
A) IMDSv1 only
B) IMDSv2 with token requirement
C) Disable metadata service
D) Enable metadata service on IPv6 only
Answer: B
Explanation: IMDSv2 requires a session token, mitigating Server‑Side Request Forgery vulnerabilities.

Question 51. Which CloudWatch Logs retention setting automatically deletes log events older than 30 days?
A) Never Expire
B) Expire after 14 days
C) Expire after 30 days
D) Expire after 90 days
Answer: C
Explanation: Setting retention to 30 days tells CloudWatch to purge events older than that period.

Question 52. Which Amazon VPC component can be used to inspect traffic between subnets without exposing it to the internet?
A) NAT Gateway
B) VPC Endpoint
C) Transit Gateway
D) VPC Traffic Mirroring
Answer: D

Explanation: CloudFormer (now deprecated) could create a template from live resources; currently no fully supported native service exists.

Question 56. Which IAM policy element is used to restrict actions to a specific AWS Region?
A) Action
B) Resource
C) Condition with aws:RequestedRegion
D) Effect
Answer: C
Explanation: The Condition key aws:RequestedRegion limits the policy to calls made in the specified region.

Question 57. Which AWS service provides a fully managed, Git‑based source control that also offers built‑in CI/CD capabilities for container images?
A) AWS CodeCommit
B) Amazon ECR
C) AWS CodeBuild
D) AWS CodeStar
Answer: D
Explanation: CodeStar provides a unified project dashboard with integrated source control and pipelines for containers.

Question 58. Which CloudWatch metric should be used to detect a sudden increase in Lambda function errors?
A) Invocations
B) Errors
C) Throttles
D) Duration
Answer: B
Explanation: The Errors metric counts the number of invocations that resulted in an error, ideal for alerting on failures.

Question 59. Which AWS Config aggregation feature lets you view compliance data from multiple accounts and regions in a single place?
A) Config Rules
B) Config Conformance Packs
C) Aggregator
D) Recorder
Answer: C
Explanation: An Aggregator collects configuration and compliance data across accounts/regions for centralized analysis.

Question 60. Which AWS service can enforce encryption of data in transit for all services that support TLS, using a central policy?
A) AWS Shield
B) AWS WAF
C) AWS Certificate Manager (ACM) with Private CA
D) AWS Config with a custom rule
Answer: D
Explanation: A custom Config rule can evaluate whether services have TLS enabled and flag non‑compliant resources.

Question 61. Which AWS feature allows you to run a Lambda function on a schedule without using CloudWatch Events?
A) EventBridge Scheduler
B) Step Functions
C) SSM Maintenance Window
D) CodeDeploy Deployment Group
Answer: A