Exam: AWS Certified DevOps Engineer - Professional

Answer: CDF ✅ Explanation -To minimize application response times and improve availability across multiple continents, you need to: -Deploy application resources (EC2, ALB) in the new Region. -Ensure the database (DynamoDB) supports cross-Region replication. -Route user traffic based on latency to the closest Region. ✅ Explanation of Correct Answers: C. Create new ALB and Auto Scaling group resources in the new Region and configure the new ALB to direct traffic to the new Auto Scaling group. Why: You must deploy the application backend in the new Region for local users. -Ensures EC2-based compute resources are available near the users, reducing latency. D. Create Amazon Route 53 records, health checks, and latency-based routing policies to route to the ALB. Why: Latency-based routing in Route 53 sends each user to the Region with the lowest latency. Health checks ensure traffic is only sent to healthy endpoints. F. Convert the DynamoDB table to a global table. Why: DynamoDB Global Tables provide multi-Region, fully active replication. Ensures data consistency and local reads/writes, improving performance and availability.

Answer: B ✅ Explanation -When using AWS CloudFormation custom resources, the Lambda function must send a response to a pre-signed S3 URL provided by CloudFormation in the event data. This response tells CloudFormation whether the custom resource creation was successful or failed. ⚙️ What Happens: CloudFormation triggers the Lambda function. -The function performs the custom logic (e.g., creates an AD Connector). -CloudFormation waits for a response to the pre-signed S3 URL. -If no response is received, the stack remains in CREATE_IN_PROGRESS and eventually times out. ✅ Correct Option: B. Ensure the Lambda function code returns a response to the pre-signed URL. -This is required for CloudFormation to complete the operation on a custom resource. -If missing, CloudFormation hangs, just as described in the scenario.

Answer: BC ✅ Explanation -Key considerations: -Session Manager connects to the instance through the Systems Manager Agent (SSM Agent), which requires access to Systems Manager endpoints. -To keep traffic on the private network, VPC endpoints for Systems Manager services are used. -The instance profile must have the correct IAM permissions to allow Systems Manager operations. -Evaluate options: A. Allow inbound access to TCP port 22 in all associated EC2 security groups from the VPC CIDR range. No. If moving away from key pair SSH to Session Manager, port 22 access is not needed and doesn't affect Session Manager. This option is irrelevant. B. Attach an IAM policy with the necessary Systems Manager permissions to the existing IAM instance profile. Yes. For Session Manager to work, the instance profile (IAM role attached to EC2) must have permissions like AmazonSSMManagedInstanceCore. Necessary to enable instances to communicate with Systems Manager. C. Create a VPC endpoint for Systems Manager in the desired Region. Yes. To keep Session Manager traffic private (no internet), you must create VPC endpoints (Interface endpoints) for these services: com.amazonaws.<region>.ssm com.amazonaws.<region>.ec2messages com.amazonaws.<region>.ssmmessages This keeps communication inside the AWS network without going through the internet. D. Deploy a new EC2 instance that will act as a bastion host to the rest of the EC2 instance fleet. No. This is counter to the intent to move away from key pair-based SSH and to use Session Manager, which eliminates the need for bastion hosts. E. Remove any default routes in the associated route tables. No. Removing default routes (like internet gateway routes) would isolate the subnet, but without VPC endpoints, the instances cannot communicate with Systems Manager. The proper solution is to create VPC endpoints, not just remove default routes. -Correct Answers: B. Attach an IAM policy with the necessary Systems Manager permissions to the existing IAM instance profile. C. Create a VPC endpoint for Systems Manager in the desired Region.

Answer: A

Answer: ABC ✅ Explanation Scenario: -Code is stored in GitHub. -When the repo is updated, the code should be compiled, tested, and then the artifacts pushed to Amazon S3 (a storage service). -The goal is to automate this entire build process. -Key points: Source control: GitHub -Trigger: On every code change (push to GitHub) -Build steps: Compile, test, and then push artifacts to S3 -Automation tools: AWS native services preferred (CodeBuild, CodePipeline, etc.) -Reviewing the options: A. Add a buildspec.yml file to the source code with build instructions. This is required for CodeBuild to know how to build and test your code. The buildspec.yml contains phases like install, pre_build, build, post_build with commands, including pushing to S3. So A is needed. B. Configure a GitHub webhook to trigger a build every time a code change is pushed to the repository. To automate build triggering on GitHub push events, a webhook is needed. Alternatively, CodeBuild can be connected directly to GitHub and can automatically poll or use webhooks internally, but often you configure a webhook. B is relevant. C. Create an AWS CodeBuild project with GitHub as the source repository. CodeBuild is the service that runs build and test jobs. You specify GitHub as the source. This is essential for compiling and testing the code automatically. So C is needed. D. Create an AWS CodeDeploy application with the Amazon EC2/On-Premises compute platform. CodeDeploy is for deploying applications to EC2 instances or on-premises servers. The requirement is just building and pushing artifacts to S3, no deployment to EC2. D is not required. E. Create an AWS OpsWorks deployment with the install dependencies command. OpsWorks is a configuration management service to manage servers. This is more complex than needed. The requirement does not mention configuration management or deployment to servers. E is not relevant. F. Provision an Amazon EC2 instance to perform the build. -This would be a manual approach. Instead of using managed services like CodeBuild, you could run builds on EC2. -But since AWS CodeBuild exists and can be connected to GitHub, this is not necessary and not the best practice. F is not required. Final answer: The three correct steps are: A. Add a buildspec.yml file to the source code with build instructions. B. Configure a GitHub webhook to trigger a build every time a code change is pushed to the repository. C. Create an AWS CodeBuild project with GitHub as the source repository.

Answer: B ✅ Explanation -Requirements: Global Expansion: The application will be deployed to multiple AWS regions (Europe and Asia). Product Catalog: Must be shared globally across all regions. Needs to be consistent across deployments. Customer Data & Purchases: -Must remain within each region for compliance (likely data residency laws like GDPR). -Least amount of application changes is a priority. Evaluating the options: A. Use Amazon Redshift for the product catalog and Amazon DynamoDB tables for the customer information and purchases. ❌ Amazon Redshift is a data warehouse, not optimized for transactional workloads (OLTP), which are typical for a product catalog. ❌ Redshift is not ideal for frequently updated, globally available catalog data. ✅ DynamoDB regional tables make sense for regional customer data, but overall, this solution would require significant app changes. Not the best choice. B. Use Amazon DynamoDB global tables for the product catalog and regional tables for the customer information and purchases. ✅ DynamoDB Global Tables are designed for multi-region, active-active replication. This allows fast, local reads/writes to the shared product catalog in each region. ✅ You can create regional DynamoDB tables for customer data, meeting compliance and data residency rules. ✅ Very minimal application changes if already using or compatible with DynamoDB. This is a strong option. C. Use Aurora with read replicas for the product catalog and additional local Aurora instances in each region for the customer information and purchases. ❌ Aurora read replicas across regions are read-only, so you can’t do multi-region writes to the catalog without extra logic. ❌ Promoting read replicas or using Aurora Global Database is more complex and may require application logic to manage writes. ✅ Local Aurora for customer data is okay. ❌ More application changes needed to handle read-only vs. write logic and failover. Not ideal for least application changes. D. Use Aurora for the product catalog and Amazon DynamoDB global tables for the customer information and purchases. ❌ This is inverted: product catalog is shared globally, so DynamoDB global tables would be more appropriate for it, not for customer data. ❌ Using global tables for customer data violates data residency compliance since data would be replicated across regions. -This violates compliance requirements. ✅ Correct Answer: B. Use Amazon DynamoDB global tables for the product catalog and regional tables for the customer information and purchases. This satisfies: -Global access and consistency for product catalog (with global tables), -Regional isolation for customer data, meeting compliance, -Minimal application changes, thanks to native DynamoDB support for this architecture.

Answer: A ✅ Explanation -Requirements: Application: EC2 + ALB + Auto Scaling across AZs. Database: Amazon RDS PostgreSQL (Multi-AZ). File storage: Amazon S3 bucket (50 GB of new videos daily). Goal: Multi-region DR with: Least data loss (low RPO) Lowest recovery time (low RTO) CloudFormation is used for infrastructure Cost-efficiency 🔍 Option A Launch application in second region (ASG = 1). RDS read replica in second region. Cross-region S3 replication to second bucket. Failover by promoting replica and scaling ASG. ✅ Pros: -Read replica: Provides near real-time replication (low RPO). -Cross-region S3 replication: Near real-time S3 object sync (low RPO). -Low RTO: Pre-launched stack reduces time to scale up in disaster. -Least manual effort during failover: Promote replica and scale. 🚫 Cons: -Slightly higher cost due to read replica and replication traffic. -You still need to scale ASG on failover manually (but fast with CFN). 🟢 Best balance of low RTO/RPO and cost.

Answer: C ✅ Explanation: -You are using AWS CodeDeploy with Amazon ECS and the blue/green deployment model. In this model, CodeDeploy automatically handles traffic shifting between old (blue) and new (green) environments, and it includes lifecycle events that allow you to run tests before shifting live traffic. 🔍 What’s AfterAllowTestTraffic? This lifecycle event is triggered after test traffic is routed to the green environment, but before production traffic is shifted. -It gives you an opportunity to run tests against the green version. -If a hook fails during this stage (e.g., Lambda returns an error or fails), CodeDeploy automatically rolls back the deployment. 💡 Why Option C works best: AppSpec hooks are the right place to run deployment lifecycle logic. AfterAllowTestTraffic is designed specifically to test green environment before traffic shifting. Failing the hook (e.g., by returning an error) automatically triggers rollback — exactly what is required.

Answer: BD ✅ Explanation ✅ B. Aurora Global Database Aurora global databases are designed for low-latency global reads and disaster recovery across AWS Regions. -Replication lag is typically under 1 second, giving you a very low RPO — well within 2 hours. -If the primary Region fails, you can promote the secondary Region to be the new primary within minutes — achieving RTO ≤ 10 mins. -Ideal for mission-critical multi-Region applications. ✅ D. Multi-Region Active-Passive Application with Route 53 Failover Route 53 with failover routing policy automatically redirects traffic to the healthy Region. -You can use health checks on ALBs to detect Region availability. -Auto Scaling groups in both Regions ensure app scalability and readiness. -This architecture enables fast failover (low RTO) and redundancy.