Config Management Flashcards

1
Q

You are using AWS CloudFormation to manage infrastructure. How can you ensure that changes in the stack template do not affect running resources?
A) Use a change set
B) Use a parameter
C) Use a stack policy
D) Use a custom resource

A

A) Use a change set

2
Q

Which AWS service allows you to centrally manage the configuration of multiple AWS accounts?
A) AWS Config
B) AWS CloudFormation
C) AWS Organizations
D) AWS Systems Manager

A

C) AWS Organizations

3
Q

You need to ensure that instances in your fleet automatically receive security patches. Which service helps achieve this?
A) AWS Systems Manager Patch Manager
B) AWS CodeBuild
C) AWS Lambda
D) AWS IAM

A

A) AWS Systems Manager Patch Manager

4
Q

To automatically provision and manage your EC2 instances based on your code, which AWS service should you use?
A) AWS CloudFormation
B) AWS CodeDeploy
C) AWS OpsWorks
D) AWS Lambda

A

C) AWS OpsWorks

5
Q

Which tool allows you to deploy and manage infrastructure across multiple AWS regions with minimal configuration?
A) AWS CloudFormation StackSets
B) AWS CodeDeploy
C) AWS EC2 Auto Scaling
D) AWS Elastic Beanstalk

A

A) AWS CloudFormation StackSets

6
Q

How can you automatically apply security baselines to newly created AWS resources across multiple accounts?
A) AWS Config Conformance Packs
B) AWS CloudFormation StackSets
C) AWS Systems Manager
D) AWS Trusted Advisor

A

A) AWS Config Conformance Packs

7
Q

Which AWS service allows you to manage software and operating system configurations on EC2 instances?
A) AWS Systems Manager State Manager
B) AWS CloudFormation
C) AWS CodeDeploy
D) AWS Elastic Beanstalk

A

A) AWS Systems Manager State Manager

8
Q

Which AWS service allows you to automate instance patching across multiple regions?
A) AWS Systems Manager Patch Manager
B) AWS Lambda
C) AWS CloudWatch Events
D) AWS Elastic Beanstalk

A

A) AWS Systems Manager Patch Manager

9
Q

You need to audit the compliance of your AWS resources. Which service allows you to do this with custom rules?
A) AWS Config
B) AWS IAM
C) AWS CloudFormation
D) AWS CodePipeline

A

A) AWS Config

10
Q

What AWS service would you use to automate the configuration management of EC2 instances?
A) AWS OpsWorks
B) AWS CodePipeline
C) AWS Lambda
D) AWS CloudFormation

A

A) AWS OpsWorks

11
Q

Which AWS service provides a way to continuously audit the configuration of your AWS resources and detect changes?
A) AWS Config
B) AWS CloudTrail
C) AWS Systems Manager
D) AWS CloudFormation

A

A) AWS Config

12
Q

To deploy a fleet of instances across multiple regions with a consistent configuration, which AWS service should you use?
A) AWS CloudFormation StackSets
B) AWS EC2 Auto Scaling
C) AWS OpsWorks
D) AWS Elastic Beanstalk

A

A) AWS CloudFormation StackSets

13
Q

You need to manage operating system patches across your EC2 instances. Which AWS service would you use?
A) AWS Systems Manager Patch Manager
B) AWS OpsWorks
C) AWS CodeBuild
D) AWS CodePipeline

A

A) AWS Systems Manager Patch Manager

14
Q

Which AWS service allows you to create and maintain server configurations that are applied consistently to your EC2 instances?
A) AWS OpsWorks
B) AWS CloudFormation
C) AWS CodeDeploy
D) AWS Systems Manager

A

A) AWS OpsWorks

15
Q

You need to apply a set of predefined policies and configuration settings across multiple AWS accounts. Which service is best suited for this?
A) AWS Organizations
B) AWS Config
C) AWS CloudFormation
D) AWS IAM

A

A) AWS Organizations

16
Q

What AWS service allows you to deploy and maintain server configurations on EC2 instances?
A) AWS OpsWorks
B) AWS Elastic Beanstalk
C) AWS CodeBuild
D) AWS CloudFormation

A

A) AWS OpsWorks

17
Q

To automate software configuration, patch management, and compliance across EC2 instances, which AWS service would you use?
A) AWS Systems Manager
B) AWS CodePipeline
C) AWS Lambda
D) AWS CloudFormation

A

A) AWS Systems Manager

18
Q

Which AWS service provides a managed Chef and Puppet configuration management environment?
A) AWS OpsWorks
B) AWS CodeDeploy
C) AWS Lambda
D) AWS IAM

A

A) AWS OpsWorks

19
Q

You need to ensure that your AWS infrastructure resources maintain compliance with company policies. Which AWS service should you use?
A) AWS Config
B) AWS CloudFormation
C) AWS Trusted Advisor
D) AWS GuardDuty

A

A) AWS Config

20
Q

How can you automatically enforce policies across multiple AWS accounts?
A) AWS Organizations
B) AWS CloudTrail
C) AWS CloudFormation
D) AWS Config

A

A) AWS Organizations

21
Q

What are the outcome, effect, and stack status of a CloudFormation stack failure with “Rollback on Failure” selected? Provide an example of why this would happen.

A

Outcome: By default, CloudFormation rolls back any changes made to the resources if the stack creation or update fails. This ensures that the stack doesn’t remain in a partially deployed or inconsistent state.
Effect: Any resources that were successfully created or updated before the failure will be deleted. The stack will return to the state it was in before the operation began (or no resources at all if it was a new stack).
Stack Status: ROLLBACK_COMPLETE
Example: If a new EC2 instance fails to launch, and other resources like an S3 bucket were successfully created, the S3 bucket will also be deleted.

22
Q

What are the outcome, effect, and stack status of a CloudFormation stack failure with “Retain Resources on Failure (Disable Rollback)” selected? Provide an example of why this would happen.

A

Outcome: If you disable rollback (by setting the DisableRollback parameter to true), CloudFormation will leave the stack and any successfully created resources in their current state even if the stack creation fails.
Effect: The resources that were created before the failure will persist. This is useful for debugging, as you can investigate what went wrong without losing the partial stack setup.
Stack Status: CREATE_FAILED or UPDATE_FAILED
Example: If an EC2 instance fails to launch but an S3 bucket was successfully created, the S3 bucket remains.

23
Q

What are the outcome, effect, and stack status of a CloudFormation stack failure with “Update Rollback” selected? Provide an example of why this would happen.

A

Outcome: During a stack update, if an error occurs, CloudFormation attempts to roll back the update to the previous stack state.
Effect: The stack will attempt to return to its previous configuration before the update began. However, if the rollback itself fails (for example, due to issues with dependencies or permissions), you may need to manually intervene.
Stack Status: UPDATE_ROLLBACK_COMPLETE or UPDATE_ROLLBACK_FAILED (if the rollback fails)
Example: If you are updating an EC2 instance type and the update fails, CloudFormation will try to revert the instance back to the previous type.

24
Q

What are the outcome, effect, and stack status of a CloudFormation stack failure with “Delete Stack on Failure” selected? Provide an example of why this would happen.

A

Outcome: When creating a new stack, if the stack creation fails and rollback is not disabled, CloudFormation may delete the entire stack and all associated resources.
Effect: All resources that were created as part of the stack will be deleted.
Stack Status: DELETE_COMPLETE (if the stack is fully deleted)
Example: If a stack creation includes launching an EC2 instance and creating an RDS database but the EC2 instance fails, both the RDS database and any other resources will be deleted.

25
Q

What are the outcome, effect, and stack status of a CloudFormation stack failure with “Manual Cleanup Required (Stuck in Rollback_Failed State)” selected? Provide an example of why this would happen.

A

Outcome: If CloudFormation encounters an issue during rollback (for example, due to a resource dependency or a permissions issue), it may leave the stack in a failed state.
Effect: You may need to manually delete resources or fix the issues preventing the rollback from completing. The stack will be in a ROLLBACK_FAILED or UPDATE_ROLLBACK_FAILED state.
Stack Status: ROLLBACK_FAILED or UPDATE_ROLLBACK_FAILED
Example: If CloudFormation cannot delete a resource due to resource dependencies (e.g., an S3 bucket with versioning enabled), manual intervention is required.

26
Q

What are the outcome, effect, and stack status of a CloudFormation stack failure with “Partial Update (Resources Left in Inconsistent State)” selected? Provide an example of why this would happen.

A

Outcome: If an update fails, some resources may have been successfully updated, while others were not. This can leave resources in a partially updated state if rollback fails or was disabled.
Effect: Some resources might be updated to the new state, while others remain in the old state. This inconsistent state can cause issues if your application depends on all resources being updated in sync.
Stack Status: UPDATE_FAILED or UPDATE_ROLLBACK_FAILED
Example: If you update an Auto Scaling group size but fail to update the associated launch template, instances may launch with an incorrect configuration.

27
Q

How do you handle CloudFormation failures?

A

Enable Detailed Logging: Use the CloudFormation console or AWS CLI to view the events that caused the failure.
Check CloudWatch Logs: For failures involving Lambda functions or custom resources, check the logs in Amazon CloudWatch.
Use DisableRollback for Debugging: Temporarily disable rollback to investigate what went wrong with the stack creation.
Fix the Issue: Correct the template, permissions, or resource dependencies that caused the failure.
Manual Resource Cleanup: If CloudFormation cannot delete certain resources (due to dependencies or permissions), you may need to delete or modify those resources manually.

28
Q

What is the one exception to a DeletionPolicy Delete in CloudFormation?

A

Default DeletionPolicy=Delete won’t work on an S3 bucket if the bucket is not empty.

29
Q

What are the 3 different types of Deletion Policy for CloudFormation? What is the default?
Deletion Policy allows you to control what happens when the CloudFormation template is deleted or when a resource is removed from a CloudFormation template.

A

Default: Delete
Delete - deletes the resources when CF is deleted. Exception: an S3 bucket that is not empty
Retain - will retain the resources when CF is deleted or resource is removed (supports all resources)
Snapshot - create one final snapshot before deleting the resource (supports: EBS Vol, ElastiCache Cluster, ElastiCache Replication Group, RDS DB Instance, RDS DB Cluster, Redshift Cluster, Neptune DB Cluster, Document DB DB Cluster)

30
Q

How do you get rid of a resource that has a CF Deletion Policy: Retain?

A

You have to manually delete it after the CF template is deleted.

31
Q

What is the stack policy default effect?

A

Deny.
Need to add an Allow statement (and specify the resource):
{
  "Statement" : [
    {
      "Effect" : "Allow",
      "Action" : "Update:*",
      "Principal": "*",
      "Resource" : "*"
    }
  ]
}

32
Q

What is Termination Protection?

A

Prevents accidental deletion of a stack policy