
[2025-04-03] Latest AWS Certified DevOps Engineer AWS-DevOps-Engineer-Professional real free exam answers
AWS Certified DevOps Engineer AWS-DevOps-Engineer-Professional question bank: latest practice test, 575 unique answers
Question # 265
What is a circular dependency in AWS CloudFormation?
- A. When a Template references an earlier version of itself.
- B. When Nested Stacks depend on each other.
- C. When a Template references a region, which references the original Template.
- D. When Resources form a DependOn loop.
Correct answer: D
Explanation:
To resolve a dependency error, add a DependsOn attribute to resources that depend on other resources in your template. In some cases, you must explicitly declare dependencies so that AWS CloudFormation can create or delete resources in the correct order. For example, if you create an Elastic IP and a VPC with an Internet gateway in the same stack, the Elastic IP must depend on the Internet gateway attachment. For additional information, see DependsOn Attribute.
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/troubleshooting.html#troubleshooting-errors-dependence-error
Question # 266
A DevOps engineer is writing an AWS CloudFormation template to stand up a web service that will run on Amazon EC2 instances in a private subnet behind an ELB Application Load Balancer.
The Engineer must ensure that the service can accept requests from clients that have IPv6 addresses. Which configuration items should the Engineer incorporate into the CloudFormation template to allow IPv6 clients to access the web service?
- A. Associate an IPv6 CIDR block with the Amazon VPC and subnets where the EC2 instances will live. Create route table entries for the IPv6 network, use EC2 instance types that support IPv6, and assign IPv6 addresses to each EC2 instance.
- B. Create a target group and add the EC2 instances as targets. Create a listener on port 443 of the Application Load Balancer. Associate the newly created target group as the default target group. Select a dual stack IP address, and create a rule in the security group that allows inbound traffic from anywhere.
- C. Replace the Application Load Balancer with a Network Load Balancer. Associate an IPv6 CIDR block with the Virtual Private Cloud (VPC) and subnets where the Network Load Balancer lives, and assign the Network Load Balancer an IPv6 Elastic IP address.
- D. Assign each EC2 instance an IPv6 Elastic IP address. Create a target group and add the EC2 instances as targets. Create a listener on port 443 of the Application Load Balancer, and associate the newly created target group as the default target group.
Correct answer: B
Explanation:
https://aws.amazon.com/about-aws/whats-new/2017/01/announcing-internet-protocol-version-6-ipv6-support-for-elastic-load-balancing-in-amazon-virtual-private-cloud-vpc/
Question # 267
Which of the following are ways to secure data at rest and in transit in AWS? Choose 3 answers from the options given below.
- A. Use SSL/HTTPS when using the Elastic Load Balancer
- B. Use IOPS volumes when working with EBS volumes on EC2 Instances
- C. Use server-side encryption for S3
- D. Encrypt all EBS volumes attached to EC2 Instances
Correct answer: A, C, D
Explanation:
The AWS documentation mentions the following:
Amazon EBS encryption offers you a simple encryption solution for your EBS volumes without the need for you to build, maintain, and secure your own key management infrastructure. When you create an encrypted EBS volume and attach it to a supported instance type, the following types of data are encrypted:
- Data at rest inside the volume
- All data moving between the volume and the instance
- All snapshots created from the volume
Data protection refers to protecting data while in transit (as it travels to and from Amazon S3) and at rest (while it is stored on disks in Amazon S3 data centers). You can protect data in transit by using SSL or by using client-side encryption. You have the following options for protecting data at rest in Amazon S3:
- Use server-side encryption: you request Amazon S3 to encrypt your object before saving it on disks in its data centers and decrypt it when you download the objects.
- Use client-side encryption: you can encrypt data client-side and upload the encrypted data to Amazon S3. In this case, you manage the encryption process, the encryption keys, and related tools.
You can create a load balancer that uses the SSL/TLS protocol for encrypted connections (also known as SSL offload). This feature enables traffic encryption between your load balancer and the clients that initiate HTTPS sessions, and for connections between your load balancer and your EC2 instances. For more information on securing data at rest, please refer to the below link:
* https://d0.awsstatic.com/whitepapers/aws-securing-data-at-rest-with-encryption.pdf
Question # 268
Your company has multiple applications running on AWS.
Your company wants to develop a tool that notifies on-call teams immediately via email when an alarm is triggered in your environment.
You have multiple on-call teams that work different shifts, and the tool should handle notifying the correct teams at the correct times.
How should you implement this solution?
- A. Create an Amazon SNS topic and configure your on-call team email addresses as subscribers. Use the AWS SDK tools to integrate your application with Amazon SNS and send messages to this new topic. Notifications will be sent to on-call users when a CloudWatch alarm is triggered.
- B. Create an Amazon SNS topic and configure your on-call team email addresses as subscribers. Create a secondary Amazon SNS topic for alarms and configure your CloudWatch alarms to notify this topic when triggered. Create an HTTP subscriber to this topic that notifies your application via HTTP POST when an alarm is triggered. Use the AWS SDK tools to integrate your application with Amazon SNS and send messages to the first topic so that on-call engineers receive alerts.
- C. Create an Amazon SNS topic for each on-call group, and configure each of these with the team member emails as subscribers. Create another Amazon SNS topic and configure your CloudWatch alarms to notify this topic when triggered. Create an HTTP subscriber to this topic that notifies your application via HTTP POST when an alarm is triggered. Use the AWS SDK tools to integrate your application with Amazon SNS and send messages to the correct team topic when on shift.
- D. Create an Amazon SNS topic and an Amazon SQS queue. Configure the Amazon SQS queue as a subscriber to the Amazon SNS topic. Configure CloudWatch alarms to notify this topic when an alarm is triggered. Create an Amazon EC2 Auto Scaling group with both minimum and desired Instances configured to 0. Worker nodes in this group spawn when messages are added to the queue. Workers then use Amazon Simple Email Service to send messages to your on-call teams.
Correct answer: C
Question # 269
Within an IAM policy, can you add an IfExists condition at the end of a Null condition?
- A. Yes, you can add an IfExists condition at the end of a Null condition depending on the condition.
- B. Yes, you can add an IfExists condition at the end of a Null condition but not in all Regions.
- C. No, you cannot add an IfExists condition at the end of a Null condition.
- D. Yes, you can add an IfExists condition at the end of a Null condition.
Correct answer: C
Explanation:
Within an IAM policy, IfExists can be added to the end of any condition operator except the Null condition. It can be used to indicate that conditional comparison needs to happen if the policy key is present in the context of a request; otherwise, it can be ignored.
Reference:
http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html
Question # 270
You have instances running on your VPC. You have both production and development based instances running in the VPC. You want to ensure that people who are responsible for the development instances don't have access to work on the production instances, to ensure better security. Using policies, which of the following would be the best way to accomplish this? Choose the correct answer from the options given below.
- A. Launch the test and production instances in separate VPCs and use VPC peering
- B. Create an IAM policy with a condition which allows access to only instances that are used for production or development
- C. Launch the test and production instances in different Availability Zones and use Multi-Factor Authentication
- D. Define the tags on the test and production servers and add a condition to the IAM policy which allows access to specific tags
Correct answer: D
Explanation:
You can easily add tags which define which instances are production and which are development instances, and then ensure these tags are used when controlling access via an IAM policy.
For more information on tagging your resources, please refer to the below link:
* http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html
Question # 271
A company runs a database on a single Amazon EC2 instance in a development environment.
The data is stored on separate Amazon EBS volumes that are attached to the EC2 instance. An Amazon Route 53 A record has been created and configured to point to the EC2 instance. The company would like to automate the recovery of the database instance when an instance or Availability Zone (AZ) fails. The company also wants to keep its costs low. The RTO is 4 hours and RPO is 12 hours. Which solution should a DevOps Engineer implement to meet these requirements?
- A. Run the database in an Auto Scaling group with a minimum and maximum instance count of 1 in multiple AZs. Create an AWS Lambda function that is triggered by a scheduled Amazon CloudWatch Events rule every 4 hours to take a snapshot of the data volume and apply a tag. Have the instance UserData get the latest snapshot, create a new volume from it, and attach and mount the volume. Then start the database and update the Route 53 record.
- B. Run the database in an Auto Scaling group with a minimum and maximum instance count of 1 in multiple AZs. Add a lifecycle hook to the Auto Scaling group and define an Amazon CloudWatch Events rule that is triggered when a lifecycle event occurs. Have the CloudWatch Events rule invoke an AWS Lambda function to detach or attach the Amazon EBS data volumes from the EC2 instance based on the event. Configure the EC2 instance UserData to mount the data volumes (retry on failure with a short delay), then start the database and update the Route 53 record.
- C. Run the database on two separate EC2 instances in different AZs. Configure one of the instances as a master and the other as a standby. Set up replication between the master and standby instances. Point the Route 53 record to the master. Configure an Amazon CloudWatch Events rule to invoke an AWS Lambda function upon the EC2 instance termination. The Lambda function launches a replacement EC2 instance. If the terminated instance was the active node, the function promotes the standby to master and points the Route 53 record to it.
- D. Run the database on two separate EC2 instances in different AZs with one active and the other as a standby. Attach the data volumes to the active instance. Configure an Amazon CloudWatch Events rule to invoke an AWS Lambda function on EC2 instance termination. The Lambda function launches a replacement EC2 instance. If the terminated instance was the active node, then the function attaches the data volumes to the standby node. Start the database and update the Route 53 record.
Correct answer: A
Explanation:
Option A restores the EBS volumes from a snapshot, and the snapshot is not AZ independent.
Two instances mean more cost.
An Auto Scaling group with min 1 and max 1 is also the preferred method for HA.
Question # 272
You are setting up CloudFormation templates for your organization. The CloudFormation template consists of creating EC2 Instances for both your development and production environments in the same region. Each of these instances will have an Elastic IP and a security group attached to them, which will be done via CloudFormation. Your CloudFormation stack for the development environment gets successfully created, but then the production CloudFormation stack fails. Which of the below could be a reason for this?
- A. You hit the soft limit of 5 EIPs per region when creating the development environment.
- B. You didn't choose the Production version of the AMI you are using when creating the production stack.
- C. You hit the soft limit for security groups when creating the development environment.
- D. You have chosen the wrong tags when creating the instances in both environments.
Correct answer: A
Explanation:
The most viable reason could be that you reached the limit for the number of Elastic IPs in the region.
For more information on AWS EC2 service limits, please refer to the below link:
* http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-resource-limits.html
Question # 273
A healthcare services company is concerned about the growing costs of software licensing for an application for monitoring patient wellness. The company wants to create an audit process to ensure that the application is running exclusively on Amazon EC2 Dedicated Hosts. A DevOps Engineer must create a workflow to audit the application to ensure compliance.
What steps should the Engineer take to meet this requirement with the LEAST administrative overhead?
- A. Use AWS Config. Identify all EC2 instances to be audited by enabling Config Recording on all Amazon EC2 resources for the region. Create a custom AWS Config rule that triggers an AWS Lambda function by using the "config-rule-change-triggered" blueprint. Modify the Lambda evaluateCompliance() function to verify host placement and return a NON_COMPLIANT result if the instance is not running on an EC2 Dedicated Host. Use the AWS Config report to address noncompliant instances.
- B. Use AWS Systems Manager Configuration Compliance. Use calls to the put-compliance-items API action to scan and build a database of noncompliant EC2 instances based on their host placement configuration. Use an Amazon DynamoDB table to store these instance IDs for fast access. Generate a report through Systems Manager by calling the list-compliance-summaries API action.
- C. Use custom Java code running on an EC2 instance. Set up EC2 Auto Scaling for the instance depending on the number of instances to be checked. Send the list of noncompliant EC2 instance IDs to an Amazon SQS queue. Set up another worker instance to process instance IDs from the SQS queue and write them to Amazon DynamoDB. Use an AWS Lambda function to terminate noncompliant instance IDs obtained from the queue, and send them to an Amazon SNS email topic for distribution.
- D. Use AWS CloudTrail. Identify all EC2 instances to be audited by analyzing all calls to the EC2 RunCommand API action. Invoke an AWS Lambda function that analyzes the host placement of the instance. Store the EC2 instance ID of noncompliant resources in an Amazon RDS MySQL DB instance. Generate a report by querying the RDS instance and exporting the query results to a CSV text file.
Correct answer: A
Explanation:
https://aws.amazon.com/about-aws/whats-new/2015/11/use-aws-config-to-track-ec2-instances-on-dedicated-hosts-and-assess-license-compliance/
Question # 274
You need to scale an RDS deployment. You are operating at 10% writes and 90% reads, based on your logging. How best can you scale this in a simple way?
- A. Create a Multi-AZ RDS install and route read traffic to the standby.
- B. Create a second master RDS instance and peer the RDS groups.
- C. Create read replicas for RDS since the load is mostly reads.
- D. Cache all the database responses on the read side with CloudFront.
Correct answer: C
Explanation:
Amazon RDS Read Replicas provide enhanced performance and durability for database (DB) instances. This replication feature makes it easy to elastically scale out beyond the capacity constraints of a single DB Instance for read-heavy database workloads. You can create one or more replicas of a given source DB Instance and serve high-volume application read traffic from multiple copies of your data, thereby increasing aggregate read throughput. Read replicas can also be promoted when needed to become standalone DB instances.
Option A is invalid because you would need to maintain the synchronization yourself with a secondary instance.
Option B is invalid because you are introducing another layer unnecessarily when you already have read replicas.
Option D is invalid because you only use this for standbys.
For more information on Read Replicas, please refer to the below link:
* https://aws.amazon.com/rds/details/read-replicas/
Question # 275
Your company has multiple applications running on AWS. Your company wants to develop a tool that notifies on-call teams immediately via email when an alarm is triggered in your environment. You have multiple on-call teams that work different shifts, and the tool should handle notifying the correct teams at the correct times. How should you implement this solution?
- A. Create an Amazon SNS topic for each on-call group, and configure each of these with the team member emails as subscribers. Create another Amazon SNS topic and configure your CloudWatch alarms to notify this topic when triggered. Create an HTTP subscriber to this topic that notifies your application via HTTP POST when an alarm is triggered. Use the AWS SDK tools to integrate your application with Amazon SNS and send messages to the correct team topic when on shift.
- B. Create an Amazon SNS topic and configure your on-call team email addresses as subscribers. Create a secondary Amazon SNS topic for alarms and configure your CloudWatch alarms to notify this topic when triggered. Create an HTTP subscriber to this topic that notifies your application via HTTP POST when an alarm is triggered. Use the AWS SDK tools to integrate your application with Amazon SNS and send messages to the first topic so that on-call engineers receive alerts.
- C. Create an Amazon SNS topic and configure your on-call team email addresses as subscribers. Use the AWS SDK tools to integrate your application with Amazon SNS and send messages to this new topic. Notifications will be sent to on-call users when a CloudWatch alarm is triggered.
- D. Create an Amazon SNS topic and an Amazon SQS queue. Configure the Amazon SQS queue as a subscriber to the Amazon SNS topic. Configure CloudWatch alarms to notify this topic when an alarm is triggered. Create an Amazon EC2 Auto Scaling group with both minimum and desired Instances configured to 0. Worker nodes in this group spawn when messages are added to the queue. Workers then use Amazon Simple Email Service to send messages to your on-call teams.
Correct answer: A
Explanation:
Option D fulfils all the requirements:
1) First, create an SNS topic for each group so that the required members receive the emails.
2) Ensure the application uses the HTTPS endpoint and the SDK to publish messages.
Option A is invalid because the SQS service is not required.
Option B and C are incorrect. As per the requirement, we need to provide notification only to those on-call teams who are working in that particular shift when an alarm is triggered. It need not be sent to all the on-call teams of the company. With Option B & C, since we are not configuring an SNS topic for each on-call team, the notifications will be sent to all the on-call teams. Hence these 2 options are invalid. For more information on setting up notifications, please refer to the below document link from AWS:
* http://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/US_SetupSNS.html
Question # 276
You have an ELB setup in AWS with EC2 instances running behind it. You have been requested to monitor the incoming connections to the ELB. Which of the below options can suffice this requirement?
- A. Create a custom metric CloudWatch filter on your load balancer
- B. Use a CloudWatch Logs Agent
- C. Enable access logs on the load balancer
- D. Use AWS CloudTrail with your load balancer
Correct answer: C
Explanation:
Elastic Load Balancing provides access logs that capture detailed information about requests sent to your load balancer. Each log contains information such as the time the request was received, the client's IP address, latencies, request paths, and server responses. You can use these access logs to analyze traffic patterns and to troubleshoot issues.
Option A is invalid because this service will monitor all AWS services.
Option C and D are invalid since CLB already provides a logging feature.
For more information on ELB access logs, please refer to the below document link from AWS:
* http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/access-log-collection.html
Question # 277
You work for a company that automatically tags photographs using artificial neural networks (ANNs), which run on GPUs using C++. You receive millions of images at a time, but only 3 times per day on average. These images are loaded in a batch into an AWS S3 bucket you control, and then the customer publishes a JSON-formatted manifest into another S3 bucket you control as well. Each image takes 10 milliseconds to process using a full GPU. Your neural network software requires 5 minutes to bootstrap. Image tags are JSON objects, and you must publish them to an S3 bucket. Which of these is the best system architecture for this system?
- A. Make an S3 notification configuration which publishes to AWS Lambda on the manifest bucket. Make the Lambda create a CloudFormation Stack which contains the logic to construct an autoscaling worker tier of EC2 G2 instances with the ANN code on each instance. Create an SQS queue of the images in the manifest. Tear the stack down when the queue is empty.
- B. Deploy your ANN code to AWS Lambda as a bundled binary for the C++ extension. Make an S3 notification configuration on the manifest, which publishes to another AWS Lambda running controller code. This controller code publishes all the images in the manifest to AWS Kinesis. Your ANN code Lambda Function uses the Kinesis as an Event Source. The system automatically scales when the stream contains image events.
- C. Create an Auto Scaling, Load Balanced Elastic Beanstalk worker tier Application and Environment. Deploy the ANN code to G2 instances in this tier. Set the desired capacity to 1. Make the code periodically check S3 for new manifests. When a new manifest is detected, push all of the images in the manifest into the SQS queue associated with the Elastic Beanstalk worker tier.
- D. Create an OpsWorks Stack with two Layers. The first contains lifecycle scripts for launching and bootstrapping an HTTP API on G2 instances for ANN image processing, and the second has an always-on instance which monitors the S3 manifest bucket for new files. When a new file is detected, request instances to boot on the ANN layer. When the instances are booted and the HTTP APIs are up, submit processing requests to individual instances.
Correct answer: A
Explanation:
The Elastic Beanstalk option is incorrect because it requires a constantly-polling instance, which may break and costs money.
The Lambda fleet option is incorrect because AWS Lambda does not support GPU usage. The OpsWorks stack option both requires a constantly-polling instance, and also requires complex timing and capacity planning logic.
The CloudFormation option requires no polling, has no always-on instances, and allows arbitrarily fast processing by simply setting the instance count as high as needed.
http://docs.aws.amazon.com/lambda/latest/dg/current-supported-versions.html
Question # 278
You have been tasked with deploying a solution for your company that will store images, which the marketing department will use for its campaigns.
Employees are able to upload images via a web interface, and once uploaded, each image must be resized and watermarked with the company logo.
Image resize and watermark is not time-sensitive and can be completed days after upload if required.
How should you design this solution in the most highly available and cost-effective way?
- A. Configure your web application to upload images to the Amazon Elastic Transcoder service. Use the Amazon Elastic Transcoder watermark feature to add the company logo as a watermark on your images and then to upload the final images into an Amazon S3 bucket.
- B. Configure your web application to upload images to Amazon S3, and send the Amazon S3 bucket URI to an Amazon SQS queue. Create an Auto Scaling group and configure it to use Spot instances, specifying a price you are willing to pay. Configure the instances in this Auto Scaling group to poll the SQS queue for new images and then resize and watermark the image before uploading the final images into Amazon S3.
- C. Configure your web application to upload images to Amazon S3, and send the S3 object URI to an Amazon SQS queue. Create an Auto Scaling launch configuration that uses Spot instances, specifying a price you are willing to pay. Configure the instances in this Auto Scaling group to poll the Amazon SQS queue for new images and then resize and watermark the image before uploading the new images into Amazon S3 and deleting the message from the Amazon SQS queue.
- D. Configure your web application to upload images to the local storage of the web server. Create a cron job to execute a script daily that scans this directory for new files and then uses the Amazon EC2 Service API to launch 10 new Amazon EC2 instances, which will resize and watermark the images daily.
Correct answer: C
Question # 279
You have been asked to de-risk deployments at your company. Specifically, the CEO is concerned about outages that occur because of accidental inconsistencies between Staging and Production, which sometimes cause unexpected behaviors in Production even when Staging tests pass. You already use Docker to get high consistency between Staging and Production for the application environment on your EC2 instances. How do you further de-risk the rest of the execution environment, since in AWS, there are many service components you may use beyond EC2 virtual machines?
- A. Use AWS Config to force the Staging and Production stacks to have configuration parity. Any differences will be detected for you so you are aware of risks.
- B. Use AMIs to ensure the whole machine, including the kernel of the virtual machines, is consistent, since Docker uses Linux Container (LXC) technology, and we need to make sure the container environment is consistent.
- C. Use AWS ECS and Docker clustering. This will make sure that the AMIs and machine sizes are the same across both environments.
- D. Develop models of your entire cloud system in CloudFormation. Use this model in Staging and Production to achieve greater parity.
Correct answer: D
Explanation:
Only CloudFormation's JSON Templates allow declarative version control of repeatably deployable models of entire AWS clouds.
https://blogs.aws.amazon.com/application-management/blog/category/Best+practices
Question # 280
A media customer has several thousand Amazon EC2 instances in an AWS account. The customer is using a Slack channel for team communications and important updates. A DevOps Engineer was told to send all AWS-scheduled EC2 maintenance notifications to the company Slack channel. Which method should the Engineer use to implement this process in the LEAST amount of steps?
- A. Integrate AWS Trusted Advisor with AWS Config. Based on the AWS Config rules created, the AWS Config event can invoke an AWS Lambda function to send notifications to the Slack channel.
- B. Integrate AWS Personal Health Dashboard with Amazon CloudWatch Events. Based on the CloudWatch Events created, the event can invoke an AWS Lambda function to send notifications to the Slack channel.
- C. Integrate AWS Support with AWS CloudTrail. Based on the CloudTrail lookup event created, the event can invoke an AWS Lambda function to pass EC2 maintenance notifications to the Slack channel.
- D. Integrate EC2 events with Amazon CloudWatch monitoring. Based on the CloudWatch Alarm created, the alarm can invoke an AWS Lambda function to send EC2 maintenance notifications to the Slack channel.
Correct answer: B
Explanation:
https://docs.aws.amazon.com/health/latest/ug/cloudwatch-events-health.html
Question # 281
......
Verified AWS-DevOps-Engineer-Professional question bank and answers, 100% pass, PassTest: https://www.passtest.jp/Amazon/AWS-DevOps-Engineer-Professional-shiken.html
Latest AWS-DevOps-Engineer-Professional question bank PDF with 100% high exam pass rate: https://drive.google.com/open?id=1GUGtZcKd0nKuWxbhzEpchQmYdNyzfoW6