Answer: B

Explanation: CodeDeploy supports automatic rollback that can be triggered by CloudWatch alarms. You configure the deployment group to monitor specific CloudWatch alarms (like error rate) and automatically roll back if the alarm enters the ALARM state within a defined period. This is the most automated and native solution without requiring manual intervention or custom Lambda functions.

Answer: B

Explanation: CodeBuild supports caching to store reusable build artifacts (like npm modules, Maven dependencies) between builds. Caches can be stored locally in the build environment or in S3. This significantly reduces build times by avoiding re-downloading unchanged dependencies. Increasing compute type (A) speeds up the build itself but not the download time. EC2 (C) is not how CodeBuild works. Parallel builds (D) don't reduce individual build time.

Answer: B

Explanation: AWS CloudFormation StackSets allow you to create, update, or delete CloudFormation stacks across multiple accounts and regions with a single operation. It's specifically designed for multi-account, multi-region deployments. Nested Stacks (A) organize stacks hierarchically but within one account. CDK (C) generates CloudFormation templates but doesn't manage cross-account deployment. Service Catalog (D) manages product portfolios.

Answer: D

Explanation: The most comprehensive approach uses IAM policies with the aws:RequestTag condition key to deny resource creation without required tags, combined with AWS Organizations tag policies to standardize tag values. IAM policies alone (A) require tagging on creation but don't standardize values. Config rules (B) are detective, not preventive. SCPs (C) can deny actions but require careful configuration.

Answer: D

Explanation: CodeDeploy allows creating custom deployment configurations specifying the percentage or number of instances to deploy to at a time. A custom configuration with a 25% minimum healthy hosts value would deploy to 25% of instances at a time. HalfAtATime (B) deploys to 50% at a time. OneAtATime (C) deploys to one instance at a time. AllAtOnce (A) deploys to all instances simultaneously.

Answer: B

Explanation: GitOps for Kubernetes uses tools like Flux or ArgoCD that continuously reconcile the desired state in Git with the actual state in Kubernetes. AWS CodePipeline can trigger these tools or they can work independently, continuously pulling from CodeCommit/GitHub. CodePipeline with CodeDeploy (A) is for traditional deployments. Lambda (C) is not a GitOps tool. Elastic Beanstalk (D) is for managed application deployments.

Answer: C

Explanation: AWS Secrets Manager or SSM Parameter Store SecureString parameters provide encrypted storage with IAM-based access control. CodeBuild can natively reference Secrets Manager secrets and SSM parameters in environment variables, retrieving them at build time. Storing plaintext in environment variables (A) exposes them in logs. Storing in the repository (B) is a security risk. S3 (D) requires additional code to retrieve and doesn't provide the same access control integration.

Answer: B

Explanation: AWS CodeArtifact provides a login command (aws codeartifact login --tool npm) that configures npm to use CodeArtifact as the registry and retrieves a temporary authorization token. This command should be run in the pre-build phase of the buildspec.yml. Simply setting the URL in package.json (A) doesn't handle authentication. VPC endpoints (C) are for network connectivity. Environment variables alone (D) don't configure the npm client.

Answer: A

Explanation: AWS CodePipeline natively supports Manual Approval actions. When the pipeline reaches the approval stage, it can send a notification via SNS (which can trigger email) and pauses until a reviewer approves or rejects. This is the native, purpose-built solution for pipeline approvals with notifications. SQS+Lambda (B) adds unnecessary complexity. The other options (C, D) don't provide native pipeline approval functionality.

Answer: C

Explanation: AWS Config continuously monitors resource configurations and evaluates them against Config Rules. When rules are violated, Config can automatically trigger remediation actions (using Systems Manager Automation documents) to bring resources back into compliance. CloudTrail (A) logs API calls. Inspector (B) scans for vulnerabilities. Security Hub (D) aggregates findings but doesn't automatically remediate.

Answer: A

Explanation: ECS integrates with CodeDeploy to provide blue/green deployments. CodeDeploy shifts traffic from the old (blue) to the new (green) task set gradually, monitors health checks, and automatically rolls back if health checks fail. CloudFormation rolling updates (B) are for EC2 Auto Scaling. ECS rolling updates (C) are less sophisticated and harder to roll back. Manual updates (D) are error-prone.

Answer: B

Explanation: AWS Systems Manager Run Command allows running commands across multiple EC2 instances without needing SSH access or managing an Ansible control node. State Manager provides desired state configuration to maintain instance configurations. The SSM Agent is pre-installed on Amazon Linux/Windows AMIs. Ansible (A) requires managing a control node. OpsWorks (C) requires Chef/Puppet expertise. EC2 user data (D) only runs at instance launch.

Answer: B

Explanation: CloudFormation stack events provide a detailed timeline of what happened during stack creation/update, including which resource failed, why it failed, and the error message. The stack remains in a failed state (ROLLBACK_COMPLETE or UPDATE_ROLLBACK_COMPLETE) until you take action, preserving the failure information. CloudTrail (A) shows the API calls but not resource-level failures. CodeBuild logs (D) are for build stage failures.

Answer: B

Explanation: AWS Config rules continuously evaluate resource configurations. Config can be configured to send notifications via SNS when the compliance status changes (e.g., from COMPLIANT to NON_COMPLIANT). This provides real-time notifications when policies are violated. CloudTrail with EventBridge (A) detects API calls, not configuration compliance. Inspector (C) is for vulnerability scanning. Security Hub (D) aggregates findings from multiple services.

Answer: B

Explanation: AWS CDK Constructs are reusable infrastructure components that can be packaged as libraries and shared via npm, PyPI, or Maven. Teams can create their own construct libraries that encapsulate best practices (e.g., a secure S3 bucket construct with encryption and versioning enabled). CDK Aspects (C) are for traversing and modifying CDK trees (like applying tags). CloudFormation templates (A, D) are not CDK.

Answer: B

Explanation: CodeDeploy for Lambda supports canary deployments. Canary10Percent5Minutes shifts 10% of traffic to the new Lambda version, waits 5 minutes, and if no CloudWatch alarms are triggered, shifts the remaining 90%. This matches the requirement. Linear deployments (A, D) shift traffic gradually in equal increments. AllAtOnce (C) shifts all traffic immediately.

Answer: D

Explanation: Enforcing pull requests in CodeCommit requires two components: (1) IAM policies that deny direct push to the main branch for regular developers, and (2) CodeCommit approval rule templates that require a minimum number of approvals on pull requests before they can be merged. Approval rule templates alone don't prevent direct pushes. IAM policies alone don't enforce the approval count on PRs.

Answer: A

Explanation: Publishing custom metrics to CloudWatch, then using Application Auto Scaling with target tracking scaling policies allows automatic scaling of various resources (ECS tasks, DynamoDB capacity, etc.) based on custom metrics like queue depth. This is the native AWS solution for custom metric-based scaling. X-Ray (B) is for distributed tracing. Lambda+DynamoDB (C) doesn't provide auto-scaling. EventBridge+Step Functions (D) is for event orchestration.

Answer: D

Explanation: AWS Config records the configuration history of CloudFormation stacks as a resource type. It tracks all changes to stack configurations over time, providing an audit trail. CloudTrail (A) logs the API calls but not the full stack configuration at each point. Change sets (B) show what will change before applying. Drift detection (C) shows the current difference between the template and actual resources.

Answer: B

Explanation: A single CodePipeline can deploy across multiple AWS accounts by assuming cross-account IAM roles. The pipeline in the tooling account uses roles in the target accounts (dev, staging, prod) to deploy. This provides a single source of truth for the pipeline while maintaining account isolation. Separate pipelines (A) duplicate configuration and make synchronization difficult. Elastic Beanstalk (C) doesn't address multi-account deployment. Separate pipelines in each account (D) are hard to maintain.

Answer: B

Explanation: EC2 Auto Scaling Groups with ELB health checks automatically terminate and replace instances that fail health checks. This is the native self-healing mechanism for EC2. CloudWatch alarms with SNS (A) notify but don't automatically replace. Lambda (C) can monitor but adds custom complexity. Maintenance windows (D) are for scheduled maintenance, not self-healing.

Answer: B

Explanation: AWS CloudTrail records all API calls. EventBridge can create rules that match specific CloudTrail events (like unauthorized API calls, root account usage, security group changes) and trigger SNS notifications. This is the standard pattern for API-level alerting. VPC Flow Logs (A) capture network traffic. Config (C) monitors resource configurations. GuardDuty (D) provides ML-based threat detection but uses a different model.

Answer: C

Explanation: Following least privilege, the CodeBuild service role needs specific ECR permissions: ecr:GetAuthorizationToken (for Docker login), ecr:BatchCheckLayerAvailability, ecr:PutImage, ecr:InitiateLayerUpload, ecr:UploadLayerPart, ecr:CompleteLayerUpload. AmazonEC2ContainerRegistryPowerUser (B) includes all needed permissions but also more than needed. FullAccess (A) includes delete permissions. AmazonECS-FullAccess (D) is for ECS management.

Answer: B

Explanation: Setting DeletionPolicy: Retain on a CloudFormation resource (like an RDS instance) means that when the stack is deleted, the resource is retained (not deleted). This prevents accidental database deletion through CloudFormation stack operations. Termination protection (D) prevents the entire stack from being deleted but the question asks specifically about the database resource. Retention policies (A) are for specific behaviors. IAM policies (C) prevent all stack deletions.

Answer: A

Explanation: A CodeBuild stage in CodePipeline can be used to run integration tests. The buildspec.yml in the test phase can invoke external testing frameworks, run test scripts, and report results. If tests fail, the CodeBuild stage fails and the pipeline stops. This is the most integrated approach within AWS. Lambda invocations (B) are for simple event-driven tasks. Jenkins (C) requires managing Jenkins infrastructure. Manual approval (D) is not automated.

Answer: A

Explanation: AWS Systems Manager Patch Manager can automatically patch EC2 instances based on patch baselines and patch groups. Maintenance windows schedule patching operations. The SSM Agent on instances receives patch instructions without needing SSH. Compliance reports show patching status. EC2 user data (B) only runs at launch. Ansible Tower (C) requires managing infrastructure. OpsWorks (D) requires Chef expertise.

Answer: B

Explanation: AWS CodeDeploy canary deployments shift a percentage of traffic to the new version and monitor CloudWatch alarms. If alarms are triggered during the baking period, CodeDeploy automatically rolls back to the previous version. This provides fully automated canary deployment with rollback. Route 53 weighted routing (A) requires manual rollback. ALB weighted target groups (C) require custom automation. CloudFront functions (D) are for edge request manipulation.

Answer: A

Explanation: Running CodeBuild inside a VPC without a NAT gateway provides no internet access. VPC endpoints for CodeCommit, ECR, S3, and other AWS services allow the build to access private repositories and ECR through the AWS private network. Security groups (B) blocking all outbound would also block AWS service access. NAT gateway with restrictions (C) still provides internet access. There are no "private CodeBuild environments" (D).

Answer: B

Explanation: AWS AppConfig is designed specifically for dynamic configuration delivery to applications without restarts. It supports gradual rollouts of configuration changes, validation, and monitoring. Applications use the AppConfig Agent or SDK to receive configuration updates in real-time. Polling SSM periodically (C) works but is not as sophisticated as AppConfig. Restarting the application (A) causes downtime. DynamoDB (D) requires custom polling code.

Answer: B

Explanation: Amazon CloudWatch Logs natively integrates with EC2 (via CloudWatch agent) and Lambda (automatic integration). CloudWatch Logs Insights provides powerful query capabilities for centralized log analysis. This is the most integrated AWS-native solution. S3 with Athena (A) works but requires exporting logs. Kinesis (C) is for streaming, not log storage/analysis. ELK on EC2 (D) requires managing infrastructure.

Answer: B

Explanation: AWS X-Ray Service Map provides a visual representation of the application components and their connections. Each segment and subsegment in a trace represents a unit of work, showing the time spent. By examining trace details, you can identify which specific downstream call (database, API, microservice) is causing high latency. CloudWatch metrics (A) provide aggregate data. Enhanced RDS monitoring (C) is for database internals. EC2 CPU metrics (D) don't show distributed call latency.

Answer: B

Explanation: The best approach uses multiple mechanisms: (1) EventBridge rules that trigger CodeBuild projects for feature branch builds and PR checks when CodeCommit events occur, and (2) a CodePipeline that triggers only on the main branch for production deployment. Separate pipelines for each branch (C) are impractical at scale. A single pipeline on all branches (A) can lead to unintended deployments. Jenkins (D) requires managing infrastructure.

Answer: B

Explanation: AWS Secrets Manager supports automatic rotation of database credentials. For RDS, it has built-in rotation Lambda functions that update the password in both Secrets Manager and the RDS instance. Applications retrieve the current secret from Secrets Manager, so rotation is transparent. KMS key rotation (A) is for encryption keys. SSM Parameter Store (C) can rotate with a custom Lambda but requires more custom code. ACM (D) is for SSL certificates.

Answer: B

Explanation: When CodeBuild runs inside a VPC, it loses its default internet access. To access external internet resources (like npm packages), the VPC needs a NAT gateway in a public subnet, and the CodeBuild subnet's route table must route internet-bound traffic through the NAT gateway. Using CodeArtifact (proxy for npm) would also resolve this. Adding an internet gateway (A) alone doesn't route traffic from private subnets. Moving outside VPC (C) loses access to private resources.

Answer: B

Explanation: AWS Fault Injection Simulator (FIS) is a managed chaos engineering service that allows you to run controlled experiments by injecting faults into AWS infrastructure (like terminating EC2 instances, adding network latency, causing CPU stress, throttling API calls). Systems Manager Automation (A) runs operational tasks. CloudFormation drift detection (C) finds configuration drift. DevOps Guru (D) uses ML to detect operational anomalies.

Answer: A

Explanation: Amazon Inspector integrates with Amazon ECR to automatically scan container images for software vulnerabilities (CVEs). When a new image is pushed to ECR, Inspector scans it and reports findings. The pipeline can check Inspector findings via an API call or EventBridge notification and fail the build if critical vulnerabilities are found. WAF (B) is for web app protection. GuardDuty (C) is for threat detection. Security Hub (D) aggregates findings.

Answer: B

Explanation: Independent deployment pipelines per service, combined with contract testing (to ensure services still communicate correctly), enables teams to deploy independently without coordination. Contract tests verify that the service interfaces remain compatible. Deploying all together (A) creates tight coupling. Feature flags (C) control feature visibility but don't enable independent deployment pipelines. Manual deployments (D) eliminate the CI/CD benefit.

Answer: C

Explanation: CloudFormation dynamic references allow you to reference SSM Parameter Store values directly in templates using the syntax {{resolve:ssm:/path/to/parameter}}. When the stack is deployed or updated, CloudFormation retrieves the current value from SSM. This ensures the latest approved AMI is always used. AWS::SSM::Parameter (B) is for creating SSM parameters, not retrieving them. Lambda custom resources (D) add complexity. Hard-coding (A) requires manual updates.

Answer: B

Explanation: AWS AppConfig supports feature flag configurations that can be deployed gradually using deployment strategies. Applications can evaluate feature flags at runtime to enable features for specific users or percentages. Route 53 weighted routing (A) routes at DNS level, not per-user. ALB rules (C) route based on request attributes but don't provide the feature flag management interface. Lambda@Edge (D) can implement feature flags but requires custom code.

Answer: B

Explanation: EventBridge (formerly CloudWatch Events) emits events for CodePipeline stage and pipeline state changes. An EventBridge rule can filter for FAILED state changes and trigger a Lambda function that sends a message to Slack (using the Slack webhook API). This is event-driven, efficient, and requires no polling. Polling (A) is inefficient. CloudWatch alarms (C) don't directly monitor pipeline state. SNS with manual Slack forwarding (D) is not automated.

Answer: C

Explanation: When a nested stack fails, the parent stack events show a failure referencing the nested stack (e.g., "Embedded stack failed to reach COMPLETE state"). By clicking on the nested stack name in the events or navigating to it directly, you can see its events which show the specific resource that failed and the error message. Checking parent stack events (A) gives a partial picture. Checking all nested stacks (B) is inefficient. CloudTrail (D) shows API calls, not stack-level resource failures.

Answer: B

Explanation: Adding a dedicated migration stage in CodePipeline before the deployment stage ensures migrations run first. A CodeBuild action can connect to the database and run migration scripts. If migrations fail, the pipeline stops and the new application code is not deployed, preventing version mismatches. Running at startup (A) can cause issues with multiple instances running simultaneously. Manual migrations (C) eliminate automation benefits. RDS backups (D) are for data recovery.

Answer: B

Explanation: AWS Config can evaluate CodeBuild project configurations and flag non-compliant projects (e.g., projects using unapproved images or with inline buildspecs). IAM policies can restrict which images are allowed in CodeBuild project configurations. This provides both detection (Config) and prevention (IAM). Code reviews (A) and manual audits (D) are not automated. Inspector (C) scans for vulnerabilities, not configuration compliance.

Answer: C

Explanation: The CodeDeploy AppSpec lifecycle events for load balancer deployments include: BeforeBlockTraffic (before the load balancer blocks traffic to instances), BlockTraffic (load balancer blocks traffic), AfterBlockTraffic (after traffic is blocked). To drain connections before traffic is blocked by the load balancer, use the BeforeBlockTraffic hook. BeforeInstall (A) runs after traffic is already blocked. AfterInstall (B) runs after application installation.

Answer: A

Explanation: CodePipeline triggered by CodeCommit (or GitHub) changes implements GitOps for CloudFormation. Any commit to the repository triggers the pipeline which applies CloudFormation changes. This ensures the deployed infrastructure always matches the repository. CDK Pipelines (D) also implements this but specifically for CDK applications. Manual changes (B) violate GitOps principles. StackSets (C) manage cross-account deployments but need a trigger.

Answer: A

Explanation: CloudWatch Logs (application logs), CloudWatch Metrics (infrastructure metrics), and X-Ray (distributed traces) form the observability trinity on AWS. CloudWatch Container Insights provides ECS-specific metrics and logs. X-Ray correlates traces with CloudWatch using trace IDs. S3+Athena (B) doesn't provide real-time correlation. Elasticsearch+Kibana (C) requires managing infrastructure. CloudTrail (D) is for API audit, not application observability.

Answer: B

Explanation: A single CodePipeline with sequential stages for each region implements the required flow: deploy to us-east-1, run health checks (CodeBuild test stage), then deploy to eu-west-1 only if health checks pass. This provides automated, sequential deployment with gates. Two separate pipelines (A) require manual coordination. StackSets (C) deploy to multiple regions simultaneously, not sequentially with gates. Manual deployments (D) eliminate automation.

Answer: B

Explanation: EC2 Auto Scaling Instance Refresh allows rolling updates of instances to use new launch templates. By setting the MinHealthyPercentage and configuring checkpoints, you can test on a percentage of instances before proceeding. Warm pools can pre-warm replacement instances. Launch configurations (A) are deprecated. Manual termination (C) is error-prone. Creating a new ASG (D) doesn't integrate with the existing deployment.

Answer: B

Explanation: Reversible migrations with up/down scripts allow the application to apply (up) migrations when deploying and reverse (down) them when rolling back. The pipeline can automatically run the down migration if deployment fails. This is faster than restoring from snapshots. Database dumps (A) and snapshots (D) are slow to restore. PITR (C) is even slower and may lose data from the period after the snapshot.

Answer: C

Explanation: Amazon Inspector integrates with ECR to scan container images for both vulnerabilities (CVEs in packages) and now secrets accidentally embedded in image layers (using the Secrets detection feature). ECR enhanced scanning with Inspector provides automated detection without manual review. Multi-stage builds (B) reduce image size but don't detect secrets. Manual review (A, D) is not scalable.

Answer: B

Explanation: CodeDeploy deployment groups can be configured with CloudWatch alarms for automatic rollback and with triggers that send SNS notifications when deployment events occur (including rollbacks). This is the fully integrated, native solution for automatic rollback with notification. CloudWatch email alarms (A) notify but don't stop/rollback deployments. Lambda (C) adds custom complexity. Manual monitoring (D) is not automated.

Answer: B

Explanation: An AWS Config custom rule can evaluate all Lambda functions and report non-compliant ones that don't have reserved concurrency set. Config can also trigger remediation actions. This provides visibility at scale without manual checking. Manual configuration (A) doesn't scale. Service Quotas (C) limit total account concurrency but not per-function enforcement. IAM policies (D) can't require the presence of a configuration attribute during creation.

Answer: B

Explanation: CloudFormation Custom Resources backed by Lambda allow you to execute arbitrary code during stack create/update/delete operations. The Lambda function can call third-party APIs, configure external services, and return data back to the CloudFormation template. cfn-init (A) is for configuring EC2 instances. WaitCondition (C) is for waiting on signals from EC2 instances. AWS::CloudFormation::Stack (D) is for nested stacks.

Answer: B

Explanation: When an ASG is configured to use ELB health checks, it considers an instance unhealthy if the load balancer reports it as unhealthy (based on the ALB/NLB target group health check, which checks application-level endpoints like /health). The ASG then automatically terminates and replaces the unhealthy instance. EC2 status checks (A) only check EC2 infrastructure health. CloudWatch alarms (C) trigger scaling policies, not direct replacement. Custom health check with EC2 checks (D) doesn't leverage the application-level check properly.

Answer: B

Explanation: Using SSM Parameter Store with environment-specific paths (e.g., /dev/database/endpoint, /prod/database/endpoint) allows applications and pipelines to retrieve environment-specific configurations at runtime. Access can be controlled via IAM policies per environment. Storing configs in the repository (A) risks exposing secrets. Hard-coding in build artifacts (C) creates different artifacts per environment. Different CodeBuild projects (D) don't address the config management problem.

Answer: A

Explanation: Immutable infrastructure uses an AMI pipeline (CodeBuild to build and bake a golden AMI with the new code, then Instance Refresh the Auto Scaling Group with the new AMI). New instances are launched from the new AMI and old instances are terminated. In-place deployments (B) modify existing instances, violating immutable principles. SSM patching (C) modifies existing instances. Manual updates (D) are error-prone.

Answer: B

Explanation: Amazon CloudWatch dashboards can aggregate CodePipeline execution metrics and status across multiple pipelines. Combined with EventBridge events from pipelines, a Lambda function can update a DynamoDB table of pipeline statuses which a CloudWatch dashboard displays. CloudWatch also provides pipeline-level metrics. DevOps Guru (C) uses ML for anomaly detection, not a pipeline dashboard. Organizations console (D) manages accounts, not pipelines.

Answer: B

Explanation: After a CodeBuild build pushes an image to ECR, it can retrieve the full image URI with the digest (SHA256 hash) using docker inspect or ECR API. This digest URI is written to an artifact file (imagedefinitions.json) that the CodeDeploy action in CodePipeline uses to update the ECS task definition. Using digests ensures the exact image is deployed, not whatever 'latest' points to. ECR tag immutability (C) prevents overwriting tags but doesn't ensure digest-based deployment.

Answer: B

Explanation: After a CloudFormation deployment, a CodeBuild action can run AWS CLI commands to check AWS Config rule compliance for the resources created by the stack (aws configservice get-compliance-details-by-resource). If any resources are NON_COMPLIANT, the CodeBuild stage fails and the pipeline stops. Manual review (A) is not automated. Inspector (C) scans for vulnerabilities. GuardDuty (D) is for threat detection.

Answer: A

Explanation: AWS CloudFormation Guard is a policy-as-code tool that validates CloudFormation templates against custom rules before deployment. CloudFormation Hooks can invoke Guard or Lambda functions before resource creation to block non-compliant resources. Config rules (B) are detective (after deployment). Security Hub (C) aggregates findings. Trusted Advisor (D) provides recommendations but doesn't prevent deployments.

Answer: D

Explanation: EC2 Auto Scaling's Maximum Instance Lifetime feature automatically replaces instances after a specified duration. Setting it to 86400 seconds (24 hours) ensures all instances are replaced within 24 hours, picking up new AMIs if the launch template is updated. EventBridge triggering Instance Refresh (A) requires a custom automation. Manual refresh (B) is not automated. Spot instances (C) may be replaced but not guaranteed within 24 hours.

Answer: C

Explanation: Tools like git-secrets, truffleHog, or Gitleaks are designed to scan source code for hard-coded secrets and credentials. These can be integrated into the CodeBuild buildspec as a build step. If secrets are found, the build fails. Amazon Inspector (A) scans container images and EC2 instances. Secrets Manager (B) stores secrets but doesn't scan code. Macie (D) scans S3 objects for sensitive data, not source code.

Answer: B

Explanation: Using separate parallel deploy actions (each with their own CodeDeploy deployment group) for each ECS service in CodePipeline allows individual service rollbacks when a deployment fails. If one service's deployment fails, only that deployment rolls back while other services continue. A single deployment group (A) or single deployment (D) for all services would roll back all services. Sequential CloudFormation (C) doesn't leverage CodeDeploy's rollback capabilities.

Answer: A

Explanation: An AWS Config rule can detect EC2 instances where MetadataOptions.HttpTokens is not set to required (IMDSv2). When non-compliant instances are found, an SSM Automation remediation document can automatically update the instance metadata options to require IMDSv2. This provides both detection and automatic remediation. Inspector (B) is for vulnerabilities. Manual audit (C) is not scalable. CloudTrail (D) logs API calls.

Answer: B

Explanation: The recommended backend for Terraform on AWS is S3 (with versioning for state history and recovery) combined with DynamoDB for state locking (prevents concurrent state modifications). This is the standard, well-documented pattern for secure Terraform state management on AWS. Local filesystem (A) doesn't support team collaboration or DR. CodeCommit (C) would require committing state files which is not recommended. CodeArtifact (D) is a package manager.

Answer: B

Explanation: OPA (Open Policy Agent) with conftest or Kyverno can validate Kubernetes manifests against policy rules (like requiring non-root users, resource limits, read-only filesystems) in a CodeBuild stage. If policies fail, the build fails and manifests are not deployed. This is shift-left security. Inspector (C) scans running workloads. GuardDuty (D) detects threats at runtime. Manual review (A) doesn't scale.

Answer: B

Explanation: Break glass access uses IAM roles that can be assumed for a limited duration via AWS STS. Access is tightly controlled (specific users can assume the role), audited via CloudTrail, and time-limited (STS session duration). The role assumption can trigger SNS alerts. Sharing root credentials (A) is never acceptable. Permanent admin users (C) are always available, not "break glass". SCPs (D) can't be bypassed without Organization admin access.

Answer: B

Explanation: AWS CodeBuild Test Reports allow you to create report groups that aggregate test results from multiple builds over time. CodeBuild parses test result files (JUnit XML, Cucumber JSON, etc.) and displays pass/fail statistics, trends, and test durations in the CodeBuild console. CloudWatch Logs (A) store raw log output. S3 artifacts (C) store files but don't visualize test trends. X-Ray (D) is for distributed tracing.

Answer: A

Explanation: Amazon RDS Blue/Green Deployments is a feature that creates a staging environment (green) that is synchronized with the production database (blue). You can apply schema changes to the green environment, test them, and then perform a switchover with minimal downtime. RDS Multi-AZ (B) is for high availability failover. Read replicas (C) are read-only. DMS (D) is for migration between different database types.

Answer: B

Explanation: IAM policies can deny developers the ability to directly invoke CodeDeploy, update ECS services, or push to ECR/EKS. The CodePipeline uses a dedicated service role that has the necessary permissions. This means deployments can only happen through the pipeline. Team policies (A) are not enforced technically. VPN (C) and NACLs (D) control network access, not deployment permissions.

Answer: B

Explanation: In a CodeBuild pre-build step, a script can run git diff to identify which directories (services) have changed since the last successful build. The script can then set environment variables or output files that control which subsequent build/deploy steps are executed. This is a common pattern for monorepo CI/CD optimization. Always building all services (A) wastes time and resources. Separate repos (C) changes the architecture significantly. Lambda detection (D) adds complexity.

Answer: B

Explanation: A CodeBuild stage after staging deployment can run load testing tools like Locust, k6, or JMeter. The test script defines the load profile and assertions (P99 latency < 200ms). If assertions fail, CodeBuild returns a non-zero exit code, failing the pipeline stage and preventing promotion to production. Manual testing (A) is not automated. CloudWatch alarms (C) monitor production, not staging pre-deployment tests. Trusted Advisor (D) provides cost/performance recommendations.

Answer: B

Explanation: An automated solution: EventBridge scheduled rule triggers a Lambda function that initiates CloudFormation drift detection for all stacks. If drift is detected, the Lambda triggers CodePipeline to re-deploy the CloudFormation stack (bringing it back to desired state). This is fully automated. Manual checks (A) are not continuous. Config rules (C) can detect drift but aren't specifically designed for CloudFormation stack drift. Termination protection (D) prevents deletion, not drift.

Answer: B

Explanation: AWS AppConfig is specifically designed for dynamic configuration delivery. The AppConfig agent (or SDK) polls for configuration changes and can be configured to check every 45 seconds, ensuring changes take effect within 60 seconds. AppConfig also supports deployment strategies and validation. ECS environment variables (A) require task restarts. SSM polling (C) works but lacks AppConfig's validation and deployment strategy features. DynamoDB+Lambda (D) requires custom code and has scheduling lag.

Answer: C

Explanation: The most comprehensive approach: (1) CloudFormation stack tags automatically propagate to resources created by the stack, (2) CodePipeline passes commit ID and pipeline name as CloudFormation parameters used as tags, (3) AWS Organizations tag policies enforce tag standards. This handles tagging at the pipeline source, propagation through CloudFormation, and governance through Organizations. Manual tagging (A) doesn't scale. Lambda post-creation tagging (D) has race conditions and misses some resources.