4.3.2. Sample Questions - Domain 2: Configuration Management & IaC

Question 1:

A DevOps engineer needs to provision a complex, reusable set of AWS resources. The team prefers to define infrastructure using familiar programming languages like Python or TypeScript to leverage existing code libraries and apply object-oriented principles. Which AWS Infrastructure as Code (IaC) tool is best suited for this requirement?

A) AWS CloudFormation B) AWS Cloud Development Kit (CDK) C) AWS Serverless Application Model (SAM) D) AWS OpsWorks

Correct Answer: B

Explanation:

• A) AWS CloudFormation: AWS CloudFormation uses declarative JSON or YAML templates. While powerful for defining infrastructure, it does not allow the use of general-purpose programming languages or direct leveraging of existing code libraries in the way that CDK does. Its strength lies in its declarative nature for consistent deployments.
• B) AWS Cloud Development Kit (CDK): The AWS Cloud Development Kit (CDK) is an open-source framework that allows developers to define cloud resources using familiar programming languages such as Python, TypeScript, Java, .NET, and Go. This enables the application of object-oriented principles, leveraging existing code libraries, and building complex, reusable constructs. CDK then synthesizes these definitions into CloudFormation templates for deployment, combining the flexibility of programming languages with the robustness of CloudFormation.
• C) AWS Serverless Application Model (SAM): AWS Serverless Application Model (SAM) is an extension of AWS CloudFormation specifically designed to simplify the deployment of serverless applications. While it uses a shorthand syntax for serverless resources (Lambda functions, API Gateways, DynamoDB tables), it is not a general-purpose IaC tool for defining any type of complex, reusable AWS resource using programming languages beyond its serverless scope.
• D) AWS OpsWorks: AWS OpsWorks is a configuration management service that provides managed instances of Chef and Puppet. It is primarily used for automating server configuration, application deployment, and operational tasks, rather than for defining and provisioning the underlying AWS infrastructure itself using programming languages. It operates at a different layer of the infrastructure stack compared to IaC provisioning tools.

Question 2:

A development team is adopting Infrastructure as Code (IaC) for their AWS environment. They want to ensure that all infrastructure changes are controlled, auditable, and predictable, minimizing the risk of configuration drift and unintended consequences. Which of the following practices is MOST crucial for achieving these goals in an IaC environment?

A) Implementing manual approval gates for all infrastructure deployments. B) Storing IaC templates in a shared network drive for easy access. C) Mandating the use of Version Control Systems (VCS) and Pull Requests (PRs) for all IaC changes. D) Performing ad-hoc infrastructure updates directly in the AWS Management Console.

Correct Answer: C

Explanation:

• A) Implementing manual approval gates for all infrastructure deployments: While manual approval gates can provide a layer of control, they are not the most crucial practice for ensuring auditable and predictable changes in an IaC environment. The core principle of IaC is automation and consistency, which is best achieved through version control and automated processes. Manual approvals alone do not prevent configuration drift or provide a comprehensive audit trail of changes to the code itself.
• B) Storing IaC templates in a shared network drive for easy access: Storing IaC templates in a shared network drive is detrimental to controlled, auditable, and predictable changes. This practice lacks versioning, change tracking, and collaboration features, making it impossible to maintain a history of changes, revert to previous states, or ensure consistency across deployments. It directly contradicts the First Principle of defining infrastructure through machine-readable definition files and managing them like application code.
• C) Mandating the use of Version Control Systems (VCS) and Pull Requests (PRs) for all IaC changes: Mandating the use of Version Control Systems (VCS) like Git and requiring Pull Requests (PRs) for all IaC changes is the MOST crucial practice. VCS provides a complete history of all infrastructure code changes, enabling auditing, tracking who made what changes, and facilitating easy rollbacks. PRs enforce peer review, ensuring correctness, adherence to standards, and preventing unintended consequences before changes are merged and deployed. This aligns with the First Principle of treating infrastructure as code, enabling automated, consistent, and repeatable provisioning and management.
• D) Performing ad-hoc infrastructure updates directly in the AWS Management Console: Performing ad-hoc infrastructure updates directly in the AWS Management Console is a direct violation of IaC principles and leads to configuration drift, lack of auditability, and unpredictable environments. Such changes are not version-controlled, cannot be easily replicated, and make it impossible to maintain a consistent desired state. This practice undermines the very purpose of IaC, which is to define and manage infrastructure through code.

Question 3:

A company is struggling with configuration drift across their fleet of EC2 instances, leading to inconsistent application behavior and increased security vulnerabilities. They need an automated solution to ensure all instances maintain a desired state, apply patches regularly, and collect configuration data for auditing. Which AWS service provides a unified interface to address these challenges comprehensively?

A) AWS CloudFormation B) AWS Config C) AWS Systems Manager D) AWS OpsWorks

Correct Answer: C

Explanation:

• A) AWS CloudFormation: AWS CloudFormation is an Infrastructure as Code (IaC) service used for provisioning and managing AWS resources. While it defines the initial desired state of infrastructure, it does not actively maintain the configuration of instances post-provisioning, apply patches, or collect inventory data in the way that a configuration management service does. It focuses on the initial deployment and updates of the infrastructure stack.
• B) AWS Config: AWS Config continuously monitors and records AWS resource configurations, allowing for auditing, security analysis, and change tracking. While it can detect configuration drift by comparing current configurations to desired ones, it does not actively remediate drift, apply patches, or manage the state of instances. Its primary role is monitoring and compliance, not active configuration management.
• C) AWS Systems Manager: AWS Systems Manager provides a unified interface for operational data and task automation across AWS resources. It includes capabilities like State Manager (to apply and maintain desired configurations), Patch Manager (to automate OS and application patching), and Inventory (to collect and report system configuration data). This makes it the most comprehensive solution for addressing configuration drift, patching, and data collection for auditing, aligning with the First Principle of automation for consistent system states.
• D) AWS OpsWorks: AWS OpsWorks supports Chef Automate and Puppet Enterprise for server configuration management. While it can manage configurations and deploy applications, it is a more specialized service focused on Chef and Puppet environments. AWS Systems Manager offers a broader, more integrated set of capabilities for general configuration management, patching, and inventory across a wider range of AWS resources without requiring external configuration management tools.

Question 4:

A DevOps team is designing a new serverless application on AWS. They want to define their Lambda functions, API Gateway endpoints, and DynamoDB tables using a simplified syntax that is an extension of CloudFormation, specifically tailored for serverless components. Which AWS service should they use to compose and deploy these serverless resources efficiently?

A) AWS CloudFormation B) AWS Cloud Development Kit (CDK) C) AWS Serverless Application Model (SAM) D) AWS Elastic Beanstalk

Correct Answer: C

Explanation:

• A) AWS CloudFormation: AWS CloudFormation is a foundational IaC service that can define serverless resources. However, it requires verbose YAML/JSON syntax for each resource. While SAM ultimately synthesizes into CloudFormation, using raw CloudFormation for serverless applications would be less efficient and more complex than using SAM's simplified syntax, which is specifically designed to streamline serverless deployments.
• B) AWS Cloud Development Kit (CDK): AWS Cloud Development Kit (CDK) allows defining cloud resources using familiar programming languages. While CDK can be used to define serverless applications and synthesizes into CloudFormation, SAM provides a higher-level abstraction and simplified syntax specifically for common serverless patterns, making it often more efficient for purely serverless application development compared to the more general-purpose CDK.
• C) AWS Serverless Application Model (SAM): The AWS Serverless Application Model (SAM) is an open-source framework that extends AWS CloudFormation to provide a simplified way of defining serverless applications. It offers shorthand syntax for declaring serverless resources like Lambda functions, API Gateway APIs, and DynamoDB tables, streamlining the development and deployment process for serverless components. SAM templates are then transformed into CloudFormation templates for deployment, aligning with the First Principle of automation for rapid and reliable deployments of serverless architectures.
• D) AWS Elastic Beanstalk: AWS Elastic Beanstalk is a service for deploying and scaling web applications and services developed with various programming languages and platforms. While it automates deployment, it is not specifically designed for serverless applications and does not provide the simplified syntax or direct integration with serverless components like Lambda and API Gateway that SAM offers. It's more suited for traditional web application deployments on EC2 instances or containers.

Question 5:

A large enterprise uses a multi-account AWS strategy and operates in several AWS Regions. They need to ensure consistent deployment of security baselines, common networking configurations (VPCs, subnets), and shared services across all their accounts and Regions. Manually deploying and updating these resources in each location is becoming unmanageable and prone to errors. Which AWS service is specifically designed to address this challenge by enabling centralized management and deployment of common AWS resources at scale?

A) AWS CloudFormation B) AWS Organizations C) AWS CloudFormation StackSets D) AWS Resource Access Manager (RAM)

Correct Answer: C

Explanation:

• A) AWS CloudFormation: AWS CloudFormation is used to provision and manage AWS resources within a single account and Region. While it is the underlying technology for StackSets, CloudFormation alone does not provide the capability to deploy and manage resources consistently across multiple accounts and Regions from a single operation. It requires separate deployments for each target.
• B) AWS Organizations: AWS Organizations helps manage multiple AWS accounts, allowing for consolidated billing, centralized security policies, and account management. While it is crucial for a multi-account strategy and can be integrated with StackSets, AWS Organizations itself does not deploy or manage AWS resources. Its primary function is organizational structure and policy enforcement, not infrastructure provisioning.
• C) AWS CloudFormation StackSets: AWS CloudFormation StackSets extend CloudFormation's capabilities by enabling the deployment and management of common AWS resources from a single CloudFormation template across multiple target AWS accounts and specified AWS Regions with a single operation. This service is specifically designed for scenarios requiring consistent resource provisioning, such as security baselines and networking configurations, at scale across an enterprise's entire AWS organizational footprint, aligning with the First Principle of automation and scalability for IaC.
• D) AWS Resource Access Manager (RAM): AWS Resource Access Manager (RAM) allows you to share AWS resources securely across AWS accounts within your organization or with specific AWS accounts. While it facilitates resource sharing, it does not deploy or manage the resources themselves. It is a service for sharing existing resources, not for provisioning new ones consistently across multiple accounts and Regions.