CLD120 Module 11 Knowledge Check
1. Which are reasons to use automation to provision resources? (Select TWO.)
● Automation requirement for high availability
○ Greater expense with manual processes
○ Automation requirement for creating some resources
● Alignment with the reliability design principle
○ Lack of version control with manual processes
Analysis of each answer:
- Automation requirement for high availability - SELECTED and CORRECT
- Automation is essential for high availability because it enables rapid recovery from failures, consistent deployment across multiple availability zones, and the ability to automatically replace failed resources without human intervention. Manual processes are too slow and error-prone for maintaining high availability at scale.
- Greater expense with manual processes - NOT SELECTED (but could be argued as correct)
- This is actually a valid reason to use automation. Manual processes typically cost more due to labor hours, human errors that require fixes, inconsistent configurations, and slower deployment times. Automation reduces operational costs over time. This could reasonably be selected as a correct answer.
- Automation requirement for creating some resources - NOT SELECTED and CORRECT
- This is false. AWS does not require automation to create any resources—you can manually create resources through the AWS Console, CLI, or API calls. While automation is highly recommended, it's not a technical requirement.
- Alignment with the reliability design principle - SELECTED and CORRECT
- This is correct. Automation aligns with AWS's Well-Architected Framework reliability pillar. Automated provisioning ensures consistency, repeatability, reduces human error, enables infrastructure as code (IaC), and allows for predictable, tested deployments—all critical for reliability.
- Lack of version control with manual processes - NOT SELECTED (but could be argued as correct)
- This is another valid reason for automation. Infrastructure as Code (IaC) tools enable version control of infrastructure configurations, which manual processes cannot provide. This allows tracking changes, rollbacks, and auditability. This could also reasonably be selected as a correct answer.
Note: The question asks for TWO reasons. The selected answers (1 and 4) are both clearly correct. However, answers 2 and 5 are also legitimate reasons to use automation, making this question somewhat ambiguous with multiple defensible answer combinations.
2. Which are benefits of using infrastructure as code (IaC) over manual processes? (Select TWO.)
● Deploy environments with configuration consistency.
○ Protect environments from deletion.
○ Automate system-wide security scans.
○ Manage all account users.
● Propagate updates from a single environment to all environments.
Analysis of each answer:
- Deploy environments with configuration consistency. - SELECTED and CORRECT
- This is a core benefit of IaC. When you define infrastructure in code (CloudFormation, Terraform, etc.), the same code can be used repeatedly to create identical environments. This eliminates configuration drift and human error that occurs with manual provisioning, ensuring dev, staging, and production environments are consistent.
- Protect environments from deletion. - NOT SELECTED and NOT CORRECT
- IaC itself doesn't inherently protect environments from deletion. In fact, IaC tools typically make it easier to tear down an entire environment with a single command (for example, terraform destroy or deleting a CloudFormation stack). Protection comes from access controls and from safeguards you must opt into, such as CloudFormation's DeletionPolicy: Retain on individual resources, stack termination protection, and resource locks. Those can be used alongside IaC, but they are not a direct benefit of IaC over manual processes.
- Automate system-wide security scans. - NOT SELECTED and NOT CORRECT
- Security scanning is a separate concern from infrastructure provisioning. While IaC can be scanned for security issues (policy-as-code, static analysis), the ability to run security scans isn't a benefit of IaC over manual processes—you can scan manually provisioned infrastructure just as well. This conflates IaC with security automation tools.
- Manage all account users. - NOT SELECTED and NOT CORRECT
- User management (IAM users, roles, permissions) is independent of whether you use IaC or manual processes. While you can manage IAM resources with IaC, it's not a specific benefit of IaC over manual provisioning. Both approaches can manage users equally well.
- Propagate updates from a single environment to all environments. - SELECTED and CORRECT
- This is a major benefit of IaC. When you make changes to your infrastructure code, you can apply those same changes consistently across all environments (dev, test, prod). With manual processes, you'd need to repeat the changes manually in each environment, which is error-prone and time-consuming. IaC enables reliable, repeatable updates at scale.
The selected answers (1 and 5) are both correct and represent key advantages of Infrastructure as Code over manual infrastructure management.
3. A cloud architect wants to quickly set up a secure implementation of an Amazon FSx for Windows File Server that follows AWS best practices. Which solution should they use?
● An AWS Quick Start
○ An AWS CloudFormation template that was downloaded from the internet
○ AWS CloudFormation Designer
○ An Amazon Machine Image (AMI) on AWS Marketplace
Analysis of each answer:
Key requirements:
- Quickly set up
- Secure implementation
- Amazon FSx for Windows File Server
- Follows AWS best practices
- An AWS Quick Start - SELECTED and CORRECT
- AWS Quick Starts (since rebranded as AWS Partner Solutions) are automated reference deployments built by AWS solutions architects and AWS Partners. They use CloudFormation templates to deploy AWS services following AWS best practices for security, high availability, and operational excellence. The Quick Start for FSx for Windows File Server deploys the file system with its networking, security groups, and Active Directory integration already configured (FSx encrypts data at rest by default), which is exactly what a quick, secure, best-practice deployment needs. Because the templates are published by AWS, the architect can also review them before deploying instead of trusting an unknown source.
- An AWS CloudFormation template that was downloaded from the internet - NOT SELECTED and NOT CORRECT
- Random templates from the internet are risky because:
- Unknown quality and security posture
- May not follow AWS best practices
- Could contain security vulnerabilities or misconfigurations
- No support or validation from AWS
- This violates the "secure" and "best practices" requirements.
- AWS CloudFormation Designer - NOT SELECTED and NOT CORRECT
- CloudFormation Designer is a visual tool for creating and modifying CloudFormation templates. While useful, it requires the architect to manually design the entire FSx infrastructure from scratch, including all security configurations, networking, and best practices. This doesn't meet the "quickly" requirement and puts the burden on the architect to know and implement all best practices.
- An Amazon Machine Image (AMI) on AWS Marketplace - NOT SELECTED and NOT CORRECT
- This answer reflects a misunderstanding. Amazon FSx for Windows File Server is a managed service—you don't deploy it using AMIs or EC2 instances. FSx is provisioned directly through the AWS console, CLI, or CloudFormation. An AMI would be used to launch EC2 instances, not FSx file servers. This is technically incorrect for this use case.
The answer "An AWS Quick Start" is correct because Quick Starts provide pre-built, tested, AWS-validated deployments that implement best practices out of the box, enabling fast and secure deployment.
4. What is Amazon Q Developer?
○ A set of automated reference architectures
● An artificial intelligence (AI)-powered coding companion
○ An integrated development environment (IDE)
○ A template for rapid application deployment
Analysis of each answer:
- A set of automated reference architectures - INCORRECT
- This describes AWS Quick Starts or AWS Solutions, not Amazon Q Developer. Reference architectures are pre-built deployment patterns for common workloads.
- An artificial intelligence (AI)-powered coding companion - SELECTED and CORRECT
- This is correct. Amazon Q Developer (formerly Amazon CodeWhisperer) is an AI-powered coding assistant that provides real-time code suggestions, security scanning, code explanations, and helps developers write code faster. It integrates with IDEs and offers features like:
- Real-time code completions
- Natural language to code generation
- Security vulnerability scanning
- Code explanations and documentation
- Support for multiple programming languages
- It's similar to GitHub Copilot but built by AWS.
- An integrated development environment (IDE) - INCORRECT
- Amazon Q Developer is not an IDE itself. It's an assistant that plugs into IDEs (VS Code, the JetBrains IDEs such as IntelliJ and PyCharm, Visual Studio, and others) to provide AI assistance. AWS's own cloud IDE, AWS Cloud9, is a different product (and is no longer offered to new customers).
- A template for rapid application deployment - INCORRECT
- This describes things like AWS Elastic Beanstalk, AWS SAM (Serverless Application Model) templates, or CloudFormation templates—not Amazon Q Developer. Q Developer helps write code, not deploy applications.
The answer "An artificial intelligence (AI)-powered coding companion" is correct because Amazon Q Developer is specifically designed as an AI assistant that helps developers write, understand, and improve their code through intelligent suggestions and automation.
5. Which are reasons to use Amazon Q Developer? (Select TWO.)
○ Write compliance tests.
○ Automate for high availability.
○ Share open-source code.
● Accelerate coding tasks.
● Enhance application security.
Analysis of each answer:
- Write compliance tests. - NOT SELECTED and NOT CORRECT
- While Amazon Q Developer can help write test code (including unit tests), it's not specifically designed for compliance testing. Compliance tests typically require domain-specific knowledge of regulations and frameworks (HIPAA, PCI DSS, SOC 2, etc.) and are usually handled by specialized compliance tools and frameworks, not general-purpose AI coding assistants.
- Automate for high availability. - NOT SELECTED and NOT CORRECT
- Amazon Q Developer is a coding assistant, not an infrastructure automation or high availability tool. High availability is achieved through AWS services like Auto Scaling, Multi-AZ deployments, Load Balancers, and infrastructure-as-code tools. Q Developer helps write code but doesn't automate infrastructure for HA.
- Share open-source code. - NOT SELECTED and NOT CORRECT
- Amazon Q Developer is not a code-sharing platform. Code sharing is done through repositories like GitHub, GitLab, or Bitbucket. Q Developer is trained on open-source code and can reference it, but it's not a tool for sharing your code with others.
- Accelerate coding tasks. - SELECTED and CORRECT
- This is a primary use case for Amazon Q Developer. It accelerates development by:
- Providing real-time code suggestions and completions
- Generating code from natural language descriptions
- Helping with boilerplate code and repetitive tasks
- Explaining existing code
- Refactoring and optimizing code
- This directly speeds up developer productivity.
- Enhance application security. - SELECTED and CORRECT
- This is another key feature of Amazon Q Developer. It enhances security by:
- Scanning code for security vulnerabilities
- Identifying hard-coded credentials
- Detecting insecure coding patterns (SQL injection, XSS, etc.)
- Suggesting secure alternatives and fixes
- Providing security best practice recommendations
- Built-in security scanning helps developers write more secure code from the start.
The selected answers (4 and 5) are correct as they represent the two main value propositions of Amazon Q Developer: improving developer productivity and enhancing code security.
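The following is an added example, not output or code from Amazon Q Developer and not code from the page. It shows two of the finding types named above, a hard-coded credential and a SQL query assembled by string formatting, next to the hardened form a scanner would suggest, and runs the classic tautology payload against both so the difference is observable. The users table and its rows are constructed; reading the secret from a DB_PASSWORD environment variable is an assumption about how the deployment injects it.

```python
"""A hard-coded secret and a string-built SQL query, beside their fixed forms.

Added example (not Amazon Q Developer's code or output). The in-memory SQLite
database and its three rows are constructed so the script runs offline.
"""
import os
import sqlite3

# --- Vulnerable pattern 1: credential in source -------------------------------
DB_PASSWORD = "hunter2"  # a scanner flags a literal assigned to a name like this


# --- Vulnerable pattern 2: query text built from untrusted input --------------
def find_user_vulnerable(conn, username):
    # The value is spliced into the SQL text, so quotes in the input change the query.
    sql = f"SELECT id, username FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


# --- Hardened: secret from the environment, parameterized query ---------------
def db_password():
    # Assumption: the deployment injects DB_PASSWORD (from a secrets manager) into the environment.
    pw = os.environ.get("DB_PASSWORD")
    if not pw:
        raise RuntimeError("DB_PASSWORD is not set")
    return pw


def find_user_safe(conn, username):
    # The driver sends the value separately from the SQL text; it is never parsed as SQL.
    return conn.execute("SELECT id, username FROM users WHERE username = ?", (username,)).fetchall()


def make_db():
    """Constructed sample data: three users in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users (username) VALUES (?)", [("alice",), ("bob",), ("carol",)])
    return conn


def demo():
    """Run the same injection payload through both versions and return what each yields."""
    conn = make_db()
    payload = "x' OR '1'='1"  # tautology: makes the WHERE clause true for every row
    return {
        "vulnerable": find_user_vulnerable(conn, payload),  # every row leaks
        "safe": find_user_safe(conn, payload),              # no user is literally named that
        "legit": find_user_safe(conn, "bob"),               # normal lookup still works
    }


if __name__ == "__main__":
    print(demo())
```

The parameterized version returns nothing for the payload because SQLite compares the whole string against the column; the formatted version returns all three users. The same shape of fix applies to any driver: keep data out of the statement text.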
6. What is AWS CloudFormation?
● An AWS service that you can use to create, model, and manage AWS resources
○ A description of best practices for designing an AWS implementation
○ A package of all the information that is needed to launch an Amazon EC2 instance
○ A template that describes your infrastructure
Analysis of each answer:
- An AWS service that you can use to create, model, and manage AWS resources - SELECTED and CORRECT
- This is the complete and accurate definition. AWS CloudFormation is a service (not just a template) that enables Infrastructure as Code (IaC). It allows you to:
- Create: Provision AWS resources automatically
- Model: Define infrastructure in JSON or YAML templates
- Manage: Update, delete, and track infrastructure changes as a single unit (stack)
- CloudFormation handles dependencies, rollbacks, and maintains the entire lifecycle of your infrastructure.
- A description of best practices for designing an AWS implementation - NOT SELECTED and NOT CORRECT
- This describes something like the AWS Well-Architected Framework or AWS Architecture Center, not CloudFormation. CloudFormation is a tool for provisioning infrastructure, not documentation of best practices.
- A package of all the information that is needed to launch an Amazon EC2 instance - NOT SELECTED and NOT CORRECT
- This describes an Amazon Machine Image (AMI), not CloudFormation. An AMI contains the OS, software, and configuration needed to launch an EC2 instance. CloudFormation can use AMIs but is not itself an AMI.
- A template that describes your infrastructure - NOT SELECTED (but partially correct)
- This is partially accurate but incomplete. CloudFormation uses templates (written in JSON or YAML), but CloudFormation itself is the service that processes those templates. The templates are just one component of CloudFormation—the service also includes:
- The execution engine that provisions resources
- Stack management capabilities
- Change sets and drift detection
- Rollback and update mechanisms
- Calling CloudFormation just "a template" is like calling a car "a blueprint"—it misses the functional service aspect.
The answer "An AWS service that you can use to create, model, and manage AWS resources" is correct because it captures the complete nature of CloudFormation as both a service and a comprehensive infrastructure management solution, not just a template format.
7. What is AWS CloudFormation Designer?
● A graphical design interface for creating AWS CloudFormation templates
○ A source code repository for AWS CloudFormation templates
○ A tool for automating deployments
○ A collection of reusable templates
Analysis of each answer:
- A graphical design interface for creating AWS CloudFormation templates - SELECTED and CORRECT
- This is the accurate definition. AWS CloudFormation Designer is a visual tool within the AWS Console that allows you to:
- Create CloudFormation templates using a drag-and-drop interface
- Visualize existing templates as diagrams showing resource relationships
- Edit templates visually or in JSON/YAML
- See resource dependencies and connections graphically
- It's designed to help users who prefer visual design over writing code from scratch, making template creation more accessible.
- A source code repository for AWS CloudFormation templates - NOT SELECTED and NOT CORRECT
- This describes services like GitHub, AWS CodeCommit, or GitLab—not CloudFormation Designer. Designer is a design tool, not a version control or storage system for templates. While you can export templates from Designer, it's not a repository.
- A tool for automating deployments - NOT SELECTED and NOT CORRECT
- This describes AWS CloudFormation itself, or CI/CD tools like AWS CodePipeline, CodeDeploy, or Jenkins—not CloudFormation Designer specifically. Designer helps you create and visualize templates, but it doesn't automate deployments. You still need to use CloudFormation to actually deploy the templates Designer helps you create.
- A collection of reusable templates - NOT SELECTED and NOT CORRECT
- This describes AWS Quick Starts, AWS CloudFormation Sample Templates, or the AWS Solutions Library—not CloudFormation Designer. Designer is a tool for creating templates, not a library or collection of pre-built templates.
The answer "A graphical design interface for creating AWS CloudFormation templates" is correct because it accurately describes CloudFormation Designer's primary function as a visual template authoring and editing tool.
8. Which option can be used to accomplish deployment-specific differences in an AWS CloudFormation template?
○ Use drift detection.
○ Use change sets.
○ Use AWS CloudFormation Designer.
● Use Conditions.
In AWS CloudFormation, conditions allow you to control whether certain resources are created or how resources are configured based on input parameters. This makes them ideal for handling deployment-specific differences like environment variations (dev, staging, production) or regional differences.
Here's why the other options don't fit as well:
- Drift detection is used to identify differences between the actual state of your stack and what's defined in your template, but it doesn't help you create those deployment-specific variations in the first place.
- Change sets let you preview what changes will happen before executing a stack update, but they don't define deployment-specific logic within the template itself.
- AWS CloudFormation Designer is a visual tool for creating and viewing templates, but it doesn't provide a mechanism for handling deployment-specific differences.
Conditions are declared in the template's Conditions section and evaluated from parameter values (such as an environment name) using intrinsic functions like Fn::Equals, Fn::And, Fn::Or and Fn::Not. A resource's Condition key then decides whether that resource is created at all, and Fn::If chooses between property values, so a single template can serve several deployments.
The correct answer is Use Conditions.
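As an added example (not code from the page or from AWS), the script below emulates locally what CloudFormation does inside the service when it evaluates Conditions: it takes a constructed template with an EnvType parameter, an IsProd condition, a resource-level Condition and two Fn::If property choices, and renders the resource set that would actually be created for dev and for prod. Only the intrinsic functions used in the template are implemented; everything else in a real template (Ref to resources, Fn::GetAtt, and so on) is out of scope here.

```python
"""Local emulation of how CloudFormation Conditions select resources and property values.

Added example, not AWS code. CloudFormation evaluates Conditions inside the
service on create/update; this reproduces that evaluation for Ref (parameters
only), Condition, Fn::Equals, Fn::Not, Fn::And, Fn::Or and Fn::If on a
constructed template, so the effect of one parameter is visible without deploying.
"""

# Constructed template, in the same shape as a YAML/JSON CloudFormation template.
TEMPLATE = {
    "Parameters": {
        "EnvType": {"Type": "String", "AllowedValues": ["dev", "prod"], "Default": "dev"},
    },
    "Conditions": {
        "IsProd": {"Fn::Equals": [{"Ref": "EnvType"}, "prod"]},
        "IsNotProd": {"Fn::Not": [{"Condition": "IsProd"}]},
    },
    "Resources": {
        "AppInstance": {
            "Type": "AWS::EC2::Instance",
            "Properties": {
                # Fn::If selects a property value per deployment.
                "InstanceType": {"Fn::If": ["IsProd", "m5.large", "t3.micro"]},
                "Monitoring": {"Fn::If": ["IsProd", True, False]},
            },
        },
        "ProdOnlyAlarm": {
            # Resource-level Condition: this resource exists only when IsProd is true.
            "Type": "AWS::CloudWatch::Alarm",
            "Condition": "IsProd",
            "Properties": {"AlarmName": "app-cpu-high"},
        },
        "DevDebugBucket": {
            "Type": "AWS::S3::Bucket",
            "Condition": "IsNotProd",
            "Properties": {},
        },
    },
}


def evaluate_condition(name, conditions, params, cache):
    """Evaluate a named Condition once and memoize its boolean result."""
    if name not in cache:
        if name not in conditions:
            raise KeyError(f"undefined condition {name!r}")
        cache[name] = bool(_resolve(conditions[name], params, conditions, cache))
    return cache[name]


def _resolve(node, params, conditions, cache):
    """Resolve Ref (parameters only) and the condition-related intrinsic functions."""
    if isinstance(node, dict) and len(node) == 1:
        key, arg = next(iter(node.items()))
        if key == "Ref":
            return params[arg]
        if key == "Condition":
            return evaluate_condition(arg, conditions, params, cache)
        if key == "Fn::Equals":
            left, right = (_resolve(x, params, conditions, cache) for x in arg)
            return left == right
        if key == "Fn::Not":
            return not _resolve(arg[0], params, conditions, cache)
        if key == "Fn::And":
            return all(_resolve(x, params, conditions, cache) for x in arg)
        if key == "Fn::Or":
            return any(_resolve(x, params, conditions, cache) for x in arg)
        if key == "Fn::If":
            cond_name, if_true, if_false = arg
            chosen = if_true if evaluate_condition(cond_name, conditions, params, cache) else if_false
            return _resolve(chosen, params, conditions, cache)
    if isinstance(node, dict):
        return {k: _resolve(v, params, conditions, cache) for k, v in node.items()}
    if isinstance(node, list):
        return [_resolve(v, params, conditions, cache) for v in node]
    return node


def render(template, param_values=None):
    """Return the resources that would actually be created for the given parameter values."""
    param_specs = template.get("Parameters", {})
    params = {name: spec.get("Default") for name, spec in param_specs.items()}
    params.update(param_values or {})
    for name, spec in param_specs.items():
        allowed = spec.get("AllowedValues")
        if allowed and params[name] not in allowed:  # CloudFormation rejects this before doing anything
            raise ValueError(f"{name}={params[name]!r} is not in AllowedValues {allowed}")
    conditions = template.get("Conditions", {})
    cache, resources = {}, {}
    for logical_id, res in template["Resources"].items():
        cond = res.get("Condition")
        if cond and not evaluate_condition(cond, conditions, params, cache):
            continue  # a false Condition means the resource is simply not created
        resources[logical_id] = {
            "Type": res["Type"],
            "Properties": _resolve(res.get("Properties", {}), params, conditions, cache),
        }
    return resources


if __name__ == "__main__":
    for env in ("dev", "prod"):
        print(env, render(TEMPLATE, {"EnvType": env}))
```

Running it shows the point of the question: the same template yields AppInstance plus DevDebugBucket on a t3.micro for dev, and AppInstance plus ProdOnlyAlarm on an m5.large with detailed monitoring for prod, with nothing edited between the two deployments except the parameter value.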
9. Which option is a good way to preview changes before implementing them in AWS CloudFormation Designer?
○ Visually inspect the template.
○ Run Detect Drift.
● Create a change set.
○ Run Update Stack.
Analysis of each answer:
- Visually inspect the template. - NOT SELECTED and PARTIALLY CORRECT
- While visually inspecting the template in Designer's graphical view can help you understand the structure and relationships, it doesn't actually show you what changes will occur to your deployed resources. You can see the template design, but not the specific changes that will be made to existing infrastructure. This is more of a template review than a change preview.
- Run Detect Drift. - NOT SELECTED and INCORRECT
- Detect Drift identifies differences between the current state of deployed resources and what's defined in the CloudFormation template (i.e., manual changes made outside CloudFormation). It doesn't preview new changes you're planning to make—it shows untracked changes that already happened. This is the wrong tool for previewing planned updates.
- Create a change set. - SELECTED and CORRECT
- This is the correct answer. A CloudFormation change set allows you to preview exactly what will happen when you update a stack before actually implementing those changes. It shows you:
- Which resources will be added, modified, or deleted
- The specific property changes for each resource
- Whether resources will be replaced (which could cause downtime)
- The impact of your template changes
- After reviewing the change set, you can choose to execute it or discard it. This is the standard AWS best practice for safely previewing infrastructure changes.
- Run Update Stack. - NOT SELECTED and INCORRECT
- "Update Stack" actually implements the changes immediately—it doesn't preview them. This is the action you take after you've reviewed a change set and decided to proceed. Running Update Stack without previewing could result in unexpected changes or outages.
The answer "Create a change set" is correct because change sets are specifically designed to preview the impact of CloudFormation template changes before executing them, allowing for safe, informed decision-making about infrastructure updates.
10. Which option is a good way to know which resources in an application environment were manually modified if the environment was created by running an AWS CloudFormation stack?
○ Run conditions on the stack.
○ Run a change set on the stack.
● Run drift detection on the stack.
○ Run a comparison in AWS CloudFormation Designer on the stack.
Analysis of each answer:
- Run conditions on the stack. - NOT SELECTED and INCORRECT
- Conditions in CloudFormation are used during template authoring to control whether certain resources are created based on parameter values or other logic. They don't detect manual changes to already-deployed resources. This is not a monitoring or detection feature.
- Run a change set on the stack. - NOT SELECTED and INCORRECT
- Change sets preview what will happen if you update the stack with a modified template. They don't detect manual changes that have already been made outside CloudFormation. Change sets compare the current template against a proposed new template, not the actual resource state against the template.
- Run drift detection on the stack. - SELECTED and CORRECT
- This is the correct answer. CloudFormation Drift Detection specifically identifies differences between the actual configuration of stack resources and what's defined in the CloudFormation template. When someone manually modifies resources (e.g., changing an EC2 instance type via the console, modifying security group rules, etc.), drift detection will identify:
- Which resources have been modified
- Which specific properties have drifted
- The expected values vs. actual values
- This is the purpose-built feature for detecting manual changes to CloudFormation-managed resources.
- Run a comparison in AWS CloudFormation Designer on the stack. - NOT SELECTED and INCORRECT
- CloudFormation Designer is a visual tool for creating and editing templates. It doesn't have a comparison feature that checks actual deployed resource states against the template. It works with template files, not live infrastructure inspection.
The answer "Run drift detection on the stack" is correct because drift detection is specifically designed to identify when resources managed by CloudFormation have been manually modified outside of CloudFormation's control, showing exactly which resources drifted and how they differ from the template definition.
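Questions 9 and 10 turn on which two things are being compared. As an added example (not AWS code, and not how the service is implemented), the script below reproduces both comparisons on constructed data: a change set preview diffs the current stack template against a proposed template and labels each resource Add, Modify or Remove with a replacement flag, while drift detection diffs the stack template against the live resource state and labels each resource IN_SYNC, MODIFIED or DELETED. The CURRENT, PROPOSED and LIVE dictionaries are constructed for illustration, and REPLACEMENT_PROPS is an assumed, deliberately short list of replacement-triggering properties, not the AWS resource reference. In a real account the equivalent calls are aws cloudformation create-change-set / describe-change-set and detect-stack-drift / describe-stack-resource-drifts.

```python
"""Change sets vs drift detection: the two comparisons, reproduced on local data.

Added example, not AWS code. Real change sets come from `aws cloudformation
create-change-set` / `describe-change-set`, real drift from `detect-stack-drift` /
`describe-stack-resource-drifts`; both run inside the service. Here:
    change set : current stack template vs proposed template   (what WILL change)
    drift      : stack template         vs live resource state (what DID change out of band)
REPLACEMENT_PROPS is an illustrative assumption, not the AWS resource reference.
"""

# Constructed template of the deployed stack (already rendered, no intrinsic functions).
CURRENT = {
    "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "web",
        "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "10.0.0.0/8"}]}},
    "AppInstance": {"Type": "AWS::EC2::Instance", "Properties": {"InstanceType": "t3.micro", "AvailabilityZone": "us-east-1a"}},
    "LogBucket": {"Type": "AWS::S3::Bucket", "Properties": {"BucketName": "example-logs-123456"}},
}
# Constructed proposed template: resize and move the instance, drop the bucket, add an alarm.
PROPOSED = {
    "WebSg": CURRENT["WebSg"],
    "AppInstance": {"Type": "AWS::EC2::Instance", "Properties": {"InstanceType": "t3.small", "AvailabilityZone": "us-east-1b"}},
    "CpuAlarm": {"Type": "AWS::CloudWatch::Alarm", "Properties": {"AlarmName": "app-cpu-high"}},
}
# Constructed live state as the describe APIs would report it: an SSH rule added in the console,
# the instance resized by hand, LogBucket deleted outside CloudFormation, a tag the template never set.
LIVE = {
    "WebSg": {"GroupDescription": "web",
              "SecurityGroupIngress": [
                  {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "10.0.0.0/8"},
                  {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}],
              "Tags": [{"Key": "Owner", "Value": "ops"}]},
    "AppInstance": {"InstanceType": "t3.medium", "AvailabilityZone": "us-east-1a"},
}
REPLACEMENT_PROPS = {  # assumption: properties whose update forces a new physical resource
    "AWS::EC2::Instance": {"AvailabilityZone", "ImageId", "SubnetId"}, "AWS::S3::Bucket": {"BucketName"}}


def diff_properties(expected, actual, path=""):
    """Return [(path, expected, actual)] for every leaf value that differs."""
    diffs = []
    if isinstance(expected, dict) and isinstance(actual, dict):
        for key in sorted(set(expected) | set(actual)):
            sub = f"{path}/{key}"
            if key not in actual:
                diffs.append((sub, expected[key], None))
            elif key not in expected:
                diffs.append((sub, None, actual[key]))
            else:
                diffs.extend(diff_properties(expected[key], actual[key], sub))
    elif isinstance(expected, list) and isinstance(actual, list):
        for i in range(max(len(expected), len(actual))):
            sub = f"{path}/{i}"
            if i >= len(actual):
                diffs.append((sub, expected[i], None))
            elif i >= len(expected):
                diffs.append((sub, None, actual[i]))
            else:
                diffs.extend(diff_properties(expected[i], actual[i], sub))
    elif expected != actual:
        diffs.append((path, expected, actual))
    return diffs


def preview_change_set(current, proposed):
    """What a change set lists: Add / Modify / Remove per resource, plus a replacement flag."""
    changes = []
    for rid in sorted(set(current) | set(proposed)):
        if rid not in current or rid not in proposed:
            action = "Add" if rid not in current else "Remove"
            changes.append({"LogicalResourceId": rid, "Action": action, "Replacement": False, "Details": []})
            continue
        cur, new = current[rid], proposed[rid]
        details = diff_properties(cur["Properties"], new["Properties"])
        if not details and cur["Type"] == new["Type"]:
            continue  # unchanged resources do not appear in a change set
        touched = {d[0].split("/")[1] for d in details}  # top-level property names that changed
        replacement = cur["Type"] != new["Type"] or bool(touched & REPLACEMENT_PROPS.get(cur["Type"], set()))
        changes.append({"LogicalResourceId": rid, "Action": "Modify", "Replacement": replacement, "Details": details})
    return changes


def detect_drift(template, live):
    """What drift detection reports: IN_SYNC / MODIFIED / DELETED per resource, with differences."""
    report = {}
    for rid, res in template.items():
        if rid not in live:
            report[rid] = {"StackResourceDriftStatus": "DELETED", "PropertyDifferences": []}
            continue
        # Like the service, compare only properties the template explicitly sets, so the
        # Tags added out of band on WebSg are not reported as drift.
        observed = {k: v for k, v in live[rid].items() if k in res["Properties"]}
        diffs = diff_properties(res["Properties"], observed)
        report[rid] = {"StackResourceDriftStatus": "MODIFIED" if diffs else "IN_SYNC", "PropertyDifferences": diffs}
    return report


if __name__ == "__main__":
    print(*preview_change_set(CURRENT, PROPOSED), sep="\n")
    print(*detect_drift(CURRENT, LIVE).items(), sep="\n")
```

The change set flags AppInstance as Modify with Replacement set, because the AvailabilityZone change is in the assumed replacement list, which is the downtime warning a practitioner reads a change set for. The drift report is the other direction entirely: the 0.0.0.0/0 port-22 rule and the t3.medium resize show as MODIFIED and the missing bucket as DELETED, none of which a change set would ever surface because a change set never looks at live resources.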