Exam AWS Certified Developer Associate topic 1 question 106 discussion

B) Eliminated - While it’s possible that hitting a service limit (like EC2 vCPUs) could affect provisioning, this is generally more related to resource availability, not a typical failure during a CloudFormation

Condition on template and limitation on vCPU are existing https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-on-demand-instances.html#ec2-on-demand-instances-limits

A - not possible, conditions are the same for both environments B - not possible, there is no such a quota C - possible, someone deleted SG outside of template D - not possible, CF should detect this change E - possible, IAM permissions could be edited outside of template

As they mentioned, they just upgrading the AMI, if there was an issue with IAM or security, this issue would be present even before upgrading right.

Selected : CE Coludformation Update stack – Failure reason: 1. Delete stack fails 2. Error parsing parameter when passing a list 3. Insufficient IAM permissions 4. Invalid value or unsupported resource property 5. Resource Quota exceeded 6. Nested stacks are stuck in UPDATE_COMPLETE_CLEANUP_IN_PROGRESS, UPDATE_ROLLBACK_COMPLETE_CLEANUP_IN_PROGRESS, or UPDATE_ROLLBACK_IN_PROGRESS 7. No updates to perform 8. Resource failed to stabilize during a create, update, or delete stack operation 9. Security group does not exist in VPC 10. Update rollback failed 11. Wait condition didn't receive the required number of signals from an Amazon EC2 instance 12. Resource removed from stack but not deleted

A. The new AMIs do not fulfill the specified conditions in the CloudFormation template: The CloudFormation template may have specific conditions or requirements for the AMIs used in the production environment. If the new AMIs do not meet those conditions, the update may fail. C. The security group that is specified in the CloudFormation template does not exist: If the specified security group does not exist in the production environment, the update that references it will fail.

A and C are correct. E is very incorrect E is not a likely cause of the CloudFormation update failure, as the CloudFormation update was successful in the test environment. If CloudFormation did not have sufficient IAM permissions, the update would have failed in both the test and production environments.

A and B IMO this question is based on https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/troubleshooting.html D is impossible because the update fails, meaning it recognized the change and the update ran. I am going to assume the the stack ran succesfully in the first time it ran (creation). So that C and E could not be since the SG worked in the first time and IAM permissions was OK in the first time.

A and B is correct. For those who are saying A&E: If it was an error due to IAM permissions, the update wouldn't succeed in the test environment either. So E can't be correct.

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/conditions-section-structure.html https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-capacity-reservations.html

Excluding B, C and D, the only acceptable are A and E. In B, C and D there are information that aren't mentioned in the questions, so useless for the test.

A and B are more logic for me. Application is already work and we just maded a change so it's dosen't make sense an SG is not available or CF haven't the permissions

A and B: for B: Verify that you didn't reach a resource quota. For example, the default maximum number of Amazon EC2 On-Demand instances that you can launch is 5. If try to create more Amazon EC2 On-Demand instances than your account quota, the instance creation fails and you receive the error Status=start_failed. To view the default AWS quotas by service, see AWS service quotas in the AWS General Reference. For AWS CloudFormation quotas and tweaking strategies, see AWS CloudFormation quotas. Also, during an update, if a resource is replaced, AWS CloudFormation creates new resource before it deletes the old one. This replacement might put your account over the resource quota, which would cause your update to fail. You can delete excess resources or request a quota increase. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/troubleshooting.html#troubleshooting-errors-limit-exceeded

A E

A is probable, but B is more

A and E

A and E. AMIs can only be used on specific region. Either both environments running on different regions, or permissions insufficient. IAM access deny exception is common issue. Easiest way to allow or deny AWS resources to user. So when user does not have permission to run template on production environment, it’s obvious. Security group is more for networking (open ports). If fail means written wrongly.