Back to the course
Test yourself

AWS CloudFormation

Final exam · 14 questions · answers explained as you pick
Beginner
4 questions
01CloudFormation stores stack state…
Incorrect — that is Terraform; CloudFormation is managed.
Correct — AWS tracks the resources; there is nothing to store or lock yourself.
Incorrect — no manual backend — AWS manages it.
Incorrect — it very much tracks state, just for you.
02The only required section of a template is…
Incorrect — optional — for deploy-time inputs.
Incorrect — optional — for exporting values.
Correct — the what — every template must declare at least one resource.
Incorrect — optional lookup tables.
03To keep a password out of plaintext in a template parameter, you…
Correct — NoEcho masks it; referencing a secret store keeps it out of the template entirely.
Incorrect — encoding is not protection — trivially reversible.
Incorrect — Outputs are visible — the worst place for a secret.
Incorrect — plain parameters are visible in events/console without NoEcho.
04If a resource fails during a stack create/update, CloudFormation by default…
Incorrect — no — it rolls back to protect you.
Correct — automatic rollback reverts the whole operation.
Incorrect — it only affects the stack being changed.
Incorrect — it rolls back, it does not loop.
4 questions · explanations appear as you answer
Intermediate
5 questions
01The field in a change set that warns of destroy-and-recreate is…
Incorrect — Action is Add/Modify/Remove; it does not alone signal replacement.
Incorrect — that is just the resource name.
Correct — a Modify with Replacement: True means the resource is destroyed and recreated — data loss on stateful ones.
Incorrect — not the replacement indicator.
02!Ref on an S3 bucket returns its name, while !GetAtt Bucket.Arn returns…
Correct — GetAtt reads named return values; Ref returns the default identifier.
Incorrect — they differ — that is the common bug.
Incorrect — GetAtt returns the requested attribute.
Incorrect — that would be the AWS::Region pseudo-parameter.
03A pseudo-parameter like AWS::AccountId is…
Incorrect — no — AWS supplies it automatically.
Correct — lets a template adapt to any account/region without hard-coding.
Incorrect — unrelated.
Incorrect — it is an input value AWS provides, not an output.
04You cannot delete a stack export while…
Incorrect — only exports that are imported are locked.
Incorrect — environment is irrelevant.
Correct — CloudFormation protects consumers by refusing to remove an in-use export.
Incorrect — you can, once no stack imports it.
05Drift most commonly happens because…
Correct — the real config diverges from the template until the next update surprises you.
Incorrect — it does not change things on its own.
Incorrect — that fails validation, it is not drift.
Incorrect — not what drift means.
5 questions · explanations appear as you answer
Advanced
5 questions
01A custom resource lets CloudFormation…
Incorrect — that is a macro; a custom resource provisions something.
Correct — e.g. a third-party API or a lookup — the result is a managed resource.
Incorrect — unrelated.
Incorrect — drift detection is a separate feature.
02The difference between a macro and a custom resource is…
Incorrect — they operate at different times.
Incorrect — reversed — see the correct option.
Correct — SAM (Transform) is a macro; a Lambda-backed Custom:: is a custom resource.
Incorrect — both run your Lambda code.
03A StackSet is used to…
Correct — ideal for org-wide baselines that auto-deploy to new accounts in an OU.
Incorrect — that is nested stacks, not StackSets.
Incorrect — unrelated.
Incorrect — that is cfn-guard/cfn-nag.
04Which tool checks a template against security policy-as-code rules?
Incorrect — cfn-lint checks validity/best practice, not custom security policy.
Correct — they flag public buckets, open ingress, wildcard IAM, and enforce guard rules.
Incorrect — that shows deploy progress, not policy.
Incorrect — that checks syntax, not security posture.
05The safest way to give CI credentials to deploy CloudFormation is…
Incorrect — a top breach vector — a leaked runner exfiltrates them.
Incorrect — over-privileged; a compromised template can do anything.
Correct — no static keys, least-privilege, auditable — removes the common pipeline compromise.
Incorrect — never use root for automation.
5 questions · explanations appear as you answer