Domain 2 of 4 · Chapter 1 of 6

Deployment strategies

Choosing a deployment pattern: blast radius vs cost vs rollback

Every deployment pattern is a position on one trade-off triangle: how large a blast radius a bad release may have, how much extra cost you pay during the rollout, and how fast you can roll back. Blue/green buys instant rollback by paying for two full environments; all-at-once is free but exposes 100% of users at once; canary trades a small first slice for a monitoring window. The four canonical patterns sit at different corners of that triangle, and the exam expects you to map a scenario's constraints to the right one.

The four patterns

Pattern Blast radius of a bad release Rollback speed Extra cost during deploy Mixed versions live?
All-at-once 100% immediately Slowest (full redeploy) None No
Rolling / in-place Grows batch by batch Slow (redeploy prior batches) None Yes
Blue/green 0% until cutover, then 100% Instant (flip traffic to blue) High (two full environments) No
Canary / linear Small first slice, then grows Fast (stop shift, auto-rollback) Low (one extra version / task set) Yes

All-at-once replaces every target simultaneously. It is the cheapest and fastest path, but a defect reaches 100% of users at once and the only rollback is a second full deployment. Reserve it for dev, low-risk internal tools, or workloads where a brief outage is acceptable.

Rolling (in-place) updates the existing fleet in batches. There is no duplicate fleet to pay for, but two consequences follow: old and new versions run side by side during the rollout (so the versions must be compatible), and rollback means redeploying the previous revision to the already-updated batches, slow.

Blue/green stands up a parallel green environment next to the running blue one and cuts traffic over at the load balancer or via DNS. Because blue keeps running, rollback is an immediate traffic flip with no redeploy, the fastest recovery available. The price is running two full environments during the cutover window, which is why it is the wrong default for cost-sensitive, low-risk work.

Canary and linear expose a small slice of traffic to the new version first, giving a monitoring window in which an alarm can abort before the blast radius grows. A canary shifts one increment (for example 10%), bakes for a fixed interval, then sends the rest; a linear config shifts a fixed percentage on a repeating interval until 100%. Both are the safest way to expose a new version of a serverless or containerized workload.

The coexistence precondition

Canary, linear, and blue/green all assume the old and new versions can run at the same time during the shift. A backward-incompatible (schema-breaking) database change violates this: it breaks the still-running old version the moment the new schema lands. The professional-level answer is the expand/contract (parallel-change) migration: first deploy a backward-compatible schema that both versions tolerate (expand), migrate the code, then remove the old columns/behavior (contract). If you cannot make the change compatible, accept a maintenance-window all-at-once cutover instead. Treat any answer that runs a canary over a schema-breaking migration as wrong.

The non-negotiable: rollback must be automated

The pattern matters less than the rule underneath all of them: a deployment is only safe if it self-aborts on a bad health signal. Wire health alarms to the deployment so the platform reverts without a human in the loop. A release path whose only recovery is a manual redeploy is the anti-pattern the exam consistently penalizes, regardless of how elegant the rollout strategy looks.

The trade-off triangle Blast radius Extra cost Rollback speed All-at-once cheapest, 100% blast, slowest rollback Rolling / in-place no duplicate fleet, slow rollback Canary / linear small first slice, fast rollback Blue/green two environments, instant rollback
The trade-off triangle: each pattern sits where its blast radius, extra cost during deploy, and rollback speed balance. Modeled on AWS deployment-strategy guidance.

CodeDeploy mechanics: compute platforms, configs, and rollback

CodeDeploy[8] automates deployments to three compute platforms, and the SAP-C02 traps live in the differences between them.

Three compute platforms, two deployment types

CodeDeploy offers two deployment types, in-place and blue/green, but they are not available everywhere. Only the EC2/On-Premises compute platform can do in-place deployments; AWS Lambda and Amazon ECS deployments cannot use the in-place type and are always blue/green[8]. For EC2/On-Premises blue/green, CodeDeploy provisions a replacement environment (a new set of instances), installs the revision, optionally pauses for testing, then registers the replacement instances with the Elastic Load Balancing load balancer and deregisters the original ones (which can be terminated or kept running). Blue/green on EC2/On-Premises works with Amazon EC2 instances only, on-premises instances are not supported[8]; the replacement environment is built either by copying an existing Auto Scaling group or by selecting instances manually.

Predefined deployment configurations per platform

Compute platform Mechanism Predefined configs
EC2/On-Premises (in-place) Minimum-healthy-hosts CodeDeployDefault.AllAtOnce, HalfAtATime, OneAtATime
AWS Lambda Alias weighting LambdaCanary10Percent5Minutes (+10/15/30-min), LambdaLinear10PercentEvery1Minute (+2/3/10-min), LambdaAllAtOnce
Amazon ECS Weighted target group ECSCanary10Percent5Minutes, ECSCanary10Percent15Minutes, ECSLinear10PercentEvery1Minutes, ECSLinear10PercentEvery3Minutes, ECSAllAtOnce

The EC2/on-premises configs are governed by a minimum-healthy-hosts value, not traffic weighting, and the default when none is specified is CodeDeployDefault.OneAtATime[1]. On Lambda, CodeDeploy shifts traffic between function versions by alias weighting; the linear config name ends in the singular "Minute"[1]. On ECS, the new application deploys as a replacement task set and traffic shifting requires a weighted target group; the ECS linear name ends in the plural "Minutes", and behind a Network Load Balancer only CodeDeployDefault.ECSAllAtOnce is supported[1]. That NLB restriction is a recurring distractor: if a stem puts an ECS service behind an NLB and offers a canary config, the canary option is impossible.

Lifecycle hooks gate the shift

For Lambda and ECS, the AppSpec hooks section names Lambda validation functions that run at lifecycle events. Lambda deployments expose BeforeAllowTraffic (before traffic shifts to the new version) and AfterAllowTraffic (after)[9]. ECS deployments add BeforeInstall, AfterInstall, and AfterAllowTestTraffic, the latter running validation against a separate test listener before any production traffic moves[9]. A failing hook triggers a rollback; if the validation function does not call back Succeeded/Failed within one hour the deployment is treated as failed. This is how you run automated smoke tests against the green version before it ever sees a customer.

Automatic rollback is alarm-driven

CodeDeploy can be configured to automatically roll back when a deployment fails or when a CloudWatch monitoring threshold (alarm) is met, redeploying the last known good revision[4]. One subtlety the exam rewards: a rollback is itself a new deployment, CodeDeploy redeploys the previous revision with a new deployment ID rather than restoring an old one[4]. For blue/green the practical effect is faster and more reliable than in-place, because traffic can be routed back to the still-running original instances instead of waiting on a redeploy.

EC2/On-Premises blue/green (Amazon EC2 instances only) Provision replacement environment Install the revision on replacement instances Optional pause for testing Cut over at the load balancer: register replacement, deregister original Rollback routes traffic back to the still-running original instances — no redeploy.
CodeDeploy EC2/On-Premises blue/green sequence, modeled on the AWS CodeDeploy overview: https://docs.aws.amazon.com/codedeploy/latest/userguide/welcome.html

IaC as the spine: CloudFormation, change sets, StackSets, SAM/CDK

CodeDeploy releases the application; CloudFormation (and its higher-level wrappers) provisions and governs the infrastructure that runs it. The professional change-management story is everything as code, every change previewed, one artifact promoted.

CloudFormation as single source of truth

Modeling infrastructure as a CloudFormation[3] template makes environments reproducible and auditable. Two governance features matter for deployments:

Nested stacks for reuse

Nested stacks let you split a large template into reusable pieces: a parent template references a child template through the AWS::CloudFormation::Stack resource[11], and the top-level stack is the root stack while each nested stack has an immediate parent stack. Stack updates should be initiated from the root stack; when you update a root stack, only nested stacks whose template changed are updated[11]. Use nesting to share a common load balancer or VPC pattern across many stacks instead of copy-pasting resource blocks.

StackSets for cross-account, multi-Region rollout

CloudFormation StackSets deploy one template as stack instances into many accounts and Regions from a single administrator account[3]. The permission model is the exam's favorite distinction:

  • Service-managed permissions (integrated with AWS Organizations) create the cross-account IAM roles for you and support automatic deployment, so an account later added to a target OU inherits the baseline stack with no manual action.
  • Self-managed permissions require you to create the cross-account roles yourself and target individual account IDs, with no auto-deploy to future accounts.

A stack instance is a reference to a stack in a target account/Region and can exist even when its stack failed to create; failure tolerance is evaluated per Region and Region concurrency is Sequential (default) or Parallel[3]. Those operation preferences give a StackSet the same incremental, fail-fast behavior you want from any production rollout. When a stem says "the baseline must reach every account in the organization, including ones created later," the answer is service-managed StackSets, not a Lambda that copy-deploys templates.

SAM and CDK compile down to CloudFormation

For serverless, AWS SAM is an open-source framework and an extension of CloudFormation: its shorthand syntax declares serverless resources that are transformed into standard CloudFormation during deployment[12], and a SAM AutoPublishAlias plus DeploymentPreference wires Lambda canary/linear traffic shifting through CodeDeploy with almost no boilerplate. AWS CDK lets you define infrastructure in a general-purpose language and synthesizes the same CloudFormation. Because all three converge on CloudFormation, the change-set, drift, and StackSet behaviors above apply no matter which authoring layer the scenario names.

Root stack top-level; update from here Parent stack immediate parent of a nested stack Parent stack immediate parent of a nested stack Nested stack Nested stack Nested stack references via AWS::CloudFormation::Stack
CloudFormation nested-stack hierarchy (root → parent → nested), modeled on the AWS nested-stacks doc: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-nested-stacks.html

Traffic shifting, feature flags, and orchestration

Beyond CodeDeploy's built-in shifting, SAP-C02 expects you to know the load-balancer and DNS primitives that move traffic, the feature-flag service that decouples release from deploy, and the pipeline that gates the whole path.

Where traffic actually shifts

The lever you reach for is decided by one question: where do the blue and green versions live? Within one Region, weight at the load balancer; across separate stacks or Regions, weight in DNS; for an active/passive cutover, let health checks move traffic for you.

  • ALB weighted target groups: an Application Load Balancer can forward to multiple target groups with weights, so a listener rule sending 90% to blue and 10% to green is the mechanism under an ECS canary. Weighting at the ALB shifts within a Region in seconds.
  • Route 53 weighted records: for blue/green across whole environments (or Regions) you point traffic with weighted DNS records and lower blue's weight as green proves out. DNS shifting is coarser (bounded by record TTL and resolver caching) and is a control-plane operation, so it is less resilient than a data-plane flip for failover, but it is the standard cross-environment cutover lever.
  • Route 53 failover records + health checks: for an active/passive cutover, a failover routing policy backed by health checks moves traffic automatically when the primary is unhealthy.

Use the ALB lever for in-Region task/instance shifting and the Route 53 lever when the blue and green environments are separate stacks or Regions.

AppConfig decouples release from deploy

AWS AppConfig adjusts application behavior in production without full code deployments, using feature flags and dynamic configuration; if a bad change triggers a CloudWatch alarm, AppConfig automatically rolls the change back[5]. It supports two configuration profile types, feature flags and freeform, and ships safety controls: validators that check a configuration before it deploys, a deployment strategy that releases the change gradually, and alarm-based automatic rollback. An AppConfig deployment strategy has a deployment type (Linear or Exponential), a step percentage (the API calls it growth factor), a deployment-time window, and a bake time during which AppConfig watches the configured CloudWatch alarms after the change reaches 100% of targets and rolls back if one fires[2] (AppConfig must hold IAM permission to roll back). Reach for AppConfig when runtime behavior must change but the deployed artifact should not: toggling a feature, flipping a throttle limit, or instantly disabling a misbehaving capability without a redeploy.

CodePipeline orchestrates with approval gates

The release path is chained in CodePipeline: CodeBuild builds and tests, then CodeDeploy and/or CloudFormation actions release. A manual-approval action inserted between stages forces a person to gate promotion (for example staging to production)[6], giving a repeatable, reviewed, auditable change-management path. Two professional disciplines round it out:

  • Promote one immutable artifact. Build the artifact once and promote that same build through staging to production. Rebuilding per environment risks shipping a different artifact to prod than the one that was tested, defeating the purpose of the tested path.
  • Gate destructive changes. Combine CloudFormation change-set review (preview replacements) with a manual-approval action so a human sees what will be deleted before prod is touched.

This is the non-negotiable rollback rule from the first section, now wearing its orchestration clothes: ship incrementally, attach health alarms to the deployment, and let the platform revert automatically, here orchestrated by IaC and gated by approvals.

Where do blue and green live? ALB weighted target groups in-Region task / instance shifting Route 53 weighted records separate stacks or Regions Route 53 failover records + health checks active / passive cutover one Region separate failover
Picking the traffic-shifting lever: ALB weighted target groups in-Region, Route 53 weighted records across stacks/Regions, Route 53 failover for active/passive.

Exam-pattern recognition (SAP-C02)

SAP-C02 deployment questions are long scenarios where one constraint silently selects the answer. Train on the stem-to-answer mappings below and on why the plausible distractors fail.

Stem cues and the correct choice

Scenario cue in the stem Correct choice Why
"Stateful prod app; must roll back instantly with no redeploy" Blue/green; keep blue warm and flip the ALB / Route 53 Rollback = traffic flip back to running blue, no redeploy
"Serverless API; expose new version safely, auto-abort on errors" Lambda canary/linear via CodeDeploy + CloudWatch alarm Alias weighting shifts a slice first; alarm auto-rolls back
"ECS service behind an NLB; want a 10% canary" Not possible, only ECSAllAtOnce behind an NLB Canary needs a weighted target group; NLB can't weight
"Change runtime behavior without redeploying code" AWS AppConfig feature flag + gradual strategy Decouples release from deploy; alarm-based rollback
"Baseline must reach every account, incl. future ones" Service-managed StackSets (Organizations) Auto-deploys to accounts added to the target OU
"Preview exactly what an update will change/replace" CloudFormation change set, then execute Shows add/modify/replace/delete before any change
"Detect resources changed outside the template" CloudFormation drift detection, reconcile to template Reports MODIFIED/DELETED vs expected config
"Cost-sensitive internal tool; brief outage OK" All-at-once or rolling in-place Blue/green doubles cost for no needed benefit
"Same tested build must reach prod" Promote one immutable artifact, don't rebuild per stage Rebuilding risks a different prod artifact
"Backward-incompatible DB migration mid-rollout" Expand/contract migration first (or windowed cutover) Canary/blue-green need old+new to coexist

Distractor traps to disarm

When two options both technically work, prefer the one that is more automated, smaller blast radius, and faster to roll back, that ranking decides almost every deployment-strategy question on this exam.

Deployment patterns by risk, cost, and rollback speed (SAP-C02)

DimensionAll-at-onceRolling / in-placeBlue/greenCanary / linear
Blast radius of a bad release100% immediatelyGrows batch by batch0% until cutover, then 100%Small first slice, then grows
Rollback speedSlowest (full redeploy)Slow (redeploy prior batches)Instant (flip traffic to blue)Fast (stop shift, auto-rollback)
Extra cost during deployNoneNoneHigh (two full environments)Low (one extra task set / version)
Mixed versions live at onceNoYesNo (clean cutover)Yes (during shift)
Native AWS mechanismCodeDeploy AllAtOnceCodeDeploy HalfAtATime / OneAtATimeCodeDeploy blue/green; ALB or Route 53CodeDeploy ECS/Lambda canary & linear
Typical fitDev / low-risk / cost-firstStateless fleet, modest riskStateful prod needing instant rollbackServerless/containers needing safe exposure

Decision tree

Need instant rollback with no redeploy? Yes, can pay for 2 envs Blue/green parallel fleet, flip ALB / Route 53 No / cost-first Can expose a small slice first and watch alarms? Yes Compute target for traffic shifting? No Rolling in-place CodeDeploy Half / OneAtATime; or all-at-once if outage OK Lambda Lambda canary / linear LambdaCanary10Percent5Minutes alias weighting + auto-rollback ECS (ALB) ECS canary / linear ECSCanary10Percent5Minutes; NLB → only ECSAllAtOnce EC2 / runtime config AppConfig feature flags gradual rollout + bake time; decouples release from deploy Always: codify as CloudFormation / CDK / SAM, gate with CodePipeline manual approvals, wire CloudWatch alarms to auto-rollback, and use StackSets for cross-account / multi-Region rollout.

Sharp facts the exam loves — give these one last read before exam day.

Cheat sheet

Sharp facts the exam loves — scan these before test day.

Pick the deployment pattern by rollback speed vs cost

Deployment patterns trade rollback speed against cost. All-at-once is the cheapest and fastest but a bad release hits 100% of users at once and rollback is a second full deploy. Blue/green holds blast radius at 0% until cutover and rolls back instantly by flipping traffic back to the warm blue fleet, but you pay for two full environments during the window. Canary and linear expose a small slice first behind an alarm-gated abort. Rolling in-place needs no duplicate fleet, but it leaves mixed versions live and rolls back slowly batch by batch.

Trap Defaulting to blue/green as the universally best pattern, ignoring that all-at-once or rolling can be the right call when the workload is cost-sensitive and can tolerate slower recovery.

Blue/green buys instant rollback for double the cost

Blue/green stands up a parallel green environment running the new version and cuts traffic over at the load balancer or via Route 53 weighted DNS; because the old blue fleet keeps running, rollback is an immediate traffic flip with no redeploy. The cost is paying for two full identical environments during the cutover window, so it is the wrong fit for cost-sensitive, low-risk workloads that can tolerate a slower recovery.

Canary front-loads one gate, linear spreads risk evenly

Canary and linear both shift traffic gradually but differ in shape. A canary config shifts one small increment first (for example 10%), waits a fixed interval, then sends the remaining 90% all at once. A linear config shifts a fixed percentage on a repeating interval (for example 10% every minute) until 100%. Both give a CloudWatch-alarm window to auto-abort before the bad version reaches everyone; canary concentrates the observation in one early gate, linear distributes exposure across many equal steps.

Trap Treating canary as a gradual ramp to 100%, when after the single observation interval it sends the entire remaining 90% in one jump.

3 questions test this
CodeDeploy on EC2 deploys in-place by minimum-healthy-hosts

On the EC2/on-premises compute platform CodeDeploy does in-place batch deployment governed by a minimum-healthy-hosts value (the number or percentage of instances that must stay available), not traffic weighting. The three predefined configs are CodeDeployDefault.AllAtOnce, CodeDeployDefault.HalfAtATime, and CodeDeployDefault.OneAtATime; when none is specified CodeDeploy defaults to CodeDeployDefault.OneAtATime.

Trap Assuming CodeDeploy shifts EC2 traffic by percentage like it does for Lambda/ECS, when EC2 in-place is governed by minimum-healthy-hosts.

CodeDeploy on Lambda shifts traffic by alias weighting

On the AWS Lambda compute platform CodeDeploy shifts traffic between function versions using alias weighting. Predefined configs include CodeDeployDefault.LambdaCanary10Percent5Minutes (with 10/15/30-minute variants), CodeDeployDefault.LambdaLinear10PercentEvery1Minute (with 2/3/10-minute variants), and CodeDeployDefault.LambdaAllAtOnce. Pre-traffic and post-traffic Lambda validation hooks can gate promotion before and after the shift.

Trap Assuming Lambda traffic shifting needs a load balancer or target group, when CodeDeploy moves it purely through weighted version aliases.

4 questions test this
CodeDeploy on ECS needs a weighted load balancer to shift traffic

On the Amazon ECS compute platform CodeDeploy shifts traffic to a new task set using canary, linear, or all-at-once configs such as CodeDeployDefault.ECSCanary10Percent5Minutes and CodeDeployDefault.ECSLinear10PercentEvery1Minutes (the ECS linear name ends in "Minutes" plural where the Lambda equivalent ends in "Minute"). Weighted traffic shifting requires a weighted target group, so behind a Network Load Balancer only CodeDeployDefault.ECSAllAtOnce is supported.

Trap Specifying an ECS canary or linear config behind a Network Load Balancer, which supports only ECSAllAtOnce because it cannot do weighted target-group shifting.

3 questions test this
Wire automated rollback to CloudWatch alarms, not manual redeploy

CodeDeploy can automatically roll back[4] when a deployment fails or when a monitoring threshold you set (a CloudWatch alarm in ALARM state) is met; the rollback redeploys the last known good revision as a brand-new deployment with its own ID, not a restore. Attach health alarms to every deployment so the platform reverts without a human in the loop.

6 questions test this
AppConfig flips runtime behavior without redeploying code

AWS AppConfig[5] deploys configuration and feature-flag changes to running applications so you can adjust production behavior without a full code deployment, decoupling feature releases from code releases. It is the right tool when behavior must change but the deployed artifact should not, and it reaches EC2, ECS, Lambda, and other compute through the AppConfig agent, Lambda extension, or the SDK/API.

Trap Pushing a full code redeploy just to toggle a feature flag, when AppConfig changes runtime behavior without touching the deployed artifact.

An AppConfig strategy = growth factor plus bake-time rollback

An AWS AppConfig deployment strategy uses a Linear or Exponential deployment type, a step percentage (the API calls it growth factor) setting how many callers each step targets, a deployment-time window over which the rollout is processed, and a final bake time. During the bake time AppConfig monitors the configured CloudWatch alarms after the change reaches 100% of targets and automatically rolls the configuration back if an alarm fires; AppConfig must be granted IAM permission to perform that rollback.

Trap Expecting AppConfig to keep monitoring for rollback after the bake time elapses, when its automatic alarm-driven rollback only covers the bake-time window.

Promote one immutable artifact, never rebuild per stage

Build the artifact once and promote that same immutable build through staging to production rather than rebuilding it at each stage. Rebuilding per environment risks shipping a different artifact to prod than the one that was tested, which defeats the entire purpose of a tested release path.

CodePipeline gates promotion with a manual-approval action

CodePipeline chains CodeBuild (build/test), CodeDeploy (release), and CloudFormation actions into stages, and a manual-approval action[6] inserted between stages stops execution until someone with the right IAM permission approves or rejects (for example gating staging to production). A rejection or no response within seven days fails the action, giving a repeatable, reviewed, auditable change path instead of ad-hoc deploys.

4 questions test this
Preview every stack update with a change set first

A CloudFormation change set[7] previews exactly which resources an update will add, modify, or delete (including which changes force a replacement) before anything is touched; nothing changes until you execute it. A change set does NOT guarantee the update will succeed (quotas, permissions, or non-updatable properties can still fail it), and executing one removes all other change sets associated with that stack.

Trap Treating a clean change set as a guarantee the update will succeed, when quotas, permissions, or non-updatable properties can still fail the execution.

IaC as the source of truth makes drift detectable

Defining infrastructure as CloudFormation (or CDK/SAM, which synthesize to CloudFormation) makes environments reproducible and lets drift detection flag resources changed outside the template. Out-of-band console edits create drift that should be reconciled back into the template so the IaC stays authoritative; a half-managed stack where humans also click in the console loses that guarantee.

Trap Fixing a production issue with a quick console edit, creating drift that leaves the template no longer matching the live stack.

StackSets deploy one template across many accounts and Regions

CloudFormation StackSets deploy a single template as stack instances into many accounts and Regions from one administrator account. A stack instance is a reference to a stack in a target account/Region and can exist even when its underlying stack failed to create (it records the failure reason). Updating the StackSet pushes the template change to all associated stack instances at once; you cannot selectively update the template for only some instances.

Trap Expecting to push a template update to only a subset of stack instances, when a StackSet update applies to all associated instances at once.

Service-managed StackSets auto-deploy to new org accounts

With service-managed permissions (integrated with AWS Organizations) StackSets create the required cross-account IAM roles for you and support automatic deployment, so any account later added to a target organizational unit inherits the baseline stack automatically. Self-managed permissions instead require you to create the cross-account roles yourself and target individual account IDs, with no auto-deploy to accounts added in the future.

Trap Choosing self-managed StackSets permissions when the requirement is automatic baseline deployment to future organization accounts, which only service-managed provides.

8 questions test this
StackSet operation preferences drive a fail-fast rollout

StackSet operation preferences give the incremental, fail-fast behavior you want from any production rollout: maximum concurrent accounts caps how many accounts deploy at once, failure tolerance (evaluated per Region) stops the operation once too many stacks fail in a Region, and Region concurrency is Sequential (default, one Region at a time in the deployment order) or Parallel. With Strict failure tolerance, maximum concurrent accounts can be at most one more than the failure-tolerance value.

Trap Reading failure tolerance as a global count across all Regions, when StackSets evaluate it per Region so the threshold applies separately in each one.

2 questions test this
Traffic-shifting patterns require old and new versions to coexist

Canary, linear, and blue/green all assume the old and new versions can run side by side while traffic shifts between them. A backward-incompatible (schema-breaking) database migration violates this and breaks the still-running old version, so apply expand/contract migrations first to keep both versions readable, or accept a maintenance-window all-at-once cutover.

Trap Running a canary or blue/green cutover over a schema-breaking database migration, which breaks the old version still serving live traffic.

Roll out a new AMI with an Auto Scaling group instance refresh

Publish a new launch template version carrying the updated AMI, then start an Auto Scaling group instance refresh to replace instances in rolling batches. MinHealthyPercentage sets the percentage of desired capacity that must stay in service before the refresh continues (default 90%), and MaxHealthyPercentage caps how far above desired capacity the group can scale while replacing (default 100%). Enable auto rollback wired to a CloudWatch alarm to revert on failure, and use skip matching so instances already on the desired configuration are left untouched.

Trap Updating only the Auto Scaling group's launch template and expecting running instances to pick up the new AMI, when existing instances need an instance refresh to be replaced.

9 questions test this

Also tested in

References

  1. CodeDeploy deployment configurations
  2. Creating a deployment strategy in AWS AppConfig
  3. AWS CloudFormation StackSets concepts
  4. Redeploy and roll back a deployment with CodeDeploy
  5. What is AWS AppConfig?
  6. Manage approval actions in CodePipeline
  7. Update CloudFormation stacks using change sets
  8. What is CodeDeploy?
  9. AppSpec 'hooks' section
  10. Detect unmanaged configuration changes to stacks and resources with drift detection
  11. Split a template into reusable pieces using nested stacks
  12. What is the AWS Serverless Application Model (AWS SAM)?