Deployment strategies
Choosing a deployment pattern: blast radius vs cost vs rollback
Every deployment pattern is a position on one trade-off triangle: how large a blast radius a bad release may have, how much extra cost you pay during the rollout, and how fast you can roll back. Blue/green buys instant rollback by paying for two full environments; all-at-once is free but exposes 100% of users at once; canary trades a small first slice for a monitoring window. The four canonical patterns sit at different corners of that triangle, and the exam expects you to map a scenario's constraints to the right one.
The four patterns
| Pattern | Blast radius of a bad release | Rollback speed | Extra cost during deploy | Mixed versions live? |
|---|---|---|---|---|
| All-at-once | 100% immediately | Slowest (full redeploy) | None | No |
| Rolling / in-place | Grows batch by batch | Slow (redeploy prior batches) | None | Yes |
| Blue/green | 0% until cutover, then 100% | Instant (flip traffic to blue) | High (two full environments) | No |
| Canary / linear | Small first slice, then grows | Fast (stop shift, auto-rollback) | Low (one extra version / task set) | Yes |
All-at-once replaces every target simultaneously. It is the cheapest and fastest path, but a defect reaches 100% of users at once and the only rollback is a second full deployment. Reserve it for dev, low-risk internal tools, or workloads where a brief outage is acceptable.
Rolling (in-place) updates the existing fleet in batches. There is no duplicate fleet to pay for, but two consequences follow: old and new versions run side by side during the rollout (so the versions must be compatible), and rollback means redeploying the previous revision to the already-updated batches, slow.
Blue/green stands up a parallel green environment next to the running blue one and cuts traffic over at the load balancer or via DNS. Because blue keeps running, rollback is an immediate traffic flip with no redeploy, the fastest recovery available. The price is running two full environments during the cutover window, which is why it is the wrong default for cost-sensitive, low-risk work.
Canary and linear expose a small slice of traffic to the new version first, giving a monitoring window in which an alarm can abort before the blast radius grows. A canary shifts one increment (for example 10%), bakes for a fixed interval, then sends the rest; a linear config shifts a fixed percentage on a repeating interval until 100%. Both are the safest way to expose a new version of a serverless or containerized workload.
The coexistence precondition
Canary, linear, and blue/green all assume the old and new versions can run at the same time during the shift. A backward-incompatible (schema-breaking) database change violates this: it breaks the still-running old version the moment the new schema lands. The professional-level answer is the expand/contract (parallel-change) migration: first deploy a backward-compatible schema that both versions tolerate (expand), migrate the code, then remove the old columns/behavior (contract). If you cannot make the change compatible, accept a maintenance-window all-at-once cutover instead. Treat any answer that runs a canary over a schema-breaking migration as wrong.
The non-negotiable: rollback must be automated
The pattern matters less than the rule underneath all of them: a deployment is only safe if it self-aborts on a bad health signal. Wire health alarms to the deployment so the platform reverts without a human in the loop. A release path whose only recovery is a manual redeploy is the anti-pattern the exam consistently penalizes, regardless of how elegant the rollout strategy looks.
CodeDeploy mechanics: compute platforms, configs, and rollback
CodeDeploy[8] automates deployments to three compute platforms, and the SAP-C02 traps live in the differences between them.
Three compute platforms, two deployment types
CodeDeploy offers two deployment types, in-place and blue/green, but they are not available everywhere. Only the EC2/On-Premises compute platform can do in-place deployments; AWS Lambda and Amazon ECS deployments cannot use the in-place type and are always blue/green[8]. For EC2/On-Premises blue/green, CodeDeploy provisions a replacement environment (a new set of instances), installs the revision, optionally pauses for testing, then registers the replacement instances with the Elastic Load Balancing load balancer and deregisters the original ones (which can be terminated or kept running). Blue/green on EC2/On-Premises works with Amazon EC2 instances only, on-premises instances are not supported[8]; the replacement environment is built either by copying an existing Auto Scaling group or by selecting instances manually.
Predefined deployment configurations per platform
| Compute platform | Mechanism | Predefined configs |
|---|---|---|
| EC2/On-Premises (in-place) | Minimum-healthy-hosts | CodeDeployDefault.AllAtOnce, HalfAtATime, OneAtATime |
| AWS Lambda | Alias weighting | LambdaCanary10Percent5Minutes (+10/15/30-min), LambdaLinear10PercentEvery1Minute (+2/3/10-min), LambdaAllAtOnce |
| Amazon ECS | Weighted target group | ECSCanary10Percent5Minutes, ECSCanary10Percent15Minutes, ECSLinear10PercentEvery1Minutes, ECSLinear10PercentEvery3Minutes, ECSAllAtOnce |
The EC2/on-premises configs are governed by a minimum-healthy-hosts value, not traffic weighting, and the default when none is specified is CodeDeployDefault.OneAtATime[1]. On Lambda, CodeDeploy shifts traffic between function versions by alias weighting; the linear config name ends in the singular "Minute"[1]. On ECS, the new application deploys as a replacement task set and traffic shifting requires a weighted target group; the ECS linear name ends in the plural "Minutes", and behind a Network Load Balancer only CodeDeployDefault.ECSAllAtOnce is supported[1]. That NLB restriction is a recurring distractor: if a stem puts an ECS service behind an NLB and offers a canary config, the canary option is impossible.
Lifecycle hooks gate the shift
For Lambda and ECS, the AppSpec hooks section names Lambda validation functions that run at lifecycle events. Lambda deployments expose BeforeAllowTraffic (before traffic shifts to the new version) and AfterAllowTraffic (after)[9]. ECS deployments add BeforeInstall, AfterInstall, and AfterAllowTestTraffic, the latter running validation against a separate test listener before any production traffic moves[9]. A failing hook triggers a rollback; if the validation function does not call back Succeeded/Failed within one hour the deployment is treated as failed. This is how you run automated smoke tests against the green version before it ever sees a customer.
Automatic rollback is alarm-driven
CodeDeploy can be configured to automatically roll back when a deployment fails or when a CloudWatch monitoring threshold (alarm) is met, redeploying the last known good revision[4]. One subtlety the exam rewards: a rollback is itself a new deployment, CodeDeploy redeploys the previous revision with a new deployment ID rather than restoring an old one[4]. For blue/green the practical effect is faster and more reliable than in-place, because traffic can be routed back to the still-running original instances instead of waiting on a redeploy.
IaC as the spine: CloudFormation, change sets, StackSets, SAM/CDK
CodeDeploy releases the application; CloudFormation (and its higher-level wrappers) provisions and governs the infrastructure that runs it. The professional change-management story is everything as code, every change previewed, one artifact promoted.
CloudFormation as single source of truth
Modeling infrastructure as a CloudFormation[3] template makes environments reproducible and auditable. Two governance features matter for deployments:
- Change sets let you preview an update before executing it. A change set shows which resources CloudFormation will add, modify, replace, or delete, and nothing changes until you execute it[7], surfacing destructive replacements (which can mean data loss) ahead of time. A change set does not guarantee the update will succeed (quotas, permissions, or non-updatable properties can still fail it), and executing one removes all other change sets associated with that stack[7].
- Drift detection flags resources changed outside CloudFormation. It detects whether a stack's actual configuration differs from its expected (template) configuration, on an entire stack or individual resources[10]; resources get a drift status of
IN_SYNC,MODIFIED,DELETED, orNOT_CHECKED. Only AWS resources that support drift detection are checked, and CloudFormation does not detect drift on nested stacks of a stack you check, you must run drift detection directly on each nested stack[10]. Reconcile out-of-band console edits back into the template so the IaC stays authoritative.
Nested stacks for reuse
Nested stacks let you split a large template into reusable pieces: a parent template references a child template through the AWS::CloudFormation::Stack resource[11], and the top-level stack is the root stack while each nested stack has an immediate parent stack. Stack updates should be initiated from the root stack; when you update a root stack, only nested stacks whose template changed are updated[11]. Use nesting to share a common load balancer or VPC pattern across many stacks instead of copy-pasting resource blocks.
StackSets for cross-account, multi-Region rollout
CloudFormation StackSets deploy one template as stack instances into many accounts and Regions from a single administrator account[3]. The permission model is the exam's favorite distinction:
- Service-managed permissions (integrated with AWS Organizations) create the cross-account IAM roles for you and support automatic deployment, so an account later added to a target OU inherits the baseline stack with no manual action.
- Self-managed permissions require you to create the cross-account roles yourself and target individual account IDs, with no auto-deploy to future accounts.
A stack instance is a reference to a stack in a target account/Region and can exist even when its stack failed to create; failure tolerance is evaluated per Region and Region concurrency is Sequential (default) or Parallel[3]. Those operation preferences give a StackSet the same incremental, fail-fast behavior you want from any production rollout. When a stem says "the baseline must reach every account in the organization, including ones created later," the answer is service-managed StackSets, not a Lambda that copy-deploys templates.
SAM and CDK compile down to CloudFormation
For serverless, AWS SAM is an open-source framework and an extension of CloudFormation: its shorthand syntax declares serverless resources that are transformed into standard CloudFormation during deployment[12], and a SAM AutoPublishAlias plus DeploymentPreference wires Lambda canary/linear traffic shifting through CodeDeploy with almost no boilerplate. AWS CDK lets you define infrastructure in a general-purpose language and synthesizes the same CloudFormation. Because all three converge on CloudFormation, the change-set, drift, and StackSet behaviors above apply no matter which authoring layer the scenario names.
Traffic shifting, feature flags, and orchestration
Beyond CodeDeploy's built-in shifting, SAP-C02 expects you to know the load-balancer and DNS primitives that move traffic, the feature-flag service that decouples release from deploy, and the pipeline that gates the whole path.
Where traffic actually shifts
The lever you reach for is decided by one question: where do the blue and green versions live? Within one Region, weight at the load balancer; across separate stacks or Regions, weight in DNS; for an active/passive cutover, let health checks move traffic for you.
- ALB weighted target groups: an Application Load Balancer can forward to multiple target groups with weights, so a listener rule sending 90% to blue and 10% to green is the mechanism under an ECS canary. Weighting at the ALB shifts within a Region in seconds.
- Route 53 weighted records: for blue/green across whole environments (or Regions) you point traffic with weighted DNS records and lower blue's weight as green proves out. DNS shifting is coarser (bounded by record TTL and resolver caching) and is a control-plane operation, so it is less resilient than a data-plane flip for failover, but it is the standard cross-environment cutover lever.
- Route 53 failover records + health checks: for an active/passive cutover, a failover routing policy backed by health checks moves traffic automatically when the primary is unhealthy.
Use the ALB lever for in-Region task/instance shifting and the Route 53 lever when the blue and green environments are separate stacks or Regions.
AppConfig decouples release from deploy
AWS AppConfig adjusts application behavior in production without full code deployments, using feature flags and dynamic configuration; if a bad change triggers a CloudWatch alarm, AppConfig automatically rolls the change back[5]. It supports two configuration profile types, feature flags and freeform, and ships safety controls: validators that check a configuration before it deploys, a deployment strategy that releases the change gradually, and alarm-based automatic rollback. An AppConfig deployment strategy has a deployment type (Linear or Exponential), a step percentage (the API calls it growth factor), a deployment-time window, and a bake time during which AppConfig watches the configured CloudWatch alarms after the change reaches 100% of targets and rolls back if one fires[2] (AppConfig must hold IAM permission to roll back). Reach for AppConfig when runtime behavior must change but the deployed artifact should not: toggling a feature, flipping a throttle limit, or instantly disabling a misbehaving capability without a redeploy.
CodePipeline orchestrates with approval gates
The release path is chained in CodePipeline: CodeBuild builds and tests, then CodeDeploy and/or CloudFormation actions release. A manual-approval action inserted between stages forces a person to gate promotion (for example staging to production)[6], giving a repeatable, reviewed, auditable change-management path. Two professional disciplines round it out:
- Promote one immutable artifact. Build the artifact once and promote that same build through staging to production. Rebuilding per environment risks shipping a different artifact to prod than the one that was tested, defeating the purpose of the tested path.
- Gate destructive changes. Combine CloudFormation change-set review (preview replacements) with a manual-approval action so a human sees what will be deleted before prod is touched.
This is the non-negotiable rollback rule from the first section, now wearing its orchestration clothes: ship incrementally, attach health alarms to the deployment, and let the platform revert automatically, here orchestrated by IaC and gated by approvals.
Exam-pattern recognition (SAP-C02)
SAP-C02 deployment questions are long scenarios where one constraint silently selects the answer. Train on the stem-to-answer mappings below and on why the plausible distractors fail.
Stem cues and the correct choice
| Scenario cue in the stem | Correct choice | Why |
|---|---|---|
| "Stateful prod app; must roll back instantly with no redeploy" | Blue/green; keep blue warm and flip the ALB / Route 53 | Rollback = traffic flip back to running blue, no redeploy |
| "Serverless API; expose new version safely, auto-abort on errors" | Lambda canary/linear via CodeDeploy + CloudWatch alarm | Alias weighting shifts a slice first; alarm auto-rolls back |
| "ECS service behind an NLB; want a 10% canary" | Not possible, only ECSAllAtOnce behind an NLB | Canary needs a weighted target group; NLB can't weight |
| "Change runtime behavior without redeploying code" | AWS AppConfig feature flag + gradual strategy | Decouples release from deploy; alarm-based rollback |
| "Baseline must reach every account, incl. future ones" | Service-managed StackSets (Organizations) | Auto-deploys to accounts added to the target OU |
| "Preview exactly what an update will change/replace" | CloudFormation change set, then execute | Shows add/modify/replace/delete before any change |
| "Detect resources changed outside the template" | CloudFormation drift detection, reconcile to template | Reports MODIFIED/DELETED vs expected config |
| "Cost-sensitive internal tool; brief outage OK" | All-at-once or rolling in-place | Blue/green doubles cost for no needed benefit |
| "Same tested build must reach prod" | Promote one immutable artifact, don't rebuild per stage | Rebuilding risks a different prod artifact |
| "Backward-incompatible DB migration mid-rollout" | Expand/contract migration first (or windowed cutover) | Canary/blue-green need old+new to coexist |
Distractor traps to disarm
- "Run a canary on the ECS service behind the NLB." Wrong: traffic shifting needs a weighted target group, so behind a Network Load Balancer only
CodeDeployDefault.ECSAllAtOnceis supported[1]. The fix is an ALB (or accept all-at-once). - "Use an in-place deployment for the Lambda function." Wrong: Lambda and ECS cannot use the in-place deployment type, they are always blue/green[8].
- "Roll back by manually redeploying the previous version when CloudWatch alarms." Inferior: CodeDeploy can roll back automatically when an alarm threshold is met[4], the answer that wires automatic rollback beats the one that puts a human in the loop.
- "Use self-managed StackSets so new org accounts inherit the stack." Wrong: only service-managed permissions support automatic deployment to accounts added to a target OU[3]; self-managed has no auto-deploy.
- "Detect drift on the root stack to find changes in its nested stacks." Wrong: drift detection on a stack does not cover its nested stacks[10]; run it on each nested stack.
- "Just execute the update, change sets guarantee success." Wrong: a change set previews changes but does not guarantee the update will succeed[7].
- "Canary the schema-breaking migration to limit blast radius." Wrong: canary assumes old and new coexist; a breaking migration takes down the still-running old version. Use expand/contract first.
- "Rebuild the artifact in each environment's pipeline stage." Inferior: promote one immutable artifact so prod runs exactly what was tested.
When two options both technically work, prefer the one that is more automated, smaller blast radius, and faster to roll back, that ranking decides almost every deployment-strategy question on this exam.
Deployment patterns by risk, cost, and rollback speed (SAP-C02)
| Dimension | All-at-once | Rolling / in-place | Blue/green | Canary / linear |
|---|---|---|---|---|
| Blast radius of a bad release | 100% immediately | Grows batch by batch | 0% until cutover, then 100% | Small first slice, then grows |
| Rollback speed | Slowest (full redeploy) | Slow (redeploy prior batches) | Instant (flip traffic to blue) | Fast (stop shift, auto-rollback) |
| Extra cost during deploy | None | None | High (two full environments) | Low (one extra task set / version) |
| Mixed versions live at once | No | Yes | No (clean cutover) | Yes (during shift) |
| Native AWS mechanism | CodeDeploy AllAtOnce | CodeDeploy HalfAtATime / OneAtATime | CodeDeploy blue/green; ALB or Route 53 | CodeDeploy ECS/Lambda canary & linear |
| Typical fit | Dev / low-risk / cost-first | Stateless fleet, modest risk | Stateful prod needing instant rollback | Serverless/containers needing safe exposure |
Decision tree
Sharp facts the exam loves — give these one last read before exam day.
Cheat sheet
Sharp facts the exam loves — scan these before test day.
- Pick the deployment pattern by rollback speed vs cost
Deployment patterns trade rollback speed against cost. All-at-once is the cheapest and fastest but a bad release hits 100% of users at once and rollback is a second full deploy. Blue/green holds blast radius at 0% until cutover and rolls back instantly by flipping traffic back to the warm blue fleet, but you pay for two full environments during the window. Canary and linear expose a small slice first behind an alarm-gated abort. Rolling in-place needs no duplicate fleet, but it leaves mixed versions live and rolls back slowly batch by batch.
Trap Defaulting to blue/green as the universally best pattern, ignoring that all-at-once or rolling can be the right call when the workload is cost-sensitive and can tolerate slower recovery.
- Blue/green buys instant rollback for double the cost
Blue/green stands up a parallel green environment running the new version and cuts traffic over at the load balancer or via Route 53 weighted DNS; because the old blue fleet keeps running, rollback is an immediate traffic flip with no redeploy. The cost is paying for two full identical environments during the cutover window, so it is the wrong fit for cost-sensitive, low-risk workloads that can tolerate a slower recovery.
- Canary front-loads one gate, linear spreads risk evenly
Canary and linear both shift traffic gradually but differ in shape. A canary config shifts one small increment first (for example 10%), waits a fixed interval, then sends the remaining 90% all at once. A linear config shifts a fixed percentage on a repeating interval (for example 10% every minute) until 100%. Both give a CloudWatch-alarm window to auto-abort before the bad version reaches everyone; canary concentrates the observation in one early gate, linear distributes exposure across many equal steps.
Trap Treating canary as a gradual ramp to 100%, when after the single observation interval it sends the entire remaining 90% in one jump.
3 questions test this
- A company is migrating from manual Lambda deployments to automated traffic shifting using AWS CodeDeploy. The company wants to implement a…
- A company is modernizing its deployment pipeline for an AWS Lambda-based application. The application experiences high traffic volumes and…
- A retail company is planning to deploy a new version of its order processing Lambda function using AWS CodeDeploy. The company wants to…
- CodeDeploy on EC2 deploys in-place by minimum-healthy-hosts
On the EC2/on-premises compute platform CodeDeploy does in-place batch deployment governed by a minimum-healthy-hosts value (the number or percentage of instances that must stay available), not traffic weighting. The three predefined configs are
CodeDeployDefault.AllAtOnce,CodeDeployDefault.HalfAtATime, andCodeDeployDefault.OneAtATime; when none is specified CodeDeploy defaults toCodeDeployDefault.OneAtATime.Trap Assuming CodeDeploy shifts EC2 traffic by percentage like it does for Lambda/ECS, when EC2 in-place is governed by minimum-healthy-hosts.
- CodeDeploy on Lambda shifts traffic by alias weighting
On the AWS Lambda compute platform CodeDeploy shifts traffic between function versions using alias weighting. Predefined configs include
CodeDeployDefault.LambdaCanary10Percent5Minutes(with 10/15/30-minute variants),CodeDeployDefault.LambdaLinear10PercentEvery1Minute(with 2/3/10-minute variants), andCodeDeployDefault.LambdaAllAtOnce. Pre-traffic and post-traffic Lambda validation hooks can gate promotion before and after the shift.Trap Assuming Lambda traffic shifting needs a load balancer or target group, when CodeDeploy moves it purely through weighted version aliases.
4 questions test this
- A company is deploying a new version of an AWS Lambda function that processes financial transactions. The DevOps team requires a deployment…
- A financial services company is deploying a new version of a critical Lambda function that processes customer transactions. The company…
- A company is deploying a critical Lambda function that processes financial transactions. The development team wants to implement a gradual…
- A company is deploying a critical payment processing API running on AWS Lambda functions. The development team wants to implement a…
- CodeDeploy on ECS needs a weighted load balancer to shift traffic
On the Amazon ECS compute platform CodeDeploy shifts traffic to a new task set using canary, linear, or all-at-once configs such as
CodeDeployDefault.ECSCanary10Percent5MinutesandCodeDeployDefault.ECSLinear10PercentEvery1Minutes(the ECS linear name ends in "Minutes" plural where the Lambda equivalent ends in "Minute"). Weighted traffic shifting requires a weighted target group, so behind a Network Load Balancer onlyCodeDeployDefault.ECSAllAtOnceis supported.Trap Specifying an ECS canary or linear config behind a Network Load Balancer, which supports only ECSAllAtOnce because it cannot do weighted target-group shifting.
3 questions test this
- A company runs a critical e-commerce application on Amazon ECS with AWS Fargate. The development team wants to implement a traffic shifting…
- A company operates a microservices application on Amazon ECS with deployments managed by AWS CodeDeploy. The operations team wants to…
- A logistics company runs a containerized application on Amazon ECS using a Network Load Balancer to handle high-throughput TCP connections.…
- Wire automated rollback to CloudWatch alarms, not manual redeploy
CodeDeploy can automatically roll back[4] when a deployment fails or when a monitoring threshold you set (a CloudWatch alarm in ALARM state) is met; the rollback redeploys the last known good revision as a brand-new deployment with its own ID, not a restore. Attach health alarms to every deployment so the platform reverts without a human in the loop.
6 questions test this
- A company runs a web application on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer. The company is…
- A company runs a critical e-commerce application on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer. The…
- A financial services company runs a critical web application on an Auto Scaling group with 12 EC2 instances behind an Application Load…
- A media company is deploying a new version of its video transcoding application to an Auto Scaling group with 20 EC2 instances. The…
- A company runs a web application on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer. The application…
- A SaaS company is migrating to an immutable infrastructure deployment model. The company deploys new AMIs weekly through instance refresh…
- AppConfig flips runtime behavior without redeploying code
AWS AppConfig[5] deploys configuration and feature-flag changes to running applications so you can adjust production behavior without a full code deployment, decoupling feature releases from code releases. It is the right tool when behavior must change but the deployed artifact should not, and it reaches EC2, ECS, Lambda, and other compute through the AppConfig agent, Lambda extension, or the SDK/API.
Trap Pushing a full code redeploy just to toggle a feature flag, when AppConfig changes runtime behavior without touching the deployed artifact.
- An AppConfig strategy = growth factor plus bake-time rollback
An AWS AppConfig deployment strategy uses a Linear or Exponential deployment type, a step percentage (the API calls it growth factor) setting how many callers each step targets, a deployment-time window over which the rollout is processed, and a final bake time. During the bake time AppConfig monitors the configured CloudWatch alarms after the change reaches 100% of targets and automatically rolls the configuration back if an alarm fires; AppConfig must be granted IAM permission to perform that rollback.
Trap Expecting AppConfig to keep monitoring for rollback after the bake time elapses, when its automatic alarm-driven rollback only covers the bake-time window.
- Promote one immutable artifact, never rebuild per stage
Build the artifact once and promote that same immutable build through staging to production rather than rebuilding it at each stage. Rebuilding per environment risks shipping a different artifact to prod than the one that was tested, which defeats the entire purpose of a tested release path.
- CodePipeline gates promotion with a manual-approval action
CodePipeline chains CodeBuild (build/test), CodeDeploy (release), and CloudFormation actions into stages, and a manual-approval action[6] inserted between stages stops execution until someone with the right IAM permission approves or rejects (for example gating staging to production). A rejection or no response within seven days fails the action, giving a repeatable, reviewed, auditable change path instead of ad-hoc deploys.
4 questions test this
- A financial services company manages 150 AWS accounts using AWS Organizations with multiple organizational units (OUs). The company needs…
- A financial services company is implementing a CI/CD pipeline using AWS CodePipeline to deploy infrastructure changes across 50 AWS…
- A company uses AWS Organizations to manage 50 member accounts across production and non-production organizational units (OUs). The company…
- A company uses AWS CodePipeline to deploy infrastructure changes using CloudFormation StackSets across 50 AWS accounts in 4 AWS Regions.…
- Preview every stack update with a change set first
A CloudFormation change set[7] previews exactly which resources an update will add, modify, or delete (including which changes force a replacement) before anything is touched; nothing changes until you execute it. A change set does NOT guarantee the update will succeed (quotas, permissions, or non-updatable properties can still fail it), and executing one removes all other change sets associated with that stack.
Trap Treating a clean change set as a guarantee the update will succeed, when quotas, permissions, or non-updatable properties can still fail the execution.
- IaC as the source of truth makes drift detectable
Defining infrastructure as CloudFormation (or CDK/SAM, which synthesize to CloudFormation) makes environments reproducible and lets drift detection flag resources changed outside the template. Out-of-band console edits create drift that should be reconciled back into the template so the IaC stays authoritative; a half-managed stack where humans also click in the console loses that guarantee.
Trap Fixing a production issue with a quick console edit, creating drift that leaves the template no longer matching the live stack.
- StackSets deploy one template across many accounts and Regions
CloudFormation StackSets deploy a single template as stack instances into many accounts and Regions from one administrator account. A stack instance is a reference to a stack in a target account/Region and can exist even when its underlying stack failed to create (it records the failure reason). Updating the StackSet pushes the template change to all associated stack instances at once; you cannot selectively update the template for only some instances.
Trap Expecting to push a template update to only a subset of stack instances, when a StackSet update applies to all associated instances at once.
- Service-managed StackSets auto-deploy to new org accounts
With service-managed permissions (integrated with AWS Organizations) StackSets create the required cross-account IAM roles for you and support automatic deployment, so any account later added to a target organizational unit inherits the baseline stack automatically. Self-managed permissions instead require you to create the cross-account roles yourself and target individual account IDs, with no auto-deploy to accounts added in the future.
Trap Choosing self-managed StackSets permissions when the requirement is automatic baseline deployment to future organization accounts, which only service-managed provides.
8 questions test this
- A financial services company manages 150 AWS accounts using AWS Organizations with multiple organizational units (OUs). The company needs…
- A multinational company has an AWS Organization with 200 member accounts distributed across multiple organizational units (OUs). The…
- A company operates a multi-account environment with AWS Organizations and wants to deploy security baselines to all accounts using AWS…
- A large enterprise operates a central DevOps account that manages deployments for the entire organization using AWS CodePipeline and…
- A financial services company is implementing a CI/CD pipeline using AWS CodePipeline to deploy infrastructure changes across 50 AWS…
- A company uses AWS Organizations to manage 50 member accounts across production and non-production organizational units (OUs). The company…
- A company uses AWS Organizations to manage 150 member accounts across development, testing, and production organizational units (OUs). The…
- A financial services company uses AWS Organizations to manage 150 member accounts across development, staging, and production…
- StackSet operation preferences drive a fail-fast rollout
StackSet operation preferences give the incremental, fail-fast behavior you want from any production rollout: maximum concurrent accounts caps how many accounts deploy at once, failure tolerance (evaluated per Region) stops the operation once too many stacks fail in a Region, and Region concurrency is Sequential (default, one Region at a time in the deployment order) or Parallel. With Strict failure tolerance, maximum concurrent accounts can be at most one more than the failure-tolerance value.
Trap Reading failure tolerance as a global count across all Regions, when StackSets evaluate it per Region so the threshold applies separately in each one.
- Traffic-shifting patterns require old and new versions to coexist
Canary, linear, and blue/green all assume the old and new versions can run side by side while traffic shifts between them. A backward-incompatible (schema-breaking) database migration violates this and breaks the still-running old version, so apply expand/contract migrations first to keep both versions readable, or accept a maintenance-window all-at-once cutover.
Trap Running a canary or blue/green cutover over a schema-breaking database migration, which breaks the old version still serving live traffic.
- Roll out a new AMI with an Auto Scaling group instance refresh
Publish a new launch template version carrying the updated AMI, then start an Auto Scaling group instance refresh to replace instances in rolling batches.
MinHealthyPercentagesets the percentage of desired capacity that must stay in service before the refresh continues (default 90%), andMaxHealthyPercentagecaps how far above desired capacity the group can scale while replacing (default 100%). Enable auto rollback wired to a CloudWatch alarm to revert on failure, and use skip matching so instances already on the desired configuration are left untouched.Trap Updating only the Auto Scaling group's launch template and expecting running instances to pick up the new AMI, when existing instances need an instance refresh to be replaced.
9 questions test this
- A company operates an e-commerce platform on Amazon EC2 instances within an Auto Scaling group. During peak shopping periods, the company…
- A company runs a web application on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer. The company is…
- A company runs a critical e-commerce application on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer. The…
- A financial services company runs a critical web application on an Auto Scaling group with 12 EC2 instances behind an Application Load…
- A media company is deploying a new version of its video transcoding application to an Auto Scaling group with 20 EC2 instances. The…
- A retail company operates an Auto Scaling group with 100 EC2 instances running a microservices application. The instances use a launch…
- A company runs a web application on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer. The application…
- A SaaS company is migrating to an immutable infrastructure deployment model. The company deploys new AMIs weekly through instance refresh…
- A company is migrating from mutable infrastructure to an immutable deployment model using EC2 Auto Scaling with instance refresh. The…
Also tested in
References
- CodeDeploy deployment configurations
- Creating a deployment strategy in AWS AppConfig
- AWS CloudFormation StackSets concepts
- Redeploy and roll back a deployment with CodeDeploy
- What is AWS AppConfig?
- Manage approval actions in CodePipeline
- Update CloudFormation stacks using change sets
- What is CodeDeploy?
- AppSpec 'hooks' section
- Detect unmanaged configuration changes to stacks and resources with drift detection
- Split a template into reusable pieces using nested stacks
- What is the AWS Serverless Application Model (AWS SAM)?