Data confidentiality refers to protecting information from unauthorized access. Encryption ensures that only authorized parties (with the appropriate keys) can view the data. Whether at rest or in transit, encrypted data remains unintelligible to attackers. Compression is unrelated to security, checksums verify integrity (not confidentiality), and file permissions provide access control at a system level but can be bypassed if the system is compromised.

Uptime is the most direct measure of availability in cloud computing. It refers to the proportion of time a service is fully functional and accessible over a given period—usually a year. For example, “99.99% uptime“ means the service is allowed to be down for no more than about 52 minutes per year. While scalability and elasticity are important, they refer to performance, not availability. Redundancy supports availability but isn‘t itself a metric for it.

Pay-as-you-go pricing is designed to increase cost efficiency by billing only for the resources consumed, down to the second or minute in some cases. This dynamic billing model enables companies to scale workloads without committing to unnecessary long-term costs. Unlike reserved or fixed pricing models, there is no need to over-provision resources “just in case.” This reduces wastage and allows for rapid adaptation to workload changes. The other options describe pricing models that are more static and less cost-efficient for fluctuating workloads.

Auto-scaling groups enable cloud applications to adapt to changes in demand by automatically increasing or decreasing the number of virtual machines (or containers) based on performance metrics like CPU usage, memory consumption, or network throughput. This dynamic response not only improves application performance but also contributes to cost savings by ensuring that only the necessary resources are running. Static scheduling or replication does not provide this level of adaptability.

Latency is a key performance metric in cloud computing that refers to the time delay between a user request and the corresponding response. Low latency is critical for real-time applications such as video conferencing, online gaming, or trading platforms. High latency can lead to poor user experience. Unlike throughput, which measures capacity, or concurrency, which counts users or threads, latency directly affects responsiveness.

Reserved Instances (RIs) allow users to save significantly on compute costs by committing to use a specific instance type in a specific region for a set period (usually 1 or 3 years). This model is ideal for predictable workloads where long-term resource usage is guaranteed. However, RIs are less flexible than On-Demand instances—they do not auto-scale or change based on usage spikes. They also do not provide exclusive hardware or special networking features unless specifically configured.

Multi-region deployment spreads workloads across different geographical locations, which improves fault tolerance, reduces the risk of a single point of failure, and helps meet compliance requirements. If one region suffers an outage, traffic can be rerouted to another. This enhances both availability and disaster recovery capabilities. The other options may benefit indirectly, but they are not the primary reasons for a multi-region architecture.

Serverless computing charges customers based on the actual number of function executions and the time those executions take, down to the millisecond. This model is particularly beneficial for event-driven architectures where workloads are irregular or bursty. Unlike virtual machines or containers, which may incur idle-time costs, serverless functions only incur charges when triggered. This model promotes efficiency and can significantly lower costs for applications with unpredictable usage patterns.

Most cloud providers offer integrated tools such as Budget Alerts and Cost Explorers to track and manage spending. These tools allow administrators to set usage thresholds and receive notifications when usage approaches or exceeds budget limits. This helps prevent cost overruns and supports financial planning. NACLs and resource tags are used for security and organization, while auto-scaling groups manage performance, not cost directly.

A Service Level Agreement (SLA) is a formal document that outlines the expected level of service from the provider. This typically includes guarantees on uptime (e.g., 99.9%), response times for support tickets, and possibly performance metrics. It provides accountability and a foundation for service refunds or penalties if the provider fails to meet the expectations. It does not detail technical implementations such as encryption or exact versions, nor does it usually specify physical data locations unless included in a compliance addendum.

The principle of least privilege is a foundational security concept that restricts user access rights to the bare minimum needed for their role or task. For example, a junior developer shouldn‘t have access to production databases, and a customer support agent shouldn‘t be able to restart services. This reduces the attack surface and limits damage in the event of compromised credentials. Option 1 is dangerous and leads to unnecessary exposure. Option 2 is overly restrictive and not practical. Option 4 compromises security by prioritizing convenience over control.

Firewalls are systems (either hardware, software, or both) that monitor and control incoming and outgoing network traffic based on predetermined security rules. Their main purpose is to enforce a barrier between trusted internal networks and untrusted external networks (like the internet). They can allow or deny traffic based on IP address, port number, protocol, or content. Firewalls do not encrypt data, manage filesystem permissions, or directly detect malware (that’s typically an antivirus or IDS/IPS role).

Passwords should never be stored in plain text or even encrypted using reversible encryption. The best practice is to hash them using a one-way cryptographic algorithm like bcrypt, scrypt, or Argon2. A salt (a random value added before hashing) should also be used to ensure that identical passwords have different hash values. This prevents rainbow table attacks. Encrypting passwords means they can be decrypted if the key is compromised. Hiding passwords in a file is obscurity, not security.

PKI is a framework used to manage digital certificates and public-key encryption. It allows secure exchange of information in untrusted environments. PKI provides authentication (via certificates), data integrity (digital signatures), and encryption (using key pairs). When someone sends a message encrypted with your public key, only your private key can decrypt it. PKI is not used for load balancing, proxy configuration, or application packaging.

An IDS monitors network traffic or system behavior to detect potential security threats, such as unauthorized access, malware signatures, or policy violations. It typically operates passively by logging and alerting administrators. Unlike an IPS (Intrusion Prevention System), which actively blocks threats, an IDS focuses on detection and analysis. It doesn’t perform backups, enforce policies, or block traffic by itself. Its purpose is early warning, not enforcement.

Serverless architecture allows developers to focus solely on writing and deploying code, while the cloud provider manages infrastructure, including scaling and resource provisioning. When demand increases, additional instances are automatically created to handle the load. This ensures better performance and user experience without manual intervention. The other options refer to low-level hardware control and custom OS configurations, which are more relevant to traditional IaaS or on-premise environments, not serverless.

Phishing attacks typically involve fraudulent emails or messages that try to trick users into revealing sensitive information like passwords, credit card numbers, or login credentials. These messages often include fake URLs that mimic legitimate websites. A key warning sign is being asked to click on unfamiliar links or input credentials outside of known secure login portals. Legitimate systems rarely ask users to log in through unexpected links or non-secure websites.

A VPN creates an encrypted tunnel between the user’s device and a VPN server, making the communication between them private—even when using untrusted networks like public Wi-Fi. This prevents attackers from eavesdropping on data, including credentials and session cookies. It does not inherently speed up connections, hide local files, or block specific traffic types unless configured with additional rules.

MFA strengthens login security by requiring users to provide two or more types of evidence: something they know (password), something they have (e.g., a phone or token), and/or something they are (biometrics). While it doesn’t eliminate all attack vectors (e.g., phishing or SIM swapping), it drastically reduces the likelihood that a stolen password alone can lead to unauthorized access. It complements—not replaces—passwords.

System patching involves applying updates released by software vendors to address vulnerabilities, bugs, and performance issues. Security patches specifically close loopholes that attackers might exploit. Failing to patch systems in a timely manner can leave them exposed to known threats. Patches may sometimes include new features, but their main purpose is reliability and security—not visuals or legacy support.

Containers encapsulate an application and its dependencies into a lightweight, portable unit. This ensures that the application runs identically regardless of where it is deployed—be it development, staging, or production. This consistency minimizes the “it works on my machine“ problem and supports automation in CI/CD pipelines. Unlike virtual machines, containers share the host OS kernel, which makes them lighter, but that is not their main advantage in DevOps. Option 3 is incorrect as containers are OS-agnostic to a large degree via the container engine. Option 4 is unrelated—containers and source control are both vital but serve different purposes.

git clone is used to create a local working copy of a remote repository. This includes all branches, commit history, and files. It’s typically the first step in collaborating on an existing project. Unlike git pull, which updates an existing local repo, or git commit, which pushes local changes, cloning is about initialization. Git never deletes a remote repository via commands from a regular client—it requires permissions and API-level actions, not a Git CLI command like git clone.

A Dockerfile is a script-like file that contains a series of commands and instructions used by Docker to build a container image. These instructions include defining the base image, copying files, installing dependencies, setting environment variables, and specifying the entry point. It enables repeatable, versioned container builds which is crucial for DevOps automation. Options 1 and 4 are unrelated: Dockerfiles are not used for VMs or Kubernetes network policies. Option 3 confuses orchestration (handled by tools like Docker Compose or Kubernetes) with image definition.

A branch in Git is a pointer to a snapshot of your changes. It allows you to develop features, experiment, or fix bugs independently from the main or production codebase. This enables multiple developers to work in parallel without interfering with each other’s work. When finished, branches can be merged into the main codebase. Branches don’t store binaries, synchronize with registries, or back up repositories. Those functions are handled by CI/CD pipelines, registries, and external tools.

The command docker run -d nginx pulls the NGINX image (if not present locally) and runs a container from it in detached mode, meaning the container will run in the background. This is commonly used to launch services without tying up the terminal. It doesn’t install NGINX directly on the host (containers are isolated), nor does it upload images or compile from source—that’s done using Dockerfiles and docker build.

Infrastructure as Code (IaC) uses code (e.g., Terraform, Ansible, CloudFormation) to define and manage infrastructure. It removes the variability of manual setups by allowing infrastructure to be versioned, tested, and deployed automatically. IaC ensures that staging, development, and production environments are consistent, reducing configuration drift and deployment errors. It complements—not replaces—CI tools. It also doesn‘t handle real-time monitoring, which is handled by specialized tools like Prometheus or Datadog.

Continuous Integration (CI) is a DevOps practice where developers integrate code into a shared repository frequently. Each integration triggers an automated build and test process to detect errors quickly. The main goal is early detection of issues, faster feedback loops, and improved software quality. CI doesn‘t handle encryption or replace source control. It‘s a workflow enhancement that complements Git and other version control tools. Option 1 describes part of a build process, not the full scope of CI.

Kubernetes is a powerful open-source system that automates the deployment, scaling, and management of containerized applications. It handles container lifecycle operations, service discovery, self-healing (restarts failed containers), load balancing, and more. It‘s especially useful in microservices architectures. Kubernetes is not a security tool or GUI creator. It doesn‘t replace virtualization—it runs on virtual or physical infrastructure. Option 4 confuses orchestration with infrastructure provisioning.

git merge combines the history of two branches, typically integrating feature development into the main branch. This is a central concept in collaborative workflows, allowing developers to work independently and bring their changes together efficiently. Merging preserves history and supports traceability. Option 1 is about git push, option 3 is incorrect as Git never deletes remotes like that, and option 4 refers to git reset, which is for discarding changes or moving HEAD.

Staging environments serve as a pre-production area where code and features are tested in conditions that mirror the live production system. This helps identify bugs or performance issues that may not appear in development. It also enables final user acceptance testing and security validation. Staging environments do not handle password encryption directly, nor do they affect Git branching strategies. Option 1 is unrelated to application logic or deployment pipelines.

ss -plnt shows listening ports and processes. lsof -i :port shows the process using a specific port. netstat -tuln shows ports but not processes unless used with -p. ip a shows interface info, not ports.

/etc/fstab defines static mount points for filesystems to be mounted at boot. It does not control boot order (GRUB does), services (systemd), or network interfaces (/etc/network, NetworkManager).

ip a is the modern and recommended command for showing IP info. ifconfig is deprecated, ping checks connectivity, and traceroute tracks the route to a destination but doesn’t show local IP info.

ls -a lists all files including hidden ones (those starting with .). ls without -a omits hidden files, find can find files but not list them traditionally, and tree shows hierarchy, not a simple file list.

mount connects a device or filesystem to a directory in the Linux filesystem hierarchy. It doesn’t manage processes (ps does), install software (apt, dnf), or display usage (df, du).

top provides a real-time, interactive display of CPU, memory, and processes. free shows memory usage statically, df is for disk, and ps shows process info at a single moment.

chmod 755 sets read, write, and execute for the owner, and read and execute for group and others. It does not hide files (prefix . does that), remove permissions, or change ownership (chown).

/var/log contains logs from the system and services. User docs go in /home, software in /usr, and temporary files in /tmp.

ping sends ICMP echo requests to test connectivity and response time. ip manages network configs, ifconfig is legacy, and ss is for socket statistics.

df -h shows filesystem usage with readable units like GB/MB. free handles memory, top and ps show processes, and ss/netstat show network usage.

journalctl -f follows the systemd journal in real-time, equivalent to tail -f. journalctl -xe shows the most recent logs with errors. dmesg –follow is kernel-only and tail -f /var/log/messages may not work if systemd is in use and the journal is not forwarded there.

Starting with basic connectivity is essential. ping helps confirm whether the remote host is reachable at all. Restarting services or rebooting might not be necessary and could disrupt other users. Firewall inspection is valuable but comes after confirming basic reachability.

systemctl restart network.service is the correct systemd syntax for restarting the network service. The other options are either SysV-style (/etc/init.d/) or incorrect command syntaxes.

/etc/hostname stores the system’s persistent hostname. /etc/hosts maps hostnames to IPs. /etc/network/interfaces is used on Debian-based systems for network interfaces. /etc/resolv.conf is for DNS configuration, not the hostname.

chmod +x script.sh gives execute permission. Changing ownership (chown) may not be appropriate. chmod 777 is insecure and overly permissive. setfacl can work but is more complex and not needed for simple cases.

du -sh shows the total disk usage of a directory in a summarized and human-readable format. ls -lh lists individual file sizes. df -h shows overall filesystem usage, and free -m is for memory stats.

Emergency mode often indicates file system corruption or mount failure. Running fsck helps check and repair disks. Editing /etc/hosts or rebooting won’t help directly. Reinstalling GRUB is only needed if the bootloader is corrupted, which isn‘t the immediate assumption.

ip and nmcli are modern tools. ip configures interfaces, addresses, and routes directly. nmcli works with NetworkManager. ifconfig and netstat are deprecated and replaced by ip and ss.

systemctl is-active returns active if a service is running. It doesn‘t start or restart services. To list all enabled services, you‘d use systemctl list-unit-files –type=service –state=enabled.

dig queries DNS servers directly and provides detailed resolution info. ping 127.0.0.1 only tests local IP stack. traceroute follows the route but doesn’t show DNS details. ip addr show shows interface addresses, unrelated to DNS.

Serverless platforms automatically handle scaling and infrastructure management, allowing developers to focus solely on code. It does not provide hardware control, root OS access, or long-term pricing models (those are for reserved VMs).

Availability is typically expressed as uptime over a year (e.g., 99.99%). Throughput, IOPS, and container counts measure performance or capacity, not availability.

Pay-as-you-go models charge users based on actual consumption, offering elasticity and cost-efficiency. Fixed billing and spot discounts are different models; charging for peak usage contradicts this principle.

Auto-scaling dynamically adjusts compute resources to meet workload demand, improving performance and cost-efficiency. It doesn’t directly impact SLAs, prevent corruption, or manage IOPS usage.

Latency refers to the time delay between a request and its corresponding response. It’s critical for user experience but unrelated to uptime, CPU cycles, or user concurrency metrics.

Reserved instances provide cost savings for committing to long-term use. However, they lack flexibility and don’t provide scaling or hardware upgrades by default.

Multi-region means deploying services in separate geographic locations to improve redundancy, availability, and disaster recovery. Availability zones are within the same region and not the same as true multi-region deployments.

Serverless functions are triggered by events and run only when needed, optimizing resource usage. Reserved time, pre-warming, or manual scaling don‘t provide the same efficiency.

Cloud providers offer budget and cost alerting tools that help forecast and monitor expenses. ACLs and IAM are security features; auto-healing ensures service uptime, not budgeting.

An SLA formalizes the performance expectations (uptime, response time) between the cloud provider and the customer. It does not define pricing, security practices, or user permissions.