Title of test:
Test aws Developer Tricky Question

Description:
aws Developer Tricky Question

Author:
AVATAR

Creation Date:
16/08/2022

Category:
Competitive Exam

Number of questions: 278
Content:
A development team is deploying a two-tier application in production using AWS Elastic Beanstalk. The application comprises a load-balanced web tier and an Amazon RDS database layer. The team wants to partition the RDS instance from the Elastic Beanstalk instance. How is this possible? Use the Elastic Beanstalk CLI to disassociate the database. Use the AWS CLI to disassociate the database. Change the deployment policy to disassociate the database. Recreate a new Elastic Beanstalk environment without Amazon RDS.
A developer has established a new AWS IAM user with the s3:putObject permission, which enables him to write to a particular Amazon S3 bucket. As a default, this S3 bucket employs server-side encryption with AWS KMS controlled keys (SSE-KMS). When contacting the PutObject API with the IAM user's access key and secret key, the application encountered an access denied error. How is this problem to be resolved? Update the policy of the IAM user to allow the s3:Encrypt action. Update the bucket policy of the S3 bucket to allow the IAM user to upload objects. Update the policy of the IAM user to allow the kms:GenerateDataKey action. Update the ACL of the S3 bucket to allow the IAM user to upload objects.
Amazon API Gateway is being used by a media business to handle microservices configured as AWS Lambda functions. The development team of the corporation intends to release a new version of its API. To prevent impacting current customers when the new API is launched, the firm intends to provide all users a three-month grace period during which they may migrate from the old API to the new API. Which implementation technique should the business utilize to accomplish this objective? Update the Lambda functions. Configure the API to use Lambda proxy integration. Update the Lambda functions. Provide the API client with the new Lambda endpoints. Use API Gateway to deploy a new stage that uses updated Lambda functions and provides users with a new URL Use API Gateway to redirect requests based on a request header to updated Lambda functions. Configure a 90-day expiration on the old API.
On Amazon ECS, a corporation is running a Docker application. The application's load must be scaled depending on the past 15 seconds' user activity. How should a developer instrument code to ensure it satisfies the requirement? Create a high-resolution custom Amazon CloudWatch metric for user activity data, then publish data every 30 seconds Create a high-resolution custom Amazon CloudWatch metric for user activity data, then publish data every 5 seconds Create a standard-resolution custom Amazon CloudWatch metric for user activity data, then publish data every 30 seconds Create a standard-resolution custom Amazon CloudWatch metric for user activity data, then publish data every 5 seconds.
A business demands that AWS Lambda functions built by developers record problems in order for System Administrators to resolve issues more efficiently. What should developers do to address this need? Publish errors to a dedicated Amazon SQS queue Create an Amazon CloudWatch Events event trigger based on certain Lambda events. Report errors through logging statements in Lambda function code. Set up an Amazon SNS topic that sends logging statements upon failure.
In the console, a developer transformed an existing application to an AWS Lambda function. While the application works OK on a local laptop, it fails to import a module when evaluated in the Lambda interface. Which of the following may be used to correct the error? Install the missing module and specify the current directory as the target. Create a ZIP file to include all files under the current directory, and upload the ZIP file. Install the missing module in a lib directory. Create a ZIP file to include all files under the lib directory, and upload the ZIP file as dependency file. In the Lambda code, invoke a Linux command to install the missing modules under the /usr/lib directory. In the Lambda console, create a LB_LIBRARY_PATH environment and specify the value for the system library path.
An application is composed of two components: one for handling HTTP requests and another for doing background processing operations. Each component must be self-scaling. The developer wants to use AWS Elastic Beanstalk to deploy this application. How, in light of these criteria, should this application be deployed? Deploy the application in a single Elastic Beanstalk environment. Deploy each component in a separate Elastic Beanstalk environment. Use multiple Elastic Beanstalk environments for the HTTP component, but one environment for the background task component. Use multiple Elastic Beanstalk environments for the background task component, but one environment for the HTTP component.
A developer has created a web application and wants to swiftly deploy it on an AWS Tomcat server. The developer wants to be free of the responsibility of managing the underlying infrastructure. According to these criteria, what is the simplest approach to deploy the application? AWS CloudFormation AWS Elastic Beanstalk Amazon S3 AWS CodePipeline.
A developer uses Amazon ECS to host an e-commerce API. The application's fluctuating and spiking demand is causing order processing to take an excessive amount of time. The program manages Amazon Simple Queue Service (SQS) queues. Throughout the day, the ApproximateNumberOfMessagesVisible metric jumps to very high levels, resulting in Amazon CloudWatch alert violations. Other ECS metrics for API containers are within acceptable ranges. What measures can the developer take to boost performance while keeping costs down? Target tracking scaling policy Docker Swarm Service scheduler Step scaling policy.
A developer is configuring the Amazon API Gateway to support their business's goods. Registered developers may use the API to query and change their environments. For financial and security concerns, the organization wants to restrict the number of requests that end users may submit. Management wants to provide registered developers with the option of purchasing bigger packages that support a greater number of requests. How can the developer do this with the LEAST amount of management overhead? Enable throttling for the API Gateway stage. Set a value for both the rate and burst capacity. If a registered user chooses a larger package, create a stage for them, adjust the values, and share the new URL with them. Set up Amazon CloudWatch API logging in API Gateway. Create a filter based on the user and requestTime fields and create an alarm on this filter. Write an AWS Lambda function to analyze the values and requester information, and respond accordingly. Set up the function as the target for the alarm. If a registered user chooses a larger package, update the Lambda code with the values. Enable Amazon CloudWatch metrics for the API Gateway stage. Set up CloudWatch alarms based off the Count metric and the ApiName, Method, Resource, and Stage dimensions to alert when request rates pass the threshold. Set the alarm action to Deny. If a registered user chooses a larger package, create a user-specific alarm and adjust the values. Set up a default usage plan, specify values for the rate and burst capacity, and associate it with a stage. If a registered user chooses a larger package, create a custom plan with the appropriate values and associate the plan with the user.
A firm is compiling a website using AWS CodeBuild from source code saved in AWS CodeCommit. Due to a recent modification to the source code, the CodeBuild project is unable to assemble the website correctly. How is the developer to determine the root cause of the failures? Modify the buildspec.yml file to include steps to send the output of build commands to Amazon CloudWatch. Use a custom Docker image that includes the AWS X-Ray agent in the AWS CodeBuild project configuration. Check the build logs of the failed phase in the last build attempt in the AWS CodeBuild project build history. Manually re-run the build process on a local machine so that the output can be visualized.
A developer is attempting to monitor the status of an application by running a cron job that returns 1 when the service is up and 0 when it is down. The developer wrote code to publish the custom metrics to Amazon CloudWatch and set an alert using the AWS CLI put-metric-alarm function. The Developer, on the other hand, is unable to issue an alert since the custom metrics are not visible in the CloudWatch interface. What is the source of this problem? Sending custom metrics using the CLI is not supported The Developer needs to use the put-metric-data command. The Developer must use a unified CloudWatch agent to publish custom metrics The code is not running on an Amazon EC2 instance.
Amazon Kinesis Streams is being used by a web application to store clickstream data that may not be utilized for up to 12 hours. How can the developer encrypt data in the Kinesis Streams at rest? Enable SSL connections to Kinesis Use Amazon Kinesis Consumer Library Encrypt the data once it is at rest with a Lambda function Enable server-side encryption in Kinesis Streams.
207) A business is building a web application that will enable workers to submit their profile pictures to a private Amazon S3 bucket. There is no restriction on the size of the profile images that should be shown each time an employee checks in. The images cannot be made publicly available for security reasons. What is a long-term feasible solution to this situation? Generate a presigned URL when a picture is uploaded. Save the URL in an Amazon DynamoDB table. Return the URL to the browser when the employee logs in. Save the picture's S3 key in an Amazon DynamoDB table. Create an Amazon S3 VPC endpoint to allow the employees to download pictures once they log in. Encode a picture using base64. Save the base64 string in an Amazon DB table. Allow the browser to retrieve the string and convert it to a picture. Save the picture's S3 key in an Amazon DynamoDB table. Use a function to generate a presigned URL every time an employee logs in. Return the URL to the browser.
A business is developing a stock trading application. The program requires a latency of less than one millisecond to handle trading requests. The firm stores all trade data in Amazon DynamoDB, which is utilized to perform each trading request. A development team conducts load testing on the application and discovers that the time required to get data is longer than intended. The development team needs a solution that significantly improves data retrieval time with the least amount of work feasible. Which solution satisfies these criteria? Add local secondary indexes (LSIs) for trading data. Store trading data in Amazon S3 and use Transfer Acceleration. Add retries with exponential back-off for DynamoDB queries. Use DynamoDB Accelerator to cache trading data.
A business runs an application that makes use of an Amazon RDS DB instance as the database. A developer must implement database encryption at rest. Which measures should the developer perform in combination to satisfy this requirement? (Select two.) Enable encryption on the DB instance in the AWS Management Console. Stop the DB instance. Restore the DB instance from the encrypted snapshot. Take a snapshot of the DB instance, and create an encrypted copy of the snapshot. Create a customer managed key in AWS Key Management Service (AWS KMS).
Amazon CloudFront is being used by an organization to guarantee that its users have low-latency access to their online application. The business determined that all communication between users and CloudFront, as well as all traffic between CloudFront and the web application, should be encrypted. How are these stipulations to be met? (Select two.) Use AWS KMS to encrypt traffic between CloudFront and the web application. Set the Origin Protocol Policy to "HTTPS Only". Set the Origin's HTTP Port to 443. Set the Viewer Protocol Policy to "HTTPS Only" or "Redirect HTTP to HTTPS". Enable the CloudFront option Restrict Viewer Access.
A developer is transferring an application from on-premises to AWS. Currently, the program accepts user uploads and stores them to a server-side local directory. All uploads must be preserved and instantly accessible to all instances within an Auto Scaling group. Which strategy will satisfy these criteria? Use Amazon EBS and configure the application AMI to use a snapshot of the same EBS instance on boot. Use Amazon S3 and rearchitect the application so all uploads are placed in S3. Use instance storage and share it between instances launched from the same Amazon Machine Image (AMI). Use Amazon EBS and file synchronization software to achieve eventual consistency among the Auto Scaling group.
215) A developer is updating a bespoke application that is currently running on AWS Elastic Beanstalk. What solutions will update the Elastic Beanstalk environment with the new application version after the Developer completes the changes? (Select two.) Package the application code into a .zip file, and upload, then deploy the packaged application from the AWS Management Console Package the application code into a .tar file, create a new application version from the AWS Management Console, then update the environment by using AWS CLI Package the application code into a .tar file, and upload and deploy the packaged application from the AWS Management Console Package the application code into a .zip file, create a new application version from the AWS Management Console, then rebuild the environment by using AWS CLI Package the application code into a .zip file, create a new application version from the packaged application by using AWS CLI, then update the environment by using AWS CLI.
A developer is debugging connection difficulties between an Amazon Web Services Lambda function and an Amazon EC2 machine running Amazon Linux 2. Even if the Lambda function is enabled to access resources on the EC2 instance's network, the Lambda function and the EC2 instance are unable to interact. How can the developer see the network traffic between the Lambda function and the Amazon Elastic Compute Cloud instance? Use the traceroute command on the EC2 instance to check connectivity. Inspect the VPC flow logs for network activity Use the telnet command on the EC2 instance to check connectivity. Analyze the Amazon CloudWatch metrics for network traffic.
220) A business wishes to transition an imaging service to Amazon EC2 while adhering to industry best practices for security. The photos are obtained and read from an Amazon S3 bucket that is not publicly accessible. What actions should a developer take to ensure compliance with these requirements? Create an IAM user with read-only permissions for the S3 bucket. Temporarily store the user credentials in the user data of the EC2 instance. Create an EC2 service role with read-only permissions for the S3 bucket. Attach the role to the EC2 instance. Create an IAM user with read-only permissions for the S3 bucket. Temporarily store the user credentials in the Amazon EBS volume of the EC2 instance. Create an S3 service role with read-only permissions for the S3 bucket. Attach the role to the EC2 instance.
221) A business makes use of continuous integration and delivery platforms. A developer now wants to automate the distribution of software packages to both Amazon EC2 instances and on-premises virtual machines. Which AWS service should be utilized for this purpose? AWS CodePipeline AWS Elastic Beanstalk AWS CodeBuild AWS CodeDeploy.
How does AWS KMS's Envelope Encryption work? Two encryption keys are used. The Customer Master Key encrypts customer data. The Data Key is used to re-encrypt the encrypted data. Two encryption keys are used. The Data Key encrypts customer data. The Customer Master Key is used to re-encrypt the encrypted data. The Customer Master Key is used to encrypt/decrypt a data key. The Plaintext Data Key is used to encrypt customer data. The Customer Master Key is used to encrypt/decrypt a data key. The Encrypted Data Key is used to encrypt customer data.
223) A developer must construct an application that supports SAML and Facebook authentication. Additionally, it must provide access to AWS services such as Amazon DynamoDB. Which AWS service or feature will allow for the LEAST amount of extra code to achieve these requirements? Amazon Cognito identity pools AWS AppSync Amazon Lambda@Edge Amazon Cognito user pools.
224) A developer is troubleshooting an AWS Lambda function that is being used in conjunction with an Amazon API Gateway. HTTP status code 200 is returned whenever the API Gateway endpoint is contacted, despite the fact that AWS Lambda is logging a 4xx error. What modification is required to deliver an appropriate error code through the API Gateway? Enable CORS in the API Gateway method settings Use a Lambda proxy integration to return HTTP codes and headers Enable API Gateway error pass-through. Return the value in the header x-Amzn-ErrorType.
226) A development team is now working on a case management system that will enable the processing and evaluation of medical claims. Users log in to share medical and financial information. Sensitive data such as medical records, medical imaging, bank statements, and invoices are uploaded to Amazon S3 as part of the program. All papers must be sent and kept securely. All access to documents must be documented for auditing purposes. Which technique is the MOST SECURE? Use S3 default encryption using Advanced Encryption Standard-256 (AES-256) on the destination bucket. Use Amazon Cognito for authorization and authentication to ensure the security of the application and documents. Use AWS Lambda to encrypt and decrypt objects as they are placed into the S3 bucket. Use client-side encryption/decryption with Amazon S3 and AWS KMS.
229) A business administers a website that is hosted on Amazon EC2 instances that are routed via an Elastic Load Balancer. CPU use is limited on EC2 Instances. The technical staff at the organization is responsible for securing incoming internet traffic. Which combination of actions will satisfy these criteria? (Select two.) Configure the Elastic Load Balancer with SSL passthrough. Configure SSL certificates on the Elastic Load Balancer. Configure the Elastic Load Balancer with a Loadable Storage System. Install SSL certificates on the EC2 instances. Configure the Elastic Load Balancer with SSL termination.
240) A developer has established a new AWS IAM user with the s3:putObject permission, which enables him to write to a particular Amazon S3 bucket. As a default, this S3 bucket employs server-side encryption with AWS KMS controlled keys (SSE-KMS). When contacting the PutObject API with the IAM user's access key and secret key, the application encountered an access denied error. How is this problem to be resolved? Update the policy of the IAM user to allow the s3:Encrypt action Update the bucket policy of the S3 bucket to allow the IAM user to upload objects. Update the policy of the IAM user to allow the kms:GenerateDataKey action. Update the ACL of the S3 bucket to allow the IAM user to upload objects.
252) A server-side application running on Amazon EC2 instances needs to access assets contained in an Amazon S3 bucket that have been secured using AWS KMS encryption keys (SSE-KMS). To decrypt the items, the program must have access to the customer master key (CMK). Which sequence of actions will provide access to the application? (Select two.) Write an S3 bucket policy that grants the bucket access to the key. Grant access to the key in the IAM EC2 role attached to the application's EC2 instances. Write a key policy that enables IAM policies to grant access to the key. Grant access to the key in the S3 bucket's ACL. Create a Systems Manager parameter that exposes the KMS key to the EC2 instances.
253) Amazon Cognito is being used by a social networking firm to synchronize profiles across many mobile devices, enabling end users to enjoy a consistent experience. Which of the following setups enables customers to be notified quietly whenever an update is ready for their other devices? Modify the user pool to include all the devices which keep them in sync. Use the SyncCallback interface to receive notifications on the application. Use an Amazon Cognito stream to analyze the data and push the notifications. Use the push synchronization feature with the appropriate IAM role.
263) A developer works in an environment that includes various Amazon Web Services accounts and AWS Lambda functions that handle identical 100 KB payloads. The developer wishes to centralize the payloads' origin in a single account and have all Lambda functions triggered whenever the parent account's starting event happens. How can the developer build the process in the most efficient manner possible, ensuring that all Lambda functions with multiple accounts are run when an event occurs? Create a Lambda function in the parent account and use cross-account IAM roles with the AWS Security Token Service (AWS STS) AssumeRole API call to make AWS Lambda invoke the API call to invoke all the cross-account Lambda functions. Subscribe all the multi-account Lambda functions to an Amazon SNS topic and make a SNS Publish API call with the payload to the SNS topic. Set up an Amazon SQS queue with the queue policy permitting the ReceiveMessage action for multi-account Lambda functions. Then send the payload to the SQS queue using the sqs:SendMessage permission and poll the queue using multi-account Lambda functions. Use a worker on an Amazon EC2 instance to poll for the payload event. Invoke all Lambda functions using the Lambda Invoke API after using cross-account IAM roles with the AWS Security Token Service (AWS STS) AssumeRole API call.
266) A developer is deploying an application to Amazon EC2 using AWS CodeDeploy. The developer wishes to modify the permissions on a particular deployment file. Which lifecycle event should a developer utilize to do this task? AfterInstall DownloadBundle BeforeInstall ValidateService.
274) A development team deploys applications using AWS Elastic Beanstalk. The team has limited the number of application versions to 25 by configuring the application version lifecycle policy. Despite this, the source bundle gets destroyed from the Amazon S3 source bucket regardless of the lifespan policy. What should a developer do in the Elastic Beanstalk application's version lifecycle settings to ensure that the source code is retained in the S3 bucket? Change the Set the application versions limit by total count setting to zero Disable the Lifecycle policy setting Change the Set the application version limit by age setting to zero. Set Retention to Retain source bundle in S3.
A developer is creating a distributed application that will be constructed utilizing a microservices architecture and will span numerous Amazon Web Services accounts. The operations team of the business needs the ability to examine and troubleshoot application problems from a centralized account. How is the developer to adhere to these specifications? Use an Amazon X-Ray agent with role assumption to publish data into the centralized account. Use Amazon X-Ray and create a new IAM user to publish the access keys into the centralized account. Use VPC Flow Logs to collect applications logs across different accounts. Enable AWS CloudTrail to publish the trails in an Amazon S3 bucket in the centralized account.
283) A developer is currently building code for an Amazon Web Services Lambda function. The function will act as a Lambda authorizer, allowing Amazon API Gateway to manage access to a certain API. Along with the primary identity, what should this code return following successful authentication? An HTTP response status code of 200 that indicates successful completion. An integer 0 that indicates successful completion. The Amazon Resource Name (ARN) of an IAM role that will be assumed for authentication. A policy document with desired permissions.
A smartphone application that allows users to see photographs from an S3 bucket is being developed by a developer. Users must be able to log in using their Amazon credentials as well as their Facebook® and/or Google® accounts. How will the Developer be able to implement this authentication feature? Use Amazon Cognito with web identity federation. Use Amazon Cognito with SAML-based identity federation. Use AWS IAM Access/Secret keys in the application code to allow Get* on the S3 bucket Use AWS STS AssumeRole in the application code and assume a role with Get* permissions on the S3 bucket.
An AWS Lambda function is being written by a developer. The developer wants to record critical events that occur during the Lambda function's execution and to provide a unique identifier that will allow the events to be associated with a single function invocation. Which of the following will assist the developer in achieving this goal? Obtain the request identifier from the Lambda context object. Architect the application to write logs to the console. Obtain the request identifier from the Lambda event object. Architect the application to write logs to a file. Obtain the request identifier from the Lambda event object. Architect the application to write logs to the console. Obtain the request identifier from the Lambda context object. Architect the application to write logs to a file.
A developer hosts static websites using Amazon S3 buckets. The developer builds two S3 buckets: one for the code and another for the assets, which include picture and video files. When a user tries to access the assets bucket from the code bucket, access is forbidden, and the website application displays a 403 error. How should the Developer approach this situation? Create an IAM role and apply it to the assets bucket for the code bucket to be granted access. Edit the bucket policy of the assets bucket to open access to all principals. Edit the cross-origin resource sharing (CORS) configuration of the assets bucket to allow any origin to access the assets. Change the code bucket to use AWS Lambda functions instead of static website hosting.
A developer has developed an application that can concurrently upload tens of thousands of items to Amazon S3 under a single AWS account. As part of the new criteria, data stored in S3 must be encrypted on the server using AWS KMS (SSE-KMS). After making this update, the application's performance degrades. Which of the following is the MOST LIKELY source of application latency? Amazon S3 throttles the rate at which uploaded objects can be encrypted using Customer Master Keys The AWS KMS API calls limit is less than needed to achieve the desired performance. The client encryption of the objects is using a poor algorithm. KMS requires that an alias be used to create an independent display name that can be mapped to a CMK.
A business has a website built in PHP and WordPress and is hosted on AWS Elastic Beanstalk. The website requires a new version to be deployed in the Elastic Beanstalk environment. The firm cannot afford to have the website unavailable in the event of an update failure. Deployments must have a negligible effect and be reversible as quickly as feasible. Which type of deployment should be used? All at once Rolling Snapshots Immutable.
A development team is in the process of developing a new application that will operate on AWS. While the test and production environments will be hosted on Amazon EC2 instances, developers will use their own computers to execute their environments. Which of the following is the EASIEST and MOST SECURE method for local development computers to access AWS services? Use an IAM role to assume a role and execute API calls using the role. Create an IAM user to be shared with the entire development team; provide the development team with the access key. Create an IAM user for each developer on the team; provide each developer with a unique access key. Set up a federation through an Amazon Cognito user pool.
301) A developer is developing a web application that will be deployed on Amazon EC2 instances behind a public-facing Application Load Balancer (ALB). In front of the ALB, the developer must install an Amazon CloudFront distribution. Additionally, the developer must verify that client data that originates outside the VPC is secured during transit. Which configuration options in CloudFront should the developer use to achieve these requirements? (Select two.) Restrict viewer access by using signed URLs. Set the Origin Protocol Policy setting to Match Viewer. Enable field-level encryption. Enable automatic object compression. Set the Viewer Protocol Policy setting to Redirect HTTP to HTTPS.
327) A developer is debugging an application's permissions for making modifications to an Amazon RDS database. The developer has access to the application's IAM role. Which command structure should be used by the developer to verify role permissions? aws iam attach-role-policy aws ssm resume-session aws sts assume-role aws rds add-role-to-db-cluster.
329) During the most recent deployment of a new application, a corporation suffered some downtime. AWS Elastic Beanstalk partitioned the environment's Amazon EC2 instances into batches and delivered the new version one batch at a time after deactivating them. As a result, full capacity was not maintained during the deployment process. The developer intends to deliver a new version of the program and is seeking a policy that will ensure maximum capacity and mitigate the consequences of a failed deployment. Which deployment strategy is appropriate for the developer? Immutable All at Once Rolling Rolling with an Additional Batch.
A corporation employs 25,000 people and is expanding. The business is developing an application that will be exclusive to its workers. A developer is storing photos in Amazon S3 and application data in Amazon RDS. The organization demands that all employee data remain in the old Security Assertion Markup Language (SAML) employee directory and is not interested in replicating employee data on AWS. How can the developer ensure that the workers who will be utilizing this program have allowed access to their own application data? Use Amazon VPC and keep all resources inside the VPC, and use a VPC link for the S3 bucket with the bucket policy. Use Amazon Cognito user pools, federate with the SAML provider, and use user pool groups with an IAM policy. Use an Amazon Cognito identity pool, federate with the SAML provider, and use an IAM condition key with a value for the cognito-identity.amazonaws.com:sub variable to grant access to the employees. Create a unique IAM role for each employee and have each employee assume the role to access the application so they can access their personal data only.
A developer ran an AWS CLI command and encountered the following error: "A client error occured: you're not authorized..." What step should the developer take to make this mistake understandable to humans? Make a call to AWS KMS to decode the message Use the AWS STS decode-authorization-message API to decode the message. Use an open source decoding library to decode the message. Use the AWS IAM decode-authorization-message API to decode this message.
A developer is writing a script to automate the serverless application deployment process. The developer wants to build the application using an existing AWS Serverless Application Model (AWS SAM) template. What tools should the developer use in order to complete the project? (Select two.) Call aws cloudformation package to create the deployment package. Call aws cloudformation deploy to deploy the package afterward. Call sam package to create the deployment package. Call sam deploy to deploy the package afterward. Call aws s3 cp to upload the AWS SAM template to Amazon S3. Call aws lambda update-function-code to create the application. Create a ZIP package locally and call aws serverlessrepo create-application to create the application. Create a ZIP package and upload it to Amazon S3. Call aws cloudformation create-stack to create the application.
A gaming application saves player scores in an Amazon DynamoDB database with the following four columns: user id, user name, user score, and user rank. Users are only permitted to edit their names. Web identity federation authenticates a user. Which set of criteria should be put to the dynamodb:PutItem API call's policy associated with the role? user_id user_name aaa bbb ccc.
337) A developer has created an application that makes use of Amazon Cognito's authentication and authorisation capabilities. When a user logs in successfully, the application produces a user record in an Amazon DynamoDB database. How should the user be authenticated and a record created in the DynamoDB table? Authenticate and get a token from an Amazon Cognito user pool. Use the token to access DynamoDB. Authenticate and get a token from an Amazon Cognito identity pool. Use the token to access DynamoDB. Authenticate and get a token from an Amazon Cognito user pool. Exchange the token for AWS credentials with an Amazon Cognito identity pool. Use the credentials to access DynamoDB. Authenticate and get a token from an Amazon Cognito identity pool. Exchange the token for AWS credentials with an Amazon Cognito user pool. Use the credentials to access DynamoDB.
A developer observed that an application responsible for processing messages in an Amazon SQS queue was falling behind on a regular basis. Although the program is capable of processing several messages concurrently, it receives only one message at a time. What can the developer do to boost the amount of messages received by the application? Call the ChangeMessageVisibility API for the queue and set MaxNumberOfMessages to a value greater than the default of 1. Call the AddPermission API to set MaxNumberOfMessages for the ReceiveMessage action to a value greater than the default of 1. Call the ReceiveMessage API to set MaxNumberOfMessages to a value greater than the default of 1. Call the SetQueueAttributes API for the queue and set MaxNumberOfMessages to a value greater than the default of 1.
351) A developer is developing a serverless application using AWS Lambda and is required to establish a REST API that utilizes the HTTP GET method. What has to be specified to satisfy this criterion? (Select two.) A Lambda@Edge function An Amazon API Gateway with a Lambda function An exposed GET method in an Amazon API Gateway An exposed GET method in the Lambda function An exposed GET method in Amazon Route 53.
376) A developer uses the AWS CLI to create a role in order to get a set of temporary security credentials. Which of the following environment variables or AWS configuration file must be specified in order to authenticate with AWS? AccessKeyId, SecretAccessKey, and AssumedRoleId AccessKeyId, SecretAccessKey, and SessionToken UserId, SessionToken, and AssumedRoleId UserId, SessionToken and Credentials.
376) A developer uses the AWS CLI to create a role in order to get a set of temporary security credentials. Which of the following environment variables or AWS configuration file must be specified in order to authenticate with AWS? AccessKeyId, SecretAccessKey, and AssumedRoleId UserId, SessionToken, and AssumedRoleId AccessKeyId, SecretAccessKey, and SessionToken UserId, SessionToken and Credentials.
A developer must provide non-logged-in guest users access to an Amazon Cognito-enabled site in order to read files stored in an Amazon S3 bucket. How is the Developer to comply with these requirements? Create a blank user ID in a user pool, add to the user group, and grant access to AWS resources. Create a new identity pool, enable access to authenticated identities, and grant access to AWS resources. Create a new user pool, enable access to authenticated identities, and grant access to AWS resources. Create a new user pool, disable authentication access, and grant access to AWS resources.
393) A deployment package utilizes the AWS CLI to put files into any S3 bucket in the account, using environment variables to keep access keys. The package is operating on Amazon EC2 instances that have been updated to run with an assumed IAM role and a more restricted policy that restricts access to a single bucket. Following the update, the Developer logs in to the host and retains the ability to write to all of the account's S3 buckets. What is the MOST LIKELY REASON for this occurrence? An IAM inline policy is being used on the IAM role An IAM managed policy is being used on the IAM role The AWS CLI is corrupt and needs to be reinstalled The AWS credential provider looks for instance profile credentials last.
409) A developer is developing an application that requires identifying the public IPv4 address of the Amazon EC2 instance on which it is running. How is the program going to find this data? Get the instance metadata by retrieving http://169.254.169.254/latest/metadata/. Get the instance user data by retrieving http://169.254.169.254/latest/userdata/. Get the application to run IFCONFIG to get the public IP address Get the application to run IPCONFIG to get the public IP address.
417) A developer must invoke an AWS Lambda function depending on the lifecycle activity of an item in an Amazon DynamoDB database. How does the developer go about developing the solution? Enable a DynamoDB stream that publishes an Amazon SNS message. Trigger the Lambda function synchronously from the SNS message. Enable a DynamoDB stream that publishes an SNS message. Trigger the Lambda function asynchronously from the SNS message. Enable a DynamoDB stream, and trigger the Lambda function synchronously from the stream Enable a DynamoDB stream, and trigger the Lambda function asynchronously from the stream.
420) A team of developers is responsible for migrating an application running on AWS Elastic Beanstalk from a Classic Load Balancer to an Application Load Balancer. How should the job be completed using the AWS Management Console? 1. Update the application code in the existing deployment. 2. Select a new load balancer type before running the deployment. 3. Deploy the new version of the application code to the environment. 1. Create a new environment with the same configurations except for the load balancer type. 2. Deploy the same application version as used in the original environment. 3. Run the swap-environment-cnames action 1. Clone the existing environment, changing the associated load balancer type. 2. Deploy the same application version as used in the original environment. 3. Run the swap-environment-cnames action. 1. Edit the environment definitions in the existing deployment. 2. Change the associated load balancer type according to the requirements. 3. Rebuild the environment with the new load balancer type.
423) A developer has registered a new AWS account and is required to design a scalable AWS Lambda function that satisfies the following concurrent execution requirements: ✑ Average execution time of 100 seconds ✑ 50 requests per second Which procedure must be followed prior to deployment in order to avoid errors? Implement dead-letter queues to capture invocation errors Add an event source from Amazon API Gateway to the Lambda function Implement error handling within the application code Contact AWS Support to increase the concurrent execution limits.
429) A developer is transferring code to an Amazon Lambda function that will interact with an Amazon Aurora MySQL database. What is the SECUREST method for authenticating the function against the database? Store the database credentials as encrypted parameters in AWS Systems Manager Parameter Store. Obtain the credentials from Systems Manager when the Lambda function needs to connect to the database. Store the database credentials in AWS Secrets Manager. Let Secrets Manager handle the rotation of the credentials, as required. Store the database credentials in an Amazon S3 bucket that has a restrictive bucket policy for the Lambda role when accessing the credentials. Use AWS KMS to encrypt the data. Create a policy with rds-db:connect access to the database and attach it to the role assigned to the Lambda function.
6) What section of the document root must be included in an AWS CloudFormation template to include objects specified by the AWS Serverless Application Model (SAM) in addition to Resources? Conditions Transform Globals Properties.
7) A developer recognizes the need for centralized storage of application-level logs while designing an application that runs on Amazon EC2 in an Amazon VPC. Which AWS service can be utilized to store these logs securely? Amazon EC2 VPC Flow Logs Amazon CloudWatch Logs Amazon CloudSearch AWS CloudTrail.
9) A developer must install a serverless RESTful API on AWS regularly and consistently. Which strategies will be effective? (Select two.) Define a Swagger file. Use AWS Elastic Beanstalk to deploy the Swagger file. Define a Swagger file. Use AWS CodeDeploy to deploy the Swagger file. Deploy a SAM template with an inline Swagger definition. Define a Swagger file. Deploy a SAM template that references the Swagger file. Define an inline Swagger definition in a Lambda function. Invoke the Lambda function.
12) With production-distributed applications created as AWS Lambda functions, a developer must investigate performance issues. Other components of the applications are invoked by these distributed Lambda applications. What is the best way for a developer to discover and resolve the root cause of production performance issues? Add logging statements to the Lambda functions, then use Amazon CloudWatch to view the logs. Use AWS CloudTrail and then examine the logs. Use AWS X-Ray, then examine the segments and errors Run Amazon Inspector agents and then analyze performance.
19) The application components of a big firm are scattered across several AWS accounts. The organization must gather and display account-level trace data. What materials should be utilized to achieve these specifications? AWS X-Ray Amazon CloudWatch Amazon VPC flow logs Amazon Elasticsearch Service.
21) Amazon DynamoDB is used by a corporation to manage and track orders. The order date is used to split the DynamoDB table. During a sales event, the company receives a large spike in orders, forcing DynamoDB writes to choke, and the used throughput is considerably lower than the permitted throughput. How can this issue be rectified with MINIMAL expenses, according to AWS best practices? Create a new DynamoDB table for every order date. Increase the read and write capacity units of the DynamoDB table. Add a random number suffix to the partition key values Add a global secondary index to the DynamoDB table.
22) An Amazon S3 bucket is used to host a static website. JavaScript is used on many HTML pages on the site to retrieve photos from another Amazon S3 bucket. When people explore the site, certain photos are not shown. What may be the underlying source of the problem? The referenced Amazon S3 bucket is in another region. The images must be stored in the same Amazon S3 bucket. Port 80 must be opened on the security group in which the Amazon S3 bucket is located. Cross Origin Resource Sharing must be enabled on the Amazon S3 bucket.
23) Amazon Elastic Container Service (Amazon ECS) is used to deploy a microservices application across several containers. A developer wants to collect trace information across microservices and view the microservices architecture in order to optimize performance. Which solution will satisfy these criteria? Build the container from the amazon/aws-xray-daemon base image. Use the AWS X-Ray SDK to instrument the application. Install the Amazon CloudWatch agent on the container image. Use the CloudWatch SDK to publish custom metrics from each of the microservices. Install the AWS X-Ray daemon on each of the ECS instances. Configure AWS CloudTrail data events to capture the traffic between the microservices.
25) A business processes papers that arrive through an Amazon S3 bucket. Through a web user interface, users may upload documents to an S3 bucket. When files are received in S3, an AWS Lambda function is executed to handle them, however the Lambda function periodically times out. What happens to the S3 event if the Lambda function is set up with the default settings? The S3 event is discarded after the event is retried twice. The S3 event is sent to the default Dead Letter Queue. The S3 event is processed until it is successful. Notification of a failed S3 event is sent as an email through Amazon SNS.
26) On AWS Elastic Beanstalk, a gaming firm has created a web portal. Occasionally, the organization must deliver new versions three or four times every day. The organization must rapidly roll out new features to all users. The solution's performance effect must be kept to a minimum and its availability must be maximized. Which solution will satisfy these criteria? Use a rolling deployment policy to deploy to Amazon EC2 instances. Use an immutable deployment policy to deploy to Amazon EC2 instances Use an all-at-once deployment policy to deploy to Amazon EC2 instances. Use a canary deployment strategy to deploy changes to Amazon EC2 instances.
27) A considerable amount of read capacity is being used by queries to an Amazon DynamoDB database. The table has a high number of large attributes. The program does not need the whole set of attribute data. How may DynamoDB expenses be lowered while application performance is maximized? Batch all the writes, and perform the write operations when no or few reads are being performed. Create a global secondary index with a minimum set of projected attributes. Implement exponential backoffs in the application. Load balance the reads to the table using an Application Load Balancer.
31) A program overwrites an item in Amazon S3, then reads the identical object instantaneously. Why might the program sometimes get an object's previous version? S3 overwrite PUTS are eventually consistent, so the application may read the old object. The application needs to add extra metadata to label the latest version when uploading to Amazon S3. All S3 PUTS are eventually consistent, so the application may read the old object. The application needs to explicitly specify latest version when retrieving the object.
35) A developer wishes to search and filter log data in order to troubleshoot an application. Amazon CloudWatch Logs stores the application logs. To count exceptions in the application logs, the Developer sets a new metric filter. The logs, on the other hand, return no results. What is the cause for the absence of filtered results? A setup of the Amazon CloudWatch interface VPC endpoint is required for filtering the CloudWatch Logs in the VPC CloudWatch Logs only publishes metric data for events that happen after the filter is created The log group for CloudWatch Logs should be first streamed to Amazon Elasticsearch Service before metric filtering returns the results Metric data points for logs groups can be filtered only after they are exported to an Amazon S3 bucket.
39) A developer is trying to upload an object to an S3 bucket that has default encryption enabled using the Amazon S3 PutObject API action. A 400 Bad Request error is sent to the developer. Which of the following is the most probable source of this error? The API operation cannot access the encryption key. The HTTP Content-Length header is missing. The object exceeds the maximum object size that is allowed. The S3 bucket exceeds the maximum storage capacity that is allowed.
40) A business uses Amazon EC2 instances to execute a bespoke web application behind an Application Load Balancer. The instances are managed as part of an Auto Scaling group. The company's development team deploys all services through AWS CloudFormation. When the development team runs a new instance of the program, it takes time to install and setup. Which sequence of actions should a developer follow to improve efficiency while launching a new instance? (Select two.) Use an AWS Marketplace Amazon Machine Image (AMI) with a prebuilt application. Create a prebuilt Amazon Machine Image (AMI) with the application installed and configured. Update the launch template resource in the CloudFormation template. Use AWS Systems Manager Run Command to install and configure the application. Use CloudFormation helper scripts to install and configure the application.
42) A Linux, Apache, MySQL, and PHP (LAMP) stack is used to construct an on-premises application. The developer wants to host this application on Amazon Web Services. Which of the following AWS service sets is appropriate for running this stack? Amazon API Gateway, Amazon S3 AWS Lambda, Amazon DynamoDB Amazon EC2, Amazon Aurora Amazon Cognito, Amazon RDS.
44) A developer is in the process of developing an event handling system. The developer established a standard Amazon SQS queue to process messages asynchronously. According to quality assurance testing, some events were handled several times. What is the preferred method for preventing events from being handled multiple times? Change long polling to short polling. Use a FIFO queue and configure deduplication. Convert the standard SQS queue into a FIFO queue. Send the messages with message timers.
Where in the application source bundle should an Elastic Beanstalk configuration file called healthcheckur1.config be placed? In the root of the application In the bin folder In healthcheckur1.config.ebextension under root In the .ebextensions folder.
47) A corporation uses Amazon API Gateway and the API Gateway native API key validation to maintain a REST service. Users can now join up for the service through a new registration website that was recently developed by the corporation. The registration page uses CreateApiKey to generate a new API key and sends it to the user. The user receives a 403 Forbidden error when attempting to call the API with this key. Existing API users are unaffected and can continue to utilize it. What changes to the code will allow these additional users to access the API? The createDeployment method must be called so the API can be redeployed to include the newly created API key. The updateAuthorizer method must be called to update the API's authorizer to include the newly created API key. The importApiKeys method must be called to import all newly created API keys into the current stage of the API. The createUsagePlanKey method must be called to associate the newly created API key with the correct usage plan.
49) A development team is now supporting an application that saves cumulative gaming outcomes in an in-memory store. A database is used to keep individual outcomes. The team must employ automated scaling as part of the migration to AWS. The team is aware that this will result in uneven outcomes. Where should the team keep these gathered game outcomes in order to achieve the highest level of consistency without jeopardizing performance? Amazon S3 Amazon RDS Amazon ElastiCache Amazon Kinesis.
50) A developer is developing an application for Amazon EC2 instances. To read and write records, the application must establish a connection to an Amazon DynamoDB database. The security staff must change access keys on a regular basis. Which technique will meet these criteria? Create an IAM role with read and write access to the DynamoDB table. Generate access keys for the user and store the access keys in the application as environment variables. Create an IAM user with read and write access to the DynamoDB table. Store the user name and password in the application and generate access keys using an AWS SDK. Create an IAM role, configure read and write access for the DynamoDB table, and attach to the EC2 instances. Create an IAM user with read and write access to the DynamoDB table. Generate access keys for the user and store the access keys in the application as a credentials file.
52) A business delivers APIs as a service and binds all of its users to a service level agreement (SLA). What should the organization do to ensure compliance with each SLA? Enable throttling limits for each method in Amazon API Gateway. Create a usage plan for each user and request API keys to access the APIs. Enable API rate limiting in Amazon Cognito for each user. Enable default throttling limits for each stage after deploying the APIs.
53) A developer created a static website hosted on Amazon S3 that uses Amazon API Gateway and AWS Lambda to conduct web service queries. The site is now displaying an error message that reads as follows: "The requested resource does not have an 'Access-Control-Allow-Origin' header. As a result, origin 'null' is denied access." What is the Developer's responsibility in resolving this issue? Enable cross-origin resource sharing (CORS) on the S3 bucket. Enable cross-origin resource sharing (CORS) for the method in API Gateway. Add the Access-Control-Request-Method header to the request. Add the Access-Control-Request-Headers header to the request.
54) Returning consumers may log in to see personalized web pages on an e-commerce site. The process is shown below: Implement the user login page as an asynchronous Lambda function. Use Amazon ElastiCache for MemCached to cache user data Use an Amazon Application Load Balancer to load balance the traffic to the website. Call the database asynchronously so the code can continue executing. Batch login requests from hundreds of users together as a single read request to the database.
56) An application developer is tasked with integrating Amazon CloudWatch into an on-premises environment. According to AWS security best practices, how should the application use CloudWatch? Configure AWS credentials in the application server with an AWS SDK Implement and proxy API-calls through an EC2 instance Store IAM credentials in the source code to enable access Add the application server SSH-key to AWS.
57) A developer attempts to use the command aws configure after installing the AWS CLI and gets the following error: aws: command not found. Which of the following is the most probable source of this error? The aws executable is not in the PATH environment variable. Access to the aws executable has been denied to the installer. Incorrect AWS credentials were provided. The aws script does not have an executable file mode.
58) A business utilizes AWS CodeBuild and AWS CodeCommit to implement a continuous build process. Developers routinely submit code throughout the development period, resulting in large build failures. The firm is looking for a solution that would generate code prior to developers pushing it to the main branch. Which option best fits these criteria in terms of cost-effectiveness? Configure an Amazon EC2 instance with the CodeBuild agent to build the code. Configure CodeBuild jobs on AWS for each branch build process. Configure the CodeBuild agent to build the code in the local system. Configure a Jenkins plugin for CodeBuild to run the code build process.
59) In an Amazon DynamoDB database, a game holds user game data. Individual users should not have access to the gaming data of other players. How is this possible? Encrypt the game data with individual user keys. Restrict access to specific items based on certain primary key values. Stage data in SQS queues to inject metadata before accessing DynamoDB. Read records from DynamoDB and discard irrelevant data client-side.
A developer must use an AWS CloudFormation template to launch a new AWS Lambda function. Which processes are responsible for deploying Lambda functions? (Select two.) Upload the code to an AWS CodeCommit repository, then add a reference to it in an AWS::Lambda::Function resource in the template. Create an AWS::Lambda::Function resource in the template, then write the code directly inside the CloudFormation template Upload a .ZIP file containing the function code to Amazon S3, then add a reference to it in an AWS::Lambda::Function resource in the template. Upload a .ZIP file to AWS CloudFormation containing the function code, then add a reference to it in an AWS::Lambda::Function resource in the template Upload the function code to a private Git repository, then add a reference to it in an AWS::Lambda::Function resource in the template.
What is the purpose of an Amazon SQS delay queue? Messages are hidden for a configurable amount of time when they are first added to the queue. Messages are hidden for a configurable amount of time after they are consumed from the queue The consumer can poll the queue for a configurable amount of time before retrieving a message. Message cannot be deleted for a configurable amount of time after they are consumed from the queue.
A business is developing an ecommerce website, and the static data will be stored on Amazon S3. The business anticipates roughly 1,000 GET and PUT requests per second (TPS). All queries must be logged and maintained for auditing reasons. Which approach is the MOST cost-effective? Enable AWS CloudTrail logging for the S3 bucket-level action and create a lifecycle policy to move the data from the log bucket to Amazon S3 Glacier in 90 days. Enable S3 server access logging and create a lifecycle policy to expire the data in 90 days. Enable AWS CloudTrail logging for the S3 bucket-level action and create a lifecycle policy to expire the data in 90 days. Enable S3 server access logging and create a lifecycle policy to move the data to Amazon S3 Glacier in 90 days.
A business has an application in which reading items from Amazon S3 is conditional on the user type. There are two sorts of users: registered and visitor. The firm now has 25,000 users and is expanding at a rapid pace. Depending on the user type, data is fetched from an S3 bucket. Which techniques are advised for accommodating both sorts of users? (Select two.) Provide a different access key and secret access key in the application code for registered users and guest users to provide read access to the objects. Use S3 bucket policies to restrict read access to specific IAM users. Use Amazon Cognito to provide access using authenticated and unauthenticated roles. Create a new IAM user for each user and grant read access. Use the AWS IAM service and let the application assume the different roles using the AWS Security Token Service (AWS STS) AssumeRole action depending on the type of user and provide read access to Amazon S3 using the assumed role.
Using Amazon API Gateway, a developer has established a REST API. The developer wants to keep track of which callers and how they utilize the API. Additionally, the developer wants to have control over the duration of the logs. What actions should the developer take to ensure compliance with these requirements? Enable API Gateway execution logging. Delete old logs using API Gateway retention settings. Enable API Gateway access logs. Use Amazon CloudWatch retention settings to delete old logs. Enable detailed Amazon CloudWatch metrics. Delete old logs with a recurring AWS Lambda function. Create and use API Gateway usage plans. Delete old logs with a recurring AWS Lambda function.
A business in the us-east-1 Region has installed web servers on Amazon EC2 instances running Amazon Linux. Amazon Elastic Block Store (Amazon EBS) is used to back up the EC2 instances. A developer wants to guarantee that all of these instances use an AWS Key Management Service (AWS KMS) key to offer encryption at rest. How can a developer use an AWS KMS key to enable encryption at rest on existing and new instances? Use AWS Certificate Manager (ACM) to generate a TLS certificate. Store the private key in AWS KMS. Use AWS KMS on the instances to enable TLS encryption. Manually enable EBS encryption with AWS KMS on running instances. Then enable EBS encryption by default for new instances. Enable EBS encryption by default. Create snapshots from the running instances. Replace running instances with new instances from snapshots. Export the AWS KMS key to the application. Encrypt all application data by using the exported key. Enable EBS encryption by default to encrypt all other data.
A developer is developing an application that will use Amazon S3 to store data. Before data is transmitted to Amazon S3 for storage, management requires that it be secured. The Security team is responsible for managing the encryption keys. Which strategy should the developer use to satisfy these requirements? Implement server-side encryption using customer-provided encryption keys (SSE-C). Implement server-side encryption by using a client-side master key. Implement client-side encryption using an AWS KMS managed customer master key (CMK). Implement client-side encryption using Amazon S3 managed keys.
A developer has designed a software package that will be distributed utilizing IAM roles across many EC2 servers. What measures may be taken to validate IAM access to Amazon Kinesis Streams records? (Select two.) Use the AWS CLI to retrieve the IAM group. Query Amazon EC2 metadata for in-line IAM policies. Request a token from AWS STS, and perform a describe action. Perform a get action using the --dry-run argument. Validate the IAM role policy with the IAM policy simulator.
A developer has an on-premises legacy application. Other AWS-hosted apps rely on the on-premises application for optimal operation. In the event of any application failures, the Developer wants to be able to monitor and debug all apps from a single location using Amazon CloudWatch. How is this accomplished by the Developer? Install an AWS SDK on the on-premises server to automatically send logs to CloudWatch. Download the CloudWatch agent to the on-premises server. Configure the agent to use IAM user credentials with permissions for CloudWatch. Upload log files from the on-premises server to Amazon S3 and have CloudWatch read the files. Upload log files from the on-premises server to an Amazon EC2 instance and have the instance forward the logs to CloudWatch.
A development team has released ten applications that are operating on Amazon EC2 instances. A graphical representation of the data is required by the Operations team. For each application, there is one critical performance metric. For convenient monitoring, all of these metrics should be presented on a single screen. Which actions should the developer take to use Amazon CloudWatch to do this? Create a custom namespace with a unique metric name for each application Create a custom dimension with a unique metric name for each application. Create a custom event with a unique metric name for each application. Create a custom alarm with a unique metric name for each application.
A business must send firmware upgrades to all of its consumers worldwide. Which solution will provide simple and secure control of download access at the lowest possible cost? Use Amazon CloudFront with signed URLs for Amazon S3 Create a dedicated Amazon CloudFront Distribution for each customer Use Amazon CloudFront with AWS Lambda@Edge Use Amazon API Gateway and AWS Lambda to control access to an S3 bucket.
A business wants to use Amazon API Gateway to enable authentication for its new REST service. Each request must include HTTP headers including a client ID and a user ID in order to authenticate the calls. These credentials must be matched to data stored in an Amazon DynamoDB database for authentication. What actions MUST the company take to implement this authorization in API Gateway? Implement an AWS Lambda authorizer that references the DynamoDB authentication table. Create a model that requires the credentials, then grant API Gateway access to the authentication table. Modify the integration requests to require the credentials, then grant API Gateway access to the authentication table. Implement an Amazon Cognito authorizer that references the DynamoDB authentication table.
A developer wishes to get a list of objects from an Amazon DynamoDB table's global secondary index. Which DynamoDB API call should the developer use to utilize the fewest read capacity units possible? Scan operation using eventually-consistent reads Query operation using strongly-consistent reads Query operation using eventually-consistent reads Scan operation using strongly-consistent reads.
A corporation is deploying one of their apps using AWS CodePipeline. The delivery pipeline is triggered by modifications to the master branch of an AWS CodeCommit repository and utilizes AWS CodeBuild for the test and build phases, as well as AWS CodeDeploy for application deployment. For many months, the pipeline has operated effectively with no adjustments. AWS CodeDeploy failed to deploy the updated application as planned after a recent modification to the application's source code. What may be the underlying causes? (Select two.) The change was not made in the master branch of the AWS CodeCommit repository. One of the earlier stages in the pipeline failed and the pipeline has terminated. One of the Amazon EC2 instances in the company's AWS CodePipeline cluster is inactive. The AWS CodePipeline is incorrectly configured and is not executing AWS CodeDeploy. AWS CodePipeline does not have permissions to access AWS CodeCommit.
A developer is attempting to use the SDK to perform API requests. The application's IAM user credentials require a multi-factor authentication token for all API requests. Which mechanism does the developer use to get access to the API that is protected by multi-factor authentication? GetFederationToken GetCallerIdentity GetSessionToken DecodeAuthorizationMessage.
A development team is composed of ten individuals. The manager wants to offer access to user-specific folders in an Amazon S3 bucket, similar to a home directory for each team member. The sample of the IAM policy for the team member with the username "TeamMemberX" is as follows: Rather than generating unique policies for each team member, how may this policy excerpt be made general for all team members? Use IAM policy condition. Use IAM policy principal. Use IAM policy variables. Use IAM policy resource.
The development team is now hard at work developing an API that will be provided through the Amazon API Gateway. Three environments will service the API: development, test, and production. All three phases of the API Gateway are set to consume 237 GB of cache. Which deployment option is the MOST cost-effective? Create a single API Gateway with all three stages. Create three API Gateways, one for each stage in a single AWS account. Create an API Gateway in three separate AWS accounts. Enable the cache for development and test environments only when needed.
A developer is debugging a three-tier application hosted on Amazon EC2 instances. Between the application servers and database servers, there is a connection issue. Which Amazon Web Services (AWS) services or tools should be utilized to determine which component is faulty? (Make a selection of at least two.) AWS CloudTrail. AWS Trusted Advisor. Amazon VPC Flow Logs. Network access control lists. AWS Config rules.
A business requires security for its current website, which is hosted behind an Elastic Load Balancer. Amazon EC2 instances hosting the website are CPU restricted. How can the website be secured without raising the CPU burden on the Amazon EC2 web servers? (Select two.) Configure an Elastic Load Balancer with SSL pass-through. Configure SSL certificates on an Elastic Load Balancer Configure an Elastic Load Balancer with a Loadable Storage System Install SSL certificates on the EC2 instances. Configure an Elastic Load Balancer with SSL termination.
A developer will handle AWS services through the AWS CLI on a local development server. What can be done to guarantee that the CLI executes commands using the Developer's IAM permissions? Specify the Developer's IAM access key ID and secret access key as parameters for each CLI command. Run the aws configure CLI command, and provide the Developer's IAM access key ID and secret access key. Specify the Developer's IAM user name and password as parameters for each CLI command. Use the Developer's IAM role when making the CLI command.
A client wishes to host its source code on AWS Elastic Beanstalk. The client should undertake deployment with minimum downtime and should keep application access logs exclusively on existing instances. Which deployment strategy would meet these criteria? Rolling All at once Rolling with an additional batch Immutable.
A development team chooses to use AWS CodePipeline and AWS CodeCommit to implement a continuous integration/continuous delivery (CI/CD) method for a new application. Management, on the other hand, requires a human to evaluate and approve the code prior to it being released to production. How can the development team include a manual approver into the continuous integration/continuous delivery pipeline? Use AWS SES to send an email to approvers when their action is required. Develop a simple application that allows approvers to accept or reject a build. Invoke an AWS Lambda function to advance the pipeline when a build is accepted. If approved, add an approved tag when pushing changes to the CodeCommit repository. CodePipeline will proceed to build and deploy approved commits without interruption. Add an approval step to CodeCommit. Commits will not be saved until approved. Add an approval action to the pipeline. Configure the approval action to publish to an Amazon SNS topic when approval is required. The pipeline execution will stop and wait for an approval.
A developer is now working on a serverless Java app. Initial testing indicates that a cold start for AWS Lambda functions takes around 8 seconds on average. What should the developer do to lessen the time required for a cold start? (Select two.) Add the Spring Framework to the project and enable dependency injection. Reduce the deployment package by including only needed modules from the AWS SDK for Java. Increase the memory allocation setting for the Lambda function. Increase the timeout setting for the Lambda function. Change the Lambda invocation mode from synchronous to asynchronous.
A programmer is developing a new application that will make use of an Amazon DynamoDB database. All objects older than 48 hours must be eliminated, according to the standard. Which solution will satisfy this criterion? Create a new attribute that has the Number data type. Add a local secondary index (LSI) for this attribute, and enable TTL with an expiration of 48 hours. In the application code, set the value of this attribute to the current timestamp for each new item that is being inserted Create a new attribute that has the String data type. Add a local secondary index (LSI) for this attribute, and enable TTL with an expiration of 48 hours. In the application code, set the value of this attribute to the current timestamp for each new item that is being inserted Create a new attribute that has the Number data type. Enable TTL on the DynamoDB table for this attribute. In the application code, set the value of this attribute to the current timestamp plus 48 hours for each new item that is being inserted. Create a new attribute that has the String data type. Enable TTL on the DynamoDB table for this attribute. In the application code, set the value of this attribute to the current timestamp plus 48 hours for each new item that is being inserted.
Amazon Kinesis is being used to handle clickstream data for an application. Periodic spikes occur in the clickstream data flow into Kinesis. Occasionally, the PutRecords API request fails, and the logs indicate that the unsuccessful call provides the following response: Which approaches will aid in mitigating this circumstance? (Select two.) Implement retries with exponential backoff. Use a PutRecord API instead of PutRecords. Reduce the frequency and/or size of the requests. Use Amazon SNS instead of Kinesis. Reduce the number of KCL consumers.
Two Amazon DynamoDB tables are accessed using an AWS Lambda function. A developer wishes to optimize the Lambda function's performance by finding bottlenecks inside the function. How can a developer determine the duration of DynamoDB API calls? Add DynamoDB as an event source to the Lambda function. View the performance with Amazon CloudWatch metrics. Place an Application Load Balancer (ALB) in front of the two DynamoDB tables. Inspect the ALB logs. Limit Lambda to no more than five concurrent invocations. Monitor from the Lambda console. Enable AWS X-Ray tracing for the function. View the traces from the X-Ray service.
A business operates an application on AWS Lambda@Edge. The application offers material that adapts according to the device being used by the viewer. The number of hits by device type is written to logs in Amazon CloudWatch Logs that are saved in a log group. For each device type, the organization must provide an Amazon CloudWatch custom metric. Which strategy will satisfy these criteria? A. Create a CloudWatch Logs Insights query to extract the device type information from the logs and to create a custom metric with device type as a dimension. B. Create a CloudWatch metric filter to extract metrics from the log files with device type as a dimension. C. Update the application to write its logs in the CloudWatch embedded metric format with device type as a dimension. D. Configure the CloudWatch Logs agent for Lambda integration. Update the application to use the StatsD protocol to emit the metrics.
What are the procedures for launching a templatized serverless application using the AWS CLI? Use AWS CloudFormation get-template then CloudFormation execute-change-set. Use AWS CloudFormation validate-template then CloudFormation create-change-set. Use AWS CloudFormation package then CloudFormation deploy. Use AWS CloudFormation create-stack then CloudFormation update-stack.
A cluster of Amazon EC2 instances hosts an application. When attempting to read items encrypted using server-side encryption using AWS KMS managed keys (SSE-KMS) from a single Amazon S3 bucket, the application encounters the following error: Throttling Exception. Which measures should be taken in combination to avoid this failure? (Select two.) A. Contact AWS Support to request an AWS KMS rate limit increase. B. Perform error retries with exponential backoff in the application code. C. Contact AWS Support to request a S3 rate limit increase. D. Import a customer master key (CMK) with a larger key size. E. Use more than one customer master key (CMK) to encrypt S3 data.
AWS Lambda functions need read/write access to an Amazon S3 bucket and to an Amazon DynamoDB database. The appropriate IAM policy is already in place. How can I allow the Lambda function access to the S3 bucket and DynamoDB database in the MOST SECURE manner possible? Attach the existing IAM policy to the Lambda function. Create an IAM role for the Lambda function. Attach the existing IAM policy to the role. Attach the role to the Lambda function. Create an IAM user with programmatic access. Attach the existing IAM policy to the user. Add the user access key ID and secret access key as environment variables in the Lambda function. Add the AWS account root user access key ID and secret access key as encrypted environment variables in the Lambda function.
The developer is developing a web application that uses a POST request to capture highly controlled and private user data. Amazon CloudFront is used to serve the web application. User names and phone numbers must be encrypted at the edge of the application stack and must stay encrypted throughout. What is the SECUREST method for meeting these requirements? Enforce Match Viewer with HTTPS Only on CloudFront. Use only the newest TLS security policy on CloudFront. Enforce a signed URL on CloudFront on the front end. Use field-level encryption on CloudFront.
Numerous apps make use of an Amazon RDS database instance to seek for previous data. The pace of queries is quite steady. When historical data is updated daily, the associated write traffic degrades the speed of read queries, affecting all application users. What can be done to minimize the effect on application users' performance? Make sure Amazon RDS is Multi-AZ so it can better absorb increased traffic. Create an RDS Read Replica and direct all read traffic to the replica. Implement Amazon ElastiCache in front of Amazon RDS to buffer the write traffic. Use Amazon DynamoDB instead of Amazon RDS to buffer the read traffic.
A Global Secondary Index (GSI) is used by Amazon DynamoDB to facilitate read queries. The main table is heavily utilized for write operations, while the GSI is heavily used for read activities. When the Developer examines Amazon CloudWatch analytics, he observes that write operations to the main table are regularly throttled during periods of high write activity. However, write capacity units to the primary table remain accessible and unutilized. What is the reason for the table's throttling? The GSI write capacity units are underprovisioned There are not enough read capacity units on the primary table Amazon DynamoDB Streams is not enabled on the table A large write operation is being performed against another table.
AWS Organizations enables a business to manage many accounts. Account A utilizes an Amazon EC2 instance to host an application. The program makes use of the AWS command line interface to do automatic deployments in Account B. By using an EC2 IAM service role in Account A and an IAM role in Account B, an administrator established cross-account access. The application attempts to assume the IAM role in Account B using the following command but is unable to deploy anything in Account B: aws sts assume-role --role-arn "arn:aws:iam::<AccountB-ID>:role/AccountB-Role" --role-session-name AccountB-Role-Session-Name Which action is required next to enable the application to effectively utilise the credentials obtained via the usage of Account B's role? Configure the access key and secret access key of a valid IAM user from Account B in the environment variables. Configure the access key, secret access key, and token from the assume-role command in the environment variables. Create a CLI profile for the EC2 IAM service role in the AWS configuration file. Delete any access keys and secret access keys in the environment variables.
All personally identifiable information (PII) is stored by a corporation in an Amazon DynamoDB database called PII in Account A. Access to the PII database is required by an application operating on Amazon EC2 instances in Account B. Account A's administrator established an IAM role called AccessPII with access credentials to the PII database and added Account B as a trusted entity. Which extra actions must developers take in order to have access to the table? (Select two.) A. Ask an administrator in Account B to allow the EC2 IAM role permission to assume the AccessPII role. B. Ask an administrator in Account B to allow the EC2 IAM role permission to assume the AccessPII role with predefined service control policies. C. Ask an administrator in Account A to allow the EC2 IAM role permission to assume the AccessPII role with predefined service control policies. D. Include the AssumeRole API in the application code logic to obtain credentials to access the PII table. E. Include the GetSessionToken API in the application code logic to obtain credentials to access the PII table.
A developer enhanced an application that runs on an Amazon EC2 instance and makes use of Amazon SQS. The developer observed a large spike in Amazon SQS prices upon deployment. When monitoring the Amazon SQS metrics using Amazon CloudWatch, the developer saw that this queue receives an average of one message every minute. What can be done to lower this application's Amazon SQS costs? Increase the Amazon SQS queue polling timeout. Scale down the Amazon SQS queue to the appropriate size for low traffic demand. Configure push delivery via Amazon SNS instead of polling the Amazon SQS queue. Use an Amazon SQS first-in, first-out (FIFO) queue instead of a standard queue.
A developer is developing a website that will be hosted on Amazon's S3 service. Secure browser connections must be supported by the website. Which steps must the developer perform in combination to satisfy this requirement? (Select two.) Create an Elastic Load Balancer (ELB). Configure the ELB to direct traffic to the S3 bucket. Create an Amazon CloudFront distribution. Set the S3 bucket as an origin. Configure the Elastic Load Balancer with an SSL/TLS certificate. Configure the Amazon CloudFront distribution with an SSL/TLS certificate. Configure the S3 bucket with an SSL/TLS certificate.
A developer is automating the deployment of a new application using AWS Serverless Application Model (AWS SAM). One AWS Lambda function and one Amazon S3 bucket are included in the new application. The Lambda function must have read-only access to the S3 bucket. How should the developer set up AWS SAM to provide the S3 bucket the appropriate read permissions? Reference a second Lambda authorizer function. Add a custom S3 bucket policy to the Lambda function. Create an Amazon Simple Queue Service (SQS) topic for only S3 object reads. Reference the topic in the template. Add the S3ReadPolicy template to the Lambda function's execution role.
A developer must use AWS KMS to encrypt a 100 GB object. What is the BEST course of action? Make an Encrypt API call to encrypt the plaintext data as ciphertext using a customer master key (CMK) Make an Encrypt API call to encrypt the plaintext data as ciphertext using a customer master key (CMK) with imported key material Make a GenerateDataKey API call that returns a plaintext key and an encrypted copy of a data key. Use a plaintext key to encrypt the data Make a GenerateDataKeyWithoutPlaintext API call that returns an encrypted copy of a data key. Use an encrypted key to encrypt the data.
A firm is developing an application that will use an Amazon DynamoDB database to monitor athlete performance. A partition key (user id) and a sort key (sport name) uniquely identify each item in the database. The following illustration depicts the table's design: (Please note that not all table characteristics are shown.) A developer is requested to create a leaderboard application that would show the best performers (user id) for each sport name depending on their score. Which approach will enable the developer to most effectively retrieve results from the DynamoDB table? Use a DynamoDB query operation with the key attributes of user_id and sport_name and order the results based on the score attribute. Create a global secondary index with a partition key of sport_name and a sort key of score, and get the results Use a DynamoDB scan operation to retrieve scores and user_id based on sport_name, and order the results based on the score attribute. Create a local secondary index with a primary key of sport_name and a sort key of score and get the results based on the score attribute.
A developer is developing a serverless application that needs to invoke an AWS Lambda function every ten minutes. How can the function be triggered in an automated and serverless manner? Deploy an Amazon EC2 instance based on Linux, and edit its /etc/crontab file by adding a command to periodically invoke the Lambda function. Configure an environment variable named PERIOD for the Lambda function. Set the value to 600. Create an Amazon CloudWatch Events rule that triggers on a regular schedule to invoke the Lambda function. Create an Amazon SNS topic that has a subscription to the Lambda function with a 600-second timer.
Images are stored in an S3 bucket by an application. Notifications from Amazon S3 are utilized to invoke a Lambda code that resizes the pictures. Each photograph is processed in less than a second. How will AWS Lambda deal with the increased traffic? Lambda will scale out to execute the requests concurrently. Lambda will handle the requests sequentially in the order received. Lambda will process multiple images in a single execution. Lambda will add more compute to each execution to reduce processing time.
An application becomes unresponsive due to the following error: The bucket given does not exist. Where is the best place to start the analysis of the root causes? Check the Elastic Load Balancer logs for DeleteBucket requests. Check the application logs in Amazon CloudWatch Logs for Amazon S3 DeleteBucket errors. Check AWS X-Ray for Amazon S3 DeleteBucket alarms. Check AWS CloudTrail for a DeleteBucket event.
A developer has an on-premises stateful web server that is being transferred to AWS. The developer's flexibility in the new design must be increased. How should the developer approach refactoring the program to increase its elasticity? (Select two.) Use pessimistic concurrency on Amazon DynamoDB Use Amazon CloudFront with an Auto Scaling group Use Amazon CloudFront with an AWS Web Application Firewall Store session state data in an Amazon DynamoDB table Use an ELB with an Auto Scaling group.
Amazon API Gateway is being used by a media business to handle microservices configured as AWS Lambda functions. The development team of the corporation intends to release a new version of its API. To prevent impacting current customers when the new API is launched, the firm intends to provide all users a three-month grace period during which they may migrate from the old API to the new API. Which implementation technique should the business utilize to accomplish this objective? Update the Lambda functions. Configure the API to use Lambda proxy integration. Update the Lambda functions. Provide the API client with the new Lambda endpoints. Use API Gateway to deploy a new stage that uses updated Lambda functions and provides users with a new URL. Use API Gateway to redirect requests based on a request header to updated Lambda functions. Configure a 90-day expiration on the old API.
On Amazon ECS, a corporation is running a Docker application. The application's load must be scaled depending on the past 15 seconds' user activity. How should a developer instrument code to ensure it satisfies the requirement? Create a high-resolution custom Amazon CloudWatch metric for user activity data, then publish data every 30 seconds Create a high-resolution custom Amazon CloudWatch metric for user activity data, then publish data every 5 seconds Create a standard-resolution custom Amazon CloudWatch metric for user activity data, then publish data every 30 seconds Create a standard-resolution custom Amazon CloudWatch metric for user activity data, then publish data every 5 seconds.
A business demands that AWS Lambda functions built by developers record problems in order for System Administrators to resolve issues more efficiently. What should developers do to address this need? Publish errors to a dedicated Amazon SQS queue. Create an Amazon CloudWatch Events event trigger based on certain Lambda events. Report errors through logging statements in Lambda function code. Set up an Amazon SNS topic that sends logging statements upon failure.
In the console, a developer transformed an existing application to an AWS Lambda function. While the application works OK on a local laptop, it fails to import a module when evaluated in the Lambda interface. Which of the following may be used to correct the error? Install the missing module and specify the current directory as the target. Create a ZIP file to include all files under the current directory, and upload the ZIP file Install the missing module in a lib directory. Create a ZIP file to include all files under the lib directory, and upload the ZIP file as dependency file. In the Lambda code, invoke a Linux command to install the missing modules under the /usr/lib directory. In the Lambda console, create a LB_LIBRARY_PATH environment and specify the value for the system library path.
An application is composed of two components: one for handling HTTP requests and another for doing background processing operations. Each component must be self-scaling. The developer wants to use AWS Elastic Beanstalk to deploy this application. How, in light of these criteria, should this application be deployed? Deploy the application in a single Elastic Beanstalk environment. Deploy each component in a separate Elastic Beanstalk environment. Use multiple Elastic Beanstalk environments for the HTTP component, but one environment for the background task component. Use multiple Elastic Beanstalk environments for the background task component, but one environment for the HTTP component.
A developer has created a web application and wants to swiftly deploy it on an AWS Tomcat server. The developer wants to be free of the responsibility of managing the underlying infrastructure. According to these criteria, what is the simplest approach to deploy the application? AWS CloudFormation AWS Elastic Beanstalk Amazon S3 AWS CodePipeline.
A developer uses Amazon ECS to host an e-commerce API. The application's fluctuating and spiking demand is causing order processing to take an excessive amount of time. The program manages Amazon Simple Queue Service (SQS) queues. Throughout the day, the ApproximateNumberOfMessagesVisible metric jumps to very high levels, resulting in Amazon CloudWatch alert violations. Other ECS metrics for API containers are within acceptable ranges. What measures can the developer take to boost performance while keeping costs down? Target tracking scaling policy Docker Swarm Service scheduler Step scaling policy.
A developer is configuring the Amazon API Gateway to support their business's goods. Registered developers may use the API to query and change their environments. For financial and security concerns, the organization wants to restrict the number of requests that end users may submit. Management wants to provide registered developers with the option of purchasing bigger packages that support a greater number of requests. How can the developer do this with the LEAST amount of management overhead? Enable throttling for the API Gateway stage. Set a value for both the rate and burst capacity. If a registered user chooses a larger package, create a stage for them, adjust the values, and share the new URL with them. Set up Amazon CloudWatch API logging in API Gateway. Create a filter based on the user and requestTime fields and create an alarm on this filter. Write an AWS Lambda function to analyze the values and requester information, and respond accordingly. Set up the function as the target for the alarm. If a registered user chooses a larger package, update the Lambda code with the values. Enable Amazon CloudWatch metrics for the API Gateway stage. Set up CloudWatch alarms based off the Count metric and the ApiName, Method, Resource, and Stage dimensions to alert when request rates pass the threshold. Set the alarm action to Deny. If a registered user chooses a larger package, create a user-specific alarm and adjust the values. Set up a default usage plan, specify values for the rate and burst capacity, and associate it with a stage. If a registered user chooses a larger package, create a custom plan with the appropriate values and associate the plan with the user.
A developer is attempting to monitor the status of an application by running a cron job that returns 1 when the service is up and 0 when it is down. The developer wrote code to publish the custom metrics to Amazon CloudWatch and set an alert using the AWS CLI put-metric-alarm function. The Developer, on the other hand, is unable to issue an alert since the custom metrics are not visible in the CloudWatch interface. What is the source of this problem? Sending custom metrics using the CLI is not supported. The Developer needs to use the put-metric-data command. The Developer must use a unified CloudWatch agent to publish custom metrics. The code is not running on an Amazon EC2 instance.
Amazon Kinesis Streams is being used by a web application to store clickstream data that may not be utilized for up to 12 hours. How can the developer encrypt data in the Kinesis Streams at rest? Enable SSL connections to Kinesis Use Amazon Kinesis Consumer Library Encrypt the data once it is at rest with a Lambda function Enable server-side encryption in Kinesis Streams.
A business is building a web application that will enable workers to submit their profile pictures to a private Amazon S3 bucket. There is no restriction on the size of the profile images that should be shown each time an employee checks in. The images cannot be made publicly available for security reasons. What is a long-term feasible solution to this situation? Generate a presigned URL when a picture is uploaded. Save the URL in an Amazon DynamoDB table. Return the URL to the browser when the employee logs in. Save the picture's S3 key in an Amazon DynamoDB table. Create an Amazon S3 VPC endpoint to allow the employees to download pictures once they log in. Encode a picture using base64. Save the base64 string in an Amazon DB table. Allow the browser to retrieve the string and convert it to a picture. Save the picture's S3 key in an Amazon DynamoDB table. Use a function to generate a presigned URL every time an employee logs in. Return the URL to the browser.
A business is developing a stock trading application. The program requires a latency of less than one millisecond to handle trading requests. The firm stores all trade data in Amazon DynamoDB, which is utilized to perform each trading request. A development team conducts load testing on the application and discovers that the time required to get data is longer than intended. The development team needs a solution that significantly improves data retrieval time with the least amount of work feasible. Which solution satisfies these criteria? Add local secondary indexes (LSIs) for trading data. Store trading data in Amazon S3 and use Transfer Acceleration. Add retries with exponential back-off for DynamoDB queries. Use DynamoDB Accelerator to cache trading data.
A business runs an application that makes use of an Amazon RDS DB instance as the database. A developer must implement database encryption at rest. Which measures should the developer perform in combination to satisfy this requirement? (Select two.) Enable encryption on the DB instance in the AWS Management Console. Stop the DB instance. Restore the DB instance from the encrypted snapshot Take a snapshot of the DB instance, and create an encrypted copy of the snapshot. Create a customer managed key in AWS Key Management Service (AWS KMS).
Amazon CloudFront is being used by an organization to guarantee that its users have low-latency access to their online application. The business determined that all communication between users and CloudFront, as well as all traffic between CloudFront and the web application, should be encrypted. How are these stipulations to be met? (Select two.) Use AWS KMS to encrypt traffic between CloudFront and the web application. Set the Origin Protocol Policy to "HTTPS Only". Set the Origin's HTTP Port to 443. Set the Viewer Protocol Policy to "HTTPS Only" or "Redirect HTTP to HTTPS". Enable the CloudFront option Restrict Viewer Access.
A developer is transferring an application from on-premises to AWS. Currently, the program accepts user uploads and stores them to a server-side local directory. All uploads must be preserved and instantly accessible to all instances within an Auto Scaling group. Which strategy will satisfy these criteria? Use Amazon EBS and configure the application AMI to use a snapshot of the same EBS instance on boot. Use Amazon S3 and rearchitect the application so all uploads are placed in S3. Use instance storage and share it between instances launched from the same Amazon Machine Image (AMI). Use Amazon EBS and file synchronization software to achieve eventual consistency among the Auto Scaling group.
A developer is updating a bespoke application that is currently running on AWS Elastic Beanstalk. What solutions will update the Elastic Beanstalk environment with the new application version after the Developer completes the changes? (Select two.) Package the application code into a .zip file, and upload, then deploy the packaged application from the AWS Management Console Package the application code into a .tar file, create a new application version from the AWS Management Console, then update the environment by using AWS CLI Package the application code into a .tar file, and upload and deploy the packaged application from the AWS Management Console Package the application code into a .zip file, create a new application version from the packaged application by using AWS CLI, then update the environment by using AWS CLI Package the application code into a .zip file, create a new application version from the AWS Management Console, then rebuild the environment by using AWS CLI.
A developer is debugging connection difficulties between an Amazon Web Services Lambda function and an Amazon EC2 machine running Amazon Linux 2. Even if the Lambda function is enabled to access resources on the EC2 instance's network, the Lambda function and the EC2 instance are unable to interact. How can the developer see the network traffic between the Lambda function and the Amazon Elastic Compute Cloud instance? Inspect the VPC flow logs for network activity. Use the traceroute command on the EC2 instance to check connectivity. Analyze the Amazon CloudWatch metrics for network traffic. Use the telnet command on the EC2 instance to check connectivity.
A business wishes to transition an imaging service to Amazon EC2 while adhering to industry best practices for security. The photos are obtained and read from an Amazon S3 bucket that is not publicly accessible. What actions should a developer take to ensure compliance with these requirements? Create an IAM user with read-only permissions for the S3 bucket. Temporarily store the user credentials in the Amazon EBS volume of the EC2 instance. Create an IAM user with read-only permissions for the S3 bucket. Temporarily store the user credentials in the user data of the EC2 instance. Create an EC2 service role with read-only permissions for the S3 bucket. Attach the role to the EC2 instance. Create an S3 service role with read-only permissions for the S3 bucket. Attach the role to the EC2 instance.
How does AWS KMS's Envelope Encryption work? The Customer Master Key is used to encrypt/decrypt a data key. The Plaintext Data Key is used to encrypt customer data. Two encryption keys are used. The Customer Master Key encrypts customer data. The Data Key is used to re-encrypt the encrypted data. Two encryption keys are used. The Data Key encrypts customer data. The Customer Master Key is used to re-encrypt the encrypted data. The Customer Master Key is used to encrypt/decrypt a data key. The Encrypted Data Key is used to encrypt customer data.
A developer must construct an application that supports SAML and Facebook authentication. Additionally, it must provide access to AWS services such as Amazon DynamoDB. Which AWS service or feature will allow for the LEAST amount of extra code to achieve these requirements? AWS AppSync Amazon Cognito identity pools Amazon Cognito user pools Amazon Lambda@Edge.
A developer is troubleshooting an AWS Lambda function that is being used in conjunction with an Amazon API Gateway. HTTP status code 200 is returned whenever the API Gateway endpoint is contacted, despite the fact that AWS Lambda is logging a 4xx error. What modification is required to deliver an appropriate error code through the API Gateway? Enable CORS in the API Gateway method settings Use a Lambda proxy integration to return HTTP codes and headers Enable API Gateway error pass-through. Return the value in the header x-Amzn-ErrorType.
A development team is now working on a case management system that will enable the processing and evaluation of medical claims. Users log in to share medical and financial information. Sensitive data such as medical records, medical imaging, bank statements, and invoices are uploaded to Amazon S3 as part of the program. All papers must be sent and kept securely. All access to documents must be documented for auditing purposes. Which technique is the MOST SECURE? Use S3 default encryption using Advanced Encryption Standard-256 (AES-256) on the destination bucket. Use Amazon Cognito for authorization and authentication to ensure the security of the application and documents. Use AWS Lambda to encrypt and decrypt objects as they are placed into the S3 bucket. Use client-side encryption/decryption with Amazon S3 and AWS KMS.
A business administers a website that is hosted on Amazon EC2 instances that are routed via an Elastic Load Balancer. CPU use is limited on EC2 Instances. The technical staff at the organization is responsible for securing incoming internet traffic. Which combination of actions will satisfy these criteria? (Select two.) Configure the Elastic Load Balancer with SSL passthrough. Configure SSL certificates on the Elastic Load Balancer. Configure the Elastic Load Balancer with a Loadable Storage System. Install SSL certificates on the EC2 instances. Configure the Elastic Load Balancer with SSL termination.
A developer is constructing a template that will be used to deploy an application through AWS CloudFormation. This is a serverless application that makes use of Amazon API Gateway, Amazon DynamoDB, and AWS Lambda. Which tool should the developer use to create simpler syntax for serverless resource expressions? CloudFormation serverless intrinsic functions AWS serverless express An AWS serverless application model A CloudFormation serverless plugin.
On AWS, a developer is developing a new sophisticated application. The application is composed of a number of microservices that are hosted on Amazon EC2. The developer wants to ascertain which microservice incurs the most delay while processing a request. Which technique should the developer use to determine this? Instrument each microservice request using the AWS X-Ray SDK. Examine the annotations associated with the requests. Instrument each microservice request using the AWS X-Ray SDK. Examine the subsegments associated with the requests. Instrument each microservice request using the AWS X-Ray SDK. Examine the Amazon CloudWatch EC2 instance metrics associated with the requests. Instrument each microservice request using the Amazon CloudWatch SDK. Examine the CloudWatch EC2 instance metrics associated with the requests.
A deployment package utilizes the AWS CLI to put files into any S3 bucket in the account, using environment variables to keep access keys. The package is operating on Amazon EC2 instances that have been updated to run with an assumed IAM role and a more restricted policy that restricts access to a single bucket. Following the update, the Developer logs in to the host and retains the ability to write to all of the account's S3 buckets. What is the MOST LIKELY REASON for this occurrence? An IAM inline policy is being used on the IAM role An IAM managed policy is being used on the IAM role The AWS CLI is corrupt and needs to be reinstalled The AWS credential provider looks for instance profile credentials last.
A business is in the process of building a new web application in Python. The application must be deployed using AWS Elastic Beanstalk via the AWS Management Console. The developer produces an Elastic Beanstalk source bundle, which he or she then uploads through the console. Which of the following are prerequisites for developing the source bundle? (Select two.) The source bundle must include the ebextensions.yaml file The source bundle must not include a top-level directory The source bundle must be compressed with any required dependencies in a top-level parent folder The source bundle must be created as a single .zip or .war file The source bundle must be uploaded into Amazon EFS.
A developer is developing an AWS Lambda function that creates a new file upon execution. Each new file must be checked into the same AWS CodeCommit repository. How should the developer go about doing this? When the Lambda function starts, use the Git CLI to clone the repository. Check the new file into the cloned repository and push the change. After the new file is created in Lambda, use cURL to invoke the CodeCommit API. Send the file to the repository. Use an AWS SDK to instantiate a CodeCommit client. Invoke the put_file method to add the file to the repository. Upload the new file to an Amazon S3 bucket. Create an AWS Step Function to accept S3 events. In the Step Function, add the new file to the repository.
A developer is publishing vital log data to a log group formed two months ago in Amazon CloudWatch Logs. The developer must encrypt the log data using an AWS KMS customer master key (CMK) in order to ensure that future data is encrypted in accordance with the company's security policy. How is the Developer going to fulfill this requirement? Use the CloudWatch Logs console and enable the encrypt feature on the log group Use the AWS CLI create-log-group command and specify the key Amazon Resource Name (ARN) Use the KMS console and associate the CMK with the log group Use the AWS CLI associate-kms-key command and specify the key Amazon Resource Name (ARN).
A developer must invoke an AWS Lambda function depending on the lifecycle activity of an item in an Amazon DynamoDB database. How does the developer go about developing the solution? Enable a DynamoDB stream that publishes an Amazon SNS message. Trigger the Lambda function synchronously from the SNS message. Enable a DynamoDB stream that publishes an SNS message. Trigger the Lambda function asynchronously from the SNS message. Enable a DynamoDB stream, and trigger the Lambda function synchronously from the stream. Enable a DynamoDB stream, and trigger the Lambda function asynchronously from the stream.
AWS Lambda functions must read data from an Amazon RDS MySQL database contained inside a VPC and also connect to a public endpoint on the internet to get extra data. Which actions must be made to provide access to both the RDS resource and the public endpoint by the function? (Select two.) Modify the default configuration for the Lambda function to associate it with an Amazon VPC private subnet. Modify the default network access control list to allow outbound traffic. Add a NAT Gateway to the VPC. Modify the default configuration of the Lambda function to associate it with a VPC public subnet. Add an environmental variable to the Lambda function to allow outbound internet access.
A web application is being developed to audit several Amazon Web Services accounts. The application will be hosted in Account A and will need access to AWS services hosted in Accounts B and C. What is the SAFEST method for the application to access AWS services in each audited account? Configure cross-account roles in each audited account. Write code in Account A that assumes those roles Use S3 cross-region replication to communicate among accounts, with Amazon S3 event notifications to trigger Lambda functions Deploy an application in each audited account with its own role. Have Account A authenticate with the application Create an IAM user with an access key in each audited account. Write code in Account A that uses those access keys.
The following conditions apply to an application: ✑ Performance efficiency of seconds with up to a minute of latency. ✑ The data storage size may grow up to thousands of terabytes. ✑ Per-message sizes may vary between 100 KB and 100 MB. ✑ Data can be stored as key/value stores supporting eventual consistency. Which AWS service would be the MOST cost-effective to accomplish these requirements? Amazon DynamoDB Amazon S3 Amazon RDS (with a MySQL engine) Amazon ElastiCache.
A developer is developing a Linux application that will be hosted on AWS Elastic Beanstalk. The application's requirements indicate that it must retain full capacity throughout upgrades while keeping costs to a minimum. Which deployment policy for Elastic Beanstalk should the developer select for the environment? Immutable Rolling All at Once Rolling with additional batch.
A developer is developing a web application for AWS Lambda. Users will be able to log in and see private documents using the application. All pages in the application must adhere to the company's branding guidelines. How can the developer host the sign-in pages with the LEAST custom code possible? Upload files for the sign-in pages with the required branding to an Amazon S3 bucket. Configure static website hosting for the S3 bucket. Create a Lambda function to serve the sign-in pages with the required branding. Configure Amazon API Gateway to route traffic to the function. Create a Lambda@Edge function to serve the sign-in pages with the required branding. Configure Amazon CloudFront to invoke the function in response to user requests Configure an Amazon Cognito user pool with an Amazon Cognito hosted UI for the sign-in pages. Customize the pages with the required branding.
A business has an Amazon S3 bucket holding premium material that it wants to make accessible exclusively to paying website subscribers. Currently, the S3 bucket's default permissions set all objects to private to avoid inadvertently exposing premier material to non-paying website users. How is the corporation able to restrict access to a premium content file in the S3 bucket to just paying subscribers? Apply a bucket policy that allows anonymous users to download the content from the S3 bucket. Generate a pre-signed object URL for the premier content file when a paid subscriber requests a download. Add a bucket policy that requires multi-factor authentication for requests to access the S3 bucket objects. Enable server-side encryption on the S3 bucket for data protection against the non-paying website visitors.
A developer is developing an AWS Lambda function to handle data coming from an Amazon Kinesis Data Stream. When the Lambda function parses the data and comes across an empty field, it returns an error. The function duplicates the records in the Kinesis stream. There are no duplicate entries when the Developer examines the stream output without using the Lambda function. What accounts for the duplicates? The Lambda function did not advance the Kinesis stream pointer to the next record after the error The Lambda event source used asynchronous invocation, resulting in duplicate records. The Lambda function did not handle the error, and the Lambda service attempted to reprocess the data. The Lambda function is not keeping up with the amount of data coming from the stream.
A developer wishes to activate AWS X-Ray for a secure application hosted on Amazon ECS. Which sequence of actions enables X-Ray? (Select three.) Create a Docker image that runs the X-Ray daemon. Add instrumentation to the application code for X-Ray. Install the X-Ray daemon on the underlying EC2 instance. Configure and use an IAM EC2 instance role. Register the application with X-Ray. Configure and use an IAM role for tasks.
A corporation has integrated AWS CodeDeploy into their cloud native continuous integration and delivery (CI/CD) stack. Automatic rollbacks are enabled during the deployment of a new version of a popular web application from on-premises to Amazon EC2. What happens if the new version's deployment fails due to code regression? The last known good deployment is automatically restored using the snapshot stored in Amazon S3. CodeDeploy switches the Amazon Route 53 alias records back to the known good green deployment and terminates the failed blue deployment. A new deployment of the last known version of the application is deployed with a new deployment ID. AWS CodePipeline promotes the most recent deployment with a SUCCEEDED status to production.
A business has developed a serverless application that makes use of Amazon Simple Queue Service (Amazon SQS) and an Amazon Web Services Lambda function. On the final day of each month, the application gets data in a SQS queue. Within one day, the function successfully processes all of the data in the queue. A comprehensive AWS bill reveals a high volume of SQS API queries throughout the month, despite the fact that the queue gets data only on the month's last day. What is causing the increased API requests? Lambda is using long polling to check for messages in the SQS queue. The SQS queue is sending ping messages to Lambda. The function is not automatically deleting the messages from the SQS queue. Visibility timeout is not set to 0 to remove the extra API requests.
A developer chooses to use Amazon S3 to store highly secure data and wants to build server-side encryption (SSE) with granular control over who may access the master key. For security reasons, company policy demands that the master key be established, cycled, and deactivated easily as necessary. Which option is most appropriate for meeting these requirements? SSE with Amazon S3 managed keys (SSE-S3) SSE with AWS KMS managed keys (SSE-KMS) SSE with AWS Secrets Manager SSE with customer-provided encryption keys.
A developer is testing an application that asynchronously executes an AWS Lambda function. The Lambda function fails to process after two retries during the testing phase. How can the developer debug the error? Configure AWS CloudTrail logging to investigate the invocation failures Configure Dead Letter Queues by sending events to Amazon SQS for investigation Configure Amazon Simple Workflow Service to process any direct unprocessed events Configure AWS Config to process any direct unprocessed events.
Thousands of sensitive audio and video data must be stored in an Amazon S3 bucket. All data written to this bucket must be encrypted according to organizational security rules. How can this policy's compliance be ensured? Use AWS Lambda to send notifications to the security team if unencrypted objects are put in the bucket. Configure an Amazon S3 bucket policy to prevent the upload of objects that do not contain the x-amz-server-side-encryption header. Create an Amazon CloudWatch event rule to verify that all objects stored in the Amazon S3 bucket are encrypted. Configure an Amazon S3 bucket policy to prevent the upload of objects that contain the x-amz-server-side-encryption header.
When attempting to start or stop an Amazon EC2 instance using a boto3 script, the developer gets the following error message. What is the developer's responsibility in resolving this error message? Assign an IAM role to the EC2 instance to allow necessary API calls on behalf of the client. Implement an exponential backoff algorithm for optimizing the number of API requests made to Amazon EC2. Increase the overall network bandwidth to handle higher API request rates. Upgrade to the latest AWS CLI version so that boto3 can handle higher request rates.
A business is building a new online game using the Amazon ECS platform. The design will have four separate Amazon ECS services, each of which will need unique permissions to various AWS services. By bin packing the containers depending on memory reservation, the business hopes to optimize the utilization of the underlying Amazon EC2 instances. Which configuration would enable the Development team to accomplish these criteria in the most secure manner possible? Create a new Identity and Access Management (IAM) instance profile containing the required permissions for the various ECS services, then associate that instance role with the underlying EC2 instances. Create four distinct IAM roles, each containing the required permissions for the associated ECS service, then configure each ECS service to reference the associated IAM role. Create four distinct IAM roles, each containing the required permissions for the associated ECS service, then, create an IAM group and configure the ECS cluster to reference that group. Create four distinct IAM roles, each containing the required permissions for the associated ECS service, then configure each ECS task definition to reference the associated IAM role.
There are two categories of members on a video-hosting website: those who pay a charge and those who do not. Each video upload creates a message in Amazon Simple Queue Service (SQS). Each video is processed by a fleet of Amazon EC2 instances that poll Amazon SQS. The developer must guarantee that the developer processes the films submitted by paying users first. How is the developer to achieve this criterion? Create two SQS queues: one for paying members, and one for non-paying members. Poll the paying member queue first and then poll the non-paying member queue. Use SQS to set priorities on individual items within a single queue; give the paying members' videos the highest priority. Use SQS to set priorities on individual items within a single queue and use Amazon SNS to encode the videos. Create two Amazon SNS topics: one for paying members and one for non-paying members. Use SNS topic subscription priorities to differentiate between the two types of members.
A developer wants to monitor an application that is deployed on Amazon EC2 instances using AWS X-Ray. What procedures must be taken to do the monitoring? Deploy the X-Ray SDK with the application and use X-Ray annotation. Install the X-Ray daemon and instrument the application code. Install the X-Ray daemon and configure it to forward data to Amazon CloudWatch Events. Deploy the X-Ray SDK with the application and instrument the application code.
To increase read speed, an application makes use of a single-node Amazon ElastiCache for Redis instance. Demand for the application has grown significantly over time, putting an increasing strain on the ElastiCache instance. It is vital that this cache layer is capable of handling the load and being robust in the event of a node failure. What can be done by the developer to meet load and resilience requirements? Migrate to an Elasticsearch Service cluster. Migrate to a Memcached cluster. Vertically scale the ElastiCache instance. Add a read replica instance.
A company created a serverless application that includes users' favorite actors. The company modeled its data in an Amazon DynamoDB table. The categories of the table are Actor, Movie, and Year. Each actor appears in several movies and can appear in multiple movies in a single year. The company wants to see which of the users' favorite actors were in the same movie and which movies were in the same year. A developer needs to design the DynamoDB table to minimize response time for those queries. Which solution meets these requirements? Create a composite primary key with Actor as the partition key and Movie as the sort key Use Year as the sort key for a global secondary index (GSI). Create a composite primary key with Actor as the partition key and Year as the sort key Use Movie as the sort key for a global secondary index (GSI). Create a composite primary key with Movie as the partition key and Actor as the sort key Use Year as the sort key for a global secondary index (GSI). Create a simple primary key with Actor as the partition key. Use Year as the sort key for a local secondary index (LSI).
An application is designed to use Amazon SQS to manage messages from many independent senders. Each sender's messages must be processed in the order they are received. Which SQS feature should be implemented by the Developer? Configure each sender with a unique MessageGroupId Enable MessageDeduplicationIds on the SQS queue Configure each message with unique MessageGroupIds. Enable ContentBasedDeduplication on the SQS queue.
A developer must increase read performance from an unencrypted Amazon S3 bucket. The application requires 100,000 read requests each second. Cost-effectiveness is a priority. What would be the SIMPLEST approach to implement these requirements? Create 20 or more prefixes in Amazon S3. Place files by prefixes. Read in parallel by prefixes. Create 20 or more AWS accounts. Create a bucket in each account. Read in parallel by bucket. Deploy Memcached on Amazon EC2. Cache the files in memory. Retrieve from the Memcached cache. Copy all files to Amazon DynamoDB. Index the files with S3 metadata. Retrieve from DynamoDB.
A multinational corporation runs an application on Amazon EC2 instances that provides image files stored in Amazon S3. User queries from the browser generate a lot of traffic, which leads in performance degradation. Which optimization technique should a developer use to boost the speed of an application? Create multiple prefixes in the S3 bucket to increase the request rate. Create an Amazon ElastiCache cluster to cache and serve frequently accessed items. Use Amazon CloudFront to serve the content of images stored in Amazon S3. Submit a ticket to AWS Support to request a rate limit increase for the S3 bucket.
A Developer wants to encrypt new objects that are being uploaded to an Amazon S3 bucket by an application. There must be an audit trail of who has used the key during this process. There should be no change to the performance of the application. Which type of encryption meets these requirements? Server-side encryption using S3-managed keys Server-side encryption with AWS KMS-managed keys Client-side encryption with a client-side symmetric master key Client-side encryption with AWS KMS-managed keys.
A company has an application that uses Amazon Cognito user pools as an identity provider. The company must secure access to user records. The company has set up multi-factor authentication (MFA). The company also wants to send a login activity notification by email every time a user logs in. What is the MOST operationally efficient solution that meets this requirement? Create an AWS Lambda function that uses Amazon Simple Email Service (Amazon SES) to send the email notification. Add an Amazon API Gateway API to invoke the function. Call the API from the client side when login confirmation is received. Create an AWS Lambda function that uses Amazon Simple Email Service (Amazon SES) to send the email notification. Add an Amazon Cognito post authentication Lambda trigger for the function Create an AWS Lambda function that uses Amazon Simple Email Service (Amazon SES) to send the email notification. Create an Amazon CloudWatch Logs log subscription filter to invoke the function based on the login status. Configure Amazon Cognito to stream all logs to Amazon Kinesis Data Firehose. Create an AWS Lambda function to process the streamed logs and to send the email notification based on the login status of each user.
A developer is building a serverless application that is based on AWS Lambda. The developer initializes the AWS software development kit (SDK) outside of the Lambda handler function. What is the PRIMARY benefit of this action? Improves legibility and stylistic convention Takes advantage of runtime environment reuse Provides better error handling Creates a new SDK instance for each invocation.
A developer needs to use Amazon DynamoDB to store customer orders. The developer's company requires all customer data to be encrypted at rest with a key that the company generates. What should the developer do to meet these requirements? Create the DynamoDB table with encryption set to None. Code the application to use the key to decrypt the data when the application reads from the table. Code the application to use the key to encrypt the data when the application writes to the table. Store the key by using AWS Key Management Service (AWS KMS). Choose an AWS KMS customer managed key during creation of the DynamoDB table. Provide the Amazon Resource Name (ARN) of the AWS KMS key. Store the key by using AWS Key Management Service (AWS KMS). Create the DynamoDB table with default encryption. Include the kms:Encrypt parameter with the Amazon Resource Name (ARN) of the AWS KMS key when using the DynamoDB software development kit (SDK). Store the key by using AWS Key Management Service (AWS KMS). Choose an AWS KMS AWS managed key during creation of the DynamoDB table. Provide the Amazon Resource Name (ARN) of the AWS KMS key.
A developer is working on a web application that runs on Amazon Elastic Container Service (Amazon ECS) and uses an Amazon DynamoDB table to store data. The application performs a large number of read requests against a small set of the table data. How can the developer improve the performance of these requests? (Choose two.) Create an Amazon ElastiCache cluster. Configure the application to cache data in the cluster. Create a DynamoDB Accelerator (DAX) cluster. Configure the application to use the DAX cluster for DynamoDB requests. Configure the application to make strongly consistent read requests against the DynamoDB table. Increase the read capacity of the DynamoDB table. Enable DynamoDB adaptive capacity.
A development team has been using a builder server that is hosted on an Amazon EC2 instance to perform builds and deployments for the last 3 months. The EC2 instance's instance profile uses an IAM role that contains the Administrator Access managed policy. The development team must replace that policy with a policy that provides only the required permissions. What is the FASTEST way to create a custom IAM policy for the EC2 instance to meet this requirement? Create a new IAM policy based on services that the build server deployed or updated in the last 3 months. Create a new IAM policy that includes all actions that AWS CloudTrail recorded for the IAM role in the last 3 months. Create a new permissions boundary policy that denies all access. Associate the permissions boundaries with the IAM role. Create a new IAM policy by using Amazon Athena to query an Amazon S3 bucket that contains AWS CloudTrail events that the IAM role performed in the last 3 months.
A global company has a mobile app with static data stored in an Amazon S3 bucket in the us-east-1 Region. The company serves the content through an Amazon CloudFront distribution. The company is launching the mobile app in South Africa. The data must reside in the af-south-1 Region. The company does not want to deploy a specific mobile client for South Africa. What should the company do to meet these requirements? Use the CloudFront geographic restriction feature to block access to users in South Africa. Create a Lambda@Edge function. Associate the Lambda@Edge function as an origin request trigger with the CloudFront distribution to change the S3 origin Region. Create a Lambda@Edge function. Associate the Lambda@Edge function as a viewer response trigger with the CloudFront distribution to change the S3 origin Region. Include af-south-1 in the alternate domain name (CNAME) of the CloudFront distribution.
A developer is deploying an application on Amazon EC2 instances that run in Account A. In certain cases, this application needs to read data from a private Amazon S3 bucket in Account B. The developer must provide the application access to the S3 bucket without exposing the S3 bucket to anyone else. Which combination of actions should the developer take to meet these requirements? (Choose two.) Create an IAM role with S3 read permissions in Account B. Update the instance profile IAM role in Account A with S3 read permissions. Make the S3 bucket public with limited access for Account A. Configure the bucket policy in Account B to grant permissions to the instance profile role. Add a trust policy that allows s3:Get* permissions to the IAM role in Account B.
A developer has created an AWS Lambda function that uses 15 MB of memory. When the developer runs the code natively on a laptop that has 4 cores, the function runs within 100 ms. When the developer deploys the code as a Lambda function with 128 MB of memory, the first run takes 3 seconds. Subsequent runs take more than 500 ms to finish. The developer needs to improve the performance of the Lambda function so that the function runs consistently in less than 100 ms, excluding the initial startup time. Which solution will meet this requirement? Increase the reserved concurrency of the Lambda function. Increase the provisioned concurrency of the Lambda function Increase the memory of the Lambda function. Repackage the Lambda function as a container. Redeploy the function.
A company has an application that analyzes photographs. A developer is preparing the application for deployment to Amazon EC2 instances. The application's image analysis functions require a mix of GPU instances and CPU instances that run on Amazon Linux. The developer needs to add code to the application so that the functions can determine whether they are running on a GPU instance. What should the functions do to obtain this information? Call the DescribeInstances API operation and filter on the current instance ID. Examine the ElasticGpuAssociations property. Evaluate the GPU AVAILABLE environment variable. Call the DescribeElasticGpus API operation. Retrieve the instance type from the instance metadata.
A developer designed an application on an Amazon EC2 instance. The application makes API requests to objects in an Amazon S3 bucket. Which combination of steps will ensure that the application makes the API requests in the MOST secure manner? (Choose two.) Create an IAM user that has permissions to the S3 bucket. Add the user to an IAM group. Create an IAM role that has permissions to the S3 bucket. Add the IAM role to an instance profile. Attach the instance profile to the EC2 instance. Create an IAM role that has permissions to the S3 bucket. Assign the role to an IAM group. Store the credentials of the IAM user in the environment variables on the EC2 instance.
A developer needs to deploy an application to AWS Elastic Beanstalk for a company. The application consists of a single Docker image. The company's automated continuous integration and continuous delivery (CI/CD) process builds the Docker image and pushes the image to a public Docker registry. How should the developer deploy the application to Elastic Beanstalk? Create a Dockerfile. Configure Elastic Beanstalk to build the application as a Docker image. Create a docker-compose.yml file. Use the Elastic Beanstalk CLI to deploy the application. Create a .zip file that contains the Docker image. Upload the .zip file to Elastic Beanstalk. Create a Dockerfile. Run the Elastic Beanstalk CLI eb local run command in the same directory.
A software company is using AWS CodeBuild to build an application. The buildspec runs the application build and creates a Docker image that contains the application. The company needs to push the Docker image to Amazon Elastic Container Registry (Amazon ECR) only upon the completion of each successful build. Which solution meets these requirements? Change the buildspec by adding a post_build phase that uses the commands block to push the Docker image. Change the buildspec by adding a post_build phase that uses the finally block to push the Docker image. Specify the Docker image in the buildspec's artifacts sequence with an action to push the image. Use a batch build to define a build matrix. Use the batch build to push the Docker image.
A developer has built an application that inserts data into an Amazon DynamoDB table. The table is configured to use provisioned capacity. The application is deployed on a burstable nano Amazon EC2 instance. The application logs show that the application has been failing because of a ProvisionedThroughputExceededException error. Which actions should the developer take to resolve this issue? (Choose two.) Move the application to a larger EC2 instance. Increase the number of read capacity units (RCUs) that are provisioned for the DynamoDB table. Reduce the frequency of requests to DynamoDB by implementing exponential backoff. Increase the frequency of requests to DynamoDB by decreasing the retry delay. Change the capacity mode of the DynamoDB table from provisioned to on-demand.
A gaming website gives users the ability to trade game items with each other on the platform. The platform requires both users' records to be updated and persisted in one transaction. If any update fails, the transaction must roll back. Which AWS solution can provide the transactional capability that is required for this feature? Amazon DynamoDB with operations made with the Consistent Read parameter set to true Amazon ElastiCache for Memcached with operations made within a transaction block Amazon DynamoDB with reads and writes made by using Transact* operations Amazon Aurora MySQL with operations made within a transaction block Amazon Athena with operations made within a transaction block.
A developer has created a Java application that makes HTTP requests directly to AWS services. Application logging shows 5xx HTTP response codes that occur at irregular intervals. The errors are affecting users. How should the developer update the application to improve the application's resiliency? Revise the request content in the application code. Use the AWS SDK for Java to interact with AWS APIs. Scale out the application so that more instances of the application are running. Add additional logging to the application code.
A developer is testing an AWS Lambda function by using the AWS Serverless Application Model (AWS SAM) local CLI. The application that is implemented by the Lambda function makes several AWS API calls by using the AWS software development kit (SDK). The developer wants to allow the function to make AWS API calls in a test AWS account from the developer's laptop. What should the developer do to meet these requirements? Edit the template.yml file. Add the AWS_ACCESS_KEY_ID property and the AWS_SECRET_ACCESS_KEY property in the Globals section. Add a test profile by using the aws configure command with the --profile option. Run AWS SAM by using the sam local invoke command with the --profile option. Edit the template.yml file. For the AWS::Serverless::Function resource, set the role to an IAM role in the AWS account. Run the function by using the sam local invoke command. Override the AWS_ACCESS_KEY_ID parameter and the AWS_SECRET_ACCESS_KEY parameter by specifying the --parameter-overrides option.
A developer is configuring an Amazon CloudFront distribution for a new application to provide encryption in transit. The application is running in the eu-west-1 Region. The developer creates a new certificate in AWS Certificate Manager (ACM) in eu-west-1, but the certificate is not visible in the CloudFront distribution settings. What should the developer do to fix this problem? Create the certificate for the domain in the same Region as the application. Ensure that the alternate domain name (CNAME) in the distribution settings matches the domain name in the certificate. Create the certificate in the eu-west-1 Region. Ensure that the alternate domain name (CNAME) in the distribution settings matches the domain name in the certificate. Recreate the CloudFront distribution in the same Region as the certificate. Specify the ACM certificate name as the default root object of the CloudFront distribution.
A developer is building an application that runs behind an Application Load Balancer (ALB). The ALB is configured as the origin for an Amazon CloudFront distribution. Users will log in to the application by using their social media accounts. How can the developer authenticate users? Validate the users by inspecting the tokens in an AWS Lambda authorizer on the ALB. Configure the ALB to use Amazon Cognito as one of the authentication providers. Configure CloudFront to use Amazon Cognito as one of the authentication providers. Validate the users by calling the Amazon Cognito API in an AWS Lambda authorizer on the ALB.
A company hosts a three-tier web application on AWS behind an Amazon CloudFront distribution. A developer wants a dashboard to monitor error rates and anomalies of the CloudFront distribution with the shortest possible refresh interval. Which combination of steps should the developer take to meet these requirements? (Choose two.) Activate real-time logs on the CloudFront distribution. Create a stream in Amazon Kinesis Data Streams. Export the CloudFront logs to an Amazon S3 bucket. Detect anomalies and error rates with Amazon QuickSight. Configure Amazon Kinesis Data Streams to deliver logs to Amazon OpenSearch Service (Amazon Elasticsearch Service). Create a dashboard in OpenSearch Dashboards (Kibana). Create Amazon CloudWatch alarms based on expected values of selected CloudWatch metrics to detect anomalies and errors. Design an Amazon CloudWatch dashboard of the selected CloudFront distribution metrics.
A global company has a mobile app with static data stored in an Amazon S3 bucket in the us-east-1 Region. The company serves the content through an Amazon CloudFront distribution. The company is launching the mobile app in South Africa. The data must reside in the af-south-1 Region. The company does not want to deploy a specific mobile client for South Africa. What should the company do to meet these requirements? Use the CloudFront geographic restriction feature to block access to users in South Africa. Create a Lambda@Edge function. Associate the Lambda@Edge function as an origin request trigger with the CloudFront distribution to change the S3 origin Region. Create a Lambda@Edge function. Associate the Lambda@Edge function as a viewer response trigger with the CloudFront distribution to change the S3 origin Region. Include af-south-1 in the alternate domain name (CNAME) of the CloudFront distribution.
A developer creates a customer managed key for multiple AWS users to encrypt data in Amazon S3. The developer configures Amazon Simple Notification Service (Amazon SNS) to publish a message if key deletion is scheduled. The developer needs to preserve any SNS messages that cannot be delivered so that those messages can be reprocessed. Which AWS service or feature should the developer use to meet this requirement? Amazon CloudWatch alarm Amazon Simple Queue Service (Amazon SQS) AWS Lambda Amazon Simple Email Service (Amazon SES).
A company is using AWS CodeDeploy for all production deployments. A developer has an Amazon Elastic Container Service (Amazon ECS) application that uses the CodeDeployDefault.ECSAllAtOnce configuration. The developer needs to update the production environment in increments of 10% until the entire production environment is updated. Which CodeDeploy configuration should the developer use to meet these requirements? CodeDeployDefault.ECSCanary10Percent5Minutes CodeDeployDefault.ECSLinear10PercentEvery3Minutes CodeDeployDefault.OneAtATime CodeDeployDefault.LambdaCanary10Percent5Minutes.
A company is using AWS Elastic Beanstalk to deploy a three-tier application. The application uses an Amazon RDS DB instance as the database tier. The company wants to decouple the DB instance from the Elastic Beanstalk environment. Which combination of steps should a developer take to meet this requirement? (Choose two.) Create a new Elastic Beanstalk environment that connects to the DB instance. Create a new DB instance from a snapshot of the previous DB instance. Use the Elastic Beanstalk CLI to decouple the DB instance. Use the AWS CLI to decouple the DB instance. Modify the current Elastic Beanstalk environment to connect to the DB instance.
A company has point-of-sale devices across thousands of retail shops that synchronize sales transactions with a centralized system. The system includes an Amazon API Gateway API that exposes an AWS Lambda function. The Lambda function processes the transactions and stores the transactions in Amazon RDS for MySQL. The number of transactions increases rapidly during the day and is near zero at night. How can a developer increase the elasticity of the system MOST cost-effectively? Migrate from Amazon RDS to Amazon Aurora MySQL. Use an Aurora Auto Scaling policy to scale read replicas based on CPU consumption. Migrate from Amazon RDS to Amazon Aurora MySQL. Use an Aurora Auto Scaling policy to scale read replicas based on the number of database connections. Create an Amazon Simple Queue Service (Amazon SQS) queue. Publish transactions to the queue. Set the queue to invoke the Lambda function. Turn on enhanced fanout for the Lambda function. Create an Amazon Simple Queue Service (Amazon SQS) queue. Publish transactions to the queue. Set the queue to invoke the Lambda function. Set the reserved concurrency of the Lambda function to be less than the number of database connections.
A developer is writing an AWS Lambda function. The Lambda function needs to access items that are stored in an Amazon DynamoDB table. What is the MOST secure way to configure this access for the Lambda function? Create an IAM user that has permissions to access the DynamoDB table. Create an access key for this user. Store the access key ID and secret access key in the Lambda function environment variables. Add a resource-based policy to the DynamoDB table to allow access from the Lambda function's IAM role. Create an IAM policy that allows access to the DynamoDB table. Attach this policy to the Lambda function's IAM role. Create a DynamoDB Accelerator (DAX) cluster. Configure the Lambda function to use the DAX cluster to access the DynamoDB table.
A developer is implementing user authentication and authorization for a web application that is hosted on an Amazon EC2 instance. The developer needs to ensure that the user credentials are encrypted and secure when they are stored and transmitted. Which solution will meet these requirements? Activate web server modules for authentication and authorization on the instance. Use HTTP basic authentication for the user login. Deploy a custom authentication and authorization API over HTTP. Store the user credentials on Amazon ElastiCache for Redis. Use Amazon Cognito to configure a user pool. Use the Amazon Cognito API to authenticate and authorize the users. Create IAM users. Assign the users to different IAM groups. Use AWS Single Sign-On to authenticate and authorize each user.
A company that has multiple offices uses an Amazon DynamoDB table to store employee payroll information. Item attributes consist of employee names, office identifiers, and cumulative daily hours worked. The most frequently used query extracts a report of an alphabetical subset of employees for a specific office. Which design of the DynamoDB table primary key will have the MINIMUM performance impact? Partition key on the office identifier and sort key on the employee name Partition key on the employee name and sort key on the office identifier Partition key on the employee name Partition key on the office identifier.
A company hosts a microservices application that uses Amazon API Gateway, AWS Lambda, Amazon Simple Queue Service (Amazon SQS), and Amazon DynamoDB. One of the Lambda functions adds messages to an SQS FIFO queue. When a developer checks the application logs, the developer finds a few duplicated items in a DynamoDB table. The items were inserted by another polling function that processes messages from the queue. What is the MOST likely cause of this issue? Write operations on the DynamoDB table are being throttled. The SQS queue delivered the message to the function more than once. API Gateway duplicated the message in the SQS queue. The polling function timeout is greater than the queue visibility timeout.
A developer needs to write an AWS CloudFormation template on a local machine and deploy a CloudFormation stack to AWS. What must the developer do to complete these tasks? Install the AWS CLI. Configure the AWS CLI by using an IAM user name and password. Install the AWS CLI. Configure the AWS CLI by using an SSH key. Install the AWS CLI. Configure the AWS CLI by using an IAM user access key and secret key. Install an AWS software development kit (SDK). Configure the SDK by using an X.509 certificate.
A developer is working on a web application that runs on Amazon Elastic Container Service (Amazon ECS) and uses an Amazon DynamoDB table to store data. The application performs a large number of read requests against a small set of the table data. How can the developer improve the performance of these requests? (Choose two.) Create an Amazon ElastiCache cluster. Configure the application to cache data in the cluster. Create a DynamoDB Accelerator (DAX) cluster. Configure the application to use the DAX cluster for DynamoDB requests. Configure the application to make strongly consistent read requests against the DynamoDB table. Increase the read capacity of the DynamoDB table. Enable DynamoDB adaptive capacity.
A developer is creating a solution to track an account's Amazon S3 buckets over time. The developer has created an AWS Lambda function that will run on a schedule. The function will list the account's S3 buckets and will store the list in an Amazon DynamoDB table. The developer receives a permissions error when the developer runs the function with the AWSLambdaBasicExecutionRole AWS managed policy. Which combination of permissions should the developer use to resolve this error? (Choose two.) Cross-account IAM role Permission for the Lambda function to list buckets in Amazon S3 Permission for the Lambda function to write in DynamoDB Permission for Amazon S3 to invoke the Lambda function Permission for DynamoDB to invoke the Lambda function.
A company is adding items to an Amazon DynamoDB table from an AWS Lambda function that is written in Python. A developer needs to implement a solution that inserts records in the DynamoDB table and performs automatic retry when the insert fails. Which solution meets these requirements with MINIMUM code changes? Configure the Python code to run the AWS CLI through shell to call the PutItem operation Call the PutItem operation from Python by using the DynamoDB HTTP API Queue the items in AWS Glue, which will put them into the DynamoDB table Use the AWS software development kit (SDK) for Python (boto3) to call the PutItem operation.
A Development team decides to adopt a continuous integration/continuous delivery (CI/CD) process using AWS CodePipeline and AWS CodeCommit for a new application. However, management wants a person to review and approve the code before it is deployed to production. How can the Development team add a manual approver to the CI/CD pipeline? Use AWS SES to send an email to approvers when their action is required. Develop a simple application that allows approvers to accept or reject a build. Invoke an AWS Lambda function to advance the pipeline when a build is accepted. If approved, add an approved tag when pushing changes to the CodeCommit repository. CodePipeline will proceed to build and deploy approved commits without interruption. Add an approval step to CodeCommit. Commits will not be saved until approved. Add an approval action to the pipeline. Configure the approval action to publish to an Amazon SNS topic when approval is required. The pipeline execution will stop and wait for an approval.
An application uploads photos to an Amazon S3 bucket. Each photo that is uploaded to the S3 bucket must be resized to a thumbnail image by the application. Each thumbnail image is uploaded with a new name in the same S3 bucket. Which AWS service can a developer configure to directly process each single S3 event for each S3 object upload? Amazon EC2 Amazon Elastic Container Service (Amazon ECS) AWS Elastic Beanstalk AWS Lambda.
Where should the appspec.yml file be placed in order for AWS CodeDeploy to work? In the root of the application source code directory structure In the bin folder along with all the compiled code In an S3 bucket In the same folder as the application configuration files.
A Developer has written an application that runs on Amazon EC2 instances and generates a value every minute. The Developer wants to monitor and graph the values generated over time without logging in to the instance each time. Which approach should the Developer use to achieve this goal? Use the Amazon CloudWatch metrics reported by default for all EC2 instances. View each value from the CloudWatch console. Develop the application to store each value in a file on Amazon S3 every minute with the timestamp as the name. Publish each generated value as a custom metric to Amazon CloudWatch using available AWS SDKs. Store each value as a variable and add the variable to the list of EC2 metrics that should be reported to the Amazon CloudWatch console.
A serverless application is using AWS Step Functions to process data and save it to a database. The application needs to validate some data with an external service before saving the data. The application will call the external service from an AWS Lambda function, and the external service will take a few hours to validate the data. The external service will respond to a webhook when the validation is complete. A developer needs to pause the Step Functions workflow and wait for the response from the external service. What should the developer do to meet this requirement? Use the .waitForTaskToken option in the Lambda function task state. Pass the token in the body. Use the .waitForTaskToken option in the Lambda function task state. Pass the invocation request. Call the Lambda function in synchronous mode. Wait for the external service to complete the processing. Call the Lambda function in asynchronous mode. Use the Wait state until the external service completes the processing.
A developer must use AWS X-Ray to monitor an application that is running on an Amazon EC2 instance. The developer has prepared the application by using the X-Ray SDK. What should the developer do to perform the monitoring? Configure the X-Ray SDK sampling rule and target. Activate the X-Ray daemon from the EC2 console or the AWS CLI with the modify-instance-attribute command to set the XRayEnabled flag. Install the X-Ray daemon. Assign an IAM role to the EC2 instance with a policy that allows writes to X-Ray. Install the X-Ray daemon. Configure it to forward data to Amazon EventBridge (Amazon CloudWatch Events). Grant the EC2 instance permission to write to EventBridge (CloudWatch Events). Deploy the X-Ray SDK with the application, and instrument the application code. Use the SDK logger to capture and send the events.
A developer is designing a full-stack serverless application. Files for the website are stored in an Amazon S3 bucket. AWS Lambda functions that use Amazon API Gateway endpoints return results from an Amazon DynamoDB table. The developer must create a solution that securely provides registration and authentication for the application while minimizing the amount of configuration. Which solution meets these requirements? Create an Amazon Cognito user pool and an app client. Configure the app client to use the user pool and provide the hosted web UI provided for sign-up and sign-in. Configure an Amazon Cognito identity pool. Map the users with IAM roles that are configured to access the S3 bucket that stores the website. Configure and launch an Amazon EC2 instance to set up an identity provider with an Amazon Cognito user pool. Configure the user pool to provide the hosted web UI for sign-up and sign-in. Create an IAM policy that allows access to the website that is stored in the S3 bucket. Attach the policy to an IAM group. Add IAM users to the group.
A company has an application that writes files to an Amazon S3 bucket. Whenever there is a new file, an S3 notification event invokes an AWS Lambda function to process the file. The Lambda function code works as expected. However, when a developer checks the Lambda function logs, the developer finds that multiple invocations occur for every file. What is causing the duplicate entries? The S3 bucket name is incorrectly specified in the application and is targeting another S3 bucket. The Lambda function did not run correctly, and Lambda retried the invocation with a delay. Amazon S3 is delivering the same event multiple times. The application stopped intermittently and then resumed, splitting the logs into multiple smaller files.
A developer needs to use the AWS CLI on an on-premises development server temporarily to access AWS services while performing maintenance. The developer needs to authenticate to AWS with their identity for several hours. What is the MOST secure way to call AWS CLI commands with the developer's IAM identity? Specify the developer's IAM access key ID and secret access key as parameters for each CLI command. Run the aws configure CLI command. Provide the developer's IAM access key ID and secret access key. Specify the developer's IAM profile as a parameter for each CLI command. Run the get-session-token CLI command with the developer's IAM user. Use the returned credentials to call the CLI.
A developer is designing an AWS Lambda function to perform a maintenance activity. The developer will use Amazon EventBridge (Amazon CloudWatch Events) to invoke the function on an hourly schedule. The developer wants the function to log information at different levels of detail according to the value of a log level variable. The developer must design the function so that the log level can be set without requiring a change to the function code. Which solution will meet these requirements? Add a custom log level parameter for the Lambda function. Set the parameter by using the Lambda console. Set the log level in a Lambda environment variable. Set the log level in the Amazon CloudWatch Logs console. Add a custom log level parameter for the Lambda function. Set the parameter by using the AWS CLI.
A company is running an application on Amazon Elastic Container Service (Amazon ECS). When the company deploys a new version of the application, the company initially needs to expose 10% of live traffic to the new version. After a period of time, the company needs to immediately route all the remaining live traffic to the new version. Which ECS deployment should the company use to meet these requirements? Rolling update Blue/green with canary Blue/green with all at once Blue/green with linear.
A company is building a compute-intensive application that will run on a fleet of Amazon EC2 instances. The application uses attached Amazon EBS disks for storing data. The application will process sensitive information and all the data must be encrypted. What should a Developer do to ensure the data is encrypted on disk without impacting performance? Configure the Amazon EC2 instance fleet to use encrypted EBS volumes for storing data. Add logic to write all data to an encrypted Amazon S3 bucket. Add a custom encryption algorithm to the application that will encrypt and decrypt all data. Create a new Amazon Machine Image (AMI) with an encrypted root volume and store the data to ephemeral disks.
A company has a website that displays a daily newsletter. When a user visits the website, an AWS Lambda function processes the browser's request and queries the company's on-premises database to obtain the current newsletter. The newsletters are stored in English. The Lambda function uses the Amazon Translate TranslateText API operation to translate the newsletters, and the translation is displayed to the user. Due to an increase in popularity, the website's response time has slowed. The database is overloaded. The company cannot change the database and needs a solution that improves the response time of the Lambda function. Which solution meets these requirements? Change to asynchronous Lambda function invocation. Cache the translated newsletters in the Lambda /tmp directory. Enable TranslateText API caching. Change the Lambda function to use parallel processing.
A company has an online order website that uses Amazon DynamoDB to store item inventory. A sample of the inventory object is as follows: A developer needs to reduce all inventory prices by 100 as long as the resulting price would not be less than 500. What should the developer do to make this change with the LEAST number of calls to DynamoDB? Perform a DynamoDB Query operation with the Id. If the price is >= 600, perform an UpdateItem operation to update the price. Perform a DynamoDB UpdateItem operation with a condition expression of "Price >= 600". Perform a DynamoDB UpdateItem operation with a condition expression of "ProductCategory IN ({"S": "Sporting Goods"}) and Price 600". Perform a DynamoDB UpdateItem operation with a condition expression of "MIN Price = 500".
A company has an application that runs on AWS Elastic Beanstalk in a load-balanced environment. The company needs to update the instance types in the environment to a more recent generation of instance types. The company must minimize downtime during the deployment of this configuration change. Which deployment options will meet these requirements? (Choose two.) Disabled Rolling based on Health Immutable All at once Canary.
A developer wants to use AWS Elastic Beanstalk to test a new version of an application in a test environment. Which deployment method offers the FASTEST deployment? Immutable Rolling Rolling with additional batch All at once.
A company has moved a legacy on-premises application to AWS by performing a lift and shift. The application exposes a REST API that can be used to retrieve billing information. The application is running on a single Amazon EC2 instance. The application code cannot support concurrent invocations. Many clients access the API, and the company adds new clients all the time. A developer is concerned that the application might become overwhelmed by too many requests. The developer needs to limit the number of requests to the API for all current and future clients. The developer must not change the API, the application, or the client code. What should the developer do to meet these requirements? Place the API behind an Application Load Balancer. Set the target group throttling limits. Place the API behind an Amazon API Gateway API. Set the per-client throttling limits. Place the API behind a Network Load Balancer. Set the target group throttling limits. Place the API behind an Amazon API Gateway API. Set the server-side throttling limits.
A developer has created a web API that uses Amazon Elastic Container Service (Amazon ECS) and an Application Load Balancer (ALB). An Amazon CloudFront distribution uses the API as an origin for web clients. The application has received millions of requests with a JSON Web Token (JWT) that is not valid in the authorization header. The developer has scaled out the application to handle the unauthenticated requests. What should the developer do to reduce the number of unauthenticated requests to the API? Add a request routing rule to the ALB to return a 401 status code if the authorization header is missing. Add a container to the ECS task definition to validate JWTs. Set the new container as a dependency of the application container. Create a CloudFront function for the distribution. Use the crypto module in the function to validate the JWT. Add a custom authorizer for AWS Lambda to the CloudFront distribution to validate the JWT.
A developer needs to build and deploy a serverless application that has an API that mobile clients will use. The API will use Amazon DynamoDB and Amazon OpenSearch Service (Amazon Elasticsearch Service) as data sources. Responses that are sent to the clients will contain aggregated data from both data sources. The developer must minimize the number of API endpoints and must minimize the number of API calls that are required to retrieve the necessary data. Which solution should the developer use to meet these requirements? GraphQL API on AWS AppSync REST API on Amazon API Gateway GraphQL API on an Amazon EC2 instance REST API on AWS Elastic Beanstalk.
A developer is using an AWS Key Management Service (AWS KMS) customer master key (CMK) with imported key material to encrypt data in Amazon S3. The developer accidentally deletes the key material of the CMK and is unable to decrypt the data. How can the developer decrypt the data that was encrypted by the CMK? Request support from AWS to recover the deleted key material. Create a new CMK. Use the new CMK to decrypt the data. Use the CMK without the key material. Reimport the same key material to the CMK.
A developer is designing an Amazon DynamoDB table for an application. The application will store user information that includes a unique identifier and an email address for each user. The application must be able to query the table by using either the unique identifier or the email address. How should the developer design the DynamoDB table to meet these requirements? For the primary key of the table, specify the unique identifier as the partition key and specify the email address as the sort key. For the primary key of the table, specify the unique identifier as the partition key. Create a local secondary index (LSI) based on the email address. For the primary key of the table, specify the email address as the partition key and specify the unique identifier as the sort key. For the primary key of the table, specify the unique identifier as the partition key. Create a global secondary index (GSI) based on the email address.
A developer notices timeouts from the AWS CLI when the developer runs list commands. What should the developer do to avoid these timeouts? Use the --page-size parameter to request a smaller number of items. Use shorthand syntax to separate the list by a single space. Use the yaml-stream output for faster viewing of large datasets. Use quotation marks around strings to enclose data structure.
A company is planning to use AWS CodeDeploy to deploy an application to Amazon Elastic Container Service (Amazon ECS). During the deployment of a new version of the application, the company initially must expose only 10% of live traffic to the new version of the deployed application. Then, after 15 minutes elapse, the company must route all the remaining live traffic to the new version of the deployed application. Which CodeDeploy predefined configuration will meet these requirements? CodeDeployDefault.ECSCanary10Percent15Minutes CodeDeployDefault.LambdaCanary10Percent5Minutes CodeDeployDefault.LambdaCanary10Percent15Minutes CodeDeployDefault.ECSLinear10PercentEvery1Minutes.
An ecommerce company wants to redirect users to a country-specific website when they enter the example.com website. For example, the company wants to redirect United States users to example.com/us/ and wants to redirect French users to example.com/fr/. The web application is using Amazon CloudFront and an Application Load Balancer with an Amazon Elastic Container Service (Amazon ECS) cluster. The application's domain name resolution is configured in an Amazon Route 53 public hosted zone. Which solution will meet these requirements with the LEAST operational effort? Update the routing policy for the application's Route 53 record to specify geolocation routing. Configure listener rules based on a unique alias location to redirect requests to the correct URLs by country. Create a CloudFront function to inspect the CloudFront-Viewer-Country header and return redirect responses to different URLs based on user location. On the ECS web server configuration, use a GeoIP database to look up the requested IP address and redirect requests to the correct URLs by country. Use AWS WAF to determine the country of origin. Create an AWS WAF custom rule with a geographic match condition to redirect traffic from each country to the correct URL.
A developer creates an AWS Lambda function to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic. All message content must be encrypted in transit and at rest between Lambda and Amazon SNS. A part of the Lambda execution role is as follows: Which combination of steps should the developer take to meet these requirements? (Choose two.) Enable server-side encryption on the SNS topic. Add a Deny statement to the Lambda execution role. Specify the SNS topic ARN as the resource. Specify "aws:SecureTransport": "true" as the condition. Create a VPC endpoint for Amazon SNS. Add a StringEquals condition of "sns:Protocol": "https" to the Lambda execution role. Add a Deny statement to the Lambda execution role. Specify the SNS topic ARN as the resource. Specify "aws:SecureTransport": "false" as the condition.
A company is running a web application that is using Amazon Cognito for authentication. The company does not want to use multi-factor authentication (MFA) for all the visitors every time, but the company's security team has concerns about compromised credentials. The development team needs to configure mandatory MFA only when suspicious sign-in attempts are detected. Which Amazon Cognito feature will meet these requirements? Short message service (SMS) text message MFA Advanced security metrics Time-based one-time password (TOTP) software token MFA Adaptive authentication.
A company created an application to consume and process data. The application uses Amazon Simple Queue Service (Amazon SQS) and AWS Lambda functions. The application is currently working as expected, but it occasionally receives several messages that it cannot process properly. The company needs to clear these messages to prevent the queue from becoming blocked. A developer must implement a solution that makes queue processing always operational. The solution must give the company the ability to defer the messages with errors and save these messages for further analysis. What is the MOST operationally efficient solution that meets these requirements? Configure Amazon CloudWatch Logs to save the error messages to a separate log stream. Create a new SQS queue. Set the new queue as a dead-letter queue for the application queue. Configure the Maximum Receives setting. Change the SQS queue to a FIFO queue. Configure the message retention period to 0 seconds. Configure an Amazon CloudWatch alarm for Lambda function errors. Publish messages to an Amazon Simple Notification Service (Amazon SNS) topic to notify administrator users.
A company has a web application that runs on Amazon EC2 instances with a custom Amazon Machine Image (AMI). The company uses AWS CloudFormation to provision the application. The application runs in the us-east-1 Region, and the company needs to deploy the application to the us-west-1 Region. An attempt to create the AWS CloudFormation stack in us-west-1 fails. An error message states that the AMI ID does not exist. A developer must resolve this error with a solution that uses the least amount of operational overhead. Which solution meets these requirements? Change the AWS CloudFormation templates for us-east-1 and us-west-1 to use an AWS AMI. Relaunch the stack for both Regions. Copy the custom AMI from us-east-1 to us-west-1. Update the AWS CloudFormation template for us-west-1 to refer to AMI ID for the copied AMI. Relaunch the stack. Build the custom AMI in us-west-1. Create a new AWS CloudFormation template to launch the stack in us-west-1 with the new AMI ID. Manually deploy the application outside AWS CloudFormation in us-west-1.
A developer needs to launch a new Amazon EC2 instance by using the AWS CLI. Which AWS CLI command should the developer use to meet this requirement? aws ec2 bundle-instance aws ec2 start-instances aws ec2 confirm-product-instance aws ec2 run-instances.
A development team uses AWS Elastic Beanstalk for application deployment. The development team has configured the application version lifecycle policy to limit the number of application versions to 25. However, even with the application version lifecycle policy, the source bundle is deleted from the Amazon S3 source bucket. What should the development team do in the Elastic Beanstalk application version lifecycle settings to retain the source code in the S3 bucket? Enable versioning on the source bundle S3 bucket. Disable the S3 bucket lifecycle policy to avoid the archiving of the source bundle. Update the Elastic Beanstalk application version lifecycle policy to increase the version quota to 50. Update the Elastic Beanstalk application version lifecycle policy to retain the source bundle in Amazon S3.
A developer needs to implement a cache to store data that an application frequently queries from an Amazon RDS for MySQL database. The data structures that will be cached include sets and sorted sets. How should the developer implement the cache to achieve the LOWEST latency? Create an Amazon ElastiCache for Memcached instance. Serialize the data as JSON before caching the data. Create an Amazon ElastiCache for Redis instance. Use a Redis client library to cache the data. Create an Amazon DynamoDB table. Serialize the data as JSON before caching the data. Create an Amazon ElastiCache for Memcached instance. Use a Memcached client library to cache the data.
An application that is hosted on an Amazon EC2 instance needs access to files that are stored in an Amazon S3 bucket. The application lists the objects that are stored in the S3 bucket and displays a table to the user. During testing, a developer discovers that the application does not show any objects in the list. What is the MOST secure way to resolve this issue? Update the IAM instance profile that is attached to the EC2 instance to include the S3:* permission for the S3 bucket. Update the IAM instance profile that is attached to the EC2 instance to include the S3:ListBucket permission for the S3 bucket. Update the developer's user permissions to include the S3:ListBucket permission for the S3 bucket. Update the S3 bucket policy by including the S3:ListBucket permission and by setting the Principal element to specify the account number of the EC2 instance.
A developer is writing an application in Python. The application runs on AWS Lambda. The application generates a file and needs to upload this file to Amazon S3. The developer must implement this upload functionality with the least possible change to the application code. Which solution meets these requirements? Make an HTTP request directly to the S3 API to upload the file. Include the AWS SDK for Python in the Lambda function. Use the SDK to upload the file. Use the AWS SDK for Python that is installed in the Lambda environment to upload the file. Use the AWS CLI that is installed in the Lambda environment to upload the file.
A developer has an application that asynchronously invokes an AWS Lambda function. The developer wants to store messages that resulted in failed invocations of the Lambda function so that the application can retry the call later. What should the developer do to accomplish this goal with the LEAST operational overhead? Set up Amazon CloudWatch Logs log groups to filter and store the messages in an Amazon S3 bucket. Import the messages in Lambda. Run the Lambda function again. Configure Amazon EventBridge (Amazon CloudWatch Events) to send the messages to Amazon Simple Notification Service (Amazon SNS) to initiate the Lambda function again. Implement a dead-letter queue for discarded messages. Set the dead-letter queue as an event source for the Lambda function. Send Amazon EventBridge (Amazon CloudWatch Events) events to an Amazon Simple Queue Service (Amazon SQS) queue. Configure the Lambda function to pull messages from the SQS queue. Run the Lambda function again.
A developer is designing a serverless application for an ecommerce website. An Amazon API Gateway API exposes AWS Lambda functions for billing, payment, and user operations. The website features shopping carts for the users. The shopping carts must be stored for extended periods of time and will be retrieved frequently by the front-end application. The load on the application will vary significantly based on the time of day and the promotional sales that are offered on the website. The application must be able to scale automatically to meet these changing demands. Which solution will meet these requirements? Store the data objects on an Amazon RDS DB instance. Cache the data objects in memory by using Amazon ElastiCache. Store the data objects on Amazon EC2 instances behind an Application Load Balancer. Use session affinity (sticky sessions) for each user's shopping cart. Store the data objects in Amazon S3 buckets. Cache the data objects by using Amazon CloudFront with the maximum TTL. Store the data objects in Amazon DynamoDB tables. Cache the data objects by using DynamoDB Accelerator (DAX).
A developer must extend an existing application that is based on the AWS Serverless Application Model (AWS SAM). The developer has used the AWS SAM CLI to create the project. The project contains different AWS Lambda functions. Which combination of commands must the developer use to redeploy the AWS SAM application? (Choose two.) sam init sam validate sam build sam deploy sam publish.
A developer is creating an AWS CloudFormation template for an application. The application includes an Amazon RDS database. The password to be set for the resource's MasterUserPassword property is already stored in AWS Secrets Manager. How can the developer reference the value of the password in the CloudFormation template? Use a parameter in the CloudFormation template with the same name of the secret. Use the ssm dynamic reference by specifying the name of the secret and its version. Use the secretsmanager dynamic reference by specifying the appropriate reference-key segment. Use the ssm-secure dynamic reference by specifying the name of the secret and its version.
A company stores documents in Amazon S3 with default settings. A new regulation requires the company to encrypt the documents at rest, rotate the encryption keys annually, and keep a record of when the encryption keys were rotated. The company does not want to manage the encryption keys outside of AWS. Which solution will meet these requirements? Use server-side encryption with Amazon S3 managed encryption keys (SSE-S3). Use server-side encryption with AWS KMS managed encryption keys (SSE-KMS). Use server-side encryption with customer-provided encryption keys (SSE-C). Use client-side encryption before sending the data to Amazon S3.
A Developer has written a serverless application using multiple AWS services. The business logic is written as a Lambda function which has dependencies on third-party libraries. The Lambda function endpoints will be exposed using Amazon API Gateway. The Lambda function will write the information to Amazon DynamoDB. The Developer is ready to deploy the application but must have the ability to rollback. How can this deployment be automated, based on these requirements? Deploy using Amazon Lambda API operations to create the Lambda function by providing a deployment package. Use an AWS CloudFormation template and use CloudFormation syntax to define the Lambda function resource in the template. Use syntax conforming to the Serverless Application Model in the AWS CloudFormation template to define the Lambda function resource. Create a bash script which uses AWS CLI to package and deploy the application.
An application is using Amazon DynamoDB as its data store, and should be able to read 100 items per second as strongly consistent reads. Each item is 5 KB in size. To what value should the table's provisioned read throughput be set? 50 read capacity units 100 read capacity units 200 read capacity units 500 read capacity units.
A developer is using an Amazon Kinesis Data Firehose delivery stream to store data in Amazon S3. Before storing the data in Amazon S3, the developer wants to enrich the data by combining the data with data from an Amazon DynamoDB table. How can the developer implement the data enrichment? Create a Kinesis Data Firehose data transformation by using an Amazon EC2 instance. Configure the Kinesis Data Firehose delivery stream to send data to a Kinesis data stream. Enrich the data by using an AWS Lambda function. Configure the Kinesis Data Firehose delivery stream to store data in the DynamoDB table. Export the table to Amazon S3. Create a Kinesis Data Firehose data transformation by using an AWS Lambda function.
An ecommerce application is running behind an Application Load Balancer. A developer observes some unexpected load on the application during non-peak hours. The developer wants to analyze patterns for the client IP addresses that use the application. Which HTTP header should the developer use for this analysis? The X-Forwarded-Proto header The X-Forwarded-Host header The X-Forwarded-For header The X-Forwarded-Port header.
A developer is deploying an application that will store files in an Amazon S3 bucket. The files must be encrypted at rest. The developer wants to automatically replicate the files to an S3 bucket in a different AWS Region for disaster recovery. How can the developer accomplish this task with the LEAST amount of configuration? Encrypt the files by using server-side encryption with S3 managed encryption keys (SSE-S3). Enable S3 bucket replication. Encrypt the files by using server-side encryption (SSE) with an AWS Key Management Service (AWS KMS) customer master key (CMK). Enable S3 bucket replication. Use the s3 sync command to sync the files to the S3 bucket in the other Region. Configure an S3 Lifecycle configuration to automatically transfer files to the S3 bucket in the other Region.
A developer received the following error message during an AWS CloudFormation deployment: DELETE_FAILED (The following resource(s) failed to delete: [ASGInstanceRole12345678].) Which action should the developer take to resolve this error? Contact AWS Support to report an issue with the Auto Scaling Groups (ASG) service. Add a DependsOn attribute to the ASGInstanceRole12345678 resource in the CloudFormation template. Then delete the stack. Modify the CloudFormation template to retain the ASGInstanceRole12345678 resource. Then manually delete the resource after deployment. Add a force parameter when calling CloudFormation with the role-arn of ASGInstanceRole12345678.
A developer deploys an AWS Lambda function that runs each time a new Amazon S3 bucket is created. The Lambda function is supposed to attach an S3 Lifecycle policy to each new S3 bucket. The developer discovers that newly created S3 buckets have no S3 Lifecycle policy attached. Which AWS service should the developer use to find a possible error in the Lambda function? AWS CloudTrail Amazon S3 AWS CloudFormation Amazon CloudWatch.
A developer has code stored in an Amazon S3 bucket. The code must be deployed as an AWS Lambda function across multiple accounts in the same Region as the S3 bucket. The Lambda function will be deployed using an AWS CloudFormation template that is run for each account. What is the MOST secure approach to allow access to the Lambda code in the S3 bucket? Grant the CloudFormation execution role S3 list and get permissions. Add a bucket policy to Amazon S3 with the Principal of "AWS": [account numbers]. Grant the CloudFormation execution role S3 get permissions. Add a bucket policy to Amazon S3 with the Principal of "*". Use a service-based link to grant the Lambda function S3 list and get permissions by explicitly adding the S3 bucket's account number in the resource. Use a service-based link to grant the Lambda function S3 get permissions and add a Resource of "*" to allow access to the S3 bucket.
A developer is creating a role to access Amazon S3 buckets. To create the role, the developer uses the AWS CLI create-role command. Which policy should be added to allow the Amazon EC2 service to assume the role? Managed policy Trust policy Inline policy Service control policy (SCP).
An application running on Amazon EC2 opens connections to an Amazon RDS SQL Server database. The developer does not want to store the user name and password for the database in the code. The developer would also like to automatically rotate the credentials. What is the MOST secure way to store and access the database credentials? Create an IAM role that has permissions to access the database. Attach the role to the EC2 instance. Use AWS Secrets Manager to store the credentials. Retrieve the credentials from Secrets Manager as needed. Store the credentials in an encrypted text file in an Amazon S3 bucket. Configure the EC2 instance's user data to download the credentials from Amazon S3 as the instance boots. Store the user name and password credentials directly in the source code. No further action is needed because the source code is stored in a private repository.
An AWS Elastic Beanstalk application needs to be deployed in multiple regions and requires a different Amazon Machine Image (AMI) in each region. Which AWS CloudFormation template key can be used to specify the correct AMI for each region? Parameters Outputs Mappings Resources.
A company is using Amazon API Gateway to manage its public-facing API. The CISO requires that the APIs be used by test account users only. What is the MOST secure way to restrict API access to users of this particular AWS account? Usage plans Cross-origin resource sharing (CORS) API Gateway resource policies Client-side SSL certificates for authentication.
A developer is updating an application deployed on AWS Elastic Beanstalk. The new version is incompatible with the old version. To successfully deploy the update, a full cutover to the new, updated version must be performed on all instances at one time, with the ability to roll back changes in case of a deployment failure in the new version. How can this be performed with the LEAST amount of downtime? Perform an Elastic Beanstalk Rolling deployment Deploy the new version in a new Elastic Beanstalk environment and swap environment URLs. Perform an Elastic Beanstalk Rolling with additional batch deployment. Use the Elastic Beanstalk All at once deployment policy to update all instances simultaneously.
A Developer must allow guest users without logins to access an Amazon Cognito-enabled site to view files stored within an Amazon S3 bucket. How should the Developer meet these requirements? Create a blank user ID in a user pool, add to the user group, and grant access to AWS resources. Create a new identity pool, enable access to authenticated identities, and grant access to AWS resources. Create a new user pool, enable access to authenticated identities, and grant access to AWS resources. Create a new user pool, disable authentication access, and grant access to AWS resources.
A company is using Amazon RDS as the backend database for its application. After a recent marketing campaign, a surge of read requests to the database increased the latency of data retrieval from the database. The company has decided to implement a caching layer in front of the database. The cached content must be encrypted and must be highly available. Which solution will meet these requirements? Amazon CloudFront Amazon ElastiCache for Memcached Amazon ElastiCache for Redis in cluster mode Amazon DynamoDB Accelerator (DAX).
A developer uses a single AWS CloudFormation template to configure the test environment and the production environment for an application. The developer handles environment-specific requirements in the CloudFormation template. The developer decides to update the Amazon EC2 Auto Scaling launch template with new Amazon Machine Images (AMIs) for each environment. The CloudFormation update for the new AMIs is successful in the test environment, but the update fails in the production environment. What are the possible causes of the CloudFormation update failure in the production environment? (Choose two.) The new AMIs do not fulfill the specified conditions in the CloudFormation template. The service quota for the number of EC2 vCPUs in the AWS Region has been exceeded. The security group that is specified in the CloudFormation template does not exist. CloudFormation does not recognize the template change as an update. CloudFormation does not have sufficient IAM permissions to make the changes.
A developer has created an AWS Lambda function to provide notification through Amazon Simple Notification Service (Amazon SNS) whenever a file is uploaded to Amazon S3 that is larger than 50 MB. The developer has deployed and tested the Lambda function by using the CLI. However, when the event notification is added to the S3 bucket and a 3,000 MB file is uploaded, the Lambda function does not launch. Which of the following is a possible reason for the Lambda function's inability to launch? The S3 event notification does not activate for files that are larger than 1,000 MB. The resource-based policy for the Lambda function does not have the required permissions to be invoked by Amazon S3. Lambda functions cannot be invoked directly from an S3 event. The S3 bucket needs to be made public.
A developer has created a new IAM user that has the s3:PutObject permission to write to a specific Amazon S3 bucket. The S3 bucket uses server-side encryption with AWS KMS managed keys (SSE-KMS) as the default encryption. When an application uses the access key and secret key of the IAM user to call the PutObject API operation, the application receives an access denied error. What should the developer do to resolve this error? Update the policy of the IAM user to allow the s3:EncryptionConfiguration action. Update the bucket policy of the S3 bucket to allow the IAM user to upload objects. Update the policy of the IAM user to allow the kms:GenerateDataKey action. Update the ACL of the S3 bucket to allow the IAM user to upload objects.
A developer is designing a serverless application with two AWS Lambda functions to process photos. One Lambda function stores objects in an Amazon S3 bucket and stores the associated metadata in an Amazon DynamoDB table. The other Lambda function fetches the objects from the S3 bucket by using the metadata from the DynamoDB table. Both Lambda functions use the same Python library to perform complex computations and are approaching the quota for the maximum size of zipped deployment packages. What should the developer do to reduce the size of the Lambda deployment packages with the LEAST operational overhead? Package each Python library in its own .zip file archive. Deploy each Lambda function with its own copy of the library. Create a Lambda layer with the required Python library. Use the Lambda layer in both Lambda functions. Combine the two Lambda functions into one Lambda function. Deploy the Lambda function as a single .zip file archive. Download the Python library to an S3 bucket. Program the Lambda functions to reference the object URLs.
Which features can be used to restrict access to data in S3? (Choose two.) Use S3 Virtual Hosting Set an S3 Bucket policy. Enable IAM Identity Federation. Set an S3 ACL on the bucket or the object. Create a CloudFront distribution for the bucket.
A developer is writing an application to analyze the traffic to a fleet of Amazon EC2 instances. The EC2 instances run behind a public Application Load Balancer (ALB). An HTTP server runs on each of the EC2 instances, logging all requests to a log file. The developer wants to capture the client public IP addresses. The developer analyzes the log files and notices only the IP address of the ALB. What must the developer do to capture the client public IP addresses in the log file? Add a Host header to the HTTP server log configuration file. Install the Amazon CloudWatch Logs agent on each EC2 instance. Configure the agent to write to the log file. Install the AWS X-Ray daemon on each EC2 instance. Configure the daemon to write to the log file. Add an X-Forwarded-For header to the HTTP server log configuration file.
Which DynamoDB limits can be raised by contacting AWS support? (Choose two.) The number of hash keys per account The maximum storage used per account The number of tables per account The number of local secondary indexes per account The number of provisioned throughput units per account.