Amazon AWS Certified DevOps Engineer - Professional DOP-C02 Exam
AWS Certified DevOps Engineer - Professional DOP-C02
The AWS Certified DevOps Engineer – Professional (DOP-C02) exam validates advanced skills in automating CI/CD pipelines, infrastructure as code, monitoring, security, and high-availability systems on AWS. This certification is ideal for experienced DevOps engineers who design, deploy, and manage scalable, resilient, and secure cloud applications using AWS best practices.
1) A company uses an organization in AWS Organizations to manage its AWS accounts. The company's automation account contains a CI/CD pipeline that creates and configures new AWS accounts.
The company has a group of internal service teams that provide services to accounts in the organization. The service teams operate out of a set of services accounts. The service teams want to receive an AWS CloudTrail event in their services accounts when the CreateAccount API call creates a new account.
How should the company share this CloudTrail event with the service accounts?
A. Create an Amazon EventBridge rule in the automation account to send account creation events to the default event bus in the services accounts. Update the default event bus in the services accounts to allow events from the automation account.
B. Create a custom Amazon EventBridge event bus in the services accounts. Update the custom event bus to allow events from the automation account. Create an EventBridge rule in the services account that directly listens to CloudTrail events from the automation account.
C. Create a custom Amazon EventBridge event bus in the automation account and the services accounts. Create an EventBridge rule and policy that connects the custom event buses that are in the automation account and the services accounts.
D. Create a custom Amazon EventBridge event bus in the automation account. Create an EventBridge rule and policy that connects the custom event bus to the default event buses in the services accounts.
Correct Answer: A
2) A DevOps engineer manages a company's Amazon Elastic Container Service (Amazon ECS) cluster. The cluster runs on several Amazon EC2 instances that are in an Auto Scaling group. The DevOps engineer must implement a solution that logs and reviews all stopped tasks for errors.
Which solution will meet these requirements?
A. Create an Amazon EventBridge rule to capture task state changes. Send the event to Amazon CloudWatch Logs. Use CloudWatch Logs Insights to investigate stopped tasks.
B. Configure tasks to write log data in the embedded metric format. Store the logs in Amazon CloudWatch Logs. Monitor the ContainerInstanceCount metric for changes.
C. Configure the EC2 instances to store logs in Amazon CloudWatch Logs. Create a CloudWatch Contributor Insights rule that uses the EC2 instance log data. Use the Contributor Insights rule to investigate stopped tasks.
D. Configure an EC2 Auto Scaling lifecycle hook for the EC2_INSTANCE_TERMINATING scale-in event. Write the SystemEventLog file to Amazon S3. Use Amazon Athena to query the log file for errors.
Correct Answer: A
3) A company built its serverless infrastructure on AWS. The infrastructure consists of an Amazon API Gateway REST API, multiple AWS Lambda functions, and Amazon EventBridge.
The company wants to be aware of any new supply chain attacks that the company's CI/CD pipelines do not catch. The company needs a solution to detect malicious activity in the deployed application.
Which solution meets these requirements?
A. Enable AWS WAF for the API Gateway REST API. Configure an AWS WAF ACL. Add the known bad inputs managed rule group.
B. Enable Amazon GuardDuty. Enable Lambda Protection. Use EventBridge for event notifications.
C. Deploy AWS CloudFormation Guard in the CI/CD pipelines. Write rules to catch the supply chain attacks.
D. Create a firewall in AWS Network Firewall. Configure a policy. Add the managed rule for the Emerging Threats rule group.
Correct Answer: B
4) A company is migrating from its on-premises data center to AWS. The company currently uses a custom on-premises CI/CD pipeline solution to build and package software.
The company wants its software packages and dependent public repositories to be available in AWS CodeArtifact to facilitate the creation of application-specific pipelines.
Which combination of steps should the company take to update the CI/CD pipeline solution and to configure CodeArtifact with the LEAST operational overhead? (Select TWO.)
A. Update the CI/CD pipeline to create a VM image that contains newly packaged software. Use AWS Import/Export to make the VM image available as an Amazon EC2 AMI. Launch the AMI with an attached IAM instance profile that allows CodeArtifact actions. Use AWS CLI commands to publish the packages to a CodeArtifact repository.
B. Create an AWS Identity and Access Management Roles Anywhere trust anchor. Create an IAM role that allows CodeArtifact actions and that has a trust relationship on the trust anchor. Update the on-premises CI/CD pipeline to assume the new IAM role and to publish the packages to CodeArtifact.
C. Create a new Amazon S3 bucket. Generate a presigned URL that allows the PutObject request. Update the on-premises CI/CD pipeline to use the presigned URL to publish the packages from the on-premises location to the S3 bucket. Create an AWS Lambda function that runs when packages are created in the bucket through a put command. Configure the Lambda function to publish the packages to CodeArtifact
D. For each public repository, create a CodeArtifact repository that is configured with an external connection. Configure the dependent repositories as upstream public repositories.
E. Create a CodeArtifact repository that is configured with a set of external connections to the public repositories. Configure the external connections to be downstream of the repository.
Correct Answer: B, D
5) A company is migrating its product development teams from an on-premises data center to a hybrid environment. The new environment will add four AWS Regions and will give the developers the ability to use the Region that is geographically closest to them.
All the development teams use a shared set of Linux applications. The on-premises data center stores the applications on a NetApp ONTAP storage device. The storage volume is mounted read-only on the development on-premises VMs. The company updates the applications on the shared volume once a week.
A DevOps engineer needs to replicate the data to all the new Regions. The DevOps engineer must ensure that the data is always up to date with deduplication. The data also must not be dependent on the availability of the on-premises storage device.
Which solution will meet these requirements?
A. Create an Amazon S3 File Gateway in the on-premises data center. Create S3 buckets in each Region. Set up a cron job to copy the data from the storage device to the S3 File Gateway. Set up S3 Cross-Region Replication (CRR) to the S3 buckets in each Region.
B. Create an Amazon FSx File Gateway in one Region. Create file servers in Amazon FSx for Windows File Server in each Region. Set up a cron job to copy the data from the storage device to the FSx File Gateway.
C. Create Multi-AZ Amazon FSx for NetApp ONTAP instances and volumes in each Region. Configure a scheduled SnapMirror relationship between the on-premises storage device and the FSx for ONTAP instances.
D. Create an Amazon Elastic File System (Amazon EFS) file system in each Region. Deploy an AWS DataSync agent in the on-premises data center. Configure a schedule for DataSync to copy the data to Amazon EFS daily.
Correct Answer: C
6) A company has an application that receives file uploads from users. The application processes the uploads in multiple threads. An Amazon Elastic Container Service (Amazon ECS) service runs multiple instances of the application task. The task publishes an ApplicationFileUpload custom metric each time a file is uploaded to be processed.
Each file can take a while to process. The company wants to ensure that the tasks scale based on the number of files for each available task. Recently, many uploads in a short amount of time took a long time to process because individual tasks became overloaded with too many files.
Which solution will fix the problem with the LEAST operational effort?
A. Modify the application to publish a custom Amazon CloudWatch metric named UploadsPerTask. Configure the application to calculate the UploadsPerTask metric by using the existing ApplicationFileUpload metric and information from Amazon ECS about running tasks. Create a CloudWatch alarm that triggers if the UploadsPerTask metric exceeds a target value. Create a step scaling policy that references the alarm. Configure the step scaling policy to scale in and out based on alarm conditions.
B. Create a step scaling policy with the appropriate ScaleUpPolicy and ScaleDownPolicy scaling policies. Create an Amazon CloudWatch alarm that triggers if the ApplicationFileUpload metric exceeds a target value. Configure the alarm action to reference the ScaleUpPolicy scaling policy. Create a second CloudWatch alarm that triggers if the ApplicationFileUpload metric falls below a target value. Configure the alarm action to reference the ScaleDownPolicy scaling policy.
C. Create a target tracking policy by using the CustomizedMetricSpecification data type that references a target value for a metric. Configure the CustomizedMetricSpecification data type to use metric math that combines the ApplicationFileUpload metric (with sum statistic) and the ECS running task count (with average statistic) to calculate an UploadsPerTask metric that represents the number of files for each task.
D. Modify the application to publish a custom Amazon CloudWatch metric named UploadsPerTask. Configure the application to calculate the UploadsPerTask metric by using the existing ApplicationFileUpload metric and information from Amazon ECS about running tasks. Create a predictive scaling policy that uses a custom metric that references an ALBRequestCountPerTarget load metric, an UploadsPerTask scaling metric, and an appropriate target utilization.
Correct Answer: C
7) A development team manually builds a local artifact. The development team moves the artifact to an Amazon S3 bucket to support an application. The application has a local cache that must be cleared when the development team deploys the application to Amazon EC2 instances. For each deployment, the development team runs a command to clear the cache, download the artifact from the S3 bucket, and unzip the artifact to complete the deployment.
The development team wants to migrate the deployment process to a CI/CD process and to track the progress of each deployment.
Which combination of actions will meet these requirements with the MOST operational efficiency? (Select THREE.)
A. Set up an AWS CodeConnections compatible Git repository. Allow developers to merge code into the repository. Use AWS CodeBuild to build an artifact and copy the object into the S3 bucket. Configure CodeBuild to run for every merge into the main branch.
B. Create a custom script to clear the cache. Specify the script in the BeforeInstall lifecycle hook in the AppSpec file.
C. Create user data for each EC2 instance that contains the cache clearing script. Test the application after deployment. If the deployment is not successful, then redeploy.
D. Use AWS CodePipeline to deploy the application. Set up an AWS CodeConnections compatible Git repository. Allow developers to merge code into the repository as a source for the pipeline.
E. Use AWS CodeBuild to build the artifact and place the artifact in the S3 bucket. Use AWS CodeDeploy to deploy the artifact to EC2 instances
F. Use AWS Systems Manager to fetch the artifact from the S3 bucket and to deploy the artifact to all the EC2 instances.
Correct Answer: B, D, E
8) A company uses Amazon RDS for Microsoft SQL Server as its primary database for applications. The company needs to ensure high availability within and across AWS Regions.
An Amazon Route 53 CNAME record is configured for the database endpoint. The applications connect to the database endpoint. The company must redirect application traffic to a standby database during a failover event. The company must maintain an RPO of less than 1 minute and an RTO of less than 10 minutes.
Which solution will meet these requirements?
A. Deploy an Amazon RDS for SQL Server Multi-AZ DB cluster deployment that uses cross-Region read replicas. Use automation to promote the read replica to a standalone instance and to update the Route 53 record.
B. Deploy an Amazon RDS for SQL Server Multi-AZ DB cluster deployment. Set up automated snapshots to be copied to another Region every 5 minutes. Use AWS Lambda to restore the latest snapshot in the secondary Region during failover.
C. Deploy an Amazon RDS for SQL Server Single-AZ DB instance. Use AWS Database Migration Service (AWS DMS) to replicate data continuously to an RDS DB instance in another Region. Use Amazon CloudWatch alarms to notify the company about failover events.
D. Deploy an Amazon RDS for SQL Server Single-AZ DB instance. Configure AWS Backup to create cross-Region backups every 30 seconds. Use automation to restore the latest backup and to update the Route 53 record during failover.
Correct Answer: A
9) A company needs to update its order processing application to improve resilience and availability. The application requires a stateful database and uses a single-node Amazon RDS DB instance to store customer orders and transaction history. A DevOps engineer must make the database highly available.
Which solution will meet this requirement?
A. Migrate the database to Amazon DynamoDB global tables. Configure automatic failover between AWS Regions by using Amazon Route 53 health checks.
B. Migrate the database to Amazon EC2 instances in multiple Availability Zones. Use Amazon Elastic Block Store (Amazon EBS) Multi-Attach to connect all the instances to a single EBS volume
C. Use the RDS DB instance as the source instance to create read replicas in multiple Availability Zones. Deploy an Application Load Balancer to distribute read traffic across the read replicas.
D. Modify the RDS DB instance to be a Multi-AZ deployment. Verify automatic failover to the standby instance if the primary instance becomes unavailable.
Correct Answer: D
10) A company has multiple AWS accounts. The company uses AWS IAM Identity Center that is integrated with a third-party SAML 2.0 identity provider (IdP).
The attributes for access control feature is enabled in IAM Identity Center. The attribute mapping list maps the department key from the IdP to the ${path:enterprise.department} attribute. All existing Amazon EC2 instances have a d1, d2, or d3 department tag that corresponds to three of the company's departments.
A DevOps engineer must create policies based on the matching attributes. The policies must grant each user access to only the EC2 instances that are tagged with the user's respective department name.
Which condition key should the DevOps engineer include in the custom permissions policies to meet these requirements?
A.
"Condition": {
  "ForAllValues:StringEquals": {
    "aws:TagKeys": ["department"]
  }
}
B.
"Condition": {
  "StringEquals": {
    "aws:PrincipalTag/department": "${aws:ResourceTag/department}"
  }
}
C.
"Condition": {
  "StringEquals": {
    "ec2:ResourceTag/department": "${aws:PrincipalTag/department}"
  }
}
D.
"Condition": {
  "ForAllValues:StringEquals": {
    "ec2:ResourceTag/department": ["d1", "d2", "d3"]
  }
}
Correct Answer: C
11) A developer is creating a proof of concept for a new software as a service (SaaS) application. The application is in a shared development AWS account that is part of an organization in AWS Organizations.
The developer needs to create service-linked IAM roles for the AWS services that are being considered for the proof of concept. The solution needs to give the developer the ability to create and configure the service-linked roles only.
Which solution will meet these requirements?
A. Create an IAM user for the developer in the organization's management account. Configure a cross-account role in the development account for the developer to use. Limit the scope of the cross-account role to common services.
B. Add the developer to an IAM group. Attach the PowerUserAccess managed policy to the IAM group. Enforce multi-factor authentication (MFA) on the user account.
C. Add an SCP to the development account in Organizations. Configure the SCP with a Deny rule for iam to limit the developer's access.
D. Create an IAM role that has the necessary IAM access to allow the developer to create policies and roles. Create and attach a permissions boundary to the role. Grant the developer access to assume the role.
Correct Answer: D
12) A DevOps engineer needs to implement a CI/CD pipeline that uses AWS CodeBuild to run a test suite. The test suite contains many test cases and takes a long time to finish running. The DevOps engineer wants to reduce the duration to run the tests. However, the DevOps engineer still wants to generate a single test report for all the test cases.
Which solution will meet these requirements?
A. Run the test suite in a batch build type of build matrix by using the codebuild-tests-run command.
B. Run the test suite in a batch build type of build fanout by using the codebuild-tests-run command.
C. Run the test suite in a batch build type of build list by using different subsets of the test cases.
D. Run the test suite in a batch build type of build graph by using different subsets of the test cases.
Correct Answer: B
13) A rapidly growing company wants to scale for developer demand for AWS development environments. Development environments are created manually in the AWS Management Console. The networking team uses AWS CloudFormation to manage the networking infrastructure, exporting stack output values for the Amazon VPC and all subnets. The development environments have common standards, such as Application Load Balancers, Amazon EC2 Auto Scaling groups, security groups, and Amazon DynamoDB tables.
To keep up with demand, the DevOps engineer wants to automate the creation of development environments. Because the infrastructure required to support the application is expected to grow, there must be a way to easily update the deployed infrastructure. CloudFormation will be used to create a template for the development environments.
Which approach will meet these requirements and quickly provide consistent AWS environments for developers?
A. Use Fn::ImportValue intrinsic functions in the Resources section of the template to retrieve Virtual Private Cloud (VPC) and subnet values. Use CloudFormation StackSets for the development environments, using the count input parameter to indicate the number of environments needed. Use the UpdateStackSet command to update existing development environments.
B. Use nested stacks to define common infrastructure components. To access the exported values, use TemplateURL to reference the networking team's template. To retrieve Virtual Private Cloud (VPC) and subnet values, use Fn::ImportValue intrinsic functions in the Parameters section of the root template. Use the CreateChangeSet and ExecuteChangeSet commands to update existing development environments.
C. Use nested stacks to define common infrastructure components. Use Fn::ImportValue intrinsic functions with the resources of the nested stack to retrieve Virtual Private Cloud (VPC) and subnet values. Use the CreateChangeSet and ExecuteChangeSet commands to update existing development environments.
D. Use Fn::ImportValue intrinsic functions in the Parameters section of the root template to retrieve Virtual Private Cloud (VPC) and subnet values. Define the development resources in the order they need to be created in the CloudFormation nested stacks. Use the CreateChangeSet and ExecuteChangeSet commands to update existing development environments.
Correct Answer: C
14) A company runs an application in an Amazon Elastic Container Service (Amazon ECS) service that is associated with an Elastic Load Balancing (ELB) target group. A DevOps engineer updates the service to include a new task definition version. The DevOps engineer notices that the deployment does not finish running. New tasks enter a stopped state soon after the tasks launch. The task definition references an Amazon CloudWatch Logs log group.
Which issues are most likely the cause of the failing deployment? (Select TWO.)
A. The target group health check is failing, which causes Amazon ECS to stop the tasks.
B. The IAM role that the DevOps engineer used to update the ECS service does not have the Amazon ECS RunTask permission.
C. The CloudWatch Logs log group that is referenced in the task definition does not exist.
D. The task role does not have the required permissions to launch the task.
E. An essential container in the ECS task is exiting.
Correct Answer: A, E
15) A company has a stateless web application that is deployed on Amazon EC2 instances. The EC2 instances are in a target group behind an Application Load Balancer (ALB). Amazon Route 53 manages the application domain.
The company updates the application UI and develops a beta version of the application. The company wants to test the beta version on 10% of its traffic.
Which solution will meet these requirements with the LEAST number of configuration changes?
A. Deploy the beta version to new EC2 instances in a new target group. Associate the new target group with a new ALB. Update the existing Route 53 record to use a weighted routing policy. Add a new Route 53 record that points to the new ALB with the same routing policy. Assign a weight of 90 to the existing record. Assign a weight of 10 to the new record.
B. Deploy the beta version to new EC2 instances in a new target group. Associate the new target group with the same ALB listener rule. Assign a weight of 90 to the existing target group. Assign a weight of 10 to the new target group.
C. Refactor the application to implement a feature flag for the beta version by using AWS AppConfig. Use the feature flag to enable the beta version for 10% of the EC2 instances.
D. Containerize and deploy the application on Amazon Elastic Container Service (Amazon ECS). Use AWS CodeDeploy to deploy the beta version by using the CodeDeployDefault.ECSCanary10Percent15Minutes deployment configuration.
Correct Answer: B
16) A company is developing a mobile app that requires extensive automated testing across multiple device types. The company is using AWS CodePipeline for its CI/CD pipeline.
The company must implement a scalable testing solution that can handle increased test loads as the app grows.
Which solution will meet these requirements with the LEAST management overhead?
A. Integrate AWS Device Farm with the pipeline to run the tests and scale as needed.
B. Deploy a fleet of Amazon EC2 instances with various mobile device emulators and auto scaling to run the tests. Create a custom AWS Lambda function to invoke EC2 test runs.
C. Implement a containerized testing solution that uses Amazon Elastic Container Service (Amazon ECS) with auto scaling. Configure the pipeline to invoke an AWS Lambda function to start the test runs on the ECS cluster.
D. Use AWS Lambda functions with custom runtime emulators to run the tests. Integrate the Lambda functions with the pipeline.
Correct Answer: A
17) A company is developing a web application that runs on Amazon EC2 Linux instances. The application requires monitoring of custom performance metrics. The company must collect metrics for API response times and database query latency across multiple instances.
Which solution will generate the custom metrics with the LEAST operational overhead?
A. Install the Amazon CloudWatch agent on the instances. Configure the agent to collect the custom metrics. Instrument the application to send the metrics to the agent.
B. Use Amazon Managed Service for Prometheus to scrape the custom metrics from the application. Use the Amazon CloudWatch agent to forward the metrics to CloudWatch.
C. Create a custom AWS Lambda function that polls the application endpoints and database at regular intervals. Program the Lambda function to calculate the custom metrics and to send the metrics to Amazon CloudWatch by using PutMetricData API calls.
D. Implement custom logging in the application code to record the custom metrics. Use Amazon CloudWatch Logs Insights to extract and analyze the metrics.
Correct Answer: A
18) A DevOps team is deploying microservices for an application on an Amazon Elastic Kubernetes Service (Amazon EKS) cluster. The cluster uses managed node groups.
The DevOps team wants to enable auto scaling for the microservice Pods based on a specific CPU utilization percentage. The DevOps team has already installed the Kubernetes Metrics Server on the cluster.
Which solution will meet these requirements in the MOST operationally efficient way?
A. Edit the Auto Scaling group that is associated with the worker nodes of the EKS cluster. Configure the Auto Scaling group to use a target tracking scaling policy to scale when the average CPU utilization of the Auto Scaling group reaches a specific percentage.
B. Deploy the Kubernetes Horizontal Pod Autoscaler (HPA) and the Kubernetes Vertical Pod Autoscaler (VPA) in the cluster. Configure the HPA to scale based on the target CPU utilization percentage. Configure the VPA to use the recommender mode setting.
C. Run the AWS Systems Manager AWS-UpdateEKSManagedNodeGroup Automation document. Modify the values for NodeGroupDesiredSize, NodeGroupMaxSize, and NodeGroupMinSize to be based on an estimate for the required node size.
D. Deploy the Kubernetes Horizontal Pod Autoscaler (HPA) and the Kubernetes Cluster Autoscaler in the cluster. Configure the HPA to scale based on the target CPU utilization percentage. Configure the Cluster Autoscaler to use the auto-discovery setting
Correct Answer: D
19) A company has implemented a new microservices-based application on an Amazon Elastic Container Service (Amazon ECS) cluster. After each deployment, the company wants to validate the critical user journeys and API endpoints before routing traffic to the new application version.
The company must implement an automated solution to detect issues in the new deployment and to initiate a rollback if necessary.
Which solution will meet these requirements with the LEAST operational overhead?
A. Set up Amazon CloudWatch Application Insights for the ECS cluster. Create an Amazon EventBridge rule to invoke an AWS Lambda function to analyze the task states. Program the Lambda function to use the ECS UpdateService API call to initiate a rollback if a specific percentage of tasks fail.
B. Set up Amazon CloudWatch Application Insights for the ECS cluster. Configure Application Insights to monitor key performance indicators of the microservices in the critical user journeys and API calls. Create CloudWatch alarms based on the insights. Use Amazon EventBridge to invoke an AWS Step Functions workflow to evaluate the alarms. Configure the workflow to initiate a rollback if necessary by using the alarms' built-in integration with Amazon ECS.
C. Create CloudWatch Synthetics canaries that simulate critical user journeys and API calls. Implement AWS X-Ray tracing for all the microservices. Configure X-Ray to send traces to CloudWatch. Create CloudWatch alarms based on error rates and latency metrics. Create an AWS Lambda function to analyze the traces and to initiate a rollback if necessary by using the alarms' built-in integration with Amazon ECS.
D. Create CloudWatch Synthetics canaries that simulate critical user journeys and API calls. Configure the canaries to run against the new deployment. Create CloudWatch alarms that are invoked when canaries fail. Use the alarms' built-in integration with Amazon ECS to initiate a rollback if the alarms are invoked before traffic is routed to the new deployment.
Correct Answer: D
20) A DevOps engineer needs to configure an AWS CodePipeline pipeline that publishes container images to an Amazon Elastic Container Registry (Amazon ECR) repository. The pipeline must wait for the previous run to finish and must run when new Git tags are pushed to a Git repository that is connected to AWS CodeConnections. An existing deployment pipeline needs to run in response to the publication of new container images.
Which solution will meet these requirements?
A. Configure a CodePipeline V2 type pipeline that uses QUEUED mode. Add a trigger filter to the pipeline definition that includes all tags. Configure an Amazon EventBridge rule that matches container image pushes to start the existing deployment pipeline.
B. Configure a CodePipeline V2 type pipeline that uses SUPERSEDED mode. Add a trigger filter to the pipeline definition that includes all branches Configure an Amazon EventBridge rule that matches container image pushes to start the existing deployment pipeline.
C. Configure a CodePipeline V1 type pipeline that uses SUPERSEDED mode. Add a trigger filter to the pipeline definition that includes all tags. Add a stage at the end of the pipeline to invoke the existing deployment pipeline.
D. Configure a CodePipeline V1 type pipeline that uses QUEUED mode. Add a trigger filter to the pipeline definition that includes all branches. Add a stage at the end of the pipeline to invoke the existing deployment pipeline.
Correct Answer: A
21) A company has an AWS account named PipelineAccount. The account manages a pipeline in AWS CodePipeline. The account uses an IAM role named CodePipeline_Service_Role and produces an artifact that is stored in an Amazon S3 bucket. The company uses a customer managed AWS KMS key to encrypt objects in the S3 bucket.
A DevOps engineer wants to configure the pipeline to use an AWS CodeDeploy application in an AWS account named CodeDeployAccount to deploy the produced artifact.
The DevOps engineer updates the KMS key policy to grant the CodeDeployAccount account permission to use the key. The DevOps engineer configures an IAM role named DevOps_Role in the CodeDeployAccount account that has access to the CodeDeploy resources that the pipeline requires. The DevOps engineer updates an Amazon EC2 instance role that operates within the CodeDeployAccount account to allow access to the S3 bucket and the KMS key that is in the PipelineAccount account.
Which additional steps will meet these requirements?
A. Update the S3 bucket policy to grant the CodeDeployAccount account access to the S3 bucket. Configure the DevOps_Role IAM role to have an IAM trust policy that allows the PipelineAccount account to assume the role. Update the CodePipeline_Service_Role IAM role to grant permission to assume the DevOps_Role role.
B. Update the S3 bucket policy to grant the CodeDeployAccount account access to the S3 bucket. Configure the DevOps_Role IAM role to have an IAM trust policy that allows the PipelineAccount account to assume the role. Update the DevOps_Role IAM role to grant permission to assume the CodePipeline_Service_Role role.
C. Update the S3 bucket policy to grant the PipelineAccount account access to the S3 bucket. Configure the DevOps_Role IAM role to have an IAM trust policy that allows the PipelineAccount account to assume the role. Update the CodePipeline_Service_Role IAM role to grant permission to assume the DevOps_Role role.
D. Update the S3 bucket policy to grant the CodeDeployAccount account access to the S3 bucket. Configure the DevOps_Role IAM role to have an IAM trust policy that allows the CodeDeployAccount account to assume the role. Update the CodePipeline_Service_Role IAM role to grant permission to assume the DevOps_Role role.
Correct Answer: A
22) A company is using AWS Organizations and wants to implement a governance strategy with the following requirements:
• AWS resource access is restricted to the same two Regions for all accounts
• AWS services are limited to a specific group of authorized services for all accounts
• Authentication is provided by Active Directory
• Access permissions are organized by job function and are identical in each account
Which solution will meet these requirements?
A. Establish an organizational unit (OU) with group policies in the management account to restrict Regions and authorized services. Use AWS CloudFormation StackSets to provision roles with permissions for each job function, including an IAM trust policy for IAM identity provider authentication in each account.
B. Establish a permission boundary in the management account to restrict Regions and authorized services. Use AWS CloudFormation StackSets to provision roles with permissions for each job function, including an IAM trust policy for IAM identity provider authentication in each account
C. Establish a service control policy in the management account to restrict Regions and authorized services. Use AWS Resource Access Manager (AWS RAM) to share management account roles with permissions for each job function, including AWS IAM Identity Center for authentication in each account.
D. Establish a service control policy in the management account to restrict Regions and authorized services. Use AWS CloudFormation StackSets to provision roles with permissions for each job function, including an IAM trust policy for IAM identity provider authentication in each account
Correct Answer: D
23) A company has deployed an Amazon Elastic Kubernetes Service (Amazon EKS) cluster with Amazon EC2 node groups. The company's DevOps team uses the Kubernetes Horizontal Pod Autoscaler and recently installed a supported EKS Cluster Autoscaler.
The DevOps team needs to implement a solution to collect metrics and logs of the EKS cluster to establish a baseline for performance. The DevOps team will create an initial set of thresholds for specific metrics and will update the thresholds over time as the cluster is used. The DevOps team must receive an Amazon Simple Notification Service (Amazon SNS) email notification if the initial set of thresholds is exceeded or if the EKS Cluster Autoscaler is not functioning properly.
The solution must collect cluster, node, and pod metrics. The solution also must capture logs in Amazon CloudWatch.
Which combination of steps should the DevOps team take to meet these requirements? (Select THREE.)
A. Deploy the CloudWatch agent and Fluent Bit to the cluster. Ensure that the EKS cluster has appropriate permissions to send metrics and logs to CloudWatch.
B. Deploy AWS Distro for OpenTelemetry to the cluster. Ensure that the EKS cluster has appropriate permissions to send metrics and logs to CloudWatch.
C. Create CloudWatch alarms to monitor the CPU, memory, and node failure metrics of the cluster. Configure the alarms to send an SNS email notification to the DevOps team if thresholds are exceeded.
D. Create a CloudWatch composite alarm to monitor a metric log filter of the CPU, memory, and node metrics of the cluster. Configure the alarm to send an SNS email notification to the DevOps team when anomalies are detected.
E. Create a CloudWatch alarm to monitor the logs of the Cluster Autoscaler deployments for errors. Configure the alarm to send an SNS email notification to the DevOps team if thresholds are exceeded.
F. Create a CloudWatch alarm to monitor a metric log filter of the Cluster Autoscaler deployments for errors. Configure the alarm to send an SNS email notification to the DevOps team if thresholds are exceeded.
Correct Answer: A, C, F
24) A DevOps engineer is building a photo sharing website that gives users the ability to upload photos and to view photos that other users share. Users upload photos to an Amazon S3 bucket by using presigned URLs.
The DevOps engineer must ensure that photos are scanned for malware before the website returns the photos to other users.
Which combination of steps will meet these requirements? (Select TWO.)
A. Enable Amazon GuardDuty S3 Protection. Create an AWS Lambda function to process S3 Protection findings and block access to any referenced objects.
B. Create a bucket policy for the S3 bucket. Update the IAM role that the website uses to restrict access to uploaded photos by using tag-based access control (TBAC).
C. Create a resource-based policy for the S3 bucket. Restrict access to uploaded photos by using the aws:SecureTransport condition key.
D. Enable Amazon Macie. Create an AWS Lambda function to process Macie findings and delete any referenced objects that contain malware.
E. Enable Amazon GuardDuty Malware Protection for S3 with object tagging.
Correct Answer: A, E
25) A company's application is currently deployed to a single AWS Region. Recently, the company opened a new office on a different continent. The users in the new office are experiencing high latency. The company's application runs on Amazon EC2 instances behind an Application Load Balancer (ALB) and uses Amazon DynamoDB as the database layer. The instances run in an EC2 Auto Scaling group across multiple Availability Zones. A DevOps engineer is tasked with minimizing application response times and improving availability for users in both Regions.
Which combination of actions should be taken to address the latency issues? (Select THREE.)
A. Create a new DynamoDB table in the new Region with cross-Region replication enabled.
B. Create new ALB and Auto Scaling group global resources and configure the new ALB to direct traffic to the new Auto Scaling group.
C. Create new ALB and Auto Scaling group resources in the new Region and configure the new ALB to direct traffic to the new Auto Scaling group.
D. Create Amazon Route 53 records, health checks, and latency-based routing policies to route to the ALB.
E. Create Amazon Route 53 aliases, health checks, and failover routing policies to route to the ALB.
F. Convert the DynamoDB table to a global table.
Correct Answer: C, D, F
26) A company has an application that runs on Amazon EC2 instances that are in an Auto Scaling group. When the application starts up, the application needs to process data from an Amazon S3 bucket before the application can start to serve requests.
The size of the data that is stored in the S3 bucket is growing. When the Auto Scaling group adds new instances, the application now takes several minutes to download and process the data before the application can serve requests. The company must reduce the time that elapses before new EC2 instances are ready to serve requests.
Which solution is the MOST cost-effective way to reduce the application startup time?
A. Configure a warm pool for the Auto Scaling group with warmed EC2 instances in the Stopped state. Configure an autoscaling EC2_INSTANCE_LAUNCHING lifecycle hook on the Auto Scaling group. Modify the application to complete the lifecycle hook when the application is ready to serve requests.
B. Increase the maximum instance count of the Auto Scaling group. Configure an autoscaling EC2_INSTANCE_LAUNCHING lifecycle hook on the Auto Scaling group. Modify the application to complete the lifecycle hook when the application is ready to serve requests.
C. Configure a warm pool for the Auto Scaling group with warmed EC2 instances in the Running state. Configure an autoscaling EC2_INSTANCE_LAUNCHING lifecycle hook on the Auto Scaling group. Modify the application to complete the lifecycle hook when the application is ready to serve requests.
D. Increase the maximum instance count of the Auto Scaling group. Configure an autoscaling EC2_INSTANCE_LAUNCHING lifecycle hook on the Auto Scaling group. Modify the application to complete the lifecycle hook and to place the new instance in the Standby state when the application is ready to serve requests.
Correct Answer: A
27) A company wants to deploy a workload on several hundred Amazon EC2 instances. The company will provision the EC2 instances in an Auto Scaling group by using a launch template.
The workload will pull files from an Amazon S3 bucket, process the data, and put the results into a different S3 bucket. The EC2 instances must have least-privilege permissions and must use temporary security credentials.
Which combination of steps will meet these requirements? (Select TWO.)
A. Create an IAM role that has the appropriate permissions for S3 buckets. Add the IAM role to an instance profile.
B. Update the launch template to include the IAM instance profile.
C. Create an IAM user that has the appropriate permissions for Amazon S3. Generate a secret key and token.
D. Create a trust anchor and profile. Attach the IAM role to the profile.
E. Update the launch template. Modify the user data to use the new secret key and token.
Correct Answer: A, B
28) A company is using AWS CodeDeploy to deploy applications to a fleet of Amazon EC2 instances. During a recent deployment, several EC2 instances failed to update successfully.
A DevOps engineer must investigate the root cause of the failures and must determine which specific deployment lifecycle events encountered errors.
What is the MOST operationally efficient way to access and analyze the detailed deployment logs for troubleshooting?
A. Use SSH to connect to each EC2 instance that failed to update successfully. Read the logs from the CodeDeploy agent.
B. Use AWS Systems Manager Session Manager to connect to each EC2 instance that failed to update successfully. Read the logs from the CodeDeploy agent.
C. Create an Amazon S3 bucket to store CodeDeploy logs. Update the appspec.yml file to copy logs to the S3 bucket. Query the S3 bucket by using Amazon Athena.
D. Send CodeDeploy agent logs to Amazon CloudWatch Logs by using the CloudWatch agent. Analyze the logs by using CloudWatch Logs Insights.
Correct Answer: D
29) A company runs an application as an Amazon Elastic Container Service (Amazon ECS) task to process messages from an Amazon Simple Queue Service (Amazon SQS) queue. The ECS task runs on a schedule to process the SQS queue every 10 minutes.
A high volume of messages was delivered to the SQS queue. The application took several hours to process all the messages. The company's new service level objective (SLO) requires that the application must process messages within 10 minutes of delivery.
A DevOps engineer needs to configure the application to meet the SLO while minimizing idle running resources.
Which solution meets these requirements with the MOST operational efficiency?
A. Configure a step scaling policy for the ECS task. Configure the step scaling policy to use the ECSServiceAverageMemoryUtilization metric. Set the maximum number of tasks to equal the number of messages the application receives at peak hours.
B. Configure a target tracking scaling policy for the ECS task. Calculate the number of messages for each task by using the SQS ApproximateNumberOfMessagesVisible metric and the ECS RunningTaskCount metric. Scale the number of tasks based on the calculated attribute.
C. Create a scheduled scaling policy to increase the number of ECS tasks available during peak volume periods. Set the schedule as a cron for the application's peak hours. Set the maximum number of tasks to equal the number of messages the application receives at peak hours.
D. Create a predictive scaling policy to increase the number of available ECS tasks during peak volume periods. Configure the predictive scaling policy to use the ECSServiceAverageCPUUtilization metric. Set the maximum number of tasks to equal the number of messages the application receives at peak hours.
Correct Answer: B
30) A company wants to ensure that their EC2 instances are secure. They want to be notified if any new vulnerabilities are discovered on their instances, and they also want an audit trail of all login activities on the instances.
Which solution will meet these requirements?
A. Use AWS Systems Manager to detect vulnerabilities on the EC2 instances. Install the Amazon Kinesis Agent to capture system logs and deliver them to Amazon S3.
B. Use AWS Systems Manager to detect vulnerabilities on the EC2 instances. Install the Systems Manager Agent to capture system logs and view login activity in the CloudTrail console.
C. Configure Amazon CloudWatch to detect vulnerabilities on the EC2 instances. Install the AWS Config daemon to capture system logs and view them in the AWS Config console.
D. Configure Amazon Inspector to detect vulnerabilities on the EC2 instances. Install the Amazon CloudWatch Agent to capture system logs and record them via Amazon CloudWatch Logs.
Correct Answer: D
31) A DevOps engineer needs to implement a solution to install antivirus software on all the Amazon EC2 instances in an AWS account. The EC2 instances run the most recent version of Amazon Linux.
The solution must detect all instances and must use an AWS Systems Manager document to install the software if the software is not present.
Which solution will meet these requirements?
A. Create an association in Systems Manager State Manager. Target all the managed nodes. Include the software in the association. Configure the association to use the Systems Manager document.
B. Set up AWS Config to record all the resources in the account. Create an AWS Config custom rule to determine if the software is installed on all the EC2 instances. Configure an automatic remediation action that uses the Systems Manager document for noncompliant EC2 instances.
C. Activate Amazon EC2 scanning on Amazon Inspector to determine if the software is installed on all the EC2 instances. Associate the findings with the Systems Manager document.
D. Create an Amazon EventBridge rule that uses AWS CloudTrail to detect the RunInstances API call. Configure inventory collection in Systems Manager Inventory to determine if the software is installed on the EC2 instances. Associate the Systems Manager inventory with the Systems Manager document.
Correct Answer: A
32) A company has a new AWS account that teams will use to deploy various applications. The teams will create many Amazon S3 buckets for application-specific purposes and to store AWS CloudTrail logs. The company has enabled Amazon Macie for the account.
A DevOps engineer needs to optimize the Macie costs for the account without compromising the account's functionality.
Which solutions will meet these requirements? (Select TWO.)
A. Exclude S3 buckets that contain CloudTrail logs from automated discovery.
B. Exclude S3 buckets that have public read access from automated discovery.
C. Configure scheduled daily discovery jobs for all S3 buckets in the account.
D. Configure discovery jobs to include S3 objects based on the last modified criterion.
E. Configure discovery jobs to include S3 objects that are tagged as production only.
Correct Answer: A, D
33) A company has an organization in AWS Organizations. The organization has all features enabled and has AWS CloudTrail trusted access configured for the management account. An Amazon Simple Notification Service (Amazon SNS) topic is configured for notifications.
The company needs all AWS events in all AWS Regions in the organization to be recorded and retained in an audit account. The company needs near real-time notifications of any failed login attempts.
A DevOps engineer has created an organization trail in the management account to log events for all Regions.
Which solution will meet these requirements with the LEAST operational effort?
A. Configure the trail to publish logs to a new Amazon S3 bucket in the audit account. In the audit account, create an Amazon EventBridge rule that reacts to failed login events in CloudTrail. Configure the EventBridge rule to notify the SNS topic.
B. Configure the trail to publish logs to a new Amazon S3 bucket in the management account. Configure an Amazon Athena table to read from the new S3 bucket. Create an AWS Lambda function that queries the Athena table for failed login events and publishes the findings to the SNS topic. Create an Amazon EventBridge scheduled rule to invoke the Lambda function every 5 minutes.
C. Configure the trail to publish logs to a new Amazon S3 bucket in the audit account and a new Amazon CloudWatch log group in the management account. Create a CloudWatch Logs metric filter on the log group to create a custom metric for failed logins. Configure a CloudWatch alarm that uses the custom metric and notifies the SNS topic.
D. Configure the trail to publish logs to a new Amazon CloudWatch log group in the audit account. Create an Amazon Kinesis data stream in the audit account. Configure a subscription filter on the log group to send the logs to the data stream. Use Amazon Managed Service for Apache Flink to filter the data stream for failed logins. Publish the results to the SNS topic.
Correct Answer: A
34) A company must encrypt all AMIs that the company shares across accounts. A DevOps engineer has access to a source account where an unencrypted custom AMI has been built. The DevOps engineer also has access to a target account where an Amazon EC2 Auto Scaling group will launch EC2 instances from the AMI. The DevOps engineer must share the AMI with the target account.
The company has created an AWS Key Management Service (AWS KMS) key in the source account.
Which additional steps should the DevOps engineer perform to meet the requirements? (Select THREE.)
A. In the source account, copy the unencrypted AMI to an encrypted AMI. Specify the KMS key in the copy action.
B. In the source account, copy the unencrypted AMI to an encrypted AMI. Specify the default Amazon Elastic Block Store (Amazon EBS) encryption key in the copy action.
C. In the source account, create a KMS grant that delegates permissions to the Auto Scaling group service-linked role in the target account.
D. In the source account, modify the key policy to give the target account permissions to create a grant. In the target account, create a KMS grant that delegates permissions to the Auto Scaling group service-linked role.
E. In the source account, share the unencrypted AMI with the target account.
F. In the source account, share the encrypted AMI with the target account.
Correct Answer: A, D, F
35) A company is running an application on Amazon Elastic Kubernetes Service (Amazon EKS). The company needs to implement comprehensive logging for the control plane and the nodes. The company must analyze API requests to the Kubernetes control plane and must monitor container performance on the nodes.
Which solution will meet these requirements with the LEAST operational overhead?
A. Enable AWS CloudTrail for control plane logging. Deploy Logstash as a ReplicaSet on the nodes to collect logs from the nodes. Use Amazon OpenSearch Service to store and analyze the logs for the control plane and the nodes.
B. Enable control plane logging for the EKS cluster. Send the logs to Amazon CloudWatch. Use CloudWatch Container Insights to collect logs for the nodes and the containers. Use CloudWatch Logs Insights to query and analyze the logs for the control plane and the nodes.
C. Enable API server control plane logging for the EKS cluster. Send the logs to Amazon S3. Deploy Kubernetes Event Exporter to the nodes to collect logs from the nodes. Send the logs to Amazon S3. Use Amazon Athena to query logs for the control plane and the nodes. Use Amazon QuickSight for visualization.
D. Use AWS Distro for OpenTelemetry to collect logs for the control plane and the nodes. Stream all the logs to Amazon Data Firehose. Use Amazon Redshift to analyze the aggregated log data for the control plane and the nodes.
Correct Answer: B
36) A company deploys a web application on Amazon EC2 instances that are behind an Application Load Balancer (ALB). The company stores the application code in an AWS CodeConnections compatible Git repository.
When the company merges code to the main branch, an AWS CodeBuild project is initiated. The CodeBuild project compiles the code, stores the packaged code in AWS CodeArtifact, and invokes AWS Systems Manager Run Command to deploy the packaged code to the EC2 instances.
Previous deployments have resulted in defects, EC2 instances that were not running the latest version of the packaged code, and inconsistencies between instances. A DevOps engineer needs to improve the reliability of the deployment solution.
Which combination of actions will meet this requirement? (Select TWO.)
A. Create a pipeline in AWS CodePipeline that uses the Git repository as the source provider. Configure the pipeline to have parallel build and test stages in the pipeline. Pass the CodeBuild project output artifact to an AWS CodeDeploy action.
B. Create a pipeline in AWS CodePipeline that uses the Git repository as the source provider. Configure the pipeline to have a build stage followed by a test stage in the pipeline. Pass the CodeBuild project output artifact to an AWS CodeDeploy action.
C. Create an AWS CodeDeploy application and a deployment group to deploy the packaged code to the EC2 instances. Configure the ALB for the deployment group.
D. Create individual AWS Lambda functions that use AWS CodeDeploy instead of Systems Manager to run build, test, and deploy actions.
E. Create an Amazon S3 bucket. Modify the CodeBuild project to store the packages in the S3 bucket instead of in CodeArtifact. Use deploy actions in CodeDeploy to deploy the artifact to the EC2 instances.
Correct Answer: B, C
37) A global company uses Amazon S3 to host its product catalog website in the us-east-1 Region. The company must improve website performance for users across different geographical regions and must reduce the load on the origin server. The company must implement a highly available cross-Region solution that uses Amazon CloudFront.
Which solution will meet these requirements with the LEAST operational effort?
A. Set up multiple CloudFront distributions. Point each distribution to another S3 bucket in a different Region. Use Amazon Route 53 latency-based routing to direct users to the nearest distribution. Enable S3 replication between the S3 bucket in us-east-1 and the S3 bucket in the different Region.
B. Enable CloudFront with Origin Shield in us-east-1. Configure global edge locations. Set up cache behaviors with optimal TTLs for static content and dynamic content. Configure origin failover to an S3 bucket in a different Region. Enable S3 replication between the S3 bucket in us-east-1 and the S3 bucket in the different Region.
C. Enable CloudFront with Origin Shield in us-east-1. Configure Amazon ElastiCache clusters in multiple Regions to serve as a distributed caching layer between CloudFront and the S3 origin. Set up a replication script to synchronize the S3 bucket in us-east-1 to an S3 bucket in a different Region. Use Amazon EventBridge to schedule the script to run once a day.
D. Enable CloudFront with Origin Shield in the eu-west-1 Region. Configure Regional edge caches. Implement AWS Global Accelerator to route requests to the nearest Regional edge location. Enable S3 replication between the S3 bucket in us-east-1 and an S3 bucket in a different Region.
Correct Answer: B
38) A company uses a trunk-based development branching strategy. The company has two AWS CodePipeline pipelines that are integrated with a Git provider. The pull_request pipeline has a branch filter that matches the feature branches. The main_branch pipeline has a branch filter that matches the main branch.
When pull requests are merged into the main branch, the pull requests are deployed by using the main_branch pipeline.
The company's developers need test results for all submitted pull requests as quickly as possible from the pull_request pipeline. The company wants to ensure that the main_branch pipeline's test results finish and that each deployment is complete before the next pipeline execution.
Which solution will meet these requirements?
A. Configure the pull_request pipeline to use PARALLEL mode. Configure the main_branch pipeline to use QUEUED mode.
B. Configure the pull_request pipeline to use SUPERSEDED mode. Configure the main_branch pipeline to use QUEUED mode.
C. Configure the pull_request pipeline to use PARALLEL mode. Configure the main_branch pipeline to use SUPERSEDED mode.
D. Configure the pull_request pipeline to use QUEUED mode. Configure the main_branch pipeline to use SUPERSEDED mode.
Correct Answer: A
39) A company is migrating an application to Amazon Elastic Container Service (Amazon ECS). The company wants to consolidate log data in Amazon CloudWatch in the us-west-2 Region. No CloudWatch log groups currently exist for Amazon ECS.
The company receives the following error code when an ECS task attempts to launch: "service my-service-name was unable to place a task because no container instance met all of its requirements". The ECS task definition includes the following container log configuration:
    "logConfiguration": {
        "logDriver": "awslogs",
        "options": {
            "awslogs-create-group": "true",
            "awslogs-group": "awslogs-mytask",
            "awslogs-region": "us-west-2",
            "awslogs-stream-prefix": "awslogs-mytask",
            "mode": "non-blocking",
            "max-buffer-size": "25m"
        }
    }
The ECS cluster uses an Amazon EC2 Auto Scaling group to provide capacity for tasks. EC2 instances launch an Amazon ECS-optimized AMI.
Which solution will fix the problem?
A. Modify the ECS infrastructure IAM role to add the logs:CreateLogStream and logs:PutLogEvents permissions.
B. Modify the ECS log configuration to use blocking mode.
C. Modify the ECS container instance IAM role to add the logs:CreateLogStream and logs:PutLogEvents permissions.
D. Modify the ECS log configuration by setting the awslogs-create-group option to false.
Correct Answer: C
40) A company is using the AWS Cloud Development Kit (AWS CDK) to develop a microservices-based application. The company needs to create reusable infrastructure components for three environments: development, staging, and production. The components must include networking resources, database resources, and serverless compute resources.
The company must implement a solution that provides consistent infrastructure across environments while offering the option for environment-specific customizations. The solution also must minimize code duplication.
Which solution will meet these requirements with the LEAST development overhead?
A. Create custom Level 1 (L1) constructs out of Level 2 (L2) constructs where repeatable patterns exist. Create a single set of deployment stacks that takes the environment name as an argument upon instantiation. Deploy CDK applications for each environment.
B. Create custom Level 1 (L1) constructs out of Level 2 (L2) constructs where repeatable patterns exist. Create separate deployment stacks for each environment. Use the CDK context command to determine which stacks to run when deploying to each environment.
C. Create custom Level 3 (L3) constructs out of Level 2 (L2) constructs where repeatable patterns exist. Create a single set of deployment stacks that takes the environment name as an argument upon instantiation. Deploy CDK applications for each environment.
D. Create custom Level 3 (L3) constructs out of Level 2 (L2) constructs where repeatable patterns exist. Create separate deployment stacks for each environment. Use the CDK context command to determine which stacks to run when deploying to each environment.
Correct Answer: C
41) A company hired a penetration tester to simulate an internal security breach. The tester performed port scans on the company's Amazon EC2 instances. The company's security measures did not detect the port scans.
The company needs a solution that automatically provides notification when port scans are performed on EC2 instances. The company creates and subscribes to an Amazon Simple Notification Service (Amazon SNS) topic.
What should the company do next to meet the requirement?
A. Ensure that Amazon GuardDuty is enabled. Create an Amazon CloudWatch alarm for detected EC2 and port scan findings. Connect the alarm to the SNS topic.
B. Ensure that Amazon Inspector is enabled. Create an Amazon EventBridge event for detected network reachability findings that indicate port scans. Connect the event to the SNS topic.
C. Ensure that Amazon Inspector is enabled. Create an Amazon EventBridge event for detected CVEs that cause open port vulnerabilities. Connect the event to the SNS topic.
D. Ensure that AWS CloudTrail is enabled. Create an AWS Lambda function to analyze the CloudTrail logs for unusual amounts of traffic from an IP address range. Connect the Lambda function to the SNS topic.
Correct Answer: A
42) A company uses AWS Organizations, AWS Control Tower, AWS Config, and Terraform to manage its AWS accounts and resources. The company must ensure that users deploy only AWS Lambda functions that are connected to a VPC in member AWS accounts.
Which solution will meet these requirements with the LEAST operational effort?
A. Configure AWS Control Tower to use proactive controls (guardrails). Enable the optional controls (guardrails) implemented with AWS CloudFormation hooks for Lambda on all OUs.
B. Create a new SCP. Include a conditional statement that uses a StringEquals condition operator to check the lambda:VpcIds condition key against a list of VPC IDs. Configure the SCP to allow the lambda:CreateFunction action and the lambda:UpdateFunctionConfiguration action if the value of the condition key matches one of the VPC IDs.
C. Create a custom rule in AWS Config to detect Lambda functions that are not connected to a VPC when any Lambda function is created or updated.
D. Create a new SCP. Include a conditional statement that uses a Null condition operator to determine whether the lambda:VpcIds condition key is absent. Configure the SCP to deny the lambda:CreateFunction action and the lambda:UpdateFunctionConfiguration action if the condition key is absent.
Correct Answer: D
43) A company sells products through an ecommerce web application. The company wants a dashboard that shows a pie chart of product transaction details. The company wants to integrate the dashboard with the company's existing Amazon CloudWatch dashboards.
Which solution will meet these requirements with the MOST operational efficiency?
A. Update the ecommerce application to emit a JSON object to a CloudWatch log group for each processed transaction. Use CloudWatch Logs Insights to query the log group and to visualize the results in a pie chart format. Attach the results to the desired CloudWatch dashboard.
B. Update the ecommerce application to emit a JSON object to an Amazon S3 bucket for each processed transaction. Use Amazon Athena to query the S3 bucket and to visualize the results in a pie chart format. Export the results from Athena. Attach the results to the desired CloudWatch dashboard.
C. Update the ecommerce application to use AWS X-Ray for instrumentation. Create a new X-Ray subsegment. Add an annotation for each processed transaction. Use X-Ray traces to query the data and to visualize the results in a pie chart format. Attach the results to the desired CloudWatch dashboard.
D. Update the ecommerce application to emit a JSON object to a CloudWatch log group for each processed transaction. Create an AWS Lambda function to aggregate and write the results to Amazon DynamoDB. Create a Lambda subscription filter for the log file. Attach the results to the desired CloudWatch dashboard.
Correct Answer: A
44) A security team is concerned that a developer can unintentionally attach an Elastic IP address to an Amazon EC2 instance in production. No developer should be allowed to attach an Elastic IP address to an instance. The security team must be notified if any production server has an Elastic IP address at any time.
How can this task be automated?
A. Use Amazon Athena to query AWS CloudTrail logs to check for any associate-address attempts. Create an AWS Lambda function to disassociate the Elastic IP address from the instance, and alert the security team.
B. Attach an IAM policy to the developers' IAM group to deny associate-address permissions. Create a custom AWS Config rule to check whether an Elastic IP address is associated with any instance tagged as production, and alert the security team.
C. Ensure that all IAM groups associated with developers do not have associate-address permissions. Create a scheduled AWS Lambda function to check whether an Elastic IP address is associated with any instance tagged as production, and alert the security team if an instance has an Elastic IP address associated with it.
D. Create an AWS Config rule to check that all production instances have EC2 IAM roles that include deny associate-address permissions. Verify whether there is an Elastic IP address associated with any instance, and alert the security team if an instance has an Elastic IP address associated with it.
Correct Answer: B
45) A company needs to ensure that flow logs remain configured for all existing and new VPCs in its AWS account. The company uses an AWS CloudFormation stack to manage its VPCs. The company needs a solution that will work for any VPCs that any IAM user creates.
Which solution will meet these requirements?
A. Add the AWS::EC2::FlowLog resource to the CloudFormation stack that creates the VPCs.
B. Create an organization in AWS Organizations. Add the company's AWS account to the organization. Create an SCP to prevent users from modifying VPC flow logs.
C. Turn on AWS Config. Create an AWS Config rule to check whether VPC flow logs are turned on. Configure automatic remediation to turn on VPC flow logs.
D. Create an IAM policy to deny the use of API calls for VPC flow logs. Attach the IAM policy to all IAM users.
Correct Answer: C
46) A company runs an application for multiple environments in a single AWS account. An AWS CodePipeline pipeline uses a development Amazon Elastic Container Service (Amazon ECS) cluster to test an image for the application from an Amazon Elastic Container Registry (Amazon ECR) repository. The pipeline promotes the image to a production ECS cluster.
The company needs to move the production cluster into a separate AWS account in the same AWS Region. The production cluster must be able to download the images over a private connection.
Which solution will meet these requirements?
A. Use Amazon ECR VPC endpoints and an Amazon S3 gateway endpoint. In the separate AWS account, create an ECR repository. Set the repository policy to allow the production ECS tasks to pull images from the main AWS account. Configure the production ECS task execution role to have permission to download the image from the ECR repository.
B. Set a repository policy on the production ECR repository in the main AWS account. Configure the repository policy to allow the production ECS tasks in the separate AWS account to pull images from the main account. Configure the production ECS task execution role to have permission to download the image from the ECR repository.
C. Configure ECR private image replication in the main AWS account. Activate cross-account replication. Define the destination account ID of the separate AWS account.
D. Use Amazon ECR VPC endpoints and an Amazon S3 gateway endpoint. Set a repository policy on the production ECR repository in the main AWS account. Configure the repository policy to allow the production ECS tasks in the separate AWS account to pull images from the main account. Configure the production ECS task execution role to have permission to download the image from the ECR repository.
Correct Answer: D
47) A company needs to adopt a multi-account strategy to deploy its applications and the associated CI/CD infrastructure. The company has created an organization in AWS Organizations that has all features enabled. The company has configured AWS Control Tower and has set up a landing zone.
The company needs to use AWS Control Tower controls (guardrails) in all AWS accounts in the organization. The company must create the accounts for a multi-environment application and must ensure that all accounts are configured to an initial baseline.
Which solution will meet these requirements with the LEAST operational overhead?
A. Create an AWS Control Tower Account Factory Customization (AFC) blueprint that uses the baseline configuration. Use AWS Control Tower Account Factory to provision a dedicated AWS account for each environment and a CI/CD account by using the blueprint.
B. Use AWS Control Tower Account Factory to provision a dedicated AWS account for each environment and a CI/CD account. Use AWS CloudFormation StackSets to apply the baseline configuration to the new accounts.
C. Use Organizations to provision a multi-environment AWS account and a CI/CD account. In the Organizations management account, create an AWS Lambda function that assumes the Organizations access role to apply the baseline configuration to the new accounts.
D. Use Organizations to provision a dedicated AWS account for each environment, an audit account, and a CI/CD account. Use AWS CloudFormation StackSets to apply the baseline configuration to the new accounts.
Correct Answer: A
48) A company's DevOps engineer uses AWS Systems Manager to perform maintenance tasks. The company has a few Amazon EC2 instances that require a restart after notifications from AWS Health.
The DevOps engineer must implement an automated solution that uses Amazon EventBridge to remediate the notifications during the company's scheduled maintenance windows.
How should the DevOps engineer configure an EventBridge rule to meet these requirements?
A. Configure an event source of AWS Health. Configure event types that indicate scheduled instance termination and retirement. Target the AWS-RestartEC2Instance Systems Manager Automation runbook to restart the EC2 instances.
B. Configure an event source of Systems Manager. Configure an event type that indicates a maintenance window. Target the AWS-RestartEC2Instance Systems Manager Automation runbook to restart the EC2 instances.
C. Configure an event source of AWS Health. Configure event types that indicate scheduled instance termination and retirement. Target a newly created AWS Lambda function that registers a Systems Manager maintenance window task to restart the EC2 instances.
D. Configure an event source of EC2. Configure an event type that indicates instance state notification. Target a newly created AWS Lambda function that registers a Systems Manager maintenance window task to restart the EC2 instances.
Correct Answer: A
49) A software as a service (SaaS) company uses an Amazon Elastic Container Service (Amazon ECS) cluster behind an Application Load Balancer (ALB) to provide real-time analytics services to clients. The company is using AWS CodePipeline and AWS CodeDeploy to set up a blue/green deployment process for the solution.
The company wants the deployment process to automatically shift traffic in equal increments over a specified total deployment time without any manual intervention. The deployment process must ensure zero downtime and provide seamless updates.
Which solution will meet these requirements?
A. Set the TrafficRoutingConfig parameter to TimeBasedLinear in the appspec.yml file of the CodeDeploy application that the company uses to deploy the ECS services. Set values for the linearPercentage parameter and the linearInterval parameter.
B. Update the TrafficRoutingConfig parameter of the appspec.yml file of the CodeDeploy application that the company uses to deploy the ECS services to the AllAtOnce type.
C. Create a deployment group configuration. Set the TrafficRoutingConfig parameter to the TimeBasedCanary type. Configure listener rules on the ALB to forward traffic to the target groups based on specified weights.
D. Set up a deployment configuration in CodeDeploy. Configure weighted routing on the ALB during deployment.
Correct Answer: A
50) A company has a web application that publishes logs that contain metadata for transactions, with a status of success or failure for each log. The logs are in JSON format. The application publishes the logs to an Amazon CloudWatch Logs log group.
The company wants to create a dashboard that displays the number of successful transactions.
Which solution will meet this requirement with the LEAST operational overhead?
A. Create an Amazon OpenSearch Service cluster and an OpenSearch Service subscription filter to send the log group data to the cluster. Create a dashboard within the Dashboards feature in the OpenSearch Service cluster by using a search query for transactions that have a status of success.
B. Create a CloudWatch subscription filter for the log group that uses an AWS Lambda function. Configure the Lambda function to parse the JSON logs and publish a custom metric to CloudWatch for transactions that have a status of success. Create a CloudWatch dashboard by using a metric graph that displays the custom metric.
C. Create a CloudWatch metric filter for the log groups with a filter pattern that matches the transaction status property and a value of success. Create a CloudWatch dashboard by using a metric graph that displays the new metric.
D. Create an Amazon Kinesis data stream that is subscribed to the log group. Configure the data stream to filter incoming log data based on a status of success and to send the filtered logs to an AWS Lambda function. Configure the Lambda function to publish a custom metric to CloudWatch. Create a CloudWatch dashboard by using a metric graph that displays the custom metric.
Correct Answer: C
51) A DevOps engineer is planning to use the AWS Cloud Development Kit (AWS CDK) to manage infrastructure as code (IaC) for a microservices-based application. The DevOps engineer must create reusable components for common infrastructure patterns and must apply the same cost allocation tags across different microservices.
Which solution will meet these requirements?
A. Create a custom CDK construct library that includes common infrastructure patterns. Create a CDK app. Use the TagManager class to add cost allocation tags to the whole app. Use the custom CDK construct library to write a higher-level construct that contains all the microservices. Deploy the microservices as a single CDK stack with environment-specific configurations.
B. Create a custom CDK construct library that includes common infrastructure patterns. Create a CDK app. Use the Tags class to add cost allocation tags to the whole app. Use the custom CDK construct library to write higher-level constructs for each microservice. Deploy the microservices as separate CDK stacks with environment-specific configurations.
C. Create AWS Service Catalog products that contain common infrastructure components. Create a CDK app. Use the TagManager class to add cost allocation tags to the whole app. Use the Service Catalog products to write a higher-level construct that contains all the microservices. Deploy the microservices as a single CDK stack with environment-specific configurations.
D. Create AWS Service Catalog products that contain common infrastructure components. Create a CDK app. Use the Tags class to add cost allocation tags to the whole app. Use the Service Catalog products to write higher-level constructs for each microservice. Deploy the microservices as separate CDK stacks with environment-specific configurations.
Correct Answer: B
52) A company has an AWS Control Tower landing zone. The company's DevOps team creates a workload OU. A development OU and a production OU are nested under the workload OU. The company grants users full access to the company's AWS accounts to deploy applications.
The DevOps team needs to allow only a specific management IAM role to manage the IAM roles and policies of any AWS accounts in only the production OU.
Which combination of steps will meet these requirements? (Select TWO.)
A. Create an SCP that denies full access with a condition to exclude the management IAM role for the organization root.
B. Ensure that the FullAWSAccess SCP is applied at the organization root.
C. Create an SCP that allows IAM related actions. Attach the SCP to the development OU.
D. Create an SCP that denies IAM related actions with a condition to exclude the management IAM role. Attach the SCP to the workload OU.
E. Create an SCP that denies IAM related actions with a condition to exclude the management IAM role. Attach the SCP to the production OU.
Correct Answer: B, E
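As an added illustration of what option E looks like in practice (example code written for this page, not taken from the exam or from AWS), the block below holds an SCP that denies all IAM actions unless the caller is the management role, together with a small evaluator that shows how the Deny resolves for sample principals. The role name IAMManagementRole and the account ID are placeholders; aws:PrincipalArn and StringNotLike are real IAM condition key and operator names.

```python
"""Added example, not part of the exam page: the SCP that option E describes
(deny IAM actions for everyone except one management role) and a small
evaluator that shows how its Deny statement resolves for sample principals.

Assumptions not taken from the page: the management role is called
'IAMManagementRole' (placeholder) and the account IDs used below are
constructed sample values.
"""
import fnmatch
import json

# SCP body. "aws:PrincipalArn" and "StringNotLike" are real IAM condition
# key/operator names; the role name in the pattern is a placeholder.
DENY_IAM_EXCEPT_MANAGEMENT_ROLE = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyIamChangesExceptManagementRole",
            "Effect": "Deny",
            "Action": "iam:*",
            "Resource": "*",
            "Condition": {
                "StringNotLike": {
                    "aws:PrincipalArn": "arn:aws:iam::*:role/IAMManagementRole"
                }
            },
        }
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, principal_arn):
    """Evaluate StringLike / StringNotLike conditions on aws:PrincipalArn.

    Only these two operators and this one key are modelled; anything else
    raises so that an unsupported policy is not silently misjudged.
    """
    for operator, pairs in condition.items():
        if operator not in ("StringLike", "StringNotLike"):
            raise ValueError(f"unsupported operator: {operator}")
        for key, patterns in pairs.items():
            if key != "aws:PrincipalArn":
                raise ValueError(f"unsupported condition key: {key}")
            matched = any(fnmatch.fnmatchcase(principal_arn, p) for p in _as_list(patterns))
            if operator == "StringLike" and not matched:
                return False
            if operator == "StringNotLike" and matched:
                return False
    return True


def scp_denies(policy, principal_arn, action):
    """Return True if any Deny statement in the SCP applies to this call.

    An SCP only bounds permissions: the FullAWSAccess SCP that option B keeps
    at the root, and the principal's own IAM policy, must still allow the
    action for it to succeed. This function checks only the explicit Deny.
    """
    for statement in policy["Statement"]:
        if statement["Effect"] != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(statement["Action"])):
            continue
        if _condition_holds(statement.get("Condition", {}), principal_arn):
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(DENY_IAM_EXCEPT_MANAGEMENT_ROLE, indent=2))
    for arn, action in [
        ("arn:aws:iam::111122223333:role/DeveloperRole", "iam:CreatePolicy"),
        ("arn:aws:iam::111122223333:role/IAMManagementRole", "iam:CreatePolicy"),
        ("arn:aws:iam::111122223333:role/DeveloperRole", "ec2:RunInstances"),
    ]:
        denied = scp_denies(DENY_IAM_EXCEPT_MANAGEMENT_ROLE, arn, action)
        print(f"{arn} {action}: denied={denied}")
```

Attaching this SCP to the production OU (option E) rather than the workload OU (option D) keeps the development OU unaffected; the condition on aws:PrincipalArn is what lets the single management role through the Deny.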
53) A company runs a microservices application on Amazon Elastic Kubernetes Service (Amazon EKS). Users recently reported significant delays while accessing an account summary feature, particularly during peak business hours.
A DevOps engineer used Amazon CloudWatch metrics and logs to troubleshoot the issue. The logs indicated normal CPU and memory utilization on the EKS nodes. The DevOps engineer was not able to identify where the delays occurred within the microservices architecture.
The DevOps engineer needs to increase the observability of the application to pinpoint where the delays are occurring.
Which solution will meet these requirements?
A. Deploy the AWS X-Ray daemon as a DaemonSet in the EKS cluster. Use the X-Ray SDK to instrument the application code. Redeploy the application.
B. Enable CloudWatch Container Insights for the EKS cluster. Use the Container Insights data to diagnose the delays.
C. Create alarms based on the existing CloudWatch metrics. Set up an Amazon Simple Notification Service (Amazon SNS) topic to send email alerts.
D. Increase the timeout settings in the application code for network operations to allow more time for operations to finish.
Correct Answer: A
54) A company frequently creates Docker images of an application. The company stores the images in Amazon Elastic Container Registry (Amazon ECR). The company creates both tagged images and untagged images.
The company wants to implement a solution to automatically delete images that have not been updated for a long time and are not frequently used. The solution must retain at least a specified number of images.
Which solution will meet these requirements with the LEAST operational overhead?
A. Use Amazon S3 Lifecycle policies on the ECR repository to automatically delete images based on image age or the absence of tags on the image.
B. Use Amazon ECR lifecycle policies to delete images based on age or the number of images that need to be retained in the repository.
C. Configure an AWS Lambda function to run a schedule to delete images based on age or the number of images that need to be retained in the repository.
D. Use AWS Systems Manager to run a script by using the aws executeScript action to automatically delete images based on image age or the absence of tags on the image.
Correct Answer: B
55) A company has a mission-critical application on AWS that uses automatic scaling. The company wants the deployment lifecycle to meet the following parameters:
The application must be deployed one instance at a time to ensure the remaining fleet continues to serve traffic.
The application is CPU intensive and must be closely monitored.
The deployment must automatically roll back if the CPU utilization of the deployment instance exceeds 85%.
Which solution will meet these requirements?
A. Use AWS CloudFormation to create an AWS Step Functions state machine and Auto Scaling lifecycle hooks to move one instance at a time into a wait state. Use AWS Systems Manager Automation to deploy the update to each instance and move it back into the Auto Scaling group using the heartbeat timeout.
B. Use AWS CodeDeploy with Amazon EC2 Auto Scaling. Configure an alarm tied to the CPU utilization metric. Use the CodeDeployDefault.OneAtATime configuration as a deployment strategy. Configure automatic rollbacks within the deployment group to roll back the deployment if the alarm thresholds are breached.
C. Use AWS Elastic Beanstalk for load balancing and AWS Auto Scaling. Configure an alarm tied to the CPU utilization metric. Configure rolling deployments with a fixed batch size of one instance. Enable enhanced health to monitor the status of the deployment and roll back based on the alarm previously created.
D. Use AWS Systems Manager to perform a blue/green deployment with Amazon EC2 Auto Scaling. Configure an alarm tied to the CPU utilization metric. Deploy updates one at a time. Configure automatic rollbacks within the Auto Scaling group to roll back the deployment if the alarm thresholds are breached.
Correct Answer: B
56) A DevOps engineer is working on a member account in an organization in AWS Organizations with all features enabled. The account has sensitive data stored in Amazon S3 buckets.
The DevOps engineer must ensure that all public access to S3 buckets in the account is blocked. If the account-level block public access settings change in the future, the changes must be reverted automatically so that all public access is blocked again.
Which solution meets these requirements?
A. Enable AWS Security Hub in the account. Enable the Security Hub control to evaluate the account-level block public access settings. Enable automated remediation for the Security Hub control.
B. Set up AWS Config in the account. Create an AWS Config managed rule that evaluates the account-level block public access settings. Enable automated remediation for the rule by using a predefined AWS Systems Manager runbook to configure S3 block public access settings.
C. In the organization's management account, create an SCP that denies S3 actions from outside the AWS account. Attach the SCP to the member account.
D. Enable Amazon Macie in the account. Create an Amazon EventBridge rule with an event pattern that matches Macie policy findings. Configure the rule with an EventBridge target to run a predefined AWS Systems Manager runbook to configure S3 block public access settings.
Correct Answer: B
57) A company has an application that streams logs to an Amazon CloudWatch Logs log group. The logs must be available for the team to search in CloudWatch for at least 30 days. Logs must be accessible with low latency for at least 90 days. After 180 days, log retrieval is rare and latency is not important.
A DevOps engineer creates an Amazon S3 bucket to store the logs. Log availability metrics and data protection are important to the company.
Which solution will meet these requirements in the MOST cost-effective way?
A. Configure the log group to have a retention period of 30 days and to use the infrequent access log class. Create a CloudWatch metric stream that uses Amazon Kinesis Data Streams to send log events to the S3 bucket. Create an S3 Lifecycle policy to move objects to Amazon S3 Standard-Infrequent Access (S3 Standard-IA) after 90 days and to Amazon Glacier Flexible Retrieval after 180 days.
B. Configure the log group to have a retention period of 30 days and to use the infrequent access log class. Create a CloudWatch metric stream that uses Amazon Data Firehose to send log events to the S3 bucket. Create an S3 Lifecycle policy to move objects to Amazon S3 One Zone-Infrequent Access (S3 One Zone-IA) after 90 days and to Amazon S3 Glacier Flexible Retrieval after 180 days.
C. Configure the log groups to have a retention period of 30 days. Create a CloudWatch subscription filter that uses Amazon Kinesis Data Streams to send log events to the S3 bucket by writing files. Create an S3 Lifecycle policy to move objects to Amazon S3 Standard-Infrequent Access (S3 Standard-IA) after 90 days and to Amazon S3 Glacier Instant Retrieval after 180 days.
D. Configure the log groups to have a retention period of 30 days. Create a CloudWatch subscription filter that uses Amazon Data Firehose to send log events to the S3 bucket. Create an S3 Lifecycle policy to move objects to Amazon S3 Standard-Infrequent Access (S3 Standard-IA) after 90 days and to Amazon S3 Glacier Deep Archive after 180 days.
Correct Answer: D
58) A company wants to build a pipeline to update the standard AMI monthly. The AMI must be updated to use the most recent patches to ensure that launched Amazon EC2 instances are up to date. Each new AMI must be available to all AWS accounts in the company's organization in AWS Organizations.
The company needs to configure an automated pipeline to build the AMI.
Which solution will meet these requirements with the MOST operational efficiency?
A. Create an AWS CodePipeline pipeline that uses AWS CodeBuild. Create an AWS Lambda function to run the pipeline every month. Create an AWS CloudFormation template. Share the template with all AWS accounts in the organization.
B. Create an AMI pipeline by using EC2 Image Builder. Configure the pipeline to distribute the AMI to the AWS accounts in the organization. Configure the pipeline to run monthly.
C. Create an AWS CodePipeline pipeline that runs an AWS Lambda function to build the AMI. Configure the pipeline to share the AMI with the AWS accounts in the organization. Configure Amazon EventBridge Scheduler to invoke the pipeline every month.
D. Create an AWS Systems Manager Automation runbook. Configure the automation to run in all AWS accounts in the organization. Create an AWS Lambda function to run the automation every month.
Correct Answer: B
59) A DevOps engineer has developed an AWS Lambda function. The Lambda function starts an AWS CloudFormation drift detection operation on all supported resources for a specific CloudFormation stack. The Lambda function then exits its invocation.
The DevOps engineer has created an Amazon EventBridge scheduled rule that invokes the Lambda function every hour. An Amazon Simple Notification Service (Amazon SNS) topic already exists in the AWS account. The DevOps engineer has subscribed to the SNS topic to receive notifications.
The DevOps engineer needs to receive a notification as soon as possible when drift is detected in this specific stack configuration.
Which solution will meet these requirements?
A. Configure the existing EventBridge rule to also target the SNS topic. Configure an SNS subscription filter policy to match the CloudFormation stack. Attach the subscription filter policy to the SNS topic.
B. Create a second Lambda function to query the CloudFormation API for the drift detection results for the stack. Configure the second Lambda function to publish a message to the SNS topic if drift is detected. Adjust the existing EventBridge rule to also target the second Lambda function.
C. Configure Amazon GuardDuty in the account with drift detection for all CloudFormation stacks. Create a second EventBridge rule that reacts to the GuardDuty drift detection event finding for the specific CloudFormation stack. Configure the SNS topic as a target of the second EventBridge rule.
D. Configure AWS Config in the account. Use the cloudformation-stack-drift-detection-check managed rule. Create a second EventBridge rule that reacts to a compliance change event for the CloudFormation stack Configure the SNS topic as a target of the second EventBridge rule.
Correct Answer: D
60) A company is launching an application. The application must use only approved AWS services. The account that runs the application was created less than 1 year ago and is assigned to an AWS Organizations OU.
The company needs to create a new Organizations account structure. The account structure must have an appropriate SCP that supports the use of only services that are currently active in the AWS account. The company will use AWS Identity and Access Management (IAM) Access Analyzer in the solution.
Which solution will meet these requirements?
A. Create an SCP that allows the services that IAM Access Analyzer identifies. Create an OU for the account. Move the account into the new OU. Attach the new SCP to the new OU. Detach the default FullAWSAccess SCP from the new OU.
B. Create an SCP that denies the services that IAM Access Analyzer identifies. Create an OU for the account. Move the account into the new OU. Attach the new SCP to the new OU.
C. Create an SCP that allows the services that IAM Access Analyzer identifies. Attach the new SCP to the organization's root.
D. Create an SCP that allows the services that IAM Access Analyzer identifies. Create an OU for the account. Move the account into the new OU. Attach the new SCP to the management account. Detach the default FullAWSAccess SCP from the new OU.
Correct Answer: A
61) A company is migrating its web application to AWS. The application uses WebSocket connections for real-time updates and requires sticky sessions.
A DevOps engineer must implement a highly available architecture for the application. The application must be accessible to users worldwide with the least possible latency.
Which solution will meet these requirements with the LEAST operational overhead?
A. Deploy an Application Load Balancer (ALB). Deploy another ALB in a different AWS Region. Enable cross-zone load balancing and sticky sessions on the ALBs. Integrate the ALBs with Amazon Route 53 latency-based routing.
B. Deploy a Network Load Balancer (NLB). Deploy another NLB in a different AWS Region. Enable cross-zone load balancing and sticky sessions on the NLBs. Integrate the NLBs with Amazon Route 53 geolocation routing.
C. Deploy a Network Load Balancer (NLB) with cross-zone load balancing enabled. Configure the NLB with IP-based targets in multiple Availability Zones. Use Amazon CloudFront for global content delivery. Implement sticky sessions by using source IP address preservation on the NLB.
D. Deploy an Application Load Balancer (ALB) for HTTP traffic. Deploy a Network Load Balancer (NLB) in each of the company's AWS Regions for WebSocket connections. Enable sticky sessions on the ALB. Configure the ALB to forward requests to the NLB.
Correct Answer: A
62) A company has deployed a critical application in two AWS Regions. The application uses an Application Load Balancer (ALB) in both Regions. The company has Amazon Route 53 alias DNS records for both ALBs.
The company uses Amazon Route 53 Application Recovery Controller to ensure that the application can fail over between the two Regions. The Route 53 ARC configuration includes a routing control for both Regions. The company uses Route 53 ARC to perform quarterly disaster recovery (DR) tests.
During the most recent DR test, a DevOps engineer accidentally turned off both routing controls. The company needs to ensure that at least one routing control is turned on at all times.
Which solution will meet these requirements?
A. In Route 53 ARC, create a new assertion safety rule. Apply the assertion safety rule to the two routing controls. Configure the rule with the ATLEAST type with a threshold of 1.
B. In Route 53 ARC, create a new gating safety rule. Apply the gating safety rule to the two routing controls. Configure the rule with the OR type with a threshold of 1.
C. In Route 53 ARC, create a new resource set. Configure the resource set with an AWS::Route53::HealthCheck resource type. Specify the ARNs of the two routing controls as the target resource. Create a new readiness check for the resource set.
D. In Route 53 ARC, create a new resource set. Configure the resource set with an AWS::Route53RecoveryReadiness::DNSTargetResource resource type. Add the domain names of the two Route 53 alias DNS records as the target resource. Create a new readiness check for the resource set.
Correct Answer: A
63) A DevOps team has created a Custom Lambda rule in AWS Config. The rule monitors Amazon Elastic Container Repository (Amazon ECR) policy statements for ecr actions. When a noncompliant repository is detected, Amazon EventBridge uses Amazon Simple Notification Service (Amazon SNS) to route the notification to a security team.
When the custom AWS Config rule is evaluated, the AWS Lambda function fails to run.
Which solution will resolve the issue?
A. Modify the Lambda function's resource policy to grant AWS Config permission to invoke the function.
B. Modify the SNS topic policy to include configuration changes for EventBridge to publish to the SNS topic.
C. Modify the Lambda function's execution role to include configuration changes for custom AWS Config rules.
D. Modify all the ECR repository policies to grant AWS Config access to the necessary ECR API actions.
Correct Answer: A
64) A DevOps engineer at a company is supporting an AWS environment in which all users use AWS IAM Identity Center. The company wants to immediately disable credentials of any new IAM user and wants the security team to receive a notification.
Which combination of steps should the DevOps engineer take to meet these requirements? (Select THREE.)
A. Create an Amazon EventBridge rule that reacts to an IAM CreateUser API call in AWS CloudTrail.
B. Create an Amazon EventBridge rule that reacts to an IAM GetLoginProfile API call in AWS CloudTrail.
C. Create an AWS Lambda function that is a target of the EventBridge rule. Configure the Lambda function to disable any access keys and delete the login profiles that are associated with the IAM user.
D. Create an AWS Lambda function that is a target of the EventBridge rule. Configure the Lambda function to delete the login profiles that are associated with the IAM user.
E. Create an Amazon Simple Notification Service (Amazon SNS) topic that is a target of the EventBridge rule. Subscribe the security team's group email address to the topic.
F. Create an Amazon Simple Queue Service (Amazon SQS) queue that is a target of the Lambda function. Subscribe the security team's group email address to the queue.
Correct Answer: A, C, E
65) A company uses an organization in AWS Organizations to manage its AWS accounts. The company recently acquired another company that has standalone AWS accounts. The acquiring company's DevOps team needs to consolidate the administration of the AWS accounts for both companies and retain full administrative control of the accounts. The DevOps team also needs to collect and group findings across all the accounts to implement and maintain a security posture.
Which combination of steps should the DevOps team take to meet these requirements? (Select TWO.)
A. Invite the acquired company's AWS accounts to join the organization. Create an SCP that has full administrative privileges. Attach the SCP to the management account.
B. Invite the acquired company's AWS accounts to join the organization. Create the OrganizationAccountAccessRole IAM role in the invited accounts. Grant permission to the management account to assume the role.
C. Use AWS Security Hub to collect and group findings across all accounts. Use Security Hub to automatically detect new accounts as the accounts are added to the organization.
D. Use AWS Firewall Manager to collect and group findings across all accounts. Enable all features for the organization. Designate an account in the organization as the delegated administrator account for Firewall Manager.
E. Use Amazon Inspector to collect and group findings across all accounts. Designate an account in the organization as the delegated administrator account for Amazon Inspector.
Correct Answer: B, C
66) A company deploys an application to Amazon EC2 instances. The application runs Amazon Linux 2 and uses AWS CodeDeploy. The application has the following file structure for its code repository:
appspec.yml
config/config.txt
application/web
The appspec.yml file has the following contents in the files section:
files:
  - source: config/config.txt
    destination: /usr/local/src/config.txt
  - source: /
    destination: /var/www/html
What will the result be for the deployment of the config.txt file?
A. The config.txt file will be deployed to only /var/www/html/config/config.txt.
B. The config.txt file will be deployed to /usr/local/src/config.txt and to /var/www/html/config/config.txt.
C. The config.txt file will be deployed to only /usr/local/src/config.txt.
D. The config.txt file will be deployed to /usr/local/src/config.txt and to /var/www/html/application/web/config.txt.
Correct Answer: B
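To make the double copy in question 66 concrete, the block below is an added example (written for this page, not code from the exam or from AWS CodeDeploy) that applies the files section above to the revision's three paths and reports where each file lands. It assumes the revision holds exactly the listed paths and, for a source that names a single file, takes the destination literally as the target path, which is how the question reads it; CodeDeploy's other install rules are not modelled.

```python
"""Added example, not from the exam page or from AWS CodeDeploy itself: a
small resolver that applies the files section of the appspec.yml above to the
revision's file list and reports where each file lands, which makes the
double copy of config.txt visible.

Assumptions: the revision holds exactly the three paths the question lists,
and for a source that names a single file the destination is taken literally
as the target path (the reading the question uses). CodeDeploy's other
install rules (for example failing on a pre-existing destination file) are
not modelled.
"""
import posixpath

# The files section from the question's appspec.yml.
APPSPEC_FILES = [
    {"source": "config/config.txt", "destination": "/usr/local/src/config.txt"},
    {"source": "/", "destination": "/var/www/html"},
]

# Constructed revision contents, as listed in the question.
REVISION_FILES = ["appspec.yml", "config/config.txt", "application/web"]


def resolve_destinations(files_section, revision_files):
    """Map every revision path to the list of instance paths it is copied to.

    Rules modelled:
    * source is relative to the revision root; "/" means the whole revision.
    * A source naming a single file is copied to exactly destination.
    * A source naming a directory (including "/") copies its tree under
      destination, preserving the relative structure.
    Entries are applied in order, so a file matched by two entries is
    copied twice.
    """
    result = {path: [] for path in revision_files}
    for entry in files_section:
        src = entry["source"].strip("/")
        dst = entry["destination"]
        for path in revision_files:
            if src == "":                       # whole revision
                result[path].append(posixpath.join(dst, path))
            elif path == src:                   # single file
                result[path].append(dst)
            elif path.startswith(src + "/"):    # directory source
                result[path].append(posixpath.join(dst, path[len(src) + 1:]))
    return result


def files_copied_more_than_once(files_section, revision_files):
    """Name the revision files that end up at more than one instance path."""
    mapping = resolve_destinations(files_section, revision_files)
    return sorted(path for path, dests in mapping.items() if len(dests) > 1)


if __name__ == "__main__":
    for path, dests in resolve_destinations(APPSPEC_FILES, REVISION_FILES).items():
        print(f"{path} -> {dests}")
```

Running the resolver shows config/config.txt landing at both /usr/local/src/config.txt and /var/www/html/config/config.txt, because the second entry's source of / sweeps up the whole revision, including the file the first entry already placed.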
67) A company operates a fleet of Amazon EC2 instances that host critical applications and handle sensitive data. The EC2 instances must have up-to-date security patches to protect against vulnerabilities and ensure compliance with industry standards and regulations. The company needs an automated solution to monitor and enforce security patch compliance across the EC2 fleet.
Which solution will meet these requirements?
A. Configure AWS Systems Manager Patch Manager and AWS Config with defined patch baselines and compliance rules that run Systems Manager Automation documents.
B. Access each EC2 instance by using SSH keys. Check for and apply security updates by using package managers. Verify the installations.
C. Configure Auto Scaling groups that have scaling policies based on Amazon CloudWatch metrics. Configure Auto Scaling launch templates that launch new instances by using the latest AMIs that contain new security patches.
D. Use AWS CloudFormation to recreate EC2 instances with the latest AMI every time a new patch becomes available. Use AWS CloudTrail logs to monitor patch compliance and to send alerts for non-compliant instances.
Correct Answer: A
68) A company runs an application that uses an Amazon S3 bucket to store images. A DevOps engineer needs to implement a multi-Region disaster recovery (DR) strategy for the S3 objects. The DevOps engineer enables two-way replication between the S3 buckets.
The company must be able to fail over to a second S3 bucket that is in a second AWS Region. When an image is added to either S3 bucket, the image must be replicated to the other S3 bucket within 15 minutes.
Which combination of steps will meet these requirements in the MOST operationally efficient way? (Select THREE.)
A. Enable S3 Replication Time Control (S3 RTC) for each replication rule used in the configuration.
B. Create an S3 Multi-Region Access Point in an active-passive configuration.
C. Call the SubmitMultiRegionAccessPointRoutes operation in the Amazon S3 API when the company needs to fail over to the S3 bucket in the second Region.
D. Enable S3 Transfer Acceleration on both S3 buckets.
E. Configure a routing control in Amazon Route 53 Application Recovery Controller. Add both S3 buckets in an active-passive configuration.
F. Use Amazon Route 53 Application Recovery Controller to shift traffic from the primary bucket to the failover bucket in the second Region.
Correct Answer: A, B, C
69) A company is running an application on Amazon EC2 instances in an Auto Scaling group. Recently, an issue occurred that prevented EC2 instances from launching successfully, and it took several hours for the support team to discover the issue. The support team wants to be notified by email whenever an EC2 instance does not start successfully.
Which action will accomplish this?
A. Add a health check to the Auto Scaling group to invoke an AWS Lambda function whenever an instance status is impaired
B. Configure the Auto Scaling group to send a notification to an Amazon SNS topic whenever a failed instance launch occurs.
C. Create an Amazon CloudWatch alarm that invokes an AWS Lambda function when a failed AttachInstances Auto Scaling API call is made.
D. Create a status check alarm on Amazon EC2 to send a notification to an Amazon SNS topic whenever a status check failure occurs.
Correct Answer: B
70) A company runs a development environment website and database on an Amazon EC2 instance that uses Amazon Elastic Block Store (Amazon EBS) storage. The company wants to make the instance more resilient to underlying hardware issues. The company wants to automatically recover the EC2 instance if AWS determines that the instance has lost network connectivity.
Which solution will meet these requirements?
A. Add the EC2 instance to an Auto Scaling group. Set the minimum, maximum, and desired capacity to 1
B. Add the EC2 instance to an Auto Scaling group. Configure a lifecycle hook to detach the EBS volume if the EC2 instance shuts down or terminates
C. Create an Amazon CloudWatch alarm for the StatusCheckFailed_System metric. Add an EC2 action to recover the instance when the alarm state is in ALARM
D. Create an Amazon CloudWatch alarm for the NetworkOut metric. Add an EC2 action to recover the instance when the alarm state is in INSUFFICIENT_DATA
Correct Answer: C
71) A media company has several thousand Amazon EC2 instances in an AWS account. The company is using Slack and a shared email inbox for team communications and important updates. A DevOps engineer needs to send all AWS-scheduled EC2 maintenance notifications to the Slack channel and the shared inbox. The solution must include the instances' Name and Owner tags.
Which solution will meet these requirements?
A. Integrate AWS Trusted Advisor with AWS Config. Configure a custom AWS Config rule to invoke an AWS Lambda function to publish notifications to an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe a Slack channel endpoint and the shared inbox to the topic.
B. Use Amazon EventBridge to monitor for AWS Health events. Configure the maintenance events to target an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe an AWS Lambda function to the SNS topic to send notifications to the Slack channel and the shared inbox.
C. Create an AWS Lambda function that sends EC2 maintenance notifications to the Slack channel and the shared inbox. Monitor EC2 health events by using Amazon CloudWatch metrics. Configure a CloudWatch alarm that invokes the Lambda function when a maintenance notification is received.
D. Configure AWS Support integration with AWS CloudTrail. Create a CloudTrail lookup event to invoke an AWS Lambda function to pass EC2 maintenance notifications to Amazon Simple Notification Service (Amazon SNS). Configure Amazon SNS to target the Slack channel and the shared inbox.
Correct Answer: B
72) A company has application code in an AWS CodeConnections compatible Git repository. The company wants to configure unit tests to run when pull requests are opened. The company wants to ensure that the test status is visible in pull requests when the tests are completed. The company wants to save output data files that the tests generate to an Amazon S3 bucket after the tests are finished.
Which combination of solutions will meet these requirements? (Select THREE)
A. Create an IAM service role to allow access to the resources that are required to run the tests.
B. Create a pipeline in AWS CodePipeline that has a test stage. Create a trigger to run the pipeline when pull requests are created or updated. Add a source action to report test results.
C. Create an AWS CodeBuild project to run the tests. Enable webhook triggers to run the tests when pull requests are created or updated. Enable build status reporting to report test results.
D. Create a buildspec.yml file that has a reports section to upload output files when the tests have finished running.
E. Create a buildspec.yml file that has an artifacts section to upload artifacts when the tests have finished running.
F. Create an appspec.yml file that has a files section to upload output files when the tests have finished running.
Correct Answer: A, C, E
73) A DevOps engineer notices that all Amazon EC2 instances running behind an Application Load Balancer in an Auto Scaling group are failing to respond to user requests. The EC2 instances are also failing target group HTTP health checks.
Upon inspection, the engineer notices that the application process was not running on any of the EC2 instances. There are a significant number of out-of-memory messages in the system logs. The engineer needs to improve the resilience of the application to cope with a potential application memory leak. Monitoring and notifications should be enabled to alert when there is an issue.
Which combination of actions will meet these requirements? (Select TWO.)
A. Change the Auto Scaling configuration to replace the instances when they fail the load balancer's health checks.
B. Change the target group health check HealthCheckIntervalSeconds parameter to reduce the interval between health checks.
C. Change the target group health checks from HTTP to TCP to check if the port where the application is listening is reachable.
D. Enable the available memory consumption metric within the Amazon CloudWatch dashboard for the entire Auto Scaling group. Create an alarm when the memory utilization is high. Associate an Amazon SNS topic with the alarm to receive notifications when the alarm goes off.
E. Use the Amazon CloudWatch agent to collect the memory utilization of the EC2 instances in the Auto Scaling group. Create an alarm when the memory utilization is high and associate an Amazon SNS topic to receive a notification.
Correct Answer: A, E
74) A company uses the AWS Cloud Development Kit (AWS CDK) to define its application. The company uses a pipeline that consists of AWS CodePipeline and AWS CodeBuild to deploy the CDK application.
The company wants to introduce unit tests to the pipeline to test various infrastructure components. The company wants to ensure that a deployment proceeds only if no unit tests fail.
Which combination of steps will enforce the testing requirement in the pipeline? (Select TWO)
A. Update the CodeBuild build phase commands to run the tests and then to deploy the application. Set the OnFailure phase property to ABORT.
B. Update the CodeBuild build phase commands to run the tests and then to deploy the application. Add the --rollback true flag to the cdk deploy command.
C. Update the CodeBuild build phase commands to run the tests and then to deploy the application. Add the --require-approval any-change flag to the cdk deploy command.
D. Create a test that uses the AWS CDK assertions module. Use the Template.hasResourceProperties assertion to test that resources have the expected properties.
E. Create a test that uses the cdk diff command. Configure the test to fail if any resources have changed.
Correct Answer: A, D
75) A DevOps engineer is building the infrastructure for an application. The application needs to run on an Amazon Elastic Kubernetes Service (Amazon EKS) cluster that includes Amazon EC2 instances. The EC2 instances need to use an Amazon Elastic File System (Amazon EFS) file system as a storage backend. The Amazon EFS Container Storage Interface (CSI) driver is installed on the EKS cluster.
When the DevOps engineer starts the application, the EC2 instances do not mount the EFS file system.
Which solutions will fix the problem? (Select THREE.)
A. Switch the EKS nodes from Amazon EC2 to AWS Fargate.
B. Add an inbound rule to the EFS file system's security group to allow NFS traffic from the EKS cluster.
C. Create an IAM role that allows the Amazon EFS CSI driver to interact with the file system.
D. Set up AWS DataSync to configure file transfer between the EFS file system and the EKS nodes.
E. Create a mount target for the EFS file system in the subnet of the EKS nodes.
F. Disable encryption on the EFS file system.
Correct Answer: B, C, E

