QUESTION 181
A company has an application that uses an Amazon API Gateway REST API, AWS Lambda functions, and an Amazon DynamoDB table. The application currently runs in a single AWS Region. The company wants to make the application highly available across two Regions. User traffic must be routed to the Region that provides the least latency. Which combination of steps will meet these requirements? (Select THREE.)
A. Create a global table replica of the DynamoDB table in a second Region.
B. Create a global secondary index for the DynamoDB table.
C. Create copies of the REST API and the Lambda functions in a second Region.
D. Create health checks in Amazon Route 53. Create DNS records that include a failover routing policy.
E. Create health checks in Amazon Route 53. Create DNS records that include a latency routing policy.
F. Create DNS records in Amazon Route 53 that include a multivalue answer routing policy.
Correct Answer: ACE
QUESTION 182
A company uses an organization in AWS Organizations to manage multiple AWS accounts in a hierarchical structure. An SCP that is associated with the organization root allows IAM users to be created. A DevOps team must be able to create IAM users with any level of permissions. Developers must also be able to create IAM users. However, developers must not be able to grant new IAM users excessive permissions. The developers have the CreateAndManageUsers role in each account. The DevOps team must be able to prevent other users from creating IAM users. Which combination of steps will meet these requirements? (Select TWO.)
A. Create an SCP in the organization to deny users the ability to create and modify IAM users. Attach the SCP to the root of the organization. Attach the CreateAndManageUsers role to developers.
B. Create an SCP in the organization to grant users that have the DeveloperBoundary policy attached the ability to create new IAM users and to modify IAM users. Configure the SCP to require users to attach the PermissionBoundaries policy to any new IAM user. Attach the SCP to the root of the organization.
C. Create an IAM permissions policy named PermissionBoundaries within each account. Configure the PermissionBoundaries policy to specify the maximum permissions that a developer can grant to a new IAM user.
D. Create an IAM permissions policy named PermissionBoundaries within each account. Configure PermissionBoundaries to allow users who have the PermissionBoundaries policy to create new IAM users.
E. Create an IAM permissions policy named DeveloperBoundary within each account. Configure the DeveloperBoundary policy to allow developers to create IAM users and to assign policies to IAM users of only if the developer includes the PermissionBoundaries policy as the permissions boundary. Attach the DeveloperBoundary policy to the CreateAndManage Users role within each account.
Correct Answer: CE
QUESTION 183
A company manages its accounts in an organization in AWS Organizations with all features enabled. The company’s DevOps engineer needs to provision user access to multiple accounts. The DevOps engineer must assign access to AWS accounts based on user groups in an external identity provider (IdP). The DevOps engineer has enabled AWS IAM Identity Center with the external IdP as the identity source. The DevOps engineer has also created permission sets with the required permissions. Which combination of steps will meet these requirements? (Select TWO.)
A. Create a SAML IdP in IAM Identity Center that uses the configuration from the external IdP.
B. Assign access to AWS accounts by using the permission sets and groups in IAM Identity Center.
C. Enable identity-enhanced sessions in IAM Identity Center.
D. Enable automatic provisioning in IAM Identity Center. Synchronize users and groups from the external IdP.
E. Create IAM groups that use names that match the external IdP group names.
Correct Answer: BD
QUESTION 184
A company is developing a web application and is using AWS CodeBuild for its CI/CD pipeline. The company must generate multiple artifacts from a single build process. The company also needs the ability to determine which build generated each artifact. The artifacts must be stored in an Amazon S3 bucket for further processing and deployment. Builds occur frequently and are based on a large Git repository. The company needs to optimize build times. Which solution will meet these requirements with the MOST operational efficiency?
A. Configure the buildspec.yml file to specify multiple artifacts with different file sets. Enable local caching for the build process by using source cache mode. Use environment variables to dynamically name artifacts based on the build ID.
B. Configure the buildspec.yml file to output all files as a single artifact. Enable local caching for the build process by using custom cache mode. Create an AWS Lambda function that is invoked by CodeBuild completion. Program the Lambda function to split the artifact into multiple files and to upload the files to the S3 bucket with dynamic names based on build ID.
C. Create separate CodeBuild projects for each artifact type. Enable local caching for the build process by using Docker layer cache mode. Configure each project to output a single artifact to the S3 bucket with a dynamic name based on build ID. Use AWS Step Functions to orchestrate the projects in parallel.
D. Set up CodeBuild to generate a single ZIP artifact that contains all files. Enable S3 caching for the build process. Use AWS CodePipeline with a custom action to extract the files and reorganize the files into multiple artifacts in the S3 bucket. Configure the custom action to dynamically name the files based on the time of the build.
Correct Answer: A
QUESTION 185
A company uses Amazon Elastic Container Registry (Amazon ECR) for all images of the company’s containerized infrastructure. The company uses the pull through cache functionality with the /external prefix to avoid throttling when the company retrieves images from external image registries. The company uses AWS Organizations for its accounts. Every image in the registry must be encrypted with a specific, pre-provisioned AWS Key Management Service (AWS KMS) key. The company’s internally created images already comply with this policy. However, cached external images use server-side encryption with Amazon S3 managed keys (SSE-S3). The company must remove the noncompliant cache repositories. The company must also implement a secure solution to ensure that all new pull through cache repositories are automatically encrypted with the required KMS key. Which solution will meet these requirements?
A. Configure AWS Config. Add a custom rule that uses Guard syntax. Write the rule to enable KMS encryption for new repositories.
B. Configure an ECR repository creation template for the prefix. Specify the KMS key. Wait for the repositories to repopulate.
C. Configure an SCP for all AWS accounts that requires all ECR repositories to be KMS encrypted.
D. Create a new Amazon EventBridge rule that triggers on all “ECR Pull Through Cache Action” events. Set AWS KMS as the rule target.
Correct Answer: B
QUESTION 186
A company is developing a microservices-based application on AWS. The application consists of AWS Lambda functions and Amazon Elastic Container Service (Amazon ECS) services that need to be deployed frequently. A DevOps engineer needs to implement a consistent deployment solution across all components of the application. The solution must automate the deployments, minimize downtime during updates, and manage configuration data for the application. Which solution will meet these requirements with the LEAST development effort?
A. Use AWS CloudFormation to define and provision the Lambda functions and ECS services. Implement stack updates with resource replacement for all components. Use AWS Secrets Manager to manage the configuration data.
B. Use AWS CodeDeploy to manage deployments for the Lambda functions and ECS services. Implement canary deployments for the Lambda functions. Implement blue/green deployments for the ECS services. Use AWS Systems Manager Parameter Store to manage the configuration data.
C. Use AWS Step Functions to orchestrate deployments for the Lambda functions and ECS services. Use canary deployments for the Lambda functions and ECS services in a different AWS Region. Use AWS Systems Manager Parameter Store to manage the configuration data.
D. Use AWS Systems Manager to manage deployments for the Lambda functions and ECS services. Implement all-at-once deployments for the Lambda functions. Implement rolling updates for the ECS services. Use AWS Secrets Manager to manage the configuration data.
Correct Answer: B
QUESTION 187
A DevOps engineer needs to implement a CI/CD pipeline in an AWS account. The pipeline must consume sensitive database credentials that are stored in an AWS Systems Manager Parameter Store parameter. The Parameter Store parameter is in a separate central account. The DevOps engineer needs to create and integrate the parameter with the CI/CD account. Which combination of steps will meet these requirements? (Select THREE.)
A. Use an advanced tier Parameter Store parameter to store the database credentials in the central AWS account.
B. Create an IAM role in the AWS account that hosts the CI/CD pipeline. Add the full ARN of the parameter to the IAM policy that is associated with the IAM role.
C. Use a standard tier Parameter Store parameter to store the database credentials in the central AWS account.
D. Use an AWS KMS managed key to encrypt the parameter. Grant decrypt permissions for the KMS key to the AWS account that hosts the CI/CD pipeline.
E. Use a customer managed AWS KMS key to encrypt the parameter. Grant decrypt permissions for the customer managed key to the AWS account that hosts the CI/CD pipeline.
F. Create an AWS Resource Access Manager (AWS RAM) resource share in the central AWS account. Share the parameter with the account that hosts the CH/CD pipeline.
Correct Answer: AEF
QUESTION 188
A company is experiencing failures in its AWS CodeDeploy deployments for a critical application. The application is deployed on Amazon EC2 instances. A DevOps engineer must analyze the failed deployments to identify the root cause of the failures. Which solution will provide the appropriate information to troubleshoot the deployment issues?
A. Configure VPC Flow Logs to monitor network traffic. Use Amazon Inspector to detect non-network deployment issues. Use Amazon Detective to analyze the findings.
B. Enable detailed monitoring on the EC2 instances. Use AWS Systems Manager Run Command to run troubleshooting scripts on all the EC2 instances simultaneously. Analyze the results in AWS CloudTrail logs.
C. Use Amazon CloudWatch Logs to review application logs. Analyze CodeDeploy deployment logs in the /opt/codedeploy-agent/deployment-root/ directory on the EC2 instances. Use AWS X-Ray to trace requests through the application components.
D. Examine AWS Trusted Advisor checks for the CodeDeploy deployments. Use the AWS Health Dashboard to monitor application health. Analyze performance metrics in Amazon CloudWatch dashboards.
Correct Answer: C
QUESTION 189
A DevOps engineer is building a photo sharing website that gives users the ability to upload photos and to view photos that other users share. Users upload photos to an Amazon S3 bucket by using presigned URLs. The DevOps engineer must ensure that photos are scanned for malware before the website returns the photos to other users. Which combination of steps will meet these requirements? (Select TWO.)
A. Enable Amazon GuardDuty S3 Protection. Create an AWS Lambda function to process S3 Protection findings and block access to any referenced objects.
B. Create a bucket policy for the S3 bucket. Update the IAM role that the website uses to restrict access to uploaded photos by using tag-based access control (TBAC).
C. Create a resource-based policy for the S3 bucket. Restrict access to uploaded photos by using the aws:Secure Transport condition key.
D. Enable Amazon Macie. Create an AWS Lambda function to process Macie findings and delete any referenced objects that contain malware.
E. Enable Amazon GuardDuty Malware Protection for S3 with object tagging.
Correct Answer: AE
QUESTION 190
A company has a workflow that generates a file for each of the company’s products and stores the files in a production environment Amazon S3 bucket. The company’s users can access the S3 bucket. Each file contains a product ID. Product IDs for products that have not been publicly announced are prefixed with a specific UUID. Product IDs are 12 characters long. IDs for products that have not been publicly announces begin with the letter P. The company does not want information about products that have not been publicly announced to be available in the production environment S3 bucket. Which solution will meet these requirements?
A. Create a new staging S3 bucket. Generate all files in the new staging bucket. Create an Amazon Macie custom data identifier to identify product IDs in the new bucket that begin with the specific UUID. Launch an Amazon Macie sensitive data discovery job with the custom data identifier. Copy all files that do not have a Macie finding to the production S3 bucket.
B. Create an Amazon Macie custom data identifier to identify product IDs in the production bucket that begin with the specific UUID. Launch an Amazon Macie sensitive data discovery job with the custom data identifier. Remove all files that have a Macie finding from the production S3 bucket.
C. Create a new staging S3 bucket. Generate all files in the new staging bucket. Launch an Amazon Macie sensitive data discovery job with a managed data identifier. Copy all files that do not have a Macie finding to the production S3 bucket.
D. Create an Amazon Macie sensitive data discovery job with a managed data identifier. Remove all files that have a Macie finding from the production S3 bucket.
Correct Answer: B
QUESTION 191
An ecommerce company hosts a web application on Amazon EC2 instances that are in an Auto Scaling group. The company deploys the application across multiple Availability Zones. Application users are reporting intermittent performance issues with the application. The company enables basic Amazon CloudWatch monitoring for the EC2 instances. The company identifies and implements a fix for the performance issues. After resolving the issues, the company wants to implement a monitoring solution that will quickly alert the company about future performance issues. Which solution will meet this requirement?
A. Enable detailed monitoring for the EC2 instances. Create custom CloudWatch metrics for application-specific performance indicators. Set up CloudWatch arms based on the custom metrics. Use CloudWatch Loas Insights to analyze application loas for error pattern.
B. Use AWS X-Ray to implement distributed tracing. Integrate X-Ray with Amazon CloudWatch RUM. Use Amazon EventBridge to trigger automatic scaling actions based on custom events.
C. Use Amazon CloudFront to deliver the application. Use AWS CloudTrail to monitor API calls. Use AWS Trusted Advisor to generate recommendations to optimize performance. Use Amazon GuardDuty to detect potential performance issues.
D. Enable VPC Flow Logs. Use Amazon Data Firehose to stream flow logs to Amazon S3. Use Amazon Athena to analyze the logs and to send alerts to the company.
Correct Answer: A
QUESTION 192
A company deployed an Amazon CloudFront distribution that accepts requests and routes to an Amazon API Gateway HTTP API. During a recent security audit, the company discovered that requests from the internet could reach the HTTP API without using the CloudFront distribution. A DevOps engineer must ensure that connections to the HTTP API use the CloudFront distribution. Which solution will meet these requirements?
A. Enable VPC Flow Logs to identify requests that reach the HTTP API.
B. Deploy AWS WAF in front of the CloudFront distribution.
C. Implement an identity-based policy on the CloudFront distribution that requires authentication to make requests to the HTTP API.
D. Implement a custom header in the CloudFront distribution. Implement an AWS Lambda authorizer associated with the HTTP API that verifies the custom header.
Correct Answer: D
QUESTION 193
A software as a service (SaaS) company uses an Amazon Elastic Container Service (Amazon ECS) cluster behind an Application Load Balancer (ALB) to provide real-time analytics services to clients. The company is using AWS CodePipeline and AWS CodeDeploy to set up a blue/green deployment process for the solution. The company wants the deployment process to automatically shift traffic in equal increments over a specified total deployment time without any manual intervention. The deployment process must ensure zero downtime and provide seamless updates. Which solution will meet these requirements?
A. Set the TrafficRoutingConfig parameter to TimeBasedLinear in the appspec.yaml file of the CodeDeploy application that the company uses to deploy the ECS services. Set values for the linearPercentage parameter and the linearinterval parameter.
B. Update the TrafficRoutingConfig parameter of the appspec.yaml file of the CodeDeploy application that the company uses to deploy the ECS services to the AllAtOnce type.
C. Create a deployment group configuration. Set the TrafficRoutingConfig parameter to the TimeBasedCanary type. Configure listener rules on the ALB to forward traffic to the target groups based on specified weights.
D. Set up a deployment configuration in CodeDeploy. Configure weighted routing on the ALB during deployment.
Correct Answer: A
QUESTION 194
A company is developing a web application that runs on Amazon EC2 Linux instances. The application requires monitoring of custom performance metrics. The company must collect metrics for API response times and database query latency across multiple instances. Which solution will generate the custom metrics with the LEAST operational overhead?
A. Install the Amazon CloudWatch agent on the instances. Configure the agent to collect the custom metrics. Instrument the application to send the metrics to the agent.
B. Use Amazon Managed Service for Prometheus to scrape the custom metrics from the application. Use the Amazon CloudWatch agent to forward the metrics to CloudWatch.
C. Create a custom AWS Lambda function that polls the application endpoints and database at regular intervals. Program the Lambda function to calculate the custom metrics and to send the metrics to Amazon CloudWatch by using PutMetricData API calls.
D. Implement custom logging in the application code to record the custom metrics. Use Amazon CloudWatch Logs Insights to extract and analyze the metrics.
Correct Answer: B
QUESTION 195
A company uses an organization in AWS Organizations that has all features enabled to manage multiple AWS accounts. The company has enabled AWS Config in all accounts. The company requires developers to create AWS CloudFormation stacks in a new AWS account to test features for a new application that the developers are building. The company wants to ensure that the developers can use only approved Amazon EC2 instance types for the application. Which solution will meet these requirements?
A. Create an AWS Lambda function that returns SUCCESS when the EC2 instance type property matches a value from a list of approved instance types. Activate a CloudFormation Guard Hook in the new AWS account to run the Lambda function.
B. Create an AWS config rule that uses the desired-instance-type rule in the new AWS account. Provide the list of approved instance types in the rule configuration. Create a remediation for the AWS config rule that uses the AWS-StopEC2Instance remediation action.
C. Create an SCP that includes a Deny effect for ec2:Runinstnaces when the ec2: Instance Type property does not match a value from a list of approved instance types. Attach the SCP to the root of the organization.
D. Create a CloudFormation Guard rule to ensure that the EC2 instance type matches a value from a list of approved instance types. Activate a Guard Hook in the new AWS account to run the Guard rule.
Correct Answer: C
QUESTION 196
A company uses Amazon RDS for Microsoft SQL Server as its primary database for applications. The company needs to ensure high availability within and across AWS Regions. An Amazon Route 53 CNAME record is configured for the database endpoint. The applications connect to the database endpoint. The company must redirect application traffic
to a standby database during a failover event. The company must maintain an RPO of less than 1 minute and an RTO of less than 10 minutes. Which solution will meet these requirements?
A. Deploy an Amazon RDS for SQL Server Multi-AZ DB cluster deployment that uses cross-Region read replicas. Use automation to promote the read replica to a standalone instance and to update the Route 53 record.
B. Deploy an Amazon RDS for SQL Server Multi-AZ DB cluster deployment. Set up automated snapshots to be copied to another Region every 5 minutes. Use AWS Lambda to restore the latest snapshot in the secondary Region during failover.
C. Deploy an Amazon RDS for SQL Server Single-AZ DB instance. Use AWS Database Migration Service (AWS DMS) to replicate data continuously to an RDS DB instance in another Region. Use Amazon CloudWatch alarms to notify the company about failover events.
D. Deploy an Amazon RDS for SQL Server Single-AZ DB instance. Configure AWS Backup to create cross-Region backups every 30 seconds. Use automation to restore the latest backup and to update the Route 53 record during failover.
Correct Answer: A
QUESTION 197
A company wants to improve its security practices by enforcing least privilege across all projects. Developers must be able to access Amazon EC2 resources but not Amazon RDS resources. Database administrators must have access only to Amazon RDS resources. Every employee has a unique IAM user. There are already pre-existing IAM policies for developer and database administrator job functions. All AWS resources are already tagged with appropriate project tags. All the IAM users are tagged with the appropriate project and job function. The company must ensure that each employee can access only the project that the employee is working on. Which solution will meet these requirements? (Select THREE.)
A. For each project, create one IAM role for developers and one IAM role for database administrators. Tag the IAM roles with the corresponding projects and job functions.
B. Modify the pre-existing IAM policies to include a StringEquals Resource Tag condition for projects that match the PrincipalTag value. Attach the modified policies to the IAM roles for each job function.
C. Create an IAM policy that allows users to assume a role when the Resource Tag value matches the PrincipalTag value for project tags and job title tags. Attach the new policy to all IAM users.
D. Create an IAM policy that allows users to assume a role when the Resource Tag value matches the PrincipalTag value for project tags and job title tags. Attach the new policy to the IAM roles for each job function.
E. Tag the pre-existing IAM policies with the appropriate projects and job functions. Attach the modified policies to IAM roles for each job function.
F. For each project, create one IAM group for developers and one IAM group for database administrators. Add the appropriate users to each group so the users can assume their respective IAM roles.
Correct Answer: ABC
QUESTION 198
A company runs an application on an Amazon Elastic Kubernetes Service (Amazon EKS) cluster in the company’s primary AWS Region and secondary Region. The company uses Auto Scaling groups to distribute each EKS cluster’s worker nodes across multiple Availability Zones. Both EKS clusters also have an Application Load Balancer (ALB) to distribute incoming traffic. The company wants to deploy a new stateless application to its infrastructure. The company requires a multi-Region, fault tolerant solution. Which solution will meet these requirements?
A. Deploy the new application to both EKS clusters. Create Amazon Route 53 records with health checks for both ALBs. Use a failover routing policy. Implement Kuberetes readiness and liveness probes.
B. Deploy the new application to the EKS cluster in the primary Region. Create Amazon Route 53 records with health checks for the primary Region ALB. Use a simple routing policy.
C. Deploy the new application to both EKS clusters. Create Amazon Route 53 records with a weighted routing policy that evenly splits traffic between both ALBs. Implement Kubernetes readiness and liveness probes.
D. Deploy the new application to the EKS cluster in the primary Region. Create Amazon Route 53 records with health checks for the primary Region ALB. Use a failover routing policy.
Correct Answer: A
QUESTION 199
A company manages multiple AWS accounts by using AWS Organizations with OUs for the different business divisions. The company is updating their corporate network to use new IP address ranges. The company has 10 Amazon S3 buckets in different AWS accounts. The S3 buckets store reports for the different divisions. The S3 bucket configurations allow only private corporate network IP addresses to access the S3 bucket. A DevOps engineer needs to change the range of IP addresses that have permission to access the contents of the S3 buckets. The DevOps engineer also needs to revoke the permissions of two OUs in the company. Which solution will meet these requirements?
A. Create a new SCP that has two statements, one that allows access to the new range of IP addresses for all the S3 buckets and one that denies access to the old range of IP addresses for all the S3 buckets. Set a permissions boundary for the OrganizationAccountAccessRole role in the two OUs to deny access to the S3 buckets.
B. Create a new SCP that has a statement that allows only the new range of IP addresses to access the S3 buckets. Create another SCP that denies access to the S3 buckets. Attach the second SCP to the two OUs.
C. On all the S3 buckets, configure resource-based policies that allow only the new range of IP addresses to access the S3 buckets. Create a new SCP that denies access to the S3 buckets. Attach the SCP to the two OUs.
D. On all the S3 buckets, configure resource-based policies that allow only the new range of IP addresses to access the S3 buckets. Set a permissions boundary for the OrganizationAccountAccessRole role in the two OUs to deny access to the S3 buckets.
Correct Answer: C
QUESTION 200
A company has a fleet of Amazon EC2 instances that run Linux in a single AWS account. The company is using an AWS Systems Manager Automation task across the EC2 instances. During the most recent patch cycle, several EC2 instances went into an error state because of insufficient available disk space. A DevOps engineer needs to ensure that the EC2 instances have sufficient available disk space during the patching process in the future. Which combination of steps will meet these requirements? (Select TWO.)
A. Ensure that the Amazon CloudWatch agent is installed on all EC2 instances.
B. Create a cron job that is installed on each EC2 instance to periodically delete temporary files.
C. Create an Amazon CloudWatch log group for the EC2 instances. Configure a cron job that is installed on each EC2 instance to write the available disk space to a CloudWatch log stream for the relevant EC2 instance.
D. Create an Amazon CloudWatch alarm to monitor available disk space on all EC2 instances. Add the alarm as a safety control to the Systems Manager Automation task.
E. Create an AWS Lambda function to periodically check for sufficient available disk space on all EC2 instances by evaluating each EC2 instance’s respective Amazon CloudWatch log stream.
Correct Answer: AD
We use cookies to improve your experience, including essential cookies required for the website to function. By continuing, you agree to our use of cookies. Learn more.
We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.
Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.
Advertisement cookies are used to provide visitors with customised advertisements based on the pages you visited previously and to analyse the effectiveness of the ad campaigns.
Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.