QUESTION 81
A DevOps engineer is working on a data archival project that requires the migration of on-premises data to an Amazon S3 bucket. The DevOps engineer develops a script that incrementally archives on-premises data that is older than 1 month to Amazon S3. Data that is transferred to Amazon S3 is deleted from the on-premises location. The script uses the S3 PutObject operation. During a code review, the DevOps engineer notices that the script does not verify whether the data was successfully copied to Amazon S3. The DevOps engineer must update the script to ensure that data is not corrupted during transmission. The script must use MD5 checksums to verify data integrity before the on-premises data is deleted. Which solutions for the script will meet these requirements? (Select TWO.)
A. Check the returned response for the VersionId. Compare the returned VersionId against the MD5 checksum.
B. Include the MD5 checksum within the Content-MD5 parameter. Check the operation call’s return status to find out if an error was returned.
C. Include the checksum digest within the tagging parameter as a URL query parameter.
D. Check the returned response for the Tag. Compare the returned Tag against the MD5 checksum.
E. Include the checksum digest within the Metadata parameter as a name-value pair. After upload, use the S3 HeadObject operation to retrieve metadata from the object.
Correct Answer: BD
QUESTION 82
A company has deployed a critical application in two AWS Regions. The application uses an Application Load Balancer (ALB) in both Regions. The company has Amazon Route 53 alias DNS records for both ALBs. The company uses Amazon Route 53 Application Recovery Controller to ensure that the application can fail over between the two Regions. The Route 53 ARC configuration includes a routing control for both Regions. The company uses Route 53 ARC to perform quarterly disaster recovery (DR) tests. During the most recent DR test, a DevOps engineer accidentally turned off both routing controls. The company needs to ensure that at least one routing control is turned on at all times. Which solution will meet these requirements?
A. In Route 53 ARC, create a new assertion safety rule. Apply the assertion safety rule to the two routing controls. Configure the rule with the ATLEAST type with a threshold of 1.
B. In Route 53 ARC, create a new gating safety rule. Apply the gating safety rule to the two routing controls. Configure the rule with the OR type with a threshold of 1.
C. In Route 53 ARC, create a new resource set. Configure the resource set with an AWS::Route53::HealthCheck resource type. Specify the ARNs of the two routing controls as the target resource. Create a new readiness check for the resource set.
D. In Route 53 ARC, create a new resource set. Configure the resource set with an AWS::Route53RecoveryReadiness.DNS TargetResource resource type. Add the domain names of the two Route 53 alias DNS records as the target resource. Create a new readiness check for the resource set.
Correct Answer: A
QUESTION 83
A company uses AWS Control Tower and AWS CloudFormation to manage its AWS accounts and to create AWS resources. The company requires all Amazon S3 buckets to be encrypted with AWS Key Management Service (AWS KMS) when the S3 buckets are created in a CloudFormation stack. Which solution will meet this requirement?
A. Use AWS Organizations. Attach an SCP that denies the s3:PutObject permission if the request does not include an x-amz-server-side-encryption header that requests server-side encryption with AWS KMS keys (SSE-KMS).
B. Use AWS Control Tower with a multi-account environment. Configure and enable proactive AWS Control Tower controls on all OUs with CloudFormation hooks.
C. Use AWS Control Tower with a multi-account environment. Configure and enable detective AWS Control Tower controls on all OUs with CloudFormation hooks.
D. Use AWS Organizations. Create an AWS Config organizational rule to check whether a KMS encryption key is enabled for all S3 buckets. Deploy the rule. Create and apply an SCP to prevent users from stopping and deleting AWS Config across all AWS accounts.
Correct Answer: B
QUESTION 84
A company uses Amazon EC2 as its primary compute platform. A DevOps team wants to audit the company’s EC2 instances to check whether any prohibited applications have been installed on the EC2 instances. Which solution will meet these requirements with the MOST operational efficiency?
A. Configure AWS Systems Manager on each instance. Use AWS Systems Manager Inventory. Use Systems Manager resource data sync to synchronize and store findings in an Amazon S3 bucket. Create an AWS Lambda function that runs when new objects are added to the S3 bucket. Configure the Lambda function to identity prohibited applications.
B. Configure AWS Systems Manager on each instance. Use Systems Manager Inventory. Create AWS Config rules that monitor changes from Systems Manager Inventory to identify prohibited applications.
C. Configure AWS Systems Manager on each instance. Use Systems Manager Inventory. Filter a trail in AWS Cloud Trail for Systems Manager Inventory events to identify prohibited applications.
D. Designate Amazon CloudWatch Logs as the log destination for all application instances. Run an automated script across all instances to create an inventory of installed applications. Configure the script to forward the results to CloudWatch Logs. Create a CloudWatch alarm that uses filter patterns to search log data to identify prohibited applications.
Correct Answer: B
QUESTION 85
A DevOps engineer needs to design a cloud-based solution to standardize deployment artifacts for AWS Cloud deployments and on-premises deployments. There is currently no routing traffic between the on-premises data center and the AWS environment. The solution must be able to consume downstream packages from public repositories and must be highly available. Data must be encrypted in transit and at rest. The solution must store the deployment artifacts in object storage and deploy the deployment artifacts into Amazon Elastic Container Service (Amazon ECS). The deployment artifacts must be encrypted in transit if the deployment artifacts travel across the public internet. The DevOps engineer needs to deploy this solution in less than two weeks. Which solution will meet these requirements?
A. Use a third-party software VPN appliance to connect the on-premises data center and AWS. Use AWS CodeArtifact to store the deployment artifacts.
B. Use an AWS Direct Connect connection and a VPN connection to connect the on-premises data center to AWS. Deploy third-party artifact management software on Amazon EC2 instances.
C. Use two AWS VPN connections to connect the on-premises data center to AWS. Use AWS CodeArtifact to store the deployment artifacts.
D. Use parallel AWS Direct Connect connections to connect the on-premises data center to AWS. Deploy third-party artifact management software on Amazon EC2 instances.
Correct Answer: C
QUESTION 86
A DevOps engineer needs to troubleshoot a pipeline that uses a GitHub code repository. The pipeline contains a source stage, a build stage, and a deploy stage. The pipeline also has an AWS CodeStar connection to the GitHub code repository. The build stage uses an AWS CodeBuild build project. The build project needs to perform a git clone of the repository as part of the build process. The DevOps engineer validates that the source stage is working properly. However, the build stage fails each time the pipeline runs. What is the reason that the build stage fails in the pipeline?
A. The build stage within the pipeline needs to use the AWS CodeStar connection action.
B. The AWS CodeStar connection to GitHub contains incorrect credentials.
C. The AWS CodePipeline service role does not have permission to use the AWS CodeStar connection.
D. The AWS CodeBuild service role does not have permission to use the AWS CodeStar connection.
Correct Answer: D
QUESTION 87
A company runs a fleet of Amazon EC2 instances in a VPC. The company’s employees remotely access the EC2 instances by using the Remote Desktop Protocol (RDP). The company wants to collect metrics about how many RDP sessions the employees initiate every day. Which combination of steps will meet this requirement? (Select THREE.)
A. Create an Amazon EventBridge rule that reacts to EC2 Instance State-change Notification events.
B. Create an Amazon CloudWatch Logs log group. Specify the log group as a target for the EventBridge rule.
C. Create a flow log in VPC Flow Logs.
D. Create an Amazon CloudWatch Logs log group. Specify the log group as a destination for the flow log.
E. Create a log group metric filter.
F. Create a log group subscription filter. Use EventBridge as the destination.
Correct Answer: CDF
QUESTION 88
A company has an event-driven JavaScript application. The application uses decoupled AWS managed services that publish, consume, and route events. During application testing, events are not delivered to the target that is specified by an Amazon EventBridge rule. A DevOps team must provide application testers with additional functionality to view, troubleshoot, and prevent the loss of events without redeployment of the application. Which combination of steps should the DevOps team take to meet these requirements? (Select THREE.)
A. Launch AWS Device Farm with a standard test environment and project to run a specific build of the application.
B. Create an Amazon S3 bucket. Enable AWS CloudTrail. Create a CloudTrail trail that specifies the S3 bucket as the storage location.
C. Configure the EventBridge rule to use an Amazon Simple Queue Service (Amazon SQS) standard queue as a dead-letter queue.
D. Configure the EventBridge rule to use an Amazon Simple Queue Service (Amazon SQS) FIFO queue as a dead-letter queue.
E. Create a log group in Amazon CloudWatch Logs. Specify the log group as an additional target of the EventBridge rule.
F. Update the application code base to use the AWS X-Ray SDK tracing feature to instrument the code with support for the X-Amzn-Trace-Id header.
Correct Answer: CEF
QUESTION 89
A company uses an organization in AWS Organizations to manage its AWS accounts. The company’s automation account contains a CI/CD pipeline that creates and configures new AWS accounts. The company has a group of internal service teams that provide services to accounts in the organization. The service teams operate out of a set of services accounts. The service teams want to receive an AWS CloudTrail event in their services accounts when the CreateAccount API call creates a new account. How should the company share this Cloud Trail event with the service accounts?
A. Create an Amazon EventBridge rule in the automation account to send account creation events to the default event bus in the services accounts. Update the default event bus in the services accounts to allow events from the automation account.
B. Create a custom Amazon EventBridge event bus in the services accounts. Update the custom event bus to allow events from the automation account. Create an EventBridge rule in the services account that directly listens to CloudTrail events from the automation account.
C. Create a custom Amazon EventBridge event bus in the automation account and the services accounts. Create an EventBridge rule and policy that connects the custom event buses that are in the automation account and the services accounts.
D. Create a custom Amazon EventBridge event bus in the automation account. Create an EventBridge rule and policy that connects the custom event bus to the default event buses in the services accounts.
Correct Answer: A
QUESTION 90
A company uses an organization in AWS Organizations to manage its AWS accounts. The company’s DevOps team has developed an AWS Lambda function that calls the Organizations API to create new AWS accounts. The Lambda function runs in the organization’s management account. The DevOps team needs to move the Lambda function from the management account to a dedicated AWS account. The DevOps team must ensure that the Lambda function has the ability to create new AWS accounts only in Organizations before the team deploys the Lambda function to the new account. Which solution will meet these requirements?
A. In the management account, create a new IAM role that has the necessary permission to create new accounts in Organizations. Allow the role to be assumed by the Lambda execution role in the new AWS account. Update the Lambda function code to assume the role when the Lambda function creates new AWS accounts. Update the Lambda execution role to ensure that it has permission to assume the new role.
B. In the management account, turn on delegated administration for Organizations. Create a new delegation policy that grants the new AWS account permission to create new AWS accounts in Organizations. Ensure that the Lambda execution role has the organizations: CreateAccount permission.
C. In the management account, create a new IAM role that has the necessary permission to create new accounts in Organizations. Allow the role to be assumed by the Lambda service principal. Update the Lambda function code to assume the role when the Lambda function creates new AWS accounts. Update the Lambda execution role to ensure that it has permission to assume the new role.
D. In the management account, enable AWS Control Tower. Turn on delegated administration for AWS Control Tower. Create a resource policy that allows the new AWS account to create new AWS accounts in AWS Control Tower. Update the Lambda function code to use the AWS Control Tower API in the new AWS account. Ensure that the Lambda execution role has the controltower:CreateManagedAccount permission.
Correct Answer: A
QUESTION 91
A DevOps administrator is configuring a repository to store a company’s container images. The administrator needs to configure a lifecycle rule that automatically deletes container images that have a specific tag and that are older than 15 days. Which solution will meet these requirements with the MOST operational efficiency?
A. Create a repository in Amazon Elastic Container Registry (Amazon ECR). Add a lifecycle policy to the repository to expire images that have the matching tag after 15 days.
B. Create a repository in AWS CodeArtifact. Add a repository policy to the CodeArtifact repository to expire old assets that have the matching tag after 15 days.
C. Create a bucket in Amazon S3. Add a bucket lifecycle policy to expire old objects that have the matching tag after 15 days.
D. Create an EC2 Image Builder container recipe. Add a build component to expire the container that has the matching tag after 15 days.
Correct Answer: A
QUESTION 92
A company’s DevOps team uses Node Package Manager (NPM) open source libraries to build applications. The DevOps team runs its application build process in an AWS CodeBuild project that downloads the PM libraries from public PM repositories. The company wants to host the NPM libraries in private PM repositories. The company also needs to be able to run checks on new versions of the libraries before the DevOps team uses the libraries. Which solution will meet these requirements with the LEAST operational effort?
A. Create an AWS CodeArtifact repository with an upstream repository named npm-store. Configure the application build process to use the CodeArtifact repository as the default source for NPM. Create an AWS CodePipeline pipeline to perform the required checks on package versions in the CodeArtifact repository. Set the package status to unlisted if a failure occurs.
B. Enable Amazon S3 caching in the CodeBuild project configuration. Add a step in the buildspec.yaml config file to perform the required checks on the package versions in the cache.
C. Create an AWS CodeCommit repository for each library. Clone the required NPM libraries to the appropriate CodeCommit repository. Modify the CodeBuild appspec.yaml config file to use the private CodeCommit repositories. Add a step to perform the required checks on the package versions.
D. Create an AWS CodeCommit repository for each library. Clone the required NPM libraries to the appropriate CodeCommit repository. Modify the CodeBuild buildspec.yaml config file so that PM uses the private CodeCommit repositories. Add an AWS CodePipeline pipeline that performs the required checks on the package versions for each new commit to the repositories. Configure the pipeline to revert to the most recent commit in the event of a failure.
Correct Answer: A
QUESTION 93
A company hosts an application in its AWS account. The application uses an Amazon S3 bucket to store objects that contain sensitive information. The company needs to capture object-level S3 API calls, including calls that are rejected because the calls were made by using credentials that are not valid. Which solution will meet these requirements?
A. Create an AWS CloudTrail trail in the account. Enable S3 data events logging. Configure the trail to log to Amazon CloudWatch.
B. Create a new S3 bucket. Configure access logging on the application’s S3 bucket. Deliver the access logs to the new S3 bucket.
C. Configure Amazon GuardDuty with S3 protection enabled for the account. Create an Amazon EventBridge rule that matches findings that are associated with the S3 bucket. Configure the rule to use an Amazon Simple Queue Service (Amazon SQS) queue as the target.
D. Create an AWS CloudTrail trail and a new S3 bucket in the account. Configure the trail to log to the S3 new bucket.
Correct Answer: A
QUESTION 94
A company has an application that runs in a single AWS Region. The application runs on an Amazon Elastic Kubernetes Service (Amazon EKS) cluster and connects to an Amazon Aurora MySQL cluster. The application is built in an AWS CodeBuild project. The container images are published to Amazon Elastic Container Registry (Amazon ECR). The company needs to replicate the state of the application for the container images and the database to a second Region. Which solution will meet these requirements in the MOST operationally efficient way?
A. Turn on Amazon S3 Cross-Region Replication (CRR) on the bucket that holds the ECR container images. Deploy the application to an EKS cluster in the second Region by referencing the new S3 bucket object URL for the container image in a Kubernetes deployment file. Configure a cross-Region Aurora Replica in the second Region. Configure the new application deployment to use the endpoints for the cross-Region Aurora Replica.
B. Create an Amazon EventBridge rule that reacts to image pushes to the ECR repository. Configure the EventBridge rule to invoke an AWS Lambda function to replicate the image to a new ECR repository in the second Region. Deploy the application to an EKS cluster in the second Region by referencing the new ECR repository in a Kubernetes deployment file. Configure a cross-Region Aurora Replica in the second Region. Configure the new application deployment to use the endpoints for the cross-Region Aurora Replica.
C. Turn on Cross-Region Replication to replicate the ECR repository to the second Region. Deploy the application to an EKS cluster in the second Region by referencing the new ECR repository in a Kubernetes deployment file. Configure an Aurora global database with clusters in the initial Region and the second Region. Configure the new application deployment to use the endpoints for the second Region’s cluster in the Aurora global database.
D. Configure the CodeBuild project to also push the container image to an ECR repository in the second Region. Deploy the application to an EKS cluster in the second Region by referencing the new ECR repository in a Kubernetes deployment file. Configure an Aurora MySQL cluster in the second Region as the target for binary log replication from the Aurora MySQL cluster in the initial Region. Configure the new application deployment to use the endpoints for the second Region’s cluster.
Correct Answer: C
QUESTION 95
A company uses Amazon S3 buckets to store application data. The company needs a centrally managed solution to restore the application data in Amazon S3 with an RPO of 15 minutes. The data must be copied into a second AWS Region. The RPO for the second Region can be up to 24 hours. Which solution will meet these requirements with the MOST operational efficiency?
A. Enable S3 Versioning on the S3 buckets. Create a vault and a backup plan by using AWS Backup. Add a backup rule that has continuous backup enabled and a cross-Region copy action. Add the S3 buckets to the backup plan. Use AWS Backup to manage data recovery.
B. Enable S3 Replication Time Control (S3 RTC) on the S3 buckets. Create a vault and a backup plan by using AWS Backup. Add a backup rule that has continuous backup enabled and a cross-Region copy action. Add the S3 buckets to the backup plan. Use AWS Backup to manage data recovery.
C. Enable S3 Versioning and S3 Replication Time Control (S3 RTC) on the S3 buckets. Run AWS CLI commands to automate the configuration of S3 Cross-Region Replication (CRR). Configure each S3 bucket to replicate into a different Region. Use S3 Versioning and S3 Batch Operations to manage data recovery.
D. Enable S3 Versioning on the S3 buckets. Create a vault and a backup plan by using AWS Backup. Add a backup rule with continuous multi-Region backup enabled. Add the S3 buckets to the backup plan. Use S3 Batch Operations to manage data recovery.
Correct Answer: A
QUESTION 96
A company uses AWS Organizations to manage its AWS accounts. A DevOps engineer must ensure that all users who access the AWS Management Console are authenticated through the company’s corporate identity provider (IdP). Which combination of steps will meet these requirements? (Select TWO.)
A. Use Amazon GuardDuty with a delegated administrator account. Use GuardDuty to enforce denial of IAM user logins.
B. Use AWS IAM Identity Center to configure identity federation with SAML 2.0.
C. Create a permissions boundary in AWS IAM Identity Center to deny password logins for IAM users.
D. Create IAM groups in the Organizations management account to apply consistent permissions for all IAM users.
E. Create an SCP in Organizations to deny password creation for IAM users.
Correct Answer: BE
QUESTION 97
A DevOps engineer is building the infrastructure for an application. The application needs to run on an Amazon Elastic Kubernetes Service (Amazon EKS) cluster that includes Amazon EC2 instances. The EC2 instances need to use an Amazon Elastic File System (Amazon EFS) file system as a storage backend. The Amazon EFS Container Storage Interface (CSI) driver is installed on the EKS cluster. When the DevOps engineer starts the application, the EC2 instances do not mount the EFS file system. Which solutions will fix the problem? (Select THREE.)
A. Switch the EKS nodes from Amazon EC2 to AWS Fargate.
B. Add an inbound rule to the EFS file system’s security group to allow NFS traffic from the EKS cluster.
C. Create an IAM role that allows the Amazon EFS CSI driver to interact with the file system.
D. Set up AWS DataSync to configure file transfer between the EFS file system and the EKS nodes.
E. Create a mount target for the EFS file system in the subnet of the EKS nodes.
F. Disable encryption on the EFS file system.
Correct Answer: BCE
QUESTION 98
A DevOps engineer is updating an existing service in an Amazon Elastic Container Service (Amazon ECS) cluster. The service uses the rolling update deployment type. All updates to the cluster are deployed by using AWS CloudFormation. Currently no automated remediation occurs when a deployment fails. The service remains in a FAILED state until the DevOps team manually resolves the discovered issues. The DevOps engineer needs to configure an automatic solution to remediate when a deployment fails because the service task fails to start. The service must be automatically rolled back to its most recent completed deployment. Which solution will meet these requirements with the LEAST operational overhead?
A. Configure Amazon CloudWatch alarms that check the service’s runtime metrics. Update the service deployment configuration to reference the new alarms.
B. Set an Amazon EventBridge rule that uses the SERVICE_DEPLOYMENT_FAILED event name. Add an AWS Lambda function target that rolls the service back to the most recent deployment that is in a COMPLETED state.
C. Update the service to use the ECS deployment circuit breaker failure detection support. Configure the service to roll back on failures.
D. Use an AWS CodeDeploy deployment group for all ECS service updates. Configure automatic rollbacks on the deployment group to roll back to the most recent successful deployment when a deployment fails.
Correct Answer: C
QUESTION 99
A security team must record the configuration of AWS resources, detect issues, and send notifications for findings. The main workload in the AWS account consists of an Amazon EC2 Auto Scaling group that scales in and out several times during the day. The team wants to be notified within 2 days if any Amazon EC2 security group allows traffic on port 22 for 0.0.0.0/0. The team also needs a snapshot of the configuration of the AWS resources to be taken routinely. The security team has already created and subscribed to an Amazon Simple Notification Service (Amazon SNS) topic. Which solution meets these requirements?
A. Configure AWS Config to use periodic recording for the AWS account. Deploy the vpc-sg-port-restriction-check AWS Config managed rule. Configure AWS Config to use the SNS topic as the target for notifications.
B. Configure AWS Config to use configuration change recording for the AWS account. Deploy the vpc-sg-open-only-to-authorized-ports AWS Config managed rule. Configure AWS Config to use the SNS topic as the target for notifications.
C. Configure AWS Config to use configuration change recording for the AWS account. Deploy the ssh-restricted AWS Config managed rule. Configure AWS Config to use the SNS topic as the target for notifications.
D. Create an AWS Lambda function to evaluate security groups and publish a message to the SNS topic. Use an Amazon EventBridge rule to schedule the Lambda function to run once a day.
Correct Answer: A
QUESTION 100
A company has an application that runs on Amazon EC2 instances in an Auto Scaling group. The application processes a high volume of messages from an Amazon Simple Queue Service (Amazon SQS) queue. A DevOps engineer noticed that the application took several hours to process a group of messages from the SQS queue. The average CPU utilization of the Auto Scaling group did not cross the threshold of a target tracking scaling policy when processing the messages. The application that processes the SQS queue publishes logs to Amazon CloudWatch Logs. The DevOps engineer needs to ensure that the queue is processed quickly. Which solution meets these requirements with the LEAST operational overhead?
A. Create an AWS Lambda function. Configure the Lambda function to publish a custom metric by using the ApproximateNumber0fMessagesVisible SQS queue attribute and the GroupInServiceInstances Auto Scaling group attribute to publish the queue messages for each instance. Schedule an Amazon EventBridge rule to run the Lambda function every hour. Create a target tracking scaling policy for the Auto Scaling group that uses the custom metric to scale in and out.
B. Create an AWS Lambda function. Configure the Lambda function to publish a custom metric by using the ApproximateNumberfMessagesVisible SQS queue attribute and the GroupInServiceInstances Auto Scaling group attribute to publish the queue messages for each instance. Create a CloudWatch subscription filter for the application logs with the Lambda function as the target. Create a target tracking scaling policy for the Auto Scaling group that uses the custom metric to scale in and out.
C. Create a target tracking scaling policy for the Auto Scaling group. In the target tracking policy, use the ApproximateNumberfMessagesVisible SQS queue attribute and the GroupInServiceInstances Auto Scaling group attribute to calculate how many messages are in the queue for each number of instances by using metric math. Use the calculated attribute to scale in and out.
D. Create an AWS Lambda function that logs the ApproximateNumberOfMessagesVisible attribute of the SQS queue to a CloudWatch Logs log group. Schedule an Amazon EventBridge rule to run the Lambda function every 5 minutes. Create a metric filter to count the number of log events from a CloudWatch logs group. Create a target tracking scaling policy for the Auto Scaling group that uses the custom metric to scale in and out.
Correct Answer: C
We use cookies to improve your experience, including essential cookies required for the website to function. By continuing, you agree to our use of cookies. Learn more.
We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.
Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.
Advertisement cookies are used to provide visitors with customised advertisements based on the pages you visited previously and to analyse the effectiveness of the ad campaigns.
Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.