QUESTION 101
A DevOps engineer uses AWS WAF to manage web ACLs across an AWS account. The DevOps engineer must ensure that AWS WAF is enabled for all Application Load Balancers (ALBs) in the account. The DevOps engineer uses an AWS CloudFormation template to deploy an individual ALB and AWS WAF as part of each application stack’s deployment process. If AWS WAF is removed from the ALB after the ALB is deployed, AWS WAF must be added to the ALB automatically. Which solution will meet these requirements with the MOST operational efficiency?
A. Enable AWS Config. Add the alb-waf-enabled managed rule. Create an AWS Systems Manager Automation document to add AWS WAF to an ALB. Edit the rule to automatically remediate. Select the Systems Manager Automation document as the remediation action.
B. Enable AWS Config. Add the alb-waf-enabled managed rule. Create an Amazon EventBridge rule to send all AWS Config Configuration]temChangeNotification notification types to an AWS Lambda function. Configure the Lambda function to call the AWS Config start-resource-evaluation API in detective mode.
C. Configure an Amazon EventBridge rule to periodically call an AWS Lambda function that calls the detect-stack-drift API on the CloudFormation template. Configure the Lambda function to modify the ALB attributes with waf. fail_open.enabled set to true if the AWS::WAFv2::WebACLAssociation resource shows a status of drifted.
D. Configure an Amazon EventBridge rule to periodically call an AWS Lambda function that calls the detect-stack-drift API on the CloudFormation template. Configure the Lambda function to delete and redeploy the CloudFormation stack if the AWS::WAFv2::WebACLAssociation resource shows a status of drifted.
Correct Answer: C
QUESTION 102
A DevOps administrator is responsible for managing the security of a company’s Amazon CloudWatch Logs log groups. The company’s security policy states that employee IDs must not be visible in logs except by authorized personnel. Employee IDs follow the pattern of Emp-XXXXXX, where each X is a digit. An audit discovered that employee IDs are found in a single log file. The log file is available to engineers, but the engineers are not authorized to view employee IDs. Engineers currently have an AWS IAM Identity Center permission that allows logs:* on all resources in the account. The administrator must mask the employee ID so that new log entries that contain the employee ID are not visible to unauthorized personnel. Which solution will meet these requirements with the MOST operational efficiency?
A. Create a new data protection policy on the log group. Add an Emp-d<{6} custom data identifier configuration. Create an IAM policy that has a Deny action for the “Action”: “logs:Unmask” permission on the resource. Attach the policy to the engineering accounts.
B. Create a new data protection policy on the log group. Add managed data identifiers for the personal data category. Create an IAM policy that has a Deny action for the “NotAction”:”logs: Unmask” permission on the resource. Attach the policy to the engineering accounts.
C. Create an AWS Lambda function to parse a log file entry, remove the employee ID, and write the results to a new log file. Create a Lambda subscription filter on the log group and select the Lambda function. Grant the lambda:InvokeFunction permission to the log group.
D. Create an Amazon Data Firehose delivery stream that has an Amazon S3 bucket as the destination. Create a Firehose subscription filter on the log group that uses the Firehose delivery stream. Remove the “logs:*” permission on the engineering accounts. Create an Amazon Macie job on the S3 bucket that has an Emp-d<{6} custom identifier.
Correct Answer: A
QUESTION 103
A company uses an organization in AWS Organizations to manage its 500 AWS accounts. The organization has all features enabled. The AWS accounts are in a single OU. The developers need to use the CostCenter tag key for all resources in the organization’s member accounts. Some teams do not use the CostCenter tag key to tag their Amazon EC2 instances. The cloud team wrote a script that scans all EC2 instances in the organization’s member accounts. If the EC2 instances do not have a CostCenter tag key, the script will notify AWS account administrators. To avoid this notification, some developers use the CostCenter tag key with an arbitrary string in the tag value. The cloud team needs to ensure that all EC2 instances in the organization use a CostCenter tag key with the appropriate cost center value. Which solution will meet these requirements?
A. Create an SCP that prevents the creation of EC2 instances without the CostCenter tag key. Create a tag policy that requires the CostCenter tag to be values from a known list of cost centers for all EC2 instances. Attach the policy to the OU. Update the script to scan the tag keys and tag values. Modify the script to update noncompliant resources with a default approved tag value for the CostCenter tag key.
B. Create an SCP that prevents the creation of EC2 instances without the CostCenter tag key. Attach the policy to the OU. Update the script to scan the tag keys and tag values and notify the administrators when the tag values are not valid.
C. Create an SCP that prevents the creation of EC2 instances without the CostCenter tag key. Attach the policy to the OU. Create an IAM permission boundary in the organization’s member accounts that restricts the CostCenter tag values to a list of valid cost centers.
D. Create a tag policy that requires the CostCenter tag to be values from a known list of cost centers for all EC2 instances. Attach the policy to the OU. Configure an AWS Lambda function that adds an empty CostCenter tag key to an EC2 instance. Create an Amazon EventBridge rule that matches events to the RunInstances API action with the Lambda function as the target.
Correct Answer: A
QUESTION 104
A company uses an AWS Cloud Development Kit (AWS CDK) application for its infrastructure. The AWS CDK application creates AWS Lambda functions and the IAM roles that are attached to the functions. The company also uses AWS Organizations. The company’s developers can assume the AWS CDK application deployment role. The company’s security team discovered that the developers and the role used to deploy the AWS CDK application have more permissions than necessary. The security team also discovered that the roles attached to the Lambda functions that the CDK application creates have more permissions than necessary. The developers must not have the ability to grant additional permissions. Which solution will meet these requirements with the LEAST operational overhead?
A. Create an SCP that denies the am:CreateRole action and the am:UpdateRole action for the developer role and the AWS CDK application deployment role. Centrally create new IAM roles to attach to the Lambda functions for the developers to use to provision Lambda functions.
B. Create an IAM permission boundary policy. Define the maximum actions that the AWS CDK application requires in the policy. Update the account’s AWS CDK bootstrapping to use the permission boundary. Update the configuration in the AWS CDK application for the default permissions boundary to use the policy.
C. Create an IAM permission boundary policy. Define the maximum actions that the AWS CDK application requires in the policy. Instruct the developers to use the permission boundary policy name when they create a role in the AWS CDK application code.
D. Create an SCP that denies the lam:CreateRole action and the am:UpdateRole action for the developer role. Give the AWS CDK deployment role access to create roles associated with Lambda functions. Run AWS Identity and Access Management Access Analyzer to verify that the Lambda functions role does not have permissions.
Correct Answer: B
QUESTION 105
A company is using Amazon Elastic Kuberetes Service (Amazon EKS) to run its applications. The EKS cluster is successfully running multiple pods. The company stores the pod images in Amazon Elastic Container Registry (Amazon ECR). The company needs to configure Pod Identity access for the EKS cluster. The company has already updated the node IAM role by using the permissions for Pod Identity access. Which solution will meet these requirements?
A. Create an IAM OpenID Connect (OIDC) provider for the EKS cluster.
B. Ensure that the nodes can reach the EKS Auth API. Add and configure the EKS Pod Identity Agent add-on for the EKS cluster.
C. Create an EKS access entry that uses the API_AND-CONFIG_MAP cluster authentication mode.
D. Configure the AWS Security Token Service (AWS STS) endpoint for the Kubernetes service account that the pods in the EKS cluster use.
Correct Answer: AD
QUESTION 106
A company stores its Python-based application code in AWS CodeCommit. The company uses AWS CodePipeline to deploy the application. The CodeCommit repository and the CodePipeline pipeline are deployed to the same AWS account. The company’s security team requires all code to be scanned for vulnerabilities before the code is deployed to production. If any vulnerabilities are found, the deployment must stop.Which solution will meet these requirements?
A. Create a new CodeBuild project. Configure the project to run a security scan on the code by using Amazon CodeGuru Security. Configure the CodeBuild project to raise an error if CodeGuru Security finds vulnerabilities. Create a new IAM role that has sufficient permissions to run CodeGuru Security scans. Assign the role to the CodeBuild project. In the CodePipeline pipeline, add a new stage before the deployment stage. Select AWS CodeBuild as the action provider for the new stage. Use the source artifact from the CodeCommit repository. Configure the action to use the CodeBuild project.
B. Create a new CodeBuild project. Configure the project to run a security scan on the code by using Amazon Inspector. Configure the CodeBuild project to raise an error if Amazon Inspector finds vulnerabilities. Create a new IAM role that has sufficient permissions to run Amazon Inspector scans. Assign the role to the CodeBuild project. In the CodePipeline pipeline, add a new stage before the deployment stage. Select AWS CodeBuild as the action provider for the new stage. Use the source artifact from the CodeCommit repository. Configure the action to use the CodeBuild project.
C. Update the IAM role that is attached to CodePipeline to include sufficient permissions to invoke Amazon DevOps Guru. In the CodePipeline pipeline, add a new stage before the deployment stage. Select DevOps Guru as the action provider for the new stage. Use the source artifact from the CodeCommit repository.
D. Update the IAM role that is attached to CodePipeline to include sufficient permissions to invoke Amazon DevOps Guru. In the CodePipeline pipeline, add a new stage before the deployment stage. Select CodeGuru Security as the action provider for the new stage. Use the source artifact from the CodeCommit repository.
Correct Answer: A
QUESTION 107
A video platform company is migrating its video catalog to AWS. The company will host MP4 videos files in an Amazon S3 bucket. The company will use Amazon CloudFront and Amazon EC2 instances to serve the video files. Users first connect to a frontend application that redirects to a video URL. The video URL contains an authorization token in CloudFront. The cache is activated on the CloudFront distribution. Authorization token check activity needs to be logged in Amazon CloudWatch. The company wants to prevent direct access to video files on CloudFront and Amazon S3 and wants to implement checks of the authorization token that the frontend application provides. The company also wants to perform regular rolling updates of the code that checks the authorization token signature. Which solution will meet these requirements with the LEAST operational effort?
A. Implement an authorization token check in Lambda@Edge as a trigger on the CloudFront distribution. Enable CloudWatch logging for the Lambda@Edge function. Attach the Lambda@Edge function to the CloudFront distribution. Implement CloudFront continuous deployment to perform updates.
B. Implement an authorization token check in CloudFront Functions. Enable CloudWatch logging for the CloudFront function. Attach the CloudFront function to the CloudFront distribution. Implement CloudFront continuous deployment to perform updates.
C. Implement an authorization token check in the application code that is installed on the EC2 instances. Install the CloudWatch agent on the EC2 instances. Configure the application to log to the CloudWatch agent. Implement a second CloudFront distribution. Migrate the traffic from the first CloudFront distribution by using Amazon Route 53 weighted routing.
D. Implement an authorization token check in CloudFront Functions. Enable CloudWatch logging for the CloudFront function. Attach the CloudFront function to the CloudFront distribution. Implement a second CloudFront distribution. Migrate the traffic from the first CloudFront distribution by using Amazon Route 53 weighted routing.
Correct Answer: A
QUESTION 108
A company runs several applications in the same AWS account. The applications send logs to Amazon CloudWatch. A data analytics team needs to collect performance metrics and custom metrics from the applications. The analytics team needs to transform the metrics data before storing the data in an Amazon S3 bucket. The analytics team must automatically collect any new metrics that are added to the CloudWatch namespace. Which solution will meet these requirements with the LEAST operational overhead?
A. Configure a CloudWatch metric stream to include metrics from the application and the CloudWatch namespace. Configure the metric stream to deliver the metrics to an Amazon Data Firehose delivery stream. Configure the Firehose delivery stream to invoke an AWS Lambda function to transform the data. Configure the delivery stream to send the transformed data to the S3 bucket.
B. Configure a CloudWatch metrics stream to include all the metrics and to deliver the metrics to an Amazon Data Firehose delivery stream. Configure the Firehose delivery stream to invoke an AWS Lambda function to transform the data. Configure the delivery stream to send the transformed data to the S3 bucket
C. Configure metric filters for the CloudWatch logs to create custom metrics. Configure a CloudWatch metric stream to deliver the application metrics to the S3 bucket.
D. Configure subscription filters on the application log groups to target an Amazon Data Firehose delivery stream. Configure the Firehose delivery stream to invoke an AWS Lambda function to transform the data. Configure the delivery stream to send the transformed data to the S3 bucket
Correct Answer: A
QUESTION 109
A company has multiple AWS accounts in an organization in AWS Organizations that has all features enabled. The company’s DevOps administrator needs to improve security across all the company’s AWS accounts. The administrator needs to identify the top users and roles in use across all accounts. Which solution will meet these requirements with the MOST operational efficiency?
A. Create a new organization trail in AWS CloudTrail. Configure the trail to send log events to Amazon CloudWatch Logs. Create a CloudWatch Contributor Insights rule for the userIdentity.arn log field. View the results in CloudWatch Contributor Insights.
B. Create an unused access analysis for the organization by using AWS Identity and Access Management Access Analyzer. Review the analyzer results and determine if each finding has the intended level of permissions required for the workload.
C. Create a new organization trail in AWS CloudTrail. Create a table in Amazon Athena that uses partition projection. Load the Athena table with CloudTrail data. Query the Athena table to find the top users and roles.
D. Generate a Service access report for each account by using Organizations. From the results, pull the last accessed date and last accessed by account fields to find the top users and roles.
Correct Answer: C
QUESTION 110
A company is redesigning its web application architecture. The application runs on an Amazon EC2 instance and connects to a relational database. An Amazon Route 53 record points to the EC2 instance. The company must implement a solution to make the application highly available across two AWS Regions. Application requests from global customers must be routed to the Region with the lowest latency. Which solution will meet these requirements?
A. Create an Application Load Balancer (ALB) in each Region. Create an Auto Scaling group of EC2 instances across multiple Availability Zones in each Region. Register the Auto Scaling group with the ALB. Create an Amazon Aurora global database that has read replicas in each Region. Update the Route 53 record with latency-based routing to point to the ALBs.
B. Create an Application Load Balancer (ALB) in each Region. Create an Auto Scaling group of EC2 instances across multiple Availability Zones in each Region. Register the Auto Scaling group with the ALB. Create an Amazon RDS database in one Region and read replicas in each Region. Update the Route 53 record with failover routing to point to the ALBs.
C. Use AWS Elastic Beanstalk to deploy the application with an Application Load Balancer (ALB) in each Region. Create an Amazon Aurora global database that has read replicas in each Region. Create an Amazon CloudFront distribution with a custom origin for each ALB. Update the Route 53 record with latency-based routing to point to the CloudFront distribution.
D. Use AWS Elastic Beanstalk to deploy the application with an Application Load Balancer (ALB) in each Region. Create an Amazon RDS database in one Region and read replicas in each Region. Create an Amazon CloudFront distribution with a custom origin for each ALB. Update the Route 53 record with failover routing to point to the CloudFront distribution.
Correct Answer: A
QUESTION 111
A DevOps team operates an integration service that runs on an Amazon EC2 instance. The DevOps team uses Amazon Route 53 to manage the integration service’s domain name by using a simple routing record. The integration service is stateful and uses Amazon Elastic File System (Amazon EFS) for data storage and state storage. The integration service does not support load balancing between multiple nodes. The DevOps team deploys the integration service on a new EC2 instance as a warm standby to reduce the mean time to recovery. The DevOps team wants the integration service to automatically fail over to the standby EC2 instance. Which solution will meet these requirements?
A. Update the existing Route 53 DNS record’s routing policy to weighted. Set the existing DNS record’s weighting to 100. For the same domain, add a new DNS record that points to the standby EC2 instance. Set the new DNS record’s weighting to 0. Associate an application health check with each record.
B. Update the existing Route 53 DNS record’s routing policy to weighted. Set the existing DNS record’s weighting to 99. For the same domain, add a new DNS record that points to the standby EC2 instance. Set the new DNS record’s weighting to 1. Associate an application health check with each record.
C. Create an Application Load Balancer (ALB). Update the existing Route 53 record to point to the ALB. Create a target group for each EC2 instance. Configure an application health check on each target group. Associate both target groups with the same ALB listener. Set the primary target group’s weighting to 100. Set the standby target group’s weighting to 100.
D. Create an Application Load Balancer (ALB). Update the existing Route 53 record to point to the ALB. Create a target group for each EC2 instance. Configure an application health check on each target group. Associate both target groups with the same ALB listener. Set the primary target group’s weighting to 99. Set the standby target group’s weighting to 1.
Correct Answer: A
QUESTION 112
A company has multiple development teams in separate business units that work in a single shared AWS account. All Amazon EC2 resources that users create in the account must include tags that specify which user created the resources. The tagging must occur within the first hour of resource creation. A DevOps engineer needs to add tags to new resources that include the ID of the user that created the resource and the appropriate cost center ID. The DevOps engineer configures an AWS Lambda function to use the cost center mappings to tag the resources. The DevOps engineer also sets up AWS CloudTrail in the shared AWS account. An Amazon S3 bucket stores the CloudTrail event logs. Which solution will meet the tagging requirements?
A. Create an S3 event notification on the S3 bucket to invoke the Lambda function for s3:ObjectTagging:Put events. Enable bucket versioning on the S3 bucket.
B. Enable server access logging on the S3 bucket. Create an S3 event notification on the S3 bucket for s3:Object Tagging:* events.
C. Enable AWS Config in the account. Configure the required-tags AWS managed rule to check and update the required tags.
D. Create an Amazon EventBridge rule that uses Amazon EC2 as the event source. Configure the rule to match events that CloudTrail delivers. Configure the rule to target the Lambda function.
Correct Answer: D
QUESTION 113
A company manages its multi-account environment by using AWS Organizations and AWS Control Tower. The company must deploy standardized security controls and compliance policies across all of its AWS accounts and AWS Regions. Any changes to these controls must be automatically applied to all accounts simultaneously. The company has the required security controls and compliance policies defined in AWS Cloud Development Kit (AWS CDK) as a security controls construct. Which solution will deploy these controls across all accounts and Regions with the LEAST operational overhead?
A. Create an AWS CDK app that includes an AWS CloudFormation StackSets construct. Configure the StackSets construct to use the security controls construct as its template. Specify the target accounts and Regions. Create automation to deploy the CDK app to create and manage the CloudFormation stack set.
B. Create an AWS CDK app that synthesizes an AWS CloudFormation template from the security controls construct. Use Amazon EventBridge to invoke an AWS Lambda function to update a CloudFormation stack set when changes are made to the security controls construct.
C. Convert the security controls construct to an AWS CloudFormation macro. Create a CloudFormation stack set that references the macro and deploys the macro to all target accounts. Use Organizations to automatically add new accounts to the stack set’s list of target accounts.
D. Use AWS Control Tower to create a customized landing zone that includes configurations from the security controls construct. Configure AWS Control Tower to automatically enroll new accounts and to apply the landing zone template.
Correct Answer: D
QUESTION 114
A company has deployed a new REST API by using Amazon API Gateway. The company uses the API to access confidential data. The API must be accessed from only specific VPCs in the company. Which solution will meet these requirements?
A. Create and attach a resource policy to the API Gateway API. Configure the resource policy to allow only the specific VPC IDs.
B. Add a security group to the API Gateway API. Configure the inbound rules to allow only the specific VPC IP address ranges.
C. Create and attach an IAM role to the API Gateway API. Configure the IAM role to allow only the specific VPC IDs.
D. Add an ACL to the API Gateway API. Configure the outbound rules to allow only the specific VPC IP address ranges.
Correct Answer: A
QUESTION 115
A company has a search application that has a web interface. The company uses Amazon CloudFront, Application Load Balancers (ALBs), and Amazon EC2 instances in an Auto Scaling group with a desired capacity of 3. The company uses prebaked AMIs. The application starts in 1 minute. The application queries an Amazon OpenSearch Service cluster. The application is deployed to multiple Availability Zones. Because of compliance requirements, the application needs to have a disaster recovery (DR) environment in a separate AWS Region. The company wants to minimize the ongoing cost of the DR environment and requires an RTO and an RPO of under 30 minutes. The company has created an ALB in the DR Region. Which solution will meet these requirements?
A. Add the new ALB as an origin in the CloudFront distribution. Configure origin failover functionality. Copy the AMI to the DR Region. Create a launch template and an Auto Scaling group with a desired capacity of 0 in the DR Region. Create a new OpenSearch Service cluster in the DR Region. Set up cross-cluster replication for the cluster.
B. Create a new CloudFront distribution in the DR Region and add the new ALB as an origin. Use Amazon Route 53 DNS for Regional failover. Copy the AMI to the DR Region. Create a launch template and an Auto Scaling group with a desired capacity of 0 in the DR Region. Reconfigure the OpenSearch Service cluster as a Multi-AZ with Standby deployment. Ensure that the standby nodes are in the DR Region.
C. Create a new CloudFront distribution in the DR Region and add the new ALB as an origin. Use Amazon Route 53 DNS for Regional failover. Copy the AMI to the DR Region. Create a launch template and an Auto Scaling group with a desired capacity of 3 in the DR Region. Reconfigure the OpenSearch Service cluster as a Multi-AZ with Standby deployment. Ensure that the standby nodes are in the DR Region.
D. Add the new ALB as an origin in the CloudFront distribution. Configure origin failover functionality. Copy the AMI to the DR Region. Create a launch template and an Auto Scaling group with a desired capacity of 3 in the DR Region. Create a new OpenSearch Service cluster in the DR Region. Set up cross-cluster replication for the cluster.
Correct Answer: A
QUESTION 116
A company is implementing a CI/CD pipeline for an application by using AWS CodePipeline and AWS CodeBuild. The company needs a solution to run unit tests and automatically generate code coverage reports before any code is deployed to production. The CI/CD pipeline execution must fail if the code coverage is less than 80%. Which solution will meet these requirements?
A. Create an AWS Lambda function to run unit tests and generate code coverage reports. Add a Lambda invoke action to a stage in the CodePipeline pipeline. Create an Amazon EventBridge scheduled rule to run hourly to monitor the Lambda function’s output. Configure the rule to fail the pipeline if coverage is less than 80%.
B. Create an AWS Step Functions workflow to run unit tests and generate code coverage reports. Add a Step Functions test action to a stage in the CodePipeline pipeline to invoke the workflow. Configure the workflow to fail if the code coverage is less than 80%.
C. Create a CodeBuild project with a buildspec.yml file that includes commands to run unit tests and generate code coverage reports. Add a CodeBuild test action to a stage in the CodePipeline pipeline. Configure the CodeBuild test action to use the source artifacts from the source action as input. Modify the buildspec.yml file to fail the build if coverage is less than 80%.
D. Create a CodeBuild project with Jenkins installed. Configure Jenkins to run unit tests and generate code coverage reports. Add a Jenkins test action to a stage in the CodePipeline pipeline. Configure the Jenkins test action to output the coverage report as an output artifact. Configure an approval action to fail the pipeline if code coverage is less than 80%.
Correct Answer: C
QUESTION 117
A company uses machine learning (ML) on transactional data that a development team uploads from multiple sources to an Amazon S3 bucket. The development team finds duplicate objects in the S3 bucket across multiple prefixes. The duplications are increasing the company’s storage costs. The company wants to implement an automated solution to identify and remove duplicate objects from the S3 bucket. Which solution will meet this requirement?
A. Use Amazon S3 Storage Lens to scan the S3 bucket and prefixes, create an inventory of the duplicate objects, and invoke an AWS Lambda function to delete the duplicate objects.
B. Configure AWS CloudTrail to record data events for the S3 bucket. Use Amazon Athena to query S3 data events to identify duplicate objects. Use an AWS Lambda function to delete duplicate objects.
C. Use Amazon S3 Inventory to generate reports. Use Amazon Athena to query the reports based on Tag values. Use S3 Batch Operations and an AWS Lambda function to remove duplicate objects.
D. Use AWS Config to identify object changes. Use Amazon EventBridge to delete duplicate objects by running the aws:executeScript action in AWS Systems Manager.
Correct Answer: C
QUESTION 118
A DevOps engineer manages a Java-based application that runs in an Amazon Elastic Container Service (Amazon ECS) cluster on AWS Fargate. Auto scaling has not been configured for the application. The DevOps engineer has determined that the Java Virtual Machine (JVM) thread count is a good indicator of when to scale the application. The application serves customer traffic on port 8080 and makes JVM metrics available on port 9404. Application use has recently increased. The DevOps engineer needs to configure auto scaling for the application. Which solution will meet these requirements with the LEAST operational overhead?
A. Deploy the Amazon CloudWatch agent as a container sidecar. Configure the CloudWatch agent to retrieve JVM metrics from port 9404. Create CloudWatch alarms on the JVM thread count metric to scale the application. Add a step scaling policy in Fargate to scale up and scale down based on the CloudWatch alarms.
B. Deploy the Amazon CloudWatch agent as a container sidecar. Configure a metric filter for the JVM thread count metric on the CloudWatch log group for the CloudWatch agent. Add a target tracking policy in Fargate. Select the metric from the metric filter as a scale target.
C. Create an Amazon Managed Service for Prometheus workspace. Deploy AWS Distro for Open Telemetry as a container sidecar to publish the JVM metrics from port 9404 to the Prometheus workspace. Configure rules for the workspace to use the JVM thread count metric to scale the application. Add a step scaling policy in Fargate. Select the Prometheus rules to scale up and scaling down.
D. Create an Amazon Managed Service for Prometheus workspace. Deploy AWS Distro for Open Telemetry as a container sidecar to retrieve JVM metrics from port 9404 to publish the JVM metrics from port 9404 to the Prometheus workspace. Add a target tracking policy in Fargate. Select the Prometheus metric as a scale target.
Correct Answer: B
QUESTION 119
A company is using an Amazon Aurora cluster as the data store for its application. The Aurora cluster is configured with a single DB instance. The application performs read operations and write operations on the database by using the cluster’s instance endpoint. The company has scheduled an update to the cluster during the next maintenance window. The cluster must remain available with the least possible interruption during the maintenance window. Which solution will meet these requirements?
A. Add a reader instance to the Aurora cluster. Update the application to use the Aurora cluster’s cluster endpoint for write operations. Update the application to use the Aurora cluster’s reader endpoint for read operations.
B. Add a reader instance to the Aurora cluster. Create a custom ANY endpoint for the cluster. Update the application to use the Aurora cluster’s custom ANY endpoint for read operations and write operations.
C. Turn on the Multi-AZ option on the Aurora cluster. Configure an Amazon RDS proxy in front of the Aurora cluster. Update the application to use the RDS proxy’s default endpoint for read operations and write operations.
D. Turn on the Multi-AZ option on the Aurora cluster. Create a custom ANY endpoint for the cluster. Update the application to use the Aurora cluster’s custom ANY endpoint for read operations and write operations.
Correct Answer: A
QUESTION 120
A company has a continuous integration pipeline where the company creates container images by using AWS CodeBuild. The created images are stored in Amazon Elastic Container Registry (Amazon ECR). Checking for and fixing the vulnerabilities in the images takes the company too much time. The company wants to identify the image vulnerabilities quickly and notify the security team of the vulnerabilities. Which combination of steps will meet these requirements with the LEAST operational overhead? (Select TWO.)
A. Activate Amazon Inspector enhanced scanning for Amazon ECR. Configure the enhanced scanning to use continuous scanning. Set up a topic in Amazon Simple Notification Service (Amazon SNS).
B. Create an Amazon EventBridge rule for Amazon Inspector findings. Set an Amazon Simple Notification Service (Amazon SNS) topic as the rule target.
C. Activate AWS Lambda enhanced scanning for Amazon ECR. Configure the enhanced scanning to use continuous scanning. Set up a topic in Amazon Simple Email Service (Amazon SES).
D. Create a new AWS Lambda function. Invoke the new Lambda function when scan findings are detected.
E. Activate default basic scanning for Amazon ECR for all container images. Configure the default basic scanning to use continuous scanning. Set up a topic in Amazon Simple Notification Service (Amazon SNS).
Correct Answer: AB
We use cookies to improve your experience, including essential cookies required for the website to function. By continuing, you agree to our use of cookies. Learn more.
We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.
Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.
Advertisement cookies are used to provide visitors with customised advertisements based on the pages you visited previously and to analyse the effectiveness of the ad campaigns.
Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.