QUESTION 21
A developer has an application that uses an Amazon DynamoDB table with a configured local secondary index (LSI). During application testing, the DynamoDB table metrics report a ProvisionedThroughputExceededException error message. The number of requests made by the test suite did not exceed the table’s provisioned capacity limits. What is the cause of this issue?
A. The data in the table’s partition key column is not evenly distributed.
B. The LSI’s capacity is different from the table’s capacity.
C. The application is not implementing exponential backoff retry logic while interacting with the DynamoDB API.
D. The application has the IAM permission to query the DynamoDB table but not to query the LSI.
Correct Answer: A
QUESTION 22
A developer is investigating recent performance bottlenecks within a company’s distributed web application that runs on various AWS services, including Amazon EC2 and Amazon DynamoDB. How can the developer determine the length of time of the application’s calls to the various downstream AWS services?
A. Enable VPC Flow Logs and analyze them in Amazon OpenSearch Service.
B. Use Amazon CloudWatch Logs to analyze application logs for the various calls.
C. Enable detailed monitoring for the EC2 instances in Amazon CloudWatch.
D. Implement AWS X-Ray with client handlers for the various downstream calls.
Correct Answer: D
QUESTION 23
A developer is designing an AWS Lambda function that creates temporary files that are less than 10 MB during invocation. The temporary files will be accessed and modified multiple times during invocation. The developer has no need to save or retrieve these files in the future. Where should the temporary files be stored?
A. the /tmp directory
B. Amazon EFS
C. Amazon EBS
D. Amazon S3
Correct Answer: A
QUESTION 24
A developer is creating a new batch application that will run on an Amazon EC2 instance. The application requires read access to an Amazon S3 bucket. The developer needs to follow security best practices to grant S3 read access to the application. Which solution meets these requirements?
A. Add the permissions to an IAM policy. Attach the policy to a role. Attach the role to the EC2 instance profile.
B. Add the permissions inline to an IAM group. Attach the group to the EC2 instance profile.
C. Add the permissions to an IAM policy. Attach the policy to a user. Attach the user to the EC2 instance profile.
D. Add the permissions to an IAM policy. Use IAM web identity federation to access the S3 bucket with the policy.
Correct Answer: A
QUESTION 25
A company is building a serverless application. The application uses an API key to authenticate with a third-party application. The company needs to store the external API key as a part of an AWS Lambda configuration. The company needs full control over the AWS KMS keys that will encrypt the API key. The API key must be visible only to authorized entities. Which solution will meet these requirements?
A. Store the API key in AWS Systems Manager Parameter Store as a string parameter. Use the default AWS KMS key that AWS provides to encrypt the API key.
B. Store the API key in Lambda environment variables. Create an AWS KMS customer managed key to encrypt the API key.
C. Store the API key in the code repository. Use an AWS managed key to encrypt the code repository.
D. Store the API key as an Amazon DynamoDB table record. Use an AWS managed key to encrypt the API key.
Correct Answer: A
QUESTION 26
A developer updates an application to use a new version of a critical dependency that is provided by a public repository. The build for the application fails because the public repository is unavailable. The developer needs a solution that will track and resolve dependencies from the public repository. The solution must resolve to the most current version of dependencies, even when the public repository is unavailable. Which solution will meet these requirements?
A. Deploy Amazon CloudFront as a proxy server. Create an origin for the public repository. Set the longest possible maximum caching time. Update the library references in the application build dependencies to reference the CloudFront endpoint.
B. Deploy AWS CodeArtifact. Update the library references in the application build dependencies to reference the CodeArtifact repository. Connect the CodeArtifact repository to the public repository.
C. Deploy an Amazon S3 bucket. Update the library references in the application build dependencies to reference the S3 bucket. Set up an AWS Lambda function to download the most current version of the dependencies from the public repository and to store the dependencies in the S3 bucket every day.
D. Deploy AWS Artifact. Update the library references in the application build dependencies to reference the Artifact repository. Connect the Artifact repository to the public repository.
Correct Answer: B
QUESTION 27
A company creates a containerized application for its customers. The company will host the container images in Amazon ECR. The customers need to be able to find the images on their own. A developer must ensure that only the company can modify the published container images. Which combination of actions should the developer take to meet these requirements? (Select TWO.)
A. Create a new public ECR repository and registry. Configure an IAM role that can write to the new ECR repository.
B. Create a new private ECR repository and registry. Configure an IAM role that can write to the new ECR repository.
C. Create a new private ECR repository and registry. Configure Amazon Cognito to grant permissions to write images to the new ECR repository.
D. Create a resource policy that allows only specific accounts to add and edit images in the ECR repository.
E. Create a resource policy that allows all accounts to add and edit images in the ECR repository.
Correct Answer: AD
QUESTION 28
A developer manages a website that distributes its content by using Amazon CloudFront. The website’s static artifacts are stored in an Amazon S3 bucket. The developer deploys some changes and can see the new artifacts in the S3 bucket. However, the changes do not appear on the webpage that the CloudFront distribution delivers. How should the developer resolve this issue?
A. Configure S3 Object Lock to update to the latest version of the files every time an S3 object is updated.
B. Configure the S3 bucket to clear all old objects from the bucket before new artifacts are uploaded.
C. Set CloudFront to invalidate the cache after the artifacts have been deployed to Amazon S3.
D. Set CloudFront to modify the distribution origin after the artifacts have been deployed to Amazon S3.
Correct Answer: C
QUESTION 29
A developer is using an AWS CloudFormation template to create a pipeline in AWS CodePipeline. The template creates an Amazon S3 bucket that the pipeline references in a source stage. The template also creates an AWSCodeBuild project for a build stage. The pipeline sends notifications to an Amazon SNS topic. Logs for the CodeBuild project are stored in Amazon CloudWatch Logs. The company needs to ensure that the pipeline’s artifacts are encrypted with an existing customer managed AWS KMS key. The developer has granted the pipeline permissions to use the KMS key. Which additional step will meet these requirements?
A. Create an Amazon S3 gateway endpoint that the pipeline can access.
B. In the CloudFormation template, use the KMS key to encrypt the logs in CloudWatch Logs.
C. Apply an S3 bucket policy that ensures the pipeline sends only encrypted objects to the S3 bucket.
D. Configure the notification topic to use the existing KMS key to enable encryption with the existing KMS key.
Correct Answer: C
QUESTION 30
A company has developed an application that uses AWS Lambda functions to process messages from an Amazon SQS queue One of the Lambda functions makes a call to an external API that is expected to encounter temporary service unavailability. A developer needs to configure the function to retry failed messages from an Amazon SQS dead-letter queue. The developer notices that the Lambda function is re-processing some messages in the queue more than once. Which solution will resolve this issue?
A. Set a message retention period for each message. Configure the Lambda function to add a Messageld to each message.
B. Set the visibility timeout parameter at the queue level. Configure the Lambda function to delete processed messages from the queue.
C. Set a receive message wait time for each message. Configure the Lambda function to add a Messageld to each message.
D. Set the delivery delay parameter at the queue level. Configure the Lambda function to delete processed messages from the queue.
Correct Answer: B
QUESTION 31
A developer has a continuous integration and continuous delivery (CI/CD) pipeline that uses AWS CodeArtifact and AWS CodeBuild. The build artifacts are between 0.5 GB and 1.5 GB in size. The builds happen frequently and retrieve many dependencies from CodeArtifact each time. The builds have been slow because of the time it takes to transfer dependencies. The developer needs to improve build performance by reducing the number of dependencies that are retrieved for each build. Which solution will meet this requirement?
A. Specify an Amazon S3 cache in CodeBuild. Add the S3 cache folder path to the buildspec.yaml file for the build project.
B. Specify a local cache in CodeBuild. Add the CodeArtifact repository name to the buildspec.yaml file for the build project.
C. Specify a local cache in CodeBuild. Add the cache folder path to the buildspec.yaml file for the build project.
D. Retrieve the buildspec.yaml file directly from CodeArtifact. Add the CodeArtifact repository name to the buildspec.yaml file for the build project.
Correct Answer: C
QUESTION 32
A company has an ecommerce web application that uses an on-premises MySQL database as a data store. The company migrates the on-premises MySQL database to Amazon RDs for MySQL. A developer needs to configure the application’s access to the RDS for MySQL database. The developer’s solution must not use long-term credentials. Which solution will meet these requirements?
A. Enable IAM database authentication on the RDS for MySQL DB instance. Create an IAM role that has the minimum required permissions. Assign the role to the application.
B. Store the MySQL credentials as secrets in AWS Secrets Manager. Create an IAM role that has the minimum required permissions to retrieve the secrets. Assign the role to the application.
C. Configure the MySQL credentials as environment variables that are available at runtime for the application.
D. Store the MySQL credentials as SecureString parameters in AWS Systems Manager Parameter Store. Create an IAM role that has the minimum required permissions to retrieve the parameters. Assign the role to the application.
Correct Answer: A
QUESTION 33
A company maintains a REST service using Amazon API Gateway and the API Gateway native API key validation. The company recently launched a new registration page, which allows users to sign up for the service. The registration page creates a new API key using CreateApiKey and sends the new key to the user. When the user attempts to call the API using this key, the user receives a 403 Forbidden error. Existing users are unaffected and can still call the API. What code updates will grant these new users access to the API?
A. The createDeployment method must be called so the API can be redeployed to include the newly created API key.
B. The updateAuthorizer method must be called to update the API’s authorizer to include the newly created API key.
C. The importApiKeys method must be called to import all newly created API keys into the current stage of the API.
D. The createUsagePlanKey method must be called to associate the newly created API key with the correct usage plan.
Correct Answer: D
QUESTION 34
A company notices that credentials that the company uses to connect to an external software as a service (SaaS) vendor are stored in a configuration file as plaintext. The developer needs to secure the API credentials and enforce automatic credentials rotation on a quarterly basis. Which solution will meet these requirements MOST securely?
A. Use AWS KMS to encrypt the configuration file. Decrypt the configuration file when users make API calls to the Saas vendor. Enable rotation.
B. Retrieve temporary credentials from Aws STS every 15 minutes. Use the temporary credentials when users make API calls to the SaaS vendor.
C. Store the credentials in AWS Secrets Manager and enable rotation. Configure the API to have Secrets Manager access.
D. Store the credentials in AWS Systems Manager Parameter Store and enable rotation. Retrieve the credentials when users make API calls to the SaaS vendor.
Correct Answer: C
QUESTION 35
A developer has written an AWS Lambda function. The function is CPU-bound. The developer wants to ensure that the function returns responses quickly. How can the developer improve the function’s performance?
A. Increase the function’s CPU core count.
B. Increase the function’s memory.
C. Increase the function’s reserved concurrency.
D. Increase the function’s timeout.
Correct Answer: B
QUESTION 36
A healthcare company uses AWS Amplify to host a patient management system. The system uses Amazon API Gateway to expose RESTful APIs. The backend logic of the system is handled by AWS Lambda functions. One of the Lambda functions receives patient data that includes personally identifiable information (PII). The Lambda function sends the patient data to an Amazon DynamoDB table. The company must encrypt all patient data at rest and in transit before the data is stored in DynamoDB. Which solution will meet these requirements?
A. Configure the Lambda function to use AWS KMS keys with the AWS Database Encryption SDK to encrypt the patient data before sending the data to DynamoDB.
B. Use AWS managed AWS KMS keys to encrypt the data in the DynamoDB table.
C. Configure a DynamoDB stream on the table to invoke a Lambda function. Configure the Lambda function use an AWS KMS key to encrypt the DynamoDB table and to update the table.
D. Use an AWS Step Functions workflow to transfer the data to an Amazon SQs queue. Configure a Lambda function to encrypt the data in the queue before sending the data to the DynamoDB table.
Correct Answer: A
QUESTION 37
A company is creating an AWS Step Functions state machine to run a set of tests for an application. The tests need to run when a specific AWS CloudFormation stack is deployed. Which combination of steps will meet these requirements? (Select TWO.)
A. Create an AWS Lambda function to invoke the state machine.
B. Create an Amazon EventBridge rule on the default bus that matches on a detail type of CloudFormation stack status change, a status of UPDATE_IN_PROGRESS, and the stack ID of the CloudFormation stack.
C. Create a pipe in Amazon EventBridge Pipes that has a source of the default event bus. set the Lambda function as a target. File on a detail type of CloudFormation stack status change, a status of UPDATE_IN_PROGRESS, and the stack ID of the CloudFormation stack.
D. Create a pipe in Amazon EventBridge Pipes that has a source of the EventBridge rule. Set the state machine as a target.
E. Add the state machine as a target of the EventBridge rule.
Correct Answer: BE
QUESTION 38
A developer is using AWS AppConfig to manage feature flags for an application. The developer needs to enable a new premium feature only for a specific group of users based on the IDs of the users. Which solution will meet these requirements with the LEAST development effort?
A. Use a single AWS ApoConfig feature fag without any variants. Implement user D checks in the application to control access to the premium feature.
B. Create separate AWS AppConfig feature flags for each user group. Assign values to the feature flags.
C. Create an AIWS AppConfig feature flag. Define multiple variants. Set up rules to target the specific user group based on the 1Ds of the users.
D. Configure AWS AppConfig to use an external database to store user IDs. Retrieve the user IDs during flag evaluation.
Correct Answer: C
QUESTION 39
A developer is creating a serverless application that performs video encoding. The encoding process run as background jobs and takes several minutes to encode each video. The process must not send an immediate result to users. The developer is using Amazon API Gateway to manage an API for the application. The developer needs to run test invocations and request validations. The developer must distribute API keys to control access to the API. Which solution will meet these requirements?
A. Create an HTTP API. Create an AWS Lambda function to handle the encoding jobs. Integrate the function with the HTTP API. Use the Event invocation type to call the Lambda function.
B. Create a REST API with the default endpoint type. Create an AWS Lambda function to handle the encoding jobs. Integrate the function with the REST API. Use the Event invocation type to call the Lambda function.
C. Create an HTTP API. Create an AWS Lambda function to handle the encoding jobs. Integrate the function with the HTTP API. Use the RequestResponse invocation type to call the Lambda function.
D. Create a REST API with the default endpoint type. Create an AWS Lambda function to handle the encoding jobs. Integrate the function with the REST API. Use the RequestResponse invocation type to call the Lambda function.
Correct Answer: B
QUESTION 40
A developer is running an application on an Amazon EC2 instance. When the application tries to read an Amazon S3 bucket, the application The developer notices that the associated IAM role is missing the S3 read permission. The developer needs to give the application the ability to read the S3 bucket. Which solution will meet this requirement with the LEAST application disruption?
A. Add the permission to the role. Terminate the existing EC2 instance. Launch a new EC2 instance.
B. Add the permission to the role so that the change will take effect automatically.
C. Add the permission to the role. Hibernate and restart the existing EC2 instance.
D. Add the permission to the S3 bucket. Restart the EC2 instance.
Correct Answer: B
We use cookies to improve your experience, including essential cookies required for the website to function. By continuing, you agree to our use of cookies. Learn more.
We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.
Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.
Advertisement cookies are used to provide visitors with customised advertisements based on the pages you visited previously and to analyse the effectiveness of the ad campaigns.
Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.