QUESTION 121
A company hosts a public static website on an Amazon S3 bucket that has a DNS-compliant name. The company manages the domain name in a third-party domain registrar. The company needs optimize delivery of the website content for the lowest possible latency. Which solution will meet this requirement?
A. Use an AWS Lambda function and an Amazon CloudWatch rule to set up an automated cache refresh schedule.
B. Create Amazon Route 53 alias records for the Amazon CloudFront distribution. Set the S3 bucket as the origin.
C. Configure an Amazon S3 REST API endpoint for the S3 bucket. Integrate the endpoint with an Amazon ElastiCache (Reds OSS) cluster.
D. Configure an Amazon S3 REST API endpoint for the S3 bucket. Enable Amazon S3 Transfer Acceleration on the bucket.
Correct Answer: B
QUESTION 122
A developer is investigating an issue for a company. Some requests are passing through an Amazon API Gateway endpoint, but they do not reach the AWS Lambda function that backs the endpoint. The developer finds that a second Lambda function sometimes runs at the maximum concurrency that is allowed for the AWS account. How can the developer address this issue?
A. Manually reduce the concurrency quota at the account level.
B. Add another API Gateway stage for the endpoint. Shard the requests.
C. Request to increase the Lambda concurrency quota through the Service Quotas dashboard.
D. Reduce the throttling quota in the API Gateway endpoint.
Correct Answer: C
QUESTION 123
A company has a web application in an Amazon ECS cluster running hundreds of secure services in AWS Fargate containers. The services are in target groups routed by an Application Load Balancer (ALB). Application users log in to the website anonymously, but they must be authenticated using any OpenID Connect protocol-compatible identity provider (IdP) to access the secure services. Which authentication approach would meet these requirements with the LEAST amount of effort?
A. Configure the services to use Amazon Cognito.
B. Configure the ALB to use Amazon Cognito.
C. Configure the services to use AWS STS with the OpenID Connect IdP.
D. Configure the Amazon ECS cluster to use AWS STS with the OpenID Connect IdP.
Correct Answer: B
QUESTION 124
A developer is creating an application that requires programmatic access to Amazon S3. The developer deploys the application as an AWS Lambda function. The developer creates an IAM policy that allows the required access to Amazon S3. The developer needs to configure an access solution that does not require the developer to manage long-lived credentials. Which additional steps will meet this requirement?
A. Create an IAM user and attach the existing IAM policy. Create an AWS access key and a secret for the IAM user. Store the credentials in ~/ aws/credentials within the Lambda function code. Configure the function to read the credentials from ~/.aws/credentials to access Amazon S3.
B. Create an IAM user and attach the existing IAM policy. Create an AWS access key and a secret for the IAM user. Store the credentials in an environment variable for the Lambda function. Configure the function to use the environment variable to access Amazon S3.
C. Create an IAM user and attach the existing IAM policy. Create an AWS access key and a secret for the IAM user. Store the credentials in AWS Secrets Manager. Configure the function to read the credentials from Secrets Manager to access Amazon S3.
D. Create an IAM role and attach the existing IAM policy. Specify the Lambda function as a trusted entity. Configure the Lambda function to use the IAM role as the function’s execution role.
Correct Answer: D
QUESTION 125
A company stores customer credit reports in an Amazon S3 bucket. An analytics service uses standard Amazon S3 GET requests to access the reports. A developer must implement a solution to redact personally identifiable information (PII) from the reports before the reports reach the analytics service. Which solution will meet this requirement with the MOST operational efficiency?
A. Load the S3 objects into Amazon Redshift by using a COPY command. Implement dynamic data masking. Refactor the analytics service to read from Amazon Redshift.
B. Set up an S3 Object Lambda function. Attach the function to an S3 Object Lambda Access Point. Program the function to call a PII redaction API.
C. Use AWS KMS to implement encryption in the S3 bucket. Re-upload all the existing S3 objects. Give the kms: Decrypt permission to the analytics service
D. Create an Amazon SNS topic. Implement message data protection. Refactor the analytics service to publish data access requests to the SNS topic.
Correct Answer: B
QUESTION 126
A developer is writing a new serverless application for a company. Several other developers must collaborate on the code for this application, and the company expects frequent changes to the code. The developer needs to deploy the code from source control to AWS Lambda with the fewest number of manual steps. Which strategy for the build and deployment should the developer use to meet these requirements?
A. Build the code locally, and then upload the code into the source control system. When a release is needed, run AWS CodePipeline to extract the uploaded build and deploy the resources.
B. Use the AWS SAM CLI to build and deploy the application from the developer’s local machine with the latest version checked out locally.
C. Use AWS CodeBuild and AWS CodePipeline to invoke builds and corresponding deployments when configured source controlled branches have pull requests merged into them.
D. Use the Lambda console to upload a zip file of the application that is created by the AWS SAM CLI build command.
Correct Answer: C
QUESTION 127
A developer is debugging an issue with an application that is based on an AWS Lambda function. The Lambda function intermittently fails during a 1-hour window. The developer needs to investigate the root cause of the intermittent failures. The application sends logs to an Amazon CloudWatch Logs log group. The developer must be able to collect logs that relate to Lambda function failures. The developer must capture the dates and times at which the failures occurred. Which solution will meet these requirements in the MOST operationally efficient way?
A. Use the AWS CLI in AWS CloudShell to browse the CloudWatch Logs log group to search for the error messages.
B. Use CloudWatch Insights to run a query on the log group that searches for specific patterns that match the error messages.
C. Download log files from the CloudWatch Logs log group to the developer’s local machine. Use a local text search tool to search for the error messages.
D. Export the CloudWatch Logs log group to an Amazon S3 bucket. Use Amazon Athena to run a SQL query against the bucket to search for the error messages.
Correct Answer: B
QUESTION 128
A developer is managing an application that uses Amazon SQS to handle system events. The developer must implement a solution to process messages 5 minutes after the messages are added to the queue. Which property should the developer change to meet this requirement?
A. ReceiveMessageWaitTimeSeconds
B. Visibility Timeout
C. DelaySeconds
D. MessageRetentionPeriod
Correct Answer: C
QUESTION 129
A developer has designed a customer-facing application that is running on an Amazon EC2 instance. The application logs every request made to it. The application usually runs seamlessly, but a spike in traffic generates several logs that cause the disk to fill up and eventually run out of memory. Company policy requires old logs to be centralized for analysis. Which long-term solution should the developer employ to prevent the issue from reoccurring?
A. Set up log rotation to rotate the file every day. Also set up log rotation to rotate after every 100 MB and compress the file.
B. Install the Amazon CloudWatch agent on the instance to send the logs to CloudWatch. Delete the logs from the instance once they are sent to CloudWatch.
C. Enable AWS Auto Scaling on Amazon EBS to automatically add volumes to the instance when it reaches a specified threshold.
D. Create an Amazon EventBridge rule to pull the logs from the instance. Configure the rule to delete the logs after they have been pulled.
Correct Answer: B
QUESTION 130
A developer is creating a web application for a school that stores data in Amazon DynamoDB. The ExamScores table has the following attributes: student_id, subject_name, and top_score. Each item in the ExamScores table is identified with student_ id as the partition key and subject_name as the sort key. The web application needs to display the student_id for the top scores for each school subject. The developer needs to increase the speed of the queries to retrieve the student_id for the top scorer for each school subject. Which solution will meet these requirements?
A. Create a local secondary index (LSI) with subject_name as the partition key and top_score as the sort key.
B. Create a local secondary index (LSI) with top_score as the partition key and student_id as the sort key.
C. Create a global secondary index (GSI) with subject_name as the partition key and top_score as the sort key.
D. Create a global secondary index (GSI) with subject_name as the partition key and student_id as the sort key.
Correct Answer: C
QUESTION 131
A developer must ensure that sensitive customer data that is stored in an AWS Lambda function is encrypted at rest and in transit. The sensitive data is stored in environment variables within the Lambda function. The developer needs to control encryption key rotation. Which combination of steps will meet these requirements? (Select TWO.)
A. Use AWS managed AWS KMS keys. Disable automatic key rotation. Specify the desired custom rotation period.
B. Assign the necessary AWS KMS permissions to the Lambda function’s execution role.
C. Use customer managed AWS KMS keys. Disable automatic key rotation. Modify the rotation period of the KMS keys.
D. Use AWS Certificate Manager (ACM) to provision a public certificate. Set up manual renewal and rotation of the certificate.
E. Update the policy for the AWS KMS keys to include any permissions that the Lambda function needs to interact with other AWS services.
Correct Answer: BC
QUESTION 132
A company develops an application that uses resources that are defined in an AWS CloudFormation stack. The company wants to have the ability to update the stack to manage the resources and infrastructure as code (IaC) by using general-purpose programming languages such as Python. Which solution will meet these requirements with the LEAST operational overhead?
A. Launch an Amazon EC2 instance and install Python. Use an AWS Glue job to migrate the current infrastructure to the new EC2 instance. Create a custom code transformation.
B. Use an AWS CDK migrate command to migrate the existing stack to an AWS CDK application.
C. Use an AWS CDK import command to migrate the existing stack to an AWS CDK application.
D. Within CloudFormation, migrate the existing code by creating a change set to automatically import the code to JavaScript.
Correct Answer: B
QUESTION 133
A company’s application has pricing tiers to group features and usage limits. The company needs to configure values for feature groups and usage limits dynamically for multiple tenants. The company needs a solution that requires minimal operational overhead and does not require code changes when the values change. Which solution will meet these requirements?
A. Store the values in AWS Systems Manager Parameter Store. Manually run a script for the application to update the values.
B. Store the values in an Amazon DynamoDB table. Configure DynamoDB streams to trigger an AWS Lambda function for the application to update the values.
C. Store the values in AWS Secrets Manager. Manually run a script for the application to update the values.
D. Store the values in AWS AppConfig. Configure the application to get updated values from AWS AppConfig.
Correct Answer: D
QUESTION 134
An application stores user data in Amazon S3 buckets in multiple AWS Regions. A developer needs to implement a solution that analyzes the user data in the S3 buckets to find sensitive information. The analysis findings from all the S3 buckets must be available in the eu-west-2 Region. Which solution will meet these requirements with the LEAST development effort?
A. Create an AWS Lambda function to generate findings. Program the Lambda function to send the findings to another S3 bucket in eu-west-2.
B. Configure Amazon Macie to generate findings. Use Amazon EventBridge to create rules that copy the findings to eu-west-2.
C. Configure Amazon Inspector to generate findings. Use Amazon EventBridge to create rules that copy the findings to eu-west-2.
D. Configure Amazon Macie to generate findings and to publish the findings to AWS CloudTrail. Use a CloudTrail trail to copy the results to eu-west-2.
Correct Answer: B
QUESTION 135
A developer is investigating an issue in part of a company’s application. In the application, messages are sent to an Amazon SQS queue. The AWS Lambda function polls messages from the SQS queue and sends email messages by using Amazon SES. Users have been receiving duplicate email messages during periods of high traffic. Which reasons could explain the duplicate email messages? (Select TWO.)
A. Standard SQS queues support at-least-once message delivery.
B. Standard SQS queues support exactly-once processing, so the duplicate email messages are because of user error.
C. Amazon SES has the DomainKeys Identified Mail (DKIM) authentication incorrectly configured.
D. The SQS queue’s visibility timeout is lower than or the same as the Lambda function’s timeout.
E. The Amazon SES bounce rate metric is too high.
Correct Answer: AD
QUESTION 136
A developer is building a microservices-based application by using Python on AWS and several AWS services. The developer must use AWS X-Ray. The developer views the service map by using the console to view the service dependencies. During testing, the developer notices that some services are missing from the service map. What can the developer do to ensure that all services appear in the X-Ray service map?
A. Modify the X-Ray Python agent configuration in each service to increase the sampling rate.
B. Instrument the application by using the X-Ray SDK for Python. Install the X-Ray SDK for all the services that the application uses.
C. Enable X-Ray data aggregation in Amazon CloudWatch Logs for all the services that the application uses.
D. Increase the X-Ray service map timeout value in the X-Ray console.
Correct Answer: B
QUESTION 137
A developer creates three Amazon SQS standard queues. The first queue is named process_ queue and processes messages. The second queue is named dl_queue and serves as a dead-letter queue for process _queue. The third queue is named inspect_queue. The developer uses inspect_queue to inspect failed messages. There are several
messages in di_queue that the developer wants to inspect by using inspect_queue. How can the developer move messages to inspect_queue with the LEAST operational effort?
A. Use Amazon EventBridge to invoke an AWS Lambda function to move messages to inspect_queue when the messages appear in dl_queue.
B. Redrive the messages to a custom destination. Specify inspect_queue as the destination.
C. Set inspect_queue as a dead-letter queue for process_queue.
D. Poll for the messages in dl_queue
Correct Answer: B
QUESTION 138
A developer is deploying an application on Amazon EC2 instances that run in Account A. In certain cases, this application needs to read data from a private Amazon S3 bucket in Account B. The developer must provide the application access to the S3 bucket without exposing the S3 bucket to anyone else. Which combination of actions should the developer take to meet these requirements? (Select TWO.)
A. Create an IAM role with S3 read permissions in Account B.
B. Update the instance profile IAM role in Account A with S3 read permissions.
C. Make the S3 bucket public with limited access for Account A.
D. Configure the bucket policy in Account B to grant permissions to the instance profile role.
E. Add a trust policy that allows s3: Get* permissions to the IAM role in Account B.
Correct Answer: BD
QUESTION 139
A company stores all personally identifiable information (PII) in an Amazon DynamoDB table named PII in Account A. Developers are working on an application that is running on Amazon EC2 instances in Account B. The application in Account B requires access to the PII table. An administrator in Account A creates an IAM role named AccessPII that has permission to access the PII table. The administrator also creates a trust policy that specifies Account B as a principal that can assume the role. Which combination of steps should the developers take in Account B to allow their application to access the II table? (Select TWO.)
A. Allow the EC2 IAM role the permission to assume the AccessPII role.
B. Allow the EC2 IAM role the permission to access the PII table.
C. Include the AWS API in the application code logic to obtain temporary credentials from the EC2 IAM role to access the PII table.
D. Include the AssumeRole API operation in the application code logic to obtain temporary credentials to access the PII table.
E. Include the GetSession Token API operation in the application code logic to obtain temporary credentials to access the PII table.
Correct Answer: AD
QUESTION 140
A company has an application that processes audio files for different departments. When audio files are saved to an Amazon S3 bucket, an AWS Lambda function receives an event notification and processes the audio input. A developer needs to update the solution so that the application can process the audio files for each department independently. The application must publish the audio file location for each department to each department’s existing Amazon SQS queue. Which solution will meet these requirements with no changes to the Lambda function code?
A. Configure the S3 bucket to send the event notifications to an Amazon SNS topic. Subscribe each department’s SQS queue to the SNS topic. Configure subscription filter policies.
B. Update the Lambda function to write the file location to a single shared SQS queue. Configure the shared SQS queue to send the file reference to each department’s SQS queue.
C. Update the Lambda function to send the file location to each department’s SQS queue.
D. Configure the S3 bucket to send the event notifications to each department’s SQS queue.
Correct Answer: A
We use cookies to improve your experience, including essential cookies required for the website to function. By continuing, you agree to our use of cookies. Learn more.
We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.
Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.
Advertisement cookies are used to provide visitors with customised advertisements based on the pages you visited previously and to analyse the effectiveness of the ad campaigns.
Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.