QUESTION 101
A company is migrating to AWS. The company created a central networking account in an organization in AWS Organizations with all features enabled. The networking account has a VPC that includes a custom firewall appliance. The company configured the inbound routes from the internet to route to the appliance. The company will set up new AWS accounts for the company’s migrated services. All the new accounts will share the same new OU. Users of the new accounts will assume IAM roles that have the AdministratorAccess policy. All inbound traffic from the internet in all new accounts must be routed through the central networking account. The company needs a solution that does not deploy an internet gateway into the new accounts. The solution must not allow changes to the route tables for any public subnets. Which solution will meet these requirements?
A. Create an IAM permissions boundary that blocks access to the CreateInternetGateway action. Assign the permissions boundary to the IAM roles in each account. Configure AWS Resource Access Manager (AWS RAM) to share the route table from the networking account. Assign the route table to any new public subnets in the new accounts that require inbound access.
B. Create an SCP that allows only the specific actions that users need in the new accounts. Configure VPC peering with any of the new VPCs in the new accounts. Configure the route tables that are attached to the public subnets in the networking account to point traffic to the new VPCs that require inbound access.
C. Create an SCP that blocks the creation and attachment of internet gateways. Assign the SCP to the OU. Configure AWS Resource Access Manager (AWS RAM) to share the public subnets from the networking account. Use the OU ID as the principal. Use the shared subnets for resources that require inbound internet access.
D. Update the IAM roles with an inline policy that adds a Deny statement to block the ReplaceRoute action. Create a transit gateway. Enable appliance mode on the transit gateway. Attach the transit gateway to the networking account’s VPC and to each of the new accounts. Route traffic from the internet to the transit gateway for any subnet that requires inbound access.
Correct Answer: C
QUESTION 102
A company is migrating many VMs from an on-premises environment to AWS. The company requires an initial assessment of the on-premises environment before the migration. The company also needs a visualization of the dependencies between applications that run on the VMs. Finally, the company needs a report that provides an assessment of the on-premises environment. The company has initiated a Migration Evaluator assessment request. The company has the ability to install collector software in its on-premises environment without any constraints. Which solution will provide the company with the required information with the LEAST operational overhead?
A. Install the AWS Application Discovery Agent on each on-premises VM. After the data collection period ends, use AWS Migration Hub to view the application dependencies. Download the Quick Insights assessment report from Migration Hub.
B. Install the Migration Evaluator Collector on each on-premises VM. After the data collection period ends, use Migration Evaluator to view the application dependencies. Download and export the discovered server list from Migration Evaluator. Upload the list to Amazon QuickSight. When the QuickSight report is generated, download the Quick Insights assessment report.
C. Install the AWS Application Discovery Service Agentless Collector in the on-premises environment. After the data collection period ends, use AWS Migration Hub to view the application dependencies. Export the discovered server list from Application Discovery Service. Upload the list to Migration Evaluator. When the Migration Evaluator report is generated, download the Quick Insights assessment.
D. Install the Migration Evaluator Collector in the on-premises environment. Install the AWS Application Discovery Agent on each VM. After the data collection period ends, use AWS Migration Hub to view the application dependencies. Download the Quick Insights assessment report from Migration Evaluator.
Correct Answer: C
QUESTION 103
A company is migrating a small data center to AWS. A solutions architect needs to evaluate the data center environment and collect metrics on the infrastructure. The solutions architect needs to generate a report that has recommendations on what machine types to use for the target environment. Which solution meets these requirements?
A. Download and install the Migration Evaluator agent on all on-premises servers. Configure the agent to collect and transmit data to Amazon CloudWatch Logs. After 2 weeks, generate recommendations from the log data.
B. Download and install the Migration Evaluator Collector on an on-premises server. After 2 weeks, upload the collected data to Migration Evaluator and generate recommendations.
C. Download and install the AWS Application Discovery Service agent on an on-premises server. Configure the agent to collect and transmit data to Amazon CloudWatch Logs. After 2 weeks, generate recommendations from the log data.
D. Download and install the AWS Systems Manager agent on all on-premises servers. Use the agent to collect and transmit data to AWS Config for 2 weeks. Import the data into Migration Evaluator and generate recommendations.
Correct Answer: C
QUESTION 104
A company needs to migrate a 50 TB Oracle data warehouse from on premises to Amazon Redshift. Major updates to the data warehouse occur on the final calendar day of each month. The data warehouse receives only minor daily updates and is primarily used for reading and reporting for the other days of the month. The company needs to synchronize minor daily changes to the data warehouse with the migration to Amazon Redshift. The company will cut over to strictly using Amazon Redshift after completing the data migration. Which combination of steps will meet these requirements? (Select THREE.)
A. Create an AWS Snowball Edge export job into Amazon S3. Copy data to the Snowball Edge device. Return the Snowball Edge device to AWS. Use AWS DMS to copy data from Amazon S3 to Amazon Redshift.
B. Create an AWS Snowball Edge import job into Amazon S3. Copy data to the Snowball Edge device. Return the Snowball Edge device to AWS. Use AWS DMS to copy data from Amazon S3 to Amazon Redshift.
C. Configure a server in the company’s data center with a data extraction agent. Use AWS SCT to manage the data extraction agent and convert the Oracle schema to an Amazon Redshift schema.
D. Configure a server in the company’s VPC with a data extraction agent. Use AWS SCT to manage the data migration agent and convert the Oracle schema to an Amazon Redshift schema.
E. Create a new project in AWS SCT by using the registered agent. Create a local task and an AWS DMS task in AWS SCT that uses the full load and change data capture (CDC) replication type.
F. Create a new project in AWS SCT by using the registered agent. Create a local task and an AWS DMS task in AWS SCT that uses the change data capture (CDC) replication type.
Correct Answer: BDF
QUESTION 105
A company wants to migrate its website to AWS. The website uses microservices and runs on containers that are deployed in an on-premises, self-managed Kubernetes cluster. All the manifests that define the deployments for the containers in the Kubernetes deployment are in source control. All data for the website is stored in a PostgreSQL database. An open source container image repository runs alongside the on-premises environment. A solutions architect needs to determine the architecture that the company will use for the website on AWS. Which solution will meet these requirements with the LEAST effort to migrate?
A. Create an AWS App Runner service. Connect the App Runner service to the open source container image repository. Deploy the manifests from on premises to the App Runner service. Create an Amazon RDS for PostgreSQL database.
B. Create an Amazon EKS cluster that has managed node groups. Copy the application containers to a new Amazon ECR repository. Deploy the manifests from on premises to the EKS cluster. Create an Amazon Aurora PostgreSQL DB cluster.
C. Create an Amazon ECS cluster that has an Amazon EC2 capacity pool. Copy the application containers to a new Amazon ECR repository. Register each container image as a new task definition. Configure ECS services for each task definition to match the original Kubernetes deployments. Create an Amazon Aurora PostgreSQL DB cluster.
D. Rebuild the on-premises Kubernetes cluster by hosting the cluster on Amazon EC2 instances. Migrate the open source container image repository to the EC2 instances. Deploy the manifests from on premises to the new cluster on AWS. Deploy an open source PostgreSQL database on the new cluster.
Correct Answer: B
QUESTION 106
A company runs its sales reporting application in an AWS Region in the United States. The application uses an Amazon API Gateway Regional API and AWS Lambda functions to generate on-demand reports from data in an Amazon RDS for MySOL database. The fronted of the application is hosted on Amazon S3 and is accessed by users through an Amazon CloudFront distribution. The company is using Amazon Route 53 as the DNS service for the domain. Route 53 is configured with a simple routing policy to route traffic to the API Gateway API. In the next 6 months, the company plans to expand operations to Europe. More than 90% of the database traffic is read-only traffic. The company has already deployed an API Gateway API and Lambda functions in the new Region. A solutions architect must design a solution that minimizes latency for users who download reports. Which solution will meet these requirements?
A. Use an AWS DMS task with full load to replicate the primary database in the original Region to the database in the new Region. Change the Route 53 record to latency-based routing to connect to the API Gateway API.
B. Use an AWS DMS task with full load plus change data capture (CDC) to replicate the primary database in the original Region to the database in the new Region. Change the Route 53 record to geolocation routing to connect to the API Gateway API.
C. Configure a cross-Region read replica for the RDS database in the new Region. Change the Route 53 record to latency-based routing to connect to the API Gateway API.
D. Configure a cross-Region read replica for the RDS database in the new Region. Change the Route 53 record to geolocation routing to connect to the API Gateway API.
Correct Answer: D
QUESTION 107
A company has multiple business units that each have separate accounts on AWS. Each business unit manages its own network with several VPCs that have CID ranges that overlap. The company’s marketing team has created a new internal application and wants to make the application accessible to all the other business units. The solution must use private IP addresses only. Which solution will meet these requirements with the LEAST operational overhead?
A. Instruct each business unit to add a unique secondary CIDR range to the business unit’s VPC. Peer the VPCs and use a private NAT gateway in the secondary range to route traffic to the marketing team.
B. Create an Amazon EC2 instance to serve as a virtual appliance in the marketing account’s VPC. Create an AWS Site-to-Site VPN connection between the marketing team and each business unit’s VPC. Perform NAT where necessary.
C. Create an AWS PrivateLink endpoint service to share the marketing application. Grant permission to specific AWS accounts to connect to the service. Create interface VPC endpoints in other accounts to access the application by using private IP addresses.
D. Create a Network Load Balancer (NLB) in front of the marketing application in a private subnet. Create an API Gateway API. Use the Amazon API Gateway private integration to connect the API to the NLB. Activate IAM authorization for the API. Grant access to the accounts of the other business units.
Correct Answer: C
QUESTION 108
A company’s public API runs as tasks on Amazon ECS. The tasks run on AWS Fargate behind an Application Load Balancer (ALB) and are configured with Service Auto Scaling for the tasks based on CPU utilization. This service has been running well for several months. Recently, API performance slowed down and made the application unusable. The company discovered that a significant number of SQL injection attacks had occurred against the API and that the API service had scaled to its maximum amount. A solutions architect needs to implement a solution that prevents SQL injection attacks from reaching the ECS API service. The solution must allow legitimate traffic through and must maximize operational efficiency. Which solution meets these requirements?
A. Create a new AWS WAF web ACL to monitor the HTTP requests and HTTPS requests that are forwarded to the ALB in front of the ECS tasks.
B. Create a new AWS WAF Bot Control implementation. Add a rule in the AWS WAF Bot Control managed rule group to monitor traffic and allow only legitimate traffic to the ALB in front of the ECS tasks.
C. Create a new AWS WAF web ACL. Add a new rule that blocks requests that match the SQL database rule group. Set the web ACL to allow all other traffic that does not match those rules. Attach the web ACL to the ALB in front of the ECS tasks.
D. Create a new AWS WAF web ACL. Create a new empty IP set in AWS WAF. Add a new rule to the web ACL to block requests that originate from IP addresses in the new IP set. Create an AWS Lambda function that scrapes the API logs for IP addresses that send SQL injection attacks, and add those IP addresses to the IP set. Attach the web ACL to the ALB in front of the ECS tasks.
Correct Answer: C
QUESTION 109
A company uses multiple software as a service (SaaS) applications for messaging, email, and file sharing. The SaaS applications are compatible with AWS AppFabric. The company’s web application runs in a VPC on an Amazon EKS cluster and uses Amazon S3 to store data. The company wants to detect security incidents across the SaaS applications and the web application that could compromise company data. The company needs a centralized solution that provides a dashboard. The dashboard must show the IP addresses, email addresses, and access frequencies of unique users across its Saas applications and the web application. Which combination of steps will meet these requirements with LEAST operational overhead? (Select THREE.)
A. Ingest audit log data from each SaaS application into AWS AppFabric. Convert the audit log data into Open Cybersecurity Schema Framework (OCSF) normalized Apache Parquet format. Send the logs to Amazon Data Firehose to be delivered to an Amazon Security Lake S3 bucket.
B. Ingest networking and usage log data from each SaaS application into AWS AppFabric. Convert the networking and usage log data into JSON format. Send the logs to Amazon Data Firehose to be delivered to Amazon OpenSearch Service.
C. Create an Amazon S3 bucket to receive logs in JSON format through Amazon Data Firehose. Create a dashboard in Amazon CloudWatch. Configure the dashboard to visualize the location of the IP addresses, email addresses, and access frequencies of unique users by using data from the S3 bucket.
D. Configure the logs associated with AWS CloudTrail management events, AWS CloudTrail data events for Amazon S3, Amazon EKS audit logs, and VPC Flow Logs as sources in Amazon Security Lake. Add AWS AppFabric as a custom source in Security Lake.
E. Configure Amazon Security Lake to send security data from different sources to Amazon Redshift. Use Amazon QuickSight to create a visualization of the security data.
F. Configure Amazon Security Lake to send security data from different sources to Amazon OpenSearch Service by using OpenSearch Ingestion. Use the OpenSearch Service dashboard to create a visualization of the security data.
Correct Answer: ADF
QUESTION 110
A company is migrating a document processing application to AWS. Documents are generated at a rate of five documents each second. The company will store the documents in an Amazon S3 bucket. The documents need to be downloaded from Amazon S3 as soon as the documents are available. The document processing application runs on Amazon EC2 instances and uses Linux servers that are optimized for CPU-intensive tasks. The document generation process requires fast local access to the files in Amazon S3. The company is unable to use S3 APIs for several months. The migration to AWS must be expedited. Which solution will meet these requirements?
A. Create an Amazon EFS file system and endpoint. Mount the file system by using NFS. Configure AWS Transfer Family to synchronize to the S3 bucket.
B. Configure Amazon S3 File Gateway. Set up a file share that is linked to the S3 bucket. On the EC2 instances, mount the file share by using SFTP.
C. Deploy AWS DataSync to connect to the EC2 instances. Configure a task to synchronize the generated files to and from the S3 bucket. Mount the S3 bucket to the instance by using DataSync.
D. Set up an Amazon FSx for Lustre file system with an import and export policy. Link the new file system to the S3 bucket. Install the Lustre client. Mount the document store by using NFS.
Correct Answer: D
QUESTION 111
Company A has AWS accounts in an organization in AWS Organizations and uses AWS Control Tower to orchestrate the environment. Company A recently acquired Company B. Company B has AWS accounts in its own organization in Organizations. An account from Company B’s organization needs to move to Company A’s organization. AWS Control Tower must be enabled for the moved account. Which solution will meet these requirements?
A. Convert the account to a management account in Company B’s organization. Sign in to AWS Control Tower and invite the account to join Company A’s organization. After the invitation is accepted, enroll the account into Company A’s AWS Control Tower.
B. Convert the account to a management account in Company B’s organization. In Company A’s AWS Control Tower environment, use Account Factory to invite the account to join Company A’s organization. After the invitation is accepted, enroll the account into Company A’s AWS Control Tower.
C. Remove the account from Company B’s organization. Sign in to AWS Control Tower and invite the account to join Company A’s organization. After the invitation is accepted, enroll the account into Company A’s AWS Control Tower.
D. Remove the account from Company B’s organization. In Company A’s AWS Control Tower environment, use Account Factory to invite the account to join Company A’s organization. After the invitation is accepted, enroll the account into Company A’s AWS Control Tower.
Correct Answer: C
QUESTION 112
A solutions architect has created a single VPC on AWS. The VPC has one internet gateway and one NAT gateway. The VPC extends across three Availability Zones. Each Availability Zone includes one public subnet and one private subnet. The three private subnets contain Amazon EC2 instances that must be able to connect to the internet. Which solution will increase the network resiliency of this architecture?
A. Add two NAT gateways so that each Availability Zone has a NAT gateway. Configure a route table for each private subnet to send traffic to the NAT gateway in the subnet’s Availability Zone.
B. Add two NAT gateways so that each Availability Zone has a NAT gateway. Configure a route table for each public subnet to send traffic to the NAT gateway in the subnet’s Availability Zone.
C. Add two internet gateways so that each Availability Zone has an internet gateway. Configure a route table for each private subnet to send traffic to the internet gateway in the subnet’s Availability Zone.
D. Add two internet gateways so that each Availability Zone has an internet gateway. Configure a route table for each public subnet to send traffic to the internet gateway in the subnet’s Availability Zone.
Correct Answer: A
QUESTION 113
A company runs an application on AWS. The application uses an Amazon Aurora MySQL database that is encrypted with the default AWS managed AWS KMS key. The company must implement a solution to rotate the database encryption key every 180 days. The solution must provide a notification if the encryption key is noncompliant with this standard. Which solution will meet these requirements?
A. Configure the rotation period for the existing AWS managed KMS key to be 180 days. Implement the cmk-backing-key-rotation-enabled AWS Config managed rule for the existing KMS key. Configure AWS Config to use Amazon SNS to notify the security team if key rotation is noncompliant.
B. Create a new AWS managed KMS key with automatic rotation set for 180 days. Take a snapshot of the database. Restore the snapshot to a new Aurora cluster that uses the new KMS key. Create an AWS Config custom rule that uses an AWS Lambda function to validate the key rotation period. Configure AWS Config to use Amazon SES to notify the security team if key encryption is noncompliant.
C. Create a new customer managed KMS key with automatic rotation set for 180 days. Take a snapshot of the database. Restore the snapshot to a new Aurora cluster that uses the new KMS key. Create an AWS Config custom rule that uses an AWS Lambda function to validate the key rotation period. Configure AWS Config to use Amazon SNS to notify the security team if key encryption is noncompliant.
D. Create a new customer managed KMS key with automatic rotation set for 180 days. Update the database to use the new KMS key for encryption. Implement the cmk-backing-key-rotation-enabled AWS Config managed rule for the new KMS key. Configure AWS Config to use Amazon SES to notify the security team if key rotation is noncompliant.
Correct Answer: C
QUESTION 114
A company is moving its call center to Amazon Connect. The company needs to transfer 200 TB of call recordings in .wav format to AWS within 2 months. The company has 10 Mbps of internet bandwidth available for the transfer. Most call recordings will not be accessed but must be available within seconds for 1 year. After 1 year, the company does not require retrieval within seconds. The call recordings must be deleted after 5 years (1,827 days). Which solution meets these requirements?
A. Set up an AWS Direct Connect connection to transfer the call recordings to an Amazon S3 bucket. Configure an S3 Lifecycle policy on the S3 bucket to transition objects to S3 One Zone-Infrequent Access (S3 One Zone-IA) after 30 days. Configure the S3 Lifecycle policy to transition objects to S3 Glacier Deep Archive after 366 days. Configure the S3 Lifecycle policy to permanently delete objects after 1,827 days.
B. Order an AWS Snowball Edge Storage Optimized device to transfer the call recordings to an Amazon S3 bucket. Configure an S3 Lifecycle policy on the S3 bucket to transition objects to S3 Glacier Instant Retrieval after 0 days. After 366 days, move the objects to S3 Glacier Deep Archive. Set the objects to expire 1,827 days after the upload date.
C. Order an AWS Snowball Edge Compute Optimized device to transfer the call recordings to an Amazon S3 bucket. Configure an S3 Lifecycle policy on the S3 bucket to transition objects to S3 Express One Zone immediately. After 366 days, move the objects to S3 Glacier Deep Archive. Set the objects to expire 1,827 days after the upload date.
D. Use Amazon S3 Multi-Region Access Points to upload files over the existing internet connection. Configure an S3 Lifecycle policy on the S3 bucket to transition objects to S3 Standard-Infrequent Access (S3 Standard-IA) immediately. Configure the S3 Lifecycle policy to transition objects to S3 Glacier Deep Archive after 366 days. Configure the S3 Lifecycle policy to permanently delete objects after 1,827 days.
Correct Answer: B
QUESTION 115
A company stores a static website on Amazon S3. AWS Lambda functions retrieve content from an S3 bucket and serve the content as a website. An Application Load Balancer (ALB)directs incoming traffic to the Lambda functions. An Amazon CloudFront distribution routes requests to the ALB. The company has set up an AWS Certificate Manager (ACM) certificate on the HTTPS listener of the ALB. The company needs all users to communicate with the website through HTTPS. HTTP users must not receive an error. Which combination of steps will meet these requirements? (Select THREE.)
A. Configure the ALB with a TCP listener on port 443 for passthrough to backend systems.
B. Create an S3 bucket policy that denies access to the S3 bucket if the aws:SecureTransport request is false.
C. Configure HTTP to HTTPS redirection on the S3 bucket.
D. Set the origin protocol policy to HTTPS Only for CloudFront.
E. Set the viewer protocol policy to HTTPS Only for CloudFront.
F. Set the viewer protocol policy to Redirect HTTP to HTTPS for CloudFront.
Correct Answer: BDF
QUESTION 116
A company runs AWS workloads that are integrated with software as a service (SaaS) applications. The company needs to analyze the SaaS applications to identify unused licenses.Which solution will meet this requirement with the LEAST operational overhead?
A. Use AWS License Manager automated discovery to retrieve audit logs from the SaaS applications. Use Amazon Athena to analyze the data and to identify unused SaaS licenses.
B. Create an AWS Lambda function to retrieve audit logs from the SaaS applications and to store the data in Amazon S3. Use Amazon EMR to analyze the data and to identify unused SaaS licenses.
C. Use AWS AppFabric to ingest audit logs from the SaaS applications into Amazon S3. Use Amazon Athena to analyze the data and to identify unused SaaS licenses.
D. Use AWS App Runner to ingest audit logs from the SaaS applications into Amazon S3. Use Amazon EMR to analyze the data and to identify unused SaaS licenses.
Correct Answer: C
QUESTION 117
A company is migrating an application to the AWS Cloud. The application currently runs in an on-premises data center and writes thousands of images into a mounted NFS file system each night. The company has established an AWS Direct Connect connection to AWS. After the company migrates the application, the application will run on an Amazon EC2 instance with a mounted Amazon EFS file system. Before the migration, the company must synchronize the images to the EFS file system each night. Which solution will replicate the images with the LEAST operational overhead?
A. Configure a daily process to run the aws s3 sync command from the on-premises file system to Amazon S3. Configure an AWS Lambda function to process event notifications from Amazon S3 and copy the images from Amazon S3 to the EFS file system.
B. Deploy an AWS DataSync agent to an on-premises server. Send images over the Direct Connect connection to an AWS PrivateLink interface VPC endpoint for Amazon EFS. Configure a DataSync scheduled task to send the images to the EFS file system.
C. Deploy an Amazon S3 File Gateway with an NFS mount point. Mount the S3 File Gateway file system on the on-premises server. Configure a daily process to copy the images to the mount point.
D. Deploy an AWS Transfer Family for SFTP server. Integrate the SFTP server with the EFS file system. Create and schedule an AWS Step Functions state machine to transfer images to the SFTP server over the Direct Connect connection.
Correct Answer: B
QUESTION 118
A company is redesigning its network and uses AWS Organizations to manage a multi-account setup. The company has three OUs, and each OU contains more than 100 AWS accounts. Each account has a single VPC. All the VPCs in each OU are in the same AWS Region. The CIDR ranges for all the accounts do not overlap. The company needs a solution in which VPCs in the same OU can communicate with each other but cannot
communicate with VPCs in other OUs. Which solution will meet these requirements with the LEAST operational overhead?
A. Create an AWS CloudFormation stack set that establishes VPC peering between accounts in each OU. Provision the stack set in each OU.
B. Create a transit gateway in an account in each OU. Share the transit gateway across the organization by using AWS Resource Access Manager (AWS RAM). Create transit gateway VPC attachments for each VPC in the OU.
C. In each OU, create a dedicated networking account that has a single VPC. Share this VPC with all the other accounts in the OU by using AWS Resource Access Manager (AWS RAM). Create a VPC peering connection between the networking account VPC and each VPC from the other accounts in the OU.
D. In each OU, create a dedicated networking account that has a single VPC. Create a VPN connection between the networking account VPC and the VPCs from the other accounts in the OU. Use third-party routing software to route transitive traffic between the VPCs.
Correct Answer: B
QUESTION 119
A company is developing a solution to analyze images. The solution uses a 50 TB reference dataset and analyzes images up to 1 TB in size. The solution spreads requests across an Auto Scaling group of Amazon EC2 Linux instances in a VPC. The EC2 instances are attached to shared Amazon EBS io2 volumes in each Availability Zone. The EBS volumes store the reference dataset. During testing, multiple parallel analyses led to numerous disk errors, which caused job failures. The company wants the solution to provide seamless data reading for all instances. Which solution will meet these requirements MOST cost-effectively?
A. Create a new EBS volume for each EC2 instance. Copy the data from the shared volume to the new EBS volume regularly. Update the application to reference the new EBS volume.
B. Move all the reference data to an Amazon S3 bucket. Install Mountpoint for Amazon S3 on the EC2 instances. Create gateway endpoints for Amazon S3 in the VPC. Replace the EBS mount point with the S3 mount point.
C. Move all the reference data to an Amazon S3 bucket. Create an Amazon S3 backed Multi-AZ Amazon EFS volume. Mount the EFS volume on the EC2 instances. Replace the EBS mount point with the EFS mount point.
D. Upgrade the instances to local storage. Copy the data from the shared EBS volume to the local storage regularly. Update the application to reference the local storage.
Correct Answer: B
QUESTION 120
A company has an application that partners use to upload objects directly to an Amazon S3 bucket. The company needs a solution that can scan uploaded objects for malware, delete objects that contain malware, and notify the company’s security team. Which solution will meet these requirements?
A. Enable Amazon GuardDuty Malware Protection for the S3 bucket. Create an AWS Step Functions state machine that is invoked by GuardDuty findings. Program the state machine to delete objects that contain malware and to send an Amazon SNS notification to the security team.
B. Enable Amazon GuardDuty Malware Protection for the S3 bucket. Create an AWS Lambda function that is invoked by an Amazon EventBridge rule that matches the GuardDuty scan result event. Program the Lambda function to delete objects that contain malware and to send an Amazon SNS notification to the security team.
C. Configure Amazon Macie to scan the S3 bucket for malware. Create an AWS Lambda function that is invoked by an Amazon EventBridge rule that matches the Macie scan result event. Program the Lambda function to delete objects that contain malware and to send an Amazon SNS notification to the security team.
D. Configure Amazon Inspector for vulnerability scanning. Create an AWS Step Functions state machine that is invoked by Amazon Inspector findings. Program the state machine to delete objects that contain malware and to send an Amazon SES notification to the security team.
Correct Answer: C
We use cookies to improve your experience, including essential cookies required for the website to function. By continuing, you agree to our use of cookies. Learn more.
We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.
Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.
Advertisement cookies are used to provide visitors with customised advertisements based on the pages you visited previously and to analyse the effectiveness of the ad campaigns.
Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.