DOP-C01 Dump Free – 50 Practice Questions to Sharpen Your Exam Readiness.
Looking for a reliable way to prepare for your DOP-C01 certification? Our DOP-C01 Dump Free includes 50 exam-style practice questions designed to reflect real test scenarios—helping you study smarter and pass with confidence.
Using a DOP-C01 dump free set of questions can give you an edge in your exam prep by helping you:
- Understand the format and types of questions you’ll face
- Pinpoint weak areas and focus your study efforts
- Boost your confidence with realistic question practice
Below, you will find 50 free questions from our DOP-C01 Dump Free collection. These cover key topics and are structured to simulate the difficulty level of the real exam, making them a valuable tool for review or final prep.
A company publishes application logs to an Amazon CloudWatch Logs log group in the us-east-1 Region. The company needs to export the logs from us-east-1 to the us-west-2 Region on a weekly basis. The logs must be encrypted in both Regions. Which solution will meet these requirements?
A. Create an Amazon S3 bucket in us-west-2. Configure server-side encryption with Amazon S3 managed encryption keys (SSE-S3) for the S3 bucket. Create and schedule an AWS Lambda function to run weekly to export the CloudWatch logs from the last week to the S3 bucket in us-west-2.
B. Create an Amazon S3 bucket in us-west-2. Configure server-side encryption with AWS KMS keys (SSE-KMS) for the S3 bucket. Create and schedule an AWS Lambda function to run weekly to export the CloudWatch logs from the last week to the S3 bucket in us-west-2.
C. Create an Amazon S3 bucket in us-east-1. Create an S3 bucket in us-west-2. Configure server-side encryption with Amazon S3 managed encryption keys (SSE-S3) and turn on versioning for both S3 buckets. Create and schedule an AWS Lambda function to run weekly to export the CloudWatch logs from the last week to the S3 bucket in us-east-1. Configure a replication rule on the S3 bucket in us-east-1 to replicate the logs to the S3 bucket in us-west-2.
D. Create an Amazon S3 bucket in us-east-1. Create an S3 bucket in us-west-2. Configure server-side encryption with AWS KMS keys (SSE-KMS) and turn on versioning for both S3 buckets. Create and schedule an AWS Lambda function to run weekly to export the CloudWatch logs from the last week to the S3 bucket in us-east-1. Configure a replication rule on the S3 bucket in us-east-1 to replicate the logs to the S3 bucket in us-west-2.
A company runs applications in AWS accounts that are in an organization in AWS Organizations. The applications use Amazon EC2 instances and Amazon S3. The company wants to detect potentially compromised EC2 instances, suspicious network activity, and unusual API activity in its existing AWS accounts and in any AWS accounts that the company creates in the future. When the company detects one of these events, the company wants to use an existing Amazon Simple Notification Service (Amazon SNS) topic to send a notification to its operational support team for investigation and remediation. Which solution will meet these requirements in accordance with AWS best practices?
A. In the organization’s management account, configure an AWS account as the Amazon GuardDuty administrator account. In the GuardDuty administrator account, add the company’s existing AWS accounts to GuardDuty as members. In the GuardDuty administrator account, create an Amazon EventBridge (Amazon CloudWatch Events) rule with an event pattern to match GuardDuty events and to forward matching events to the SNS topic.
B. In the organization’s management account, configure Amazon GuardDuty to add newly created AWS accounts by invitation and to send invitations to the existing AWS accounts. Create an AWS CloudFormation stack set that accepts the GuardDuty invitation and creates an Amazon EventBridge (Amazon CloudWatch Events) rule. Configure the rule with an event pattern to match GuardDuty events and to forward matching events to the SNS topic. Configure the CloudFormation stack set to deploy into all AWS accounts in the organization.
C. In the organization’s management account, create an AWS CloudTrail organization trail. Activate the organization trail in all AWS accounts in the organization. Create an SCP that enables VPC Flow Logs in each account in the organization. Configure AWS Security Hub for the organization. Create an Amazon EventBridge (Amazon CloudWatch Events) rule with an event pattern to match Security Hub events and to forward matching events to the SNS topic.
D. In the organization’s management account, configure an AWS account as the AWS CloudTrail administrator account. In the CloudTrail administrator account, create a CloudTrail organization trail. Add the company’s existing AWS accounts to the organization trail. Create an SCP that enables VPC Flow Logs in each account in the organization. Configure AWS Security Hub for the organization. Create an Amazon EventBridge (Amazon CloudWatch Events) rule with an event pattern to match Security Hub events and to forward matching events to the SNS topic.
A company is using Amazon EC2 for various workloads. Company policy requires that instances be managed centrally to standardize configurations. These configurations include standard logging, metrics, security assessments, and weekly patching. How can the company meet these requirements? (Choose three.)
A. Use AWS Config to ensure all EC2 instances are managed by Amazon Inspector.
B. Use AWS Config to ensure all EC2 instances are managed by AWS Systems Manager.
C. Use AWS Systems Manager to install and manage Amazon Inspector, Systems Manager Patch Manager, and the Amazon CloudWatch agent on all instances.
D. Use Amazon Inspector to install and manage AWS Systems Manager, Systems Manager Patch Manager, and the Amazon CloudWatch agent on all instances.
E. Use AWS Systems Manager maintenance windows with Systems Manager Run Command to schedule Systems Manager Patch Manager tasks. Use the Amazon CloudWatch agent to schedule Amazon Inspector assessment runs.
F. Use AWS Systems Manager maintenance windows with Systems Manager Run Command to schedule Systems Manager Patch Manager tasks. Use Amazon CloudWatch Events to schedule Amazon Inspector assessment runs.
A DevOps engineer is building a continuous deployment pipeline for a serverless application that uses AWS Lambda functions. The company wants to reduce the customer impact of an unsuccessful deployment. The company also wants to monitor for issues. Which deploy stage configuration will meet these requirements?
A. Use an AWS Serverless Application Model (AWS SAM) template to define the serverless application. Use AWS CodeDeploy to deploy the Lambda functions with the Canary10Percent15Minutes Deployment Preference Type. Use Amazon CloudWatch alarms to monitor the health of the functions.
B. Use AWS CloudFormation to publish a new stack update, and include Amazon CloudWatch alarms on all resources. Set up an AWS CodePipeline approval action for a developer to verify and approve the AWS CloudFormation change set.
C. Use AWS CloudFormation to publish a new version on every stack update, and include Amazon CloudWatch alarms on all resources. Use the RoutingConfig property of the AWS::Lambda::Alias resource to update the traffic routing during the stack update.
D. Use flaws CodeBuild to add sample event payloads for testing to the Lambda functions. Publish a new version of the functions, and include Amazon CloudWatch alarms. Update the production alias to point to the new version. Configure rollbacks to occur when an alarm is in the ALARM state.
A company's legacy application uses IAM user credentials to access resources in the company's AWS Organizations organization. A DevOps engineer must ensure that new IAM users cannot be created unless the employee who creates the IAM user is on an exception list. Which solution will meet these requirements?
A. Attach an Organizations SCP with an explicit deny for all iam:CreateAccessKey actions with a condition that excludes StringEquals for aws:username with a value of the exception list.
B. Attach an Organizations SCP with an explicit deny for all iam:CreateUser actions with a condition that includes StringNotLike for aws:username with a value of the exception list.
C. Create an Amazon EventBridge (Amazon CloudWatch Events) rule with a pattern that matches the iam:CreateAccessKey action with an AWS Lambda function target. The function will check the user name and account against an exception list. If the user is not on the exception list, the function will delete the user.
D. Create an Amazon EventBridge (Amazon CloudWatch Events) rule with a pattern that matches the iam:CreateUser action with an AWS Lambda function target. The function will check the user name and account against an exception list. If the user is not on the exception list, the function will delete the user.
A company recently migrated its legacy application from on-premises to AWS. The application is hosted on Amazon EC2 instances behind an Application Load Balancer, which is behind Amazon API Gateway. The company wants to ensure users experience minimal disruptions during any deployment of a new version of the application. The company also wants to ensure it can quickly roll back updates if there is an issue. Which solution will meet these requirements with MINIMAL changes to the application?
A. Introduce changes as a separate environment parallel to the existing one. Configure API Gateway to use a canary release deployment to send a small subset of user traffic to the new environment.
B. Introduce changes as a separate environment parallel to the existing one. Update the application’s DNS alias records to point to the new environment.
C. Introduce changes as a separate target group behind the existing Application Load Balancer. Configure API Gateway to route user traffic to the new target group in steps.
D. Introduce changes as a separate target group behind the existing Application Load Balancer. Configure API Gateway to route all traffic to the Application Load Balancer, which then sends the traffic to the new target group.
A DevOps team manages an API running on-premises that serves as a backend for an Amazon API Gateway endpoint. Customers have been complaining about high response latencies, which the development team has verified using the API Gateway latency metrics in Amazon CloudWatch. To identify the cause, the team needs to collect relevant data without introducing additional latency. Which actions should be taken to accomplish this? (Choose two.)
A. Install the CloudWatch agent server side and configure the agent to upload relevant logs to CloudWatch.
B. Enable AWS X-Ray tracing in API Gateway, modify the application to capture request segments, and upload those segments to X-Ray during each request.
C. Enable AWS X-Ray tracing in API Gateway, modify the application to capture request segments, and use the X-Ray daemon to upload segments to X-Ray.
D. Modify the on-premises application to send log information back to API Gateway with each request.
E. Modify the on-premises application to calculate and upload statistical data relevant to the API service requests to CloudWatch metrics.
An ecommerce company has chosen AWS to host its new platform. The company's DevOps team has started building an AWS Control Tower landing zone. The DevOps team has set the identity store within AWS Single Sign-On (AWS SSO) to an external identity provider (IdP) and has configured SAML 2.0. The DevOps team wants a robust permission model that applies the principle of least privilege. The model must allow the team to build and manage only the team's own resources. Which combination of steps will meet these requirements? (Choose three.)
A. Create IAM policies that include the required permissions. Include the aws:PrincipalTag condition key.
B. Create permission sets. Attach an inline policy that includes the required permissions and uses the aws:PrincipalTag condition key to scope the permissions.
C. Create a group in the IdP. Place users in the group. Assign the group to accounts and the permission sets in AWS SSO.
D. Create a group in the IdP. Place users in the group. Assign the group to OUs and IAM policies.
E. Enable attributes for access control in AWS SSO. Apply tags to users. Map the tags as key-value pairs.
F. Enable attributes for access control in AWS SSO. Map attributes from the IdP as key-value pairs.
A DevOps engineer must create a Linux AMI in an automated fashion. The newly created AMI identification must be stored in a location where other build pipelines can access the new identification programmatically. What is the MOST cost-effective way to do this?
A. Build a pipeline in AWS CodePipeline to download and save the latest operating system Open Virtualization Format (OVF) image to an Amazon S3 bucket. Customize the image by using the guestfish utility. Use the virtual machine (VM) import command to convert the OVF to an AMI. Store the AMI identification output as an AWS Systems Manager Parameter Store parameter.
B. Create an AWS Systems Manager Automation runbook with values instructing how the image should be created. Build a pipeline in AWS CodePipeline to execute the runbook to create the AMI. Store the AMI identification output as a Systems Manager Parameter Store parameter.
C. Build a pipeline in AWS CodePipeline to take a snapshot of an Amazon EC2 instance running the latest version of the application. Start a new EC2 instance from the snapshot and update the running instance by using an AWS Lambda function. Take a snapshot of the updated instance and convert it to an AMI. Store the AMI identification output in an Amazon DynamoDB table.
D. Launch an Amazon EC2 instance and install Packer. Configure a Packer build with values defining how the image should be created. Build a Jenkins pipeline to invoke the Packer build to create an AMI. Store the AMI identification output in an Amazon DynamoDB table.
An Amazon EC2 instance is running in a Virtual Private Cloud (VPC) and needs to download an object from a restricted Amazon S3 bucket. When the DevOps engineer tries to download the object, an AccessDenied error is received. What are the possible causes for this error? (Choose two.)
A. The S3 bucket default encryption is enabled
B. There is an error in the S3 bucket policy
C. The object has been moved to Amazon Glacier
D. There is an error in the IAM role configuration
E. S3 versioning is enabled
A company has migrated its container-based applications to Amazon EKS and wants to establish automated email notifications. The notifications sent to each email address are for specific activities related to EKS components. The solution will include Amazon SNS topics and an AWS Lambda function to evaluate incoming log events and publish messages to the correct SNS topic. Which logging solution will support these requirements?
A. Enable Amazon CloudWatch Logs to log the EKS components. Create a CloudWatch subscription filter for each component with Lambda as the subscription feed destination.
B. Enable Amazon CloudWatch Logs to log the EKS components. Create CloudWatch Logs Insights queries linked to Amazon EventBridge events that invoke Lambda.
C. Enable Amazon S3 logging for the EKS components. Configure an Amazon CloudWatch subscription filter for each component with Lambda as the subscription feed destination.
D. Enable Amazon S3 logging for the EKS components. Configure S3 PUT Object event notifications with AWS Lambda as the destination.
A DevOps engineer is working on a project that is hosted on Amazon Linux and has failed a security review. The DevOps manager has been asked to review the company buildspec.yaml file for an AWS CodeBuild project and provide recommendations. The buildspec.yaml file is configured as follows: What changes should be recommended to comply with AWS security best practices? (Choose three.)
A. Add a post-build command to remove the temporary files from the container before termination to ensure they cannot be seen by other CodeBuild users.
B. Update the CodeBuild project role with the necessary permissions and then remove the AWS credentials from the environment variable.
C. Store the DB_PASSWORD as a SecureString value in AWS Systems Manager Parameter Store and then remove the DB_PASSWORD from the environment variables.
D. Move the environment variables to the ‘db-deploy-bucket’ Amazon S3 bucket, add a prebuild stage to download, then export the variables.
E. Use AWS Systems Manager Run Command versus scp and ssh commands directly to the instance.
F. Scramble the environment variables using XOR followed by Base64, add a section to install, and then run XOR and Base64 to the build phase.
A DevOps engineer wants to find a solution to migrate an application from on premises to AWS. The application is running on Linux and needs to run on specific versions of Apache Tomcat, HAProxy, and Varnish Cache to function properly. The application's operating system-level parameters require tuning. The solution must include a way to automate the deployment of new application versions. The infrastructure should be scalable and faulty servers should be replaced automatically. Which solution should the DevOps engineer use?
A. Upload the application as a Docker image that contains all the necessary software to Amazon ECR. Create an Amazon ECS cluster using an AWS Fargate launch type and an Auto Scaling group. Create an AWS CodePipeline pipeline that uses Amazon ECR as a source and Amazon ECS as a deployment provider.
B. Upload the application code to an AWS CodeCommit repository with a saved configuration file to configure and install the software. Create an AWS Elastic Beanstalk web server tier and a load balanced-type environment that uses the Tomcat solution stack. Create an AWS CodePipeline pipeline that uses CodeCommit as a source and Elastic Beanstalk as a deployment provider.
C. Upload the application code to an AWS CodeCommit repository with a set of .ebextensions files to configure and install the software. Create an AWS Elastic Beanstalk worker tier environment that uses the Tomcat solution stack. Create an AWS CodePipeline pipeline that uses CodeCommit as a source and Elastic Beanstalk as a deployment provider.
D. Upload the application code to an AWS CodeCommit repository with an appspec.yml file to configure and install the necessary software. Create an AWS CodeDeploy deployment group associated with an Amazon EC2 Auto Scaling group. Create an AWS CodePipeline pipeline that uses CodeCommit as a source and CodeDeploy as a deployment provider.
A space exploration company receives telemetry data from multiple satellites. Small packets of data are received through Amazon API Gateway and are placed directly into an Amazon Simple Queue Service (Amazon SQS) standard queue. A custom application is subscribed to the queue and transforms the data into a standard format. Because of inconsistencies in the data that the satellites produce, the application is occasionally unable to transform the data. In these cases, the messages remain in the SQS queue. A DevOps engineer must develop a solution that retains the failed messages and makes them available to scientists for review and future processing. Which solution will meet these requirements?
A. Configure AWS Lambda to poll the SQS queue and invoke a Lambda function to check whether the queue messages are valid. If validation fails, send a copy of the data that is not valid to an Amazon S3 bucket so that the scientists can review and correct the data. When the data is corrected, amend the message in the SQS queue by using a replay Lambda function with the corrected data.
B. Convert the SQS standard queue to an SQS FIFO queue. Configure AWS Lambda to poll the SQS queue every 10 minutes by using an Amazon EventBridge schedule. Invoke the Lambda function to identify any messages with a SentTimestamp value that is older than 5 minutes, push the data to the same location as the application’s output location, and remove the messages from the queue.
C. Create an SQS dead-letter queue. Modify the existing queue by including a redrive policy that sets the Maximum Receives setting to 1 and sets the dead-letter queue ARN to the ARN of the newly created queue. Instruct the scientists to use the dead-letter queue to review the data that is not valid. Reprocess this data at a later time.
D. Configure API Gateway to send messages to different SQS virtual queues that are named for each of the satellites. Update the application to use a new virtual queue for any data that it cannot transform, and send the message to the new virtual queue. Instruct the scientists to use the virtual queue to review the data that is not valid. Reprocess this data at a later time.
A company wants to ensure that their EC2 instances are secure. They want to be notified if any new vulnerabilities are discovered on their instances, and they also want an audit trail of all login activities on the instances. Which solution will meet these requirements?
A. Use AWS Systems Manager to detect vulnerabilities on the EC2 instances. Install the Amazon Kinesis Agent to capture system logs and deliver them to Amazon S3.
B. Use AWS Systems Manager to detect vulnerabilities on the EC2 instances. Install the Systems Manager Agent to capture system logs and view login activity in the CloudTrail console.
C. Configure Amazon CloudWatch to detect vulnerabilities on the EC2 instances. Install the AWS Config daemon to capture system logs and view them in the AWS Config console.
D. Configure Amazon Inspector to detect vulnerabilities on the EC2 instances. Install the Amazon CloudWatch Agent to capture system logs and record them via Amazon CloudWatch Logs.
A development team wants to use AWS CloudFormation stacks to deploy an application. However, the developer IAM role does not have the required permissions to provision the resources that are specified in the AWS CloudFormation template. A DevOps engineer needs to implement a solution that allows the developers to deploy the stacks. The solution must follow the principle of least privilege. Which solution will meet these requirements?
A. Create an IAM policy that allows the developers to provision the required resources. Attach the policy to the developer IAM role.
B. Create an IAM policy that allows full access to AWS CloudFormation. Attach the policy to the developer IAM role.
C. Create an AWS CloudFormation service role that has the required permissions. Grant the developer IAM role a cloudformation:* action. Use the new service role during stack deployments.
D. Create an AWS CloudFormation service role that has the required permissions. Grant the developer IAM role the iam:PassRole permission. Use the new service role during stack deployments.
A DevOps engineer is using AWS CodeDeploy across a fleet of Amazon EC2 instances in an EC2 Auto Scaling group. The associated CodeDeploy deployment group, which is integrated with EC2 Auto Scaling, is configured to perform in-place deployments with CodeDeployDefault.OneAtATime. During an ongoing new deployment, the engineer discovers that although the overall deployment finished successfully, two out of five instances have the previous application revision deployed. The other three instances have the newest application revision. What is likely causing this issue?
A. The two affected instances failed to fetch the new deployment.
B. A failed AfterInstall lifecycle event hook caused the CodeDeploy agent to roll back to the previous version on the affected instances.
C. The CodeDeploy agent was not installed in two affected instances.
D. EC2 Auto Scaling launched two new instances while the new deployment had not yet finished, causing the previous version to be deployed on the affected instances.
A company has a single-page application that was developed in Angular. A DevOps engineer needs to automate deployments of the application to a website that the company hosts on Amazon S3. The solution must provide version control of the source code and must give developers the ability to perform peer review. Which combination of steps will meet these requirements? (Choose three.)
A. Create an AWS CodeCommit repository to store the source code. Create an AWS CodePipeline pipeline that has a source of the CodeCommit repository.
B. Create an S3 bucket to act as the source for developers to upload their source code. Create an AWS CodePipeline pipeline that has the S3 bucket as the source.
C. In the CodePipeline pipeline, configure an AWS CodeBuild phase that compiles the source code and produces build artifacts.
D. In the CodePipeline pipeline, configure an AWS CodeDeploy phase that compiles the source code, produces build artifacts, and then deploys the website.
E. In the CodePipeline pipeline, configure an AWS AppConfig deploy action that deploys the build artifacts to the S3 website bucket.
F. In the CodePipeline pipeline, configure an S3 deploy action that deploys the build artifacts to the S3 website bucket.
A production account has a requirement that any Amazon EC2 instance that has been logged into manually must be terminated within 24 hours. All applications in the production account are using Auto Scaling groups with Amazon CloudWatch Logs agent configured. How can this process be automated?
A. Create a CloudWatch Logs subscription to an AWS Step Functions application. Configure the function to add a tag to the EC2 instance that produced the login event and mark the instance to be decommissioned. Then create a CloudWatch Events rule to trigger a second AWS Lambda function once a day that will terminate all instances with this tag.
B. Create a CloudWatch alarm that will trigger on the login event. Send the notification to an Amazon SNS topic that the operations team is subscribed to, and have them terminate the EC2 instance within 24 hours.
C. Create a CloudWatch alarm that will trigger on the login event. Configure the alarm to send to an Amazon SQS queue. Use a group of worker instances to process messages from the queue, which then schedules the Amazon CloudWatch Events rule to trigger.
D. Create a CloudWatch Logs subscription in an AWS Lambda function. Configure the function to add a tag to the EC2 instance that produced the login event and mark the instance to be decommissioned. Create a CloudWatch Events rule to trigger a daily Lambda function that terminates all instances with this tag.
A company requires its internal business teams to launch resources through pre-approved flaws CloudFormation templates only. The security team requires automated monitoring when resources drift from their expected state. Which strategy should be used to meet these requirements?
A. Allow users to deploy CloudFormation stacks using a CloudFormation service role only. Use CloudFormation drift detection to detect when resources have drifted from their expected state.
B. Allow users to deploy CloudFormation stacks using a CloudFormation service role only. Use AWS Config rules to detect when resources have drifted from their expected state.
C. Allow users to deploy CloudFormation stacks using AWS Service Catalog only. Enforce the use of a launch constraint. Use AWS Config rules to detect when resources have drifted from their expected state.
D. Allow users to deploy CloudFormation stacks using AWS Service Catalog only. Enforce the use of a template constraint. Use Amazon EventBridge notifications to detect when resources have drifted from their expected state.
A company has a single AWS account that runs hundreds of Amazon EC2 instances in a single AWS Region. New EC2 instances are launched and terminated each hour in the account. The account also includes existing EC2 instances that have been running for longer than a week. The company's security policy requires all running EC2 instances to use an EC2 instance profile. If an EC2 instance does not have an instance profile attached, the EC2 instance must use a default instance profile that has no IAM permissions assigned. A DevOps engineer reviews the account and discovers EC2 instances that are running without an instance profile. During the review, the DevOps engineer also observes that new EC2 instances are being launched without an instance profile. Which solution will ensure that an instance profile is attached to all existing and future EC2 instances in the Region?
A. Configure an Amazon EventBridge (Amazon CloudWatch Events) rule that reacts to EC2 RunInstances API calls. Configure the rule to invoke an AWS Lambda function to attach the default instance profile to the EC2 instances.
B. Configure the ec2-instance-profile-attached AWS Config managed rule with a trigger type of configuration changes. Configure an automatic remediation action that invokes an AWS Systems Manager Automation runbook to attach the default instance profile to the EC2 instances.
C. Configure an Amazon EventBridge (Amazon CloudWatch Events) rule that reacts to EC2 StartInstances API calls. Configure the rule to invoke an AWS Systems Manager Automation runbook to attach the default instance profile to the EC2 instances.
D. Configure the iam-role-managed-policy-check AWS Config managed rule with a trigger type of configuration changes. Configure an automatic remediation action that invokes an AWS Lambda function to attach the default instance profile to the EC2 instances.
A company is using flaws CodeDeploy to automate software deployment. The deployment must meet these requirements: • A number of instances must be available to serve traffic during the deployment. Traffic must be balanced across those instances, and the instances must automatically heal in the event of failure. • A new fleet of instances must be launched for deploying a new revision automatically, with no manual provisioning. • Traffic must be rerouted to the new environment to half of the new instances at a time. The deployment should succeed if traffic is rerouted to at least half of the instances; otherwise, it should fail. • Before routing traffic to the new fleet of instances, the temporary files generated during the deployment process must be deleted. • At the end of a successful deployment, the original instances in the deployment group must be deleted immediately to reduce costs. How can a DevOps engineer meet these requirements?
A. Use an Application Load Balancer and an in-place deployment. Associate the Auto Scaling group with the deployment group. Use the Automatically copy Auto Scaling group option, and use CodeDeployDefault.OneAtAtime as the deployment configuration. Instruct flaws CodeDeploy to terminate the original instances in the deployment group, and use the AllowTraffic hook within appspec.yml to delete the temporary files.
B. Use an Application Load Balancer and a blue/green deployment. Associate the Auto Scaling group and Application Load Balancer target group with the deployment group. Use the Automatically copy Auto scaling group option, create a custom deployment configuration with minimum healthy hosts defined as 50%, and assign the configuration to the deployment group. Instruct flaws CodeDeploy to terminate the original instances in the deployment group, and use the BeforeBlockTraffic hook within appspec.yml to delete the temporary files.
C. Use an Application Load Balancer and a blue/green deployment. Associate the Auto Scaling group and the Application Load Balancer target group with the deployment group. Use the Automatically copy Auto Scaling group option, and use CodeDeployDefault.HalfAtAtime as the deployment configuration. Instruct flaws CodeDeploy to terminate the original instances in the deployment group, and use the BeforeAllowTraffic hook within appspec.yml to delete the temporary files.
D. Use an Application Load Balancer and an in-place deployment. Associate the Auto Scaling group and Application Load Balancer target group with the deployment group. Use the Automatically copy Auto Scaling group option, and use CodeDeployDefault.AllAtOnce as the deployment configuration. Instruct flaws CodeDeploy to terminate the original instances in the deployment group, and use the BlockTraffic hook within appspec.yml to delete the temporary files.
A company deploys updates to its Amazon API Gateway API several times a week by using an flaws CodePipeline pipeline. As part of the update process, the company exports the JavaScript SDK for the API from the API Gateway console and uploads the SDK to an Amazon S3 bucket. The company has configured an Amazon CloudFront distribution that uses the S3 bucket as an origin. Web clients then download the SDK by using the CloudFront distribution's endpoint. A DevOps engineer needs to implement a solution to make the new SDK available automatically during new API deployments. Which solution will meet these requirements?
A. Create a CodePipeline action immediately after the deployment stage of the API. Configure the action to invoke an flaws Lambda function. Configure the Lambda function to download the SDK from API Gateway, upload the SDK to the S3 bucket, and create a CloudFront invalidation for the SDK path.
B. Create a CodePipeline action immediately after the deployment stage of the API. Configure the action to use the CodePipeline integration with API Gateway to export the SDK to Amazon S3. Create another action that uses the CodePipeline integration with Amazon S3 to invalidate the cache for the SDK path.
C. Create an Amazon EventBridge (Amazon CloudWatch Events) rule that reacts to UpdateStage events from flaws.apigateway. Configure the rule to invoke an flaws Lambda function to download the SDK from API Gateway, upload the SDK to the S3 bucket, and call the CloudFront API to create an invalidation for the SDK path.
D. Create an Amazon EventBridge (Amazon CloudWatch Events) rule that reacts to CreateDeployment events from flaws.apigateway. Configure the rule to invoke an flaws Lambda function to download the SDK from API Gateway, upload the SDK to the S3 bucket, and call the S3 API to invalidate the cache for the SDK path.
A company hosts an application in North America. The application uses an Amazon Aurora PostgreSQL DB cluster. A team of analysts in Europe generates real-time reports by using the DB cluster. The analysts must have access to the most up-to-date data. A DevOps engineer discovers that the generation of reports is much slower for users in Europe than for users in North America. What should the DevOps engineer do to resolve this issue?
A. Create an Amazon DynamoDB table in Europe. Use DynamoDB Accelerator (DAX) to configure replication between the DB cluster and the DynamoDB table. Configure the users’ machines to point to the DynamoDB table in Europe.
B. Create cross-Region Aurora Replicas in North America, and activate synchronous replication. Configure the users’ machines to point to the Aurora reader endpoint in North America.
C. Create an Aurora global database. Use the existing DB cluster as the primary cluster, and add a secondary cluster in an flaws Region in Europe. Configure the users’ machines to point to the Aurora reader endpoint in Europe.
D. Use Amazon DynamoDB global tables in an flaws Region in Europe. Set up continuous replication between the DB cluster and the DynamoDB table by using flaws Database Migration Service (flaws DMS). Configure the users’ machines to point to the DynamoDB table in Europe.
A consulting company was hired to assess security vulnerabilities within a client company's application and propose a plan to remediate all identified issues. The architecture is identified as follows: Amazon S3 storage for content, an Auto Scaling group of Amazon EC2 instances behind an Elastic Load Balancer with attached Amazon EBS storage, and an Amazon RDS MySQL database. There are also several flaws Lambda functions that communicate directly with the RDS database using connection string statements in the code. The consultants identified the top security threat as follows: the application is not meeting its requirement to have encryption at rest. What solution will address this issue with the LEAST operational overhead and will provide monitoring for potential future violations?
A. Enable SSE encryption on the S3 buckets and RDS database. Enable OS-based encryption of data on EBS volumes. Configure Amazon Inspector agents on EC2 instances to report on insecure encryption ciphers. Set up flaws Config rules to periodically check for non-encrypted S3 objects.
B. Configure the application to encrypt each file prior to storing on Amazon S3. Enable OS-based encryption of data on EBS volumes. Encrypt data on write to RDS. Run cron jobs on each instance to check for unencrypted data and notify via Amazon SNS. Use S3 Events to call an flaws Lambda function and verify if the file is encrypted.
C. Enable Secure Sockets Layer (SSL) on the load balancer, ensure that flaws Lambda is using SSL to communicate to the RDS database, and enable S3 encryption. Configure the application to force SSL for incoming connections and configure RDS to only grant access if the session is encrypted. Configure Amazon Inspector agents on EC2 instances to report on insecure encryption ciphers.
D. Enable SSE encryption on the S3 buckets, EBS volumes, and the RDS database. Store RDS credentials in EC2 Parameter Store. Enable a policy on the S3 bucket to deny unencrypted puts. Set up flaws Config rules to periodically check for non-encrypted S3 objects and EBS volumes, and to ensure that RDS storage is encrypted.
A company has deployed an application in a production VPC in a single flaws account. The application is popular and is experiencing heavy usage. The company's security team wants to add additional security, such as flaws WAF, to the application deployment. However, the application's product manager is concerned about cost and does not want to approve the change unless the security team can prove that additional security is necessary. The security team believes that some of the application's demand might come from users that have IP addresses that are on a deny list. The security team provides the deny list to a DevOps engineer. If any of the IP addresses on the deny list access the application, the security team wants to receive automated notification in near real time so that the security team can document that the application needs additional security. The DevOps engineer creates a VPC flow log for the production VPC. Which set of additional steps should the DevOps engineer take to meet these requirements MOST cost-effectively?
A. Create a log group in Amazon CloudWatch Logs. Configure the VPC flow log to capture accepted traffic and to send the data to the log group. Create an Amazon CloudWatch metric filter for IP addresses on the deny list. Create a CloudWatch alarm with the metric filter as input. Set the period to 5 minutes and the datapoints to alarm to 1. Use an Amazon Simple Notification Service (Amazon SNS) topic to send alarm notices to the security team.
B. Create an Amazon S3 bucket for log files. Configure the VPC flow log to capture all traffic and to send the data to the S3 bucket. Configure Amazon Athena to return all log files in the S3 bucket for IP addresses on the deny list. Configure Amazon QuickSight to accept data from Athena and to publish the data as a dashboard that the security team can access. Create a threshold alert of 1 for successful access. Configure the alert to automatically notify the security team as frequently as possible when the alert threshold is met.
C. Create an Amazon S3 bucket for log files. Configure the VPC flow log to capture accepted traffic and to send the data to the S3 bucket. Configure an Amazon OpenSearch Service cluster and domain for the log files. Create an flaws Lambda function to retrieve the logs from the S3 bucket, format the logs, and load the logs into the OpenSearch Service cluster. Schedule the Lambda function to run every 5 minutes. Configure an alert and condition in OpenSearch Service to send alerts to the security team through an Amazon Simple Notification Service (Amazon SNS) topic when access from the IP addresses on the deny list is detected.
D. Create a log group in Amazon CloudWatch Logs. Create an Amazon S3 bucket to hold query results. Configure the VPC flow log to capture all traffic and to send the data to the log group. Deploy an Amazon Athena CloudWatch connector in flaws Lambda. Connect the connector to the log group. Configure Athena to periodically query for all accepted traffic from the IP addresses on the deny list and to store the results in the S3 bucket. Configure an S3 event notification to automatically notify the security team through an Amazon Simple Notification Service (Amazon SNS) topic when new objects are added to the S3 bucket.
A company has an application that runs on 12 Amazon EC2 instances. The instances run in an Amazon EC2 Auto Scaling group across three Availability Zones. On a typical day each EC2 instance has 30% CPU utilization during business hours and 10% CPU utilization after business hours. The CPU utilization increases suddenly in the first few minutes of business hours each day. Other increases in CPU utilization are gradual. A DevOps engineer needs to optimize costs while maintaining or improving the application's reliability. Which solution meets these requirements?
A. Configure a target tracking scaling policy that is based on the Auto Scaling group’s average CPU utilization, and set a target of 75%. Create a scheduled action for the Auto Scaling group to adjust the desired capacity to six instances just before business hours begin.
B. Configure the Auto Scaling group with two scheduled actions for Amazon EC2 Auto Scaling. Configure one action to start nine EC2 instances at the start of business hours. Configure the other action to stop nine instances at the end of business hours.
C. Change to an flaws Application Auto Scaling group. Configure a target tracking scaling policy that is based on the Auto Scaling group’s average CPU utilization, and set a target of 75%. Create a scheduled action for the Auto Scaling group to adjust the minimum number of instances to three instances at the end of business hours and to reset the number to six instances before business hours begin.
D. Change to an flaws Application Auto Scaling group. Configure a target tracking scaling policy that is based on the Auto Scaling group’s average CPU utilization, and set a target of 75%. Create a scheduled action to terminate nine instances each evening at the end of business hours.
A company has multiple flaws accounts. The company uses flaws Single Sign-On (flaws SSO) that is integrated with flaws Toolkit for Microsoft Azure DevOps. The attributes for access control feature is enabled in flaws SSO. The attribute mapping list contains two entries. The department key is mapped to ${path:enterprise.department}. The costCenter key is mapped to ${path:enterprise.costCenter}. All existing Amazon EC2 instances have a department tag that corresponds to three company departments (d1, d2, d3). A DevOps engineer must create policies based on the matching attributes. The policies must minimize administrative effort and must grant each Azure AD user access to only the EC2 instances that are tagged with the user's respective department name. Which condition key should the DevOps engineer include in the custom permissions policies to meet these requirements?
A company has multiple child accounts that are part of an organization in flaws Organizations. The security team needs to review every Amazon EC2 security group and their inbound and outbound rules. The security team wants to programmatically retrieve this information from the child accounts using an flaws Lambda function in the management account of the organization. Which combination of access changes will meet these requirements? (Choose three.)
A. Create a trust relationship that allows users in the child accounts to assume the management account IAM role.
B. Create a trust relationship that allows users in the management account to assume the IAM roles of the child accounts.
C. Create an IAM role in each child account that has access to the AmazonEC2ReadOnlyAccess managed policy.
D. Create an IAM role in each child account to allow the sts:AssumeRole action against the management account IAM role’s ARN.
E. Create an IAM role in the management account that allows the sts:AssumeRole action against the child account IAM role’s ARN.
F. Create an IAM role in the management account that has access to the AmazonEC2ReadOnlyAccess managed policy.
A security review has identified that an flaws CodeBuild project is downloading a database population script from an Amazon S3 bucket using an unauthenticated request. The security team does not allow unauthenticated requests to S3 buckets for this project. How can this issue be corrected in the MOST secure manner?
A. Add the bucket name to the AllowedBuckets section of the CodeBuild project settings. Update the build spec to use the flaws CLI to download the database population script.
B. Modify the S3 bucket settings to enable HTTPS basic authentication and specify a token. Update the build spec to use cURL to pass the token and download the database population script.
C. Remove unauthenticated access from the S3 bucket with a bucket policy. Modify the service role for the CodeBuild project to include Amazon S3 access. Use the flaws CLI to download the database population script.
D. Remove unauthenticated access from the S3 bucket with a bucket policy. Use the flaws CLI to download the database population script using an IAM access key and a secret access key.
A company has a single flaws account where active development occurs. The company's security team has implemented Amazon GuardDuty, flaws Config, and flaws CloudTrail within the account. The security team wants to receive notifications in near real time for only high-severity findings from GuardDuty. The security team uses an Amazon Simple Notification Service (Amazon SNS) topic for notifications from other security tools in the account. How can a DevOps engineer meet these requirements?
A. Configure an Amazon EventBridge (Amazon CloudWatch Events) rule that detects GuardDuty findings. Use an input transformer to detect high-severity event patterns. Configure the rule to publish a message to the SNS topic.
B. Configure an Amazon EventBridge (Amazon CloudWatch Events) rule that detects noncompliance with the guardduty-non-archived-findings flaws Config managed rule for high-severity GuardDuty findings. Configure the EventBridge (CloudWatch Events) rule to publish a message to the SNS topic.
C. Configure an Amazon EventBridge (Amazon CloudWatch Events) rule with an event pattern that matches GuardDuty ListFindings API calls with a high severity level. Configure the rule to publish a message to the SNS topic.
D. Configure an Amazon EventBridge (Amazon CloudWatch Events) rule with an event pattern that matches GuardDuty findings that have a high severity level within the event. Configure the rule to publish a message to the SNS topic.
A company runs an application on Amazon EC2 instances. The company uses a series of flaws CloudFormation stacks to define the application resources. A developer performs updates by building and testing the application on a laptop and then uploading the build output and CloudFormation stack templates to Amazon S3. The developer’s peers review the changes before the developer performs the CloudFormation stack update and installs a new version of the application onto the EC2 instances. The deployment process is prone to errors and is time-consuming when the developer updates each EC2 instance with the new application. The company wants to automate as much of the application deployment process as possible while retaining a final manual approval step before the modification of the application or resources. The company already has moved the source code for the application and the CloudFormation templates to flaws CodeCommit. The company also has created an flaws CodeBuild project to build and test the application. Which combination of steps will meet the company's requirements? (Choose two.)
A. Create an application group and a deployment group in flaws CodeDeploy. Install the CodeDeploy agent on the EC2 instances.
B. Create an application revision and a deployment group in flaws CodeDeploy. Create an environment in CodeDeploy. Register the EC2 instances to the CodeDeploy environment.
C. Use flaws CodePipeline to invoke the CodeBuild job, run the CloudFormation update, and pause for a manual approval step. After approval, start the flaws CodeDeploy deployment.
D. Use flaws CodePipeline to invoke the CodeBuild job, create CloudFormation change sets for each of the application stacks, and pause for a manual approval step. After approval, run the CloudFormation change sets and start the flaws CodeDeploy deployment.
E. Use flaws CodePipeline to invoke the CodeBuild job, create CloudFormation change sets for each of the application stacks, and pause for a manual approval step. After approval, start the flaws CodeDeploy deployment.
A DevOps engineer wants to implement an automated response that will occur if flaws Trusted Advisor detects an IAM access key in a public source code repository. The automated response must delete the exposed access key and must notify the security team. Which solution will meet these requirements?
A. Create an flaws Lambda function to delete the IAM access key. Configure flaws CloudTrail logs to stream to Amazon CloudWatch Logs. Create a CloudWatch Logs metric filter for the AWS_RISK_CREDENTIALS_EXPOSED event with two actions. First, run the Lambda function. Second, use Amazon Simple Notification Service (Amazon SNS) to send a notification to the security team.
B. Create an flaws Lambda function to delete the IAM access key. Create an flaws Config rule for changes to “flaws.trustedadvisor” and the “Exposed Access Keys” status with two actions. First, run the Lambda function. Second, use Amazon Simple Notification Service (Amazon SNS) to send a notification to the security team.
C. Create an flaws Lambda function that deletes the IAM access key and then uses Amazon Simple Notification Service (Amazon SNS) to notify the security team. Create an flaws Personal Health Dashboard rule for the AWS_RISK_CREDENTIALS_EXPOSED event. Set the target of the Personal Health Dashboard rule to the ARN of the Lambda function.
D. Create an flaws Lambda function that deletes the IAM access key. Create an Amazon EventBridge (Amazon CloudWatch Events) rule with an “flaws.trustedadvisor” event source and the “Exposed Access Keys” status. Set the EventBridge (CloudWatch Events) rule to target the Lambda function and an Amazon Simple Notification Service (Amazon SNS) topic that notifies the security team.
A company wants to use flaws CloudFormation for infrastructure deployment. The company has strict tagging and resource requirements and wants to limit the deployment to two Regions. Developers will need to deploy multiple versions of the same application. Which solution ensures resources are deployed in accordance with company policy?
A. Create flaws Trusted Advisor checks to find and remediate unapproved CloudFormation StackSets.
B. Create a CloudFormation drift detection operation to find and remediate unapproved CloudFormation StackSets.
C. Create CloudFormation StackSets with approved CloudFormation templates.
D. Create flaws Service Catalog products with approved CloudFormation templates.
A DevOps engineer is developing an application for a company. The application needs to persist files to Amazon S3. The application needs to upload files with different security classifications that the company defines. These classifications include confidential, private, and public. Files that have a confidential classification must not be viewable by anyone other than the user who uploaded them. The application uses the IAM role of the user to call the S3 API operations. The DevOps engineer has modified the application to add a DataClassification tag with the value of confidential and an Owner tag with the uploading user's ID to each confidential object that is uploaded to Amazon S3. Which set of additional steps must the DevOps engineer take to meet the company's requirements?
A. Modify the S3 bucket’s ACL to grant bucket-owner-read access to the uploading user’s IAM role. Create an IAM policy that grants s3:GetObject operations on the S3 bucket when flaws:ResourceTag/DataClassification equals confidential, and s3:ExistingObjectTag/Owner equals ${flaws:userid}. Attach the policy to the IAM roles for users who require access to the S3 bucket.
B. Modify the S3 bucket policy to allow the s3:GetObject action when flaws:ResourceTag/DataClassification equals confidential, and s3:ExistingObjectTag/Owner equals ${flaws:userid}. Create an IAM policy that grants s3:GetObject operations on the S3 bucket. Attach the policy to the IAM roles for users who require access to the S3 bucket.
C. Modify the S3 bucket policy to allow the s3:GetObject action when flaws:ResourceTag/DataClassification equals confidential, and flaws:RequestTag/Owner equals ${flaws:userid}. Create an IAM policy that grants s3:GetObject operations on the S3 bucket. Attach the policy to the IAM roles for users who require access to the S3 bucket.
D. Modify the S3 bucket’s ACL to grant authenticated-read access when flaws:ResourceTag/DataClassification equals confidential, and s3:ExistingObjectTag/Owner equals ${flaws:userid}. Create an IAM policy that grants s3:GetObject operations on the S3 bucket. Attach the policy to the IAM roles for users who require access to the S3 bucket.
A company is running an application on Amazon EC2 instances. A DevOps engineer needs to aggregate the application logs to a central system for the company's application team to search. A critical error message periodically appears in the log files. The DevOps engineer needs to notify the application team by email when these error messages occur. Which solution will meet these requirements in the MOST operationally efficient manner?
A. Configure the unified Amazon CloudWatch agent on the EC2 instances to publish the application log files to a CloudWatch log group. Configure a metric filter on the CloudWatch log group to detect the critical errors and to create a custom metric. Create an Amazon Simple Notification Service (Amazon SNS) topic. Configure a CloudWatch alarm to use the custom metric to notify the SNS topic. Subscribe the application team’s email address to the SNS topic.
B. Install the Amazon Kinesis agent on the EC2 instances. Configure the Kinesis agent with the location of the log files. Stream the logs to a Kinesis Data Firehose delivery stream with an Amazon CloudWatch metrics stream as a destination. Configure an flaws Lambda function to detect the error message and to create a custom metric. Associate the Lambda function with the stream. Create an Amazon Simple Notification Service (Amazon SNS) topic. Configure a CloudWatch alarm to use the custom metric to notify the SNS topic. Subscribe the application team’s email address to the SNS topic.
C. Install the flaws X-Ray daemon on the EC2 instances. Instrument the application with the flaws Distro for OpenTelemetry (ADOT). Configure the ADOT collector with the location of the custom log files and the name of an Amazon CloudWatch log group. Use the CloudWatch embedded metric format to generate a custom metric that is based on the error message. Create an Amazon Simple Notification Service (Amazon SNS) topic. Configure a CloudWatch alarm to use the custom metric to notify the SNS topic. Subscribe the application team’s email address to the SNS topic.
D. Configure the unified Amazon CloudWatch agent on the EC2 instances to publish the application log files to a CloudWatch log group. Create an Amazon OpenSearch Service domain. Subscribe the CloudWatch log group to the OpenSearch Service domain. Create an Amazon Simple Notification Service (Amazon SNS) topic. Configure an OpenSearch Service alert monitor to notify the SNS topic. Subscribe the application team’s email address to the SNS topic.
A DevOps engineer is troubleshooting deployments to a new application that runs on Amazon EC2 instances behind an Application Load Balancer. The instances run in an EC2 Auto Scaling group across multiple Availability Zones. Instances sometimes come online before they are ready, which is leading to increased error rates among users. The current health check configuration gives instances a 60-second grace period and considers instances healthy after two 200 response codes from /index.php, a page that may respond intermittently during the deployment process. The development team wants instances to come online as soon as possible. Which strategy would address this issue?
A. Increase the instance grace period from 60 seconds to 180 seconds, and the consecutive health check requirement from 2 to 3.
B. Increase the instance grace period from 60 seconds to 120 seconds, and change the response code requirement from 200 to 204.
C. Modify the deployment script to create a /health-check.php file when the deployment begins, then modify the health check path to point to that file.
D. Modify the deployment script to create a /health-check.php file when all tasks are complete, then modify the health check path to point to that file.
During the next CodePipeline run, the pipeline exits with a FAILED state during the build stage. The DevOps engineer verifies that the correct Systems Manager parameter path is in place for the environment variable values that were changed. The DevOps engineer also validates that the environment variable type is Parameter. Why did the pipeline fail?
A. The CodePipeline IAM service role does not have the required IAM permissions to use Parameter Store.
B. The CodePipeline IAM service role does not have the required IAM permissions to use the flaws/ssm KMS key.
C. The CodeBuild IAM service role does not have the required IAM permissions to use Parameter Store.
D. The CodeBuild IAM service role does not have the required IAM permissions to use the flaws/ssm KMS key.
A large company has acquired a small company. The large company has an organization in flaws Organizations. The large company needs to integrate the small company’s single flaws account into the organization with minimal impact to the applications that are deployed in the small company's account. The large company has deployed flaws Control Tower in its organization and wants to enroll the small company’s account in flaws Control Tower. The large company’s flaws Control Tower configuration includes a security OU, a sandbox OU, and a new destination OU that is set up for the small company's migration. Each company is using flaws Config as part of its account management strategy. Which combination of steps should a DevOps engineer take to meet these requirements? (Choose two.)
A. Create a landing zone in the security OU of the large company’s flaws Control Tower landing zone. Provide the account’s email address, the account owner’s first and last name, and the name of the landing zone created in the security OU to complete the flaws Control Tower Account Factory enrollment request.
B. Create and apply SCPs in the destination OU to restrict the types of resources that can be created in the small company’s account. Assess the impact of the applied SCPs on the small company’s account. Delete existing SCPs in the small company’s account.
C. Create an flaws Config conformance pack that contains the policies that are currently applied to the large company’s account. Use flaws Config to assess the impact that enrollment in flaws Control Tower will have on the small company’s account. Delete the configuration recorder and delivery channels from the flaws Config settings of the small company’s account.
D. Enroll the OU of the small company’s account in the large company’s flaws Control Tower environment. Specify the destination OU in the large company’s flaws Control Tower landing zone as the receiving OU in the request.
E. Create an AWSControlTowerExecution role in the small company’s account. Provide the account’s email address, the account owner’s first and last name, and the destination OU to complete the flaws Control Tower Account Factory enrollment request.
A company uses flaws CodePipeline pipelines to automate releases of its application. A typical pipeline consists of three stages: build, test, and deployment. The company has been using a separate flaws CodeBuild project to run scripts for each stage. However, the company now wants to use flaws CodeDeploy to handle the deployment stage of the pipelines. The company has packaged the application as an RPM package and must deploy the application to a fleet of Amazon EC2 instances. The EC2 instances are in an EC2 Auto Scaling group and are launched from a common AMI. Which combination of steps should a DevOps engineer perform to meet these requirements? (Choose two.)
A. Create a new version of the common AMI with the CodeDeploy agent installed. Update the IAM role of the EC2 instances to allow access to CodeDeploy.
B. Create a new version of the common AMI with the CodeDeploy agent installed. Create an AppSpec file that contains application deployment scripts and grants access to CodeDeploy.
C. Create an application in CodeDeploy. Configure an in-place deployment type. Specify the Auto Scaling group as the deployment target. Add a step to the CodePipeline pipeline to use EC2 Image Builder to create a new AMI. Configure CodeDeploy to deploy the newly created AMI.
D. Create an application in CodeDeploy. Configure an in-place deployment type. Specify the Auto Scaling group as the deployment target. Update the CodePipeline pipeline to use the CodeDeploy action to deploy the application.
E. Create an application in CodeDeploy. Configure an in-place deployment type. Specify the EC2 instances that are launched from the common AMI as the deployment target. Update the CodePipeline pipeline to use the CodeDeploy action to deploy the application.
A company is developing a web application's infrastructure using flaws CloudFormation. The database engineering team maintains the database resources in a CloudFormation template, and the software development team maintains the web application resources in a separate CloudFormation template. As the scope of the application grows, the software development team needs to use resources maintained by the database engineering team. However, both teams have their own review and lifecycle management processes that they want to keep. Both teams also require resource-level change-set reviews. The software development team would like to deploy changes to this template using their CI/CD pipeline. Which solution will meet these requirements?
A. Create a stack export from the database CloudFormation template and import those references into the web application CloudFormation template.
B. Create a CloudFormation nested stack to make cross-stack resource references and parameters available in both stacks.
C. Create a CloudFormation stack set to make cross-stack resource references and parameters available in both stacks.
D. Create input parameters in the web application CloudFormation template and pass resource names and IDs from the database stack.
A DevOps engineer has automated a web service deployment by using flaws CodePipeline with the following steps:
1. An flaws CodeBuild project compiles the deployment artifact and runs unit tests.
2. An flaws CodeDeploy deployment group deploys the web service to Amazon EC2 instances in the staging environment.
3. A CodeDeploy deployment group deploys the web service to EC2 instances in the production environment.
The quality assurance (QA) team requests permission to inspect the build artifact before the deployment to the production environment occurs. The QA team wants to run an internal penetration testing tool to conduct manual tests. The tool will be invoked by a REST API call. Which combination of actions should the DevOps engineer take to fulfill this request? (Choose two.)
A. Insert a manual approval action between the test actions and deployment actions of the pipeline.
B. Modify the buildspec.yml file for the compilation stage to require manual approval before completion.
C. Update the CodeDeploy deployment groups so that they require manual approval to proceed.
D. Update the pipeline to directly call the REST API for the penetration testing tool.
E. Update the pipeline to invoke a Lambda function that calls the REST API for the penetration testing tool.
A company recently launched an application that is more popular than expected. The company wants to ensure the application can scale to meet increasing demands and provide reliability using multiple Availability Zones (AZs). The application runs on a fleet of Amazon EC2 instances behind an Application Load Balancer (ALB). A DevOps engineer has created an Auto Scaling group across multiple AZs for the application. Instances launched in the newly added AZs are not receiving any traffic for the application. What is likely causing this issue?
A. Auto Scaling groups can create new instances in a single AZ only.
B. The EC2 instances have not been manually associated to the ALB.
C. The ALB should be replaced with a Network Load Balancer (NLB).
D. The new AZ has not been added to the ALB.
A company has provided an externally hosted third-party vendor product with access to the company's flaws account. The vendor product performs various flaws actions in the flaws account and requires various IAM permissions. The company granted the access by creating an IAM user, associating IAM policies and inserting the IAM user credentials into the vendor product. A security review reveals that the vendor’s access is overly permissive. The company wants to apply the principle of least privilege and wants to continue giving the vendor permissions to perform only the actions that the vendor has performed in the last 6 months. Which solution will meet these requirements with the LEAST effort?
A. Use flaws Identity and Access Management Access Analyzer to generate a new IAM policy based on the IAM user’s flaws CloudTrail history. Replace the IAM user policy with the newly generated policy.
B. Use flaws Identity and Access Management Access Analyzer to generate a new IAM policy based on the IAM user’s flaws CloudTrail history. Attach the newly generated policy as a permissions boundary to the IAM user.
C. Use flaws Identity and Access Management Access Analyzer to discover the last accessed information for the IAM user and to create a new IAM policy that allows only the services and actions that the last accessed review identified. Replace the IAM user policy with the newly generated policy.
D. Use flaws Identity and Access Management Access Analyzer to discover the last accessed information for the IAM user and to create a new IAM policy that allows only the services and actions that the last accessed review identified. Attach the newly generated policy as a permissions boundary to the IAM user.
A DevOps engineer wants to implement an automated response that will occur if flaws Trusted Advisor detects an IAM access key in a public source code repository. The automated response must delete the exposed access key and must notify the security team. Which solution will meet these requirements?
A. Create an flaws Lambda function to delete the IAM access key. Configure flaws CloudTrail logs to stream to Amazon CloudWatch Logs. Create a CloudWatch Logs metric filter for the AWS_RISK_CREDENTIALS_EXPOSED event with two actions. First, run the Lambda function. Second, use Amazon Simple Notification Service (Amazon SNS) to send a notification to the security team.
B. Create an flaws Lambda function to delete the IAM access key. Create an flaws Config rule for changes to “flaws.trustedadvisor” and the “Exposed Access Keys” status with two actions. First, run the Lambda function. Second, use Amazon Simple Notification Service (Amazon SNS) to send a notification to the security team.
C. Create an flaws Lambda function that deletes the IAM access key and then uses Amazon Simple Notification Service (Amazon SNS) to notify the security team. Create an flaws Personal Health Dashboard rule for the AWS_RISK_CREDENTIALS_EXPOSED event. Set the target of the Personal Health Dashboard rule to the ARN of the Lambda function.
D. Create an flaws Lambda function that deletes the IAM access key. Create an Amazon EventBridge (Amazon CloudWatch Events) rule with an “flaws.trustedadvisor” event source and the “Exposed Access Keys” status. Set the EventBridge (CloudWatch Events) rule to target the Lambda function and an Amazon Simple Notification Service (Amazon SNS) topic that notifies the security team.
A DevOps engineer is planning to deploy a Ruby-based application to production. The application needs to interact with an Amazon RDS for MySQL database and should have automatic scaling and high availability. The stored data in the database is critical and should persist regardless of the state of the application stack. The DevOps engineer needs to set up an automated deployment strategy for the application with automatic rollbacks. The solution also must alert the application team when a deployment fails. Which combination of steps will meet these requirements? (Choose three.)
A. Deploy the application on flaws Elastic Beanstalk. Deploy an Amazon RDS for MySQL DB instance as part of the Elastic Beanstalk configuration.
B. Deploy the application on flaws Elastic Beanstalk. Deploy a separate Amazon RDS for MySQL DB instance outside of Elastic Beanstalk.
C. Configure a notification email address that alerts the application team in the flaws Elastic Beanstalk configuration.
D. Configure an Amazon EventBridge (Amazon CloudWatch Events) rule to monitor flaws Health events. Use an Amazon Simple Notification Service (Amazon SNS) topic as a target to alert the application team.
E. Use the immutable deployment method to deploy new application versions.
F. Use the rolling deployment method to deploy new application versions.
A development team is building an ecommerce application and is using Amazon Simple Notification Service (Amazon SNS) to send order messages to multiple endpoints. One of the endpoints is an external HTTP endpoint that is not always available. The development team needs to receive a notification if an order message is not delivered to the HTTP endpoint. What should a DevOps engineer do to meet these requirements?
A. Create an Amazon Simple Queue Service (Amazon SQS) queue. On the SNS topic, configure a redrive policy that sends undelivered messages to the SQS queue. Create an Amazon CloudWatch alarm for the new SQS queue to notify the development team when messages are delivered to the queue.
B. Create an Amazon Simple Queue Service (Amazon SQS) queue. On the HTTP endpoint subscription of the SNS topic, configure a redrive policy that sends undelivered messages to the SQS queue. Create an Amazon CloudWatch alarm for the new SQS queue to notify the development team when messages are delivered to the queue.
C. On the SNS topic, configure an HTTPS delivery policy that will retry delivery until the order message is delivered successfully. Configure the backoffFunction parameter in the policy to notify the development team when a message cannot be delivered within the set constraints.
D. On the HTTP endpoint subscription of the SNS topic, configure an HTTPS delivery policy that will retry delivery until the order message is delivered successfully. Configure the backoffFunction parameter in the policy to notify the development team when a message cannot be delivered within the set constraints.
A company has a data ingestion application that runs across multiple flaws accounts. The accounts are in an organization in flaws Organizations. The company needs to monitor the application and consolidate access to the application. Currently, the company is running the application on Amazon EC2 instances from several Auto Scaling groups. The EC2 instances have no access to the internet because the data is sensitive. Engineers have deployed the necessary VPC endpoints. The EC2 instances run a custom AMI that is built specifically for the application. To maintain and troubleshoot the application, system administrators need the ability to log in to the EC2 instances. This access must be automated and controlled centrally. The company's security team must receive a notification whenever the instances are accessed. Which solution will meet these requirements?
A. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to send notifications to the security team whenever a user logs in to an EC2 instance. Use EC2 Instance Connect to log in to the instances. Deploy Auto Scaling groups by using flaws CloudFormation. Use the cfn-init helper script to deploy appropriate VPC routes for external access. Rebuild the custom AMI so that the custom AMI includes flaws Systems Manager Agent.
B. Deploy a NAT gateway and a bastion host that has internet access. Create a security group that allows incoming traffic on all the EC2 instances from the bastion host. Install flaws Systems Manager Agent on all the EC2 instances. Use Auto Scaling group lifecycle hooks for monitoring and auditing access. Use Systems Manager Session Manager to log in to the instances. Send logs to a log group in Amazon CloudWatch Logs. Export data to Amazon S3 for auditing. Send notifications to the security team by using S3 event notifications.
C. Use EC2 Image Builder to rebuild the custom AMI. Include the most recent version of flaws Systems Manager Agent in the image. Configure the Auto Scaling group to attach the AmazonSSMManagedInstanceCore role to all the EC2 instances. Use Systems Manager Session Manager to log in to the instances. Enable logging of session details to Amazon S3. Create an S3 notification for new file uploads to send a message to the security team through an Amazon Simple Notification Service (Amazon SNS) topic.
D. Use flaws Systems Manager Automation to build Systems Manager Agent into the custom AMI. Configure flaws Config to attach an SCP to the root organization account to allow the EC2 instances to connect to Systems Manager. Use Systems Manager Session Manager to log in to the instances. Enable logging of session details to Amazon S3. Create an S3 notification for new file uploads to send a message to the security team through an Amazon Simple Notification Service (Amazon SNS) topic.
A company updated the flaws CloudFormation template for a critical business application. The stack update process failed due to an error in the updated template, and flaws CloudFormation automatically began the stack rollback process. Later, a DevOps engineer discovered that the application was still unavailable and that the stack was in the UPDATE_ROLLBACK_FAILED state. Which combination of actions should the DevOps engineer perform so that the stack rollback can complete successfully? (Choose two.)
A. Attach the AWSCloudFormationFullAccess IAM policy to the flaws CloudFormation role.
B. Automatically recover the stack resources by using flaws CloudFormation drift detection.
C. Issue a ContinueUpdateRollback command from the flaws CloudFormation console or the flaws CLI.
D. Manually adjust the resources to match the expectations of the stack.
E. Update the existing flaws CloudFormation stack by using the original template.
A DevOps engineer at a company is supporting an flaws environment in which all users use flaws IAM Identity Center (flaws Single Sign-On). The company wants to immediately disable credentials of any new IAM user and wants the security team to receive a notification. Which combination of steps should the DevOps engineer take to meet these requirements? (Choose three.)
A. Create an Amazon EventBridge rule that reacts to an IAM CreateUser API call in flaws CloudTrail.
B. Create an Amazon EventBridge rule that reacts to an IAM GetLoginProfile API call in flaws CloudTrail.
C. Create an flaws Lambda function that is a target of the EventBridge rule. Configure the Lambda function to disable any access keys and delete the login profiles that are associated with the IAM user.
D. Create an flaws Lambda function that is a target of the EventBridge rule. Configure the Lambda function to delete the login profiles that are associated with the IAM user.
E. Create an Amazon Simple Notification Service (Amazon SNS) topic that is a target of the EventBridge rule. Subscribe the security team’s group email address to the topic.
F. Create an Amazon Simple Queue Service (Amazon SQS) queue that is a target of the Lambda function. Subscribe the security team’s group email address to the queue.