DOP-C01 Practice Exam Free

DOP-C01 Practice Exam Free – 50 Questions to Simulate the Real Exam

Are you getting ready for the DOP-C01 certification? Take your preparation to the next level with our DOP-C01 Practice Exam Free – a carefully designed set of 50 realistic exam-style questions to help you evaluate your knowledge and boost your confidence.

Using a DOP-C01 practice exam free is one of the best ways to:

  • Experience the format and difficulty of the real exam
  • Identify your strengths and focus on weak areas
  • Improve your test-taking speed and accuracy

Below, you will find 50 realistic DOP-C01 practice exam free questions covering key exam topics. Each question reflects the structure and challenge of the actual exam.

Question 1

An application team has three environments for their application: development, pre-production, and production. The team recently adopted AWS CodePipeline. However, the team has had several deployments of misconfigured or nonfunctional development code into the production environment, resulting in user disruption and downtime. The DevOps engineer must review the pipeline and add steps to identify problems with the application before it is deployed.
What should the engineer do to identify functional issues during the deployment process? (Choose two.)

A. Use Amazon Inspector to add a test action to the pipeline. Use the Amazon Inspector Runtime Behavior Analysis Inspector rules package to check that the deployed code complies with company security standards before deploying it to production.

B. Use AWS CodeBuild to add a test action to the pipeline to replicate common user activities and ensure that the results are as expected before progressing to production deployment.

C. Create an AWS CodeDeploy action in the pipeline with a deployment configuration that automatically deploys the application code to a limited number of instances. The action then pauses the deployment so that the QA team can review the application functionality. When the review is complete, CodeDeploy resumes and deploys the application to the remaining production Amazon EC2 instances.

D. After the deployment process is complete, run a testing activity on an Amazon EC2 instance in a different region that accesses the application to simulate user behavior. If unexpected results occur, the testing activity sends a warning to an Amazon SNS topic. Subscribe to the topic to get updates.

E. Add an AWS CodeDeploy action in the pipeline to deploy the latest version of the development code to pre-production. Add a manual approval action in the pipeline so that the QA team can test and confirm the expected functionality. After the manual approval action, add a second CodeDeploy action that deploys the approved code to the production environment.

 


Correct Answer: AC

Question 2

A company uses AWS CodeCommit for source code control. Developers apply their changes to various feature branches and create pull requests to move those changes to the main branch when the changes are ready for production.
The developers should not be able to push changes directly to the main branch. The company applied the AWSCodeCommitPowerUser managed policy to the developers' IAM role, and now these developers can push changes to the main branch directly on every repository in the AWS account.
What should the company do to restrict the developers' ability to push changes to the main branch directly?

A. Create an additional policy to include a Deny rule for the GitPush and PutFile actions. Include a restriction for the specific repositories in the policy statement with a condition that references the main branch.

B. Remove the IAM policy, and add an AWSCodeCommitReadOnly managed policy. Add an Allow rule for the GitPush and PutFile actions for the specific repositories in the policy statement with a condition that references the main branch.

C. Modify the IAM policy. Include a Deny rule for the GitPush and PutFile actions for the specific repositories in the policy statement with a condition that references the main branch.

D. Create an additional policy to include an Allow rule for the GitPush and PutFile actions. Include a restriction for the specific repositories in the policy statement with a condition that references the feature branches.

 


Correct Answer: B

Question 3

The security team depends on AWS CloudTrail to detect sensitive security issues in the company's AWS account. The DevOps engineer needs a solution to auto-remediate CloudTrail being turned off in an AWS account.
What solution ensures the LEAST amount of downtime for the CloudTrail log deliveries?

A. Create an Amazon EventBridge (Amazon CloudWatch Events) rule for the CloudTrail StopLogging event. Create an AWS Lambda function that uses the AWS SDK to call StartLogging on the ARN of the resource in which StopLogging was called. Add the Lambda function ARN as a target to the EventBridge (CloudWatch Events) rule.

B. Deploy the AWS-managed CloudTrail-enabled AWS Config rule, set with a periodic interval of 1 hour. Create an Amazon EventBridge (Amazon CloudWatch Events) rule for AWS Config rules compliance change. Create an AWS Lambda function that uses the AWS SDK to call StartLogging on the ARN of the resource in which StopLogging was called. Add the Lambda function ARN as a target to the EventBridge (CloudWatch Events) rule.

C. Create an Amazon EventBridge (Amazon CloudWatch Events) rule for a scheduled event every 5 minutes. Create an AWS Lambda function that uses the AWS SDK to call StartLogging on a CloudTrail trail in the AWS account. Add the Lambda function ARN as a target to the EventBridge (CloudWatch Events) rule.

D. Launch a t2.nano instance with a script running every 5 minutes that uses the AWS SDK to query CloudTrail in the current account. If the CloudTrail trail is disabled, have the script re-enable the trail.

 


Correct Answer: A

Question 4

A company runs applications in AWS accounts that are in an organization in AWS Organizations. The applications use Amazon EC2 instances and Amazon S3.
The company wants to detect potentially compromised EC2 instances, suspicious network activity, and unusual API activity in its existing AWS accounts and in any AWS accounts that the company creates in the future. When the company detects one of these events, the company wants to use an existing Amazon Simple Notification Service (Amazon SNS) topic to send a notification to its operational support team for investigation and remediation.
Which solution will meet these requirements in accordance with AWS best practices?

A. In the organization’s management account, configure an AWS account as the Amazon GuardDuty administrator account. In the GuardDuty administrator account, add the company’s existing AWS accounts to GuardDuty as members. In the GuardDuty administrator account, create an Amazon EventBridge (Amazon CloudWatch Events) rule with an event pattern to match GuardDuty events and to forward matching events to the SNS topic.

B. In the organization’s management account, configure Amazon GuardDuty to add newly created AWS accounts by invitation and to send invitations to the existing AWS accounts. Create an AWS CloudFormation stack set that accepts the GuardDuty invitation and creates an Amazon EventBridge (Amazon CloudWatch Events) rule. Configure the rule with an event pattern to match GuardDuty events and to forward matching events to the SNS topic. Configure the CloudFormation stack set to deploy into all AWS accounts in the organization.

C. In the organization’s management account, create an AWS CloudTrail organization trail. Activate the organization trail in all AWS accounts in the organization. Create an SCP that enables VPC Flow Logs in each account in the organization. Configure AWS Security Hub for the organization. Create an Amazon EventBridge (Amazon CloudWatch Events) rule with an event pattern to match Security Hub events and to forward matching events to the SNS topic.

D. In the organization’s management account, configure an AWS account as the AWS CloudTrail administrator account. In the CloudTrail administrator account, create a CloudTrail organization trail. Add the company’s existing AWS accounts to the organization trail. Create an SCP that enables VPC Flow Logs in each account in the organization. Configure AWS Security Hub for the organization. Create an Amazon EventBridge (Amazon CloudWatch Events) rule with an event pattern to match Security Hub events and to forward matching events to the SNS topic.

 


Correct Answer: B

Question 5

A company has a single developer writing code for an automated deployment pipeline. The developer is storing source code in an Amazon S3 bucket for each project. The company wants to add more developers to the team but is concerned about code conflicts and lost work. The company also wants to build a test environment to deploy newer versions of code for testing and allow developers to automatically deploy to both environments when code is changed in the repository.
What is the MOST efficient way to meet these requirements?

A. Create an AWS CodeCommit repository for each project, use the main branch for production code, and create a testing branch for code deployed to testing. Use feature branches to develop new features and pull requests to merge code to testing and main branches.

B. Create another S3 bucket for each project for testing code, and use an AWS Lambda function to promote code changes between testing and production buckets. Enable versioning on all buckets to prevent code conflicts.

C. Create an AWS CodeCommit repository for each project, and use the main branch for production and test code with different deployment pipelines for each environment. Use feature branches to develop new features.

D. Enable versioning and branching on each S3 bucket, use the main branch for production code, and create a testing branch for code deployed to testing. Have developers use each branch for developing in each environment.

 


Correct Answer: A

Question 6

A company is using an organization in AWS Organizations to manage multiple AWS accounts. The company's development team wants to use AWS Lambda functions to meet resiliency requirements and is rewriting all applications to work with Lambda functions that are deployed in a VPC. The development team is using Amazon Elastic File System (Amazon EFS) as shared storage in Account A in the organization.
The company wants to continue to use Amazon EFS with Lambda. Company policy requires all serverless projects to be deployed in Account

A. A DevOps engineer needs to reconfigure an existing EFS file system to allow Lambda functions to access the data through an existing EFS access point.
Which combination of steps should the DevOps engineer take to meet these requirements? (Choose three.)

B. Update the EFS file system policy to provide Account B with access to mount and write to the EFS file system in Account

C. Create SCPs to set permission guardrails with fine-grained control for Amazon EFS.

D. Create a new EFS file system in Account

E. Use AWS Database Migration Service (AWS DMS) to keep data from Account A and Account B synchronized.

F. Update the Lambda execution roles with permission to access the VPC and the EFS file system.

G. Create a VPC peering connection to connect Account A to Account

H. Configure the Lambda functions in Account B to assume an existing IAM role in Account

 


Correct Answer: B E F

Question 7

A company's primary AWS Region contains the following infrastructure:
• An Amazon S3 bucket that contains an object package that is used in instance user data to configure an application.
• Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer (ALB) with an instance profile that grants s3:Get* access on the S3 bucket.
The company has the following infrastructure in a backup Region:
• An S3 bucket with the same configuration as the S3 bucket in the primary AWS Region, but without any objects.
• EC2 instances in an Auto Scaling group behind an ALB that run with the same configuration as in the primary AWS Region.
To simulate a disaster recovery scenario, the company turns off all access to Amazon S3 and sets the Auto Scaling group's minimum, maximum, and desired instances to 0 in the primary Region. When the instances in the backup Region scale out, they do not pass Amazon Route 53 health checks.
Which combination of steps should the company take to resolve this issue? (Choose three.)

A. Update the Amazon EC2 Auto Scaling service-linked role to allow access to both S3 buckets.

B. Set up S3 Cross-Region Replication from the S3 bucket in the primary Region to the S3 bucket in the backup Region.

C. Update the instance user data to reference the S3 bucket in the primary Region.

D. Increase the timeout for the target group health check.

E. Update the EC2 instance profile to allow s3:list* actions.

F. Update the EC2 instance profile to allow read access to both S3 buckets.

 


Correct Answer: BCE

Question 8

A software company wants to automate the build process for a project where the code is stored in GitHub. When the repository is updated, source code should be compiled, tested, and pushed to Amazon S3.
Which combination of steps would address these requirements? (Choose three.)

A. Add a buildspec.yml file to the source code with build instructions.

B. Configure a GitHub webhook to trigger a build every time a code change is pushed to the repository.

C. Create an AWS CodeBuild project with GitHub as the source repository.

D. Create an AWS CodeDeploy application with the Amazon EC2/On-Premises compute platform.

E. Create an AWS OpsWorks deployment with the install dependencies command.

F. Provision an Amazon EC2 instance to perform the build.

 


Correct Answer: ABC

Question 9

An online retail company based in the United States plans to expand its operations to Europe and Asia in the next six months. Its product currently runs on Amazon EC2 instances behind an Application Load Balancer. The instances run in an Amazon EC2 Auto Scaling group across multiple Availability Zones. All data is stored in an Amazon Aurora database instance.
When the product is deployed in multiple regions, the company wants a single product catalog across all regions, but for compliance purposes, its customer information and purchases must be kept in each region.
How should the company meet these requirements with the LEAST amount of application changes?

A. Use Amazon Redshift for the product catalog and Amazon DynamoDB tables for the customer information and purchases.

B. Use Amazon DynamoDB global tables for the product catalog and regional tables for the customer information and purchases.

C. Use Aurora with read replicas for the product catalog and additional local Aurora instances in each region for the customer information and purchases.

D. Use Aurora for the product catalog and Amazon DynamoDB global tables for the customer information and purchases.

 


Correct Answer: C

Question 10

A company has 100 GB of log data in an Amazon S3 bucket stored in .csv format. SQL developers want to query this data and generate graphs to visualize it.
They also need an efficient, automated way to store metadata from the .csv file.
Which combination of steps should be taken to meet these requirements with the LEAST amount of effort? (Choose three.)

A. Filter the data through AWS X-Ray to visualize the data.

B. Filter the data through Amazon QuickSight to visualize the data.

C. Query the data with Amazon Athena.

D. Query the data with Amazon Redshift.

E. Use AWS Glue as the persistent metadata store.

F. Use Amazon S3 as the persistent metadata store.

 


Correct Answer: BCF

Question 11

A company has built a web service that runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The company has deployed the application in us-east-1. Amazon Route 53 provides an external DNS that routes traffic from example.com to the application, created with appropriate health checks.
The company has deployed a second environment for the application in eu-west-1. The company wants traffic to be routed to whichever environment results in the best response time for each user. If there is an outage in one Region, traffic should be directed to the other environment.
Which configuration will achieve these requirements?

A.
✑ A subdomain us.example.com with weighted routing: the US ALB with weight 2 and the EU ALB with weight 1.
✑ Another subdomain eu.example.com with weighted routing: the EU ALB with weight 2 and the US ALB with weight 1.
✑ Geolocation routing records for example.com: North America aliased to us.example.com and Europe aliased to eu.example.com.

B.
✑ A subdomain us.example.com with latency-based routing: the US ALB as the first target and the EU ALB as the second target.
✑ Another subdomain eu.example.com with latency-based routing: the EU ALB as the first target and the US ALB as the second target.
✑ Failover routing records for example.com aliased to us.example.com as the first target and eu.example.com as the second target.

C.
✑ A subdomain us.example.com with failover routing: the US ALB as primary and the EU ALB as secondary.
✑ Another subdomain eu.example.com with failover routing: the EU ALB as primary and the US ALB as secondary.
✑ Latency-based routing records for example.com that are aliased to us.example.com and eu.example.com.

D.
✑ A subdomain us.example.com with multivalue answer routing: the US ALB first and the EU ALB second.
✑ Another subdomain eu.example.com with multivalue answer routing: the EU ALB first and the US ALB second.
✑ Failover routing records for example.com that are aliased to us.example.com and eu.example.com.

Correct Answer: C

Question 12

An application runs on Amazon EC2 instances behind an Application Load Balancer (ALB). A DevOps Engineer is using AWS CodeDeploy to release a new version. The deployment fails during the AllowTraffic lifecycle event, but a cause for the failure is not indicated in the deployment logs.
What would cause this?

A. The appspec.yml file contains an invalid script to execute in the AllowTraffic lifecycle hook.

B. The user who initiated the deployment does not have the necessary permissions to interact with the ALB.

C. The health checks specified for the ALB target group are misconfigured.

D. The CodeDeploy agent was not installed in the EC2 instances that are part of the ALB target group.

 


Question 13

A company has a single AWS account where active development occurs. The company's security team has implemented Amazon GuardDuty, AWS Config, and AWS CloudTrail within the account. The security team wants to receive notifications in near real time for only high-severity findings from GuardDuty. The security team uses an Amazon Simple Notification Service (Amazon SNS) topic for notifications from other security tools in the account.
How can a DevOps engineer meet these requirements?

A. Configure an Amazon EventBridge (Amazon CloudWatch Events) rule that detects GuardDuty findings. Use an input transformer to detect high-severity event patterns. Configure the rule to publish a message to the SNS topic.

B. Configure an Amazon EventBridge (Amazon CloudWatch Events) rule that detects noncompliance with the guardduty-non-archived-findings AWS Config managed rule for high-severity GuardDuty findings. Configure the EventBridge (CloudWatch Events) rule to publish a message to the SNS topic.

C. Configure an Amazon EventBridge (Amazon CloudWatch Events) rule with an event pattern that matches GuardDuty ListFindings API calls with a high severity level. Configure the rule to publish a message to the SNS topic.

D. Configure an Amazon EventBridge (Amazon CloudWatch Events) rule with an event pattern that matches GuardDuty findings that have a high severity level within the event. Configure the rule to publish a message to the SNS topic.

 


Correct Answer: B

Question 14

A company plans to stop using Amazon EC2 key pairs for SSH access, and instead plans to use AWS Systems Manager Session Manager. To further enhance security, access to Session Manager must take place over a private network only.
Which combinations of actions will accomplish this? (Choose two.)

A. Allow inbound access to TCP port 22 in all associated EC2 security groups from the VPC CIDR range.

B. Attach an IAM policy with the necessary Systems Manager permissions to the existing IAM instance profile.

C. Create a VPC endpoint for Systems Manager in the desired Region.

D. Deploy a new EC2 instance that will act as a bastion host to the rest of the EC2 instance fleet.

E. Remove any default routes in the associated route tables.

 


Correct Answer: BC

Question 15

A DevOps engineer has implemented a CI/CD pipeline to deploy an AWS CloudFormation template that provisions a web application. The web application consists of an Application Load Balancer (ALB), a target group, a launch template that uses an Amazon Linux 2 AMI, an Auto Scaling group of Amazon EC2 instances, a security group, and an Amazon RDS for MySQL database. The launch template includes user data that specifies a script to install and start the application.
The initial deployment of the application was successful. The DevOps engineer made changes to update the version of the application with the user data. The CI/CD pipeline has deployed a new version of the template. However, the health checks on the ALB are now failing. The health checks have marked all targets as unhealthy.
During investigation, the DevOps engineer notices that the CloudFormation stack has a status of UPDATE_COMPLETE. However, when the DevOps engineer connects to one of the EC2 instances and checks /var/log/messages, the DevOps engineer notices that the Apache web server failed to start successfully because of a configuration error.
How can the DevOps engineer ensure that the CloudFormation deployment will fail if the user data fails to successfully finish running?

A. Use the cfn-signal helper script to signal success or failure to CloudFormation. Use the WaitOnResourceSignals update policy within the CloudFormation template. Set an appropriate timeout for the update policy.

B. Create an Amazon CloudWatch alarm for the UnhealthyHostCount metric. Include an appropriate alarm threshold for the target group. Create an Amazon Simple Notification Service (Amazon SNS) topic as the target to signal success or failure to CloudFormation.

C. Create a lifecycle hook on the Auto Scaling group by using the AWS::AutoScaling::LifecycleHook resource. Create an Amazon Simple Notification Service (Amazon SNS) topic as the target to signal success or failure to CloudFormation. Set an appropriate timeout on the lifecycle hook.

D. Use the Amazon CloudWatch agent to stream the cloud-init logs. Create a subscription filter that includes an AWS Lambda function with an appropriate invocation timeout. Configure the Lambda function to use the SignalResource API operation to signal success or failure to CloudFormation.

 


Correct Answer: A

Question 16

An ecommerce company is looking for ways to deploy an application on AWS that satisfies the following requirements:
• Has a simple and automated application deployment process.
• Has minimal deployment costs while ensuring that at least half of the instances are available to receive end-user requests.
• If the application fails, an automated healing mechanism will replace the affected instances.
Which deployment strategy will meet these requirements?

A. Create an AWS Elastic Beanstalk environment and configure it to use Auto Scaling and an Elastic Load Balancer. Use rolling deployments with a batch size of 50%.

B. Create an AWS OpsWorks stack. Configure the application layer to use rolling deployments as a deployment strategy. Add an Elastic Load Balancing layer. Enable auto healing on the application layer.

C. Use AWS CodeDeploy with Auto Scaling and an Elastic Load Balancer. Use the CodeDeployDefault.HalfAtATime deployment strategy. Enable an Elastic Load Balancing health check to report the status of the application, and set the Auto Scaling health check to ELB.

D. Use AWS CodeDeploy with Auto Scaling and an Elastic Load Balancer. Use a blue/green deployment strategy. Enable an Elastic Load Balancing health check to report the status of the application, and set the Auto Scaling health check to ELB.

 


Correct Answer: C

Question 17

A company manages a web application that runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The EC2 instances run in an Auto Scaling group across multiple Availability Zones. The application uses an Amazon RDS for MySQL DB instance to store the data. The company has configured Amazon Route 53 with an alias record that points to the ALB.
A new company guideline requires a geographically isolated disaster recovery (DR) site with an RTO of 4 hours and an RPO of 15 minutes.
Which DR strategy will meet these requirements with the LEAST change to the application stack?

A. Launch a replica environment of everything except Amazon RDS in a different Availability Zone. Create an RDS read replica in the new Availability Zone, and configure the new stack to point to the local RDS DB instance. Add the new stack to the Route 53 record set by using a health check to configure a failover routing policy.

B. Launch a replica environment of everything except Amazon RDS in a different AWS Region. Create an RDS read replica in the new Region, and configure the new stack to point to the local RDS DB instance. Add the new stack to the Route 53 record set by using a health check to configure a latency routing policy.

C. Launch a replica environment of everything except Amazon RDS in a different AWS Region. In the event of an outage, copy and restore the latest RDS snapshot from the primary Region to the DR Region. Adjust the Route 53 record set to point to the ALB in the DR Region.

D. Launch a replica environment of everything except Amazon RDS in a different AWS Region. Create an RDS read replica in the new Region, and configure the new environment to point to the local RDS DB instance. Add the new stack to the Route 53 record set by using a health check to configure a failover routing policy. In the event of an outage, promote the read replica to primary.

 


Correct Answer: C

Question 18

A developer is maintaining a fleet of 50 Amazon EC2 Linux servers. The servers are part of an Amazon EC2 Auto Scaling group, and also use Elastic Load Balancing for load balancing.
Occasionally, some application servers are being terminated after failing ELB HTTP health checks. The developer would like to perform a root cause analysis on the issue, but before being able to access application logs, the server is terminated.
How can log collection be automated?

A. Use Auto Scaling lifecycle hooks to put instances in a Pending:Wait state. Create an Amazon CloudWatch alarm for EC2 Instance Terminate Successful and trigger an AWS Lambda function that invokes an SSM Run Command script to collect logs, push them to Amazon S3, and complete the lifecycle action once logs are collected.

B. Use Auto Scaling lifecycle hooks to put instances in a Terminating:Wait state. Create an AWS Config rule for EC2 instance-terminate Lifecycle Action and trigger a step function that invokes a script to collect logs, push them to Amazon S3, and complete the lifecycle action once logs are collected.

C. Use Auto Scaling lifecycle hooks to put instances in a Terminating:Wait state. Create an Amazon CloudWatch subscription filter for EC2 Instance Terminate Successful and trigger a CloudWatch agent that invokes a script to collect logs, push them to Amazon S3, and complete the lifecycle action once logs are collected.

D. Use Auto Scaling lifecycle hooks to put instances in a Terminating:Wait state. Create an Amazon EventBridge rule for EC2 Instance-terminate Lifecycle Action and trigger an AWS Lambda function that invokes an SSM Run Command script to collect logs, push them to Amazon S3, and complete the lifecycle action once logs are collected.

 


Correct Answer: D

Question 19

A company has an organization in AWS Organizations. The company has configured AWS Single Sign-On (AWS SSO) to centrally manage access to the AWS accounts in the organization. A DevOps engineer needs to ensure that all users sign in by using multi-factor authentication (MFA). Users must be allowed to manage their own MFA devices. Users also must be prompted for MFA every time they sign in.
What should the DevOps engineer do to meet these requirements?

A. In AWS SSO, configure always-on MFA. Block user sign-in when a user does not yet have a registered MFA device.

B. In AWS SSO, configure always-on MFA. Require a user to register an MFA device at sign-in when the user does not yet have a registered MFA device.

C. In AWS SSO, configure context-aware MFA. Update the trust policy of all permission sets to include the aws:MultiFactorAuthPresent condition on the sts:AssumeRole action.

D. In AWS SSO, configure context-aware MFA. Block user sign-in when a user does not yet have a registered MFA device.

 


Correct Answer: C

Question 20

A company has a data ingestion application that runs across multiple flaws accounts. The accounts are in an organization in flaws Organizations. The company needs to monitor the application and consolidate access to the application. Currently, the company is running the application on Amazon EC2 instances from several Auto Scaling groups. The EC2 instances have no access to the internet because the data is sensitive. Engineers have deployed the necessary VPC endpoints. The EC2 instances run a custom AMI that is built specifically for the application.
To maintain and troubleshoot the application, system administrators need the ability to log in to the EC2 instances. This access must be automated and controlled centrally. The company's security team must receive a notification whenever the instances are accessed.
Which solution will meet these requirements?

A. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to send notifications to the security team whenever a user logs in to an EC2 instance. Use EC2 Instance Connect to log in to the instances. Deploy Auto Scaling groups by using AWS CloudFormation. Use the cfn-init helper script to deploy appropriate VPC routes for external access. Rebuild the custom AMI so that the custom AMI includes AWS Systems Manager Agent.

B. Deploy a NAT gateway and a bastion host that has internet access. Create a security group that allows incoming traffic on all the EC2 instances from the bastion host. Install AWS Systems Manager Agent on all the EC2 instances. Use Auto Scaling group lifecycle hooks for monitoring and auditing access. Use Systems Manager Session Manager to log in to the instances. Send logs to a log group in Amazon CloudWatch Logs. Export data to Amazon S3 for auditing. Send notifications to the security team by using S3 event notifications.

C. Use EC2 Image Builder to rebuild the custom AMI. Include the most recent version of AWS Systems Manager Agent in the image. Configure the Auto Scaling group to attach the AmazonSSMManagedInstanceCore role to all the EC2 instances. Use Systems Manager Session Manager to log in to the instances. Enable logging of session details to Amazon S3. Create an S3 notification for new file uploads to send a message to the security team through an Amazon Simple Notification Service (Amazon SNS) topic.

D. Use AWS Systems Manager Automation to build Systems Manager Agent into the custom AMI. Configure AWS Config to attach an SCP to the root organization account to allow the EC2 instances to connect to Systems Manager. Use Systems Manager Session Manager to log in to the instances. Enable logging of session details to Amazon S3. Create an S3 notification for new file uploads to send a message to the security team through an Amazon Simple Notification Service (Amazon SNS) topic.

 


Correct Answer: D

Question 21

A company has deployed a new Amazon API Gateway API that retrieves the cost of items for the company's online store. An AWS Lambda function supports the API and retrieves the data from an Amazon DynamoDB table. The API's latency increases during times of peak usage each day. However, the latency of the DynamoDB table reads is constant throughout the day.
A DevOps engineer configures DynamoDB Accelerator (DAX) for the DynamoDB table, and the API latency decreases throughout the day. The DevOps engineer then configures Lambda provisioned concurrency with a limit of two concurrent invocations. This change reduces the latency during normal usage. However, the company is still experiencing higher latency during times of peak usage than during times of normal usage.
Which set of additional steps should the DevOps engineer take to produce the LARGEST decrease in API latency?

A. Increase the read capacity of the DynamoDB table. Use AWS Application Auto Scaling to manage provisioned concurrency for the Lambda function.

B. Enable caching in API Gateway. Stop using provisioned concurrency for the Lambda function.

C. Delete the DAX cluster for the DynamoDB table. Use AWS Application Auto Scaling to manage provisioned concurrency for the Lambda function.

D. Enable caching in API Gateway. Use AWS Application Auto Scaling to manage provisioned concurrency for the Lambda function.

 


Correct Answer: B

Question 22

An application is deployed on Amazon EC2 instances running in an Auto Scaling group. During the bootstrapping process, the instances register their private IP addresses with a monitoring system. The monitoring system performs health checks frequently by sending ping requests to those IP addresses and sending alerts if an instance becomes non-responsive.
The existing deployment strategy replaces the current EC2 instances with new ones. A DevOps Engineer has noticed that the monitoring system is sending false alarms during a deployment, and is tasked with stopping these false alarms.
Which solution will meet these requirements without affecting the current deployment method?

A. Define an Amazon CloudWatch Events target, an AWS Lambda function, and a lifecycle hook attached to the Auto Scaling group. Configure CloudWatch Events to invoke Amazon SNS to send a message to the Systems Administrator group for remediation.

B. Define an AWS Lambda function and a lifecycle hook attached to the Auto Scaling group. Configure the lifecycle hook to invoke the Lambda function, which removes the entry of the private IP from the monitoring system upon instance termination.

C. Define an Amazon CloudWatch Events target, an AWS Lambda function, and a lifecycle hook attached to the Auto Scaling group. Configure CloudWatch Events to invoke the Lambda function, which removes the entry of the private IP from the monitoring system upon instance termination.

D. Define an AWS Lambda function that will run a script when instance termination occurs in an Auto Scaling group. The script will remove the entry of the private IP from the monitoring system.

 


Correct Answer: C

Question 23

A company wants to ensure that their EC2 instances are secure. They want to be notified if any new vulnerabilities are discovered on their instances, and they also want an audit trail of all login activities on the instances.
Which solution will meet these requirements?

A. Use AWS Systems Manager to detect vulnerabilities on the EC2 instances. Install the Amazon Kinesis Agent to capture system logs and deliver them to Amazon S3.

B. Use AWS Systems Manager to detect vulnerabilities on the EC2 instances. Install the Systems Manager Agent to capture system logs and view login activity in the CloudTrail console.

C. Configure Amazon CloudWatch to detect vulnerabilities on the EC2 instances. Install the AWS Config daemon to capture system logs and view them in the AWS Config console.

D. Configure Amazon Inspector to detect vulnerabilities on the EC2 instances. Install the Amazon CloudWatch Agent to capture system logs and record them via Amazon CloudWatch Logs.

 


Correct Answer: B

Question 24

A DevOps team uses AWS CloudFormation to build their infrastructure. The security team is concerned about sensitive parameters, such as passwords, being exposed.
Which combination of steps will enhance the security of AWS CloudFormation? (Choose three.)

A. Create a secure string with AWS KMS and choose a KMS encryption key. Reference the ARN of the secure string, and give AWS CloudFormation permission to the KMS key for decryption.

B. Create secrets using the AWS Secrets Manager AWS::SecretsManager::Secret resource type. Reference the secret resource return attributes in resources that need a password, such as an Amazon RDS database.

C. Store sensitive static data as secure strings in the AWS Systems Manager Parameter Store. Use dynamic references in the resources that need access to the data.

D. Store sensitive static data in the AWS Systems Manager Parameter Store as strings. Reference the stored value using types of Systems Manager parameters.

E. Use AWS KMS to encrypt the CloudFormation template.

F. Use the CloudFormation NoEcho parameter property to mask the parameter value.

 


Correct Answer: BCE

Question 25

A company grants external users access to its AWS account by creating an IAM user for each external user. A DevOps engineer must implement a solution to revoke access from IAM users that have not accessed the account in 90 days.
Which solution will meet these requirements?

A. Turn on AWS Config in the AWS account. Deploy the iam-user-unused-credentials-check AWS Config managed rule. Configure the rule to run periodically. Configure AWS Config automatic remediation to run the AWSConfigRemediation-RevokeUnusedIAMUserCredentials AWS Systems Manager Automation runbook.

B. Use AWS Identity and Access Management Access Analyzer to create an analyzer in the AWS account. Create an Amazon EventBridge rule to match IAM Access Analyzer events for IAM users that were last accessed more than 90 days ago. Configure the rule to run the AWSConfigRemediation-DetachIAMPolicy AWS Systems Manager Automation runbook to detach any policies that are attached to the IAM user.

C. Enable AWS Trusted Advisor in the AWS account. Use the AWS Developer Support plan to access the AWS Support API. Configure an Amazon EventBridge scheduled rule to use the Support API’s Trusted Advisor IAM Access Key Rotation check to discover IAM credentials that have not been accessed for more than 90 days. Configure another EventBridge rule to use the Trusted Advisor Check Item Refresh Status event type and to run the AWSConfigRemediation-RevokeUnusedIAMUserCredentials AWS Systems Manager Automation runbook.

D. Enable AWS Security Hub in the AWS account. Configure a Security Hub rule that determines when an IAM user was last accessed. Configure an Amazon EventBridge rule to match the Security Hub rule and to run the AWSConfigRemediation-RevokeUnusedIAMUserCredentials AWS Systems Manager Automation runbook.

 


Correct Answer: C

Question 26

A company is using AWS Organizations to create separate AWS accounts for each of its departments. The company needs to automate the following tasks:
✑ Update the Linux AMIs with new patches periodically and generate a golden image
✑ Install a new version of Chef agents in the golden image, if available
✑ Provide the newly generated AMIs to the department's accounts
Which solution meets these requirements with the LEAST management overhead?

A. Write a script to launch an Amazon EC2 instance from the previous golden image. Apply the patch updates. Install the new version of the Chef agent, generate a new golden image, and then modify the AMI permissions to share only the new image with the department’s accounts.

B. Use Amazon EC2 Image Builder to create an image pipeline that consists of the base Linux AMI and components to install the Chef agent. Use AWS Resource Access Manager to share EC2 Image Builder images with the department’s accounts.

C. Use an AWS Systems Manager Automation runbook to update the Linux AMI by using the previous image. Provide the URL for the script that will update the Chef agent. Use AWS Organizations to replace the previous golden image in the department’s accounts.

D. Use Amazon EC2 Image Builder to create an image pipeline that consists of the base Linux AMI and components to install the Chef agent. Create a parameter in AWS Systems Manager Parameter Store to store the new AMI ID that can be referenced by the department’s accounts.

 


Correct Answer: A

Question 27

A DevOps engineer wants to find a solution to migrate an application from on premises to AWS. The application is running on Linux and needs to run on specific versions of Apache Tomcat, HAProxy, and Varnish Cache to function properly. The application's operating system-level parameters require tuning. The solution must include a way to automate the deployment of new application versions. The infrastructure should be scalable and faulty servers should be replaced automatically.
Which solution should the DevOps engineer use?

A. Upload the application as a Docker image that contains all the necessary software to Amazon ECR. Create an Amazon ECS cluster using an AWS Fargate launch type and an Auto Scaling group. Create an AWS CodePipeline pipeline that uses Amazon ECR as a source and Amazon ECS as a deployment provider.

B. Upload the application code to an AWS CodeCommit repository with a saved configuration file to configure and install the software. Create an AWS Elastic Beanstalk web server tier and a load balanced-type environment that uses the Tomcat solution stack. Create an AWS CodePipeline pipeline that uses CodeCommit as a source and Elastic Beanstalk as a deployment provider.

C. Upload the application code to an AWS CodeCommit repository with a set of .ebextensions files to configure and install the software. Create an AWS Elastic Beanstalk worker tier environment that uses the Tomcat solution stack. Create an AWS CodePipeline pipeline that uses CodeCommit as a source and Elastic Beanstalk as a deployment provider.

D. Upload the application code to an AWS CodeCommit repository with an appspec.yml file to configure and install the necessary software. Create an AWS CodeDeploy deployment group associated with an Amazon EC2 Auto Scaling group. Create an AWS CodePipeline pipeline that uses CodeCommit as a source and CodeDeploy as a deployment provider.

 


Correct Answer: A

Question 28

An ecommerce company has chosen AWS to host its new platform. The company's DevOps team has started building an AWS Control Tower landing zone. The DevOps team has set the identity store within AWS Single Sign-On (AWS SSO) to external identity provider (IdP) and has configured SAML 2.0.
The DevOps team wants a robust permission model that applies the principle of least privilege. The model must allow the team to build and manage only the team's own resources.
Which combination of steps will meet these requirements? (Choose three.)

A. Create IAM policies that include the required permissions. Include the aws PrincipalTag condition key.

B. Create permission sets. Attach an inline policy that includes the required permissions and uses the aws:PrincipalTag condition key to scope the permissions.

C. Create a group in the IdP. Place users in the group. Assign the group to accounts and the permission sets in AWS SSO.

D. Create a group in the IdP. Place users in the group. Assign the group to OUs and IAM policies.

E. Enable attributes for access control in AWS SSO. Apply tags to users. Map the tags as key-value pairs.

F. Enable attributes for access control in AWS SSO. Map attributes from the IdP as key-value pairs.

 


Correct Answer: BCF

Question 29

A DevOps engineer is researching the least expensive way to implement an image batch processing cluster on AWS. The application cannot run in Docker containers and must run on Amazon EC2. The batch job stores checkpoint data on an NFS and can tolerate interruptions. Configuring the cluster software from a generic EC2 Linux image takes 30 minutes.
What is the MOST cost-effective solution?

A. Use Amazon EFS for checkpoint data. To complete the job, use an EC2 Auto Scaling group and an On-Demand pricing model to provision EC2 instances temporarily.

B. Use GlusterFS on EC2 instances for checkpoint data. To run the batch job, configure EC2 instances manually. When the job completes, shut down the instances manually.

C. Use Amazon EFS for checkpoint data. Use EC2 Fleet to launch EC2 Spot Instances, and utilize user data to configure the EC2 Linux instance on startup.

D. Use Amazon EFS for checkpoint data. Use EC2 Fleet to launch EC2 Spot Instances. Create a custom AMI for the cluster and use the latest AMI when creating instances.

 


Correct Answer: D

Question 30

A company uses Application Load Balancers (ALBs) as part of its application architecture. The company has ALBs in AWS accounts that are part of an organization in AWS Organizations. The company has configured AWS Config in all AWS accounts in the organization.
The company needs to apply an AWS WAF web ACL with a common set of rules to all ALBs, including any ALBs that are created in the future. Administrators of each AWS account must be able to define their own AWS WAF rules that are in addition to the common rules that the company’s security team provides for all the accounts.
Which solution will meet these requirements?

A. Configure AWS Firewall Manager for the organization. In the Firewall Manager administrator account, create an AWS WAF policy. Turn on automatic remediation and define the web ACL. Configure the policy scope to apply to all ALBs in the organization.

B. Use AWS Resource Access Manager (AWS RAM) from the organization’s management account to enable resource sharing in the organization. Create the web ACL. Configure a resource share of the web ACL for the organization. Associate the shared web ACL with all the ALBs in the organization.

C. Set up the ALB_WAF_ENABLED AWS Config managed rule with automatic remediation. Configure the rule to create the web ACL and to attach the web ACL to all ALBs in an AWS account. Create an AWS Config conformance pack that contains the rule. Deploy the conformance pack to all AWS accounts in the organization.

D. Configure AWS Firewall Manager for the organization. In the Firewall Manager administrator account, create an AWS WAF policy that defines the web ACL. Set up the ALB_WAF_ENABLED AWS Config managed rule with automatic remediation. Configure the rule to attach the web ACL to all ALBs in an AWS account. Deploy the rule to all AWS accounts in the organization.

 


Correct Answer: D

Question 31

A DevOps engineer is working on a data archival project that requires the migration of on-premises data to an Amazon S3 bucket. The DevOps engineer develops a script that incrementally archives on-premises data that is older than 1 month to Amazon S3. Data that is transferred to Amazon S3 is deleted from the on-premises location. The script uses the S3 PutObject operation.
During a code review, the DevOps engineer notices that the script does not verify whether the data was successfully copied to Amazon S3. The DevOps engineer must update the script to ensure that data is not corrupted during transmission. The script must use MD5 checksums to verify data integrity before the on-premises data is deleted.
Which solutions for the script will meet these requirements? (Choose two.)

A. Check the returned response for the VersionId. Compare the returned VersionId against the MD5 checksum.

B. Include the MD5 checksum within the Content-MD5 parameter. Check the operation call’s return status to find out if an error was returned.

C. Include the checksum digest within the tagging parameter as a URL query parameter.

D. Check the returned response for the ETag. Compare the returned ETag against the MD5 checksum.

E. Include the checksum digest within the Metadata parameter as a name-value pair. After upload, use the S3 HeadObject operation to retrieve metadata from the object.

 


Correct Answer: AE

Question 32

A company has AWS accounts that are members of the same organization in AWS Organizations. According to the company's security policy, IAM customer managed policies must be scoped to specific actions and must not include wildcard actions on wildcard resources.
If an IAM customer managed policy is created or modified in any of the company's AWS accounts to grant wildcard actions on resources that also specify wildcards, the policy must be detached from any IAM user, role, or group that the policy is attached to. Individual AWS account administrators must not be able to prevent the removal of the policies.
Which combination of steps will meet these requirements? (Choose two.)

A. Configure automatic remediation to run the AWSConfigRemediation-DetachIAMPolicy AWS Systems Manager Automation runbook.

B. Configure automatic remediation to invoke a custom AWS Lambda function to detach the IAM policy from the affected resources.

C. Configure automatic remediation to use AWS Systems Manager Run Command to detach the IAM policy from the affected resources.

D. Turn on AWS Config by using an AWS CloudFormation stack set that is created in a central account. Configure automatic deployment for the stack set, and specify the organization as the target. Configure the iam-policy-no-statements-with-full-access AWS Config managed rule in the central account.

E. Turn on AWS Config for the organization. Create a new AWS account. Configure the account as a delegated administrator account for AWS Config. Configure the iam-policy-no-statements-with-full-access AWS Config managed rule in the delegated administrator account.

 


Correct Answer: AB

Question 33

A development team manages website deployments using AWS CodeDeploy blue/green deployments. The application is running on Amazon EC2 instances behind an Application Load Balancer in an Auto Scaling group.
When deploying a new revision, the team notices the deployment eventually fails, but it takes a long time to fail. After further inspection, the team discovers the AllowTraffic lifecycle event ran for an hour and eventually failed without providing any other information. The team wants to ensure failure notices are delivered more quickly while maintaining application availability even upon failure.
Which combination of actions should be taken to meet these requirements? (Choose two.)

A. Change the deployment configuration to CodeDeployDefault.AllAtOnce to speed up the deployment process by deploying to all of the instances at the same time.

B. Create a CodeDeploy trigger for the deployment failure event and make the deployment fail as soon as a single health check failure is detected.

C. Reduce the HealthCheckIntervalSeconds and UnhealthyThresholdCount values within the target group health checks to decrease the amount of time it takes for the application to be considered unhealthy.

D. Use the appspec.yml file to run a script on the AllowTraffic hook to perform lighter health checks on the application instead of making CodeDeploy wait for the target group health checks to pass.

E. Use the appspec.yml file to run a script on the BeforeAllowTraffic hook to perform health checks on the application and fail the deployment if the health checks performed by the script are not successful.

 


Correct Answer: BE

Question 34

A company has deployed an application on AWS Elastic Beanstalk by using an all-at-once deployment method. The deployment failed recently because of an application misconfiguration and resulted in significant downtime.
To prevent such downtime in the future, a DevOps engineer needs to revise the deployment method while maintaining the application performance. The DevOps engineer must ensure that application versions are consistently configured across all instances without creating new environments.
Which deployment solution will meet these requirements?

A. Switch to a rolling deployment strategy for future application updates.

B. Switch to a rolling deployment with additional batch strategy for future application updates.

C. Switch to an immutable deployment strategy for future application updates.

D. Switch to a blue/green deployment strategy for future application updates.

 


Correct Answer: D

Question 35

A company is using AWS to deploy an application. The development team must automate the deployments. The team has created an AWS CodePipeline pipeline to deploy the application to Amazon EC2 instances using AWS CodeDeploy after it has been built using AWS CodeBuild.
The team wants to add automated testing to the pipeline to confirm that the application is healthy before deploying the code to the EC2 instances. The team also requires a manual approval action before the application is deployed, even if the tests are successful. The testing and approval must be accomplished at the lowest costs, using the simplest management solution.
Which solution will meet these requirements?

A. Create a manual approval action after the build action of the pipeline. Use Amazon SNS to inform the team of the stage being triggered. Next, add a test action using CodeBuild to perform the required tests. At the end of the pipeline, add a deploy action to deploy the application to the next stage.

B. Create a test action after the CodeBuild build of the pipeline. Configure the action to use CodeBuild to perform the required tests. If these tests are successful, mark the action as successful. Add a manual approval action that uses Amazon SNS to notify the team, and add a deploy action to deploy the application to the next stage.

C. Create a new pipeline that uses a source action that gets the code from the same repository as the first pipeline. Add a deploy action to deploy the code to a test environment. Use a test action using AWS Lambda to test the deployment. Add a manual approval action by using Amazon SNS to notify the team, and add a deploy action to deploy the application to the next stage.

D. Create a test action after the build action. Use a Jenkins server on Amazon EC2 to perform the required tests and mark the action as successful if the tests pass. Create a manual approval action that uses Amazon SQS to notify the team and add a deploy action to deploy the application to the next stage.

 


Correct Answer: B

Question 36

An Amazon EC2 instance is running in a Virtual Private Cloud (VPC) and needs to download an object from a restricted Amazon S3 bucket. When the DevOps engineer tries to download the object, an AccessDenied error is received.
What are the possible causes for this error? (Choose two.)

A. The S3 bucket default encryption is enabled

B. There is an error in the S3 bucket policy

C. The object has been moved to Amazon Glacier

D. There is an error in the IAM role configuration

E. S3 versioning is enabled

 


Correct Answer: BD

Question 37

During the next CodePipeline run, the pipeline exits with a FAILED state during the build stage. The DevOps engineer verifies that the correct Systems Manager parameter path is in place for the environment variable values that were changed. The DevOps engineer also validates that the environment variable type is Parameter.
Why did the pipeline fail?

A. The CodePipeline IAM service role does not have the required IAM permissions to use Parameter Store.

B. The CodePipeline IAM service role does not have the required IAM permissions to use the aws/ssm KMS key.

C. The CodeBuild IAM service role does not have the required IAM permissions to use Parameter Store.

D. The CodeBuild IAM service role does not have the required IAM permissions to use the aws/ssm KMS key.

 


Correct Answer: B

Question 38

A DevOps engineer sets up two Amazon S3 event notifications for an S3 bucket from the S3 console. Both event notifications will be invoked when an object PUT action occurs. One event notification will invoke an AWS Lambda function if the file suffix is .csv. Another event notification will invoke an Amazon Simple Notification Service (Amazon SNS) topic if the file suffix is .xlsx.
The DevOps engineer notices that files with the .csv suffix can invoke the Lambda function successfully. However, files with the .xlsx suffix cannot invoke the SNS topic.
Which reason explains why the SNS topic is not invoked when .xlsx files are added to the S3 bucket?

A. Only one event notification is allowed from the S3 console.

B. Amazon S3 needs proper permissions to publish an event notification to Amazon SNS.

C. Lambda has precedence over Amazon SNS in handling the event notification.

D. Amazon SNS is not a valid destination for some S3 event notifications, including object PUT.

 


Correct Answer: B

Question 39

A company is building a solution for storing files containing Personally Identifiable Information (PII) on AWS.
Requirements state:
✑ All data must be encrypted at rest and in transit.
✑ All data must be replicated in at least two locations that are at least 500 miles (805 kilometers) apart.
Which solution meets these requirements?

A. Create primary and secondary Amazon S3 buckets in two separate Availability Zones that are at least 500 miles (805 kilometers) apart. Use a bucket policy to enforce access to the buckets only through HTTPS. Use a bucket policy to enforce Amazon S3 SSE-C on all objects uploaded to the bucket. Configure cross-region replication between the two buckets.

B. Create primary and secondary Amazon S3 buckets in two separate AWS Regions that are at least 500 miles (805 kilometers) apart. Use a bucket policy to enforce access to the buckets only through HTTPS. Use a bucket policy to enforce S3-Managed Keys (SSE-S3) on all objects uploaded to the bucket. Configure cross-region replication between the two buckets.

C. Create primary and secondary Amazon S3 buckets in two separate AWS Regions that are at least 500 miles (805 kilometers) apart. Use an IAM role to enforce access to the buckets only through HTTPS. Use a bucket policy to enforce Amazon S3-Managed Keys (SSE-S3) on all objects uploaded to the bucket. Configure cross-region replication between the two buckets.

D. Create primary and secondary Amazon S3 buckets in two separate Availability Zones that are at least 500 miles (805 kilometers) apart. Use a bucket policy to enforce access to the buckets only through HTTPS. Use a bucket policy to enforce AWS KMS encryption on all objects uploaded to the bucket. Configure cross-region replication between the two buckets. Create a KMS Customer Master Key (CMK) in the primary region for encrypting objects.

 


Correct Answer: B

Question 40

A consulting company was hired to assess security vulnerabilities within a client company's application and propose a plan to remediate all identified issues. The architecture is identified as follows: Amazon S3 storage for content, an Auto Scaling group of Amazon EC2 instances behind an Elastic Load Balancer with attached Amazon EBS storage, and an Amazon RDS MySQL database. There are also several AWS Lambda functions that communicate directly with the RDS database using connection string statements in the code.
The consultants identified the top security threat as follows: the application is not meeting its requirement to have encryption at rest.
What solution will address this issue with the LEAST operational overhead and will provide monitoring for potential future violations?

A. Enable SSE encryption on the S3 buckets and RDS database. Enable OS-based encryption of data on EBS volumes. Configure Amazon Inspector agents on EC2 instances to report on insecure encryption ciphers. Set up AWS Config rules to periodically check for non-encrypted S3 objects.

B. Configure the application to encrypt each file prior to storing on Amazon S3. Enable OS-based encryption of data on EBS volumes. Encrypt data on write to RDS. Run cron jobs on each instance to check for unencrypted data and notify via Amazon SNS. Use S3 Events to call an AWS Lambda function and verify if the file is encrypted.

C. Enable Secure Sockets Layer (SSL) on the load balancer, ensure that AWS Lambda is using SSL to communicate to the RDS database, and enable S3 encryption. Configure the application to force SSL for incoming connections and configure RDS to only grant access if the session is encrypted. Configure Amazon Inspector agents on EC2 instances to report on insecure encryption ciphers.

D. Enable SSE encryption on the S3 buckets, EBS volumes, and the RDS database. Store RDS credentials in EC2 Parameter Store. Enable a policy on the S3 bucket to deny unencrypted puts. Set up AWS Config rules to periodically check for non-encrypted S3 objects and EBS volumes, and to ensure that RDS storage is encrypted.

 


Correct Answer: D

Question 41

A company uses AWS CodePipeline pipelines to automate releases of its application. A typical pipeline consists of three stages: build, test, and deployment. The company has been using a separate AWS CodeBuild project to run scripts for each stage. However, the company now wants to use AWS CodeDeploy to handle the deployment stage of the pipelines.
The company has packaged the application as an RPM package and must deploy the application to a fleet of Amazon EC2 instances. The EC2 instances are in an EC2 Auto Scaling group and are launched from a common AMI.
Which combination of steps should a DevOps engineer perform to meet these requirements? (Choose two.)

A. Create a new version of the common AMI with the CodeDeploy agent installed. Update the IAM role of the EC2 instances to allow access to CodeDeploy.

B. Create a new version of the common AMI with the CodeDeploy agent installed. Create an AppSpec file that contains application deployment scripts and grants access to CodeDeploy.

C. Create an application in CodeDeploy. Configure an in-place deployment type. Specify the Auto Scaling group as the deployment target. Add a step to the CodePipeline pipeline to use EC2 Image Builder to create a new AMI. Configure CodeDeploy to deploy the newly created AMI.

D. Create an application in CodeDeploy. Configure an in-place deployment type. Specify the Auto Scaling group as the deployment target. Update the CodePipeline pipeline to use the CodeDeploy action to deploy the application.

E. Create an application in CodeDeploy. Configure an in-place deployment type. Specify the EC2 instances that are launched from the common AMI as the deployment target. Update the CodePipeline pipeline to use the CodeDeploy action to deploy the application.

 


Correct Answer: A E

Question 42

A company develops and maintains a web application using Amazon EC2 instances and an Amazon RDS for SQL Server DB instance in a single Availability Zone. The resources need to run only when new deployments are being tested using AWS CodePipeline. Testing occurs one or more times a week and each test takes 2-3 hours to run. A DevOps engineer wants a solution that does not change the architecture components.
Which solution will meet these requirements in the MOST cost-effective manner?

A. Convert the RDS database to an Amazon Aurora Serverless database. Use an AWS Lambda function to start and stop the EC2 instances before and after tests.

B. Put the EC2 instances into an Auto Scaling group. Schedule scaling to run at the start of the deployment tests.

C. Replace the EC2 instances with EC2 Spot Instances and the RDS database with an RDS Reserved Instance.

D. Subscribe Amazon CloudWatch Events to CodePipeline to trigger AWS Systems Manager Automation documents that start and stop all EC2 and RDS instances before and after deployment tests.

 


Correct Answer: B

Question 43

A company updated the AWS CloudFormation template for a critical business application. The stack update process failed due to an error in the updated template, and AWS CloudFormation automatically began the stack rollback process. Later, a DevOps engineer discovered that the application was still unavailable and that the stack was in the UPDATE_ROLLBACK_FAILED state.
Which combination of actions should the DevOps engineer perform so that the stack rollback can complete successfully? (Choose two.)

A. Attach the AWSCloudFormationFullAccess IAM policy to the AWS CloudFormation role.

B. Automatically recover the stack resources by using AWS CloudFormation drift detection.

C. Issue a ContinueUpdateRollback command from the AWS CloudFormation console or the AWS CLI.

D. Manually adjust the resources to match the expectations of the stack.

E. Update the existing AWS CloudFormation stack by using the original template.

 


Correct Answer: AE

Question 44

A company is deploying a new application that uses Amazon EC2 instances. The company needs a solution to query application logs and AWS account API activity.
Which solution will meet these requirements?

A. Use the Amazon CloudWatch agent to send logs from the EC2 instances to Amazon CloudWatch Logs. Configure AWS CloudTrail to deliver the API logs to Amazon S3. Use CloudWatch to query both sets of logs.

B. Use the Amazon CloudWatch agent to send logs from the EC2 instances to Amazon CloudWatch Logs. Configure AWS CloudTrail to deliver the API logs to CloudWatch Logs. Use CloudWatch Logs Insights to query both sets of logs.

C. Use the Amazon CloudWatch agent to send logs from the EC2 instances to Amazon Kinesis. Configure AWS CloudTrail to deliver the API logs to Kinesis. Use Kinesis to load the data into Amazon Redshift. Use Amazon Redshift to query both sets of logs.

D. Use the Amazon CloudWatch agent to send logs from the EC2 instances to Amazon S3. Use AWS CloudTrail to deliver the API logs to Amazon S3. Use Amazon Athena to query both sets of logs in Amazon S3.

 


Correct Answer: A

Question 45

A company has 20 service teams. Each service team is responsible for its own microservice. Each service team uses a separate AWS account for its microservice and a VPC with the 192.168.0.0/22 CIDR block. The company manages the AWS accounts with AWS Organizations.
Each service team hosts its microservice on multiple Amazon EC2 instances behind an Application Load Balancer. The microservices communicate with each other across the public Internet. The company's security team has issued a new guideline that all communication between microservices must use HTTPS over private network connections and cannot traverse the public Internet.
A DevOps engineer must implement a solution that fulfills these obligations and minimizes the number of changes for each service team.
Which solution will meet these requirements?

A. Create a new AWS account in AWS Organizations. Create a VPC in this account and use AWS Resource Access Manager to share the private subnets of this VPC with the organization. Instruct the service teams to launch a new Network Load Balancer (NLB) and EC2 instances that use the shared private subnets. Use the NLB DNS names for communication between microservices.

B. Create a Network Load Balancer (NLB) in each of the microservice VPCs. Use AWS PrivateLink to create VPC endpoints in each AWS account for the NLBs. Create subscriptions to each VPC endpoint in each of the other AWS accounts. Use the VPC endpoint DNS names for communication between microservices.

C. Create a Network Load Balancer (NLB) in each of the microservice VPCs. Create VPC peering connections between each of the microservice VPCs. Update the route tables for each VPC to use the peering links. Use the NLB DNS names for communication between microservices.

D. Create a new AWS account in AWS Organizations. Create a transit gateway in this account and use AWS Resource Access Manager to share the transit gateway with the organization. In each of the microservice VPCs, create a transit gateway attachment to the shared transit gateway. Update the route tables of each VPC to use the transit gateway. Create a Network Load Balancer (NLB) in each of the microservice VPCs. Use the NLB DNS names for communication between microservices.

 


Correct Answer: B

Question 46

A DevOps engineer is using AWS CodePipeline and AWS CodeBuild to create a CI/CD pipeline for a serverless application that is based on the AWS Serverless Application Model (AWS SAM). The source, build and test steps have been completed. The DevOps engineer has also created two pipeline deployment stages that use AWS CloudFormation as the action provider. One stage uses the "Create or replace a change set" action mode. The other stage uses the "Execute a change set" action mode.
The DevOps engineer needs to pass some parameters to a CloudFormation stack during the deployment without changing the code and pipeline structure.
Which solution will meet these requirements?

A. Set the --parameter-overrides option in the sam deploy command when the CodeBuild stage is invoked.

B. Add all parameters in AWS Systems Manager Parameter Store. Use dynamic references to specify template values in Parameter Store.

C. In the deployment stage where the “Create or replace a change set” action mode resides, apply the JSON object in the ParameterOverrides property.

D. In the deployment stage where the “Execute a change set” action mode resides, apply the JSON object in the ParameterOverrides property.

 


Correct Answer: A

Question 47

A DevOps engineer is working on a project that is hosted on Amazon Linux and has failed a security review. The DevOps manager has been asked to review the company buildspec.yaml file for an AWS CodeBuild project and provide recommendations. The buildspec.yaml file is configured as follows:
What changes should be recommended to comply with AWS security best practices? (Choose three.)

A. Add a post-build command to remove the temporary files from the container before termination to ensure they cannot be seen by other CodeBuild users.

B. Update the CodeBuild project role with the necessary permissions and then remove the AWS credentials from the environment variable.

C. Store the DB_PASSWORD as a SecureString value in AWS Systems Manager Parameter Store and then remove the DB_PASSWORD from the environment variables.

D. Move the environment variables to the ‘db-deploy-bucket’ Amazon S3 bucket, add a prebuild stage to download, then export the variables.

E. Use AWS Systems Manager run command versus scp and ssh commands directly to the instance.

F. Scramble the environment variables using XOR followed by Base64, add a section to install, and then run XOR and Base64 to the build phase.

 


Correct Answer: BCE

Question 48

A company is implementing a well-architected design for its globally accessible API stack. The design needs to ensure both high reliability and fast response times for users located in North America and Europe.
The API stack contains the following three tiers:
• Amazon API Gateway
• AWS Lambda
• Amazon DynamoDB
Which solution will meet the requirements?

A. Configure Amazon Route 53 to point to API Gateway APIs in North America and Europe using health checks. Configure the APIs to forward requests to a Lambda function in that Region. Configure the Lambda functions to retrieve and update the data in a DynamoDB table in the same Region as the Lambda function.

B. Configure Amazon Route 53 to point to API Gateway APIs in North America and Europe using latency-based routing and health checks. Configure the APIs to forward requests to a Lambda function in that Region. Configure the Lambda functions to retrieve and update the data in a DynamoDB global table.

C. Configure Amazon Route 53 to point to API Gateway in North America, create a disaster recovery API in Europe, and configure both APIs to forward requests to the Lambda functions in that Region. Retrieve the data from a DynamoDB global table. Deploy a Lambda function to check the North America API health every 5 minutes. In the event of a failure, update Route 53 to point to the disaster recovery API.

D. Configure Amazon Route 53 to point to API Gateway API in North America using latency-based routing. Configure the API to forward requests to the Lambda function in the Region nearest to the user. Configure the Lambda function to retrieve and update the data in a DynamoDB table.

 


Correct Answer: B

Question 49

A company is building a web and mobile application that uses a serverless architecture powered by AWS Lambda and Amazon API Gateway. The company wants to fully automate the backend Lambda deployment based on code that is pushed to the appropriate environment branch in an AWS CodeCommit repository.
The deployment must have the following:
• Separate environment pipelines for testing and production
• Automatic deployment that occurs for test environments only
Which steps should be taken to meet these requirements?

A. Configure a new AWS CodePipeline service. Create a CodeCommit repository for each environment. Set up CodePipeline to retrieve the source code from the appropriate repository. Set up the deployment step to deploy the Lambda functions with AWS CloudFormation.

B. Create two AWS CodePipeline configurations for test and production environments. Configure the production pipeline to have a manual approval step. Create a CodeCommit repository for each environment. Set up each CodePipeline to retrieve the source code from the appropriate repository. Set up the deployment step to deploy the Lambda functions with AWS CloudFormation.

C. Create two AWS CodePipeline configurations for test and production environments. Configure the production pipeline to have a manual approval step. Create one CodeCommit repository with a branch for each environment. Set up each CodePipeline to retrieve the source code from the appropriate branch in the repository. Set up the deployment step to deploy the Lambda functions with AWS CloudFormation.

D. Create an AWS CodeBuild configuration for test and production environments. Configure the production pipeline to have a manual approval step. Create one CodeCommit repository with a branch for each environment. Push the Lambda function code to an Amazon S3 bucket. Set up the deployment step to deploy the Lambda functions from the S3 bucket.

 


Correct Answer: C

Question 50

A DevOps Engineer administers an application that manages video files for a video production company. The application runs on Amazon EC2 instances behind an ELB Application Load Balancer. The instances run in an Auto Scaling group across multiple Availability Zones. Data is stored in an Amazon RDS PostgreSQL Multi-AZ DB instance, and the video files are stored in an Amazon S3 bucket. On a typical day, 50 GB of new video are added to the S3 bucket. The Engineer must implement a multi-region disaster recovery plan with the least data loss and the lowest recovery times. The current application infrastructure is already described using AWS CloudFormation.
Which deployment option should the Engineer choose to meet the uptime and recovery objectives for the system?

A. Launch the application from the CloudFormation template in the second region, which sets the capacity of the Auto Scaling group to 1. Create an Amazon RDS read replica in the second region. In the second region, enable cross-region replication between the original S3 bucket and a new S3 bucket. To fail over, promote the read replica as master. Update the CloudFormation stack and increase the capacity of the Auto Scaling group.

B. Launch the application from the CloudFormation template in the second region, which sets the capacity of the Auto Scaling group to 1. Create a scheduled task to take daily Amazon RDS cross-region snapshots to the second region. In the second region, enable cross-region replication between the original S3 bucket and Amazon Glacier. In a disaster, launch a new application stack in the second region and restore the database from the most recent snapshot.

C. Launch the application from the CloudFormation template in the second region, which sets the capacity of the Auto Scaling group to 1. Use Amazon CloudWatch Events to schedule a nightly task to take a snapshot of the database, copy the snapshot to the second region, and replace the DB instance in the second region from the snapshot. In the second region, enable cross-region replication between the original S3 bucket and a new S3 bucket. To fail over, increase the capacity of the Auto Scaling group.

D. Use Amazon CloudWatch Events to schedule a nightly task to take a snapshot of the database and copy the snapshot to the second region. Create an AWS Lambda function that copies each object to a new S3 bucket in the second region in response to S3 event notifications. In the second region, launch the application from the CloudFormation template and restore the database from the most recent snapshot.

 


Correct Answer: A

Free Access Full DOP-C01 Practice Exam Free

Looking for additional practice? Click here to access a full set of DOP-C01 practice exam free questions and continue building your skills across all exam domains.

Our question sets are updated regularly to ensure they stay aligned with the latest exam objectives—so be sure to visit often!

Good luck with your DOP-C01 certification journey!

PracticeTestFree.com materials do not contain actual questions and answers from Cisco's Certification Exams. PracticeTestFree.com doesn't offer Real Microsoft Exam Questions. PracticeTestFree.com doesn't offer Real Amazon Exam Questions.
