DOP-C01 Practice Questions Free

DOP-C01 Practice Questions Free – 50 Exam-Style Questions to Sharpen Your Skills

Are you preparing for the DOP-C01 certification exam? Kickstart your success with our DOP-C01 Practice Questions Free – a carefully selected set of 50 real exam-style questions to help you test your knowledge and identify areas for improvement.

Practicing with DOP-C01 practice questions free gives you a powerful edge by allowing you to:

  • Understand the exam structure and question formats
  • Discover your strong and weak areas
  • Build the confidence you need for test day success

Below, you will find 50 free DOP-C01 practice questions designed to match the real exam in both difficulty and topic coverage. They’re ideal for self-assessment or final review. You can click on each Question to explore the details.

Question 1

A company has deployed a new Amazon API Gateway API that retrieves the cost of items for the company's online store. An AWS Lambda function supports the API and retrieves the data from an Amazon DynamoDB table. The API's latency increases during times of peak usage each day. However, the latency of the DynamoDB table reads is constant throughout the day.
A DevOps engineer configures DynamoDB Accelerator (DAX) for the DynamoDB table, and the API latency decreases throughout the day. The DevOps engineer then configures Lambda provisioned concurrency with a limit of two concurrent invocations. This change reduces the latency during normal usage. However, the company is still experiencing higher latency during times of peak usage than during times of normal usage.
Which set of additional steps should the DevOps engineer take to produce the LARGEST decrease in API latency?

A. Increase the read capacity of the DynamoDB table. Use AWS Application Auto Scaling to manage provisioned concurrency for the Lambda function.

B. Enable caching in API Gateway. Stop using provisioned concurrency for the Lambda function.

C. Delete the DAX cluster for the DynamoDB table. Use AWS Application Auto Scaling to manage provisioned concurrency for the Lambda function.

D. Enable caching in API Gateway. Use AWS Application Auto Scaling to manage provisioned concurrency for the Lambda function.

 


Correct Answer: B

Question 2

A security team is concerned that a developer can unintentionally attach an Elastic IP address to an Amazon EC2 instance in production. No developer should be allowed to attach an Elastic IP address to an instance. The security team must be notified if any production server has an Elastic IP address at any time.
How can this task be automated?

A. Use Amazon Athena to query AWS CloudTrail logs to check for any associate-address attempts. Create an AWS Lambda function to disassociate the Elastic IP address from the instance, and alert the security team.

B. Attach an IAM policy to the developers’ IAM group to deny associate-address permissions. Create a custom AWS Config rule to check whether an Elastic IP address is associated with any instance tagged as production, and alert the security team.

C. Ensure that all IAM groups associated with developers do not have associate-address permissions. Create a scheduled AWS Lambda function to check whether an Elastic IP address is associated with any instance tagged as production, and alert the security team if an instance has an Elastic IP address associated with it.

D. Create an AWS Config rule to check that all production instances have EC2 IAM roles that include deny associate-address permissions. Verify whether there is an Elastic IP address associated with any instance, and alert the security team if an instance has an Elastic IP address associated with it.

 


Correct Answer: B

Question 3

An Amazon EC2 instance is running in a Virtual Private Cloud (VPC) and needs to download an object from a restricted Amazon S3 bucket. When the DevOps engineer tries to download the object, an AccessDenied error is received.
What are the possible causes for this error? (Choose two.)

A. The S3 bucket default encryption is enabled

B. There is an error in the S3 bucket policy

C. The object has been moved to Amazon Glacier

D. There is an error in the IAM role configuration

E. S3 versioning is enabled

 


Correct Answer: BD

Question 4

A DevOps engineer is implementing governance controls for a company that requires its infrastructure to be housed within the United States. The engineer must restrict which AWS Regions can be used, and ensure an alert is sent as soon as possible if any activity outside the governance policy takes place. The controls should be automatically enabled on any new Region outside the United States (US).
Which combination of actions will meet these requirements? (Choose two.)

A. Create an AWS Organizations SCP that denies access to all non-global services in non-US Regions. Attach the policy to the root of the organization.

B. Configure AWS CloudTrail to send logs to Amazon CloudWatch Logs and enable it for all Regions. Use a CloudWatch Logs metric filter to send an alert on any service activity in non-US Regions.

C. Use an AWS Lambda function that checks for AWS service activity and deploy it to all Regions. Write an Amazon EventBridge rule that runs the Lambda function every hour, sending an alert if activity is found in a non-US Region.

D. Use an AWS Lambda function to query Amazon Inspector to look for service activity in non-US Regions and send alerts if any activity is found.

E. Write an SCP using the aws:RequestedRegion condition key limiting access to US Regions. Apply the policy to all users, groups and roles.

 


Correct Answer: BD

Question 5

A DevOps engineer is tasked with creating a more stable deployment solution for a web application in AWS. Previous deployments have resulted in user-facing bugs, premature user traffic, and inconsistencies between web servers running behind an Application Load Balancer. The current strategy uses AWS CodeCommit to store the code for the application. When developers push to the main branch of the repository, CodeCommit triggers an AWS Lambda deploy function, which invokes an AWS Systems Manager run command to build and deploy the new code to all Amazon EC2 instances.
Which combination of actions should be taken to implement a more stable deployment solution? (Choose two.)

A. Create a pipeline in AWS CodePipeline with CodeCommit as a source provider. Create parallel pipeline stages to build and test the application. Pass the build artifact to AWS CodeDeploy.

B. Create a pipeline in AWS CodePipeline with CodeCommit as a source provider. Create separate pipeline stages to build and then test the application. Pass the build artifact to AWS CodeDeploy.

C. Create and use an AWS CodeDeploy application and deployment group to deploy code updates to the EC2 fleet. Select the Application Load Balancer for the deployment group.

D. Create individual Lambda functions to run all build, test, and deploy actions using AWS CodeDeploy instead of AWS Systems Manager.

E. Modify the Lambda function to build a single application package to be shared by all instances. Use AWS CodeDeploy instead of AWS Systems Manager to update the code on the EC2 fleet.

 


Correct Answer: BC

Question 6

A DevOps engineer is building a multistage pipeline with AWS CodePipeline to build, verify, stage, test, and deploy an application. A manual approval stage is required between the test stage and the deploy stage. The development team uses a custom chat tool with webhook support that requires near-real-time notifications.
How should the DevOps engineer configure status updates for pipeline activity and approval requests to post to the chat tool?

A. Create an Amazon CloudWatch Logs subscription that filters on CodePipeline Pipeline Execution State Change. Publish subscription events to an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the chat webhook URL to the SNS topic, and complete the subscription validation.

B. Create an AWS Lambda function that is invoked by AWS CloudTrail events. When a CodePipeline Pipeline Execution State Change event is detected, send the event details to the chat webhook URL.

C. Create an Amazon EventBridge (Amazon CloudWatch Events) rule that filters on CodePipeline Pipeline Execution State Change. Publish the events to an Amazon Simple Notification Service (Amazon SNS) topic. Create an AWS Lambda function that sends event details to the chat webhook URL. Subscribe the function to the SNS topic.

D. Modify the pipeline code to send the event details to the chat webhook URL at the end of each stage. Parameterize the URL so that each pipeline can send to a different URL based on the pipeline environment.

 


Correct Answer: D

Question 7

A company has a single AWS account that runs hundreds of Amazon EC2 instances in a single AWS Region. New EC2 instances are launched and terminated each hour in the account. The account also includes existing EC2 instances that have been running for longer than a week.
The company's security policy requires all running EC2 instances to use an EC2 instance profile. If an EC2 instance does not have an instance profile attached, the EC2 instance must use a default instance profile that has no IAM permissions assigned.
A DevOps engineer reviews the account and discovers EC2 instances that are running without an instance profile. During the review, the DevOps engineer also observes that new EC2 instances are being launched without an instance profile.
Which solution will ensure that an instance profile is attached to all existing and future EC2 instances in the Region?

A. Configure an Amazon EventBridge (Amazon CloudWatch Events) rule that reacts to EC2 RunInstances API calls. Configure the rule to invoke an AWS Lambda function to attach the default instance profile to the EC2 instances.

B. Configure the ec2-instance-profile-attached AWS Config managed rule with a trigger type of configuration changes. Configure an automatic remediation action that invokes an AWS Systems Manager Automation runbook to attach the default instance profile to the EC2 instances.

C. Configure an Amazon EventBridge (Amazon CloudWatch Events) rule that reacts to EC2 StartInstances API calls. Configure the rule to invoke an AWS Systems Manager Automation runbook to attach the default instance profile to the EC2 instances.

D. Configure the iam-role-managed-policy-check AWS Config managed rule with a trigger type of configuration changes. Configure an automatic remediation action that invokes an AWS Lambda function to attach the default instance profile to the EC2 instances.

 


Correct Answer: D

Question 8

A company runs an application with an Amazon EC2 and on-premises configuration. A DevOps Engineer needs to standardize patching across both environments. Company policy dictates that patching only happens during non-business hours.
Which combination of actions will meet these requirements? (Choose three.)

A. Add the physical machines into AWS Systems Manager using Systems Manager Hybrid Activations.

B. Attach an IAM role to the EC2 instances, allowing them to be managed by AWS Systems Manager.

C. Create IAM access keys for the on-premises machines to interact with AWS Systems Manager.

D. Execute an AWS Systems Manager Automation document to patch the systems every hour.

E. Use Amazon CloudWatch Events scheduled events to schedule a patch window.

F. Use AWS Systems Manager Maintenance Windows to schedule a patch window.

 


Correct Answer: ABF

Question 9

A company has an application that is using a MySQL-compatible Amazon Aurora Multi-AZ DB cluster as the database. A cross-Region read replica has been created for disaster recovery purposes. A DevOps engineer wants to automate the promotion of the replica so it becomes the primary database instance in the event of a failure.
Which solution will accomplish this?

A. Configure a latency-based Amazon Route 53 CNAME with health checks so it points to both the primary and replica endpoints. Subscribe an Amazon SNS topic to Amazon RDS failure notifications from AWS CloudTrail and use that topic to trigger an AWS Lambda function that will promote the replica instance as the master.

B. Create an Aurora custom endpoint to point to the primary database instance. Configure the application to use this endpoint. Configure AWS CloudTrail to run an AWS Lambda function to promote the replica instance and modify the custom endpoint to point to the newly promoted instance.

C. Create an AWS Lambda function to modify the application’s AWS CloudFormation template to promote the replica, apply the template to update the stack, and point the application to the newly promoted instance. Create an Amazon CloudWatch alarm to trigger this Lambda function after the failure event occurs.

D. Store the Aurora endpoint in AWS Systems Manager Parameter Store. Create an Amazon EventBridge (Amazon CloudWatch Events) event that detects the database failure and runs an AWS Lambda function to promote the replica instance and update the endpoint URL stored in AWS Systems Manager Parameter Store. Code the application to reload the endpoint from Parameter Store if a database connection fails.

 


Correct Answer: B

Question 10

A DevOps engineer is using AWS CodeDeploy across a fleet of Amazon EC2 instances in an EC2 Auto Scaling group. The associated CodeDeploy deployment group, which is integrated with EC2 Auto Scaling, is configured to perform in-place deployments with CodeDeployDefault.OneAtATime. During an ongoing new deployment, the engineer discovers that although the overall deployment finished successfully, two out of five instances have the previous application revision deployed. The other three instances have the newest application revision.
What is likely causing this issue?

A. The two affected instances failed to fetch the new deployment.

B. A failed AfterInstall lifecycle event hook caused the CodeDeploy agent to roll back to the previous version on the affected instances.

C. The CodeDeploy agent was not installed in two affected instances.

D. EC2 Auto Scaling launched two new instances while the new deployment had not yet finished, causing the previous version to be deployed on the affected instances.

 


Correct Answer: C

Question 11

A DevOps engineer needs to apply a core set of security controls to an existing set of AWS accounts. The accounts are in an organization in AWS Organizations. Individual teams will administer individual accounts by using the AdministratorAccess AWS managed policy. For all accounts, AWS CloudTrail and AWS Config must be turned on in all available AWS Regions. Individual account administrators must not be able to edit or delete any of the baseline resources. However, individual account administrators must be able to edit or delete their own CloudTrail trails and AWS Config rules.
Which solution will meet these requirements in the MOST operationally efficient way?

A. Create an AWS CloudFormation template that defines the standard account resources. Deploy the template to all accounts from the organization’s management account by using CloudFormation StackSets. Set the stack policy to deny Update:Delete actions.

B. Enable AWS Control Tower. Enroll the existing accounts in AWS Control Tower. Grant the individual account administrators access to CloudTrail and AWS Config.

C. Designate an AWS Config management account. Create AWS Config recorders in all accounts by using AWS CloudFormation StackSets. Deploy AWS Config rules to the organization by using the AWS Config management account. Create a CloudTrail organization trail in the organization’s management account. Deny modification or deletion of the AWS Config recorders by using an SCP.

D. Create an AWS CloudFormation template that defines the standard account resources. Deploy the template to all accounts from the organization’s management account by using CloudFormation StackSets. Create an SCP that prevents updates or deletions to CloudTrail resources or AWS Config resources unless the principal is an administrator of the organization’s management account.

 


Correct Answer: C

Question 12

A company has a web application that users access over the internet. The web application runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The EC2 instances are in an Auto Scaling group. The ALB is associated with a security group that allows traffic from the internet. The web application has a local cache on each EC2 instance.
During a recent security incident, requests overloaded the web application and caused an outage for the company's customers. In response to the incident, the company added Amazon CloudFront in front of the web application. All customers now access the web application through CloudFront.
A DevOps engineer must implement a solution that routes all requests through CloudFront. The solution also must give the company the ability to block requests based on the content of the requests, such as header or body information.
Which combination of steps should the DevOps engineer take to meet these requirements? (Choose two.)

A. Create an AWS WAF web ACL. Associate the web ACL with the CloudFront distribution. Create rules for each type of traffic that the company wants to block.

B. Create new ALB listener rules on the existing listeners. Configure the new rules to allow or reject incoming traffic based on whether the host header matches the CloudFront fully qualified domain name (FQDN).

C. Create an AWS PrivateLink endpoint service for the ALB. Configure the endpoint service to allow requests from CloudFront. Update the web application origin in CloudFront to use the newly created endpoint service’s DNS name.

D. Create a CloudFront origin access identity (OAI) for the web application. Update the web application origin in CloudFront to use the OAI. Update the ALB rules to check for the OAI and return an HTTP 403 error if the OAI header is not present.

E. Create an AWS Firewall Manager security policy. Attach the security policy to the CloudFront distribution. Use the security policy to attach AWS WAF rule groups for each type of traffic that the company wants to block.

 


Correct Answer: CD

Question 13

A DevOps team uses AWS CloudFormation to build their infrastructure. The security team is concerned about sensitive parameters, such as passwords, being exposed.
Which combination of steps will enhance the security of AWS CloudFormation? (Choose three.)

A. Create a secure string with AWS KMS and choose a KMS encryption key. Reference the ARN of the secure string, and give AWS CloudFormation permission to the KMS key for decryption.

B. Create secrets using the AWS Secrets Manager AWS::SecretsManager::Secret resource type. Reference the secret resource return attributes in resources that need a password, such as an Amazon RDS database.

C. Store sensitive static data as secure strings in the AWS Systems Manager Parameter Store. Use dynamic references in the resources that need access to the data.

D. Store sensitive static data in the AWS Systems Manager Parameter Store as strings. Reference the stored value using types of Systems Manager parameters.

E. Use AWS KMS to encrypt the CloudFormation template.

F. Use the CloudFormation NoEcho parameter property to mask the parameter value.

 


Correct Answer: BCE

Question 14

A company requires its internal business teams to launch resources through pre-approved AWS CloudFormation templates only. The security team requires automated monitoring when resources drift from their expected state.
Which strategy should be used to meet these requirements?

A. Allow users to deploy CloudFormation stacks using a CloudFormation service role only. Use CloudFormation drift detection to detect when resources have drifted from their expected state.

B. Allow users to deploy CloudFormation stacks using a CloudFormation service role only. Use AWS Config rules to detect when resources have drifted from their expected state.

C. Allow users to deploy CloudFormation stacks using AWS Service Catalog only. Enforce the use of a launch constraint. Use AWS Config rules to detect when resources have drifted from their expected state.

D. Allow users to deploy CloudFormation stacks using AWS Service Catalog only. Enforce the use of a template constraint. Use Amazon EventBridge notifications to detect when resources have drifted from their expected state.

 


Correct Answer: C

Question 15

A company is using AWS to deploy an application. The development team must automate the deployments. The team has created an AWS CodePipeline pipeline to deploy the application to Amazon EC2 instances using AWS CodeDeploy after it has been built using AWS CodeBuild.
The team wants to add automated testing to the pipeline to confirm that the application is healthy before deploying the code to the EC2 instances. The team also requires a manual approval action before the application is deployed, even if the tests are successful. The testing and approval must be accomplished at the lowest costs, using the simplest management solution.
Which solution will meet these requirements?

A. Create a manual approval action after the build action of the pipeline. Use Amazon SNS to inform the team of the stage being triggered. Next, add a test action using CodeBuild to perform the required tests. At the end of the pipeline, add a deploy action to deploy the application to the next stage.

B. Create a test action after the CodeBuild build of the pipeline. Configure the action to use CodeBuild to perform the required tests. If these tests are successful, mark the action as successful. Add a manual approval action that uses Amazon SNS to notify the team, and add a deploy action to deploy the application to the next stage.

C. Create a new pipeline that uses a source action that gets the code from the same repository as the first pipeline. Add a deploy action to deploy the code to a test environment. Use a test action using AWS Lambda to test the deployment. Add a manual approval action by using Amazon SNS to notify the team, and add a deploy action to deploy the application to the next stage.

D. Create a test action after the build action. Use a Jenkins server on Amazon EC2 to perform the required tests and mark the action as successful if the tests pass. Create a manual approval action that uses Amazon SQS to notify the team and add a deploy action to deploy the application to the next stage.

 


Correct Answer: B

Question 16

An e-commerce company is running a web application in an AWS Elastic Beanstalk environment. In recent months, the average load of the Amazon EC2 instances has been increased to handle more traffic.
The company would like to improve the scalability and resilience of the environment. The Development team has been asked to decouple long-running tasks from the environment if the tasks can be executed asynchronously. Examples of these tasks include confirmation emails when users are registered to the platform, and processing images or videos. Also, some of the periodic tasks that are currently running within the web server should be offloaded.
What is the MOST time-efficient and integrated way to achieve this?

A. Create an Amazon SQS queue and send the tasks that should be decoupled from the Elastic Beanstalk web server environment to the SQS queue. Create a fleet of EC2 instances under an Auto Scaling group. Use an AMI that contains the application to process the asynchronous tasks, configure the application to listen for messages within the SQS queue, and create periodic tasks by placing those into the cron in the operating system. Create an environment variable within the Elastic Beanstalk environment with a value pointing to the SQS queue endpoint.

B. Create a second Elastic Beanstalk worker tier environment and deploy the application to process the asynchronous tasks there. Send the tasks that should be decoupled from the original Elastic Beanstalk web server environment to the auto-generated Amazon SQS queue by the Elastic Beanstalk worker environment. Place a cron.yaml file within the root of the application source bundle for the worker environment for periodic tasks. Use environment links to link the web server environment with the worker environment.

C. Create a second Elastic Beanstalk web server tier environment and deploy the application to process the asynchronous tasks. Send the tasks that should be decoupled from the original Elastic Beanstalk web server to the auto-generated Amazon SQS queue by the second Elastic Beanstalk web server tier environment. Place a cron.yaml file within the root of the application source bundle for the second web server tier environment with the necessary periodic tasks. Use environment links to link both web server environments.

D. Create an Amazon SQS queue and send the tasks that should be decoupled from the Elastic Beanstalk web server environment to the SQS queue. Create a fleet of EC2 instances under an Auto Scaling group. Install and configure the application to listen for messages within the SQS queue from UserData and create periodic tasks by placing those into the cron in the operating system. Create an environment variable within the Elastic Beanstalk web server environment with a value pointing to the SQS queue endpoint.

 


Correct Answer: B

Question 17

A company is testing a web application that runs on Amazon EC2 instances behind an Application Load Balancer. The instances run in an Auto Scaling group across multiple Availability Zones. The company uses a blue/green deployment process with immutable instances when deploying new software.
During testing, users are being automatically logged out of the application at random times. Testers also report that, when a new version of the application is deployed, all users are logged out. The development team needs a solution to ensure users remain logged in across scaling events and application deployments.
What is the MOST efficient way to ensure users remain logged in?

A. Enable smart sessions on the load balancer and modify the application to check for an existing session.

B. Enable session sharing on the load balancer and modify the application to read from the session store.

C. Store user session information in an Amazon S3 bucket and modify the application to read session information from the bucket.

D. Modify the application to store user session information in an Amazon ElastiCache cluster.

 


Correct Answer: D

Question 18

A company wants to use AWS development tools to replace its current bash deployment scripts. The company currently deploys a LAMP application to a group of Amazon EC2 instances behind an Application Load Balancer (ALB). During the deployments, the company unit tests the committed application, stops and starts services, unregisters and re-registers instances with the load balancer, and updates file permissions. The company wants to maintain the same deployment functionality through the shift to using AWS services.
Which solution will meet these requirements?

A. Use AWS CodeBuild to test the application. Use bash scripts invoked by AWS CodeDeploy’s appspec.yml file to restart services, and deregister and register instances with the ALB. Use the appspec.yml file to update file permissions without a custom script.

B. Use AWS CodePipeline to move the application from the AWS CodeCommit repository to AWS CodeDeploy. Use CodeDeploy’s deployment group to test the application, unregister and re-register instances with the ALB, and restart services. Use the appspec.yml file to update the permissions without a custom script.

C. Use AWS CodePipeline to move the application source code from the AWS CodeCommit repository to AWS CodeDeploy. Use CodeDeploy to test the application. Use CodeDeploy’s appspec.yml file to restart services and update permissions without a custom script. Use AWS CodeBuild to unregister and re-register instances with the ALB.

D. Use AWS CodePipeline to trigger AWS CodeBuild to test the application. Use bash scripts invoked by AWS CodeDeploy’s appspec.yml file to restart services. Unregister and re-register the instances in the AWS CodeDeploy deployment group with the ALB. Update the appspec.yml file to update file permissions without a custom script.

 


Correct Answer: B

Question 19

A DevOps engineer has automated a web service deployment by using AWS CodePipeline with the following steps:
1. An AWS CodeBuild project compiles the deployment artifact and runs unit tests.
2. An AWS CodeDeploy deployment group deploys the web service to Amazon EC2 instances in the staging environment.
3. A CodeDeploy deployment group deploys the web service to EC2 instances in the production environment.
The quality assurance (QA) team requests permission to inspect the build artifact before the deployment to the production environment occurs. The QA team wants to run an internal penetration testing tool to conduct manual tests. The tool will be invoked by a REST API call.
Which combination of actions should the DevOps engineer take to fulfill this request? (Choose two.)

A. Insert a manual approval action between the test actions and deployment actions of the pipeline.

B. Modify the buildspec.yml file for the compilation stage to require manual approval before completion.

C. Update the CodeDeploy deployment groups so that they require manual approval to proceed.

D. Update the pipeline to directly call the REST API for the penetration testing tool.

E. Update the pipeline to invoke a Lambda function that calls the REST API for the penetration testing tool.

 


Correct Answer: BC

Question 20

A software-as-a-service (SaaS) company is using AWS Elastic Beanstalk to deploy its primary .NET application. The Elastic Beanstalk environment is configured to use Amazon EC2 Auto Scaling and Elastic Load Balancing (ELB) for its underlying Amazon EC2 instances.
The company is experiencing incidents in which EC2 instances are marked unhealthy and are terminated by Auto Scaling groups after a failed ELB health check. The company's DevOps team must build a solution that will notify the operations team whenever an Auto Scaling group terminates EC2 instances for any existing client environments.
What should the DevOps team do to meet this requirement?

A. Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the email addresses of all operations team members to the SNS topic. Apply a notification configuration for the autoscaling:EC2_INSTANCE_LAUNCH notification type to all the existing Auto Scaling groups.

B. Create an Amazon Simple Queue Service (Amazon SQS) queue. Add an AWS Lambda function trigger to the SQS queue. Apply a notification configuration for the autoscaling:EC2_INSTANCE_LAUNCH notification type to all the existing Auto Scaling groups.

C. Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the email addresses of all operations team members to the SNS topic. Apply a notification configuration for the autoscaling:EC2_INSTANCE_TERMINATE notification type to all the existing Auto Scaling groups.

D. Create an Amazon Simple Queue Service (Amazon SQS) queue. Add an AWS Lambda function trigger to the SQS queue. Apply a notification configuration for the autoscaling:EC2_INSTANCE_TERMINATE notification type to all the existing Auto Scaling groups.

 


Correct Answer: C

Question 21

A business has an application that consists of five independent AWS Lambda functions.
The DevOps Engineer has built a CI/CD pipeline using AWS CodePipeline and AWS CodeBuild that builds, tests, packages, and deploys each Lambda function in sequence. The pipeline uses an Amazon CloudWatch Events rule to ensure the pipeline execution starts as quickly as possible after a change is made to the application source code.
After working with the pipeline for a few months, the DevOps Engineer has noticed the pipeline takes too long to complete.
What should the DevOps Engineer implement to BEST improve the speed of the pipeline?

A. Modify the CodeBuild projects within the pipeline to use a compute type with more available network throughput.

B. Create a custom CodeBuild execution environment that includes a symmetric multiprocessing configuration to run the builds in parallel.

C. Modify the CodePipeline configuration to execute actions for each Lambda function in parallel by specifying the same runOrder.

D. Modify each CodeBuild project to run within a VPC and use dedicated instances to increase throughput.

 


Correct Answer: C

Question 22

A company has developed a serverless web application that is hosted on AWS. The application consists of Amazon S3, Amazon API Gateway, several AWS Lambda functions, and an Amazon RDS for MySQL database. The company is using AWS CodeCommit to store the source code. The source code is a combination of AWS Serverless Application Model (AWS SAM) templates and Python code.
A security audit and penetration test reveal that user names and passwords for authentication to the database are hardcoded within CodeCommit repositories. A DevOps engineer must implement a solution to automatically detect and prevent hardcoded secrets.
What is the MOST secure solution that meets these requirements?

A. Enable Amazon CodeGuru Profiler. Decorate the handler function with @with_lambda_profiler(). Manually review the recommendation report. Write the secret to AWS Systems Manager Parameter Store as a secure string. Update the SAM templates and the Python code to pull the secret from Parameter Store.

B. Associate the CodeCommit repository with Amazon CodeGuru Reviewer. Manually check the code review for any recommendations. Choose the option to protect the secret. Update the SAM templates and the Python code to pull the secret from AWS Secrets Manager.

C. Enable Amazon CodeGuru Profiler. Decorate the handler function with @with_lambda_profiler(). Manually review the recommendation report. Choose the option to protect the secret. Update the SAM templates and the Python code to pull the secret from AWS Secrets Manager.

D. Associate the CodeCommit repository with Amazon CodeGuru Reviewer. Manually check the code review for any recommendations. Write the secret to AWS Systems Manager Parameter Store as a string. Update the SAM templates and the Python code to pull the secret from Parameter Store.

 


Correct Answer: C

Question 23

A company needs to scan code changes for security issues before deployment and must prevent noncompliant code from being deployed. The company uses an AWS CodePipeline pipeline that starts when code changes occur. The code changes occur many times each day.
The company's security team supports a third-party application for code scans and has provided command-line integration steps to submit code scans. The code scan step requires a user name and password.
Which solution will meet these requirements in the MOST secure way?

A. Create a new AWS CodeBuild project. Configure the user name and password in an environment variable. Use the user name and password to run the command-line integration steps. Update the CodePipeline pipeline to include a new scan stage. In the new scan stage, include a test action that uses the newly created CodeBuild project.

B. Create a new AWS CodeBuild project. Store the user name and password as a secret in AWS Secrets Manager. Read the secret from Secrets Manager. Use the user name and password to run the command-line integration steps. Update the CodePipeline pipeline to include a new scan stage. In the new scan stage, include a test action that uses the newly created CodeBuild project.

C. Create a new AWS CodeBuild project. Store the user name and password as a string in AWS Systems Manager Parameter Store. Read the string from Parameter Store. Use the user name and password to run the command-line integration steps. Update the CodePipeline pipeline to include a new scan stage. In the new scan stage, include a test action that uses the newly created CodeBuild project.

D. Upload the user name and password in an encrypted JSON file to an Amazon S3 bucket that has a specific policy to allow only administrators to read the file. Create a new AWS CodeBuild project. Use the user name and password from the file in Amazon S3 to run the command-line integration steps. Update the CodePipeline pipeline to include a new scan stage. In the new scan stage, include a test action that uses the newly created CodeBuild project.

 


Correct Answer: C

Question 24

A company manages an application that stores logs in Amazon CloudWatch Logs. The company wants to archive the logs in Amazon S3. Logs are rarely accessed after 90 days and must be retained for 10 years.
Which combination of steps should a DevOps engineer take to meet these requirements? (Choose two.)

A. Configure a CloudWatch Logs subscription filter to use AWS Glue to transfer all logs to an S3 bucket.

B. Configure a CloudWatch Logs subscription filter to use Amazon Kinesis Data Firehose to stream all logs to an S3 bucket.

C. Configure a CloudWatch Logs subscription filter to stream all logs to an S3 bucket.

D. Configure the S3 bucket lifecycle policy to transition logs to S3 Glacier after 90 days and to expire logs after 3,650 days.

E. Configure the S3 bucket lifecycle policy to transition logs to Reduced Redundancy after 90 days and to expire logs after 3,650 days.

 


Correct Answer: BD

Question 25

A company is reviewing its IAM policies. One policy written by the DevOps engineer has been flagged as too permissive. The policy is used by an AWS Lambda function that issues a stop command to Amazon EC2 instances tagged with Environment: NonProduction over the weekend. The current policy is:
What changes should the engineer make to achieve a policy of least permission? (Choose three.)

A. Add the following conditional expression:

B. Change “Resource”: “*” to “Resource”: “arn:aws:ec2:*:*:instance/*”

C. Add the following conditional expression:

D. Add the following conditional expression:

E. Change “Action”: “ec2:*” to “Action”: “ec2:StopInstances”

F. Add the following conditional expression:

 


Correct Answer: ADF

Question 26

A company has multiple AWS accounts. The company uses AWS Single Sign-On (AWS SSO) that is integrated with AWS Toolkit for Microsoft Azure DevOps. The attributes for access control feature is enabled in AWS SSO.
The attribute mapping list contains two entries. The department key is mapped to ${path:enterprise.department}. The costCenter key is mapped to ${path:enterprise.costCenter}.
All existing Amazon EC2 instances have a department tag that corresponds to three company departments (d1, d2, d3). A DevOps engineer must create policies based on the matching attributes. The policies must minimize administrative effort and must grant each Azure AD user access to only the EC2 instances that are tagged with the user's respective department name.
Which condition key should the DevOps engineer include in the custom permissions policies to meet these requirements?

Correct Answer: D


Question 27

A company has a guideline that every Amazon EC2 instance must be launched from an AMI that the company's security team produces. Every month, the security team sends an email message with the latest approved AMIs to all the development teams.
The development teams use AWS CloudFormation to deploy their applications. When developers launch a new service, they have to search their email for the latest AMIs that the security department sent. A DevOps engineer wants to automate the process that the security team uses to provide the AMI IDs to the development teams.
What is the MOST scalable solution that meets these requirements?

A. Direct the security team to use CloudFormation to create new versions of the AMIs and to list the AMI ARNs in an encrypted Amazon S3 object as part of the stack’s Outputs section. Instruct the developers to use a cross-stack reference to load the encrypted S3 object and obtain the most recent AMI ARNs.

B. Direct the security team to use a CloudFormation stack to create an AWS CodePipeline pipeline that builds new AMIs and places the latest AMI ARNs in an encrypted Amazon S3 object as part of the pipeline output. Instruct the developers to use a cross-stack reference within their own CloudFormation template to obtain the S3 object location and the most recent AMI ARNs.

C. Direct the security team to use Amazon EC2 Image Builder to create new AMIs and to place the AMI ARNs as parameters in AWS Systems Manager Parameter Store. Instruct the developers to specify a parameter of type SSM in their CloudFormation stack to obtain the most recent AMI ARNs from Parameter Store.

D. Direct the security team to use Amazon EC2 Image Builder to create new AMIs and to create an Amazon Simple Notification Service (Amazon SNS) topic so that every development team can receive notifications. When the development teams receive a notification, instruct them to write an AWS Lambda function that will update their CloudFormation stack with the most recent AMI ARNs.

 


Correct Answer: D

Question 28

A DevOps engineer needs to grant several external contractors access to a legacy application that runs on an Amazon Linux Amazon EC2 instance. The application server is available only in a private subnet. The contractors are not authorized for VPN access.
What should the DevOps engineer do to grant the contractors access to the application server?

A. Create an IAM user and SSH keys for each contractor. Add the public SSH key to the application server’s SSH authorized_keys file. Instruct the contractors to install the AWS CLI and AWS Systems Manager Session Manager plugin, update their AWS credentials files with their private keys, and use the aws ssm start-session command to gain access to the target application server instance ID.

B. Ask each contractor to securely send their SSH public key. Add this public key to the application server’s SSH authorized_keys file. Instruct the contractors to use their private key to connect to the application server through SSH.

C. Ask each contractor to securely send their SSH public key. Use EC2 pairs to import their key. Update the application server’s SSH authorized_keys file. Instruct the contractors to use their private key to connect to the application server through SSH.

D. Create an IAM user for each contractor with programmatic access. Add each user to an IAM group that has a policy that allows the ssm:StartSession action. Instruct the contractors to install the AWS CLI and AWS Systems Manager Session Manager plugin, update their AWS credentials files with their access keys, and use the aws ssm start-session command to gain access to the target application server instance ID.

 


Correct Answer: B

Question 29

An Engineering team manages a Node.js e-commerce application. The current environment consists of the following components:
✑ Amazon S3 buckets for storing content
✑ Amazon EC2 for the front-end web servers
✑ AWS Lambda for image processing
✑ Amazon DynamoDB for storing session-related data
The team expects a significant increase in traffic to the site. The application should handle the additional load without interruption. The team ran initial tests by adding new servers to the EC2 front-end to handle the larger load, but the instances took up to 20 minutes to become fully configured. The team wants to reduce this configuration time.
What changes will the Engineering team need to implement to make the solution the MOST resilient and highly available while meeting the expected increase in demand?

A. Use AWS OpsWorks to automatically configure each new EC2 instance as it is launched. Configure the EC2 instances by using an Auto Scaling group behind an Application Load Balancer across multiple Availability Zones. Implement Amazon DynamoDB Auto Scaling. Use Amazon Route 53 to point the application DNS record to the Application Load Balancer.

B. Deploy a fleet of EC2 instances, doubling the current capacity, and place them behind an Application Load Balancer. Increase the Amazon DynamoDB read and write capacity units. Add an alias record that contains the Application Load Balancer endpoint to the existing Amazon Route 53 DNS record that points to the application.

C. Configure Amazon CloudFront and have its origin point to Amazon S3 to host the web application. Implement Amazon DynamoDB Auto Scaling. Use Amazon Route 53 to point the application DNS record to the CloudFront DNS name.

D. Use AWS Elastic Beanstalk with a custom AMI including all web components. Deploy the platform by using an Auto Scaling group behind an Application Load Balancer across multiple Availability Zones. Implement Amazon DynamoDB Auto Scaling. Use Amazon Route 53 to point the application DNS record to the Elastic Beanstalk load balancer.

 


Correct Answer: D

Question 30

A company is migrating Docker repositories to Amazon Elastic Container Registry (Amazon ECR) in an existing AWS account. A DevOps engineer needs to automate the management of images that are uploaded to the repositories. The solution must limit the number of image versions. As a first step, the DevOps engineer creates a private repository in Amazon ECR for each repository that the company will migrate.
What should the DevOps engineer do next to meet the requirements in the MOST operationally efficient manner?

A. Create an AWS Lambda function to scan the images in each repository for the number of versions present. Configure the Lambda function to delete older versions of images if the number of images is greater than the desired number of images. Schedule the Lambda function to run automatically at regular intervals.

B. Create a repository policy that assesses the number of images and deletes older versions if the number of images is greater than the desired number of images. Apply the repository policy to each private repository.

C. Create an AWS Step Functions state machine Express Workflow to scan the images in each repository for the number of versions present. Configure the Express Workflow to delete older versions of images if the number of images is greater than the desired number of images. Configure the state machine to run every time an image is pushed to a repository.

D. Push an image into each private repository. In each private repository, create a lifecycle policy preview to delete older versions of images if the number of images is greater than the desired number of images. Test the lifecycle policy and validate the impact. Apply the lifecycle policy to manage the images.

 


Correct Answer: D

Question 31

A DevOps Engineer administers an application that manages video files for a video production company. The application runs on Amazon EC2 instances behind an ELB Application Load Balancer. The instances run in an Auto Scaling group across multiple Availability Zones. Data is stored in an Amazon RDS PostgreSQL Multi-AZ DB instance, and the video files are stored in an Amazon S3 bucket. On a typical day, 50 GB of new video are added to the S3 bucket. The Engineer must implement a multi-region disaster recovery plan with the least data loss and the lowest recovery times. The current application infrastructure is already described using AWS CloudFormation.
Which deployment option should the Engineer choose to meet the uptime and recovery objectives for the system?

A. Launch the application from the CloudFormation template in the second region, which sets the capacity of the Auto Scaling group to 1. Create an Amazon RDS read replica in the second region. In the second region, enable cross-region replication between the original S3 bucket and a new S3 bucket. To fail over, promote the read replica as master. Update the CloudFormation stack and increase the capacity of the Auto Scaling group.

B. Launch the application from the CloudFormation template in the second region, which sets the capacity of the Auto Scaling group to 1. Create a scheduled task to take daily Amazon RDS cross-region snapshots to the second region. In the second region, enable cross-region replication between the original S3 bucket and Amazon Glacier. In a disaster, launch a new application stack in the second region and restore the database from the most recent snapshot.

C. Launch the application from the CloudFormation template in the second region, which sets the capacity of the Auto Scaling group to 1. Use Amazon CloudWatch Events to schedule a nightly task to take a snapshot of the database, copy the snapshot to the second region, and replace the DB instance in the second region from the snapshot. In the second region, enable cross-region replication between the original S3 bucket and a new S3 bucket. To fail over, increase the capacity of the Auto Scaling group.

D. Use Amazon CloudWatch Events to schedule a nightly task to take a snapshot of the database and copy the snapshot to the second region. Create an AWS Lambda function that copies each object to a new S3 bucket in the second region in response to S3 event notifications. In the second region, launch the application from the CloudFormation template and restore the database from the most recent snapshot.

 


Correct Answer: A

Question 32

A company has multiple child accounts that are part of an organization in AWS Organizations. The security team needs to review every Amazon EC2 security group and their inbound and outbound rules. The security team wants to programmatically retrieve this information from the child accounts using an AWS Lambda function in the management account of the organization.
Which combination of access changes will meet these requirements? (Choose three.)

A. Create a trust relationship that allows users in the child accounts to assume the management account IAM role.

B. Create a trust relationship that allows users in the management account to assume the IAM roles of the child accounts.

C. Create an IAM role in each child account that has access to the AmazonEC2ReadOnlyAccess managed policy.

D. Create an IAM role in each child account to allow the sts:AssumeRole action against the management account IAM role’s ARN.

E. Create an IAM role in the management account that allows the sts:AssumeRole action against the child account IAM role’s ARN.

F. Create an IAM role in the management account that has access to the AmazonEC2ReadOnlyAccess managed policy.

 


Correct Answer: BCE

Question 33

A company is using AWS Database Migration Service (AWS DMS) to replicate data from a source database in a data center to a target Amazon Aurora PostgreSQL database. The company has created a DMS replication task with change data capture (CDC).
The replication instance sometimes gets interrupted and affects critical functionality. The company must improve the replication instance's resiliency and receive notifications about interruptions.
Which solution will meet these requirements with the LEAST operational overhead?

A. Copy data from the source database to Amazon S3 by using AWS DataSync. Configure AWS Lambda functions to copy the data to the target database. Configure Amazon CloudWatch alarms to monitor the Lambda functions for errors and throttles. Use an Amazon Simple Notification Service (Amazon SNS) topic for email notification.

B. Create Amazon CloudWatch alarms to monitor DMS replication task metrics and host metrics. Use an Amazon Simple Notification Service (Amazon SNS) topic for email notification and to invoke an AWS Lambda function to configure a standby DMS replication instance in a different AWS Region.

C. Create Amazon CloudWatch alarms to monitor DMS replication task metrics and host metrics. Use an Amazon Simple Notification Service (Amazon SNS) topic for email notification. After receiving the notification, configure a new DMS replication task in the same AWS Region.

D. Modify the DMS replication instance by turning on Multi-AZ support. Create Amazon CloudWatch alarms to monitor DMS replication task metrics and host metrics. Use an Amazon Simple Notification Service (Amazon SNS) topic for email notification.

 


Correct Answer: D

Question 34

A production account has a requirement that any Amazon EC2 instance that has been logged into manually must be terminated within 24 hours. All applications in the production account are using Auto Scaling groups with Amazon CloudWatch Logs agent configured.
How can this process be automated?

A. Create a CloudWatch Logs subscription to an AWS Step Functions application. Configure the function to add a tag to the EC2 instance that produced the login event and mark the instance to be decommissioned. Then create a CloudWatch Events rule to trigger a second AWS Lambda function once a day that will terminate all instances with this tag.

B. Create a CloudWatch alarm that will trigger on the login event. Send the notification to an Amazon SNS topic that the operations team is subscribed to, and have them terminate the EC2 instance within 24 hours.

C. Create a CloudWatch alarm that will trigger on the login event. Configure the alarm to send to an Amazon SQS queue. Use a group of worker instances to process messages from the queue, which then schedules the Amazon CloudWatch Events rule to trigger.

D. Create a CloudWatch Logs subscription in an AWS Lambda function. Configure the function to add a tag to the EC2 instance that produced the login event and mark the instance to be decommissioned. Create a CloudWatch Events rule to trigger a daily Lambda function that terminates all instances with this tag.

 


Correct Answer: D

Question 35

A rapidly growing company wants to scale for Developer demand for AWS development environments. Development environments are created manually in the AWS Management Console. The Networking team uses AWS CloudFormation to manage the networking infrastructure, exporting stack output values for the Amazon VPC and all subnets. The development environments have common standards, such as Application Load Balancers, Amazon EC2 Auto Scaling groups, security groups, and Amazon DynamoDB tables.
To keep up with the demand, the DevOps Engineer wants to automate the creation of development environments. Because the infrastructure required to support the application is expected to grow, there must be a way to easily update the deployed infrastructure. CloudFormation will be used to create a template for the development environments.
Which approach will meet these requirements and quickly provide consistent AWS environments for Developers?

A. Use Fn::ImportValue intrinsic functions in the Resources section of the template to retrieve Virtual Private Cloud (VPC) and subnet values. Use CloudFormation StackSets for the development environments, using the Count input parameter to indicate the number of environments needed. Use the UpdateStackSet command to update existing development environments.

B. Use nested stacks to define common infrastructure components. To access the exported values, use TemplateURL to reference the Networking team’s template. To retrieve Virtual Private Cloud (VPC) and subnet values, use Fn::ImportValue intrinsic functions in the Parameters section of the master template. Use the CreateChangeSet and ExecuteChangeSet commands to update existing development environments.

C. Use nested stacks to define common infrastructure components. Use Fn::ImportValue intrinsic functions with the resources of the nested stack to retrieve Virtual Private Cloud (VPC) and subnet values. Use the CreateChangeSet and ExecuteChangeSet commands to update existing development environments.

D. Use Fn::ImportValue intrinsic functions in the Parameters section of the master template to retrieve Virtual Private Cloud (VPC) and subnet values. Define the development resources in the order they need to be created in the CloudFormation nested stacks. Use the CreateChangeSet and ExecuteChangeSet commands to update existing development environments.

 


Correct Answer: A

Question 36

An application runs on Amazon EC2 instances behind an Application Load Balancer (ALB). A DevOps Engineer is using AWS CodeDeploy to release a new version. The deployment fails during the AllowTraffic lifecycle event, but a cause for the failure is not indicated in the deployment logs.
What would cause this?

A. The appspec.yml file contains an invalid script to execute in the AllowTraffic lifecycle hook.

B. The user who initiated the deployment does not have the necessary permissions to interact with the ALB.

C. The health checks specified for the ALB target group are misconfigured.

D. The CodeDeploy agent was not installed in the EC2 instances that are part of the ALB target group.


 


Question 37

A company has a single developer writing code for an automated deployment pipeline. The developer is storing source code in an Amazon S3 bucket for each project. The company wants to add more developers to the team but is concerned about code conflicts and lost work. The company also wants to build a test environment to deploy newer versions of code for testing and allow developers to automatically deploy to both environments when code is changed in the repository.
What is the MOST efficient way to meet these requirements?

A. Create an AWS CodeCommit repository for each project, use the main branch for production code, and create a testing branch for code deployed to testing. Use feature branches to develop new features and pull requests to merge code to testing and main branches.

B. Create another S3 bucket for each project for testing code, and use an AWS Lambda function to promote code changes between testing and production buckets. Enable versioning on all buckets to prevent code conflicts.

C. Create an AWS CodeCommit repository for each project, and use the main branch for production and test code with different deployment pipelines for each environment. Use feature branches to develop new features.

D. Enable versioning and branching on each S3 bucket, use the main branch for production code, and create a testing branch for code deployed to testing. Have developers use each branch for developing in each environment.

 


Correct Answer: A

Question 38

A DevOps team supports many accounts across an organization in AWS Organizations. The DevOps team has decided to use AWS Config across the organization to implement centralized automatic remediation of Amazon S3 buckets that have public ACLs. Individual accounts must not be able to modify the remediation strategy.
Which solution will meet these requirements?

A. Create an AWS Config conformance pack that contains a rule that checks for S3 buckets that have public ACLs. Configure the conformance pack to use an AWS Systems Manager Automation runbook to block public access to the S3 buckets. Deploy the conformance pack across the organization.

B. Configure AWS Config rules that detect S3 buckets that have public ACLs. Configure a remediation action that uses AWS Lambda to block public access to the S3 buckets. Use AWS CloudFormation StackSets to deploy the rules across the organization.

C. Configure AWS Config rules that detect S3 buckets that have public ACLs. Configure a remediation action that uses an AWS Systems Manager Automation runbook to block public access to the S3 buckets. Use AWS CloudFormation StackSets to deploy the rules across the organization.

D. Create an AWS Config conformance pack that contains a rule that checks for S3 buckets that have public ACLs. Configure the conformance pack to use an AWS Lambda function to block public access to the S3 buckets. Deploy the conformance pack across the organization.

 


Correct Answer: D

Question 39

A company has developed a static website hosted on an Amazon S3 bucket. The website is deployed using AWS CloudFormation. The CloudFormation template defines an S3 bucket and a custom resource that copies content into the bucket from a source location.
The company has decided that it needs to move the website to a new location, so the existing CloudFormation stack must be deleted and re-created. However, CloudFormation reports that the stack could not be deleted cleanly.
What is the MOST likely cause and how can the DevOps engineer mitigate this problem for this and future versions of the website?

A. Deletion has failed because the S3 bucket has an active website configuration. Modify the CloudFormation template to remove the WebsiteConfiguration property from the S3 bucket resource.

B. Deletion has failed because the S3 bucket is not empty. Modify the custom resource’s AWS Lambda function code to recursively empty the bucket when RequestType is Delete.

C. Deletion has failed because the custom resource does not define a deletion policy. Add a DeletionPolicy property to the custom resource definition with a value of RemoveOnDeletion.

D. Deletion has failed because the S3 bucket is not empty. Modify the S3 bucket resource in the CloudFormation template to add a DeletionPolicy property with a value of Empty.

 


Correct Answer: B

Question 40

A DevOps engineer wants to implement an automated response that will occur if AWS Trusted Advisor detects an IAM access key in a public source code repository. The automated response must delete the exposed access key and must notify the security team.
Which solution will meet these requirements?

A. Create an AWS Lambda function to delete the IAM access key. Configure AWS CloudTrail logs to stream to Amazon CloudWatch Logs. Create a CloudWatch Logs metric filter for the AWS_RISK_CREDENTIALS_EXPOSED event with two actions. First, run the Lambda function. Second, use Amazon Simple Notification Service (Amazon SNS) to send a notification to the security team.

B. Create an AWS Lambda function to delete the IAM access key. Create an AWS Config rule for changes to “aws.trustedadvisor” and the “Exposed Access Keys” status with two actions. First, run the Lambda function. Second, use Amazon Simple Notification Service (Amazon SNS) to send a notification to the security team.

C. Create an AWS Lambda function that deletes the IAM access key and then uses Amazon Simple Notification Service (Amazon SNS) to notify the security team. Create an AWS Personal Health Dashboard rule for the AWS_RISK_CREDENTIALS_EXPOSED event. Set the target of the Personal Health Dashboard rule to the ARN of the Lambda function.

D. Create an AWS Lambda function that deletes the IAM access key. Create an Amazon EventBridge (Amazon CloudWatch Events) rule with an “aws.trustedadvisor” event source and the “Exposed Access Keys” status. Set the EventBridge (CloudWatch Events) rule to target the Lambda function and an Amazon Simple Notification Service (Amazon SNS) topic that notifies the security team.

 


Correct Answer: D

Question 41

A large company has acquired a small company. The large company has an organization in AWS Organizations. The large company needs to integrate the small company’s single AWS account into the organization with minimal impact to the applications that are deployed in the small company's account.
The large company has deployed AWS Control Tower in its organization and wants to enroll the small company’s account in AWS Control Tower. The large company’s AWS Control Tower configuration includes a security OU, a sandbox OU, and a new destination OU that is set up for the small company's migration. Each company is using AWS Config as part of its account management strategy.
Which combination of steps should a DevOps engineer take to meet these requirements? (Choose two.)

A. Create a landing zone in the security OU of the large company’s AWS Control Tower landing zone. Provide the account’s email address, the account owner’s first and last name, and the name of the landing zone created in the security OU to complete the AWS Control Tower Account Factory enrollment request.

B. Create and apply SCPs in the destination OU to restrict the types of resources that can be created in the small company’s account. Assess the impact of the applied SCPs on the small company’s account. Delete existing SCPs in the small company’s account.

C. Create an AWS Config conformance pack that contains the policies that are currently applied to the large company’s account. Use AWS Config to assess the impact that enrollment in AWS Control Tower will have on the small company’s account. Delete the configuration recorder and delivery channels from the AWS Config settings of the small company’s account.

D. Enroll the OU of the small company’s account in the large company’s AWS Control Tower environment. Specify the destination OU in the large company’s AWS Control Tower landing zone as the receiving OU in the request.

E. Create an AWSControlTowerExecution role in the small company’s account. Provide the account’s email address, the account owner’s first and last name, and the destination OU to complete the AWS Control Tower Account Factory enrollment request.

 


Correct Answer: CD

Question 42

A web application has been deployed using an AWS Elastic Beanstalk application. The application developers are concerned that they are seeing high latency in two different areas of the application:
• HTTP client requests to a third-party API
• MySQL client library queries to an Amazon RDS database
A DevOps engineer must gather trace data to diagnose the issues.
Which steps will gather the trace information with the LEAST amount of changes and performance impacts to the application?

A. Add additional logging to the application code. Use the Amazon CloudWatch agent to stream the application logs into Amazon OpenSearch Service. Query the log data in OpenSearch Service.

B. Instrument the application to use the AWS X-Ray SDK. Post trace data to an Amazon OpenSearch Service cluster. Query the trace data for calls to the HTTP client and the MySQL client.

C. On the AWS Elastic Beanstalk management page for the application, enable the AWS X-Ray daemon. View the trace data in the X-Ray console.

D. Instrument the application using the AWS X-Ray SDK. On the AWS Elastic Beanstalk management page for the application, enable the X-Ray daemon. View the trace data in the X-Ray console.

 


Correct Answer: C

Question 43

A developer is maintaining a fleet of 50 Amazon EC2 Linux servers. The servers are part of an Amazon EC2 Auto Scaling group, and also use Elastic Load Balancing for load balancing.
Occasionally, some application servers are being terminated after failing ELB HTTP health checks. The developer would like to perform a root cause analysis on the issue, but before being able to access application logs, the server is terminated.
How can log collection be automated?

A. Use Auto Scaling lifecycle hooks to put instances in a Pending:Wait state. Create an Amazon CloudWatch alarm for EC2 Instance Terminate Successful and trigger an AWS Lambda function that invokes an SSM Run Command script to collect logs, push them to Amazon S3, and complete the lifecycle action once logs are collected.

B. Use Auto Scaling lifecycle hooks to put instances in a Terminating:Wait state. Create an AWS Config rule for EC2 instance-terminate Lifecycle Action and trigger a step function that invokes a script to collect logs, push them to Amazon S3, and complete the lifecycle action once logs are collected.

C. Use Auto Scaling lifecycle hooks to put instances in a Terminating:Wait state. Create an Amazon CloudWatch subscription filter for EC2 Instance Terminate Successful and trigger a CloudWatch agent that invokes a script to collect logs, push them to Amazon S3, and complete the lifecycle action once logs are collected.

D. Use Auto Scaling lifecycle hooks to put instances in a Terminating:Wait state. Create an Amazon EventBridge rule for EC2 Instance-terminate Lifecycle Action and trigger an AWS Lambda function that invokes an SSM Run Command script to collect logs, push them to Amazon S3, and complete the lifecycle action once logs are collected.

 


Correct Answer: D

Question 44

A DevOps engineer is planning to deploy a Ruby-based application to production. The application needs to interact with an Amazon RDS for MySQL database and should have automatic scaling and high availability. The stored data in the database is critical and should persist regardless of the state of the application stack.
The DevOps engineer needs to set up an automated deployment strategy for the application with automatic rollbacks. The solution also must alert the application team when a deployment fails.
Which combination of steps will meet these requirements? (Choose three.)

A. Deploy the application on AWS Elastic Beanstalk. Deploy an Amazon RDS for MySQL DB instance as part of the Elastic Beanstalk configuration.

B. Deploy the application on AWS Elastic Beanstalk. Deploy a separate Amazon RDS for MySQL DB instance outside of Elastic Beanstalk.

C. Configure a notification email address that alerts the application team in the AWS Elastic Beanstalk configuration.

D. Configure an Amazon EventBridge (Amazon CloudWatch Events) rule to monitor AWS Health events. Use an Amazon Simple Notification Service (Amazon SNS) topic as a target to alert the application team.

E. Use the immutable deployment method to deploy new application versions.

F. Use the rolling deployment method to deploy new application versions.

 


Correct Answer: AEF

Question 45

A DevOps engineer has created an AWS CloudFormation template. The template includes the following snippet:
When the template is launched, CloudFormation performs a rollback and reports the following error message: Received 0 SUCCESS signal(s) out of 1.
Which combination of steps should the DevOps engineer take to resolve this error? (Choose two.)

A. Update the UserData attribute to use the cfn-signal helper script.

B. Update the AutoScalingGroup resource with a DependsOn LaunchConfig.

C. Update the LaunchConfig resource type to AWS::EC2::LaunchTemplate.

D. Increase the CreationPolicy ResourceSignal Timeout.

E. Remove the CreationPolicy attribute. Create new WaitHandle and WaitCondition resources.

 


Correct Answer: AC

Question 46

A company hosts its staging website using an Amazon EC2 instance backed with Amazon EBS storage. The company wants to recover quickly with minimal data losses in the event of network connectivity issues or power failures on the EC2 instance.
Which solution will meet these requirements?

A. Add the instance to an EC2 Auto Scaling group with the minimum, maximum, and desired capacity set to 1.

B. Add the instance to an EC2 Auto Scaling group with a lifecycle hook to detach the EBS volume when the EC2 instance shuts down or terminates.

C. Create an Amazon CloudWatch alarm for the StatusCheckFailed_System metric and select the EC2 action to recover the instance.

D. Create an Amazon CloudWatch alarm for the StatusCheckFailed_Instance metric and select the EC2 action to reboot the instance.

 


Correct Answer: C

Question 47

A company has a data ingestion application that runs across multiple AWS accounts. The accounts are in an organization in AWS Organizations. The company needs to monitor the application and consolidate access to the application. Currently, the company is running the application on Amazon EC2 instances from several Auto Scaling groups. The EC2 instances have no access to the internet because the data is sensitive. Engineers have deployed the necessary VPC endpoints. The EC2 instances run a custom AMI that is built specifically for the application.
To maintain and troubleshoot the application, system administrators need the ability to log in to the EC2 instances. This access must be automated and controlled centrally. The company's security team must receive a notification whenever the instances are accessed.
Which solution will meet these requirements?

A. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to send notifications to the security team whenever a user logs in to an EC2 instance. Use EC2 Instance Connect to log in to the instances. Deploy Auto Scaling groups by using AWS CloudFormation. Use the cfn-init helper script to deploy appropriate VPC routes for external access. Rebuild the custom AMI so that the custom AMI includes AWS Systems Manager Agent.

B. Deploy a NAT gateway and a bastion host that has internet access. Create a security group that allows incoming traffic on all the EC2 instances from the bastion host. Install AWS Systems Manager Agent on all the EC2 instances. Use Auto Scaling group lifecycle hooks for monitoring and auditing access. Use Systems Manager Session Manager to log in to the instances. Send logs to a log group in Amazon CloudWatch Logs. Export data to Amazon S3 for auditing. Send notifications to the security team by using S3 event notifications.

C. Use EC2 Image Builder to rebuild the custom AMI. Include the most recent version of AWS Systems Manager Agent in the image. Configure the Auto Scaling group to attach the AmazonSSMManagedInstanceCore role to all the EC2 instances. Use Systems Manager Session Manager to log in to the instances. Enable logging of session details to Amazon S3. Create an S3 notification for new file uploads to send a message to the security team through an Amazon Simple Notification Service (Amazon SNS) topic.

D. Use AWS Systems Manager Automation to build Systems Manager Agent into the custom AMI. Configure AWS Config to attach an SCP to the root organization account to allow the EC2 instances to connect to Systems Manager. Use Systems Manager Session Manager to log in to the instances. Enable logging of session details to Amazon S3. Create an S3 notification for new file uploads to send a message to the security team through an Amazon Simple Notification Service (Amazon SNS) topic.

 


Correct Answer: D

Question 48

A company wants to use AWS Systems Manager documents to bootstrap physical laptops for developers. The bootstrap code is stored in GitHub. A DevOps engineer has already created a Systems Manager activation, installed the Systems Manager agent with the registration code, and installed an activation ID on all the laptops.
Which set of steps should be taken next?

A. Configure the Systems Manager document to use the AWS-RunShellScript command to copy the files from GitHub to Amazon S3, then use the aws-downloadContent plugin with a sourceType of S3.

B. Configure the Systems Manager document to use the aws-configurePackage plugin with an install action and point to the Git repository.

C. Configure the Systems Manager document to use the aws-downloadContent plugin with a sourceType of GitHub and sourceInfo with the repository details.

D. Configure the Systems Manager document to use the aws:softwareInventory plugin and run the script from the Git repository.

 


Correct Answer: C

Question 49

A company uses Application Load Balancers (ALBs) as part of its application architecture. The company has ALBs in AWS accounts that are part of an organization in AWS Organizations. The company has configured AWS Config in all AWS accounts in the organization.
The company needs to apply an AWS WAF web ACL with a common set of rules to all ALBs, including any ALBs that are created in the future. Administrators of each AWS account must be able to define their own AWS WAF rules that are in addition to the common rules that the company’s security team provides for all the accounts.
Which solution will meet these requirements?

A. Configure AWS Firewall Manager for the organization. In the Firewall Manager administrator account, create an AWS WAF policy. Turn on automatic remediation and define the web ACL. Configure the policy scope to apply to all ALBs in the organization.

B. Use AWS Resource Access Manager (AWS RAM) from the organization’s management account to enable resource sharing in the organization. Create the web ACL. Configure a resource share of the web ACL for the organization. Associate the shared web ACL with all the ALBs in the organization.

C. Set up the ALB_WAF_ENABLED AWS Config managed rule with automatic remediation. Configure the rule to create the web ACL and to attach the web ACL to all ALBs in an AWS account. Create an AWS Config conformance pack that contains the rule. Deploy the conformance pack to all AWS accounts in the organization.

D. Configure AWS Firewall Manager for the organization. In the Firewall Manager administrator account, create an AWS WAF policy that defines the web ACL. Set up the ALB_WAF_ENABLED AWS Config managed rule with automatic remediation. Configure the rule to attach the web ACL to all ALBs in an AWS account. Deploy the rule to all AWS accounts in the organization.

 


Correct Answer: D

Question 50

A company has an application that runs on current-generation Amazon EC2 instances in a VPC. The EC2 instances run Amazon Linux and are launched in an Amazon EC2 Auto Scaling group. The application retrieves data from an Amazon S3 bucket, processes the data, and uploads the processed data to a different S3 bucket.
Recently, the application's performance worsened. A manual investigation identified that outbound network bandwidth utilization was too high for the type of EC2 instance. The company updated the EC2 instances to a larger EC2 instance size.
The company's DevOps team needs to receive notification from an Amazon CloudWatch alarm if the application attempts to use more outbound network bandwidth than is available to the EC2 instances.
Which solution will meet these requirements?

A. Configure EC2 detailed monitoring for the EC2 instances. Create an AWS Lambda function to create a CloudWatch alarm for the bw_out_allowance_exceeded CloudWatch metric for each EC2 instance. Configure the alarm to notify the DevOps team.

B. Configure the unified CloudWatch agent on the EC2 instances to export the bw_out_allowance_exceeded metric to CloudWatch metrics. Create a CloudWatch composite alarm to monitor all bw_out_allowance_exceeded metrics. Configure the alarm to notify the DevOps team.

C. Configure VPC flow logging to Amazon CloudWatch Logs for the EC2 instances. Create a CloudWatch Logs metric filter to match events in which bandwidth allowance is exceeded. Create a CloudWatch composite alarm to monitor all bw_out_allowance_exceeded metrics. Configure the alarm to notify the DevOps team.

D. Configure the unified CloudWatch agent on the EC2 instances to export the bw_out_allowance_exceeded metric to CloudWatch metrics. Create an AWS Lambda function to create a CloudWatch alarm for the bw_out_allowance_exceeded CloudWatch metric for each EC2 instance. Configure the alarm to notify the DevOps team.

 


Correct Answer: D

Free Access Full DOP-C01 Practice Questions Free

Want more hands-on practice? Click here to access the full bank of DOP-C01 practice questions free and reinforce your understanding of all exam objectives.

We update our question sets regularly, so check back often for new and relevant content.

Good luck with your DOP-C01 certification journey!


PracticeTestFree.com materials do not contain actual questions and answers from Cisco's Certification Exams. PracticeTestFree.com doesn't offer Real Microsoft Exam Questions. PracticeTestFree.com doesn't offer Real Amazon Exam Questions.
