DOP-C01 Practice Test Free – 50 Real Exam Questions to Boost Your Confidence
Preparing for the DOP-C01 exam? Start with our DOP-C01 Practice Test Free – a set of 50 high-quality, exam-style questions crafted to help you assess your knowledge and improve your chances of passing on the first try.
Taking a DOP-C01 practice test free is one of the smartest ways to:
- Get familiar with the real exam format and question types
- Evaluate your strengths and spot knowledge gaps
- Gain the confidence you need to succeed on exam day
Below, you will find 50 free DOP-C01 practice questions to help you prepare for the exam. These questions are designed to reflect the real exam structure and difficulty level.
A company using AWS CodeCommit for source control wants to automate its continuous integration and continuous delivery pipeline on AWS in its development environment. The company has three requirements: 1. There must be a legal and a security review of any code change to make sure sensitive information is not leaked through the source code. 2. Every change must go through unit testing. 3. Every change must go through a suite of functional testing to ensure functionality. In addition, the company has the following requirements for automation: 1. Code changes should automatically trigger the CI/CD pipeline. 2. Any failure in the pipeline should notify devops-admin@xyz.com. 3. There must be an approval to stage the assets to Amazon S3 after tests have been performed. What should a DevOps Engineer do to meet all of these requirements while following CI/CD best practices?
A. Commit to the development branch and trigger AWS CodePipeline from the development branch. Make an individual stage in CodePipeline for security review, unit tests, functional tests, and manual approval. Use Amazon CloudWatch metrics to detect changes in pipeline stages and Amazon SES for emailing devops-admin@xyz.com.
B. Commit to mainline and trigger AWS CodePipeline from mainline. Make an individual stage in CodePipeline for security review, unit tests, functional tests, and manual approval. Use AWS CloudTrail logs to detect changes in pipeline stages and Amazon SNS for emailing devops-admin@xyz.com.
C. Commit to the development branch and trigger AWS CodePipeline from the development branch. Make an individual stage in CodePipeline for security review, unit tests, functional tests, and manual approval. Use Amazon CloudWatch Events to detect changes in pipeline stages and Amazon SNS for emailing devops-admin@xyz.com.
D. Commit to mainline and trigger AWS CodePipeline from mainline. Make an individual stage in CodePipeline for security review, unit tests, functional tests, and manual approval. Use Amazon CloudWatch Events to detect changes in pipeline stages and Amazon SES for emailing devops-admin@xyz.com.
A company that uses electronic health records is running a fleet of Amazon EC2 instances with an Amazon Linux operating system. As part of patient privacy requirements, the company must ensure continuous compliance for patches for operating system and applications running on the EC2 instances. How can the deployments of the operating system and application patches be automated using a default and custom repository?
A. Use AWS Systems Manager to create a new patch baseline including the custom repository. Run the AWS-RunPatchBaseline document using the run command to verify and install patches.
B. Use AWS Direct Connect to integrate the corporate repository and deploy the patches using Amazon CloudWatch scheduled events, then use the CloudWatch dashboard to create reports.
C. Use yum-config-manager to add the custom repository under /etc/yum.repos.d and run yum-config-manager-enable to activate the repository.
D. Use AWS Systems Manager to create a new patch baseline including the corporate repository. Run the AWS-AmazonLinuxDefaultPatchBaseline document using the run command to verify and install patches.
A company has developed an AWS Lambda function that handles orders received through an API. The company is using AWS CodeDeploy to deploy the Lambda function as the final stage of a CI/CD pipeline. A DevOps Engineer has noticed there are intermittent failures of the ordering API for a few seconds after deployment. After some investigation, the DevOps Engineer believes the failures are due to database changes not having fully propagated before the Lambda function begins executing. How should the DevOps Engineer overcome this?
A. Add a BeforeAllowTraffic hook to the AppSpec file that tests and waits for any necessary database changes before traffic can flow to the new version of the Lambda function
B. Add an AfterAllowTraffic hook to the AppSpec file that forces traffic to wait for any pending database changes before allowing the new version of the Lambda function to respond
C. Add a BeforeInstall hook to the AppSpec file that tests and waits for any necessary database changes before deploying the new version of the Lambda function
D. Add a ValidateService hook to the AppSpec file that inspects incoming traffic and rejects the payload if dependent services, such as the database, are not yet ready
A company has a VPC that consists of a public subnet and a private subnet. The company has an application that runs on Amazon EC2 instances that are in the private subnet. An Application Load Balancer is in the public subnet and distributes traffic to the EC2 instances. The company has enabled Amazon GuardDuty for the account. The company’s DevOps team has a list of external IP ranges that is updated each day. The list is stored in an Amazon S3 bucket in the account. A DevOps engineer needs to configure GuardDuty to create a GuardDuty finding when traffic to the application originates from an IP range in the external IP range list. Which solution will meet these requirements?
A. Create an Amazon EventBridge rule that runs daily and invokes an AWS Lambda function. Configure the Lambda function to retrieve the most recent list of external IP ranges from the S3 bucket. For each IP range in the list, configure the Lambda function to create a GuardDuty finding filter on the publicIp filter attribute.
B. Configure a threat list in GuardDuty. Set the source as the list of external IP ranges in the S3 bucket. Create an Amazon EventBridge rule that runs daily and invokes an AWS Lambda function. Configure the Lambda function to refresh the threat list in GuardDuty to match the list of external IP ranges in the S3 bucket.
C. Configure a trusted IP list in GuardDuty. Set the source as the list of external IP ranges in the S3 bucket. Create an Amazon EventBridge rule that runs daily and invokes an AWS Lambda function. Configure the Lambda function to refresh the trusted IP list in GuardDuty to match the list of external IP ranges in the S3 bucket.
D. Create an Amazon EventBridge rule that runs daily and invokes an AWS Lambda function. Configure the Lambda function to retrieve the most recent list of external IP ranges from the S3 bucket. For each IP range in the list, configure the Lambda function to create a GuardDuty finding filter on the localIp filter attribute.
A company recently launched an application that is more popular than expected. The company wants to ensure the application can scale to meet increasing demands and provide reliability using multiple Availability Zones (AZs). The application runs on a fleet of Amazon EC2 instances behind an Application Load Balancer (ALB). A DevOps engineer has created an Auto Scaling group across multiple AZs for the application. Instances launched in the newly added AZs are not receiving any traffic for the application. What is likely causing this issue?
A. Auto Scaling groups can create new instances in a single AZ only.
B. The EC2 instances have not been manually associated to the ALB.
C. The ALB should be replaced with a Network Load Balancer (NLB).
D. The new AZ has not been added to the ALB.
A development team is using AWS CodeCommit to version control application code and AWS CodePipeline to orchestrate software deployments. The team has decided to use a remote master branch as the trigger for the pipeline to integrate code changes. A developer has pushed code changes to the CodeCommit repository, but noticed that the pipeline had no reaction, even after 10 minutes. Which of the following actions should be taken to troubleshoot this issue?
A. Check that an Amazon CloudWatch Events rule has been created for the master branch to trigger the pipeline.
B. Check that the CodePipeline service role has permission to access the CodeCommit repository.
C. Check that the developer’s IAM role has permission to push to the CodeCommit repository.
D. Check to see if the pipeline failed to start because of CodeCommit errors in Amazon CloudWatch Logs.
A company manages an application that stores logs in Amazon CloudWatch Logs. The company wants to archive the logs in Amazon S3. Logs are rarely accessed after 90 days and must be retained for 10 years. Which combination of steps should a DevOps engineer take to meet these requirements? (Choose two.)
A. Configure a CloudWatch Logs subscription filter to use AWS Glue to transfer all logs to an S3 bucket.
B. Configure a CloudWatch Logs subscription filter to use Amazon Kinesis Data Firehose to stream all logs to an S3 bucket.
C. Configure a CloudWatch Logs subscription filter to stream all logs to an S3 bucket.
D. Configure the S3 bucket lifecycle policy to transition logs to S3 Glacier after 90 days and to expire logs after 3,650 days.
E. Configure the S3 bucket lifecycle policy to transition logs to Reduced Redundancy after 90 days and to expire logs after 3,650 days.
The security team depends on AWS CloudTrail to detect sensitive security issues in the company's AWS account. The DevOps engineer needs a solution to auto-remediate CloudTrail being turned off in an AWS account. What solution ensures the LEAST amount of downtime for the CloudTrail log deliveries?
A. Create an Amazon EventBridge (Amazon CloudWatch Events) rule for the CloudTrail StopLogging event. Create an AWS Lambda function that uses the AWS SDK to call StartLogging on the ARN of the resource in which StopLogging was called. Add the Lambda function ARN as a target to the EventBridge (CloudWatch Events) rule.
B. Deploy the AWS-managed CloudTrail-enabled AWS Config rule, set with a periodic interval of 1 hour. Create an Amazon EventBridge (Amazon CloudWatch Events) rule for AWS Config rules compliance change. Create an AWS Lambda function that uses the AWS SDK to call StartLogging on the ARN of the resource in which StopLogging was called. Add the Lambda function ARN as a target to the EventBridge (CloudWatch Events) rule.
C. Create an Amazon EventBridge (Amazon CloudWatch Events) rule for a scheduled event every 5 minutes. Create an AWS Lambda function that uses the AWS SDK to call StartLogging on a CloudTrail trail in the AWS account. Add the Lambda function ARN as a target to the EventBridge (CloudWatch Events) rule.
D. Launch a t2.nano instance with a script running every 5 minutes that uses the AWS SDK to query CloudTrail in the current account. If the CloudTrail trail is disabled, have the script re-enable the trail.
An application running on a set of Amazon EC2 instances in an Auto Scaling group requires a configuration file to operate. The instances are created and maintained with AWS CloudFormation. A DevOps engineer wants the instances to have the latest configuration file when launched, and wants changes to the configuration file to be reflected on all the instances with a minimal delay when the CloudFormation template is updated. Company policy requires that application configuration files be maintained along with AWS infrastructure configuration files in source control. Which solution will accomplish this?
A. In the CloudFormation template, add an AWS Config rule. Place the configuration file content in the rule’s InputParameters property, and set the Scope property to the EC2 Auto Scaling group. Add an AWS Systems Manager Resource Data Sync resource to the template to poll for updates to the configuration.
B. In the CloudFormation template, add an EC2 launch template resource. Place the configuration file content in the launch template. Configure the cfn-init script to run when the instance is launched, and configure the cfn-hup script to poll for updates to the configuration.
C. In the CloudFormation template, add an EC2 launch template resource. Place the configuration file content in the launch template. Add an AWS Systems Manager Resource Data Sync resource to the template to poll for updates to the configuration.
D. In the CloudFormation template, add CloudFormation init metadata. Place the configuration file content in the metadata. Configure the cfn-init script to run when the instance is launched, and configure the cfn-hup script to poll for updates to the configuration.
A DevOps engineer is deploying an AWS Service Catalog portfolio using AWS CodePipeline. The pipeline should create products and templates based on a manifest file in either JSON or YAML, and should enforce security requirements on all AWS Service Catalog products managed through the pipeline. Which solution will meet the requirements in an automated fashion?
A. Use the AWS Service Catalog deploy action in AWS CodeDeploy to push new versions of products into the AWS Service Catalog with verification steps in the CodeDeploy AppSpec.
B. Use the AWS Service Catalog deploy action in AWS CodeBuild to verify and push new versions of products into the AWS Service Catalog.
C. Use an AWS Lambda action in CodePipeline to run a Lambda function to verify and push new versions of products into the AWS Service Catalog.
D. Use an AWS Lambda action in AWS CodeBuild to run a Lambda function to verify and push new versions of products into the AWS Service Catalog.
A company has developed a Node.js web application which provides REST services to store and retrieve time series data. The web application is built by the development team on company laptops, tested locally, and manually deployed to a single on-premises server, which accesses a local MySQL database. The company is starting a trial in two weeks, during which the application will undergo frequent updates based on customer feedback. The following requirements must be met: • The team must be able to reliably build, test, and deploy new updates on a daily basis, without downtime or degraded performance. • The application must be able to scale to meet an unpredictable number of concurrent users during the trial. Which action will allow the team to quickly meet these objectives?
A. Create two Amazon Lightsail virtual private servers for Node.js; one for test and one for production. Build the Node.js application using existing processes and upload it to the new Lightsail test server using the AWS CLI. Test the application, and if it passes all tests, upload it to the production server. During the trial, monitor the production server usage, and if needed, increase performance by upgrading the instance type.
B. Develop an AWS CloudFormation template to create an Application Load Balancer and two Amazon EC2 instances with Amazon EBS (SSD) volumes in an Auto Scaling group with rolling updates enabled. Use AWS CodeBuild to build and test the Node.js application and store it in an Amazon S3 bucket. Use user-data scripts to install the application and the MySQL database on each EC2 instance. Update the stack to deploy new application versions.
C. Configure AWS Elastic Beanstalk to automatically build the application using AWS CodeBuild and to deploy it to a test environment that is configured to support auto scaling. Create a second Elastic Beanstalk environment for production. Use Amazon RDS to store data. When new versions of the applications have passed all tests, use Elastic Beanstalk ‘swap cname’ to promote the test environment to production.
D. Modify the application to use Amazon DynamoDB instead of a local MySQL database. Use AWS OpsWorks to create a stack for the application with a DynamoDB layer, an Application Load Balancer layer, and an Amazon EC2 instance layer. Use a Chef recipe to build the application and a Chef recipe to deploy the application to the EC2 instance layer. Use custom health checks to run unit tests on each instance with rollback on failure.
A DevOps engineer is researching the least expensive way to implement an image batch processing cluster on AWS. The application cannot run in Docker containers and must run on Amazon EC2. The batch job stores checkpoint data on an NFS and can tolerate interruptions. Configuring the cluster software from a generic EC2 Linux image takes 30 minutes. What is the MOST cost-effective solution?
A. Use Amazon EFS for checkpoint data. To complete the job, use an EC2 Auto Scaling group and an On-Demand pricing model to provision EC2 instances temporarily.
B. Use GlusterFS on EC2 instances for checkpoint data. To run the batch job, configure EC2 instances manually. When the job completes, shut down the instances manually.
C. Use Amazon EFS for checkpoint data. Use EC2 Fleet to launch EC2 Spot Instances, and utilize user data to configure the EC2 Linux instance on startup.
D. Use Amazon EFS for checkpoint data. Use EC2 Fleet to launch EC2 Spot Instances. Create a custom AMI for the cluster and use the latest AMI when creating instances.
An ecommerce company uses a large number of Amazon EBS backed Amazon EC2 instances. To decrease manual work across all the instances, a DevOps Engineer is tasked with automating restart actions when EC2 instance retirement events are scheduled. How can this be accomplished?
A. Create a scheduled Amazon CloudWatch Events rule to execute an AWS Systems Manager automation document that checks if any EC2 instances are scheduled for retirement once a week. If the instance is scheduled for retirement, the automation document will hibernate the instance.
B. Enable EC2 Auto Recovery on all of the instances. Create an AWS Config rule to limit the recovery to occur during a maintenance window only.
C. Reboot all EC2 instances during an approved maintenance window that is outside of standard business hours. Set up Amazon CloudWatch alarms to send a notification in case any instance is failing EC2 instance status checks.
D. Set up an AWS Health Amazon CloudWatch Events rule to execute AWS Systems Manager automation documents that stop and start the EC2 instance when a retirement scheduled event occurs.
A company requires its internal business teams to launch resources through pre-approved AWS CloudFormation templates only. The security team requires automated monitoring when resources drift from their expected state. Which strategy should be used to meet these requirements?
A. Allow users to deploy CloudFormation stacks using a CloudFormation service role only. Use CloudFormation drift detection to detect when resources have drifted from their expected state.
B. Allow users to deploy CloudFormation stacks using a CloudFormation service role only. Use AWS Config rules to detect when resources have drifted from their expected state.
C. Allow users to deploy CloudFormation stacks using AWS Service Catalog only. Enforce the use of a launch constraint. Use AWS Config rules to detect when resources have drifted from their expected state.
D. Allow users to deploy CloudFormation stacks using AWS Service Catalog only. Enforce the use of a template constraint. Use Amazon EventBridge notifications to detect when resources have drifted from their expected state.
A company runs several applications across multiple AWS accounts in an organization in AWS Organizations. Some of the resources are not tagged properly and the company's finance team cannot determine which costs are associated with which applications. A DevOps engineer must remediate this issue and prevent this issue from happening in the future. Which combination of actions should the DevOps engineer take to meet these requirements? (Choose two.)
A. Activate the user-defined cost allocation tags in each AWS account.
B. Create and attach an SCP that requires a specific tag.
C. Define each line of business (LOB) in AWS Budgets. Assign the required tag to each resource.
D. Scan all accounts with Tag Editor. Assign the required tag to each resource.
E. Use the budget report to find untagged resources. Assign the required tag to each resource.
A large enterprise is deploying a web application on AWS. The application runs on Amazon EC2 instances behind an Application Load Balancer. The instances run in an Auto Scaling group across multiple Availability Zones. The application stores data in an Amazon RDS Oracle DB instance and Amazon DynamoDB. There are separate environments for development, testing, and production. What is the MOST secure and flexible way to obtain password credentials during deployment?
A. Retrieve an access key from an AWS Systems Manager SecureString parameter to access AWS services. Retrieve the database credentials from a Systems Manager SecureString parameter.
B. Launch the EC2 instances with an EC2 IAM role to access AWS services. Retrieve the database credentials from AWS Secrets Manager.
C. Retrieve an access key from an AWS Systems Manager plaintext parameter to access AWS services. Retrieve the database credentials from a Systems Manager SecureString parameter.
D. Launch the EC2 instances with an EC2 IAM role to access AWS services. Store the database passwords in an encrypted config file with the application artifacts.
A company is building a web and mobile application that uses a serverless architecture powered by AWS Lambda and Amazon API Gateway. The company wants to fully automate the backend Lambda deployment based on code that is pushed to the appropriate environment branch in an AWS CodeCommit repository. The deployment must have the following: • Separate environment pipelines for testing and production • Automatic deployment that occurs for test environments only Which steps should be taken to meet these requirements?
A. Configure a new AWS CodePipeline service. Create a CodeCommit repository for each environment. Set up CodePipeline to retrieve the source code from the appropriate repository. Set up the deployment step to deploy the Lambda functions with AWS CloudFormation.
B. Create two AWS CodePipeline configurations for test and production environments. Configure the production pipeline to have a manual approval step. Create a CodeCommit repository for each environment. Set up each CodePipeline to retrieve the source code from the appropriate repository. Set up the deployment step to deploy the Lambda functions with AWS CloudFormation.
C. Create two AWS CodePipeline configurations for test and production environments. Configure the production pipeline to have a manual approval step. Create one CodeCommit repository with a branch for each environment. Set up each CodePipeline to retrieve the source code from the appropriate branch in the repository. Set up the deployment step to deploy the Lambda functions with AWS CloudFormation.
D. Create an AWS CodeBuild configuration for test and production environments. Configure the production pipeline to have a manual approval step. Create one CodeCommit repository with a branch for each environment. Push the Lambda function code to an Amazon S3 bucket. Set up the deployment step to deploy the Lambda functions from the S3 bucket.
A company is developing a web application's infrastructure using AWS CloudFormation. The database engineering team maintains the database resources in a CloudFormation template, and the software development team maintains the web application resources in a separate CloudFormation template. As the scope of the application grows, the software development team needs to use resources maintained by the database engineering team. However, both teams have their own review and lifecycle management processes that they want to keep. Both teams also require resource-level change-set reviews. The software development team would like to deploy changes to this template using their CI/CD pipeline. Which solution will meet these requirements?
A. Create a stack export from the database CloudFormation template and import those references into the web application CloudFormation template.
B. Create a CloudFormation nested stack to make cross-stack resource references and parameters available in both stacks.
C. Create a CloudFormation stack set to make cross-stack resource references and parameters available in both stacks.
D. Create input parameters in the web application CloudFormation template and pass resource names and IDs from the database stack.
A DevOps engineer needs to apply a core set of security controls to an existing set of AWS accounts. The accounts are in an organization in AWS Organizations. Individual teams will administer individual accounts by using the AdministratorAccess AWS managed policy. For all accounts, AWS CloudTrail and AWS Config must be turned on in all available AWS Regions. Individual account administrators must not be able to edit or delete any of the baseline resources. However, individual account administrators must be able to edit or delete their own CloudTrail trails and AWS Config rules. Which solution will meet these requirements in the MOST operationally efficient way?
A. Create an AWS CloudFormation template that defines the standard account resources. Deploy the template to all accounts from the organization’s management account by using CloudFormation StackSets. Set the stack policy to deny Update Delete actions.
B. Enable AWS Control Tower. Enroll the existing accounts in AWS Control Tower. Grant the individual account administrators access to CloudTrail and AWS Config.
C. Designate an AWS Config management account. Create AWS Config recorders in all accounts by using AWS CloudFormation StackSets. Deploy AWS Config rules to the organization by using the AWS Config management account. Create a CloudTrail organization trail in the organization’s management account. Deny modification or deletion of the AWS Config recorders by using an SCP.
D. Create an AWS CloudFormation template that defines the standard account resources. Deploy the template to all accounts from the organization’s management account by using CloudFormation StackSets. Create an SCP that prevents updates or deletions to CloudTrail resources or AWS Config resources unless the principal is an administrator of the organization’s management account.
A company has developed a static website hosted on an Amazon S3 bucket. The website is deployed using AWS CloudFormation. The CloudFormation template defines an S3 bucket and a custom resource that copies content into the bucket from a source location. The company has decided that it needs to move the website to a new location, so the existing CloudFormation stack must be deleted and re-created. However, CloudFormation reports that the stack could not be deleted cleanly. What is the MOST likely cause and how can the DevOps engineer mitigate this problem for this and future versions of the website?
A. Deletion has failed because the S3 bucket has an active website configuration. Modify the CloudFormation template to remove the WebsiteConfiguration property from the S3 bucket resource.
B. Deletion has failed because the S3 bucket is not empty. Modify the custom resource’s AWS Lambda function code to recursively empty the bucket when RequestType is Delete.
C. Deletion has failed because the custom resource does not define a deletion policy. Add a DeletionPolicy property to the custom resource definition with a value of RemoveOnDeletion.
D. Deletion has failed because the S3 bucket is not empty. Modify the S3 bucket resource in the CloudFormation template to add a DeletionPolicy property with a value of Empty.
A space exploration company receives telemetry data from multiple satellites. Small packets of data are received through Amazon API Gateway and are placed directly into an Amazon Simple Queue Service (Amazon SQS) standard queue. A custom application is subscribed to the queue and transforms the data into a standard format. Because of inconsistencies in the data that the satellites produce, the application is occasionally unable to transform the data. In these cases, the messages remain in the SQS queue. A DevOps engineer must develop a solution that retains the failed messages and makes them available to scientists for review and future processing. Which solution will meet these requirements?
A. Configure AWS Lambda to poll the SQS queue and invoke a Lambda function to check whether the queue messages are valid. If validation fails, send a copy of the data that is not valid to an Amazon S3 bucket so that the scientists can review and correct the data. When the data is corrected, amend the message in the SQS queue by using a replay Lambda function with the corrected data.
B. Convert the SQS standard queue to an SQS FIFO queue. Configure AWS Lambda to poll the SQS queue every 10 minutes by using an Amazon EventBridge schedule. Invoke the Lambda function to identify any messages with a SentTimestamp value that is older than 5 minutes, push the data to the same location as the application’s output location, and remove the messages from the queue.
C. Create an SQS dead-letter queue. Modify the existing queue by including a redrive policy that sets the Maximum Receives setting to 1 and sets the dead-letter queue ARN to the ARN of the newly created queue. Instruct the scientists to use the dead-letter queue to review the data that is not valid. Reprocess this data at a later time.
D. Configure API Gateway to send messages to different SQS virtual queues that are named for each of the satellites. Update the application to use a new virtual queue for any data that it cannot transform, and send the message to the new virtual queue. Instruct the scientists to use the virtual queue to review the data that is not valid. Reprocess this data at a later time.
A company stores purchase history in an Amazon DynamoDB table. The company needs other workloads that run on AWS to react to data changes in the table. The company has enabled a DynamoDB stream on the table. Three existing AWS Lambda functions have an event source mapping configured for the DynamoDB stream. The company's application developers plan to add other applications that will need to react to changes in the table. A DevOps engineer must design an architecture that will give the additional consumers this functionality. Which solution will meet these requirements in the MOST operationally efficient way?
A. Create an Amazon EventBridge event bus. Create a new Lambda function that uses the existing DynamoDB stream as an event source. Configure the new Lambda function to post those events to the event bus. Update the original Lambda functions to react to events in the event bus. As other applications need the events, configure the applications to use the event bus as an event source.
B. Create an Amazon Simple Queue Service (Amazon SQS) queue. Create a new Lambda function that uses the existing DynamoDB stream as an event source. Configure the new Lambda function to post those events to the SQS queue. Update the original Lambda functions to react to entries in the SQS queue. As other applications need the events, configure the applications to use the SQS queue as an event source.
C. Create an Amazon Kinesis data stream. Create a new Lambda function that uses the existing DynamoDB stream as an event source. Configure the new Lambda function to post those events to the Kinesis data stream. Update the original Lambda functions to subscribe to records in the Kinesis data stream. As other applications need the events, configure the applications to use the Kinesis data stream as an event source.
D. Configure the DynamoDB table to use on-demand capacity mode. Increase the memory of the Lambda functions. Configure the Lambda functions to use provisioned concurrency.
A DevOps engineer is tasked with creating a more stable deployment solution for a web application in AWS. Previous deployments have resulted in user-facing bugs, premature user traffic, and inconsistencies between web servers running behind an Application Load Balancer. The current strategy uses AWS CodeCommit to store the code for the application. When developers push to the main branch of the repository, CodeCommit triggers an AWS Lambda deploy function, which invokes an AWS Systems Manager run command to build and deploy the new code to all Amazon EC2 instances. Which combination of actions should be taken to implement a more stable deployment solution? (Choose two.)
A. Create a pipeline in AWS CodePipeline with CodeCommit as a source provider. Create parallel pipeline stages to build and test the application. Pass the build artifact to AWS CodeDeploy.
B. Create a pipeline in AWS CodePipeline with CodeCommit as a source provider. Create separate pipeline stages to build and then test the application. Pass the build artifact to AWS CodeDeploy.
C. Create and use an AWS CodeDeploy application and deployment group to deploy code updates to the EC2 fleet. Select the Application Load Balancer for the deployment group.
D. Create individual Lambda functions to run all build, test, and deploy actions using AWS CodeDeploy instead of AWS Systems Manager.
E. Modify the Lambda function to build a single application package to be shared by all instances. Use AWS CodeDeploy instead of AWS Systems Manager to update the code on the EC2 fleet.
A DevOps engineer has automated a web service deployment by using AWS CodePipeline with the following steps: 1. An AWS CodeBuild project compiles the deployment artifact and runs unit tests. 2. An AWS CodeDeploy deployment group deploys the web service to Amazon EC2 instances in the staging environment. 3. A CodeDeploy deployment group deploys the web service to EC2 instances in the production environment. The quality assurance (QA) team requests permission to inspect the build artifact before the deployment to the production environment occurs. The QA team wants to run an internal penetration testing tool to conduct manual tests. The tool will be invoked by a REST API call. Which combination of actions should the DevOps engineer take to fulfill this request? (Choose two.)
A. Insert a manual approval action between the test actions and deployment actions of the pipeline.
B. Modify the buildspec.yml file for the compilation stage to require manual approval before completion.
C. Update the CodeDeploy deployment groups so that they require manual approval to proceed.
D. Update the pipeline to directly call the REST API for the penetration testing tool.
E. Update the pipeline to invoke a Lambda function that calls the REST API for the penetration testing tool.
An Engineering team manages a Node.js e-commerce application. The current environment consists of the following components:
- Amazon S3 buckets for storing content
- Amazon EC2 for the front-end web servers
- AWS Lambda for image processing
- Amazon DynamoDB for storing session-related data
The team expects a significant increase in traffic to the site. The application should handle the additional load without interruption. The team ran initial tests by adding new servers to the EC2 front-end to handle the larger load, but the instances took up to 20 minutes to become fully configured. The team wants to reduce this configuration time. What changes will the Engineering team need to implement to make the solution the MOST resilient and highly available while meeting the expected increase in demand?
A. Use AWS OpsWorks to automatically configure each new EC2 instance as it is launched. Configure the EC2 instances by using an Auto Scaling group behind an Application Load Balancer across multiple Availability Zones. Implement Amazon DynamoDB Auto Scaling. Use Amazon Route 53 to point the application DNS record to the Application Load Balancer.
B. Deploy a fleet of EC2 instances, doubling the current capacity, and place them behind an Application Load Balancer. Increase the Amazon DynamoDB read and write capacity units. Add an alias record that contains the Application Load Balancer endpoint to the existing Amazon Route 53 DNS record that points to the application.
C. Configure Amazon CloudFront and have its origin point to Amazon S3 to host the web application. Implement Amazon DynamoDB Auto Scaling. Use Amazon Route 53 to point the application DNS record to the CloudFront DNS name.
D. Use AWS Elastic Beanstalk with a custom AMI including all web components. Deploy the platform by using an Auto Scaling group behind an Application Load Balancer across multiple Availability Zones. Implement Amazon DynamoDB Auto Scaling. Use Amazon Route 53 to point the application DNS record to the Elastic Beanstalk load balancer.
A company has AWS accounts that are members of the same organization in AWS Organizations. According to the company's security policy, IAM customer managed policies must be scoped to specific actions and must not include wildcard actions on wildcard resources. If an IAM customer managed policy is created or modified in any of the company's AWS accounts to grant wildcard actions on resources that also specify wildcards, the policy must be detached from any IAM user, role, or group that the policy is attached to. Individual AWS account administrators must not be able to prevent the removal of the policies. Which combination of steps will meet these requirements? (Choose two.)
A. Configure automatic remediation to run the AWSConfigRemediation-DetachIAMPolicy AWS Systems Manager Automation runbook.
B. Configure automatic remediation to invoke a custom AWS Lambda function to detach the IAM policy from the affected resources.
C. Configure automatic remediation to use AWS Systems Manager Run Command to detach the IAM policy from the affected resources.
D. Turn on AWS Config by using an AWS CloudFormation stack set that is created in a central account. Configure automatic deployment for the stack set, and specify the organization as the target. Configure the iam-policy-no-statements-with-full-access AWS Config managed rule in the central account.
E. Turn on AWS Config for the organization. Create a new AWS account. Configure the account as a delegated administrator account for AWS Config. Configure the iam-policy-no-statements-with-full-access AWS Config managed rule in the delegated administrator account.
A security review has identified that an AWS CodeBuild project is downloading a database population script from an Amazon S3 bucket using an unauthenticated request. The security team does not allow unauthenticated requests to S3 buckets for this project. How can this issue be corrected in the MOST secure manner?
A. Add the bucket name to the AllowedBuckets section of the CodeBuild project settings. Update the build spec to use the AWS CLI to download the database population script.
B. Modify the S3 bucket settings to enable HTTPS basic authentication and specify a token. Update the build spec to use cURL to pass the token and download the database population script.
C. Remove unauthenticated access from the S3 bucket with a bucket policy. Modify the service role for the CodeBuild project to include Amazon S3 access. Use the AWS CLI to download the database population script.
D. Remove unauthenticated access from the S3 bucket with a bucket policy. Use the AWS CLI to download the database population script using an IAM access key and a secret access key.
A company has deployed a new Amazon API Gateway API that retrieves the cost of items for the company's online store. An AWS Lambda function supports the API and retrieves the data from an Amazon DynamoDB table. The API's latency increases during times of peak usage each day. However, the latency of the DynamoDB table reads is constant throughout the day. A DevOps engineer configures DynamoDB Accelerator (DAX) for the DynamoDB table, and the API latency decreases throughout the day. The DevOps engineer then configures Lambda provisioned concurrency with a limit of two concurrent invocations. This change reduces the latency during normal usage. However, the company is still experiencing higher latency during times of peak usage than during times of normal usage. Which set of additional steps should the DevOps engineer take to produce the LARGEST decrease in API latency?
A. Increase the read capacity of the DynamoDB table. Use AWS Application Auto Scaling to manage provisioned concurrency for the Lambda function.
B. Enable caching in API Gateway. Stop using provisioned concurrency for the Lambda function.
C. Delete the DAX cluster for the DynamoDB table. Use AWS Application Auto Scaling to manage provisioned concurrency for the Lambda function.
D. Enable caching in API Gateway. Use AWS Application Auto Scaling to manage provisioned concurrency for the Lambda function.
A company's legacy application uses IAM user credentials to access resources in the company's AWS Organizations organization. A DevOps engineer must ensure that new IAM users cannot be created unless the employee who creates the IAM user is on an exception list. Which solution will meet these requirements?
A. Attach an Organizations SCP with an explicit deny for all iam:CreateAccessKey actions with a condition that excludes StringEquals for aws:username with a value of the exception list.
B. Attach an Organizations SCP with an explicit deny for all iam:CreateUser actions with a condition that includes StringNotLike for aws:username with a value of the exception list.
C. Create an Amazon EventBridge (Amazon CloudWatch Events) rule with a pattern that matches the iam:CreateAccessKey action with an AWS Lambda function target. The function will check the user name and account against an exception list. If the user is not on the exception list, the function will delete the user.
D. Create an Amazon EventBridge (Amazon CloudWatch Events) rule with a pattern that matches the iam:CreateUser action with an AWS Lambda function target. The function will check the user name and account against an exception list. If the user is not on the exception list, the function will delete the user.
A company is hosting a web application in an AWS Region. For disaster recovery purposes, a second region is being used as a standby. Disaster recovery requirements state that session data must be replicated between regions in near-real time and 1% of requests should route to the secondary region to continuously verify system functionality. Additionally, if there is a disruption in service in the main region, traffic should be automatically routed to the secondary region, and the secondary region must be able to scale up to handle all traffic. How should a DevOps engineer meet these requirements?
A. In both regions, deploy the application on AWS Elastic Beanstalk and use Amazon DynamoDB global tables for session data. Use an Amazon Route 53 weighted routing policy with health checks to distribute the traffic across the regions.
B. In both regions, launch the application in Auto Scaling groups and use DynamoDB for session data. Use a Route 53 failover routing policy with health checks to distribute the traffic across the regions.
C. In both regions, deploy the application in AWS Lambda, exposed by Amazon API Gateway, and use Amazon RDS PostgreSQL with cross-region replication for session data. Deploy the web application with client-side logic to call the API Gateway directly.
D. In both regions, launch the application in Auto Scaling groups and use DynamoDB global tables for session data. Enable an Amazon CloudFront weighted distribution across regions. Point the Amazon Route 53 DNS record at the CloudFront distribution.
An ecommerce company is looking for ways to deploy an application on AWS that satisfies the following requirements:
- Has a simple and automated application deployment process.
- Has minimal deployment costs while ensuring that at least half of the instances are available to receive end-user requests.
- If the application fails, an automated healing mechanism will replace the affected instances.
Which deployment strategy will meet these requirements?
A. Create an AWS Elastic Beanstalk environment and configure it to use Auto Scaling and an Elastic Load Balancer. Use rolling deployments with a batch size of 50%.
B. Create an AWS OpsWorks stack. Configure the application layer to use rolling deployments as a deployment strategy. Add an Elastic Load Balancing layer. Enable auto healing on the application layer.
C. Use AWS CodeDeploy with Auto Scaling and an Elastic Load Balancer. Use the CodeDeployDefault.HalfAtATime deployment strategy. Enable an Elastic Load Balancing health check to report the status of the application, and set the Auto Scaling health check to ELB.
D. Use AWS CodeDeploy with Auto Scaling and an Elastic Load Balancer. Use a blue/green deployment strategy. Enable an Elastic Load Balancing health check to report the status of the application, and set the Auto Scaling health check to ELB.
A DevOps Engineer must track the health of a stateless RESTful service sitting behind a Classic Load Balancer. The deployment of new application revisions is through a CI/CD pipeline. If the service's latency increases beyond a defined threshold, deployment should be stopped until the service has recovered. Which of the following methods allow for the QUICKEST detection time?
A. Use Amazon CloudWatch metrics provided by Elastic Load Balancing to calculate average latency. Alarm and stop deployment when latency increases beyond the defined threshold.
B. Use AWS Lambda and Elastic Load Balancing access logs to detect average latency. Alarm and stop deployment when latency increases beyond the defined threshold.
C. Use AWS CodeDeploy’s MinimumHealthyHosts setting to define thresholds for rolling back deployments. If these thresholds are breached, roll back the deployment.
D. Use Metric Filters to parse application logs in Amazon CloudWatch Logs. Create a filter for latency. Alarm and stop deployment when latency increases beyond the defined threshold.
A company is using AWS Organizations to create separate AWS accounts for each of its departments. The company needs to automate the following tasks:
- Update the Linux AMIs with new patches periodically and generate a golden image
- Install a new version of Chef agents in the golden image, if available
- Provide the newly generated AMIs to the department's accounts
Which solution meets these requirements with the LEAST management overhead?
A. Write a script to launch an Amazon EC2 instance from the previous golden image. Apply the patch updates. Install the new version of the Chef agent, generate a new golden image, and then modify the AMI permissions to share only the new image with the department’s accounts.
B. Use Amazon EC2 Image Builder to create an image pipeline that consists of the base Linux AMI and components to install the Chef agent. Use AWS Resource Access Manager to share EC2 Image Builder images with the department’s accounts.
C. Use an AWS Systems Manager Automation runbook to update the Linux AMI by using the previous image. Provide the URL for the script that will update the Chef agent. Use AWS Organizations to replace the previous golden image in the department’s accounts.
D. Use Amazon EC2 Image Builder to create an image pipeline that consists of the base Linux AMI and components to install the Chef agent. Create a parameter in AWS Systems Manager Parameter Store to store the new AMI ID that can be referenced by the department’s accounts.
A DevOps engineer notices that all Amazon EC2 instances running behind an Application Load Balancer in an Auto Scaling group are failing to respond to user requests. The EC2 instances are also failing target group HTTP health checks. Upon inspection, the engineer notices the application process was not running in any EC2 instances. There are a significant number of out of memory messages in the system logs. The engineer needs to improve the resilience of the application to cope with a potential application memory leak. Monitoring and notifications should be enabled to alert when there is an issue. Which combination of actions will meet these requirements? (Choose two.)
A. Change the Auto Scaling configuration to replace the instances when they fail the load balancer’s health checks.
B. Change the target group health check HealthCheckIntervalSeconds parameter to reduce the interval between health checks.
C. Change the target group health checks from HTTP to TCP to check if the port where the application is listening is reachable.
D. Enable the available memory consumption metric within the Amazon CloudWatch dashboard for the entire Auto Scaling group. Create an alarm when the memory utilization is high. Associate an Amazon SNS topic to the alarm to receive notifications when the alarm goes off.
E. Use the Amazon CloudWatch agent to collect the memory utilization of the EC2 instances in the Auto Scaling group. Create an alarm when the memory utilization is high and associate an Amazon SNS topic to receive a notification.
A company has a guideline that every Amazon EC2 instance must be launched from an AMI that the company's security team produces. Every month, the security team sends an email message with the latest approved AMIs to all the development teams. The development teams use AWS CloudFormation to deploy their applications. When developers launch a new service, they have to search their email for the latest AMIs that the security department sent. A DevOps engineer wants to automate the process that the security team uses to provide the AMI IDs to the development teams. What is the MOST scalable solution that meets these requirements?
A. Direct the security team to use CloudFormation to create new versions of the AMIs and to list the AMI ARNs in an encrypted Amazon S3 object as part of the stack’s Outputs section. Instruct the developers to use a cross-stack reference to load the encrypted S3 object and obtain the most recent AMI ARNs.
B. Direct the security team to use a CloudFormation stack to create an AWS CodePipeline pipeline that builds new AMIs and places the latest AMI ARNs in an encrypted Amazon S3 object as part of the pipeline output. Instruct the developers to use a cross-stack reference within their own CloudFormation template to obtain the S3 object location and the most recent AMI ARNs.
C. Direct the security team to use Amazon EC2 Image Builder to create new AMIs and to place the AMI ARNs as parameters in AWS Systems Manager Parameter Store. Instruct the developers to specify a parameter of type SSM in their CloudFormation stack to obtain the most recent AMI ARNs from Parameter Store.
D. Direct the security team to use Amazon EC2 Image Builder to create new AMIs and to create an Amazon Simple Notification Service (Amazon SNS) topic so that every development team can receive notifications. When the development teams receive a notification, instruct them to write an AWS Lambda function that will update their CloudFormation stack with the most recent AMI ARNs.
A DevOps Engineer manages a web application that runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances run in an EC2 Auto Scaling group across multiple Availability Zones. The engineer needs to implement a deployment strategy that:
- Launches a second fleet of instances with the same capacity as the original fleet.
- Maintains the original fleet unchanged while the second fleet is launched.
- Transitions traffic to the second fleet when the second fleet is fully deployed.
- Terminates the original fleet automatically 1 hour after transition.
Which solution will satisfy these requirements?
A. Use an AWS CloudFormation template with a retention policy for the ALB set to 1 hour. Update the Amazon Route 53 record to reflect the new ALB.
B. Use two AWS Elastic Beanstalk environments to perform a blue/green deployment from the original environment to the new one. Create an application version lifecycle policy to terminate the original environment in 1 hour.
C. Use AWS CodeDeploy with a deployment group configured with a blue/green deployment configuration. Select the option Terminate the original instances in the deployment group with a waiting period of 1 hour.
D. Use AWS Elastic Beanstalk with the configuration set to Immutable. Create an .ebextension using the Resources key that sets the deletion policy of the ALB to 1 hour, and deploy the application.
A company uses AWS Organizations to manage its AWS accounts. A DevOps engineer wants to deploy a new AWS Lambda function to all accounts in the organization by using AWS CloudFormation StackSets. The DevOps engineer uses a delegated administrator account to deploy the stack sets to the member accounts. The stack operation keeps failing, and the stack instance status is OUTDATED. Which actions should the DevOps engineer take to remediate this error? (Choose two.)
A. Ensure that the AWS Region is the same for the stack sets and the target resources.
B. Ensure that the delegated administrator account has a trust relationship with the target account.
C. Ensure that the resources in the stacks do not have termination protection enabled by default.
D. Ensure that the CloudFormation template is creating unique global resources.
E. Deploy the stack sets from the management account and not from the delegated administrator account.
A company plans to stop using Amazon EC2 key pairs for SSH access, and instead plans to use AWS Systems Manager Session Manager. To further enhance security, access to Session Manager must take place over a private network only. Which combination of actions will accomplish this? (Choose two.)
A. Allow inbound access to TCP port 22 in all associated EC2 security groups from the VPC CIDR range.
B. Attach an IAM policy with the necessary Systems Manager permissions to the existing IAM instance profile.
C. Create a VPC endpoint for Systems Manager in the desired Region.
D. Deploy a new EC2 instance that will act as a bastion host to the rest of the EC2 instance fleet.
E. Remove any default routes in the associated route tables.
A company uses AWS Organizations to manage multiple accounts. Information security policies require that all unencrypted Amazon EBS volumes be marked as non-compliant. A DevOps engineer needs to automatically deploy the solution and ensure that this compliance check is always present. Which solution will accomplish this?
A. Create an AWS CloudFormation template that defines an AWS Inspector rule to check whether EBS encryption is enabled. Save the template to an Amazon S3 bucket that has been shared with all accounts within the company. Update the account creation script pointing to the CloudFormation template in Amazon S3.
B. Create an AWS Config organizational rule to check whether EBS encryption is enabled and deploy the rule using the AWS CLI. Create and apply an SCP to prohibit stopping and deleting AWS Config across the organization.
C. Create an SCP in Organizations. Set the policy to prevent the launch of Amazon EC2 instances without encryption on the EBS volumes using a conditional expression. Apply the SCP to all AWS accounts. Use Amazon Athena to analyze the AWS CloudTrail output, looking for events that deny an ec2:RunInstances action.
D. Deploy an IAM role to all accounts from a single trusted account. Build a pipeline with AWS CodePipeline with a stage in AWS Lambda to assume the IAM role, and list all EBS volumes in the account. Publish a report to Amazon S3.
A production account has a requirement that any Amazon EC2 instance that has been logged into manually must be terminated within 24 hours. All applications in the production account are using Auto Scaling groups with Amazon CloudWatch Logs agent configured. How can this process be automated?
A. Create a CloudWatch Logs subscription to an AWS Step Functions application. Configure the function to add a tag to the EC2 instance that produced the login event and mark the instance to be decommissioned. Then create a CloudWatch Events rule to trigger a second AWS Lambda function once a day that will terminate all instances with this tag.
B. Create a CloudWatch alarm that will trigger on the login event. Send the notification to an Amazon SNS topic that the operations team is subscribed to, and have them terminate the EC2 instance within 24 hours.
C. Create a CloudWatch alarm that will trigger on the login event. Configure the alarm to send to an Amazon SQS queue. Use a group of worker instances to process messages from the queue, which then schedules the Amazon CloudWatch Events rule to trigger.
D. Create a CloudWatch Logs subscription in an AWS Lambda function. Configure the function to add a tag to the EC2 instance that produced the login event and mark the instance to be decommissioned. Create a CloudWatch Events rule to trigger a daily Lambda function that terminates all instances with this tag.
A company has an application that runs on 12 Amazon EC2 instances. The instances run in an Amazon EC2 Auto Scaling group across three Availability Zones. On a typical day each EC2 instance has 30% CPU utilization during business hours and 10% CPU utilization after business hours. The CPU utilization increases suddenly in the first few minutes of business hours each day. Other increases in CPU utilization are gradual. A DevOps engineer needs to optimize costs while maintaining or improving the application's reliability. Which solution meets these requirements?
A. Configure a target tracking scaling policy that is based on the Auto Scaling group’s average CPU utilization, and set a target of 75%. Create a scheduled action for the Auto Scaling group to adjust the desired capacity to six instances just before business hours begin.
B. Configure the Auto Scaling group with two scheduled actions for Amazon EC2 Auto Scaling. Configure one action to start nine EC2 instances at the start of business hours. Configure the other action to stop nine instances at the end of business hours.
C. Change to an AWS Application Auto Scaling group. Configure a target tracking scaling policy that is based on the Auto Scaling group’s average CPU utilization, and set a target of 75%. Create a scheduled action for the Auto Scaling group to adjust the minimum number of instances to three instances at the end of business hours and to reset the number to six instances before business hours begin.
D. Change to an AWS Application Auto Scaling group. Configure a target tracking scaling policy that is based on the Auto Scaling group’s average CPU utilization, and set a target of 75%. Create a scheduled action to terminate nine instances each evening at the end of business hours.
A company uses AWS CodeCommit for source code control. Developers apply their changes to various feature branches and create pull requests to move those changes to the main branch when the changes are ready for production. The developers should not be able to push changes directly to the main branch. The company applied the AWSCodeCommitPowerUser managed policy to the developers' IAM role, and now these developers can push changes to the main branch directly on every repository in the AWS account. What should the company do to restrict the developers' ability to push changes to the main branch directly?
A. Create an additional policy to include a Deny rule for the GitPush and PutFile actions. Include a restriction for the specific repositories in the policy statement with a condition that references the main branch.
B. Remove the IAM policy, and add an AWSCodeCommitReadOnly managed policy. Add an Allow rule for the GitPush and PutFile actions for the specific repositories in the policy statement with a condition that references the main branch.
C. Modify the IAM policy. Include a Deny rule for the GitPush and PutFile actions for the specific repositories in the policy statement with a condition that references the main branch.
D. Create an additional policy to include an Allow rule for the GitPush and PutFile actions. Include a restriction for the specific repositories in the policy statement with a condition that references the feature branches.
A software company wants to automate the build process for a project where the code is stored in GitHub. When the repository is updated, source code should be compiled, tested, and pushed to Amazon S3. Which combination of steps would address these requirements? (Choose three.)
A. Add a buildspec.yml file to the source code with build instructions.
B. Configure a GitHub webhook to trigger a build every time a code change is pushed to the repository.
C. Create an AWS CodeBuild project with GitHub as the source repository.
D. Create an AWS CodeDeploy application with the Amazon EC2/On-Premises compute platform.
E. Create an AWS OpsWorks deployment with the install dependencies command.
F. Provision an Amazon EC2 instance to perform the build.
A company runs applications in AWS accounts that are in an organization in AWS Organizations. The applications use Amazon EC2 instances and Amazon S3. The company wants to detect potentially compromised EC2 instances, suspicious network activity, and unusual API activity in its existing AWS accounts and in any AWS accounts that the company creates in the future. When the company detects one of these events, the company wants to use an existing Amazon Simple Notification Service (Amazon SNS) topic to send a notification to its operational support team for investigation and remediation. Which solution will meet these requirements in accordance with AWS best practices?
A. In the organization’s management account, configure an AWS account as the Amazon GuardDuty administrator account. In the GuardDuty administrator account, add the company’s existing AWS accounts to GuardDuty as members. In the GuardDuty administrator account, create an Amazon EventBridge (Amazon CloudWatch Events) rule with an event pattern to match GuardDuty events and to forward matching events to the SNS topic.
B. In the organization’s management account, configure Amazon GuardDuty to add newly created AWS accounts by invitation and to send invitations to the existing AWS accounts. Create an AWS CloudFormation stack set that accepts the GuardDuty invitation and creates an Amazon EventBridge (Amazon CloudWatch Events) rule. Configure the rule with an event pattern to match GuardDuty events and to forward matching events to the SNS topic. Configure the CloudFormation stack set to deploy into all AWS accounts in the organization.
C. In the organization’s management account, create an AWS CloudTrail organization trail. Activate the organization trail in all AWS accounts in the organization. Create an SCP that enables VPC Flow Logs in each account in the organization. Configure AWS Security Hub for the organization. Create an Amazon EventBridge (Amazon CloudWatch Events) rule with an event pattern to match Security Hub events and to forward matching events to the SNS topic.
D. In the organization’s management account, configure an AWS account as the AWS CloudTrail administrator account. In the CloudTrail administrator account, create a CloudTrail organization trail. Add the company’s existing AWS accounts to the organization trail. Create an SCP that enables VPC Flow Logs in each account in the organization. Configure AWS Security Hub for the organization. Create an Amazon EventBridge (Amazon CloudWatch Events) rule with an event pattern to match Security Hub events and to forward matching events to the SNS topic.
A company's DevOps engineer is working in a multi-account environment. The company uses AWS Transit Gateway to route all outbound traffic through a network operations account. In the network operations account, all account traffic passes through a firewall appliance for inspection before the traffic goes to an internet gateway. The firewall appliance sends logs to Amazon CloudWatch Logs and includes event severities of CRITICAL, HIGH, MEDIUM, LOW, and INFO. The security team wants to receive an alert if any CRITICAL events occur. What should the DevOps engineer do to meet these requirements?
A. Create an Amazon CloudWatch Synthetics canary to monitor the firewall state. If the firewall reaches a CRITICAL state or logs a CRITICAL event, use a CloudWatch alarm to publish a notification to an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the security team’s email address to the topic.
B. Create an Amazon CloudWatch metric filter by using a search for CRITICAL events. Publish a custom metric for the finding. Use a CloudWatch alarm based on the custom metric to publish a notification to an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the security team’s email address to the topic.
C. Enable Amazon GuardDuty in the network operations account. Configure GuardDuty to monitor flow logs. Create an Amazon EventBridge (Amazon CloudWatch Events) event rule that is invoked by GuardDuty events that are CRITICAL. Define an Amazon Simple Notification Service (Amazon SNS) topic as a target. Subscribe the security team’s email address to the topic.
D. Use AWS Firewall Manager to apply consistent policies across all accounts. Create an Amazon EventBridge (Amazon CloudWatch Events) event rule that is invoked by Firewall Manager events that are CRITICAL. Define an Amazon Simple Notification Service (Amazon SNS) topic as a target. Subscribe the security team’s email address to the topic.
A DevOps engineer is implementing governance controls for a company that requires its infrastructure to be housed within the United States. The engineer must restrict which AWS Regions can be used, and ensure an alert is sent as soon as possible if any activity outside the governance policy takes place. The controls should be automatically enabled on any new Region outside the United States (US). Which combination of actions will meet these requirements? (Choose two.)
A. Create an AWS Organizations SCP that denies access to all non-global services in non-US Regions. Attach the policy to the root of the organization.
B. Configure AWS CloudTrail to send logs to Amazon CloudWatch Logs and enable it for all Regions. Use a CloudWatch Logs metric filter to send an alert on any service activity in non-US Regions.
C. Use an AWS Lambda function that checks for AWS service activity and deploy it to all Regions. Write an Amazon EventBridge rule that runs the Lambda function every hour, sending an alert if activity is found in a non-US Region.
D. Use an AWS Lambda function to query Amazon Inspector to look for service activity in non-US Regions and send alerts if any activity is found.
E. Write an SCP using the aws:RequestedRegion condition key limiting access to US Regions. Apply the policy to all users, groups and roles.
The Development team has grown substantially in recent months and so has the number of projects that use separate code repositories. The current process involves configuring AWS CodePipeline manually. There have been service limit alerts regarding the number of Amazon S3 buckets that exist. Which pipeline option will reduce S3 bucket sprawl alerts?
A. Combine the multiple separate code repositories into a single one, and deploy using an AWS CodePipeline that has logic for each project.
B. Create new pipelines by using the AWS API or AWS CLI, and configure them to use a single S3 bucket with separate prefixes for each project.
C. Create a new pipeline in a different region for each project to bypass the service limits for S3 buckets in a single region.
D. Create a new pipeline and S3 bucket for each project by using the AWS API or AWS CLI to bypass the service limits for S3 buckets in a single account.
A company is running an application on Amazon EC2 instances in an Auto Scaling group. Recently, an issue occurred that prevented EC2 instances from launching successfully, and it took several hours for the Support team to discover the issue. The Support team wants to be notified by email whenever an EC2 instance does not start successfully. Which action will accomplish this?
A. Add a health check to the Auto Scaling group to invoke an AWS Lambda function whenever an instance status is impaired.
B. Configure the Auto Scaling group to send a notification to an Amazon SNS topic whenever a failed instance launch occurs.
C. Create an Amazon CloudWatch alarm that invokes an AWS Lambda function when a failed AttachInstances Auto Scaling API call is made.
D. Create a status check alarm on Amazon EC2 to send a notification to an Amazon SNS topic whenever a status check failure occurs.
A company hosts its staging website using an Amazon EC2 instance backed with Amazon EBS storage. The company wants to recover quickly with minimal data losses in the event of network connectivity issues or power failures on the EC2 instance. Which solution will meet these requirements?
A. Add the instance to an EC2 Auto Scaling group with the minimum, maximum, and desired capacity set to 1.
B. Add the instance to an EC2 Auto Scaling group with a lifecycle hook to detach the EBS volume when the EC2 instance shuts down or terminates.
C. Create an Amazon CloudWatch alarm for the StatusCheckFailed_System metric and select the EC2 action to recover the instance.
D. Create an Amazon CloudWatch alarm for the StatusCheckFailed_Instance metric and select the EC2 action to reboot the instance.
A company is using AWS CodePipeline to automate its release pipeline. AWS CodeDeploy is being used in the pipeline to deploy an application to Amazon ECS using the blue/green deployment model. The company wants to implement scripts to test the green version of the application before shifting traffic. These scripts will complete in 5 minutes or less. If errors are discovered during these tests, the application must be rolled back. Which strategy will meet these requirements?
A. Add a stage to the CodePipeline pipeline between the source and deploy stages. Use AWS CodeBuild to create an execution environment and build commands in the buildspec file to invoke test scripts. If errors are found, use the aws deploy stop-deployment command to stop the deployment.
B. Add a stage to the CodePipeline pipeline between the source and deploy stages. Use this stage to execute an AWS Lambda function that will run the test scripts. If errors are found, use the aws deploy stop-deployment command to stop the deployment.
C. Add a hooks section to the CodeDeploy AppSpec file. Use the AfterAllowTestTraffic lifecycle event to invoke an AWS Lambda function to run the test scripts. If errors are found, exit the Lambda function with an error to trigger rollback.
D. Add a hooks section to the CodeDeploy AppSpec file. Use the AfterAllowTraffic lifecycle event to invoke the test scripts. If errors are found, use the aws deploy stop-deployment CLI command to stop the deployment.