A developer is modifying an existing AWS Lambda function. While checking the code, the developer notices hardcoded parameter values for an Amazon RDS for SQL Server user name, password, database, host, and port. There also are hardcoded parameter values for an Amazon DynamoDB table, an Amazon S3 bucket, and an Amazon Simple Notification Service (Amazon SNS) topic.
The developer wants to securely store the parameter values outside the code in an encrypted format and wants to turn on rotation for the credentials. The developer also wants to be able to reuse the parameter values from other applications and to update the parameter values without modifying code.
Which solution will meet these requirements with the LEAST operational overhead?

A. Create an RDS database secret in AWS Secrets Manager. Set the user name, password, database, host, and port. Turn on secret rotation. Create encrypted Lambda environment variables for the DynamoDB table, S3 bucket, and SNS topic.

B. Create an RDS database secret in AWS Secrets Manager. Set the user name, password, database, host, and port. Turn on secret rotation. Create SecureString parameters in AWS Systems Manager Parameter Store for the DynamoDB table, S3 bucket, and SNS topic.

C. Create RDS database parameters in AWS Systems Manager Parameter Store for the user name, password, database, host, and port. Create encrypted Lambda environment variables for the DynamoDB table, S3 bucket, and SNS topic. Create a Lambda function and set the logic for the credentials rotation task. Schedule the credentials rotation task in Amazon EventBridge.

D. Create RDS database parameters in AWS Systems Manager Parameter Store for the user name, password, database, host, and port. Store the DynamoDB table, S3 bucket, and SNS topic in Amazon S3. Create a Lambda function and set the logic for the credentials rotation. Invoke the Lambda function on a schedule.

A developer is building an application on Amazon EC2. The developer encountered an “Access Denied” error on some of the API calls to AWS services while testing. The developer needs to modify permissions that have been already given to the instance.
How can these requirements be met with minimal changes and minimum downtime?

A. Make a new IAM role with the needed permissions. Stop the instance. Attach the new IAM role to the instance. Start the instance.

B. Delete the existing IAM role. Attach a new IAM role with the needed permissions.

C. Stop the instance. Update the attached IAM role adding the needed permissions. Start the instance.

D. Update the attached IAM role adding the needed permissions.

A developer is troubleshooting an application that uses Amazon DynamoDB in the us-west-2 Region. The application is deployed to an Amazon EC2 instance. The application requires read-only permissions to a table that is named Cars. The EC2 instance has an attached IAM role that contains the following IAM policy:
 
When the application tries to read from the Cars table, an Access Denied error occurs.
How can the developer resolve this error?

A. Modify the IAM policy resource to be “arn:aws:dynamodb-us-west-2:account-id:table/*”

B. Modify the IAM policy to include the dynamodb:* action.

C. Create a trust policy that specifies the EC2 service principal. Associate the role with the policy.

D. Create a trust relationship between the role and dynamodb.amazonaws.com.

A company has a web application that runs on Amazon EC2 instances with a custom Amazon Machine Image (AMI). The company uses AWS CloudFormation to provision the application. The application runs in the us-east-1 Region, and the company needs to deploy the application to the us-west-1 Region.
An attempt to create the AWS CloudFormation stack in us-west-1 fails. An error message states that the AMI ID does not exist. A developer must resolve this error with a solution that uses the least amount of operational overhead.
Which solution meets these requirements?

A. Change the AWS CloudFormation templates for us-east-1 and us-west-1 to use an AWS AMI. Relaunch the stack for both Regions.

B. Copy the custom AMI from us-east-1 to us-west-1. Update the AWS CloudFormation template for us-west-1 to refer to AMI ID for the copied AMI. Relaunch the stack.

C. Build the custom AMI in us-west-1. Create a new AWS CloudFormation template to launch the stack in us-west-1 with the new AMI ID.

D. Manually deploy the application outside AWS CloudFormation in us-west-1.

A company is running a software-as-a-service (SaaS) application in its on-premises data center. The application architecture uses a frontend Apache web server to support many customer-specific websites. The Apache web server routes traffic to a different set of servers based on the domain name that is specified in the host header of the initial request.
The company decides to move its architecture to AWS. A developer is moving the customer-specific backend servers onto Amazon EC2 instances. The developer must configure the EC2 instances in Auto Scaling groups for each customer and must register the instances in different target groups. The developer needs to replace the frontend Apache web server with an Elastic Load Balancing (ELB) load balancer. The developer also must forward queries for specific domain names to the appropriate target groups.
Which configuration on AWS will meet these requirements?

A. Use a Network Load Balancer and host-based routing to respective backend target groups.

B. Use a Network Load Balancer and path-based routing to respective backend target groups.

C. Use an Application Load Balancer and host-based routing to respective backend target groups.

D. Use an Application Load Balancer and path-based routing to respective backend target groups.

A company is hosting a workshop for external users and wants to share the reference documents with the external users for 7 days. The company stores the reference documents in an Amazon S3 bucket that the company owns.
What is the MOST secure way to share the documents with the external users?

A. Use S3 presigned URLs to share the documents with the external users. Set an expiration time of 7 days.

B. Move the documents to an Amazon WorkDocs folder Share the links of the WorkDocs folder with the external users.

C. Create temporary IAM users that have read-only access to the S3 bucket. Share the access keys with the external users. Expire the credentials after 7 days.

D. Create a role that has read-only access to the S3 bucket. Share the Amazon Resource Name (ARN) of this role with the external users.

A company is running its website on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances run in an Amazon EC2 Auto Scaling group. A developer needs to secure the internet-facing connection with HTTPS. The developer uses AWS Certificate Manager (ACM) to issue an X.509 certificate.
What should the developer do to secure the connection?

A. Configure the ALB to use the X.509 certificate by using the AWS Management Console.

B. Configure each EC2 instance to use the same X.509 certificate by using the AWS Management Console.

C. Export the root key of the X.509 certificate to an Amazon S3 bucket. Configure each EC2 instance to use the same X.509 certificate from the S3 bucket.

D. Export the root key of the X.509 certificate to an Amazon S3 bucket. Configure the ALB to use the X.509 certificate from the S3 bucket.

A developer runs an application that uses an Amazon API Gateway REST API. The developer needs to implement a solution to proactively monitor the health of both API responses and latencies in case a deployment causes a service disruption despite passing deployment pipeline tests. The solution also must check for endpoint vulnerability and unauthorized changes to APIs, URLs, and website content.
Which solution will meet these requirements?

A. Use the Amazon CloudWatch Synthetics canary functionality to call the API and check the responses and duration of the request.

B. Use a custom health check in the API that queries hosts to check the duration of the request.

C. Implement a custom AWS Lambda function with an Amazon EventBridge event to periodically call the API and check the responses and duration of the request.

D. Use the built-in API Gateway metrics to monitor the average duration of the API response.

An open-source map application gathers data from several geolocation APIs. The application's source code repository is public and can be used by anyone, but the geolocation APIs must not be directly accessible.
A developer must implement a solution to prevent the credentials that are used to access the APIs from becoming public. The solution also must ensure that the application still functions properly.
Which solution will meet these requirements MOST cost-effectively?

A. Store the credentials in AWS Secrets Manager. Retrieve the credentials by using the GetSecretValue API operation.

B. Store the credentials in AWS Key Management Service (AWS KMS). Retrieve the credentials by using the GetPublicKey API operation.

C. Store the credentials in AWS Security Token Service (AWS STS). Retrieve the credentials by using the GetCallerldentity API operation.

D. Store the credentials in AWS Systems Manager Parameter Store. Retrieve the credentials by using the GetParameter API operation.

A Development team is working on a case management solution that allows medical claims to be processed and reviewed. Users log in to provide information related to their medical and financial situations.
As part of the application, sensitive documents such as medical records, medical imaging, bank statements, and receipts are uploaded to Amazon S3. All documents must be securely transmitted and stored. All access to the documents must be recorded for auditing.
What is the MOST secure approach?

A. Use S3 default encryption using Advanced Encryption Standard-256 (AES-256) on the destination bucket.

B. Use Amazon Cognito for authorization and authentication to ensure the security of the application and documents.

C. Use AWS Lambda to encrypt and decrypt objects as they are placed into the S3 bucket.

D. Use client-side encryption/decryption with Amazon S3 and AWS KMS.

A developer needs to launch a new Amazon EC2 instance by using the AWS CLI.
Which AWS CLI command should the developer use to meet this requirement?

A. aws ec2 bundle-instance

B. aws ec2 start-instances

C. aws ec2 confirm-product-instance

D. aws ec2 run instances

A company hosts a client-side web application for one of its subsidiaries on Amazon S3. The web application can be accessed through Amazon CloudFront from https://www.example.com. After a successful rollout, the company wants to host three more client-side web applications for its remaining subsidiaries on three separate S3 buckets.
To achieve this goal, a developer moves all the common JavaScript files and web fonts to a central S3 bucket that serves the web applications. However, during testing, the developer notices that the browser blocks the JavaScript files and web fonts.
What should the developer do to prevent the browser from blocking the JavaScript files and web fonts?

A. Create four access points that allow access to the central S3 bucket. Assign an access point to each web application bucket.

B. Create a bucket policy that allows access to the central S3 bucket. Attach the bucket policy to the central S3 bucket.

C. Create a cross-origin resource sharing (CORS) configuration that allows access to the central S3 bucket. Add the CORS configuration to the central S3 bucket.

D. Create a Content-MD5 header that provides a message integrity check for the central S3 bucket. Insert the Content-MD5 header for each web application request.

A company has copies of customer ID cards in its on-premises system. The company wants the on-premises system to automatically upload the ID card images directly to an Amazon S3 bucket.
What is the MOST secure way to meet this requirement?

A. Use the AWS SDK to upload the images to the S3 bucket directly from the on-premises system. Create an IAM user. Attach the user to a policy that includes the s3:PutObject permission. Configure the on-premises system to use the generated access key and secrets to authenticate access to AWS.

B. Use the AWS SDK to upload the images to the S3 bucket directly from the on-premises system. Create an IAM role. Attach the role to a policy that includes the s3:PutObject permission. Configure the on-premises system to use the AssumeRole functionality in the AWS SDK to authenticate access to AWS.

C. Use S3 presigned URLs to upload the images to the S3 bucket directly from the on-premises system. Generate the presigned URLs by using an AWS Lambda function and a private REST API endpoint. Create an AWS Site-to-Site VPN connection between the on-premises network and the VPC to allow the on-premises system to call the API to receive the presigned URLs.

D. Use S3 presigned URLs to upload the images to the S3 bucket directly from the on-premises system. Generate the presigned URLs by using an AWS Lambda function and a public REST API endpoint. Secure the API by adding an Amazon Cognito authorizer. Create a user for the on-premises system to use for authentication to call the API to receive the presigned URLs.

A developer has created a Node.js web application on a local development machine. The developer wants to use AWS technology to host the website. The developer needs a solution that requires the least possible operational overhead and no code changes.
Which AWS service should the developer use to meet these requirements?

A. AWS Elastic Beanstalk

B. Amazon EC2

C. AWS Lambda

D. Amazon Elastic Kubernetes Service (Amazon EKS)

A company uses the AWS SDK for JavaScript in the Browser to build a web application and then hosts the application on Amazon S3. The company wants the application to support 10,000 users concurrently. The company selects Amazon DynamoDB to store user preferences in a table. There is a requirement to uniquely identify users at any scale.
Which solution will meet these requirements?

A. Create a user cookie. Attach an 1AM role to the S3 bucket that hosts the application.

B. Deploy an Amazon CloudFront distribution with an origin access identity (OAI) to access the S3 bucket.

C. Configure and use Amazon Cognito. Access DynamoDB with the authenticated users.

D. Create an IAM user for each user. Use fine-grained access control on the DynamoDB table to control access.

A company's website runs on an Amazon EC2 instance and uses Auto Scaling to scale the environment during peak times. Website users across the world are experiencing high latency due to static content on the EC2 instance, even during non-peak hours.
Which combination of steps will resolve the latency issue? (Choose two.)

A. Double the Auto Scaling group’s maximum number of servers.

B. Host the application code on AWS Lambda.

C. Scale vertically by resizing the EC2 instances.

D. Create an Amazon CloudFront distribution to cache the static content.

E. Store the application’s static content in Amazon S3.

A distributed application includes an AWS Lambda function that runs successfully in the DEV environment with 128 MB of memory assigned. The same function is failing in the TEST environment. The developer is monitoring the application using AWS X-Ray, but the Lambda function cannot be seen on the X-Ray service graph. The Lambda execution role has AWS X-Ray permissions.
What is the MOST LIKELY cause for AWS X-Ray not showing any data for the Lambda function?

A. The AWS SDK needs to be included in the AWS Lambda deployment package.

B. VPC Flow Logs are not enabled for the application VPC.

C. Active tracing needs to be enabled for the Lambda function.

D. The memory needs to be increased to 2 GB for the TEST environments.

A developer is building a three-tier application with an Application Load Balancer (ALB), Amazon EC2 instances, and Amazon RDS. There is an alias record in Amazon Route 53 that points to the ALB. When the developer tries to access the ALB from a laptop, the request times out.
Which logs should the developer investigate to verify that the request is reaching the AWS network?

A. VPC Flow Logs

B. Amazon Route 53 logs

C. AWS Systems Manager Agent logs

D. Amazon CloudWatch agent logs

A developer is deploying an AWS Lambda function. The developer wants the ability to return to older versions of the function quickly and seamlessly.
How can the developer achieve this goal with the LEAST operational overhead?

A. Use AWS OpsWorks to perform blue/green deployments.

B. Use a function alias with different versions.

C. Maintain deployment packages for older versions in Amazon S3.

D. Use AWS CodePipeline for deployments and rollbacks.

An application on AWS is using third-party APIs. A developer needs to monitor API errors in the code. The developer needs to receive notifications if failures reach a set threshold value.
How can the developer meet these requirements?

A. Publish a custom metric to Amazon CloudWatch. Create a metric alarm. Use Amazon Simple Email Service (Amazon SES) for notification.

B. Use an Amazon CloudWatch API error metric. Use Amazon Simple Notification Service (Amazon SNS) for notification.

C. Use an Amazon CloudWatch API error metric. Use Amazon Simple Email Service (Amazon SES) for notification.

D. Publish a custom metric to Amazon CloudWatch. Create a metric alarm. Use Amazon Simple Notification Service (Amazon SNS) for notification.

A developer is storing sensitive data generated by an application in Amazon S3. The developer wants to encrypt the data at rest A company policy requires an audit trail of when the AWS Key Management Service (AWS KMS) key was used and by whom.
Which encryption option will meet these requirements?

A. Server-side encryption with Amazon S3 managed keys (SSE-S3)

B. Server-side encryption with AWS KMS managed keys (SSE-KMS)

C. Server-side encryption with customer-provided keys (SSE-C)

D. Server-side encryption with self-managed keys

A Developer accesses AWS CodeCommit over SSH. The SSH keys configured to access AWS CodeCommit are tied to a user with the following permissions:
 
The Developer needs to create/delete branches.
Which specific IAM permissions need to be added, based on the principle of least privilege?

A. “codecommit:CreateBranch”“codecommit:DeleteBranch”

B. “codecommit:Put*”

C. “codecommit:Update*”

D. “codecommit:*”

A game stores user game data in an Amazon DynamoDB table. Individual users should not have access to other users' game data.
How can this be accomplished?

A. Encrypt the game data with individual user keys.

B. Restrict access to specific items based on certain primary key values.

C. Stage data in SQS queues to inject metadata before accessing DynamoDB.

D. Read records from DynamoDB and discard irrelevant data client-side.

A developer needs to deploy an application running on AWS Fargate using Amazon ECS. The application has environment variables that must be passed to a container for the application to initialize.
How should the environment variables be passed to the container?

A. Define an array that includes the environment variables under the environment parameter within the service definition.

B. Define an array that includes the environment variables under the environment parameter within the task definition.

C. Define an array that includes the environment variables under the entryPoint parameter within the task definition.

D. Define an array that includes the environment variables under the entryPoint parameter within the service definition.

An application under development is required to store hundreds of video files. The data must be encrypted within the application prior to storage, with a unique key for each video file.
How should the Developer code the application?

A. Use the KMS Encrypt API to encrypt the data. Store the encrypted data key and data.

B. Use a cryptography library to generate an encryption key for the application. Use the encryption key to encrypt the data. Store the encrypted data.

C. Use the KMS GenerateDataKey API to get a data key. Encrypt the data with the data key. Store the encrypted data key and data.

D. Upload the data to an S3 bucket using server side-encryption with an AWS KMS key.

A company's developer is building a static website to be deployed in Amazon S3 for a production environment. The website integrates with an Amazon Aurora PostgreSQL database by using an AWS Lambda function. The website that is deployed to production will use a Lambda alias that points to a specific version of the Lambda function.
The company must rotate the database credentials every 2 weeks. Lambda functions that the company deployed previously must be able to use the most recent credentials.
Which solution will meet these requirements?

A. Store the database credentials in AWS Secrets Manager. Turn on rotation. Write code in the Lambda function to retrieve the credentials from Secrets Manager.

B. Include the database credentials as part of the Lambda function code. Update the credentials periodically and deploy the new Lambda function.

C. Use Lambda environment variables. Update the environment variables when new credentials are available.

D. Store the database credentials in AWS Systems Manager Parameter Store Turn on rotation. Write code in the Lambda function to retrieve the credentials from Systems Manager Parameter Store.

A gaming application stores scores for players in an Amazon DynamoDB table that has four attributes user_id, user_name, user_score and user_rank. The users are allowed to update their names only. A user is authenticated by web identity federation.
Which set of conditions should be added in the policy attached to the role for the dynamodb:PutItem API call?

A.

B.

C.

D.

An organization is storing large files in Amazon S3, and is writing a web application to display meta-data about the files to end-users. Based on the metadata a user selects an object to download. The organization needs a mechanism to index the files and provide single-digit millisecond latency retrieval for the metadata.
What AWS service should be used to accomplish this?

A. Amazon DynamoDB

B. Amazon EC2

C. AWS Lambda

D. Amazon RDS

A developer supports an application that accesses data in an Amazon DynamoDB table. One of the item attributes is expiration Date in the timestamp format. The application uses this attribute to find items, archive them, and remove them from the table based on the timestamp value.
The application will be decommissioned soon, and the developer must find another way to implement this functionality. The developer needs a solution that will require the least amount of code to write.
Which solution will meet these requirements?

A. Enable TTL on the expirationDate attribute in the table. Create a DynamoDB stream. Create an AWS Lambda function to process the deleted items. Create a DynamoDB trigger for the Lambda function.

B. Create two AWS Lambda functions: one to delete the items and one to process the items. Create a DynamoDB stream. Use the DeleteItem API operation to delete the items based on the expirationDate attribute. Use the GetRecords API operation to get the items from the DynamoDB stream and process them.

C. Create two AWS Lambda functions: one to delete the items and one to process the items. Create an Amazon EventBridge (Amazon CloudWatch Events) scheduled rule to invoke the Lambda functions. Use the DeleteItem API operation to delete the items based on the expirationDate attribute. Use the GetRecords API operation to get the items from the DynamoDB table and process them.

D. Enable TTL on the expirationDate attribute in the table. Specify an Amazon Simple Queue Service (Amazon SQS) dead-letter queue as the target to delete the items. Create an AWS Lambda function to process the items.

A company has three different environments: Development. QA, and Production. The company wants to deploy its code first in the Development environment, then QA, and then Production.
Which AWS service can be used to meet this requirement?

A. Use AWS CodeCommit to create multiple repositories to deploy the application.

B. Use AWS CodeBuild to create, configure, and deploy multiple build application projects.

C. Use AWS Data Pipeline to create multiple data pipeline provisions to deploy the application.

D. Use AWS CodeDeploy to create multiple deployment groups.

A developer must extend an existing application that is based on the AWS Serverless Application Model (AWS SAM). The developer has used the AWS SAM CLI to create the project. The project contains different AWS Lambda functions.
Which combination of commands must the developer use to redeploy the AWS SAM application? (Choose two.)

A. sam init

B. sam validate

C. sam build

D. sam deploy

E. sam publish

A developer is writing a mobile application that allows users to view images from an S3 bucket. The users must be able to log in with their Amazon login, as well as supported social media accounts.
How can the developer provide this authentication functionality?

A. Use Amazon Cognito with web identity federation.

B. Use Amazon Cognito with SAML-based identity federation.

C. Use IAM access keys and secret keys in the application code to allow Get* on the S3 bucket.

D. Use AWS STS AssumeRole in the application code and assume a role with Get* permissions on the S3 bucket.

A developer has created a REST API using Amazon API Gateway. The developer wants to log who and how each caller accesses the API. The developer also wants to control how long the logs are kept.
What should the developer do to meet these requirements?

A. Enable API Gateway execution logging. Delete old logs using API Gateway retention settings.

B. Enable API Gateway access logs. Use Amazon CloudWatch retention settings to delete old logs.

C. Enable detailed Amazon CloudWatch metrics. Delete old logs with a recurring AWS Lambda function.

D. Create and use API Gateway usage plans. Delete old logs with a recurring AWS Lambda function.

A company is running an application on AWS Elastic Beanstalk in a single-instance environment. The company’s deployments must avoid any downtime.
Which deployment option will meet these requirements?

A. All at once

B. Rolling

C. Rolling with additional batch

D. Immutable

A company hosts a three-tier web application on AWS behind an Amazon CloudFront distribution. A developer wants a dashboard to monitor error rates and anomalies of the CloudFront distribution with the shortest possible refresh interval.
Which combination of slops should the developer take to meet these requirements? (Choose two.)

A. Activate real-time logs on the CloudFront distribution. Create a stream in Amazon Kinesis Data Streams.

B. Export the CloudFront logs to an Amazon S3 bucket. Detect anomalies and error rates with Amazon QuickSight.

C. Configure Amazon Kinesis Data Streams to deliver logs to Amazon OpenSearch Service (Amazon Elasticsearch Service). Create a dashboard in OpenSearch Dashboards (Kibana).

D. Create Amazon CloudWatch alarms based on expected values of selected CloudWatch metrics to detect anomalies and errors.

E. Design an Amazon CloudWatch dashboard of the selected CloudFront distribution metrics.

A developer has discovered that an application responsible for processing messages in an Amazon SQS queue is routinely falling behind. The application is capable of processing multiple messages in one invocation, but is only receiving one message at a time.
What should the developer do to increase the number of messages the application receives?

A. Call the ChangeMessageVisibility API for the queue and set MaxNumberOfMessages to a value greater than the default of 1.

B. Call the AddPermission API to set MaxNumberOfMessages for the ReceiveMessage action to a value greater than the default of 1.

C. Call the ReceiveMessage API to set MaxNumberOfMessages to a value greater than the default of 1.

D. Call the SetQueueAttributes API for the queue and set MaxNumberOfMessages to a value greater than the default of 1.

When a Developer tries to run an AWS CodeBuild project, it raises an error because the length of all environment variables exceeds the limit for the combined maximum of characters.
What is the recommended solution?

A. Add the export LC_ALL=ג€en_US.utf8ג€ command to the pre_build section to ensure POSIX localization.

B. Use Amazon Cognito to store key-value pairs for large numbers of environment variables.

C. Update the settings for the build project to use an Amazon S3 bucket for large numbers of environment variables.

D. Use AWS Systems Manager Parameter Store to store large numbers of environment variables.

A static website is hosted in an Amazon S3 bucket. Several HTML pages on the site use JavaScript to download images from another Amazon S3 bucket. These images are not displayed when users browse the site.
What is the possible cause for the issue?

A. The referenced Amazon S3 bucket is in another region.

B. The images must be stored in the same Amazon S3 bucket.

C. Port 80 must be opened on the security group in which the Amazon S3 bucket is located.

D. Cross Origin Resource Sharing must be enabled on the Amazon S3 bucket.

A company is working on a new serverless application. A developer needs to find an automated way to deploy AWS Lambda functions and the dependent infrastructure with minimum coding effort. The application also needs to be reliable.
Which method will meet these requirements with the LEAST operational overhead?

A. Build the application by using shell scripts to create .zip files for each Lambda function. Manually upload the .zip files to the AWS Management Console.

B. Build the application by using the AWS Serverless Application Model (AWS SAM). Use a continuous integration and continuous delivery (CI/CD) pipeline and the SAM CLI to deploy the Lambda functions.

C. Build the application by using shell scripts to create .zip files for each Lambda function. Upload the .zip files. Deploy the .zip files as Lambda functions by using the AWS CLI in a continuous integration and continuous delivery (CI/CD) pipeline.

D. Build a container for each Lambda function. Store the container images in AWS CodeArtifact. Deploy the containers as Lambda functions by using the AWS CLI in a continuous integration and continuous delivery (CI/CD) pipeline.

An application is processing clickstream data using Amazon Kinesis. The clickstream data feed into Kinesis experiences periodic spikes. The PutRecords API call occasionally fails and the logs show that the failed call returns the response shown below:
 
Which techniques will help mitigate this exception? (Choose two.)

A. Implement retries with exponential backoff.

B. Use a PutRecord API instead of PutRecords.

C. Reduce the frequency and/or size of the requests.

D. Use Amazon SNS instead of Kinesis.

E. Reduce the number of KCL consumers.

A developer is writing an application to analyze the traffic to a fleet of Amazon EC2 instances. The EC2 instances run behind a public Application Load Balancer
(ALB). An HTTP server runs on each of the EC2 instances, logging all requests to a log file.
The developer wants to capture the client public IP addresses. The developer analyzes the log files and notices only the IP address of the ALB.
What must the developer do to capture the client public IP addresses in the log file?

A. Add a Host header to the HTTP server log configuration file.

B. Install the Amazon CloudWatch Logs agent on each EC2 instance. Configure the agent to write to the log file.

C. Install the AWS X-Ray daemon on each EC2 instance. Configure the daemon to write to the log file.

D. Add an X-Forwarded-For header to the HTTP server log configuration file.

A Developer is working on an application that handles 10MB documents that contain highly-sensitive data. The application will use AWS KMS to perform client- side encryption.
What steps must be followed?

A. Invoke the Encrypt API passing the plaintext data that must be encrypted, then reference the customer managed key ARN in the KeyId parameter

B. Invoke the GenerateRandom API to get a data encryption key, then use the data encryption key to encrypt the data

C. Invoke the GenerateDataKey API to retrieve the encrypted version of the data encryption key to encrypt the data

D. Invoke the GenerateDataKey API to retrieve the plaintext version of the data encryption key to encrypt the data

A company's developer is creating an AWS Lambda function that will read data from an Amazon RDS database. The company's security policies require the database credentials to be encrypted at rest by AWS Key Management Service (AWS KMS) keys. The database credentials must also be automatically rotated. The Lambda function needs to be able to read the database credentials securely.
Which solution will meet these requirements?

A. Create an AWS Secrets Manager secret for the database credentials encrypted with a KMS key. Modify the Lambda function to retrieve the secret from Secrets Manager. Attach a custom IAM policy to the Lambda function execution role to allow access to secretsmanager:GetSecretValue from the secret’s Amazon Resource Name (ARN) and to allow access to kms:Decrypt from the KMS key’s ARN.

B. Create an Amazon S3 bucket for the database credentials. Encrypt the database credentials with server-side encryption with KMS keys (SSE-KMS). Modify the Lambda function to retrieve the database credentials from the S3 bucket. Attach a custom IAM policy to the Lambda function execution role to allow access to S3:GetObject from the S3 bucket’s Amazon Resource Name (ARN) and to allow access to kms:Decrypt from the KMS key’s ARN.

C. Create SecureString parameters in AWS Systems Manager Parameter Store for the database credentials encrypted with a KMS key. Pass the parameter values by using Lambda environment variables. Attach a custom IAM policy to the Lambda function execution role to allow access to ssm:GetParameter from the parameter’s Amazon Resource Name (ARN) and to allow access to kms:Decrypt from the KMS key’s ARN.

D. Create String parameters in AWS Systems Manager Parameter Store for the database credentials encrypted with a KMS key. Pass the parameter values by using Lambda environment variables. Attach a custom IAM policy to the Lambda function execution role to allow access to ssm:GetParameter from the parameter’s Amazon Resource Name (ARN) and to allow access to kms:Decrypt from the KMS key’s ARN.

A company is using AWS CodePipeline pipelines to deploy development Amazon EC2 instances for multiple teams. All the pipelines are using the same AWS CloudFormation template to deploy the EC2 instances and create dedicated CloudFormation stacks for each team. Each pipeline passes a parameter that is named TeamName to the CloudFormation stack to tag resources with the appropriate team’s name.
The company discovers that each team's usage of EC2 instances is not consistent with the type of EC2 instances that the teams are deploying. The company needs to allow the teams to deploy different types of EC2 instances.
Which solution will meet this requirement with the LEAST change to the pipelines?

A. For each team, use a dedicated CloudFormation template that includes different types of EC2 instances. Update CodePipeline to use the dedicated template for each team.

B. For each team, use a dedicated CloudFormation template that includes an InstanceType parameter and a value that is specific to the team’s requirement. Update CodePipeline to use the dedicated template for each team

C. Update the CloudFormation template by creating an InstanceType parameter. Update CodePipeline to pass the InstanceType parameter value that is specific to the team’s requirement.

D. Update the CloudFormation template by adding a map for the instance types to the Mappings section. Create a list of all the teams. Configure the required instance type for each team in the map.

An application running on Amazon EC2 opens connections to an Amazon RDS SQL Server database. The developer does not want to store the user name and password for the database in the code. The developer would also like to automatically rotate the credentials.
What is the MOST secure way to store and access the database credentials?

A. Create an IAM role that has permissions to access the database. Attach the role to the EC2 instance.

B. Use AWS Secrets Manager to store the credentials. Retrieve the credentials from Secrets Manager as needed.

C. Store the credentials in an encrypted text file in an Amazon S3 bucket. Configure the EC2 instance’s user data to download the credentials from Amazon S3 as the instance boots.

D. Store the user name and password credentials directly in the source code. No further action is needed because the source code is stored in a private repository.

A company’s mock data from development environments has been appearing in the production environment. The company wants a member of the Admin IAM user group to manually approve all promotions to production in the company’s AWS CodePipeline pipeline before the promotions can proceed.
Which combination of steps will meet these requirements? (Choose two.)

A. Add an approval action to the pipeline. Set the Provider field to Group and the Owner field to the name of the IAM user group. Set the approval action to run before the production deploy action.

B. Add an approval action to the pipeline. Set the Provider field to Manual and the Owner field to AWS. Set the approval action to run before the production deploy action.

C. Add an approval action to the pipeline. Set the Provider field to Manual and the Owner field to the name of the IAM user group. Set the approval action to run before the production deploy action.

D. Add an inline policy to the Admin IAM user group to allow the codepipeline:GetPipeline* action and the codepipeline:PutApprovalResult action. Set the pipeline as the resource for the policy.

E. Add an inline policy to the Admin IAM user group to allow the codepipeline:GetPipeline* action. Set the pipeline as the resource for the policy. Add a second inline policy to allow the codepipeline:PutApprovalResult action. Set the approval action as the resource for the policy.

A developer is creating a serverless web application and maintains different branches of code. The developer wants to avoid updating the Amazon API Gateway target endpoint each time a new code push is performed.
What solution would allow the developer to perform a code push efficiently, without the need to update the API Gateway?

A. Associate different AWS Lambda functions to an API Gateway target endpoint.

B. Create different stages in API Gateway. then associate API Gateway with AWS Lambda.

C. Create aliases and versions in AWS Lambda.

D. Tag the AWS Lambda functions with different names.

A developer is debugging an AWS Lambda function behind an Amazon API Gateway. Whenever the API Gateway endpoint is called, HTTP status code 200 is returned even though AWS Lambda is recording a 4xx error.
What change needs to be made to return a proper error code through the API Gateway?

A. Enable CORS in the API Gateway method settings

B. Use a Lambda proxy integration to return HTTP codes and headers

C. Enable API Gateway error pass-through.

D. Return the value in the header x-Amzn-ErrorType.

A developer is using an AWS Key Management Service (AWS KMS) customer master key (CMK) with imported key material to encrypt data in Amazon S3. The developer accidentally deletes the key material of the CMK and is unable to decrypt the data.
How can the developer decrypt the data that was encrypted by the CMK?

A. Request support from AWS to recover the deleted key material.

B. Create a new CMK. Use the new CMK to decrypt the data.

C. Use the CMK without the key material.

D. Reimport the same key material to the CMK.

A developer is using AWS CodeDeploy to automate a company's application deployments to Amazon EC2.
Which application specification file properties are required to ensure the software deployments do not fail? (Choose two.)

A. The file must be a JSON-formatted file named appspec.json.

B. The file must be a YAML-formatted file named appspec.yml.

C. The file must be stored in AWS CodeBuild and referenced from the application’s source code.

D. The file must be placed in the root of the directory structure of the application’s source code.

E. The file must be stored in Amazon S3 and referenced from the application’s source code.