A developer is creating an AWS CloudFormation template to deploy Amazon EC2 instances across multiple AWS accounts. The developer must choose the EC2 instances from a list of approved instance types.
How can the developer incorporate the list of approved instance types in the CloudFormation template?

A. Create a separate CloudFormation template for each EC2 instance type in the list.

B. In the Resources section of the CloudFormation template, create resources for each EC2 instance type in the list.

C. In the CloudFormation template, create a separate parameter for each EC2 instance type in the list.

D. In the CloudFormation template, create a parameter with the list of EC2 instance types as Allowed Values.

A developer is deploying a company's application to Amazon EC2 instances. The application generates gigabytes of data files each day. The files are rarely accessed, but the files must be available to the application’s users within minutes of a request during the first year of storage. The company must retain the files for 7 years.
How can the developer implement the application to meet these requirements MOST cost-effectively?

A. Store the files in an Amazon S3 bucket Use the S3 Glacier Instant Retrieval storage class. Create an S3 Lifecycle policy to transition the files to the S3 Glacier Deep Archive storage class after 1 year.

B. Store the files in an Amazon S3 bucket. Use the S3 Standard storage class. Create an S3 Lifecycle policy to transition the files to the S3 Glacier Flexible Retrieval storage class after 1 year.

C. Store the files on an Amazon Elastic Block Store (Amazon EBS) volume. Use Amazon Data Lifecycle Manager (Amazon DLM) to create snapshots of the EBS volumes and to store those snapshots in Amazon S3.

D. Store the files on an Amazon Elastic File System (Amazon EFS) mount. Configure EFS lifecycle management to transition the files to the EFS Standard-Infrequent Access (Standard-IA) storage class after 1 year.

A developer is using AWS Elastic Beanstalk to create a deployment for a web application that supports ecommerce. According to a company requirement. Amazon EC2 instances that host one version of the application must be retired when the deployment of a new version is complete.
Which deployment methods can the developer use to meet this requirement? (Choose two.)

A. All-al-once deployment

B. In-place deployment

C. Rolling deployment without an additional batch

D. Blue/green deployment

E. Immutable deployment

A developer has written the following IAM policy to provide access to an Amazon S3 bucket:
 
Which access does the policy allow regarding the s3:GetObject and s3:PutObject actions?

A. Access on all buckets except the “DOC-EXAMPLE-BUCKET” bucket

B. Access on all buckets that start with “DOC-EXAMPLE-BUCKET” except the “DOC-EXAMPLE-BUCKET/secrets” bucket

C. Access on all objects in the “DOC-EXAMPLE-BUCKET” bucket along with access to all S3 actions for objects in the “DOC-EXAMPLE-BUCKET” bucket that start with “secrets”

D. Access on all objects in the “DOC-EXAMPLE-BUCKET” bucket except on objects that start with “secrets”

A developer is setting up the deployment of application stacks to new test environments by using the AWS Cloud Development Kit (AWS CDK). The application contains the code for several AWS Lambda functions that will be deployed as assets. Each Lambda function is defined by using the AWS CDK Lambda construct library.
The developer has already successfully deployed the application stacks to the alpha environment in the first account by using the AWS CDK CLI’s cdk deploy command. The developer is preparing to deploy to the beta environment in a second account for the first time. The developer makes no significant changes to the CDK code between deployments, but the initial deployment in the second account is unsuccessful and returns a NoSuchBucket error.
Which command should the developer run before redeployment to resolve this error?

A. cdk synth

B. cdk bootstrap

C. cdk init

D. cdk destroy

A company has an application that uses Amazon Cognito user pools as an identity provider. The company must secure access to user records. The company has set up multi-factor authentication (MFA). The company also wants to send a login activity notification by email every time a user logs in.
What is the MOST operationally efficient solution that meets this requirement?

A. Create an AWS Lambda function that uses Amazon Simple Email Service (Amazon SES) to send the email notification. Add an Amazon API Gateway API to invoke the function. Call the API from the client side when login confirmation is received.

B. Create an AWS Lambda function that uses Amazon Simple Email Service (Amazon SES) to send the email notification. Add an Amazon Cognito post authentication Lambda trigger for the function.

C. Create an AWS Lambda function that uses Amazon Simple Email Service (Amazon SES) to send the email notification. Create an Amazon CloudWatch Logs log subscription filter to invoke the function based on the login status.

D. Configure Amazon Cognito to stream all logs to Amazon Kinesis Data Firehose. Create an AWS Lambda function to process the streamed logs and to send the email notification based on the login status of each user.

A developer is building a web application that processes and tracks votes. A voting device submits the votes to an Amazon S3 bucket named DOC-EXAMPLE-BUCKET. The application needs to record the votes to an Amazon DynamoDB table named Example. The developer writes an AWS Lambda function to process the objects. The developer writes the following policy for the execution role of the Lambda function:
 
The developer ran a successful test on the Lambda function. However, the developer could not find a record of the invocation in the logs.
What should the developer do to record invocations of this function in the logs?

A. Modify the Lambda function resource configuration in the AWS Management Console to log Lambda function invocations to Amazon CloudWatch Logs.

B. Modify the Lambda code to produce event log output. Send the event log output to stdout. Redirect the stdout to Amazon CloudWatch Logs.

C. Modify the Lambda execution role to have permissions to a create log groups, log streams, and log events in Amazon CloudWatch Logs.

D. Modify the Lambda invocation permissions to allow DynamoDB and Amazon S3 to log Lambda actions to Amazon CloudWatch Logs.

A developer is implementing an AWS Lambda function that will be invoked when an object is uploaded to Amazon S3. The developer wants to test the Lambda function in a local development machine before publishing the function to a production AWS account.
Which solution will meet these requirements with the LEAST operational overhead?

A. Upload an object to Amazon S3 by using the aws s3api put-object CLI command. Wait for the local Lambda invocation from the S3 event.

B. Create a sample JSON text file for a put object S3 event. Invoke the Lambda function locally. Use the aws lambda invoke CLI command with the JSON file and Lambda function name as arguments.

C. Use the sam local start-lambda CLI command to start Lambda. Use the sam local generate-event s3 put CLI command to create the Lambda test JSON file. Use the sam local invoke CLI command with the JSON file as the argument to invoke the Lambda function.

D. Create a JSON string for the put object S3 event. In the AWS Management Console, use the JSON string to create a test event for the local Lambda function. Perform the test.

A company has deployed an application on AWS Elastic Beanstalk. The company has configured the Auto Scaling group that is associated with the Elastic Beanstalk environment to have five Amazon EC2 instances. If the capacity is fewer than four EC2 instances during the deployment, application performance degrades. The company is using the all-at-once deployment policy.
What is the MOST cost-effective way to solve the deployment issue?

A. Change the Auto Scaling group to six desired instances.

B. Change the deployment policy to traffic splitting. Specify an evaluation time of 1 hour.

C. Change the deployment policy to rolling with additional batch. Specify a batch size of 1.

D. Change the deployment policy to rolling. Specify a batch size of 2.

A developer is migrating an on-premises web application to AWS. The web application allows users to log in and modify their user profiles. The web application consists of a web server and a relational database. The developer has created an Amazon Machine Image (AMI) that will be used to launch Amazon EC2 instances to provide the web server. The developer also has created a database in Amazon RDS.
As part of the migration, the developer wants to create an Amazon EC2 Auto Scaling group to launch the web server instances behind an Application Load Balancer. The launch configuration for the Auto Scaling group will specify the AMI for the web server.
Which additional step should the developer take to give the web application the ability to automatically scale?

A. Select an EC2 instance type that is large enough to handle increased demand.

B. Create an Amazon ElastiCache cluster. Configure the web application to store session state in the cluster.

C. Install the database on one of the EC2 instances. Recreate the AMI from that EC2 instance.

D. Create an RDS read replica. Configure the web application to use the read replica for all read operations.

A developer runs an application that uses an Amazon API Gateway REST API. The developer needs to implement a solution to proactively monitor the health of both API responses and latencies in case a deployment causes a service disruption despite passing deployment pipeline tests. The solution also must check for endpoint vulnerability and unauthorized changes to APIs, URLs, and website content.
Which solution will meet these requirements?

A. Use the Amazon CloudWatch Synthetics canary functionality to call the API and check the responses and duration of the request.

B. Use a custom health check in the API that queries hosts to check the duration of the request.

C. Implement a custom AWS Lambda function with an Amazon EventBridge event to periodically call the API and check the responses and duration of the request.

D. Use the built-in API Gateway metrics to monitor the average duration of the API response.

A company hosts a web application that writes to an Amazon DynamoDB table. Application users frequently observe and report errors. The development team examines Amazon CloudWatch logs and frequently sees the following error:
400 Bad Request ProvisionedThroughputExceededException
What is the cause of this error?

A. The application does not have the required permissions for the DynamoDB table.

B. The item that the application is placing on the table exceeds the item size limit.

C. The development team has not allocated enough space for the table and its indexes.

D. The development team has not allocated enough write capacity units (WCU) for the table and Its indexes.

A company is planning to use AWS CodeDeploy to deploy an application to Amazon Elastic Container Service (Amazon ECS). During the deployment of a new version of the application, the company initially must expose only 10% of live traffic to the new version of the deployed application. Then, after 15 minutes elapse, the company must route all the remaining live traffic to the new version of the deployed application.
Which CodeDeploy predefined configuration will meet these requirements?

A. CodeDeployDefault.ECSCanary10Percent15Minutes

B. CodeDeployDefault.LambdaCanary10Percent5Minutes

C. CodeDeployDefault.LambdaCanary10Percent15Minutes

D. CodeDeployDefault.ECSLinear10PercentEvery1 Minutes

A developer needs to create an application that supports Security Assertion Markup Language (SAML) and authentication with social media providers. It must also allow access to AWS services, such as Amazon DynamoDB.
Which AWS service or feature will meet these requirements with the LEAST amount of additional coding?

A. AWS AppSync

B. Amazon Cognito identity pools

C. Amazon Cognito user pools

D. Amazon Lambda@Edge

A company is developing a microservice that will manage customer account data in an Amazon DynamoDB table. Insert, update, and delete requests will be rare. Read traffic will be heavy. The company must have the ability to access customer data quickly by using a customer ID. The microservice can tolerate stale data.
Which solution will meet these requirements with the FEWEST possible read capacity units (RCUs)?

A. Read the table by using eventually consistent reads.

B. Read the table by using strongly consistent reads.

C. Read the table by using transactional reads.

D. Read the table by using strongly consistent PartiQL queries.

A company hosts a microservices application that uses Amazon API Gateway. AWS Lambda, Amazon Simple Queue Service (Amazon SQS), and Amazon
DynamoDB. One of the Lambda functions adds messages to an SQS FIFO queue.
When a developer checks the application logs, the developer finds a few duplicated items in a DynamoDB table. The items were inserted by another polling function that processes messages from the queue.
What is the MOST likely cause of this issue?

A. Write operations on the DynamoDB table are being throttled.

B. The SQS queue delivered the message to the function more than once.

C. API Gateway duplicated the message in the SQS queue.

D. The polling function timeout is greater than the queue visibility timeout.

An application reads data from an Amazon DynamoDB table. Several times a day, for a period of 15 seconds, me application receives multiple ProvisionedThroughputExceeded errors.
How should this exception be handled?

A. Create a new global secondary index for the table to help with the additional requests.

B. Retry the failed read requests with exponential backoff.

C. Immediately retry the failed read requests.

D. Use the DynamoDB “UpdateItem” API to increase the provisioned throughput capacity of the table.

A company’s mock data from development environments has been appearing in the production environment. The company wants a member of the Admin IAM user group to manually approve all promotions to production in the company’s AWS CodePipeline pipeline before the promotions can proceed.
Which combination of steps will meet these requirements? (Choose two.)

A. Add an approval action to the pipeline. Set the Provider field to Group and the Owner field to the name of the IAM user group. Set the approval action to run before the production deploy action.

B. Add an approval action to the pipeline. Set the Provider field to Manual and the Owner field to AWS. Set the approval action to run before the production deploy action.

C. Add an approval action to the pipeline. Set the Provider field to Manual and the Owner field to the name of the IAM user group. Set the approval action to run before the production deploy action.

D. Add an inline policy to the Admin IAM user group to allow the codepipeline:GetPipeline* action and the codepipeline:PutApprovalResult action. Set the pipeline as the resource for the policy.

E. Add an inline policy to the Admin IAM user group to allow the codepipeline:GetPipeline* action. Set the pipeline as the resource for the policy. Add a second inline policy to allow the codepipeline:PutApprovalResult action. Set the approval action as the resource for the policy.

A development team sets up a project's file directory structure in AWS CodeCommit. The team plans to use AWS CodeBuild and AWS CodeDeploy. The team creates the necessary configuration files for CodeBuild and CodeDeploy. The team wants to name and place these files according to service defaults.
Where should the team place the CodeBuild and CodeDeploy files?

A. A directory named “aws” under the route source directory

B. A directory named “deploy” under the root source directory

C. A directory named “scripts” under the root source directory

D. The root of the source directory

A developer needs to write an AWS CloudFormation template on a local machine and deploy a CloudFormation stack to AWS.
What must the developer do to complete these tasks?

A. Install the AWS CLI. Configure the AWS CLI by using an IAM user name and password.

B. Install the AWS CLI. Configure the AWS CLI by using an SSH key.

C. Install the AWS CLI. Configure the AWS CLI by using an IAM user access key and secret key.

D. Install an AWS software development kit (SDK). Configure the SDK by using an X.509 certificate.

A company configures an Amazon S3 bucket to deliver S3 object events to Amazon EventBridge (Amazon CloudWatch Events). An EventBridge rule invokes an AWS Lambda function for each object event that is received from the S3 bucket.
A developer is working on a new version of the Lambda function. To ensure that the new Lambda function works as expected, the developer must run a repeatable test that uses realistic S3 bucket object events. The developer must minimize the amount of code and infrastructure that are required to support the test.
Which solution will meet these requirements?

A. Create another S3 bucket that can deliver object events to EventBridge. Add another EventBridge rule to deliver data events from the new S3 bucket to the new Lambda function Develop a tool to update objects in the new S3 bucket to produce the test S3 object events.

B. Add the new Lambda function as an additional target of the existing EventBridge rule. Deliver the S3 object events to the existing Lambda function and the new Lambda function simultaneously.

C. Use EventBridge to archive and replay production S3 object events. Set up a new EventBridge rule to deliver replayed S3 object events to the new Lambda function.

D. Develop a tool that uses the EventBridge PutEvents API operation to publish aws.s3 data events. Add a new EventBridge rule that delivers the aws.s3 events to the new Lambda function.

A developer is creating a serverless application that uses an AWS Lambda function The developer will use AWS CloudFormation to deploy the application The application will write logs to Amazon CloudWatch Logs. The developer has created a log group in a CloudFormation template for the application to use. The developer needs to modify the CloudFormation template to make the name of the log group available to the application at runtime.
Which solution will meet this requirement?

A. Use the AWS::Include transform in CloudFormation to provide the log group’s name to the application.

B. Pass the log group’s name to the application in the user data section of the CloudFormation template

C. Use the CloudFormation template’s Mappings section to specify the log group’s name for the application.

D. Pass the log group’s Amazon Resource Name (ARN) as an environment variable to the Lambda function.

A company uses a custom root certificate authority certificate chain (Root CA Cert) that is 10 KB in size to generate SSL certificates for its on-premises HTTPS endpoints. One of the company’s cloud-based applications has hundreds of AWS Lambda functions that pull data from these endpoints. A developer updated the trust store of the Lambda execution environment to use the Root CA Cert when the Lambda execution environment is initialized. The developer bundled the Root CA Cert as a text file in the Lambda deployment bundle.
After 3 months of development, the Root CA Cert is no longer valid and must be updated. The developer needs a more efficient solution to update the Root CA Cert for all deployed Lambda functions. The solution must not include rebuilding or updating all Lambda functions that use the Root CA Cert. The solution must also work for all development, testing, and production environments. Each environment is managed in a separate AWS account.
Which combination of steps should the developer take to meet these requirements MOST cost-effectively? (Choose two.)

A. Store the Root CA Cert as a secret in AWS Secrets Manager. Create a resource-based policy. Add IAM users to allow access to the secret.

B. Store the Root CA Cert as a SecureString parameter in AWS Systems Manager Parameter Store. Create a resource-based policy. Add IAM users to allow access to the policy.

C. Store the Root CA Cert in an Amazon S3 bucket. Create a resource-based policy to allow access to the bucket.

D. Refactor the Lambda code to load the Root CA Cert from the Root CA Cert’s location. Modify the runtime trust store inside the Lambda function handler.

E. Refactor the Lambda code to load the Root CA Cert from the Root CA Cert’s location. Modify the runtime trust store outside the Lambda function handler.

A developer creates an AWS Lambda function to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic. All message content must be encrypted in transit and at rest between Lambda and Amazon SNS.
A part of the Lambda execution role is as follows:
 
Which combination of steps should the developer take to meet these requirements? (Choose two.)

A. Enable server-side encryption on the SNS topic.

B. Add a Deny statement to the Lambda execution role. Specify the SNS topic ARN as the resource. Specify “aws:SecureTransport”: “trueג€ as the condition.

C. Create a VPC endpoint for Amazon SNS.

D. Add a StringEquals condition of “sns:Protocol”: “https” to the Lambda execution role.

E. Add a Deny statement to the Lambda execution role. Specify the SNS topic ARN as the resource. Specify “aws:SecureTransport”: “false” as the condition.

A company has a multi-node Windows legacy application that runs on premises. The application uses a network shared folder as a centralized configuration repository to store configuration files in .xml format. The company is migrating the application to Amazon EC2 instances. As part of the migration to AWS, a developer must identify a solution that provides high availability for the repository.
Which solution will meet this requirement MOST cost-effectively?

A. Mount an Amazon Elastic Block Store (Amazon EBS) volume onto one of the EC2 instances. Deploy a file system on the EBS volume. Use the host operating system to share a folder. Update the application code to read and write configuration files from the shared folder.

B. Deploy a micro EC2 instance with an instance store volume. Use the host operating system to share a folder. Update the application code to read and write configuration files from the shared folder.

C. Create an Amazon S3 bucket to host the repository. Migrate the existing .xml files to the S3 bucket. Update the application code to use the AWS SDK to read and write configuration files from Amazon S3.

D. Create an Amazon S3 bucket to host the repository. Migrate the existing xml files to the S3 bucket. Mount the S3 bucket to the EC2 instances as a local volume. Update the application code to read and write configuration files from the disk.

A company is using AWS CloudFormation to deploy a two-tier application. The application will use Amazon RDS as its backend database. The company wants a solution that will randomly generate the database password during deployment. The solution also must automatically rotate the database password without requiring changes to the application.
What is the MOST operationally efficient solution that meets these requirements?

A. Use an AWS Lambda function as a CloudFormation custom resource to generate and rotate the password.

B. Use an AWS Systems Manager Parameter Store resource with the SecureString data type to generate and rotate the password.

C. Use a cron daemon on the application’s host to generate and relate the password.

D. Use an AWS Secrets Manager resource to generate and rotate the password.

An application runs on multiple EC2 instances behind an ELB.
Where is the session data best written so that it can be served reliably across multiple requests?

A. Write data to Amazon ElastiCache.

B. Write data to Amazon Elastic Block Store.

C. Write data to Amazon EC2 Instance Store.

D. Write data to the root filesystem.

An ecommerce company wants to redirect users to a country-specific website when they enter the example.com website. For example, the company wants to redirect United States users to example.com/us/ and wants to redirect French users to example.com/fr/. The web application is using Amazon CloudFront and an
Application Load Balancer with an Amazon Elastic Container Service (Amazon ECS) cluster. The application's domain name resolution is configured in an
Amazon Route 53 public hosted zone.
Which solution will meet these requirements with the LEAST operational effort?

A. Update the routing policy for the application’s Route 53 record to specify geolocation routing. Configure listener rules based on a unique alias location to redirect requests to the correct URLs by country.

B. Create a CloudFront function to inspect the CloudFront-Viewer-Country header and return redirect responses to different URLs based on user location.

C. On the ECS web server configuration, use a GeoIP database to look up the requested IP address and redirect requests to the correct URLs by country.

D. Use AWS WAF to determine the country of origin. Create an AWS WAF custom rule with a geographic match condition to redirect traffic from each country to the correct URL.

A developer is monitoring an application that runs on an Amazon EC2 instance. The developer has configured a custom Amazon CloudWatch metric with data granularity of 1 second. If any issues occur, the developer wants to be notified within 30 seconds by Amazon Simple Notification Service (Amazon SNS).
What should the developer do to meet this requirement?

A. Configure a high-resolution CloudWatch alarm.

B. Set up a custom CloudWatch dashboard.

C. Use Amazon CloudWatch Logs Insights.

D. Change to a default CloudWatch metric.

A gaming application stores scores for players in an Amazon DynamoDB table that has four attributes user_id, user_name, user_score and user_rank. The users are allowed to update their names only. A user is authenticated by web identity federation.
Which set of conditions should be added in the policy attached to the role for the dynamodb:PutItem API call?

A.

B.

C.

D.

An AWS Lambda function requires read access to an Amazon S3 bucket and requires read/write access to an Amazon DynamoDB table. The correct IAM policy already exists.
What is the MOST secure way to grant the Lambda function access to the S3 bucket and the DynamoDB table?

A. Attach the existing IAM policy to the Lambda function.

B. Create an IAM role for the Lambda function. Attach the existing IAM policy to the role. Attach the role to the Lambda function.

C. Create an IAM user with programmatic access. Attach the existing IAM policy to the user. Add the user access key ID and secret access key as environment variables in the Lambda function.

D. Add the AWS account root user access key ID and secret access key as encrypted environment variables in the Lambda function.

A company stores the photographs in an Amazon S3 bucket. The company wants to resize the photographs automatically after writing the photographs to the S3 bucket. The company creates an AWS Lambda function to resize the photographs.
Which solution will meet these requirements?

A. Configure S3 Event Notifications to invoke the Lambda function

B. Configure an S3 Lifecycle rule to invoke the Lambda function.

C. Configure S3 Select on a schedule to invoke the Lambda function.

D. Configure S3 Storage Lens to invoke the Lambda function.

A developer is writing a new serverless application for a company. Several other developers must collaborate on the code for this application, and the company expects frequent changes to the code. The developer needs to deploy the code from source control to AWS Lambda with the fewest number of manual steps.
Which strategy for the build and deployment should the developer use to meet these requirements?

A. Build the code locally, and then upload the code into the source control system. When a release is needed, run AWS CodePipeline to extract the uploaded build and deploy the resources.

B. Use the AWS Serverless Application Model (AWS SAM) CLI to build and deploy the application from the developer’s local machine with the latest version checked out locally.

C. Use AWS CodeBuild and AWS CodePipeline to invoke builds and corresponding deployments when configured source controlled branches have pull requests merged into them

D. Use the Lambda console to upload a .zip file of the application that is created by the AWS Serverless Application Model (AWS SAM) CLI build command.

A front-end web application is using Amazon Cognito user pools to handle the user authentication flow. A developer is integrating Amazon DynamoDB into the application using the AWS SDK for JavaScript.
How would the developer securely call the API without exposing the access or secret keys?

A. Configure Amazon Cognito identity pools and exchange the JSON Web Token (JWT) for temporary credentials.

B. Run the web application in an Amazon EC2 instance with the instance profile configured.

C. Hardcore the credentials, use Amazon S3 to host the web application, and enable server-side encryption.

D. Use Amazon Cognito user pool JSON Web Tokens (JWITs) to access the DynamoDB APIs.

A company's developer is creating an AWS Lambda function that will read data from an Amazon RDS database. The company's security policies require the database credentials to be encrypted at rest by AWS Key Management Service (AWS KMS) keys. The database credentials must also be automatically rotated. The Lambda function needs to be able to read the database credentials securely.
Which solution will meet these requirements?

A. Create an AWS Secrets Manager secret for the database credentials encrypted with a KMS key. Modify the Lambda function to retrieve the secret from Secrets Manager. Attach a custom IAM policy to the Lambda function execution role to allow access to secretsmanager:GetSecretValue from the secret’s Amazon Resource Name (ARN) and to allow access to kms:Decrypt from the KMS key’s ARN.

B. Create an Amazon S3 bucket for the database credentials. Encrypt the database credentials with server-side encryption with KMS keys (SSE-KMS). Modify the Lambda function to retrieve the database credentials from the S3 bucket. Attach a custom IAM policy to the Lambda function execution role to allow access to S3:GetObject from the S3 bucket’s Amazon Resource Name (ARN) and to allow access to kms:Decrypt from the KMS key’s ARN.

C. Create SecureString parameters in AWS Systems Manager Parameter Store for the database credentials encrypted with a KMS key. Pass the parameter values by using Lambda environment variables. Attach a custom IAM policy to the Lambda function execution role to allow access to ssm:GetParameter from the parameter’s Amazon Resource Name (ARN) and to allow access to kms:Decrypt from the KMS key’s ARN.

D. Create String parameters in AWS Systems Manager Parameter Store for the database credentials encrypted with a KMS key. Pass the parameter values by using Lambda environment variables. Attach a custom IAM policy to the Lambda function execution role to allow access to ssm:GetParameter from the parameter’s Amazon Resource Name (ARN) and to allow access to kms:Decrypt from the KMS key’s ARN.

An application on AWS is using third-party APIs. A developer needs to monitor API errors in the code. The developer needs to receive notifications if failures reach a set threshold value.
How can the developer meet these requirements?

A. Publish a custom metric to Amazon CloudWatch. Create a metric alarm. Use Amazon Simple Email Service (Amazon SES) for notification.

B. Use an Amazon CloudWatch API error metric. Use Amazon Simple Notification Service (Amazon SNS) for notification.

C. Use an Amazon CloudWatch API error metric. Use Amazon Simple Email Service (Amazon SES) for notification.

D. Publish a custom metric to Amazon CloudWatch. Create a metric alarm. Use Amazon Simple Notification Service (Amazon SNS) for notification.

A company is hosting an Amazon API Gateway REST API that calls a single AWS Lambda function. The function is infrequently invoked by multiple clients at the same time. The code performance is optimal, but the company wants to optimize the startup time of the function.
What can a developer do to optimize the initialization of the function?

A. Enable API Gateway caching for the REST API.

B. Configure provisioned concurrency for the Lambda function.

C. Use Lambda proxy integration for the REST API.

D. Configure AWS Global Accelerator for the Lambda function.

A developer is testing an AWS Lambda function by using the AWS Serverless Application Model (AWS SAM) local CLI. The application that is implemented by the
Lambda function makes several AWS API calls by using the AWS software development kit (SDK). The developer wants to allow the function to make AWS API calls in a test AWS account from the developer's laptop.
What should the developer do to meet these requirements?

A. Edit the template.yml file. Add the AWS_ACCESS_KEY_ID property and the AWS_SECRET_ACCESS_KEY property in the Globals section.

B. Add a test profile by using the aws configure command with the –profile option. Run AWS SAM by using the sam local invoke command with the -profile option.

C. Edit the template.yml tile. For the AWS::Serverless::Function resource, set the role to an IAM role in the AWS account.

D. Run the function by using the sam local invoke command. Override the AWS_ACCESS_KEY_ID parameter and the AWS_SECRET_ACCESS_KEY parameter by specifying the –parameter-overrides option.

A development team is working on a mobile app that allows users to upload pictures to Amazon S3. The team expects the app will be used by hundreds of thousands of users during a single event simultaneously. Once the pictures are uploaded, the backend service will scan and parse the pictures for inappropriate content.
Which approach is the MOST resilient way to achieve this goal, which also smooths out temporary volume spikes for the backend service?

A. Develop an AWS Lambda function to check the upload folder in the S3 bucket. If new uploaded pictures are detected, the Lambda function will scan and parse them.

B. Once a picture is uploaded to Amazon S3, publish the event to an Amazon SQS queue. Use the queue as an event source to trigger an AWS Lambda function. In the Lambda function, scan and parse the picture.

C. When the user uploads a picture. invoke an API hosted in Amazon API Gateway. The API will invoke an AWS Lambda function to scan and parse the picture.

D. Create a state machine in AWS Step Functions to check the upload folder in the S3 bucket. If a new picture is detected, invoke an AWS Lambda function to scan and parse it.

A company has developed a new serverless application using AWS Lambda functions that will be deployed using the AWS Serverless Application Model (AWS SAM) CLI.
Which step should the developer complete prior to deploying the application?

A. Compress the application to a .zip file and upload it into AWS Lambda.

B. Test the new AWS Lambda function by first tracing it in AWS X-Ray.

C. Bundle the serverless application using a SAM package.

D. Create the application environment using the eb create my-env command.

A developer is deploying an application that will store files in an Amazon S3 bucket. The files must be encrypted at rest. The developer wants to automatically replicate the files to an S3 bucket in a different AWS Region for disaster recovery.
How can the developer accomplish this task with the LEAST amount of configuration?

A. Encrypt the files by using server-side encryption with S3 managed encryption keys (SSE-S3). Enable S3 bucket replication.

B. Encrypt the files by using server-side encryption (SSE) with an AWS Key Management Service (AWS KMS) customer master key (CMK). Enable S3 bucket replication.

C. Use the s3 sync command to sync the files to the S3 bucket in the other Region.

D. Configure an S3 Lifecycle configuration to automatically transfer files to the S3 bucket in the other Region.

A team of developers is using an AWS CodePipeline pipeline as a continuous integration and continuous delivery (CI/CD) mechanism for a web application. A developer has written unit tests to programmatically test the functionality of the application code. The unit tests produce a test report that shows the results of each individual check. The developer now wants to run these tests automatically during the CI/CD process.
Which solution will meet this requirement with the LEAST operational effort?

A. Write a Git pre-commit hook that runs the tests before every commit. Ensure that each developer who is working on the project has the pre-commit hook installed locally. Review the test report and resolve any issues before pushing changes to AWS CodeCommit.

B. Add a new stage to the pipeline. Use AWS CodeBuild as the provider. Add the new stage after the stage that deploys code revisions to the test environment. Write a buildspec that fails the CodeBuild stage if any test does not pass. Use the test reports feature of CodeBuild to integrate the report with the CodeBuild console. View the test results in CodeBuild. Resolve any issues.

C. Add a new stage to the pipeline. Use AWS CodeBuild as the provider. Add the new stage before the stage that deploys code revisions to the test environment. Write a buildspec that fails the CodeBuild stage if any test does not pass. Use the test reports feature of CodeBuild to integrate the report with the CodeBuild console. View the test results in CodeBuild. Resolve any issues.

D. Add a new stage to the pipeline. Use Jenkins as the provider. Configure CodePipeline to use Jenkins to run the unit tests. Write a Jenkinsfile that fails the stage if any test does not pass. Use the test report plugin for Jenkins to integrate the report with the Jenkins dashboard. View the test results in Jenkins. Resolve any issues.

A research company has a website that is used once each day to perform scientific calculations based on inputs that are submitted through a webpage. The calculations are CPU intensive. An AWS Lambda function performs the calculations once each day. Users occasionally receive errors because of Lambda function timeouts.
Which change will reduce the Lambda function's runtime duration?

A. Configure Lambda to run the function on an Amazon EC2 burstable instance type.

B. Configure Lambda to run the function on an Amazon EC2 instance type that is recommended for high performance computing (HPC) workloads.

C. Configure Lambda to run the function with a larger reserved concurrency value.

D. Configure Lambda to run the function with a larger memory value.

A company has hundreds of AWS Lambda functions that the company's QA team needs to test by using the Lambda function URLs. A developer needs to configure the authentication of the Lambda functions to allow access so that the QA IAM group can invoke the Lambda functions by using the public URLs.
Which solution will meet these requirements?

A. Create a CLI script that loops on the Lambda functions to add a Lambda function URL with the AWS_IAM auth type. Run another script to create an IAM identity-based policy that allows the lambda:InvokeFunctionUrl action to all the Lambda function Amazon Resource Names (ARNs). Attach the policy to the QA IAM group.

B. Create a CLI script that loops on the Lambda functions to add a Lambda function URL with the NONE auth type. Run another script to create an IAM resource-based policy that allows the lambdainvokeFunctionUrl action to all the Lambda function Amazon Resource Names (ARNs). Attach the policy to the QA IAM group.

C. Create a CLI script that loops on the Lambda functions to add a Lambda function URL with the AWS_IAM auth type. Run another script to loop on the Lambda functions to create an IAM identity-based policy that allows the lambdainvokeFunctionUrl action from the QA IAM group’s Amazon Resource Name (ARN).

D. Create a CLI script that loops on the Lambda functions to add a Lambda function URL with the NONE auth type. Run another script to loop on the Lambda functions to create an IAM resource-based policy that allows the lambdainvokeFunctionUrl action from the QA IAM group’s Amazon Resource Name (ARN).

A developer migrated a legacy application to an AWS Lambda function. The function uses a third-party service to pull data with a series of API calls at the end of each month. The function then processes the data to generate the monthly reports. The function has been working with no issues so far.
The third-party service recently issued a restriction to allow a fixed number of API calls each minute and each day. If the API calls exceed the limit for each minute or each day, then the service will produce errors. The API also provides the minute limit and daily limit in the response header. This restriction might extend the overall process to multiple days because the process is consuming more API calls than the available limit.
What is the MOST operationally efficient way to refactor the serverless application to accommodate this change?

A. Use an AWS Step Functions state machine to monitor API failures. Use the Wait state to delay calling the Lambda function.

B. Use an Amazon Simple Queue Service (Amazon SQS) queue to hold the API calls. Configure the Lambda function to poll the queue within the API threshold limits.

C. Use an Amazon CloudWatch Logs metric to count the number of API calls. Configure an Amazon CloudWatch alarm that stops the currently running instance of the Lambda function when the metric exceeds the API threshold limits.

D. Use Amazon Kinesis Data Firehose to batch the API calls and deliver them to an Amazon S3 bucket with an event notification to invoke the Lambda function.

A company's website runs on an Amazon EC2 instance and uses Auto Scaling to scale the environment during peak times. Website users across the world are experiencing high latency due to static content on the EC2 instance, even during non-peak hours.
Which combination of steps will resolve the latency issue? (Choose two.)

A. Double the Auto Scaling group’s maximum number of servers.

B. Host the application code on AWS Lambda.

C. Scale vertically by resizing the EC2 instances.

D. Create an Amazon CloudFront distribution to cache the static content.

E. Store the application’s static content in Amazon S3.

A company is running its application on the most recent generation of hare metal Amazon EC2 instances. A developer is adding a low-latency computation feature to the application. The feature depends on highly sensitive personally identifiable information (PII). When computation occurs on unencrypted data, the feature needs to run in an isolated environment that provides CPU and memory isolation.
Which solution will meet these requirements?

A. Build and deploy the feature on the original EC2 instance store.

B. Add the now feature in the original application. Deploy the application on a Dedicated Host.

C. Package the now feature and deploy the now feature on AWS Lambda. Use AWS Key Management Service (AWS KMS) to encrypt and decrypt the PII.

D. Build and deploy the now feature as part of the original application. Run the feature on AWS Nitro Enclaves.

A developer wants to debug an application by searching and filtering log data. The application logs are stored in Amazon CloudWatch Logs. The developer creates a new metric filter to count exceptions in the application logs. However, no results are returned from the logs.
What is the reason that no filtered results are being returned?

A. A setup of the Amazon CloudWatch interface VPC endpoint is required for filtering the CloudWatch Logs in the VPC.

B. CloudWatch Logs only publishes metric data for events that happen after the filter is created.

C. The log group for CloudWatch Logs should be first streamed to Amazon OpenSearch Service before metric filtering returns the results.

D. Metric data points for logs groups can be filtered only after they are exported to an Amazon S3 bucket.

A company is using Amazon RDS as the backend database for its application. After a recent marketing campaign, a surge of read requests to the database increased the latency of data retrieval from the database.
The company has decided to implement a caching layer in front of the database. The cached content must be encrypted and must be highly available.
Which solution will meet these requirements?

A. Amazon CloudFront

B. Amazon ElastiCache for Memcached

C. Amazon ElastiCache for Redis in cluster mode

D. Amazon DynamoDB Accelerator (DAX)

What does an Amazon SQS delay queue accomplish?

A. Messages are hidden for a configurable amount of time when they are first added to the queue.

B. Messages are hidden for a configurable amount of time after they are consumed from the queue.

C. The consumer can poll the queue for a configurable amount of time before retrieving a message.

D. Messages cannot be deleted for a configurable amount of time after they are consumed from the queue.