A developer maintains an Amazon API Gateway REST API. Customers use the API through a frontend UI and Amazon Cognito authentication.
The developer has a new version of the API that contains new endpoints and backward-incompatible interface changes. The developer needs to provide beta access to other developers on the team without affecting customers.
Which solution will meet these requirements with the LEAST operational overhead?

A. Define a development stage on the API Gateway API. Instruct the other developers to point the endpoints to the development stage.

B. Define a new API Gateway API that points to the new API application code. Instruct the other developers to point the endpoints to the new API.

C. Implement a query parameter in the API application code that determines which code version to call.

D. Specify new API Gateway endpoints for the API endpoints that the developer wants to add.

A developer is writing a mobile application that allows users to view images from an S3 bucket. The users must be able to log in with their Amazon login, as well as supported social media accounts.
How can the developer provide this authentication functionality?

A. Use Amazon Cognito with web identity federation.

B. Use Amazon Cognito with SAML-based identity federation.

C. Use IAM access keys and secret keys in the application code to allow Get* on the S3 bucket.

D. Use AWS STS AssumeRole in the application code and assume a role with Get* permissions on the S3 bucket.

A software company is using AWS CodeBuild to build an application. The buildspec runs the application build and creates a Docker image that contains the application. The company needs to push the Docker image to Amazon Elastic Container Registry (Amazon ECR) only upon the completion of each successful build.
Which solution meets these requirements?

A. Change the buildspec by adding a post_build phase that uses the commands block to push the Docker image.

B. Change the buildspec by adding a post_build phase that uses the finally block to push the Docker image.

C. Specify the Docker image in the buildspec’s artifacts sequence with an action to push the image.

D. Use a batch build to define a build matrix. Use the batch build to push the Docker image.

A developer is building a serverless application that is based on AWS Lambda. The developer initializes the AWS software development kit (SDK) outside of the
Lambda handler function.
What is the PRIMARY benefit of this action?

A. Improves legibility and stylistic convention

B. Takes advantage of runtime environment reuse

C. Provides better error handling

D. Creates a new SDK instance for each invocation

When a Developer tries to run an AWS CodeBuild project, it raises an error because the length of all environment variables exceeds the limit for the combined maximum of characters.
What is the recommended solution?

A. Add the export LC_ALL=ג€en_US.utf8ג€ command to the pre_build section to ensure POSIX localization.

B. Use Amazon Cognito to store key-value pairs for large numbers of environment variables.

C. Update the settings for the build project to use an Amazon S3 bucket for large numbers of environment variables.

D. Use AWS Systems Manager Parameter Store to store large numbers of environment variables.

A company has a two-tier application that consists of a frontend application and an Amazon RDS for MySQL database. The frontend application retrieves data from the database. The data consists of postal codes and their associated geographic coordinates The application performs many more database reads than writes. The application retrieves each postal code from the database thousands of times each day.
A developer must improve the performance of the application to decrease latency.
Which change should the developer make to the application to meet these requirements?

A. Modify the application to use a lazy loading caching strategy with a small TTL value.

B. Modify the application to use a write-behind caching strategy.

C. Modify the application to use a write-through caching strategy.

D. Modify the application to use a lazy loading caching strategy with a large TTL value.

A developer is implementing an AWS Lambda function that will be invoked when an object is uploaded to Amazon S3. The developer wants to test the Lambda function in a local development machine before publishing the function to a production AWS account.
Which solution will meet these requirements with the LEAST operational overhead?

A. Upload an object to Amazon S3 by using the aws s3api put-object CLI command. Wait for the local Lambda invocation from the S3 event.

B. Create a sample JSON text file for a put object S3 event. Invoke the Lambda function locally. Use the aws lambda invoke CLI command with the JSON file and Lambda function name as arguments.

C. Use the sam local start-lambda CLI command to start Lambda. Use the sam local generate-event s3 put CLI command to create the Lambda test JSON file. Use the sam local invoke CLI command with the JSON file as the argument to invoke the Lambda function.

D. Create a JSON string for the put object S3 event. In the AWS Management Console, use the JSON string to create a test event for the local Lambda function. Perform the test.

A company’s social media application stores image files in an Amazon S3 bucket. All the images are stored in S3 Standard storage. Users access images frequently during the first week after images are uploaded. Users rarely access images that were uploaded more than 1 week ago.
The company needs a solution to reduce the application’s storage cost. Users must be able to access all images in the same amount of time, regardless of when the images were uploaded.
Which solution will meet these requirements with the LEAST amount of effort?

A. Modify the application to use S3 Intelligent-Tiering for all the images.

B. Modify the application to use S3 One Zone-Infrequent Access (S3 One Zone-IA) for all the images.

C. Use an S3 Lifecycle policy to move images that were uploaded more than 1 week ago to S3 Glacier Deep Archive.

D. Use an S3 Lifecycle policy to move images that were uploaded more than 1 week ago to S3 Glacier Flexible Retrieval.

A developer is building a web and mobile application for two types of users: regular users and guest users. Regular users are required to log in, but guest users do not log in. Users should see only their data, regardless of whether they authenticate. Users need AWS credentials before they can access AWS resources.
What is the MOST secure solution that the developer can implement to allow access for guest users?

A. Use an Amazon Cognito credentials provider to issue temporary credentials that are linked to an unauthenticated role that has access to the required resources.

B. Set up an IAM user that has permissions to the required resources. Hardcode the IAM credentials in the web and mobile application.

C. Generate temporary keys that are stored in AWS Key Management Service (AWS KMS). Use the temporary keys to access the required resources.

D. Generate temporary credentials. Store the temporary credentials in AWS Secrets Manager. Use the temporary credentials to access the required resources.

A developer is deploying on application on Amazon EC2 instances that run in Account A. In certain cases, this application needs to read data from a private
Amazon S3 bucket in Account B. The developer must provide the application access to the S3 bucket without exposing the S3 bucket to anyone else.
Which combination of actions should the developer take to meet these requirements? (Choose two.)

A. Create an IAM role with S3 read permissions in Account B.

B. Update the instance profile IAM role in Account A with S3 read permissions.

C. Make the S3 bucket public with limited access for Account A.

D. Configure the bucket policy in Account B to grant permissions to the instance profile role.

E. Add a trust policy that allows s3:Get* permissions to the IAM rote in Account B.

A banking application processes thousands of transactions each second. Each transaction payload must have end-to-end encryption. The application encrypts each transaction locally by using the AWS Key Management Service (AWS KMS) GenerateDataKey operation. A developer is testing the application and receives a ThrottlingException error.
Which actions are best practices to resolve this error? (Choose two.)

A. Use the LocalCryptoMatenalsCache feature of the AWS Encryption SDK encryption library.

B. Call the AWS KMS Encrypt operation directly to allow AWS KMS to encrypt the data.

C. Create a case in the AWS Support Center to increase the quota for the account.

D. Use Amazon Simple Queue Service (Amazon SQS) to queue the requests to AWS KMS.

E. Switch to an AWS KMS custom key store.

A company's developer is creating an AWS Lambda function that will read data from an Amazon RDS database. The company's security policies require the database credentials to be encrypted at rest by AWS Key Management Service (AWS KMS) keys. The database credentials must also be automatically rotated. The Lambda function needs to be able to read the database credentials securely.
Which solution will meet these requirements?

A. Create an AWS Secrets Manager secret for the database credentials encrypted with a KMS key. Modify the Lambda function to retrieve the secret from Secrets Manager. Attach a custom IAM policy to the Lambda function execution role to allow access to secretsmanager:GetSecretValue from the secret’s Amazon Resource Name (ARN) and to allow access to kms:Decrypt from the KMS key’s ARN.

B. Create an Amazon S3 bucket for the database credentials. Encrypt the database credentials with server-side encryption with KMS keys (SSE-KMS). Modify the Lambda function to retrieve the database credentials from the S3 bucket. Attach a custom IAM policy to the Lambda function execution role to allow access to S3:GetObject from the S3 bucket’s Amazon Resource Name (ARN) and to allow access to kms:Decrypt from the KMS key’s ARN.

C. Create SecureString parameters in AWS Systems Manager Parameter Store for the database credentials encrypted with a KMS key. Pass the parameter values by using Lambda environment variables. Attach a custom IAM policy to the Lambda function execution role to allow access to ssm:GetParameter from the parameter’s Amazon Resource Name (ARN) and to allow access to kms:Decrypt from the KMS key’s ARN.

D. Create String parameters in AWS Systems Manager Parameter Store for the database credentials encrypted with a KMS key. Pass the parameter values by using Lambda environment variables. Attach a custom IAM policy to the Lambda function execution role to allow access to ssm:GetParameter from the parameter’s Amazon Resource Name (ARN) and to allow access to kms:Decrypt from the KMS key’s ARN.

A developer is using an AWS CodeCommit repository to store source code for an application. The developer is using an AWS CodePipeline pipeline to deploy the application. The pipeline does not start automatically and must be started manually when a deployment is needed.
The developer needs to configure the pipeline to start automatically.
Which solution meets this requirement with the LEAST delay?

A. Create a webhook in the CodeCommit repository to directly call the CodePipeline API to start the pipeline.

B. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to start the pipeline upon the detection of changes in the CodeCommit repository.

C. Configure the pipeline to poll the CodeCommit repository for changes and to start automatically when changes are detected.

D. Create a CodeCommit trigger for an Amazon Simple Notification Service (Amazon SNS) topic. Configure the SNS topic to post to the CodePipeline API to start the pipeline.

A developer is creating an application that will give users the ability to store photos from their cellphones in the cloud. The application needs to support tens of thousands of users. The application uses an Amazon API Gateway REST API that is integrated with AWS Lambda functions to process the photos. The application stores details about the photos in Amazon DynamoDB.
Users need to create an account to access the application. In the application, users must be able to upload photos and retrieve previously uploaded photos. The photos will range in size from 300 KB to 5 MB.
Which solution will meet these requirements with the LEAST operational overhead?

A. Use Amazon Cognito user pools to manage user accounts. Create an Amazon Cognito user pool authorizer in API Gateway to control access to the API. Use the Lambda function to store the photos and details in the DynamoDB table. Retrieve previously uploaded photos directly from the DynamoDB table.

B. Use Amazon Cognito user pools to manage user accounts. Create an Amazon Cognito user pool authorizer in API Gateway to control access to the API. Use the Lambda function to store the photos in Amazon S3. Store the object’s S3 key as part of the photo details in the DynamoDB table. Retrieve previously uploaded photos by querying DynamoDB for the S3 key.

C. Create an IAM user for each user of the application during the sign-up process. Use IAM authentication to access the API Gateway API. Use the Lambda function to store the photos in Amazon S3. Store the object’s S3 key as part of the photo details in the DynamoDB table. Retrieve previously uploaded photos by querying DynamoDB for the S3 key.

D. Create a user’s table in DynamoDB. Use the table to manage user accounts. Create a Lambda authorizer that validates user credentials against the users table. Integrate the Lambda authorizer with API Gateway to control access to the API. Use the Lambda function to store the photos in Amazon S3. Store the object’s S3 key as part of the photo details in the DynamoDB table. Retrieve previously uploaded photos by querying DynamoDB for the S3 key.

A company uses the AWS SDK for JavaScript in the Browser to build a web application and then hosts the application on Amazon S3. The company wants the application to support 10,000 users concurrently. The company selects Amazon DynamoDB to store user preferences in a table. There is a requirement to uniquely identify users at any scale.
Which solution will meet these requirements?

A. Create a user cookie. Attach an 1AM role to the S3 bucket that hosts the application.

B. Deploy an Amazon CloudFront distribution with an origin access identity (OAI) to access the S3 bucket.

C. Configure and use Amazon Cognito. Access DynamoDB with the authenticated users.

D. Create an IAM user for each user. Use fine-grained access control on the DynamoDB table to control access.

A developer is building a web application that uses Amazon API Gateway to expose an AWS Lambda function to process requests from clients. During testing, the developer notices that the API Gateway times out even though the Lambda function finishes under the set time limit.
Which of the following API Gateway metrics in Amazon CloudWatch can help the developer troubleshoot the issue? (Choose two.)

A. CacheHitCount

B. IntegrationLatency

C. CacheMissCount

D. Latency

E. Count

An open-source map application gathers data from several geolocation APIs. The application's source code repository is public and can be used by anyone, but the geolocation APIs must not be directly accessible.
A developer must implement a solution to prevent the credentials that are used to access the APIs from becoming public. The solution also must ensure that the application still functions properly.
Which solution will meet these requirements MOST cost-effectively?

A. Store the credentials in AWS Secrets Manager. Retrieve the credentials by using the GetSecretValue API operation.

B. Store the credentials in AWS Key Management Service (AWS KMS). Retrieve the credentials by using the GetPublicKey API operation.

C. Store the credentials in AWS Security Token Service (AWS STS). Retrieve the credentials by using the GetCallerldentity API operation.

D. Store the credentials in AWS Systems Manager Parameter Store. Retrieve the credentials by using the GetParameter API operation.

A developer has a legacy application that is hosted on-premises. Other applications hosted on AWS depend on the on-premises application for proper functioning.
In case of any application errors, the developer wants to be able to use Amazon CloudWatch to monitor and troubleshoot all applications from one place.
How can the developer accomplish this?

A. Install an AWS SDK on the on-premises server to automatically send logs to CloudWatch.

B. Download the CloudWatch agent to the on-premises server. Configure the agent to use IAM user credentials with permissions for CloudWatch.

C. Upload log files from the on-premises server to Amazon S3 and have CloudWatch read the files.

D. Upload log files from the on-premises server to an Amazon EC2 instance and have the instance forward the logs to CloudWatch.

An ecommerce application is running behind an Application Load Balancer. A developer observes some unexpected load on the application during non-peak hours. The developer wants to analyze patterns for the client IP addresses that use the application.
Which HTTP header should the developer use for this analysis?

A. The X-Forwarded-Proto header

B. The X-Forwarded-Host header

C. The X-Forwarded-For header

D. The X-Forwarded-Port header

A developer created a web API that receives requests by using an internet-facing Application Load Balancer (ALB) with an HTTPS listener. The developer configures an Amazon Cognito user pool and wants to ensure that every request to the API is authenticated through Amazon Cognito.
What should the developer do to meet this requirement?

A. Add a listener rule to the listener to return a fixed response if the Authorization header is missing. Set the fixed response to 401 Unauthorized.

B. Create an authentication action for the listener rules of the ALSet the rule action type to authenticate-cognito. Set the OnUnauthenticatedRequest field to “deny.”

C. Create an Amazon API Gateway API. Configure all API methods to be forwarded to the ALB endpoint. Create an authorizer of the COGNITO_USER_POOLS type. Configure every API method to use that authorizer.

D. Create a new target group that includes an AWS Lambda function target that validates the Authorization header by using Amazon Cognito. Associate the target group with the listener.

A software engineer developed an AWS Lambda function in Node.js to do some CPU-intensive data processing. With the default settings, the Lambda function takes about 5 minutes to complete.
Which approach should a developer take to increase the speed of completion?

A. Instead of using Node.js. rewrite the Lambda function using Python.

B. Instead of packaging the libraries in the ZIP file with the function, move them to a Lambda layer and use the layer with the function.

C. Allocate the maximum available CPU units to the function.

D. Increase the available memory to the function.

A company has moved a legacy on-premises application to AWS by performing a lift and shift. The application exposes a REST API that can be used to retrieve billing information. The application is running on a single Amazon EC2 instance. The application code cannot support concurrent invocations. Many clients access the API, and the company adds new clients all the time.
A developer is concerned that the application might become overwhelmed by too many requests. The developer needs to limit the number of requests to the API for all current and future clients. The developer must not change the API, the application, or the client code.
What should the developer do to meet these requirements?

A. Place the API behind an Amazon API Gateway API. Set the server-side throttling limits.

B. Place the API behind a Network Load Balancer. Set the target group throttling limits.

C. Place the API behind an Application Load Balancer. Set the target group throttling limits.

D. Place the API behind an Amazon API Gateway API. Set the per-client throttling limits.

A static website is hosted in an Amazon S3 bucket. Several HTML pages on the site use JavaScript to download images from another Amazon S3 bucket. These images are not displayed when users browse the site.
What is the possible cause for the issue?

A. The referenced Amazon S3 bucket is in another region.

B. The images must be stored in the same Amazon S3 bucket.

C. Port 80 must be opened on the security group in which the Amazon S3 bucket is located.

D. Cross Origin Resource Sharing must be enabled on the Amazon S3 bucket.

A developer supports an application that accesses data in an Amazon DynamoDB table. One of the item attributes is expiration Date in the timestamp format. The application uses this attribute to find items, archive them, and remove them from the table based on the timestamp value.
The application will be decommissioned soon, and the developer must find another way to implement this functionality. The developer needs a solution that will require the least amount of code to write.
Which solution will meet these requirements?

A. Enable TTL on the expirationDate attribute in the table. Create a DynamoDB stream. Create an AWS Lambda function to process the deleted items. Create a DynamoDB trigger for the Lambda function.

B. Create two AWS Lambda functions: one to delete the items and one to process the items. Create a DynamoDB stream. Use the DeleteItem API operation to delete the items based on the expirationDate attribute. Use the GetRecords API operation to get the items from the DynamoDB stream and process them.

C. Create two AWS Lambda functions: one to delete the items and one to process the items. Create an Amazon EventBridge (Amazon CloudWatch Events) scheduled rule to invoke the Lambda functions. Use the DeleteItem API operation to delete the items based on the expirationDate attribute. Use the GetRecords API operation to get the items from the DynamoDB table and process them.

D. Enable TTL on the expirationDate attribute in the table. Specify an Amazon Simple Queue Service (Amazon SQS) dead-letter queue as the target to delete the items. Create an AWS Lambda function to process the items.

A team of developers must migrate an application running inside an AWS Elastic Beanstalk environment from a Classic Load Balancer to an Application Load Balancer.
Which steps should be taken to accomplish the task using the AWS Management Console?

A. 1. Update the application code in the existing deployment.2. Select a new load balancer type before running the deployment3. Deploy the new version of the application code to the environment

B. 1. Create a new environment with the same configurations except for the load balancer type.2. Deploy the same application version as used in the original environment.3. Run the swap-environment-cnames action

C. 1. Clone the existing environment, changing the associated load balancer type.2. Deploy the same application version as used in the original environment.3. Run the swap-environment-cnames action

D. 1. Edit the environment definitions in the existing deployment.2. Change the associated load balancer type according to the requirements.3. Rebuild the environment with the new load balancer type.

A developer is writing an application in AWS Lambda. To simplify testing and deployments, the developer needs the database connection string to be easily changed without modifying the Lambda code.
How can this requirement be met?

A. Store the connection string as a secret in AWS Secrets Manager.

B. Store the connection string in an IAM user account.

C. Store the connection string in AWS KMS.

D. Store the connection string as a Lambda layer.

A developer is working on an application that is deployed on an Amazon EC2 instance. The application needs to transfer a file to an Amazon S3 bucket.
What should the developer do to authenticate the application's access to the S3 bucket in the MOST secure way?

A. Create an access key for an IAM user. Store the access key in the application’s environment variables.

B. Create an IAM role. Create an access key for the role. Store the access key in the application’s environment variables.

C. Associate an IAM role with the EC2 instance. Use the instance metadata service to retrieve the credentials.

D. Configure a bucket policy for the S3 bucket. Allow access from the EC2 instance ID in the bucket policy.

A company has an application where reading objects from Amazon S3 is based on the type of user. The user types are registered user and guest user. The company has 25,000 users and is growing. Information is pulled from an S3 bucket depending on the user type.
Which approaches are recommended to provide access to both user types? (Choose two.)

A. Provide a different access key and secret access key in the application code for registered users and guest users to provide read access to the objects.

B. Use S3 bucket policies to restrict read access to specific IAM users.

C. Use Amazon Cognito to provide access using authenticated and unauthenticated roles.

D. Create a new IAM user for each user and grant read access.

E. Use the AWS IAM service and let the application assume the different roles using the AWS Security Token Service (AWS STS) AssumeRole action depending on the type of user and provide read access to Amazon S3 using the assumed role.

A developer is storing JSON files in an Amazon S3 bucket. The developer wants to securely share an object with a specific group of people.
How can the developer securely provide temporary access to the objects that are stored in the S3 bucket?

A. Set object retention on the files. Use the AWS software development kit (SDK) to restore the object before subsequent requests. Provide the bucket’s S3 URL.

B. Use the AWS software development kit (SDK) to generate a presigned URL. Provide the presigned URL.

C. Set a bucket policy that restricts access after a period of time. Provide the bucket’s S3 URL.

D. Configure static web hosting on the S3 bucket. Provide the bucket’s web URL.

A 3D printing company has developed a proof-of-concept application that is running on AWS Elastic Beanstalk. The application displays a list of products that are available for 3D printing, in addition to any available customizations. When the company deploys new versions of the application, the company wants to ensure that there is no application downtime. Additionally, the application must remain at the same level of server capacity throughout the deployment.
Which deployment strategies will meet these requirements? (Choose two.)

A. All-at-once

B. Rolling

C. Rolling with additional batch

D. Immutable

E. All-at-once with additional batch

A developer is deploying a company's application to Amazon EC2 instances. The application generates gigabytes of data files each day. The files are rarely accessed, but the files must be available to the application’s users within minutes of a request during the first year of storage. The company must retain the files for 7 years.
How can the developer implement the application to meet these requirements MOST cost-effectively?

A. Store the files in an Amazon S3 bucket Use the S3 Glacier Instant Retrieval storage class. Create an S3 Lifecycle policy to transition the files to the S3 Glacier Deep Archive storage class after 1 year.

B. Store the files in an Amazon S3 bucket. Use the S3 Standard storage class. Create an S3 Lifecycle policy to transition the files to the S3 Glacier Flexible Retrieval storage class after 1 year.

C. Store the files on an Amazon Elastic Block Store (Amazon EBS) volume. Use Amazon Data Lifecycle Manager (Amazon DLM) to create snapshots of the EBS volumes and to store those snapshots in Amazon S3.

D. Store the files on an Amazon Elastic File System (Amazon EFS) mount. Configure EFS lifecycle management to transition the files to the EFS Standard-Infrequent Access (Standard-IA) storage class after 1 year.

A developer is building a three-tier application with an Application Load Balancer (ALB), Amazon EC2 instances, and Amazon RDS. There is an alias record in Amazon Route 53 that points to the ALB. When the developer tries to access the ALB from a laptop, the request times out.
Which logs should the developer investigate to verify that the request is reaching the AWS network?

A. VPC Flow Logs

B. Amazon Route 53 logs

C. AWS Systems Manager Agent logs

D. Amazon CloudWatch agent logs

A company has deployed an application on AWS Elastic Beanstalk. The company has configured the Auto Scaling group that is associated with the Elastic Beanstalk environment to have five Amazon EC2 instances. If the capacity is fewer than four EC2 instances during the deployment, application performance degrades. The company is using the all-at-once deployment policy.
What is the MOST cost-effective way to solve the deployment issue?

A. Change the Auto Scaling group to six desired instances.

B. Change the deployment policy to traffic splitting. Specify an evaluation time of 1 hour.

C. Change the deployment policy to rolling with additional batch. Specify a batch size of 1.

D. Change the deployment policy to rolling. Specify a batch size of 2.

A developer is automating a new application deployment with AWS Serverless Application Model (AWS SAM). The new application has one AWS Lambda function and one Amazon S3 bucket. The Lambda function must access the S3 bucket to only read objects.
How should the developer configure AWS SAM to grant the necessary read privilege to the S3 bucket?

A. Reference a second Lambda authorizer function.

B. Add a custom S3 bucket policy to the Lambda function.

C. Create an Amazon Simple Queue Service (SQS) topic for only S3 object reads Reference the topic in the template.

D. Add the S3ReadPolicy template to the Lambda function’s execution role.

A development team has been using a builder server that is hosted on an Amazon EC2 instance to perform builds and deployments for the last 3 months. The
EC2 instance's instance profile uses an IAM role that contains the Administrator Access managed policy. The development team must replace that policy with a policy that provides only the required permissions.
What is the FASTEST way to create a custom 1AM policy for the EC2 instance to meet this requirement?

A. Create a new IAM policy based on services that the build server deployed or updated in the last 3 months.

B. Create a new IAM policy that includes all actions that AWS CloudTrail recorded for the IAM role in the last 3 months.

C. Create a new permissions boundary policy that denies all access. Associate the permissions boundaries with the IAM role.

D. Create a new IAM policy by using Amazon Athena to query an Amazon S3 bucket that contains AWS CloudTrail events that the IAM role performed in the last 3 months.

A developer is configuring an Amazon CloudFront distribution for a new application to provide encryption in transit. The application is running in the eu-west-1
Region. The developer creates a new certificate in AWS Certificate Manager (ACM) in eu-west-1, but the certificate is not visible in the CloudFront distribution settings.
What should the developer do to fix this problem?

A. Create the certificate for the domain in the same Region as the application. Ensure that the alternate domain name (CNAME) in the distribution settings matches the domain name in the certificate.

B. Create the certificate in the eu-west-1 Region. Ensure that the alternate domain name (CNAME) in the distribution settings matches the domain name in the certificate.

C. Recreate the CloudFront distribution in the same Region as the certificate.

D. Specify the ACM certificate name as the default root object of the CloudFront distribution.

An application is using Amazon DynamoDB as its data store, and should be able to read 100 items per second as strongly consistent reads. Each item is 5 KB in size.
To what value should the table's provisioned read throughput be set?

A. 50 read capacity units

B. 100 read capacity units

C. 200 read capacity units

D. 500 read capacity units

A company maintains a REST service using Amazon API Gateway and the API Gateway native API key validation. The company recently launched a new registration page, which allows users to sign up for the service. The registration page creates a new API key using CreateApiKey and sends the new key to the user. When the user attempts to call the API using this key, the user receives a 403 Forbidden error. Existing users are unaffected and can still call the API.
What code updates will grant these new users access to the API?

A. The createDeployment method must be called so the API can be redeployed to include the newly created API key.

B. The updateAuthorizer method must be called to update the API’s authorizer to include the newly created API key.

C. The importApiKeys method must be called to import all newly created API keys into the current stage of the API.

D. The createUsagePlanKey method must be called to associate the newly created API key with the correct usage plan.

A company wants to migrate applications from its on-premises servers to AWS. As a first step, the company is modifying and migrating a non-critical application to a single Amazon EC2 instance. The application will store information in an Amazon S3 bucket. The company needs to follow security best practices when deploying the application on AWS.
Which approach should the company take to allow the application to interact with Amazon S3?

A. Create an IAM role that has administrative access to AWS. Attach the role to the EC2 instance.

B. Create an IAM user. Attach the AdministratorAccess policy. Copy the generated access key and secret key. Within the application code, use the access key and secret key along with the AWS SDK to communicate with Amazon S3.

C. Create an IAM role that has the necessary access to Amazon S3. Attach the role to the EC2 instance.

D. Create an IAM user. Attach a policy that provides the necessary access to Amazon S3. Copy the generated access key and secret key. Within the application code, use the access key and secret key along with the AWS SDK to communicate with Amazon S3.

An application that is deployed to Amazon EC2 is using Amazon DynamoDB. The application calls the DynamoDB REST API. Periodically, the application receives a ProvisionedThroughputExceededException error when the application writes to a DynamoDB table.
Which solutions will mitigate this error MOST cost-effectively? (Choose two.)

A. Modify the application code to perform exponential backoff when the error is received.

B. Modify the application to use the AWS SDKs for DynamoDB.

C. Increase the read and write throughput of the DynamoDB table.

D. Create a DynamoDB Accelerator (DAX) cluster for the DynamoDB table.

E. Create a second DynamoDB table. Distribute the reads and writes between the two tables.

A developer is using an Amazon Kinesis Data Firehose delivery stream to store data in Amazon S3. Before storing the data in Amazon S3, the developer wants to enrich the data by combining the data with data from an Amazon DynamoDB table.
How can the developer implement the data enrichment?

A. Create a Kinesis Data Firehose data transformation by using an Amazon EC2 instance.

B. Configure the Kinesis Data Firehose delivery stream to send data to a Kinesis data stream. Enrich the data by using an AWS Lambda function.

C. Configure the Kinesis Data Firehose delivery stream to store data in the DynamoDB table. Export the table to Amazon S3.

D. Create a Kinesis Data Firehose data transformation by using an AWS Lambda function.

A developer is writing a serverless application that requires an AWS Lambda function to be invoked every 10 minutes.
What is an automated and serverless way to invoke the function?

A. Deploy an Amazon EC2 instance based on Linux, and edit its /etc/crontab file by adding a command to periodically invoke the Lambda function.

B. Configure an environment variable named PERIOD for the Lambda function. Set the value to 600.

C. Create an Amazon EventBridge (Amazon CloudWatch Events) rule that runs on a regular schedule to invoke the Lambda function.

D. Create an Amazon Simple Notification Service (Amazon SNS) topic that has a subscription to the Lambda function with a 600-second timer.

A developer is building an application that runs behind an Application Load Balancer (ALB). The ALB is configured as the origin for an Amazon CloudFront distribution. Users will log in to the application by using their social media accounts.
How can the developer authenticate users?

A. Validate the users by inspecting the tokens in an AWS Lambda authorizer on the ALB.

B. Configure the ALB to use Amazon Cognito as one of the authentication providers.

C. Configure CloudFront to use Amazon Cognito as one of the authentication providers.

D. Validate the users by calling the Amazon Cognito API in an AWS Lambda authorizer on the ALB.

A company is expanding the compatibility of its photo-sharing mobile app to hundreds of additional devices with unique screen dimensions and resolutions. Photos are stored in Amazon S3 in their original format and resolution. The company uses an Amazon CloudFront distribution to serve the photos. The app includes the dimension and resolution of the display as GET parameters with every request.
A developer needs to implement a solution that optimizes the photos that are served to each device to reduce load time and increase photo quality.
Which solution will meet these requirements MOST cost-effectively?

A. Use S3 Batch Operations to invoke an AWS Lambda function to create new variants of the photos with the required dimensions and resolutions. Create a dynamic CloudFront origin that automatically maps the request of each device to the corresponding photo variant.

B. Use S3 Batch Operations to invoke an AWS Lambda function to create new variants of the photos with the required dimensions and resolutions. Create a Lambda@Edge function to route requests to the corresponding photo variant by using request headers.

C. Create a Lambda@Edge function that optimizes the photos upon request and returns the photos as a response. Change the CloudFront TTL cache policy to the maximum value possible.

D. Create a Lambda@Edge function that optimizes the photos upon request and returns the photos as a response. In the same function, store a copy of the processed photos on Amazon S3 for subsequent requests.

How would a developer notify users when a new item is written to a DynamoDB table without affecting the provisioned throughput?

A. Set up a DynamoDB stream to trigger a Lambda function that sends an SNS notification to users.

B. Schedule an Amazon CloudWatch event to regularly trigger a Lambda function that scans the DynamoDB table.

C. Run a polling application that queries the DynamoDB table at one-second intervals and send SNS notification to users.

D. Embed a Lambda notification function in DynamoDB and configure DynamoDB to trigger the embedded Lambda function when changes are made.

A website allows users to upload photos to Amazon S3. An S3 event invokes an AWS Lambda function that uses the Amazon Rekognition DetectLabels operation to detect real-world objects within a photo. The website needs to store this data in a search index to allow users to quickly locate all photos associated with a label.
Which solution will meet these requirements?

A. Store username and label values as S3 object tags. Retrieve and index the objects based on the tag by calling the describe-tags API with the username and label value.

B. Store username and label values as S3 object metadata keys. Include the “x-amz-meta-” prefix for each key. Search by metadata to find all the objects that share the username and label value.

C. Insert an item for each S3 key, label, and user combination into an Amazon DynamoDB table. Create a global secondary index with the username as the partition key and the label as the sort key. Call the QueryItem API on the index to find all the objects that share the username and label value

D. Insert an item for each S3 key, label, and user combination into an Amazon DynamoDB global secondary index. Define the username as the partition key. Define the label as the sort key. Call the QueryItem API on the index to find all the objects that share the username and label value.

A developer designed an application on an Amazon EC2 instance. The application makes API requests to objects in an Amazon S3 bucket.
Which combination of steps will ensure that the application makes the API requests in the MOST secure manner? (Choose two.)

A. Create an IAM user that has permissions to the S3 bucket. Add the user to an IAM group.

B. Create an IAM role that has permissions to the S3 bucket.

C. Add the IAM role to an instance profile. Attach the instance profile to the EC2 instance.

D. Create an IAM role that has permissions to the S3 bucket. Assign the role to an 1AM group.

E. Store the credentials of the IAM user in the environment variables on the EC2 instance.

A company created an application to consume and process data. The application uses Amazon Simple Queue Service (Amazon SQS) and AWS Lambda functions. The application is currently working as expected, but it occasionally receives several messages that it cannot process properly. The company needs to clear these messages to prevent the queue from becoming blocked.
A developer must implement a solution that makes queue processing always operational. The solution must give the company the ability to defer the messages with errors and save these messages for further analysis.
What is the MOST operationally efficient solution that meets these requirements?

A. Configure Amazon CloudWatch Logs to save the error messages to a separate log stream.

B. Create a new SQS queue. Set the new queue as a dead-letter queue for the application queue. Configure the Maximum Receives setting.

C. Change the SQS queue to a FIFO queue. Configure the message retention period to 0 seconds.

D. Configure an Amazon CloudWatch alarm for Lambda function errors. Publish messages to an Amazon Simple Notification Service (Amazon SNS) topic to notify administrator users.

A developer is writing a new AWS Serverless Application Model (AWS SAM) template with a new AWS Lambda function. The Lambda function runs complex code. The developer wants to test the Lambda function with more CPU power.
What should the developer do to meet this requirement?

A. Increase the runtime engine version.

B. Increase the timeout.

C. Increase the number of Lambda layers.

D. Increase the memory.

A company is using Amazon OpenSearch Service to implement an audit monitoring system. A developer needs to create an AWS CloudFormation custom resource that is associated with an AWS Lambda function to configure the OpenSearch Service domain. The Lambda function must access the OpenSearch Service domain by using OpenSearch Service internal master user credentials.
What is the MOST secure way to pass these credentials to the Lambda function?

A. Use a CloudFormation parameter to pass the master user credentials at deployment to the OpenSearch Service domain’s MasterUserOptions and the Lambda function’s environment variable. Set the NoEcho attribute to true.

B. Use a CloudFormation parameter to pass the master user credentials at deployment to the OpenSearch Service domain’s MasterUserOptions and to create a parameter in AWS Systems Manager Parameter Store. Set the NoEcho attribute to true. Create an IAM role that has the ssm GetParameter permission. Assign the role to the Lambda function. Store the parameter name as the Lambda function’s environment variable. Resolve the parameter’s value at runtime

C. Use a CloudFormation parameter to pass the master user credentials at deployment to the OpenSearch Service domain’s MasterUserOptions and the Lambda function’s environment variable. Encrypt the parameter’s value by using the AWS Key Management Service (AWS KMS) encrypt command.

D. Use CloudFormation to create an AWS Secrets Manager secret. Use a CloudFormation dynamic reference to retrieve the secret’s value for the OpenSearch Service domain’s MasterUserOptions. Create an IAM role that has the secretsmanager:GetSecretValue permission. Assign the role to the Lambda function. Store the secret’s name as the Lambda function’s environment variable. Resolve the secret’s value at runtime.