PDF Only

$49.00 Free Updates Upto 90 Days
- DOP-C02 Dumps PDF
- 250 Questions
- Updated On February 04, 2025
PDF + Test Engine

$69.00 Free Updates Upto 90 Days
- DOP-C02 Question Answers
- 250 Questions
- Updated On February 04, 2025
Test Engine

$59.00 Free Updates Upto 90 Days
- DOP-C02 Practice Questions
- 250 Questions
- Updated On February 04, 2025
How to pass Amazon DOP-C02 exam with the help of dumps?
DumpsPool provides you the finest quality resources you’ve been looking for to no avail. So, it's due time you stop stressing and get ready for the exam. Our Online Test Engine provides you with the guidance you need to pass the certification exam. We guarantee top-grade results because we know we’ve covered each topic in a precise and understandable manner. Our expert team prepared the latest Amazon DOP-C02 Dumps to satisfy your need for training. Plus, they are in two different formats: Dumps PDF and Online Test Engine.
How Do I Know Amazon DOP-C02 Dumps are Worth it?
Did we mention our latest DOP-C02 Dumps PDF is also available as Online Test Engine? And that’s just the point where things start to take root. Of all the amazing features you are offered here at DumpsPool, the money-back guarantee has to be the best one. Now that you know you don’t have to worry about the payments. Let us explore all other reasons you would want to buy from us. Other than affordable Real Exam Dumps, you are offered three-month free updates.
You can easily scroll through our large catalog of certification exams. And, pick any exam to start your training. That’s right, DumpsPool isn’t limited to just Amazon Exams. We trust our customers need the support of an authentic and reliable resource. So, we made sure there is never any outdated content in our study resources. Our expert team makes sure everything is up to the mark by keeping an eye on every single update. Our main concern and focus are that you understand the real exam format. So, you can pass the exam in an easier way!
IT Students Are Using our AWS Certified DevOps Engineer - Professional Dumps Worldwide!
It is a well-established fact that certification exams can’t be conquered without some help from experts. The point of using AWS Certified DevOps Engineer - Professional Practice Question Answers is exactly that. You are constantly surrounded by IT experts who’ve been through you are about to and know better. The 24/7 customer service of DumpsPool ensures you are in touch with these experts whenever needed. Our 100% success rate and validity around the world, make us the most trusted resource candidates use. The updated Dumps PDF helps you pass the exam on the first attempt. And, with the money-back guarantee, you feel safe buying from us. You can claim your return on not passing the exam.
How to Get DOP-C02 Real Exam Dumps?
Getting access to the real exam dumps is as easy as pressing a button, literally! There are various resources available online, but the majority of them sell scams or copied content. So, if you are going to attempt the DOP-C02 exam, you need to be sure you are buying the right kind of Dumps. All the Dumps PDF available on DumpsPool are as unique and the latest as they can be. Plus, our Practice Question Answers are tested and approved by professionals. Making it the top authentic resource available on the internet. Our expert has made sure the Online Test Engine is free from outdated & fake content, repeated questions, and false plus indefinite information, etc. We make every penny count, and you leave our platform fully satisfied!
Frequently Asked Questions
Question # 1
A company has microservices running in AWS Lambda that read data from AmazonDynamoDB. The Lambda code is manually deployed by developers after successful testingThe company now needs the tests and deployments be automated and run in the cloudAdditionally, traffic to the new versions of each microservice should be incrementallyshifted over time after deployment.What solution meets all the requirements, ensuring the MOST developer velocity?
A. Create an AWS CodePipelme configuration and set up a post-commit hook to trigger thepipeline after tests have passed Use AWS CodeDeploy and create a Canary deploymentconfiguration that specifies the percentage of traffic and interval
B. Create an AWS CodeBuild configuration that triggers when the test code is pushed UseAWS CloudFormation to trigger an AWS CodePipelme configuration that deploys the newLambda versions and specifies the traffic shift percentage and interval
C. Create an AWS CodePipelme configuration and set up the source code step to triggerwhen code is pushed. Set up the build step to use AWS CodeBuild to run the tests Set upan AWS CodeDeploy configuration to deploy, then select theCodeDeployDefault.LambdaLinearlDPercentEvery3Minut.es Option.
D. Use the AWS CLI to set up a post-commit hook that uploads the code to an Amazon S3bucket after tests have passed. Set up an S3 event trigger that runs a Lambda function thatdeploys the new version. Use an interval in the Lambda function to deploy the code overtime at the required percentage
Question # 2
A company has a fleet of Amazon EC2 instances that run Linux in a single AWS account.The company is using an AWS Systems Manager Automation task across the EC2 instances.During the most recent patch cycle, several EC2 instances went into an error statebecause of insufficient available disk space. A DevOps engineer needs to ensure that the EC2 instances have sufficient available disk space during the patching process in the future.Which combination of steps will meet these requirements? {Select TWO.)
A. Ensure that the Amazon CloudWatch agent is installed on all EC2 instances
B. Create a cron job that is installed on each EC2 instance to periodically delete temporary files.
C. Create an Amazon CloudWatch log group for the EC2 instances. Configure a cron jobthat is installed on each EC2 instance to write the available disk space to a CloudWatch logstream for the relevant EC2 instance.
D. Create an Amazon CloudWatch alarm to monitor available disk space on all EC2instances Add the alarm as a safety control to the Systems Manager Automation task.
E. Create an AWS Lambda function to periodically check for sufficient available disk spaceon all EC2 instances by evaluating each EC2 instance's respective Amazon CloudWatchlog stream.
Question # 3
A company uses Amazon EC2 as its primary compute platform. A DevOps team wants toaudit the company's EC2 instances to check whether any prohibited applications havebeen installed on the EC2 instances.Which solution will meet these requirements with the MOST operational efficiency?
A. Configure AWS Systems Manager on each instance Use AWS Systems ManagerInventory Use Systems Manager resource data sync to synchronize and store findings inan Amazon S3 bucket Create an AWS Lambda function that runs when new objects areadded to the S3 bucket. Configure the Lambda function to identify prohibited applications.
B. Configure AWS Systems Manager on each instance Use Systems Manager InventoryCreate AWS Config rules that monitor changes from Systems Manager Inventory to identifyprohibited applications.
C. Configure AWS Systems Manager on each instance. Use Systems Manager Inventory.Filter a trail in AWS CloudTrail for Systems Manager Inventory events to identify prohibitedapplications.
D. Designate Amazon CloudWatch Logs as the log destination for all application instancesRun an automated script across all instances to create an inventory of installed applicationsConfigure the script to forward the results to CloudWatch Logs Create a CloudWatch alarmthat uses filter patterns to search log data to identify prohibited applications.
Question # 4
A company uses an Amazon API Gateway regional REST API to host its application API.The REST API has a custom domain. The REST API's default endpoint is deactivated.The company's internal teams consume the API. The company wants to use mutual TLSbetween the API and the internal teams as an additional layer of authentication.Which combination of steps will meet these requirements? (Select TWO.)
A. Use AWS Certificate Manager (ACM) to create a private certificate authority (CA).Provision a client certificate that is signed by the private CA.
B. Provision a client certificate that is signed by a public certificate authority (CA). Importthe certificate into AWS Certificate Manager (ACM).
C. Upload the provisioned client certificate to an Amazon S3 bucket. Configure the APIGateway mutual TLS to use the client certificate that is stored in the S3 bucket as the truststore.
D. Upload the provisioned client certificate private key to an Amazon S3 bucket. Configurethe API Gateway mutual TLS to use the private key that is stored in the S3 bucket as thetrust store.
E. Upload the root private certificate authority (CA) certificate to an Amazon S3 bucket.Configure the API Gateway mutual TLS to use the private CA certificate that is stored in theS3 bucket as the trust store.
Question # 5
A company has an application that runs on Amazon EC2 instances behind an ApplicationLoad Balancer (ALB) The EC2 Instances are in multiple Availability Zones The applicationwas misconfigured in a single Availability Zone, which caused a partial outage of theapplication.A DevOps engineer made changes to ensure that the unhealthy EC2 instances in oneAvailability Zone do not affect the healthy EC2 instances in the other Availability Zones.The DevOps engineer needs to test the application's failover and shift where the ALBsends traffic During failover. the ALB must avoid sending traffic to the Availability Zonewhere the failure has occurred. Which solution will meet these requirements?
A. Turn off cross-zone load balancing on the ALB Use Amazon Route 53 ApplicationRecovery Controller to start a zonal shift away from the Availability Zone
B. Turn off cross-zone load balancing on the ALB's target group Use Amazon Route 53Application Recovery Controller to start a zonal shift away from the Availability Zone
C. Create an Amazon Route 53 Application Recovery Controller resource set that uses theDNS hostname of the ALB Start a zonal shift for the resource set away from the AvailabilityZone
D. Create an Amazon Route 53 Application Recovery Controller resource set that uses theARN of the ALB's target group Create a readiness check that uses theElbV2TargetGroupsCanServeTraffic rule
Question # 6
A DevOps engineer needs to implement integration tests into an existing AWSCodePipelme CI/CD workflow for an Amazon Elastic Container Service (Amazon ECS)service. The CI/CD workflow retrieves new application code from an AWS CodeCommitrepository and builds a container image. The CI/CD workflow then uploads the containerimage to Amazon Elastic Container Registry (Amazon ECR) with a new image tag version.The integration tests must ensure that new versions of the service endpoint are reachableand that vanous API methods return successful response data The DevOps engineer hasalready created an ECS cluster to test the serviceWhich combination of steps will meet these requirements with the LEAST managementoverhead? (Select THREE.
A. Add a deploy stage to the pipeline Configure Amazon ECS as the action provider
B. Add a deploy stage to the pipeline Configure AWS CodeDeploy as the action provider
C. Add an appspec.yml file to the CodeCommit repository
D. Update the image build pipeline stage to output an imagedefinitions json file thatreferences the new image tag.
E. Create an AWS Lambda function that runs connectivity checks and API calls against theservice. Integrate the Lambda function with CodePipeline by using aLambda action stage
F. Write a script that runs integration tests against the service. Upload the script to anAmazon S3 bucket. Integrate the script in the S3 bucket with CodePipeline by using an S3action stage.
Question # 7
A company uses Amazon RDS for all databases in Its AWS accounts The company usesAWS Control Tower to build a landing zone that has an audit and logging account Alldatabases must be encrypted at rest for compliance reasons. The company's securityengineer needs to receive notification about any noncompliant databases that are in thecompany's accountsWhich solution will meet these requirements with the MOST operational efficiency?
A. Use AWS Control Tower to activate the optional detective control (guardrail) todetermine whether the RDS storage is encrypted Create an Amazon Simple NotificationService (Amazon SNS) topic in the company's audit account. Create an AmazonEventBridge rule to filter noncompliant events from the AWS Control Tower control(guardrail) to notify the SNS topic. Subscribe the security engineer's email address to theSNS topic
B. Use AWS Cloud Formation StackSets to deploy AWS Lambda functions to everyaccount. Write the Lambda function code to determine whether the RDS storage isencrypted in the account the function is deployed to Send the findings as an AmazonCloudWatch metric to the management account Create an Amazon Simple NotificationService (Amazon SNS) topic. Create a CloudWatch alarm that notifies the SNS topic whenmetric thresholds are met. Subscribe the security engineer's email address to the SNStopic.
C. Create a custom AWS Config rule in every account to determine whether the RDSstorage is encrypted Create an Amazon Simple Notification Service (Amazon SNS) topic inthe audit account Create an Amazon EventBridge rule to filter noncompliant events fromthe AWS Control Tower control (guardrail) to notify the SNS topic. Subscribe the securityengineer's email address to the SNS topic
D. Launch an Amazon EC2 instance. Run an hourly cron job by using the AWS CLI todetermine whether the RDS storage is encrypted in each AWS account Store the results inan RDS database. Notify the security engineer by sending email messages from the EC2instance when noncompliance is detected
Question # 8
A company is migrating from its on-premises data center to AWS. The company currentlyuses a custom on-premises CI/CD pipeline solution to build and package software.The company wants its software packages and dependent public repositories to beavailable in AWS CodeArtifact to facilitate the creation of application-specific pipelines.Which combination of steps should the company take to update the CI/CD pipeline solutionand to configure CodeArtifact with the LEAST operational overhead? (Select TWO.)
A. Update the CI/CD pipeline to create a VM image that contains newly packaged softwareUse AWS Import/Export to make the VM image available as anAmazon EC2 AMI. Launch the AMI with an attached 1AM instance profile that allowsCodeArtifact actions. Use AWS CLI commands to publish the packages to a CodeArtifactrepository.
B. Create an AWS Identity and Access Management Roles Anywhere trust anchor Createan 1AM role that allows CodeArtifact actions and that has a trust relationship on the trustanchor. Update the on-premises CI/CD pipeline to assume the new 1AM role and topublish the packages to CodeArtifact.
C. Create a new Amazon S3 bucket. Generate a presigned URL that allows the PutObjectrequest. Update the on-premises CI/CD pipeline to use thepresigned URL to publish the packages from the on-premises location to the S3 bucket.Create an AWS Lambda function that runs when packages are created in the bucketthrough a put command Configure the Lambda function to publish the packages toCodeArtifact
D. For each public repository, create a CodeArtifact repository that is configured with anexternal connection Configure the dependent repositories as upstream public repositories.
E. Create a CodeArtifact repository that is configured with a set of external connections tothe public repositories. Configure the external connections to be downstream of therepository
Question # 9
A company is running a custom-built application that processes records. All thecomponents run on Amazon EC2 instances that run in an Auto Scaling group. Eachrecord's processing is a multistep sequential action that is compute-intensive. Each step isalways completed in 5 minutes or less.A limitation of the current system is that if any steps fail, the application has to reprocessthe record from the beginning The company wants to update the architecture so that theapplication must reprocess only the failed steps.What is the MOST operationally efficient solution that meets these requirements?
A. Create a web application to write records to Amazon S3 Use S3 Event Notifications topublish to an Amazon Simple Notification Service (Amazon SNS) topic Use an EC2instance to poll Amazon SNS and start processing Save intermediate results to Amazon S3to pass on to the next step
B. Perform the processing steps by using logic in the application. Convert the applicationcode to run in a container. Use AWS Fargate to manage the container Instances. Configurethe container to invoke itself to pass the state from one step to the next.
C. Create a web application to pass records to an Amazon Kinesis data stream. Decouplethe processing by using the Kinesis data stream and AWS Lambda functions.
D. Create a web application to pass records to AWS Step Functions. Decouple theprocessing into Step Functions tasks and AWS Lambda functions.
Question # 10
A company is developing an application that will generate log events. The log eventsconsist of five distinct metrics every one tenth of a second and produce a large amount of data The company needs to configure the application to write the logs to Amazon Timestream The company will configure a daily query against the Timestream table.Which combination of steps will meet these requirements with the FASTEST queryperformance? (Select THREE.)
A. Use batch writes to write multiple log events in a Single write operation
B. Write each log event as a single write operation
C. Treat each log as a single-measure record
D. Treat each log as a multi-measure record
E. Configure the memory store retention period to be longer than the magnetic storeretention period
F. Configure the memory store retention period to be shorter than the magnetic storeretention period
Question # 11
A company has an application that stores data that includes personally IdentifiableInformation (Pll) In an Amazon S3 bucket All data Is encrypted with AWS Key ManagementService (AWS KMS) customer managed keys. All AWS resources are deployed from anAWS Cloud Formation template.A DevOps engineer needs to set up a development environment for the application in adifferent AWS account The data in the development environment's S3 bucket needs to beupdated once a week from the production environment's S3 bucket.The company must not move Pll from the production environment without anonymizmg thePll first The data in each environment must be encrypted with different KMS customermanaged keys.Which combination of steps should the DevOps engineer take to meet these requirements?(Select TWO )
A. Activate Amazon Macie on the S3 bucket In the production account Create an AWSStep Functions state machine to initiate a discovery job and redact all Pll before copyingfiles to the S3 bucket in the development account. Give the state machine tasks decryptpermissions on the KMS key in the production account. Give the state machine tasks encrypt permissions on the KMS key in the development account
B. Set up S3 replication between the production S3 bucket and the development S3 bucketActivate Amazon Macie on the development S3 bucket Create an AWS Step Functionsstate machine to initiate a discovery job and redact all Pll as the files are copied to thedevelopment S3 bucket. Give the state machine tasks encrypt and decrypt permissions onthe KMS key in the development account.
C. Set up an S3 Batch Operations job to copy files from the production S3 bucket to thedevelopment S3 bucket. In the development account, configure anAWS Lambda function to redact all Pll. Configure S3 Object Lambda to use the Lambdafunction for S3 GET requests Give the Lambda function's 1AM role encrypt and decryptpermissions on the KMS key in the development account.
D. Create a development environment from the CloudFormatlon template in thedevelopment account. Schedule an Amazon EventBridge rule to start the AWS StepFunctions state machine once a week
E. Create a development environment from the CloudFormation template in thedevelopment account. Schedule a cron job on an Amazon EC2 instance to run once aweek to start the S3 Batch Operations job.
Question # 12
A company uses AWS Organizations to manage its AWS accounts. The organization roothas a child OU that is named Department. The Department OU has a child OU that isnamed Engineering. The default FullAWSAccess policy is attached to the root, theDepartment OU. and the Engineering OU.The company has many AWS accounts in the Engineering OU. Each account has anadministrative 1AM role with the AdmmistratorAccess 1AM policy attached. The defaultFullAWSAccessPolicy is also attached to each account.A DevOps engineer plans to remove the FullAWSAccess policy from the Department OUThe DevOps engineer will replace the policy with a policy that contains an Allow statementfor all Amazon EC2 API operations.What will happen to the permissions of the administrative 1AM roles as a result of thischange'?
A. All API actions on all resources will be allowed
B. All API actions on EC2 resources will be allowed. All other API actions will be denied.
C. All API actions on all resources will be denied
D. All API actions on EC2 resources will be denied. All other API actions will be allowed.
Question # 13
A company uses containers for its applications The company learns that some containerImages are missing required security configurationsA DevOps engineer needs to implement a solution to create a standard base image The solution must publish the base image weekly to the us-west-2 Region, us-east-2 Region,and eu-central-1 Region.Which solution will meet these requirements?
A. Create an EC2 Image Builder pipeline that uses a container recipe to build the image.Configure the pipeline to distribute the image to an Amazon Elastic Container Registry(Amazon ECR) repository in us-west-2. Configure ECR replication from us-west-2 to useast-2 and from us-east-2 to eu-central-1 Configure the pipeline to run weekly
B. Create an AWS CodePipeline pipeline that uses an AWS CodeBuild project to build theimage Use AWS CodeOeploy to publish the image to an Amazon Elastic ContainerRegistry (Amazon ECR) repository in us-west-2 Configure ECR replication from us-west-2to us-east-2 and from us-east-2 to eu-central-1 Configure the pipeline to run weekly
C. Create an EC2 Image Builder pipeline that uses a container recipe to build the ImageConfigure the pipeline to distribute the image to Amazon Elastic Container Registry(Amazon ECR) repositories in all three Regions. Configure the pipeline to run weekly.
D. Create an AWS CodePipeline pipeline that uses an AWS CodeBuild project to build theimage Use AWS CodeDeploy to publish the image to Amazon Elastic Container Registry(Amazon ECR) repositories in all three Regions. Configure the pipeline to run weekly.
Question # 14
A company's DevOps team manages a set of AWS accounts that are in an organization inAWS OrganizationsThe company needs a solution that ensures that all Amazon EC2 instances use approvedAMIs that the DevOps team manages. The solution also must remediate the usage of AMIsthat are not approved The individual account administrators must not be able to remove therestriction to use approved AMIs.Which solution will meet these requirements?
A. Use AWS CloudFormation StackSets to deploy an Amazon EventBridge rule to eachaccount. Configure the rule to react to AWS CloudTrail events for Amazon EC2 and tosend a notification to an Amazon Simple Notification Service (Amazon SNS) topic.Subscribe the DevOps team to the SNS topic
B. Use AWS CloudFormation StackSets to deploy the approved-amis-by-id AWS Configmanaged rule to each account. Configure the rule with the list of approved AMIs. Configurethe rule to run the the AWS-StopEC2lnstance AWS Systems Manager Automation runbookfor the noncompliant EC2 instances.
C. Create an AWS Lambda function that processes AWS CloudTrail events for AmazonEC2 Configure the Lambda function to send a notification to an Amazon Simple NotificationService (Amazon SNS) topic. Subscribe the DevOps team to the SNS topic. Deploy theLambda function in each account in the organization Create an Amazon EventBridge rulein each account Configure the EventBridge rules to react to AWS CloudTrail events forAmazon EC2 and to invoke the Lambda function.
D. Enable AWS Config across the organization Create a conformance pack that uses theapproved -amis-by-id AWS Config managed rule with the list of approved AMIs. Deploy theconformance pack across the organization. Configure the rule to run the AWSStopEC2lnstanceAWS Systems Manager Automation runbook for the noncompliant EC2instances.
Question # 15
A company has set up AWS CodeArtifact repositories with public upstream repositoriesThe company's development team consumes open source dependencies from therepositories in the company's internal network.The company's security team recently discovered a critical vulnerability in the most recentversion of a package that the development team consumes. The security team hasproduced a patched version to fix the vulnerability. The company needs to prevent thevulnerable version from being downloaded. The company also needs to allow the securityteam to publish the patched version.Which combination of steps will meet these requirements? {Select TWO.)
A. Update the status of the affected CodeArtifact package version to unlisted
B. Update the status of the affected CodeArtifact package version to deleted
C. Update the status of the affected CodeArtifact package version to archived.
D. Update the CodeArtifact package origin control settings to allow direct publishing and toblock upstream operations
E. Update the CodeArtifact package origin control settings to block direct publishing and toallow upstream operations.
Question # 16
AnyCompany is using AWS Organizations to create and manage multiple AWS accountsAnyCompany recently acquired a smaller company, Example Corp. During the acquisitionprocess, Example Corp's single AWS account joined AnyCompany's management accountthrough an Organizations invitation. AnyCompany moved the new member account underan OU that is dedicated to Example Corp.AnyCompany's DevOps eng•neer has an IAM user that assumes a role that is namedOrganizationAccountAccessRole to access member accounts. This role is configured witha full access policy When the DevOps engineer tries to use the AWS Management Consoleto assume the role in Example Corp's new member account, the DevOps engineerreceives the following error message "Invalid information in one or more fields. Check yourinformation or contact your administrator." Which solution will give the DevOps engineer access to the new member account?
A. In the management account, grant the DevOps engineer's IAM user permission toassume the OrganzatlonAccountAccessR01e IAM role in the new member account.
B. In the management account, create a new SCR In the SCP, grant the DevOpsengineer's IAM user full access to all resources in the new member account. Attach theSCP to the OU that contains the new member account,
C. In the new member account, create a new IAM role that is namedOrganizationAccountAccessRole. Attach the AdmInistratorAccess AVVS managed policy tothe role. In the role's trust policy, grant the management account permission to assume therole.
D. In the new member account edit the trust policy for the Organ zationAccountAccessRoleIAM role. Grant the management account permission to assume the role.
Question # 17
A DevOps engineer is implementing governance controls for a company that requires its infrastructure to be housed within the United States. The engineer must restrict which AWSRegions can be used, and ensure an alert is sent as soon as possible if any activity outsidethe governance policy takes place. The controls should be automatically enabled on anynew Region outside the United States (US).Which combination of actions will meet these requirements? (Select TWO.)
A. Create an AWS Organizations SCP that denies access to all non-global services in non-US Regions. Attach the policy to the root of the organization.
B. Configure AWS CloudTrail to send logs to Amazon CloudWatch Logs and enable it forall Regions. Use a CloudWatch Logs metric filter to send an alert on any service activity innon-US Regions.
C. Use an AWS Lambda function that checks for AWS service activity and deploy it to allRegions. Write an Amazon EventBridge rule that runs the Lambda function every hour,sending an alert if activity is found in a non-US Region.
D. Use an AWS Lambda function to query Amazon Inspector to look for service activity innon-US Regions and send alerts if any activity is found.
E. Write an SCP using the aws: RequestedRegion condition key limiting access to USRegions. Apply the policy to all users, groups, and roles
Question # 18
A DevOps engineer is implementing governance controls for a company that requires its infrastructure to be housed within the United States. The engineer must restrict which AWSRegions can be used, and ensure an alert is sent as soon as possible if any activity outsidethe governance policy takes place. The controls should be automatically enabled on anynew Region outside the United States (US).Which combination of actions will meet these requirements? (Select TWO.)
A. Create an AWS Organizations SCP that denies access to all non-global services in non-US Regions. Attach the policy to the root of the organization.
B. Configure AWS CloudTrail to send logs to Amazon CloudWatch Logs and enable it forall Regions. Use a CloudWatch Logs metric filter to send an alert on any service activity innon-US Regions.
C. Use an AWS Lambda function that checks for AWS service activity and deploy it to allRegions. Write an Amazon EventBridge rule that runs the Lambda function every hour,sending an alert if activity is found in a non-US Region.
D. Use an AWS Lambda function to query Amazon Inspector to look for service activity innon-US Regions and send alerts if any activity is found.
E. Write an SCP using the aws: RequestedRegion condition key limiting access to USRegions. Apply the policy to all users, groups, and roles
Question # 19
A software team is using AWS CodePipeline to automate its Java application releasepipeline The pipeline consists of a source stage, then a build stage, and then a deploystage. Each stage contains a single action that has a runOrder value of 1.The team wants to integrate unit tests into the existing release pipeline. The team needs asolution that deploys only the code changes that pass all unit tests.Which solution will meet these requirements?
A. Modify the build stage. Add a test action that has a runOrder value of 1. Use AWSCodeDeploy as the action provider to run unit tests.
B. Modify the build stage Add a test action that has a runOrder value of 2 Use AWSCodeBuild as the action provider to run unit tests
C. Modify the deploy stage Add a test action that has a runOrder value of 1 Use AWSCodeDeploy as the action provider to run unit tests
D. Modify the deploy stage Add a test action that has a runOrder value of 2 Use AWSCodeBuild as the action provider to run unit tests
Question # 20
A company has a new AWS account that teams will use to deploy various applications. Theteams will create many Amazon S3 buckets for application- specific purposes and to storeAWS CloudTrail logs. The company has enabled Amazon Macie for the account.A DevOps engineer needs to optimize the Macie costs for the account withoutcompromising the account's functionality.Which solutions will meet these requirements? (Select TWO.)
A. Exclude S3 buckets that contain CloudTrail logs from automated discovery.
B. Exclude S3 buckets that have public read access from automated discovery.
C. Configure scheduled daily discovery jobs for all S3 buckets in the account.
D. Configure discovery jobs to include S3 objects based on the last modified criterion.
E. Configure discovery jobs to include S3 objects that are tagged as production only.
Question # 21
A company has a new AWS account that teams will use to deploy various applications. Theteams will create many Amazon S3 buckets for application- specific purposes and to storeAWS CloudTrail logs. The company has enabled Amazon Macie for the account.A DevOps engineer needs to optimize the Macie costs for the account withoutcompromising the account's functionality.Which solutions will meet these requirements? (Select TWO.)
A. Exclude S3 buckets that contain CloudTrail logs from automated discovery.
B. Exclude S3 buckets that have public read access from automated discovery.
C. Configure scheduled daily discovery jobs for all S3 buckets in the account.
D. Configure discovery jobs to include S3 objects based on the last modified criterion.
E. Configure discovery jobs to include S3 objects that are tagged as production only.
Question # 22
A company hired a penetration tester to simulate an internal security breach The testerperformed port scans on the company's Amazon EC2 instances. The company's securitymeasures did not detect the port scans.The company needs a solution that automatically provides notification when port scans areperformed on EC2 instances. The company creates and subscribes to an Amazon SimpleNotification Service (Amazon SNS) topic.What should the company do next to meet the requirement?
A. Ensure that Amazon GuardDuty is enabled Create an Amazon CloudWatch alarm fordetected EC2 and port scan findings. Connect the alarm to the SNS topic.
B. Ensure that Amazon Inspector is enabled Create an Amazon EventBridge event fordetected network reachability findings that indicate port scans Connect the event to theSNS topic.
C. Ensure that Amazon Inspector is enabled. Create an Amazon EventBridge event fordetected CVEs that cause open port vulnerabilities. Connect the event to the SNS topic
D. Ensure that AWS CloudTrail is enabled Create an AWS Lambda function to analyze theCloudTrail logs for unusual amounts of traffic from an IP address range Connect theLambda function to the SNS topic.
Question # 23
A company is developing a web application's infrastructure using AWS CloudFormationThe database engineering team maintains the database resources in a Cloud Formationtemplate, and the software development team maintains the web application resources in aseparate CloudFormation template. As the scope of the application grows, the softwaredevelopment team needs to use resources maintained by the database engineering teamHowever, both teams have their own review and lifecycle management processes that theywant to keep. Both teams also require resource-level change-set reviews. The softwaredevelopment team would like to deploy changes to this template using their Cl/CD pipeline.Which solution will meet these requirements?
A. Create a stack export from the database CloudFormation template and import thosereferences into the web application CloudFormation template
B. Create a CloudFormation nested stack to make cross-stack resource references andparameters available in both stacks.
C. Create a CloudFormation stack set to make cross-stack resource references andparameters available in both stacks.
D. Create input parameters in the web application CloudFormation template and passresource names and IDs from the database stack.
Question # 24
A company wants to use AWS Systems Manager documents to bootstrap physical laptopsfor developers The bootstrap code Is stored in GitHub A DevOps engineer has alreadycreated a Systems Manager activation, installed the Systems Manager agent with theregistration code, and installed an activation ID on all the laptops.Which set of steps should be taken next?
A. Configure the Systems Manager document to use the AWS-RunShellScnpt command tocopy the files from GitHub to Amazon S3, then use the aws-downloadContent plugin with asourceType of S3
B. Configure the Systems Manager document to use the aws-configurePackage plugin withan install action and point to the Git repository
C. Configure the Systems Manager document to use the aws-downloadContent plugin witha sourceType of GitHub and sourcelnfo with the repository details.
D. Configure the Systems Manager document to use the aws:softwarelnventory plugin andrun the script from the Git repository
Question # 25
A company has a mission-critical application on AWS that uses automatic scaling Thecompany wants the deployment lilecycle to meet the following parameters.• The application must be deployed one instance at a time to ensure the remaining fleetcontinues to serve traffic• The application is CPU intensive and must be closely monitored• The deployment must automatically roll back if the CPU utilization of the deploymentinstance exceeds 85%. Which solution will meet these requirements?
A. Use AWS CloudFormalion to create an AWS Step Functions state machine and AutoScaling hfecycle hooks to move to one instance at a time into a wait state Use AWSSystems Manager automation to deploy the update to each instance and move it back intothe Auto Scaling group using the heartbeat timeout
B. Use AWS CodeDeploy with Amazon EC2 Auto Scaling. Configure an alarm tied to theCPU utilization metric. Use the CodeDeployDefault OneAtAtime configuration as adeployment strategy Configure automatic rollbacks within the deployment group to roll backthe deployment if the alarm thresholds are breached
C. Use AWS Elastic Beanstalk for load balancing and AWS Auto Scaling Configure analarm tied to the CPU utilization metric Configure rolling deployments with a fixed batchsize of one instance Enable enhanced health to monitor the status of the deployment androll back based on the alarm previously created.
D. Use AWS Systems Manager to perform a blue/green deployment with Amazon EC2Auto Scaling Configure an alarm tied to the CPU utilization metric Deploy updates one at atime Configure automatic rollbacks within the Auto Scaling group to roll back thedeployment if the alarm thresholds are breached
Question # 26
A company has 20 service learns Each service team is responsible for its ownmicroservice. Each service team uses a separate AWS account for its microservice and aVPC with the 192 168 0 0/22 CIDR block. The company manages the AWS accounts withAWS Organizations.Each service team hosts its microservice on multiple Amazon EC2 instances behind anApplication Load Balancer. The microservices communicate with each other across thepublic internet. The company's security team has issued a new guideline that allcommunication between microservices must use HTTPS over private network connectionsand cannot traverse the public internet.A DevOps engineer must implement a solution that fulfills these obligations and minimizesthe number of changes for each service team.Which solution will meet these requirements?
A. Create a new AWS account in AWS Organizations Create a VPC in this account anduse AWS Resource Access Manager to share the private subnets of this VPC with theorganization Instruct the service teams to launch a new. Network Load Balancer (NLB) and EC2 instances that use the shared private subnets Use the NLB DNS names forcommunication between microservices.
B. Create a Network Load Balancer (NLB) in each of the microservice VPCs Use AWSPrivateLink to create VPC endpoints in each AWS account for the NLBs Createsubscriptions to each VPC endpoint in each of the other AWS accounts Use the VPCendpoint DNS names for communication between microservices.
C. Create a Network Load Balancer (NLB) in each of the microservice VPCs Create VPCpeering connections between each of the microservice VPCs Update the route tables foreach VPC to use the peering links Use the NLB DNS names for communication betweenmicroservices.
D. Create a new AWS account in AWS Organizations Create a transit gateway in thisaccount and use AWS Resource Access Manager to share the transit gateway with theorganization. In each of the microservice VPCs. create a transit gateway attachment to theshared transit gateway Update the route tables of each VPC to use the transit gatewayCreate a Network Load Balancer (NLB) in each of the microservice VPCs Use the NLBDNS names for communication between microservices.
Question # 27
A security team is concerned that a developer can unintentionally attach an Elastic IPaddress to an Amazon EC2 instance in production. No developer should be allowed toattach an Elastic IP address to an instance. The security team must be notified if anyproduction server has an Elastic IP address at any timeHow can this task be automated'?
A. Use Amazon Athena to query AWS CloudTrail logs to check for any associate-addressattempts Create an AWS Lambda function to disassociate the Elastic IP address from theinstance, and alert the security team.
B. Attach an 1AM policy to the developers' 1AM group to deny associate-addresspermissions Create a custom AWS Config rule to check whether an Elastic IP address isassociated with any instance tagged as production, and alert the security team
C. Ensure that all 1AM groups associated with developers do not have associate-address permissions. Create a scheduled AWS Lambda function to check whether an Elastic IPaddress is associated with any instance tagged as production, and alert the secunty team ifan instance has an Elastic IP address associated with it
D. Create an AWS Config rule to check that all production instances have EC2 1AM rolesthat include deny associate-address permissions Verify whether there is an Elastic IPaddress associated with any instance, and alert the security team if an instance has anElastic IP address associated with it.
Question # 28
A company is using AWS CodePipeline to deploy an application. According to a newguideline, a member of the company's security team must sign off on any applicationchanges before the changes are deployed into production. The approval must be recordedand retained.Which combination of actions will meet these requirements? (Select TWO.)
A. Configure CodePipeline to write actions to Amazon CloudWatch Logs.
B. Configure CodePipeline to write actions to an Amazon S3 bucket at the end of eachpipeline stage.
C. Create an AWS CloudTrail trail to deliver logs to Amazon S3.
D. Create a CodePipeline custom action to invoke an AWS Lambda function for approval.Create a policy that gives the security team access to manage CodePipeline customactions.
E. Create a CodePipeline manual approval action before the deployment step. Create apolicy that grants the security team access to approve manual approval stages.
Question # 29
A company has an AWS CodeDeploy application. The application has a deployment groupthat uses a single tag group to identify instances for the deployment of ApplicationA. Thesingle tag group configuration identifies instances that have Environment=Production andName=ApplicattonA tags for the deployment of ApplicationA.The company launches an additional Amazon EC2 instance with Department=MarketingEnvironment^Production. and Name=ApplicationB tags. On the next CodeDeploydeployment of ApplicationA. the additional instance has ApplicationA installed on it. ADevOps engineer needs to configure the existing deployment group to preventApplicationA from being installed on the additional instanceWhich solution will meet these requirements?
A. Change the current single tag group to include only the Environment=Production tagAdd another single tag group that includes only the Name=ApplicationA tag.
B. Change the current single tag group to include the Department=MarketmgEnvironment=Production and Name=ApplicationAtags
C. Add another single tag group that includes only the Department=Marketing tag. Keepthe Environment=Production and Name=ApplicationA tags with the current single tag group
D. Change the current single tag group to include only the Environment=Production tagAdd another single tag group that includes only the Department=Marketing tag
Question # 30
A company uses an organization in AWS Organizations to manage its AWS accounts. Thecompany recently acquired another company that has standalone AWS accounts. Theacquiring company's DevOps team needs to consolidate the administration of the AWSaccounts for both companies and retain full administrative control of the accounts. TheDevOps team also needs to collect and group findings across all the accounts to implementand maintain a security posture.Which combination of steps should the DevOps team take to meet these requirements?(Select TWO.)
A. Invite the acquired company's AWS accounts to join the organization. Create an SCPthat has full administrative privileges. Attach the SCP to the management account.
B. Invite the acquired company's AWS accounts to join the organization. Create theOrganizationAccountAccessRole 1AM role in the invited accounts. Grant permission to themanagement account to assume the role.
C. Use AWS Security Hub to collect and group findings across all accounts. Use SecurityHub to automatically detect new accounts as the accounts are added to the organization.
D. Use AWS Firewall Manager to collect and group findings across all accounts. Enable allfeatures for the organization. Designate an account in the organization as the delegatedadministrator account for Firewall Manager.
E. Use Amazon Inspector to collect and group findings across all accounts. Designate anaccount in the organization as the delegated administrator account for Amazon Inspector.
Question # 31
A company is reviewing its 1AM policies. One policy written by the DevOps engineer hasbeen (lagged as too permissive. The policy is used by an AWS Lambda function thatissues a stop command to Amazon EC2 instances tagged with Environment:NonProduccion over the weekend. The current policy is:
A. Option A
B. Option B
C. Option C
D. Option D
E. Option E
F. Option F
Question # 32
A company's application teams use AWS CodeCommit repositories for their applications.The application teams have repositories in multiple AWSaccounts. All accounts are in an organization in AWS Organizations.Each application team uses AWS IAM Identity Center (AWS Single Sign-On) configuredwith an external IdP to assume a developer IAM role. The developer role allows theapplication teams to use Git to work with the code in the repositories.A security audit reveals that the application teams can modify the main branch in anyrepository. A DevOps engineer must implement a solution thatallows the application teams to modify the main branch of only the repositories that theymanage.Which combination of steps will meet these requirements? (Select THREE.)
A. Update the SAML assertion to pass the user's team name. Update the IAM role's trustpolicy to add an access-team session tag that has the team name.
B. Create an approval rule template for each team in the Organizations managementaccount. Associate the template with all the repositories. Add the developer role ARN as anapprover.
C. Create an approval rule template for each account. Associate the template with allrepositories. Add the "aws:ResourceTag/access-team":"$ ;{aws:PrincipaITag/accessteam}"condition to the approval rule template.
D. For each CodeCommit repository, add an access-team tag that has the value set to thename of the associated team.
E. Attach an SCP to the accounts. Include the following statement:
F. Create an IAM permissions boundary in each account. Include the following statement:
A computerscreen shot of textDescription automatically generated
Question # 33
A company has an application and a CI/CD pipeline. The CI/CD pipeline consists of anAWS CodePipeline pipeline and an AWS CodeBuild project. The CodeBuild project runstests against the application as part of the build process and outputs a test report. Thecompany must keep the test reports for 90 days.Which solution will meet these requirements?
A. Add a new stage in the CodePipeline pipeline after the stage that contains theCodeBuild project. Create an Amazon S3 bucket to store the reports. Configure an S3deploy action type in the new CodePipeline stage with the appropriate path and format forthe reports.
B. Add a report group in the CodeBuild project buildspec file with the appropriate path andformat for the reports. Create an Amazon S3 bucket to store the reports. Configure anAmazon EventBridge rule that invokes an AWS Lambda function to copy the reports to theS3 bucket when a build is completed. Create an S3 Lifecycle rule to expire the objects after90 days.
C. Add a new stage in the CodePipeline pipeline. Configure a test action type with theappropriate path and format for the reports. Configure the report expiration time to be 90days in the CodeBuild project buildspec file.
D. Add a report group in the CodeBuild project buildspec file with the appropriate path andformat for the reports. Create an Amazon S3 bucket to store the reports. Configure thereport group as an artifact in the CodeBuild project buildspec file. Configure the S3 bucketas the artifact destination. Set the object expiration to 90 days.
Question # 34
An ecommerce company uses a large number of Amazon Elastic Block Store (AmazonEBS) backed Amazon EC2 instances. To decrease manual work across all the instances, aDevOps engineer is tasked with automating restart actions when EC2 instance retirementevents are scheduled.How can this be accomplished?
A. Create a scheduled Amazon EventBridge rule to run an AWS Systems Manager Automation runbook that checks if any EC2 instances are scheduled for retirement once aweek If the instance is scheduled for retirement the runbook will hibernate the instance
B. Enable EC2Auto Recovery on all of the instances. Create an AWS Config rule to limitthe recovery to occur during a maintenance window only
C. Reboot all EC2 instances during an approved maintenance window that is outside ofstandard business hours Set up Amazon CloudWatch alarms to send a notification in caseany instance is failing EC2 instance status checks
D. Set up an AWS Health Amazon EventBridge rule to run AWS Systems ManagerAutomation runbooks that stop and start the EC2 instance when a retirement scheduledevent occurs.
Question # 35
A DevOps engineer is using AWS CodeDeploy across a fleet of Amazon EC2 instances inan EC2 Auto Scaling group. The associated CodeDeploy deployment group, which isintegrated with EC2 Auto Scaling, is configured to perform in-place deployments withcodeDeployDefault.oneAtATime During an ongoing new deployment, the engineerdiscovers that, although the overall deployment finished successfully, two out of fiveinstances have the previous application revision deployed. The other three instances havethe newest application revisionWhat is likely causing this issue?
A. The two affected instances failed to fetch the new deployment.
B. A failed Afterinstall lifecycle event hook caused the CodeDeploy agent to roll back to theprevious version on the affected instances
C. The CodeDeploy agent was not installed in two affected instances.
D. EC2 Auto Scaling launched two new instances while the new deployment had not yetfinished, causing the previous version to be deployed on the affected instances.
Question # 36
A company is examining its disaster recovery capability and wants the ability to switch over its daily operations to a secondary AWS Region. The company uses AWS CodeCommit asa source control tool in the primary Region.A DevOps engineer must provide the capability for the company to develop code in thesecondary Region. If the company needs to use the secondary Region, developers canadd an additional remote URL to their local Git configuration.Which solution will meet these requirements?
A. Create a CodeCommit repository in the secondary Region. Create an AWS CodeBuildproject to perform a Git mirror operation of the primary Region's CodeCommit repository tothe secondary Region's CodeCommit repository. Create an AWS Lambda function thatinvokes the CodeBuild project. Create an Amazon EventBridge rule that reacts to mergeevents in the primary Region's CodeCommit repository. Configure the EventBridge rule toinvoke the Lambda function.
B. Create an Amazon S3 bucket in the secondary Region. Create an AWS Fargate task toperform a Git mirror operation of the primary Region's CodeCommit repository and copythe result to the S3 bucket. Create an AWS Lambda function that initiates the Fargate task.Create an Amazon EventBridge rule that reacts to merge events in the CodeCommitrepository. Configure the EventBridge rule to invoke the Lambda function.
C. Create an AWS CodeArtifact repository in the secondary Region. Create an AWSCodePipeline pipeline that uses the primary Region's CodeCommit repository for thesource action. Create a Cross-Region stage in the pipeline that packages the CodeCommitrepository contents and stores the contents in the CodeArtifact repository when a pullrequest is merged into the CodeCommit repository.
D. Create an AWS Cloud9 environment and a CodeCommit repository in the secondaryRegion. Configure the primary Region's CodeCommit repository as a remote repository inthe AWS Cloud9 environment. Connect the secondary Region's CodeCommit repository tothe AWS Cloud9 environment.
Question # 37
A company has a single developer writing code for an automated deployment pipeline. Thedeveloper is storing source code in an Amazon S3 bucket for each project. The companywants to add more developers to the team but is concerned about code conflicts and lostwork The company also wants to build a test environment to deploy newer versions of codefor testing and allow developers to automatically deploy to both environments when code ischanged in the repository.What is the MOST efficient way to meet these requirements?
A. Create an AWS CodeCommit repository tor each project, use the mam branch forproduction code: and create a testing branch for code deployed to testing Use featurebranches to develop new features and pull requests to merge code to testing and mainbranches.
B. Create another S3 bucket for each project for testing code, and use an AWS Lambdafunction to promote code changes between testing and production buckets Enableversioning on all buckets to prevent code conflicts.
C. Create an AWS CodeCommit repository for each project, and use the main branch forproduction and test code with different deployment pipelines for each environment Usefeature branches to develop new features.
D. Enable versioning and branching on each S3 bucket, use the main branch for productioncode, and create a testing branch for code deployed to testing. Have developers use eachbranch for developing in each environment.
Question # 38
A company is using AWS to run digital workloads. Each application team in the companyhas its own AWS account for application hosting. The accounts are consolidated in anorganization in AWS Organizations.The company wants to enforce security standards across the entire organization. To avoidnoncompliance because of security misconfiguration, the company has enforced the use ofAWS CloudFormation. A production support team can modify resources in the productionenvironment by using the AWS Management Console to troubleshoot and resolve application-related issues.A DevOps engineer must implement a solution to identify in near real time any AWSservice misconfiguration that results in noncompliance. The solution must automaticallyremediate the issue within 15 minutes of identification. The solution also must tracknoncompliant resources and events in a centralized dashboard with accurate timestamps.Which solution will meet these requirements with the LEAST development overhead?
A. Use CloudFormation drift detection to identify noncompliant resources. Use driftdetection events from CloudFormation to invoke an AWS Lambda function for remediation.Configure the Lambda function to publish logs to an Amazon CloudWatch Logs log group.Configure an Amazon CloudWatch dashboard to use the log group for tracking.
B. Turn on AWS CloudTrail in the AWS accounts. Analyze CloudTrail logs by usingAmazon Athena to identify noncompliant resources. Use AWS Step Functions to trackquery results on Athena for drift detection and to invoke an AWS Lambda function forremediation. For tracking, set up an Amazon QuickSight dashboard that uses Athena asthe data source.
C. Turn on the configuration recorder in AWS Config in all the AWS accounts to identifynoncompliant resources. Enable AWS Security Hub with the ~no-enable-default-standardsoption in all the AWS accounts. Set up AWS Config managed rules and custom rules. Setup automatic remediation by using AWS Config conformance packs. For tracking, set up adashboard on Security Hub in a designated Security Hub administrator account.
D. Turn on AWS CloudTrail in the AWS accounts. Analyze CloudTrail logs by usingAmazon CloudWatch Logs to identify noncompliant resources. Use CloudWatch Logsfilters for drift detection. Use Amazon EventBridge to invoke the Lambda function forremediation. Stream filtered CloudWatch logs to Amazon OpenSearch Service. Set up adashboard on OpenSearch Service for tracking.
Question # 39
A DevOps engineer manages a company's Amazon Elastic Container Service (AmazonECS) cluster. The cluster runs on several Amazon EC2 instances that are in an AutoScaling group. The DevOpsengineer must implement a solution that logs and reviews all stopped tasks for errors.Which solution will meet these requirements?
A. Create an Amazon EventBridge rule to capture task state changes. Send the event to Amazon CloudWatch Logs. Use CloudWatch Logs Insights to investigate stopped tasks.
B. Configure tasks to write log data in the embedded metric format. Store the logs inAmazon CloudWatch Logs. Monitor the ContainerInstanceCount metric for changes.
C. Configure the EC2 instances to store logs in Amazon CloudWatch Logs. Create aCloudWatch Contributor Insights rule that uses the EC2 instance log data. Use theContributor Insights rule to investigate stopped tasks.
D. Configure an EC2 Auto Scaling lifecycle hook for the EC2_INSTANCE_TERMINATINGscale-in event. Write the SystemEventLog file to Amazon S3. Use Amazon Athena to querythe log file for errors.
Question # 40
A company has deployed a critical application in two AWS Regions. The application usesan Application Load Balancer (ALB) in both Regions. The company has Amazon Route 53alias DNS records for both ALBs.The company uses Amazon Route 53 Application Recovery Controller to ensure that theapplication can fail over between the two Regions. The Route 53 ARC configurationincludes a routing control for both Regions. The company uses Route 53 ARC to performquarterly disaster recovery (DR) tests.During the most recent DR test, a DevOps engineer accidentally turned off both routingcontrols. The company needs to ensure that at least one routing control is turned on at alltimes.Which solution will meet these requirements?
A. In Route 53 ARC. create a new assertion safety rule. Apply the assertion safety rule tothe two routing controls. Configure the rule with the ATLEAST type with a threshold of 1.
B. In Route 53 ARC, create a new gating safety rule. Apply the assertion safety rule to thetwo routing controls. Configure the rule with the OR type with a threshold of 1.
C. In Route 53 ARC, create a new resource set. Configure the resource set with an AWS:Route53: HealthCheck resource type. Specify the ARNs of the two routing controls as thetarget resource. Create a new readiness check for the resource set.
D. In Route 53 ARC, create a new resource set. Configure the resource set with an AWS:Route53RecoveryReadiness: DNSTargetResource resource type. Add the domain namesof the two Route 53 alias DNS records as the target resource. Create a new readinesscheck for the resource set.
Question # 41
A company manages a multi-tenant environment in its VPC and has configured AmazonGuardDuty for the corresponding AWS account. The company sends all GuardDutyfindings to AWS Security Hub.Traffic from suspicious sources is generating a large number of findings. A DevOpsengineer needs to implement a solution to automatically deny traffic across the entire VPCwhen GuardDuty discovers a new suspicious source.Which solution will meet these requirements?
A. Create a GuardDuty threat list. Configure GuardDuty to reference the list. Create anAWS Lambda function that will update the threat list Configure the Lambda function to runin response to new Security Hub findings that come from GuardDuty.
B. Configure an AWS WAF web ACL that includes a custom rule group. Create an AWSLambda function that will create a block rule in the custom rule group Configure theLambda function to run in response to new Security Hub findings that come from GuardDuty
C. Configure a firewall in AWS Network Firewall. Create an AWS Lambda function that willcreate a Drop action rule in the firewall policy Configure the Lambda function to run inresponse to new Security Hub findings that come from GuardDuty
D. Create an AWS Lambda function that will create a GuardDuty suppression rule.Configure the Lambda function to run in response to new Security Hub findings that comefrom GuardDuty.
Question # 42
A company recently deployed its web application on AWS. The company is preparing for alarge-scale sales event and must ensure that the web application can scale to meet thedemandThe application's frontend infrastructure includes an Amazon CloudFront distribution thathas an Amazon S3 bucket as an origin. The backend infrastructure includes an AmazonAPI Gateway API. several AWS Lambda functions, and an Amazon Aurora DB clusterThe company's DevOps engineer conducts a load test and identifies that the Lambdafunctions can fulfill the peak number of requests However, the DevOps engineer noticesrequest latency during the initial burst of requests Most of the requests to the Lambdafunctions produce queries to the database A large portion of the invocation time is used toestablish database connectionsWhich combination of steps will provide the application with the required scalability? (SelectTWO)
A. Configure a higher reserved concurrency for the Lambda functions.
B. Configure a higher provisioned concurrency for the Lambda functions
C. Convert the DB cluster to an Aurora global database Add additional Aurora Replicas inAWS Regions based on the locations of the company's customers.
D. Refactor the Lambda Functions Move the code blocks that initialize databaseconnections into the function handlers.
E. Use Amazon RDS Proxy to create a proxy for the Aurora database Update the Lambdafunctions to use the proxy endpoints for database connections.
Question # 43
A company's security policies require the use of security hardened AMIS in productionenvironments. A DevOps engineer has used EC2 Image Builder to create a pipeline thatbuilds the AMIs on a recurring schedule.The DevOps engineer needs to update the launch templates of the companys Auto Scalinggroups. The Auto Scaling groups must use the newest AMIS during the launch of AmazonEC2 instances.Which solution will meet these requirements with the MOST operational efficiency?
A. Configure an Amazon EventBridge rule to receive new AMI events from Image Builder.Target an AWS Systems Manager Run Command document that updates the launchtemplates of the Auto Scaling groups with the newest AMI ID.
B. Configure an Amazon EventBridge rule to receive new AMI events from Image Builder.Target an AWS Lambda function that updates the launch templates of the Auto Scalinggroups with the newest AMI ID.
C. Configure the launch template to use a value from AWS Systems Manager ParameterStore for the AMI ID. Configure the Image Builder pipeline to update the Parameter Storevalue with the newest AMI ID.
D. Configure the Image Builder distribution settings to update the launch templates with thenewest AMI ID. Configure the Auto Scaling groups to use the newest version of the launch template.
Question # 44
A company requires its internal business teams to launch resources through pre-approvedAWS CloudFormation templates only. The security team requires automated monitoringwhen resources drift from their expected state.Which strategy should be used to meet these requirements?
A. Allow users to deploy CloudFormation stacks using a CloudFormation service role only.Use CloudFormation drift detection to detect when resources have drifted from theirexpected state.
B. Allow users to deploy CloudFormation stacks using a CloudFormation service role only.Use AWS Config rules to detect when resources have drifted from their expected state.
C. Allow users to deploy CloudFormation stacks using AWS Service Catalog only. Enforcethe use of a launch constraint. Use AWS Config rules to detect when resources havedrifted from their expected state.
D. Allow users to deploy CloudFormation stacks using AWS Service Catalog only. Enforcethe use of a template constraint. Use Amazon EventBridge notifications to detect whenresources have drifted from their expected state.
Question # 45
A company is building a web and mobile application that uses a serverless architecturepowered by AWS Lambda and Amazon API Gateway The company wants to fullyautomate the backend Lambda deployment based on code that is pushed to theappropriate environment branch in an AWS CodeCommit repositoryThe deployment must have the following:• Separate environment pipelines for testing and production• Automatic deployment that occurs for test environments onlyWhich steps should be taken to meet these requirements'?
A. Configure a new AWS CodePipelme service Create a CodeCommit repository for eachenvironment Set up CodePipeline to retrieve the source code from the appropriaterepository Set up the deployment step to deploy the Lambda functions with AWSCloudFormation.
B. Create two AWS CodePipeline configurations for test and production environmentsConfigure the production pipeline to have a manual approval step Create aCodeCommit repository for each environment Set up each CodePipeline to retrieve thesource code from the appropriate repository Set up the deployment step to deploy theLambda functions with AWS CloudFormation.
C. Create two AWS CodePipeline configurations for test and production environmentsConfigure the production pipeline to have a manual approval step. Create oneCodeCommit repository with a branch for each environment Set up each CodePipeline toretrieve the source code from the appropriate branch in the repository. Set up thedeployment step to deploy the Lambda functions with AWS CloudFormation
D. Create an AWS CodeBuild configuration for test and production environments Configurethe production pipeline to have a manual approval step. Create one CodeCommitrepository with a branch for each environment Push the Lambda function code to anAmazon S3 bucket Set up the deployment step to deploy the Lambda functions from theS3 bucket.
Question # 46
A healthcare services company is concerned about the growing costs of software licensingfor an application for monitoring patient wellness. The company wants to create an auditprocess to ensure that the application is running exclusively on Amazon EC2 DedicatedHosts. A DevOps engineer must create a workflow to audit the application to ensurecompliance.What steps should the engineer take to meet this requirement with the LEASTadministrative overhead?
A. Use AWS Systems Manager Configuration Compliance. Use calls to the putcompliance-items API action to scan and build a database of noncompliant EC2 instancesbased on their host placement configuration. Use an Amazon DynamoDB table to storethese instance IDs for fast access. Generate a report through Systems Manager by callingthe list-compliance-summaries API action.
B. Use custom Java code running on an EC2 instance. Set up EC2 Auto Scaling for theinstance depending on the number of instances to be checked. Send the list ofnoncompliant EC2 instance IDs to an Amazon SQS queue. Set up another worker instanceto process instance IDs from the SQS queue and write them to Amazon DynamoDB. Usean AWS Lambda function to terminate noncompliant instance IDs obtained from the queue,and send them to an Amazon SNS email topic for distribution.
C. Use AWS Config. Identify all EC2 instances to be audited by enabling Config Recordingon all Amazon EC2 resources for the region. Create a custom AWS Config rule thattriggers an AWS Lambda function by using the "config-rule-change-triggered" blueprint. Modify the LambdaevaluateCompliance () function to verify host placement to return a NON_COMPLIANTresult if the instance is not running on an EC2 Dedicated Host. Use the AWS Config reportto address noncompliant instances.
D. Use AWS CloudTrail. Identify all EC2 instances to be audited by analyzing all calls tothe EC2 RunCommand API action. Invoke a AWS Lambda function that analyzes the hostplacement of the instance. Store the EC2 instance ID of noncompliant resources in anAmazon RDS for MySQL DB instance. Generate a report by querying the RDS instanceand exporting the query results to a CSV text file.
Question # 47
A company's application runs on Amazon EC2 instances. The application writes to a log filethat records the username, date, time: and source IP address of the login. The log ispublished to a log group in Amazon CloudWatch LogsThe company is performing a root cause analysis for an event that occurred on theprevious day The company needs to know the number of logins for a specific user from thepast 7 daysWhich solution will provide this information'?
A. Create a CloudWatch Logs metric filter on the log group Use a filter pattern that matchesthe username. Publish a CloudWatch metric that sums the number of logins over the past 7days.
B. Create a CloudWatch Logs subscription on the log group Use a filter pattern thatmatches the username Publish a CloudWatch metric that sums the number of logins overthe past 7 days
C. Create a CloudWatch Logs Insights query that uses an aggregation function to count thenumber of logins for the username over the past 7 days. Run the query against the loggroup
D. Create a CloudWatch dashboard. Add a number widget that has a filter pattern thatcounts the number of logins for the username over the past 7 days directly from the loggroup
Question # 48
AnyCompany is using AWS Organizations to create and manage multiple AWS accountsAnyCompany recently acquired a smaller company, Example Corp. During the acquisitionprocess, Example Corp's single AWS account joined AnyCompany's management accountthrough an Organizations invitation. AnyCompany moved the new member account underan OU that is dedicated to Example Corp.AnyCompany's DevOps eng•neer has an IAM user that assumes a role that is namedOrganizationAccountAccessRole to access member accounts. This role is configured witha full access policy When the DevOps engineer tries to use the AWS Management Consoleto assume the role in Example Corp's new member account, the DevOps engineerreceives the following error message "Invalid information in one or more fields. Check yourinformation or contact your administrator."Which solution will give the DevOps engineer access to the new member account?
A. In the management account, grant the DevOps engineer's IAM user permission toassume the OrganzatlonAccountAccessR01e IAM role in the new member account.
B. In the management account, create a new SCR In the SCP, grant the DevOpsengineer's IAM user full access to all resources in the new member account. Attach theSCP to the OU that contains the new member account,
C. In the new member account, create a new IAM role that is namedOrganizationAccountAccessRole. Attach the AdmInistratorAccess AVVS managed policy tothe role. In the role's trust policy, grant the management account permission to assume therole.
D. In the new member account edit the trust policy for the Organ zationAccountAccessRoleIAM role. Grant the management account permission to assume the role.
Question # 49
A company has an application that includes AWS Lambda functions. The Lambda functionsrun Python code that is stored in an AWS CodeCommit repository. The company hasrecently experienced failures in the production environment because of an error in thePython code. An engineer has written unit tests for the Lambda functions to help avoidreleasing any future defects into the production environment.The company's DevOps team needs to implement a solution to integrate the unit tests intoan existing AWS CodePipeline pipeline. The solution must produce reports about the unittests for the company to view.Which solution will meet these requirements?
A. Associate the CodeCommit repository with Amazon CodeGuru Reviewer. Create a newAWS CodeBuild project. In the CodePipeline pipeline, configure a test stage that uses thenew CodeBuild project. Create a buildspec.yml file in the CodeCommit repository. In thebuildspec.yml file, define the actions to run a CodeGuru review.
B. Create a new AWS CodeBuild project. In the CodePipeline pipeline, configure a teststage that uses the new CodeBuild project. Create a CodeBuild report group. Create abuildspec.yml file in the CodeCommit repository. In the buildspec.yml file, define theactions to run the unit tests with an output of JUNITXML in the build phase section.Configure the test reports to be uploaded to the new CodeBuild report group.
C. Create a new AWS CodeArtifact repository. Create a new AWS CodeBuild project. Inthe CodePipeline pipeline, configure a test stage that uses the new CodeBuild project.Create an appspec.yml file in the original CodeCommit repository. In the appspec.yml file,define the actions to run the unit tests with an output of CUCUMBERJSON in the buildphase section. Configure the tests reports to be sent to the new CodeArtifact repository.
D. Create a new AWS CodeBuild project. In the CodePipeline pipeline, configure a teststage that uses the new CodeBuild project. Create a new Amazon S3 bucket. Create abuildspec.yml file in the CodeCommit repository. In the buildspec.yml file, define theactions to run the unit tests with an output of HTML in the phases section. In the reportssection, upload the test reports to the S3 bucket.
Question # 50
A DevOps engineer is setting up a container-based architecture. The engineer has decidedto use AWS CloudFormation to automatically provision an Amazon ECS cluster and anAmazon EC2 Auto Scaling group to launch the EC2 container instances. After successfullycreating the CloudFormation stack, the engineer noticed that, even though the ECS clusterand the EC2 instances were created successfully and the stack finished the creation, theEC2 instances were associating with a different cluster.How should the DevOps engineer update the CloudFormation template to resolve thisissue?
A. Reference the EC2 instances in the AWS: ECS: Cluster resource and reference theECS cluster in the AWS: ECS: Service resource.
B. Reference the ECS cluster in the AWS: AutoScaling: LaunchConfiguration resource ofthe UserData property.
C. Reference the ECS cluster in the AWS:EC2: lnstance resource of the UserDataproperty.
D. Reference the ECS cluster in the AWS: CloudFormation: CustomResource resource to trigger an AWS Lambda function that registers the EC2 instances with the appropriate ECScluster.
Leave a comment
Your email address will not be published. Required fields are marked *