A.  

Use TimeBasedLinear in appspec.yaml with defined percentage and interval.

B.  

Use AllAtOnce deployment configuration.

C.  

Use TimeBasedCanary.

D.  

Configure weighted routing on ALB manually.

A.  

Increase the retry attempts

B.  

Configure the setting to split the batch when an error occurs

C.  

Increase the concurrent batches per shard

D.  

Decrease the maximum age of record

A.  

Create an IAM user for the developer in the organization’s management account. Configure a cross-account role in the development account for the developer to use. Limit the scope of the cross-account role to common services.

B.  

Add the developer to an IAM group. Attach the PowerUserAccess managed policy to the IAM group. Enforce multi-factor authentication (MFA) on the user account.

C.  

Add an SCP to the development account in Organizations. Configure the SCP with a Deny rule for iam:* to limit the developer’s access.

D.  

Create an IAM role that has the necessary IAM access to allow the developer to create policies and roles. Create and attach a permissions boundary to the role. Grant the developer access to assume the role.

A.  

Enable AWS CloudTrail for control plane logging and deploy Logstash on nodes.

B.  

Enable control plane logging to CloudWatch and use CloudWatch Container Insights for node and pod metrics.

C.  

Enable API server logging to S3 and deploy Kubernetes Event Exporter to nodes.

D.  

Use AWS Distro for OpenTelemetry and stream logs to Amazon Redshift.

A.  

Create a data stream consumer with enhanced fan-out. Set the Lambda function that processes the logs as the consumer.

B.  

Increase the ParallelizationFactor setting in the Lambda event source mapping.

C.  

Configure reserved concurrency for the Lambda function that processes the logs.

D.  

Increase the batch size in the Kinesis data stream.

E.  

Turn off the ReportBatchltemFailures setting in the Lambda event source mapping.

F.  

Increase the number of shards in the Kinesis data stream.

A.  

Create encrypted backup vaults and customer managed AWS KMS keys in both accounts. Configure AWS Backup to create full EC2 backups as AMIs. Copy the backups to the centralized vault.

B.  

Create encrypted vaults in both accounts by using the source account ' s AWS KMS key. Configure AWS Backup to create EC2 AMIs. Copy the AMIs to the centralized vault.

C.  

Create backup vaults in both accounts. Use AWS managed keys for encryption. Configure AWS Backup to create EC2 AMIs. Copy the AMIs to the centralized vault.

D.  

Create encrypted vaults in both accounts. Use a customer managed KMS key in the source account. Use an AWS managed key in the centralized account. Configure AWS Backup to create EC2 AMIs. Copy the AMIs to the centralized vault.

A.  

Use AWS Systems Manager to create a new patch baseline including the custom repository. Run the AWS-RunPatchBaseline document using the run command to verify and install patches.

B.  

Use AWS Direct Connect to integrate the corporate repository and deploy the patches using Amazon CloudWatch scheduled events, then use the CloudWatch dashboard to create reports.

C.  

Use yum-config-manager to add the custom repository under /etc/yum.repos.d and run yum-config-manager-enable to activate the repository.

D.  

Use AWS Systems Manager to create a new patch baseline including the corporate repository. Run the AWS-AmazonLinuxDefaultPatchBaseline document using the run command to verify and install patches.

A.  

Create a domain in each application team ' s account. Grant each application team ' s account lull read access and write access to the application team ' s domain

B.  

Create a domain in the shared services account Grant the organization read access and CreateRepository access.

C.  

Create a repository in each application team ' s account. Grant each application team ' s account lull read access and write access to its own repository.

D.  

Create a repository in the shared services account. Grant the organization read access to the repository in the shared services account. Set the repository as the upstream repository in each application team ' s repository.

E.  

For teams that require shared packages, create resource-based policies that allow read access to the repository from other application teams ' accounts.

F.  

Set the other application teams ' repositories as upstream repositories.

A.  

The networking configuration does not allow the EC2 instances to reach the internet via a NAT gateway or internet gateway and the CodeDeploy endpoint cannot be reached.

B.  

The IAM user who triggered the application deployment does not have permission to interact with the CodeDeploy endpoint.

C.  

The target EC2 instances were not properly registered with the CodeDeploy endpoint.

D.  

An instance profile with proper permissions was not attached to the target EC2 instances.

E.  

The appspec. yml file was not included in the application revision.

A.  

Use Account Factory Customization (AFC) blueprints for baseline setup.

B.  

Use Account Factory + StackSets post-setup.

C.  

Use Organizations with Lambda applying baseline via access role.

D.  

Use Organizations + StackSets manually.

A.  

Create an AWS CloudFormation template for each required guardrail. Store the templates in an AWS CodeConnections compatible Git repository. Create an AWS::ControlTower::EnableControl logical resource in the template for each OU in the organization. Configure an AWS CodeBuild project that clones the Git repository and applies the template.

B.  

Create an individual AWS CloudFormation template for each required guardrail. Store the templates in an AWS CodeConnections compatible Git repository. Create an AWS::ControlTower::EnableControl logical resource in the template for each account in the organization. Configure a pipeline in AWS CodePipeline in the security team ' s account. Ensure that the security team manually invokes the pipeline and specifies the guardrail parameters when

C.  

Create an individual AWS CloudFormation template for required guardrail. Store the templates in an AWS CodeConnections compatible Git repository. Create an AWS::ControlTower::EnableControl logical resource in the template for each OU in the organization. Configure a pipeline in AWS CodePipeline in the security team ' s account. Configure an Amazon EventBridge rule to initiate the pipeline in response to merges to the security team ' s Git r

D.  

Create a pipeline in AWS CodePipeline in the security team ' s account. Add an Amazon EventBridge rule to the pipeline that matches on PutObject events to an Amazon S3 bucket. Create an individual AWS CloudFormation template for each required guardrail. Store the templates in the S3 bucket. Create an AWS::ControlTower::EnableControl logical resource in the template for each OU in the organization.

A.  

Migrate from Amazon RDS to Amazon DynamoDB. Add an Amazon CloudFront distribution in front of the API Gateway REST API.

B.  

Add a proxy from Amazon RDS Proxy in front of the RDS DB cluster. Enable API caching in API Gateway.

C.  

Add an Amazon RDS Proxy in front of the RDS database cluster. Provision an Amazon ElastiCache (Redis OSS) cluster.

D.  

Migrate from Amazon RDS to Amazon DynamoDB. Enable API caching in API Gateway.

A.  

Enable smart sessions on the load balancer and modify the application to check tor an existing session.

B.  

Enable session sharing on the toad balancer and modify the application to read from the session store.

C.  

Store user session information in an Amazon S3 bucket and modify the application to read session information from the bucket.

D.  

Modify the application to store user session information in an Amazon ElastiCache cluster.

A.  

Use AWS CloudFormation StackSets to provision IAM policies in each account to deny access to restricted AWS services. In each account configure AWS Config rules that ensure that the policies are attached to IAM principals in the account.

B.  

Use AWS Control Tower to provision the accounts into OUs within the organization Configure AWS Control Tower to enable AWS IAM identity Center (AWS Single Sign-On). Configure 1AM Identity Center to provide administrative access Include deny policies on user roles for restricted AWS services.

C.  

Place all the accounts under a new top-level OU within the organization Create an SCP that denies access to restricted AWS services Attach the SCP to the OU.

D.  

Create an SCP that allows access to only approved AWS services. Attach the SCP to the root OU of the organization. Remove the FullAWSAccess SCP from the root OU of the organization.

A.  

Create an AWS Config conformance pack that includes the s3-bucket-server-side-encryption-enabled rule. Deploy the conformance pack to the accounts. Configure the rule to target an Amazon Simple Notification Service (Amazon SNS) topic.

B.  

Create an SCP that includes a deny statement for the s3:createBucket action and a condition statement where s3:x-amz-server-side-encryption is not aws:kms. Attach the SCP to the root of the organization.

C.  

Create an AWS CloudFormation stack set to enable an AWS CloudTrail trail to capture S3 data events for the organization. In the stack set, create an Amazon EventBridge rule to match S3 PutObject events that do not use AWS KMS encryption. Configure the rule to target an Amazon Simple Notification Service (Amazon SNS) topic.

D.  

Create an SCP that includes a deny statement for the s3:putObject action and a condition where s3:x-amz-server-side-encryption is not aws:kms. Attach the SCP to the root of the organization.

A.  

Update the status of the affected CodeArtifact package version to unlisted

B.  

Update the status of the affected CodeArtifact package version to deleted

C.  

Update the status of the affected CodeArtifact package version to archived.

D.  

Update the CodeArtifact package origin control settings to allow direct publishing and to block upstream operations

E.  

Update the CodeArtifact package origin control settings to block direct publishing and to allow upstream operations.

A.  

Create a stack export from the database CloudFormation template and import those references into the web application CloudFormation template

B.  

Create a CloudFormation nested stack to make cross-stack resource references and parameters available in both stacks.

C.  

Create a CloudFormation stack set to make cross-stack resource references and parameters available in both stacks.

D.  

Create input parameters in the web application CloudFormation template and pass resource names and IDs from the database stack.

A.  

Configure log retention of 30 days and export to S3 via Kinesis Data Streams. Use S3 Lifecycle policies.

B.  

Configure retention of 30 days and stream to S3 via Kinesis Data Firehose. Transition to S3 One Zone-IA and Glacier Flexible Retrieval.

C.  

Configure retention of 30 days and stream via Kinesis Data Streams, then store in S3 Standard-IA and Glacier Instant Retrieval.

D.  

Configure retention of 30 days and stream via Kinesis Data Firehose to S3. Transition to S3 Standard-IA (90 days) and Glacier Deep Archive (180 days).

A.  

Create an Amazon EventBridge rule with a source of aws.cloudtrail and the event name AuthorizeSecurityGroupIngress. Define an Amazon Simple Notification Service (Amazon SNS) topic as the target.

B.  

Enable Amazon GuardDuty and check the findings for security groups in AWS Security Hub. Configure an Amazon EventBridge rule with a custom pattern that matches GuardDuty events with an output of NON_COMPLIANT. Define an Amazon Simple Notification Service (Amazon SNS) topic as the target.

C.  

Create an AWS Config rule by using the restricted-ssh managed rule to check whether security groups disallow unrestricted incoming SSH traffic. Configure automatic remediation to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic.

D.  

Enable Amazon Inspector. Include the Common Vulnerabilities and Exposures-1.1 rules package to check the security groups that are associated with the bastion hosts. Configure Amazon Inspector to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic.

A.  

Basic scanning with EventBridge for Inspector findings and Lambda to reject manual approval if critical vulnerabilities found.

B.  

Enhanced scanning, Lambda invokes Inspector for SBOM, exports to S3, Athena queries SBOM, rejects manual approval on critical findings.

C.  

Enhanced scanning, EventBridge listens to Detective scan findings, Lambda rejects manual approval on critical vulnerabilities.

D.  

Enhanced scanning, EventBridge listens to Inspector scan findings, Lambda rejects manual approval on critical vulnerabilities.

A.  

Configure a nightly Amazon EventBridge event to invoke an AWS Lambda function to run the RefreshCache command for Storage Gateway.

B.  

Instruct the third party to put data into the S3 bucket using AWS Transfer for SFTP.

C.  

Modify Storage Gateway to run in volume gateway mode.

D.  

Use S3 Same-Region Replication to replicate any changes made directly in the S3 bucket to Storage Gateway.

A.  

Use RDS Multi-AZ DB cluster with cross-Region read replicas. Automate failover via Route 53.

B.  

Use Multi-AZ cluster with snapshots copied cross-Region.

C.  

Use single-AZ RDS + DMS continuous replication.

D.  

Use single-AZ with Backup and restore.

A.  

Create a new data protection policy on the log group. Add an Emp-\d{6} custom data identifier configuration. Create an IAM policy that has a Deny action for the " Action " : " logs:Unmask " permission on the resource. Attach the policy to the engineering accounts.

B.  

Create a new data protection policy on the log group. Add managed data identifiers for the personal data category. Create an IAM policy that has a Deny action for the " NotAction " : " logs:Unmask " permission on the resource. Attach the policy to the engineering accounts.

C.  

Create an AWS Lambda function to parse a log file entry, remove the employee ID, and write the results to a new log file. Create a Lambda subscription filter on the log group and select the Lambda function. Grant the lambda:InvokeFunction permission to the log group.

D.  

Create an Amazon Data Firehose delivery stream that has an Amazon S3 bucket as the destination. Create a Firehose subscription filter on the log group that uses the Firehose delivery stream. Remove the " logs:* " permission on the engineering accounts. Create an Amazon Macie job on the S3 bucket that has an Emp-\d{6} custom identifier.

A.  

Filter the data through AWS X-Ray to visualize the data.

B.  

Filter the data through Amazon QuickSight to visualize the data.

C.  

Query the data with Amazon Athena.

D.  

Use the AWS Glue Data Catalog as the persistent metadata store.

E.  

Use Amazon DynamoDB as the persistent metadata store.

F.  

Query the data with Amazon Redshift.

A.  

Update the SAML assertion to pass the user ' s team name. Update the IAM role ' s trust policy to add an access-team session tag that has the team name.

B.  

Create an approval rule template for each team in the Organizations management account. Associate the template with all the repositories. Add the developer role ARN as an approver.

C.  

Create an approval rule template for each account. Associate the template with all repositories. Add the " aws:ResourceTag/access-team " : " $ ;{aws:PrincipaITag/access-team} " condition to the approval rule template.

D.  

For each CodeCommit repository, add an access-team tag that has the value set to the name of the associated team.

E.  

Attach an SCP to the accounts. Include the following statement:

F.  

Create an IAM permissions boundary in each account. Include the following statement:

A.  

Introduce changes as a separate environment parallel to the existing one Configure API Gateway to use a canary release deployment to send a small subset of user traffic to the new environment.

B.  

Introduce changes as a separate environment parallel to the existing one Update the application ' s DNS alias records to point to the new environment.

C.  

Introduce changes as a separate target group behind the existing Application Load Balancer Configure API Gateway to route user traffic to the new target group in steps.

D.  

Introduce changes as a separate target group behind the existing Application Load Balancer Configure API Gateway to route all traffic to the Application Load Balancer which then sends the traffic to the new target group.

A.  

Allow users to deploy CloudFormation stacks using a CloudFormation service role only. Use CloudFormation drift detection to detect when resources have drifted from their expected state.

B.  

Allow users to deploy CloudFormation stacks using a CloudFormation service role only. Use AWS Config rules to detect when resources have drifted from their expected state.

C.  

Allow users to deploy CloudFormation stacks using AWS Service Catalog only. Enforce the use of a launch constraint. Use AWS Config rules to detect when resources have drifted from their expected state.

D.  

Allow users to deploy CloudFormation stacks using AWS Service Catalog only. Enforce the use of a template constraint. Use Amazon EventBridge notifications to detect when resources have drifted from their expected state.

A.  

Use an AWS Config conformance pack to deploy the account-part-of-organizations AWS Config rule and to automatically remediate any noncompliant accounts.

B.  

Create an AWS Lambda function to create a ticket for AWS Support to add the account to the Enterprise Support plan. Grant the Lambda function the support:ResolveCase permission.

C.  

Add an additional value to the control_tower_parameters input to set the AWSEnterpriseSupport parameter as the organization ' s management account number.

D.  

Set the aft_feature_enterprise_support feature flag to True in the AFT deployment input configuration. Redeploy AFT and apply the changes.

A.  

Create an SNS topic and subscribe the DevOps lead via email. Create an AWS Config managed rule with CLOUDFORMATION_STACK_DRIFT_DETECTION_CHECK. Create an EventBridge rule on NON_COMPLIANT resources and set SNS as target.

B.  

Tag all CloudFormation resources, create a custom AWS Config rule via SDK that flags manual changes as NON_COMPLIANT, create an EventBridge rule and Lambda to send email notifications.

C.  

Create an SNS topic, subscribe the DevOps lead, create a Config managed rule CLOUDFORMATION_STACK_DRIFT_DETECTION_CHECK. Create an EventBridge rule on COMPLIANT resources, set SNS as target.

D.  

Create an AWS Config managed rule CLOUDFORMATION_STACK_DRIFT_DETECTION_CHECK. Create an EventBridge rule on NON_COMPLIANT resources, and a Lambda to send email notifications.

A.  

Use AWS CloudFormalion to create an AWS Step Functions state machine and Auto Scaling hfecycle hooks to move to one instance at a time into a wait state Use AWS Systems Manager automation to deploy the update to each instance and move it back into the Auto Scaling group using the heartbeat timeout

B.  

Use AWS CodeDeploy with Amazon EC2 Auto Scaling. Configure an alarm tied to the CPU utilization metric. Use the CodeDeployDefault OneAtAtime configuration as a deployment strategy Configure automatic rollbacks within the deployment group to roll back the deployment if the alarm thresholds are breached

C.  

Use AWS Elastic Beanstalk for load balancing and AWS Auto Scaling Configure an alarm tied to the CPU utilization metric Configure rolling deployments with a fixed batch size of one instance Enable enhanced health to monitor the status of the deployment and roll back based on the alarm previously created.

D.  

Use AWS Systems Manager to perform a blue/green deployment with Amazon EC2 Auto Scaling Configure an alarm tied to the CPU utilization metric Deploy updates one at a time Configure automatic rollbacks within the Auto Scaling group to roll back the deployment if the alarm thresholds are breached

A.  

Create an Amazon EventBridge rule that invokes an AWS Lambda function to query the applications on a 5-minute interval Configure the Lambda function to publish a notification to the SNS topic when the applications return errors.

B.  

Create an Amazon CloudWatch Synthetics canary that runs a custom script to query the applications on a 5-minute interval. Configure the canary to use the SNS topic when the applications return errors.

C.  

Create an Amazon CloudWatch alarm that uses the AWS/AppljcabonELB namespace RequestCountPerTarget metric Configure the CloudWatch alarm to send a notification when the number of connections becomes greater than the configured number of threads that the application supports Configure the CloudWatch alarm to use the SNS topic.

D.  

Create an Amazon CloudWatch alarm that uses the AWS/ApplicationELB namespace RequestCountPerTarget metric Configure the CloudWatch alarm to send a notification when the average response time becomes greater than the longest response time that the application supports Configure the CloudWatch alarm to use the SNS topic

A.  

Deploy the application on AWS Elastic Beanstalk. Deploy an Amazon RDS for MySQL DB instance as part of the Elastic Beanstalk configuration.

B.  

Deploy the application on AWS Elastic Beanstalk. Deploy a separate Amazon RDS for MySQL DB instance outside of Elastic Beanstalk.

C.  

Configure a notification email address that alerts the application team in the AWS Elastic Beanstalk configuration.

D.  

Configure an Amazon EventBridge rule to monitor AWS Health events. Use an Amazon Simple Notification Service (Amazon SNS) topic as a target to alert the application team.

E.  

Use the immutable deployment method to deploy new application versions.

F.  

Use the rolling deployment method to deploy new application versions.

A.  

Update CodeBuild build commands to run tests then deploy, set OnFailure to ABORT.

B.  

Update CodeBuild commands to run tests then deploy, add --rollback true to cdk deploy.

C.  

Update CodeBuild commands to run tests then deploy, add --require-approval any-change flag.

D.  

Create tests with AWS CDK assertions module, using template.hasResourceProperties assertions.

E.  

Create tests that use cdk diff and fail if any resource changes are detected.

A.  

Add an IAM trust policy to the IAM role that establishes Amazon ECS as a trusted service.

B.  

Add the logs:PutDestination permission to the policy applied to the IAM role.

C.  

Remove the logs:CreateLogStream permission from the policy applied to the IAM role.

D.  

Add an IAM trust policy to the IAM role that establishes CloudWatch as a trusted service.

A.  

Option A

B.  

Option B

C.  

Option C

D.  

Option D

A.  

Delete all objects, including previous versions, from the S3 bucket that contains the static website content.

B.  

Update the weighted DNS record entry that points to the S3 bucket. Apply a weight of 0. Specify the domain reset option to propagate changes immediately.

C.  

Configure webpage redirect requests on the S3 bucket with a hostname that redirects to the ALB.

D.  

Remove the weighted DNS record entry that points to the S3 bucket from the example.com hosted zone. Wait for DNS propagation to become complete.

A.  

The config.txt file will be deployed to only /var/www/html/config/config txt

B.  

The config.txt file will be deployed to /usr/local/src/config.txt and to /var/www/html/config/config txt.

C.  

The config.txt file will be deployed to only /usr/local/src/config txt

D.  

The config txt file will be deployed to /usr/local/src/config.txt and to /var/www/html/application/web/config txt

A.  

Create a CloudWatch Contributor Insights rule that groups logs from the CloudWatch application logs based on instance ID and errors.

B.  

Create a resource group in AWS Resource Groups. Use the CloudFormation stack to group the resources for the application. Add the application to CloudWatch Application Insights. Use the resource group to identify the application.

C.  

Create a metric filter for the application logs to count the occurrence of the term " Error. " Create a CloudWatch alarm that uses the METRIC_COUNT function to determine whether errors have occurred. Configure the CloudWatch alarm to send a notification to an Amazon Simple Notification Service (Amazon SNS) topic to notify the DevOps team.

D.  

Create a CloudWatch alarm that uses the INSIGHT_RULE_METRIC function to determine whether a specific instance is responsible for more than half of all errors reported by EC2 instances. Configure the CloudWatch alarm to send a notification to an Amazon Simple Notification Service (Amazon SNS) topic to notify the DevOps team.

E.  

Create a CloudWatch subscription filter for the application logs that filters for errors and invokes an AWS Lambda function. Configure the Lambda function to send the instance ID and error in a notification to an Amazon Simple Notification Service (Amazon SNS) topic to notify the DevOps team.

A.  

Modify the Lambda function ' s resource policy to grant AWS Config permission to invoke the function.

B.  

Modify the SNS topic policy to include configuration changes for EventBridge to publish to the SNS topic.

C.  

Modify the Lambda function ' s execution role to include configuration changes for custom AWS Config rules.

D.  

Modify all the ECR repository policies to grant AWS Config access to the necessary ECR API actions.

A.  

The IAM role that is attached to the EKS cluster does not have access to retrieve the secrets from Secrets Manager.

B.  

The key policy for the customer managed key does not allow the Kubernetes service account IAM role to use the key.

C.  

The key policy for the customer managed key does not allow the EKS cluster IAM role to use the key.

D.  

The IAM role that is assumed by the Kubernetes service account does not have permission to access the EKS cluster.

A.  

Create a web application to write records to Amazon S3 Use S3 Event Notifications to publish to an Amazon Simple Notification Service (Amazon SNS) topic Use an EC2 instance to poll Amazon SNS and start processing Save intermediate results to Amazon S3 to pass on to the next step

B.  

Perform the processing steps by using logic in the application. Convert the application code to run in a container. Use AWS Fargate to manage the container Instances. Configure the container to invoke itself to pass the state from one step to the next.

C.  

Create a web application to pass records to an Amazon Kinesis data stream. Decouple the processing by using the Kinesis data stream and AWS Lambda functions.

D.  

Create a web application to pass records to AWS Step Functions. Decouple the processing into Step Functions tasks and AWS Lambda functions.

A.  

Configure an Amazon EventBridge rule that reacts to EC2 RunInstances API calls. Configure the rule to invoke an AWS Lambda function to attach the default instance profile to the EC2 instances.

B.  

Configure the ec2-instance-profile-attached AWS Config managed rule with a trigger type of configuration changes. Configure an automatic remediation action that invokes an AWS Systems Manager Automation runbook to attach the default instance profile to the EC2 instances.

C.  

Configure an Amazon EventBridge rule that reacts to EC2 StartInstances API calls. Configure the rule to invoke an AWS Systems Manager Automation runbook to attach the default instance profile to the EC2 instances.

D.  

Configure the iam-role-managed-policy-check AWS Config managed rule with a trigger type of configuration changes. Configure an automatic remediation action that invokes an AWS Lambda function to attach the default instance profile to the EC2 instances.

A.  

Ensure that the EKS cluster ' s VPC subnets do not overlap with the 172.17.0.0/16 CIDR range.

B.  

Use kubectl to update the kubeconfig file to use the credentials that created the cluster.

C.  

Run the AWSSupport-TroubleshootEKSWorkerNode runbook.

D.  

Create an AWS Identity and Access Management (IAM) OpenID Connect (OIDC) provider for the cluster.

A.  

" Condition " : {

" ForAllValues:StringEquals " : {

" aws:TagKeys " : [ " department " ]

}

}

B.  

" Condition " : {

" StringEquals " : {

" aws:PrincipalTag/department " : " ${aws:ResourceTag/department} "

}

}

C.  

" Condition " : {

" StringEquals " : {

" ec2:ResourceTag/department " : " ${aws:PrincipalTag/department} "

}

}

D.  

" Condition " : {

" ForAllValues:StringEquals " : {

" ec2:ResourceTag/department " : [ " d1 " , " d2 " , " d3 " ]

}

}

A.  

Implement two-way S3 bucket replication between the primary Region ' s S3 buckets and the secondary Region ' s S3 buckets. Convert the DynamoDB tables into global tables. Set the secondary Region as the additional Region.

B.  

Implement S3 Batch Operations copy jobs between the primary Region and the secondary Region for all S3 buckets. Convert the DynamoDB tables into global tables. Set the secondary Region as the additional Region.

C.  

Implement two-way S3 bucket replication between the primary Region ' s S3 buckets and the secondary Region ' s S3 buckets. Enable DynamoDB streams on the DynamoDB tables in both Regions. In each Region, create an AWS Lambda function that subscribes to the DynamoDB streams. Configure the Lambda function to copy new records to the DynamoDB tables in the other Region.

D.  

Implement S3 Batch Operations copy jobs between the primary Region and the secondary Region for all S3 buckets. Enable DynamoDB streams on the DynamoDB tables in both Regions. In each Region, create an AWS Lambda function that subscribes to the DynamoDB streams. Configure the Lambda function to copy new records to the DynamoDB tables in the other Region.

A.  

In the management account, grant the DevOps engineer ' s IAM user permission to assume the OrganzatlonAccountAccessR01e IAM role in the new member account.

B.  

In the management account, create a new SCR In the SCP, grant the DevOps engineer ' s IAM user full access to all resources in the new member account. Attach the SCP to the OU that contains the new member account,

C.  

In the new member account, create a new IAM role that is named OrganizationAccountAccessRole. Attach the AdmInistratorAccess AVVS managed policy to the role. In the role ' s trust policy, grant the management account permission to assume the role.

D.  

In the new member account edit the trust policy for the Organ zationAccountAccessRole IAM role. Grant the management account permission to assume the role.

A.  

Create a new AWS account in AWS Organizations Create a VPC in this account and use AWS Resource Access Manager to share the private subnets of this VPC with the organization Instruct the service teams to launch a new. Network Load Balancer (NLB) and EC2 instances that use the shared private subnets Use the NLB DNS names for communication between microservices.

B.  

Create a Network Load Balancer (NLB) in each of the microservice VPCs Use AWS PrivateLink to create VPC endpoints in each AWS account for the NLBs Create subscriptions to each VPC endpoint in each of the other AWS accounts Use the VPC endpoint DNS names for communication between microservices.

C.  

Create a Network Load Balancer (NLB) in each of the microservice VPCs Create VPC peering connections between each of the microservice VPCs Update the route tables for each VPC to use the peering links Use the NLB DNS names for communication between microservices.

D.  

Create a new AWS account in AWS Organizations Create a transit gateway in this account and use AWS Resource Access Manager to share the transit gateway with the organization. In each of the microservice VPCs. create a transit gateway attachment to the shared transit gateway Update the route tables of each VPC to use the transit gateway Create a Network Load Balancer (NLB) in each of the microservice VPCs Use the NLB DNS names for communicat

A.  

Configure a new stage in the pipeline that includes an AWS FIS action. Configure the action to reference the AWS FIS experiment template. Grant the pipeline access to start the experiment.

B.  

Create an Amazon EventBridge scheduler. Grant the scheduler permission to start the AWS FIS experiment. Configure a new stage in the pipeline that includes an action to invoke the EventBridge scheduler.

C.  

Create an AWS Lambda function to start the AWS FIS experiment. Grant the Lambda function permission to start the experiment. Create a new stage in the pipeline that has a Lambda action. Set the action to invoke the Lambda function.

D.  

Export the AWS FIS experiment template to an Amazon S3 bucket. Create an AWS CodeBuild unit test project that has a buildspec that starts the AWS FIS experiment. Grant the CodeBuild project access to start the experiment. Configure a new stage in the pipeline that includes an action to run the CodeBuild unit test project.

A.  

Fitter the data through AWS X-Ray to visualize the data.

B.  

Filter the data through Amazon QuickSight to visualize the data.

C.  

Query the data with Amazon Athena.

D.  

Query the data with Amazon Redshift.

E.  

Use the AWS Glue Data Catalog as the persistent metadata store.

F.  

Use Amazon DynamoDB as the persistent metadata store.

A.  

The 53 bucket default encryption is enabled.

B.  

There is an error in the S3 bucket policy.

C.  

The object has been moved to S3 Glacier.

D.  

There is an error in the IAM role configuration.

E.  

S3 Versioning is enabled.

A.  

Add the physical machines into AWS Systems Manager using Systems Manager Hybrid Activations.

B.  

Attach an IAM role to the EC2 instances, allowing them to be managed by AWS Systems Manager.

C.  

Create IAM access keys for the on-premises machines to interact with AWS Systems Manager.

D.  

Run an AWS Systems Manager Automation document to patch the systems every hour.

E.  

Use Amazon EventBridge scheduled events to schedule a patch window.

F.  

Use AWS Systems Manager Maintenance Windows to schedule a patch window.

A.  

Configure CloudWatch dashboards using default EKS service metrics.

B.  

Configure AWS CloudTrail for the EKS cluster.

C.  

Configure CloudTrail Insights for the EKS cluster.

D.  

Configure Amazon CloudWatch Container Insights for the EKS cluster by enabling the CloudWatch Observability add-on.

A.  

Configure VPC Flow Logs to monitor network traffic. Use Amazon Inspector to detect non-network deployment issues. Use Amazon Detective to analyze the findings.

B.  

Enable detailed monitoring on the EC2 instances. Use AWS Systems Manager Run Command to run troubleshooting scripts on all the EC2 instances simultaneously. Analyze the results in AWS CloudTrail logs.

C.  

Use Amazon CloudWatch Logs to review application logs. Analyze CodeDeploy deployment logs in the /opt/codedeploy-agent/deployment-root/ directory on the EC2 instances. Use AWS X-Ray to trace requests through the application components.

D.  

Examine AWS Trusted Advisor checks for the CodeDeploy deployments. Use the AWS Health Dashboard to monitor application health. Analyze performance metrics in Amazon CloudWatch dashboards.

A.  

Copy the CloudFormation templates and the Dockerfile to an Amazon S3 bucket in the DR Region Use AWS Backup to configure automated Aurora cross-Region hourly snapshots In case of DR, build the most recent Docker image and upload the Docker image to an ECR repository in the DR Region Use the CloudFormation template that has the most recent Aurora snapshot and the Docker image from the ECR repository to launch a new CloudFormation stack in th

B.  

Copy the CloudFormation templates to an Amazon S3 bucket in the DR Region Configure Aurora automated backup Cross-Region Replication Configure ECR Cross-Region Replication. In case of DR use the CloudFormation template with the most recent Aurora snapshot and the Docker image from the local ECR repository to launch a new CloudFormation stack in the DR Region Update the application DNS records to point to the new ALB

C.  

Copy the CloudFormation templates to an Amazon S3 bucket in the DR Region. Use Amazon EventBridge to schedule an AWS Lambda function to take an hourly snapshot of the Aurora database and of the most recent Docker image in the ECR repository. Copy the snapshot and the Docker image to the DR Region in case of DR, use the CloudFormation template with the most recent Aurora snapshot and the Docker image from the local ECR repository to launch a

D.  

Copy the CloudFormation templates to an Amazon S3 bucket in the DR Region. Deploy a second application CloudFormation stack in the DR Region. Reconfigure Aurora to be a global database Update both CloudFormation stacks when a new application release in the current Region is needed. In case of DR. update, the application DNS records to point to the new ALB.

A.  

Option A

B.  

option B

C.  

option C

D.  

option D

E.  

Option E

F.  

Option F

A.  

Create an SCP that allows the services that IAM Access Analyzer identifies. Create an OU for the account. Move the account into the new OU. Attach the new SCP to the new OU. Detach the default FullAWSAccess SCP from the new OU.

B.  

Create an SCP that denies the services that IAM Access Analyzer identifies. Create an OU for the account. Move the account into the new OIJ. Attach the new SCP to the new OU.

C.  

Create an SCP that allows the services that IAM Access Analyzer identifies. Attach the new SCP to the organization ' s root.

D.  

Create an SCP that allows the services that IAM Access Analyzer identifies. Create an OU for the account. Move the account into the new OU. Attach the new SCP to the management account. Detach the default FullAWSAccess SCP from the new OU.

A.  

Configure provisioned concurrency on the Lambda function with a concurrency value of 1. Delete the DAX cluster for the DynamoDB table.

B.  

Configure reserved concurrency on the Lambda function with a concurrency value of 0.

C.  

Configure provisioned concurrency on the Lambda function. Configure AWS Application Auto Scaling on the Lambda function with provisioned concurrency values set to a minimum of 1 and a maximum of 100.

D.  

Configure reserved concurrency on the Lambda function. Configure AWS Application Auto Scaling on the API Gateway API with a reserved concurrency maximum value of 100.

A.  

Configure the Datapoints to Alarm value to be 3 out of 12. Configure the alarm to treat missing data as breaching the threshold. Add an AWS Systems Manager action to stop the instance when the alarm enters the ALARM state.

B.  

Configure the Datapoints to Alarm value to be 3 out of 12. Configure the alarm to treat missing data as not breaching the threshold. Add an EC2 action to stop the instance when the alarm enters the ALARM state.

C.  

Configure the Datapoints to Alarm value to be 9 out of 12. Configure the alarm to treat missing data as breaching the threshold. Add an EC2 action to stop the instance when the alarm enters the ALARM state.

D.  

Configure the Datapoints to Alarm value to be 9 out of 12. Configure the alarm to treat missing data as not breaching the threshold. Add an AWS Systems Manager action to stop the instance when the alarm enters the ALARM state.

A.  

Change the current single tag group to include only the Environment=Production tag Add another single tag group that includes only the Name=ApplicationA tag.

B.  

Change the current single tag group to include the Department=Marketmg Environment=Production and Name=ApplicationAtags

C.  

Add another single tag group that includes only the Department=Marketing tag. Keep the Environment=Production and Name=ApplicationA tags with the current single tag group

D.  

Change the current single tag group to include only the Environment=Production tag Add another single tag group that includes only the Department=Marketing tag

A.  

Enable Amazon DevOps Guru in the AWS account. Determine the coverage for DevOps Guru for all supported AWS resources in the account. Use the DevOps Guru dashboard to find the analysis, recommendations, and related metrics.

B.  

Create an Amazon Simple Notification Service (Amazon SNS) topic. Configure Amazon DevOps Guru to send notifications about important events to the company when anomalies are identified.

C.  

Create an Amazon S3 bucket. Store Amazon CloudWatch logs, AWS CloudTrail data, and AWS Config data in the S3 bucket. Use Amazon Athena to generate insights on the data. Create a dashboard by using Amazon QuickSight.

D.  

Configure email message reports for an Amazon QuickSight dashboard. Schedule and send the email reports to the company.

E.  

Create an Amazon Simple Notification Service (Amazon SNS) topic. Configure Amazon Athena to send query results about important events to the company when anomalies are identified.

A.  

Create an SCP in the organization to deny users the ability to create and modify IAM users. Attach the SCP to the root of the organization. Attach the CreateAndManageUsers role to developers.

B.  

Create an SCP in the organization to grant users that have the DeveloperBoundary policy attached the ability to create new IAM users and to modify IAM users. Configure the SCP to require users to attach the PermissionBoundaries policy to any new IAM user. Attach the SCP to the root of the organization.

C.  

Create an IAM permissions policy named PermissionBoundaries within each account. Configure the PermissionBoundaries policy to specify the maximum permissions that a developer can grant to a new IAM user.

D.  

Create an IAM permissions policy named PermissionBoundaries within each account. Configure PermissionsBoundaries to allow users who have the PermissionBoundaries policy to create new IAM users.

E.  

Create an IAM permissions policy named DeveloperBoundary within each account. Configure the DeveloperBoundary policy to allow developers to create IAM users and to assign policies to IAM users only if the developer includes the PermissionBoundaries policy as the permissions boundary. Attach the DeveloperBoundary policy to the CreateAndManageUsers role within each account.

A.  

Create a second CloudFront distribution that has the secondary ALB as the default origin. Create Amazon Route 53 alias records that have a failover policy and Evaluate Target Health set to Yes for both CloudFront distributions. Update the application to use the new record set.

B.  

Create a new origin on the distribution for the secondary AL

B.  

C.  

Create Amazon Route 53 alias records that have a failover policy and Evaluate Target Health set to Yes for both ALBs. Set the TTL of both records to 0. Update the distribution ' s origin to use the new record set.

D.  

Create a CloudFront function that detects HTTP 5xx status codes. Configure the function to return a 307 Temporary Redirect error response to the secondary ALB if the function detects 5xx status codes. Update the distribution ' s default behavior to send origin responses to the function.

A.  

Check that an Amazon EventBridge rule has been created for the main branch to trigger the pipeline.

B.  

Check that the CodePipeline service role has permission to access the CodeCommit repository.

C.  

Check that the developer’s IAM role has permission to push to the CodeCommit repository.

D.  

Check to see if the pipeline failed to start because of CodeCommit errors in Amazon CloudWatch Logs.

A.  

Create a SysAdmin role in the operations account. Attach the AdministratorAccess policy to the role. Modify the trust relationship to allow the sts:AssumeRole action from the workload accounts.

B.  

Create a SysAdmin role in each workload account. Attach the AdministratorAccess policy to the role. Modify the trust relationship to allow the sts:AssumeRole action from the operations account.

C.  

Create an Amazon Cognito identity pool in the operations account. Attach the SysAdmin role as an authenticated role.

D.  

In the operations account, create an IAM user for each operations team member.

E.  

In the operations account, create an IAM user group that is named SysAdmins. Add an IAM policy that allows the sts:AssumeRole action for the SysAdmin role in each workload account. Add all operations team members to the group.

F.  

Create an Amazon Cognito user pool in the operations account. Create an Amazon Cognito user for each operations team member.

A.  

Use Amazon ECR basic scanning.

B.  

Use Amazon ECR enhanced scanning.

C.  

Configure Amazon ECR to submit a Rejected status to the CI/CD pipeline when the image scan returns CRITICAL or HIGH findings.

D.  

Configure an Amazon EventBridge rule to invoke an AWS Lambda function when the image scan is completed. Configure the Lambda function to consume the Amazon Inspector scan status and to submit an Approved or Rejected status to the CI/CD pipeline.

E.  

Configure an Amazon EventBridge rule to invoke an AWS Lambda function when the image scan is completed. Configure the Lambda function to consume the Clair scan status and to submit an Approved or Rejected status to the CI/CD pipeline.

A.  

Configure a statement to deny the ec2:RunInstances action for all EC2 instance resources when the ec2:InstanceType condition is not equal to t3.small. Configure another statement to deny the ec2:RunInstances action for all EC2 instance resources when the aws:RequestedRegion condition is not equal to us-.

B.  

Configure a statement to allow the ec2:RunInstances action for all EC2 instance resources when the ec2:InstanceType condition is not equal to t3.small. Configure another statement to allow the ec2:RunInstances action for all EC2 instance resources when the aws:RequestedRegion condition is not equal to us-.

C.  

Configure a statement to deny the ec2:RunInstances action for all EC2 instance resources when the ec2:InstanceType condition is equal to t3.small. Configure another statement to deny the ec2:RunInstances action for all EC2 instance resources when the aws:RequestedRegion condition is equal to us-.

D.  

Configure a statement to allow the ec2:RunInstances action for all EC2 instance resources when the ec2:InstanceType condition is equal to t3.small. Configure another statement to allow the ec2:RunInstances action for all EC2 instance resources when the aws:RequestedRegion condition is equal to us-.

A.  

Configure a latency-based Amazon Route 53 CNAME with health checks so it points to both the primary and replica endpoints. Subscribe an Amazon SNS topic to Amazon RDS failure notifications from AWS CloudTrail and use that topic to invoke an AWS Lambda function that will promote the replica instance as the primary.

B.  

Create an Aurora custom endpoint to point to the primary database instance. Configure the application to use this endpoint. Configure AWS CloudTrail to run an AWS Lambda function to promote the replica instance and modify the custom endpoint to point to the newly promoted instance.

C.  

Create an AWS Lambda function to modify the application ' s AWS CloudFormation template to promote the replica, apply the template to update the stack, and point the application to the newly promoted instance. Create an Amazon CloudWatch alarm to invoke this Lambda function after the failure event occurs.

D.  

Store the Aurora endpoint in AWS Systems Manager Parameter Store. Create an Amazon EventBridge event that detects the database failure and runs an AWS Lambda function to promote the replica instance and update the endpoint URL stored in AWS Systems Manager Parameter Store. Code the application to reload the endpoint from Parameter Store if a database connection fails.

A.  

Create a new staging S3 bucket. Generate all files in the new staging bucket. Create an Amazon Macie custom data identifier to identify product IDs in the new bucket that begin with the specific UUID. Launch an Amazon Macie sensitive data discovery job with the custom data identifier. Copy all files that do not have a Macie finding to the production S3 bucket.

B.  

Create an Amazon Macie custom data identifier to identify product IDs in the production bucket that begin with the specific UUID. Launch an Amazon Macie sensitive data discovery job with the custom data identifier. Remove all files that have a Macie finding from the production S3 bucket.

C.  

Create a new staging S3 bucket. Generate all files in the new staging bucket. Launch an Amazon Macie sensitive data discovery job with a managed data identifier. Copy all files that do not have a Macie finding to the production S3 bucket.

D.  

Create an Amazon Macie sensitive data discovery job with a managed data identifier. Remove all files that have a Macie finding from the production S3 bucket.

A.  

Enable S3 Replication Time Control (RTC) for each replication rule.

B.  

Create S3 Multi-Region Access Point (active/passive).

C.  

Call SubmitMultiRegionAccessPointRoutes during failover.

D.  

Enable S3 Transfer Acceleration.

E.  

Use Route 53 ARC routing control.

F.  

Use Route 53 ARC to shift traffic during failover.

A.  

Create a replication IAM role in the source account

B.  

Create a replication I AM role in the target account.

C.  

Add statements to the source bucket policy allowing the replication IAM role to replicate objects.

D.  

Add statements to the target bucket policy allowing the replication IAM role to replicate objects.

E.  

Create a replication rule in the source bucket to enable the replication.

F.  

Create a replication rule in the target bucket to enable the replication.

A.  

Verify that AWS Systems Manager Agent is installed and is running on the EC2 instances that Amazon Inspector is not scanning.

B.  

Associate the target EC2 instances with security groups that allow outbound communication on port 443 to the AWS Systems Manager service endpoint.

C.  

Grant inspector: StartAssessmentRun permissions to the IAM role that the DevOps engineer is using.

D.  

Configure EC2 Instance Connect for the EC2 instances that Amazon Inspector is not scanning.

E.  

Associate the target EC2 instances with instance profiles that grant permissions to communicate with AWS Systems Manager.

F.  

Create a managed-instance activation. Use the Activation Code and the Activation ID to register the EC2 instances.

A.  

The appspec. yml file contains an invalid script that runs in the AllowTraffic lifecycle hook.

B.  

The user who initiated the deployment does not have the necessary permissions to interact with the AL

B.  

C.  

The health checks specified for the ALB target group are misconfigured.

D.  

The CodeDeploy agent was not installed in the EC2 instances that are pad of the ALB target group.

A.  

Update the buildspec.yml file to log in to the ECR repository by using the aws ecr get-login-password AWS CLI command to obtain an authentication token. Update the docker login command to use the authentication token to access the ECR repository.

B.  

Add an environment variable of type SECRETS_MANAGER to the CodeBuild project. In the environment variable, include the ARN of the CodeBuild project ' s lAM service role. Update the buildspec.yml file to use the new environment variable to log in with the docker login command to access the ECR repository.

C.  

Update the ECR repository to be a public image repository. Add an ECR repository policy that allows the 1AM service role to have access.

D.  

Update the buildspec.yml file to use the AWS CLI to assume the 1AM service role for ECR operations. Add an ECR repository policy that allows the 1AM service role to have access.

A.  

Update the default KMS key for Secrets Manager to allow only the Lambda function ' s execution role to decrypt.

B.  

Create a KMS customer managed key that trusts Secrets Manager and allows the Lambda function ' s execution role to decrypt. Update Secrets Manager to use the new customer managed key.

C.  

Create a KMS customer managed key that trusts Secrets Manager and allows the account ' s :root principal to decrypt. Update Secrets Manager to use the new customer managed key.

D.  

Ensure that the Lambda function ' s execution role has the KMS permissions scoped on the resource level. Configure the permissions so that the KMS key can encrypt the Secrets Manager secret.

E.  

Remove all KMS permissions from the Lambda function ' s execution role.

A.  

Create the secret in Secrets Manager with managed rotation (60 days). Reference via Parameter Store path.

B.  

Create the secret in Parameter Store with automatic rotation (unsupported).

C.  

Create the secret in Parameter Store and Lambda rotation (manual).

D.  

Create the secret in Secrets Manager with Lambda rotation using Redis rotation template and 60-day schedule. Reference via Parameter Store path.

A.  

Create an AWS CloudFormation template for the application. Define each Lambda function in the template by using the AWS::Lambda::Function resource type. In the template, include a version for the Lambda function by using the AWS::Lambda::Version resource type. Declare the CodeSha256 property. Configure an AWS::Lambda::Alias resource that references the latest version of the Lambda function.

B.  

Create an AWS Serverless Application Model (AWS SAM) template for the application. Define each Lambda function in the template by using the AWS::Serverless::Function resource type. For each function, include configurations for the AutoPublishAlias property and the DeploymentPreference property. Configure the deployment configuration type to LambdaCanary10Percent10Minutes.

C.  

Create an AWS CodeCommit repository. Create an AWS CodePipeline pipeline. Use the CodeCommit repository in a new source stage that starts the pipeline. Create an AWS CodeBuild project to deploy the AWS Serverless Application Model (AWS SAM) template. Upload the template and source code to the CodeCommit repository. In the CodeCommit repository, create a buildspec.yml file that includes the commands to build and deploy the SAM application.