DOP-C01 Practice Test Free – 50 Questions to Test Your Knowledge
Are you preparing for the DOP-C01 certification exam? If so, taking a free DOP-C01 practice test is one of the best ways to assess your knowledge and improve your chances of passing. In this post, we provide 50 free DOP-C01 practice questions designed to help you test your skills and identify areas for improvement.
By taking a free DOP-C01 practice test, you can:
- Familiarize yourself with the exam format and question types
- Identify your strengths and weaknesses
- Gain confidence before the actual exam
50 Free DOP-C01 Practice Questions
Below, you will find 50 free DOP-C01 practice questions to help you prepare for the exam. These questions are designed to reflect the real exam structure and difficulty level.
A company has provided an externally hosted third-party vendor product with access to the company's AWS account. The vendor product performs various AWS actions in the AWS account and requires various IAM permissions. The company granted the access by creating an IAM user, associating IAM policies and inserting the IAM user credentials into the vendor product. A security review reveals that the vendor's access is overly permissive. The company wants to apply the principle of least privilege and wants to continue giving the vendor permissions to perform only the actions that the vendor has performed in the last 6 months. Which solution will meet these requirements with the LEAST effort?
A. Use AWS Identity and Access Management Access Analyzer to generate a new IAM policy based on the IAM user's AWS CloudTrail history. Replace the IAM user policy with the newly generated policy.
B. Use AWS Identity and Access Management Access Analyzer to generate a new IAM policy based on the IAM user's AWS CloudTrail history. Attach the newly generated policy as a permissions boundary to the IAM user.
C. Use AWS Identity and Access Management Access Analyzer to discover the last accessed information for the IAM user and to create a new IAM policy that allows only the services and actions that the last accessed review identified. Replace the IAM user policy with the newly generated policy.
D. Use AWS Identity and Access Management Access Analyzer to discover the last accessed information for the IAM user and to create a new IAM policy that allows only the services and actions that the last accessed review identified. Attach the newly generated policy as a permissions boundary to the IAM user.
An ecommerce company is receiving reports that its order history page is experiencing delays in reflecting the processing status of orders. The order processing system consists of an AWS Lambda function that uses reserved concurrency. The Lambda function processes order messages from an Amazon Simple Queue Service (Amazon SQS) queue and inserts processed orders into an Amazon DynamoDB table. The DynamoDB table has auto scaling enabled for read and write capacity. Which actions should a DevOps engineer take to resolve this delay? (Choose two.)
A. Check the ApproximateAgeOfOldestMessage metric for the SQS queue. Increase the Lambda function concurrency limit.
B. Check the ApproximateAgeOfOldestMessage metric for the SQS queue. Configure a redrive policy on the SQS queue.
C. Check the NumberOfMessagesSent metric for the SQS queue. Increase the SQS queue visibility timeout.
D. Check the WriteThrottleEvents metric for the DynamoDB table. Increase the maximum write capacity units (WCUs) for the table’s scaling policy.
E. Check the Throttles metric for the Lambda function. Increase the Lambda function timeout.
A company has an application that runs on current-generation Amazon EC2 instances in a VPC. The EC2 instances run Amazon Linux and are launched in an Amazon EC2 Auto Scaling group. The application retrieves data from an Amazon S3 bucket, processes the data, and uploads the processed data to a different S3 bucket. Recently, the application's performance worsened. A manual investigation identified that outbound network bandwidth utilization was too high for the type of EC2 instance. The company updated the EC2 instances to a larger EC2 instance size. The company's DevOps team needs to receive notification from an Amazon CloudWatch alarm if the application attempts to use more outbound network bandwidth than is available to the EC2 instances. Which solution will meet these requirements?
A. Configure EC2 detailed monitoring for the EC2 instances. Create an AWS Lambda function to create a CloudWatch alarm for the bw_out_allowance_exceeded CloudWatch metric for each EC2 instance. Configure the alarm to notify the DevOps team.
B. Configure the unified CloudWatch agent on the EC2 instances to export the bw_out_allowance_exceeded metric to CloudWatch metrics. Create a CloudWatch composite alarm to monitor all bw_out_allowance_exceeded metrics. Configure the alarm to notify the DevOps team.
C. Configure VPC flow logging to Amazon CloudWatch Logs for the EC2 instances. Create a CloudWatch Logs metric filter to match events in which bandwidth allowance is exceeded. Create a CloudWatch composite alarm to monitor all bw_out_allowance_exceeded metrics. Configure the alarm to notify the DevOps team.
D. Configure the unified CloudWatch agent on the EC2 instances to export the bw_out_allowance_exceeded metric to CloudWatch metrics. Create an AWS Lambda function to create a CloudWatch alarm for the bw_out_allowance_exceeded CloudWatch metric for each EC2 instance. Configure the alarm to notify the DevOps team.
A company uses Application Load Balancers (ALBs) as part of its application architecture. The company has ALBs in AWS accounts that are part of an organization in AWS Organizations. The company has configured AWS Config in all AWS accounts in the organization. The company needs to apply an AWS WAF web ACL with a common set of rules to all ALBs, including any ALBs that are created in the future. Administrators of each AWS account must be able to define their own AWS WAF rules that are in addition to the common rules that the company's security team provides for all the accounts. Which solution will meet these requirements?
A. Configure AWS Firewall Manager for the organization. In the Firewall Manager administrator account, create an AWS WAF policy. Turn on automatic remediation and define the web ACL. Configure the policy scope to apply to all ALBs in the organization.
B. Use AWS Resource Access Manager (AWS RAM) from the organization's management account to enable resource sharing in the organization. Create the web ACL. Configure a resource share of the web ACL for the organization. Associate the shared web ACL with all the ALBs in the organization.
C. Set up the ALB_WAF_ENABLED AWS Config managed rule with automatic remediation. Configure the rule to create the web ACL and to attach the web ACL to all ALBs in an AWS account. Create an AWS Config conformance pack that contains the rule. Deploy the conformance pack to all AWS accounts in the organization.
D. Configure AWS Firewall Manager for the organization. In the Firewall Manager administrator account, create an AWS WAF policy that defines the web ACL. Set up the ALB_WAF_ENABLED AWS Config managed rule with automatic remediation. Configure the rule to attach the web ACL to all ALBs in an AWS account. Deploy the rule to all AWS accounts in the organization.
A company publishes application logs to an Amazon CloudWatch Logs log group in the us-east-1 Region. The company needs to export the logs from us-east-1 to the us-west-2 Region on a weekly basis. The logs must be encrypted in both Regions. Which solution will meet these requirements?
A. Create an Amazon S3 bucket in us-west-2. Configure server-side encryption with Amazon S3 managed encryption keys (SSE-S3) for the S3 bucket. Create and schedule an AWS Lambda function to run weekly to export the CloudWatch logs from the last week to the S3 bucket in us-west-2.
B. Create an Amazon S3 bucket in us-west-2. Configure server-side encryption with AWS KMS keys (SSE-KMS) for the S3 bucket. Create and schedule an AWS Lambda function to run weekly to export the CloudWatch logs from the last week to the S3 bucket in us-west-2.
C. Create an Amazon S3 bucket in us-east-1. Create an S3 bucket in us-west-2. Configure server-side encryption with Amazon S3 managed encryption keys (SSE-S3) and turn on versioning for both S3 buckets. Create and schedule an AWS Lambda function to run weekly to export the CloudWatch logs from the last week to the S3 bucket in us-east-1. Configure a replication rule on the S3 bucket in us-east-1 to replicate the logs to the S3 bucket in us-west-2.
D. Create an Amazon S3 bucket in us-east-1. Create an S3 bucket in us-west-2. Configure server-side encryption with AWS KMS keys (SSE-KMS) and turn on versioning for both S3 buckets. Create and schedule an AWS Lambda function to run weekly to export the CloudWatch logs from the last week to the S3 bucket in us-east-1. Configure a replication rule on the S3 bucket in us-east-1 to replicate the logs to the S3 bucket in us-west-2.
A company runs an application on Amazon EC2 instances. The company uses a series of AWS CloudFormation stacks to define the application resources. A developer performs updates by building and testing the application on a laptop and then uploading the build output and CloudFormation stack templates to Amazon S3. The developer's peers review the changes before the developer performs the CloudFormation stack update and installs a new version of the application onto the EC2 instances. The deployment process is prone to errors and is time-consuming when the developer updates each EC2 instance with the new application. The company wants to automate as much of the application deployment process as possible while retaining a final manual approval step before the modification of the application or resources. The company already has moved the source code for the application and the CloudFormation templates to AWS CodeCommit. The company also has created an AWS CodeBuild project to build and test the application. Which combination of steps will meet the company's requirements? (Choose two.)
A. Create an application group and a deployment group in AWS CodeDeploy. Install the CodeDeploy agent on the EC2 instances.
B. Create an application revision and a deployment group in AWS CodeDeploy. Create an environment in CodeDeploy. Register the EC2 instances to the CodeDeploy environment.
C. Use AWS CodePipeline to invoke the CodeBuild job, run the CloudFormation update, and pause for a manual approval step. After approval, start the AWS CodeDeploy deployment.
D. Use AWS CodePipeline to invoke the CodeBuild job, create CloudFormation change sets for each of the application stacks, and pause for a manual approval step. After approval, run the CloudFormation change sets and start the AWS CodeDeploy deployment.
E. Use AWS CodePipeline to invoke the CodeBuild job, create CloudFormation change sets for each of the application stacks, and pause for a manual approval step. After approval, start the AWS CodeDeploy deployment.
A DevOps engineer is implementing governance controls for a company that requires its infrastructure to be housed within the United States. The engineer must restrict which AWS Regions can be used, and ensure an alert is sent as soon as possible if any activity outside the governance policy takes place. The controls should be automatically enabled on any new Region outside the United States (US). Which combination of actions will meet these requirements? (Choose two.)
A. Create an AWS Organizations SCP that denies access to all non-global services in non-US Regions. Attach the policy to the root of the organization.
B. Configure AWS CloudTrail to send logs to Amazon CloudWatch Logs and enable it for all Regions. Use a CloudWatch Logs metric filter to send an alert on any service activity in non-US Regions.
C. Use an AWS Lambda function that checks for AWS service activity and deploy it to all Regions. Write an Amazon EventBridge rule that runs the Lambda function every hour, sending an alert if activity is found in a non-US Region.
D. Use an AWS Lambda function to query Amazon Inspector to look for service activity in non-US Regions and send alerts if any activity is found.
E. Write an SCP using the aws:RequestedRegion condition key limiting access to US Regions. Apply the policy to all users, groups and roles.
A company grants external users access to its AWS account by creating an IAM user for each external user. A DevOps engineer must implement a solution to revoke access from IAM users that have not accessed the account in 90 days. Which solution will meet these requirements?
A. Turn on AWS Config in the AWS account. Deploy the iam-user-unused-credentials-check AWS Config managed rule. Configure the rule to run periodically. Configure AWS Config automatic remediation to run the AWSConfigRemediation-RevokeUnusedIAMUserCredentials AWS Systems Manager Automation runbook.
B. Use AWS Identity and Access Management Access Analyzer to create an analyzer in the AWS account. Create an Amazon EventBridge rule to match IAM Access Analyzer events for IAM users that were last accessed more than 90 days ago. Configure the rule to run the AWSConfigRemediation-DetachIAMPolicy AWS Systems Manager Automation runbook to detach any policies that are attached to the IAM user.
C. Enable AWS Trusted Advisor in the AWS account. Use the AWS Developer Support plan to access the AWS Support API. Configure an Amazon EventBridge scheduled rule to use the Support API's Trusted Advisor IAM Access Key Rotation check to discover IAM credentials that have not been accessed for more than 90 days. Configure another EventBridge rule to use the Trusted Advisor Check Item Refresh Status event type and to run the AWSConfigRemediation-RevokeUnusedIAMUserCredentials AWS Systems Manager Automation runbook.
D. Enable AWS Security Hub in the AWS account. Configure a Security Hub rule that determines when an IAM user was last accessed. Configure an Amazon EventBridge rule to match the Security Hub rule and to run the AWSConfigRemediation-RevokeUnusedIAMUserCredentials AWS Systems Manager Automation runbook.
A company updated the AWS CloudFormation template for a critical business application. The stack update process failed due to an error in the updated template, and AWS CloudFormation automatically began the stack rollback process. Later, a DevOps engineer discovered that the application was still unavailable and that the stack was in the UPDATE_ROLLBACK_FAILED state. Which combination of actions should the DevOps engineer perform so that the stack rollback can complete successfully? (Choose two.)
A. Attach the AWSCloudFormationFullAccess IAM policy to the AWS CloudFormation role.
B. Automatically recover the stack resources by using AWS CloudFormation drift detection.
C. Issue a ContinueUpdateRollback command from the AWS CloudFormation console or the AWS CLI.
D. Manually adjust the resources to match the expectations of the stack.
E. Update the existing AWS CloudFormation stack by using the original template.
A DevOps engineer is creating an AWS CloudFormation template to deploy a web service. The web service will run on Amazon EC2 instances in a private subnet behind an Application Load Balancer (ALB). The DevOps engineer must ensure that the service can accept requests from clients that have IPv6 addresses. What should the DevOps engineer do with the CloudFormation template so that IPv6 clients can access the web service?
A. Add an IPv6 CIDR block to the VPC and the private subnet for the EC2 instances. Create route table entries for the IPv6 network, use EC2 instance types that support IPv6, and assign IPv6 addresses to each EC2 instance.
B. Assign each EC2 instance an IPv6 Elastic IP address. Create a target group and add the EC2 instances as targets. Create a listener on port 443 of the ALB, and associate the target group with the ALB.
C. Replace the ALB with a Network Load Balancer (NLB). Add an IPv6 CIDR block to the VPC and subnets for the NLB, and assign the NLB an IPv6 Elastic IP address.
D. Add an IPv6 CIDR block to the VPC and subnets for the ALB. Create a listener on port 443, and specify the dualstack IP address type on the ALB. Create a target group and add the EC2 instances as targets. Associate the target group with the ALB.
A company has migrated its container-based applications to Amazon EKS and wants to establish automated email notifications. The notifications sent to each email address are for specific activities related to EKS components. The solution will include Amazon SNS topics and an AWS Lambda function to evaluate incoming log events and publish messages to the correct SNS topic. Which logging solution will support these requirements?
A. Enable Amazon CloudWatch Logs to log the EKS components. Create a CloudWatch subscription filter for each component with Lambda as the subscription feed destination.
B. Enable Amazon CloudWatch Logs to log the EKS components. Create CloudWatch Logs Insights queries linked to Amazon EventBridge events that invoke Lambda.
C. Enable Amazon S3 logging for the EKS components. Configure an Amazon CloudWatch subscription filter for each component with Lambda as the subscription feed destination.
D. Enable Amazon S3 logging for the EKS components. Configure S3 PUT Object event notifications with flaws Lambda as the destination.
A company has a web application that users access over the internet. The web application runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The EC2 instances are in an Auto Scaling group. The ALB is associated with a security group that allows traffic from the internet. The web application has a local cache on each EC2 instance. During a recent security incident, requests overloaded the web application and caused an outage for the company's customers. In response to the incident, the company added Amazon CloudFront in front of the web application. All customers now access the web application through CloudFront. A DevOps engineer must implement a solution that routes all requests through CloudFront. The solution also must give the company the ability to block requests based on the content of the requests, such as header or body information. Which combination of steps should the DevOps engineer take to meet these requirements? (Choose two.)
A. Create an AWS WAF web ACL. Associate the web ACL with the CloudFront distribution. Create rules for each type of traffic that the company wants to block.
B. Create new ALB listener rules on the existing listeners. Configure the new rules to allow or reject incoming traffic based on whether the host header matches the CloudFront fully qualified domain name (FQDN).
C. Create an AWS PrivateLink endpoint service for the ALB. Configure the endpoint service to allow requests from CloudFront. Update the web application origin in CloudFront to use the newly created endpoint service's DNS name.
D. Create a CloudFront origin access identity (OAI) for the web application. Update the web application origin in CloudFront to use the OAI. Update the ALB rules to check for the OAI and return an HTTP 403 error if the OAI header is not present.
E. Create an AWS Firewall Manager security policy. Attach the security policy to the CloudFront distribution. Use the security policy to attach AWS WAF rule groups for each type of traffic that the company wants to block.
A company needs to scan code changes for security issues before deployment and must prevent noncompliant code from being deployed. The company uses an AWS CodePipeline pipeline that starts when code changes occur. The code changes occur many times each day. The company's security team supports a third-party application for code scans and has provided command-line integration steps to submit code scans. The code scan step requires a user name and password. Which solution will meet these requirements in the MOST secure way?
A. Create a new AWS CodeBuild project. Configure the user name and password in an environment variable. Use the user name and password to run the command-line integration steps. Update the CodePipeline pipeline to include a new scan stage. In the new scan stage, include a test action that uses the newly created CodeBuild project.
B. Create a new AWS CodeBuild project. Store the user name and password as a secret in AWS Secrets Manager. Read the secret from Secrets Manager. Use the user name and password to run the command-line integration steps. Update the CodePipeline pipeline to include a new scan stage. In the new scan stage, include a test action that uses the newly created CodeBuild project.
C. Create a new AWS CodeBuild project. Store the user name and password as a string in AWS Systems Manager Parameter Store. Read the string from Parameter Store. Use the user name and password to run the command-line integration steps. Update the CodePipeline pipeline to include a new scan stage. In the new scan stage, include a test action that uses the newly created CodeBuild project.
D. Upload the user name and password in an encrypted JSON file to an Amazon S3 bucket that has a specific policy to allow only administrators to read the file. Create a new AWS CodeBuild project. Use the user name and password from the file in Amazon S3 to run the command-line integration steps. Update the CodePipeline pipeline to include a new scan stage. In the new scan stage, include a test action that uses the newly created CodeBuild project.
A production account has a requirement that any Amazon EC2 instance that has been logged in to manually must be terminated within 24 hours. All applications in the production account are using Auto Scaling groups with the Amazon CloudWatch Logs agent configured. How can this process be automated?
A. Create a CloudWatch Logs subscription to an AWS Step Functions application. Configure an AWS Lambda function to add a tag to the EC2 instance that produced the login event and mark the instance to be decommissioned. Create an Amazon EventBridge rule to invoke a second Lambda function once a day that will terminate all instances with this tag.
B. Create an Amazon CloudWatch alarm that will be invoked by the login event. Send the notification to an Amazon Simple Notification Service (Amazon SNS) topic that the operations team is subscribed to, and have them terminate the EC2 instance within 24 hours.
C. Create an Amazon CloudWatch alarm that will be invoked by the login event. Configure the alarm to send to an Amazon Simple Queue Service (Amazon SQS) queue. Use a group of worker instances to process messages from the queue, which then schedules an Amazon EventBridge rule to be invoked.
D. Create a CloudWatch Logs subscription in an AWS Lambda function. Configure the function to add a tag to the EC2 instance that produced the login event and mark the instance to be decommissioned. Create an Amazon EventBridge rule to invoke a daily Lambda function that terminates all instances with this tag.
A company uses AWS CloudFormation to manage an application that runs on Amazon EC2 instances. The instances are in an Amazon EC2 Auto Scaling group. The company wants to treat its infrastructure as immutable. A DevOps engineer must implement a solution to replace two EC2 instances at a time whenever operating system configuration updates are needed or when new Amazon Machine Images (AMIs) are needed. A minimum of four EC2 instances must be running whenever an update is in progress. Which solution will meet these requirements?
A. Modify the CloudFormation template to include an UpdatePolicy attribute for the Auto Scaling group. Include the AutoScalingRollingUpdate policy with MinInstancesInService of 4 and MaxBatchSize of 2. Whenever a software update is needed, alter either or both of the ImageId and UserData of the AWS::EC2::LaunchTemplate and update the stack.
B. Set the Auto Scaling group's minimum capacity to 4. Create an AWS CodeDeploy deployment group that has an in-place deployment type. Select Amazon EC2 Auto Scaling group for the environment configuration. Whenever a new revision is available, create a new CodeDeploy deployment that has a deployment configuration of CodeDeployDefault.HalfAtATime.
C. Set the Auto Scaling group's minimum capacity to 4. Create an AWS CodeDeploy deployment group that has a blue/green deployment type. Select Amazon EC2 Auto Scaling group for the environment configuration. Whenever a new revision is available, create a new CodeDeploy deployment that has a deployment configuration of CodeDeployDefault.HalfAtATime.
D. Modify the CloudFormation template to include a StackPolicy. Designate an AutoScalingReplacingUpdate policy to control the update. Specify MinInstancesInService of 4 and MaxBatchSize of 2. Whenever a software update is needed, alter either or both of the ImageId and UserData of the AWS::EC2::LaunchTemplate and update the stack.
A company is migrating Docker repositories to Amazon Elastic Container Registry (Amazon ECR) in an existing AWS account. A DevOps engineer needs to automate the management of images that are uploaded to the repositories. The solution must limit the number of image versions. As a first step, the DevOps engineer creates a private repository in Amazon ECR for each repository that the company will migrate. What should the DevOps engineer do next to meet the requirements in the MOST operationally efficient manner?
A. Create an AWS Lambda function to scan the images in each repository for the number of versions present. Configure the Lambda function to delete older versions of images if the number of images is greater than the desired number of images. Schedule the Lambda function to run automatically at regular intervals.
B. Create a repository policy that assesses the number of images and deletes older versions if the number of images is greater than the desired number of images. Apply the repository policy to each private repository.
C. Create an AWS Step Functions state machine Express Workflow to scan the images in each repository for the number of versions present. Configure the Express Workflow to delete older versions of images if the number of images is greater than the desired number of images. Configure the state machine to run every time an image is pushed to a repository.
D. Push an image into each private repository. In each private repository, create a lifecycle policy preview to delete older versions of images if the number of images is greater than the desired number of images. Test the lifecycle policy and validate the impact. Apply the lifecycle policy to manage the images.
A video-sharing company stores its videos in Amazon S3. The company has observed a sudden increase in video access requests, but the company does not know which videos are most popular. The company needs to identify the general access pattern for the video files. This pattern includes the number of users who access a certain file on a given day, as well as the number of pull requests for certain files. How can the company meet these requirements with the LEAST amount of effort?
A. Activate S3 server access logging. Import the access logs into an Amazon Aurora database. Use an Aurora SQL query to analyze the access patterns.
B. Activate S3 server access logging. Use Amazon Athena to create an external table with the log files. Use Athena to create a SQL query to analyze the access patterns.
C. Invoke an AWS Lambda function for every S3 object access event. Configure the Lambda function to write the file access information, such as user, S3 bucket, and file key, to an Amazon Aurora database. Use an Aurora SQL query to analyze the access patterns.
D. Record an Amazon CloudWatch Logs log message for every S3 object access event. Configure a CloudWatch Logs log stream to write the file access information, such as user, S3 bucket, and file key, to an Amazon Kinesis Data Analytics for SQL application. Perform a sliding window analysis.
A DevOps engineer has created an AWS CloudFormation template. The template includes the following snippet: When the template is launched, CloudFormation performs a rollback and reports the following error message: Received 0 SUCCESS signal(s) out of 1. Which combination of steps should the DevOps engineer take to resolve this error? (Choose two.)
A. Update the UserData attribute to use the cfn-signal helper script.
B. Update the AutoScalingGroup resource with a DependsOn LaunchConfig.
C. Update the LaunchConfig resource type to AWS::EC2::LaunchTemplate.
D. Increase the CreationPolicy ResourceSignal Timeout.
E. Remove the CreationPolicy attribute. Create new WaitHandle and WaitCondition resources.
A DevOps engineer is working on a project that is hosted on Amazon Linux and has failed a security review. The DevOps manager has been asked to review the company buildspec.yaml file for an AWS CodeBuild project and provide recommendations. The buildspec.yaml file is configured as follows: What changes should be recommended to comply with AWS security best practices? (Choose three.)
A. Add a post-build command to remove the temporary files from the container before termination to ensure they cannot be seen by other CodeBuild users.
B. Update the CodeBuild project role with the necessary permissions and then remove the AWS credentials from the environment variable.
C. Store the DB_PASSWORD as a SecureString value in AWS Systems Manager Parameter Store and then remove the DB_PASSWORD from the environment variables.
D. Move the environment variables to the 'db-deploy-bucket' Amazon S3 bucket, add a prebuild stage to download them, and then export the variables.
E. Use AWS Systems Manager Run Command instead of running scp and ssh commands directly against the instance.
F. Scramble the environment variables using XOR followed by Base64, add a section to install, and then run XOR and Base64 to the build phase.
A company hosts a multi-tenant application on Amazon EC2 instances behind an Application Load Balancer. The instances run Windows Server and are in an Auto Scaling group. The application uses a license file on the instances that can be updated on the instances without customer disruption. When a new customer purchases access to the application, the company's licensing team adds a new license key to a file in an Amazon S3 bucket. After the license file is updated, the operations team manually updates the EC2 instances. A DevOps engineer needs to automate the EC2 instance file update process. The automated process must decrease the time for EC2 instances to get the updated license file and must notify the operations team about success or failure of the update process. The DevOps engineer creates a resource group in AWS Resource Groups. The resource group uses a tag that the Auto Scaling group applies to the EC2 instances. What should the DevOps engineer do next to meet the requirements MOST cost-effectively?
A. Create an S3 event notification to invoke an AWS Lambda function when the license file is updated in the S3 bucket. Configure the Lambda function to invoke AWS Systems Manager Run Command to run the AWS-RunRemoteScript document to download the updated license file. Specify the command from Lambda to run on the application's resource group with 50% concurrency. Configure Amazon Simple Email Service (Amazon SES) notifications for event notifications of SUCCESS and FAILED to send email notifications to the operations team.
B. Create an S3 event notification to invoke an AWS Lambda function when the license file is updated in the S3 bucket. Configure the Lambda function to invoke AWS Systems Manager Run Command to run the AWS-RunPowerShellScript document to download the updated license file. Specify the command from Lambda to run on the application's resource group with 50% concurrency. Configure an Amazon Simple Notification Service (Amazon SNS) topic to send event notifications of SUCCESS and FAILED. Subscribe the email addresses of the operations team members to the SNS topic.
C. Create an Amazon EventBridge scheduled rule that runs each hour to invoke an AWS Lambda function. Configure the Lambda function to invoke AWS Systems Manager Run Command to run the AWS-RunPowerShellScript document to download the updated license file. Specify the command from Lambda to run on the application's resource group with 50% concurrency. Configure an Amazon Simple Notification Service (Amazon SNS) topic to send event notifications of SUCCESS and FAILED. Subscribe the email addresses of the operations team members to the SNS topic.
D. Create an Amazon EventBridge scheduled rule that runs each hour to invoke an AWS Lambda function. Configure the Lambda function to invoke AWS Systems Manager Run Command to run the AWS-RunRemoteScript document to download the updated license file. Specify the command from Lambda to run on the application's resource group with 50% concurrency. Configure Amazon Simple Email Service (Amazon SES) notifications for event notifications of SUCCESS and FAILED to send email notifications to the operations team.
A DevOps engineer at a company is supporting an flaws environment in which all users use flaws IAM Identity Center (flaws Single Sign-On). The company wants to immediately disable credentials of any new IAM user and wants the security team to receive a notification. Which combination of steps should the DevOps engineer take to meet these requirements? (Choose three.)
A. Create an Amazon EventBridge rule that reacts to an IAM CreateUser API call in flaws CloudTrail.
B. Create an Amazon EventBridge rule that reacts to an IAM GetLoginProfile API call in flaws CloudTrail.
C. Create an flaws Lambda function that is a target of the EventBridge rule. Configure the Lambda function to disable any access keys and delete the login profiles that are associated with the IAM user.
D. Create an flaws Lambda function that is a target of the EventBridge rule. Configure the Lambda function to delete the login profiles that are associated with the IAM user.
E. Create an Amazon Simple Notification Service (Amazon SNS) topic that is a target of the EventBridge rule. Subscribe the security team’s group email address to the topic.
F. Create an Amazon Simple Queue Service (Amazon SQS) queue that is a target of the Lambda function. Subscribe the security team’s group email address to the queue.
A company uses flaws Organizations to manage its flaws accounts. A DevOps engineer wants to deploy a new flaws Lambda function to all accounts in the organization by using flaws CloudFormation StackSets. The DevOps engineer uses a delegated administrator account to deploy the stack sets to the member accounts. The stack operation keeps failing, and the stack instance status is OUTDATED. Which actions should the DevOps engineer take to remediate this error? (Choose two.)
A. Ensure that the flaws Region is the same for the stack sets and the target resources.
B. Ensure that the delegated administrator account has a trust relationship with the target account.
C. Ensure that the resources in the stacks do not have termination protection enabled by default.
D. Ensure that the CloudFormation template is creating unique global resources.
E. Deploy the stack sets from the management account and not from the delegated administrator account.
A large company has acquired a small company. The large company has an organization in flaws Organizations. The large company needs to integrate the small company’s single flaws account into the organization with minimal impact to the applications that are deployed in the small company's account. The large company has deployed flaws Control Tower in its organization and wants to enroll the small company’s account in flaws Control Tower. The large company’s flaws Control Tower configuration includes a security OU, a sandbox OU, and a new destination OU that is set up for the small company's migration. Each company is using flaws Config as part of its account management strategy. Which combination of steps should a DevOps engineer take to meet these requirements? (Choose two.)
A. Create a landing zone in the security OU of the large company’s flaws Control Tower landing zone. Provide the account’s email address, the account owner’s first and last name, and the name of the landing zone created in the security OU to complete the flaws Control Tower Account Factory enrollment request.
B. Create and apply SCPs in the destination OU to restrict the types of resources that can be created in the small company’s account. Assess the impact of the applied SCPs on the small company’s account. Delete existing SCPs in the small company’s account.
C. Create an flaws Config conformance pack that contains the policies that are currently applied to the large company’s account. Use flaws Config to assess the impact that enrollment in flaws Control Tower will have on the small company’s account. Delete the configuration recorder and delivery channels from the flaws Config settings of the small company’s account.
D. Enroll the OU of the small company’s account in the large company’s flaws Control Tower environment. Specify the destination OU in the large company’s flaws Control Tower landing zone as the receiving OU in the request.
E. Create an AWSControlTowerExecution role in the small company’s account. Provide the account’s email address, the account owner’s first and last name, and the destination OU to complete the flaws Control Tower Account Factory enrollment request.
A software-as-a-service (SaaS) company is using flaws Elastic Beanstalk to deploy its primary .NET application. The Elastic Beanstalk environment is configured to use Amazon EC2 Auto Scaling and Elastic Load Balancing (ELB) for its underlying Amazon EC2 instances. The company is experiencing incidents in which EC2 instances are marked unhealthy and are terminated by Auto Scaling groups after a failed ELB health check. The company's DevOps team must build a solution that will notify the operations team whenever an Auto Scaling group terminates EC2 instances for any existing client environments. What should the DevOps team do to meet this requirement?
A. Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the email addresses of all operations team members to the SNS topic. Apply a notification configuration for the autoscaling:EC2_INSTANCE_LAUNCH notification type to all the existing Auto Scaling groups.
B. Create an Amazon Simple Queue Service (Amazon SQS) queue. Add an flaws Lambda function trigger to the SQS queue. Apply a notification configuration for the autoscaling:EC2_INSTANCE_LAUNCH notification type to all the existing Auto Scaling groups.
C. Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the email addresses of all operations team members to the SNS topic. Apply a notification configuration for the autoscaling:EC2_INSTANCE_TERMINATE notification type to all the existing Auto Scaling groups.
D. Create an Amazon Simple Queue Service (Amazon SQS) queue. Add an flaws Lambda function trigger to the SQS queue. Apply a notification configuration for the autoscaling:EC2_INSTANCE_TERMINATE notification type to all the existing Auto Scaling groups.
A company is hosting a web application in an flaws Region. For disaster recovery purposes, a second region is being used as a standby. Disaster recovery requirements state that session data must be replicated between regions in near-real time and 1% of requests should route to the secondary region to continuously verify system functionality. Additionally, if there is a disruption in service in the main region, traffic should be automatically routed to the secondary region, and the secondary region must be able to scale up to handle all traffic. How should a DevOps engineer meet these requirements?
A. In both regions, deploy the application on flaws Elastic Beanstalk and use Amazon DynamoDB global tables for session data. Use an Amazon Route 53 weighted routing policy with health checks to distribute the traffic across the regions.
B. In both regions, launch the application in Auto Scaling groups and use DynamoDB for session data. Use a Route 53 failover routing policy with health checks to distribute the traffic across the regions.
C. In both regions, deploy the application in flaws Lambda, exposed by Amazon API Gateway, and use Amazon RDS PostgreSQL with cross-region replication for session data. Deploy the web application with client-side logic to call the API Gateway directly.
D. In both regions, launch the application in Auto Scaling groups and use DynamoDB global tables for session data. Enable an Amazon CloudFront weighted distribution across regions. Point the Amazon Route 53 DNS record at the CloudFront distribution.
A company is implementing an Amazon Elastic Container Service (Amazon ECS) cluster to run its workload. The company architecture will run multiple ECS services on the cluster. The architecture includes an Application Load Balancer on the front end and uses multiple target groups to route traffic. A DevOps engineer must collect application and access logs. The DevOps engineer then needs to send the logs to an Amazon S3 bucket for near-real-time analysis. Which combination of steps must the DevOps engineer take to meet these requirements? (Choose three.)
A. Download the Amazon CloudWatch Logs container instance from flaws. Configure this instance as a task. Update the application service definitions to include the logging task.
B. Install the Amazon CloudWatch Logs agent on the ECS instances. Change the logging driver in the ECS task definition to awslogs.
C. Use Amazon EventBridge to schedule an flaws Lambda function that will run every 60 seconds and will run the Amazon CloudWatch Logs create-export-task command. Then point the output to the logging S3 bucket.
D. Activate access logging on the ALB. Then point the ALB directly to the logging S3 bucket.
E. Activate access logging on the target groups that the ECS services use. Then send the logs directly to the logging S3 bucket.
F. Create an Amazon Kinesis Data Firehose delivery stream that has a destination of the logging S3 bucket. Then create an Amazon CloudWatch Logs subscription filter for Kinesis Data Firehose.
A company has developed a static website hosted on an Amazon S3 bucket. The website is deployed using flaws CloudFormation. The CloudFormation template defines an S3 bucket and a custom resource that copies content into the bucket from a source location. The company has decided that it needs to move the website to a new location, so the existing CloudFormation stack must be deleted and re-created. However, CloudFormation reports that the stack could not be deleted cleanly. What is the MOST likely cause and how can the DevOps engineer mitigate this problem for this and future versions of the website?
A. Deletion has failed because the S3 bucket has an active website configuration. Modify the CloudFormation template to remove the WebsiteConfiguration property from the S3 bucket resource.
B. Deletion has failed because the S3 bucket is not empty. Modify the custom resource’s flaws Lambda function code to recursively empty the bucket when RequestType is Delete.
C. Deletion has failed because the custom resource does not define a deletion policy. Add a DeletionPolicy property to the custom resource definition with a value of RemoveOnDeletion.
D. Deletion has failed because the S3 bucket is not empty. Modify the S3 bucket resource in the CloudFormation template to add a DeletionPolicy property with a value of Empty.
A company is reviewing its IAM policies. One policy written by the DevOps engineer has been flagged as too permissive. The policy is used by an flaws Lambda function that issues a stop command to Amazon EC2 instances tagged with Environment: NonProduction over the weekend. The current policy is: What changes should the engineer make to achieve a policy of least permission? (Choose three.)
A. Add the following conditional expression:
B. Change “Resource”: “*” to “Resource”: “arn:flaws:ec2:*:*:instance/*”
C. Add the following conditional expression:
D. Add the following conditional expression:
E. Change “Action”: “ec2:*” to “Action”: “ec2:StopInstances”
F. Add the following conditional expression:
A company deploys updates to its Amazon API Gateway API several times a week by using an flaws CodePipeline pipeline. As part of the update process, the company exports the JavaScript SDK for the API from the API Gateway console and uploads the SDK to an Amazon S3 bucket. The company has configured an Amazon CloudFront distribution that uses the S3 bucket as an origin. Web clients then download the SDK by using the CloudFront distribution's endpoint. A DevOps engineer needs to implement a solution to make the new SDK available automatically during new API deployments. Which solution will meet these requirements?
A. Create a CodePipeline action immediately after the deployment stage of the API. Configure the action to invoke an flaws Lambda function. Configure the Lambda function to download the SDK from API Gateway, upload the SDK to the S3 bucket, and create a CloudFront invalidation for the SDK path.
B. Create a CodePipeline action immediately after the deployment stage of the API. Configure the action to use the CodePipeline integration with API Gateway to export the SDK to Amazon S3. Create another action that uses the CodePipeline integration with Amazon S3 to invalidate the cache for the SDK path.
C. Create an Amazon EventBridge (Amazon CloudWatch Events) rule that reacts to UpdateStage events from flaws.apigateway. Configure the rule to invoke an flaws Lambda function to download the SDK from API Gateway, upload the SDK to the S3 bucket, and call the CloudFront API to create an invalidation for the SDK path.
D. Create an Amazon EventBridge (Amazon CloudWatch Events) rule that reacts to CreateDeployment events from flaws.apigateway. Configure the rule to invoke an flaws Lambda function to download the SDK from API Gateway, upload the SDK to the S3 bucket, and call the S3 API to invalidate the cache for the SDK path.
A company's DevOps engineer manages an organization in flaws Organizations. The organization includes many accounts. The company needs all flaws CloudFormation stacks in production accounts to have termination protection enabled. Non-production accounts do not need termination protection. The company has designated a centralized account for flaws Config aggregation and has configured all accounts to support the use of CloudFormation and flaws Config. The company also has grouped all production accounts into an OU. Which solution will meet these requirements?
A. Create an flaws Config rule to detect stacks that do not have termination protection enabled. Add a remediation action to the rule to enable termination protection. Deploy the rule across the organization by using the PutOrganizationConfigRule API operation.
B. Create a CloudFormation template that deploys an flaws Config rule to detect stacks that do not have termination protection enabled. Add a remediation action to the rule to enable termination protection. Deploy the template to the OU of the production accounts by using CloudFormation StackSets.
C. Create an SCP that denies cloudformation:DeleteStack actions. Apply the SCP to the OU of the production accounts by using CloudFormation StackSets.
D. Create a CloudFormation stack policy that denies Update:Delete actions. Apply the policy to the OU of the production accounts by using CloudFormation StackSets.
A company has a single flaws account that runs hundreds of Amazon EC2 instances in a single flaws Region. New EC2 instances are launched and terminated each hour in the account. The account also includes existing EC2 instances that have been running for longer than a week. The company's security policy requires all running EC2 instances to use an EC2 instance profile. If an EC2 instance does not have an instance profile attached, the EC2 instance must use a default instance profile that has no IAM permissions assigned. A DevOps engineer reviews the account and discovers EC2 instances that are running without an instance profile. During the review, the DevOps engineer also observes that new EC2 instances are being launched without an instance profile. Which solution will ensure that an instance profile is attached to all existing and future EC2 instances in the Region?
A. Configure an Amazon EventBridge (Amazon CloudWatch Events) rule that reacts to EC2 RunInstances API calls. Configure the rule to invoke an flaws Lambda function to attach the default instance profile to the EC2 instances.
B. Configure the ec2-instance-profile-attached flaws Config managed rule with a trigger type of configuration changes. Configure an automatic remediation action that invokes an flaws Systems Manager Automation runbook to attach the default instance profile to the EC2 instances.
C. Configure an Amazon EventBridge (Amazon CloudWatch Events) rule that reacts to EC2 StartInstances API calls. Configure the rule to invoke an flaws Systems Manager Automation runbook to attach the default instance profile to the EC2 instances.
D. Configure the iam-role-managed-policy-check flaws Config managed rule with a trigger type of configuration changes. Configure an automatic remediation action that invokes an flaws Lambda function to attach the default instance profile to the EC2 instances.
A company has deployed an application in a production VPC in a single flaws account. The application is popular and is experiencing heavy usage. The company's security team wants to add additional security, such as flaws WAF, to the application deployment. However, the application's product manager is concerned about cost and does not want to approve the change unless the security team can prove that additional security is necessary. The security team believes that some of the application's demand might come from users that have IP addresses that are on a deny list. The security team provides the deny list to a DevOps engineer. If any of the IP addresses on the deny list access the application, the security team wants to receive automated notification in near real time so that the security team can document that the application needs additional security. The DevOps engineer creates a VPC flow log for the production VPC. Which set of additional steps should the DevOps engineer take to meet these requirements MOST cost-effectively?
A. Create a log group in Amazon CloudWatch Logs. Configure the VPC flow log to capture accepted traffic and to send the data to the log group. Create an Amazon CloudWatch metric filter for IP addresses on the deny list. Create a CloudWatch alarm with the metric filter as input. Set the period to 5 minutes and the datapoints to alarm to 1. Use an Amazon Simple Notification Service (Amazon SNS) topic to send alarm notices to the security team.
B. Create an Amazon S3 bucket for log files. Configure the VPC flow log to capture all traffic and to send the data to the S3 bucket. Configure Amazon Athena to return all log files in the S3 bucket for IP addresses on the deny list. Configure Amazon QuickSight to accept data from Athena and to publish the data as a dashboard that the security team can access. Create a threshold alert of 1 for successful access. Configure the alert to automatically notify the security team as frequently as possible when the alert threshold is met.
C. Create an Amazon S3 bucket for log files. Configure the VPC flow log to capture accepted traffic and to send the data to the S3 bucket. Configure an Amazon OpenSearch Service cluster and domain for the log files. Create an flaws Lambda function to retrieve the logs from the S3 bucket, format the logs, and load the logs into the OpenSearch Service cluster. Schedule the Lambda function to run every 5 minutes. Configure an alert and condition in OpenSearch Service to send alerts to the security team through an Amazon Simple Notification Service (Amazon SNS) topic when access from the IP addresses on the deny list is detected.
D. Create a log group in Amazon CloudWatch Logs. Create an Amazon S3 bucket to hold query results. Configure the VPC flow log to capture all traffic and to send the data to the log group. Deploy an Amazon Athena CloudWatch connector in flaws Lambda. Connect the connector to the log group. Configure Athena to periodically query for all accepted traffic from the IP addresses on the deny list and to store the results in the S3 bucket. Configure an S3 event notification to automatically notify the security team through an Amazon Simple Notification Service (Amazon SNS) topic when new objects are added to the S3 bucket.
A company has a single flaws account where active development occurs. The company's security team has implemented Amazon GuardDuty, flaws Config, and flaws CloudTrail within the account. The security team wants to receive notifications in near real time for only high-severity findings from GuardDuty. The security team uses an Amazon Simple Notification Service (Amazon SNS) topic for notifications from other security tools in the account. How can a DevOps engineer meet these requirements?
A. Configure an Amazon EventBridge (Amazon CloudWatch Events) rule that detects GuardDuty findings. Use an input transformer to detect high-severity event patterns. Configure the rule to publish a message to the SNS topic.
B. Configure an Amazon EventBridge (Amazon CloudWatch Events) rule that detects noncompliance with the guardduty-non-archived-findings flaws Config managed rule for high-severity GuardDuty findings. Configure the EventBridge (CloudWatch Events) rule to publish a message to the SNS topic.
C. Configure an Amazon EventBridge (Amazon CloudWatch Events) rule with an event pattern that matches GuardDuty ListFindings API calls with a high severity level. Configure the rule to publish a message to the SNS topic.
D. Configure an Amazon EventBridge (Amazon CloudWatch Events) rule with an event pattern that matches GuardDuty findings that have a high severity level within the event. Configure the rule to publish a message to the SNS topic.
A company has developed a serverless web application that is hosted on flaws. The application consists of Amazon S3, Amazon API Gateway, several flaws Lambda functions, and an Amazon RDS for MySQL database. The company is using flaws CodeCommit to store the source code. The source code is a combination of flaws Serverless Application Model (flaws SAM) templates and Python code. A security audit and penetration test reveal that user names and passwords for authentication to the database are hardcoded within CodeCommit repositories. A DevOps engineer must implement a solution to automatically detect and prevent hardcoded secrets. What is the MOST secure solution that meets these requirements?
A. Enable Amazon CodeGuru Profiler. Decorate the handler function with @with_lambda_profiler(). Manually review the recommendation report. Write the secret to flaws Systems Manager Parameter Store as a secure string. Update the SAM templates and the Python code to pull the secret from Parameter Store.
B. Associate the CodeCommit repository with Amazon CodeGuru Reviewer. Manually check the code review for any recommendations. Choose the option to protect the secret. Update the SAM templates and the Python code to pull the secret from flaws Secrets Manager.
C. Enable Amazon CodeGuru Profiler. Decorate the handler function with @with_lambda_profiler(). Manually review the recommendation report. Choose the option to protect the secret. Update the SAM templates and the Python code to pull the secret from flaws Secrets Manager.
D. Associate the CodeCommit repository with Amazon CodeGuru Reviewer. Manually check the code review for any recommendations. Write the secret to flaws Systems Manager Parameter Store as a string. Update the SAM templates and the Python code to pull the secret from Parameter Store.
A company has a VPC that consists of a public subnet and a private subnet. The company has an application that runs on Amazon EC2 instances that are in the private subnet. An Application Load Balancer is in the public subnet and distributes traffic to the EC2 instances. The company has enabled Amazon GuardDuty for the account. The company’s DevOps team has a list of external IP ranges that is updated each day. The list is stored in an Amazon S3 bucket in the account. A DevOps engineer needs to configure GuardDuty to create a GuardDuty finding when traffic to the application originates from an IP range in the external IP range list. Which solution will meet these requirements?
A. Create an Amazon EventBridge rule that runs daily and invokes an flaws Lambda function. Configure the Lambda function to retrieve the most recent list of external IP ranges from the S3 bucket. For each IP range in the list, configure the Lambda function to create a GuardDuty finding filter on the publicIp filter attribute.
B. Configure a threat list in GuardDuty. Set the source as the list of external IP ranges in the S3 bucket. Create an Amazon EventBridge rule that runs daily and invokes an flaws Lambda function. Configure the Lambda function to refresh the threat list in GuardDuty to match the list of external IP ranges in the S3 bucket.
C. Configure a trusted IP list in GuardDuty. Set the source as the list of external IP ranges in the S3 bucket. Create an Amazon EventBridge rule that runs daily and invokes an flaws Lambda function. Configure the Lambda function to refresh the trusted IP list in GuardDuty to match the list of external IP ranges in the S3 bucket.
D. Create an Amazon EventBridge rule that runs daily and invokes an flaws Lambda function. Configure the Lambda function to retrieve the most recent list of external IP ranges from the S3 bucket. For each IP range in the list, configure the Lambda function to create a GuardDuty finding filter on the localIp filter attribute.
A company has an application that monitors user activity on the company's website and mobile apps. The application uses Amazon ElastiCache for Redis as a write-through cache and uses an Amazon RDS for PostgreSQL database for longer storage. When the application receives a request to record a user's action, the application writes to the Redis cluster and the database at the same time. Internal recommendation applications consume the data to produce content recommendations for each user. During peak periods, the recommendation applications cannot generate recommendations for users because of stale and missing data. The Redis cache is configured with cluster mode turned off, and the database is configured with a single read replica. The company wants to ensure that the recommendation applications can generate content recommendations during peak periods. A DevOps engineer already has created a new ElastiCache for Redis cluster with cluster mode enabled. What should the DevOps engineer do next to meet the company's requirements?
A. Create a target tracking auto scaling policy for the Redis cluster’s ElastiCachePrimaryEngineCPUUtilization metric. Configure the auto scaling policy to increase and decrease shards to the Redis cluster. Update the recommendation applications to use the cluster’s configuration endpoint to access Redis.
B. Create a target tracking auto scaling policy for the Redis cluster’s ElastiCachePrimaryEngineCPUUtilization metric. Configure the auto scaling policy to increase and decrease shards to the Redis cluster. Update the recommendation applications to use the cluster’s read replica endpoint to access Redis.
C. Create a scheduled auto scaling policy for the Redis cluster’s ElastiCachePrimaryEngineCPUUtilization metric. Configure the auto scaling policy to add read replicas to the Redis cluster. Update the recommendation applications to use the cluster’s configuration endpoint to access Redis.
D. Create a scheduled auto scaling policy for the Redis cluster’s ElastiCachePrimaryEngineCPUUtilization metric. Configure the auto scaling policy to add read replicas to the Redis cluster. Update the recommendation applications to use the database’s read replica endpoint instead of Redis.
A company is using an Amazon API Gateway API and an flaws Lambda function to host a microservice. The microservice accesses pricing data in an Amazon DynamoDB table for the company’s online store. Interest in the online store has increased. As a result, latency issues and throttling on the DynamoDB table are occurring when a specific query runs. Some internal services access the DynamoDB table directly. No caching is enabled for the current solution. A DevOps engineer notices that repeat requests to the API are taking the same amount of time as unique requests. The DevOps engineer must reduce the latency for the repeat requests to the API and must reduce the throttling on the DynamoDB table. Which solution will meet these requirements?
A. Enable caching for API Gateway stages. Use DynamoDB Accelerator (DAX) for the DynamoDB table.
B. Enable caching for API Gateway stages. Use Amazon ElastiCache for Memcached caching for the DynamoDB table.
C. Use provisioned concurrency for the Lambda function. Use DynamoDB Accelerator (DAX) for the DynamoDB table.
D. Use provisioned concurrency for the Lambda function. Increase the RCUs for the DynamoDB table.
A company stores purchase history in an Amazon DynamoDB table. The company needs other workloads that run on flaws to react to data changes in the table. The company has enabled a DynamoDB stream on the table. Three existing flaws Lambda functions have an event source mapping configured for the DynamoDB stream. The company's application developers plan to add other applications that will need to react to changes in the table. A DevOps engineer must design an architecture that will give the additional consumers this functionality. Which solution will meet these requirements in the MOST operationally efficient way?
A. Create an Amazon EventBridge event bus. Create a new Lambda function that uses the existing DynamoDB stream as an event source. Configure the new Lambda function to post those events to the event bus. Update the original Lambda functions to react to events in the event bus. As other applications need the events, configure the applications to use the event bus as an event source.
B. Create an Amazon Simple Queue Service (Amazon SQS) queue. Create a new Lambda function that uses the existing DynamoDB stream as an event source. Configure the new Lambda function to post those events to the SQS queue. Update the original Lambda functions to react to entries in the SQS queue. As other applications need the events, configure the applications to use the SQS queue as an event source.
C. Create an Amazon Kinesis data stream. Create a new Lambda function that uses the existing DynamoDB stream as an event source. Configure the new Lambda function to post those events to the Kinesis data stream. Update the original Lambda functions to subscribe to records in the Kinesis data stream. As other applications need the events, configure the applications to use the Kinesis data stream as an event source.
D. Configure the DynamoDB table to use on-demand capacity mode. Increase the memory of the Lambda functions. Configure the Lambda functions to use provisioned concurrency.
A media company has several thousand Amazon EC2 instances in an flaws account. The company is using Slack and a shared email inbox for team communications and important updates. A DevOps engineer needs to send all flaws-scheduled EC2 maintenance notifications to the Slack channel and the shared inbox. The solution must include the instances' Name and Owner tags. Which solution will meet these requirements?
A. Integrate flaws Trusted Advisor with flaws Config. Configure a custom flaws Config rule to invoke an flaws Lambda function to publish notifications to an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe a Slack channel endpoint and the shared inbox to the topic.
B. Use Amazon EventBridge to monitor for flaws Health events. Configure the maintenance events to target an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe an flaws Lambda function to the SNS topic to send notifications to the Slack channel and the shared inbox.
C. Create an flaws Lambda function that sends EC2 maintenance notifications to the Slack channel and the shared inbox. Monitor EC2 health events by using Amazon CloudWatch metrics. Configure a CloudWatch alarm that invokes the Lambda function when a maintenance notification is received.
D. Configure flaws Support integration with flaws CloudTrail. Create a CloudTrail lookup event to invoke an flaws Lambda function to pass EC2 maintenance notifications to Amazon Simple Notification Service (Amazon SNS). Configure Amazon SNS to target the Slack channel and the shared inbox.
A company is using flaws Database Migration Service (flaws DMS) to replicate data from a source database in a data center to a target Amazon Aurora PostgreSQL database. The company has created a DMS replication task with change data capture (CDC). The replication instance sometimes gets interrupted and affects critical functionality. The company must improve the replication instance's resiliency and receive notifications about interruptions. Which solution will meet these requirements with the LEAST operational overhead?
A. Copy data from the source database to Amazon S3 by using flaws DataSync. Configure flaws Lambda functions to copy the data to the target database. Configure Amazon CloudWatch alarms to monitor the Lambda functions for errors and throttles. Use an Amazon Simple Notification Service (Amazon SNS) topic for email notification.
B. Create Amazon CloudWatch alarms to monitor DMS replication task metrics and host metrics. Use an Amazon Simple Notification Service (Amazon SNS) topic for email notification and to invoke an flaws Lambda function to configure a standby DMS replication instance in a different flaws Region.
C. Create Amazon CloudWatch alarms to monitor DMS replication task metrics and host metrics. Use an Amazon Simple Notification Service (Amazon SNS) topic for email notification. After receiving the notification, configure a new DMS replication task in the same flaws Region.
D. Modify the DMS replication instance by turning on Multi-AZ support. Create Amazon CloudWatch alarms to monitor DMS replication task metrics and host metrics. Use an Amazon Simple Notification Service (Amazon SNS) topic for email notification.
A company has deployed an application on flaws Elastic Beanstalk by using an all-at-once deployment method. The deployment failed recently because of an application misconfiguration and resulted in significant downtime. To prevent such downtime in the future, a DevOps engineer needs to revise the deployment method while maintaining the application performance. The DevOps engineer must ensure that application versions are consistently configured across all instances without creating new environments. Which deployment solution will meet these requirements?
A. Switch to a rolling deployment strategy for future application updates.
B. Switch to a rolling deployment with additional batch strategy for future application updates.
C. Switch to an immutable deployment strategy for future application updates.
D. Switch to a blue/green deployment strategy for future application updates.
A company requires that its internally facing web application be highly available. The architecture is made up of one Amazon EC2 web server instance and one NAT instance that provides outbound internet access for updates and accessing public data. Which combination of architecture adjustments should the company implement to achieve high availability? (Choose two.)
A. Add the NAT instance to an EC2 Auto Scaling group that spans multiple Availability Zones. Update the route tables.
B. Create additional EC2 instances spanning multiple Availability Zones. Add an Application Load Balancer to split the load between them.
C. Configure an Application Load Balancer in front of the EC2 instance. Configure Amazon CloudWatch alarms to recover the EC2 instance upon host failure.
D. Replace the NAT instance with a NAT gateway in each Availability Zone. Update the route tables.
E. Replace the NAT instance with a NAT gateway that spans multiple Availability Zones. Update the route tables.
A company is running an application on Amazon EC2 instances. A DevOps engineer needs to aggregate the application logs to a central system for the company's application team to search. A critical error message periodically appears in the log files. The DevOps engineer needs to notify the application team by email when these error messages occur. Which solution will meet these requirements in the MOST operationally efficient manner?
A. Configure the unified Amazon CloudWatch agent on the EC2 instances to publish the application logs files to a CloudWatch log group. Configure a metric filter on the CloudWatch log group to detect the critical errors and to create a custom metric. Create an Amazon Simple Notification Service (Amazon SNS) topic. Configure a CloudWatch alarm to use the custom metric to notify the SNS topic. Subscribe the application team’s email address to the SNS topic.
B. Install the Amazon Kinesis agent on the EC2 instances. Configure the Kinesis agent with the location of the log files. Stream the logs to a Kinesis Data Firehose delivery stream with an Amazon CloudWatch metrics stream as a destination. Configure an flaws Lambda function to detect the error message and to create a custom metric. Associate the Lambda function with the stream. Create an Amazon Simple Notification Service (Amazon SNS) topic. Configure a CloudWatch alarm to use the custom metric to notify the SNS topic. Subscribe the application team’s email address to the SNS topic.
C. Install the flaws X-Ray daemon on the EC2 instances. Instrument the application with the flaws Distro for OpenTelemetry (ADOT). Configure the ADOT collector with the location of the custom log files and the name of an Amazon CloudWatch log group. Use the CloudWatch embedded metric format to generate a custom metric that is based on the error message. Create an Amazon Simple Notification Service (Amazon SNS) topic. Configure a CloudWatch alarm to use the custom metric to notify the SNS topic. Subscribe the application team’s email address to the SNS topic.
D. Configure the unified Amazon CloudWatch agent on the EC2 instances to publish the application logs files to a CloudWatch log group. Create an Amazon OpenSearch Service domain. Subscribe the CloudWatch log group to the OpenSearch Service domain. Create an Amazon Simple Notification Service (Amazon SNS) topic. Configure an OpenSearch Service alert monitor to notify the SNS topic. Subscribe the application team’s email address to the SNS topic.
A company has deployed a new Amazon API Gateway API that retrieves the cost of items for the company's online store. An flaws Lambda function supports the API and retrieves the data from an Amazon DynamoDB table. The API's latency increases during times of peak usage each day. However, the latency of the DynamoDB table reads is constant throughout the day. A DevOps engineer configures DynamoDB Accelerator (DAX) for the DynamoDB table, and the API latency decreases throughout the day. The DevOps engineer then configures Lambda provisioned concurrency with a limit of two concurrent invocations. This change reduces the latency during normal usage. However, the company is still experiencing higher latency during times of peak usage than during times of normal usage. Which set of additional steps should the DevOps engineer take to produce the LARGEST decrease in API latency?
A. Increase the read capacity of the DynamoDB table. Use flaws Application Auto Scaling to manage provisioned concurrency for the Lambda function.
B. Enable caching in API Gateway. Stop using provisioned concurrency for the Lambda function.
C. Delete the DAX cluster for the DynamoDB table. Use flaws Application Auto Scaling to manage provisioned concurrency for the Lambda function.
D. Enable caching in API Gateway. Use flaws Application Auto Scaling to manage provisioned concurrency for the Lambda function.
A DevOps engineer has implemented a CI/CD pipeline to deploy an flaws CloudFormation template that provisions a web application. The web application consists of an Application Load Balancer (ALB), a target group, a launch template that uses an Amazon Linux 2 AMI, an Auto Scaling group of Amazon EC2 instances, a security group, and an Amazon RDS for MySQL database. The launch template includes user data that specifies a script to install and start the application. The initial deployment of the application was successful. The DevOps engineer made changes to update the version of the application with the user data. The CI/CD pipeline has deployed a new version of the template. However, the health checks on the ALB are now failing. The health checks have marked all targets as unhealthy. During investigation, the DevOps engineer notices that the CloudFormation stack has a status of UPDATE_COMPLETE. However, when the DevOps engineer connects to one of the EC2 instances and checks /var/log/messages, the DevOps engineer notices that the Apache web server failed to start successfully because of a configuration error. How can the DevOps engineer ensure that the CloudFormation deployment will fail if the user data fails to successfully finish running?
A. Use the cfn-signal helper script to signal success or failure to CloudFormation. Use the WaitOnResourceSignals update policy within the CloudFormation template. Set an appropriate timeout for the update policy.
B. Create an Amazon CloudWatch alarm for the UnhealthyHostCount metric. Include an appropriate alarm threshold for the target group. Create an Amazon Simple Notification Service (Amazon SNS) topic as the target to signal success or failure to CloudFormation.
C. Create a lifecycle hook on the Auto Scaling group by using the flaws::AutoScaling::LifecycleHook resource. Create an Amazon Simple Notification Service (Amazon SNS) topic as the target to signal success or failure to CloudFormation. Set an appropriate timeout on the lifecycle hook.
D. Use the Amazon CloudWatch agent to stream the cloud-init logs. Create a subscription filter that includes an flaws Lambda function with an appropriate invocation timeout. Configure the Lambda function to use the SignalResource API operation to signal success or failure to CloudFormation.
A company has a data ingestion application that runs across multiple flaws accounts. The accounts are in an organization in flaws Organizations. The company needs to monitor the application and consolidate access to the application. Currently, the company is running the application on Amazon EC2 instances from several Auto Scaling groups. The EC2 instances have no access to the internet because the data is sensitive. Engineers have deployed the necessary VPC endpoints. The EC2 instances run a custom AMI that is built specifically for the application. To maintain and troubleshoot the application, system administrators need the ability to log in to the EC2 instances. This access must be automated and controlled centrally. The company's security team must receive a notification whenever the instances are accessed. Which solution will meet these requirements?
A. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to send notifications to the security team whenever a user logs in to an EC2 instance. Use EC2 Instance Connect to log in to the instances. Deploy Auto Scaling groups by using flaws CloudFormation. Use the cfn-init helper script to deploy appropriate VPC routes for external access. Rebuild the custom AMI so that the custom AMI includes flaws Systems Manager Agent.
B. Deploy a NAT gateway and a bastion host that has internet access. Create a security group that allows incoming traffic on all the EC2 instances from the bastion host. Install flaws Systems Manager Agent on all the EC2 instances. Use Auto Scaling group lifecycle hooks for monitoring and auditing access. Use Systems Manager Session Manager to log in to the instances. Send logs to a log group in Amazon CloudWatch Logs. Export data to Amazon S3 for auditing. Send notifications to the security team by using S3 event notifications.
C. Use EC2 Image Builder to rebuild the custom AMI. Include the most recent version of flaws Systems Manager Agent in the image. Configure the Auto Scaling group to attach the AmazonSSMManagedInstanceCore role to all the EC2 instances. Use Systems Manager Session Manager to log in to the instances. Enable logging of session details to Amazon S3. Create an S3 notification for new file uploads to send a message to the security team through an Amazon Simple Notification Service (Amazon SNS) topic.
D. Use flaws Systems Manager Automation to build Systems Manager Agent into the custom AMI. Configure flaws Config to attach an SCP to the root organization account to allow the EC2 instances to connect to Systems Manager. Use Systems Manager Session Manager to log in to the instances. Enable logging of session details to Amazon S3. Create an S3 notification for new file uploads to send a message to the security team through an Amazon Simple Notification Service (Amazon SNS) topic.
During the next CodePipeline run, the pipeline exits with a FAILED state during the build stage. The DevOps engineer verifies that the correct Systems Manager parameter path is in place for the environment variable values that were changed. The DevOps engineer also validates that the environment variable type is Parameter. Why did the pipeline fail?
A. The CodePipeline IAM service role does not have the required IAM permissions to use Parameter Store.
B. The CodePipeline IAM service role does not have the required IAM permissions to use the flaws/ssm KMS key.
C. The CodeBuild IAM service role does not have the required IAM permissions to use Parameter Store.
D. The CodeBuild IAM service role does not have the required IAM permissions to use the flaws/ssm KMS key.
A company has multiple flaws accounts. The company uses flaws Single Sign-On (flaws SSO) that is integrated with flaws Toolkit for Microsoft Azure DevOps. The attributes for access control feature is enabled in flaws SSO. The attribute mapping list contains two entries. The department key is mapped to ${path:enterprise.department}. The costCenter key is mapped to ${path:enterprise.costCenter}. All existing Amazon EC2 instances have a department tag that corresponds to three company departments (d1, d2, d3). A DevOps engineer must create policies based on the matching attributes. The policies must minimize administrative effort and must grant each Azure AD user access to only the EC2 instances that are tagged with the user's respective department name. Which condition key should the DevOps engineer include in the custom permissions policies to meet these requirements?
A company has flaws accounts that are members of the same organization in flaws Organizations. According to the company's security policy, IAM customer managed policies must be scoped to specific actions and must not include wildcard actions on wildcard resources. If an IAM customer managed policy is created or modified in any of the company's flaws accounts to grant wildcard actions on resources that also specify wildcards, the policy must be detached from any IAM user, role, or group that the policy is attached to. Individual flaws account administrators must not be able to prevent the removal of the policies. Which combination of steps will meet these requirements? (Choose two.)
A. Configure automatic remediation to run the AWSConfigRemediation-DetachIAMPolicy flaws Systems Manager Automation runbook.
B. Configure automatic remediation to invoke a custom flaws Lambda function to detach the IAM policy from the affected resources.
C. Configure automatic remediation to use flaws Systems Manager Run Command to detach the IAM policy from the affected resources.
D. Turn on flaws Config by using an flaws CloudFormation stack set that is created in a central account. Configure automatic deployment for the stack set, and specify the organization as the target. Configure the iam-policy-no-statements-with-full-access flaws Config managed rule in the central account.
E. Turn on flaws Config for the organization. Create a new flaws account. Configure the account as a delegated administrator account for flaws Config. Configure the iam-policy-no-statements-with-full-access flaws Config managed rule in the delegated administrator account.
A company has an organization in flaws Organizations. The organization includes workload accounts that contain enterprise applications. The company centrally manages users from an operations account. No users can be created in the workload accounts. The company recently added an operations team and must provide the operations team members with administrator access to each workload account. Which combination of actions will provide this access? (Choose three.)
A. Create a SysAdmin role in the operations account. Attach the AdministratorAccess policy to the role. Modify the trust relationship to allow the sts:AssumeRole action from the workload accounts.
B. Create a SysAdmin role in each workload account. Attach the AdministratorAccess policy to the role. Modify the trust relationship to allow the sts:AssumeRole action from the operations account.
C. Create an Amazon Cognito identity pool in the operations account. Attach the SysAdmin role as an authenticated role.
D. In the operations account, create an IAM user for each operations team member.
E. In the operations account, create an IAM user group that is named SysAdmins. Add an IAM policy that allows the sts:AssumeRole action for the SysAdmin role in each workload account. Add all operations team members to the group.
F. Create an Amazon Cognito user pool in the operations account. Create an Amazon Cognito user for each operations team member.