121-140 Flashcards
121
A developer is creating an AWS CloudFormation template for an application. The application includes an Amazon RDS database. The password to be set for the resource’s MasterUserPassword property is already stored in AWS Secrets Manager. How can the developer reference the value of the password in the CloudFormation template?
A. Use a parameter in the CloudFormation template with the same name of the secret.
B. Use the ssm dynamic reference by specifying the name of the secret and its version.
C. Use the secretsmanager dynamic reference by specifying the appropriate reference-key segment.
D. Use the ssm-secure dynamic reference by specifying the name of the secret and its version.
C. Use the secretsmanager dynamic reference by specifying the appropriate reference-key segment.
122
An application is using Amazon DynamoDB as its data store, and should be able to read 100 items per second as strongly consistent reads. Each item is 5 KB in size. To what value should the table’s provisioned read throughput be set?
A. 50 read capacity units
B. 100 read capacity units
C. 200 read capacity units
D. 500 read capacity units
B. 100 read capacity units
123
A developer created a Lambda function for a web application backend. When testing the Lambda function from the AWS Lambda console, the developer can see that the function is being run, but there is no log data being generated in Amazon CloudWatch Logs, even after several minutes. What could cause this situation?
A. The Lambda function does not have any explicit log statements for the log data to send it to CloudWatch Logs.
B. The Lambda function is missing CloudWatch Logs as a source trigger to send log data.
C. The execution role for the Lambda function is missing permissions to write log data to the CloudWatch Logs.
D. The Lambda function is missing a target CloudWatch Log group.
C. The execution role for the Lambda function is missing permissions to write log data to the CloudWatch Logs.
124
A developer has written code for an application and wants to share it with other developers on the team to receive feedback. The shared application code needs to be stored long-term with multiple versions and batch change tracking. Which AWS service should the developer use?
A. AWS CodeBuild
B. Amazon S3
C. AWS CodeCommit
D. AWS Cloud9
C. AWS CodeCommit
125
A developer has created a new IAM user that has the s3:PutObject permission to write to a specific Amazon S3 bucket. The S3 bucket uses server-side encryption with AWS KMS managed keys (SSE-KMS) as the default encryption. When an application uses the access key and secret key of the IAM user to call the PutObject API operation, the application receives an access denied error. What should the developer do to resolve this error?
A. Update the policy of the IAM user to allow the s3:EncryptionConfiguration action.
B. Update the bucket policy of the S3 bucket to allow the IAM user to upload objects.
C. Update the policy of the IAM user to allow the kms:GenerateDataKey action.
D. Update the ACL of the S3 bucket to allow the IAM user to upload objects.
C. Update the policy of the IAM user to allow the kms:GenerateDataKey action.
126
A static website is hosted in an Amazon S3 bucket. Several HTML pages on the site use JavaScript to download images from another Amazon S3 bucket. These images are not displayed when users browse the site. What is the possible cause for the issue?
A. The referenced Amazon S3 bucket is in another region.
B. The images must be stored in the same Amazon S3 bucket.
C. Port 80 must be opened on the security group in which the Amazon S3 bucket is located.
D. Cross Origin Resource Sharing must be enabled on the Amazon S3 bucket.
D. Cross Origin Resource Sharing must be enabled on the Amazon S3 bucket.
127
An application needs to encrypt data that is written to Amazon S3 where the keys are managed in an on-premises data center, and the encryption is handled by
S3. Which type of encryption should be used?
A. Use server-side encryption with Amazon S3-managed keys.
B. Use server-side encryption with AWS KMS-managed keys.
C. Use client-side encryption with AWS KMS-managed keys.
D. Use server-side encryption with customer-provided keys.
D. Use server-side encryption with customer-provided keys.
128
A developer is building a serverless application that is based on AWS Lambda. The developer initializes the AWS software development kit (SDK) outside of the Lambda handler function. What is the PRIMARY benefit of this action?
A. Improves legibility and stylistic convention
B. Takes advantage of runtime environment reuse
C. Provides better error handling
D. Creates a new SDK instance for each invocation
B. Takes advantage of runtime environment reuse
129
A developer is testing a Docker-based application that uses the AWS SDK to interact with Amazon DynamoDB. In the local development environment, the application has used IAM access keys. The application is now ready for deployment onto an ECS cluster. How should the application authenticate with AWS services in production?
A. Configure an ECS task IAM role for the application to use.
B. Refactor the application to call AWS STS AssumeRole based on an instance role.
C. Configure AWS access key/secret access key environment variables with new credentials.
D. Configure the credentials file with a new access key/secret access key.
A. Configure an ECS task IAM role for the application to use.
130
A developer has created an AWS Lambda function to provide notification through Amazon Simple Notification Service (Amazon SNS) whenever a file is uploaded to Amazon S3 that is larger than 50 MB. The developer has deployed and tested the Lambda function by using the CLI. However, when the event notification is added to the S3 bucket and a 3,000 MB file is uploaded, the Lambda function does not launch. Which of the following is a possible reason for the Lambda function’s inability to launch?
A. The S3 event notification does not activate for files that are larger than 1,000 MB.
B. The resource-based policy for the Lambda function does not have the required permissions to be invoked by Amazon S3.
C. Lambda functions cannot be invoked directly from an S3 event.
D. The S3 bucket needs to be made public.
B. The resource-based policy for the Lambda function does not have the required permissions to be invoked by Amazon S3.
131
A company stores documents in Amazon S3 with default settings. A new regulation requires the company to encrypt the documents at rest, rotate the encryption keys annually, and keep a record of when the encryption keys were rotated. The company does not want to manage the encryption keys outside of AWS. Which solution will meet these requirements?
A. Use server-side encryption with Amazon S3 managed encryption keys (SSE-S3).
B. Use server-side encryption with AWS KMS managed encryption keys (SSE-KMS).
C. Use server-side encryption with customer-provided encryption keys (SSE-C).
D. Use client-side encryption before sending the data to Amazon S3.
B. Use server-side encryption with AWS KMS managed encryption keys (SSE-KMS).
132
A developer has discovered that an application responsible for processing messages in an Amazon SQS queue is routinely falling behind. The application is capable of processing multiple messages in one invocation, but is only receiving one message at a time. What should the developer do to increase the number of messages the application receives?
A. Call the ChangeMessageVisibility API for the queue and set MaxNumberOfMessages to a value greater than the default of 1.
B. Call the AddPermission API to set MaxNumberOfMessages for the ReceiveMessage action to a value greater than the default of 1.
C. Call the ReceiveMessage API to set MaxNumberOfMessages to a value greater than the default of 1.
D. Call the SetQueueAttributes API for the queue and set MaxNumberOfMessages to a value greater than the default of 1.
C. Call the ReceiveMessage API to set MaxNumberOfMessages to a value greater than the default of 1.
133
A developer is using an Amazon Kinesis Data Firehose delivery stream to store data in Amazon S3. Before storing the data in Amazon S3, the developer wants to enrich the data by combining the data with data from an Amazon DynamoDB table. How can the developer implement the data enrichment?
A. Create a Kinesis Data Firehose data transformation by using an Amazon EC2 instance.
B. Configure the Kinesis Data Firehose delivery stream to send data to a Kinesis data stream. Enrich the data by using an AWS Lambda function.
C. Configure the Kinesis Data Firehose delivery stream to store data in the DynamoDB table. Export the table to Amazon S3.
D. Create a Kinesis Data Firehose data transformation by using an AWS Lambda function.
D. Create a Kinesis Data Firehose data transformation by using an AWS Lambda function.
134
A company created an application to consume and process data. The application uses Amazon Simple Queue Service (Amazon SQS) and AWS Lambda functions. The application is currently working as expected, but it occasionally receives several messages that it cannot process properly. The company needs to clear these messages to prevent the queue from becoming blocked.
A developer must implement a solution that makes queue processing always operational. The solution must give the company the ability to defer the messages with errors and save these messages for further analysis. What is the MOST operationally efficient solution that meets these requirements?
A. Configure Amazon CloudWatch Logs to save the error messages to a separate log stream.
B. Create a new SQS queue. Set the new queue as a dead-letter queue for the application queue. Configure the Maximum Receives setting.
C. Change the SQS queue to a FIFO queue. Configure the message retention period to 0 seconds.
D. Configure an Amazon CloudWatch alarm for Lambda function errors. Publish messages to an Amazon Simple Notification Service (Amazon SNS) topic to notify administrator users.
B. Create a new SQS queue. Set the new queue as a dead-letter queue for the application queue. Configure the Maximum Receives setting.
135
A company has a website that is developed in PHP and is launched using AWS Elastic Beanstalk. There is a new version of the website that needs to be deployed in the Elastic Beanstalk environment. The company cannot tolerate having the website offline if an update fails. Deployments must have minimal impact and rollback as soon as possible. What deployment method should be used?
A. All at once
B. Rolling
C. Snapshots
D. Immutable
D. Immutable
136
An application running on multiple Amazon EC2 instances pulls messages from a standard Amazon SQS queue. A requirement for the application is that all messages must be encrypted at rest. Developers are instructed to use methods that allow for centralized key management and minimize possible support requirements whenever possible. Which of the following solutions supports these requirements?
A. Encrypt individual messages by using client-side encryption with customer managed keys, then write to the SQS queue.
B. Encrypt individual messages by using SQS Extended Client and the Amazon S3 encryption client.
C. Create an SQS queue, and encrypt the queue by using server-side encryption with AWS KMS.
D. Create an SQS queue, and encrypt the queue by using client-side encryption.
C. Create an SQS queue, and encrypt the queue by using server-side encryption with AWS KMS.
137
A company is running a web application that is using Amazon Cognito for authentication. The company does not want to use multi-factor authentication (MFA) for all the visitors every time, but the company’s security team has concerns about compromised credentials. The development team needs to configure mandatory MFA only when suspicious sign-in attempts are detected. Which Amazon Cognito feature will meet these requirements?
A. Short message service (SMS) text message MFA
B. Advanced security metrics
C. Time-based one-time password (TOTP) software token MFA
D. Adaptive authentication
D. Adaptive authentication
138
A company has a two-tier application running on an Amazon EC2 server that handles all of its AWS based e-commerce activity. During peak times, the backend servers that process orders are overloaded with requests. This results in some orders failing to process. A developer needs to create a solution that will re-factor the application. Which steps will allow for more flexibility during peak times, while still remaining cost-effective? (Choose two.)
A. Increase the backend T2 EC2 instance sizes to x1 to handle the largest possible load throughout the year.
B. Implement an Amazon SQS queue to decouple the front-end and backend servers.
C. Use an Amazon SNS queue to decouple the front-end and backend servers.
D. Migrate the backend servers to on-premises and pull from an Amazon SNS queue.
E. Modify the backend servers to pull from an Amazon SQS queue.
B. Implement an Amazon SQS queue to decouple the front-end and backend servers.
E. Modify the backend servers to pull from an Amazon SQS queue.
139
A developer is creating an AWS Lambda function that generates a new file each time it runs. Each new file must be checked into an AWS CodeCommit repository hosted in the same AWS account. How should the developer accomplish this?
A. When the Lambda function starts, use the Git CLI to clone the repository. Check the new file into the cloned repository and push the change.
B. After the new file is created in Lambda, use cURL to invoke the CodeCommit API. Send the file to the repository.
C. Use an AWS SDK to instantiate a CodeCommit client. Invoke the putjile method to add the file to the repository.
D. Upload the new file to an Amazon S3 bucket. Create an AWS Step Function to accept S3 events. In the Step Function, add the new file to the repository.
C. Use an AWS SDK to instantiate a CodeCommit client. Invoke the putjile method to add the file to the repository.
140
A developer is designing an Amazon DynamoDB table for an application. The application will store user information that includes a unique identifier and an email address for each user. The application must be able to query the table by using either the unique identifier or the email address. How should the developer design the DynamoDB table to meet these requirements?
A. For the primary key of the table, specify the unique identifier as the partition key and specify the email address as the sort key.
B. For the primary key of the table, specify the unique identifier as the partition key. Create a local secondary index (LSI) based on the email address.
C. For the primary key of the table, specify the email address as the partition key and specify the unique identifier as the sort key.
D. For the primary key of the table, specify the unique identifier as the partition key. Create a global secondary index (GSI) based on the email address.
D. For the primary key of the table, specify the unique identifier as the partition key. Create a global secondary index (GSI) based on the email address.
