141-160 Flashcards
141
A developer has an application that asynchronously invokes an AWS Lambda function. The developer wants to store messages that resulted in failed invocations of the Lambda function so that the application can retry the call later. What should the developer do to accomplish this goal with the LEAST operational overhead?
A. Set up Amazon CloudWatch Logs log groups to filter and store the messages in an Amazon S3 bucket. Import the messages in Lambda. Run the Lambda function again.
B. Configure Amazon EventBridge (Amazon CloudWatch Events) to send the messages to Amazon Simple Notification Service (Amazon SNS) to initiate the Lambda function again.
C. Implement a dead-letter queue for discarded messages. Set the dead-letter queue as an event source for the Lambda function.
D. Send Amazon EventBridge (Amazon CloudWatch Events) events to an Amazon Simple Queue Service (Amazon SQS) queue. Configure the Lambda function to pull messages from the SQS queue. Run the Lambda function again.
C. Implement a dead-letter queue for discarded messages. Set the dead-letter queue as an event source for the Lambda function.
142
A developer is writing an application in Python. The application runs on AWS Lambda. The application generates a file and needs to upload this file to Amazon S3. The developer must implement this upload functionality with the least possible change to the application code. Which solution meets these requirements?
A. Make an HTTP request directly to the S3 API to upload the file.
B. Include the AWS SDK for Python in the Lambda function. Use the SDK to upload the file.
C. Use the AWS SDK for Python that is installed in the Lambda environment to upload the file.
D. Use the AWS CLI that is installed in the Lambda environment to upload the file.
C. Use the AWS SDK for Python that is installed in the Lambda environment to upload the file.
143
An application that is hosted on an Amazon EC2 instance needs access to files that are stored in an Amazon S3 bucket. The application lists the objects that are stored in the S3 bucket and displays a table to the user. During testing, a developer discovers that the application does not show any objects in the list. What is the MOST secure way to resolve this issue?
A. Update the IAM instance profile that is attached to the EC2 instance to include the S3:* permission for the S3 bucket.
B. Update the IAM instance profile that is attached to the EC2 instance to include the S3:ListBucket permission for the S3 bucket.
C. Update the developer’s user permissions to include the S3:ListBucket permission for the S3 bucket.
D. Update the S3 bucket policy by including the S3:ListBucket permission and by setting the Principal element to specify the account number of the EC2 instance.
B. Update the IAM instance profile that is attached to the EC2 instance to include the S3:ListBucket permission for the S3 bucket.
144
A developer needs to implement a cache to store data that an application frequently queries from an Amazon RDS for MySQL database. The data structures that will be cached include sets and sorted sets. How should the developer implement the cache to achieve the LOWEST latency?
A. Create an Amazon ElastiCache for Memcached instance. Serialize the data as JSON before caching the data.
B. Create an Amazon ElastiCache for Redis instance. Use a Redis client library to cache the data.
C. Create an Amazon DynamoDB table. Serialize the data as JSON before caching the data.
D. Create an Amazon ElastiCache for Memcached instance. Use a Memcached client library to cache the data.
B. Create an Amazon ElastiCache for Redis instance. Use a Redis client library to cache the data.
145
A developer creates an AWS Lambda function to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic. All message content must be encrypted in transit and at rest between Lambda and Amazon SNS. A part of the Lambda execution role is as follows:
"Effect": "Allow",
"Action": "SNS:Publish",
"Resource": "arn:aws:sns:us-east-1:1234567890:secure-topic"
Which combination of steps should the developer take to meet these requirements? (Choose two.)
A. Enable server-side encryption on the SNS topic.
B. Add a Deny statement to the Lambda execution role. Specify the SNS topic ARN as the resource. Specify “aws:SecureTransport”: “true” as the condition.
C. Create a VPC endpoint for Amazon SNS.
D. Add a StringEquals condition of “sns:Protocol”: “https” to the Lambda execution role.
E. Add a Deny statement to the Lambda execution role. Specify the SNS topic ARN as the resource. Specify “aws:SecureTransport”: “false” as the condition.
A. Enable server-side encryption on the SNS topic.
E. Add a Deny statement to the Lambda execution role. Specify the SNS topic ARN as the resource. Specify “aws:SecureTransport”: “false” as the condition.
146
A developer is using an AWS Key Management Service (AWS KMS) customer master key (CMK) with imported key material to encrypt data in Amazon S3. The developer accidentally deletes the key material of the CMK and is unable to decrypt the data. How can the developer decrypt the data that was encrypted by the CMK?
A. Request support from AWS to recover the deleted key material.
B. Create a new CMK. Use the new CMK to decrypt the data.
C. Use the CMK without the key material.
D. Reimport the same key material to the CMK.
D. Reimport the same key material to the CMK.
147
A developer needs to launch a new Amazon EC2 instance by using the AWS CLI. Which AWS CLI command should the developer use to meet this requirement?
A. aws ec2 bundle-instance
B. aws ec2 start-instances
C. aws ec2 confirm-product-instance
D. aws ec2 run-instances
D. aws ec2 run-instances
148
A development team uses AWS Elastic Beanstalk for application deployment. The development team has configured the application version lifecycle policy to limit the number of application versions to 25. However, even with the application version lifecycle policy, the source bundle is deleted from the Amazon S3 source bucket. What should the development team do in the Elastic Beanstalk application version lifecycle settings to retain the source code in the S3 bucket?
A. Enable versioning on the source bundle S3 bucket.
B. Disable the S3 bucket lifecycle policy to avoid the archiving of the source bundle.
C. Update the Elastic Beanstalk application version lifecycle policy to increase the version quota to 50.
D. Update the Elastic Beanstalk application version lifecycle policy to retain the source bundle in Amazon S3.
D. Update the Elastic Beanstalk application version lifecycle policy to retain the source bundle in Amazon S3.
149
A development team is building a new application that will run on Amazon EC2 and use Amazon DynamoDB as a storage layer. The developers all have assigned IAM user accounts in the same IAM group. The developers currently can launch EC2 instances, and they need to be able to launch EC2 instances with an instance role allowing access to Amazon DynamoDB. Which AWS IAM changes are needed when creating an instance role to provide this functionality?
A. Create an IAM permission policy attached to the role that allows access to DynamoDB. Add a trust policy to the role that allows DynamoDB to assume the role. Attach a permissions policy to the development group in AWS IAM that allows developers to use the iam:GetRole and iam:PassRole permissions for the role.
B. Create an IAM permissions policy attached to the role that allows access to DynamoDB. Add a trust policy to the role that allows Amazon EC2 to assume the role. Attach a permissions policy to the development group in AWS IAM that allows developers to use the iam:PassRole permission for the role.
C. Create an IAM permission policy attached to the role that allows access to Amazon EC2. Add a trust policy to the role that allows DynamoDB to assume the role. Attach a permissions policy to the development group in AWS IAM that allows developers to use the iam:PassRole permission for the role.
D. Create an IAM permissions policy attached to the role that allows access to DynamoDB. Add a trust policy to the role that allows Amazon EC2 to assume the role. Attach a permissions policy to the development group in AWS IAM that allows developers to use the iam:GetRole permission for the role.
B. Create an IAM permissions policy attached to the role that allows access to DynamoDB. Add a trust policy to the role that allows Amazon EC2 to assume the role. Attach a permissions policy to the development group in AWS IAM that allows developers to use the iam:PassRole permission for the role.
150
A banking application processes thousands of transactions each second. Each transaction payload must have end-to-end encryption. The application encrypts each transaction locally by using the AWS Key Management Service (AWS KMS) GenerateDataKey operation. A developer is testing the application and receives a ThrottlingException error. Which actions are best practices to resolve this error? (Choose two.)
A. Use the LocalCryptoMaterialsCache feature of the AWS Encryption SDK encryption library.
B. Call the AWS KMS Encrypt operation directly to allow AWS KMS to encrypt the data.
C. Create a case in the AWS Support Center to increase the quota for the account.
D. Use Amazon Simple Queue Service (Amazon SQS) to queue the requests to AWS KMS.
E. Switch to an AWS KMS custom key store.
A. Use the LocalCryptoMaterialsCache feature of the AWS Encryption SDK encryption library.
C. Create a case in the AWS Support Center to increase the quota for the account.
151
A developer has code that is stored in an Amazon S3 bucket. The code must be deployed as an AWS Lambda function across multiple accounts in the same AWS Region as the S3 bucket. An AWS CloudFormation template that runs for each account will deploy the Lambda function. What is the MOST secure way to allow CloudFormation to access the Lambda code in the S3 bucket?
A. Grant the CloudFormation service role the S3 ListBucket and GetObject permissions. Add a bucket policy to Amazon S3 with the principal of “AWS”: [account numbers].
B. Grant the CloudFormation service role the S3 GetObject permission. Add a bucket policy to Amazon S3 with the principal of “*”.
C. Use a service-based link to grant the Lambda function the S3 ListBucket and GetObject permissions by explicitly adding the S3 bucket’s account number in the resource.
D. Use a service-based link to grant the Lambda function the S3 GetObject permission. Add a resource of “*” to allow access to the S3 bucket.
A. Grant the CloudFormation service role the S3 ListBucket and GetObject permissions. Add a bucket policy to Amazon S3 with the principal of “AWS”: [account numbers].
152
A company is migrating a legacy application to a serverless application on AWS. The legacy application consists of a set of web services that are exposed by an Amazon API Gateway API. A developer needs to replace the existing implementation of web services with AWS Lambda functions. The developer needs to test a new version of the API that uses the functions in production. The developer must minimize the impact of the testing on the application’s users. Which solution will meet these requirements?
A. Create a beta stage for the new version of the API. Send the updated endpoint to the users.
B. Create a development stage for the new version of the API. Use a canary deployment.
C. Create a development stage for the new version of the API. Promote a canary release.
D. Create a deployment stage. Enable mutual TLS for the new version of the API.
B. Create a development stage for the new version of the API. Use a canary deployment.
153
A developer needs to modify an application architecture to meet new functional requirements. Application data is stored in Amazon DynamoDB and processed for analysis in a nightly batch. The system analysts do not want to wait until the next day to view the processed data and have asked to have it available in near-real time. Which application architecture pattern would enable the data to be processed as it is received?
A. Event driven
B. Client-server driven
C. Fan-out driven
D. Schedule driven
A. Event driven
154
A company is migrating a web application from on premises to AWS. The company needs to move session storage from the application code to a shared service as part of the migration. The session storage data must be encrypted at rest. Which AWS services meet these requirements? (Choose two.)
A. Amazon ElastiCache for Redis
B. Amazon ElastiCache for Memcached
C. Amazon CloudWatch
D. AWS CloudTrail
E. Amazon DynamoDB
A. Amazon ElastiCache for Redis
E. Amazon DynamoDB
155
A gaming application stores scores for players in an Amazon DynamoDB table that has four attributes: user_id, user_name, user_score and user_rank. The users are allowed to update their names only. A user is authenticated by web identity federation. Which set of conditions should be added in the policy attached to the role for the dynamodb:PutItem API call?
A
"Condition": { "ForAllValues:StringEquals": { "dynamodb:LeadingKeys": [ "${www.amazon.com:user_id}" ], "dynamodb:Attributes": [ "user_name" ] } }
B
"Condition": { "ForAllValues:StringEquals": { "dynamodb:LeadingKeys": [ "${www.amazon.com:user_name}" ], "dynamodb:Attributes": [ "user_id" ] } }
C
"Condition": { "ForAllValues:StringEquals": { "dynamodb:LeadingKeys": [ "${www.amazon.com:user_id}" ], "dynamodb:Attributes": [ "user_id, user_name" ] } }
D
"Condition": { "ForAllValues:StringEquals": { "dynamodb:LeadingKeys": [ "${www.amazon.com:user_name}" ], "dynamodb:Attributes": [ "user_id, user_name" ] } }
A
"Condition": { "ForAllValues:StringEquals": { "dynamodb:LeadingKeys": [ "${www.amazon.com:user_id}" ], "dynamodb:Attributes": [ "user_name" ] } }