AWS DevOps Professional Exam Flashcards
_______ is a process methodology around deploying and managing environments.
DevOps
What are the 4 deployment methods?
All at once
Rolling
Blue/Green
Immutable
What is the “all at once” deployment method?
All at once deployment method deploys all instances at the same time
What is the impact of a failed “all at once” deployment?
Downtime
Rollback requires re-deploy
What is the benefit of an “all at once” deployment?
Faster than any other deployment method
Does “all at once” deployment require a DNS change?
No
What is the “rolling” deployment method?
Rolling deployment deploys a specific number of instances at a time
What is the impact of a failed “rolling” deployment?
- No downtime - Only updated instance batch affected
- Rollback the affected instances
How long does the “rolling” deployment method take to deploy?
A little bit more time than “all at once”
Does the “rolling” deployment require a DNS change?
No
What is the “blue/green” deployment method?
The “blue/green” method deploys two identical stacks running in a separate environment
What is the impact of a failed “blue/green” deployment?
No downtime - Only the updated environment is affected
How long does the “blue/green” deployment method take to deploy?
Takes longest due to spinning up more resources and can also cost more
Does a “blue/green” deployment require a DNS change?
Yes if using Elastic Beanstalk, but not always necessary
______ is an alternative to a rolling deployment where we deploy a new environment instead of updating existing resources.
Immutable
What is the impact of a failed immutable deployment?
No downtime - only the updated environment is affected
How long does an immutable environment take to deploy?
Takes longer to spin up more resources and can cost more
Does immutable deployment strategy require a DNS change?
No
What are the two types of deployment methods?
In-place
Disposable
_______ method of deployment involves performing application updates on existing instances.
In-place
______ method of deployment involves rolling out new instances and terminating older ones.
Disposable
Can you modify a launch configuration after the fact?
No
Your team is developing an application for a government project. For continuous deployment, you have built a CloudFormation stack to deploy EC2 instances. A third party software is installed in the instances and its license requires that the software should be bound to dedicated virtual machines. Whenever the CloudFormation stack is redeployed, the software should be installed in the same physical hosts. Which method would you select to achieve this requirement?
Allocate dedicated hosts for this application which allow you to reliably launch EC2 instances on the same physical servers. In the CloudFormation template, specify the allocated HostID and configure the tenancy type to be dedicated host.
Your team has created a new deployment in AWS CodeDeploy service. It automates the deployments for a new Node.js application to Amazon EC2 instances. In order to pass a notification to a Slack channel whenever deployments fail, a DevOps engineer configured a CloudWatch Event rule as follows:
{
  "source": [
    "aws.codedeploy"
  ],
  "detail-type": [
    "CodeDeploy Instance State-change Notification"
  ],
  "detail": {
    "state": [
      "FAILURE"
    ]
  }
}
The Event rule uses a Lambda function as the target to send notifications. However, the Slack channel does not receive notifications when deployments have failed. The DevOps engineer asks you for help. How would you resolve the issue?
Modify the detail-type to be “CodeDeploy Deployment State-change Notification” in the CloudWatch Event rule.
You are a DevOps engineer in a company. An AWS Organization is configured to manage a large number of AWS accounts and the Organization uses several Organizational Units (OUs) to help group AWS accounts together. You need to deploy a CloudFormation stack to enable customized AWS Config rules for all AWS accounts under one Organizational Unit. Which approach would you choose to provision the stack?
Configure a CloudFormation StackSet using the CloudFormation template. Choose the Organizational Unit in the StackSet and specify the regions to deploy the stack.
You have a Jenkins pipeline to update a CloudFormation stack. The pipeline uses AWS CloudFormation CLI update-stack. Sometimes when the Jenkins job runs, certain AWS resources are recreated, which is not as expected. Your manager asks you to add a step in the pipeline to list the changes that will be applied to the stack. The Jenkins job continues only after the changes are reviewed. How would you modify the Jenkins pipeline?
In the new step, use CloudFormation CLI create-change-set to generate the list of changes that will be applied in the stack. Review the changes before continuing the Jenkins job.
Your team is working on a migration project on the AWS platform. An Application Load Balancer is configured to route traffic to backend EC2 instances. A security group is attached to the load balancer which allows ingress traffic on a custom TCP port. Recently, due to some project requirements, the Application Load Balancer needs to be replaced by a Network Load Balancer. Existing configurations of the load balancer should be kept if possible. How would you configure the security group for the new Network Load Balancer?
As Network Load Balancers do not have associated security groups, update the security group in the target EC2 instances.
You have just joined a company as a DevOps engineer and you need to manage an AWS account. A large number of AWS resources are deployed in the account, such as Auto Scaling groups, S3 buckets, etc. In order to better understand the cost spent in the account, every department starts to attach a user-defined tag CostCenter:xxxx to its AWS resources. You also configured the AWS Cost and Usage Reports and used an S3 bucket to save the reports. After several days, you check the reports in the S3 bucket and find that the reports do not use the CostCenter tag to organize the resources or track the AWS costs. Which step did you miss?
Activate the CostCenter tag in the Billing and Cost Management console then the usage and costs will be grouped by the tag.
You are working on a small project for your personal usage. The application is hosted in an Auto Scaling group. There is only 1 instance in the ASG and the EC2 instance may be terminated and recreated from time to time. The EC2 DNS name and IP are changed when a new instance is launched in the ASG. You own a hosted zone in Route 53 and plan to create a record set to route the traffic to the instance. You have very limited budget. Which method is the most cost-efficient to update the record set dynamically?
Configure a CloudWatch Event rule to monitor the Auto Scaling events. The CloudWatch Event rule triggers a Lambda function to point the CNAME of the record set to the DNS of the new EC2 instance.
A company has a Node.js application deployed in an Elastic Beanstalk environment. At the moment the environment uses an “All at once” deployment strategy. The new versions are deployed in all instances simultaneously and there is an outage for a short time. If there is a problem with the new version, another deployment is required to perform a rollback. Your manager asks you to use another method that deploys newer versions to a fresh group of instances and the new instances should serve traffic only after the health check has passed. In the meantime, you do not want to maintain two environments in Elastic Beanstalk. Which deployment strategy should you select?
Configure an Immutable deployment strategy in the Elastic Beanstalk environment.
A team is developing an application and the code is managed in a repository in AWS CodeCommit. The developers push code in their own branches. When the code is ready for release, only a senior team member is allowed to merge the other branches into master. The merging event then triggers a pipeline for the deployment in production. You need to make sure that the team members are allowed to push or merge code to all the branches except the master branch. Which option describes the correct method?
Create an IAM group that includes the team members and attach the below policy:
{
  "Effect": "Allow",
  "Action": [
    "codecommit:GitPush",
    "codecommit:Merge"
  ],
  "Resource": [
    "arn:aws:codecommit::*:the-repo-name"
  ],
  "Condition": {
    "StringNotEquals": {
      "codecommit:References": [
        "refs/heads/master"
      ]
    }
  }
}
You have an on-premise virtual machine and you create a replication job in AWS Server Migration Service (SMS) to migrate the VM to AWS. Whenever an AMI is created from the SMS job, you need to launch an EC2 instance with the AMI and trigger a Jenkins job to perform the automation testing. The instance will be terminated after the testing is finished. Which method would you use to create the EC2 instance automatically for the testing?
Create a CloudWatch Event rule to monitor the AWS SMS job state changes. Use a Lambda function to get the new AMI ID and launch an EC2 instance.
The CloudWatch Event rule can monitor the following SMS events:
{
  "source": [
    "aws.sms"
  ],
  "detail-type": [
    "Server Migration Job State Change"
  ]
}
Then the Lambda function is triggered to launch a new instance using the AMI.
To meet security compliance of the company, your manager asks you to configure VPC Flow Logs in all AWS accounts. You create the flow logs in VPCs and use an S3 bucket to store the logs. You also set up a Sumo Logic dashboard to help analyze the log data. What information can you get from the VPC Flow Logs?
The time of the day when your EC2 hosted web application experiences the heaviest load.
The geographic region that has the most users for your application.
Your team is working on an IoT application. The data generated from the application is saved in S3 buckets and a Redshift data warehouse. You need to design interactive dashboards to analyze the data and share with other team members every day. With the dashboards, the team can explore the data further and get more insights. You have a limited budget on this assignment. Which solution is the most cost-effective?
Enable QuickSight in AWS. Use it to analyze the data, visualize the data and publish interactive dashboards that include machine learning insights.
You have an application running on an Amazon EC2 instance and you are using IAM roles to securely access AWS Service APIs. How can you configure your application running on that instance to retrieve the API keys for use with the AWS SDKs?
When using AWS SDKs on Amazon EC2 instances, you do not have to explicitly retrieve API keys. The SDKs assume the IAM role attached to the instance and obtain temporary credentials by interacting with the AWS STS service.
IAM roles are designed so that your applications can securely make API requests from your instances, without requiring you to manage the security credentials that the applications use. Instead of creating and distributing your AWS credentials, you can delegate permission to make API requests using IAM roles.
What’s the role of buildspec.yml file in CodeBuild?
A buildspec is a collection of build commands and related settings, in YAML format, that CodeBuild uses to run a build. Without a buildspec, CodeBuild cannot successfully convert your build input into build output.
A company wants to migrate its content sharing web application hosted on Amazon EC2 to a serverless architecture. The company currently deploys changes to its application by creating a new Auto Scaling group of EC2 instances and a new Elastic Load Balancer, and then shifting the traffic away using an Amazon Route 53 weighted routing policy.
For its new serverless application, the company is planning to use Amazon API Gateway and AWS Lambda. The company will need to update its deployment processes to work with the new application. It will also need to retain the ability to test new features on a small number of users before rolling the features out to the entire user base.
Which deployment strategy will meet these requirements?
Use AWS CloudFormation to deploy API Gateway and Lambda functions using Lambda function versions. When code needs to be changed, update the CloudFormation stack with the new Lambda code and update the API versions using a canary release strategy. Promote the new version when testing is complete.
A company’s application is currently deployed to a single AWS Region. Recently, the company opened a new office on a different continent. The users in the new office are experiencing high latency. The company’s application runs on Amazon EC2 instances behind an Application Load Balancer (ALB) and uses Amazon DynamoDB as the database layer. The instances run in an EC2 Auto Scaling group across multiple Availability Zones. A DevOps Engineer is tasked with minimizing application response times and improving availability for users in both Regions.
Which combination of actions should be taken to address the latency issues?
- Create new ALB and Auto Scaling group resources in the new Region and configure the new ALB to direct traffic to the new Auto Scaling group.
- Create Amazon Route 53 records, health checks, and latency-based routing policies to route to the ALB.
- Convert the DynamoDB table to a global table.
What are AWS DynamoDB Global Tables?
Global tables build on the global Amazon DynamoDB footprint to provide you with a fully managed, multi-Region, and multi-active database that delivers fast, local, read and write performance for massively scaled, global applications. Global tables replicate your DynamoDB tables automatically across your choice of AWS Regions.
A DevOps engineer used an AWS CloudFormation custom resource to set up AD Connector. The AWS Lambda function executed and created AD Connector, but CloudFormation is not transitioning from CREATE_IN_PROGRESS to CREATE_COMPLETE.
Which action should the engineer take to resolve this issue?
Ensure the Lambda function code returns a response to the pre-signed URL.
CloudFormation expects the Lambda function invoked by a custom resource to call back to the pre-signed URL; until that response arrives, the resource stays in CREATE_IN_PROGRESS.
A company plans to stop using Amazon EC2 key pairs for SSH access, and instead plans to use AWS Systems Manager Session Manager. To further enhance security, access to Session Manager must take place over a private network only.
Which combinations of actions will accomplish this?
- Attach an IAM policy with the necessary Systems Manager permissions to the existing IAM instance profile
- Create a VPC endpoint for Systems Manager in the desired Region.
A company runs an application with an Amazon EC2 and on-premises configuration. A DevOps Engineer needs to standardize patching across both environments. Company policy dictates that patching only happens during non-business hours.
Which combination of actions will meet these requirements?
- Add the physical machines into AWS Systems Manager using Systems Manager Hybrid Activations.
- Attach an IAM role to the EC2 instances, allowing them to be managed by AWS Systems Manager.
- Use AWS Systems Manager Maintenance Windows to schedule a patch window.
A company has many applications. Different teams in the company developed the applications by using multiple languages and frameworks. The applications run on premises and on different servers with different operating systems. Each team has its own release protocol and process. The company wants to reduce the complexity of the release and maintenance of these applications.
The company is migrating its technology stacks, including these applications, to AWS. The company wants centralized control of source code, a consistent and automatic delivery pipeline, and as few maintenance tasks as possible on the underlying infrastructure.
What should a DevOps engineer do to meet these requirements?
Create one AWS CodeCommit repository for each of the applications. Use AWS CodeBuild to build one Docker image for each application in Amazon Elastic Container Registry (Amazon ECR). Use AWS CodeDeploy to deploy the applications to Amazon Elastic Container Service (Amazon ECS) on infrastructure that AWS Fargate manages.
A DevOps engineer is developing an application for a company. The application needs to persist files to Amazon S3. The application needs to upload files with different security classifications that the company defines. These classifications include confidential, private, and public. Files that have a confidential classification must not be viewable by anyone other than the user who uploaded them. The application uses the IAM role of the user to call the S3 API operations.
The DevOps engineer has modified the application to add a DataClassification tag with the value of confidential and an Owner tag with the uploading user’s ID to each confidential object that is uploaded to Amazon S3.
Which set of additional steps must the DevOps engineer take to meet the company’s requirements?
Modify the S3 bucket policy to allow the s3:GetObject action when aws:ResourceTag/DataClassification equals confidential, and s3:ExistingObjectTag/Owner equals ${aws:userid}. Create an IAM policy that grants s3:GetObject operations on the S3 bucket. Attach the policy to the IAM roles for users who require access to the S3 bucket.
A company has developed an AWS Lambda function that handles orders received through an API. The company is using AWS CodeDeploy to deploy the Lambda function as the final stage of a CI/CD pipeline.
A DevOps Engineer has noticed there are intermittent failures of the ordering API for a few seconds after deployment. After some investigation, the DevOps Engineer believes the failures are due to database changes not having fully propagated before the Lambda function begins executing.
How should the DevOps Engineer overcome this?
Add a BeforeAllowTraffic hook to the AppSpec file that tests and waits for any necessary database changes before traffic can flow to the new version of the Lambda function
Your company is developing a microservices-based application on AWS, and you are responsible for designing the deployment pipeline. The application consists of multiple services that communicate with each other over HTTP. You want to ensure that changes to one service do not affect the availability or performance of other services. What is the best way to achieve this?
Deploy each service in its own AWS Fargate cluster, and use Amazon API Gateway to handle inter-service communication.
Your company has a microservices-based application deployed on AWS using Amazon ECS. The application is experiencing issues with performance and scaling, and you have been tasked with optimizing it. Which solution would you recommend?
Use Amazon EKS instead of Amazon ECS to manage the containers, and use Amazon Route 53 for service discovery and load balancing.
Amazon EKS provides a managed Kubernetes service that can help optimize the performance and scalability of containerized applications. By using EKS, you can take advantage of Kubernetes’ powerful orchestration capabilities, which can improve the availability and scalability of the application. Additionally, using Route 53 for service discovery and load balancing can help optimize the application’s performance.
Your company is developing a web application that uses AWS Lambda functions to process user requests. You want to ensure that your Lambda functions are performing optimally and meeting the required service level objectives (SLOs). Which metrics should you monitor to achieve this goal?
Memory utilization, average duration, and error rate.
You are building an application that requires automatic scaling to handle changes in traffic. You want to ensure that your application scales quickly and efficiently while also minimizing costs. Which autoscaling policies would be most appropriate for your application?
Target tracking scaling policy
With a target tracking policy, you set a target value for a specific metric, such as CPU utilization or request latency, and the autoscaling group adjusts the number of instances as needed to maintain the target value.
You are managing a highly available web application in AWS using an autoscaling group. You want to ensure that new instances launched by the autoscaling group are automatically configured with the latest version of your application code. Which AWS service can you use to achieve this?
AWS CodeDeploy
On which EC2 instances is the Configure recipe executed in OpsWorks?
In AWS OpsWorks, Configure recipes are executed on every instance that belongs to a layer with the “Use OpsWorks Chef cookbooks” option enabled.
A company is deploying a new application on AWS using the following components: Elastic Load Balancer (ELB), Auto Scaling group, and Amazon RDS. The company wants to monitor the application’s performance and availability. Which AWS service can be used to accomplish this?
Amazon CloudWatch
A company has an application running on AWS that uses Amazon RDS for database storage. The company wants to ensure that the database is automatically backed up every day, and that backups are retained for 30 days. What AWS service can be used to accomplish this?
AWS Backup
A company is building a real-time analytics solution using Amazon Kinesis. The solution should be able to process incoming data at a rate of 10,000 records per second, and should be able to analyze the data in real-time. Which Kinesis service can be used to meet these requirements?
Amazon Kinesis Data Streams
A company is using AWS CodePipeline to automate the deployment of its web application to multiple environments. The company wants to ensure that each deployment is tested and approved before it is promoted to the next environment. Which AWS service can be used to accomplish this?
AWS CodePipeline
A company is deploying a new application on AWS using Amazon ECS. The company wants to ensure that the application can be deployed across multiple AWS accounts and that each environment is isolated from the others. Which AWS service can be used to accomplish this?
AWS Organizations
A company has a mobile application that makes HTTP API calls to an Application Load Balancer (ALB). The ALB routes requests to an AWS Lambda function. Many different versions of the application are in use at any given time, including versions that are in testing by a subset of users. The version of the application is defined in the user-agent header that is sent with all requests to the API.
After a series of recent changes to the API, the company has observed issues with the application. The company needs to gather a metric for each API operation by response code for each version of the application that is in use. A DevOps engineer has modified the Lambda function to extract the API operation name, the version information from the user-agent header, and the response code.
Which additional set of actions should the DevOps engineer take to gather the required metrics?
Modify the Lambda function to write the API operation name, response code, and version number as a log line to an Amazon CloudWatch Logs log group. Configure a CloudWatch Logs metric filter that increments a metric for each API operation name. Specify response code and application version as dimensions for the metric.
A company provides an application to customers. The application has an Amazon API Gateway REST API that invokes an AWS Lambda function. On initialization, the Lambda function loads a large amount of data from an Amazon DynamoDB table. The data load process results in long cold-start times of 8-10 seconds. The DynamoDB table has DynamoDB Accelerator (DAX) configured.
Customers report that the application intermittently takes a long time to respond to requests. The application receives thousands of requests throughout the day. In the middle of the day, the application experiences 10 times more requests than at any other time of the day. Near the end of the day, the application’s request volume decreases to 10% of its normal total.
A DevOps engineer needs to reduce the latency of the Lambda function at all times of the day.
Which solution will meet these requirements?
Configure provisioned concurrency on the Lambda function. Configure AWS Application Auto Scaling on the Lambda function with provisioned concurrency values set to a minimum of 1 and a maximum of 100.
A company is adopting AWS CodeDeploy to automate its application deployments for a Java-Apache Tomcat application with an Apache Webserver. The development team started with a proof of concept, created a deployment group for a developer environment, and performed functional tests within the application. After completion, the team will create additional deployment groups for staging and production.
The current log level is configured within the Apache settings, but the team wants to change this configuration dynamically when the deployment occurs, so that they can set different log level configurations depending on the deployment group without having a different application revision for each group.
How can these requirements be met with the LEAST management overhead and without requiring different script versions for each deployment group?
Create a script that uses the CodeDeploy environment variable DEPLOYMENT_GROUP_NAME to identify which deployment group the instance is part of. Use this information to configure the log level settings. Reference this script as part of the BeforeInstall lifecycle hook in the appspec.yml file.
A company requires its developers to tag all Amazon Elastic Block Store (Amazon EBS) volumes in an account to indicate a desired backup frequency. This requirement includes EBS volumes that do not require backups. The company uses custom tags named Backup_Frequency that have values of none, daily, or weekly that correspond to the desired backup frequency. An audit finds that developers are occasionally not tagging the EBS volumes.
A DevOps engineer needs to ensure that all EBS volumes always have the Backup_Frequency tag so that the company can perform backups at least weekly unless a different value is specified.
Which solution will meet these requirements?
Set up AWS Config in the account. Use a managed rule that returns a compliance failure for EC2::Volume resources that do not have a Backup_Frequency tag applied. Configure a remediation action that uses a custom AWS Systems Manager Automation runbook to apply the Backup_Frequency tag with a value of weekly.
A company is using an Amazon Aurora cluster as the data store for its application. The Aurora cluster is configured with a single DB instance. The application performs read and write operations on the database by using the cluster’s instance endpoint.
The company has scheduled an update to be applied to the cluster during an upcoming maintenance window. The cluster must remain available with the least possible interruption during the maintenance window.
What should a DevOps engineer do to meet these requirements?
Turn on the Multi-AZ option on the Aurora cluster. Update the application to use the Aurora cluster endpoint for write operations. Update the Aurora cluster’s reader endpoint for reads.
A company must encrypt all AMIs that the company shares across accounts. A DevOps engineer has access to a source account where an unencrypted custom AMI has been built. The DevOps engineer also has access to a target account where an Amazon EC2 Auto Scaling group will launch EC2 instances from the AMI. The DevOps engineer must share the AMI with the target account.
The company has created an AWS Key Management Service (AWS KMS) key in the source account.
Which additional steps should the DevOps engineer perform to meet the requirements?
In the source account, copy the unencrypted AMI to an encrypted AMI. Specify the KMS key in the copy action.
In the source account, modify the key policy to give the target account permissions to create a grant. In the target account, create a KMS grant that delegates permissions to the Auto Scaling group service-linked role.
In the source account, share the encrypted AMI with the target account.
The engineering team at a multi-national retail company is deploying its flagship web application onto an Auto Scaling Group using CodeDeploy. The team has chosen a strategy of a rolling update so that instances are updated in small batches in the ASG. The ASG has five instances running. At the end of the deployment, it seems that three instances are running the new version of the application, while the other two are running the old version. CodeDeploy is reporting a successful deployment.
As a DevOps Engineer, what is the most likely reason that you would attribute for this issue?
Two new instances were created during the deployment
A retail company is storing the users’ information along with their purchase history in a DynamoDB table and it has also enabled DynamoDB Streams. Three use cases are implemented for this table: a Lambda function reads the stream to send emails for new user subscriptions, another Lambda function sends an email after a user has made their first purchase, and finally the last Lambda function awards discounts to users every 10 purchases. When there is a high volume of data on your DynamoDB table, the Lambda functions are experiencing a throttling issue. As you plan on adding future Lambda functions to read from that stream, you need to update the existing solution.
As a DevOps Engineer, which option would you recommend?
Create a new Lambda function that will read from the stream and pass on the payload to SNS. Have the other three and upcoming Lambda functions directly read from the SNS topic
As part of the CICD pipeline, the DevOps team at a retail company wants to deploy the latest application code to a staging environment and the team also wants to ensure it can execute an automated functional test suite before deploying to production. The code is managed via CodeCommit. Usually, the functional test suite runs for over two hours. The company has hired you as an AWS Certified DevOps Engineer Professional to build a solution for this requirement.
How would you create the CICD pipeline to run your test suite in the most efficient way?
Create a CodePipeline pointing to the master branch of your CodeCommit repository and automatically deploy to a staging environment using CodeDeploy. After that stage, invoke a CodeBuild build that will run the test suite. If the stage doesn’t fail, the last stage will deploy the application to production
A global health-care company has an EFS filesystem being used in eu-west-1. The company would like to plan for a disaster recovery strategy and backup that EFS file system in ap-southeast-2. It needs to have a hot copy of the data so that the applications can be re-deployed in ap-southeast-2 with a minimum RPO and RTO. The VPCs in each region are not peered with each other.
How should a DevOps engineer implement a solution for this use-case?
Create a replication cluster managed by EC2 with Auto Scaling in eu-west-1. Scale according to a Custom Metric you would publish with the application representing the lag in file reads. Replicate the data into Amazon S3 in ap-southeast-2. Create another replication cluster in ap-southeast-2 that reads from Amazon S3 and copies the files into a standby EFS cluster
An IT company is deploying a Python Flask based application and would like to ensure that it has a base AMI that contains the necessary Python runtime, as well as OS patches. That AMI must be able to be referenced programmatically from across all regions in your account in a scalable way. The company has hired you as an AWS Certified DevOps Engineer Professional to build a solution to address this requirement.
Which options would you recommend for this use-case?
- Create an SSM Automation document to create the AMI in a repeatable manner
- Store the AMI ID in the SSM parameter store in one region, and have a Lambda function that copies the AMI across all the other regions, and stores the corresponding AMI ID in SSM. Use the same parameter store name so it can be re-used across regions
The DevOps team at a leading travel-booking services company is using a CloudFormation template to deploy a Lambda function. The Lambda function code is uploaded to S3 as a file named s3://my-bucket/my-lambda-code.zip by CodePipeline after having passed all the required build checks. CodePipeline then invokes the CloudFormation template to deploy the new code. The team has found that although the CloudFormation template successfully runs, the Lambda function is not updated.
As a DevOps Engineer, what can you do to quickly fix this issue?
- Upload the code every time to a new S3 bucket
- Upload the code every time with a new filename in the same bucket
- Enable S3 versioning and provide an S3ObjectVersion key
CloudFormation does not detect that a new file has been uploaded to S3 unless one of these parameters changes:
- S3Bucket
- S3Key
- S3ObjectVersion
A multi-national retail company is operating a multi-account strategy using AWS Organizations. Each account produces logs to CloudWatch Logs and the company would like to aggregate these logs under a single centralized account for archiving purposes. It needs the solution to be secure and centralized. The target destination for the logs should have little to no provisioning on the storage side.
As a DevOps Engineer, how would you implement a solution to meet these requirements?
Create a log destination in the centralized account, and create a log subscription on that destination. Create a Kinesis Firehose delivery stream and subscribe it to the log destination. The target of Kinesis Firehose should be Amazon S3
A Big Data analytics company has deployed a stream processing application using KCL to read records from Kinesis Data Streams configured with multiple shards. The application is running on one EC2 instance. It seems that the consuming application is lagging under a large load and therefore records are not processed in time and eventually dropped from the stream.
As a DevOps Engineer, you have been tasked with improving the reliability of this application with minimal changes. What should you do?
- Run the application in an Auto Scaling Group and scale based on the CloudWatch Metric MillisBehindLatest
- Increase the stream data retention period
The DevOps team at a business travel solutions company wants to use CodeDeploy to ensure zero downtime during deployments through rolling updates. The team wants to deploy the company’s flagship web application on a set of 5 EC2 instances running behind an Application Load Balancer. The team would like the deployment to be gradual and to automatically rollback in case of a failed deployment, which is determined by the application not being able to pass health checks.
As a DevOps Engineer, which options would you recommend for the given use-case?
In the ValidateService hook in appspec.yml, verify the service is properly running. Configure CodeDeploy to rollback on deployment failures. In case the hook fails, then CodeDeploy will rollback
The DevOps team at an auditing firm has deployed its flagship application on Elastic Beanstalk that processes invoices uploaded by customers in CSV form. The invoices can be quite big, with up to 10MB and 1,000,000 records total. Processing is CPU intensive which results in slowing down the application. Customers are sent an email when the processing is done, through the use of a cron job. The auditing firm has hired you as an AWS Certified DevOps Engineer Professional to build a solution for this requirement.
What do you recommend for the application to ensure a good performance and address scalability requirements?
Create a separate Beanstalk environment that’s a worker environment and processes invoices through an SQS queue. The invoices are uploaded into S3 and a reference to it is sent to the SQS by the web tier. The worker tier processes these files. A cron job defined using the cron.yml file will send out the emails
A company uses AWS CodePipeline pipelines to automate releases of its application. A typical pipeline consists of three stages: build, test, and deployment. The company has been using a separate AWS CodeBuild project to run scripts for each stage. However, the company now wants to use AWS CodeDeploy to handle the deployment stage of the pipelines.
The company has packaged the application as an RPM package and must deploy the application to a fleet of Amazon EC2 instances. The EC2 instances are in an EC2 Auto Scaling group and are launched from a common AMI.
Which combination of steps should a DevOps engineer perform to meet these requirements?
- Create a new version of the common AMI with the CodeDeploy agent installed. Update the IAM role of the EC2 instances to allow access to CodeDeploy.
- Create an application in CodeDeploy. Configure an in-place deployment type. Specify the Auto Scaling group as the deployment target. Update the CodePipeline pipeline to use the CodeDeploy action to deploy the application.
A company’s security team requires that all external Application Load Balancers (ALBs) and Amazon API Gateway APIs are associated with AWS WAF web ACLs. The company has hundreds of AWS accounts, all of which are included in a single organization in AWS Organizations. The company has configured AWS Config for the organization. During an audit, the company finds some externally facing ALBs that are not associated with AWS WAF web ACLs.
Which combination of steps should a DevOps engineer take to prevent future violations?
- Delegate AWS Firewall Manager to a security account.
- Create an AWS Firewall Manager policy to attach AWS WAF web ACLs to any newly created ALBs and API Gateway APIs.
A company uses AWS Key Management Service (AWS KMS) keys and manual key rotation to meet regulatory compliance requirements. The security team wants to be notified when any keys have not been rotated after 90 days.
Which solution will accomplish this?
Develop an AWS Config custom rule that publishes to an Amazon Simple Notification Service (Amazon SNS) topic when keys are more than 90 days old.
A security review has identified that an AWS CodeBuild project is downloading a database population script from an Amazon S3 bucket using an unauthenticated request. The security team does not allow unauthenticated requests to S3 buckets for this project.
How can this issue be corrected in the MOST secure manner?
Remove unauthenticated access from the S3 bucket with a bucket policy. Modify the service role for the CodeBuild project to include Amazon S3 access. Use the AWS CLI to download the database population script.
An ecommerce company has chosen AWS to host its new platform. The company’s DevOps team has started building an AWS Control Tower landing zone. The DevOps team has set the identity store within AWS IAM Identity Center (AWS Single Sign-On) to an external identity provider (IdP) and has configured SAML 2.0.
The DevOps team wants a robust permission model that applies the principle of least privilege. The model must allow the team to build and manage only the team’s own resources.
Which combination of steps will meet these requirements?
- Create permission sets. Attach an inline policy that includes the required permissions and uses the aws:PrincipalTag condition key to scope the permissions.
- Create a group in the IdP. Place users in the group. Assign the group to accounts and the permission sets in IAM Identity Center.
- Enable attributes for access control in IAM Identity Center. Map attributes from the IdP as key-value pairs.
An ecommerce company is receiving reports that its order history page is experiencing delays in reflecting the processing status of orders. The order processing system consists of an AWS Lambda function that uses reserved concurrency. The Lambda function processes order messages from an Amazon Simple Queue Service (Amazon SQS) queue and inserts processed orders into an Amazon DynamoDB table. The DynamoDB table has auto scaling enabled for read and write capacity.
Which actions should a DevOps engineer take to resolve this delay?
- Check the ApproximateAgeOfOldestMessage metric for the SQS queue. Increase the Lambda function concurrency limit.
- Check the WriteThrottleEvents metric for the DynamoDB table. Increase the maximum write capacity units (WCUs) for the table’s scaling policy.
A company has a single AWS account that runs hundreds of Amazon EC2 instances in a single AWS Region. New EC2 instances are launched and terminated each hour in the account. The account also includes existing EC2 instances that have been running for longer than a week.
The company’s security policy requires all running EC2 instances to use an EC2 instance profile. If an EC2 instance does not have an instance profile attached, the EC2 instance must use a default instance profile that has no IAM permissions assigned.
A DevOps engineer reviews the account and discovers EC2 instances that are running without an instance profile. During the review, the DevOps engineer also observes that new EC2 instances are being launched without an instance profile.
Which solution will ensure that an instance profile is attached to all existing and future EC2 instances in the Region?
Configure the ec2-instance-profile-attached AWS Config managed rule with a trigger type of configuration changes. Configure an automatic remediation action that invokes an AWS Systems Manager Automation runbook to attach the default instance profile to the EC2 instances.
A DevOps engineer is building a continuous deployment pipeline for a serverless application that uses AWS Lambda functions. The company wants to reduce the customer impact of an unsuccessful deployment. The company also wants to monitor for issues.
Which deploy stage configuration will meet these requirements?
Use an AWS Serverless Application Model (AWS SAM) template to define the serverless application. Use AWS CodeDeploy to deploy the Lambda functions with the Canary10Percent15Minutes Deployment Preference Type. Use Amazon CloudWatch alarms to monitor the health of the functions.
To run an application, a DevOps engineer launches an Amazon EC2 instance with public IP addresses in a public subnet. A user data script obtains the application artifacts and installs them on the instances upon launch. A change to the security classification of the application now requires the instances to run with no access to the internet. While the instances launch successfully and show as healthy, the application does not seem to be installed.
Which option will successfully install the application while complying with the new rule?
Publish the application artifacts to an Amazon S3 bucket and create a VPC endpoint for S3. Assign an IAM instance profile to the EC2 instances so they can read the application artifacts from the S3 bucket.
A development team is using AWS CodeCommit to version control application code and AWS CodePipeline to orchestrate software deployments. The team has decided to use a remote main branch as the trigger for the pipeline to integrate code changes. A developer has pushed code changes to the CodeCommit repository, but noticed that the pipeline had no reaction, even after 10 minutes.
Which action should be taken to troubleshoot this issue?
Check that the CodePipeline service role has permission to access the CodeCommit repository.
A company’s developers use Amazon EC2 instances as remote workstations. The company is concerned that users can create or modify EC2 security groups to allow unrestricted inbound access.
A DevOps engineer needs to develop a solution to detect when users create unrestricted security group rules. The solution must detect changes to security group rules in near real time, remove unrestricted rules, and send email notifications to the security team. The DevOps engineer has created an AWS Lambda function that checks for security group ID from input, removes rules that grant unrestricted access, and sends notifications through Amazon Simple Notification Service (Amazon SNS).
What should the DevOps engineer do next to meet the requirements?
Create an Amazon EventBridge event rule that has the default event bus as the source. Define the rule’s event pattern to match EC2 security group creation and modification events. Configure the rule to invoke the Lambda function.
A DevOps engineer is creating an AWS CloudFormation template to deploy a web service. The web service will run on Amazon EC2 instances in a private subnet behind an Application Load Balancer (ALB). The DevOps engineer must ensure that the service can accept requests from clients that have IPv6 addresses.
What should the DevOps engineer do with the CloudFormation template so that IPv6 clients can access the web service?
Add an IPv6 CIDR block to the VPC and subnets for the ALB. Create a listener on port 443, and specify the dualstack IP address type on the ALB. Create a target group, and add the EC2 instances as targets. Associate the target group with the ALB.
A company uses AWS Organizations and AWS Control Tower to manage all the company’s AWS accounts. The company uses the Enterprise Support plan.
A DevOps engineer is using Account Factory for Terraform (AFT) to provision new accounts. When new accounts are provisioned, the DevOps engineer notices that the support plan for the new accounts is set to the Basic Support plan. The DevOps engineer needs to implement a solution to provision the new accounts with the Enterprise Support plan.
Which solution will meet these requirements?
Set the aft_feature_enterprise_support feature flag to True in the AFT deployment input configuration. Redeploy AFT and apply the changes.
A company’s DevOps engineer uses AWS Systems Manager to perform maintenance tasks during maintenance windows. The company has a few Amazon EC2 instances that require a restart after notifications from AWS Health. The DevOps engineer needs to implement an automated solution to remediate these notifications. The DevOps engineer creates an Amazon EventBridge rule.
How should the DevOps engineer configure the EventBridge rule to meet these requirements?
Configure an event source of AWS Health, a service of EC2, and an event type that indicates instance maintenance. Target a Systems Manager document to restart the EC2 instance.
A company has containerized all of its in-house quality control applications. The company is running Jenkins on Amazon EC2 instances, which require patching and upgrading. The compliance officer has requested a DevOps engineer begin encrypting build artifacts since they contain company intellectual property.
What should the DevOps engineer do to accomplish this in the MOST maintainable manner?
Deploy Jenkins to an Amazon ECS cluster and copy build artifacts to an Amazon S3 bucket with default encryption enabled.
An IT team has built an AWS CloudFormation template so others in the company can quickly and reliably deploy and terminate an application. The template creates an Amazon EC2 instance with a user data script to install the application and an Amazon S3 bucket that the application uses to serve static webpages while it is running.
All resources should be removed when the CloudFormation stack is deleted. However, the team observes that CloudFormation reports an error during stack deletion, and the S3 bucket created by the stack is not deleted.
How can the team resolve the error in the MOST efficient manner to ensure that all resources are deleted without errors?
Add a custom resource with an AWS Lambda function with the DependsOn attribute specifying the S3 bucket, and an IAM role. Write the Lambda function to delete all objects from the bucket when RequestType is Delete.
A company runs an application on one Amazon EC2 instance. Application metadata is stored in Amazon S3 and must be retrieved if the instance is restarted. The instance must restart or relaunch automatically if the instance becomes unresponsive.
Which solution will meet these requirements?
Configure AWS OpsWorks, and use the auto healing feature to stop and start the instance. Use a lifecycle event in OpsWorks to pull the metadata from Amazon S3 and update it on the instance.
A company has multiple AWS accounts. The company uses AWS IAM Identity Center (AWS Single Sign-On) that is integrated with AWS Toolkit for Microsoft Azure DevOps. The attributes for access control feature is enabled in IAM Identity Center.
The attribute mapping list contains two entries. The department key is mapped to ${path:enterprise.department}. The costCenter key is mapped to ${path:enterprise.costCenter}.
All existing Amazon EC2 instances have a department tag that corresponds to three company departments (d1, d2, d3). A DevOps engineer must create policies based on the matching attributes. The policies must minimize administrative effort and must grant each Azure AD user access to only the EC2 instances that are tagged with the user’s respective department name.
Which condition key should the DevOps engineer include in the custom permissions policies to meet these requirements?
"Condition": {
    "StringEquals": {
        "ec2:ResourceTag/department": "${aws:PrincipalTag/department}"
    }
}
A company hosts a security auditing application in an AWS account. The auditing application uses an IAM role to access other AWS accounts. All the accounts are in the same organization in AWS Organizations.
A recent security audit revealed that users in the audited AWS accounts could modify or delete the auditing application’s IAM role. The company needs to prevent any modification to the auditing application’s IAM role by any entity other than a trusted administrator IAM role.
Which solution will meet these requirements?
Create an SCP that includes a Deny statement for changes to the auditing application’s IAM role. Include a condition that allows the trusted administrator IAM role to make changes. Attach the SCP to the root of the organization.
A company has an on-premises application that is written in Go. A DevOps engineer must move the application to AWS. The company’s development team wants to enable blue/green deployments and perform A/B testing.
Which solution will meet these requirements?
Use AWS Elastic Beanstalk to host the application. Store a zipped version of the application in Amazon S3. Use that location to deploy new versions of the application. Use Elastic Beanstalk to manage the deployment options.
A developer is maintaining a fleet of 50 Amazon EC2 Linux servers. The servers are part of an Amazon EC2 Auto Scaling group, and also use Elastic Load Balancing for load balancing.
Occasionally, some application servers are being terminated after failing ELB HTTP health checks. The developer would like to perform a root cause analysis on the issue, but before being able to access application logs, the server is terminated.
How can log collection be automated?
Use Auto Scaling lifecycle hooks to put instances in a Terminating:Wait state. Create an Amazon EventBridge rule for EC2 Instance-terminate Lifecycle Action and trigger an AWS Lambda function that invokes an SSM Run Command script to collect logs, push them to Amazon S3, and complete the lifecycle action once logs are collected.
A company has an organization in AWS Organizations. The organization includes workload accounts that contain enterprise applications. The company centrally manages users from an operations account. No users can be created in the workload accounts. The company recently added an operations team and must provide the operations team members with administrator access to each workload account.
Which combination of actions will provide this access?
- In the operations account, create an IAM user for each operations team member.
- In the operations account, create an IAM user group that is named SysAdmins. Add an IAM policy that allows the sts:AssumeRole action for the SysAdmin role in each workload account. Add all operations team members to the group.
- Create a SysAdmin role in each workload account. Attach the AdministratorAccess policy to the role. Modify the trust relationship to allow the sts:AssumeRole action from the operations account.
A company has multiple accounts in an organization in AWS Organizations. The company’s SecOps team needs to receive an Amazon Simple Notification Service (Amazon SNS) notification if any account in the organization turns off the Block Public Access feature on an Amazon S3 bucket. A DevOps engineer must implement this change without affecting the operation of any AWS accounts. The implementation must ensure that individual member accounts in the organization cannot turn off the notification.
Which solution will meet these requirements?
Turn on AWS Config across the organization. In the delegated administrator account, create an SNS topic. Subscribe the SecOps team’s email address to the SNS topic. Deploy a conformance pack that uses the s3-bucket-level-public-access-prohibited AWS Config managed rule in each account and uses an AWS Systems Manager document to publish an event to the SNS topic to notify the SecOps team.
A company has migrated its container-based applications to Amazon EKS and wants to establish automated email notifications. The notifications sent to each email address are for specific activities related to EKS components. The solution will include Amazon SNS topics and an AWS Lambda function to evaluate incoming log events and publish messages to the correct SNS topic.
Which logging solution will support these requirements?
Enable Amazon CloudWatch Logs to log the EKS components. Create a CloudWatch subscription filter for each component with Lambda as the subscription feed destination.
A company is implementing an Amazon Elastic Container Service (Amazon ECS) cluster to run its workload. The company architecture will run multiple ECS services on the cluster. The architecture includes an Application Load Balancer on the front end and uses multiple target groups to route traffic.
A DevOps engineer must collect application and access logs. The DevOps engineer then needs to send the logs to an Amazon S3 bucket for near-real-time analysis.
Which combination of steps must the DevOps engineer take to meet these requirements?
- Install the Amazon CloudWatch Logs agent on the ECS instances. Change the logging driver in the ECS task definition to awslogs.
- Activate access logging on the ALB. Then point the ALB directly to the logging S3 bucket.
- Create an Amazon Kinesis Data Firehose delivery stream that has a destination of the logging S3 bucket. Then create an Amazon CloudWatch Logs subscription filter for Kinesis Data Firehose.
A company that uses electronic health records is running a fleet of Amazon EC2 instances with an Amazon Linux operating system. As part of patient privacy requirements, the company must ensure continuous compliance for patches for operating system and applications running on the EC2 instances.
How can the deployments of the operating system and application patches be automated using a default and custom repository?
Use AWS Systems Manager to create a new patch baseline including the custom repository. Run the AWS-RunPatchBaseline document using the run command to verify and install patches.
A company is using AWS CodePipeline to automate its release pipeline. AWS CodeDeploy is being used in the pipeline to deploy an application to Amazon Elastic Container Service (Amazon ECS) using the blue/green deployment model. The company wants to implement scripts to test the green version of the application before shifting traffic. These scripts will complete in 5 minutes or less. If errors are discovered during these tests, the application must be rolled back.
Which strategy will meet these requirements?
Add a hooks section to the CodeDeploy AppSpec file. Use the AfterAllowTestTraffic lifecycle event to invoke an AWS Lambda function to run the test scripts. If errors are found, exit the Lambda function with an error to initiate rollback.
A company uses AWS Storage Gateway in file gateway mode in front of an Amazon S3 bucket that is used by multiple resources. In the morning when business begins, users do not see the objects processed by a third party the previous evening. When a DevOps engineer looks directly at the S3 bucket, the data is there, but it is missing in Storage Gateway.
Which solution ensures that all the updated third-party files are available in the morning?
Configure a nightly Amazon EventBridge event to invoke an AWS Lambda function to run the RefreshCache command for Storage Gateway.
A DevOps engineer needs to back up sensitive Amazon S3 objects that are stored within an S3 bucket with a private bucket policy using S3 cross-Region replication functionality. The objects need to be copied to a target bucket in a different AWS Region and account.
Which combination of actions should be performed to enable this replication?
- Create a replication IAM role in the source account
- Create a replication rule in the source bucket to enable the replication.
- Add statements to the target bucket policy allowing the replication IAM role to replicate objects.
A company has multiple member accounts that are part of an organization in AWS Organizations. The security team needs to review every Amazon EC2 security group and their inbound and outbound rules. The security team wants to programmatically retrieve this information from the member accounts using an AWS Lambda function in the management account of the organization.
Which combination of access changes will meet these requirements?
- Create a trust relationship that allows users in the management account to assume the IAM roles of the member accounts.
- Create an IAM role in each member account that has access to the AmazonEC2ReadOnlyAccess managed policy.
- Create an IAM role in the management account that allows the sts:AssumeRole action against the member account IAM role’s ARN.
A space exploration company receives telemetry data from multiple satellites. Small packets of data are received through Amazon API Gateway and are placed directly into an Amazon Simple Queue Service (Amazon SQS) standard queue. A custom application is subscribed to the queue and transforms the data into a standard format.
Because of inconsistencies in the data that the satellites produce, the application is occasionally unable to transform the data. In these cases, the messages remain in the SQS queue. A DevOps engineer must develop a solution that retains the failed messages and makes them available to scientists for review and future processing.
Which solution will meet these requirements?
Create an SQS dead-letter queue. Modify the existing queue by including a redrive policy that sets the Maximum Receives setting to 1 and sets the dead-letter queue ARN to the ARN of the newly created queue. Instruct the scientists to use the dead-letter queue to review the data that is not valid. Reprocess this data at a later time.
A company wants to use AWS CloudFormation for infrastructure deployment. The company has strict tagging and resource requirements and wants to limit the deployment to two Regions. Developers will need to deploy multiple versions of the same application.
Which solution ensures resources are deployed in accordance with company policy?
Create CloudFormation StackSets with approved CloudFormation templates.
A company requires that its internally facing web application be highly available. The architecture is made up of one Amazon EC2 web server instance and one NAT instance that provides outbound internet access for updates and accessing public data.
Which combination of architecture adjustments should the company implement to achieve high availability?
- Create additional EC2 instances spanning multiple Availability Zones. Add an Application Load Balancer to split the load between them.
- Replace the NAT instance with a NAT gateway in each Availability Zone. Update the route tables.
A DevOps engineer is building a multistage pipeline with AWS CodePipeline to build, verify, stage, test, and deploy an application. A manual approval stage is required between the test stage and the deploy stage. The development team uses a custom chat tool with webhook support that requires near-real-time notifications.
How should the DevOps engineer configure status updates for pipeline activity and approval requests to post to the chat tool?
Create an Amazon EventBridge rule that filters on CodePipeline Pipeline Execution State Change. Publish the events to an Amazon Simple Notification Service (Amazon SNS) topic. Create an AWS Lambda function that sends event details to the chat webhook URL. Subscribe the function to the SNS topic.
A company’s application development team uses Linux-based Amazon EC2 instances as bastion hosts. Inbound SSH access to the bastion hosts is restricted to specific IP addresses, as defined in the associated security groups. The company’s security team wants to receive a notification if the security group rules are modified to allow SSH access from any IP address.
What should a DevOps engineer do to meet this requirement?
Create an AWS Config rule by using the restricted-ssh managed rule to check whether security groups disallow unrestricted incoming SSH traffic. Configure automatic remediation to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic.
A DevOps team manages an API running on-premises that serves as a backend for an Amazon API Gateway endpoint. Customers have been complaining about high response latencies, which the development team has verified using the API Gateway latency metrics in Amazon CloudWatch. To identify the cause, the team needs to collect relevant data without introducing additional latency.
Which actions should be taken to accomplish this?
- Install the CloudWatch agent server side and configure the agent to upload relevant logs to CloudWatch.
- Enable AWS X-Ray tracing in API Gateway, modify the application to capture request segments, and use the X-Ray daemon to upload segments to X-Ray.
A company has an application that is using a MySQL-compatible Amazon Aurora Multi-AZ DB cluster as the database. A cross-Region read replica has been created for disaster recovery purposes. A DevOps engineer wants to automate the promotion of the replica so it becomes the primary database instance in the event of a failure.
Which solution will accomplish this?
Store the Aurora endpoint in AWS Systems Manager Parameter Store. Create an Amazon EventBridge event that detects the database failure and runs an AWS Lambda function to promote the replica instance and update the endpoint URL stored in AWS Systems Manager Parameter Store. Code the application to reload the endpoint from Parameter Store if a database connection fails.
A company hosts its staging website using an Amazon EC2 instance backed with Amazon EBS storage. The company wants to recover quickly with minimal data losses in the event of network connectivity issues or power failures on the EC2 instance.
Which solution will meet these requirements?
Create an Amazon CloudWatch alarm for the StatusCheckFailed System metric and select the EC2 action to recover the instance.
A company wants to use AWS development tools to replace its current bash deployment scripts. The company currently deploys a LAMP application to a group of Amazon EC2 instances behind an Application Load Balancer (ALB). During the deployments, the company unit tests the committed application, stops and starts services, unregisters and re-registers instances with the load balancer, and updates file permissions. The company wants to maintain the same deployment functionality through the shift to using AWS services.
Which solution will meet these requirements?
Use AWS CodePipeline to trigger AWS CodeBuild to test the application. Use bash scripts invoked by AWS CodeDeploy’s appspec.yml file to restart services. Unregister and re-register the instances in the AWS CodeDeploy deployment group with the ALB. Update the appspec.yml file to update file permissions without a custom script.
A company runs an application with an Amazon EC2 and on-premises configuration. A DevOps engineer needs to standardize patching across both environments. Company policy dictates that patching only happens during non-business hours.
Which combination of actions will meet these requirements?
- Add the physical machines into AWS Systems Manager using Systems Manager Hybrid Activations.
- Attach an IAM role to the EC2 instances, allowing them to be managed by AWS Systems Manager.
- Use AWS Systems Manager Maintenance Windows to schedule a patch window.
A company has chosen AWS to host a new application. The company needs to implement a multi-account strategy. A DevOps engineer creates a new AWS account and an organization in AWS Organizations. The DevOps engineer also creates the OU structure for the organization and sets up a landing zone by using AWS Control Tower.
The DevOps engineer must implement a solution that automatically deploys resources for new accounts that users create through AWS Control Tower Account Factory. When a user creates a new account, the solution must apply AWS CloudFormation templates and SCPs that are customized for the OU or the account to automatically deploy all the resources that are attached to the account. All the OUs are enrolled in AWS Control Tower.
Which solution will meet these requirements in the MOST automated way?
Deploy the Customizations for AWS Control Tower (CfCT) solution. Use an AWS CodeCommit repository as the source. In the repository, create a custom package that includes the CloudFormation templates and the SCP JSON documents.
An online retail company based in the United States plans to expand its operations to Europe and Asia in the next six months. Its product currently runs on Amazon EC2 instances behind an Application Load Balancer. The instances run in an Amazon EC2 Auto Scaling group across multiple Availability Zones. All data is stored in an Amazon Aurora database instance.
When the product is deployed in multiple regions, the company wants a single product catalog across all regions, but for compliance purposes, its customer information and purchases must be kept in each region.
How should the company meet these requirements with the LEAST amount of application changes?
Use Aurora with read replicas for the product catalog and additional local Aurora instances in each region for the customer information and purchases.
A company is implementing a well-architected design for its globally accessible API stack. The design needs to ensure both high reliability and fast response times for users located in North America and Europe.
The API stack contains the following three tiers:
- Amazon API Gateway
- AWS Lambda
- Amazon DynamoDB
Which solution will meet the requirements?
Configure Amazon Route 53 to point to API Gateway APIs in North America and Europe using latency-based routing and health checks. Configure the APIs to forward requests to a Lambda function in that Region. Configure the Lambda functions to retrieve and update the data in a DynamoDB global table.
A rapidly growing company wants to scale for developer demand for AWS development environments. Development environments are created manually in the AWS Management Console. The networking team uses AWS CloudFormation to manage the networking infrastructure, exporting stack output values for the Amazon VPC and all subnets. The development environments have common standards, such as Application Load Balancers, Amazon EC2 Auto Scaling groups, security groups, and Amazon DynamoDB tables.
To keep up with demand, the DevOps engineer wants to automate the creation of development environments. Because the infrastructure required to support the application is expected to grow, there must be a way to easily update the deployed infrastructure. CloudFormation will be used to create a template for the development environments.
Which approach will meet these requirements and quickly provide consistent AWS environments for developers?
Use nested stacks to define common infrastructure components. Use Fn::ImportValue intrinsic functions with the resources of the nested stack to retrieve Virtual Private Cloud (VPC) and subnet values. Use the CreateChangeSet and ExecuteChangeSet commands to update existing development environments.
A company uses AWS Organizations to manage multiple accounts. Information security policies require that all unencrypted Amazon EBS volumes be marked as non-compliant. A DevOps engineer needs to automatically deploy the solution and ensure that this compliance check is always present.
Which solution will accomplish this?
Create an AWS Config organizational rule to check whether EBS encryption is enabled and deploy the rule using the AWS CLI. Create and apply an SCP to prohibit stopping and deleting AWS Config across the organization.
A company is performing vulnerability scanning for all Amazon EC2 instances across many accounts. The accounts are in an organization in AWS Organizations. Each account’s VPCs are attached to a shared transit gateway. The VPCs send traffic to the internet through a central egress VPC. The company has enabled Amazon Inspector in a delegated administrator account and has enabled scanning for all member accounts.
A DevOps engineer discovers that some EC2 instances are listed in the “not scanning” tab in Amazon Inspector.
Which combination of actions should the DevOps engineer take to resolve this issue?
- Verify that AWS Systems Manager Agent is installed and is running on the EC2 instances that Amazon Inspector is not scanning.
- Associate the target EC2 instances with security groups that allow outbound communication on port 443 to the AWS Systems Manager service endpoint.
- Associate the target EC2 instances with instance profiles that grant permissions to communicate with AWS Systems Manager.
A development team uses AWS CodeCommit for version control for applications. The development team uses AWS CodePipeline, AWS CodeBuild, and AWS CodeDeploy for CI/CD infrastructure. In CodeCommit, the development team recently merged pull requests that did not pass long-running tests in the code base. The development team needed to perform rollbacks to branches in the codebase, resulting in lost time and wasted effort.
A DevOps engineer must automate testing of pull requests in CodeCommit to ensure that reviewers more easily see the results of automated tests as part of the pull request review.
What should the DevOps engineer do to meet this requirement?
Create an Amazon EventBridge rule that reacts to pullRequestCreated and pullRequestSourceBranchUpdated events. Create an AWS Lambda function that invokes a CodePipeline pipeline with a CodeBuild action that runs the tests for the application. Program the Lambda function to post the CodeBuild badge as a comment on the pull request so that developers will see the badge in their code review.
A company has deployed an application in a production VPC in a single AWS account. The application is popular and is experiencing heavy usage. The company’s security team wants to add additional security, such as AWS WAF, to the application deployment. However, the application’s product manager is concerned about cost and does not want to approve the change unless the security team can prove that additional security is necessary.
The security team believes that some of the application’s demand might come from users that have IP addresses that are on a deny list. The security team provides the deny list to a DevOps engineer. If any of the IP addresses on the deny list access the application, the security team wants to receive automated notification in near real time so that the security team can document that the application needs additional security. The DevOps engineer creates a VPC flow log for the production VPC.
Which set of additional steps should the DevOps engineer take to meet these requirements MOST cost-effectively?
Create a log group in Amazon CloudWatch Logs. Configure the VPC flow log to capture accepted traffic and to send the data to the log group. Create an Amazon CloudWatch metric filter for IP addresses on the deny list. Create a CloudWatch alarm with the metric filter as input. Set the period to 5 minutes and the datapoints to alarm to 1. Use an Amazon Simple Notification Service (Amazon SNS) topic to send alarm notices to the security team.
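The metric filter and alarm in the answer above, reproduced offline so the filter logic can be checked before it is deployed. This is an added example, not code from the flashcard set or from AWS: it parses default-format (version 2) VPC Flow Log records, counts ACCEPTed flows whose source address is on the deny list, buckets them into the 5-minute period the answer chooses, and reports which periods would put an alarm with threshold 1 and one datapoint to alarm into ALARM. The deny list, the records and the account and interface IDs are constructed for the example.

```python
"""Deny-list detection over VPC Flow Log records (added example, not from the page)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Field order of the default VPC Flow Log format (version 2).
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")

# Constructed deny list: two host entries would also work, a CIDR shows range matching.
DENY_LIST = [ip_network(n) for n in ("203.0.113.12/32", "198.51.100.0/24")]

# Constructed records spanning two 5-minute periods, plus one NODATA line.
SAMPLE_RECORDS = """\
2 123456789012 eni-0a1b2c3d 203.0.113.12 10.0.1.23 44321 443 6 20 4249 1418530010 1418530070 ACCEPT OK
2 123456789012 eni-0a1b2c3d 192.0.2.44 10.0.1.23 51000 443 6 10 1200 1418530020 1418530080 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.23 52000 443 6 1 60 1418530030 1418530090 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.23 52001 443 6 12 3000 1418530400 1418530460 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1418530400 1418530460 - NODATA
"""

PERIOD_SECONDS = 300  # the alarm period chosen in the answer


@dataclass(frozen=True)
class FlowRecord:
    srcaddr: str
    dstaddr: str
    dstport: str
    start: int
    action: str


def parse_records(text: str) -> List[FlowRecord]:
    """Parse default-format records; drop malformed and NODATA/SKIPDATA lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # a metric filter would simply not match such a line
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue  # NODATA / SKIPDATA records carry no addresses
        records.append(FlowRecord(rec["srcaddr"], rec["dstaddr"], rec["dstport"],
                                  int(rec["start"]), rec["action"]))
    return records


def is_denied(addr: str) -> bool:
    """True when addr is a valid IP inside any deny-list entry."""
    try:
        ip = ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in DENY_LIST)


def denied_hits_per_period(records: List[FlowRecord],
                           period: int = PERIOD_SECONDS) -> Dict[int, int]:
    """Count ACCEPTed flows from deny-listed sources per aligned period.

    Only ACCEPT is counted: the flow log is configured for accepted traffic
    because the point is to prove deny-listed clients actually reach the app;
    a REJECTed connection attempt proves nothing about the running workload.
    """
    counts: Dict[int, int] = defaultdict(int)
    for r in records:
        if r.action == "ACCEPT" and is_denied(r.srcaddr):
            counts[r.start - r.start % period] += 1
    return dict(counts)


def periods_in_alarm(hits: Dict[int, int], threshold: int = 1) -> List[int]:
    """Period start times whose single datapoint meets the alarm threshold."""
    return sorted(p for p, n in hits.items() if n >= threshold)


if __name__ == "__main__":
    parsed = parse_records(SAMPLE_RECORDS)
    hits = denied_hits_per_period(parsed)
    for period_start in periods_in_alarm(hits):
        print(f"ALARM: {hits[period_start]} deny-listed connection(s) "
              f"in period starting {period_start}")
```

Two practical caveats the exam answer glosses over: a CloudWatch metric filter matches literal field values, so a CIDR on the deny list has to be expanded into individual addresses (or the comparison moved to Logs Insights or a Lambda subscription), and flow log records are delivered minutes after the traffic they describe, so "near real time" here means minutes, not seconds.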
A DevOps engineer has automated a web service deployment by using AWS CodePipeline with the following steps:
1. An AWS CodeBuild project compiles the deployment artifact and runs unit tests.
2. An AWS CodeDeploy deployment group deploys the web service to Amazon EC2 instances in the staging environment.
3. A CodeDeploy deployment group deploys the web service to EC2 instances in the production environment.
The quality assurance (QA) team requests permission to inspect the build artifact before the deployment to the production environment occurs. The QA team wants to run an internal penetration testing tool to conduct manual tests. The tool will be invoked by a REST API call.
Which combination of actions should the DevOps engineer take to fulfill this request?
- Insert a manual approval action between the test actions and deployment actions of the pipeline.
- Update the pipeline to invoke an AWS Lambda function that calls the REST API for the penetration testing tool.
A company is hosting a web application in an AWS Region. For disaster recovery purposes, a second region is being used as a standby. Disaster recovery requirements state that session data must be replicated between regions in near-real time and 1% of requests should route to the secondary region to continuously verify system functionality. Additionally, if there is a disruption in service in the main region, traffic should be automatically routed to the secondary region, and the secondary region must be able to scale up to handle all traffic.
How should a DevOps engineer meet these requirements?
In both regions, deploy the application on AWS Elastic Beanstalk and use Amazon DynamoDB global tables for session data. Use an Amazon Route 53 weighted routing policy with health checks to distribute the traffic across the regions.
A company runs an application on Amazon EC2 instances. The company uses a series of AWS CloudFormation stacks to define the application resources. A developer performs updates by building and testing the application on a laptop and then uploading the build output and CloudFormation stack templates to Amazon S3. The developer’s peers review the changes before the developer performs the CloudFormation stack update and installs a new version of the application onto the EC2 instances.
The deployment process is prone to errors and is time-consuming when the developer updates each EC2 instance with the new application. The company wants to automate as much of the application deployment process as possible while retaining a final manual approval step before the modification of the application or resources.
The company already has moved the source code for the application and the CloudFormation templates to AWS CodeCommit. The company also has created an AWS CodeBuild project to build and test the application.
Which combination of steps will meet the company’s requirements?
- Create an application group and a deployment group in AWS CodeDeploy. Install the CodeDeploy agent on the EC2 instances.
- Use AWS CodePipeline to invoke the CodeBuild job, create CloudFormation change sets for each of the application stacks, and pause for a manual approval step. After approval, run the CloudFormation change sets and start the AWS CodeDeploy deployment.
A DevOps engineer manages a web application that runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances run in an EC2 Auto Scaling group across multiple Availability Zones. The engineer needs to implement a deployment strategy that:
- Launches a second fleet of instances with the same capacity as the original fleet.
- Maintains the original fleet unchanged while the second fleet is launched.
- Transitions traffic to the second fleet when the second fleet is fully deployed.
- Terminates the original fleet automatically 1 hour after transition.
Which solution will satisfy these requirements?
Use AWS CodeDeploy with a deployment group configured for a blue/green deployment. Select the option to terminate the original instances in the deployment group with a waiting period of 1 hour.
A video-sharing company stores its videos in Amazon S3. The company has observed a sudden increase in video access requests, but the company does not know which videos are most popular. The company needs to identify the general access pattern for the video files. This pattern includes the number of users who access a certain file on a given day, as well as the number of pull requests for certain files.
How can the company meet these requirements with the LEAST amount of effort?
Activate S3 server access logging. Use Amazon Athena to create an external table with the log files. Use Athena to create a SQL query to analyze the access patterns.
A development team wants to use AWS CloudFormation stacks to deploy an application. However, the developer IAM role does not have the required permissions to provision the resources that are specified in the AWS CloudFormation template. A DevOps engineer needs to implement a solution that allows the developers to deploy the stacks. The solution must follow the principle of least privilege.
Which solution will meet these requirements?
Create an AWS CloudFormation service role that has the required permissions. Grant the developer IAM role the iam:PassRole permission, scoped to that service role's ARN (and, to keep it least-privilege, conditioned with iam:PassedToService set to cloudformation.amazonaws.com so the role cannot be passed to other services). Use the new service role during stack deployments.
A production account has a requirement that any Amazon EC2 instance that has been logged in to manually must be terminated within 24 hours. All applications in the production account are using Auto Scaling groups with the Amazon CloudWatch Logs agent configured.
How can this process be automated?
Create a CloudWatch Logs subscription to an AWS Lambda function. Configure the function to add a tag to the EC2 instance that produced the login event and mark the instance to be decommissioned. Create an Amazon EventBridge rule to invoke a daily Lambda function that terminates all instances with this tag.
A company has enabled all features for its organization in AWS Organizations. The organization contains 10 AWS accounts. The company has turned on AWS CloudTrail in all the accounts. The company expects the number of AWS accounts in the organization to increase to 500 during the next year. The company plans to use multiple OUs for these accounts.
The company has enabled AWS Config in each existing AWS account in the organization. A DevOps engineer must implement a solution that enables AWS Config automatically for all future AWS accounts that are created in the organization.
Which solution will meet this requirement?
In the organization’s management account, create an AWS CloudFormation stack set to enable AWS Config. Configure the stack set to deploy automatically when an account is created through Organizations.
A company has many applications. Different teams in the company developed the applications by using multiple languages and frameworks. The applications run on premises and on different servers with different operating systems. Each team has its own release protocol and process. The company wants to reduce the complexity of the release and maintenance of these applications.
The company is migrating its technology stacks, including these applications, to AWS. The company wants centralized control of source code, a consistent and automatic delivery pipeline, and as few maintenance tasks as possible on the underlying infrastructure.
What should a DevOps engineer do to meet these requirements?
Create one AWS CodeCommit repository for each of the applications. Use AWS CodeBuild to build one Docker image for each application in Amazon Elastic Container Registry (Amazon ECR). Use AWS CodeDeploy to deploy the applications to Amazon Elastic Container Service (Amazon ECS) on infrastructure that AWS Fargate manages.
You are working in a large company. The company is building new serverless applications with the AWS Serverless Application Model (AWS SAM) framework. The serverless applications include resources such as API Gateways, Lambda functions, DynamoDB tables, Step functions, etc. For the serverless AWS resources to interact with one another, proper access and permissions need to be set up between the resources. For example, a Lambda function needs suitable permission to write new items in a DynamoDB table. What is the most appropriate way for you to manage these permissions using AWS SAM?
Use SAM connectors (AWS::Serverless::Connector) to provide simple, well-scoped permissions between the resources. For resource types that connectors do not support, fall back to the standard CloudFormation mechanisms to define the IAM roles and policies.
SAM connectors are designed to help provision permissions between SAM serverless resources.
You are working as a DevOps engineer. Your company owns an online shopping application. The application publishes application logs (i.e. clickstream logs) to a CloudWatch log group. In order to perform log analysis and application monitoring, you have also configured an Amazon OpenSearch Service cluster as the search and analytics engine. Now you want to stream the CloudWatch Logs data to the Amazon OpenSearch Service cluster in near real-time. Which method is the most appropriate one?
Select the CloudWatch log group, create an Amazon OpenSearch Service subscription filter, and stream the selected logs to the OpenSearch Service cluster
CloudWatch Logs subscription filters can stream logs to other services in near real-time. Users can create an Amazon OpenSearch Service subscription filter to deliver log data to OpenSearch.
You are an AWS cloud engineer. Your company owns an AWS Organization with dozens of AWS accounts. In the AWS Organization administrator account, you have created a CloudFormation StackSet to manage AWS resources in multiple AWS accounts across specified AWS Regions. In the StackSet, the self-managed permissions method has been used to establish the trust relationship between the administrator and target accounts. One day, when you try to update the StackSet with an updated template, the operation failed and one stack instance status became OUTDATED. Which option will NOT cause this issue?
In the AWS Organization, the trusted access between the AWS Organization’s management account and target (member) accounts has been disabled
The self-managed permissions model does not use trusted access with AWS Organizations; it relies on the administrator account's AWSCloudFormationStackSetAdministrationRole assuming the AWSCloudFormationStackSetExecutionRole in each target account, so disabling trusted access cannot be the cause of the OUTDATED stack instance.
A company owns an AWS OpsWorks stack for a web application. As most of the existing AWS resources are managed by AWS Systems Manager, you want to migrate the OpsWorks Stack application to Application Manager in AWS Systems Manager. The migration enables you to monitor the instances in the Application Manager page and also use some AWS features that are unavailable in OpsWorks such as the integrations with Auto Scaling group and application load balancers. How would you perform the migration in the most suitable way?
Use the AWS provided migration script to generate a CloudFormation template based on the existing OpsWorks layers. Customize the template and provision the CloudFormation stack. View the provisioned resources in the custom application of Application Manager
As a DevOps engineer, you are using a CloudFormation stack to maintain an AWS Auto Scaling group resource (AWS::AutoScaling::AutoScalingGroup). You want to use a suitable CloudFormation update policy to control how AWS CloudFormation handles updates for the Auto Scaling group resource. During the update, CloudFormation should only replace the instances in the existing Auto Scaling group instead of replacing the Auto Scaling group. The maximum number of instances that CloudFormation updates at any time should be 1 and at least 1 instance should be in service when old instances are being updated. Which UpdatePolicy is the most accurate in the CloudFormation template?
UpdatePolicy:
  AutoScalingRollingUpdate:
    MinInstancesInService: '1'
    MaxBatchSize: '1'
    WaitOnResourceSignals: 'true'
    PauseTime: PT10M
With WaitOnResourceSignals set, each replacement instance must send a success signal (for example with cfn-signal) within PauseTime, otherwise CloudFormation rolls the update back; without it, PauseTime is only a fixed wait between batches.
You need to create a new AWS OpsWorks Chef 12 stack with custom cookbooks. The OpsWorks stack will run in a new VPC with private and public subnets. There will be an Elastic Load Balancer resource in the public subnets. All these AWS resources need to be maintained by a CloudFormation template. To achieve better security, the requirement is that the OpsWorks instances must be put in the private subnets and only allow the incoming traffic routed through the Elastic Load Balancer. Which of the following resources are required to achieve this requirement in the CloudFormation template?
"ELBAttachment": {
  "Type": "AWS::OpsWorks::ElasticLoadBalancerAttachment",
  "Properties": {
    "ElasticLoadBalancerName": { "Ref": "ELB" },
    "LayerId": { "Ref": "OpsWorksLayer" }
  }
},
"OpsWorksSecurityGroup": {
  "Type": "AWS::EC2::SecurityGroup",
  "Properties": {
    "VpcId": { "Ref": "VPC" },
    "SecurityGroupIngress": [
      {
        "IpProtocol": "tcp",
        "FromPort": "80",
        "ToPort": "80",
        "SourceSecurityGroupId": { "Ref": "ELBSecurityGroup" }
      }
    ]
  }
}
Your company has used the SAP service to manage business operations and customer relations. In order to monitor the SAP data and perform further analysis, you want to build up AWS services to automatically transfer data from SAP to an S3 bucket. The data transfer needs to be based on the SAP Open Data Protocol (OData) and the generated data in S3 should be in JSON format. All the data should be encrypted both at rest and in transit. The frequency of the transfer should be every 2 minutes. Which of the following methods is the most accurate and easiest one that you should choose?
In Amazon AppFlow, create a connection for the SAP OData service. Create a flow in AppFlow. Select the SAP OData connection as the source and the S3 bucket as the destination. Choose to run the flow every two minutes
As a DevOps engineer, you are helping the team to configure a new in-memory database in Amazon MemoryDB for Redis. This high performance and durable MemoryDB database is built for microservices applications. Applications will be deployed in EC2 instances in several private subnets of a VPC. The MemoryDB database cluster will be deployed in the same private subnets as the EC2 instances. To ensure the security of the data transferred between the applications and the MemoryDB database, how would you manage access between the EC2 instances and the MemoryDB cluster in the most suitable way?
Create a VPC security group for the MemoryDB cluster and configure a custom inbound rule to only allow the incoming traffic from the EC2 security group on port 6379
You are working in a company as a DevOps engineer. Your team needs to build applications for several proof-of-concept projects. Your manager asks you to use AWS App Runner to deploy from the source code in GitHub repositories directly to the web applications in the AWS cloud. Through AWS App Runner, you can quickly build up the continuous integration and deployment (CI/CD) pipelines to perform automatic deployments whenever developers push new commits to the code repositories. When creating the AWS App Runner service, which of the following configurations would you need to set up?
Create IAM identity-based policies and apply them to IAM entities. Specify if the IAM entities can access the AWS App Runner console and manage the App Runner service
You are working in a bank as a cloud engineer. For a new web application, you need to configure a service that can automatically create and manage custom Ubuntu 20 AMI images. The images will be used by EC2 Auto Scaling groups. As the web application processes sensitive customer data, the images need to be compliant with STIG (Security Technical Implementation Guides) standards which are created by the Defense Information Systems Agency (DISA) to secure information systems and software. How would you use EC2 Image Builder to automate the image-building process?
In EC2 Image Builder, create an image recipe that contains the STIG component together with other necessary build components. Create an image pipeline with the recipe to automate the image build process
Your company owns several legacy Java applications in the on-premises data centers. The applications are running on the IBM WebSphere application server on Ubuntu. As a DevOps engineer, you plan to use the AWS App2Container (A2C) command line tool to lift and shift the legacy Java applications to the AWS platform. Through App2Container, you would like to first analyze the applications and then generate Dockerfiles to deploy them as containerized workloads on AWS. Which of the following options is NOT supported by App2Container?
Use App2Container to create an ECR repository to store the application Docker images. Create an Elastic Beanstalk application to deploy the Docker containers
You are a DevOps engineer. In your team, developers start to use the AWS Copilot CLI tool to deploy microservices in Amazon ECS Fargate. The application source code and Dockerfiles are pushed into a GitHub repository. The developers use Copilot to manage several environments (i.e. Dev, QA, Production) and use the “copilot svc deploy” CLI command to deploy the services to various environments manually. Now you need to build centralized, automated pipelines for the applications, which automatically build and push the applications on Git push. Developers can also use Copilot to monitor the pipelines. How would you achieve these requirements?
Use “copilot pipeline” CLI commands to generate CodePipeline manifest files and deploy pipelines in AWS CodePipeline. Use the “copilot pipeline status” command to monitor the pipeline status
Your team is helping developers to build up AWS resources for a new project through CloudFormation StackSets. The project requires an Aurora database in the private subnets of a VPC. As the workload of the application may have sudden and unpredictable increases in activity, your team suggests using Aurora Serverless to manage the database capacities. One colleague has drafted the CloudFormation template and asked you to review it. In the CloudFormation template, you find that Aurora Serverless v1 is being used and you are suggesting using Aurora Serverless v2. Which option is NOT a benefit of using AWS Aurora Serverless v2 compared with v1?
With Aurora Serverless v2, you can seamlessly scale both the compute and memory capacities as needed with no disruption to client connections
What is API Gateway throttling account limit?
10,000 requests per second (rps) per account per Region, across all APIs, with a burst of 5,000 requests. These are adjustable defaults; per-stage and usage-plan throttles can set lower values.
What is a API Gateway throttling response code?
429 - Too many requests
What code are API GW Client Errors?
4XX
What code are API GW Server Errors?
5XX
The main difference between the ECS EC2 launch type and Fargate
With the EC2 launch type you provision, patch and scale the underlying EC2 instances yourself. Fargate is a serverless launch type for ECS: you do not manage any servers, AWS provisions and scales the compute automatically, and each task runs in its own isolated compute environment.
A company has a large development team who run many projects in a single shared AWS account. The company wants to optimize costs by automatically stopping EBS-backed Amazon EC2 instances if resources are idle.
Which solution will meet these requirements?
Use a scheduled Amazon CloudWatch Events rule to target a custom AWS Lambda function that runs AWS Trusted Advisor checks. Create a second CloudWatch Events rule to filter events from Trusted Advisor to trigger a Lambda function to stop the idle instances
A DevOps engineer must deploy a serverless website on AWS. The website will host content that includes HTML files, images, videos, and JavaScript (client-side scripts). The website must be optimized for global performance and be protected against web exploits.
Which actions should the engineer take?
Deploy the website using a static website running on Amazon S3. Create an Amazon CloudFront distribution and an AWS WAF web ACL
A company has deployed AWS Single Sign-On (AWS SSO) and needs to ensure that user accounts are not created within AWS Identity and Access Management (AWS IAM). A DevOps engineer must create an automated solution for immediately disabling credentials of any new IAM user that is created. The security team must be notified when user creation events take place.
Which combination of steps should the DevOps engineer take to meet these requirements?
- Create an Amazon EventBridge rule that is triggered by IAM CreateUser API calls in AWS CloudTrail
- Create an AWS Lambda function that disables the access keys and deletes the login profiles associated with new IAM users. Configure the function as a target of the EventBridge rule
- Create an Amazon SNS topic that is a target of the EventBridge rule. Subscribe the security team’s group email address to the topic
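The event pattern the EventBridge rule in the answer above would carry, with a matcher that checks it against a sample event. This is an added example, not code from the flashcard set or from AWS: it implements EventBridge's basic matching semantics (every key in the pattern must exist in the event, a list of values is an OR, nested objects recurse; content filters such as prefix or anything-but are not covered) and pulls the newly created user's name out of the event for the remediation Lambda. The sample event is constructed in the shape EventBridge delivers CloudTrail API-call events; the account ID, event ID and user names are made up.

```python
"""EventBridge pattern for IAM CreateUser, with a matcher (added example, not from the page)."""
from typing import Any, Dict

# Pattern for the rule: CreateUser calls recorded by CloudTrail for the IAM service.
RULE_PATTERN: Dict[str, Any] = {
    "source": ["aws.iam"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["iam.amazonaws.com"],
        "eventName": ["CreateUser"],
    },
}

# Constructed event in the EventBridge envelope for a CloudTrail API call.
SAMPLE_EVENT: Dict[str, Any] = {
    "version": "0",
    "id": "0d6c5f2e-1a2b-4c3d-9e8f-112233445566",
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.iam",
    "account": "123456789012",
    "time": "2024-01-15T10:00:00Z",
    "region": "us-east-1",
    "resources": [],
    "detail": {
        "eventVersion": "1.08",
        "userIdentity": {"type": "IAMUser", "userName": "ops-admin"},
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateUser",
        "awsRegion": "us-east-1",
        "requestParameters": {"userName": "new-contractor"},
        "responseElements": {
            "user": {
                "userName": "new-contractor",
                "arn": "arn:aws:iam::123456789012:user/new-contractor",
            }
        },
    },
}


def matches(pattern: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """Exact-value EventBridge matching: mandatory keys, OR over listed values, recursion."""
    for key, expected in pattern.items():
        if key not in event:
            return False  # every key named in the pattern must be present
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:  # a list of values is an OR
            return False
    return True


def created_user(event: Dict[str, Any]) -> str:
    """Name of the user the CreateUser call created; this is what the Lambda acts on."""
    return event["detail"]["requestParameters"]["userName"]


def created_by(event: Dict[str, Any]) -> str:
    """Who made the call; goes into the SNS notification to the security team."""
    identity = event["detail"]["userIdentity"]
    return f'{identity["type"]}:{identity.get("userName", "unknown")}'


if __name__ == "__main__":
    if matches(RULE_PATTERN, SAMPLE_EVENT):
        print(f"disable credentials for {created_user(SAMPLE_EVENT)} "
              f"(created by {created_by(SAMPLE_EVENT)})")
```

Two points matter when deploying this: IAM is a global service, so its CloudTrail events reach EventBridge only in us-east-1, and the rule (or a forwarding rule to another Region's bus) must live there; and a CreateUser event arrives before any access key or login profile exists, so adding CreateAccessKey and CreateLoginProfile to eventName lets the same function catch credentials issued to the user afterwards.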
A DevOps engineer is building a web application that will use federated access to a SAML identity provider (IdP). The web application requires sign up and sign in functionality using a custom webpage with authenticated access to AWS services.
Which steps should the DevOps engineer take to implement the authentication and access control solution for the web application?
Use Amazon Cognito and create a user pool for federated sign-in. Add a SAML IdP and enter identifiers to map the sign-in email addresses to the relevant provider. Generate access tokens and exchange them for temporary security credentials providing access to the appropriate AWS services
An application is being deployed on Amazon EC2 instances behind an Application Load Balancer (ALB). The security team requires that the traffic is secured with SSL/TLS certificates. Protection against common web exploits must also be implemented. The solution should not have a performance impact on the EC2 instances.
What steps should be taken to secure the web application?
- Add an SSL/TLS certificate to a secure listener on the ALB
- Create an AWS WAF web ACL and attach it to the ALB
A DevOps engineer manages an application that stores logs in Amazon CloudWatch Logs. The engineer needs to archive the logs in an Amazon S3 bucket. The log files are rarely accessed after 90 days and for compliance reasons must be retained for 10 years. The solution should run in an automated fashion.
Which combination of steps should the DevOps engineer take to meet the requirements?
- Create a CloudWatch Logs subscription filter that uses Amazon Kinesis Data Firehose to stream all logs to an S3 bucket
- Create an S3 bucket lifecycle policy that transitions the log files to S3 Glacier after 90 days and expires the log files after 3,650 days. (3,650 days falls two or three leap days short of 10 calendar years; use 3,653 days if the retention floor is strict.)
A company plans to deploy a high-performance computing (HPC) workload on Amazon EC2 instances in a shared Amazon VPC. Developers in multiple participant accounts must be granted access to the cluster to perform analytics. The cluster requires a shared file system that supports file-based access to objects stored in Amazon S3 buckets.
Which deployment steps should be implemented to support the required features and access control?
Deploy an Amazon FSx for Lustre file system. Create an IAM role that can be assumed by members of the participant accounts and provide permissions through an identity-based policy assigned to the role. Use security groups to enable file system access
A legacy application uses IAM user credentials to access resources in the company’s AWS Organizations organization. It should not be possible to create IAM users unless the user account making the request is specified on an exception list. A DevOps engineer must apply these restrictions.
Which solution will meet these requirements?
Attach an Organizations SCP with an explicit deny for all iam:CreateUser actions with a condition that includes StringNotLike for aws:username with a value of the exception list
A company requires an automated solution that terminates Amazon EC2 instances that have been logged into manually within 24 hours of the login event. The applications running in the account are launched using Auto Scaling groups and the CloudWatch Logs agent is configured on all instances.
How should a DevOps engineer build the automation?
Create a CloudWatch Logs subscription filter that delivers logs to an AWS Lambda function. Configure the function to tag the resources that produced the login event. Create a CloudWatch Events rule that triggers another Lambda function daily that terminates all instances that were tagged
A development team runs a fleet of Amazon EC2 instances in a dev/test environment. A manager is concerned about the costs of the workloads. While the developers are unable to determine the exact resource requirements for each workload, they also cannot terminate any instances as all are currently in operational use.
What is the best way to ensure the most efficient use of the underlying hardware?
Use AWS Compute Optimizer to report on resource utilization on EC2 instances and use the recommendations to manually reconfigure resources for improved utilization
A company runs a Java application in an on-premises data center. The application is not currently containerized but the company plans to migrate it to the AWS Cloud and modernize the application into a containerized deployment. A CI/CD pipeline should also be created to automate application updates.
Which solution can a DevOps engineer use to meet all these requirements?
Use AWS App2Container (A2C) to analyze and inventory the on-premises application and then containerize it on Amazon ECS. Configure A2C to build a CI/CD pipeline using CodeBuild and CodeDeploy
A company runs many different workloads across hundreds of Amazon EC2 instances. The DevOps team requires that all instances have standard configurations. These configurations include standard logging, metrics, security assessments, and weekly patching.
Which combination of actions meets these requirements with the most operational efficiency?
- Use AWS Systems Manager to install and manage Amazon Inspector, Systems Manager Patch Manager, and the Amazon CloudWatch agent on all instances
- Use AWS Systems Manager maintenance windows with Systems Manager Run Command to schedule Systems Manager Patch Manager tasks. Use Amazon EventBridge to schedule Amazon Inspector assessment runs
A critical production application running on AWS uses automatic scaling. The operations team must run updates on the application that affect only one instance at a time. The deployment process must ensure all remaining instances continue to serve traffic. The deployment must roll back if the update causes the CPU utilization of the updated instance to exceed 85%.
Which solution will meet these requirements?
Configure AWS CodeDeploy with Amazon EC2 Auto Scaling. Create an alarm based on the CPU utilization metric. Use the CodeDeployDefault.OneAtATime configuration for deployment. Configure automatic rollbacks to roll back the deployment if the alarm thresholds are exceeded
A data intelligence and analytics company has implemented a CI/CD pipeline using AWS CodePipeline which takes code from an AWS CodeCommit repository and then builds it using AWS CodeBuild. During the deploy stage, the application is deployed onto an Amazon ECS cluster. During deployment, the application is only partly updated on some ECS tasks which are running an older version of the image.
A DevOps engineer investigated and found that terminating the task or clearing the local Docker cache fixes the issue, but a more robust solution is required that provides visibility and identification to track where container images are deployed. Also, the start-up time of the containers needs to be optimized.
Which actions should the DevOps engineer take to achieve these requirements?
- Move all the dependencies into a single image and pull them from a single container registry
- When creating a new task definition for the ECS service, make sure to include the sha256 digest in the full image name so that ECS pulls the correct image every time
A company uses a single AWS account and Region for development activities with multiple teams working on independent projects. A DevOps engineer must implement a mechanism to notify the operations manager when the creation of resources approaches the service limits for the AWS account.
Which solution will accomplish this with the LEAST amount of development effort?
Create an AWS Lambda function that refreshes AWS Trusted Advisor checks and use an Amazon EventBridge rule to run the Lambda function regularly. Create another EventBridge rule with an event pattern matching Trusted Advisor checks and configure an Amazon SNS topic that notifies the operations manager
The launch template that is used by an Auto Scaling group has been modified to use a new instance type and AMI. The Auto Scaling group is deployed using AWS CloudFormation. There are 8 production EC2 instances running in the Auto Scaling group.
A DevOps engineer needs to modify the Auto Scaling group to use the new template version without causing any interruption to the application and must ensure that at least 4 instances are always running.
Use the AutoScalingRollingUpdate attribute with the MinInstancesInService property
A DevOps engineer is deploying a three-tier application on AWS that includes an Application Load Balancer in front of the Amazon ECS web tier, an Amazon ECS application tier, and an Amazon RDS database. The load balancer should only distribute traffic to the web tier if the web tier can successfully communicate with the application and database tiers.
How can this validation be implemented?
Create a health check endpoint in the web application that tests connectivity to the application and database tiers. Configure the endpoint as the health check URL for the target group
A DevOps engineer launched an Amazon EC2 instance in an Amazon VPC. The instance must download an object from a restricted Amazon S3 bucket. When trying to download the object, a 403 Access Denied error was received.
What are two possible causes for this error?
- The bucket policy does not grant permission
- There is an issue with the IAM role configuration
A development team is running a project that will involve deploying applications across several Amazon VPCs. The applications will require fully meshed network connectivity to enable transitive routing between VPCs. The development lead is concerned about security and has requested centralized control over network access controls.
Which deployment will satisfy the requirements with the most operational efficiency?
Deploy AWS Transit Gateway to create a fully meshed network topology with transitive routing. Use AWS Network Firewall to centrally deploy and manage security policies across the VPCs
An eCommerce company has operations in several countries around the world. The company runs an application in co-location facilities that uses Linux servers and a relational database running on MySQL. The application will be migrated to AWS and will include Amazon EC2 instances behind an Application Load Balancer in multiple AWS Regions. The database configuration has not yet been finalized.
A DevOps engineer has been asked to assist with determining the best solution for the database. The data includes product catalog information which must be served with low latency and customer purchase information which should be kept within each Region for compliance purposes.
Which database solution should the DevOps engineer recommend to meet these requirements with the LEAST changes to the application?
Use Aurora with read replicas for the product catalog and additional local Aurora instances in each region for the customer purchase data
A law firm is planning to migrate existing applications to AWS. These applications are hosted in an on-premises data center and are complex in nature. The applications could take many months to migrate. While the migration is underway, the application development team implemented a tactical solution using Amazon CloudFront with a custom origin pointing to the SSL endpoint URL for the legacy web application.
The ad-hoc solution worked for several weeks; however, all browser connections recently began showing an HTTP 502 Bad Gateway error with the header “X-Cache: Error from CloudFront”. Network monitoring services show that the HTTPS port 443 on the legacy web application is open and responding to requests.
Which option could be the reason for the error and how can it be solved?
The SSL certificate on the legacy web application server has expired. Reissue the SSL certificate on the web server that is signed by a globally recognized certificate authority (CA). Install the full certificate chain onto the legacy web application server
An application runs on Amazon EC2 instances behind an Application Load Balancer (ALB). Users on the internet have reported performance issues with the application. A DevOps engineer must investigate the reports and identify the processing latencies for requests.
How can the engineer obtain this information?
Enable access logs on the load balancer
A web application runs on Amazon EC2 instances in an EC2 Auto Scaling group behind an Application Load Balancer (ALB). A DevOps engineer needs to implement a strategy for deploying updates that meets the following requirements:
- Automatically launches the new version of the application on a second set of instances with the same capacity as the old version of the application.
- Maintains the old version unchanged while the new version is launched.
- Shifts traffic to the new version when the instances are fully deployed.
- Terminates the old fleet of instances automatically 1 hour after shifting traffic.
Which solution will satisfy these requirements?
Use AWS CodeDeploy and create a deployment group that uses a blue/green deployment configuration. Use the BlueInstanceTerminationOption to terminate the instances in the blue environment after 1 hour
A company manages several legacy applications that all generate different log formats. The logs need to be standardized so they can be queried and analyzed. A DevOps engineer needs a solution for standardizing the log formats before writing them to an Amazon S3 bucket.
How can this requirement be met at the LOWEST cost?
Configure the Amazon Kinesis Agent to upload the logs to Amazon Kinesis Data Firehose and use an AWS Lambda function to normalize the log files before they are loaded to Amazon S3
The DevOps team at a global retail company wants to deploy the latest application code through build, staging, beta, and prod environments. During the staging deployment, an automated functional test suite needs to be executed, which takes approximately two hours to complete regression testing. The code is managed via AWS CodeCommit.
How can a DevOps engineer optimize the configuration and automate the pipeline?
Create a CodePipeline pointing to the master branch of the CodeCommit repository and automatically deploy to a staging environment using CodeDeploy. After that stage, invoke a CodeBuild build that will run the test suite. If the stage doesn’t fail, the last stage will deploy the application to production
The information security policy of a company has been updated and now requires that all Amazon EBS volumes must be encrypted. Any volumes that are not encrypted should be marked as non-compliant. The company uses AWS Organizations to manage multiple accounts. A DevOps engineer needs to automatically deploy the solution and ensure that this compliance check is applied.
Which solution will accomplish this MOST efficiently?
Create an AWS Config rule at the AWS organization level to check whether EBS encryption is enabled. Create and apply an SCP to prohibit stopping and deleting AWS Config across the organization