Brainscape's Knowledge GenomeTM


Top Flashcards (Certified)
All Flashcards

AWS DevOps Professional Exam > AWS DevOps Professional Exam > Flashcards

AWS DevOps Professional Exam Flashcards

1
Q

_______ is a process methodology around deploying and managing environments.

A

DevOps

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

What are the 4 deployment methods?

A

All at once
Rolling
Blue/Green
Immutable

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

What is the “all at once” deployment method?

A

All at once deployment method deploys all instances at the same time

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

What is the impact of a failed “all at once” deployment?

A

Downtime

Rollback requires re-deploy

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

What is the benefit of an “all at once” deployment?

A

Faster than any other deployment method

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Does “all at once” deployment require a dns change?

A

No

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

What is the “rolling” deployment method?

A

Rolling deployment deploys a specific number of instances at a time

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

What is the impact of a failed “rolling” deployment?

A
  1. No downtime - Only updated instance batch affected
  2. Rollback the affected instances
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

How long does the “rolling” deployment method take to deploy?

A

A little bit more time than “all at once”

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Does the “rolling” deployment require a dns change?

A

No

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

What is the “blue/green” deployment method?

A

The “blue/green” method deploys two identical stacks running in a separate environment

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

What is the impact of a failed “blue/green” deployment?

A

No downtime - Only the updated environment is affected

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

How long does the “blue/green” deployment method take to deploy?

A

Takes longest due to spinning up more resources and can also cost more

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Does a “blue/green” deployment require a DNS change?

A

Yes if using Elastic Beanstalk, but not always necessary

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

______ is an alternative to a rolling deployment where we deploy a new environment instead of existing resources.

A

Immutable

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

What is the impact of a failed immutable deployment?

A

No downtime - only the updated environment is affected

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

How long does an immutable environment take to deploy?

A

Takes longer to spin up more resources and can cost more

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

Does immutable deployment strategy require a DNS change?

A

No

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

What are the two types of methods of deployment?

A

In-place
Disposable

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

_______ method of deployment involves performing application updates on existing instances.

A

In-place

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

______ method of deployment involves rolling out new instances and terminating older ones.

A

Disposable

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

Can you modify a launch configuration after the fact?

A

No

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

Your team is developing an application for a government project. For continuous deployment, you have built a CloudFormation stack to deploy EC2 instances. A third party software is installed in the instances and its license requires that the software should be bound to dedicated virtual machines. Whenever the CloudFormation stack is redeployed, the software should be installed in the same physical hosts. Which method would you select to achieve this requirement?

A

Allocate dedicated hosts for this application which allow you to reliably launch EC2 instances on the same physical servers. In the CloudFormation template, specify the allocated HostID and configure the tenancy type to be dedicated host.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

Your team has created a new deployment in AWS CodeDeploy service. It automates the deployments for a new Node.js application to Amazon EC2 instances. In order to pass a notification to a Slack channel whenever deployments fail, a DevOps engineer configured a CloudWatch Event rule as follows:

{
“source”: [
“aws.codedeploy”
],
“detail-type”: [
“CodeDeploy Instance State-change Notification”
],
“detail”: {
“state”: [
“FAILURE”
]
}
}

The Event rule uses a Lambda function as the target to send notifications. However, the Slack channel does not receive notifications when deployments have failed. The DevOps engineer asks you for help. How would you resolve the issue?

A

Modify the detail-type to be “CodeDeploy Deployment State-change Notification” in the CloudWatch Event rule.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
You are a DevOps engineer in a company. An AWS Organization is configured to manage a large number of AWS accounts and the Organization uses several Organizational Units (OUs) to help group AWS accounts together. You need to deploy a CloudFormation stack to enable customized AWS Config rules for all AWS accounts under one Organizational Unit. Which approach would you choose to provision the stack?
Configure a CloudFormation StackSet using the CloudFormation template. Choose the Organization Unit in the StackSet and specify the regions to deploy the stack.
26
You have a Jenkins pipeline to update a CloudFormation stack. The pipeline uses AWS CloudFormation CLI update-stack. Sometimes when the Jenkins job runs, certain AWS resources are recreated, which is not as expected. Your manager asks you to add a step in the pipeline to list the changes that will be applied to the stack. The Jenkins job continues only after the changes are reviewed. How would you modify the Jenkins pipeline?
In the new step, use CloudFormation CLI create-change-set to generate the list of changes that will be applied in the stack. Review the changes before continuing the Jenkins job.
27
Your team is working on a migration project in AWS platform. An Application Load Balancer is configured to route traffic to backend EC2 instances. A security group is attached in the load balancer which allows the ingress traffic from a custom TCP port. Recently, due to some project requirements, the Application Load Balancer needs to be replaced by a Network Load Balancer. Existing configurations of the load balancer should be kept if possible. How would you configure the security group in the new Network Load Balancer?
As Network Load Balancers do not have associated security groups, update the security group in the target EC2 instances.
28
You just join a company as a DevOps engineer and you need to manage an AWS account. A big number of AWS resources are deployed in the account such as Auto Scaling groups, S3 buckets, etc. In order to better understand the cost spent in the account, every department starts to attach a user-defined tag CostCenter:xxxx to its AWS resources. You also configured the AWS Cost and Usage Reports and used an S3 bucket to save the reports. After several days, you check the reports in the S3 bucket and find that the reports do not use the CostCenter tag to organize the resources or track the AWS costs. Which step do you miss?
Activate the CostCenter tag in the Billing and Cost Management console then the usage and costs will be grouped by the tag.
29
You are working on a small project for your personal usage. The application is hosted in an Auto Scaling group. There is only 1 instance in the ASG and the EC2 instance may be terminated and recreated from time to time. The EC2 DNS name and IP are changed when a new instance is launched in the ASG. You own a hosted zone in Route 53 and plan to create a record set to route the traffic to the instance. You have very limited budget. Which method is the most cost-efficient to update the record set dynamically?
Configure a CloudWatch Event rule to monitor the Auto Scaling events. The CloudWatch Event rule triggers a Lambda function to point the CNAME of the record set to the DNS of the new EC2 instance.
30
A company has a Node.js application deployed in an Elastic Beanstalk environment. At the moment the environment uses an “All at once” deployment strategy. The new versions are deployed in all instances simultaneously and there is an outage for a short time. If there is a problem with the new version, another deployment is required to perform a rollback. Your manager asks you to use another method that deploys newer versions to a fresh group of instances and the new instances should serve traffic only after the health check has passed. In the meantime, you do not want to maintain two environments in Elastic Beanstalk. Which deployment strategy should you select?
Configure an Immutable deployment strategy in the Elastic Beanstalk environment.
31
A team is developing an application and the code is managed in a repository in AWS CodeCommit. The developers push code in their own branches. When the code is ready for release, only a senior team member is allowed to merge the other branches into master. The merging event then triggers a pipeline for the deployment in production. You need to make sure that the team members are allowed to push or merge code to all the branches except the master branch. Which option describes the correct method?
Create an IAM group that includes the team members and attach the below policy: { "Effect": "Allow", "Action": [ "codecommit:GitPush", "codecommit:Merge*" ], "Resource": [ "arn:aws:codecommit:*:*:the-repo-name" ], "Condition": { "StringNotEquals": { "codecommit:References": [ "refs/heads/master" ] } } }
32
You have an on-premise virtual machine and you create a replication job in AWS Server Migration Service (SMS) to migrate the VM to AWS. Whenever an AMI is created from the SMS job, you need to launch an EC2 instance with the AMI and trigger a Jenkins job to perform the automation testing. The instance will be terminated after the testing is finished. Which method would you use to create the EC2 instance automatically for the testing?
Create a CloudWatch Event rule to monitor the AWS SMS job state changes. Use a Lambda function to get the new AMI ID and launch an EC2 instance. ## Footnote The CloudWatch Event rule can monitor the following SMS events: { "source": [ "aws.sms" ], "detail-type": [ "Server Migration Job State Change" ] } Then the Lambda function is triggered to launch a new instance using the AMI.
33
To meet security compliance of the company, your manager asks you to configure VPC Flow Logs in all AWS accounts. You create the flow logs in VPCs and use an S3 bucket to store the logs. You also set up a Sumo Logic dashboard to help analyze the log data. What information can you get from the VPC Flow Logs?
The time of the day when your EC2 hosted web application experiences the heaviest load. The geographic region that has the most users for your application.
34
Your team is working on an IoT application. The data generated from the application is saved in S3 buckets and a Redshift data warehouse. You need to design interactive dashboards to analyze the data and share with other team members every day. With the dashboards, the team can explore the data further and get more insights. You have a limited budget on this assignment. Which solution is the most cost-effective?
Enable QuickSight in AWS. Use it to analyze the data, visualize the data and publish interactive dashboards that include machine learning insights.
35
You have an application running on an Amazon EC2 instance and you are using IAM roles to securely access AWS Service APIs. How can you configure your application running on that instance to retrieve the API keys for use with the AWS SDKs?
When using AWS SDKs in Amazon EC2 instances, you do not have to explicitly retrieve API keys. The SDKs assume the IAM roles attached in the instances and get temporary credentials by interacting with the AWS STS service ## Footnote IAM roles are designed so that your applications can securely make API requests from your instances, without requiring you to manage the security credentials that the applications use. Instead of creating and distributing your AWS credentials, you can delegate permission to make API requests using IAM roles.
36
What's the role of buildspec.yml file in CodeBuild?
A buildspec is a collection of build commands and related settings, in YAML format, that CodeBuild uses to run a build. Without a build spec, CodeBuild cannot successfully convert your build input into build output
37
A company wants to migrate its content sharing web application hosted on Amazon EC2 to a serverless architecture. The company currently deploys changes to its application by creating a new Auto Scaling group of EC2 instances and a new Elastic Load Balancer, and then shifting the traffic away using an Amazon Route 53 weighted routing policy. For its new serverless application, the company is planning to use Amazon API Gateway and AWS Lambda. The company will need to update its deployment processes to work with the new application. It will also need to retain the ability to test new features on a small number of users before rolling the features out to the entire user base. Which deployment strategy will meet these requirements?
Use AWS CloudFormation to deploy API Gateway and Lambda functions using Lambda function versions. When code needs to be changed, update the CloudFormation stack with the new Lambda code and update the API versions using a canary release strategy. Promote the new version when testing is complete.
38
A company's application is currently deployed to a single AWS Region. Recently, the company opened a new office on a different continent. The users in the new office are experiencing high latency. The company's application runs on Amazon EC2 instances behind an Application Load Balancer (ALB) and uses Amazon DynamoDB as the database layer. The instances run in an EC2 Auto Scaling group across multiple Availability Zones. A DevOps Engineer is tasked with minimizing application response times and improving availability for users in both Regions. Which combination of actions should be taken to address the latency issues?
- Create new ALB and Auto Scaling group resources in the new Region and configure the new ALB to direct traffic to the new Auto Scaling group. - Create Amazon Route 53 records, health checks, and latency-based routing policies to route to the ALB. - Convert the DynamoDB table to a global table.
39
What are AWS DynamoDB Global Tables?
Global tables build on the global Amazon DynamoDB footprint to provide you with a fully managed, multi-Region, and multi-active database that delivers fast, local, read and write performance for massively scaled, global applications. Global tables replicate your DynamoDB tables automatically across your choice of AWS Regions.
40
A DevOps engineer used an AWS CloudFormation custom resource to set up AD Connector. The AWS Lambda function executed and created AD Connector, but CloudFormation is not transitioning from CREATE_IN_PROGRESS to CREATE_COMPLETE. Which action should the engineer take to resolve this issue?
Ensure the Lambda function code returns a response to the pre-signed URL. ## Footnote Cloudformation expect the Lambda function invoked using a custom resource to call back at the signed URL
41
A company plans to stop using Amazon EC2 key pairs for SSH access, and instead plans to use AWS Systems Manager Session Manager. To further enhance security, access to Session Manager must take place over a private network only. Which combinations of actions will accomplish this?
- Attach an IAM policy with the necessary Systems Manager permissions to the existing IAM instance profile - Create a VPC endpoint for Systems Manager in the desired Region.
42
A company runs an application with an Amazon EC2 and on-premises configuration. A DevOps Engineer needs to standardize patching across both environments. Company policy dictates that patching only happens during non-business hours. Which combination of actions will meet these requirements?
- Add the physical machines into AWS Systems Manager using Systems Manager Hybrid Activations. - Attach an IAM role to the EC2 instances, allowing them to be managed by AWS Systems Manager. - Use AWS Systems Manager Maintenance Windows to schedule a patch window.
43
A company has many applications. Different teams in the company developed the applications by using multiple languages and frameworks. The applications run on premises and on different servers with different operating systems. Each team has its own release protocol and process. The company wants to reduce the complexity of the release and maintenance of these applications. The company is migrating its technology stacks, including these applications, to AWS. The company wants centralized control of source code, a consistent and automatic delivery pipeline, and as few maintenance tasks as possible on the underlying infrastructure. What should a DevOps engineer do to meet these requirements?
Create one AWS CodeCommit repository for each of the applications. Use AWS CodeBuild to build one Docker image for each application in Amazon Elastic Container Registry (Amazon ECR). Use AWS CodeDeploy to deploy the applications to Amazon Elastic Container Service (Amazon ECS) on infrastructure that AWS Fargate manages.
44
A DevOps engineer is developing an application for a company. The application needs to persist files to Amazon S3. The application needs to upload files with different security classifications that the company defines. These classifications include confidential, private, and public. Files that have a confidential classification must not be viewable by anyone other than the user who uploaded them. The application uses the IAM role of the user to call the S3 API operations. The DevOps engineer has modified the application to add a DataClassification tag with the value of confidential and an Owner tag with the uploading user's ID to each confidential object that is uploaded to Amazon S3. Which set of additional steps must the DevOps engineer take to meet the company's requirements?
Modify the S3 bucket policy to allow the s3:GetObject action when aws:ResourceTag/DataClassification equals confidential, and s3:ExistingObjectTag/Owner equals ${aws:userid}. Create an IAM policy that grants s3:GetObject operations on the S3 bucket. Attach the policy to the IAM roles for users who require access to the S3 bucket.
45
A company has developed an AWS Lambda function that handles orders received through an API. The company is using AWS CodeDeploy to deploy the Lambda function as the final stage of a CI/CD pipeline. A DevOps Engineer has noticed there are intermittent failures of the ordering API for a few seconds after deployment. After some investigation, the DevOps Engineer believes the failures are due to database changes not having fully propagated before the Lambda function begins executing. How should the DevOps Engineer overcome this?
Add a BeforeAllowTraffic hook to the AppSpec file that tests and waits for any necessary database changes before traffic can flow to the new version of the Lambda function
46
A company has developed an AWS Lambda function that handles orders received through an API. The company is using AWS CodeDeploy to deploy the Lambda function as the final stage of a CI/CD pipeline. A DevOps Engineer has noticed there are intermittent failures of the ordering API for a few seconds after deployment. After some investigation, the DevOps Engineer believes the failures are due to database changes not having fully propagated before the Lambda function begins executing. How should the DevOps Engineer overcome this?
Add a BeforeAllowTraffic hook to the AppSpec file that tests and waits for any necessary database changes before traffic can flow to the new version of the Lambda function
47
Your company is developing a microservices-based application on AWS, and you are responsible for designing the deployment pipeline. The application consists of multiple services that communicate with each other over HTTP. You want to ensure that changes to one service do not affect the availability or performance of other services. What is the best way to achieve this?
Deploy each service in its own AWS Fargate cluster, and use Amazon API Gateway to handle inter-service communication.
48
Your company has a microservices-based application deployed on AWS using Amazon ECS. The application is experiencing issues with performance and scaling, and you have been tasked with optimizing it. Which solution would you recommend?
Use Amazon EKS instead of Amazon ECS to manage the containers, and use Amazon Route 53 for service discovery and load balancing. ## Footnote Amazon EKS provides a managed Kubernetes service that can help optimize the performance and scalability of containerized applications. By using EKS, you can take advantage of Kubernetes' powerful orchestration capabilities, which can improve the availability and scalability of the application. Additionally, using Route 53 for service discovery and load balancing can help optimize the application's performance.
49
Your company is developing a web application that uses AWS Lambda functions to process user requests. You want to ensure that your Lambda functions are performing optimally and meeting the required service level objectives (SLOs). Which metrics should you monitor to achieve this goal?
Memory utilization, average duration, and error rate.
50
You are building an application that requires automatic scaling to handle changes in traffic. You want to ensure that your application scales quickly and efficiently while also minimizing costs. Which autoscaling policies would be most appropriate for your application?
Target tracking scaling policy ## Footnote With a target tracking policy, you set a target value for a specific metric, such as CPU utilization or request latency, and the autoscaling group adjusts the number of instances as needed to maintain the target value.
51
You are managing a highly available web application in AWS using an autoscaling group. You want to ensure that new instances launched by the autoscaling group are automatically configured with the latest version of your application code. Which AWS service can you use to achieve this?
AWS CodeDeploy
52
On which EC2 instances is Configure receipe executed in OpsWorks?
In AWS OpsWorks, Configure recipes are executed on every instance that belongs to a layer with the "Use OpsWorks Chef cookbooks" option enabled.
53
A company is deploying a new application on AWS using the following components: Elastic Load Balancer (ELB), Auto Scaling group, and Amazon RDS. The company wants to monitor the application’s performance and availability. Which AWS service can be used to accomplish this?
Amazon CloudWatch
54
A company has an application running on AWS that uses Amazon RDS for database storage. The company wants to ensure that the database is automatically backed up every day, and that backups are retained for 30 days. What AWS service can be used to accomplish this?
AWS Backup
55
A company is building a real-time analytics solution using Amazon Kinesis. The solution should be able to process incoming data at a rate of 10,000 records per second, and should be able to analyze the data in real-time. Which Kinesis service can be used to meet these requirements?
Amazon Kinesis Data Streams
56
A company is using AWS CodePipeline to automate the deployment of its web application to multiple environments. The company wants to ensure that each deployment is tested and approved before it is promoted to the next environment. Which AWS service can be used to accomplish this?
AWS CodePipeline
57
A company is deploying a new application on AWS using Amazon ECS. The company wants to ensure that the application can be deployed across multiple AWS accounts and that each environment is isolated from the others. Which AWS service can be used to accomplish this?
AWS Organizations
58
A company has a mobile application that makes HTTP API calls to an Application Load Balancer (ALB). The ALB routes requests to an AWS Lambda function. Many different versions of the application are in use at any given time, including versions that are in testing by a subset of users. The version of the application is defined in the user-agent header that is sent with all requests to the API. After a series of recent changes to the API, the company has observed issues with the application. The company needs to gather a metric for each API operation by response code for each version of the application that is in use. A DevOps engineer has modified the Lambda function to extract the API operation name, version information from the user-agent header and response code. Which additional set of actions should the DevOps engineer take to gather the required metrics?
Modify the Lambda function to write the API operation name, response code, and version number as a log line to an Amazon CloudWatch Logs log group. Configure a CloudWatch Logs metric filter that increments a metric for each API operation name. Specify response code and application version as dimensions for the metric.
59
A company provides an application to customers. The application has an Amazon API Gateway REST API that invokes an AWS Lambda function. On initialization, the Lambda function loads a large amount of data from an Amazon DynamoDB table. The data load process results in long cold-start times of 8-10 seconds. The DynamoDB table has DynamoDB Accelerator (DAX) configured. Customers report that the application intermittently takes a long time to respond to requests. The application receives thousands of requests throughout the day. In the middle of the day, the application experiences 10 times more requests than at any other time of the day. Near the end of the day, the application's request volume decreases to 10% of its normal total. A DevOps engineer needs to reduce the latency of the Lambda function at all times of the day. Which solution will meet these requirements?
Configure provisioned concurrency on the Lambda function. Configure AWS Application Auto Scaling on the Lambda function with provisioned concurrency values set to a minimum of 1 and a maximum of 100.
60
A company is adopting AWS CodeDeploy to automate its application deployments for a Java-Apache Tomcat application with an Apache Webserver. The development team started with a proof of concept, created a deployment group for a developer environment, and performed functional tests within the application. After completion, the team will create additional deployment groups for staging and production. The current log level is configured within the Apache settings, but the team wants to change this configuration dynamically when the deployment occurs, so that they can set different log level configurations depending on the deployment group without having a different application revision for each group. How can these requirements be met with the LEAST management overhead and without requiring different script versions for each deployment group?
Create a script that uses the CodeDeploy environment variable DEPLOYMENT_GROUP NAME to identify which deployment group the instance is part of. Use this information to configure the log level settings. Reference this script as part of the BeforeInstall lifecycle hook in the appspec.yml file.
61
A company requires its developers to tag all Amazon Elastic Block Store (Amazon EBS) volumes in an account to indicate a desired backup frequency. This requirement Includes EBS volumes that do not require backups. The company uses custom tags named Backup_Frequency that have values of none, dally, or weekly that correspond to the desired backup frequency. An audit finds that developers are occasionally not tagging the EBS volumes. A DevOps engineer needs to ensure that all EBS volumes always have the Backup_Frequency tag so that the company can perform backups at least weekly unless a different value is specified. Which solution will meet these requirements?
Set up AWS Config in the account. Use a managed rule that returns a compliance failure for EC2::Volume resources that do not have a Backup Frequency tag applied. Configure a remediation action that uses a custom AWS Systems Manager Automation runbook to apply the Backup_Frequency tag with a value of weekly.
62
A company is using an Amazon Aurora cluster as the data store for its application. The Aurora cluster is configured with a single DB instance. The application performs read and write operations on the database by using the cluster's instance endpoint. The company has scheduled an update to be applied to the cluster during an upcoming maintenance window. The cluster must remain available with the least possible interruption during the maintenance window. What should a DevOps engineer do to meet these requirements?
Turn on the Multi-AZ option on the Aurora cluster. Update the application to use the Aurora cluster endpoint for write operations. Update the Aurora cluster’s reader endpoint for reads.
63
A company must encrypt all AMIs that the company shares across accounts. A DevOps engineer has access to a source account where an unencrypted custom AMI has been built. The DevOps engineer also has access to a target account where an Amazon EC2 Auto Scaling group will launch EC2 instances from the AMI. The DevOps engineer must share the AMI with the target account. The company has created an AWS Key Management Service (AWS KMS) key in the source account. Which additional steps should the DevOps engineer perform to meet the requirements?
In the source account, copy the unencrypted AMI to an encrypted AMI. Specify the KMS key in the copy action. In the source account, modify the key policy to give the target account permissions to create a grant. In the target account, create a KMS grant that delegates permissions to the Auto Scaling group service-linked role. In the source account, share the encrypted AMI with the target account.
64
The engineering team at a multi-national retail company is deploying its flagship web application onto an Auto Scaling Group using CodeDeploy. The team has chosen a strategy of a rolling update so that instances are updated in small batches in the ASG. The ASG has five instances running. At the end of the deployment, it seems that three instances are running the new version of the application, while the other two are running the old version. CodeDeploy is reporting a successful deployment. As a DevOps Engineer, what is the most likely reason that you would attribute for this issue?
Two new instances were created during the deployment
65
A retail company is storing the users' information along with their purchase history in a DynamoDB table and it has also enabled the DynamoDB Streams. Three use cases are implemented for this table: a Lambda function reads the stream to send emails for new users subscriptions, another Lambda function which sends an email after a user has done their first purchase and finally the last Lambda function which awards discounts to users every 10 purchase. When there is a high volume of data on your DynamoDB table, the Lambda functions are experiencing a throttling issue. As you plan on adding future Lambda functions to read from that stream, you need to update the existing solution. As a DevOps Engineer, which option would you recommend?
Create a new Lambda function that will read from the stream and pass on the payload to SNS. Have the other three and upcoming Lambda functions directly read from the SNS topic
66
As part of the CICD pipeline, the DevOps team at a retail company wants to deploy the latest application code to a staging environment and the team also wants to ensure it can execute an automated functional test suite before deploying to production. The code is managed via CodeCommit. Usually, the functional test suite runs for over two hours. The company has hired you as an AWS Certified DevOps Engineer Professional to build a solution for this requirement. How would you create the CICD pipeline to run your test suite in the most efficient way?
Create a CodePipeline pointing to the master branch of your CodeCommit repository and automatically deploy to a staging environment using CodeDeploy. After that stage, invoke a CodeBuild build that will run the test suite. If the stage doesn't fail, the last stage will deploy the application to production
67
A global health-care company has an EFS filesystem being used in eu-west-1. The company would like to plan for a disaster recovery strategy and backup that EFS file system in ap-southeast-2. It needs to have a hot copy of the data so that the applications can be re-deployed in ap-southeast-2 with a minimum RPO and RTO. The VPCs in each region are not peered with each other. How should a DevOps engineer implement a solution for this use-case?
Create a replication cluster managed by EC2 with Auto Scaling in eu-west-1. Scale according to a Custom Metric you would publish with the application representing the lag in file reads. Replicate the data into Amazon S3 in ap-southeast-2. Create another replication cluster in ap-southeast-2 that reads from Amazon S3 and copies the files into a standby EFS cluster
68
An IT company is deploying a Python Flask based application and would like to ensure that it has a base AMI that contains the necessary Python runtime, as well as OS patches. That AMI must be used able to be referenced programmatically from across all regions in your account in a scalable way. The company has hired you as an AWS Certified DevOps Engineer Professional to build a solution to address this requirement. Which options would you recommend for this use-case?
- Create an SSM Automation document to create the AMI in a repeatable manner - Store the AMI ID in the SSM parameter store in one region, and have a Lambda function that copies the AMI across all the other regions, and stores the corresponding AMI ID in SSM. Use the same parameter store name so it can be re-used across regions
69
The DevOps team at a leading travel-booking services company is using a CloudFormation template to deploy a Lambda function. The Lambda function code is uploaded into S3 into a file named s3://my-bucket/my-lambda-code.zip by CodePipeline after having passed all the required build checks. CodePipeline then invokes the CloudFormation template to deploy the new code. The team has found that although the CloudFormation template successfully runs, the Lambda function is not updated. As a DevOps Engineer, what can you do to quickly fix this issue?
- Upload the code every time to a new S3 bucket - Upload the code every time with a new filename in the same bucket - Enable S3 versioning and provide an S3ObjectVersion key ## Footnote CloudFormation does not detect a new file has been uploaded to S3 unless one of these parameters change: - S3Bucket - S3Key - S3ObjectVersion
70
A multi-national retail company is operating a multi-account strategy using AWS Organizations. Each account produces logs to CloudWatch Logs and the company would like to aggregate these logs under a single centralized account for archiving purposes. It needs the solution to be secure and centralized. The target destination for the logs should have little to no provisioning on the storage side. As a DevOps Engineer, how would you implement a solution to meet these requirements?
Create a log destination in the centralized account, and create a log subscription on that destination. Create a Kinesis Firehose delivery stream and subscribe it to the log destination. The target of Kinesis Firehose should be Amazon S3
71
A Big Data analytics company has deployed a stream processing application using KCL to read records from Kinesis Data Streams configured with multiple shards. The application is running on one EC2 instance. It seems that the consuming application is lagging under a large load and therefore records are not processed in time and eventually dropped from the stream. As a DevOps Engineer, you have been tasked with improving the reliability of this application with minimal changes, what should you do?
- Run the application in an Auto Scaling Group and scale based on the CloudWatch Metric MillisBehindLatest - Increase the stream data retention period
72
The DevOps team at a business travel solutions company wants to use CodeDeploy to ensure zero downtime during deployments through rolling updates. The team wants to deploy the company's flagship web application on a set of 5 EC2 instances running behind an Application Load Balancer. The team would like the deployment to be gradual and to automatically rollback in case of a failed deployment, which is determined by the application not being able to pass health checks. As a DevOps Engineer, which options would you recommend for the given use-case?
In the ValidateService hook in appspec.yml, verify the service is properly running. Configure CodeDeploy to rollback on deployment failures. In case the hook fails, then CodeDeploy will rollback
73
The DevOps team at an auditing firm has deployed its flagship application on Elastic Beanstalk that processes invoices uploaded by customers in CSV form. The invoices can be quite big, with up to 10MB and 1,000,000 records total. Processing is CPU intensive which results in slowing down the application. Customers are sent an email when the processing is done, through the use of a cron job. The auditing firm has hired you as an AWS Certified DevOps Engineer Professional to build a solution for this requirement. What do you recommend for the application to ensure a good performance and address scalability requirements?
Create a separate Beanstalk environment that's a worker environment and processes invoices through an SQS queue. The invoices are uploaded into S3 and a reference to it is sent to the SQS by the web tier. The worker tier processes these files. A cron job defined using the cron.yml file will send out the emails
74
A company uses AWS CodePipeline pipelines to automate releases of its application A typical pipeline consists of three stages build, test, and deployment. The company has been using a separate AWS CodeBuild project to run scripts for each stage. However, the company now wants to use AWS CodeDeploy to handle the deployment stage of the pipelines. The company has packaged the application as an RPM package and must deploy the application to a fleet of Amazon EC2 instances. The EC2 instances are in an EC2 Auto Scaling group and are launched from a common AMI. Which combination of steps should a DevOps engineer perform to meet these requirements?
- Create a new version of the common AMI with the CodeDeploy agent installed. Update the IAM role of the EC2 instances to allow access to CodeDeploy. - Create an application in CodeDeploy. Configure an in-place deployment type. Specify the Auto Scaling group as the deployment target. Update the CodePipeline pipeline to use the CodeDeploy action to deploy the application.
75
A company’s security team requires that all external Application Load Balancers (ALBs) and Amazon API Gateway APIs are associated with AWS WAF web ACLs. The company has hundreds of AWS accounts, all of which are included in a single organization in AWS Organizations. The company has configured AWS Config for the organization. During an audit, the company finds some externally facing ALBs that are not associated with AWS WAF web ACLs. Which combination of steps should a DevOps engineer take to prevent future violations?
- Delegate AWS Firewall Manager to a security account. - Create an AWS Firewall Manager policy to attach AWS WAF web ACLs to any newly created ALBs and API Gateway APIs.
76
A company uses AWS Key Management Service (AWS KMS) keys and manual key rotation to meet regulatory compliance requirements. The security team wants to be notified when any keys have not been rotated after 90 days. Which solution will accomplish this?
Develop an AWS Config custom rule that publishes to an Amazon Simple Notification Service (Amazon SNS) topic when keys are more than 90 days old.
77
A security review has identified that an AWS CodeBuild project is downloading a database population script from an Amazon S3 bucket using an unauthenticated request. The security team does not allow unauthenticated requests to S3 buckets for this project. How can this issue be corrected in the MOST secure manner?
Remove unauthenticated access from the S3 bucket with a bucket policy. Modify the service role for the CodeBuild project to include Amazon S3 access. Use the AWS CLI to download the database population script.
78
An ecommerce company has chosen AWS to host its new platform. The company's DevOps team has started building an AWS Control Tower landing zone. The DevOps team has set the identity store within AWS IAM Identity Center (AWS Single Sign-On) to external identity provider (IdP) and has configured SAML 2.0. The DevOps team wants a robust permission model that applies the principle of least privilege. The model must allow the team to build and manage only the team's own resources. Which combination of steps will meet these requirements?
- Create permission sets. Attach an inline policy that includes the required permissions and uses the aws:PrincipalTag condition key to scope the permissions. - Create a group in the IdP. Place users in the group. Assign the group to accounts and the permission sets in IAM Identity Center. - Enable attributes for access control in IAM Identity Center. Map attributes from the IdP as key-value pairs.
79
An ecommerce company is receiving reports that its order history page is experiencing delays in reflecting the processing status of orders. The order processing system consists of an AWS Lambda function that uses reserved concurrency. The Lambda function processes order messages from an Amazon Simple Queue Service (Amazon SQS) queue and inserts processed orders into an Amazon DynamoDB table. The DynamoDB table has auto scaling enabled for read and write capacity. Which actions should a DevOps engineer take to resolve this delay?
- Check the ApproximateAgeOfOldestMessage metric for the SQS queue. Increase the Lambda function concurrency limit. - Check the WriteThrottleEvents metric for the DynamoDB table. Increase the maximum write capacity units (WCUs) for the table's scaling policy.
80
company has a single AWS account that runs hundreds of Amazon EC2 instances in a single AWS Region. New EC2 instances are launched and terminated each hour in the account. The account also includes existing EC2 instances that have been running for longer than a week. The company's security policy requires all running EC2 instances to use an EC2 instance profile. If an EC2 instance does not have an instance profile attached, the EC2 instance must use a default instance profile that has no IAM permissions assigned. A DevOps engineer reviews the account and discovers EC2 instances that are running without an instance profile. During the review, the DevOps engineer also observes that new EC2 instances are being launched without an instance profile. Which solution will ensure that an instance profile is attached to all existing and future EC2 instances in the Region?
Configure the ec2-instance-profile-attached AWS Config managed rule with a trigger type of configuration changes. Configure an automatic remediation action that invokes an AWS Systems Manager Automation runbook to attach the default instance profile to the EC2 instances.
81
A DevOps engineer is building a continuous deployment pipeline for a serverless application that uses AWS Lambda functions. The company wants to reduce the customer impact of an unsuccessful deployment. The company also wants to monitor for issues. Which deploy stage configuration will meet these requirements?
Use an AWS Serverless Application Model (AWS SAM) template to define the serverless application. Use AWS CodeDeploy to deploy the Lambda functions with the Canary10Percent15Minutes Deployment Preference Type. Use Amazon CloudWatch alarms to monitor the health of the functions.
82
To run an application, a DevOps engineer launches an Amazon EC2 instance with public IP addresses in a public subnet. A user data script obtains the application artifacts and installs them on the instances upon launch. A change to the security classification of the application now requires the instances to run with no access to the internet. While the instances launch successfully and show as healthy, the application does not seem to be installed. Which option will successfully install the application while complying with the new rule?
Publish the application artifacts to an Amazon S3 bucket and create a VPC endpoint for S3. Assign an IAM instance profile to the EC2 instances so they can read the application artifacts from the S3 bucket.
83
A development team is using AWS CodeCommit to version control application code and AWS CodePipeline to orchestrate software deployments. The team has decided to use a remote main branch as the trigger for the pipeline to integrate code changes. A developer has pushed code changes to the CodeCommit repository, but noticed that the pipeline had no reaction, even after 10 minutes. Which action should be taken to troubleshoot this issue?
Check that the CodePipeline service role has permission to access the CodeCommit repository.
84
A company's developers use Amazon EC2 instances as remote workstations. The company is concerned that users can create or modify EC2 security groups to allow unrestricted inbound access. A DevOps engineer needs to develop a solution to detect when users create unrestricted security group rules. The solution must detect changes to security group rules in near real time, remove unrestricted rules, and send email notifications to the security team. The DevOps engineer has created an AWS Lambda function that checks for security group ID from input, removes rules that grant unrestricted access, and sends notifications through Amazon Simple Notification Service (Amazon SNS). What should the DevOps engineer do next to meet the requirements?
Create an Amazon EventBridge event rule that has the default event bus as the source. Define the rule’s event pattern to match EC2 security group creation and modification events. Configure the rule to invoke the Lambda function.
85
A DevOps engineer is creating an AWS CloudFormation template to deploy a web service. The web service will run on Amazon EC2 instances in a private subnet behind an Application Load Balancer (ALB). The DevOps engineer must ensure that the service can accept requests from clients that have IPv6 addresses. What should the DevOps engineer do with the CloudFormation template so that IPv6 clients can access the web service?
Add an IPv6 CIDR block to the VPC and subnets for the ALB. Create a listener on port 443. and specify the dualstack IP address type on the ALB. Create a target group, and add the EC2 instances as targets. Associate the target group with the ALB.
86
A company uses AWS Organizations and AWS Control Tower to manage all the company's AWS accounts. The company uses the Enterprise Support plan. A DevOps engineer is using Account Factory for Terraform (AFT) to provision new accounts. When new accounts are provisioned, the DevOps engineer notices that the support plan for the new accounts is set to the Basic Support plan. The DevOps engineer needs to implement a solution to provision the new accounts with the Enterprise Support plan. Which solution will meet these requirements?
Set the aft_feature_enterprise_support feature flag to True in the AFT deployment input configuration. Redeploy AFT and apply the changes.
87
A company's DevOps engineer uses AWS Systems Manager to perform maintenance tasks during maintenance windows. The company has a few Amazon EC2 instances that require a restart after notifications from AWS Health. The DevOps engineer needs to implement an automated solution to remediate these notifications. The DevOps engineer creates an Amazon EventBridge rule. How should the DevOps engineer configure the EventBridge rule to meet these requirements?
Configure an event source of AWS Health, a service of EC2. and an event type that indicates instance maintenance. Target a Systems Manager document to restart the EC2 instance.
88
A company has containerized all of its in-house quality control applications. The company is running Jenkins on Amazon EC2 instances, which require patching and upgrading. The compliance officer has requested a DevOps engineer begin encrypting build artifacts since they contain company intellectual property. What should the DevOps engineer do to accomplish this in the MOST maintainable manner?
Deploy Jenkins to an Amazon ECS cluster and copy build artifacts to an Amazon S3 bucket with default encryption enabled.
89
An IT team has built an AWS CloudFormation template so others in the company can quickly and reliably deploy and terminate an application. The template creates an Amazon EC2 instance with a user data script to install the application and an Amazon S3 bucket that the application uses to serve static webpages while it is running. All resources should be removed when the CloudFormation stack is deleted. However, the team observes that CloudFormation reports an error during stack deletion, and the S3 bucket created by the stack is not deleted. How can the team resolve the error in the MOST efficient manner to ensure that all resources are deleted without errors?
Add a custom resource with an AWS Lambda function with the DependsOn attribute specifying the S3 bucket, and an IAM role. Write the Lambda function to delete all objects from the bucket when RequestType is Delete.
90
A company runs an application on one Amazon EC2 instance. Application metadata is stored in Amazon S3 and must be retrieved if the instance is restarted. The instance must restart or relaunch automatically if the instance becomes unresponsive. Which solution will meet these requirements?
Configure AWS OpsWorks, and use the auto healing feature to stop and start the instance. Use a lifecycle event in OpsWorks to pull the metadata from Amazon S3 and update it on the instance.
91
A company has multiple AWS accounts. The company uses AWS IAM Identity Center (AWS Single Sign-On) that is integrated with AWS Toolkit for Microsoft Azure DevOps. The attributes for access control feature is enabled in IAM Identity Center. The attribute mapping list contains two entries. The department key is mapped to ${path:enterprise.department}. The costCenter key is mapped to ${path:enterprise.costCenter}. All existing Amazon EC2 instances have a department tag that corresponds to three company departments (d1, d2, d3). A DevOps engineer must create policies based on the matching attributes. The policies must minimize administrative effort and must grant each Azure AD user access to only the EC2 instances that are tagged with the user’s respective department name. Which condition key should the DevOps engineer include in the custom permissions policies to meet these requirements?
"Condition": { "StringEquals": { "ec2: ResourceTag/department": "$ (aws: PrincipalTag/department) } }
92
A company hosts a security auditing application in an AWS account. The auditing application uses an IAM role to access other AWS accounts. All the accounts are in the same organization in AWS Organizations. A recent security audit revealed that users in the audited AWS accounts could modify or delete the auditing application's IAM role. The company needs to prevent any modification to the auditing application's IAM role by any entity other than a trusted administrator IAM role. Which solution will meet these requirements?
Create an SCP that includes a Deny statement for changes to the auditing application's IAM role. Include a condition that allows the trusted administrator IAM role to make changes. Attach the SCP to the root of the organization.
93
A company has an on-premises application that is written in Go. A DevOps engineer must move the application to AWS. The company's development team wants to enable blue/green deployments and perform A/B testing. Which solution will meet these requirements?
Use AWS Elastic Beanstalk to host the application. Store a zipped version of the application in Amazon S3. Use that location to deploy new versions of the application. Use Elastic Beanstalk to manage the deployment options.
94
A developer is maintaining a fleet of 50 Amazon EC2 Linux servers. The servers are part of an Amazon EC2 Auto Scaling group, and also use Elastic Load Balancing for load balancing. Occasionally, some application servers are being terminated after failing ELB HTTP health checks. The developer would like to perform a root cause analysis on the issue, but before being able to access application logs, the server is terminated. How can log collection be automated?
Use Auto Scaling lifecycle hooks to put instances in a Terminating:Wait state. Create an Amazon EventBridge rule for EC2 Instance-terminate Lifecycle Action and trigger an AWS Lambda function that invokes an SSM Run Command script to collect logs, push them to Amazon S3, and complete the lifecycle action once logs are collected.
95
A company has an organization in AWS Organizations. The organization includes workload accounts that contain enterprise applications. The company centrally manages users from an operations account. No users can be created in the workload accounts. The company recently added an operations team and must provide the operations team members with administrator access to each workload account. Which combination of actions will provide this access?
- In the operations account, create an IAM user for each operations team member. - In the operations account, create an IAM user group that is named SysAdmins. Add an IAM policy that allows the sts:AssumeRole action for the SysAdmin role in each workload account. Add all operations team members to the group. - Create a SysAdmin role in each workload account. Attach the AdministratorAccess policy to the role. Modify the trust relationship to allow the sts:AssumeRole action from the operations account.
96
A company has multiple accounts in an organization in AWS Organizations. The company's SecOps team needs to receive an Amazon Simple Notification Service (Amazon SNS) notification if any account in the organization turns off the Block Public Access feature on an Amazon S3 bucket. A DevOps engineer must implement this change without affecting the operation of any AWS accounts. The implementation must ensure that individual member accounts in the organization cannot turn off the notification. Which solution will meet these requirements?
Turn on AWS Config across the organization. In the delegated administrator account, create an SNS topic. Subscribe the SecOps team's email address to the SNS topic. Deploy a conformance pack that uses the s3-bucket-level-public-access-prohibited AWS Config managed rule in each account and uses an AWS Systems Manager document to publish an event to the SNS topic to notify the SecOps team.
97
A company has migrated its container-based applications to Amazon EKS and want to establish automated email notifications. The notifications sent to each email address are for specific activities related to EKS components. The solution will include Amazon SNS topics and an AWS Lambda function to evaluate incoming log events and publish messages to the correct SNS topic. Which logging solution will support these requirements?
Enable Amazon CloudWatch Logs to log the EKS components. Create a CloudWatch subscription filter for each component with Lambda as the subscription feed destination.
98
A company is implementing an Amazon Elastic Container Service (Amazon ECS) cluster to run its workload. The company architecture will run multiple ECS services on the cluster. The architecture includes an Application Load Balancer on the front end and uses multiple target groups to route traffic. A DevOps engineer must collect application and access logs. The DevOps engineer then needs to send the logs to an Amazon S3 bucket for near-real-time analysis. Which combination of steps must the DevOps engineer take to meet these requirements?
- Install the Amazon CloudWatch Logs agent on the ECS instances. Change the logging driver in the ECS task definition to awslogs. - Activate access logging on the ALB. Then point the ALB directly to the logging S3 bucket. - Create an Amazon Kinesis Data Firehose delivery stream that has a destination of the logging S3 bucket. Then create an Amazon CloudWatch Logs subscription filter for Kinesis Data Firehose.
99
A company that uses electronic health records is running a fleet of Amazon EC2 instances with an Amazon Linux operating system. As part of patient privacy requirements, the company must ensure continuous compliance for patches for operating system and applications running on the EC2 instances. How can the deployments of the operating system and application patches be automated using a default and custom repository?
Use AWS Systems Manager to create a new patch baseline including the custom repository. Run the AWS-RunPatchBaseline document using the run command to verify and install patches.
100
A company is using AWS CodePipeline to automate its release pipeline. AWS CodeDeploy is being used in the pipeline to deploy an application to Amazon Elastic Container Service (Amazon ECS) using the blue/green deployment model. The company wants to implement scripts to test the green version of the application before shifting traffic. These scripts will complete in 5 minutes or less. If errors are discovered during these tests, the application must be rolled back. Which strategy will meet these requirements?
Add a hooks section to the CodeDeploy AppSpec file. Use the AfterAllowTestTraffic lifecycle event to invoke an AWS Lambda function to run the test scripts. If errors are found, exit the Lambda function with an error to initiate rollback.
101
A company uses AWS Storage Gateway in file gateway mode in front of an Amazon S3 bucket that is used by multiple resources. In the morning when business begins, users do not see the objects processed by a third party the previous evening. When a DevOps engineer looks directly at the S3 bucket, the data is there, but it is missing in Storage Gateway. Which solution ensures that all the updated third-party files are available in the morning?
Configure a nightly Amazon EventBridge event to invoke an AWS Lambda function to run the RefreshCache command for Storage Gateway.
102
A DevOps engineer needs to back up sensitive Amazon S3 objects that are stored within an S3 bucket with a private bucket policy using S3 cross-Region replication functionality. The objects need to be copied to a target bucket in a different AWS Region and account. Which combination of actions should be performed to enable this replication?
- Create a replication IAM role in the source account - Create a replication rule in the source bucket to enable the replication. - Add statements to the target bucket policy allowing the replication IAM role to replicate objects.
103
A company has multiple member accounts that are part of an organization in AWS Organizations. The security team needs to review every Amazon EC2 security group and their inbound and outbound rules. The security team wants to programmatically retrieve this information from the member accounts using an AWS Lambda function in the management account of the organization. Which combination of access changes will meet these requirements?
- Create a trust relationship that allows users in the management account to assume the IAM roles of the member accounts. - Create an IAM role in each member account that has access to the AmazonEC2ReadOnlyAccess managed policy. - Create an I AM role in the management account that allows the sts:AssumeRole action against the member account IAM role's ARN.
104
A space exploration company receives telemetry data from multiple satellites. Small packets of data are received through Amazon API Gateway and are placed directly into an Amazon Simple Queue Service (Amazon SQS) standard queue. A custom application is subscribed to the queue and transforms the data into a standard format. Because of inconsistencies in the data that the satellites produce, the application is occasionally unable to transform the data. In these cases, the messages remain in the SQS queue. A DevOps engineer must develop a solution that retains the failed messages and makes them available to scientists for review and future processing. Which solution will meet these requirements?
Create an SQS dead-letter queue. Modify the existing queue by including a redrive policy that sets the Maximum Receives setting to 1 and sets the dead-letter queue ARN to the ARN of the newly created queue. Instruct the scientists to use the dead-letter queue to review the data that is not valid. Reprocess this data at a later time.
105
A company wants to use AWS CloudFormation for infrastructure deployment. The company has strict tagging and resource requirements and wants to limit the deployment to two Regions. Developers will need to deploy multiple versions of the same application. Which solution ensures resources are deployed in accordance with company policy?
Create CloudFormation StackSets with approved CloudFormation templates.
106
A company requires that its internally facing web application be highly available. The architecture is made up of one Amazon EC2 web server instance and one NAT instance that provides outbound internet access for updates and accessing public data. Which combination of architecture adjustments should the company implement to achieve high availability?
- Create additional EC2 instances spanning multiple Availability Zones. Add an Application Load Balancer to split the load between them. - Replace the NAT instance with a NAT gateway in each Availability Zone. Update the route tables.
107
A DevOps engineer is building a multistage pipeline with AWS CodePipeline to build, verify, stage, test, and deploy an application. A manual approval stage is required between the test stage and the deploy stage. The development team uses a custom chat tool with webhook support that requires near-real-time notifications. How should the DevOps engineer configure status updates for pipeline activity and approval requests to post to the chat tool?
Create an Amazon EventBridge rule that filters on CodePipeline Pipeline Execution State Change. Publish the events to an Amazon Simple Notification Service (Amazon SNS) topic. Create an AWS Lambda function that sends event details to the chat webhook URL. Subscribe the function to the SNS topic.
108
A company's application development team uses Linux-based Amazon EC2 instances as bastion hosts. Inbound SSH access to the bastion hosts is restricted to specific IP addresses, as defined in the associated security groups. The company's security team wants to receive a notification if the security group rules are modified to allow SSH access from any IP address. What should a DevOps engineer do to meet this requirement?
Create an AWS Config rule by using the restricted-ssh managed rule to check whether security groups disallow unrestricted incoming SSH traffic. Configure automatic remediation to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic.
109
A DevOps team manages an API running on-premises that serves as a backend for an Amazon API Gateway endpoint. Customers have been complaining about high response latencies, which the development team has verified using the API Gateway latency metrics in Amazon CloudWatch. To identify the cause, the team needs to collect relevant data without introducing additional latency. Which actions should be taken to accomplish this?
- Install the CloudWatch agent server side and configure the agent to upload relevant logs to CloudWatch. - Enable AWS X-Ray tracing in API Gateway, modify the application to capture request segments, and use the X-Ray daemon to upload segments to X-Ray.
110
A company has an application that is using a MySQL-compatible Amazon Aurora Multi-AZ DB cluster as the database. A cross-Region read replica has been created for disaster recovery purposes. A DevOps engineer wants to automate the promotion of the replica so it becomes the primary database instance in the event of a failure. Which solution will accomplish this?
Store the Aurora endpoint in AWS Systems Manager Parameter Store. Create an Amazon EventBridge event that detects the database failure and runs an AWS Lambda function to promote the replica instance and update the endpoint URL stored in AWS Systems Manager Parameter Store. Code the application to reload the endpoint from Parameter Store if a database connection fails.
111
A company hosts its staging website using an Amazon EC2 instance backed with Amazon EBS storage. The company wants to recover quickly with minimal data losses in the event of network connectivity issues or power failures on the EC2 instance. Which solution will meet these requirements?
Create an Amazon CloudWatch alarm for the StatusCheckFailed System metric and select the EC2 action to recover the instance.
112
A company wants to use AWS development tools to replace its current bash deployment scripts. The company currently deploys a LAMP application to a group of Amazon EC2 instances behind an Application Load Balancer (ALB). During the deployments, the company unit tests the committed application, stops and starts services, unregisters and re-registers instances with the load balancer, and updates file permissions. The company wants to maintain the same deployment functionality through the shift to using AWS services. Which solution will meet these requirements?
Use AWS CodePipeline to trigger AWS CodeBuild to test the application. Use bash scripts invoked by AWS CodeDeploy's appspec.yml file to restart services. Unregister and re-register the instances in the AWS CodeDeploy deployment group with the ALB. Update the appspec.yml file to update file permissions without a custom script.
113
A company runs an application with an Amazon EC2 and on-premises configuration. A DevOps engineer needs to standardize patching across both environments. Company policy dictates that patching only happens during non-business hours. Which combination of actions will meet these requirements?
- Add the physical machines into AWS Systems Manager using Systems Manager Hybrid Activations. - Attach an IAM role to the EC2 instances, allowing them to be managed by AWS Systems Manager. - Use AWS Systems Manager Maintenance Windows to schedule a patch window.
114
A company has chosen AWS to host a new application. The company needs to implement a multi-account strategy. A DevOps engineer creates a new AWS account and an organization in AWS Organizations. The DevOps engineer also creates the OU structure for the organization and sets up a landing zone by using AWS Control Tower. The DevOps engineer must implement a solution that automatically deploys resources for new accounts that users create through AWS Control Tower Account Factory. When a user creates a new account, the solution must apply AWS CloudFormation templates and SCPs that are customized for the OU or the account to automatically deploy all the resources that are attached to the account. All the OUs are enrolled in AWS Control Tower. Which solution will meet these requirements in the MOST automated way?
Deploy the Customizations for AWS Control Tower (CfCT) solution. Use an AWS CodeCommit repository as the source. In the repository, create a custom package that includes the CloudFormation templates and the SCP JSON documents.
115
An online retail company based in the United States plans to expand its operations to Europe and Asia in the next six months. Its product currently runs on Amazon EC2 instances behind an Application Load Balancer. The instances run in an Amazon EC2 Auto Scaling group across multiple Availability Zones. All data is stored in an Amazon Aurora database instance. When the product is deployed in multiple regions, the company wants a single product catalog across all regions, but for compliance purposes, its customer information and purchases must be kept in each region. How should the company meet these requirements with the LEAST amount of application changes?
Use Aurora with read replicas for the product catalog and additional local Aurora instances in each region for the customer information and purchases.
116
A company is implementing a well-architected design for its globally accessible API stack. The design needs to ensure both high reliability and fast response times for users located in North America and Europe. The API stack contains the following three tiers: Amazon API Gateway - AWS Lambda - Amazon DynamoDB - Which solution will meet the requirements?
Configure Amazon Route 53 to point to API Gateway APIs in North America and Europe using latency-based routing and health checks. Configure the APIs to forward requests to a Lambda function in that Region. Configure the Lambda functions to retrieve and update the data in a DynamoDB global table.
117
A rapidly growing company wants to scale for developer demand for AWS development environments. Development environments are created manually in the AWS Management Console. The networking team uses AWS CloudFormation to manage the networking infrastructure, exporting stack output values for the Amazon VPC and all subnets. The development environments have common standards, such as Application Load Balancers, Amazon EC2 Auto Scaling groups, security groups, and Amazon DynamoDB tables. To keep up with demand, the DevOps engineer wants to automate the creation of development environments. Because the infrastructure required to support the application is expected to grow, there must be a way to easily update the deployed infrastructure. CloudFormation will be used to create a template for the development environments. Which approach will meet these requirements and quickly provide consistent AWS environments for developers?
Use nested stacks to define common infrastructure components. Use Fn::ImportValue intrinsic functions with the resources of the nested stack to retrieve Virtual Private Cloud (VPC) and subnet values. Use the CreateChangeSet and ExecuteChangeSet commands to update existing development environments.
118
A company uses AWS Organizations to manage multiple accounts. Information security policies require that all unencrypted Amazon EBS volumes be marked as non-compliant. A DevOps engineer needs to automatically deploy the solution and ensure that this compliance check is always present. Which solution will accomplish this?
Create an AWS Config organizational rule to check whether EBS encryption is enabled and deploy the rule using the AWS CLI. Create and apply an SCP to prohibit stopping and deleting AWS Config across the organization.
119
A company is performing vulnerability scanning for all Amazon EC2 instances across many accounts. The accounts are in an organization in AWS Organizations. Each account's VPCs are attached to a shared transit gateway. The VPCs send traffic to the internet through a central egress VPC. The company has enabled Amazon Inspector in a delegated administrator account and has enabled scanning for all member accounts. A DevOps engineer discovers that some EC2 instances are listed in the "not scanning" tab in Amazon Inspector. Which combination of actions should the DevOps engineer take to resolve this issue?
- Verify that AWS Systems Manager Agent is installed and is running on the EC2 instances that Amazon Inspector is not scanning. - Associate the target EC2 instances with security groups that allow outbound communication on port 443 to the AWS Systems Manager service endpoint. - Associate the target EC2 instances with instance profiles that grant permissions to communicate with AWS Systems Manager.
120
A development team uses AWS CodeCommit for version control for applications. The development team uses AWS CodePipeline, AWS CodeBuild. and AWS CodeDeploy for CI/CD infrastructure. In CodeCommit, the development team recently merged pull requests that did not pass long-running tests in the code base. The development team needed to perform rollbacks to branches in the codebase, resulting in lost time and wasted effort. A DevOps engineer must automate testing of pull requests in CodeCommit to ensure that reviewers more easily see the results of automated tests as part of the pull request review. What should the DevOps engineer do to meet this requirement?
Create an Amazon EventBridge rule that reacts to pullRequestCreated and pullRequestSourceBranchUpdated events. Create an AWS Lambda function that invokes a CodePipeline pipeline with a CodeBuild action that runs the tests for the application. Program the Lambda function to post the CodeBuild badge as a comment on the pull request so that developers will see the badge in their code review.
121
A company has deployed an application in a production VPC in a single AWS account. The application is popular and is experiencing heavy usage. The company’s security team wants to add additional security, such as AWS WAF, to the application deployment. However, the application's product manager is concerned about cost and does not want to approve the change unless the security team can prove that additional security is necessary. The security team believes that some of the application's demand might come from users that have IP addresses that are on a deny list. The security team provides the deny list to a DevOps engineer. If any of the IP addresses on the deny list access the application, the security team wants to receive automated notification in near real time so that the security team can document that the application needs additional security. The DevOps engineer creates a VPC flow log for the production VPC. Which set of additional steps should the DevOps engineer take to meet these requirements MOST cost-effectively?
Create a log group in Amazon CloudWatch Logs. Configure the VPC flow log to capture accepted traffic and to send the data to the log group. Create an Amazon CloudWatch metric filter for IP addresses on the deny list. Create a CloudWatch alarm with the metric filter as input. Set the period to 5 minutes and the datapoints to alarm to 1. Use an Amazon Simple Notification Service (Amazon SNS) topic to send alarm notices to the security team.
122
A DevOps engineer has automated a web service deployment by using AWS CodePipeline with the following steps: 1. An AWS CodeBuild project compiles the deployment artifact and runs unit tests. 2. An AWS CodeDeploy deployment group deploys the web service to Amazon EC2 instances in the staging environment. 3. A CodeDeploy deployment group deploys the web service to EC2 instances in the production environment. The quality assurance (QA) team requests permission to inspect the build artifact before the deployment to the production environment occurs. The QA team wants to run an internal penetration testing tool to conduct manual tests. The tool will be invoked by a REST API call. Which combination of actions should the DevOps engineer take to fulfill this request?
- Insert a manual approval action between the test actions and deployment actions of the pipeline. - Update the pipeline to invoke an AWS Lambda function that calls the REST API for the penetration testing tool.
123
A company is hosting a web application in an AWS Region. For disaster recovery purposes, a second region is being used as a standby. Disaster recovery requirements state that session data must be replicated between regions in near-real time and 1% of requests should route to the secondary region to continuously verify system functionality. Additionally, if there is a disruption in service in the main region, traffic should be automatically routed to the secondary region, and the secondary region must be able to scale up to handle all traffic. How should a DevOps engineer meet these requirements?
In both regions, deploy the application on AWS Elastic Beanstalk and use Amazon DynamoDB global tables for session data. Use an Amazon Route 53 weighted routing policy with health checks to distribute the traffic across the regions.
124
A company runs an application on Amazon EC2 instances. The company uses a series of AWS CloudFormation stacks to define the application resources. A developer performs updates by building and testing the application on a laptop and then uploading the build output and CloudFormation stack templates to Amazon S3. The developer's peers review the changes before the developer performs the CloudFormation stack update and installs a new version of the application onto the EC2 instances. The deployment process is prone to errors and is time-consuming when the developer updates each EC2 instance with the new application. The company wants to automate as much of the application deployment process as possible while retaining a final manual approval step before the modification of the application or resources. The company already has moved the source code for the application and the CloudFormation templates to AWS CodeCommit. The company also has created an AWS CodeBuild project to build and test the application. Which combination of steps will meet the company’s requirements?
- Create an application group and a deployment group in AWS CodeDeploy. Install the CodeDeploy agent on the EC2 instances. - Use AWS CodePipeline to invoke the CodeBuild job, create CloudFormation change sets for each of the application stacks, and pause for a manual approval step. After approval, run the CloudFormation change sets and start the AWS CodeDeploy deployment.
125
A DevOps engineer manages a web application that runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances run in an EC2 Auto Scaling group across multiple Availability Zones. The engineer needs to implement a deployment strategy that: Launches a second fleet of instances with the same capacity as the original fleet. Maintains the original fleet unchanged while the second fleet is launched. Transitions traffic to the second fleet when the second fleet is fully deployed. Terminates the original fleet automatically 1 hour after transition. Which solution will satisfy these requirements?
Use AWS CodeDeploy with a deployment group configured with a blue/green deployment configuration Select the option Terminate the original instances in the deployment group with a waiting period of 1 hour.
126
A video-sharing company stores its videos in Amazon S3. The company has observed a sudden increase in video access requests, but the company does not know which videos are most popular. The company needs to identify the general access pattern for the video files. This pattern includes the number of users who access a certain file on a given day, as well as the number of pull requests for certain files. How can the company meet these requirements with the LEAST amount of effort?
Activate S3 server access logging. Use Amazon Athena to create an external table with the log files. Use Athena to create a SQL query to analyze the access patterns.
127
A development team wants to use AWS CloudFormation stacks to deploy an application. However, the developer IAM role does not have the required permissions to provision the resources that are specified in the AWS CloudFormation template. A DevOps engineer needs to implement a solution that allows the developers to deploy the stacks. The solution must follow the principle of least privilege. Which solution will meet these requirements?
Create an AWS CloudFormation service role that has the required permissions. Grant the developer IAM role the iam:PassRole permission. Use the new service role during stack deployments.
128
A production account has a requirement that any Amazon EC2 instance that has been logged in to manually must be terminated within 24 hours. All applications in the production account are using Auto Scaling groups with the Amazon CloudWatch Logs agent configured. How can this process be automated?
Create a CloudWatch Logs subscription to an AWS Lambda function. Configure the function to add a tag to the EC2 instance that produced the login event and mark the instance to be decommissioned. Create an Amazon EventBridge rule to invoke a daily Lambda function that terminates all instances with this tag.
129
A company has enabled all features for its organization in AWS Organizations. The organization contains 10 AWS accounts. The company has turned on AWS CloudTrail in all the accounts. The company expects the number of AWS accounts in the organization to increase to 500 during the next year. The company plans to use multiple OUs for these accounts. The company has enabled AWS Config in each existing AWS account in the organization. A DevOps engineer must implement a solution that enables AWS Config automatically for all future AWS accounts that are created in the organization. Which solution will meet this requirement?
In the organization's management account, create an AWS CloudFormation stack set to enable AWS Config. Configure the stack set to deploy automatically when an account is created through Organizations.
130
A company has many applications. Different teams in the company developed the applications by using multiple languages and frameworks. The applications run on premises and on different servers with different operating systems. Each team has its own release protocol and process. The company wants to reduce the complexity of the release and maintenance of these applications. The company is migrating its technology stacks, including these applications, to AWS. The company wants centralized control of source code, a consistent and automatic delivery pipeline, and as few maintenance tasks as possible on the underlying infrastructure. What should a DevOps engineer do to meet these requirements?
Create one AWS CodeCommit repository for each of the applications. Use AWS CodeBuild to build one Docker image for each application in Amazon Elastic Container Registry (Amazon ECR). Use AWS CodeDeploy to deploy the applications to Amazon Elastic Container Service (Amazon ECS) on infrastructure that AWS Fargate manages.
131
You are working in a large company. The company is building new serverless applications with the AWS Serverless Application Model (AWS SAM) framework. The serverless applications include resources such as API Gateways, Lambda functions, DynamoDB tables, Step functions, etc. For the serverless AWS resources to interact with one another, proper access and permissions need to be set up between the resources. For example, a Lambda function needs suitable permission to write new items in a DynamoDB table. What is the most appropriate way for you to manage these permissions using AWS SAM?
Use SAM connectors (AWS::Serverless::Connector) to provide simple and well-scoped permissions between the resources. For unsupported resource types for SAM connectors, use CloudFormation mechanisms to configure IAM users, roles, and policies ## Footnote SAM connectors are designed to help provision permissions between SAM serverless resources.
132
You are working as a DevOps engineer. Your company owns an online shopping application. The application publishes application logs (i.e. clickstream logs) to a CloudWatch log group. In order to perform log analysis and application monitoring, you have also configured an Amazon OpenSearch Service cluster as the search and analytics engine. Now you want to stream the CloudWatch Logs data to the Amazon OpenSearch Service cluster in near real-time. Which method is the most appropriate one?
Select the CloudWatch log group, create an Amazon OpenSearch Service subscription filter, and stream the selected logs to the OpenSearch Service cluster ## Footnote CloudWatch Logs subscription filters can stream logs to other services in near real-time. Users can create an Amazon OpenSearch Service subscription filter to deliver log data to OpenSearch.
133
You are working as a DevOps engineer. Your company owns an online shopping application. The application publishes application logs (i.e. clickstream logs) to a CloudWatch log group. In order to perform log analysis and application monitoring, you have also configured an Amazon OpenSearch Service cluster as the search and analytics engine. Now you want to stream the CloudWatch Logs data to the Amazon OpenSearch Service cluster in near real-time. Which method is the most appropriate one?
Select the CloudWatch log group, create an Amazon OpenSearch Service subscription filter, and stream the selected logs to the OpenSearch Service cluster ## Footnote CloudWatch Logs subscription filters can stream logs to other services in near real-time. Users can create an Amazon OpenSearch Service subscription filter to deliver log data to OpenSearch.
134
You are an AWS cloud engineer. Your company owns an AWS Organization with dozens of AWS accounts. In the AWS Organization administrator account, you have created a CloudFormation StackSet to manage AWS resources in multiple AWS accounts across specified AWS Regions. In the StackSet, the self-managed permissions method has been used to establish the trust relationship between the administrator and target accounts. One day, when you try to update the StackSet with an updated template, the operation failed and one stack instance status became OUTDATED. Which option will NOT cause this issue?
In the AWS Organization, the trusted access between the AWS Organization's management account and target (member) accounts has been disabled ## Footnote the trusted access with the AWS Organization is not used by the self-managed permissions method.
135
A company owns an AWS OpsWorks stack for a web application. As most of the existing AWS resources are managed by AWS Systems Manager, you want to migrate the OpsWorks Stack application to Application Manager in AWS Systems Manager. The migration enables you to monitor the instances in the Application Manager page and also use some AWS features that are unavailable in OpsWorks such as the integrations with Auto Scaling group and application load balancers. How would you perform the migration in the most suitable way?
Use the AWS provided migration script to generate a CloudFormation template based on the existing OpsWorks layers. Customize the template and provision the CloudFormation stack. View the provisioned resources in the custom application of Application Manager
136
As a DevOps engineer, you are using a CloudFormation stack to maintain an AWS Auto Scaling group resource (AWS::AutoScaling::AutoScalingGroup). You want to use a suitable CloudFormation update policy to control how AWS CloudFormation handles updates for the Auto Scaling group resource. During the update, CloudFormation should only replace the instances in the existing Auto Scaling group instead of replacing the Auto Scaling group. The maximum number of instances that CloudFormation updates at any time should be 1 and at least 1 instance should be in service when old instances are being updated. Which UpdatePolicy is the most accurate in the CloudFormation template?
UpdatePolicy: AutoScalingRollingUpdate: MinInstancesInService: '1' MaxBatchSize: '1' WaitOnResourceSignals: 'true' PauseTime: PT10M
137
You need to create a new AWS OpsWorks Chef 12 stack with custom cookbooks. The OpsWorks stack will run in a new VPC with private and public subnets. There will be an Elastic Load Balancer resource in the public subnets. All these AWS resources need to be maintained by a CloudFormation template. To achieve better security, the requirement is that the OpsWorks instances must be put in the private subnets and only allow the incoming traffic routed through the Elastic Load Balancer. Which of the following resources are required to achieve this requirement in the CloudFormation template?
"ELBAttachment": { "Type": "AWS::OpsWorks::ElasticLoadBalancerAttachment", "Properties": { "ElasticLoadBalancerName": { "Ref": "ELB" }, "LayerId": { "Ref": "OpsWorksLayer" } } } "OpsWorksSecurityGroup": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "VpcId": { "Ref": "VPC" }, "SecurityGroupIngress": [ { "IpProtocol": "tcp", "FromPort": "80", "ToPort": "80", "SourceSecurityGroupId": { "Ref": "ELBSecurityGroup" } } ] } }
138
Your company has used the SAP service to manage business operations and customer relations. In order to monitor the SAP data and perform further analysis, you want to build up AWS services to automatically transfer data from SAP to an S3 bucket. The data transfer needs to be based on the SAP Open Data Protocol (OData) and the generated data in S3 should be in JSON format. All the data should be encrypted both at rest and in transit. The frequency of the transfer should be every 2 minutes. Which of the following methods is the most accurate and easiest one that you should choose?
In Amazon AppFlow, create a connection for the SAP OData service. Create a flow in AppFlow. Select the SAP OData connection as the source and the S3 bucket as the destination. Choose to run the flow every two minutes
139
As a DevOps engineer, you are helping the team to configure a new in-memory database in Amazon MemoryDB for Redis. This high performance and durable MemoryDB database is built for microservices applications. Applications will be deployed in EC2 instances in several private subnets of a VPC. The MemoryDB database cluster will be deployed in the same private subnets as the EC2 instances. To ensure the security of the data transferred between the applications and the MemoryDB database, how would you manage access between the EC2 instances and the MemoryDB cluster in the most suitable way?
Create a VPC security group for the MemoryDB cluster and configure a custom inbound rule to only allow the incoming traffic from the EC2 security group on port 6379
140
You are working in a company as a DevOps engineer. Your team needs to build applications for several proof-of-concept projects. Your manager asks you to use AWS App Runner to deploy from the source code in GitHub repositories directly to the web applications in the AWS cloud. Through AWS App Runner, you can quickly build up the continuous integration and deployment (CI/CD) pipelines to perform automatic deployments whenever developers push new commits to the code repositories. When creating the AWS App Runner service, which of the following configurations would you need to set up?
Create IAM identity-based policies and apply them to IAM entities. Specify if the IAM entities can access the AWS App Runner console and manage the App Runner service
141
You are working in a bank as a cloud engineer. For a new web application, you need to configure a service that can automatically create and manage custom Ubuntu 20 AMI images. The images will be used by EC2 Auto Scaling groups. As the web application processes sensitive customer data, the images need to be compliant with STIG (Security Technical Implementation Guides) standards which are created by the Defense Information Systems Agency (DISA) to secure information systems and software. How would you use EC2 Image Builder to automate the image-building process?
In EC2 Image Builder, create an image recipe that contains the STIG component together with other necessary build components. Create an image pipeline with the recipe to automate the image build process
142
Your company owns several legacy Java applications in the on-premises data centers. The applications are running on the IBM WebSphere application server on Ubuntu. As a DevOps engineer, you plan to use the AWS App2Container (A2C) commander line tool to lift and shift the legacy Java applications to the AWS platform. Through App2Container, you would like to first analyze the applications and then generate Dockerfiles to deploy them as containerized workloads on AWS. Which of the following options is NOT supported by App2Container?
Use App2Container to create an ECR repository to store the application Docker images. Create an Elastic Beanstalk application to deploy the Docker containers
143
You are a DevOps engineer. In your team, developers start to use the AWS Copilot CLI tool to deploy microservices in Amazon ECS Fargate. The application source code and Dockerfiles are pushed into a GitHub repository. The developers use Copilot to manage several environments (i.e. Dev, QA, Production) and use the “copilot svc deploy” CLI command to deploy the services to various environments manually. Now you need to build centralized, automated pipelines for the applications, which automatically build and push the applications on Git push. Developers can also use Copilot to monitor the pipelines. How would you achieve these requirements?
Use “copilot pipeline” CLI commands to generate CodePipeline manifest files and deploy pipelines in AWS CodePipeline. Use the “copilot pipeline status” command to monitor the pipeline status
144
Your team is helping developers to build up AWS resources for a new project through CloudFormation StackSets. The project requires an Aurora database in the private subnets of a VPC. As the workload of the application may have sudden and unpredictable increases in activity, your team suggests using Aurora Serverless to manage the database capacities. One colleague has drafted the CloudFormation template and asked you to review it. In the CloudFormation template, you find that Aurora Serverless v1 is being used and you are suggesting using Aurora Serverless v2. Which option is NOT a benefit of using AWS Aurora Serverless v2 compared with v1?
With Aurora Serverless v2, you can seamlessly scale both the compute and memory capacities as needed with no disruption to client connections
145
What is API Gateway throttling account limit?
10.000 rps across all API
146
What is a API Gateway throttling response code?
429 - Too many requests
147
What code are API GW Client Errors?
4XX
148
What code are API GW Server Errors?
5XX
149
The Main difference between ECS and Fargate
In ECS, you need to provision and manage the underlying EC2 instances. Fargate is a serverless, yoiu don't need to manage any servers - AWS handles the infrastructure provisioning and scaling automatically.
150
A company has a large development team who run many projects in a single shared AWS account. The company wants to optimize costs by automatically stopping EBS-backed Amazon EC2 instances if resources are idle. Which solution will meet these requirements?
Use a scheduled Amazon CloudWatch Events rule to target a custom AWS Lambda function that runs AWS Trusted Advisor checks. Create a second CloudWatch Events rule to filter events from Trusted Advisor to trigger a Lambda function to stop the idle instances
151
A DevOps engineer must deploy a serverless website on AWS. The website will host content that includes HTML files, images, videos, and JavaScript (client-side scripts). The website must be optimized for global performance and be protected against web exploits. Which actions should the engineer take?
Deploy the website using a static website running on Amazon S3. Create an Amazon CloudFront distribution and an AWS WAF web ACL
152
A company has deployed AWS Single Sign-On (AWS SSO) and needs to ensure that user accounts are not created within AWS Identity and Access Management (AWS IAM). A DevOps engineer must create an automated solution for immediately disabling credentials of any new IAM user that is created. The security team must be notified when user creation events take place. Which combination of steps should the DevOps engineer take to meet these requirements?
- Create an Amazon EventBridge rule that is triggered by IAM CreateUser API calls in AWS CloudTrail - reate an AWS Lambda function that disables the access keys and deletes the login profiles associated with new IAM users. Configure the function as a target of the EventBridge rule - Create an Amazon SNS topic that is a target of the EventBridge rule. Subscribe the security team's group email address to the topic
153
A DevOps engineer is building a web application that will use federated access to a SAML identity provider (IdP). The web application requires sign up and sign in functionality using a custom webpage with authenticated access to AWS services. Which steps should the DevOps engineer take to implement the authentication and access control solution for the web application?
Use Amazon Cognito and create a user pool for federated sign-in. Add a SAML IdP and enter identifiers to map the sign-in email addresses to the relevant provider. Generate access tokens and exchange them for temporary security credentials providing access to the appropriate AWS services
154
An application is being deployed on Amazon EC2 instances behind an Application Load Balancer (ALB). The security team requires that the traffic is secured with SSL/TLS certificates. Protection against common web exploits must also be implemented. The solution should not have a performance impact on the EC2 instances. What steps should be taken to secure the web application?
- Add an SSL/TLS certificate to a secure listener on the ALB - Create an AWS WAF web ACL and attach it to the ALB
155
A DevOps engineer manages an application that stores logs in Amazon CloudWatch Logs. The engineer needs to archive the logs in an Amazon S3 bucket. The log files are rarely accessed after 90 days and for compliance reasons must be retained for 10 years. The solution should run in an automated fashion. Which combination of steps should the DevOps engineer take to meet the requirements?
- Create a CloudWatch Logs subscription filter that uses Amazon Kinesis Data Firehose to stream all logs to an S3 bucket - Create an S3 bucket lifecycle policy that transitions the log files to S3 Glacier after 90 days and expires the log files after 3,650 days"
156
A company plans to deploy a high-performance computing (HPC) workload on Amazon EC2 instances in a shared Amazon VPC. Developers in multiple participant accounts must be granted access to the cluster to perform analytics. The cluster requires a shared file system that supports file-based access to objects stored in Amazon S3 buckets. Which deployment steps should be implemented to support the required features and access control?
Deploy an Amazon FSx for Lustre file system. Create an IAM role that can be assumed by members of the participant accounts and provide permissions through an identity based policy assigned to the role. Use security groups to enable file system access
157
A legacy application uses IAM user credentials to access resources in the company's AWS Organizations organization. It should not be possible to create IAM users unless the user account making the requires is specific on an exception list. A DevOps engineer must apply these restrictions. Which solution will meet these requirements?
Attach an Organizations SCP with an explicit deny for all iam:CreateUser actions with a condition that includes StringNotLike for aws:username with a value of the exception list
158
A company requires an automated solution that terminates Amazon EC2 instances that have been logged into manually within 24 hours of the login event. The applications running in the account are launched using Auto Scaling groups and the CloudWatch Logs agent is configured on all instances. How should a DevOps engineer build the automation?
Create a CloudWatch Logs subscription filter that delivers logs to an AWS Lambda function. Configure the function to tag the resources that produced the login event. Create a CloudWatch Events rule that triggers another Lambda function daily that terminates all instances that were tagged
159
A development team run a fleet of Amazon EC2 instances in a dev/test environment. A manager is concerned about the costs of the workloads. While the developers are unable to determine the exact resource requirements for each workload, they also cannot terminate any instances as all are currently in operational use. What is the best way to ensure the most efficient use of the underlying hardware?
Use AWS Computer Optimizer to report on resource utilization on EC2 instances and use the recommendations to manually reconfigure resources for improved utilization
160
A company runs a Java application in an on-premises data center. The application is not currently containerized but the company plans to migrate it to the AWS Cloud and modernize the application into a containerized deployment. A CI/CD pipeline should also be created to automate application updates. Which solution can a DevOps engineer use to meet all these requirements?
Use AWS App2Container (A2C) to analyze and inventory the on-premises application and then containerize it on Amazon ECS. Configure A2C to build a CI/CD pipeline using CodeBuild and CodeDeploy
161
A company runs a Java application in an on-premises data center. The application is not currently containerized but the company plans to migrate it to the AWS Cloud and modernize the application into a containerized deployment. A CI/CD pipeline should also be created to automate application updates. Which solution can a DevOps engineer use to meet all these requirements?
Use AWS App2Container (A2C) to analyze and inventory the on-premises application and then containerize it on Amazon ECS. Configure A2C to build a CI/CD pipeline using CodeBuild and CodeDeploy
162
A company runs many different workloads across hundreds of Amazon EC2 instances. The DevOps team requires that all instances have standard configurations. These configurations include standard logging, metrics, security assessments, and weekly patching. Which combination of actions meets these requirements with the most operational efficiency?
- Use AWS Systems Manager to install and manage Amazon Inspector, Systems Manager Patch Manager, and the Amazon CloudWatch agent on all instances - Use AWS Systems Manager maintenance windows with Systems Manager Run Command to schedule Systems Manager Patch Manager tasks. Use Amazon EventBridge to schedule Amazon Inspector assessment runs
163
critical production application running on AWS uses automatic scaling. The operations team must run updates on the application that affect only one instance at a time. The deployment process must ensure all remaining instances continue to serve traffic. The deployment must roll back if the update causes the CPU utilization of the updated instance to exceed 85%. Which solution will meet these requirements?
Configure AWS CodeDeploy with Amazon EC2 Auto Scaling. Create an alarm based on the CPU utilization metric. Use the CodeDeployDefault.OneAtAtime configuration for deployment. Configure automatic rollbacks to roll back the deployment if the alarm thresholds are exceeded
164
A data intelligence and analytics company has implemented a CI/CD pipeline using AWS CodePipeline which takes code from an AWS CodeCommit repository and then builds it using AWS CodeBuild. During the deploy stage, the application is deployed onto an Amazon ECS cluster. During deployment, the application is only partly updated on some ECS tasks which are running an older version of the image. A DevOps engineer investigated and found that terminating the task or clearing the local Docker cache fixes the issue, but a more robust solution is required that provides visibility and identification to track where container images are deployed. Also, the start-up time of the containers needs to be optimized. Which actions should the DevOps engineer take to achieve these requirements?
- Move all the dependencies into a single image and pull them from a single container registry - When creating a new task definition for the ECS service, ensure to add the sha256 hash in the full image name so that ECS pulls the correct image every time
165
A company uses a single AWS account and Region for development activities with multiple teams working on independent projects. A DevOps engineer must implement a mechanism to notify the operations manager when the creation of resources approaches the service limits for the AWS account. Which solution will accomplish this with the LEAST amount of development effort?
Create an AWS Lambda function that refreshes AWS Trusted Advisor checks and use an Amazon EventBridge rule to run the Lambda function regularly. Create another EventBridge rule with an event pattern matching Trusted Advisor checks and configure an Amazon SNS topic that notifies the operations manager
166
The launch template that is used by an Auto Scaling group has been modified to use a new instance type and AMI. The Auto Scaling group is deployed using AWS CloudFormation. There are 8 production EC2 instances running in the Auto Scaling group. A DevOps engineer needs to modify the Auto Scaling group to use the new template version without causing any interruption to the application and must ensure that at least 4 instances are always running.
Use the AutoScalingRollingUpdate attribute with the MinInstancesInService property
167
A DevOps engineer is deploying a three-tier application on AWS that includes an Application Load Balancer in front of the Amazon ECS web tier, an Amazon ECS application tier, and an Amazon RDS database. The load balancer should only distribute traffic to the web tier if the web tier can successfully communicate with the application and database tiers. How can this validation be implemented?
Create a health check endpoint in the web application that tests connectivity to the application and database tiers. Configure the endpoint as the health check URL for the target group
168
A DevOps engineer launched an Amazon EC2 instance in an Amazon VPC. The instance must download an object from a restricted Amazon S3 bucket. When trying to download the object, a 403 Access Denied error was received. What are two possible causes for this error?
- The bucket policy does not grant permission - There is an issue with the IAM role configuration
169
A development team is running a project that will involve deploying applications across several Amazon VPCs. The applications will require fully meshed network connectivity to enable transitive routing between VPCs. The development lead is concerned about security and has requested centralized control over network access controls. Which deployment will satisfy the requirements with the most operational efficiency?
Deploy AWS Transit Gateway to create a fully meshed network topology with transitive routing. Use AWS Network Firewall to centrally deploy and manage security policies across the VPCs
170
An eCommerce company has operations in several countries around the world. The company runs an application in co-location facilities that uses Linux servers and a relational database running on MySQL. The application will be migrated to AWS and will include Amazon EC2 instances behind an Application Load Balancer in multiple AWS Regions. The database configuration has not yet been finalized. A DevOps engineer has been asked to assist with determining the best solution for the database. The data includes product catalog information which must be served with low latency and customer purchase information which should be kept within each Region for compliance purposes. Which database solution should the DevOps engineer recommend to meet these requirements with the LEAST changes to the application?
Use Aurora with read replicas for the product catalog and additional local Aurora instances in each region for the customer purchase data
171
A law firm is planning to migrate existing applications to AWS. These applications are hosted in an on-premises data center and are complex in nature. The applications could take many months to migrate. While the migration is underway, the application development team implemented a tactical solution using Amazon CloudFront with a custom origin pointing to the SSL endpoint URL for the legacy web application. The ad-hoc solution worked for several weeks; however, all browser connections recently began showing an HTTP 502 Bad Gateway error with the header "X-Cache: Error from CloudFront". Network monitoring services show that the HTTPS port 443 on the legacy web application is open and responding to requests. Which option could be the reason for the error and how can it be solved?
The SSL certificate on the legacy web application server has expired. Reissue the SSL certificate on the web server that is signed by a globally recognized certificate authority (CA). Install the full certificate chain onto the legacy web application server
172
An application runs on Amazon EC2 instances behind an Application Load Balancer (ALB). Users on the internet have reported performance issues with the application. A DevOps engineer must investigate the reports and identify the processing latencies for requests. How can the engineer obtain this information?
Enable access logs on the load balancer
173
A web application runs on Amazon EC2 instances in an EC2 Auto Scaling group behind an Application Load Balancer (ALB). A DevOps engineer needs to implement a strategy for deploying updates that meets the following requirements: · Automatically launches the new version of the application on a second set of instances with the same capacity as the old version of the application. · Maintains the old version unchanged while the new version is launched. · Shifts traffic to the new version when the instances are fully deployed. · Terminates the old fleet of instances automatically 1 hour after shifting traffic. Which solution will satisfy these requirements?
Use AWS CodeDeploy and create a deployment group that uses a blue/green deployment configuration. Use the BlueInstanceTerminationOption to terminate the instances in the blue environment after 1 hour
174
A company manages several legacy applications that all generate different log formats. The logs need to be standardized so they can be queried and analyzed. A DevOps engineer needs a solution for standardizing the log formats before writing them to an Amazon S3 bucket. How can this requirement be met at the LOWEST cost?
Configure the Amazon Kinesis Agent to upload the logs to Amazon Kinesis Data Firehose and use an AWS Lambda function to normalize the log files before they are loaded to Amazon S3
175
The DevOps team at a global retail company wants to deploy the latest application code to through build, staging, beta & prod environments. While doing the staging deployment, an automated functional test suite needs to be executed which runs for approximately two hours to complete regression testing. The code is managed via AWS CodeCommit. How can a DevOps engineer optimize the configuration and automate the pipeline?
Create a CodePipeline pointing to the master branch of the CodeCommit repository and automatically deploy to a staging environment using CodeDeploy. After that stage, invoke a CodeBuild build that will run the test suite. If the stage doesn’t fail, the last stage will deploy the application to production
176
The information security policy of a company has been updated and now requires that all Amazon EBS volumes must be encrypted. Any volumes that are not encrypted should be marked as non-compliant. The company uses AWS Organizations to manage multiple accounts. A DevOps engineer needs to automatically deploy the solution and ensure that this compliance check is applied. Which solution will accomplish this MOST efficiently?
Create an AWS Config rule at the AWS organization level to check whether EBS encryption is enabled. Create and apply an SCP to prohibit stopping and deleting AWS Config across the organization
177
A company has an application that uses Amazon Cognito user pools as an identity provider. The company must secure access to user records. The company has set up multi-factor authentication (MFA). The company also wants to send a login activity notification by email every time a user logs in. What is the MOST operationally efficient solution that meets this requirement?
Create an AWS Lambda function that uses Amazon SES to send the email notification. Add an Amazon Cognito post authentication Lambda trigger for the function" ## Footnote Amazon Cognito can invoke a trigger after signing in a user such as triggering an AWS Lambda function. Cognito will pass certain parameters to the Lambda function and the Lambda function can then trigger Amazon SES to send an email notification.
178
A DevOps engineer builds an artifact locally and then uploads it to an Amazon S3 bucket. The application has a local cache that must be cleared as part of the deployment. The engineer executes a command to do this, retrieves the artifact from Amazon S3, and unzips the artifact to complete the deployment. The engineer wants to migrate to an automated CI/CD solution and incorporate checks to stop and roll back the deployment in the event of a failure. This requires tracking the progression of the deployment. Which combination of actions will accomplish this?
- Write a custom script that clears the cache and specify the script in the BeforeInstall lifecycle hook in the AppSpec file - Set up an AWS CodePipeline pipeline to deploy the application. Check the code into a code repository as a source for the pipeline - Use AWS CodeBuild to build the artifact and upload it to Amazon S3. Use AWS CodeDeploy to deploy the artifact to the Amazon EC2 instances
179
A company needs is deploying a new application in AWS and requires a CI/CD pipeline to automate process. The company requires that the entire CI/CD pipeline can be re-provisioned in different AWS accounts or Regions within minutes. The pipeline must support continuous integration, continuous delivery, and automatic rollback upon deployment failure. A DevOps engineer has already created an AWS CodeCommit repository to store the source code. Which combination of actions should the DevOps engineer take to meet these requirements?
- Configure an AWS CodePipeline pipeline with a build stage using AWS CodeBuild - Launch Amazon EC2 instances in an AWS Elastic Beanstalk environment and configure the environment as the deployment target in AWS CodePipeline - Provision all resources using AWS CloudFormation
180
A retail company has hired a DevOps engineer to provide consultancy services. The company runs Oracle and PostgreSQL services on Amazon RDS for storing large quantities of data generated by manufacturing equipment. The business analytics team has been running ad-hoc queries on these databases to prepare daily reports for senior management. The engineering team has observed that the database performance takes a hit whenever these reports are run by the analytics team. To facilitate the business analytics reporting, the engineering team now wants to replicate this data with high availability and consolidate these databases into a petabyte-scale data warehouse by streaming data to Amazon Redshift. Which solution should the DevOps engineer recommend to achieve these requirements?
Use AWS Database Migration Service to replicate the data from the databases into Amazon Redshift
181
A company is using AWS CodeCommit for version control and AWS CodePipeline for orchestration of software deployments. The development team are using a remote main branch as the trigger for the pipeline. A developer noticed that the CodePipeline pipeline was not triggered after the developer pushed code changes to the CodeCommit repository. Which action should be taken to troubleshoot this issue?
Check that an Amazon CloudWatch Events rule has been created for the main branch to trigger the pipeline
182
An application is deployed on Amazon EC2 instances in an Auto Scaling group. The application includes a process that sometimes fails causing the application to return an error. Restarting the process resolves the issue. The DevOps team are investigating the issue. While the investigation is ongoing an engineer needs a method of identifying the issue and quickly remediating it without affecting the capacity of the Auto Scaling group. Which approach meets this requirement in the fastest possible time?
Install the Amazon CloudWatch agent on the EC2 instances and use the procstat plugin to monitor the application process and send metrics to CloudWatch. Use Systems Manager Run Command to restart any processes that are failed
183
A company is running an eCommerce application on a fleet of Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer. There have been issues occurring occasionally where instances fail to launch successfully, and the support team wants to be notified whenever this occurs. Which configuration update will achieve these requirements? Which action will accomplish this?
Configure an Amazon SNS topic for the Auto Scaling group that sends a notification whenever a failed instance launch occurs
184
A DevOps engineer is developing an application that calls AWS Lambda functions. The functions must connect to a database and credentials must not be stored in source code. The credentials for connection to the database must be regularly rotated to meet security policy requirements. What should a DevOps engineer do to meet these requirements?
tore the credentials in AWS Secrets Manager. Associate the Lambda function with a role that can retrieve the credentials from Secrets Manager given using the secret ID
185
An application runs on Amazon EC2 instances and calls an AWS Lambda function to process certain operations. A DevOps engineer needs to update the Lambda code without needing to modify the application on EC2. The updates should be initially tested with a subset of the traffic and rollback must be possible if issues occur. The solution must be operationally efficient. Which actions should the DevOps engineer take?
Create an alias that points to the current version of the function. Publish an additional version with the new code, add the version to the alias, and configure a weight that directs 10% of traffic to the new version. Modify the application on EC2 to use the alias endpoint address
186
A custom application processes data associated with customer purchase activity using a multistep sequential action. Each step completes within 5 minutes. If a single step fails the entire process must be restarted. The current solution uses Amazon EC2 instances in an Auto Scaling group. The company wants to update the application architecture so that if a single step fails only that step should be reprocessed. What is the MOST operationally efficient solution that meets these requirements?
reate a web application to pass the data to AWS Step Functions. Decouple the processing into Step Functions tasks and AWS Lambda functions
187
A company requires an extremely high performance in-memory database for an application. The database used should store data durably across multiple availability zones. The application requires that the database support strong consistency and can scale seamlessly to many terabytes in size. Which database should the company use for this application?
Use Amazon MemoryDB for Redis
188
A financial company has applications hosted in multiple AWS accounts which are managed by AWS organizations. A security audit was conducted to address any potential security breaches and implement best practices. The security audit report recommended that all security related logging and security findings are collect in a centralized security account. How can this be achieved?
GuardDuty analyzes and processes VPC flow log, AWS CloudTrail event log, and DNS log data sources. You don’t need to manually manage these data sources because the data is automatically leveraged and analyzed when you activate GuardDuty. For example, GuardDuty consumes VPC Flow Log events directly from the VPC Flow Logs feature through an independent and duplicative stream of flow logs. As a result, you don’t incur any operational burden on existing workloads.
189
A custom application generates events and produces data that must be processed for each event. An event-driven solution is required to process the events and save the output to a serverless key/value store. Which actions should a DevOps engineer take?
Configure the application to submit the event data to an SNS topic. Subscribe an AWS Lambda function to the topic and configure the function to process the data and save the output to an Amazon DynamoDB table
190
A DevOps engineer needs to enable cross-Region replication for all the objects in an Amazon S3 bucket. The destination bucket will also be created in a separate AWS account. The objects must be automatically replicated between the source and target buckets across Regions and accounts. Which combination of actions should be performed to enable this replication?
- Create an IAM role in the source account that has permissions to the source and destination buckets - Add statements to the target bucket policy allowing the replication IAM role to replicate objects - Create a replication rule in the source bucket to enable replication for all the objects in the bucket
191
A company stores sensitive data in Amazon S3 buckets. Each day the development team create new buckets for projects they are working on, and all existing and future buckets must be secured. The security team requires encryption, logging, and versioning to be enabled. It is also required that buckets should not be publicly accessible. What should a DevOps engineer do to meet these requirements?
Enable AWS Config rules and configure automatic remediation using AWS Systems Manager documents
192
A DevOps manager requires a disaster recovery (DR) solution for a workload deployed on Amazon EC2 instances in an Amazon VPC within the us-east-1 Region. The DR solution should enable data replication to a staging area subnet in another AWS Region. The DR solution minimize operational overhead and enable fast failover and failback. Which solution meets these requirements?
Use AWS Elastic Disaster Recovery to replicate data to a staging area subnet in another Region using the replication agent installed on the EC2 instance
193
A company manages a continuous integration and continuous delivery (CI/CD) pipeline that includes a Jenkins implementation that runs on Amazon EC2. The security team has requested that all build artifacts are encrypted as they contain company sensitive data. Which changes should a DevOps engineer make to meet these requirements whilst reducing operational overhead for ongoing management?
Replace the Jenkins instance running on Amazon EC2 with AWS CodeBuild and configure artifact encryption
194
A DevOps engineer is using AWS CodeBuild to build an application into a Docker image. The buildspec file is used to run the application build. The engineer needs to push the Docker image to an Amazon ECR repository only upon the successful completion of each build.
Add a post_build phase to the buildspec file that uses the commands block to push the Docker image
195
A company allows DevOps engineers to assume an administrator IAM role when they need more permissions within an AWS account. The security team would like to be able to track usage of the administrator role and receive a notification when the administrator IAM role is assumed. How should this be accomplished?
Create an Amazon EventBridge events rule with an AWS API call via CloudTrail event pattern that triggers an AWS Lambda function that publishes a notification to an Amazon SNS topic if the administrator IAM role is assumed
196
To increase security, a company plans to use AWS Systems Manager Session Manager to managed Amazon EC2 instances rather than SSH. The connectivity to Session Manager should also use a private network connection. Which configuration actions should be taken to implement this?
- Attach an IAM instance profile to the EC2 instances that provides the necessary permissions for Systems Manager - Create a VPC endpoint for Systems Manager in the Region where the instances are running
197
An organization is running containerized applications across Amazon EKS, Amazon ECS, and on-premises clusters. Due to some recent issues that caused outages, a solution is required to track container performance and system health, detect errors. The solution should enable collection and aggregation of time-series metrics from all container services for monitoring and analytics. Which combination of services can the organization use?
Use Amazon Managed Service for Prometheus for collection of metrics and use Amazon Managed Grafana for visualization and analytics
198
An application runs on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer. When bringing new EC2 instances online, the application must be tested before traffic can be directed to the instances. Which Auto Scaling process should a DevOps engineer suspend to allow testing to be performed without removing the instances from the Auto Scaling group?
Suspend the process AddToLoadBalancer
199
A company has several AWS accounts and an on-premises data center. Several microservices applications run across the accounts and data center. The distributed architecture results in challenges with investigating application issues as the logs are saved in a variety of locations. A DevOps engineer must configure a solution that centralizes and aggregates the logs for analytics. What is the MOST efficient and cost-effective solution?
Collect system logs and application logs using the Amazon CloudWatch Logs agent. Install the CloudWatch Logs agent on the on-premises servers. Store all logs in an S3 bucket in a central account. Set up an Amazon S3 trigger and an AWS Lambda function to analyze incoming logs and automatically identify anomalies. Use Amazon Athena to run ad hoc queries on the logs in the central account
200
A DevOps team manages an application that consists of four separate AWS Lambda functions. A DevOps Engineer on the team has built a CI/CD pipeline using AWS CodePipeline and AWS CodeBuild that builds, tests, packages, and deploys each Lambda function in sequence. The pipeline uses an Amazon EventBridge rule that executes the pipeline after a change is made to the application source code. During testing, the engineer noticed that the pipeline takes a long time to complete. What should the DevOps Engineer do to improve the speed of the pipeline?
Configure parallel executions of the Lambda functions by specifying the same runOrder in the CodePipeline configuration for the stage
201
A company plans to migrate a Python application to AWS. A DevOps engineer must deploy the application in a configuration that supports blue/green deployments and rollback. Which solution will meet these requirements with the LEAST operational complexity?
Use AWS Elastic Beanstalk to host the application. Deploy new versions to separate environments and use Elastic Beanstalk to swap CNAMEs to redirect traffic
202
A media company is developing a new application which will be supported by mobile devices, tablets, and desktops. Each platform is customized for a different user experience and various viewing modes based on the resources being requested by users. This is enabled by path-based routing behind the scenes, using instances deployed on Amazon EC2. An auto scaling group has been configured to ensure EC2 instances are highly scalable. Which of the following combinations will ensure high performance and minimal cost?
- Amazon CloudFront with Lambda@Edge and utilize an application load balancer behind auto scaling group - Utilize ALB behind ASG
203
A DevOps engineer is deploying a series of updates to a web application that runs on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer. The updates are being deployed using a blue/green strategy with immutable instances. An issue has been occurring where users are being logged of the application during deployments. The DevOps engineer needs to ensure that users remain logged in when scaling events occur and application updates are deployed. How can these requirements be met with the LOWEST latency?
Configure the application to store authenticated session information in an Amazon ElastiCache cluster
204
A DevOps engineer is deploying an AWS Service Catalog portfolio using AWS CodePipeline. A mapping.yaml file is used to define the portfolio and its associated permissions and products and is committed to an AWS CodeCommit repository which is defined in the pipeline. How can the engineer automate the creation of new portfolios and products when the mapping.yaml file is updated?
Use an AWS Lambda action in CodePipeline to run an AWS Lambda function to verify and push new versions of products into the AWS Service Catalog
205
A company is using AWS CodePipeline to automate the release lifecycle of an application. AWS CodeDeploy used to deploy an application to Amazon ECS using the blue/green deployment model. The company wants to run test scripts to validate the green version of the application before shifting traffic. The scripts will complete in less than 5 minutes. If errors are discovered by the scripts, the application must be rolled back. Which strategy will meet these requirements?
Add a hooks section to the CodeDeploy AppSpec file. Use the AfterAllowTestTraffic lifecycle event to invoke an AWS Lambda function to run the test scripts. If errors are found, exit the Lambda function with an error to trigger rollback
206
A DevOps engineer created an S3 event notification to trigger an AWS Lambda function when objects are uploaded to the bucket. The solution was initially working but has since stopped working. The engineer noticed that the function is no longer being invoked. What are two possible causes for this error?
- The event notification has been deleted from the S3 bucket - The resource-based policy has been removed from the function
207
A company is concerned about the security of their Amazon EC2 instances. They require an automated solution for identifying security vulnerabilities on the instances and notifying the security team. They also require an audit trail of all login activities on the EC2 instances. Which solution will meet these requirements?
Use Amazon Inspector to automatically detect vulnerabilities on the EC2 instances. Install the Amazon CloudWatch Agent to capture system logs and upload them to Amazon CloudWatch Logs
208
A DevOps engineer must implement a serverless service that uses Amazon API Gateway, AWS Lambda, and DynamoDB. The serverless service must be deployed in multiple Regions and ensure fast response times for users within each geography. Which solution will meet the requirements?
Create API Gateway APIs in each Region and configure Amazon Route 53 with latency-based routing rules and health checks. Configure the APIs with a Lambda proxy integration to a function in the same Region. Retrieve and update the data in a DynamoDB global table
209
A company’s shopping website is hosted in an Auto Scaling group (ASG) of Amazon EC2 instances. There’s a sale coming up and the company anticipate huge traffic on the website. Currently, there’s a dynamic target tracking policy which scales up the instances gradually. However, the EC2 instances are taking a long time to spin up and the load balancer is sending traffic to unhealthy instances. How can the issue be resolved with minimal operational overhead and cost?
Add a lifecycle hook to the Auto Scaling group, and to scale up quickly, utilize a warm pool
210
A company runs several business-critical applications on Amazon EC2 instances in an Amazon VPC. The company requires the applications to be available 24/7 and there should be no outages except for pre-arranged updates. The DevOps team requires an automated notification mechanism that lets them know if the state of any of the instance’s changes.
Create an Amazon EventBridge rule with an event pattern configured with the ‘EC2 Instance State-change Notification
211
The DevOps team at an e-commerce company introduced multiple stages of security to the code release process. As an additional measure, they want to add additional SAST & DAST tools into an automated pipeline. These tools should be invoked for every code push in an AWS CodeCommit repository. The code must be sent via an external API. Which actions should a DevOps engineer take to achieve these requirements MOST efficiently?
Create a CloudWatch Event rule on the CodeCommit repository that reacts to code pushes. Choose an AWS Lambda function as a target that will request the code from CodeCommit, zip it, and send it to the 3rd party API
212
An application running on an Amazon EC2 instance stores sensitive data on an attached Amazon EBS volume. The volume is not encrypted. A DevOps engineer must enable encryption at rest for the data. Which actions should the engineer take?
- Copy an unencrypted snapshot of the volume and encrypt the new snapshot. Volumes restored from this encrypted snapshot will also be encrypted - Create and mount a new, encrypted EBS volume. Move the data to the new volume. Delete the old EBS volume
213
Several applications will be deployed using AWS CloudFormation. The applications must be deployed into multiple accounts the company manages. Multiple administrator accounts must be granted permissions to create and manage the CloudFormation stacks and operational overhead should be minimized. Which actions meet these requirements?
- Create an AWS Organization with all features enabled and add all the accounts to the organization - Enable trusted access with AWS Organizations and create CloudFormation stack sets using the management account
214
Difference between service maaged and self-mananaged permissions in AWS Organisations
With self-managed permissions, you can deploy stack instances to specific AWS accounts in specific Regions. To do this, you must first create the necessary IAM roles to establish a trusted relationship between the account you're administering the stack set from and the account you're deploying stack instances to. With service-managed permissions, you can deploy stack instances to accounts managed by AWS Organizations in specific Regions. With this model, you don't need to create the necessary IAM roles; StackSets creates the IAM roles on your behalf.
215
A company has deployed a web service that runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The company has deployed the application in us-east-1. The web service uses Amazon Route 53 records for DNS requests for example.com. The records are configured with health checks that assess the availability of the web service. A second environment has been deployed into eu-west-1. The company requires traffic to be routed to the environment that provides the lowest latency for user requests. In the event of a regional outage, traffic should be directed to the alternate Region. Which configuration will achieve these requirements?
Create a subdomain named us.example.com with failover routing. Configure the US ALB as primary and the EU ALB as secondary. Create another subdomain named eu.example.com with failover routing. Configure the EU ALB as primary and the US ALB as secondary. Create latency-based routing records for example.com that are aliased to us.example.com and eu.example.com
216
A company is deploying a new serverless application that uses AWS Lambda functions. A DevOps engineer must create a continuous deployment pipeline for the application. The deployment preferences must be configured to minimize the impact of failed deployments. Which deployment configuration will meet these requirements?
Use an AWS SAM template to define the serverless application. Use AWS CodeDeploy to deploy the Lambda functions with the Canary10Percent30Minutes deployment type
217
An automotive organization is planning to migrate their website into AWS across multiple accounts. The current infrastructure uses an on-premises Microsoft IIS web server and Microsoft SQL server for the data persistence layer. They want to be able to scale their infrastructure based on demand. Along with the current website, they also want to collect user interest data from ad clicks that occur on the website. Amazon RedShift has been chosen for the consumption and aggregation of data. Which of the below architectures best suits their needs?
Build the website to run in stateless EC2 instances which auto scale with traffic and migrate the databases into Amazon RDS. Push ad/referrer data using Amazon Kinesis Data Firehose to S3 where it can be consumed by the internal billing system to determine referral fees. Additionally create another Kinesis delivery stream to push the data to Amazon Redshift warehouse for analysis
218
An application is hosted on Amazon EC2 instances behind an Application Load Balancer with an Amazon API Gateway REST API as the front end. Users should experience minimal disruptions during any deployment of a new version of the application. It must also be possible to quickly roll back if there is an issue. Which solution will meet these requirements with MINIMAL changes to the application?
Deploy updates into a separate environment parallel to the existing one. Configure API Gateway to use a canary release deployment to send a small percentage of API traffic to the new environment
219
A startup company is launching a web application on AWS that uses Amazon EC2 instances behind an Application Load Balancer. The EC2 instances will store data in an Amazon RDS database and an Amazon DynamoDB table. The DevOps team require separate environments for development, testing, and production. What is the MOST secure method of obtaining password credentials?
Launch the EC2 instances with an IAM instance profile with permissions to access AWS services. Retrieve the database credentials from AWS Secrets Manager
220
A DevOps team is building a pipeline in AWS CodePipeline that will build, stage, test, and then deploy an application on Amazon EC2. The team will add a manual approval stage between the test stage and the deployment stage. The development team uses a custom chat tool that offers a webhook interface for sending notifications. The DevOps team require status updates for pipeline activity and approval requests to be posted to the chat tool. How can this be achieved?
Create an Amazon EventBridge rule that filters on CodePipeline Pipeline Execution State Change events. Publish the events to an Amazon SNS topic. Create an AWS Lambda function that sends event details to the chat webhook URL and subscribe the function to the SNS topic
221
A company is deploying a new application that uses Amazon EC2 instances for the web tier and a MySQL database for the database tier. An Application Load Balancer (ALB) will be used in front of the web tier. The company requires an RPO of 2 hours and an RTO of 10 minutes for the solution. Which combination of deployment strategies will meet these requirements?
- Create an Amazon Aurora global database in two Regions for the database tier. In the event of a failure, promote the secondary Region to take on read/write responsibilities - Deploy the application in two Regions and create Amazon Route 53 failover-based routing records pointing to the ALB in each Regions. Enable health checks for the records
222
An online retail chain processes thousands of orders each day from 100 countries and its website is localized in 15 languages. The company’s website faces continual security threats and challenges in the form of HTTP flood attacks, distributed denial of service (DDoS) attacks, and rogue robots that flood its website with traffic. Most of these attacks originate from certain countries. The company wants to block access to its application from specific countries; however, the company wants to allow its remote development team (from one of the blocked countries) to have access to the application. The application is deployed on EC2 instances running behind an Application Load Balancer (ALB) with AWS WAF. How can a DevOps engineer protect workloads from DDoS attacks whilst allowing the development team to be productive?
- Use an AWS WAF IP set statement that specifies the IP addresses that needs to be allowed - Use an AWS WAF geo match statement listing the countries that need to be blocked
223
A financial services company requires that DevOps engineers should not log directly into Amazon EC2 instances that process highly sensitive data except in exceptional circumstances. The security team requires a notification within 15 minutes if a DevOps engineer does log in to an instance. Which solution will meet these requirements with the least operational overhead?
Install the Amazon CloudWatch agent on the EC2 instances. Configure the agent to push all logs to Amazon CloudWatch Logs and set up a CloudWatch metric filter that searches for user login data. If this information is found, send a notification to the security team using Amazon SNS
224
An application runs on Amazon EC2 instances in an Auto Scaling group behind an application Load Balancer (ALB). The applications runs across two Availability Zones (AZs). Recently the application has become very popular and to increase reliability of the application a DevOps engineer has configured the Auto Scaling group to launch instances across three AZs. However, instances launched in the newly added AZ are not receiving any traffic. What is the most likely cause of this issue?
The new AZ has not been enabled for the ALB
225
A company uses GitHub to store the code for their software development. The company’s DevOps team want to automate the build process of an application. When the GitHub repository is updated, the code should be compiled, tested, and then pushed to an Amazon S3 bucket. Which combination of steps would address these requirements?
- Create an AWS CodeBuild project with GitHub as the source repository - Add a buildspec.yml file to the source code with build instructions - Configure a GitHub webhook to trigger a build every time a code change is pushed to the repository
226
A service provider has created business relationships with several companies. The service provider plans to deploy an application to multiple AWS accounts managed by these partner companies using AWS CloudFormation. Each partner company has granted the permissions to create IAM roles with permissions for the deployment in their respective accounts. The organization must minimize operational overhead and stack management. Which actions should be taken to deploy the application across these accounts?
Create IAM roles in each partner account that grant administrators in the service provider’s account permissions to perform stack set operations in the partner accounts. Use CloudFormation stack sets with self-managed permissions to deploy the application
227
A company runs a serverless application that includes video sharing functionality for logged in users. The video service has become popular, and the company need to know which videos are getting the most interest. A DevOps engineer has been asked to identify the access patterns of the videos. The video files are stored in an Amazon S3 bucket. The information that must be gathered includes the number of users who access specific video files per day and the number of access requests for these files. How can the company meet these requirements with the LEAST amount of effort?
Enable S3 server access logging and use Amazon Athena to create an external table for the log files. Use Athena to run SQL queries and analyze the access patterns
228
A global multi-player gaming application that was deployed in Europe now needs to be extended globally. Availability of the application must be extremely high, and latency should be low. The application is hosted on Amazon EC2 instances. It is anticipated that the traffic will be unevenly distributed with a few locations having much more traffic than others. Which routing strategies would be best fit considering above parameters?
Deploy the EC2 instances in an Auto Scaling group behind an Application Load Balancer in two different Regions. Create a Route 53 geoproximity-based routing record. Point the record to each of your load balancers
229
A DevOps engineer deployed an application to AWS which makes use of Amazon EC2 Auto Scaling to launch new instances. The engineer needs to modify the instance type used for all new instances that are launched through automatic scaling. The Auto Scaling group is configured to use a launch template. Which of the following actions should be taken to achieve this requirement?
Modify the existing launch template to create a new version that uses the new instance type and modify the Auto Scaling group to use the new template version
230
A company leverages AWS CloudFormation to build their infrastructure on AWS. The security department is concerned about sensitive data being exposed. A DevOps engineer has been asked to implement steps to prevent the exposure of sensitive parameters such as passwords during infrastructure deployment operations. Which combination of steps should be taken to improve security when deploying infrastructure using AWS CloudFormation?
- Use AWS Secrets Manager to store sensitive data as secret values and use dynamic references in AWS CloudFormation - Use the CloudFormation NoEcho parameter property to mask any sensitive parameter values
231
A financial organization is using a multi-account strategy with AWS Organizations. The AWS accounts are organized into different organizational units. Amazon CloudWatch Logs is used for logging within each account. The company needs to ship all the logs to a single centralized account for archiving purposes. The solution must be secure, and centralized, and the logs must be stored cost-effectively. How can a DevOps Engineer meet these requirements?
Create a log destination in the centralized account and create a log subscription on that destination. Create a Kinesis Firehose delivery stream and subscribe it to the log destination. The target of Kinesis Firehose should be Amazon S3
232
A DevOps engineer needs to stream data from Amazon CloudWatch Logs to a VPC-based Amazon OpenSearch Service cluster. The DevOps engineer creates an OpenSearch subscription filter for the OpenSearch cluster. However, the DevOps engineer notices that the logs are not visible in Amazon OpenSearch. What should the DevOps engineer do to solve this problem?
Add lambda.amazonaws.com in the trust relationship of the CloudWatch Logs Lambda IAM execution role
233
A company manages both Amazon EC2 instances and on-premises servers running Linux and Windows. A DevOps engineer needs to manage patching across these environments. All patching must take place outside of business hours. Which combination of actions will meet these requirements?
- Add the on-premises servers into AWS Systems Manager using Systems Manager Hybrid Activations - Add the on-premises servers into AWS Systems Manager using Systems Manager Hybrid Activations - Use AWS Systems Manager Maintenance Windows to schedule a patch window outside of business hours
234
A DevOps Engineer needs a scalable Node.js application in AWS with a MySQL database. There should be no downtime during deployments and if issues occur rollback to a previous version must be easy to implement. The database may also be used by other applications. Which solution meets these requirements?
Deploy the application using AWS Elastic Beanstalk. Configure the environment type for Elastic Load Balancing and Auto Scaling. Create the Amazon RDS MySQL instance outside the Elastic Beanstalk stack
235
An application sits behind a Network Load Balancer (NLB) that is configured with a TLS listener. The DevOps team must analyze traffic patterns and require information about the connections made by clients. The data that is captured must be stored securely with encryption at rest and should only be accessible to the DevOps team members. Which actions should a DevOps engineer take?
Enable access logs on the NLB and configure an Amazon S3 bucket as the destination. Enable SSE-S3 encryption on the S3 bucket and configure the bucket policy to allow write access for the principal ‘delivery.logs.amazonaws.com’. Apply an IAM permissions policy to the DevOps team that grants read access
236
A new application is being deployed on AWS using Amazon EC2 instances. The operations team must monitor the instance’s application logs and API activity and need a solution for querying both sets of logs. Which solution will meet these requirements?
Install the Amazon CloudWatch agent on the instances to send the application logs to Amazon CloudWatch Logs and configure AWS CloudTrail to log API activity to CloudWatch Logs. Use CloudWatch Logs Insights to query both sets of logs
237
A DevOps team is assisting with the deployment of a web application's infrastructure using AWS CloudFormation. The database management team maintains the database resources in a CloudFormation template, and the software development team maintains the web application resources in a separate CloudFormation template. The software development team needs to use resources maintained by the database engineering team. However, both teams have their own review and lifecycle management processes that they want to maintain. Both teams also require resource-level change-set reviews. The software development team would like to deploy changes to this template using their CI/CD pipeline. Which solution will meet these requirements?
Create a stack export from the database CloudFormation template and import those references into the web application CloudFormation template
238
A DevOps team is assisting with the deployment of a web application's infrastructure using AWS CloudFormation. The database management team maintains the database resources in a CloudFormation template, and the software development team maintains the web application resources in a separate CloudFormation template. The software development team needs to use resources maintained by the database engineering team. However, both teams have their own review and lifecycle management processes that they want to maintain. Both teams also require resource-level change-set reviews. The software development team would like to deploy changes to this template using their CI/CD pipeline. Which solution will meet these requirements?
Create a stack export from the database CloudFormation template and import those references into the web application CloudFormation template
239
A fast-growing US based company has just opened an office in Frankfurt, Germany. The users in the new office have reported high latency for the company’s CRM application. The application runs on Amazon EC2 instances behind an Application Load Balancer (ALB) and stores data in an Amazon DynamoDB table. The CRM application runs in the us-east-1 Region. A DevOps engineer must minimize application response times and improve availability for users in both Regions. Which combination of actions should be taken to address the latency issues?
- Create a new ALB and Auto Scaling group in the eu-central-1 Region and configure the new ALB to direct traffic to the new Auto Scaling group - Create Amazon Route 53 records, health checks, and latency-based routing policies to route to the ALB - Use DynamoDB Global Tables to create a replica of the existing DynamoDB table in the eu-central-1 Region
240
As part of single click deployment strategy, a financial organization is utilizing AWS CodeCommit, CodeBuild and CodeDeploy in an automated pipeline using AWS CodePipeline. It was discovered that in some instances, code was deployed which led to vulnerabilities in production systems. It is mandated that additional checks must be included before code is promoted into production. What additional steps could be taken to ensure code quality?
Add a manual approval to a stage before the deploy action in the code pipeline deploying code to PROD
241
DevOps engineer is deploying a new application with a MySQL-compatible Amazon Aurora database cluster. The Multi-AZ database will have a cross-Region read replica deployed for disaster recovery. The DevOps engineer wants to automate promotion of the replica in the event of a failure of the primary database. Which deployment option should the DevOps engineer choose?
Save the Aurora endpoint in AWS Systems Manager Parameter Store. Create an Amazon EventBridge event that detects the database failure and runs an AWS Lambda function to promote the replica instance and update the endpoint URL stored in AWS Systems Manager Parameter Store. Configure the application to retrieve the updated endpoint from the parameter store if the application fails
242
An application runs on Amazon ECS instances in an Auto Scaling group behind an Application Load Balancer. An issue has occurred where instances are failing to respond to requests and are failing HTTP target group health checks. A DevOps engineer has reviewed the configuration and noticed that the application has failed on some EC2 instances and error messages relating to memory usage have been logged in the system logs of affected instances. The application may have a memory leak and the DevOps engineer needs to take steps to improve the resiliency of the application. Monitoring and notifications should be enabled for when issues occur. Which combination of actions will meet these requirements?
- Configure the Auto Scaling group configuration to replace the EC2 instances when they fail the load balancer's health checks - Configure the Amazon CloudWatch agent on the EC2 instances. Create an alarm based on memory utilization metrics and send a message to an Amazon SNS topic when the alarm is triggered
243
A company is deploying a serverless application that includes an Amazon API Gateway REST API and an AWS Lambda function. A DevOps engineer must come up with a strategy for updating the application that enables new features to be tested on a small number of users before rolling out the update to all users. Which deployment strategy will meet these requirements?
Use AWS CloudFormation to deploy the serverless services and use Lambda function versions. When code needs to be changed, update the CloudFormation stack with the new Lambda code and update the API versions using a canary release strategy. Promote the new version when testing is complete
244
A critical application runs on Amazon EC2 instances in an Auto Scaling group. A script runs on the instances every 10 seconds to check application availability. A DevOps engineer must use this information returned by the script to monitor the application and trigger an alarm if there is an issue. The data should be collected every 1-minute and the solution must be cost-effective. Which action should the engineer take?
Use a custom Amazon CloudWatch metric and configure a statistic set that aggregates data points and publishes the data every 1-minute
245
A company uses a tagging strategy to allocate usage costs for AWS resources. An application runs on Amazon EC2 instances in an Auto scaling group. The Amazon EBS volumes that are attached to instances are being created without the correct cost center tags. A DevOps engineer must correct the configuration to ensure the EBS volumes are tagged appropriately. What is the MOST efficient solution that meets this requirement?
Update the Auto Scaling group launch template to include the cost center tags for EBS volumes
246
A gaming startup company is finishing its migration to AWS and realizes that many DevOps engineers have permissions to delete Amazon DynamoDB tables. A solution is required to receive near real-time notifications when the API call DeleteTable is invoked in DynamoDB. Which actions should be taken to achieve this requirement most cost-effectively?
Enable AWS CloudTrail. Create an Amazon EventBridge rule to track an AWS API call via CloudTrail and use Amazon SNS as a target
247
The security team at a company requires a solution to identify activities that indicate that Amazon EC2 instances have been compromised. The solution should notify them by email if issues are discovered. Which solution will meet these requirements?
Configure AWS GuardDuty to identify activities that indicate the EC2 instances have been compromised. Create an Amazon EventBridge rule with an event source set to ‘aws.guardduty’. Send a notification using an Amazon SNS topic when the specified events are logged
248
A development team use a staging deployment of an application to test updates. The application includes an Amazon RDS database instances and Amazon EC2 instances. The resources only need to run when testing deployments are run using AWS CodePipeline. The testing usually runs for just a few hours a couple of times each week. A DevOps engineer wants cost-effective automating the instantiation and shutdown of the resources without changing the architecture of the application Which solution best meets the requirements?
Configure CodePipeline to subscribe to an event in Amazon EventBridge that triggers an AWS Systems Manager automation document that starts and stops the EC2 and RDS instances before and after deployment tests
249
An application runs on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer. The instances often come online before they are ready which leads to errors being experienced. The health check configuration provides a 60-second grace period and considers instances healthy after two 200 response codes from /index.php. This page can respond intermittently during the deployment process. A DevOps engineer has been tasked with troubleshooting the errors. The instances should come online as soon as possible but not before they are ready. Which strategy can be used to address this issue? Which strategy would address this issue?
Modify the deployment script to create a /health-check.php file at the end of the deployment and modify the health check path to point to that file
250
A company runs an application across thousands of EBS-backed Amazon EC2 instances. The company needs to ensure availability of the application and requires that instances are restarted when an EC2 instance retirement event is scheduled. How can this a DevOps engineer automate this task?
Create a rule in Amazon EventBridge with AWS Health as the source and look for instance retirement scheduled events. Run an AWS Systems Manager automation document that stops and starts affected instances
251
An application uses an Elastic Load Balancer (ELB) in front of an Auto Scaling group of Amazon EC2 instances. A recent update to the application has resulted in longer times to run and complete bootstrap scripts. The instances often become healthy before they are ready to accept traffic resulting in errors. A DevOps engineer must prevent the instances from being registered with Elastic Load Balancing until the instances are ready to accept traffic. Which solution meets these requirements?
Use an Auto Scaling lifecycle hook to verify that the bootstrap scripts have completed before registering the instances with the ELB
252
To improve security, a company plans to use AWS Systems Manager Session Manager to manage EC2 instances instead of using key pairs. The company also requires that access to Session Manager goes across private networks only. Which combinations of actions will accomplish this?
- Attach an IAM policy providing the required Systems Manager permissions to an existing IAM instance profile - Create VPC endpoints for Systems Manager in the relevant AWS Region to provide private access
253
A DevOps engineer must implement a serverless service that runs on multiple AWS Lambda functions and uses Amazon DynamoDB as the data store. The functions require a front end that supports unencrypted HTTP and allows routing to the functions based on the path in the URL. Which solution will meet the requirements?
Deploy an Application Load Balancer (ALB) as the front end. Create an HTTP listener and configure the Lambda functions as targets in separate target groups. Create path-based routing rules that forward requests to targets based on path values in the request
254
A DevOps manager has been asked to optimize the costs associated with Amazon EBS volumes. There are many unattached EBS volumes which should be deleted if not used for 14 days. The manager asked a DevOps engineer to create an automation solution that deletes volumes that have been unattached for 14 days or more. Which solution will accomplish this?
Create an Amazon CloudWatch Events rule to invoke an AWS Lambda function daily. Configure the function to find unattached EBS volumes and tag them with the current date and delete unattached volumes that have tags with dates that are more than 14 days old
255
An application that was updated is returning HTTP 502 Bad Gateway errors to users. The application runs on Amazon EC2 instances in an Auto Scaling group that spans multiple Availability Zones. The DevOps engineer wants to analyze the issue, but Auto Scaling is terminating the instances shortly after launch as the health check status is changing to unhealthy. What steps can the DevOps engineer take to gain access to one of the instances for troubleshooting?
Add a lifecycle hook to your Auto Scaling group to move instances in the Terminating state to the Terminating:Wait state
256
A DevOps Engineer manages a containerized rules engine application running inside an Amazon ECS container which pulls configuration files from AWS Systems Manager Parameter Store every time the container spins up. The configuration files are in a JSON format and are around 3 KB in size. As new clients are onboarding, the engineer must load many new configuration files. The configuration files may increase significantly in number with increasing customer load. The engineer must load the configuration files on the fly after changes are done. The engineer must also ensure a history can be maintained for configuration changes. What is the best solution for onboarding the new configuration files with the LEAST effort?
Store configuration files in a versioning enabled Amazon S3 bucket and load the configuration settings using an Amazon EventBridge trigger and AWS Lambda function that is triggered by a cron job
257
A DevOps engineer updated the AWS CloudFormation template for an application. The stack update failed and CloudFormation attempted to roll back the stack to its previous state. The roll back process failed and generated a UPDATE_ROLLBACK_FAILED error message. What are the most likely causes for this issue?
- The user or role that was used to perform the stack update had insufficient permissions - Changes to resources were made outside of CloudFormation and the template was not updated
258
A DevOps engineer needs a managed environment for running a Node.js application. The infrastructure should support load balancing and auto scaling. The application will require a managed relational database, and data should be stored persistently and protected from accidental deletion. The solution should minimize ongoing operational effort. Which actions should the engineer take to meet these requirements?
- Create an AWS Elastic Beanstalk environment with load balancing and auto scaling enabled - Create an independent Amazon RDS database in an Amazon VPC with automatic backups and deletion protection enabled
259
When deploying a newly developed application on AWS, a DevOps team notices an intermittent error when attempting to make a connection to the application. The application has a two-tier architecture with an AWS Lambda function backed by an Amazon API gateway and a NoSQL database as the data store. The DevOps team noticed that sometime after deployment the error stops occurring. This application is deployed by AWS CodeDeploy and the Lambda function is deployed as the last step of pipeline. What is the most efficient way for a DevOps engineer to resolve the issue?
Add a BeforeAllowTraffic hook to the AppSpec file which tests and waits for any necessary database changes before traffic can flow to the new version of the Lambda function
260
An online sales application is being migrated to AWS with the application layer hosted on Amazon EC2 instances and the database layer on a PostgreSQL database. It is mandated that the application must have minimal downtime as it receives traffic 24/7 and any downtime may reduce business revenue. The application must also be fault tolerant including the data layer. Concerns have been raised around performance of the database layer during sales events and other peak periods. The application must also be continually scanned for vulnerabilities. Which option will meet the above requirements?
Create an Auto Scaling group of EC2 instances in a multi-AZ configuration. Deploy an Application Load Balancer to serve traffic to the Auto Scaling group. For the database, use Amazon Aurora for improved throughput in a multi-master configuration for high availability. Use Amazon Inspector to perform automatic security assessments
261
An application is being deployed using an AWS CodePipeline pipeline. The pipeline includes an AWS CodeBuild stage which downloads source code from AWS CodeCommit, pulls data from an S3 bucket, and builds and tests the application before deployment. A DevOps engineer has discovered that the S3 data is not being successfully downloaded due to a permissions issue. How can the permissions be assigned to CodeBuild in the MOST secure manner?
Modify the service role for the CodeBuild project to include permissions for S3. Use the AWS CLI to download the data
262
A DevOps engineer is migrating an application running on Docker containers from an on-premises data center to AWS. The application must run with minimal management overhead. Encrypted communications between the data center and AWS must be implemented for secure connectivity with on-premises resources. Which actions should the DevOps engineer take to meet these requirements?
- Migrate the container-based workload to Amazon ECS with the Fargate launch type in a custom VPC - Implement an AWS Managed VPN to encrypt traffic between the on-premises data center and the VPC
263
A company manages several AWS accounts in an AWS Organizations organization. There are several applications running in each account. Many resources have not been tagged properly and the finance team cannot fully determine the costs that should be attributed to each application. A DevOps engineer has been asked to remediate this issue and ensure it does not happen again. Which combination of actions should the DevOps engineer take to meet these requirements?
- Create and attach an SCP that requires tags to be specified when creating resources - Scan all accounts with Tag Editor. Assign the required tag to each resource
264
A company is migrating an important production application to the AWS Cloud. The application includes a containerized web tier and a MySQL database. The application must be deployed with high availability and fault tolerance and must minimize cost. How should a DevOps engineer refactor the application?
- Migrate the web tier to an AWS Fargate cluster and configure a service and attach an Application Load Balancer - Migrate the MySQL database to an Amazon RDS Multi-AZ deployment
265
A financial organization is already utilizing a CI/CD pipeline to deploy applications in production. A DevOps team has automated the entire upgrade flow for a database upgrade process. During deployment, they triggered a CI/CD pipeline with no human intervention, and the upgrade progressed smoothly. Then, 20 minutes in, the pipeline became stuck, and the update halted. It was discovered that a planned outage in an AWS region caused the pipeline to fail. What solution can a DevOps engineer implement to prevent this from happening again without causing unnecessary delay or cost?
Embed AWS Health API insights into the CI/CD pipelines using AWS Lambda functions to automatically stop deployments when an AWS Health event is reported in the Region
266
A DevOps Engineer must deploy a three-tier web application on AWS. The application will run on Amazon EC2 instances and will use an Amazon RDS database tier. The engineer must select a deployment model the reduces operational overhead as much as possible. Which solution best meets these requirements?
Use AWS OpsWorks to create an Application Load Balancer, an Auto Scaling group, and application and database resources. Deploy application updates using OpsWorks lifecycle events
267
A DevOps Engineer manages an application running across accounts which is deployed via AWS CloudFormation. The application stack has an Amazon ECS Fargate cluster which spins up multiple tasks for the application layer and utilizes an Amazon ElastiCache Redis cache to store frequently accessed data. The accounts are labelled “sandbox” and “staging”. While the stack spins up fine, the application is unable to connect to Redis with the below error logged in Amazon CloudWatch Logs. “Stopped reason ResourceInitializationError: unable to pull secrets or registry auth: pull command failed :: signal: killed“. What is the possible fix for the above error?
- Ensure inbound connectivity is allowed in the application security group on port 6379 from the Redis cluster subnet - Ensure an ENI is configured for the ECS tasks in the AWS Fargate cluster and there is an api.ecr endpoint
268
An application was recently migrated to AWS. While the initial version worked, a new version is displaying an error relating to the database layer. A DevOps engineer checked Amazon CloudWatch Logs and determined that the error was due to a database connection issue. However, no new database deployment has been performed and there were no changes to the database. Typically the application fetches the database credentials from AWS Secrets Manager. What is the most likely cause of the issue?
When secret rotation is configured in Secrets Manager, it causes the secret to rotate once as soon as you store the secret. This can lead to a situation where the old credentials are not usable anymore after the initial rotation. It is possible that the team forgot to update the application to retrieve the secret from Secrets Manager
269
A company is deploying an application in four AWS Regions across North America, Europe and Asia. The application will be used by millions of users. The application must allow users to submit data through the application layer in each Region and have it saved in a low-latency database layer. The company also must ensure that the data can be read through the application layer in each Region. Which solution will meet these requirements with the LOWEST latency of reads and writes?
Create a table in Amazon DynamoDB and enable global tables in each of the four Regions
270
A legacy application runs on a single Amazon EC2 instance and is backed with Amazon EBS storage. The company requires the ability to recover quickly with minimal data losses in the event of network connectivity issues or power failures on the EC2 instance. Which solution will meet these requirements?
Create an Amazon CloudWatch alarm for the StatusCheckFailed_System metric and select the EC2 action to recover the instance
271
A DevOps engineer is troubleshooting problems with an application which uses AWS Lambda to process messages in an Amazon SQS standard queue. The function sometimes fails to process the messages in the queue. The engineer needs to analyze the events to determine the cause of the issue and update the function code. Which action should the engineer take to achieve this outcome?
Configure a redrive policy to move the messages to a dead-letter queue
272
A DevOps engineer has created a CI/CD pipeline in which AWS CodeDeploy is used to deploy an AWS Lambda function as the last stage of the pipeline. For proper execution, the Lambda function relies on an Amazon API Gateway API to have been fully deployed and ready to accept requests. The DevOps engineer needs to ensure that the API is ready to accept requests before traffic is shifted to the deployed Lambda function version. How can this requirement be met?
Use the BeforeAllowTraffic hook in the AppSpec file to call a validation function that checks that the API is ready to accept requests
273
A DevOps engineer is troubleshooting an issue with an AWS CodeDeploy deployment to a deployment group containing Amazon EC2 instances. The engineer noticed that all events associated with the specific deployment ID are in a Skipped status, and code was not deployed in the instances associated with the deployment group. Which of the following as possible reasons for this failure?
- The EC2 instances cannot reach the internet or CodeDeploy public endpoints using a NAT gateway or internet gateway - The target EC2 instances do not have an instance profile attached that provides the required permissions
274
An application runs on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer (ALB). The application is used by users around the world who access the application using a custom DNS domain name. The application must support encryption in transit, be protected from DDoS attacks and web exploits, should be optimized for performance. Which actions should a DevOps engineer take to meet these requirements?
- Create an Amazon CloudFront distribution with the ALB as an origin. Configure the custom domain name and attach an SSL/TLS certificate - Create an AWS WAF web ACL, configure a default action and rule, and specify the CloudFront distribution that WAF should inspect
275
An application runs on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer (ALB). The application is used by users around the world who access the application using a custom DNS domain name. The application must support encryption in transit, be protected from DDoS attacks and web exploits, should be optimized for performance. Which actions should a DevOps engineer take to meet these requirements?
- Create an Amazon CloudFront distribution with the ALB as an origin. Configure the custom domain name and attach an SSL/TLS certificate - Create an AWS WAF web ACL, configure a default action and rule, and specify the CloudFront distribution that WAF should inspect
276
A DevOps team is developing a PHP web application which will be deployed on Amazon EC2 instances. The application has been designed to use a MySQL database. The team requires a deployment model in which they can reliably build, test, and deploy new updates daily, without downtime or degraded performance. The application must also be able to scale to meet an unpredictable number of concurrent users. Which action will allow the team to quickly meet these objectives?
Create two auto scaling AWS Elastic Beanstalk environments: one for test and one for production. Build the application using AWS CodeBuild and use Amazon RDS to store data. When new versions of the applications have passed all tests, use the Elastic Beanstalk 'swap cname' to promote the test environment to production
277
A global health care company uses AWS CloudFormation templates to deploy applications across various environments. The template includes Amazon EC2 instances and an Amazon RDS database. During the testing phase before the application went live, the Amazon RDS instance type was changed and caused the instance to be re-created, resulting in the loss of test data. Also, when the CloudFormation stacks are deleted, it is mandatory to keep a snapshot of the EBS volumes for backup and compliance purposes. How can this be achieved?
- Use DeletionPolicy=Snapshot to persist the EBS volumes attached to Amazon EC2 instances - In the AWS CloudFormation template, set the DeletionPolicy of the AWS::RDS::DBInstance DeletionPolicy property to “Retain
278
A company is developing a continuous delivery pipeline using AWS CodePipeline. The application is deployed across multiple ALBs each of which has a dedicated Auto Scaling group. A DevOps engineer must configure the pipeline so that a simultaneous deployment is triggered to all ALBs and Auto Scaling groups when code is committed to an AWS CodeCommit repository. Which deployment option meets these requirements with the LEAST amount of configuration?
Use a single AWS CodePipeline pipeline that deploys the application in parallel using a single AWS CodeDeploy application and separate deployment groups for each pair of ALB and Auto Scaling group
279
A company is using AWS Storage Gateway for a branch office location. The gateway is configured in file gateway mode in front of an Amazon S3 bucket that contains files that must be processed by workers in the branch office. Each night a batch process uploads many files to the S3 bucket. Users have reported that the new files are not visible in the morning though they do exist in the S3 bucket. How can a DevOps engineer ensure that the files become visible?
Configure an Amazon EventBridge event to run on a schedule and trigger an AWS Lambda functions that executes the RefreshCache command
280
A web application runs on a custom port. The application has been deployed in an Auto Scaling group with an Application Load Balancer (ALB). After launching instances the Auto Scaling and Target Group health checks are returning a healthy status. However, users report that the application is not accessible. Which steps should a DevOps engineer take to troubleshoot the issue?
- Modify the Target Group health check configuration to check the application process on the custom port and path - Modify the Auto Scaling group health check configuration to check the application process on the custom port and path
281
A DevOps engineer needs to implement an automated deployment process for an application running on AWS. The implementation should minimize deployment costs whilst ensuring that at least half of the instances are available at any time to service user requests. If the application fails on some instances they should be automatically replaced. Which deployment strategy will meet these requirements?
Implement Auto Scaling with an Elastic Load Balancer. Use AWS CodeDeploy with the CodeDeployDefault.HalfAtAtime deployment strategy. Enable an ELB health check and set the Auto Scaling health check to ELB"
282
What is the amount of time that Opswork stack wait for a response from an underlying instance before deeming it as a instance?
5 mins
283
You have just been assigned to take care of the Automated resources which have been setup by your company in AWS. You are looking at integrating some of the company's chef recipes to be used for the existing Opswork stacks already setup in AWS. But when you go to the recipes section, you cannot see the option to add any recipes. What could be the reason for this?
The stacks were created without the custom cookbooks option. Just change the stack settings accordingly
284
You are a Devops Engineer and are designing an Opswork stack in AWS. The company has some custom recipes that are part of their on-premise Chef configuration. These same recipes need to be run whenever an instance is launched in Opsworks. Which steps need to be carried out to to ensure this requirement gets fulfilled.
- Ensure the custom cookbooks option is set in Opswork stack - Ensure the recipe is placed as part of the Setup Lifecycle event as part of the Layer setting
285
Which file needs to be included along with your source code binaries when your application uses the EC2/On-Premises compute platform, and deploy it using the AWS Code Deploy service.
appspec.yml
286
When using EC2 instances with the Code Deploy service, which of the following are some of the pre- requisites to ensure that the EC2 instances can work with Code Deploy.
Ensure an IAM role is attached to the instance so that it can work with the Code Deploy Service Ensure that the CodeDeploy agent is installed on the EC2 Instance
287
You are a Devops Engineer for your company. The company has a number of Cloudformation templates in AWS. There is a concern from the IT Security department and they want to know who all use the Cloudformation stacks in the company's AWS account. What can be done to take care of this security concern?
Enable Cloudtrail logs so that the API calls can be recorded
288
Your company has a number of Cloudformation stacks defined in AWS. As part of the routine housekeeping activity, a number of stacks have been targeted for deletion. But a few of the stacks are not getting deleted and are failing when you are trying to delete them. What could be valid reason for this?
The stack has an S3 bucket defined which has objects present in it The stack has a EC2 Security Group which has EC2 Instances attached to it
289
You have a Jenkins pipeline to update a CloudFormation stack. The pipeline uses AWS CloudFormation CLI update-stack. Sometimes when the Jenkins job runs, certain AWS resources are recreated, which is not as expected. Your manager asks you to add a step in the pipeline to list the changes that will be applied to the stack. The Jenkins job continues only after the changes are reviewed. How would you modify the Jenkins pipeline?
In the new step, use CloudFormation CLI create-change-set to generate the list of changes that will be applied in the stack. Review the changes before continuing the Jenkins job
290
You are on Devops engineer for your company. You have been instructed to deploy docker containers using the Opswork service. How could you achieve this?
Use custom cookbooks for your Opswork stack and provide the Git repository which has the Chef recipes for the Docker containers In the App for Opswork deployment, specify the git url for the recipes which will deploy the applications in the docker environment
291
Your development team use .Net for their web application. The application code is hosted in a Git repository. They want to set up continuous integration and deployment pipelines and deploy it to AWS. Which method can be used to fulfil this requirement?
Use the Code Pipeline service to set up the pipelines for the application in AWS
292
Your company is planning on using the available services in AWS to completely automate their integration,build and deployment process. They are planning on using AWS CodeBuild to build their artifacts. Whenusing CodeBuild, which file specifies a collection of build commands that can be used by the service during the build process.
buildspec.yml
293
What can be used in Cloudformation to coordinate the creation of stack resources?
AWS::CloudFormation::WaitCondition CreationPolicy attribute
294
Which resource is used in Cloudformation to create nested stacks?
AWS::CloudFormation::Stack
295
You have a set of web servers hosted in AWS which host a web application used by on section of users. You want to monitor the number of errors which occur when using the web application. Which options can be used for this purpose?
- Send the logs from the instances onto Cloudwatch logs - Search for the keyword “ERROR” in Cloudwotch logs - Increment a metric filter in Cloudwotch whenever the pattern is matched
296
Your company is supporting a number of applications that need to be moved to AWS. Initially they thought of moving these applications to the Elastic beanstalk service. When going to the Elastic beahstolk service, you can see that the underlying platform service is not an option in the Elastic beanstolk service. Which options can be used to port your application onto Elastic beanstalk?
Create a docker container for the custom application and then deploy it to Elastic beanstalk
297
Which are ways to ensure that data is secured while in transit when using the AWS Elastic load balancer?
Use an SSL front end listener for your ELB Use an HTTPS front end listener for your ELB
298
Your company currently has a set of EC2 Instances running a web application which sits behind an Elastic Load Balancer. You also have an Amazon RDS instance which is used by the web application. You have been asked to ensure that this architecture is self healing in nature and cost effective. What would fulfill this requirement?
Use Cloudwatch metrics to Check the utilization of the web layer. Use Autoscaling Group to scale the web instances accordingly based on the cloudwatch metrics Utilize the Multi-AZ feature for the Amazon RDS layer
299
The AWS Code Deploy service can be used to deploy code from which source repositories?
- S3 - Github - Bitbucket
300
You are designing Cloudformotion template to install a set of web servers on E02 Instances. The following User data needs to be passed to the EC2 Instances #l/bin/bash sudo apt—get update sudo apt—get install -y nginx Where in the Cloudformation template would you ideally pass this User Data?
In the properties section of the EC2 Instance in the resources section
301
A company has a Node.js application deployed in on Elastic Beanstalk environment. At the moment the environment uses on “All at once” deployment strategy. The new versions ore deployed in all instances simultaneously and there is a short time of outage. If there is a problem with the new version, onother deployment is required to perform the rollback. Your monoger asks you to use another method that deploys new versions to a fresh group of instances. And the new instances should serve troffio only after the health check has passed. In the meantime, you do not wont to maintain two environments in Elostio Beanstalk. Which deployment strategy should you select?
Configure cm Immutable deployment strategy in the Elastic Beanstalk environment
302
You have a set of E02 Instances in an Autoscaling Group that processes messages from an SQS queue. The messages contain the location in S3 from where video's heed to be processed by the EC2 Instances. When a scale in happens, it is noticed that an at times that the EC2 Instance is still in a state of processing a video when the instance is terminated. How can you implement a solution which will ensure this does not happen?
Use lifecycle hooks to ensure the processing is complete before the termination occurs
303
Your company is hosting cm application in AWS. The application consists of a set of web servers and AWS RDS. The application is a read intensive application. It has been noticed that the response time of the application increases due to the load on the AWS RDS instance. Which of the following measures can be taken to scale the data tier?
Create an Amazon DB Redd Replica. Configure the application layer to query the Reed Replica for the read operations Use ElastiCache in front of your Amazon RDS DB to cache common queries
304
You are using Jenkins as your continuous integration systems for the application hosted in AWS. The builds are then placed on newly launched EC2 Instances. You want to ensure that the overall cost of the entire continuous integration and deployment pipeline is minimized. Which options would meet theserequirements?
- Ensure that all build tests are conducted using Jenkins before deploying the build to newly launched EC2 Instances - Ensure the Instances are launched only when the build tests are completed
305
You are using Elastic beanstelk to deploy on application that consists of a web and application server. There is a requirement to run some python scripts before the application version is deployed to the web server. What can be used to achieve this?
Make use of container commands
306
Your company has a set of EC2 instances sitting behind an Elastic Load Boloncer. There is on requirement to create an OpsWorks stack to host the newer version of this application. The OpsWorks stock has been created and the current ELB was selected to host the newer version of the application. Now the application is not responding to the requests. What could be the cause?
After the ELB is attached to the OpsWorks stock, it would have de— registered the instances of the current application and therefore the current application is not responding to requests
307
You have a set of E02 Instances running behind an ELB. These E02 Instances are launched via on Autos Group. There is on requirement to ensure that the logs from the server are stored in a durable storage. This is so that log data can be analyzed by staff in the future. Which steps can be implemented to ensure this requirement is fulfilled.
On the web servers, create a scheduled task that executes a script to rotate and transmit the logs to on Amazon S3 bucket Use AWS Delta Pipeline to move log data from the Amazon 83 bucket to Amazon Redshift in order to process and run reports
308
Your company has a set of development teams that work in a variety of programming languages. They develop applications which have OI lot of different application dependencies. There is on move from the company to move these development environments onto AWS. What is the best option to make this happen.
Use the Elastic beanstalk service and use Docker containers to host each application environment for the developer community
309
You need to maintain om AWS Organization. The Organization includes several organization units (OUS) and dozens of accounts. You wont to get the service last access data for different OUS and accounts. Then you cam refine the policies in the Organization and allow access to only the services that the entities in the AWS Organization use. Which method would you take to address this requirement?
Use AWS Console or CLI to view the service access report in IAM for Organization activities. Check the report to see when on allowed service was accessed lost time
310
You are on DevOps engineer and you need to oleom up IAM entities that are no longer used. There is on IAM policy called IAMACcessForDemo which contains CloudFormotion full access, KMS full access and some other permissions. However, nobody in your team knows what the IAM policy is used for and whether it is safe to delete it. How would you Check the time when the granted services by the policy were lost accessed?
In AWS Console, Check the Access Adviser of the IAM policy to see when the permitted services were last accessed. If they were accessed on long time ago, it would be safe to delete the policy
311
Your development team is using on Elastic beanstalk environment. After a week, the environment was torndown and CI new one was created. When the development team tried to access the data on the older environment, it was not available. Why is this the case?
This is because the underlying EC2 Instances are created with no persistent local storage
312
You have a setup in AWS which consists of EC2 Instances sitting behind and ELB. The launching and termination of the Instances are controlled via an Autoscoling Group. The architecture consists of a MySQL AWS RDS database. What can be used to induce one more step towards a self healing architecture for this design?
Enable Multi-AZ feature for the AWS RDS database
313
You are working in a large company. The company is building new serverless applications with the AWS Serverless Application Model (AWS SAM) framework. The serverless applications include resources such as API Gateways, Lambda functions, DynamoDB tables, Step functions, etc. For the serverless AWS resources to interact with one another, proper access and permissions need to be set up between the resources. For example, on Lambda function needs suitable permission to write new items in on DynomoDB table. What is the most appropriate way for you to manage these permissions using AWS SAM?
Use SAM connectors (AWS::Serverless::Conhector) to provide simple and well-scoped permissions between the resources. For unsupported resource types for SAM connectors, use CIoudFormotion mechanisms to configure IAM users, roles, and policies
314
You are working as a DevOps engineer. Your company owns an online shopping application. The application publishes application logs (Le. Clickstredm logs) to CI CloudWatCh log group. In order to perform log analysis and application monitoring, you have also configured an Amazon OpenSearCh Service Cluster as the search and analytics engine. Now you want to stream the CloudWatch Logs data to the Amazon OpenSearch Service cluster in near real-time. Which method is the most appropriate one?
Select the CloudWatCh log group, create on Amazon OpehSeOIrch Service subscription filter, and stream the selected logs to the OpenSeorch Service Cluster
315
You are on AWS Cloud engineer. Your company owns an AWS Organization with dozens of AWS accounts. In the AWS Organization administrator account, you have created on CloudFormotion StackSet to manage AWSresources in multiple AWS oooounts across specified AWS Regions. In the StackSet, the seIf-managed permissions method has been used to establish the trust relationship between the administrator and target accounts. One day, when you try to update the StookSet with on updated template, the operation failed and one stock instance status become OUTDATED. Which option will NOT cause this issue?
In the AWS Organization, the trusted access between the AWS Organization's management account and target (member) accounts has been disabled
316
A company owns an AWS OpsWorks stack for a web application. As most of the existing AWS resources are managed by AWS Systems Manager, you want to migrate the OpsWorks Stack application to Application Manager in AWS Systems Manager. The migration enables you to monitor the instances in the Application Manager page and also use some AWS features that are unavailable in OpsWorks such as the integrations with Auto Scaling group and application load balahoers. How would you perform the migration in the most suitable way?
Use the AWS provided migration script to generate a CloudFormation template based on the existing OpsWorks layers. Customize the template and provision the CloudFormation stock. View the provisioned resources in the custom application of Application Manager
317
As a DevOps engineer, you are using on CloudFormotion stock to maintain om AWS Auto Scaling group resource (AWS::AutoSooIihg::AutoScalingGroup). You wont to use a suitable CIouolFormotion update policy to control how AWS CloudFormotion handles updates for the Auto Scaling group resource. During the update, CloudFormotion should only replace the instances in the existing Auto Scolihg group instead of replacing the Auto Scolihg group. The maximum number of instances that CIoudFormotion updates at any time should be 1 and at least] instance should be in service when old instances are being updated. Which UpdatePolicies is the most accurate in the CloudFormation template?
UpdatePolicy: AutoScolingRollingUpdate: MinlnstonceslnService: '1' MaxBatchSize: '1' WaitOnResourceSignals: 'true' PauseTime: PT10M
318
As a DevOps engineer, you are helping the team to configure a new in-memory database in Amazon MemoryDB for Redis. This high performance and durable MemoryDB database is built for microservices applications. Applications will be deployed in EC2 instances in several private subnets of on VPC. The MemoryDB database Cluster will be deployed in the some private subhets as the E02 instances. To ensure the security of the dOItC] transferred between the applications and the MemoryDB database, how would you manage access between the EC2 instances and the MemoryDB Cluster in the most suitable way?
Create a VPC security group for the MemoryDB Cluster and configure on custom inbound rule to only allow the incoming traffic from the EC2 security group on port 6379
319
You are working in a company as a DevOps engineer. Your team needs to build applications for several proof-of-concept projects. Your manager asks you to use AWS App Runner to deploy from the source code in GitHub repositories directly to the web applications in the AWS Cloud. Through AWS App Runner, you can quickly build up the continuous integration and deployment (Cl/CD) pipelines to perform automatic deployments whenever developers push new commits to the code repositories. When creating the AWS App Runner service, which configuration would you need to set up?
Create IAM identity-based policies and apply them to IAM entities. Specify if the IAM entities can access the AWS App Runner console and manage the App Runner service
320
You are working in a bank as a cloud engineer. For a new web application, you need to configure a service that can automatically create and manage custom Ubuntu 20 AMI images. The images will be used by E02 Auto Scaling groups. As the web application processes sensitive customer data, the images heed to be compliant with STIG (Security Technical Implementation Guides) standards which are created by the Defense Information Systems Agency (DISA) to secure information systems and software. How would you use EC2 Image Builder to automate the image-building process?
In EC2 Image Builder, create an image recipe that contains the STIG component together with other necessary build components. Create an image pipeline with the recipe to automate the image build process
321
Your company owns several legacy Java applications in the on-premises dOItC] centers. The applications are running on the IBM WebSphere application server on Ubuntu. As a DevOps engineer, you plan to use the AWS App2Container (A2C) commander line tool to lift and shift the legacy Java applications to the AWS platform. Through AppContainer, you would like to first analyze the applications and then generate Dockerfiles to deploy them as containerized workloads on AWS. Which options is NOT supported by App2Container?
Use App2Container to create an ECR repository to store the application Docker images. Create cm Elastic Beanstalk application to deploy the Docker containers
322
A DevOps engineer is helping the development team to create a Nodejs application with AWS Elastic Beanstalk. He modified the maximum number of instances in Auto Scaling Group to 10 in the AWS console during environment creation. However, in the source bundle, there is on configuration file in the folder .ebextehsions that sets the maximum number of instances to 5. Given that the maximum number is 4 for Elastic Beanstalk environment by default, what is the maximum number of ASG after the DevOps engineer in the AWS console creates the environment?
The max number is 10
323
You are on AWS DevOps engineer in a company, and you created a job in Jenkins to use a script to build on Elastic Beonstalk environment. An eb config command has been used to configure on Security Group for on Elastic Lood Boloncer. After some time, onother colleague found that the Security Group should be Changed o another one. He modified this configuration option with on config file in the .ebextensions folder. However, when the Jenkins job was rebuilt, the Security Group did not change to the new one. What is the reason and how would you fix this issue?
The settings in the .ebextehsions folder cannot override that in the EB CLI command. Remove the configuration settings for Security Group in eb config commend
324
Your company has a set of resources hosted in AWS. Your IT Supervisor is concerned with the costs incurred by the resources running in AWS and wants to optimize the costs as much as possible. Which of the following ways could help achieve this efficiently?
Create Cloudwatch alarms to monitor underutilized resources and either shutdown or terminate resources that are not required Use the Trusted Advisor to see underutilized resources
325
You are using AWS CodePipeIihe service to build up a pipeline for on new web application. In the Source stage, the source provider is GitHub, and its output artifact is configured as WebApp. In the Build stage, there are two build actions in parallel and both of them have used AWS CodeBuild as the service provider. For these two build actions, which configurations of input/output artifacts are correct?
Build Action 1 (input artifact: WebApp, output artiafact: WebAppBuild1); Build Action 2 (input artifact: WebApp, output artifact: WebAppBuild2)
326
The company you work for has on huge amount of infrastructure built on AWS. However, there have been some concerns recently about the security of this infrastructure. An external auditor has been given the task of running a thorough Check of all of your company's AWS assets. The auditor will be in the USA while your company's infrastructure resides in the Asia Pacific (Sydney) region on AWS. Initially, he needs to check all of your VPC assets, specifically security groups and NACLS You hove been assigned the task of providing the auditor with on login to be able to do this. Which of the following would be the best and most secure solution to provide the auditor to begin his initial investigations? Choose the correct answer from the options below.
Create an IAM user who will have read-only access to your AWS VPC infrastructure and provide the auditor with those credentials
327
You're building a mobile application game. The application needs permissions for each user to communicate and store data in DynomoDB tables. What is the best method for granting each mobile device that installs your application to access DynomoDB tables for storage when required?
Create an IAM role with the proper permission policy to communicate with the DynamoDB table. Use web identity federation, which assumes the IAM role using AssumeRoleWithWebldehtity, when the user signs in, granting temporary security credentials using STS
328
You are in Charge of creating a Cloudformation template that will be used to spin our resources on demand for your DevOps team. The requirement is that this cloudformotion template should be able to spin up resources in different regions. Which of the following aspects of Cloudformotion templates can help you design the template to spin up resources based on the region?
Use the mappings section in the Cloudformetion template so that the relevant resource can be spun up based on the relevant region
329
A company has developed a Ruby on Rails content management platform. Currently, OpsWorks has several stocks for dev, staging, and production to deploy and manage the application. Now the company wants to start using Python instead of Ruby and needs a smoother transition without any interruption. The company needs to cut over from the existing Ruby code to the Python code. How should the company manage the new deployment?
Create a new stock that contains 01 new layer with the Python code. To cut over to the new stock, the company should consider using Blue/Green deployment.
330
You were assigned on task to migrate cm on-premises application to the AWS Elastic Beanstalk environment. The operating system is Amazon Linux and package managers yum 0nd RubyGems are required in order to install all necessary packages for the application. You have created config files in .ebextehsions. In the config files, you added a Package section to install software packages. Which statement is correct for the Package section in the configuration file?
Within each package manager, package installation order isn't guaranteed
331
You are working as a AWS DevOps admins for your company. You are in Charge of building a nested infrastructure for the company's development teams using CloudFormotIOh. The template will include building the VPC and networking components installing a LAMP stack and securing the created resources. As per the AWS best practices, what is the best way to design this template?
Create multiple Cloudformotion templates for each set of logical resources, one for networking, the other for LAMP stock creation
332
Your security officer has told you that you need to tighten up the logging of all events that occur on your AWS account. He wants to be able to access all events that occur on the oooount ooross all regions quickly and in the simplest way possible. He also wants to make sure that he is the only person who can access these events in the most secure way possible. Which of the following would be the best solution to assure his requirements are met?
Use CloudTroil to log all events to one S3 bucket. Make this S3 bucket only accessible by your security officer with a bucket policy that restricts access to his user only and odds MFA to the policy for on further security level
333
Your team is using AWS API Gateway and Lambda function to maintain om API endpoint. Recently, there is a Change in the Lambda function which adds some new dCItOl in the response body. The Lambda function is upgraded and a new API is added to support the Change. The team wants to keep both version] and version2 of the API to be available simultaneously to your API consumers. How should you modify the version1 API in API Gateway to behave as the V1 consumers expect?
Add a mapping template in the Integration Response of versiont API to remove the new data so that the response is transformed to the original format
334
You are having a web and worker role infrastructure defined in AWS using Amazon EC2 resources. You are using SQS to momenge the jobs being sent by the web role. Which of the following is the right way to ensure the worker processes are adequately set up to handle the number of jobs sent by the web role?
Use Cloudwatch monitoring to Check the size of the queue and then scale out using Autoscaling to ensure that it can handle the right number of jobs
335
A team has implemented a service with AWS API Gateway and Lambda. The service endpoint can save input JSON data to the internal database and S3. After the service has run for several years, some data in the JSON body are no longer used and should not be saved anymore. The backend Lambda has been upgraded to support only the valid JSON values. The original API in API Gateway is still used for some time before Old users migrate to the new API. How should the original API be configured so that the Lambda still supports the old request in the backend?
Configure a mapping template in Integration Request to remove the obsolete data so that the original API requests are transformed to be supported by the new Lambda
336
You are responsible for maintaining several AWS CloudFormation templates. Last month, there were two incidents that resources in existing CloudFormation stacks that someone has Changed without any alerts or notifications. Because of that, the potential changes may have negative impacts on the stacks, and the Changes may be lost if the stacks are re-deployed. This is hot compliant with company policy. Your team lead asked you to warn the team whenever a drift in the CloudFormation stack appears. What is the best way to achieve that?
Create a rule in AWS Config to evaluate if the stack is considered to have drifted for its resources. If the rule is NON_COMPLIANT, notify the team via om SNS notification
337
There is OI requirement for an application hosted on a VPC to access the on-premises LDAP server. The VPC and the on-premises location are connected via om IPSeC VPN. Which are the right options for the application to authenticate each user.
The application authenticates against LDAP and retrieves the name of cm IAM role associated with the user. The application then calls the IAM Security Token Service to assume that IAM role. The application can use the temporary credentials to access any AWS resources Develop om identity broker that authenticates against LDAP and then calls IAM Security Token Service to get IAM federated user credentials. The application calls the identity broker to get IAM federated user credentials to access the appropriate AWS service
338
A company has strict security policies. For its AWS services, special attention is required to ensure that there is no security vulnerability. You are asked to set up on rule in AWS Config to inspect if the AWS resources are always as expected. The rule is very complicated, and there is no existing AWS monoged rule that con meet the company’s needs. Which actions in combinations can achieve this requirement?
Create an AWS Lambda function that contains the logic of the custom rule to evaluate whether the AWS resources are compliant In AWS Config, add a custom rule and specify the ARN of cm AWS Lambda function that Checks AWS resources
339
A developer asks you to help on setting up AWS CodeBuild for on new Java project. The project is built by Maven. In its buildspec.yml file, there are several phases such as install, pre_build and build. There is a requirement that if on command in a phase has failed, CodeBuild still has a chance to run some she'll commands to do custom operations such the log collection. How should you configure the CodeBuild project to meet the need?
Add a finally block after the commands block in each phase. Put the custom shell commands in the finally block
340
In on large corporation, an AWS organization is established with several OUs (organizational units). Because of several new security requirements, the security operator needs to create several CloudWOItCh Events rules. For one rule, the requirement is that if certain AWS services have not been used by an OU for 6 months but are suddenly used recently, an SNS notification will be triggered. How would you quickly get the service—last— accessed information to identify the potential services to add to the CloudWotCh Event rule?
In the IAM access adviser, view the service—last—aceessed information for each OU to help identify which services should be added in the CloudWatch Event rule
341
You are working in on large corporation, and your team is in charge of the new Cl/CD pipeline for on migration project from on—premises to AWS. The product used a license that limited the number of vCPUs, and it is decided that the some license will be used on the AWS platform. The software is baked on Amazon AMI and several teams including QA, DEV and Production frequently launch new EC2 instances using the Jenkins pipeline. Your team manager is worried that the number of servers used is getting too large one! asked you to add on step in Jenkins to get the current license consumption status. What is the best way for you to implement that?
Create a License Configuration for this license in AWS License Manager. Call the CLI Iist-usage-for-icense-configuration to get the license consumption status
342
Your team was assigned a task to create a Jenkins job to do the backup for a very complicated system. The Jenkins job will trigger the backup task every week. For the backup itself, there are several steps involved, including running preparation scripts, launching DB snapshots, Checking DB snapshots status, running post scripts, etc. A Lambda function can implement each step. Besides, the solution architect expects the running status for each step com be visualized and managed by an AWS owned service. Which service should you use to achieve this requirement?
AWS Step Functions
343
You are on DevOps engineer in a company whose data analysis department is planning to benefit from CloudWotch Logs to troubleshoot some business use cases by exploring the content in a container logs. How is it possible to automate a pipeline for analysis in this context?
You create on IAM policy to allow your container instances to use the CloudWatch Logs APIs, and then you must attach that policy to ecslnstanceRole. Then, you install the CloudWatch agent on your container instances. On the Fargate launch type, you view the logs from your containers. On the EC2 launch type, you get different logs from your containers in one convenient location. If you are not using the Amazon ECS—optimized AMI, you will have to edit the /eto/eos/eos.config file and add ECS_AVAILABLE_LOGGING_DRIVERS=["json-file","awslogs"] to specify that the awslogs logging driver is available on the container instance
344
A gaming company adopted AWS CloudFormation to automate load-testing of their games. They have created on AWS Cloud Formation template for each gaming environment and one for the load-testing stack. The load-testing stack creates an Amazon Relational Database Service (RDS) Postgres database and two web servers running on Amazon Elastic Compute Cloud (EC2) that send HTTP requests, measure response times, and write the results into the database. A test run usually takes between 15 and 30 minutes. Once the tests are done, the AWS Cloud Formation stacks are torn down immediately. The test results written to the Amazon RDS database must remain accessible for visualization and analysis. What are possible solutions that allow access to the test results after the AWS CloudFormation load-testihg stack is deleted.
Define a deletion policy of type Retain for the Amazon RDS resource to assure that the RDS database is not deleted with the AWS CloudFormation stack Define a deletion policy of type Snapshot for the Amazon RDS resource to assure that the RDS database can be restored after the AWS CIoudFormation stack is deleted
345
You are writing on AWS CloudFormation template, and you want to assign values to properties that will not be available until runtime. You know that you can use intrinsic functions to do this but are unsure which part of the template they can use. Which of the following is correct in describing how you can currently use intrinsic functions in on AWS CIoudFormotion template?
You can use intrinsic functions only in specific parts of a template. Currently, you can use intrinsic functions in resource properties, outputs, metadato attributes, and update policy attributes
346
Your company has on e-commerce application accessed by users all over the world. You have EC2 instances deployed in multiple regions. You want to monitor the performance of these EC2 instances. How can you use CloudWotoh to monitor these instances?
Have one single dashboard to report metrics to CloudWatch from different regions
347
The company you are working for is prototyping a HIPAA-compliant application. You as a DevOps engineer have to automate the resource auditing process, including CIS AWS Foundations Benchmark requirements CIS an external compliance framework. The results have to be sent periodically as email notifications. Which statement is true when creating custom AWS Config rules via AWS Lambda function to model criteria meeting?
You develop custom rules and add them to AWS Config. Then, you associate each custom rule with an AWS Lambda function containing the logic that evaluates whether your AWS resources comply with the rule. The Lambda function will require permission to query AWS Config and publish a message to Amazon SNS
348
A web-startup runs its very successful social news application on Amazon EC2 with on Elastic Load Balencer, an Auto—Scaling group of Jave/Tomcat application-servers, end DynamoDB eas a data store. The main web application best runs on m2 x large instances since it is highly memory-bound. Each new deployment requires semi-automated creation and testing of a new AMI for the application servers which takes quite a while and is therefore only done once per week. Recently, a new feature has been implemented in nodejs and waits to be integrated into the architecture. First tests show that the new component is CPU bound because the company has some experience with using Chef. They decided to streamline the deployment process and move both the standard application and the new feature to OpsWorks because it can be used es on application life cycle tool to simplify the application's management and reduce the deployment cycles. What configuration in AWS Ops Works is necessary to integrate the new Chef module in the most cost-efficient and flexible way?
Create one AWS Ops Works stack, create two AWS Ops Works layers and create one custom recipe
349
You are using an AWS CodePipeIine to create a CloudFormation stack. The stack is used to deploy resources for a human approval project that allows the execution of a state machine to pause during a task. The workflow continues to the next state once the user has approved the task. In the CloudFormation template, there are already resources including Lambda functions that send email links for approval, an API Gateway endpoint that triggers Lambda functions and an SNS topic that sends an email for approval. What is another key resource that needs to be created in the template?
A Step Function resource created in the type AWS::StepFunotions::StateMachine
350
A company just started to use AWS ECS/ECR for its dockerized applications. They are looking for a pipeline service with on source stage that can deploy a container application to the ECS Cluster using a blue/green deployment. At the moment, all docker images are already stored in the ECR service which will be used in the pipelines as artifactories. What is the quickest way to implement this pipeline?
In AWS CodePipeline, add a source stage for ECR docker image and a deployment stage for ECS where the deployment runs with a CodeDeploy application and deployment group
351
A DevOps engineer is building a pipeline in AWS CodePipeline to build a docker image and push it to AWS ECR. In the CodePipeline, the source stage is configured with AWS CodeCommit where the source files are stored. In the build stage, the Action Provider is AWS CodeBuild. For its buildspec.yml file, there are three phases which are pre_build, build and post_build. The build stage in the pipeline is responsible for creating the image and pushing it to the ECR repository. Which command should be put in the pre_build stage in the buildspec.yml file?
aws ecr get-Iogin --region $AWS_DEFAULT_REGION
352
You are in charge of designing on CIoudFormation template which deploys a LAMP stock. After deploying a stack, you see that the status of the stack is showing one CREATE_COMPLETE , but the Apache server is still not up and running and is experiencing issues while starting up. You want to ensure that the stock creation only shows the status of CREATE_COMPLETE after all resources defined in the stack are up and running. How can you achieve this?
Use the CreationPolicy to ensure it is associated with the EC2 Instance resource Use the CFN helper scripts to signal once the resource configuration is complete
353
You are designing a Cloudformation stock which involves the creation of a web server and a database server. You need to ensure that the web server in the stack gets created after the database server is created. How can you achieve this?
Use the DependsOn attribute to ensure that the database server is created before the web server
354
Company ABC has started to use AWS Service Catalog to manage its CloudFornnontion stacks within the company. In Service Catalog, several portfolios have been created with relevant products configured. It is supposed to assign access to different users or teams for these different products. For example, for one important payment service, only DevOps team can create, modify or delete the product. In Service Catalog, how should you manage the user access?
Assign permissions to IAM users, groups, and roles
355
A team has an application which is a website. The team wants to test different versions of the website to the users without redirecting or Changing the browser URL. In order to perform this kind of A/B testing, the team does not plan to modify any front—end or back-end code with additional logic. And it is supposed to put this logic to CDN network. What is the best place/service to implement the switching logic?
Lambda@Edge
356
You are creating CIoudFormation templates for new applications. In the templates, you need to include certain custom resources as they are not supported by the AWS CIoudFormotion resource types. You want to use the AWS::CloudFormation::CustomResource resource type to specify the custom resources. The resource type has on ServioeToken property that determines where AWS CIoudFormation sends requests to. Which endpoints can you configure in the ServiceToken property?
An Amazon SNS topic ARN A Lambda function ARN
357
A large company uses AWS CodeCommit to manage its source code. There are over a hundred of repositories and many teams are working on different projects. As a DevOps engineer, you need to allocate suitable access to different users. For example, development team should not access the repositories that contain sensitive data. How should you manage this?
Tag repositories in AWS CodeCommit. Create policies in IAM that allow or deny actions on repositories based on the tags associated with repositories
358
You are the DevOps engineer in a company assigned to support a development team interested in having a CI/CD pipeline in AWS CodePipeline to deal with several complex cases, handle asynchronous workflow-driven actions, and keep centralized logging for the workflow execution history to CloudWotCh Logs. What is the most robust approach to follow?
Create an AWS Step Functions state machine to handle workflow-driven actions via specific, leolh single purpose AWS Lambda functions. Configure a CodePipeline deploy action to trigger on AWS Lambda function that decouples the Step Functions state machine and the pipeline itself. To deal with centralized logging, it is possible while creating or updating a state machine to configure logging to Amazon CloudWatch Logs
359
Your team is developing an application for a government project. For continuous deployment, you have built a CloudFormetion stack to deploy EC2 instances. A third party software is installed in the instances and its license requires that the software should be bound to dedicated virtual machines. Whenever the CloudFormation stack is redeployed, the software should be installed in the same physical hosts. Which method would you select to achieve this requirement?
Allocate dedicated hosts for this application which allow you to reliably launch EC2 instances on the same physical servers. In the CloudFormation template, specify the allocated HostlD and configure the tenancy type to be dedicated host
360
Your social media marketing application has a component written in Ruby running on AWS Elastic Beanstalk. This application component posts messages to social media sites in support of various marketing campaigns. Your management now requires you to record replies to these social media messages to analyze the effectiveness of the marketing campaign in comparison to post and future efforts. You’ve already developed a new application component to interface with the social media site APIs in order to read the replies. Which process should you use to record the social media replies in a durable data store that can be accessed out any time for analytics of historical data?
Deploy the new application component as an Elastic Beanstalk application, read the data from the social media sites, store it and process it in DynamoDB, and use Apache Hive with Amazon Elastic MapReduce for analytics
361
You are managing an application that acts as the front end and you use MongoDB for document management which is hosted on a relevant Web server. You pre-bake AMl's with the latest version of the Web server, then used the UserData section to setup the application. You how have on Change to the underlying Operating system version and need to deploy thot accordingly. How com this be done in the easiest way possible?
Create a new pre-baked AMI with the new OS and use the UserData section to deploy the application
362
You are managing the development of an application that uses DynamoDB to store JSON data. You have already set the Read and Write capacity of the DynamoDB table. You are unsure of the amount of the traffic that will be received by the application during the deployment time. How can you ensure that the DynamoDB is not highly throttled and does not become a bottleneck for the application?
Monitor the ConsumedReadCapacityUnits and ConsumedWriteCapacityUnits metric using Cloudwatch Create a Cloudwatch alarm which would then send a trigger to AWS Lambda to increase the Read and Write capacity of the DynomoDB table
363
You are using Elastic Beanstalk for your development team. You are responsible for deploying multiple versions of your application. How can you ensure, in on ideal way, that you don’t cross the application version limit in Elastic Beanstalk?
Use lifecyle policies in Elastic BeansTalk
364
Your organization owns several AWS accounts. The AWS operation team creates several bose docker images in AWS ECR. Another development team is working on on new project in which the build phase needs to use AWS CodeBuild to build artifacts. One requirement is that the environment image of CodeBuild must use on ECR dooker image owned by the operation team. However, the ECR dooker image is located in different AWS account. How would you resolve this and create the CodeBuild project?
Select custom image and Choose ECR image registry. Enter the full ECR repository URI for the repository in the other account
365
Your team has created a new AWS CodeDeploy application to automate deployments to Amazon EC2 instances under an outoscaling group. It is possible that a deployment activity has failed due to software issues. Your manager asked you to configure automatic rollback for the deployment group in the production environment. In terms of the automatic rollback configuration of CodeDeploy, which statement is correct?
Automatic rollback com be triggered when alarm thresholds are met
366
Your company has used on-premises Jenkins server as the CI/CD tool for several years. Recently, us most of its products olreody migrated to AWS platform. The DevOps team is considering the possibilities to use AWS CodePipeline us the new tool to replace Jenkins server. You were told to make on initial onolysis and report to your monoger. Whort are the advantages of CodePipeIine when compared to Jenkins server?
AWS CodePipeline integrates well with other AWS services such as CodeCommit and CodeBuild. It is easily configured for users of the AWS ecosystem IAM policies com be configured to control the access to CodePipeline resources
367
You were assigned on new task to create a pipeline in AWS CodePipeIine service for a new Android App. In the pipeline, the source stage is GitHub and the build stage uses CodeBuild to build the App. During the build stage, it uses on buildspec file to generate artifacts which are stored in a S3 bucket. Another stage needs to be added in order to test the new version of App in AWS Device Form. A test project in AWS Device Farm was already created by QA team. How should you configure this new stage in AWS CodePipeline?
Add a new test stage and add AWS Device Farm as the action provider. Configure the AWS Device Farm project ID and device pool ARN in the stage
368
A team is developing a new web application which will be deployed in AWS EC2. Within the company, Atlassiom JIRA Software is commonly used to manage many existing projects. For this new project, the team lead expected to manage using a unified project management dashboard where there is information such as JIRA stories/issues, continuous deployment status, application endpoints, etc. What is the best way to achieve this requirement?
Create an AWS CodeStar project. Configure the connection to JIRA in the CodeStar project. Customize the project dashboard as required
369
You are on Devops engineer for your compantere is a requirement to host a custom application which has custom dependencies for a development team. This needs to be done using AWS service. What is the ideal way to fulfil this requirement.
Package the application and dependencies with Decker, and deploy the Docker container with Elastic Beanstalk
370
Your team uses AWS CodeStar to manage a Java project. The source code is put in AWS CodeCommit. The build stage is managed by AWS CodeBuild and then the deployment stage uses CloudFormation to deploy a stack including resources such as Lambda function. The team lead has added several team members intothe CodeStar project including Jonson (Owner), Tony (Viewer) and Eric (Contributor). Different roles should have different permissions in the project. How are the permissions managed in CodeStar?
Different team member roles have relevant IAM policies allocated automatically by AWS. CodeStar users only need to make sure the correct roles are assigned to team members
371
A large corporation owns a huge amount of data which is located in AWS S3. There are applications that keep reading or writing data in these S3 buckets. The security auditor was worried that there may be some sensitive data that was exposed in S3. For example, certain applications may store some text files which contain customers’ PII information. The auditor asked for a solution to quickly scan potential security related issues in these S3 buckets. Which solution is the best?
Enable Amazon Macie as it can scan security issues in S3 and generate alerts based on the level of risks
372
You have defined a Linux based instance stack in Opswork. You now want to attach a database to the Opswork stock. What is an important step to ensure that the application on the Linux instances cam communicate with the database
Add the appropriate driver packages to ensure the application com work with the database
373
You have on Opswork stock defined with Linux instances. You have executed on recipe , but the execution has failed. What option would you use to diagnose the reason of the failure?
Log into the instance and Check if the recipe was properly configured
374
You were assigned on task to create a security monitoring dashboard in AWS. The dashboard should be able to identify whether EC2 instances are exposed to common vulnerabilities and exposures (CVES). For example, if on EC2 instance does not install certain patch and is exposed to a known CVE, this incident should be discovered. Which approach is the best one to implement this?
Enable AWS Inspector and make sure all EC2 instances have the Inspector agents installed properly. Include CVE rule package in the assessment template
375
You are in charge of maintaining several AWS CloudFormotion StackSets in a large organization. One StackSets was created to configure infrastructure resources such as IAM roles and security groups in several regions for on web application. Recently, due to certain new features of the application, one parameter value of the CIoudFormotion StackSets needs to be updated. However, this update is only required for two regions and the other regions should not be Changed for the parameter. How should you implement this?
Choose Override StockSet parameters from the Actions menu. Specify the two regions that you want to modify and then override the StackSet parameters for these regions
376
One application of your company was configured to send all application logs to a Kinesis Stream and the logs can exist in the Stream shards for 24 hours. A recent company strategy is to use Splunk Enterprise to search, monitor and onolyze application logs and a Splunk server has already been deployed in on EC2 instance. Which approach is the best to load the streaming data in Kinesis Stream to the Splunk instance?
Use Amazon Kinesis Data Firehose as a fully managed service to deliver real-time streaming data in Kinesis Stream to the Splunk instance
377
You have on AWS OpsWorks Stack running Chef Version 11.10. Your company hosts its own proprietary cookbook on Amazon S3, and this is specified as on custom cookbook in the stack. You want to use on open-source cookbook located in on external Git repository. Whot tasks should you perform to enable the use of both custom cookbooks?
In the AWS OpsWorks stack settings, enable Berkshelf. Create a new cookbook with a Berksfile that specifies the other two cookbooks. Configure the stack to use this new cookbook
378
One of your engineers has written a web application in the Go Programming language and has asked your DevOps team to deploy it to AWS. The application code is hosted on a Git repository.
Create a new AWS Elastic Beanstalk application and configure a Go environment to host your application, Using Git Check out the latest version of the code, once the local repository for Elastic Beanstalk is configured use "eb create" command to create on environment and then use "eb deploy" command to deploy the application Write on Dockerfile that installs the Go base image and fetches your application using Git, create on new AWS Elastic Beanstalk application and use this Dockerfile to automate the deployment
379
You have a large multi-tier architecture creating using CloudFormation, that serves public facing web traffic through a load balancer and is backed by a web tier that is contained within an Amazon EC2 Auto Scaling group. During a peak in traffic, you discover that your web tier is adding new instances disproportionately compared to the amount of incoming traffic and the Auto Scaling policy that was set up. What should you do in order to stop the Auto Scaling group from scaling incorrectly in response to incoming traffic?
Using a custom CloudWatch metric insert the elapsed time since the instance launch to the time the instance responds to on Elastic Load Balancing health check, and periodically adjust the Pause Time and the CoolDown property on the AutoScaling group to be over the value of the metric
380
You have on Amazon ECS Cluster with the Forgote lounoh type. There is on ECS service running in the Cluster. The applications running in the ECS may have high workload in the morning and when it happens, the ECS overoge CPU utilization is very high. After the peak hour, the CPU utilization drops as well. You want to configure the auto scaling for the ECS service so that the number of ECS tasks com be scaled out and scaled in based on the CPU CloudWatch metric. The minimum and maximum number of tasks should also be defined. How would you implement this?
Select the ECS service and configure the service auto scaling by adding a target tracking scaling policy based on the CloudWatch ECSServiceAverogeCPUUtilization metric
381
Your team is building a big data application. In your AWS account, you use on Amazon DooumentDB Cluster to manage o MongoDB compatible database. The DocumentDB Cluster uses the db.r5.large instance class and you have configured one primary instonce and 5 replicas in the Cluster. As the business grows, you have found that both the CPU and Memory capacities need to be increased in the cluster’s instances and the db.r5.2xlorge instance class should be used. The impacts on the application should be minimized when you scale the Cluster instances. What method would you select?
Add more replicas with the db.r5.2xlarge instance type to the DocumentDB Cluster. Initiate a failover by promoting a new replica to be the primary instance. Remove all replicas with the old instance type
382
You are starting to use AWS Elastic Disaster Recovery to replicate on-premises applications in the Linux platform to AWS. You have successfully configured the source servers in Elastic Disaster Recovery. The source servers are being replicated with the Point in Time (PIT) snapshots created in AWS Elastic Disaster Recovery. You have also configured other related network and application settings for the recovery. However, you are still unsure if the instances can be properly recovered in the AWS environment. You want to perform hon-disruptive tests for the failover. Wha method is the most appropriate?
In AWS Elastic Disaster Recovery, open the Initiate recovery job menu and select Initiate drill. Check if the drill instance is successfully launched and verify if the applications are running properly
383
As a DevOps engineer, you are creating o CloudFormation stack for a web application. The stack includes ECS resources such as ECS Cluster, ECS service, and ECS task definition. Now you want to use CIoudFormation to perform ECS blue/green deployments through AWS CodeDeploy. CIoudFormation only creates the blue ECS resources during stack creation. In on future stack update, CIoudFormotion will generate all the necessary green application environment resources and delete the blue resources. Which option in the CIoudFormation template is required to enable CloudFormation to perform blue/green deployments?
A Transform section in the template that invokes the AWS::CodeDeployBlueGreen transform and a Hook section that invokes the AWS::CodeDeploy::BlueGreen hook
384
As a DevOps engineer in a large organization, you are using on AWS CloudFormotion StackSet to deploy AWS resources in dozens of AWS accounts across multiple AWS Regions. One day, when you updated the StackSet, the update foiled immediately and the StackSet stotus become FAILED. You find that StackSet only updated one stock in on region and faled because on IAM policy was missing in that particular region. There is no such issue in other regions. You have fixed the IAM policy in the region and wont to retry the StackSet update. In the future StackSet updates, you wont to continue the stock update for other regions even if there is a failure in one region. How would you do that?
In the StackSet Actions menu, Choose Edit StackSet details to retry updating stacks. Increase the Failure tolerance parameter to specify the maximum number of stack operation failures that can occur
385
You are working in a Iarge company. In one AWS account, there is on S3 bucket created in the us-east-1 region. Important files are stored in the S3 bucket such as customer financial data. You need to configure a backup service for the S3 bucket that can automate the creation of backups of the S3 objects. Whenever needed, the backup service should allow you to restore to any point in time within the lost month. You can choose to restore the files in the existing bucket or on new bucket. What method is the most appropriate?
Create a backup plan in AWS Backup that enables continuous backups for point-in-time recovery. Assign the s3 bucket resource to the backup plan
386
Your team creates on internal tool deployed in AWS. The traffic is distributed by on network load bolancer and the backend is on Auto Scaling group. The tool is supposed to be used by other teams massively within the company. You have created on endpoint service powered by AWS PrivateLink for the tool and plan to share the service with other eligible interal consumers. You need to manoge permissions of the endpoint service by only allowing trusted service consumers (AWS principals) to use it. How would you achieve this requirement?
Select the endpoint service and in the Allow principals tob, add the ARNa of the AWS principals that you want to allow. Besides, review and only approve the connection requests from consumers that you trust
387
Your team has recently deployed a web application in production. The application is hosted in AWS EC2. In order to verify the application performance, you are working with testers to perform chaos testing on the system. You wont to use AWS Fault Injection Simulator to perform fault injection experiments on the AWS workloads. For example, you wont to run on CPU stress test on the EC2 instance to see how the application responds. But in the meantime, you need to set a guardrail on the test so that the CPU does not reach so high (Le. 80%) that the application performance becomes unacceptable. How would you implement this?
Create a CIoudWetCh alarm to set a CPU utilization threshold. In the experiment template of the AWS Fault Injection Simulator, select the CloudWatCh alarm as a stop condition
388
You are working in a bank. Your company has on AWS Organization with a large number of AWS accounts for various departments. In order to quickly investigate and identify the root cause of security findings, you are working with the security team to enable the Amazon Detective service. With the service, time-based events from AWS CIoudTrail and Amazon VPC flow logs and findings detected by GuardDuty will be collected. To start using the service, you need to determine cm administrator account in Detective that manages the organization's behaviour graphs and member accounts. What is the best way to Choose the administrator account in Detective?
Choose the some administrator account as GuardDuty and AWS Security Hub so that the integrations between these services work seamlessly. For example, when viewing details for a GuardDuty finding, you can directly view its details in Detective
389
In one of your AWS accounts, you have created a directory in AWS Managed Microsoft AD powered by Windows Server 2019. You have launched several Windows EC2 instances and successfully joined these instances in the Microsoft AD directory. The team needs to launch new Linux EC2 instances using the CentOS7 operating system. You need to join these EC2 instonoes seamlessly and securely to the directory. You already had a service account for domain join with minimum privileges. What is the most appropriate method to join the Linux instances?
Create a secret in AWS Secrets Manager to store the domain service account credentials. Create an IAM role that has read permission for the secret. Launch the EC2 instance with the IAM role and Choose the domain for Domain join directory
390
The data analytics team needs om Apache Spark workload to process and analyze vast amounts of data stored in S3. You wont to host it in an Amazon EMR application as EMR provides open-source compatibility, concurrency, and optimized runtime versions for Apache Spark. In the meantime, you wish to simplify the configurations of EMR Clusters and EMR should automatically manage settings such as instance types, Cluster sizes, and the number of workers. What one is the most appropriate that you should select?
Create cm EMR Studio first and then configure om EMR Serverless application in the EMR Studio. Choose the Spark type and set up the pre-initialized capacities for the application
391
Your company starts to use AWS CodeArtifact to manage software artifacts. You have created on domain in AWS CodeArtifact and mainly use it to store Python packages. The CodeArtifact repository also connects with the external public PyPl store. Now you want to integrate CodeArtifact with the existing AWS CodeBuild projects. You need to make sure that the pre_build or build phases of CodeBuild projects can successfully install the Python packages (ie. pip install) through AWS CodeArtifact. Which configuration is required to set up the permissions?
In the IAM roles used by CodeBuild projects, add the policies to allow the CodeArtifact read related actions such as "codeartifact:GetAuthorizationToken" and "codeartifact:ReadFromRepository"
392
You are an AWS administrator. Last week, a new employee accidentally deleted a repository branch in CodeCommit. For certain key repositories, you are told to create on notification when someone deletes any branch in CodeCommit. You plan to configure a trigger in CodeCommit. Which service should you use to implement this in the best way?
For the repository event of deleting branches, create on trigger in CodeCommit to an Amazon SNS topic to provide notifications to users
393
You are on DevOps engineer for a company. With stack policies in place, you have been requested to create a cost-effective rolling deployment solution with minimal downtime. How should you achieve this?
Re-deploy with a CIoudFormontion template, define update policies on Auto Scaling groups in your CloudFormation template Use AutoscolingRollingUpdate attribute to specify how CloudFormation handles updates to Autoscaling Group Resource
394
You have an Auto Scaling group with on Elastic Load Balancer. You decide to suspend the Auto Scaling AddToLoadBolancer for on short period of time. What will happen to the instances launched during the suspension period?
The instances will not be registered with ELB. You must manually register when the process is resumed
395
Your current log analysis application takes more than four hours to generate a report of the top 10 users of your web application. You have been asked to implement a system that can report this information in real-time, ensure that the report is always up to date, and handle increases in the number of requests to your web application. Choose the option that is cost-effective and can fulfill the requirements.
Post your log data to on Amazon Kinesis data stream, and subscribe to your log-processing application so that it is configured to process your logging data. Configure your application to Autoscale to handle the load on demand
396
You are a DevOps engineer. One development team needs to develop a proof-of-concept feature in AWS as quickly as possible. Several team members need to manage, contribute, or view the project during the time. They already have their own IAM user accounts. Other then that, it will be better if the project has on dashboard that provides cm overall view of the project, such as build, test and deploy. The team lead has consulted you on the methods that the team should use. Which AWS service should you suggest?
AWS CodeStar
397
An application is deployed in AWS Elastic Beanstalk. You have a saved configuration from the test environment. Now you need to create pipelines for the performance test. You plan to apply the saved configuration. However, you find that some configurations need to be modified in the new environment. You do not want to modify the saved configuration YAML file. Which option would you take to address this concern?
Use EB CLI or AWS CLI to update the Elastic Beanstalk environment with new options such as aws elasticbeanstalk update-environment
398
You have been tasked with deploying a scalable distributed system using AWS OpsWorks. Your distributed system is required to scale on demand. As it is distributed, each node must hold a configuration file containing the hostnames of the other instances within the layer. How should you configure AWS OpsWorks to manage scaling this application dynamically?
Create a Chef Recipe to update this configuration file, configure your AWS OpsWorks stack to use custom cookbooks, and assign this recipe to the Configure LifeCycIe Event of the specific layer
399
Your company develops a variety of web applications using many platforms and programming languages with different application dependencies. Each application must be developed and deployed quickly and be highly available to satisfy your business requirements. What method should you use to deploy these applications rapidly?
Deploy web applications from Docker containers in an Elastic Beanstalk environment with Auto Scaling and Elastic Load Balancing
400
A large IT componyjust hired you as a senior AWS DevOps engineer. You are supposed to provide a solution to notify the team appropriately when the status of Trusted Adviser checks has changed. For example, if the Cost Optimization Checks in Trusted Advisor have just found a Low Utilization Amazon EC2 Instance, there should be a notification to a Slack Channel so that the operation team can react to the status change and potentially optimize the cost. Which combinations of services should you use to meet this requirement?
Create a new CloudWatch Events rule. Add event source as "Trusted Advisor" and event type as "Check Item Refresh Status" Use a Lambda function to pass on customized notification to the Slack Channel when Check status in CloudWatch Event has changed
401
You are on DevOps engineer in a financial company. In order to meet on ongoing compliance audit in the company, you need to set up CloudWatch alarms for the key AWS resources in production including EC2, DynomoDB, Lambda, etc. To save time, you plan to create CloudWatch alarms based on existing CloudWatch Metrics. Which scenarios are suitable for this?
When the latency of ELB exceeds 10 seconds over two minutes, trigger an alarm and send an email notification to your team Notify the team when excessive throttling occurs for a DynamoDB table that stores users’ subscription data
402
You design a service that aggregates clickstream data in batch and delivers reports to subscribers via email only once per week. Data is extremely spikey, geographically distributed, high-scale, and unpredictable. How should you design this system?
Use on CloudFront distribution with access log delivery to S3. Clicks should be recorded as query string GETS to the distribution. Reports are built and sent by periodically running EMR jobs over the access logs in S3
403
You want to pass queue messages that are 1GB each. How should you achieve this?
Use the Amazon SQS Extended Client Library for Java and Amazon S3 as on storage mechanism for message bodies
404
You are working for a large supermarket chain as u DevOps engineer. Your company has stored a huge amount of data in different AWS and on-premise sources. The data includes daily transactions, customer data , etc. You have on task to build up an AWS QuickSight service that can use machine learning technologies to help other teams to analyze data, visualize data through dashboards and discover hidden trends. Which data can NOT be provided to QuickSight for analysis?
YAML files stored in S3 buckets
405
You have provided AWS consulting service to a financial company that just migrated its major on-premises products to AWS. Last week, there was an outage of AWS hardware which impacted one of the EBS volumes. This failure was alerted in the AWS Personal Health Dashboard. However, it took the team several hours to be aware of that. The company asks for a solution to notify the team when there is cm open issue happening in AWS Personal Health Dashboard. Which approach should you recommend?
Create a CloudWontch Event Rule that filters AWS Health Event and triggers om SNS notification when there is a new event
406
An application is installed in EC2 and sends customized metrics to AWS CloudWotch. You have configured lots of AWS CloudWatch alorms based on these metric reports data. You have found that there ore several CloudWatch alarms that have the state of “INSUFFICIENT_DATA” at times. You confirmed with developers that certain metric data is only intermittently generated by design. What should you perform to ignore these “INSUFFICIENT_DATA” alarms?
Configure these CloudWatch alarms to treat missing data points as “ignore” so that “INSUFFICIENT_DATA” does not show up
407
You have created a new Auto Scaling group for a new application which sets the minimum capacity as 1 and the maximum capacity as 20. The ASG is running well for two weeks. However, recently there were cases that some instances were not terminated successfully. You need to work out on way to notify the team via email whenever any instance fails to terminate. What is the simplest way to implement this?
Configure the Auto Scaling group to send a notification to cm SNS topic whenever instances fail to terminate
408
Your team created a DynamoDB table called “GlobaI-Temperature” to track the highest/Iowest temperatures of Cities in different countries. The items in the table were identified by on partition key (Countryld) and there was no sort key. The application is recently improved with more features and some queries need to be based on a new partition key (Cityld) and sort key (HighestTemperonture). How should you implement this?
Add a Global Secondary Index with a partition key as Cityld and a sort key as HighestTemperature
409
You use DynomoDB to store the customer banking data. You need to create an audit log of all Changes to the data. It’s important not to lose any information. What is an elegant way to accomplish this?
Use a DynomoDB Stream and stream all changes to AWS Lambda. Log the Changes to AWS Cloudtch Logs, removing sensitive information before logging
410
If I want CloudFormation stack status updates to show up in on continuous delivery system as Close to real-time as possible, how should I achieve this?
Subscribe your continuous delivery system to on SNS topic that you also tell your CIoudFormotion stack to publish events into
411
A DevOps engineer has used a CloudFormation template to create on RDS resource for a new web application. The RDS database has used the engine of PostgreSQL, and the encryption is not enabled. However, for certain security considerations, the database needs to be updated to enable encryption. The CloudFormation template is updated accordingly (StorageEhcrypted is true). To prevent data loss during the CloudFormation stack update, the data should be restored from the latest DB snapshot. Which two steps should be taken in combination to meet this requirement?
Deactivate any applications that are using the DB instance and then create a manual snapshot Add the DBSnapshotldentifier property with the ID of the used DB snapshot
412
You have on application hosted in AWS, which sits on EC2 Instances behind on Elastic Cloud Balancer. You have added on new feature to your application end are now receiving users' complaints that the site has a slow response. Which of the below actions can you carry out to help you pinpoint the issue?
Create some custom Cloudwatch metrics which are pertinent to the key features of your application
413
You currently have an application deployed via Elastic Beanstalk. You are now deploying a new application. In Elastic Beanstalk, the current instances are detached, and new instances are deployed and reattached. But the new instances are still not receiving any sort of traffic immediately. Why does this happen?
It takes time for the ELB to register the instances. Hence there is on small time frame before your instances can start receiving traffic
414
You are helping another team to create on AWS Aurora Database for on new application. The users of the application mainly come from Europe and North America. You propose to configure on Aurora Global Database. The primary database is located in eu-west-1 region, and the secondary database is located in us-east-1 region. Which benefits can this Amazon Aurora Global Database bring?
The Cluster in the secondary region us-east-1 enables low-latency reads Aurora Global Database is available for both Aurora MySQL and Aurora PostgreSQL For disaster recovery, the secondary Cluster can be easily promoted to allow full read and write operations
415
In order to improve the security of applications deployed on your company’s AWS platform, you are configuring AWS Inspector to continually assess EC2 instances (both Linux and Windows) to see if there are security related vulnerabilities and then get the potential issues fixed in time. When you defined a new assessment target in the AWS Inspector console, you chose oll EC2 instances in that AWS account and region and gave permissions to talk to the AWS Inspector APIs. You also selected the option to install AWS Inspector agents in all instances. What conditions must be met to generate the Inspector assessment report?
All EC2 instances need to have the AWS Systems Manager (SSM) Agent installed The EC2 instances should have a role to allow SSM Run Command
416
As a DevOps engineer, you are supporting the development team to deploy a new e-commerce software. You have used AWS CodeDeploy to deploy the latest software release to several AWS EC2 instances. In this CodeDeploy application, there are two Deployment groups called Stage and Prod. Currently, the only difference between Stage and Prod is the logging level which com be configured in a file. What is the most efficient way to implement the different logging levels for Deployment groups Stage and Prod?
For the script file in the Beforelnstall hook, use the environment variable DEPLOYMENT_GROUP_NAME to determine the Deployment Group. Then modify the logging level accordingly in the script
417
Your DevOps team has maintained a large number of EC2 instances in several AWS accounts. There are some instances that were launched for testing purposes and are no longer used. To save cost, you need to work out an approach to quickly identify the EC2 instances that have a low utilization rate, such as daily CPU utilization is 10% or less for several days. Which method is the best that you should choose?
In Trusted Advisor, Check the status of Low Utilization Amazon EC2 Instances which is part of Cost Optimization Checks
418
You are responsible for maintaining dozens of CIouolFormation templates. Most of them use mappings to manage AMI IDS for different regions omd instance types. However, the AMI IDs can change regularly, such as when there are software updates. In that case, you have to modify all related CIoudFormation templates, which is very timeo-consuming. You are considering on automated method to query and get the correct AMI IDs for CIoudFormation. Which two approaches together com help you achieve this?
Create a Lambda function to get the latest AMIS for a given region and instance type In the CloudFormotion template, create a custom resource type to invoke and send input values to a Lambda function to get the correct AMIS. After the custom resource gets a proper response, the stack proceeds with other resources
419
A CloudFormation stack has included several AWS resources including EC2 instances. Previously, it used a mapping table to manage AMI IDs for different regions and instance types. During the creation of the EC2 resource, the AMI ID is received from the function of "Fn::FindInMap". However, you have to correct the mapping table for this approach whenever there is on new AMI ID available. You are looking at other better approaches to fetch the updated AMIs automatically. A Lambda function is already deployed by you to get the latest AMI with the region and instance type as the input. What is the best way to use the Lambda function to achieve this requirement?
Create a Custom resource in the CloudFormation template. Associate the Lambda with the Custom resource by specifying the Amazon Resource Name (ARN) of the Lambda function for the ServiceToken property
420
You work in the security team, and you need to ensure that all EC2 instances have installed certain latest security patches in time. However, the requirement is that the patches are installed in the dev and test environments for on week before they are installed in production instances. All EC2 instances can be differentiated via Tags. What is the best way to implement this using AWS Systems Manager?
Create a customized Patch Baseline. Create several Patch Groups for dev, test, and production instances and tag the instances. Associate the Patch Groups with the new Patch Baseline. Schedule the patching in a maintenance window as required
421
A large IT company has used AWS ECS to deploy dozens of Microservices. There is a new requirement from management to report any state Change of either ECS container instances or ECS tasks to on group Channel in Microsoft Teams. The notification messages should be nicely readable and sent immediately whenever a status Change happens. Which two methods in combinations can achieve this requirement?
Add on new Cloudtch Events rule for status change of ECS. Add a Ldmbda function es the target when an event is triggered Create a Lambda function to analyze the state Change event in ECS and then provide on appropriate message to the Channel in Microsoft Teams
422
A large financial company runs a Cloud Hybrid environment. Previously, separate deployment tools are used for on-premises and AWS servers. There is an increasing need to manage the deployment with the same tool for all the instances. You proposed to use AWS CodeDeploy for this requirement. Given that all existing on-premise machines are running on Ubuntu 16.04 LTS operating system, which prerequisites must be met to configure on-premises instances with AWS CodeDeploy?
The local account used to configure the on-premises instance must be able to run either as sudo or root The IAM identity to register the on-premises instance in CodeDeploy service must be granted proper permissions
423
A bank has adopted a strict IT process to deploy new software releases. It uses AWS CodeDeploy to manage several deployment stages including Feature Test, System Integration Test and Production. Each stage has a Deployment Group in CodeDeploy. And relevant targets are added into each group using Tags. For example, the servers that contain the Production tong will only be deployed when a new deployment is created for the Production Deployment Group. Which targets can NOT be added to Deployment Group by Tags or list in AWS CodeDeploy?
ECS Cluster with cm Amazon Linux AMI Lambda function written in Python 3.6
424
Your DevOps teom manages dozens of AWS accounts. Some of them belong to certain AWS Organizations and some do not. There is a new requirement to set up a CloudWotoh rule in the master account whenever there is a new event of EC2 termination for any of the other accounts. You plan to set up on CloudWatch Events rule in each account and get the event sent to the default Event bus in the monster account. Which condition is NOT mandatory for this solution to work?
All accounts should belong to certain AWS Organization
425
You have an Opswork stack setup in AWS. You want to install some updates to the Linux instances in the stack. What can be used to publish those updates?
Create and start new instances programmatically to replace your current online instances. Then delete the current instances On Linux-based instances in Chef 11.10 or older stacks, run the Update Dependencies stack command
426
You are helping the team to configure on application using AWS OpsWorks. The OpsWorks stock has two layers - PHP App Server and MySQL database. While configuring the application, you notice that the built-in OpsWorks Chef recipes can install required applications such as PHP, Apache web server, MySQL, etc. However, you still need to add custom recipes in the PHP App Server layer for EC2 instances to run while deploying the web application. The custom recipes are stored in o GitHub repository. How would you configure these custom recipes in OpsWorkS?
In OpsWorks, select the PHP App Server layer. In the Custom Chef recipes section, add the custom recipes to the Deploy lifecycle event. Redeploy the OpsWorks App with the recipes
427
You are on DevOps engineer managing a CloudFormetion StackSet deployed in the us-east-1 region. One day, you are trying to import on existing CloudFormetion stack from the us-east-2 Region to the StackSet. The stack import operation has failed and the stock instance is in INOPERABLE status. It seems that the stack instance is stuck in this state and is excluded from any further UpdateStockSet operations. You want to revert the stack import operation, fix the import failure error on the stack, and then retry the import operation. What method should you use?
In the CloudFormotion StackSet, use the Delete Stacks from StackSets option and enable RetainStacks during configuration, then delete the stock instance from the stack set. Retry the stack import operation after the import failure error has been fixed
428
Your company uses on on-premise private certificate authority (CA) to issue certificates. Now you plan to create a new CA through AWS Private Certificate Authority to replace the on-premise one. When configuring the private CA, you want to use the certificate revocation list (CRL) distribution as the certificate revocation option. A certificate revocation list (CRL) is a type of blocklist that includes certificates that should no longer be trusted. Which of the following methods is the most appropriate to configure the CRL for a CA in AWS Private Certificate Authority?
Create on Amazon S3 bucket for the CRL entries. Block public access for the S3 bucket and configure on CloudFront distribution for it. Set up the private CA to use the CIoudFront distribution
429
Your team has deployed o Lombda function with on API in Amazon API Gateway. There is a production stage for the API. In the stage, you have configured a stage voriable called Version and its value is “Prod”. Now you need to configure a canary release for the production stage. Initially, 50% of the traffic goes to the canary and the other 50% goes to the existing stage. When troffic reaches the canary release, you want to make sure that the value of the Version variable becomes “Canary” so that you can trace the API traffic status. How would you achieve this in API Gateway?
In the production stage of the API, create on canary release deployment. Set the stages request distribution accordingly for the canary and production stages. For the Version stage variable, set its Canary Override Value to “Canary”
430
Your team is working on a new feature for a mobile application. You want to use AWS AppConfig to manage whether or not the feature is turned on in the production environment. The mobile application will use the AppConfig API to fetch the feature flag status which indicates whether the feature is enabled. When enabling the feature, you also want to use a deployment type that processes the deployment by increments of a growth factor (ie. 20% for each step) so that you can monitor the application with the new feature and roll back the deployment if errors have happened. How would you achieve this requirement in AppConfig?
In the AWS AppConfig application, create a feature flag for the feature. Create a custom linear deployment strategy. When enabling the feature flag, use the linear deployment strategy
431
A Company uses Amazon Elastic Container Registry (ECR) to securely store the container images for your workload in Amazon Elastic Container Service (ECS). You need to work with the security team to scan the ECR images to identify software vulnerabilities. ECR has provided two scanning types - Basic scanning and Enhanced scanning. Due to a limited budget, you need to consider whether Enhanced scanning is necessary and should be enabled. What image scanning features is ONLY provided by ECR Enhanced scanning?
ECR image scanning can integrate with Amazon Inspector to perform continuous vulnerability scanning for both operating systems and programming language package vulnerabilities
432
Your company owns or web application deployed in AWS ECS. The application also communicates with other microservices and databases (i.e., DynomoDB) in AWS. Your manager asks you to use AWS X-Ray to collect data about requests that the application serves and also the calls the application makes to downstream AWS resources. You need to configure the X-Ray daemon properly so that the daemon can communicate with the application and upload truce date: to X-Ray. What is required when running the X- Ray daemon on Amazon ECS?
In the ECS task definition, deploy the X-Ray daemon Docker image alongside the web application Docker image. Use port mappings and network mode settings to allow the application to communicate with the daemon container
433
You are on DevOps engineer working in a bank. You need to work with the development team to deploy on new Java web application in AWS Elastic Beanstalk. The application will provide key financial services and it is essential to ensure its availability. In the Elastic Beanstalk application, when the launch configurations (i.e., instance type) need to be modified, you need to make sure that the instances are replaced efficiently and safely. When the update fails, the rollback process should be straightforward. How would you design the update type for the launch configuration Changes?
Use the immutable update type for the launch configuration changes. Create new instances in on second, temporary Auto Scaling group. When all of the new instances pass health Checks, transfer them to the original Auto Scaling group, and terminate the temporary Auto Scaling group and old instances
434
You have on application running on on Amazon EC2 instance, omol you are using IAM roles to access AWS Service APIs securely. How can you configure your application running on that instance to retrieve the API keys for use with the AWS SDKs?
When using AWS SDK and Amazon EC2 roles, you do not have to retrieve API keys explicitly. Because the SDK handles retrieving them from the Amazon EC2 MetaData service
435
You work in a startup company, and your team is developing a new Android App. Whenever a user uploads a photo in the App, a notification will be sent to his friends immediately. An AWS DynamoDB table has been created to save the photo information per user, and the DynomoDB Stream is enabled to capture the item modifications. Which service com integrate with DynomoDB Stream, process its events and send notifications?
A Lambda function
436
You have several CloudFormation stacks in your IT organization. What command will help you see all the Cloudformation stocks that have been deleted three months earlier?
list-stacks
437
A big retail company has owned lots of on-premises servers. In order to design on disaster recovery plan in the Cloud, the company plans to migrate its major servers to the AWS ap-southeast-2 region. The servers are deployed in Windows virtual machines managed by Microsoft Hyper-V. Your team lead wants to use an AWS tool to simplify the migration process to generate AMIs periodically. Also, the tool can schedule replications and track the progress. Which tool should you use to meet the need?
AWS Server Migration Service
438
As a DevOps engineer, you are helping the development team to set up a CI/CD pipeline. The new application should be deployed in on ECS Cluster with o CIoudFormation stack. In the CloudFormotion YAML file, you need to include AWS resources of on ECS Cluster, a Launch template, on Auto Scaling group and so on. The Auto Scaling group instances should be registered in the ECS Cluster. How would you configure the ASG in the CIoudFormation template?
In the Launch template Metodata, add the ECS_CLUSTER environment parameter in the /etc/ecs/ecs.config file to register the instances
439
You are on DevOps engineer in a company. There will be on security audit in the company and the security team asks you to provide evidence that the web applications in AWS are protected from the most critical attacks mentioned in “Open Web Application Security Project (OWASP) Top10”. For example, web application vulnerabilities such as SQL injection and Cross-Site Scripting (XSS) should be mitigated by on approach. This approach should also be cost-effective and simple to implement. Which of the following options would you select?
Set up AWS WAF and use a CloudFormation stack to create a Web ACL along with condition types and rules to protect the web applications in AWS
440
As a DevOps engineer, you are using a CloudFormation stack to maintain an AWS Auto Scaling group resource (AWS::AutoScaling::AutoScalingGroup). You want to use a suitable CloudFormation update policy to control how AWS CloudFormation handles updates for the Auto Scaling group resource. During the update, CloudFormation should only replace the instances in the existing Auto Scaling group instead of replacing the Auto Scaling group. The maximum number of instances that CloudFormation updates at any time should be 1 and at least 1 instance should be in service when old instances are being updated. Which UpdatePolicy is the most accurate in the CloudFormation template?
UpdatePolicy: AutoScalingRollingUpdate: MinInstancesInService: '1' MaxBatchSize: '1' WaitOnResourceSignals: 'true' PauseTime: PT10M

AWS DevOps Professional Exam (1 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2025 Bold Learning Solutions. Terms and Conditions