exam 4 Flashcards
A company has an application where reading objects from Amazon S3 is based on the type of user. The user types are registered user and guest user. The company has 25,000 users and is growing. Information is pulled from an S3 bucket depending on the user type. Which approaches are recommended to provide access to both user types? (Choose two.)
A. Provide a different access key and secret access key in the application code for registered users and guest users to provide read access to the objects.
B. Use S3 bucket policies to restrict read access to specific IAM users.
C. Use Amazon Cognito to provide access using authenticated and unauthenticated roles.
D. Create a new IAM user for each user and grant read access.
E. Use the AWS IAM service and let the application assume the different roles using the AWS Security Token Service (AWS STS) AssumeRole action depending on the type of user and provide read access to Amazon S3 using theassumed role.
A. Provide a different access key and secret access key in the application code for registered users and guest users to provide read access to the objects.
B. Use S3 bucket policies to restrict read access to specific IAM users.
A company has 25,000 employees and is growing. The company is creating an application that will be accessible to its employees only. A developer is using Amazon S3 to store images and Amazon RDS to store application data. The company requires that all employee information remain in the legacy Security Assertion Markup Language (SAML) employee directory only and is not interested in mirroring any employee information on AWS. How can the developer provide authorized access for the employees who will be using this application so each employee can access their own application data only?
A. Use Amazon VPC and keep all resources inside the VPC, and use a VPC link for the S3 bucket with the bucket policy.
B. Use Amazon Cognito user pools, federate with the SAML provider, and use user pool groups with an IAM policy.
C. Use an Amazon Cognito identity pool, federate with the SAML provider, and use an IAM condition key with a value for the cognitoidentity. amazonaws.com:sub variable to grant access to the employees.
D. Create a unique IAM role for each employee and have each employee assume the role to access the application so they can access their personal data only.
C. Use an Amazon Cognito identity pool, federate with the SAML provider, and use an IAM condition key with a value for the cognitoidentity. amazonaws.com:sub variable to grant access to the employees.
A company has developed a new serverless application using AWS Lambda functions that will be deployed using the AWS Serverless Application Model (AWS SAM) CLI. Which step should the developer complete prior to deploying the application?
A. Compress the application to a .zip file and upload it into AWS Lambda.
B. Test the new AWS Lambda function by first tracing it in AWS X-Ray.
C. Bundle the serverless application using a SAM package.
D. Create the application environment using the eb create my-env command.
A. Compress the application to a .zip file and upload it into AWS Lambda.
A company stores all personally identifiable information (PII) in an Amazon DynamoDB table named PII in AccountA. An application running on Amazon EC2 instances in Account B requires access to the PII table. An administrator in Account A created an IAM role named AccessPII with privileges to access the PII table, and made Account B a trusted entity. Which combination of additional steps should developers take to access the table? (Choose two.)
A. Ask an administrator in Account B to allow the EC2 IAM role permission to assume the AccessPII role.
B. Ask an administrator in Account B to allow the EC2 IAM role permission to assume the AccessPII role with predefined service control policies.
C. Ask an administrator in Account A to allow the EC2 IAM role permission to assume the AccessPII role with predefined service control policies.
D. Include the AssumeRole API in the application code logic to obtain credentials to access the PII table.
E. Include the GetSessionToken API in the application code logic to obtain credentials to access the PII table.
C. Ask an administrator in Account A to allow the EC2 IAM role permission to assume the AccessPII role with predefined service control policies.
E. Include the GetSessionToken API in the application code logic to obtain credentials to access the PII table.
An application needs to encrypt data that is written to Amazon S3 where the keys are managed in an on-premises data center, and the encryption is handled by S3. Which type of encryption should be used?
A. Use server-side encryption with Amazon S3-managed keys.
B. Use server-side encryption with AWS KMS-managed keys.
C. Use client-side encryption with customer master keys.
D. Use server-side encryption with customer-provided keys.
C. Use client-side encryption with customer master keys.
A development team is working on a mobile app that allows users to upload pictures to Amazon S3. The team expects the app will be used by hundreds of thousands of users during a single event simultaneously. Once the pictures are uploaded, the backend service will scan and parse the pictures for inappropriate content. Which approach is the MOST resilient way to achieve this goal, which also smooths out temporary volume spikes for the backend service?
A. Develop an AWS Lambda function to check the upload folder in the S3 bucket. If new uploaded pictures are detected, the Lambda function will scan and parse them.
B. Once a picture is uploaded to Amazon S3, publish the event to an Amazon SQS queue. Use the queue as an event source to trigger an AWS Lambda function. In the Lambda function, scan and parse the picture.
C. When the user uploads a picture, invoke an API hosted in Amazon API Gateway. The API will invoke an AWS Lambda function to scan and parse the picture.
D. Create a state machine in AWS Step Functions to check the upload folder in the S3 bucket. If a new picture is detected, invoke an AWS Lambda function to scan and parse it.
B. Once a picture is uploaded to Amazon S3, publish the event to an Amazon SQS queue. Use the queue as an event source to trigger an AWS Lambda function. In the Lambda function, scan and parse the picture.
A development team wants to run their container workloads on Amazon ECS. Each application container needs to share data with another container to collect logs and metrics. What should the developer team do to meet these requirements?
A. Create two pod specifications. Make one to include the application container and the other to include the other container. Link the two pods together.
B. Create two task definitions. Make one to include the application container and the other to include the other container. Mount a shared volume between the two tasks.
C. Create one task definition. Specify both containers in the definition. Mount a shared volume between those two containers.
D. Create a single pod specification. Include both containers in the specification. Mount a persistent volume to both containers.
A. Create two pod specifications. Make one to include the application container and the other to include the other container. Link the two pods together.
A developer wants to send multi-value headers to an AWS Lambda function that is registered as a target with an Application Load Balancer (ALB). What should the developer do to achieve this?
A. Place the Lambda function and target group in the same account.
B. Send the request body to the Lambda function with a size less than 1 MB.
C. Include the Base64 encoding status, status code, status description, and headers in the Lambda function.
D. Enable the multi-value headers on the ALB.
D. Enable the multi-value headers on the ALB.
An ecommerce startup is preparing for an annual sales event. As the traffic to the company’s application increases, the development team wants to be notified when the Amazon EC2 instance’s CPU utilization exceeds 80%. Which solution will meet this requirement?
A. Create a custom Amazon CloudWatch alarm that sends a notification to an Amazon SNS topic when the CPU utilization exceeds 80%.
B. Create a custom AWS Cloud Trail alarm that sends a notification to an Amazon SNS topic when the CPU utilization exceeds 80%.
C. Create a cron job on the EC2 instance that executes the –describe-instance-information command on the host instance every 15 minutes and sends the results to an Amazon SNS topic.
D. Create an AWS Lambda function that queries the AWS CloudTrail logs for the CPUUtilization metric every 15 minutes and sends a notification to an Amazon SNS topic when the CPU utilization exceeds 80%.
A. Create a custom Amazon CloudWatch alarm that sends a notification to an Amazon SNS topic when the CPU utilization exceeds 80%.
An application running on Amazon EC2 opens connections to an Amazon RDS SQL Server database. The developer does not want to store the user name and password for the database in the code. The developer would also like to automatically rotate the credentials. What is the MOST secure way to store and access the database credentials?
A. Create an IAM role that has permissions to access the database. Attach the role to the EC2 instance.
B. Use AWS Secrets Manager to store the credentials. Retrieve the credentials from Secrets Manager as needed.
C. Store the credentials in an encrypted text file in an Amazon S3 bucket. Configure the EC2 instance’s user data to download the credentials from Amazon S3 as the instance boots.
D. Store the user name and password credentials directly in the source code. No further action is needed because the source code is stored in a private repository.
B. Use AWS Secrets Manager to store the credentials. Retrieve the credentials from Secrets Manager as needed.
A global company has an application running on Amazon EC2 instances that serves image files from Amazon S3. User requests from the browser are causing high traffic, which results in degraded performance. Which optimization solution should a developer implement to increase application performance?
A. Create multiple prefixes in the S3 bucket to increase the request rate.
B. Create an Amazon ElastiCache cluster to cache and serve frequently accessed items.
C. Use Amazon CloudFront to serve the content of images stored in Amazon S3.
D. Submit a ticket to AWS Support to request a rate limit increase for the S3 bucket.
C. Use Amazon CloudFront to serve the content of images stored in Amazon S3.
A developer is updating an application deployed on AWS Elastic Beanstalk. The new version is incompatible with the old version. To successfully deploy the update, a full cutover to the new, updated version must be performed on all instances at one time, with the ability to roll back changes in case of a deployment failure in the new version. How can this be performed with the LEAST amount of downtime?
A. Use the Elastic Beanstalk All at once deployment policy to update all instances simultaneously.
B. Perform an Elastic Beanstalk Rolling with additional batch deployment.
C. Deploy the new version in a new Elastic Beanstalk environment and swap environment URLs.
D. Perform an Elastic Beanstalk Rolling deployment.
D. Perform an Elastic Beanstalk Rolling deployment.
A developer is writing a web application that must share secure documents with end users. The documents are stored in a private Amazon S3 bucket. The application must allow only authenticated users to download specific documents when requested, and only for a duration of 15 minutes. How can the developer meet these requirements?
A. Copy the documents to a separate S3 bucket that has a lifecycle policy for deletion after 15 minutes.
B. Create a presigned S3 URL using the AWS SDK with an expiration time of 15 minutes.
C. Create a presigned S3 URL using the AWS SDK with an expiration time of 15 minutes.
D. Create a presigned S3 URL using the AWS SDK with an expiration time of 15 minutes.
B. Create a presigned S3 URL using the AWS SDK with an expiration time of 15 minutes.
A company is developing a report executed by AWS Step Functions, Amazon CloudWatch shows errors in the Step Functions task state machine. To troubleshoot each task, the state input needs to be included along with the error message in the state output. Which coding practice can preserve both the original input and the error for the state?
A. Use ResultPath in a Catch statement to include the error with the original input.
B. Use InputPath in a Catch statement and set the value to null.
C. Use Error Equals in a Retry statement to include the error with the original input.
D. Use OutputPath in a Retry statement and set the value to $.
A. Use ResultPath in a Catch statement to include the error with the original input
A developer receives the following error message when trying to launch or terminate an Amazon EC2 instance using a boto3 script. What should the developer do to correct this error message?
A. Assign an IAM role to the EC2 instance to allow necessary API calls on behalf of the client.
B. Implement an exponential backoff algorithm for optimizing the number of API requests made to Amazon EC2.
C. Increase the overall network bandwidth to handle higher API request rates.
D. Upgrade to the latest AWS CLI version so that boto3 can handle higher request rates.
B. Implement an exponential backoff algorithm for optimizing the number of API requests made to Amazon EC2.
Given the following AWS CloudFormation template: What is the MOST efficient way to reference the new Amazon S3 bucket from another AWS CloudFormation template?
A. Add an Export declaration to the Outputs section of the original template and use ImportValue in other templates.
B. Add Exported: true to the Contentbucket in the original template and use ImportResource in other templates.
C. Create a custom AWS CloudFormation resource that gets the bucket name from the ContentBucket resource of the first stack.
D. Use Fn::Include to include the existing template in other templates and use the ContentBucket resource directly.
C. Create a custom AWS CloudFormation resource that gets the bucket name from the ContentBucket resource of the first stack.
A gaming application stores scores for players in an Amazon DynamoDB table that has four attributes: user_id, user_name, user_score, and user_rank. The users are allowed to update their names only. A user is authenticated by web identity federation. Which set of conditions should be added in the policy attached to the role for the dynamodb: PutItem API call?
A. A.
B. B.
C. C.
D. D.
C. C.
A developer is using AWS CodeDeploy to deploy an application running on Amazon EC2. The developer wants to change the file permissions for a specific deployment file. Which lifecycle event should a developer use to meet this requirement?
A. AfterInstall.
B. DownloadBundle.
C. BeforeInstall.
D. ValidateService.
A. AfterInstall.
A developer is using Amazon DynamoDB to store application data. The developer wants to further improve application performance by reducing response times for read and write operations. Which DynamoDB feature should be used to meet these requirements?
A. Amazon DynamoDB Streams.
B. Amazon DynamoDB Accelerator.
C. Amazon DynamoDB global tables.
D. Amazon DynamoDB transactions.
D. Amazon DynamoDB transactions.
A developer is creating a script to automate the deployment process for a serverless application. The developer wants to use an existing AWS Serverless Application Model (AWS SAM) template for the application. What should the developer use for the project? (Choose two.)
A. Call aws cloudformation package to create the deployment package. Call aws cloudformation deploy to deploy the package afterward.
B. Call sam package to create the deployment package. Call sam deploy to deploy the package afterward.
C. Call aws s3 cp to upload the AWS SAM template to Amazon S3. Call aws lambda update-function-code to create the application.
D. Create a ZIP package locally and call aws serverlessrepo create-application to create the application.
E. Create a ZIP package and upload it to Amazon S3. Call aws cloudformation create-stack to create the application.
C. Call aws s3 cp to upload the AWS SAM template to Amazon S3. Call aws lambda update-function-code to create the application.
E. Create a ZIP package and upload it to Amazon S3. Call aws cloudformation create-stack to create the application.
