DOP-C02 dumps

Amazon DOP-C02 Question Answers

AWS Certified DevOps Engineer - Professional Dumps April 2024

Are you tired of looking for a source that will keep you updated on the AWS Certified DevOps Engineer - Professional Exam and that has a collection of affordable, high-quality, and incredibly easy Amazon DOP-C02 Practice Questions? Well then, you are in luck, because Salesforcexamdumps.com just updated them! Get ready to become AWS Certified Professional certified.


Here are the available Amazon DOP-C02 PDF features:

207 questions with answers
Update date: 29 Apr, 2024
1 day study required to pass exam
100% Passing Assurance
100% Money Back Guarantee
Free 3 Months Updates

What is Amazon DOP-C02?

Amazon DOP-C02 is a necessary certification exam to get certified. The certification is a reward to the deserving candidate with perfect results. The AWS Certified Professional Certification validates a candidate's expertise to work with Amazon. In this fast-paced world, a certification is the quickest way to gain your employer's approval. Try your luck in passing the AWS Certified DevOps Engineer - Professional Exam and becoming a certified professional today. Salesforcexamdumps.com is always eager to extend a helping hand by providing approved and accepted Amazon DOP-C02 Practice Questions. Passing AWS Certified DevOps Engineer - Professional will be your ticket to a better future!

Pass with Amazon DOP-C02 Braindumps!

Contrary to the belief that certification exams are generally hard to get through, passing AWS Certified DevOps Engineer - Professional is incredibly easy, provided you have access to a reliable resource such as the Salesforcexamdumps.com Amazon DOP-C02 PDF. We have been in this business long enough to understand where most of the resources went wrong. Passing the Amazon AWS Certified Professional certification is all about having the right information. Hence, we filled our Amazon DOP-C02 Dumps with all the necessary data you need to pass. These carefully curated sets of AWS Certified DevOps Engineer - Professional Practice Questions target the most repeated exam questions. So, you know they are essential and can ensure passing results. Stop wasting your time waiting around and order your set of Amazon DOP-C02 Braindumps now!

We aim to provide all AWS Certified Professional certification exam candidates with the best resources at minimum rates. You can check out our free demo before downloading to ensure the Amazon DOP-C02 Practice Questions are what you wanted. And do not forget about the discount. We always provide our customers with a little extra.

Why Choose Amazon DOP-C02 PDF?

Unlike other websites, Salesforcexamdumps.com prioritizes the benefits of the AWS Certified DevOps Engineer - Professional candidates. Not every Amazon exam candidate has full-time access to the internet. Plus, it's hard to sit in front of computer screens for too many hours. Are you also one of them? We understand; that's why we are here with the AWS Certified Professional solutions. Amazon DOP-C02 Question Answers are offered in two different formats: PDF and Online Test Engine. One is for customers who like online platforms for realistic exam simulation. The other is for those who prefer keeping their material close at hand. Moreover, you can download or print Amazon DOP-C02 Dumps with ease.

If you still have some queries, our team of experts is available 24/7 to answer your questions. Just leave us a quick message in the chat-box below or email at [email protected].

Amazon DOP-C02 Sample Questions

Question # 1

A company has a mission-critical application on AWS that uses automatic scaling. The company wants the deployment lifecycle to meet the following parameters:
• The application must be deployed one instance at a time to ensure the remaining fleet continues to serve traffic.
• The application is CPU intensive and must be closely monitored.
• The deployment must automatically roll back if the CPU utilization of the deployment instance exceeds 85%.
Which solution will meet these requirements?

A. Use AWS CloudFormation to create an AWS Step Functions state machine and Auto Scaling lifecycle hooks to move one instance at a time into a wait state. Use AWS Systems Manager automation to deploy the update to each instance and move it back into the Auto Scaling group using the heartbeat timeout.
B. Use AWS CodeDeploy with Amazon EC2 Auto Scaling. Configure an alarm tied to the CPU utilization metric. Use the CodeDeployDefault.OneAtATime configuration as a deployment strategy. Configure automatic rollbacks within the deployment group to roll back the deployment if the alarm thresholds are breached.
C. Use AWS Elastic Beanstalk for load balancing and AWS Auto Scaling. Configure an alarm tied to the CPU utilization metric. Configure rolling deployments with a fixed batch size of one instance. Enable enhanced health to monitor the status of the deployment and roll back based on the alarm previously created.
D. Use AWS Systems Manager to perform a blue/green deployment with Amazon EC2 Auto Scaling. Configure an alarm tied to the CPU utilization metric. Deploy updates one at a time. Configure automatic rollbacks within the Auto Scaling group to roll back the deployment if the alarm thresholds are breached.


Question # 2

A company has 20 service teams. Each service team is responsible for its own microservice. Each service team uses a separate AWS account for its microservice and a VPC with the 192.168.0.0/22 CIDR block. The company manages the AWS accounts with AWS Organizations.
Each service team hosts its microservice on multiple Amazon EC2 instances behind an Application Load Balancer. The microservices communicate with each other across the public internet. The company's security team has issued a new guideline that all communication between microservices must use HTTPS over private network connections and cannot traverse the public internet.
A DevOps engineer must implement a solution that fulfills these obligations and minimizes the number of changes for each service team.
Which solution will meet these requirements?

A. Create a new AWS account in AWS Organizations. Create a VPC in this account and use AWS Resource Access Manager to share the private subnets of this VPC with the organization. Instruct the service teams to launch a new Network Load Balancer (NLB) and EC2 instances that use the shared private subnets. Use the NLB DNS names for communication between microservices.
B. Create a Network Load Balancer (NLB) in each of the microservice VPCs. Use AWS PrivateLink to create VPC endpoints in each AWS account for the NLBs. Create subscriptions to each VPC endpoint in each of the other AWS accounts. Use the VPC endpoint DNS names for communication between microservices.
C. Create a Network Load Balancer (NLB) in each of the microservice VPCs. Create VPC peering connections between each of the microservice VPCs. Update the route tables for each VPC to use the peering links. Use the NLB DNS names for communication between microservices.
D. Create a new AWS account in AWS Organizations. Create a transit gateway in this account and use AWS Resource Access Manager to share the transit gateway with the organization. In each of the microservice VPCs, create a transit gateway attachment to the shared transit gateway. Update the route tables of each VPC to use the transit gateway. Create a Network Load Balancer (NLB) in each of the microservice VPCs. Use the NLB DNS names for communication between microservices.


Question # 3

A security team is concerned that a developer can unintentionally attach an Elastic IP address to an Amazon EC2 instance in production. No developer should be allowed to attach an Elastic IP address to an instance. The security team must be notified if any production server has an Elastic IP address at any time.
How can this task be automated?

A. Use Amazon Athena to query AWS CloudTrail logs to check for any associate-address attempts. Create an AWS Lambda function to disassociate the Elastic IP address from the instance, and alert the security team.
B. Attach an IAM policy to the developers' IAM group to deny associate-address permissions. Create a custom AWS Config rule to check whether an Elastic IP address is associated with any instance tagged as production, and alert the security team.
C. Ensure that all IAM groups associated with developers do not have associate-address permissions. Create a scheduled AWS Lambda function to check whether an Elastic IP address is associated with any instance tagged as production, and alert the security team if an instance has an Elastic IP address associated with it.
D. Create an AWS Config rule to check that all production instances have EC2 IAM roles that include deny associate-address permissions. Verify whether there is an Elastic IP address associated with any instance, and alert the security team if an instance has an Elastic IP address associated with it.


Question # 4

A company is using AWS CodePipeline to deploy an application. According to a new guideline, a member of the company's security team must sign off on any application changes before the changes are deployed into production. The approval must be recorded and retained.
Which combination of actions will meet these requirements? (Select TWO.)

A. Configure CodePipeline to write actions to Amazon CloudWatch Logs.
B. Configure CodePipeline to write actions to an Amazon S3 bucket at the end of each pipeline stage.
C. Create an AWS CloudTrail trail to deliver logs to Amazon S3.
D. Create a CodePipeline custom action to invoke an AWS Lambda function for approval. Create a policy that gives the security team access to manage CodePipeline custom actions.
E. Create a CodePipeline manual approval action before the deployment step. Create a policy that grants the security team access to approve manual approval stages.


Question # 5

A company has an AWS CodeDeploy application. The application has a deployment group that uses a single tag group to identify instances for the deployment of ApplicationA. The single tag group configuration identifies instances that have Environment=Production and Name=ApplicationA tags for the deployment of ApplicationA.
The company launches an additional Amazon EC2 instance with Department=Marketing, Environment=Production, and Name=ApplicationB tags. On the next CodeDeploy deployment of ApplicationA, the additional instance has ApplicationA installed on it. A DevOps engineer needs to configure the existing deployment group to prevent ApplicationA from being installed on the additional instance.
Which solution will meet these requirements?

A. Change the current single tag group to include only the Environment=Production tag. Add another single tag group that includes only the Name=ApplicationA tag.
B. Change the current single tag group to include the Department=Marketing, Environment=Production, and Name=ApplicationA tags.
C. Add another single tag group that includes only the Department=Marketing tag. Keep the Environment=Production and Name=ApplicationA tags with the current single tag group.
D. Change the current single tag group to include only the Environment=Production tag. Add another single tag group that includes only the Department=Marketing tag.


Question # 6

A company uses an organization in AWS Organizations to manage its AWS accounts. The company recently acquired another company that has standalone AWS accounts. The acquiring company's DevOps team needs to consolidate the administration of the AWS accounts for both companies and retain full administrative control of the accounts. The DevOps team also needs to collect and group findings across all the accounts to implement and maintain a security posture.
Which combination of steps should the DevOps team take to meet these requirements? (Select TWO.)

A. Invite the acquired company's AWS accounts to join the organization. Create an SCP that has full administrative privileges. Attach the SCP to the management account.
B. Invite the acquired company's AWS accounts to join the organization. Create the OrganizationAccountAccessRole IAM role in the invited accounts. Grant permission to the management account to assume the role.
C. Use AWS Security Hub to collect and group findings across all accounts. Use Security Hub to automatically detect new accounts as the accounts are added to the organization.
D. Use AWS Firewall Manager to collect and group findings across all accounts. Enable all features for the organization. Designate an account in the organization as the delegated administrator account for Firewall Manager.
E. Use Amazon Inspector to collect and group findings across all accounts. Designate an account in the organization as the delegated administrator account for Amazon Inspector.


Question # 7

A company is reviewing its IAM policies. One policy written by the DevOps engineer has been flagged as too permissive. The policy is used by an AWS Lambda function that issues a stop command to Amazon EC2 instances tagged with Environment: NonProduction over the weekend. The current policy is:

A. Option A
B. Option B
C. Option C
D. Option D
E. Option E
F. Option F


Question # 8

A company's application teams use AWS CodeCommit repositories for their applications. The application teams have repositories in multiple AWS accounts. All accounts are in an organization in AWS Organizations.
Each application team uses AWS IAM Identity Center (AWS Single Sign-On) configured with an external IdP to assume a developer IAM role. The developer role allows the application teams to use Git to work with the code in the repositories.
A security audit reveals that the application teams can modify the main branch in any repository. A DevOps engineer must implement a solution that allows the application teams to modify the main branch of only the repositories that they manage.
Which combination of steps will meet these requirements? (Select THREE.)

A. Update the SAML assertion to pass the user's team name. Update the IAM role's trust policy to add an access-team session tag that has the team name.
B. Create an approval rule template for each team in the Organizations management account. Associate the template with all the repositories. Add the developer role ARN as an approver.
C. Create an approval rule template for each account. Associate the template with all repositories. Add the "aws:ResourceTag/access-team":"${aws:PrincipalTag/access-team}" condition to the approval rule template.
D. For each CodeCommit repository, add an access-team tag that has the value set to the name of the associated team.
E. Attach an SCP to the accounts. Include the following statement:
F. Create an IAM permissions boundary in each account. Include the following statement:


Question # 9

A company has an application and a CI/CD pipeline. The CI/CD pipeline consists of an AWS CodePipeline pipeline and an AWS CodeBuild project. The CodeBuild project runs tests against the application as part of the build process and outputs a test report. The company must keep the test reports for 90 days.
Which solution will meet these requirements?

A. Add a new stage in the CodePipeline pipeline after the stage that contains the CodeBuild project. Create an Amazon S3 bucket to store the reports. Configure an S3 deploy action type in the new CodePipeline stage with the appropriate path and format for the reports.
B. Add a report group in the CodeBuild project buildspec file with the appropriate path and format for the reports. Create an Amazon S3 bucket to store the reports. Configure an Amazon EventBridge rule that invokes an AWS Lambda function to copy the reports to the S3 bucket when a build is completed. Create an S3 Lifecycle rule to expire the objects after 90 days.
C. Add a new stage in the CodePipeline pipeline. Configure a test action type with the appropriate path and format for the reports. Configure the report expiration time to be 90 days in the CodeBuild project buildspec file.
D. Add a report group in the CodeBuild project buildspec file with the appropriate path and format for the reports. Create an Amazon S3 bucket to store the reports. Configure the report group as an artifact in the CodeBuild project buildspec file. Configure the S3 bucket as the artifact destination. Set the object expiration to 90 days.


Question # 10

An ecommerce company uses a large number of Amazon Elastic Block Store (Amazon EBS) backed Amazon EC2 instances. To decrease manual work across all the instances, a DevOps engineer is tasked with automating restart actions when EC2 instance retirement events are scheduled.
How can this be accomplished?

A. Create a scheduled Amazon EventBridge rule to run an AWS Systems Manager Automation runbook that checks if any EC2 instances are scheduled for retirement once a week. If the instance is scheduled for retirement, the runbook will hibernate the instance.
B. Enable EC2 Auto Recovery on all of the instances. Create an AWS Config rule to limit the recovery to occur during a maintenance window only.
C. Reboot all EC2 instances during an approved maintenance window that is outside of standard business hours. Set up Amazon CloudWatch alarms to send a notification in case any instance is failing EC2 instance status checks.
D. Set up an AWS Health Amazon EventBridge rule to run AWS Systems Manager Automation runbooks that stop and start the EC2 instance when a retirement scheduled event occurs.


Question # 11

A DevOps engineer is using AWS CodeDeploy across a fleet of Amazon EC2 instances in an EC2 Auto Scaling group. The associated CodeDeploy deployment group, which is integrated with EC2 Auto Scaling, is configured to perform in-place deployments with CodeDeployDefault.OneAtATime. During an ongoing new deployment, the engineer discovers that, although the overall deployment finished successfully, two out of five instances have the previous application revision deployed. The other three instances have the newest application revision.
What is likely causing this issue?

A. The two affected instances failed to fetch the new deployment.
B. A failed AfterInstall lifecycle event hook caused the CodeDeploy agent to roll back to the previous version on the affected instances.
C. The CodeDeploy agent was not installed in two affected instances.
D. EC2 Auto Scaling launched two new instances while the new deployment had not yet finished, causing the previous version to be deployed on the affected instances.


Question # 12

A company is examining its disaster recovery capability and wants the ability to switch over its daily operations to a secondary AWS Region. The company uses AWS CodeCommit as a source control tool in the primary Region.
A DevOps engineer must provide the capability for the company to develop code in the secondary Region. If the company needs to use the secondary Region, developers can add an additional remote URL to their local Git configuration.
Which solution will meet these requirements?

A. Create a CodeCommit repository in the secondary Region. Create an AWS CodeBuild project to perform a Git mirror operation of the primary Region's CodeCommit repository to the secondary Region's CodeCommit repository. Create an AWS Lambda function that invokes the CodeBuild project. Create an Amazon EventBridge rule that reacts to merge events in the primary Region's CodeCommit repository. Configure the EventBridge rule to invoke the Lambda function.
B. Create an Amazon S3 bucket in the secondary Region. Create an AWS Fargate task to perform a Git mirror operation of the primary Region's CodeCommit repository and copy the result to the S3 bucket. Create an AWS Lambda function that initiates the Fargate task. Create an Amazon EventBridge rule that reacts to merge events in the CodeCommit repository. Configure the EventBridge rule to invoke the Lambda function.
C. Create an AWS CodeArtifact repository in the secondary Region. Create an AWS CodePipeline pipeline that uses the primary Region's CodeCommit repository for the source action. Create a Cross-Region stage in the pipeline that packages the CodeCommit repository contents and stores the contents in the CodeArtifact repository when a pull request is merged into the CodeCommit repository.
D. Create an AWS Cloud9 environment and a CodeCommit repository in the secondary Region. Configure the primary Region's CodeCommit repository as a remote repository in the AWS Cloud9 environment. Connect the secondary Region's CodeCommit repository to the AWS Cloud9 environment.


Question # 13

A company has a single developer writing code for an automated deployment pipeline. The developer is storing source code in an Amazon S3 bucket for each project. The company wants to add more developers to the team but is concerned about code conflicts and lost work. The company also wants to build a test environment to deploy newer versions of code for testing and allow developers to automatically deploy to both environments when code is changed in the repository.
What is the MOST efficient way to meet these requirements?

A. Create an AWS CodeCommit repository for each project, use the main branch for production code, and create a testing branch for code deployed to testing. Use feature branches to develop new features and pull requests to merge code to testing and main branches.
B. Create another S3 bucket for each project for testing code, and use an AWS Lambda function to promote code changes between testing and production buckets. Enable versioning on all buckets to prevent code conflicts.
C. Create an AWS CodeCommit repository for each project, and use the main branch for production and test code with different deployment pipelines for each environment. Use feature branches to develop new features.
D. Enable versioning and branching on each S3 bucket, use the main branch for production code, and create a testing branch for code deployed to testing. Have developers use each branch for developing in each environment.


Question # 14

A company is using AWS to run digital workloads. Each application team in the company has its own AWS account for application hosting. The accounts are consolidated in an organization in AWS Organizations.
The company wants to enforce security standards across the entire organization. To avoid noncompliance because of security misconfiguration, the company has enforced the use of AWS CloudFormation. A production support team can modify resources in the production environment by using the AWS Management Console to troubleshoot and resolve application-related issues.
A DevOps engineer must implement a solution to identify in near real time any AWS service misconfiguration that results in noncompliance. The solution must automatically remediate the issue within 15 minutes of identification. The solution also must track noncompliant resources and events in a centralized dashboard with accurate timestamps.
Which solution will meet these requirements with the LEAST development overhead?

A. Use CloudFormation drift detection to identify noncompliant resources. Use drift detection events from CloudFormation to invoke an AWS Lambda function for remediation. Configure the Lambda function to publish logs to an Amazon CloudWatch Logs log group. Configure an Amazon CloudWatch dashboard to use the log group for tracking.
B. Turn on AWS CloudTrail in the AWS accounts. Analyze CloudTrail logs by using Amazon Athena to identify noncompliant resources. Use AWS Step Functions to track query results on Athena for drift detection and to invoke an AWS Lambda function for remediation. For tracking, set up an Amazon QuickSight dashboard that uses Athena as the data source.
C. Turn on the configuration recorder in AWS Config in all the AWS accounts to identify noncompliant resources. Enable AWS Security Hub with the --no-enable-default-standards option in all the AWS accounts. Set up AWS Config managed rules and custom rules. Set up automatic remediation by using AWS Config conformance packs. For tracking, set up a dashboard on Security Hub in a designated Security Hub administrator account.
D. Turn on AWS CloudTrail in the AWS accounts. Analyze CloudTrail logs by using Amazon CloudWatch Logs to identify noncompliant resources. Use CloudWatch Logs filters for drift detection. Use Amazon EventBridge to invoke the Lambda function for remediation. Stream filtered CloudWatch logs to Amazon OpenSearch Service. Set up a dashboard on OpenSearch Service for tracking.


Question # 15

A DevOps engineer manages a company's Amazon Elastic Container Service (Amazon ECS) cluster. The cluster runs on several Amazon EC2 instances that are in an Auto Scaling group. The DevOps engineer must implement a solution that logs and reviews all stopped tasks for errors.
Which solution will meet these requirements?

A. Create an Amazon EventBridge rule to capture task state changes. Send the event to Amazon CloudWatch Logs. Use CloudWatch Logs Insights to investigate stopped tasks.
B. Configure tasks to write log data in the embedded metric format. Store the logs in Amazon CloudWatch Logs. Monitor the ContainerInstanceCount metric for changes.
C. Configure the EC2 instances to store logs in Amazon CloudWatch Logs. Create a CloudWatch Contributor Insights rule that uses the EC2 instance log data. Use the Contributor Insights rule to investigate stopped tasks.
D. Configure an EC2 Auto Scaling lifecycle hook for the EC2_INSTANCE_TERMINATING scale-in event. Write the SystemEventLog file to Amazon S3. Use Amazon Athena to query the log file for errors.


Question # 16

A company has deployed a critical application in two AWS Regions. The application uses an Application Load Balancer (ALB) in both Regions. The company has Amazon Route 53 alias DNS records for both ALBs.
The company uses Amazon Route 53 Application Recovery Controller to ensure that the application can fail over between the two Regions. The Route 53 ARC configuration includes a routing control for both Regions. The company uses Route 53 ARC to perform quarterly disaster recovery (DR) tests.
During the most recent DR test, a DevOps engineer accidentally turned off both routing controls. The company needs to ensure that at least one routing control is turned on at all times.
Which solution will meet these requirements?

A. In Route 53 ARC, create a new assertion safety rule. Apply the assertion safety rule to the two routing controls. Configure the rule with the ATLEAST type with a threshold of 1.
B. In Route 53 ARC, create a new gating safety rule. Apply the assertion safety rule to the two routing controls. Configure the rule with the OR type with a threshold of 1.
C. In Route 53 ARC, create a new resource set. Configure the resource set with an AWS::Route53::HealthCheck resource type. Specify the ARNs of the two routing controls as the target resource. Create a new readiness check for the resource set.
D. In Route 53 ARC, create a new resource set. Configure the resource set with an AWS::Route53RecoveryReadiness::DNSTargetResource resource type. Add the domain names of the two Route 53 alias DNS records as the target resource. Create a new readiness check for the resource set.


Question # 17

A company manages a multi-tenant environment in its VPC and has configured Amazon GuardDuty for the corresponding AWS account. The company sends all GuardDuty findings to AWS Security Hub.
Traffic from suspicious sources is generating a large number of findings. A DevOps engineer needs to implement a solution to automatically deny traffic across the entire VPC when GuardDuty discovers a new suspicious source.
Which solution will meet these requirements?

A. Create a GuardDuty threat list. Configure GuardDuty to reference the list. Create an AWS Lambda function that will update the threat list. Configure the Lambda function to run in response to new Security Hub findings that come from GuardDuty.
B. Configure an AWS WAF web ACL that includes a custom rule group. Create an AWS Lambda function that will create a block rule in the custom rule group. Configure the Lambda function to run in response to new Security Hub findings that come from GuardDuty.
C. Configure a firewall in AWS Network Firewall. Create an AWS Lambda function that will create a Drop action rule in the firewall policy. Configure the Lambda function to run in response to new Security Hub findings that come from GuardDuty.
D. Create an AWS Lambda function that will create a GuardDuty suppression rule. Configure the Lambda function to run in response to new Security Hub findings that come from GuardDuty.


Question # 18

A company recently deployed its web application on AWS. The company is preparing for a large-scale sales event and must ensure that the web application can scale to meet the demand.
The application's frontend infrastructure includes an Amazon CloudFront distribution that has an Amazon S3 bucket as an origin. The backend infrastructure includes an Amazon API Gateway API, several AWS Lambda functions, and an Amazon Aurora DB cluster.
The company's DevOps engineer conducts a load test and identifies that the Lambda functions can fulfill the peak number of requests. However, the DevOps engineer notices request latency during the initial burst of requests. Most of the requests to the Lambda functions produce queries to the database. A large portion of the invocation time is used to establish database connections.
Which combination of steps will provide the application with the required scalability? (Select TWO)

A. Configure a higher reserved concurrency for the Lambda functions.
B. Configure a higher provisioned concurrency for the Lambda functions.
C. Convert the DB cluster to an Aurora global database. Add additional Aurora Replicas in AWS Regions based on the locations of the company's customers.
D. Refactor the Lambda functions. Move the code blocks that initialize database connections into the function handlers.
E. Use Amazon RDS Proxy to create a proxy for the Aurora database. Update the Lambda functions to use the proxy endpoints for database connections.


Question # 19

A company's security policies require the use of security hardened AMIs in production environments. A DevOps engineer has used EC2 Image Builder to create a pipeline that builds the AMIs on a recurring schedule.
The DevOps engineer needs to update the launch templates of the company's Auto Scaling groups. The Auto Scaling groups must use the newest AMIs during the launch of Amazon EC2 instances.
Which solution will meet these requirements with the MOST operational efficiency?

A. Configure an Amazon EventBridge rule to receive new AMI events from Image Builder. Target an AWS Systems Manager Run Command document that updates the launch templates of the Auto Scaling groups with the newest AMI ID.
B. Configure an Amazon EventBridge rule to receive new AMI events from Image Builder. Target an AWS Lambda function that updates the launch templates of the Auto Scaling groups with the newest AMI ID.
C. Configure the launch template to use a value from AWS Systems Manager Parameter Store for the AMI ID. Configure the Image Builder pipeline to update the Parameter Store value with the newest AMI ID.
D. Configure the Image Builder distribution settings to update the launch templates with the newest AMI ID. Configure the Auto Scaling groups to use the newest version of the launch template.


Question # 20

A company requires its internal business teams to launch resources through pre-approved AWS CloudFormation templates only. The security team requires automated monitoring when resources drift from their expected state.
Which strategy should be used to meet these requirements?

A. Allow users to deploy CloudFormation stacks using a CloudFormation service role only. Use CloudFormation drift detection to detect when resources have drifted from their expected state.
B. Allow users to deploy CloudFormation stacks using a CloudFormation service role only. Use AWS Config rules to detect when resources have drifted from their expected state.
C. Allow users to deploy CloudFormation stacks using AWS Service Catalog only. Enforce the use of a launch constraint. Use AWS Config rules to detect when resources have drifted from their expected state.
D. Allow users to deploy CloudFormation stacks using AWS Service Catalog only. Enforce the use of a template constraint. Use Amazon EventBridge notifications to detect when resources have drifted from their expected state.


Question # 21

A company is building a web and mobile application that uses a serverless architecture powered by AWS Lambda and Amazon API Gateway. The company wants to fully automate the backend Lambda deployment based on code that is pushed to the appropriate environment branch in an AWS CodeCommit repository. The deployment must have the following:
• Separate environment pipelines for testing and production
• Automatic deployment that occurs for test environments only
Which steps should be taken to meet these requirements?

A. Configure a new AWS CodePipeline service. Create a CodeCommit repository for each environment. Set up CodePipeline to retrieve the source code from the appropriate repository. Set up the deployment step to deploy the Lambda functions with AWS CloudFormation.
B. Create two AWS CodePipeline configurations for test and production environments. Configure the production pipeline to have a manual approval step. Create a CodeCommit repository for each environment. Set up each CodePipeline to retrieve the source code from the appropriate repository. Set up the deployment step to deploy the Lambda functions with AWS CloudFormation.
C. Create two AWS CodePipeline configurations for test and production environments. Configure the production pipeline to have a manual approval step. Create one CodeCommit repository with a branch for each environment. Set up each CodePipeline to retrieve the source code from the appropriate branch in the repository. Set up the deployment step to deploy the Lambda functions with AWS CloudFormation.
D. Create an AWS CodeBuild configuration for test and production environments. Configure the production pipeline to have a manual approval step. Create one CodeCommit repository with a branch for each environment. Push the Lambda function code to an Amazon S3 bucket. Set up the deployment step to deploy the Lambda functions from the S3 bucket.


Question # 22

A healthcare services company is concerned about the growing costs of software licensing for an application for monitoring patient wellness. The company wants to create an audit process to ensure that the application is running exclusively on Amazon EC2 Dedicated Hosts. A DevOps engineer must create a workflow to audit the application to ensure compliance. What steps should the engineer take to meet this requirement with the LEAST administrative overhead?

A. Use AWS Systems Manager Configuration Compliance. Use calls to the put-compliance-items API action to scan and build a database of noncompliant EC2 instances based on their host placement configuration. Use an Amazon DynamoDB table to store these instance IDs for fast access. Generate a report through Systems Manager by calling the list-compliance-summaries API action.
B. Use custom Java code running on an EC2 instance. Set up EC2 Auto Scaling for the instance depending on the number of instances to be checked. Send the list of noncompliant EC2 instance IDs to an Amazon SQS queue. Set up another worker instance to process instance IDs from the SQS queue and write them to Amazon DynamoDB. Use an AWS Lambda function to terminate noncompliant instance IDs obtained from the queue, and send them to an Amazon SNS email topic for distribution.
C. Use AWS Config. Identify all EC2 instances to be audited by enabling Config Recording on all Amazon EC2 resources for the region. Create a custom AWS Config rule that triggers an AWS Lambda function by using the "config-rule-change-triggered" blueprint. Modify the Lambda evaluateCompliance() function to verify host placement to return a NON_COMPLIANT result if the instance is not running on an EC2 Dedicated Host. Use the AWS Config report to address noncompliant instances.
D. Use AWS CloudTrail. Identify all EC2 instances to be audited by analyzing all calls to the EC2 RunCommand API action. Invoke an AWS Lambda function that analyzes the host placement of the instance. Store the EC2 instance ID of noncompliant resources in an Amazon RDS for MySQL DB instance. Generate a report by querying the RDS instance and exporting the query results to a CSV text file.


Question # 23

A company's application runs on Amazon EC2 instances. The application writes to a log file that records the username, date, time, and source IP address of the login. The log is published to a log group in Amazon CloudWatch Logs. The company is performing a root cause analysis for an event that occurred on the previous day. The company needs to know the number of logins for a specific user from the past 7 days. Which solution will provide this information?

A. Create a CloudWatch Logs metric filter on the log group. Use a filter pattern that matches the username. Publish a CloudWatch metric that sums the number of logins over the past 7 days.
B. Create a CloudWatch Logs subscription on the log group. Use a filter pattern that matches the username. Publish a CloudWatch metric that sums the number of logins over the past 7 days.
C. Create a CloudWatch Logs Insights query that uses an aggregation function to count the number of logins for the username over the past 7 days. Run the query against the log group.
D. Create a CloudWatch dashboard. Add a number widget that has a filter pattern that counts the number of logins for the username over the past 7 days directly from the log group.


Question # 24

AnyCompany is using AWS Organizations to create and manage multiple AWS accounts. AnyCompany recently acquired a smaller company, Example Corp. During the acquisition process, Example Corp's single AWS account joined AnyCompany's management account through an Organizations invitation. AnyCompany moved the new member account under an OU that is dedicated to Example Corp. AnyCompany's DevOps engineer has an IAM user that assumes a role that is named OrganizationAccountAccessRole to access member accounts. This role is configured with a full access policy. When the DevOps engineer tries to use the AWS Management Console to assume the role in Example Corp's new member account, the DevOps engineer receives the following error message: "Invalid information in one or more fields. Check your information or contact your administrator." Which solution will give the DevOps engineer access to the new member account?

A. In the management account, grant the DevOps engineer's IAM user permission to assume the OrganizationAccountAccessRole IAM role in the new member account.
B. In the management account, create a new SCP. In the SCP, grant the DevOps engineer's IAM user full access to all resources in the new member account. Attach the SCP to the OU that contains the new member account.
C. In the new member account, create a new IAM role that is named OrganizationAccountAccessRole. Attach the AdministratorAccess AWS managed policy to the role. In the role's trust policy, grant the management account permission to assume the role.
D. In the new member account, edit the trust policy for the OrganizationAccountAccessRole IAM role. Grant the management account permission to assume the role.


Question # 25

A company has an application that includes AWS Lambda functions. The Lambda functions run Python code that is stored in an AWS CodeCommit repository. The company has recently experienced failures in the production environment because of an error in the Python code. An engineer has written unit tests for the Lambda functions to help avoid releasing any future defects into the production environment. The company's DevOps team needs to implement a solution to integrate the unit tests into an existing AWS CodePipeline pipeline. The solution must produce reports about the unit tests for the company to view. Which solution will meet these requirements?

A. Associate the CodeCommit repository with Amazon CodeGuru Reviewer. Create a new AWS CodeBuild project. In the CodePipeline pipeline, configure a test stage that uses the new CodeBuild project. Create a buildspec.yml file in the CodeCommit repository. In the buildspec.yml file, define the actions to run a CodeGuru review.
B. Create a new AWS CodeBuild project. In the CodePipeline pipeline, configure a test stage that uses the new CodeBuild project. Create a CodeBuild report group. Create a buildspec.yml file in the CodeCommit repository. In the buildspec.yml file, define the actions to run the unit tests with an output of JUNITXML in the build phase section. Configure the test reports to be uploaded to the new CodeBuild report group.
C. Create a new AWS CodeArtifact repository. Create a new AWS CodeBuild project. In the CodePipeline pipeline, configure a test stage that uses the new CodeBuild project. Create an appspec.yml file in the original CodeCommit repository. In the appspec.yml file, define the actions to run the unit tests with an output of CUCUMBERJSON in the build phase section. Configure the test reports to be sent to the new CodeArtifact repository.
D. Create a new AWS CodeBuild project. In the CodePipeline pipeline, configure a test stage that uses the new CodeBuild project. Create a new Amazon S3 bucket. Create a buildspec.yml file in the CodeCommit repository. In the buildspec.yml file, define the actions to run the unit tests with an output of HTML in the phases section. In the reports section, upload the test reports to the S3 bucket.


Question # 26

A DevOps engineer is setting up a container-based architecture. The engineer has decided to use AWS CloudFormation to automatically provision an Amazon ECS cluster and an Amazon EC2 Auto Scaling group to launch the EC2 container instances. After successfully creating the CloudFormation stack, the engineer noticed that, even though the ECS cluster and the EC2 instances were created successfully and the stack finished the creation, the EC2 instances were associating with a different cluster. How should the DevOps engineer update the CloudFormation template to resolve this issue?

A. Reference the EC2 instances in the AWS::ECS::Cluster resource and reference the ECS cluster in the AWS::ECS::Service resource.
B. Reference the ECS cluster in the AWS::AutoScaling::LaunchConfiguration resource of the UserData property.
C. Reference the ECS cluster in the AWS::EC2::Instance resource of the UserData property.
D. Reference the ECS cluster in the AWS::CloudFormation::CustomResource resource to trigger an AWS Lambda function that registers the EC2 instances with the appropriate ECS cluster.


Question # 27

A DevOps engineer is planning to deploy a Ruby-based application to production. The application needs to interact with an Amazon RDS for MySQL database and should have automatic scaling and high availability. The stored data in the database is critical and should persist regardless of the state of the application stack. The DevOps engineer needs to set up an automated deployment strategy for the application with automatic rollbacks. The solution also must alert the application team when a deployment fails. Which combination of steps will meet these requirements? (Select THREE.)

A. Deploy the application on AWS Elastic Beanstalk. Deploy an Amazon RDS for MySQL DB instance as part of the Elastic Beanstalk configuration.
B. Deploy the application on AWS Elastic Beanstalk. Deploy a separate Amazon RDS for MySQL DB instance outside of Elastic Beanstalk.
C. Configure a notification email address that alerts the application team in the AWS Elastic Beanstalk configuration.
D. Configure an Amazon EventBridge rule to monitor AWS Health events. Use an Amazon Simple Notification Service (Amazon SNS) topic as a target to alert the application team.
E. Use the immutable deployment method to deploy new application versions.
F. Use the rolling deployment method to deploy new application versions.


Question # 28

A company is using AWS Organizations to centrally manage its AWS accounts. The company has turned on AWS Config in each member account by using AWS CloudFormation StackSets. The company has configured trusted access in Organizations for AWS Config and has configured a member account as a delegated administrator account for AWS Config. A DevOps engineer needs to implement a new security policy. The policy must require all current and future AWS member accounts to use a common baseline of AWS Config rules that contain remediation actions that are managed from a central account. Nonadministrator users who can access member accounts must not be able to modify this common baseline of AWS Config rules that are deployed into each member account. Which solution will meet these requirements?

A. Create a CloudFormation template that contains the AWS Config rules and remediation actions. Deploy the template from the Organizations management account by using CloudFormation StackSets.
B. Create an AWS Config conformance pack that contains the AWS Config rules and remediation actions. Deploy the pack from the Organizations management account by using CloudFormation StackSets.
C. Create a CloudFormation template that contains the AWS Config rules and remediation actions. Deploy the template from the delegated administrator account by using AWS Config.
D. Create an AWS Config conformance pack that contains the AWS Config rules and remediation actions. Deploy the pack from the delegated administrator account by using AWS Config.


Question # 29

A company uses AWS and has a VPC that contains critical compute infrastructure with predictable traffic patterns. The company has configured VPC flow logs that are published to a log group in Amazon CloudWatch Logs. The company's DevOps team needs to configure a monitoring solution for the VPC flow logs to identify anomalies in network traffic to the VPC over time. If the monitoring solution detects an anomaly, the company needs the ability to initiate a response to the anomaly. How should the DevOps team configure the monitoring solution to meet these requirements?

A. Create an Amazon Kinesis data stream. Subscribe the log group to the data stream. Configure Amazon Kinesis Data Analytics to detect log anomalies in the data stream. Create an AWS Lambda function to use as the output of the data stream. Configure the Lambda function to write to the default Amazon EventBridge event bus in the event of an anomaly finding.
B. Create an Amazon Kinesis Data Firehose delivery stream that delivers events to an Amazon S3 bucket. Subscribe the log group to the delivery stream. Configure Amazon Lookout for Metrics to monitor the data in the S3 bucket for anomalies. Create an AWS Lambda function to run in response to Lookout for Metrics anomaly findings. Configure the Lambda function to publish to the default Amazon EventBridge event bus.
C. Create an AWS Lambda function to detect anomalies. Configure the Lambda function to publish an event to the default Amazon EventBridge event bus if the Lambda function detects an anomaly. Subscribe the Lambda function to the log group.
D. Create an Amazon Kinesis data stream. Subscribe the log group to the data stream. Create an AWS Lambda function to detect log anomalies. Configure the Lambda function to write to the default Amazon EventBridge event bus if the Lambda function detects an anomaly. Set the Lambda function as the processor for the data stream.


Question # 30

A DevOps engineer wants to find a solution to migrate an application from on premises to AWS. The application is running on Linux and needs to run on specific versions of Apache Tomcat, HAProxy, and Varnish Cache to function properly. The application's operating system-level parameters require tuning. The solution must include a way to automate the deployment of new application versions. The infrastructure should be scalable and faulty servers should be replaced automatically. Which solution should the DevOps engineer use?

A. Upload the application as a Docker image that contains all the necessary software to Amazon ECR. Create an Amazon ECS cluster using an AWS Fargate launch type and an Auto Scaling group. Create an AWS CodePipeline pipeline that uses Amazon ECR as a source and Amazon ECS as a deployment provider.
B. Upload the application code to an AWS CodeCommit repository with a saved configuration file to configure and install the software. Create an AWS Elastic Beanstalk web server tier and a load balanced-type environment that uses the Tomcat solution stack. Create an AWS CodePipeline pipeline that uses CodeCommit as a source and Elastic Beanstalk as a deployment provider.
C. Upload the application code to an AWS CodeCommit repository with a set of .ebextensions files to configure and install the software. Create an AWS Elastic Beanstalk worker tier environment that uses the Tomcat solution stack. Create an AWS CodePipeline pipeline that uses CodeCommit as a source and Elastic Beanstalk as a deployment provider.
D. Upload the application code to an AWS CodeCommit repository with an appspec.yml file to configure and install the necessary software. Create an AWS CodeDeploy deployment group associated with an Amazon EC2 Auto Scaling group. Create an AWS CodePipeline pipeline that uses CodeCommit as a source and CodeDeploy as a deployment provider.


Question # 31

A company needs a strategy for failover and disaster recovery of its data and application. The application uses a MySQL database and Amazon EC2 instances. The company requires a maximum RPO of 2 hours and a maximum RTO of 10 minutes for its data and application at all times. Which combination of deployment strategies will meet these requirements? (Select TWO.)

A. Create an Amazon Aurora Single-AZ cluster in multiple AWS Regions as the data store. Use Aurora's automatic recovery capabilities in the event of a disaster.
B. Create an Amazon Aurora global database in two AWS Regions as the data store. In the event of a failure, promote the secondary Region to the primary for the application. Update the application to use the Aurora cluster endpoint in the secondary Region.
C. Create an Amazon Aurora cluster in multiple AWS Regions as the data store. Use a Network Load Balancer to balance the database traffic in different Regions.
D. Set up the application in two AWS Regions. Use Amazon Route 53 failover routing that points to Application Load Balancers in both Regions. Use health checks and Auto Scaling groups in each Region.
E. Set up the application in two AWS Regions. Configure AWS Global Accelerator to point to Application Load Balancers (ALBs) in both Regions. Add both ALBs to a single endpoint group. Use health checks and Auto Scaling groups in each Region.


Question # 32

A DevOps engineer is building an application that uses an AWS Lambda function to query an Amazon Aurora MySQL DB cluster. The Lambda function performs only read queries. Amazon EventBridge events invoke the Lambda function. As more events invoke the Lambda function each second, the database's latency increases and the database's throughput decreases. The DevOps engineer needs to improve the performance of the application. Which combination of steps will meet these requirements? (Select THREE.)

A. Use Amazon RDS Proxy to create a proxy. Connect the proxy to the Aurora cluster reader endpoint. Set a maximum connections percentage on the proxy.
B. Implement database connection pooling inside the Lambda code. Set a maximum number of connections on the database connection pool.
C. Implement the database connection opening outside the Lambda event handler code.
D. Implement the database connection opening and closing inside the Lambda event handler code.
E. Connect to the proxy endpoint from the Lambda function.
F. Connect to the Aurora cluster endpoint from the Lambda function.


Question # 33

A company wants to deploy a workload on several hundred Amazon EC2 instances. The company will provision the EC2 instances in an Auto Scaling group by using a launch template. The workload will pull files from an Amazon S3 bucket, process the data, and put the results into a different S3 bucket. The EC2 instances must have least-privilege permissions and must use temporary security credentials. Which combination of steps will meet these requirements? (Select TWO.)

A. Create an IAM role that has the appropriate permissions for S3 buckets. Add the IAM role to an instance profile.
B. Update the launch template to include the IAM instance profile.
C. Create an IAM user that has the appropriate permissions for Amazon S3. Generate a secret key and token.
D. Create a trust anchor and profile. Attach the IAM role to the profile.
E. Update the launch template. Modify the user data to use the new secret key and token.


Question # 34

A company's application uses a fleet of Amazon EC2 On-Demand Instances to analyze and process data. The EC2 instances are in an Auto Scaling group. The Auto Scaling group is a target group for an Application Load Balancer (ALB). The application analyzes critical data that cannot tolerate interruption. The application also analyzes noncritical data that can withstand interruption. The critical data analysis requires quick scalability in response to real-time application demand. The noncritical data analysis involves memory consumption. A DevOps engineer must implement a solution that reduces scale-out latency for the critical data. The solution also must process the noncritical data. Which combination of steps will meet these requirements? (Select TWO.)

A. For the critical data, modify the existing Auto Scaling group. Create a warm pool instance in the stopped state. Define the warm pool size. Create a new version of the launch template that has detailed monitoring enabled. Use Spot Instances.
B. For the critical data, modify the existing Auto Scaling group. Create a warm pool instance in the stopped state. Define the warm pool size. Create a new version of the launch template that has detailed monitoring enabled. Use On-Demand Instances.
C. For the critical data, modify the existing Auto Scaling group. Create a lifecycle hook to ensure that bootstrap scripts are completed successfully. Ensure that the application on the instances is ready to accept traffic before the instances are registered. Create a new version of the launch template that has detailed monitoring enabled.
D. For the noncritical data, create a second Auto Scaling group that uses a launch template. Configure the launch template to install the unified Amazon CloudWatch agent and to configure the CloudWatch agent with a custom memory utilization metric. Use Spot Instances. Add the new Auto Scaling group as the target group for the ALB. Modify the application to use two target groups for critical data and noncritical data.
E. For the noncritical data, create a second Auto Scaling group. Choose the predefined memory utilization metric type for the target tracking scaling policy. Use Spot Instances. Add the new Auto Scaling group as the target group for the ALB. Modify the application to use two target groups for critical data and noncritical data.


Question # 35

A company runs an application with an Amazon EC2 and on-premises configuration. A DevOps engineer needs to standardize patching across both environments. Company policy dictates that patching only happens during non-business hours. Which combination of actions will meet these requirements? (Choose three.)

A. Add the physical machines into AWS Systems Manager using Systems Manager Hybrid Activations.
B. Attach an IAM role to the EC2 instances, allowing them to be managed by AWS Systems Manager.
C. Create IAM access keys for the on-premises machines to interact with AWS Systems Manager.
D. Run an AWS Systems Manager Automation document to patch the systems every hour.
E. Use Amazon EventBridge scheduled events to schedule a patch window.
F. Use AWS Systems Manager Maintenance Windows to schedule a patch window.


Question # 36

A company has an application that runs on AWS Lambda and sends logs to Amazon CloudWatch Logs. An Amazon Kinesis data stream is subscribed to the log groups in CloudWatch Logs. A single consumer Lambda function processes the logs from the data stream and stores the logs in an Amazon S3 bucket. The company's DevOps team has noticed high latency during the processing and ingestion of some logs. Which combination of steps will reduce the latency? (Select THREE.)

A. Create a data stream consumer with enhanced fan-out. Set the Lambda function that processes the logs as the consumer.
B. Increase the ParallelizationFactor setting in the Lambda event source mapping.
C. Configure reserved concurrency for the Lambda function that processes the logs.
D. Increase the batch size in the Kinesis data stream.
E. Turn off the ReportBatchItemFailures setting in the Lambda event source mapping.
F. Increase the number of shards in the Kinesis data stream.


Question # 37

A company has multiple development groups working in a single shared AWS account. The Senior Manager of the groups wants to be alerted via a third-party API call when the creation of resources approaches the service limits for the account. Which solution will accomplish this with the LEAST amount of development effort?

A. Create an Amazon CloudWatch Event rule that runs periodically and targets an AWS Lambda function. Within the Lambda function, evaluate the current state of the AWS environment and compare deployed resource values to resource limits on the account. Notify the Senior Manager if the account is approaching a service limit.
B. Deploy an AWS Lambda function that refreshes AWS Trusted Advisor checks, and configure an Amazon CloudWatch Events rule to run the Lambda function periodically. Create another CloudWatch Events rule with an event pattern matching Trusted Advisor events and a target Lambda function. In the target Lambda function, notify the Senior Manager.
C. Deploy an AWS Lambda function that refreshes AWS Personal Health Dashboard checks, and configure an Amazon CloudWatch Events rule to run the Lambda function periodically. Create another CloudWatch Events rule with an event pattern matching Personal Health Dashboard events and a target Lambda function. In the target Lambda function, notify the Senior Manager.
D. Add an AWS Config custom rule that runs periodically, checks the AWS service limit status, and streams notifications to an Amazon SNS topic. Deploy an AWS Lambda function that notifies the Senior Manager, and subscribe the Lambda function to the SNS topic.


Question # 38

A DevOps engineer is architecting a continuous development strategy for a company's software as a service (SaaS) web application running on AWS. For application and security reasons, users subscribing to this application are distributed across multiple Application Load Balancers (ALBs), each of which has a dedicated Auto Scaling group and fleet of Amazon EC2 instances. The application does not require a build stage, and when it is committed to AWS CodeCommit, the application must trigger a simultaneous deployment to all ALBs, Auto Scaling groups, and EC2 fleets. Which architecture will meet these requirements with the LEAST amount of configuration?

A. Create a single AWS CodePipeline pipeline that deploys the application in parallel using unique AWS CodeDeploy applications and deployment groups created for each ALB-Auto Scaling group pair.
B. Create a single AWS CodePipeline pipeline that deploys the application using a single AWS CodeDeploy application and single deployment group.
C. Create a single AWS CodePipeline pipeline that deploys the application in parallel using a single AWS CodeDeploy application and unique deployment group for each ALB-Auto Scaling group pair.
D. Create an AWS CodePipeline pipeline for each ALB-Auto Scaling group pair that deploys the application using an AWS CodeDeploy application and deployment group created for the same ALB-Auto Scaling group pair.


Question # 39

A company uses AWS Directory Service for Microsoft Active Directory as its identity provider (IdP). The company requires all infrastructure to be defined and deployed by AWS CloudFormation. A DevOps engineer needs to create a fleet of Windows-based Amazon EC2 instances to host an application. The DevOps engineer has created a CloudFormation template that contains an EC2 launch template, IAM role, EC2 security group, and EC2 Auto Scaling group. The DevOps engineer must implement a solution that joins all EC2 instances to the domain of the AWS Managed Microsoft AD directory. Which solution will meet these requirements with the MOST operational efficiency?

A. In the CloudFormation template, create an AWS::SSM::Document resource that joins the EC2 instance to the AWS Managed Microsoft AD domain by using the parameters for the existing directory. Update the launch template to include the SSMAssociation property to use the new SSM document. Attach the AmazonSSMManagedInstanceCore and AmazonSSMDirectoryServiceAccess AWS managed policies to the IAM role that the EC2 instances use.
B. In the CloudFormation template, update the launch template to include specific tags that propagate on launch. Create an AWS::SSM::Association resource to associate the AWS-JoinDirectoryServiceDomain Automation runbook with the EC2 instances that have the specified tags. Define the required parameters to join the AWS Managed Microsoft AD directory. Attach the AmazonSSMManagedInstanceCore and AmazonSSMDirectoryServiceAccess AWS managed policies to the IAM role that the EC2 instances use.
C. Store the existing AWS Managed Microsoft AD domain connection details in AWS Secrets Manager. In the CloudFormation template, create an AWS::SSM::Association resource to associate the AWS-CreateManagedWindowsInstanceWithApproval Automation runbook with the EC2 Auto Scaling group. Pass the ARNs for the parameters from Secrets Manager to join the domain. Attach the AmazonSSMDirectoryServiceAccess and SecretsManagerReadWrite AWS managed policies to the IAM role that the EC2 instances use.
D. Store the existing AWS Managed Microsoft AD domain administrator credentials in AWS Secrets Manager. In the CloudFormation template, update the EC2 launch template to include user data. Configure the user data to pull the administrator credentials from Secrets Manager and to join the AWS Managed Microsoft AD domain. Attach the AmazonSSMManagedInstanceCore and SecretsManagerReadWrite AWS managed policies to the IAM role that the EC2 instances use.


Question # 40

A company is migrating its on-premises Windows applications and Linux applications to AWS. The company will use automation to launch Amazon EC2 instances to mirror the on-premises configurations. The migrated applications require access to shared storage that uses SMB for Windows and NFS for Linux. The company is also creating a pilot light disaster recovery (DR) environment in another AWS Region. The company will use automation to launch and configure the EC2 instances in the DR Region. The company needs to replicate the storage to the DR Region. Which storage solution will meet these requirements?

A. Use Amazon S3 for the application storage. Create an S3 bucket in the primary Region and an S3 bucket in the DR Region. Configure S3 Cross-Region Replication (CRR) from the primary Region to the DR Region.
B. Use Amazon Elastic Block Store (Amazon EBS) for the application storage. Create a backup plan in AWS Backup that creates snapshots of the EBS volumes that are in the primary Region and replicates the snapshots to the DR Region.
C. Use a Volume Gateway in AWS Storage Gateway for the application storage. Configure Cross-Region Replication (CRR) of the Volume Gateway from the primary Region to the DR Region.
D. Use Amazon FSx for NetApp ONTAP for the application storage. Create an FSx for ONTAP instance in the DR Region. Configure NetApp SnapMirror replication from the primary Region to the DR Region.


Question # 41

A company runs a workload on Amazon EC2 instances. The company needs a control that requires the use of Instance Metadata Service Version 2 (IMDSv2) on all EC2 instances in the AWS account. If an EC2 instance does not prevent the use of Instance Metadata Service Version 1 (IMDSv1), the EC2 instance must be terminated. Which solution will meet these requirements?

A. Set up AWS Config in the account. Use a managed rule to check EC2 instances.Configure the rule to remediate the findings by using AWS Systems Manager Automationto terminate the instance.
B. Create a permissions boundary that prevents the ec2:Runlnstance action if theec2:MetadataHttpTokens condition key is not set to a value of required. Attach thepermissions boundary to the IAM role that was used to launch the instance.
C. Set up Amazon Inspector in the account. Configure Amazon Inspector to activate deepinspection for EC2 instances. Create an Amazon EventBridge rule for an Inspector2finding. Set an AWS Lambda function as the target to terminate the instance.
D. Create an Amazon EventBridge rule for the EC2 instance launch successful event. Sendthe event to an AWS Lambda function to inspect the EC2 metadata and to terminate theinstance.


Question # 42

A company is launching an application that stores raw data in an Amazon S3 bucket. Three applications need to access the data to generate reports. The data must be redacted differently for each application before the applications can access the data. Which solution will meet these requirements?

A. Create an S3 bucket for each application. Configure S3 Same-Region Replication (SRR) from the raw data's S3 bucket to each application's S3 bucket. Configure each application to consume data from its own S3 bucket.
B. Create an Amazon Kinesis data stream. Create an AWS Lambda function that is invoked by object creation events in the raw data's S3 bucket. Program the Lambda function to redact data for each application. Publish the data on the Kinesis data stream. Configure each application to consume data from the Kinesis data stream.
C. For each application, create an S3 access point that uses the raw data's S3 bucket as the destination. Create an AWS Lambda function that is invoked by object creation events in the raw data's S3 bucket. Program the Lambda function to redact data for each application. Store the data in each application's S3 access point. Configure each application to consume data from its own S3 access point.
D. Create an S3 access point that uses the raw data's S3 bucket as the destination. For each application, create an S3 Object Lambda access point that uses the S3 access point. Configure the AWS Lambda function for each S3 Object Lambda access point to redact data when objects are retrieved. Configure each application to consume data from its own S3 Object Lambda access point.


Question # 43

A company hosts applications in its AWS account. Each application logs to an individual Amazon CloudWatch log group. The company’s CloudWatch costs for ingestion are increasing. A DevOps engineer needs to identify which applications are the source of the increased logging costs. Which solution will meet these requirements?

A. Use CloudWatch metrics to create a custom expression that identifies the CloudWatch log groups that have the most data being written to them.
B. Use CloudWatch Logs Insights to create a set of queries for the application log groups to identify the number of logs written for a period of time.
C. Use AWS Cost Explorer to generate a cost report that details the cost for CloudWatch usage.
D. Use AWS CloudTrail to filter for CreateLogStream events for each application.


Question # 44

A company uses an organization in AWS Organizations that has all features enabled. The company uses AWS Backup in a primary account and uses an AWS Key Management Service (AWS KMS) key to encrypt the backups. The company needs to automate a cross-account backup of the resources that AWS Backup backs up in the primary account. The company configures cross-account backup in the Organizations management account. The company creates a new AWS account in the organization and configures an AWS Backup backup vault in the new account. The company creates a KMS key in the new account to encrypt the backups. Finally, the company configures a new backup plan in the primary account. The destination for the new backup plan is the backup vault in the new account. When the AWS Backup job in the primary account is invoked, the job creates backups in the primary account. However, the backups are not copied to the new account's backup vault. Which combination of steps must the company take so that backups can be copied to the new account's backup vault? (Select TWO.)

A. Edit the backup vault access policy in the new account to allow access to the primary account.
B. Edit the backup vault access policy in the primary account to allow access to the new account.
C. Edit the backup vault access policy in the primary account to allow access to the KMS key in the new account.
D. Edit the key policy of the KMS key in the primary account to share the key with the new account.
E. Edit the key policy of the KMS key in the new account to share the key with the primary account.


Question # 45

A growing company manages more than 50 accounts in an organization in AWS Organizations. The company has configured its applications to send logs to Amazon CloudWatch Logs. A DevOps engineer needs to aggregate logs so that the company can quickly search the logs to respond to future security incidents. The DevOps engineer has created a new AWS account for centralized monitoring. Which combination of steps should the DevOps engineer take to make the application logs searchable from the monitoring account? (Select THREE.)

A. In the monitoring account, download an AWS CloudFormation template from CloudWatch to use in Organizations. Use CloudFormation StackSets in the organization's management account to deploy the CloudFormation template to the entire organization.
B. Create an AWS CloudFormation template that defines an IAM role. Configure the role to allow logs.amazonaws.com to perform the logs:Link action if the aws:ResourceAccount property is equal to the monitoring account ID. Use CloudFormation StackSets in the organization's management account to deploy the CloudFormation template to the entire organization.
C. Create an IAM role in the monitoring account. Attach a trust policy that allows logs.amazonaws.com to perform the iam:CreateSink action if the aws:PrincipalOrgId property is equal to the organization ID.
D. In the organization's management account, enable the logging policies for the organization.
E. Use CloudWatch Observability Access Manager in the monitoring account to create a sink. Allow logs to be shared with the monitoring account. Configure the monitoring account data selection to view the Observability data from the organization ID.
F. In the monitoring account, attach the CloudWatchLogsReadOnlyAccess AWS managed policy to an IAM role that can be assumed to search the logs.


Question # 46

A company plans to use Amazon CloudWatch to monitor its Amazon EC2 instances. The company needs to stop EC2 instances when the average of the NetworkPacketsIn metric is less than 5 for at least 3 hours in a 12-hour time window. The company must evaluate the metric every hour. The EC2 instances must continue to run if there is missing data for the NetworkPacketsIn metric during the evaluation period. A DevOps engineer creates a CloudWatch alarm for the NetworkPacketsIn metric. The DevOps engineer configures a threshold value of 5 and an evaluation period of 1 hour. Which set of additional actions should the DevOps engineer take to meet these requirements?

A. Configure the Datapoints to Alarm value to be 3 out of 12. Configure the alarm to treat missing data as breaching the threshold. Add an AWS Systems Manager action to stop the instance when the alarm enters the ALARM state.
B. Configure the Datapoints to Alarm value to be 3 out of 12. Configure the alarm to treat missing data as not breaching the threshold. Add an EC2 action to stop the instance when the alarm enters the ALARM state.
C. Configure the Datapoints to Alarm value to be 9 out of 12. Configure the alarm to treat missing data as breaching the threshold. Add an EC2 action to stop the instance when the alarm enters the ALARM state.
D. Configure the Datapoints to Alarm value to be 9 out of 12. Configure the alarm to treat missing data as not breaching the threshold. Add an AWS Systems Manager action to stop the instance when the alarm enters the ALARM state.


Question # 47

A company builds an application that uses an Application Load Balancer in front of Amazon EC2 instances that are in an Auto Scaling group. The application is stateless. The Auto Scaling group uses a custom AMI that is fully prebuilt. The EC2 instances do not have a custom bootstrapping process. The AMI that the Auto Scaling group uses was recently deleted. The Auto Scaling group's scaling activities show failures because the AMI ID does not exist. Which combination of steps should a DevOps engineer take to meet these requirements? (Select THREE.)

A. Create a new launch template that uses the new AMI.
B. Update the Auto Scaling group to use the new launch template.
C. Reduce the Auto Scaling group's desired capacity to 0.
D. Increase the Auto Scaling group's desired capacity by 1.
E. Create a new AMI from a running EC2 instance in the Auto Scaling group.
F. Create a new AMI by copying the most recent public AMI of the operating system that the EC2 instances use.


Question # 48

A company's application teams use AWS CodeCommit repositories for their applications. The application teams have repositories in multiple AWS accounts. All accounts are in an organization in AWS Organizations. Each application team uses AWS IAM Identity Center (AWS Single Sign-On) configured with an external IdP to assume a developer IAM role. The developer role allows the application teams to use Git to work with the code in the repositories. A security audit reveals that the application teams can modify the main branch in any repository. A DevOps engineer must implement a solution that allows the application teams to modify the main branch of only the repositories that they manage. Which combination of steps will meet these requirements? (Select THREE.)

A. Update the SAML assertion to pass the user's team name. Update the IAM role's trust policy to add an access-team session tag that has the team name.
B. Create an approval rule template for each team in the Organizations management account. Associate the template with all the repositories. Add the developer role ARN as an approver.
C. Create an approval rule template for each account. Associate the template with all repositories. Add the "aws:ResourceTag/access-team":"${aws:PrincipalTag/access-team}" condition to the approval rule template.
D. For each CodeCommit repository, add an access-team tag that has the value set to the name of the associated team.
E. Attach an SCP to the accounts. Include the following statement:


Question # 49

A company deploys a web application on Amazon EC2 instances that are behind an Application Load Balancer (ALB). The company stores the application code in an AWS CodeCommit repository. When code is merged to the main branch, an AWS Lambda function invokes an AWS CodeBuild project. The CodeBuild project packages the code, stores the packaged code in AWS CodeArtifact, and invokes AWS Systems Manager Run Command to deploy the packaged code to the EC2 instances. Previous deployments have resulted in defects, EC2 instances that are not running the latest version of the packaged code, and inconsistencies between instances. Which combination of actions should a DevOps engineer take to implement a more reliable deployment solution? (Select TWO.)

A. Create a pipeline in AWS CodePipeline that uses the CodeCommit repository as a source provider. Configure pipeline stages that run the CodeBuild project in parallel to build and test the application. In the pipeline, pass the CodeBuild project output artifact to an AWS CodeDeploy action.
B. Create a pipeline in AWS CodePipeline that uses the CodeCommit repository as a source provider. Create separate pipeline stages that run a CodeBuild project to build and then test the application. In the pipeline, pass the CodeBuild project output artifact to an AWS CodeDeploy action.
C. Create an AWS CodeDeploy application and a deployment group to deploy the packaged code to the EC2 instances. Configure the ALB for the deployment group.
D. Create individual Lambda functions that use AWS CodeDeploy instead of Systems Manager to run build, test, and deploy actions.
E. Create an Amazon S3 bucket. Modify the CodeBuild project to store the packages in the S3 bucket instead of in CodeArtifact. Use deploy actions in CodeDeploy to deploy the artifact to the EC2 instances.


Question # 50

A company manages AWS accounts for application teams in AWS Control Tower. Individual application teams are responsible for securing their respective AWS accounts. A DevOps engineer needs to enable Amazon GuardDuty for all AWS accounts in which the application teams have not already enabled GuardDuty. The DevOps engineer is using AWS CloudFormation StackSets from the AWS Control Tower management account. How should the DevOps engineer configure the CloudFormation template to prevent failure during the StackSets deployment?

A. Create a CloudFormation custom resource that invokes an AWS Lambda function. Configure the Lambda function to conditionally enable GuardDuty if GuardDuty is not already enabled in the accounts.
B. Use the Conditions section of the CloudFormation template to enable GuardDuty in accounts where GuardDuty is not already enabled.
C. Use the CloudFormation Fn::GetAtt intrinsic function to check whether GuardDuty is already enabled. If GuardDuty is not already enabled, use the Resources section of the CloudFormation template to enable GuardDuty.
D. Manually discover the list of AWS account IDs where GuardDuty is not enabled. Use the CloudFormation Fn::ImportValue intrinsic function to import the list of account IDs into the CloudFormation template to skip deployment for the listed AWS accounts.


Question # 51

A company builds a container image in an AWS CodeBuild project by running Docker commands. After the container image is built, the CodeBuild project uploads the container image to an Amazon S3 bucket. The CodeBuild project has an IAM service role that has permissions to access the S3 bucket. A DevOps engineer needs to replace the S3 bucket with an Amazon Elastic Container Registry (Amazon ECR) repository to store the container images. The DevOps engineer creates an ECR private image repository in the same AWS Region of the CodeBuild project. The DevOps engineer adjusts the IAM service role with the permissions that are necessary to work with the new ECR repository. The DevOps engineer also places new repository information into the docker build command and the docker push command that are used in the buildspec.yml file. When the CodeBuild project runs a build job, the job fails when the job tries to access the ECR repository. Which solution will resolve the issue of failed access to the ECR repository?

A. Update the buildspec.yml file to log in to the ECR repository by using the aws ecr get-login-password AWS CLI command to obtain an authentication token. Update the docker login command to use the authentication token to access the ECR repository.
B. Add an environment variable of type SECRETS_MANAGER to the CodeBuild project. In the environment variable, include the ARN of the CodeBuild project's IAM service role. Update the buildspec.yml file to use the new environment variable to log in with the docker login command to access the ECR repository.
C. Update the ECR repository to be a public image repository. Add an ECR repository policy that allows the IAM service role to have access.
D. Update the buildspec.yml file to use the AWS CLI to assume the IAM service role for ECR operations. Add an ECR repository policy that allows the IAM service role to have access.


Question # 52

A company has multiple development teams in different business units that work in a shared single AWS account. All Amazon EC2 resources that are created in the account must include tags that specify who created the resources. The tagging must occur within the first hour of resource creation. A DevOps engineer needs to add tags to the created resources that include the user ID that created the resource and the cost center ID. The DevOps engineer configures an AWS Lambda function with the cost center mappings to tag the resources. The DevOps engineer also sets up AWS CloudTrail in the AWS account. An Amazon S3 bucket stores the CloudTrail event logs. Which solution will meet the tagging requirements?

A. Create an S3 event notification on the S3 bucket to invoke the Lambda function for s3:ObjectTagging:Put events. Enable bucket versioning on the S3 bucket.
B. Enable server access logging on the S3 bucket. Create an S3 event notification on the S3 bucket for s3:ObjectTagging:* events.
C. Create a recurring hourly Amazon EventBridge scheduled rule that invokes the Lambda function. Modify the Lambda function to read the logs from the S3 bucket.
D. Create an Amazon EventBridge rule that uses Amazon EC2 as the event source. Configure the rule to match events delivered by CloudTrail. Configure the rule to target the Lambda function.


Question # 53

A company runs its container workloads in AWS App Runner. A DevOps engineer manages the company's container repository in Amazon Elastic Container Registry (Amazon ECR). The DevOps engineer must implement a solution that continuously monitors the container repository. The solution must create a new container image when the solution detects an operating system vulnerability or language package vulnerability. Which solution will meet these requirements?

A. Use EC2 Image Builder to create a container image pipeline. Use Amazon ECR as the target repository. Turn on enhanced scanning on the ECR repository. Create an Amazon EventBridge rule to capture an Inspector2 finding event. Use the event to invoke the image pipeline. Re-upload the container to the repository.
B. Use EC2 Image Builder to create a container image pipeline. Use Amazon ECR as the target repository. Enable Amazon GuardDuty Malware Protection on the container workload. Create an Amazon EventBridge rule to capture a GuardDuty finding event. Use the event to invoke the image pipeline.
C. Create an AWS CodeBuild project to create a container image. Use Amazon ECR as the target repository. Turn on basic scanning on the repository. Create an Amazon EventBridge rule to capture an ECR image action event. Use the event to invoke the CodeBuild project. Re-upload the container to the repository.
D. Create an AWS CodeBuild project to create a container image. Use Amazon ECR as the target repository. Configure AWS Systems Manager Compliance to scan all managed nodes. Create an Amazon EventBridge rule to capture a configuration compliance state change event. Use the event to invoke the CodeBuild project.


Question # 54

A company recently launched multiple applications that use Application Load Balancers. Application response time often slows down when the applications experience problems. A DevOps engineer needs to implement a monitoring solution that alerts the company when the applications begin to perform slowly. The DevOps engineer creates an Amazon Simple Notification Service (Amazon SNS) topic and subscribes the company's email address to the topic. What should the DevOps engineer do next to meet the requirements?

A. Create an Amazon EventBridge rule that invokes an AWS Lambda function to query the applications on a 5-minute interval. Configure the Lambda function to publish a notification to the SNS topic when the applications return errors.
B. Create an Amazon CloudWatch Synthetics canary that runs a custom script to query the applications on a 5-minute interval. Configure the canary to use the SNS topic when the applications return errors.
C. Create an Amazon CloudWatch alarm that uses the AWS/ApplicationELB namespace RequestCountPerTarget metric. Configure the CloudWatch alarm to send a notification when the number of connections becomes greater than the configured number of threads that the application supports. Configure the CloudWatch alarm to use the SNS topic.
D. Create an Amazon CloudWatch alarm that uses the AWS/ApplicationELB namespace RequestCountPerTarget metric. Configure the CloudWatch alarm to send a notification when the average response time becomes greater than the longest response time that the application supports. Configure the CloudWatch alarm to use the SNS topic.


Question # 55

A company sells products through an ecommerce web application. The company wants a dashboard that shows a pie chart of product transaction details. The company wants to integrate the dashboard with the company’s existing Amazon CloudWatch dashboards. Which solution will meet these requirements with the MOST operational efficiency?

A. Update the ecommerce application to emit a JSON object to a CloudWatch log group for each processed transaction. Use CloudWatch Logs Insights to query the log group and to visualize the results in a pie chart format. Attach the results to the desired CloudWatch dashboard.
B. Update the ecommerce application to emit a JSON object to an Amazon S3 bucket for each processed transaction. Use Amazon Athena to query the S3 bucket and to visualize the results in a pie chart format. Export the results from Athena. Attach the results to the desired CloudWatch dashboard.
C. Update the ecommerce application to use AWS X-Ray for instrumentation. Create a new X-Ray subsegment. Add an annotation for each processed transaction. Use X-Ray traces to query the data and to visualize the results in a pie chart format. Attach the results to the desired CloudWatch dashboard.
D. Update the ecommerce application to emit a JSON object to a CloudWatch log group for each processed transaction. Create an AWS Lambda function to aggregate and write the results to Amazon DynamoDB. Create a Lambda subscription filter for the log file. Attach the results to the desired CloudWatch dashboard.


Question # 56

A company manages multiple AWS accounts by using AWS Organizations with OUs for the different business divisions. The company is updating their corporate network to use new IP address ranges. The company has 10 Amazon S3 buckets in different AWS accounts. The S3 buckets store reports for the different divisions. The S3 bucket configurations allow only private corporate network IP addresses to access the S3 buckets. A DevOps engineer needs to change the range of IP addresses that have permission to access the contents of the S3 buckets. The DevOps engineer also needs to revoke the permissions of two OUs in the company. Which solution will meet these requirements?

A. Create a new SCP that has two statements, one that allows access to the new range of IP addresses for all the S3 buckets and one that denies access to the old range of IP addresses for all the S3 buckets. Set a permissions boundary for the OrganizationAccountAccessRole role in the two OUs to deny access to the S3 buckets.
B. Create a new SCP that has a statement that allows only the new range of IP addresses to access the S3 buckets. Create another SCP that denies access to the S3 buckets. Attach the second SCP to the two OUs.
C. On all the S3 buckets, configure resource-based policies that allow only the new range of IP addresses to access the S3 buckets. Create a new SCP that denies access to the S3 buckets. Attach the SCP to the two OUs.
D. On all the S3 buckets, configure resource-based policies that allow only the new range of IP addresses to access the S3 buckets. Set a permissions boundary for the OrganizationAccountAccessRole role in the two OUs to deny access to the S3 buckets.


Question # 57

A DevOps engineer has developed an AWS Lambda function. The Lambda function starts an AWS CloudFormation drift detection operation on all supported resources for a specific CloudFormation stack. The Lambda function then exits its invocation. The DevOps engineer has created an Amazon EventBridge scheduled rule that invokes the Lambda function every hour. An Amazon Simple Notification Service (Amazon SNS) topic already exists in the AWS account. The DevOps engineer has subscribed to the SNS topic to receive notifications. The DevOps engineer needs to receive a notification as soon as possible when drift is detected in this specific stack configuration. Which solution will meet these requirements?

A. Configure the existing EventBridge rule to also target the SNS topic. Configure an SNS subscription filter policy to match the CloudFormation stack. Attach the subscription filter policy to the SNS topic.
B. Create a second Lambda function to query the CloudFormation API for the drift detection results for the stack. Configure the second Lambda function to publish a message to the SNS topic if drift is detected. Adjust the existing EventBridge rule to also target the second Lambda function.
C. Configure Amazon GuardDuty in the account with drift detection for all CloudFormation stacks. Create a second EventBridge rule that reacts to the GuardDuty drift detection event finding for the specific CloudFormation stack. Configure the SNS topic as a target of the second EventBridge rule.
D. Configure AWS Config in the account. Use the cloudformation-stack-drift-detection-check managed rule. Create a second EventBridge rule that reacts to a compliance change event for the CloudFormation stack. Configure the SNS topic as a target of the second EventBridge rule.


Question # 58

A company has configured an Amazon S3 event source on an AWS Lambda function. The company needs the Lambda function to run when a new object is created or an existing object is modified in a particular S3 bucket. The Lambda function will use the S3 bucket name and the S3 object key of the incoming event to read the contents of the created or modified S3 object. The Lambda function will parse the contents and save the parsed contents to an Amazon DynamoDB table. The Lambda function's execution role has permissions to read from the S3 bucket and to write to the DynamoDB table. During testing, a DevOps engineer discovers that the Lambda function does not run when objects are added to the S3 bucket or when existing objects are modified. Which solution will resolve this problem?

A. Increase the memory of the Lambda function to give the function the ability to process large files from the S3 bucket.
B. Create a resource policy on the Lambda function to grant Amazon S3 the permission to invoke the Lambda function for the S3 bucket.
C. Configure an Amazon Simple Queue Service (Amazon SQS) queue as an OnFailure destination for the Lambda function.
D. Provision space in the /tmp folder of the Lambda function to give the function the ability to process large files from the S3 bucket.


Question # 59

A company needs to ensure that flow logs remain configured for all existing and new VPCs in its AWS account. The company uses an AWS CloudFormation stack to manage its VPCs. The company needs a solution that will work for any VPCs that any IAM user creates. Which solution will meet these requirements?

A. Add the resource to the CloudFormation stack that creates the VPCs.
B. Create an organization in AWS Organizations. Add the company's AWS account to the organization. Create an SCP to prevent users from modifying VPC flow logs.
C. Turn on AWS Config. Create an AWS Config rule to check whether VPC flow logs are turned on. Configure automatic remediation to turn on VPC flow logs.
D. Create an IAM policy to deny the use of API calls for VPC flow logs. Attach the IAM policy to all IAM users.


Question # 60

A company is launching an application. The application must use only approved AWS services. The account that runs the application was created less than 1 year ago and is assigned to an AWS Organizations OU. The company needs to create a new Organizations account structure. The account structure must have an appropriate SCP that supports the use of only services that are currently active in the AWS account. The company will use AWS Identity and Access Management (IAM) Access Analyzer in the solution. Which solution will meet these requirements?

A. Create an SCP that allows the services that IAM Access Analyzer identifies. Create an OU for the account. Move the account into the new OU. Attach the new SCP to the new OU. Detach the default FullAWSAccess SCP from the new OU.
B. Create an SCP that denies the services that IAM Access Analyzer identifies. Create an OU for the account. Move the account into the new OU. Attach the new SCP to the new OU.
C. Create an SCP that allows the services that IAM Access Analyzer identifies. Attach the new SCP to the organization's root.
D. Create an SCP that allows the services that IAM Access Analyzer identifies. Create an OU for the account. Move the account into the new OU. Attach the new SCP to the management account. Detach the default FullAWSAccess SCP from the new OU.


Question # 61

A DevOps engineer is deploying a new version of a company's application in an AWS CodeDeploy deployment group associated with its Amazon EC2 instances. After some time, the deployment fails. The engineer realizes that all the events associated with the specific deployment ID are in a Skipped status and code was not deployed in the instances associated with the deployment group. What are valid reasons for this failure? (Select TWO.)

A. The networking configuration does not allow the EC2 instances to reach the internet via a NAT gateway or internet gateway and the CodeDeploy endpoint cannot be reached.
B. The IAM user who triggered the application deployment does not have permission to interact with the CodeDeploy endpoint.
C. The target EC2 instances were not properly registered with the CodeDeploy endpoint.
D. An instance profile with proper permissions was not attached to the target EC2 instances.
E. The appspec.yml file was not included in the application revision.


Question # 62

A company detects unusual login attempts in many of its AWS accounts. A DevOps engineer must implement a solution that sends a notification to the company's security team when multiple failed login attempts occur. The DevOps engineer has already created an Amazon Simple Notification Service (Amazon SNS) topic and has subscribed the security team to the SNS topic. Which solution will provide the notification with the LEAST operational effort?

A. Configure AWS CloudTrail to send log management events to an Amazon CloudWatch Logs log group. Create a CloudWatch Logs metric filter to match failed ConsoleLogin events. Create a CloudWatch alarm that is based on the metric filter. Configure an alarm action to send messages to the SNS topic.
B. Configure AWS CloudTrail to send log management events to an Amazon S3 bucket. Create an Amazon Athena query that returns a failure if the query finds failed logins in the logs in the S3 bucket. Create an Amazon EventBridge rule to periodically run the query. Create a second EventBridge rule to detect when the query fails and to send a message to the SNS topic.
C. Configure AWS CloudTrail to send log data events to an Amazon CloudWatch Logs log group. Create a CloudWatch Logs metric filter to match failed ConsoleLogin events. Create a CloudWatch alarm that is based on the metric filter. Configure an alarm action to send messages to the SNS topic.
D. Configure AWS CloudTrail to send log data events to an Amazon S3 bucket. Configure an Amazon S3 event notification for the s3:ObjectCreated event type. Filter the event type by ConsoleLogin failed events. Configure the event notification to forward to the SNS topic.

