A company manages a multi-tenant environment in its VPC and has configured Amazon GuardDuty for the corresponding AWS account. The company sends all GuardDuty findings to AWS Security Hub. Traffic from suspicious sources is generating a large number of findings. A DevOps engineer needs to implement a solution to automatically deny traffic across the entire VPC when GuardDuty discovers a new suspicious source. Which solution will meet these requirements?
A. Create a GuardDuty threat list. Configure GuardDuty to reference the list. Create anAWS Lambda function that will update the threat list Configure the Lambda function to runin response to new Security Hub findings that come from GuardDuty.
B. Configure an AWS WAF web ACL that includes a custom rule group. Create an AWSLambda function that will create a block rule in the custom rule group Configure theLambda function to run in response to new Security Hub findings that come from GuardDuty
C. Configure a firewall in AWS Network Firewall. Create an AWS Lambda function that willcreate a Drop action rule in the firewall policy Configure the Lambda function to run inresponse to new Security Hub findings that come from GuardDuty
D. Create an AWS Lambda function that will create a GuardDuty suppression rule.Configure the Lambda function to run in response to new Security Hub findings that comefrom GuardDuty.
A company recently deployed its web application on AWS. The company is preparing for a large-scale sales event and must ensure that the web application can scale to meet the demand The application's frontend infrastructure includes an Amazon CloudFront distribution that has an Amazon S3 bucket as an origin. The backend infrastructure includes an Amazon API Gateway API. several AWS Lambda functions, and an Amazon Aurora DB cluster The company's DevOps engineer conducts a load test and identifies that the Lambda functions can fulfill the peak number of requests However, the DevOps engineer notices request latency during the initial burst of requests Most of the requests to the Lambda functions produce queries to the database A large portion of the invocation time is used to establish database connections Which combination of steps will provide the application with the required scalability? (Select TWO)
A. Configure a higher reserved concurrency for the Lambda functions.
B. Configure a higher provisioned concurrency for the Lambda functions
C. Convert the DB cluster to an Aurora global database Add additional Aurora Replicas inAWS Regions based on the locations of the company's customers.
D. Refactor the Lambda Functions Move the code blocks that initialize databaseconnections into the function handlers.
E. Use Amazon RDS Proxy to create a proxy for the Aurora database Update the Lambdafunctions to use the proxy endpoints for database connections.
A company's security policies require the use of security hardened AMIS in production environments. A DevOps engineer has used EC2 Image Builder to create a pipeline that builds the AMIs on a recurring schedule. The DevOps engineer needs to update the launch templates of the companys Auto Scaling groups. The Auto Scaling groups must use the newest AMIS during the launch of Amazon EC2 instances. Which solution will meet these requirements with the MOST operational efficiency?
A. Configure an Amazon EventBridge rule to receive new AMI events from Image Builder.Target an AWS Systems Manager Run Command document that updates the launchtemplates of the Auto Scaling groups with the newest AMI ID.
B. Configure an Amazon EventBridge rule to receive new AMI events from Image Builder.Target an AWS Lambda function that updates the launch templates of the Auto Scalinggroups with the newest AMI ID.
C. Configure the launch template to use a value from AWS Systems Manager ParameterStore for the AMI ID. Configure the Image Builder pipeline to update the Parameter Storevalue with the newest AMI ID.
D. Configure the Image Builder distribution settings to update the launch templates with thenewest AMI ID. Configure the Auto Scaling groups to use the newest version of the launch template.
A company requires its internal business teams to launch resources through pre-approved AWS CloudFormation templates only. The security team requires automated monitoring when resources drift from their expected state. Which strategy should be used to meet these requirements?
A. Allow users to deploy CloudFormation stacks using a CloudFormation service role only.Use CloudFormation drift detection to detect when resources have drifted from theirexpected state.
B. Allow users to deploy CloudFormation stacks using a CloudFormation service role only.Use AWS Config rules to detect when resources have drifted from their expected state.
C. Allow users to deploy CloudFormation stacks using AWS Service Catalog only. Enforcethe use of a launch constraint. Use AWS Config rules to detect when resources havedrifted from their expected state.
D. Allow users to deploy CloudFormation stacks using AWS Service Catalog only. Enforcethe use of a template constraint. Use Amazon EventBridge notifications to detect whenresources have drifted from their expected state.
A company is building a web and mobile application that uses a serverless architecture powered by AWS Lambda and Amazon API Gateway The company wants to fully automate the backend Lambda deployment based on code that is pushed to the appropriate environment branch in an AWS CodeCommit repository The deployment must have the following: • Separate environment pipelines for testing and production • Automatic deployment that occurs for test environments only Which steps should be taken to meet these requirements'?
A. Configure a new AWS CodePipelme service Create a CodeCommit repository for eachenvironment Set up CodePipeline to retrieve the source code from the appropriaterepository Set up the deployment step to deploy the Lambda functions with AWSCloudFormation.
B. Create two AWS CodePipeline configurations for test and production environmentsConfigure the production pipeline to have a manual approval step Create aCodeCommit repository for each environment Set up each CodePipeline to retrieve thesource code from the appropriate repository Set up the deployment step to deploy theLambda functions with AWS CloudFormation.
C. Create two AWS CodePipeline configurations for test and production environmentsConfigure the production pipeline to have a manual approval step. Create oneCodeCommit repository with a branch for each environment Set up each CodePipeline toretrieve the source code from the appropriate branch in the repository. Set up thedeployment step to deploy the Lambda functions with AWS CloudFormation
D. Create an AWS CodeBuild configuration for test and production environments Configurethe production pipeline to have a manual approval step. Create one CodeCommitrepository with a branch for each environment Push the Lambda function code to anAmazon S3 bucket Set up the deployment step to deploy the Lambda functions from theS3 bucket.
A healthcare services company is concerned about the growing costs of software licensing for an application for monitoring patient wellness. The company wants to create an audit process to ensure that the application is running exclusively on Amazon EC2 Dedicated Hosts. A DevOps engineer must create a workflow to audit the application to ensure compliance. What steps should the engineer take to meet this requirement with the LEAST administrative overhead?
A. Use AWS Systems Manager Configuration Compliance. Use calls to the putcompliance-items API action to scan and build a database of noncompliant EC2 instancesbased on their host placement configuration. Use an Amazon DynamoDB table to storethese instance IDs for fast access. Generate a report through Systems Manager by callingthe list-compliance-summaries API action.
B. Use custom Java code running on an EC2 instance. Set up EC2 Auto Scaling for theinstance depending on the number of instances to be checked. Send the list ofnoncompliant EC2 instance IDs to an Amazon SQS queue. Set up another worker instanceto process instance IDs from the SQS queue and write them to Amazon DynamoDB. Usean AWS Lambda function to terminate noncompliant instance IDs obtained from the queue,and send them to an Amazon SNS email topic for distribution.
C. Use AWS Config. Identify all EC2 instances to be audited by enabling Config Recordingon all Amazon EC2 resources for the region. Create a custom AWS Config rule thattriggers an AWS Lambda function by using the "config-rule-change-triggered" blueprint. Modify the LambdaevaluateCompliance () function to verify host placement to return a NON_COMPLIANTresult if the instance is not running on an EC2 Dedicated Host. Use the AWS Config reportto address noncompliant instances.
D. Use AWS CloudTrail. Identify all EC2 instances to be audited by analyzing all calls tothe EC2 RunCommand API action. Invoke a AWS Lambda function that analyzes the hostplacement of the instance. Store the EC2 instance ID of noncompliant resources in anAmazon RDS for MySQL DB instance. Generate a report by querying the RDS instanceand exporting the query results to a CSV text file.
A company's application runs on Amazon EC2 instances. The application writes to a log file that records the username, date, time: and source IP address of the login. The log is published to a log group in Amazon CloudWatch Logs The company is performing a root cause analysis for an event that occurred on the previous day The company needs to know the number of logins for a specific user from the past 7 days Which solution will provide this information'?
A. Create a CloudWatch Logs metric filter on the log group Use a filter pattern that matchesthe username. Publish a CloudWatch metric that sums the number of logins over the past 7days.
B. Create a CloudWatch Logs subscription on the log group Use a filter pattern thatmatches the username Publish a CloudWatch metric that sums the number of logins overthe past 7 days
C. Create a CloudWatch Logs Insights query that uses an aggregation function to count thenumber of logins for the username over the past 7 days. Run the query against the loggroup
D. Create a CloudWatch dashboard. Add a number widget that has a filter pattern thatcounts the number of logins for the username over the past 7 days directly from the loggroup
AnyCompany is using AWS Organizations to create and manage multiple AWS accounts AnyCompany recently acquired a smaller company, Example Corp. During the acquisition process, Example Corp's single AWS account joined AnyCompany's management account through an Organizations invitation. AnyCompany moved the new member account under an OU that is dedicated to Example Corp. AnyCompany's DevOps eng•neer has an IAM user that assumes a role that is named OrganizationAccountAccessRole to access member accounts. This role is configured with a full access policy When the DevOps engineer tries to use the AWS Management Console to assume the role in Example Corp's new member account, the DevOps engineer receives the following error message "Invalid information in one or more fields. Check your information or contact your administrator." Which solution will give the DevOps engineer access to the new member account?
A. In the management account, grant the DevOps engineer's IAM user permission toassume the OrganzatlonAccountAccessR01e IAM role in the new member account.
B. In the management account, create a new SCR In the SCP, grant the DevOpsengineer's IAM user full access to all resources in the new member account. Attach theSCP to the OU that contains the new member account,
C. In the new member account, create a new IAM role that is namedOrganizationAccountAccessRole. Attach the AdmInistratorAccess AVVS managed policy tothe role. In the role's trust policy, grant the management account permission to assume therole.
D. In the new member account edit the trust policy for the Organ zationAccountAccessRoleIAM role. Grant the management account permission to assume the role.
A company has an application that includes AWS Lambda functions. The Lambda functions run Python code that is stored in an AWS CodeCommit repository. The company has recently experienced failures in the production environment because of an error in the Python code. An engineer has written unit tests for the Lambda functions to help avoid releasing any future defects into the production environment. The company's DevOps team needs to implement a solution to integrate the unit tests into an existing AWS CodePipeline pipeline. The solution must produce reports about the unit tests for the company to view. Which solution will meet these requirements?
A. Associate the CodeCommit repository with Amazon CodeGuru Reviewer. Create a newAWS CodeBuild project. In the CodePipeline pipeline, configure a test stage that uses thenew CodeBuild project. Create a buildspec.yml file in the CodeCommit repository. In thebuildspec.yml file, define the actions to run a CodeGuru review.
B. Create a new AWS CodeBuild project. In the CodePipeline pipeline, configure a teststage that uses the new CodeBuild project. Create a CodeBuild report group. Create abuildspec.yml file in the CodeCommit repository. In the buildspec.yml file, define theactions to run the unit tests with an output of JUNITXML in the build phase section.Configure the test reports to be uploaded to the new CodeBuild report group.
C. Create a new AWS CodeArtifact repository. Create a new AWS CodeBuild project. Inthe CodePipeline pipeline, configure a test stage that uses the new CodeBuild project.Create an appspec.yml file in the original CodeCommit repository. In the appspec.yml file,define the actions to run the unit tests with an output of CUCUMBERJSON in the buildphase section. Configure the tests reports to be sent to the new CodeArtifact repository.
D. Create a new AWS CodeBuild project. In the CodePipeline pipeline, configure a teststage that uses the new CodeBuild project. Create a new Amazon S3 bucket. Create abuildspec.yml file in the CodeCommit repository. In the buildspec.yml file, define theactions to run the unit tests with an output of HTML in the phases section. In the reportssection, upload the test reports to the S3 bucket.
A DevOps engineer is setting up a container-based architecture. The engineer has decided to use AWS CloudFormation to automatically provision an Amazon ECS cluster and an Amazon EC2 Auto Scaling group to launch the EC2 container instances. After successfully creating the CloudFormation stack, the engineer noticed that, even though the ECS cluster and the EC2 instances were created successfully and the stack finished the creation, the EC2 instances were associating with a different cluster. How should the DevOps engineer update the CloudFormation template to resolve this issue?
A. Reference the EC2 instances in the AWS: ECS: Cluster resource and reference theECS cluster in the AWS: ECS: Service resource.
B. Reference the ECS cluster in the AWS: AutoScaling: LaunchConfiguration resource ofthe UserData property.
C. Reference the ECS cluster in the AWS:EC2: lnstance resource of the UserDataproperty.
D. Reference the ECS cluster in the AWS: CloudFormation: CustomResource resource to trigger an AWS Lambda function that registers the EC2 instances with the appropriate ECScluster.