Amazon DOP-C02 Sample Questions

Question # 61

A company has multiple development groups working in a single shared AWS account. The Senior Manager of the groups wants to be alerted via a third-party API call when the creation of resources approaches the service limits for the account. Which solution will accomplish this with the LEAST amount of development effort? 

A. Create an Amazon CloudWatch Event rule that runs periodically and targets an AWS Lambda function. Within the Lambda function, evaluate the current state of the AWS environment and compare deployed resource values to resource limits on the account. Notify the Senior Manager if the account is approaching a service limit.
B. Deploy an AWS Lambda function that refreshes AWS Trusted Advisor checks, and configure an Amazon CloudWatch Events rule to run the Lambda function periodically. Create another CloudWatch Events rule with an event pattern matching Trusted Advisor events and a target Lambda function. In the target Lambda function, notify the Senior Manager.
C. Deploy an AWS Lambda function that refreshes AWS Personal Health Dashboard checks, and configure an Amazon CloudWatch Events rule to run the Lambda function periodically. Create another CloudWatch Events rule with an event pattern matching Personal Health Dashboard events and a target Lambda function. In the target Lambda function, notify the Senior Manager.
D. Add an AWS Config custom rule that runs periodically, checks the AWS service limit status, and streams notifications to an Amazon SNS topic. Deploy an AWS Lambda function that notifies the Senior Manager, and subscribe the Lambda function to the SNS topic.


Question # 62

A DevOps engineer is architecting a continuous development strategy for a company's software as a service (SaaS) web application running on AWS. For application and security reasons, users subscribing to this application are distributed across multiple Application Load Balancers (ALBs), each of which has a dedicated Auto Scaling group and fleet of Amazon EC2 instances. The application does not require a build stage, and when it is committed to AWS CodeCommit, the application must trigger a simultaneous deployment to all ALBs, Auto Scaling groups, and EC2 fleets. Which architecture will meet these requirements with the LEAST amount of configuration?

A. Create a single AWS CodePipeline pipeline that deploys the application in parallel using unique AWS CodeDeploy applications and deployment groups created for each ALB-Auto Scaling group pair.
B. Create a single AWS CodePipeline pipeline that deploys the application using a single AWS CodeDeploy application and single deployment group.
C. Create a single AWS CodePipeline pipeline that deploys the application in parallel using a single AWS CodeDeploy application and unique deployment group for each ALB-Auto Scaling group pair.
D. Create an AWS CodePipeline pipeline for each ALB-Auto Scaling group pair that deploys the application using an AWS CodeDeploy application and deployment group created for the same ALB-Auto Scaling group pair.


Question # 63

A company uses AWS Directory Service for Microsoft Active Directory as its identity provider (IdP). The company requires all infrastructure to be defined and deployed by AWS CloudFormation. A DevOps engineer needs to create a fleet of Windows-based Amazon EC2 instances to host an application. The DevOps engineer has created a CloudFormation template that contains an EC2 launch template, IAM role, EC2 security group, and EC2 Auto Scaling group. The DevOps engineer must implement a solution that joins all EC2 instances to the domain of the AWS Managed Microsoft AD directory. Which solution will meet these requirements with the MOST operational efficiency? 

A. In the CloudFormation template, create an AWS::SSM::Document resource that joins the EC2 instance to the AWS Managed Microsoft AD domain by using the parameters for the existing directory. Update the launch template to include the SSMAssociation property to use the new SSM document. Attach the AmazonSSMManagedInstanceCore and AmazonSSMDirectoryServiceAccess AWS managed policies to the IAM role that the EC2 instances use.
B. In the CloudFormation template, update the launch template to include specific tags that propagate on launch. Create an AWS::SSM::Association resource to associate the AWS-JoinDirectoryServiceDomain Automation runbook with the EC2 instances that have the specified tags. Define the required parameters to join the AWS Managed Microsoft AD directory. Attach the AmazonSSMManagedInstanceCore and AmazonSSMDirectoryServiceAccess AWS managed policies to the IAM role that the EC2 instances use.
C. Store the existing AWS Managed Microsoft AD domain connection details in AWS Secrets Manager. In the CloudFormation template, create an AWS::SSM::Association resource to associate the AWS-CreateManagedWindowsInstanceWithApproval Automation runbook with the EC2 Auto Scaling group. Pass the ARNs for the parameters from Secrets Manager to join the domain. Attach the AmazonSSMDirectoryServiceAccess and SecretsManagerReadWrite AWS managed policies to the IAM role that the EC2 instances use.
D. Store the existing AWS Managed Microsoft AD domain administrator credentials in AWS Secrets Manager. In the CloudFormation template, update the EC2 launch template to include user data. Configure the user data to pull the administrator credentials from Secrets Manager and to join the AWS Managed Microsoft AD domain. Attach the AmazonSSMManagedInstanceCore and SecretsManagerReadWrite AWS managed policies to the IAM role that the EC2 instances use.


Question # 64

A company is migrating its on-premises Windows applications and Linux applications to AWS. The company will use automation to launch Amazon EC2 instances to mirror the on-premises configurations. The migrated applications require access to shared storage that uses SMB for Windows and NFS for Linux. The company is also creating a pilot light disaster recovery (DR) environment in another AWS Region. The company will use automation to launch and configure the EC2 instances in the DR Region. The company needs to replicate the storage to the DR Region. Which storage solution will meet these requirements?

A. Use Amazon S3 for the application storage. Create an S3 bucket in the primary Region and an S3 bucket in the DR Region. Configure S3 Cross-Region Replication (CRR) from the primary Region to the DR Region.
B. Use Amazon Elastic Block Store (Amazon EBS) for the application storage. Create a backup plan in AWS Backup that creates snapshots of the EBS volumes that are in the primary Region and replicates the snapshots to the DR Region.
C. Use a Volume Gateway in AWS Storage Gateway for the application storage. Configure Cross-Region Replication (CRR) of the Volume Gateway from the primary Region to the DR Region.
D. Use Amazon FSx for NetApp ONTAP for the application storage. Create an FSx for ONTAP instance in the DR Region. Configure NetApp SnapMirror replication from the primary Region to the DR Region.


Question # 65

A company runs a workload on Amazon EC2 instances. The company needs a control that requires the use of Instance Metadata Service Version 2 (IMDSv2) on all EC2 instances in the AWS account. If an EC2 instance does not prevent the use of Instance Metadata Service Version 1 (IMDSv1), the EC2 instance must be terminated. Which solution will meet these requirements? 

A. Set up AWS Config in the account. Use a managed rule to check EC2 instances. Configure the rule to remediate the findings by using AWS Systems Manager Automation to terminate the instance.
B. Create a permissions boundary that prevents the ec2:RunInstance action if the ec2:MetadataHttpTokens condition key is not set to a value of required. Attach the permissions boundary to the IAM role that was used to launch the instance.
C. Set up Amazon Inspector in the account. Configure Amazon Inspector to activate deep inspection for EC2 instances. Create an Amazon EventBridge rule for an Inspector2 finding. Set an AWS Lambda function as the target to terminate the instance.
D. Create an Amazon EventBridge rule for the EC2 instance launch successful event. Send the event to an AWS Lambda function to inspect the EC2 metadata and to terminate the instance.


Question # 66

A company is launching an application that stores raw data in an Amazon S3 bucket. Three applications need to access the data to generate reports. The data must be redacted differently for each application before the applications can access the data. Which solution will meet these requirements? 

A. Create an S3 bucket for each application. Configure S3 Same-Region Replication (SRR) from the raw data's S3 bucket to each application's S3 bucket. Configure each application to consume data from its own S3 bucket.
B. Create an Amazon Kinesis data stream. Create an AWS Lambda function that is invoked by object creation events in the raw data's S3 bucket. Program the Lambda function to redact data for each application. Publish the data on the Kinesis data stream. Configure each application to consume data from the Kinesis data stream.
C. For each application, create an S3 access point that uses the raw data's S3 bucket as the destination. Create an AWS Lambda function that is invoked by object creation events in the raw data's S3 bucket. Program the Lambda function to redact data for each application. Store the data in each application's S3 access point. Configure each application to consume data from its own S3 access point.
D. Create an S3 access point that uses the raw data's S3 bucket as the destination. For each application, create an S3 Object Lambda access point that uses the S3 access point. Configure the AWS Lambda function for each S3 Object Lambda access point to redact data when objects are retrieved. Configure each application to consume data from its own S3 Object Lambda access point.


Question # 67

A company hosts applications in its AWS account. Each application logs to an individual Amazon CloudWatch log group. The company's CloudWatch costs for ingestion are increasing. A DevOps engineer needs to identify which applications are the source of the increased logging costs. Which solution will meet these requirements?

A. Use CloudWatch metrics to create a custom expression that identifies the CloudWatch log groups that have the most data being written to them.
B. Use CloudWatch Logs Insights to create a set of queries for the application log groups to identify the number of logs written for a period of time.
C. Use AWS Cost Explorer to generate a cost report that details the cost for CloudWatch usage.
D. Use AWS CloudTrail to filter for CreateLogStream events for each application.


Question # 68

A company uses an organization in AWS Organizations that has all features enabled. The company uses AWS Backup in a primary account and uses an AWS Key Management Service (AWS KMS) key to encrypt the backups. The company needs to automate a cross-account backup of the resources that AWS Backup backs up in the primary account. The company configures cross-account backup in the Organizations management account. The company creates a new AWS account in the organization and configures an AWS Backup backup vault in the new account. The company creates a KMS key in the new account to encrypt the backups. Finally, the company configures a new backup plan in the primary account. The destination for the new backup plan is the backup vault in the new account. When the AWS Backup job in the primary account is invoked, the job creates backups in the primary account. However, the backups are not copied to the new account's backup vault. Which combination of steps must the company take so that backups can be copied to the new account's backup vault? (Select TWO.) 

A. Edit the backup vault access policy in the new account to allow access to the primary account.
B. Edit the backup vault access policy in the primary account to allow access to the new account.
C. Edit the backup vault access policy in the primary account to allow access to the KMS key in the new account.
D. Edit the key policy of the KMS key in the primary account to share the key with the new account.
E. Edit the key policy of the KMS key in the new account to share the key with the primary account.


Question # 69

A growing company manages more than 50 accounts in an organization in AWS Organizations. The company has configured its applications to send logs to Amazon CloudWatch Logs. A DevOps engineer needs to aggregate logs so that the company can quickly search the logs to respond to future security incidents. The DevOps engineer has created a new AWS account for centralized monitoring. Which combination of steps should the DevOps engineer take to make the application logs searchable from the monitoring account? (Select THREE.) 

A. In the monitoring account, download an AWS CloudFormation template from CloudWatch to use in Organizations. Use CloudFormation StackSets in the organization's management account to deploy the CloudFormation template to the entire organization.
B. Create an AWS CloudFormation template that defines an IAM role. Configure the role to allow logs.amazonaws.com to perform the logs:Link action if the aws:ResourceAccount property is equal to the monitoring account ID. Use CloudFormation StackSets in the organization's management account to deploy the CloudFormation template to the entire organization.
C. Create an IAM role in the monitoring account. Attach a trust policy that allows logs.amazonaws.com to perform the iam:CreateSink action if the aws:PrincipalOrgId property is equal to the organization ID.
D. In the organization's management account, enable the logging policies for the organization.
E. Use CloudWatch Observability Access Manager in the monitoring account to create a sink. Allow logs to be shared with the monitoring account. Configure the monitoring account data selection to view the Observability data from the organization ID.
F. In the monitoring account, attach the CloudWatchLogsReadOnlyAccess AWS managed policy to an IAM role that can be assumed to search the logs.


Question # 70

A company plans to use Amazon CloudWatch to monitor its Amazon EC2 instances. The company needs to stop EC2 instances when the average of the NetworkPacketsIn metric is less than 5 for at least 3 hours in a 12-hour time window. The company must evaluate the metric every hour. The EC2 instances must continue to run if there is missing data for the NetworkPacketsIn metric during the evaluation period. A DevOps engineer creates a CloudWatch alarm for the NetworkPacketsIn metric. The DevOps engineer configures a threshold value of 5 and an evaluation period of 1 hour. Which set of additional actions should the DevOps engineer take to meet these requirements? 

A. Configure the Datapoints to Alarm value to be 3 out of 12. Configure the alarm to treat missing data as breaching the threshold. Add an AWS Systems Manager action to stop the instance when the alarm enters the ALARM state.
B. Configure the Datapoints to Alarm value to be 3 out of 12. Configure the alarm to treat missing data as not breaching the threshold. Add an EC2 action to stop the instance when the alarm enters the ALARM state.
C. Configure the Datapoints to Alarm value to be 9 out of 12. Configure the alarm to treat missing data as breaching the threshold. Add an EC2 action to stop the instance when the alarm enters the ALARM state.
D. Configure the Datapoints to Alarm value to be 9 out of 12. Configure the alarm to treat missing data as not breaching the threshold. Add an AWS Systems Manager action to stop the instance when the alarm enters the ALARM state.

