DECK 4 Flashcards

Question 1

Q

A developer needs to manage AWS infrastructure as code and must be able to deploy multiple identical copies of the infrastructure, stage changes, and revert to previous versions.

Which approach addresses these requirements?

A. Use cost allocation reports and AWS OpsWorks to deploy and manage the infrastructure.

B. Use Amazon CloudWatch metrics and alerts along with resource tagging to deploy and manage the infrastructure.

C. Use AWS Elastic Beanstalk and AWS CodeCommit to deploy and manage the infrastructure.

D. Use AWS CloudFormation and AWS CodeCommit to deploy and manage the infrastructure.

Answer

A

D. Use AWS CloudFormation and AWS CodeCommit to deploy and manage the infrastructure.

Question 2

Q

What is required to trace Lambda-based applications with AWS X-Ray?

A. Send logs from the Lambda application to an S3 bucket; trigger a Lambda function from the bucket to send data to AWS X-Ray.

B. Trigger a Lambda function from the application logs in Amazon CloudWatch to submit tracing data to AWS X-Ray.

C. Use an IAM execution role to give the Lambda function permissions and enable tracing.

D. Update and add AWS X-Ray daemon code to relevant parts of the Lambda function to set up the trace.

Answer

A

C. Use an IAM execution role to give the Lambda function permissions and enable tracing.

Question 3

Q

A development team is building a new application that will run on Amazon EC2 and use Amazon DynamoDB as a storage layer. The developers all have assigned
IAM user accounts in the same IAM group. The developers currently can launch EC2 instances, and they need to be able to launch EC2 instances with an instance role allowing access to Amazon DynamoDB.

Which AWS IAM changes are needed when creating an instance role to provide this functionality?

A. Create an IAM permission policy attached to the role that allows access to DynamoDB. Add a trust policy to the role that allows DynamoDB to assume the role. Attach a permissions policy to the development group in AWS IAM that allows developers to use the iam:GetRole and iam:PassRole permissions for the role.

B. Create an IAM permissions policy attached to the role that allows access to DynamoDB. Add a trust policy to the role that allows Amazon EC2 to assume the role. Attach a permissions policy to the development group in AWS IAM that allows developers to use the iam:PassRole permission for the role.

C. Create an IAM permission policy attached to the role that allows access to Amazon EC2. Add a trust policy to the role that allows DynamoDB to assume the role. Attach a permissions policy to the development group in AWS IAM that allows developers to use the iam:PassRole permission for the role.

D. Create an IAM permissions policy attached to the role that allows access to DynamoDB. Add a trust policy to the role that allows Amazon EC2 to assume the role. Attach a permissions policy to the development group in AWS IAM that allows developers to use the iam:GetRole permission for the role.

Answer

A

B. Create an IAM permissions policy attached to the role that allows access to DynamoDB. Add a trust policy to the role that allows Amazon EC2 to assume the role. Attach a permissions policy to the development group in AWS IAM that allows developers to use the iam:PassRole permission for the role.

Question 4

Q

A developer is migrating code to an AWS Lambda function that will an Amazon Aurora MySQL database. What is the MOST secure way to authenticate the function to the database?

A. Store the database credentials as encrypted parameters in AWS Systems Manager Parameters Store. Obtain the credentials from Systems Manager when the Lambda function needs to connect to the database.

B. Store the database credentials in AWS Secrets Manager. Let Secrets Manager handle the rotation of the credentials, as required.

C. Store the database credentials in an Amazon S3 bucket that has a restrictive bucket policy for the Lambda role when accessing the credentials. Use AWS KMS to encrypt the data.

D. Create a policy with rds-db:connect access to the database and attach it to the role assigned to the Lambda function.

Answer

A

B. Store the database credentials in AWS Secrets Manager. Let Secrets Manager handle the rotation of the credentials, as required.

Question 5

Q

A development team uses AWS Elastic Beanstalk for application deployment. The team has con figured the application version lifecycle policy to limit the number of application versions to 25. However, even with the lifecycle policy, the source bundle is deleted from the Amazon S3 source bucket.

What should a developer do in the Elastic Beanstalk application version lifecycle settings to retain the source code in the S3 bucket?

A. Change the Set the application versions limit by total count setting to zero.

B. Disable the Lifecycle policy setting.

C. Change the Set the application version limit by age setting to zero.

D. Set Retention to Retain source bundle in S3.

Answer

A

D. Set Retention to Retain source bundle in S3.

Question 6

Q

A developer has built a market application that stores pricing data in Amazon DynamoDB with Amazon ElastiCache in front. The prices of items in the market change frequently. Sellers have begun complaining that, after they update the price of an item, the price does not actually change in the product listing.

What could be causing this issue?

A. The cache is not being invalidated when the price of the item is changed

B. The price of the item is being retrieved using a write-through ElastiCache cluster

C. The DynamoDB table was provisioned with insu fficient read capacity

D. The DynamoDB table was provisioned with insuffi cient write capacity

Answer

A

A. The cache is not being invalidated when the price of the item is changed

Question 7

Q

A developer is provided with an HTTPS clone URL for an AWS CodeCommit repository. What needs to be configured before cloning this repository?

A. Use AWS KMS to set up public and private keys for use with AWS CodeCommit.

B. Set up the Git credential helper to use an AWS credential profile, and enable the helper to send the path to the repositories.

C. Use AWS Certificate Manager to provision public and private SSL/TLS certificates.

D. Generate encryption keys using AWS CloudHSM, then export the key for use with AWS CodeCommit.

Answer

A

B. Set up the Git credential helper to use an AWS credential profile, and enable the helper to send the path to the repositories.

Question 8

Q

A developer is building an application using an Amazon API Gateway REST API backend by an AWS Lambda function that interacts with an Amazon DynamoDB table. During testing, the developer observes high latency when making requests to the API.

How can the developer evaluate the end-to-end latency and identify performance bottlenecks?

A. Enable AWS CloudTrail logging and use the logs to map each latency and bottleneck.

B. Enable and con figure AWS X-Ray tracing on API Gateway and the Lambda function. Use X-Ray to trace and analyze user requests.

C. Enable Amazon CloudWatch Logs for the Lambda function. Enable execution logs for API Gateway to view and analyze user request logs.

D. Enable VPC Flow Logs to capture and analyze network tra ffic within the VPC.

Answer

A

B. Enable and con figure AWS X-Ray tracing on API Gateway and the Lambda function. Use X-Ray to trace and analyze user requests.

Question 9

Q

A developer is writing an AWS Lambda function. The developer wants to log key events that occur during the Lambda function and include a unique identi fier to associate the events with a speci fic function invocation.

Which of the following will help the developer accomplish this objective?

A. Obtain the request identi fier from the Lambda context object. Architect the application to write logs to the console.

B. Obtain the request identi fier from the Lambda event object. Architect the application to write logs to a file.

C. Obtain the request identi fier from the Lambda event object. Architect the application to write logs to the console.

D. Obtain the request identi fier from the Lambda context object. Architect the application to write logs to a file.

Answer

A

A. Obtain the request identi fier from the Lambda context object. Architect the application to write logs to the console.

Question 10

Q

An IAM role is attached to an Amazon EC2 instance that explicitly denies access to all Amazon S3 API actions. The EC2 instance credentials file specifies the IAM access key and secret access key, which allow full administrative access.

Given that multiple modes of IAM access are present for this EC2 instance, which of the following is correct?

A. The EC2 instance will only be able to list the S3 buckets.

B. The EC2 instance will only be able to list the contents of one S3 bucket at a time.

C. The EC2 instance will be able to perform all actions on any S3 bucket.

D. The EC2 instance will not be able to perform any S3 action on any S3 bucket.

Answer

A

C. The EC2 instance will be able to perform all actions on any S3 bucket.

Question 11

Q

Two containerized microservices are hosted on Amazon EC2 ECS. The first microservice reads an Amazon RDS Aurora database instance, and the second microservice reads an Amazon DynamoDB table.

How can each microservice be granted the minimum privileges?

A. Set ECS_ENABLE_TASK_IAM_ROLE to false on EC2 instance boot in ECS agent con figuration file. Run the first microservice with an IAM role for ECS tasks with read-only access for the Aurora database. Run the second microservice with an IAM role for ECS tasks with read-only access to DynamoDB.

B. Set ECS_ENABLE_TASK_IAM_ROLE to false on EC2 instance boot in the ECS agent con figuration file. Grant the instance profi le role read- only access to the Aurora database and DynamoDB.

C. Set ECS_ENABLE_TASK_IAM_ROLE to true on EC2 instance boot in the ECS agent con figuration fi le. Run the first microservice with an IAM role for ECS tasks with read-only access for the Aurora database. Run the second microservice with an IAM role for ECS tasks with read-only access to DynamoDB.

D. Set ECS_ENABLE_TASK_IAM_ROLE to true on EC2 instance boot in the ECS agent con figuration fi le. Grant the instance profi le role read-only access to the Aurora database and DynamoDB.

Answer

A

C. Set ECS_ENABLE_TASK_IAM_ROLE to true on EC2 instance boot in the ECS agent con figuration fi le. Run the first microservice with an IAM role for ECS tasks with read-only access for the Aurora database. Run the second microservice with an IAM role for ECS tasks with read-only access to DynamoDB.

Question 12

Q

A developer has written an AWS Lambda function using Java as the runtime environment. The developer wants to isolate a performance bottleneck in the code.

Which steps should be taken to reveal the bottleneck?

A. Use the Amazon CloudWatch API to write timestamps to a custom CloudWatch metric. Use the CloudWatch console to analyze the resulting data.

B. Use the AWS X-Ray API to write trace data into X-Ray from strategic places within the code. Use the Amazon CloudWatch console to analyze the resulting data.

C. Use the AWS X-Ray API to write trace data into X-Ray from strategic places within the code. Use the X-Ray console to analyze the resulting data.

D. Use the Amazon CloudWatch API to write timestamps to a custom CloudWatch metric. Use the AWS X-Ray console to analyze the resulting data.

Answer

A

C. Use the AWS X-Ray API to write trace data into X-Ray from strategic places within the code. Use the X-Ray console to analyze the resulting data.

Question 13

Q

A developer added a new feature to an application running on an Amazon EC2 instance that uses Amazon SQS. After deployment, the developer noticed a signi ficant increase in Amazon SQS costs. When monitoring the Amazon SQS metrics on Amazon CloudWatch, the developer found that on average one message per minute is posted on this queue.

What can be done to reduce Amazon SQS costs for this application?

A. Increase the Amazon SQS queue polling timeout.

B. Scale down the Amazon SQS queue to the appropriate size for low tra ffic demand.

C. Con gure push delivery via Amazon SNS instead of polling the Amazon SQS queue.

D. Use an Amazon SQS first-in, first-out (FIFO) queue instead of a standard queue.

Answer

A

A. Increase the Amazon SQS queue polling timeout.

Question 14

Q

A developer is using Amazon DynamoDB to store application data. The developer wants to further improve application performance by reducing response times for read and write operations.

Which DynamoDB feature should be used to meet these requirements?

A. Amazon DynamoDB Streams
B. Amazon DynamoDB Accelerator
C. Amazon DynamoDB global tables
D. Amazon DynamoDB transactions

Answer

A

C. Amazon DynamoDB global tables

Question 15

Q

A developer is creating a script to automate the deployment process for a serverless application. The developer wants to use an existing AWS Serverless
Application Model (AWS SAM) template for the application.

What should the developer use for the project? (Choose two.)

A. Call aws cloudformation package to create the deployment package. Call aws cloudformation deploy to deploy the package afterward.

B. Call sam package to create the deployment package. Call sam deploy to deploy the package afterward.

C. Call aws s3 cp to upload the AWS SAM template to Amazon S3. Call aws lambda update-function-code to create the application.

D. Create a ZIP package locally and call aws serverlessrepo create-application to create the application.

E. Create a ZIP package and upload it to Amazon S3. Call aws cloudformation create-stack to create the application.

Answer

A

A. Call aws cloudformation package to create the deployment package. Call aws cloudformation deploy to deploy the package afterward.

B. Call sam package to create the deployment package. Call sam deploy to deploy the package afterward.

Question 16

Q

A development team is designing a mobile app that requires multi-factor authentication.

Which steps should be taken to achieve this? (Choose two.)

A. Use Amazon Cognito to create a user pool and create users in the user pool.

B. Send multi-factor authentication text codes to users with the Amazon SNS Publish API call in the app code.

C. Enable multi-factor authentication for the Amazon Cognito user pool.

D. Use AWS IAM to create IAM users.
E. Enable multi-factor authentication for the users created in AWS IAM.

Answer

A

A. Use Amazon Cognito to create a user pool and create users in the user pool.

C. Enable multi-factor authentication for the Amazon Cognito user pool.

Question 17

Q

A gaming application stores scores for players in an Amazon DynamoDB table that has four attributes: user_id, user_name, user_score, and user_rank. The users are allowed to update their names only. A user is authenticated by web identity federation.

Which set of conditions should be added in the policy attached to the role for the dynamodb: PutItem API call?

A. https://vceguide.com/wp-content/uploads/2021/01/01-01-2021-Amazon-AWS-Certified-Developer-Associate_Page_138_Image_0001.jpg

B. https://vceguide.com/wp-content/uploads/2021/01/01-01-2021-Amazon-AWS-Certified-Developer-Associate_Page_138_Image_0002.jpg

C. https://vceguide.com/wp-content/uploads/2021/01/01-01-2021-Amazon-AWS-Certified-Developer-Associate_Page_139_Image_0001.jpg

D. https://vceguide.com/wp-content/uploads/2021/01/01-01-2021-Amazon-AWS-Certified-Developer-Associate_Page_139_Image_0002.jpg

Answer

A

C. https://vceguide.com/wp-content/uploads/2021/01/01-01-2021-Amazon-AWS-Certified-Developer-Associate_Page_139_Image_0001.jpg

Question 18

Q

A developer is using AWS CodeDeploy to deploy an application running on Amazon EC2. The developer wants to change the file permissions for a specifi c deployment file.
Which lifecycle event should a developer use to meet this requirement?

A. AfterInstall
B. DownloadBundle
C. BeforeInstall
D. ValidateService

Answer

A

A. AfterInstall

Question 19

Q

Given the following AWS CloudFormation template:

Description: Creates a new Amazon S3 bucket for shared content. Uses a random bucket name to avoid conflicts.

Resources:
     ContentBucket:
          Type: AWS::S3::Bucket
     Outputs:
          ContentBucketName:
               Value: !Ref ContentBucket

What is the MOST e fficient way to reference the new Amazon S3 bucket from another AWS CloudFormation template?

A. Add an Export declaration to the Outputs section of the original template and use ImportValue in other templates.

B. Add Exported: true to the Contentbucket in the original template and use ImportResource in other templates.

C. Create a custom AWS CloudFormation resource that gets the bucket name from the ContentBucket resource of the first stack.

D. Use Fn::Include to include the existing template in other templates and use the ContentBucket resource directly.

Answer

A

A. Add an Export declaration to the Outputs section of the original template and use ImportValue in other templates.

Question 20

Q

A company is developing a report executed by AWS Step Functions. Amazon CloudWatch shows errors in the Step Functions task state machine. To troubleshoot each task, the state input needs to be included along with the error message in the state output.

Which coding practice can preserve both the original input and the error for the state?

A. Use ResultPath in a Catch statement to include the error with the original input.

B. Use InputPath in a Catch statement and set the value to null.

C. Use ErrorEquals in a Retry statement to include the error with the original input.

D. Use OutputPath in a Retry statement and set the value to $.

Answer

A

A. Use ResultPath in a Catch statement to include the error with the original input.

Question 21

Q

A developer receives the following error message when trying to launch or terminate an Amazon EC2 instance using a boto3 script.

https://www.examtopics.com/assets/media/exam-media/03756/0014900001.png

What should the developer do to correct this error message?

A. Assign an IAM role to the EC2 instance to allow necessary API calls on behalf of the client.

B. Implement an exponential backoff algorithm for optimizing the number of API requests made to Amazon EC2.

C. Increase the overall network bandwidth to handle higher API request rates.

D. Upgrade to the latest AWS CLI version so that boto3 can handle higher request rates.

Answer

A

B. Implement an exponential backoff algorithm for optimizing the number of API requests made to Amazon EC2.

Question 22

Q

A developer is updating an application deployed on AWS Elastic Beanstalk. The new version is incompatible with the old version. To successfully deploy the update, a full cutover to the new, updated version must be performed on all instances at one time, with the ability to roll back changes in case of a deployment failure in the new version.

How can this be performed with the LEAST amount of downtime?

A. Use the Elastic Beanstalk All at once deployment policy to update all instances simultaneously.

B. Perform an Elastic Beanstalk Rolling with additional batch deployment.

C. Deploy the new version in a new Elastic Beanstalk environment and swap environment URLs.

D. Perform an Elastic Beanstalk Rolling deployment.

Answer

A

C. Deploy the new version in a new Elastic Beanstalk environment and swap environment URLs.

Question 23

Q

A developer is writing a web application that must share secure documents with end users. The documents are stored in a private Amazon S3 bucket. The application must allow only authenticated users to download speci fic documents when requested, and only for a duration of 15 minutes.

How can the developer meet these requirements?

A. Copy the documents to a separate S3 bucket that has a lifecycle policy for deletion after 15 minutes.

B. Create a presigned S3 URL using the AWS SDK with an expiration time of 15 minutes.

C. Use server-side encryption with AWS KMS managed keys (SSE-KMS) and download the documents using HTTPS.

D. Modify the S3 bucket policy to only allow speci fic users to download the documents. Revert the change after 15 minutes.

Answer

A

B. Create a presigned S3 URL using the AWS SDK with an expiration time of 15 minutes.

Question 24

Q

A developer wants to send multi-value headers to an AWS Lambda function that is registered as a target with an Application Load Balancer (ALB).

What should the developer do to achieve this?

A. Place the Lambda function and target group in the same account.

B. Send the request body to the Lambda function with a size less than 1 MB.

C. Include the Base64 encoding status, status code, status description, and headers in the Lambda function.

D. Enable the multi-value headers on the ALB.

Answer

A

D. Enable the multi-value headers on the ALB.

Question 25

Q

An ecommerce startup is preparing for an annual sales event. As the traffi c to the company’s application increases, the development team wants to be noti fied when the Amazon EC2 instance’s CPU utilization exceeds 80%.

Which solution will meet this requirement?

A. Create a custom Amazon CloudWatch alarm that sends a noti fication to an Amazon SNS topic when the CPU utilization exceeds 80%.

B. Create a custom AWS Cloud Trail alarm that sends a noti fication to an Amazon SNS topic when the CPU utilization exceeds 80%.

C. Create a cron job on the EC2 instance that executes the –describe-instance-information command on the host instance every 15 minutes and sends the results to an Amazon SNS topic.

D. Create an AWS Lambda function that queries the AWS CloudTrail logs for the CPUUtilization metric every 15 minutes and sends a noti fication to an Amazon SNS topic when the CPU utilization exceeds 80%.

Answer

A

A. Create a custom Amazon CloudWatch alarm that sends a noti fication to an Amazon SNS topic when the CPU utilization exceeds 80%.

Question 26

Q

An application running on Amazon EC2 opens connections to an Amazon RDS SQL Server database. The developer does not want to store the user name and password for the database in the code. The developer would also like to automatically rotate the credentials.

What is the MOST secure way to store and access the database credentials?

A. Create an IAM role that has permissions to access the database. Attach the role to the EC2 instance.

B. Use AWS Secrets Manager to store the credentials. Retrieve the credentials from Secrets Manager as needed.

C. Store the credentials in an encrypted text fi le in an Amazon S3 bucket. Con figure the EC2 instance’s user data to download the credentials from Amazon S3 as the instance boots.

D. Store the user name and password credentials directly in the source code. No further action is needed because the source code is stored in a private repository.

Answer

A

B. Use AWS Secrets Manager to store the credentials. Retrieve the credentials from Secrets Manager as needed.

Question 27

Q

A global company has an application running on Amazon EC2 instances that serves image files from Amazon S3. User requests from the browser are causing high tra ffic, which results in degraded performance.

Which optimization solution should a developer implement to increase application performance?

A. Create multiple pre fixes in the S3 bucket to increase the request rate.

B. Create an Amazon ElastiCache cluster to cache and serve frequently accessed items.

C. Use Amazon CloudFront to serve the content of images stored in Amazon S3.

D. Submit a ticket to AWS Support to request a rate limit increase for the S3 bucket.

Answer

A

C. Use Amazon CloudFront to serve the content of images stored in Amazon S3.

Question 28

Q

An application needs to encrypt data that is written to Amazon S3 where the keys are managed in an on-premises data center, and the encryption is handled by
S3.

Which type of encryption should be used?

A. Use server-side encryption with Amazon S3-managed keys

B. Use server-side encryption with AWS KMS-managed keys

C. Use client-side encryption with customer master keys

D. Use server-side encryption with customer-provided keys

Answer

A

D. Use server-side encryption with customer-provided keys

Question 29

Q

A development team is working on a mobile app that allows users to upload pictures to Amazon S3. The team expects the app will be used by hundreds of thousands of users during a single event simultaneously. Once the pictures are uploaded, the backend service will scan and parse the pictures for inappropriate content.

Which approach is the MOST resilient way to achieve this goal, which also smooths out temporary volume spikes for the backend service?

A. Develop an AWS Lambda function to check the upload folder in the S3 bucket. If new uploaded pictures are detected, the Lambda function will scan and parse them.

B. Once a picture is uploaded to Amazon S3, publish the event to an Amazon SQS queue. Use the queue as an event source to trigger an AWS Lambda function. In the Lambda function, scan and parse the picture.

C. When the user uploads a picture, invoke an API hosted in Amazon API Gateway. The API will invoke an AWS Lambda function to scan and parse the picture.

D. Create a state machine in AWS Step Functions to check the upload folder in the S3 bucket. If a new picture is detected, invoke an AWS Lambda function to scan and parse it.

Answer

A

B. Once a picture is uploaded to Amazon S3, publish the event to an Amazon SQS queue. Use the queue as an event source to trigger an AWS Lambda function. In the Lambda function, scan and parse the picture.

Question 30

Q

A development team wants to run their container workloads on Amazon ECS. Each application container needs to share data with another container to collect logs and metrics.

What should the developer team do to meet these requirements?

A. Create two pod specifications. Make one to include the application container and the other to include the other container. Link the two pods together.

B. Create two task de finitions. Make one to include the application container and the other to include the other container. Mount a shared volume between the two tasks.

C. Create one task de finition. Specify both containers in the de finition. Mount a shared volume between those two containers.

D. Create a single pod speci fication. Include both containers in the specifi cation. Mount a persistent volume to both containers.

Answer

A

B. Create two task de finitions. Make one to include the application container and the other to include the other container. Mount a shared volume between the two tasks.

Question 31

Q

A company has 25,000 employees and is growing. The company is creating an application that will be accessible to its employees only. A developer is using
Amazon S3 to store images and Amazon RDS to store application data. The company requires that all employee information remain in the legacy Security
Assertion Markup Language (SAML) employee directory only and is not interested in mirroring any employee information on AWS.

How can the developer provide authorized access for the employees who will be using this application so each employee can access their own application data only?

A. Use Amazon VPC and keep all resources inside the VPC, and use a VPC link for the S3 bucket with the bucket policy.

B. Use Amazon Cognito user pools, federate with the SAML provider, and use user pool groups with an IAM policy.

C. Use an Amazon Cognito identity pool, federate with the SAML provider, and use an IAM condition key with a value for the cognito- identity.amazonaws.com:sub variable to grant access to the employees.

D. Create a unique IAM role for each employee and have each employee assume the role to access the application so they can access their personal data only.

Answer

A

C. Use an Amazon Cognito identity pool, federate with the SAML provider, and use an IAM condition key with a value for the cognito- identity.amazonaws.com:sub variable to grant access to the employees.

Question 32

Q

A company has developed a new serverless application using AWS Lambda functions that will be deployed using the AWS Serverless Application Model (AWS
SAM) CLI.

Which step should the developer complete prior to deploying the application?

A. Compress the application to a .zip le and upload it into AWS Lambda

B. Test the new AWS Lambda function by first tracing it in AWS X-Ray

C. Bundle the serverless application using a SAM package

D. Create the application environment using the eb create my-env command

Answer

A

C. Bundle the serverless application using a SAM package

Question 33

Q

A company stores all personally identi fiable information (PII) in an Amazon DynamoDB table named PII in Account A. An application running on Amazon EC2 instances in Account B requires access to the PII table. An administrator in Account A created an IAM role named AccessPII with privileges to access the PII table, and made Account B a trusted entity.

Which combination of additional steps should developers take to access the table? (Choose two.)

A. Ask an administrator in Account B to allow the EC2 IAM role permission to assume the AccessPII role.

B. Ask an administrator in Account B to allow the EC2 IAM role permission to assume the AccessPII role with predefi ned service control policies.

C. Ask an administrator in Account A to allow the EC2 IAM role permission to assume the AccessPII role with prede fined service control policies.

D. Include the AssumeRole API in the application code logic to obtain credentials to access the PII table.

E. Include the GetSessionToken API in the application code logic to obtain credentials to access the PII table.

Answer

A

B. Ask an administrator in Account B to allow the EC2 IAM role permission to assume the AccessPII role with predefi ned service control policies.

D. Include the AssumeRole API in the application code logic to obtain credentials to access the PII table.

Question 34

Q

A developer is creating an AWS Lambda function that generates a new fi le each time it runs. Each new file must be checked into an AWS CodeCommit repository hosted in the same AWS account.

How should the developer accomplish this?

A. When the Lambda function starts, use the Git CLI to clone the repository. Check the new fi le into the cloned repository and push the change.

B. After the new fi le is created in Lambda, use cURL to invoke the CodeCommit API. Send the file to the repository.

C. Use an AWS SDK to instantiate a CodeCommit client. Invoke the put_ file method to add the file to the repository.

D. Upload the new to an Amazon S3 bucket. Create an AWS Step Function to accept S3 events. In the Step Function, add the new file to the repository.

Answer

A

C. Use an AWS SDK to instantiate a CodeCommit client. Invoke the put_ file method to add the file to the repository.

Question 35

Q

A developer must ensure that the IAM credentials used by an application in Amazon EC2 are not misused or compromised.

What should the developer use to keep user credentials secure?

A. Environment variables
B. AWS credentials file
C. Instance profi le credentials
D. Command line options

Answer

A

C. Instance profi le credentials

Question 36

Q

A company has an application where reading objects from Amazon S3 is based on the type of user. The user types are registered user and guest user. The company has 25,000 users and is growing. Information is pulled from an S3 bucket depending on the user type.

Which approaches are recommended to provide access to both user types? (Choose two.)

A. Provide a different access key and secret access key in the application code for registered users and guest users to provide read access to the objects.

B. Use S3 bucket policies to restrict read access to specifi c IAM users.

C. Use Amazon Cognito to provide access using authenticated and unauthenticated roles.

D. Create a new IAM user for each user and grant read access.

E. Use the AWS IAM service and let the application assume the different roles using the AWS Security Token Service (AWS STS) AssumeRole action depending on the type of user and provide read access to Amazon S3 using the assumed role.

Answer

A

C. Use Amazon Cognito to provide access using authenticated and unauthenticated roles.

E. Use the AWS IAM service and let the application assume the different roles using the AWS Security Token Service (AWS STS) AssumeRole action depending on the type of user and provide read access to Amazon S3 using the assumed role.

Question 37

Q

A developer is testing an application that invokes an AWS Lambda function asynchronously. During the testing phase, the Lambda function fails to process after two retries.

How can the developer troubleshoot the failure?

A. Con figure AWS CloudTrail logging to investigate the invocation failures

B. Confi gure Dead Letter Queues by sending events to Amazon SQS for investigation

C. Con figure Amazon Simple Work ow Service to process any direct unprocessed events

D. Con figure AWS Con fig to process any direct unprocessed events

Answer

A

B. Confi gure Dead Letter Queues by sending events to Amazon SQS for investigation

Question 38

Q

A developer is setting up Amazon API Gateway for their company’s products. The API will be used by registered developers to query and update their environments. The company wants to limit the amount of requests end users can send for both cost and security reasons. Management wants to offer registered developers the option of buying larger packages that allow for more requests.

How can the developer accomplish this with the LEAST amount of overhead management?

A. Enable throttling for the API Gateway stage. Set a value for both the rate and burst capacity. If a registered user chooses a larger package, create a stage for them, adjust the values, and share the new URL with them.

B. Set up Amazon CloudWatch API logging in API Gateway. Create a filter based on the user and requestTime fields and create an alarm on this filter. Write an AWS Lambda function to analyze the values and requester information, and respond accordingly. Set up the function as the target for the alarm. If a registered user chooses a larger package, update the Lambda code with the values.

C. Enable Amazon CloudWatch metrics for the API Gateway stage. Set up CloudWatch alarms based off the Count metric and the ApiName, Method, Resource, and Stage dimensions to alerts when request rates pass the threshold. Set the alarm action to Deny. If a registered user chooses a larger package, create a user-speci fic alarm and adjust the values.

D. Set up a default usage plan, specify values for the rate and burst capacity, and associate it with a stage. If a registered user chooses a larger package, create a custom plan with the appropriate values and associate the plan with the user.

Answer

A

D. Set up a default usage plan, specify values for the rate and burst capacity, and associate it with a stage. If a registered user chooses a larger package, create a custom plan with the appropriate values and associate the plan with the user.

Question 39

Q

A developer is refactoring a monolithic application. The application takes a POST request and performs several operations. Some of the operations are in parallel while others run sequentially. These operations have been refactored into individual AWS Lambda functions. The POST request will be processed by Amazon API
Gateway.

How should the developer invoke the Lambda functions in the same sequence using API Gateway?

A. Use Amazon SQS to invoke the Lambda functions

B. Use an AWS Step Functions activity to run the Lambda functions

C. Use Amazon SNS to trigger the Lambda functions

D. Use an AWS Step Functions state machine to orchestrate the Lambda functions

Answer

A

D. Use an AWS Step Functions state machine to orchestrate the Lambda functions

Question 40

Q

A company is adding stored value (or gift card) capability to its highly popular casual gaming website. Users need to be able to trade this value for other users’ items on the platform. This would require both users’ records be updated as a single transaction, or both users’ records to be completely rolled back.

Which AWS database options can provide the transactional capability required for this new feature? (Choose two.)

A. Amazon DynamoDB with operations made with the ConsistentRead parameter set to true

B. Amazon ElastiCache for Memcached with operations made within a transaction block

C. Amazon Aurora MySQL with operations made within a transaction block

D. Amazon DynamoDB with reads and writes made using Transact* operations

E. Amazon Redshift with operations made within a transaction block.

Answer

A

C. Amazon Aurora MySQL with operations made within a transaction block

D. Amazon DynamoDB with reads and writes made using Transact* operations

Question 41

Q

A developer has created a REST API using Amazon API Gateway. The developer wants to log who and how each caller accesses the API. The developer also wants to control how long the logs are kept.

What should the developer do to meet these requirements?

A. Enable API Gateway execution logging. Delete old logs using API Gateway retention settings.

B. Enable API Gateway access logs. Use Amazon CloudWatch retention settings to delete old logs.

C. Enable detailed Amazon CloudWatch metrics. Delete old logs with a recurring AWS Lambda function.

D. Create and use API Gateway usage plans. Delete old logs with a recurring AWS Lambda function.

Answer

A

B. Enable API Gateway access logs. Use Amazon CloudWatch retention settings to delete old logs.

Question 42

Q

A company is developing a new web application in Python. A developer must deploy the application using AWS Elastic Beanstalk from the AWS Management
Console. The developer creates an Elastic Beanstalk source bundle to upload using the console.

Which of the following are requirements when creating the source bundle? (Choose two.)

A. The source bundle must include the ebextensions.yaml file

B. The source bundle must not include a top-level directory

C. The source bundle must be compressed with any required dependencies in a top-level parent folder

D. The source bundle must be created as a single .zip or .war fi le

E. The source bundle must be uploaded into Amazon EFS

Answer

A

B. The source bundle must not include a top-level directory

D. The source bundle must be created as a single .zip or .war fi le

Question 43

Q

A developer is creating a role to access Amazon S3 buckets. To create the role, the developer uses the AWS CLI create-role command.

Which policy should be added to allow the Amazon EC2 service to assume the role?

A. Managed policy
B. Trust policy
C. Inline policy
D. Service control policy (SCP)

Answer

A

B. Trust policy

Question 44

Q

A company is running a custom application on a set of on-premises Linux servers that are accessed using Amazon API Gateway AWS X-Ray tracing has been enabled on the API test stage.

How can a developer enable X-Ray tracing on the on-premises servers with the LEAST amount of con figuration?

A. Install and run the X-Ray SDK on the on-premises servers to capture and relay the data to the X-Ray service.

B. Install and run the X-Ray daemon on the on-premises servers to capture and relay the data to the X-Ray service.

C. Capture incoming requests on-premises and con figure an AWS Lambda function to pull, process, and relay relevant data to X-Ray using the PutTraceSegments API call.

D. Capture incoming requests on-premises and con figure an AWS Lambda function to pull, process, and relay relevant data to X-Ray using the PutTelemetryRecords API call.

Answer

A

B. Install and run the X-Ray daemon on the on-premises servers to capture and relay the data to the X-Ray service.

Question 45

Q

A developer works in an environment with multiple AWS accounts that have AWS Lambda functions processing the same 100 KB payloads. The developer wants to centralize the point of origin of the payloads to one account and have all the Lambda functions be invoked whenever the initiating event occurs in the parent account.

How can the developer design the work ow in the MOST e fficient way, so all the multi-account Lambda functions get invoked when the event occurs?

A. Create a Lambda function in the parent account and use cross-account IAM roles with the AWS Security Token Service (AWS STS) AssumeRole API call to make AWS Lambda invoke the API call to invoke all the cross-account Lambda functions.

B. Subscribe all the multi-account Lambda functions to an Amazon SNS topic and make a SNS Publish API call with the payload to the SNS topic.

C. Set up an Amazon SQS queue with the queue policy permitting the ReceiveMessage action for multi-account Lambda functions. Then send the payload to the SQS queue using the sqs:SendMessage permission and poll the queue using multi-account Lambda functions.

D. Use a worker on an Amazon EC2 instance to poll for the payload event. Invoke all Lambda functions using the Lambda Invoke API after using cross-account IAM roles with the AWS Security Token Service (AWS STS) AssumeRole API call.

Answer

A

B. Subscribe all the multi-account Lambda functions to an Amazon SNS topic and make a SNS Publish API call with the payload to the SNS topic.

Question 46

Q

A large company has its application components distributed across multiple AWS accounts. The company needs to collect and visualize trace data across these accounts.

What should be used to meet these requirements?

A. AWS X-Ray
B. Amazon CloudWatch
C. Amazon VPC flow logs
D. Amazon Elasticsearch Service

Answer

A

A. AWS X-Ray

Question 47

Q

A development team uses AWS Elastic Beanstalk to deploy a Java-based web application. The team wants to ensure that the changes to the source code and the con figuration are always deployed on new instances. The team con figures the Elastic Beanstalk environment to use immutable updates. However, an error occurs the fi rst time a change is deployed with the new update policy.

What is the MOST likely cause of this issue?

A. Immutable updates are not supported for Java-based applications.

B. The account has reached its on-demand instance limit.

C. Immutable updates are only supported for m4.large and larger instance types.

D. The developer must also modify the .ebextensions/immutable-updates.confi g file to enable immutable updates.

Answer

A

B. The account has reached its on-demand instance limit.

Question 48

Q

A developer tested an application locally and then deployed it to AWS Lambda. While testing the application remotely, the Lambda function fails with an access denied message.

How can this issue be addressed?

A. Update the Lambda function’s execution role to include the missing permissions.

B. Update the Lambda function’s resource policy to include the missing permissions.

C. Include an IAM policy document at the root of the deployment package and redeploy the Lambda function.

D. Redeploy the Lambda function using an account with access to the AdministratorAccess policy.

Answer

A

A. Update the Lambda function’s execution role to include the missing permissions.

Question 49

Q

An application contains two components: one component to handle HTTP requests, and another component to handle background processing tasks. Each component must scale independently. The developer wants to deploy this application using AWS Elastic Beanstalk.

How should this application be deployed, based on these requirements?

A. Deploy the application in a single Elastic Beanstalk environment.

B. Deploy each component in a separate Elastic Beanstalk environment.

C. Use multiple Elastic Beanstalk environments for the HTTP component, but one environment for the background task component.

D. Use multiple Elastic Beanstalk environments for the background task component, but one environment for the HTTP component.

Answer

A

C. Use multiple Elastic Beanstalk environments for the HTTP component, but one environment for the background task component.

Question 50

Q

A company experienced partial downtime during the last deployment of a new application. AWS Elastic Beanstalk split the environment’s Amazon EC2 instances into batches and deployed a new version one batch at a time after taking them out of service. Therefore, full capacity was not maintained during deployment.
The developer plans to release a new version of the application, and is looking for a policy that will maintain full capacity and minimize the impact of the failed deployment.

Which deployment policy should the developer use?

A. Immutable
B. All at Once
C. Rolling
D. Rolling with an Additional Batch

Answer

A

A. Immutable

Question 51

Q

An application running on multiple Amazon EC2 instances pulls messages from a standard Amazon SQS queue. A requirement for the application is that all messages must be encrypted at rest.
Developers are instructed to use methods that allow for centralized key management and minimize possible support requirements whenever possible.

Which of the following solutions supports these requirements?

A. Encrypt individual messages by using client-side encryption with customer managed keys, then write to the SQS queue.

B. Encrypt individual messages by using SQS Extended Client and the Amazon S3 encryption client.

C. Create an SQS queue, and encrypt the queue by using sewer-side encryption with AWS KMS.

D. Create an SQS queue, and encrypt the queue by using client-side encryption.

Answer

A

C. Create an SQS queue, and encrypt the queue by using sewer-side encryption with AWS KMS.

Question 52

Q

A company is developing a serverless ecommerce web application. The application needs to make coordinated, all-or-nothing changes to multiple items in the company’s inventory table in Amazon DynamoDB.

Which solution will meet these requirements?

A. Enable transactions for the DynamoDB table. Use the BatchWriteItem operation to update the items.

B. Use the TransactWriteItems operation to group the changes. Update the items in the table.

C. Set up a FIFO queue using Amazon SQS. Group the changes in the queue. Update the table based on the grouped changes.

D. Create a transaction table in an Amazon Aurora DB cluster to manage the transactions. Write a backend process to sync the Aurora DB table and the DynamoDB table.

Answer

A

B. Use the TransactWriteItems operation to group the changes. Update the items in the table.

Question 53

Q

How can a developer use a debugger for AWS Lambda code that is deployed with AWS Serverless Application Model (AWS SAM)?

A. Download the Lambda code locally and use the AWS CLI to execute it

B. Use the Lambda console to connect the debugger

C. Use AWS SAM to invoke a function locally in debug mode

D. Connect a third-party-compatible integrated development environment (IDE) to the Lambda debugger endpoint

Answer

A

C. Use AWS SAM to invoke a function locally in debug mode

Question 54

Q

An application takes longer than expected to process an Amazon SQS message.
What should the developer do to the application so that other instances do not pick up the same message?

A. Make a ReceiveMessage call to get the same message again from the queue

B. Issue a DeleteMessage call to delete the message from the queue

C. Use SendMessage to pass the message to the dead letter queue

D. Send a ChangeMessageVisibility call to extend VisibilityTimeout

Answer

A

D. Send a ChangeMessageVisibility call to extend VisibilityTimeout

Question 55

Q

A developer is building a WebSocket API using Amazon API Gateway. The payload sent to this API is JSON that includes an action key. This key can have three different values: create, update, and remove. The developer must integrate with different routes based on the value of the action key of the incoming JSON payload.

How can the developer accomplish this task with the LEAST amount of con figuration?

A. Deploy the WebSocket API to three stages for the respective routes: create, update, and remove

B. Create a new route key and set the name as action

C. Set the value of the route selection expression to action

D. Set the value of the route selection expression to $request.body.action

Answer

A

D. Set the value of the route selection expression to $request.body.action

Question 56

Q

A development team is creating a new application designed to run on AWS. While the test and production environments will run on Amazon EC2 instances, developers will each run their own environment on their laptops.

Which of the following is the simplest and MOST secure way to access AWS services from the local development machines?

A. Use an IAM role to assume a role and execute API calls using the role.

B. Create an IAM user to be shared with the entire development team; provide the development team with the access key.

C. Create an IAM user for each developer on the team; provide each developer with a unique access key.

D. Set up a federation through an Amazon Cognito user pool.

Answer

A

C. Create an IAM user for each developer on the team; provide each developer with a unique access key.

Question 57

Q

A developer wants to ensure the Amazon EC2 instances in AWS Elastic Beanstalk execute a certain set of commands before the application is ready to use.

Which Elastic Beanstalk feature will allow the developer to accomplish this?

A. Rolling update
B. Immutable update
C. User data
D. .ebextensions

Answer

A

D. .ebextensions

Question 58

Q

A developer is planning to use an Amazon API Gateway and AWS Lambda to provide a REST API. The developer will have three distinct environments to manage: development, test, and production.

How should the application be deployed while minimizing the number of resources to manage?

A. Create a separate API Gateway and separate Lambda function for each environment in the same Region.

B. Assign a Region for each environment and deploy API Gateway and Lambda to each Region.

C. Create one API Gateway with multiple stages with one Lambda function with multiple aliases.

D. Create one API Gateway and one Lambda function, and use a REST parameter to identify the environment.

Answer

A

C. Create one API Gateway with multiple stages with one Lambda function with multiple aliases.

Question 59

Q

A developer is creating an application to process a large number of requests. Requests must be processed in order, and each request should be processed only once.

How should Amazon SQS be deployed to achieve this?

A. Con figure First in First out (FIFO) delivery in a standard Amazon SQS queue to process requests.

B. Use an SQS FIFO queue to process requests.

C. Use the SetOrder attribute to ensure sequential request processing.

D. Convert the standard queue to a FIFO queue by renaming the queue to use the . fifo su ffix.

Answer

A

B. Use an SQS FIFO queue to process requests.

Question 60

Q

An application is using a custom library to make HTTP calls directly to AWS service endpoints. The application is experiencing transient errors that are causing processes to stop when each error is first encountered. A request has been made to make the application more resilient by adding error retries and exponential backoff.

How should a developer implement the changes with MINIMAL custom code?

A. Add a Retry-After HTTP header to API requests

B. Use the AWS CLI to confi gure the retry settings in a named pro file

C. Change the custom library to retry on 5xx errors only

D. Use an AWS SDK and set retry-speci fic con figurations

Answer

A

D. Use an AWS SDK and set retry-speci fic con figurations

Question 61

Q

https://www.examtopics.com/assets/media/exam-media/03756/0016900001.png

Which techniques will help mitigate this exception? (Choose two.)

A. Implement retries with exponential backoff

B. Use a PutRecord API instead of PutRecords

C. Reduce the frequency and/or size of the requests

D. Use Amazon SNS instead of Kinesis

E. Reduce the number of KCL consumers

Answer

A

A. Implement retries with exponential backoff

C. Reduce the frequency and/or size of the requests

Question 62

Q

A developer is building an application integrating an Amazon API Gateway with an AWS Lambda function. When calling the API, the developer receives the following error:
Wed Nov 08 01:13:00 UTC 2017 : Method completed with status: 502

What should the developer do to resolve the error?

A. Change the HTTP endpoint of the API to an HTTPS endpoint

B. Change the format of the payload sent to the API Gateway

C. Change the format of the Lambda function response to the API call

D. Change the authorization header in the API call to access the Lambda function

Answer

A

C. Change the format of the Lambda function response to the API call

Question 63

Q

How does Envelope Encryption work in AWS KMS?

A. The Customer Master Key is used to encrypt/decrypt a data key. The Plaintext Data Key is used to encrypt customer data.

B. Two encryption keys are used. The Customer Master Key encrypts customer data. The Data Key is used to re-encrypt the encrypted data.

C. Two encryption keys are used. The Data Key encrypts customer data. The Customer Master Key is used to re-encrypt the encrypted data.

D. The Customer Master Key is used to encrypt/decrypt a data key. The Encrypted Data Key is used to encrypt customer data.

Answer

A

A. The Customer Master Key is used to encrypt/decrypt a data key. The Plaintext Data Key is used to encrypt customer data.

Question 64

Q

A developer must build a mobile application that allows users to read and write data from an Amazon DynamoDB table to store user state for each unique user.
The solution needs to limit data access to allow users access only to their own data.

Which solution below is the most secure?

A. Embed AWS access credentials into the application and create DynamoDB queries that limit user access.

B. Use Amazon Cognito identity pools to assign unique identi fiers and provide user access.

C. Modify the DynamoDB table to allow public read and writes, then add client-side filtering.

D. Create a web portal for users to create an account on AWS Directory Service.

Answer

A

B. Use Amazon Cognito identity pools to assign unique identi fiers and provide user access.

Answer 65

A

D. Update the attached IAM role adding the needed permissions.

Answer 66

A

C. Create an IAM role, con figure read and write access for the DynamoDB table, and attach to the EC2 instances.

Answer 67

A

A. Create two SQS queues; one for paying members, and one for non-paying members. Poll the paying member queue first and then poll the non-paying member queue.

Answer 68

A

A. Confi gure a high-resolution CloudWatch alarm.

Answer 69

A

A. Use an Amazon X-Ray agent with role assumption to publish data into the centralized account.

Answer 70

A

C. Use Amazon Cognito to con figure a user pool, and user the Cognito API to authenticate and authorize the user.

Answer 71

A

B. Instrument each microservice request using the AWS X-Ray SDK. Examine the sub-segments associated with the requests.

Answer 72

A

B. Implement an Amazon SQS queue to decouple the front-end and backend servers.

E. Modify the backend servers to pull from an Amazon SQS queue.

Answer 73

A

A. Con figure AWS credentials in the application server with an AWS SDK

Answer 74

A

D. The IAM user needs an associated policy with read access to demoman-table.

Answer 75

A

D. Use the canary release deployment option in API Gateway. Direct a percentage of the API tra ffic using the canarySettings setting.

Answer 76

A

A. Create 20 or more prefi xes in Amazon S3. Place fi les by prefi xes. Read in parallel by prefi xes.

Answer 77

A

C. Assume the new role in the Lambda function when accessing the table.

Answer 78

A

B. Use Amazon Cognito identity pools with a SAML identity provider as one of the authentication providers.

Answer 79

A

C. Instrument application code using the AWS SDK.

D. Install the X-Ray agent on the application servers.

Answer 80

A

A. Grant the CloudFormation execution role S3 list and get permissions. Add a bucket policy to Amazon S3 with the Principal of AWS: [account numbers]

Answer 81

A

D. The S3 event is discarded after the event is retried twice.

Answer 82

A

C. Improve latency and throughput for read-heavy application workloads.

E. Improve performance of compute-intensive applications.

Answer 83

A

B. Install the Amazon CloudWatch agent on the instance to send the logs to CloudWatch. Delete the logs from the instance once they are sent to CloudWatch.

Answer 84

A

C. Create aliases and versions in AWS Lambda.

Answer 85

A

D. Use an Amazon S3 backed Amazon CloudFront distribution with a high Time-to-Live (TTL) to maximize caching.

Answer 86

A

B. In the Amazon EC2 Systems Manager Parameter Store; grant the application access with IAM

Answer 87

A

C. Authenticate and get a token from an Amazon Cognito user pool. Exchange the token for AWS credentials with an Amazon Cognito identity pool. Use the credentials to access DynamoDB.

Brainscape's Knowledge GenomeTM

DECK 4 Flashcards

Brainscape's Knowledge Genome^TM