Incorrect From Test Flashcards

Question

A company runs an e-commerce website that uses Amazon DynamoDB where pricing for items is dynamically updated in real time. At any given time, multiple updates may occur simultaneously for pricing information on a particular product. This is causing the original editor’s changes to be overwritten without a proper review process. Which DynamoDB write option should be selected to prevent this overwriting? ``` Conditional writes Concurrent writes Batch writes Atomic writes ```

Answer 1

Conditional writes A conditional write succeeds only if the item attributes meet one or more expected conditions. Otherwise, it returns an error. Conditional writes are helpful in many situations. For example, you might want a PutItem operation to succeed only if there is not already an item with the same primary key. Or you could prevent an UpdateItem operation from modifying an item if one of its attributes has a certain value.

Answer 2

CORRECT: "Create a mapping template" is the correct answer. Mapping template overrides provides you with the flexibility to perform many-to-one parameter mappings; override parameters after standard API Gateway mappings

Answer 3

CORRECT: "Create a role with the required permissions in the Production and Testing accounts and have the Developer assume that role" is the correct answer.

Answer 4

Enable public access and grant everyone the s3:GetObject permissions Upload an index document and enter the name of the index document when enabling static website hosting INCORRECT: "Upload an index and error document and enter the name of the index and error documents when enabling static website hosting" is incorrect as the error document is optional and the question specifically asks for the steps that MUST be completed.

Answer 5

Origin response" is the correct answer.

Answer 6

Create a resource group In AWS, a resource is an entity that you can work with. Examples include an Amazon EC2 instance, an AWS CloudFormation stack, or an Amazon S3 bucket. If you work with multiple resources, you might find it useful to manage them as a group rather than move from one AWS service to another for each task.

Answer 7

AWS CodePipeline INCORRECT: "AWS CodeBuild" is incorrect as CodeBuild is used for compiling code, running unit tests and creating the deployment package. It does not manage the deployment of the code.

Answer 8

| Cluster Query Language

Answer 9

Enable Amazon DynamoDB streams on the “orders” table, configure the “customers” microservice to read records from the stream

Answer 10

Encrypt the data directly with a customer managed customer master key

Answer 11

Create a Docker image that runs the X-Ray daemon, upload it to a Docker image repository, and then deploy it to the Amazon ECS cluster.

Answer 12

Create an event notification for all s3:ObjectCreated:* API calls INCORRECT: "Create an event notification for all s3:ObjectCreated:Put API calls" is incorrect as this will not capture all new object creation events (e.g. POST or COPY). The wildcard should be used instead.

Answer 13

| Create an ECS Service with Auto Scaling and attach an Elastic Load Balancer

Answer 14

CORRECT: "Store the files in the /tmp directory and delete the files when the execution completes" is the correct answer. The /tmp directory can be used for storing temporary files within the execution context. This can be used for storing static assets that can be used by subsequent invocations of the function. If the assets must be deleted before the function is invoked again the function code should take care of deleting them.

Answer 15

The AppSpec file INCORRECT: "The BuildSpec file" is incorrect as this is a file type that is used with AWS CodeBuild.

Answer 16

Enable cross-origin resource sharing (CORS) for the method in API Gateway INCORRECT: "Enable cross-origin resource sharing (CORS) on the S3 bucket" is incorrect as CORS must be enabled on the requested endpoint which is API Gateway, not S3.

Answer 17

Create four distinct IAM roles, each containing the required permissions for the associated ECS services, then configure each ECS task definition to reference the associated IAM role INCORRECT: "Create four distinct IAM roles, each containing the required permissions for the associated ECS services, then configure each ECS service to reference the associated IAM role" is incorrect as the reference should be made within the task definition.

Answer 18

Configure a Dead Letter Queue (DLQ) You can configure a dead letter queue (DLQ) on AWS Lambda to give you more control over message handling for all asynchronous invocations, including those delivered via AWS events (S3, SNS, IoT, etc.).

Answer 19

| Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3)

Answer 20

CORRECT: "Enable API Gateway execution logging" is a correct answer. CORRECT: "Enable API Gateway access logs" is also a correct answer. There are two types of API logging in CloudWatch: execution logging and access logging. In execution logging, API Gateway manages the CloudWatch Logs. The process includes creating log groups and log streams, and reporting to the log streams any caller's requests and responses.

Answer 21

"Use the DynamoDB Encryption Client to enable end-to-end protection using client-side encryption" is the correct answer. In addition to encryption at rest, which is a server-side encryption feature, AWS provides the Amazon DynamoDB Encryption Client. This client-side encryption library enables you to protect your table data before submitting it to DynamoDB.

Answer 22

"Set ConsistentRead to true when calling GetItem" is the correct answer. When you request a strongly consistent read, DynamoDB returns a response with the most up-to-date data, reflecting the updates from all prior write operations that were successful. The GetItem operation returns a set of attributes for the item with the given primary key. If there is no matching item, GetItem does not return any data and there will be no Item element in the response. GetItem provides an eventually consistent read by default. If your application requires a strongly consistent read, set ConsistentRead to true. Although a strongly consistent read might take more time than an eventually consistent read, it always returns the last updated value.

Answer 23

“Contact AWS Support to increase the concurrent execution limits” is the correct answer. The average execution time is 100 seconds and 50 requests are received per second. This means the concurrency requirement is 100 x 50 = 5,000. As 5,000 is well above the default allowed concurrency of 1,000 executions a second. Therefore, the Developer will need to contact AWS Support to increase the concurrent execution limits.

Answer 24

"Create a custom Amazon CloudWatch metric for concurrent users" is the correct answer. You can create a custom CloudWatch metric for your EC2 Linux instance statistics by creating a script through the AWS Command Line Interface (AWS CLI). Then, you can monitor that metric by pushing it to CloudWatch. In this scenario you could then monitor the number of users currently logged in.

Answer 25

"Modify the application to issue query API calls with eventual consistency reads" is the correct answer. In general, Scan operations are less efficient than other operations in DynamoDB. A Scan operation always scans the entire table or secondary index. It then filters out values to provide the result you want, essentially adding the extra step of removing data from the result set. If possible, you should avoid using a Scan operation on a large table or index with a filter that removes many results. Also, as a table or index grows, the Scan operation slows. The Scan operation examines every item for the requested values and can use up the provisioned throughput for a large table or index in a single operation. For faster response times, design your tables and indexes so that your applications can use Query instead of Scan. (For tables, you can also consider using the GetItem and BatchGetItem APIs.) Additionally, eventual consistency consumes fewer RCUs than strong consistency. Therefore, the application should be refactored to use query APIs with eventual consistency.

Answer 26

"Set the value of the route selection expression to $request.body.action" is the correct answer. In your WebSocket API, incoming JSON messages are directed to backend integrations based on routes that you configure. (Non-JSON messages are directed to a $default route that you configure.)

Answer 27

Encrypt the data directly with a customer managed customer master key INCORRECT: "Encrypt the data directly with an AWS managed customer master key" is incorrect as the network-attached file system is proprietary and therefore will not be supported by AWS managed CMKs.

Answer 28

CORRECT: "Immutable" is the correct answer. INCORRECT: "Rolling with Additional Batch" is incorrect because it requires manual redeployment in the case of failure.

Answer 29

CORRECT: "Server-side encryption with customer-provided encryption keys (SSE-C)" is the correct answer. Server-side encryption is about protecting data at rest. Server-side encryption encrypts only the object data, not object metadata. Using server-side encryption with customer-provided encryption keys (SSE-C) allows you to set your own encryption keys. With the encryption key you provide as part of your request, Amazon S3 manages the encryption as it writes to disks and decryption when you access your objects. Therefore, you don't need to maintain any code to perform data encryption and decryption. The only thing you do is manage the encryption keys you provide.

Answer 30

CORRECT: "Create an alias that points to both the new and previous versions of the function code and assign a weighting for sending a portion of traffic to the new version" You can create one or more aliases for your AWS Lambda function. A Lambda alias is like a pointer to a specific Lambda function version. Users can access the function version using the alias ARN. You can point an alias a multiple versions of your function code and then assign a weighting to direct certain amounts of traffic to each version. This enables a blue/green style of deployment and means it’s easy to roll back to the older version by simply updating the weighting if issues occur.

Answer 31

Amazon Simple Queue Service (SQS) Amazon Kinesis Amazon DynamoDB An event source mapping is an AWS Lambda resource that reads from an event source and invokes a Lambda function. You can use event source mappings to process items from a stream or queue in services that don't invoke Lambda functions directly. Lambda provides event source mappings for the following services.

Answer 32

CORRECT: "Create an IAM role with the PutMetricData permission and create a new Auto Scaling launch configuration to launch instances using that role" is the correct answer INCORRECT: "Create an IAM role with the PutMetricData permission and modify the Amazon EC2 instances to use that role" is incorrect as you should create a new launch configuration for the Auto Scaling group rather than updating the instances manually.

Answer 33

CORRECT: "Amazon Cognito user pools and identity pools" is the correct answer. INCORRECT: "Amazon Cognito identity pools and AWS IAM" is incorrect as a Cognito user pool should be used as the directory source for creating and managing users. IAM is used for accounts that are used to administer AWS services, not for application user access. The first requirement is provided by an Amazon Cognito User Pool. With a Cognito user pool you can add sign-up and sign-in to mobile and web apps and it also offers a user directory so user accounts can be created directly within the user pool. Users also have the ability to reset their passwords. To access AWS services you need a Cognito Identity Pool. An identity pool can be used with a user pool and enables a user to obtain temporary limited-privilege credentials to access AWS services.

Answer 34

CORRECT: "By using the GetTraceSummaries API with a filter expression" is the correct answer. A subset of segment fields are indexed by X-Ray for use with filter expressions. For example, if you set the user field on a segment to a unique identifier, you can search for segments associated with specific users in the X-Ray console or by using the GetTraceSummaries API.

Answer 35

CORRECT: "Configure the Origin Protocol Policy" is a correct answer. CORRECT: "Configure the Viewer Protocol Policy" is also a correct answer. To enable SSL between the origin and the distribution the Developer can configure the Origin Protocol Policy. Depending on the domain name used (CloudFront default or custom), the steps are different. To enable SSL between the end-user and CloudFront the Viewer Protocol Policy should be configured.

Answer 36

A namespace is a container for CloudWatch metrics. Metrics in different namespaces are isolated from each other, so that metrics from different applications are not mistakenly aggregated into the same statistics. Therefore, the Developer should create a custom namespace with a unique metric name for each application. This namespace will then allow the metrics for each individual application to be shown in a single view through CloudWatch. CORRECT: "Create a custom namespace with a unique metric name for each application" is the correct answer. INCORRECT: "Create a custom dimension with a unique metric name for each application" is incorrect as a dimension further clarifies what a metric is and what data it stores.

Answer 37

Any delete operation will consume RCUs to scan/query the table and WCUs to delete the items. It will be much cheaper and simpler to just delete the table and recreate it again ahead of the next batch job. This can easily be automated through the API. INCORRECT: "Issue an AWS CLI aws dynamodb delete-item command with a wildcard" is incorrect as this operation deletes data from a table one item at a time, which is highly inefficient. You also must specify the item's primary key values; you cannot use a wildcard.

Answer 38

CORRECT: "Run the aws cloudformation package command to upload the source code to an Amazon S3 bucket and produce a modified CloudFormation template" is the correct answer. INCORRECT: "Run the aws serverless create-package command to embed the source file directly into the existing CloudFormation template" is incorrect as the Developer has the choice to run either “aws cloudformation package” or “sam package”, but not “aws serverless create-package”.

Answer 39

Run the aws iam create-instance-profile command Run the aws iam add-role-to-instance-profile command Run the aws ec2 associate-instance-profile command To add a role to an Amazon EC2 instance using the AWS CLI you must first create an instance profile. Then you need to add the role to the instance profile and finally assign the instance profile to the Amazon EC2 instance.

Answer 40

CORRECT: "Enable default encryption when creating the bucket" is the correct answer.

Answer 41

CORRECT: "Enable a DynamoDB stream and trigger the Lambda function synchronously from the stream" is the correct answer. INCORRECT: "Enable a DynamoDB stream and trigger the Lambda function asynchronously from the stream" is incorrect as the invocation should be synchronous. Immediately after an item in the table is modified, a new record appears in the table's stream. AWS Lambda polls the stream and invokes your Lambda function synchronously when it detects new stream records.

Answer 42

CORRECT: "200 Read Capacity Units" is the correct answer. To determine the number of RCUs required to handle 100 strongly consistent reads per/second with an average item size of 5KB, perform the following steps: 1. Determine the average item size by rounding up the next multiple of 4KB (5KB rounds up to 8KB). 2. Determine the RCU per item by dividing the item size by 4KB (8KB/4KB = 2). 3. Multiply the value from step 2 with the number of reads required per second (2x100 = 200).

Answer 43

CORRECT: "Implement an AWS Lambda authorizer that references the DynamoDB authentication table" is the correct answer. There are two types of Lambda authorizers: * A token-based Lambda authorizer (also called a TOKEN authorizer) receives the caller's identity in a bearer token, such as a JSON Web Token (JWT) or an OAuth token. * A request parameter-based Lambda authorizer (also called a REQUEST authorizer) receives the caller's identity in a combination of headers, query string parameters, stageVariables, and $context variables.

Answer 44

CORRECT: "Store a secret in AWS Secrets Manager and enable automatic rotation every 30 days" is the correct answer.

Answer 45

CORRECT: "Create an API Gateway Lambda authorizer" is the correct answer.

Answer 46

6 RCU and 7 WCU Read capacity unit (RCU): * Each API call to read data from your table is a read request. * Read requests can be strongly consistent, eventually consistent, or transactional. * For items up to 4 KB in size, one RCU can perform one strongly consistent read request per second. * Items larger than 4 KB require additional RCUs. * For items up to 4 KB in size, one RCU can perform two eventually consistent read requests per second. * Transactional read requests require two RCUs to perform one read per second for items up to 4 KB. * For example, a strongly consistent read of an 8 KB item would require two RCUs, an eventually consistent read of an 8 KB item would require one RCU, and a transactional read of an 8 KB item would require four RCUs. Write capacity unit (WCU): * Each API call to write data to your table is a write request. * For items up to 1 KB in size, one WCU can perform one standard write request per second. * Items larger than 1 KB require additional WCUs. * Transactional write requests require two WCUs to perform one write per second for items up to 1 KB. * For example, a standard write request of a 1 KB item would require one WCU, a standard write request of a 3 KB item would require three WCUs, and a transactional write request of a 3 KB item would require six WCUs.

Answer 47

Encrypt the secret values client-side using encryption helpers • Encryption helpers – The Lambda console lets you encrypt environment variable values client side, before sending them to Lambda. This enhances security further by preventing secrets from being displayed unencrypted in the Lambda console, or in function configuration that's returned by the Lambda API. The console also provides sample code that you can adapt to decrypt the values in your function handler.

Answer 48

Use Amazon Cognito to associate unauthenticated users with an IAM role that has limited access to resources

Answer 49

Create standalone policies instead of using inline policies Use groups to assign permissions to users Explanation AWS provide a number of best practices for AWS IAM that help you to secure your resources. The key best practices referenced in this scenario are as follows: * Use groups to assign permissions to users – this is correct as you should create permissions policies and assign them to groups. Users can be added to the groups to get the permissions they need to perform their jobs. * Create standalone policies instead of using inline policies (Use Customer Managed Policies Instead of Inline Policies in the AWS best practices) – this refers to creating your own policies that are standalone policies which can be reused multiple times (assigned to multiple entities such as groups, and users). This is better than using inline policies which are directly attached to a single entity. INCORRECT: "Use user accounts to delegate permissions" is incorrect as you should use roles to delegate permissions.

Answer 50

Explanation If you use AWS SAM to create your serverless application, it comes built-in with CodeDeploy to provide gradual Lambda deployments. With just a few lines of configuration, AWS SAM does the following for you: * Deploys new versions of your Lambda function, and automatically creates aliases that point to the new version. * Gradually shifts customer traffic to the new version until you're satisfied that it's working as expected, or you roll back the update. * Defines pre-traffic and post-traffic test functions to verify that the newly deployed code is configured correctly and your application operates as expected. * Rolls back the deployment if CloudWatch alarms are triggered. There are several options for how CodeDeploy shifts traffic to the new Lambda version. You can choose from the following: * Canary: Traffic is shifted in two increments. You can choose from predefined canary options. The options specify the percentage of traffic that's shifted to your updated Lambda function version in the first increment, and the interval, in minutes, before the remaining traffic is shifted in the second increment. * Linear: Traffic is shifted in equal increments with an equal number of minutes between each increment. You can choose from predefined linear options that specify the percentage of traffic that's shifted in each increment and the number of minutes between each increment. All-at-once: All traffic is shifted from the original Lambda function to the updated Lambda function version at once. Therefore CodeDeployDefault.LambdaCanary10Percent5Minutes is the best answer as this will shift 10 percent of the traffic and then after 5 minutes shift the remainder of the traffic. The entire deployment will take 5 minutes to cut over.

Answer 51

A task placement constraint is a rule that is considered during task placement. Task placement constraints can be specified when either running a task or creating a new service. The task placement constraints can be updated for existing services as well. Amazon ECS supports the following types of task placement constraints: distinctInstance Place each task on a different container instance. This task placement constraint can be specified when either running a task or creating a new service. memberOf Place tasks on container instances that satisfy an expression. For more information about the expression syntax for constraints, see Cluster Query Language. The memberOf task placement constraint can be specified with the following actions: * Running a task * Creating a new service * Creating a new task definition * Creating a new revision of an existing task definition The example task placement constraint below uses the memberOf constraint to place tasks on instances in the databases task group. It can be specified with the following actions: CreateService, UpdateService, RegisterTaskDefinition, and RunTask. ``` "placementConstraints": [ { "expression": "task:group == databases", "type": "memberOf" } ] The Developer should therefore use task placement constraints as in the above example to control the placement of the database task. ``` INCORRECT: "Cluster Query Language" is incorrect. Cluster queries are expressions that enable you to group objects. For example, you can group container instances by attributes such as Availability Zone, instance type, or custom metadata.

Answer 52

Upload a ZIP file containing the function code to Amazon S3, then add a reference to it in an AWS::Lambda::Function resource in the template Create an AWS::Lambda::Function resource in the template, then write the code directly inside the CloudFormation template

Answer 53

# Define the containers in the Dockerrun.aws.json file in JSON format and save at the root of the source directory You can launch a cluster of multicontainer instances in a single-instance or autoscaling Elastic Beanstalk environment using the Elastic Beanstalk console. The single container and multicontainer Docker platforms for Elastic Beanstalk support the use of Docker images stored in a public or private online image repository. You specify images by name in the Dockerrun.aws.json file and save it in the root of your source directory.

Answer 54

CORRECT: "Create a COGNITO_USER_POOLS authorizer in API Gateway" is the correct answer. To use an Amazon Cognito user pool with your API, you must first create an authorizer of the COGNITO_USER_POOLS type and then configure an API method to use that authorizer. After the API is deployed, the client must first sign the user in to the user pool, obtain an identity or access token for the user, and then call the API method with one of the tokens, which are typically set to the request's Authorization header. The API call succeeds only if the required token is supplied and the supplied token is valid, otherwise, the client isn't authorized to make the call because the client did not have credentials that could be authorized.

Answer 55

The GenerateDataKey API is used with the AWS KMS services and generates a unique symmetric data key. This operation returns a plaintext copy of the data key and a copy that is encrypted under a customer master key (CMK) that you specify. You can use the plaintext key to encrypt your data outside of AWS KMS and store the encrypted data key with the encrypted data. For this scenario we can use GenerateDataKey to obtain an encryption key from KMS that we can then use within the function code to encrypt the file. This ensures that the file is encrypted BEFORE it is uploaded to Amazon S3. CORRECT: "Use the GenerateDataKey API, then use the data key to encrypt the file using the Lambda code" is the correct answer.

Answer 56

CORRECT: "Use a task placement constraint" is the correct answer. INCORRECT: "Use a task placement strategy" is incorrect as this is used to select instances for task placement using the binpack, random and spread algorithms.

Answer 57

CORRECT: "Use the AWS STS decode-authorization-message API to decode the message" is the correct answer. Explanation The AWS STS decode-authorization-message API decodes additional information about the authorization status of a request from an encoded message returned in response to an AWS request. The output is then decoded into a more human-readable output that can be viewed in a JSON editor. The following example is the decoded output from the error shown in the question: { "DecodedMessage": "{\"allowed\":false,\"explicitDeny\":false,\"matchedStatements\":{\"items\":[]},\"failures\":{\"items\":[]},\"context\":{\"principal\":{\"id\":\"AIDAXP4J2EKU7YXXG3EJ4\",\"name\":\"Paul\",\"arn\":\"arn:aws:iam::515148227241:user/Paul\"},\"action\":\"ec2:RunInstances\",\"resource\":\"arn:aws:ec2:ap-southeast-2:51514822724lu}]}}}"..... } Therefore, the best answer is to use the AWS STS decode-authorization-message API to decode the message.

Answer 58

Use the Principal element in a policy to specify the principal that is allowed or denied access to a resource. You cannot use the Principal element in an IAM identity-based policy. You can use it in the trust policies for IAM roles and in resource-based policies. Resource-based policies are policies that you embed directly in an IAM resource. CORRECT: "Principal" is the correct answer.

Answer 59

Explanation Amazon DynamoDB supports identity-based policies only. The best practice method to assign permissions to the table is to create a permissions policy that grants access to the table and assigning that policy to an IAM group that contains the Developer’s user accounts. This will provide all users with accounts in the IAM group with the access required to access the DynamoDB table. CORRECT: "Attach a permissions policy to an IAM group containing the Developer’s IAM user accounts that grants access to the table" is the correct answer.

Answer 60

Explanation The Developer needs the permissions to retrieve items, update/modify items, and create items. Therefore permissions for the following API actions are required: * GetItem - The GetItem operation returns a set of attributes for the item with the given primary key. * UpdateItem - Edits an existing item's attributes, or adds a new item to the table if it does not already exist. You can put, delete, or add attribute values. * PutItem - Creates a new item, or replaces an old item with a new item. If an item that has the same primary key as the new item already exists in the specified table, the new item completely replaces the existing item.

Answer 61

CORRECT: "Contact AWS support to request an AWS KMS rate limit increase" is a correct answer. CORRECT: "Perform error retries with exponential backoff in the application code" is a correct answer. AWS KMS establishes quotas for the number of API operations requested in each second. When you exceed an API request quota, AWS KMS throttles the request, that is, it rejects an otherwise valid request and returns a ThrottlingException error like the following one. As the error indicates, one of the recommendations is to reduce the frequency of calls which can be implemented by using exponential backoff logic in the application code. It is also possible to contact AWS and request an increase in the quota.

Answer 62

The BatchGetItem operation returns the attributes of one or more items from one or more tables. You identify requested items by primary key. A single operation can retrieve up to 16 MB of data, which can contain as many as 100 items. In order to minimize response latency, BatchGetItem retrieves items in parallel. By default, BatchGetItem performs eventually consistent reads on every table in the request. If you want strongly consistent reads instead, you can set ConsistentRead to true for any or all tables.

Answer 63

At the Amazon S3 bucket level, you can configure permissions through a bucket policy. For example, you can limit access to the objects in a bucket by IP address range or specific IP addresses. Alternatively, you can make the objects accessible only through HTTPS. CORRECT: "Create an S3 bucket policy that denies traffic where SecureTransport is false" is the correct answer.

Answer 64

You need to configure your Git client to communicate with CodeCommit repositories. As part of this configuration, you provide IAM credentials that CodeCommit can use to authenticate you. IAM supports CodeCommit with three types of credentials: * Git credentials, an IAM -generated user name and password pair you can use to communicate with CodeCommit repositories over HTTPS. * SSH keys, a locally generated public-private key pair that you can associate with your IAM user to communicate with CodeCommit repositories over SSH. * AWS access keys, which you can use with the credential helper included with the AWS CLI to communicate with CodeCommit repositories over HTTPS.

Answer 65

With Destinations, you can route asynchronous function results as an execution record to a destination resource without writing additional code. An execution record contains details about the request and response in JSON format including version, timestamp, request context, request payload, response context, and response payload. For each execution status such as Success or Failure you can choose one of four destinations: another Lambda function, SNS, SQS, or EventBridge. Lambda can also be configured to route different execution results to different destinations. In this scenario the Developer can publish the processed data to an Amazon SNS topic by configuring an Amazon SNS topic as an on-failure destination. CORRECT: "Configure an Amazon SNS topic as an on-failure destination" is the correct answer. INCORRECT: "Push the failed records to an Amazon SQS queue" is incorrect as SQS will not notify the administrators, SNS should be used.

Answer 66

Service control policies (SCPs) are one type of policy that you can use to manage your organization. SCPs offer central control over the maximum available permissions for all accounts in your organization, allowing you to ensure your accounts stay within your organization’s access control guidelines. You can configure the SCPs in your organization to work as either of the following: * A deny list – actions are allowed by default, and you specify what services and actions are prohibited * An allow list – actions are prohibited by default, and you specify what services and actions are allowed CORRECT: "Create a deny list and specify the API actions to deny" is the correct answer.

Answer 67

INCORRECT: "BeforeAllowTraffic > AfterAllowTraffic" is incorrect as this would be valid for AWS Lambda. CORRECT: "BeforeInstall > AfterInstall > AfterAllowTestTraffic > BeforeAllowTraffic > AfterAllowTraffic" is the correct answer.

Answer 68

You can send trace data to X-Ray in the form of segment documents. A segment document is a JSON formatted string that contains information about the work that your application does in service of a request. Your application can record data about the work that it does itself in segments, or work that uses downstream services and resources in subsegments. Segments record information about the work that your application does. A segment, at a minimum, records the time spent on a task, a name, and two IDs. The trace ID tracks the request as it travels between services. The segment ID tracks the work done for the request by a single service. CORRECT: "The PutTraceSegments API action" is the correct answer. INCORRECT: "The PutTelemetryRecords API action" is incorrect as this is used by the AWS X-Ray daemon to upload telemetry. INCORRECT: "The UpdateGroup API action" is incorrect as this updates a group resource. INCORRECT: "The GetTraceSummaries API action" is incorrect as this retrieves IDs and annotations for traces available for a specified time frame using an optional filter.

Answer 69

An AWS Lambda function's execution role grants it permission to access AWS services and resources. You provide this role when you create a function, and Lambda assumes the role when your function is invoked. You can create an execution role for development that has permission to send logs to Amazon CloudWatch and upload trace data to AWS X-Ray. The most likely cause of this issue is that the execution role assigned to the Lambda function does not have the permissions (shown above) to write to CloudWatch Logs. CORRECT: "The execution role for the Lambda function is missing permissions to write log data to the CloudWatch Logs" is the correct answer.

Answer 70

You can use CloudWatch Logs to monitor applications and systems using log data. For example, CloudWatch Logs can track the number of errors that occur in your application logs and send you a notification whenever the rate of errors exceeds a threshold you specify. CloudWatch Logs uses your log data for monitoring; so, no code changes are required. For example, you can monitor application logs for specific literal terms (such as "NullReferenceException") or count the number of occurrences of a literal term at a particular position in log data (such as "404" status codes in an Apache access log). When the term you are searching for is found, CloudWatch Logs reports the data to a CloudWatch metric that you specify. Log data is encrypted while in transit and while it is at rest. CORRECT: "Use CloudWatch Logs to track the number of errors that occur in the application logs and send an SNS notification" is the correct answer.

Answer 71

Use a FIFO queue and configure the Lambda function to add a message deduplication token to the message body

Answer 72

CORRECT: "BeforeInstall > AfterInstall > ApplicationStart > ValidateService" is the correct answer.

Answer 73

In DynamoDB, you have the option to specify conditions when granting permissions using an IAM policy. For example, you can: * Grant permissions to allow users read-only access to certain items and attributes in a table or a secondary index. * Grant permissions to allow users write-only access to certain attributes in a table, based upon the identity of that user. To implement this kind of fine-grained access control, you write an IAM permissions policy that specifies conditions for accessing security credentials and the associated permissions. You then apply the policy to IAM users, groups, or roles that you create using the IAM console. Your IAM policy can restrict access to individual items in a table, access to the attributes in those items, or both at the same time. You use the IAM Condition element to implement a fine-grained access control policy. By adding a Condition element to a permissions policy, you can allow or deny access to items and attributes in DynamoDB tables and indexes, based upon your particular business requirements. You can also grant permissions on a table, but restrict access to specific items in that table based on certain primary key values. CORRECT: "Restrict access to specific items based on certain primary key values" is the correct answer.

Answer 74

Amazon S3 and Amazon CloudFront

Answer 75

Explanation Amazon S3 is object storage built to store and retrieve any amount of data from anywhere on the Internet. Amazon S3 uses standards-based REST and SOAP interfaces designed to work with any internet-development toolkit. Amazon S3 is a simple key-based object store. The key is the name of the object and the value is the actual data itself. Keys can be any string, and they can be constructed to mimic hierarchical attributes. CORRECT: "Amazon S3" is the correct answer.

Answer 76

CORRECT: "Use a lazy loading caching strategy" is the correct answer. There are two caching strategies available: Lazy Loading and Write-Through: Lazy Loading Loads the data into the cache only when necessary (if a cache miss occurs). Lazy loading avoids filling up the cache with data that won’t be requested. If requested data is in the cache, ElastiCache returns the data to the application. If the data is not in the cache or has expired, ElastiCache returns a null. The application then fetches the data from the database and writes the data received into the cache so that it is available for next time. Data in the cache can become stale if Lazy Loading is implemented without other strategies (such as TTL).

Answer 77

CORRECT: "Encrypt plaintext data with a data key and then encrypt the data key with a top-level plaintext master key" is the correct answer. Envelope encryption is the practice of encrypting plaintext data with a data key, and then encrypting the data key under another key. You can even encrypt the data encryption key under another encryption key and encrypt that encryption key under another encryption key. But, eventually, one key must remain in plaintext so you can decrypt the keys and your data. This top-level plaintext key encryption key is known as the master key.

Answer 78

CORRECT: "Create a global secondary index with a partition key of sport_name and a sort key of score, and get the results" is the correct answer. INCORRECT: "Use a DynamoDB query operation with the key attributes of user_id and sport_name and order the results based on the score attribute" is incorrect as this is less efficient compared to using a GSI.

Answer 79

When this policy is evaluated, IAM replaces the variable ${aws:username}with the friendly name of the actual current user. This means that a single policy applied to a group of users can control access to a bucket by using the username as part of the resource's name. CORRECT: "Variable" is the correct answer. INCORRECT: "Condition" is incorrect. The Condition element (or Condition block) lets you specify conditions for when a policy is in effect.

Answer 80

CORRECT: "Create a state machine using the Amazon States Language" is the correct answer. AWS Step Functions is a web service that enables you to coordinate the components of distributed applications and microservices using visual workflows. You build applications from individual components that each perform a discrete function, or task, allowing you to scale and change applications quickly. The following are key features of AWS Step Functions: * Step Functions is based on the concepts of tasks and state machines. * You define state machines using the JSON-based Amazon States Language.

Answer 81

Amazon Cognito identity pools support both authenticated and unauthenticated identities. Authenticated identities belong to users who are authenticated by any supported identity provider. Unauthenticated identities typically belong to guest users. CORRECT: "Create a new identity pool, enable access to unauthenticated identities, and grant access to AWS resources" is the correct answer. INCORRECT: "Create a new user pool, enable access to unauthenticated identities, and grant access to AWS resources" is incorrect as you must use identity pools for unauthenticated users.

Answer 82

CORRECT: "Use Amazon DynamoDB Accelerator (DAX) to cache the data" is the correct answer. INCORRECT: "Use exponential backoff in the application code for DynamoDB queries" is incorrect as this may reduce the requirement for over-provisioning reads but it will not solve the problem of reducing latency. With this solution the application performance will be worse, it’s a case of reducing cost along with performance.

Answer 83

Use backlog per instance metric with target tracking scaling policy - If you use a target tracking scaling policy based on a custom Amazon SQS queue metric, dynamic scaling can adjust to the demand curve of your application more effectively. ---- Docker swarm - A Docker swarm is a container orchestration tool, meaning that it allows the user to manage multiple containers deployed across multiple host machines. A swarm consists of multiple Docker hosts which run in swarm mode and act as managers (to manage membership and delegation) and workers (which run swarm services). ECS service scheduler - Amazon ECS provides a service scheduler (for long-running tasks and applications), the ability to run tasks manually (for batch jobs or single run tasks), with Amazon ECS placing tasks on your cluster for you. You can specify task placement strategies and constraints that allow you to run tasks in the configuration you choose, such as spread out across Availability Zones. It is also possible to integrate with custom or third-party schedulers. ECS step scaling policy - Although Amazon ECS Service Auto Scaling supports using Application Auto Scaling step scaling policies, AWS recommends using target tracking scaling policies instead. For example, if you want to scale your service when CPU utilization falls below or rises above a certain level, create a target tracking scaling policy based on the CPU utilization metric provided by Amazon ECS.

Answer 84

Create a CNAME record A CNAME record maps DNS queries for the name of the current record, such as acme.example.com, to another domain (example.com or example.net) or subdomain (acme.example.com or zenith.example.org). CNAME records can be used to map one domain name to another. Although you should keep in mind that the DNS protocol does not allow you to create a CNAME record for the top node of a DNS namespace, also known as the zone apex. For example, if you register the DNS name example.com, the zone apex is example.com. You cannot create a CNAME record for example.com, but you can create CNAME records for www.example.com, newproduct.example.com, and so on. --- Create an A record - Used to point a domain or subdomain to an IP address. 'A record' cannot be used to map one domain name to another.

Answer 85

1. Create the app from a template provided by AWS CDK 2. Add code to the app to create resources within stacks 3. Build the app (optional) 4. Synthesize one or more stacks in the app 5. Deploy stack(s) to your AWS account

Answer 86

Exported Output Values in CloudFormation must have unique names within a single Region ----

Answer 87

AWS Serverless Application Repository (SAR)

Answer 88

IAM Access Analyzer - AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity. This lets you identify unintended access to your resources and data, which is a security risk. --- Access Advisor feature on IAM console - To help identify the unused roles, IAM reports the last-used timestamp that represents when a role was last used to make an AWS request. Your security team can use this information to identify, analyze, and then confidently remove unused roles. This helps improve the security posture of your AWS environments. S3 Object Lock - S3 Object Lock enables you to store objects using a "Write Once Read Many" (WORM) model. S3 Object Lock can help prevent accidental or inappropriate deletion of data S3 Analytics - By using Amazon S3 analytics Storage Class Analysis you can analyze storage access patterns to help you decide when to transition the right data to the right storage class. You cannot use S3 Analytics to identify unintended access to your S3 resources.

Answer 89

X-Ray sampling By customizing sampling rules, you can control the amount of data that you record, and modify sampling behavior on the fly without modifying or redeploying your code. Sampling rules tell the X-Ray SDK how many requests to record for a set of criteria. X-Ray SDK applies a sampling algorithm to determine which requests get traced however because our application is failing to send data to X-Ray it does not help in determining the cause of failure. --- Incorrect options: EC2 X-Ray Daemon - The AWS X-Ray daemon is a software application that listens for traffic on UDP port 2000, gathers raw segment data, and relays it to the AWS X-Ray API. The daemon logs could help with figuring out the problem.

Answer 90

AWS Organizations Service Control Policy (SCP) – Use an AWS Organizations Service Control Policy (SCP) to define the maximum permissions for account members of an organization or organizational unit (OU). SCPs limit permissions that identity-based policies or resource-based policies grant to entities (users or roles) within the account, but do not grant permissions. Permissions boundary - Permissions boundary is a managed policy that is used for an IAM entity (user or role). The policy defines the maximum permissions that the identity-based policies can grant to an entity, but does not grant permissions.

Answer 91

"Cognito User Pools" After successful authentication, Amazon Cognito returns user pool tokens to your app. You can use the tokens to grant your users access to your own server-side resources, or to the Amazon API Gateway. Amazon Cognito user pools implement ID, access, and refresh tokens as defined by the OpenID Connect (OIDC) open standard. The ID token is a JSON Web Token (JWT) that contains claims about the identity of the authenticated user such as name, email, and phone_number. You can use this identity information inside your application. The ID token can also be used to authenticate users against your resource servers or server applications.

Answer 92

!FindInMap [ MapName, TopLevelKey, SecondLevelKey ] RegionMap: us-east-1: HVM64: "ami-0ff8a91507f77f867"

Answer 93

You can't change the queue type after you create it The visibility timeout value for the queue is in seconds, which defaults to 30 seconds

Answer 94

Separate public traffic from private traffic - The nodes of an internet-facing load balancer have public IP addresses. Load balancers route requests to your targets using private IP addresses. Therefore, your targets do not need public IP addresses to receive requests from users over the internet. Build a highly available system - Elastic Load Balancing provides fault tolerance for your applications by automatically balancing traffic across targets – Amazon EC2 instances, containers, IP addresses, and Lambda functions – in multiple Availability Zones while ensuring only healthy targets receive traffic.

Answer 95

Cognito Sync Amazon Cognito Sync is an AWS service and client library that enables cross-device syncing of application-related user data. You can use it to synchronize user profile data across mobile devices and the web without requiring your own backend. The client libraries cache data locally so your app can read and write data regardless of device connectivity status.

Answer 96

Configure Application Auto Scaling to manage Lambda provisioned concurrency on a schedule Due to a spike in traffic, when Lambda functions scale, this causes the portion of requests that are served by new instances to have higher latency than the rest. To enable your function to scale without fluctuations in latency, use provisioned concurrency. By allocating provisioned concurrency before an increase in invocations, you can ensure that all requests are served by initialized instances with very low latency

Answer 97

Use Envelope Encryption and reference the data as file within the code While AWS KMS does support sending data up to 4 KB to be encrypted directly, envelope encryption can offer significant performance benefits. When you encrypt data directly with AWS KMS it must be transferred over the network. Envelope encryption reduces the network load since only the request and delivery of the much smaller data key go over the network. The data key is used locally in your application or encrypting AWS service, avoiding the need to send the entire block of data to AWS KMS and suffer network latency. AWS Lambda environment variables can have a maximum size of 4 KB. Additionally, the direct 'Encrypt' API of KMS also has an upper limit of 4 KB for the data payload. To encrypt 1 MB, you need to use the Encryption SDK and pack the encrypted file with the lambda function.

Answer 98

"no limit": There are no message limits for storing in SQS, but 'in-flight messages' do have limits. Make sure to delete messages after you have processed them. There can be a maximum of approximately 120,000 inflight messages (received from a queue by a consumer, but not yet deleted from the queue).

Answer 99

ValidateService: ValidateService is the last deployment lifecycle event. It is used to verify the deployment was completed successfully. Incorrect options: AllowTraffic - During this deployment lifecycle event, internet traffic is allowed to access instances after a deployment. This event is reserved for the AWS CodeDeploy agent and cannot be used to run scripts

Answer 100

Use the DynamoDB on-demand backup capability to write to Amazon S3 and download locally - This option is not feasible for the given use-case. DynamoDB has two built-in backup methods (On-demand, Point-in-time recovery) that write to Amazon S3, but you will not have access to the S3 buckets that are used for these backups.

Answer 101

AWS Security Token Service (STS) - AWS Security Token Service (AWS STS) is a web service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users that you authenticate (federated users). However, it is not supported by API Gateway. Incorrect options: Standard AWS IAM roles and policies - Standard AWS IAM roles and policies offer flexible and robust access controls that can be applied to an entire API or individual methods. IAM roles and policies can be used for controlling who can create and manage your APIs, as well as who can invoke them.

Answer 102

Generate a public SSH key from a private SSH key. Then, import the key into each of your AWS Regions Here is the correct way of reusing SSH keys in your AWS Regions: Generate a public SSH key (.pub) file from the private SSH key (.pem) file. Set the AWS Region you wish to import to. Import the public SSH key into the new Region.

Answer 103

Reboot the Spot Instance

Answer 104

Increase the number of shards within your data streams to provide enough capacity Configure the data producer to retry with an exponential backoff --- Use Kinesis enhanced fan-out for Kinesis Data Streams - You should use enhanced fan-out if you have, or expect to have, multiple consumers retrieving data from a stream in parallel. Therefore, using enhanced fan-out will not help address the ProvisionedThroughputExceeded exception as the constraint is the capacity limit of the Kinesis Data Stream.

Answer 105

IAM Access Analyzer - AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity. This lets you identify unintended access to your resources and data, which is a security risk. You can set the scope for the analyzer to an organization or an AWS account. This is your zone of trust. The analyzer scans all of the supported resources within your zone of trust. When Access Analyzer finds a policy that allows access to a resource from outside of your zone of trust, it generates an active finding.

Answer 106

KMS stores the CMK, and receives data from the clients, which it encrypts and sends back A customer master key (CMK) is a logical representation of a master key. The CMK includes metadata, such as the key ID, creation date, description, and key state. The CMK also contains the key material used to encrypt and decrypt data. You can generate CMKs in KMS, in an AWS CloudHSM cluster, or import them from your key management infrastructure. AWS KMS supports symmetric and asymmetric CMKs. A symmetric CMK represents a 256-bit key that is used for encryption and decryption. An asymmetric CMK represents an RSA key pair that is used for encryption and decryption or signing and verification (but not both), or an elliptic curve (ECC) key pair that is used for signing and verification.

Answer 107

Explanation An event source mapping is an AWS Lambda resource that reads from an event source and invokes a Lambda function. You can use event source mappings to process items from a stream or queue in services that don't invoke Lambda functions directly. Lambda provides event source mappings for the following services. Services That Lambda Reads Events From Amazon Kinesis Amazon DynamoDB Amazon Simple Queue Service

Answer 108

CORRECT: "Use an Amazon Cognito identity pool, federate with the SAML provider, and use a trust policy with an IAM condition key to limit employee access" is the correct answer.

Answer 109

Explanation CodeDeploy provides two deployment type options – in-place and blue/green. Note that AWS Lambda and Amazon ECS deployments cannot use an in-place deployment type.

Answer 110

CORRECT: "Amazon Cognito user pools and identity pools" is the correct answer. Explanation There are two key requirements in this scenario. Firstly the company wants to manage user accounts using a system that allows users to reset their own passwords. The company also wants to authorize users to access AWS services. The first requirement is provided by an Amazon Cognito User Pool. With a Cognito user pool you can add sign-up and sign-in to mobile and web apps and it also offers a user directory so user accounts can be created directly within the user pool. Users also have the ability to reset their passwords. To access AWS services you need a Cognito Identity Pool. An identity pool can be used with a user pool and enables a user to obtain temporary limited-privilege credentials to access AWS services.

Answer 111

CORRECT: "Enable default encryption when creating the bucket" is the correct answer. Explanation Amazon S3 default encryption provides a way to set the default encryption behavior for an S3 bucket. You can set default encryption on a bucket so that all new objects are encrypted when they are stored in the bucket. The objects are encrypted using server-side encryption with either Amazon S3-managed keys (SSE-S3) or customer master keys (CMKs) stored in AWS Key Management Service (AWS KMS).

Answer 112

Therefore, we need to create an S3 bucket policy that denies any S3 Put request that do not include the x-amz-server-side-encryption header. There are two possible values for the x-amz-server-side-encryption header: AES256, which tells S3 to use S3-managed keys, and aws:kms, which tells S3 to use AWS KMS–managed keys. INCORRECT: "Enable Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3) on the Amazon S3 bucket" is incorrect as this will enable default encryption but will not enforce encryption on the S3 bucket. You do still need to enable default encryption on the bucket, but this alone will not enforce encryption.

Answer 113

Explanation You can launch a cluster of multicontainer instances in a single-instance or autoscaling Elastic Beanstalk environment using the Elastic Beanstalk console. The single container and multicontainer Docker platforms for Elastic Beanstalk support the use of Docker images stored in a public or private online image repository. You specify images by name in the Dockerrun.aws.json file and save it in the root of your source directory. CORRECT: "Define the containers in the Dockerrun.aws.json file in JSON format and save at the root of the source directory" is the correct answer.

Answer 114

CORRECT: "Create a COGNITO_USER_POOLS authorizer in API Gateway" is the correct answer. A user pool is a user directory in Amazon Cognito. With a user pool, your users can sign into your web or mobile app through Amazon Cognito. Your users can also sign in through social identity providers like Google, Facebook, Amazon, or Apple, and through SAML identity providers. Whether your users sign in directly or through a third party, all members of the user pool have a directory profile that you can access through a Software Development Kit (SDK).

Answer 115

CORRECT: "Implement developer-authenticated identities by using Amazon Cognito, and get credentials for these identities" is the correct answer. Amazon Cognito supports developer authenticated identities, in addition to web identity federation through Facebook (Identity Pools), Google (Identity Pools), Login with Amazon (Identity Pools), and Sign in with Apple (identity Pools). With developer authenticated identities, you can register and authenticate users via your own existing authentication process, while still using Amazon Cognito to synchronize user data and access AWS resources. Using developer authenticated identities involves interaction between the end user device, your backend for authentication, and Amazon Cognito. Therefore, the Developer can implement developer-authenticated identities by using Amazon Cognito, and get credentials for these identities.

Answer 116

CORRECT: “Set the Origin Protocol Policy to “HTTPS Only”” is a correct answer. CORRECT: “Set the Viewer Protocol Policy to “HTTPS Only” or “Redirect HTTP to HTTPS”” is also a correct answer.

Answer 117

CORRECT: "Create an S3 bucket policy that denies traffic where SecureTransport is false" is the correct answer. INCORRECT: "Create an S3 bucket policy that denies any S3 Put request that does not include the x-amz-server-side-encryption" is incorrect. This will ensure that the data is encrypted at rest, but not in-transit.

Answer 118

CORRECT: "Setup an Alias that will point to the latest version" is the correct answer. INCORRECT: "Publish a mutable version and point it to the $LATEST version" is incorrect as all published versions are immutable (cannot be modified) and you cannot modify a published version to point to the $LATEST version.

Answer 119

CORRECT: "Install the Kinesis Producer Library (KPL) for ingesting data into the stream" is the correct answer. An Amazon Kinesis Data Streams producer is an application that puts user data records into a Kinesis data stream (also called data ingestion). The Kinesis Producer Library (KPL) simplifies producer application development, allowing developers to achieve high write throughput to a Kinesis data stream. The KPL is an easy-to-use, highly configurable library that helps you write to a Kinesis data stream. It acts as an intermediary between your producer application code and the Kinesis Data Streams API actions. The KPL performs the following primary tasks: * Writes to one or more Kinesis data streams with an automatic and configurable retry mechanism * Collects records and uses PutRecords to write multiple records to multiple shards per request * Aggregates user records to increase payload size and improve throughput * Integrates seamlessly with the Kinesis Client Library (KCL) to de-aggregate batched records on the consumer * Submits Amazon CloudWatch metrics on your behalf to provide visibility into producer performance

Answer 120

"Lambda Authorizer" An Amazon API Gateway Lambda authorizer (formerly known as a custom authorizer) is a Lambda function that you provide to control access to your API. A Lambda authorizer uses bearer token authentication strategies, such as OAuth or SAML. Before creating an API Gateway Lambda authorizer, you must first create the AWS Lambda function that implements the logic to authorize and, if necessary, to authenticate the caller.

Answer 121

Access Advisor feature on IAM console To help identify the unused roles, IAM reports the last-used timestamp that represents when a role was last used to make an AWS request. Your security team can use this information to identify, analyze, and then confidently remove unused roles. This helps improve the security posture of your AWS environments. Additionally, by removing unused roles, you can simplify your monitoring and auditing efforts by focusing only on roles that are in use.

Answer 122

5.3 TiB - General Purpose SSD (gp2) volumes offer cost-effective storage that is ideal for a broad range of workloads. These volumes deliver single-digit millisecond latencies and the ability to burst to 3,000 IOPS for extended periods of time. Between a minimum of 100 IOPS (at 33.33 GiB and below) and a maximum of 16,000 IOPS (at 5,334 GiB and above), baseline performance scales linearly at 3 IOPS per GiB of volume size.

Answer 123

AWS Management Console might have been used to create the launch configuration - By default, basic monitoring is enabled when you create a launch template or when you use the AWS Management Console to create a launch configuration. This could be the reason behind only the basic monitoring taking place.

Answer 124

Use Cognito Identity pools to enable trusted third-party authenticated users to access DynamoDB Amazon Cognito identity pools (federated identities) enable you to create unique identities for your users and federate them with identity providers. With an identity pool, you can obtain temporary, limited-privilege AWS credentials to access other AWS services. Amazon Cognito identity pools support the following identity providers: Public providers: Login with Amazon (Identity Pools), Facebook (Identity Pools), Google (Identity Pools), Sign in with Apple (Identity Pools). Amazon Cognito User Pools Open ID Connect Providers (Identity Pools) SAML Identity Providers (Identity Pools) Developer Authenticated Identities (Identity Pools) https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html

Answer 125

Standard Workflows on AWS Step Functions are suitable for long-running, durable, and auditable workflows that can also support any human approval steps You should use Express Workflows for workloads with high event rates and short duration Express Workflows have a maximum duration of five minutes and Standard workflows have a maximum duration of one year.

Answer 126

Correct option: aws ec2 monitor-instances --instance-ids i-1234567890abcdef0 - This enables detailed monitoring for a running instance.

Answer 127

By default, CloudTrail tracks only bucket-level actions. To track object-level actions, you need to enable Amazon S3 data events Member accounts will be able to see the organization trail, but cannot modify or delete it - Organization trails must be created in the master account, and when specified as applying to an organization, are automatically applied to all member accounts in the organization If you have created an organization in AWS Organizations, you can also create a trail that will log all events for all AWS accounts in that organization. This is referred to as an organization trail.

Answer 128

CodeBuild scales automatically, the organization does not have to do anything for scaling or for parallel builds - AWS CodeBuild is a fully managed build service in the cloud. CodeBuild compiles your source code, runs unit tests, and produces artifacts that are ready to deploy. CodeBuild eliminates the need to provision, manage, and scale your own build servers. It provides prepackaged build environments for popular programming languages and build tools such as Apache Maven, Gradle, and more. You can also customize build environments in CodeBuild to use your own build tools. CodeBuild scales automatically to meet peak build requests.

Answer 129

Use S3 Object Ownership to default bucket owner to be the owner of all objects in the bucket S3 Object Ownership is an Amazon S3 bucket setting that you can use to control ownership of new objects that are uploaded to your buckets. By default, when other AWS accounts upload objects to your bucket, the objects remain owned by the uploading account. With S3 Object Ownership, any new objects that are written by other accounts with the bucket-owner-full-control canned access control list (ACL) automatically become owned by the bucket owner, who then has full control of the objects.

Answer 130

The Lambda function invocation is asynchronous - When an asynchronous invocation event exceeds the maximum age or fails all retry attempts, Lambda discards it. Or sends it to dead-letter queue if you have configured one. The event fails all processing attempt - A dead-letter queue acts the same as an on-failure destination in that it is used when an event fails all processing attempts or expires without being processed.

Answer 131

Opt for Blue/Green deployment Incorrect options: Opt for Rolling deployment - This deployment type is present for AWS Elastic Beanstalk and not for EC2 instances directly. Opt for Immutable deployment - This deployment type is present for AWS Elastic Beanstalk and not for EC2 instances directly.

Answer 132

You terminated the container instance while it was in STOPPED state, that lead to this synchronization issues - If you terminate a container instance while it is in the STOPPED state, that container instance isn't automatically removed from the cluster. You will need to deregister your container instance in the STOPPED state by using the Amazon ECS console or AWS Command Line Interface. Once deregistered, the container instance will no longer appear as a resource in your Amazon ECS cluster.

Answer 133

Use IAM roles and resource-based policies delegate access across accounts within different partitions via programmatic access only - This statement is incorrect and hence the right choice for this question. IAM roles and resource-based policies delegate access across accounts only within a single partition. For example, assume that you have an account in US West (N. California) in the standard aws partition. You also have an account in China (Beijing) in the aws-cn partition. You can't use an Amazon S3 resource-based policy in your account in China (Beijing) to allow access for users in your standard AWS account.

Answer 134

The cluster name Parameter has not been updated in the file /etc/ecs/ecs.config during bootstrap - In the ecs.config file you have to configure the parameter ECS_CLUSTER='your_cluster_name' to register the container instance with a cluster named 'your_cluster_name'.

Answer 135

Configure Lambda to connect to VPC with private subnet and Security Group needed to access RDS - You can configure a Lambda function to connect to private subnets in a virtual private cloud (VPC) in your account. Use Amazon Virtual Private Cloud (Amazon VPC) to create a private network for resources such as databases, cache instances, or internal services. Connect your lambda function to the VPC to access private resources during execution. When you connect a function to a VPC, Lambda creates an elastic network interface for each combination of the security group and subnet in your function's VPC configuration. This is the right way of giving RDS access to Lambda.

Answer 136

Update stage variable value from the stage name of test to that of prod After creating your API, you must deploy it to make it callable by your users. To deploy an API, you create an API deployment and associate it with a stage. A stage is a logical reference to a lifecycle state of your API (for example, dev, prod, beta, v2). API stages are identified by the API ID and stage name. They're included in the URL that you use to invoke the API. Each stage is a named reference to a deployment of the API and is made available for client applications to call.

Answer 137

Correct option: "CodeDeploy Agent" The CodeDeploy agent is a software package that, when installed and configured on an instance, makes it possible for that instance to be used in CodeDeploy deployments. The CodeDeploy agent archives revisions and log files on instances. The CodeDeploy agent cleans up these artifacts to conserve disk space. You can use the :max_revisions: option in the agent configuration file to specify the number of application revisions to the archive by entering any positive integer. CodeDeploy also archives the log files for those revisions. All others are deleted, except for the log file of the last successful deployment.

Answer 138

MOCK This type of integration lets API Gateway return a response without sending the request further to the backend. This is useful for API testing because it can be used to test the integration setup without incurring charges for using the backend and to enable collaborative development of an API. In collaborative development, a team can isolate their development effort by setting up simulations of API components owned by other teams by using the MOCK integrations. It is also used to return CORS-related headers to ensure that the API method permits CORS access. In fact, the API Gateway console integrates the OPTIONS method to support CORS with a mock integration.

Answer 139

Server-Side Encryption with Customer Master Keys (CMKs) Stored in AWS Key Management Service (SSE-KMS) You have the following options for protecting data at rest in Amazon S3: Server-Side Encryption – Request Amazon S3 to encrypt your object before saving it on disks in its data centers and then decrypt it when you download the objects. Client-Side Encryption – Encrypt data client-side and upload the encrypted data to Amazon S3. In this case, you manage the encryption process, the encryption keys, and related tools. When you use server-side encryption with AWS KMS (SSE-KMS), you can use the default AWS managed CMK, or you can specify a customer-managed CMK that you have already created. Creating your own customer-managed CMK gives you more flexibility and control over the CMK. For example, you can create, rotate, and disable customer-managed CMKs. You can also define access controls and audit the customer-managed CMKs that you use to protect your data.

Answer 140

EBS volumes support both in-flight encryption and encryption at rest using KMS

Answer 141

AWS Kinesis Data Streams You can raise this limit to up to 7 days by enabling extended data retention or up to 365 days by enabling long-term data retention

Answer 142

Same-Region Replication (SRR) and Cross-Region Replication (CRR) can be configured at the S3 bucket level, a shared prefix level, or an object level using S3 object tags - Amazon S3 Replication (CRR and SRR) is configured at the S3 bucket level, a shared prefix level, or an object level using S3 object tags. You add a replication configuration on your source bucket by specifying a destination bucket in the same or different AWS region for replication. S3 lifecycle actions are not replicated with S3 replication - With S3 Replication (CRR and SRR), you can establish replication rules to make copies of your objects into another storage class, in the same or a different region. Lifecycle actions are not replicated, and if you want the same lifecycle configuration applied to both source and destination buckets, enable the same lifecycle configuration on both.

Answer 143

| The total size of all environment variables shouldn't exceed 4 KB. There is no limit on the number of variables

Answer 144

"The developers should insert logging statements in the Lambda function code which are then available via CloudWatch logs" When you invoke a Lambda function, two types of error can occur. Invocation errors occur when the invocation request is rejected before your function receives it. Function errors occur when your function's code or runtime returns an error. Depending on the type of error, the type of invocation, and the client or service that invokes the function, the retry behavior, and the strategy for managing errors varies.

Answer 145

Option C is CORRECT as enabling canary release will allow the developer to route a % of the traffic to the new API in a random order ensuring no one customer is affected too long. Canary release is a part of a stage in the API Gateway console. Option D is incorrect because promoting a canary release will make the deployment release, thereby having no delta between the canary and base stage. If this option is selected, all customers will be affected.

Answer 146

Option E is CORRECT. When using a proxy integration with Lambda, it is necessary to add “Access-Control-Allow-Headers” and “Access-Control-Allow-Origin” headers the response in the Lambda function as a proxy integration will not return an integration response. All three steps need to be used when enabling CORS for an API with a Lambda proxy integration.

Answer 147

Option D is CORRECT as only authorized users can invalidate cache. https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-caching.html

Answer 148

Option B is CORRECT as changing Burst to 100 and Rate to 100 will allow 100 concurrent requests to be made and processed at any given point in time. Option A is incorrect as changing Burst to 50 and Rate to 50 will mean that 50 concurrent requests can be made and processed at any given point in time. Option C is incorrect as changing Burst to 50 and Rate to 100 will allow 50 concurrent requests to be made but 100 processed at any given point in time. The remaining 50 requests will be a 429 error and will have to retry after an interval.

Answer 149

Option A is CORRECT as the POST request satisfies the condition for a simple cross-origin request. So allowing the Access-Control-Request-Origin header will make it so that it can be accessed from other origins.

Answer 150

An ALB has three possible target types: Instance, IP and Lambda When the target type is IP, you can specify IP addresses from specific CIDR blocks only. You can't specify publicly routable IP addresses.

Answer 151

Leverage the capabilities offered by ElastiCache for Redis with cluster mode enabled You can leverage ElastiCache for Redis with cluster mode enabled to enhance reliability and availability with little change to your existing workload. Cluster Mode comes with the primary benefit of horizontal scaling up and down of your Redis cluster, with almost zero impact on the performance of the cluster. Enabling Cluster Mode provides a number of additional benefits in scaling your cluster. In short, it allows you to scale in or out the number of shards (horizontal scaling) versus scaling up or down the node type (vertical scaling). This means that Cluster Mode can scale to very large amounts of storage (potentially 100s of terabytes) across up to 90 shards, whereas a single node can only store as much data in memory as the instance type has capacity for. Cluster Mode also allows for more flexibility when designing new workloads with unknown storage requirements or heavy write activity. In a read-heavy workload, one can scale a single shard by adding read replicas, up to five, but a write-heavy workload can benefit from additional write endpoints when cluster mode is enabled.

Answer 152

All the nodes in a Redis cluster must reside in the same region While using Redis with cluster mode enabled, you cannot manually promote any of the replica nodes to primary While using Redis with cluster mode enabled, there are some limitations: - You cannot manually promote any of the replica nodes to primary. - Multi-AZ is required. - You can only change the structure of a cluster, the node type, and the number of nodes by restoring from a backup.

Answer 153

Your Lambda function ran out of RAM The maximum amount of memory available to the Lambda function at runtime is 10,240 MB. Your Lambda function was deployed with 10,240 MB of RAM, but it seems your code requested or used more than that, so the Lambda function failed.

Answer 154

Use the AWS CLI associate-kms-key command and specify the KMS key ARN Log group data is always encrypted in CloudWatch Logs. You can optionally use AWS AWS Key Management Service for this encryption. If you do, the encryption is done using an AWS KMS (AWS KMS) customer master key (CMK). Encryption using AWS KMS is enabled at the log group level, by associating a CMK with a log group, either when you create the log group or after it exists. After you associate a CMK with a log group, all newly ingested data for the log group is encrypted using the CMK. This data is stored in an encrypted format throughout its retention period. CloudWatch Logs decrypts this data whenever it is requested. CloudWatch Logs must have permissions for the CMK whenever encrypted data is requested. To associate the CMK with an existing log group, you can use the associate-kms-key command.

Answer 155

In the Java system properties: aws.accessKeyId and aws.secretKey. In system environment variables: AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. In the default credentials file (the location of this file varies by platform). Credentials delivered through the Amazon EC2 container service if the AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variable is set and security manager has permission to access the variable. In the instance profile credentials, which exist within the instance metadata associated with the IAM role for the EC2 instance. Web Identity Token credentials from the environment or container.

Answer 156

Between clients and CloudFront as well as between CloudFront and backend For web distributions, you can configure CloudFront to require that viewers use HTTPS to request your objects, so connections are encrypted when CloudFront communicates with viewers. You also can configure CloudFront to use HTTPS to get objects from your origin, so connections are encrypted when CloudFront communicates with your origin.

Answer 157

Enable SQS KMS encryption Server-side encryption (SSE) lets you transmit sensitive data in encrypted queues. SSE protects the contents of messages in queues using keys managed in AWS Key Management Service (AWS KMS). AWS KMS combines secure, highly available hardware and software to provide a key management system scaled for the cloud. When you use Amazon SQS with AWS KMS, the data keys that encrypt your message data are also encrypted and stored with the data they protect. You can choose to have SQS encrypt messages stored in both Standard and FIFO queues using an encryption key provided by AWS Key Management Service (KMS).

Answer 158

Create an S3 event to invoke a Lambda function that inserts records into DynamoDB The Amazon S3 notification feature enables you to receive notifications when certain events happen in your bucket. To enable notifications, you must first add a notification configuration that identifies the events you want Amazon S3 to publish and the destinations where you want Amazon S3 to send the notifications. You store this configuration in the notification subresource that is associated with a bucket.

Answer 159

# Define a dev environment with a single instance and a 'load test' environment that has settings close to production environment AWS Elastic Beanstalk makes it easy to create new environments for your application. You can create and manage separate environments for development, testing, and production use, and you can deploy any version of your application to any environment. Environments can be long-running or temporary. When you terminate an environment, you can save its configuration to recreate it later. It is common practice to have many environments for the same application. You can deploy multiple environments when you need to run multiple versions of an application. So for the given use-case, you can set up 'dev' and 'load test' environment.

Answer 160

Cache dependencies on S3 AWS CodeBuild is a fully managed continuous integration service that compiles source code, runs tests, and produces software packages that are ready to deploy. With CodeBuild, you don’t need to provision, manage, and scale your build servers. Downloading dependencies is a critical phase in the build process. These dependent files can range in size from a few KBs to multiple MBs. Because most of the dependent files do not change frequently between builds, you can noticeably reduce your build time by caching dependencies in S3.

Answer 161

The bucket owner also needs to be object owner to get the object access logs If the bucket owner is also the object owner, the bucket owner gets the object access logs. Otherwise, the bucket owner must get permissions, through the object ACL, for the same object API to get the same object-access API logs.

Answer 162

Repositories are automatically encrypted at rest

Answer 163

Use CloudWatch integration feature with S3 You can export log data from your CloudWatch log groups to an Amazon S3 bucket and use this data in custom processing and analysis, or to load onto other systems.

Answer 164

Put the function and the dependencies in one folder and zip them together There's only one way of deploying a Lambda function, which is to provide the zip file with all dependencies that it'll need

Answer 165

Open up port 80 & port 443 Configure your EC2 instances to redirect HTTP traffic to HTTPS Assign an SSL certificate to the Load Balancer

Answer 166

- -starting-token | - -max-items

Answer 167

Make a snapshot of the database before it gets deleted

Answer 168

Provide the correct IAM task role to the X-Ray container Deploy the X-Ray daemon agent as a sidecar container

Answer 169

Use a Lifecycle Policy Each time you upload a new version of your application with the Elastic Beanstalk console or the EB CLI, Elastic Beanstalk creates an application version. If you don't delete versions that you no longer use, you will eventually reach the application version limit and be unable to create new versions of that application. You can avoid hitting the limit by applying an application version lifecycle policy to your applications. A lifecycle policy tells Elastic Beanstalk to delete old application versions or to delete application versions when the total number of versions for an application exceeds a specified number.

Answer 170

Enable storage auto-scaling for RDS MySQL If your workload is unpredictable, you can enable storage autoscaling for an Amazon RDS DB instance. With storage autoscaling enabled, when Amazon RDS detects that you are running out of free database space it automatically scales up your storage. Amazon RDS starts a storage modification for an autoscaling-enabled DB instance when these factors apply: Free available space is less than 10 percent of the allocated storage. The low-storage condition lasts at least five minutes. At least six hours have passed since the last storage modification. The maximum storage threshold is the limit that you set for autoscaling the DB instance. You can't set the maximum storage threshold for autoscaling-enabled instances to a value greater than the maximum allocated storage.

Answer 171

Write the AWS Lambda code inline in CloudFormation in the AWS::Lambda::Function block as long as there are no third-party dependencies Upload all the code as a zip to S3 and refer the object in AWS::Lambda::Function block

Answer 172

Setup a Worker environment and a cron.yaml file

Answer 173

MessageGroupId The message group ID is the tag that specifies that a message belongs to a specific message group. Messages that belong to the same message group are always processed one by one, in a strict order relative to the message group (however, messages that belong to different message groups might be processed out of order).

Answer 174

SSE-C For the given use-case, the company wants to manage the encryption keys via its custom application and let S3 manage the encryption, therefore you must use Server-Side Encryption with Customer-Provided Keys (SSE-C).

Answer 175

Use a Lambda@Edge Lambda@Edge is a feature of Amazon CloudFront that lets you run code closer to users of your application, which improves performance and reduces latency. With Lambda@Edge, you don't have to provision or manage infrastructure in multiple locations around the world. You pay only for the compute time you consume - there is no charge when your code is not running.

Answer 176

S3 Select S3 Select enables applications to retrieve only a subset of data from an object by using simple SQL expressions. By using S3 Select to retrieve only the data needed by your application, you can achieve drastic performance increases in many cases you can get as much as a 400% improvement

Answer 177

aws ecs create-service --service-name ecs-simple-service --task-definition ecs-demo --desired-count 10

Answer 178

AWS_XRAY_DAEMON_ADDRESS

Answer 179

Specify a ProjectionExpression: A projection expression is a string that identifies the attributes you want. To retrieve a single attribute, specify its name. For multiple attributes, the names must be comma-separated.

Answer 180

Consider using Global tables if your application is accessed by globally distributed users Use eventually consistent reads in place of strongly consistent reads whenever possible

Answer 181

Create a saved configuration in Team A's account and download it to your local machine. Make the account-specific parameter changes and upload to the S3 bucket in Team B's account. From Elastic Beanstalk console, create an application from 'Saved Configurations'

Answer 182

Set up reserved concurrency for the Lambda function B so that it throttles if it goes above a certain concurrency limit To ensure that a function can always reach a certain level of concurrency, you can configure the function with reserved concurrency. When a function has reserved concurrency, no other function can use that concurrency. Incorrect options: Set up provisioned concurrency for the Lambda function B so that it throttles if it goes above a certain concurrency limit - You should use provisioned concurrency to enable your function to scale without fluctuations in latency. By allocating provisioned concurrency before an increase in invocations, you can ensure that all requests are served by initialized instances with very low latency. Provisioned concurrency is not used to limit the maximum concurrency for a given Lambda function, so this option is incorrect.

Answer 183

If two writes are made to a single non-versioned object at the same time, it is possible that only a single event notification will be sent

Answer 184

!GetAtt !GetAtt - The Fn::GetAtt intrinsic function returns the value of an attribute from a resource in the template. This example snippet returns a string containing the DNS name of the load balancer with the logical name myELB - YML : !GetAtt myELB.DNSName JSON : "Fn::GetAtt" : [ "myELB" , "DNSName" ] Incorrect options: !Sub - The intrinsic function Fn::Sub substitutes variables in an input string with values that you specify. In your templates, you can use this function to construct commands or outputs that include values that aren't available until you create or update a stack. !Ref - The intrinsic function Ref returns the value of the specified parameter or resource. !FindInMap - The intrinsic function Fn::FindInMap returns the value corresponding to keys in a two-level map that is declared in the Mappings section. For example, you can use this in the Mappings section that contains a single map, RegionMap, that associates AMIs with AWS regions.

Answer 185

Use Cognito Authentication via Cognito User Pools for your Application Load Balancer Application Load Balancer can be used to securely authenticate users for accessing your applications. This enables you to offload the work of authenticating users to your load balancer so that your applications can focus on their business logic.

Answer 186

Run AWS CodeBuild locally using CodeBuild Agent With the Local Build support for AWS CodeBuild, you just specify the location of your source code, choose your build settings, and CodeBuild runs build scripts for compiling, testing, and packaging your code. You can use the AWS CodeBuild agent to test and debug builds on a local machine. By building an application on a local machine you can: Test the integrity and contents of a buildspec file locally. Test and build an application locally before committing. Identify and fix errors quickly from your local development environment

Answer 187

Create an IAM role in Account B with access to DynamoDB. Modify the trust policy of the role in Account B to allow the execution role of Lambda to assume this role. Update the Lambda function code to add the AssumeRole API call

Answer 188

A process replaces an existing object and immediately tries to read it. Amazon S3 always returns the latest version of the object

Answer 189

A volume restored from an encrypted snapshot, or a copy of an encrypted snapshot is always encrypted Encryption by default is a Region-specific setting. If you enable it for a Region, you cannot disable it for individual volumes or snapshots in that Region

Answer 190

Set the DeleteOnTermination attribute to False using the command line Incorrect options: Update the attribute using AWS management console. Select the EC2 instance and then uncheck the Delete On Termination check box for the root EBS volume - You can set the DeleteOnTermination attribute to False when you launch a new instance. It is not possible to update this attribute of a running instance from the AWS console.

Answer 191

Server-Side Encryption with Customer-Provided Keys (SSE-C) Server-Side Encryption – Request Amazon S3 to encrypt your object before saving it on disks in its data centers and then decrypt it when you download the objects. Client-Side Encryption – Encrypt data client-side and upload the encrypted data to Amazon S3. In this case, you manage the encryption process, the encryption keys, and related tools. For the given use-case, the company wants to manage the encryption keys via its custom application and let S3 manage the encryption, therefore you must use Server-Side Encryption with Customer-Provided Keys (SSE-C).

Answer 192

Deploy the new version to a separate environment via Blue/Green Deployment, and then swap Route 53 records of the two environments to redirect traffic to the new version Incorrect: Deploy the new application version using 'Rolling' deployment policy - This policy avoids downtime and minimizes reduced availability, at a cost of a longer deployment time. However rollback process is via manual redeploy, so it's not as quick as the Blue/Green deployment.

Answer 193

Use Kinesis Firehose to ingest data and Kinesis Data Analytics to generate leaderboard scores and time-series analytics Amazon Kinesis Data Firehose is the easiest way to reliably load streaming data into data lakes, data stores, and analytics services. It can capture, transform, and deliver streaming data to Amazon S3, Amazon Redshift, Amazon Elasticsearch Service, generic HTTP endpoints, and service providers like Datadog, New Relic, MongoDB, and Splunk. It is a fully managed service that automatically scales to match the throughput of your data and requires no ongoing administration. It can also batch, compress, transform, and encrypt your data streams before loading, minimizing the amount of storage used and increasing security. Amazon Kinesis Data Analytics is the easiest way to transform and analyze streaming data in real-time with Apache Flink. Apache Flink is an open source framework and engine for processing data streams. Amazon Kinesis Data Analytics reduces the complexity of building, managing, and integrating Apache Flink applications with other AWS services.

Answer 194

- Use exponential backoff in your app - Configure reserved concurrency - Request a service quota increase.

Answer 195

Amazon CloudWatch Application Load Balancer Amazon EC2 Instance

Answer 196

Declare a ResultPath field filter on the Amazon States Language specification. In the Amazon States Language, these fields filter and control the flow of JSON from state to state: - InputPath - OutputPath - ResultPath - Parameters Out of these field filters, the ResultPath field filter is the only one that can control input values and its previous results to be passed to the state output. Hence, the correct answer is: Declare a ResultPath field filter on the Amazon States Language specification. The option that says: Declare an OutputPath field filter on the Amazon State Language specification is incorrect because it just operates on the output level. It is used to filter out unwanted information and pass only the portion of JSON that you care about that will be passed onto the next state.

Answer 197

Use the execution context in your function and add logic in your code to check if a connection exists before creating one. After a Lambda function is executed, AWS Lambda maintains the execution context for some time in anticipation of another Lambda function invocation. In effect, the service freezes the execution context after a Lambda function completes, and thaws the context for reuse, if AWS Lambda chooses to reuse the context when the Lambda function is invoked again.

Answer 198

AWS_XRAY_CONTEXT_MISSING _X_AMZN_TRACE_ID AWS Lambda uses environment variables to facilitate communication with the X-Ray daemon and configure the X-Ray SDK. _X_AMZN_TRACE_ID: Contains the tracing header, which includes the sampling decision, trace ID, and parent segment ID. If Lambda receives a tracing header when your function is invoked, that header will be used to populate the _X_AMZN_TRACE_ID environment variable. If a tracing header was not received, Lambda will generate one for you. AWS_XRAY_CONTEXT_MISSING: The X-Ray SDK uses this variable to determine its behavior in the event that your function tries to record X-Ray data, but a tracing header is not available. Lambda sets this value to LOG_ERROR by default. AWS_XRAY_DAEMON_ADDRESS: This environment variable exposes the X-Ray daemon's address in the following format: IP_ADDRESS:PORT. You can use the X-Ray daemon's address to send trace data to the X-Ray daemon directly, without using the X-Ray SDK.

Answer 199

Set the Viewer Protocol Policy to use HTTPS Only. Set the Viewer Protocol Policy to use Redirect HTTP to HTTPS. Configuring the ALB to use its default SSL/TLS certificate is incorrect because there is no default SSL certificate in ELB, unlike what we have in CloudFront.

Answer 200

You provided an IAM role in the CreateFunction API which AWS Lambda is unable to assume.

Answer 201

Create a VPC endpoint for S3. | An *internal* web application

Answer 202

Create an Identity Pool in Amazon Cognito and enable access to unauthenticated identities. (you should also enable *guest user* access)

Answer 203

Use Traffic Shifting with Lambda Aliases.

Answer 204

Latency IntegrationLatency - Monitor the IntegrationLatency metrics to measure the responsiveness of the backend. - Monitor the Latency metrics to measure the overall responsiveness of your API calls. - Monitor the CacheHitCount and CacheMissCount metrics to optimize cache capacities to achieve a desired performance.

Answer 205

GenerateDataKeyWithoutPlaintext GenerateDataKeyWithoutPlaintext is identical to GenerateDataKey except that it returns only the encrypted copy of the data key. This operation is useful for systems that need to encrypt data at some point, but not immediately. When you need to encrypt the data, you call the Decrypt operation on the encrypted copy of the key.

Answer 206

HTTP HTTP_PROXY is incorrect because this type is only used for HTTP proxy integration where you don't need to do data mapping for your request and response data.

Answer 207

Enable DynamoDB Streams and set the value of StreamViewType to NEW_IMAGE. Use Kinesis Adapter in the application to consume streams from DynamoDB. DynamoDB Streams provides a time-ordered sequence of item level changes in any DynamoDB table. The changes are *de-duplicated and stored for 24 hours.* Applications can access this log and view the data items as they appeared before and after they were modified, in near real time. Using the Kinesis Adapter is the recommended way to consume Streams from DynamoDB. The DynamoDB Streams API is intentionally similar to that of Kinesis Streams, a service for real-time processing of streaming data at massive scale. The option that says: Enable DynamoDB Streams and set the value of StreamViewType to NEW_IMAGE. Create a trigger in AWS Lambda to capture stream data and forward it to your application is incorrect because just like what is mentioned above, it is better to use Kinesis instead of Lambda for the real-time data analytics application.

Answer 208

Use the blue / green deployment strategy to decouple the Amazon RDS instance from your Elastic Beanstalk environment. Create an RDS DB snapshot of the database and enable deletion protection. Create a new Elastic Beanstalk environment with the necessary information to connect to the Amazon RDS instance. Before terminating the old Elastic Beanstalk environment, remove its security group rule first before proceeding. --- ...is incorrect because although the deployment strategy being used here is valid, the existing security group rule is not yet removed which hinders the deletion of the old environment.

Answer 209

By default, the data records are only accessible for 24 hours from the time they are added to a Kinesis stream. --- In this scenario, the consumer of the data stream is configured to *process the data every other day.* Since the default data retention of Kinesis data stream is only 24 hours, the data from the day before is already lost prior to the scheduled processing. Hence, the root cause of the problem in this scenario is because by default, the data records are only accessible for 24 hours from the time they are added to a Kinesis stream.

Answer 210

AssumeRole *developers belonging to different AWS accounts*

Answer 211

Package your application as a zip file and deploy it using the eb deploy command.

Answer 212

Set the concurrency execution limit of both functions to 450. Decrease the concurrency execution limit of the first function. --- Setting the concurrency execution limit of the second function to 0 is incorrect because this will throttle all future invocations of this function and will make the problem worse. Setting the concurrency execution limit of both functions to 500 is incorrect because by default, a newly created AWS account has a concurrent execution limit of only 1000. Take note that AWS Lambda will keep the unreserved concurrency pool at a minimum of 100 concurrent executions so that functions that do not have specific limits set can still process requests. Hence, you can only allocate a concurrent execution limit of 900 for a single Lambda function or 450 for two functions.

Answer 213

codecommit: GitPull codecommit: GitPush -- The codecommit:GitPull permission is required to pull information from a CodeCommit repository to a local repo and conversely, the codecommit:GitPush permission is required to push information from a local repo to a CodeCommit repository. This is an IAM policy permission only, not an API action. Hence, these two options are the required permissions needed by the developer in this scenario.

Answer 214

Use the Invoke API to call the Lambda function and set the invocation type request parameter to Event.

Answer 215

subsegments For services that don't send their own segments like Amazon DynamoDB, X-Ray uses subsegments to generate inferred segments and downstream nodes on the service map. This lets you see all of your downstream dependencies, even if they don't support tracing, or are external. Subsegments represent your application's view of a downstream call as a client. If the downstream service is also instrumented, the segment that it sends replaces the inferred segment generated from the upstream client's subsegment. The node on the service graph always uses information from the service's segment, if it's available, while the edge between the two nodes uses the upstream service's subsegment.

Answer 216

Set the namespace subsegment field to aws for AWS SDK calls and remote for other downstream calls. Set the metadata object with any additional custom data that you want to store in the segment. --- annotations - annotations object with key-value pairs that you want X-Ray to index for search. metadata - metadata object with any additional data that you want to store in the segment.

Answer 217

Configure the port mappings and network mode settings in your task definition file to allow traffic on UDP port 2000. Create a Docker image that runs the X-Ray daemon, upload it to a Docker image repository, and then deploy it to your Amazon ECS cluster. --- Adding the xray-daemon.config configuration file in your Docker image is incorrect because this step is not suitable for ECS. The xray-daemon.config configuration file is primarily used in Elastic Beanstalk.

Answer 218

Include your function source inline in the ZipFile parameter of the AWS::Lambda::Function resource in the CloudFormation template.

Answer 219

Increase both the instance size and the number of open shards. By increasing the instance size and number of shards in your Kinesis stream, the developer allows the instances to handle more record processors, which are running in parallel within the instance. It also allows the stream to properly accommodate the rate of data being sent in. The data capacity of your stream is a function of the number of shards that you specify for the stream. The total capacity of the stream is the sum of the capacities of its shards.

Answer 220

x-amz-server-side-encryption-customer-algorithm, x-amz-server-side-encryption-customer-key and x-amz-server-side-encryption-customer-key-MD5 headers

Answer 221

Use the plaintext data key to decrypt data locally, then erase the plaintext data key from memory. Use the Decrypt operation to decrypt the encrypted data key. --- It is recommended that you use the following pattern to encrypt data locally in your application: 1. Use the GenerateDataKey operation to get a data encryption key. 2. Use the plaintext data key (returned in the Plaintext field of the response) to encrypt data locally, then erase the plaintext data key from memory. 3. Store the encrypted data key (returned in the CiphertextBlob field of the response) alongside the locally encrypted data. To decrypt data locally: 1. Use the Decrypt operation to decrypt the encrypted data key. The operation returns a plaintext copy of the data key. 2. Use the plaintext data key to decrypt data locally, then erase the plaintext data key from memory.

Answer 222

Set up CloudFormation with Systems Manager Parameter Store to retrieve the latest AMI IDs for your template. Whenever you decide to update the EC2 instances, call the update-stack API in CloudFormation in your CloudFormation template. You can use the existing Parameters section of your CloudFormation template to define Systems Manager parameters, along with other parameters. Systems Manager parameters are a unique type that is different from existing parameters because they refer to actual values in the Parameter Store. The value for this type of parameter would be the Systems Manager (SSM) parameter key instead of a string or other value.

Answer 223

There will be at most 100 Lambda function invocations running concurrently. --- For Lambda functions that process Kinesis or DynamoDB streams, the number of shards is the unit of concurrency. If your stream has 100 active shards, there will be at most 100 Lambda function invocations running concurrently. This is because Lambda processes each shard’s events in sequence. Hence, the correct answer in this scenario is that: there will be at most 100 Lambda function invocations running concurrently. The option that says: the Lambda function has 500 concurrent executions is incorrect because the number of concurrent executions for poll-based event sources is different from push-based event sources. This number of concurrent executions would have been correct if the Lambda function is integrated with a push-based even source such as API Gateway or Amazon S3 Events. Remember that the Kinesis and Lambda integration is using a poll-based event source, which means that the number of shards is the unit of concurrency for the function.

Answer 224

Include the x-amz-server-side-encryption header with a value of aws:kms in your upload request. Including the x-amz-server-side-encryption header with a value of aws:kms as well as the x-amz-server-side-encryption-aws-kms-key-id header containing the ID of the default AWS KMS key in your upload request is incorrect because although this is a valid option, you actually don't need to add the x-amz-server-side-encryption-aws-kms-key-id header if you will be using the default AWS KMS key. Take note that the scenario explicitly mentioned to provide a solution with the LEAST amount of configuration.

Answer 225

4 shards : 2 instances The Kinesis Client Library (KCL) ensures that for every shard there is a record processor running and processing that shard. It also tracks the shards in the stream using an Amazon DynamoDB table. Since the question requires the system to smoothly process streaming data, a fair number of shards and instances are required. By launching 4 shards, the stream will have more capacity for reading and writing data. By launching 2 instances, each instance will focus on processing two shards. It also provides high availability in the event that one instance goes down. Therefore, the ratio of 4 shards : 2 instances is the correct answer.

Answer 226

Cluster Query Language Hence, the correct ECS feature which provides you with expressions that you can use to group container instances by a specific attribute is Cluster Query Language. Task Group is incorrect because this is just a set of related tasks. This does not provide expressions that enable you to group objects. All tasks with the same task group name are considered as a set when performing spread placement. Task Placement Constraint is incorrect because it is just a rule that is considered during task placement. Although it uses cluster queries when you are placing tasks on container instances based on a specific expression, it does not provide the actual expressions which are used to group those container instances.

Answer 227

The developer does not have the kms:Decrypt permission. The AWS CLI S3 commands perform a multipart upload when the file is large. To perform a multipart upload with encryption using an AWS Key Management Service (AWS KMS) customer master key (CMK), the requester must have permission to the kms:Decrypt and kms:GenerateDataKey* actions on the key. These permissions are required because Amazon S3 must decrypt and read data from the encrypted file parts before it completes the multipart upload. Hence, the correct answers in this scenario are: - The AWS CLI S3 commands perform a multipart upload when the file is large. - The developer does not have the kms:Decrypt permission

Answer 228

Use an Elastic Load Balancer and configure sticky sessions. If an instance fails or becomes unhealthy, the load balancer stops routing requests to that instance and chooses a new healthy instance based on the existing load balancing algorithm. The load balancer treats the session as now "stuck" to the new healthy instance, and continues routing requests to that instance even if the failed instance comes back.

Answer 229

Using AWS X-Ray, define an arbitrary subsegment inside the code to instrument the function. A subsegment can contain additional details about a call to an AWS service, an external HTTP API, or an SQL database. You can define arbitrary subsegments to instrument specific functions or lines of code in your application.

Answer 230

Update the images by using versioned file names. When you update existing files in a CloudFront distribution, AWS recommends that you include some sort of version identifier either in your file names or in your directory names to give yourself better control over your content. This identifier might be a date-time stamp, a sequential number, or some other method of distinguishing two versions of the same object.

Answer 231

Perform a rate-limited parallel scan operation.

Answer 232

Get the awsRequestId from the context object and log it to a file. The second argument is the context object. A context object is passed to your function by Lambda at runtime. This object provides methods and properties that provide information about the invocation, function, and runtime environment. The request ID of all invocation requests is automatically logged in CloudWatch Logs, but you might want to get it from the Lambda context object if you have a need for custom logging such as logging key events with an associated request identifier. In this case, you can access the request ID from context.awsRequestID and write to a separate log file. Hence, the correct answer is: Get the awsRequestId from the context object and log it to a file.

Answer 233

Re-enabling disabled keys Creation of symmetric and asymmetric keys The option that says: Import your own key material to an asymmetric CMK is incorrect because you can only import your own key material to symmetric CMKs and not for asymmetric types. The option that says: Automatic key rotation for CMKs in custom key stores is incorrect because automatic key rotation is only supported in symmetric CMKs. Automatic key rotation is not available for asymmetric CMKs, CMKs in custom key stores, and CMKs with imported key material.

Answer 234

Create an IAM role with cloudwatch:PutMetricData permission for the new Auto Scaling launch configuration from which you launch instances. The option that says: Modify the existing Auto Scaling launch configuration to use an IAM role with the cloudwatch:PutMetricData permission for the instances is incorrect because modifying an existing launch configuration is not possible.

Answer 235

Specify the containers in a single task definition and configure EFS as its volume type.

Answer 236

Configure the Git credential helper with the AWS credential profile. The option that says: Generate an HTTPS Git credential for AWS CodeCommit. Configure the Git credential helper with the AWS credential profile is incorrect. Although this solution works, you still don't have to create HTTPS GIT credentials since you're already using the access key credentials to authenticate with CodeCommit.

Answer 237

Cognito ID Cognito Key Pair is incorrect because this is not a unique Amazon Cognito identifier but a cryptography key.

Answer 238

Amazon Cognito Identity Pools and User Pools. A user pool is a user directory in Amazon Cognito. With a user pool, your users can sign in to your web or mobile app through Amazon Cognito. Your users can also sign in through social identity providers like Google, Facebook, Amazon, or Apple, and through SAML identity providers. Amazon User Pools and AWS Security Token Service (STS) are incorrect. While it is true that you need AWS STS to allow users to access Amazon S3, it is already abstracted by the Amazon Cognito Identity Pools. That being said, you have to configure an Identity Pool to accept users federated with your Cognito User Pool.

Answer 239

Build the SAM template in the local machine and call the sam deploy command to package and deploy the SAM template from an S3 bucket. -- sam init - Initializes a serverless application with an AWS SAM template. The template provides a folder structure for your Lambda functions and is connected to an event source such as APIs, S3 buckets, or DynamoDB tables. This application includes everything you need to get started and to eventually extend it into a production-scale application.

Answer 240

Out of all the types of State, only the Task State and the Parallel State can be used to run processes in the state machine. In the given scenario, the application logic inside the Lambda function process data synchronously. In this case, Task State should be used. States can perform a variety of functions in your state machine: Task State - Do some work in your state machine Choice State - Make a choice between branches of execution Fail or Succeed State - Stop execution with failure or success Pass State - Simply pass its input to its output or inject some fixed data, without performing work. Wait State - Provide a delay for a certain amount of time or until a specified time/date. Parallel State - Begin parallel branches of execution. Map State - Dynamically iterate steps.

Answer 241

Add a local secondary index while creating the *new* Thread table. Use the Query operation to utilize the LastPostDateTime attribute as the sort key Creating a global secondary index and using the Query operation to utilize the LastPostDateTime attribute as the sort key is incorrect because using a local secondary index is a more appropriate solution to be used in this scenario. Take note that in this scenario, it is still using the same partition key (ForumName), but with an alternate sort key (LastPostDateTime) which warrants the use of a local secondary index.

Answer 242

Embed a primary key within the record. Applications that need strict guarantees should embed a primary key within the record to remove duplicates later when processing

Answer 243

Lambda custom integration Lambda proxy integration is incorrect as this type of integration is the one where you do not have to configure both the integration request and integration response.

Answer 244

Use X-Ray SDK to generate segment documents with subsegments and send them to the X-Ray daemon, which will buffer them and upload to the X-Ray API in batches.

Answer 245

Use Enhanced Monitoring in RDS.

Answer 246

Integrate AWS AppSync to your mobile app. AWS AppSync is quite similar with Amazon Cognito Sync which is also a service for synchronizing application data across devices. It enables user data like app preferences or game state to be synchronized as well however, the key difference is that, it also extends these capabilities by allowing multiple users to synchronize and collaborate in real time on shared data.

Answer 247

Cognito Sync Amazon Cognito Sync is an AWS service and client library that enables cross-device syncing of application-related user data. You can use it to synchronize user profile data across mobile devices and the web without requiring your own backend.

Answer 248

Use filter expressions via the X-Ray console. Fetch the trace IDs and annotations using the GetTraceSummaries API.

Answer 249

Select AWSLambdaDynamoDBExecutionRole managed policy as the function's execution role. Create an event source mapping in Lambda to send records from your stream to a Lambda function. Select AWSLambdaBasicExecutionRole managed policy with full access to DynamoDB as the function's execution role is incorrect because it lacks the necessary permissions. This role only provides Lambda permissions to upload logs to CloudWatch.

Answer 250

Use the GenerateDataKey operation to get a data encryption key then use the plaintext data key in the response to encrypt data locally. Erase the plaintext data key from memory and store the encrypted data key alongside the locally encrypted data.

Answer 251

Enable Transparent Data Encryption (TDE). Amazon RDS supports using Transparent Data Encryption (TDE) to encrypt stored data on your DB instances running Microsoft SQL Server.

Answer 252

Queries on this index support eventual consistency only. Queries or scans on this index consume capacity units from the index, not from the base table. The following options are incorrect because these are about local secondary indexes: - When you query this index, you can choose either eventual consistency or strong consistency. - Queries or scans on this index consume read capacity units from the base table - For each partition key value, the total size of all indexed items must be 10 GB or less.

Answer 253

Implement Amazon S3 server-side encryption with customer-provided keys (SSE-C). Encrypt the data on the client-side before sending to Amazon S3 using their own master key. -- Implementing Amazon S3 server-side encryption with Amazon S3-Managed Encryption Keys is incorrect because the Amazon S3-Managed encryption does not comply with the policy mentioned in the given scenario since the keys are managed by AWS (through Amazon S3) and not by the company. The suitable server-side encryption that you should use here is SSE-C.

Answer 254

Markers --- Using Timers is incorrect because it just enables you to notify your decider when a certain amount of time has elapsed and does not meet the requirement in this scenario.

Answer 255

Enable DynamoDB Streams to stream all the changes from the Customer service table and trigger a Lambda function to update the Payment service table. -- The option that says: Use a Kinesis data stream to stream all the changes from the Customer service database directly into the Payment service table is incorrect. Kinesis Data Stream is a valid service for streaming changes from a DynamoDB table. However, it cannot directly write stream records to a DynamoDB table. You need a processing layer that will poll records from the stream and update the other DynamoDB table.

Answer 256

IntegrationLatency Latency - Monitor the IntegrationLatency metrics to measure the responsiveness of the backend. - Monitor the Latency metrics to measure the overall responsiveness of your API calls.

Answer 257

Amazon DynamoDB Accelerator (DAX) Amazon DynamoDB Accelerator (DAX) is a fully managed, highly available, in-memory cache for DynamoDB that delivers up to a 10x performance improvement – from milliseconds to microseconds – even at millions of requests per second. DAX does all the heavy lifting required to add in-memory acceleration to your DynamoDB tables, without requiring developers to manage cache invalidation, data population, or cluster management.

Answer 258

GenerateDataKeyWithoutPlaintext GenerateDataKey is incorrect because this operation also returns a plaintext copy of the data key along with the copy of the encrypted data key under a customer master key (CMK) that you specified. Take note that the scenario explicitly mentioned that the API must return only the encrypted copy of the data key which will be used later for encryption. Although this API can be used in this scenario, it is not recommended since the actual encryption process of the data happens at a later time and not in real-time.

Answer 259

Global Secondary Indexes per table | Provisioned throughput limits