DVA-C02 Practice Test Questions

368 Questions


A developer is building an application that uses an AWS Lambda function to process data. The application requires minimum latency. The Lambda function must have predictable function start times. All setup activities for the execution environment must happen before invocation of the Lambda function. Which solution will meet these requirements?


A. Increase the memory of the Lambda function to the maximum amount. Configure an Amazon EventBridge rule to schedule invocations of the Lambda function every minute to keep the execution environment active.


B. Optimize the static initialization code that runs when a new execution environment is prepared for the first time. Decrease and compress the size of the Lambda function package and the imported libraries and dependencies.


C. Increase the reserved concurrency of the Lambda function to the maximum value for unreserved account concurrency. Run any setup activities manually before the initial invocation of the Lambda function.


D. Publish a new version of the Lambda function. Configure provisioned concurrency for the Lambda function with the required minimum number of execution environments.





D.
  Publish a new version of the Lambda function. Configure provisioned concurrency for the Lambda function with the required minimum number of execution environments.

A developer wants to deploy a new version of an AWS Elastic Beanstalk application. During deployment the application must maintain full capacity and avoid service interruption. Additionally, the developer must minimize the cost of additional resources that support the deployment. Which deployment method should the developer use to meet these requirements?


A. All at once


B. Rolling with additional batch


C. Blue/green


D. Immutable





B.
  Rolling with additional batch

Explanation: This solution will meet the requirements by using a rolling with additional batch deployment method, which deploys the new version of the application to a separate group of instances and then shifts traffic to those instances in batches. This way, the application maintains full capacity and avoids service interruption during deployment, as well as minimizes the cost of additional resources that support the deployment. Option A is not optimal because it will use an all at once deployment method, which deploys the new version of the application to all instances simultaneously, which may cause service interruption or downtime during deployment. Option C is not optimal because it will use a blue/green deployment method, which deploys the new version of the application to a separate environment and then swaps URLs with the original environment, which may incur more costs for additional resources that support the deployment. Option D is not optimal because it will use an immutable deployment method, which deploys the new version of the application to a fresh group of instances and then redirects traffic to those instances, which may also incur more costs for additional resources that support the deployment.

A company regularly receives route status updates from its delivery trucks as events in Amazon EventBridge. The company is building an API-based application in a VPC that will consume and process the events to create a delivery status dashboard. The API application must not be available by using public IP addresses because of security and compliance requirements. How should the company send events from EventBridge to the API application?


A. Create an AWS Lambda function that runs in the same VPC as the API application. Configure the function as an EventBridge target. Use the function to send events to the API.


B. Create an internet-facing Application Load Balancer (ALB) in front of the API application. Associate a security group with rules that block access from all external sources except for EventBridge. Configure the ALB as an EventBridge target.


C. Create an internet-facing Network Load Balancer (NLB) in front of the API application. Associate a security group with rules that block access from all external sources except for EventBridge. Configure the NLB as an EventBridge target.


D. Use the application API endpoint in the VPC as a target for EventBridge. Send events directly to the application API endpoint from EventBridge.





A.
  Create an AWS Lambda function that runs in the same VPC as the API application. Configure the function as an EventBridge target. Use the function to send events to the API.

Explanation: Why Option A is Correct: Running an AWS Lambda function within the same VPC ensures secure communication without exposing the API application to public IP addresses. The Lambda function can serve as a secure EventBridge target to send events to the API.

A company is preparing to migrate an application to the company's first AWS environment. Before this migration, a developer is creating a proof-of-concept application to validate a model for building and deploying container-based applications on AWS. Which combination of steps should the developer take to deploy the containerized proof-of-concept application with the LEAST operational effort? (Select TWO.)


A. Package the application into a zip file by using a command line tool. Upload the package to Amazon S3.


B. Package the application into a container image by using the Docker CLI. Upload the image to Amazon Elastic Container Registry (Amazon ECR)


C. Deploy the application to an Amazon EC2 instance by using AWS CodeDeploy.


D. Deploy the application to Amazon Elastic Kubernetes Service (Amazon EKS) on AWS Fargate


E. Deploy the application to Amazon Elastic Container Service (Amazon ECS) on AWS Fargate





B.
  Package the application into a container image by using the Docker CLI. Upload the image to Amazon Elastic Container Registry (Amazon ECR)

E.
  Deploy the application to Amazon Elastic Container Service (Amazon ECS) on AWS Fargate

Explanation:

  • Containerization: Packaging the application as a container image promotes portability and standardization. Docker is the standard tool for containerization.
  • Amazon ECR: ECR is a managed container registry designed to work seamlessly with AWS container services.
  • Fargate: ECS Fargate provides serverless container orchestration, minimizing operational overhead for this proof-of-concept.

A developer is trying to get data from an Amazon DynamoDB table called demoman-table. The developer configured the AWS CLI to use a specific IAM user's credentials and ran the following command.
The command returned errors and no rows were returned.
What is the MOST likely cause of these issues?


A. The command is incorrect; it should be rewritten to use put-item with a string argument


B. The developer needs to log a ticket with AWS Support to enable access to the demoman-table


C. Amazon DynamoDB cannot be accessed from the AWS CLI and needs to be called via the REST API


D. The IAM user needs an associated policy with read access to demoman-table





D.
  The IAM user needs an associated policy with read access to demoman-table

Explanation: This solution will most likely solve the issues because it will grant the IAM user the necessary permission to access the DynamoDB table using the AWS CLI command. The error message indicates that the IAM user does not have sufficient access rights to perform the scan operation on the table. Option A is not optimal because it will change the command to use put-item instead of scan, which will not achieve the desired result of getting data from the table. Option B is not optimal because it will involve contacting AWS Support, which may not be necessary or efficient for this issue. Option C is not optimal because it will state that DynamoDB cannot be accessed from the AWS CLI, which is incorrect as DynamoDB supports AWS CLI commands.

A developer needs to use a code template to create an automated deployment of an application onto Amazon EC2 instances. The template must be configured to repeat deployment, installation, and updates of resources for the application. The template must be able to create identical environments and roll back to previous versions. Which solution will meet these requirements?


A. Use AWS Amplify for automatic deployment templates. Use a traffic-splitting deployment to copy any deployments. Modify any resources created by Amplify, if necessary.


B. Use AWS CodeBuild for automatic deployment. Upload the required AppSpec file template. Save the appspec.yml file in the root directory folder of the revision. Specify the deployment group that includes the EC2 instances for the deployment.


C. Use AWS CloudFormation to create an infrastructure template in JSON format to deploy the EC2 instances. Use CloudFormation helper scripts to install the necessary software and to start the application. Call the scripts directly from the template.


D. Use AWS AppSync to deploy the application. Upload the template as a GraphQL schema. Specify the EC2 instances for deployment of the application. Use resolvers as a version control mechanism and to make any updates to the deployments.





C.
  Use AWS CloudFormation to create an infrastructure template in JSON format to deploy the EC2 instances. Use CloudFormation helper scripts to install the necessary software and to start the application. Call the scripts directly from the template.

A developer is writing an application that will retrieve sensitive data from a third-party system. The application will format the data into a PDF file. The PDF file could be more than 1 MB. The application will encrypt the data to disk by using AWS Key Management Service (AWS KMS). The application will decrypt the file when a user requests to download it. The retrieval and formatting portions of the application are complete.
The developer needs to use the GenerateDataKey API to encrypt the PDF file so that the PDF file can be decrypted later. The developer needs to use an AWS KMS symmetric customer managed key for encryption.
Which solutions will meet these requirements?


A. Write the encrypted key from the GenerateDataKey API to disk for later use. Use the plaintext key from the GenerateDataKey API and a symmetric encryption algorithm to encrypt the file.


B. Write the plaintext key from the GenerateDataKey API to disk for later use. Use the encrypted key from the GenerateDataKey API and a symmetric encryption algorithm to encrypt the file.


C. Write the encrypted key from the GenerateDataKey API to disk for later use. Use the plaintext key from the GenerateDataKey API to encrypt the file by using the KMS Encrypt API.


D. Write the plaintext key from the GenerateDataKey API to disk for later use. Use the encrypted key from the GenerateDataKey API to encrypt the file by using the KMS Encrypt API.





A.
  Write the encrypted key from the GenerateDataKey API to disk for later use. Use the plaintext key from the GenerateDataKey API and a symmetric encryption algorithm to encrypt the file.

Explanation:
The GenerateDataKey API returns a data key that is encrypted under a symmetric encryption KMS key that you specify, and a plaintext copy of the same data key. The data key is a random byte string that can be used with any standard encryption algorithm, such as AES or SM4. The plaintext data key can be used to encrypt or decrypt data outside of AWS KMS, while the encrypted data key can be stored with the encrypted data and later decrypted by AWS KMS.
In this scenario, the developer needs to use the GenerateDataKey API to encrypt the PDF file so that it can be decrypted later. The developer also needs to use an AWS KMS symmetric customer managed key for encryption.

A company is developing an application that will be accessed through the Amazon API Gateway REST API. Registered users should be the only ones who can access certain resources of this API. The token being used should expire automatically and needs to be refreshed periodically. How can a developer meet these requirements?


A. Create an Amazon Cognito identity pool, configure the Amazon Cognito Authorizer in API Gateway, and use the temporary credentials generated by the identity pool.


B. Create and maintain a database record for each user with a corresponding token and use an AWS Lambda authorizer in API Gateway.


C. Create an Amazon Cognito user pool, configure the Cognito Authorizer in API Gateway, and use the identity or access token.


D. Create an IAM user for each API user, attach an invoke permissions policy to the API, and use an IAM authorizer in API Gateway.





C.
  Create an Amazon Cognito user pool, configure the Cognito Authorizer in API Gateway, and use the identity or access token.

A developer is migrating a containerized application from an on-premises environment to the AWS Cloud. The developer is using the AWS CDK to provision a container in Amazon ECS on AWS Fargate. The container is behind an Application Load Balancer (ALB).
When the developer deploys the stack, the deployment fails because the ALB fails health checks. The developer needs to resolve the failed health checks.
Which solutions will meet this requirement? (Select TWO.)


A. Confirm that the capacity providers for the container have been provisioned and are properly sized.


B. Confirm that the target group port matches the port mappings in the ECS task definition.


C. Confirm that a hosted zone associated with the ALB matches a hosted zone that is referenced in the ECS task definition.


D. Confirm that the ALB listener on the mapped port has a default action that redirects to the application's health check path endpoint.


E. Confirm that the ALB listener on the mapped port has a default action that forwards to the correct target group.





B.
  Confirm that the target group port matches the port mappings in the ECS task definition.

E.
  Confirm that the ALB listener on the mapped port has a default action that forwards to the correct target group.

Explanation:
Option B: The target group port in the ALB must match the port specified in the ECS task definition. If there is a mismatch, the ALB health check will fail since it cannot correctly route traffic to the container.
Option E: The ALB listener must have a default action that forwards requests to the correct target group associated with the ECS service. If this configuration is missing, the health check will fail as no traffic is routed to the service.
Option A is irrelevant to resolving health check issues since capacity providers relate to provisioning compute capacity.
Option C (hosted zone) is not directly related to ALB health checks.
Option D (redirecting traffic) is not related to ECS health check configurations.

A developer migrated a legacy application to an AWS Lambda function. The function uses a third-party service to pull data with a series of API calls at the end of each month. The function then processes the data to generate the monthly reports. The function has been working with no issues so far.
The third-party service recently issued a restriction to allow a fixed number of API calls each minute and each day. If the API calls exceed the limit for each minute or each day, then the service will produce errors. The API also provides the minute limit and daily limit in the response header. This restriction might extend the overall process to multiple days because the process is consuming more API calls than the available limit.
What is the MOST operationally efficient way to refactor the serverless application to accommodate this change?


A. Use an AWS Step Functions State machine to monitor API failures. Use the Wait state to delay calling the Lambda function.


B. Use an Amazon Simple Queue Service (Amazon SQS) queue to hold the API calls. Configure the Lambda function to poll the queue within the API threshold limits.


C. Use an Amazon CloudWatch Logs metric to count the number of API calls. Configure an Amazon CloudWatch alarm that stops the currently running instance of the Lambda function when the metric exceeds the API threshold limits.


D. Use Amazon Kinesis Data Firehose to batch the API calls and deliver them to an Amazon S3 bucket with an event notification to invoke the Lambda function.





A.
  Use an AWS Step Functions State machine to monitor API failures. Use the Wait state to delay calling the Lambda function.

Explanation: The solution that will meet the requirements is to use an AWS Step Functions state machine to monitor API failures. Use the Wait state to delay calling the Lambda function. This way, the developer can refactor the serverless application to accommodate the change in a way that is automated and scalable. The developer can use Step Functions to orchestrate the Lambda function and handle any errors or retries. The developer can also use the Wait state to pause the execution for a specified duration or until a specified timestamp, which can help avoid exceeding the API limits. The other options either involve using additional services that are not necessary or appropriate for this scenario, or do not address the issue of API failures.

An application that runs on AWS Lambda requires access to specific highly confidential objects in an Amazon S3 bucket. In accordance with the principle of least privilege, a company grants access to the S3 bucket by using only temporary credentials. How can a developer configure access to the S3 bucket in the MOST secure way?


A. Hardcode the credentials that are required to access the S3 objects in the application code. Use the credentials to access the required S3 objects.


B. Create a secret access key and access key ID with permission to access the S3 bucket. Store the key and key ID in AWS Secrets Manager. Configure the application to retrieve the Secrets Manager secret and use the credentials to access the S3 objects.


C. Create a Lambda function execution role. Attach a policy to the role that grants access to specific objects in the S3 bucket.


D. Create a secret access key and access key ID with permission to access the S3 bucket. Store the key and key ID as environment variables in Lambda. Use the environment variables to access the required S3 objects.





C.
  Create a Lambda function execution role. Attach a policy to the role that grants access to specific objects in the S3 bucket.

Explanation: This solution will meet the requirements by creating a Lambda function execution role, which is an IAM role that grants permissions to a Lambda function to access AWS resources such as Amazon S3 objects. The developer can attach a policy to the role that grants access to specific objects in the S3 bucket that are required by the application, following the principle of least privilege. Option A is not optimal because it will hardcode the credentials that are required to access S3 objects in the application code, which is insecure and difficult to maintain. Option B is not optimal because it will create a secret access key and access key ID with permission to access the S3 bucket, which will introduce additional security risks and complexity for storing and managing credentials. Option D is not optimal because it will store the secret access key and access key ID as environment variables in Lambda, which is also insecure and difficult to maintain.

A company has an application that uses Amazon Cognito user pools as an identity provider. The company must secure access to user records. The company has set up multi-factor authentication (MFA). The company also wants to send a login activity notification by email every time a user logs in. What is the MOST operationally efficient solution that meets this requirement?


A. Create an AWS Lambda function that uses Amazon Simple Email Service (Amazon SES) to send the email notification. Add an Amazon API Gateway API to invoke the function. Call the API from the client side when login confirmation is received.


B. Create an AWS Lambda function that uses Amazon Simple Email Service (Amazon SES) to send the email notification. Add an Amazon Cognito post authentication Lambda trigger for the function.


C. Create an AWS Lambda function that uses Amazon Simple Email Service (Amazon SES) to send the email notification. Create an Amazon CloudWatch Logs log subscription filter to invoke the function based on the login status.


D. Configure Amazon Cognito to stream all logs to Amazon Kinesis Data Firehose. Create an AWS Lambda function to process the streamed logs and to send the email notification based on the login status of each user.





B.
  Create an AWS Lambda function that uses Amazon Simple Email Service (Amazon SES) to send the email notification. Add an Amazon Cognito post authentication Lambda trigger for the function.

Explanation: Amazon Cognito user pools support Lambda triggers, which are custom functions that can be executed at various stages of the user pool workflow. A post authentication Lambda trigger can be used to perform custom actions after a user is authenticated, such as sending an email notification. Amazon SES is a cloud-based email sending service that can be used to send transactional or marketing emails. A Lambda function can use the Amazon SES API to send an email to the user’s email address after the user logs in successfully.

