A developer is receiving HTTP 400: ThrottlingException errors intermittently when calling
the Amazon CloudWatch API. When a call fails, no data is retrieved.
What best practice should first be applied to address this issue?
A. Contact AWS Support for a limit increase.
B. Use the AWS CLI to get the metrics.
C. Analyze the applications and remove the API call.
D. Retry the call with exponential backoff.
A developer is migrating some features from a legacy monolithic application to use AWS
Lambda functions instead. The application currently stores data in an Amazon Aurora DB cluster that runs in private subnets in a VPC. The AWS account has one VPC deployed.
The Lambda functions and the DB cluster are deployed in the same AWS Region in the
same AWS account.
The developer needs to ensure that the Lambda functions can securely access the DB
cluster without crossing the public internet.
Which solution will meet these requirements?
A. Configure the DB cluster's public access setting to Yes.
B. Configure an Amazon RDS database proxy for the Lambda functions.
C. Configure a NAT gateway and a security group for the Lambda functions.
D. Configure the VPC, subnets, and a security group for the Lambda functions.
Explanation: This solution will meet the requirements by allowing the Lambda functions to access the DB cluster securely within the same VPC without crossing the public internet. The developer can configure a VPC endpoint for RDS in a private subnet and assign it to the Lambda functions. The developer can also configure a security group for the Lambda functions that allows inbound traffic from the DB cluster on port 3306 (MySQL). Option A is not optimal because it will expose the DB cluster to public access, which may compromise its security and data integrity. Option B is not optimal because it will introduce additional latency and complexity to use an RDS database proxy for accessing the DB cluster from Lambda functions within the same VPC. Option C is not optimal because it will require additional costs and configuration to use a NAT gateway for accessing resources in private subnets from Lambda functions.
A developer is deploying a company's application to Amazon EC2 instances. The application generates gigabytes of data files each day. The files are rarely accessed, but the files must be available to the application's users within minutes of a request during the first year of storage. The company must retain the files for 7 years. How can the developer implement the application to meet these requirements MOST cost-effectively?
A. Store the files in an Amazon S3 bucket. Use the S3 Glacier Instant Retrieval storage class. Create an S3 Lifecycle policy to transition the files to the S3 Glacier Deep Archive storage class after 1 year.
B. Store the files in an Amazon S3 bucket. Use the S3 Standard storage class. Create an S3 Lifecycle policy to transition the files to the S3 Glacier Flexible Retrieval storage class after 1 year.
C. Store the files on an Amazon Elastic Block Store (Amazon EBS) volume. Use Amazon Data Lifecycle Manager (Amazon DLM) to create snapshots of the EBS volumes and to store those snapshots in Amazon S3.
D. Store the files on an Amazon Elastic File System (Amazon EFS) mount. Configure EFS lifecycle management to transition the files to the EFS Standard-Infrequent Access (Standard-IA) storage class after 1 year.
Explanation: Amazon S3 Glacier Instant Retrieval is an archive storage class that delivers
the lowest-cost storage for long-lived data that is rarely accessed and requires retrieval in
milliseconds. With S3 Glacier Instant Retrieval, you can save up to 68% on storage costs
compared to using the S3 Standard-Infrequent Access (S3 Standard-IA) storage class,
when your data is accessed once per quarter. https://aws.amazon.com/s3/storage-classes/glacier/instant-retrieval/
A developer is troubleshooting a three-tier application, which is deployed on Amazon EC2
instances. There is a connectivity problem between the application servers and the
database servers.
Which AWS services or tools should be used to identify the faulty component? (Select
TWO.)
A. AWS CloudTrail
B. AWS Trusted Advisor
C. Amazon VPC Flow Logs
D. Network access control lists
E. AWS Config rules
An application interacts with Amazon Aurora to store and track customer information. The primary database is set up with multiple read replicas for improving the performance of the read queries. However, one of the Aurora replicas is receiving most or all of the traffic, while the other Aurora replica remains idle. How can this issue be resolved?
A. Disable application-level DNS caching.
B. Enable application-level DNS caching.
C. Enable application pooling.
D. Disable application pooling.
A company needs to deploy all its cloud resources by using AWS CloudFormation
templates. A developer must create an Amazon Simple Notification Service (Amazon SNS)
automatic notification to help enforce this rule. The developer creates an SNS topic and
subscribes the email address of the company's security team to the SNS topic.
The security team must receive a notification immediately if an IAM role is created without
the use of CloudFormation.
Which solution will meet this requirement?
A. Create an AWS Lambda function to filter events from CloudTrail if a role was created without CloudFormation. Configure the Lambda function to publish to the SNS topic. Create an Amazon EventBridge schedule to invoke the Lambda function every 15 minutes.
B. Create an AWS Fargate task in Amazon Elastic Container Service (Amazon ECS) to filter events from CloudTrail if a role was created without CloudFormation. Configure the Fargate task to publish to the SNS topic. Create an Amazon EventBridge schedule to run the Fargate task every 15 minutes.
C. Launch an Amazon EC2 instance that includes a script to filter events from CloudTrail if a role was created without CloudFormation. Configure the script to publish to the SNS topic. Create a cron job to run the script on the EC2 instance every 15 minutes.
D. Create an Amazon EventBridge rule to filter events from CloudTrail if a role was created without CloudFormation. Specify the SNS topic as the target of the EventBridge rule.
A company has an Amazon S3 bucket containing premier content that it intends to make available to only paid subscribers of its website. The S3 bucket currently has default permissions of all objects being private to prevent inadvertent exposure of the premier content to non-paying website visitors. How can the company limit the ability to download a premier content file in the S3 bucket to paid subscribers only?
A. Apply a bucket policy that allows anonymous users to download the content from the S3 bucket.
B. Generate a pre-signed object URL for the premier content file when a paid subscriber requests a download.
C. Add a bucket policy that requires multi-factor authentication for requests to access the S3 bucket objects.
D. Enable server-side encryption on the S3 bucket for data protection against the non-paying website visitors.
Explanation: This solution will limit the ability to download a premier content file in the S3 bucket to paid subscribers only because it uses a pre-signed object URL that grants temporary access to an S3 object for a specified duration. The pre-signed object URL can be generated by the company’s website when a paid subscriber requests a download, and can be verified by Amazon S3 using the signature in the URL. Option A is not optimal because it will allow anyone to download the content from the S3 bucket without verifying their subscription status. Option C is not optimal because it will require additional steps and costs to configure multi-factor authentication for accessing the S3 bucket objects, which may not be feasible or user-friendly for paid subscribers. Option D is not optimal because it will not prevent non-paying website visitors from accessing the S3 bucket objects, but only encrypt them at rest.
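The explanation says the website signs the URL and Amazon S3 verifies the signature it carries. The following is an added example, not part of the original question bank and not AWS's own code: it builds a pre-signed GET URL with the Signature Version 4 query-string scheme (credential scope, X-Amz-Date, X-Amz-Expires, HMAC-SHA256 over a canonical request) and then plays the role of the verifier, re-deriving the signature from the URL's own parameters. The access key, secret key, bucket name, object key and timestamps are constructed placeholders; the verify function is a stand-in for the check S3 performs, not S3 itself. The worked run in demo() shows why the scheme limits access: the URL only validates while it is fresh, and changing the object name or the expiry invalidates it.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, quote, unquote, urlencode, urlparse

# Constructed placeholder credentials (the documented AWS example pair), not real keys.
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
REGION = "us-east-1"
SERVICE = "s3"


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _signing_key(secret: str, date: str, region: str) -> bytes:
    # SigV4 derivation chain: kSecret -> kDate -> kRegion -> kService -> kSigning
    k = _hmac(("AWS4" + secret).encode("utf-8"), date)
    k = _hmac(k, region)
    k = _hmac(k, SERVICE)
    return _hmac(k, "aws4_request")


def _signature(secret: str, host: str, key: str, query: dict, region: str) -> str:
    """Signature over the canonical GET request (query-string auth, unsigned payload)."""
    amz_date = query["X-Amz-Date"]
    date = amz_date[:8]
    canonical_query = "&".join(
        f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in sorted(query.items()))
    canonical_request = "\n".join([
        "GET",
        "/" + quote(key, safe="/"),   # canonical URI: the object key
        canonical_query,
        f"host:{host}\n",             # canonical headers block ends with a newline
        "host",                       # signed headers
        "UNSIGNED-PAYLOAD",
    ])
    scope = f"{date}/{region}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    return hmac.new(_signing_key(secret, date, region),
                    string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()


def presign_get(bucket: str, key: str, expires_seconds: int, now=None) -> str:
    """URL the website hands to a paid subscriber; only a holder of SECRET_KEY can mint it."""
    now = now or datetime.now(timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    host = f"{bucket}.s3.amazonaws.com"   # virtual-hosted style bucket endpoint
    query = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{ACCESS_KEY}/{amz_date[:8]}/{REGION}/{SERVICE}/aws4_request",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires_seconds),
        "X-Amz-SignedHeaders": "host",
    }
    query["X-Amz-Signature"] = _signature(SECRET_KEY, host, key, query, REGION)
    return f"https://{host}/{quote(key, safe='/')}?{urlencode(query)}"


def verify(url: str, secret_for_access_key, now=None):
    """Stand-in for the S3-side check: recompute the signature from the URL's own
    parameters and compare in constant time. Returns (ok, reason)."""
    now = now or datetime.now(timezone.utc)
    parsed = urlparse(url)
    query = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    presented = query.pop("X-Amz-Signature", None)
    if presented is None:
        return False, "no signature"
    try:
        access_key, date, region, service, terminator = query["X-Amz-Credential"].split("/")
        signed_at = datetime.strptime(query["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
        expires = int(query["X-Amz-Expires"])
    except (KeyError, ValueError):
        return False, "malformed query"
    if service != SERVICE or terminator != "aws4_request" or date != query["X-Amz-Date"][:8]:
        return False, "malformed credential scope"
    if not 1 <= expires <= 7 * 24 * 3600:   # S3 caps pre-signed URL lifetime at 7 days
        return False, "bad expiry"
    if now > signed_at + timedelta(seconds=expires):
        return False, "expired"
    secret = secret_for_access_key(access_key)
    if secret is None:
        return False, "unknown access key"
    key = unquote(parsed.path[1:])
    expected = _signature(secret, parsed.netloc, key, query, region)
    if not hmac.compare_digest(expected, presented):
        return False, "bad signature"   # any altered parameter or path lands here
    return True, "ok"


def demo():
    """Worked run: a 5-minute URL checked fresh, after expiry, and after tampering."""
    issued = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)   # constructed issue time
    url = presign_get("companybucket", "premier/video.mp4", 300, now=issued)
    lookup = lambda ak: SECRET_KEY if ak == ACCESS_KEY else None
    return {
        "fresh": verify(url, lookup, now=issued + timedelta(seconds=60)),
        "expired": verify(url, lookup, now=issued + timedelta(seconds=301)),
        "other_object": verify(url.replace("video.mp4", "other.mp4"), lookup, now=issued),
        "longer_expiry": verify(url.replace("X-Amz-Expires=300", "X-Amz-Expires=3600"), lookup, now=issued),
        "unknown_key": verify(url, lambda ak: None, now=issued),
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that the subscriber check happens once, in the website's own session logic, before presign_get is called; the URL then carries no subscriber identity at all, only a time-boxed proof that the holder of the signing credential approved this one object. In production the signing credential belongs to the web tier's IAM role and the URL is produced by the SDK's presigning call rather than by hand-rolled code like this.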
A developer is optimizing an AWS Lambda function and wants to test the changes in production on a small percentage of all traffic. The Lambda function serves requests to a REST API in Amazon API Gateway. The developer needs to deploy their changes and perform a test in production without changing the API Gateway URL. Which solution will meet these requirements?
A. Define a function version for the currently deployed production Lambda function. Update the API Gateway endpoint to reference the new Lambda function version. Upload and publish the optimized Lambda function code. On the production API Gateway stage, define a canary release and set the percentage of traffic to direct to the canary release. Update the API Gateway endpoint to use the $LATEST version of the Lambda function. Publish the API to the canary stage.
B. Define a function version for the currently deployed production Lambda function. Update the API Gateway endpoint to reference the new Lambda function version. Upload and publish the optimized Lambda function code. Update the API Gateway endpoint to use the $LATEST version of the Lambda function. Deploy a new API Gateway stage.
C. Define an alias on the $LATEST version of the Lambda function. Update the API Gateway endpoint to reference the new Lambda function alias. Upload and publish the optimized Lambda function code. On the production API Gateway stage, define a canary release and set the percentage of traffic to direct to the canary release. Update the API Gateway endpoint to use the $LATEST version of the Lambda function. Publish to the canary stage.
D. Define a function version for the currently deployed production Lambda function. Update the API Gateway endpoint to reference the new Lambda function version. Upload and publish the optimized Lambda function code. Update the API Gateway endpoint to use the $LATEST version of the Lambda function. Deploy the API to the production API Gateway stage.
Explanation:
A Lambda alias is a pointer to a specific Lambda function version or another alias [1]. A Lambda alias allows you to invoke different versions of a function using the same name [1]. You can also split traffic between two aliases by assigning weights to them [1].
In this scenario, the developer needs to test their changes in production on a small percentage of all traffic without changing the API Gateway URL. To achieve this, the developer can follow these steps:
By using this solution, the developer can test their changes in production on a small percentage of all traffic without changing the API Gateway URL. The developer can also monitor and compare metrics between the canary and production releases, and promote or disable the canary as needed [2].
A developer is managing an application that uploads user files to an Amazon S3 bucket named companybucket. The company wants to maintain copies of all the files uploaded by users for compliance purposes, while ensuring users still have access to the data through the application. Which IAM permissions should be applied to users to ensure they can create but not remove files from the bucket?
A. {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "statement1",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
      "Resource": ["arn:aws:s3:::companybucket"]
    }
  ]
}
B. {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "statement1",
      "Effect": "Allow",
      "Action": ["s3:CreateBucket", "s3:GetBucketLocation"],
      "Resource": "arn:aws:s3:::companybucket"
    }
  ]
}
C. {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "statement1",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:PutObjectRetention"],
      "Resource": "arn:aws:s3:::companybucket"
    }
  ]
}
D. {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "statement1",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": ["arn:aws:s3:::companybucket"]
    }
  ]
}
Explanation:
To meet the requirement:
Users must be able to upload (PutObject) and read (GetObject) files but not delete
them.
Option D ensures users cannot delete files by omitting the s3:DeleteObject action
while allowing s3:GetObject and s3:PutObject.
Option A: Includes s3:DeleteObject, which allows users to delete files and does not
meet the requirement.
Option B: Contains unrelated actions like CreateBucket, which is not relevant here.
Option C: Adds s3:PutObjectRetention, which is unnecessary and does not restrict
DeleteObject.
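The option-by-option reasoning above can be checked mechanically. The following is an added example, not part of the original question bank: a minimal evaluator for this identity-policy shape that applies the basic IAM decision rules (default deny; any matching Allow grants; any matching Deny overrides; action names compared case-insensitively, ARNs case-sensitively, with `*` and `?` wildcards). It runs option D as written and a constructed variant, UPLOAD_ONLY, that keeps the same intent and adds an explicit Deny on deletion as defense in depth. The evaluator, the UPLOAD_ONLY policy and the object ARN are assumptions of this example. One caveat it makes visible: s3:GetObject and s3:PutObject act on objects, so the Resource has to match the object ARN (arn:aws:s3:::companybucket/*); a bare bucket ARN, as in the options above, matches no object.

```python
import fnmatch
import json


def _as_list(value):
    # IAM allows a single string or a list for Action and Resource
    return value if isinstance(value, list) else [value]


def _matches(value, patterns, case_sensitive):
    if not case_sensitive:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    # IAM wildcards (* and ?) map directly onto fnmatch; '*' also spans '/'
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_allowed(policy, action, resource):
    """Identity-policy decision for one action on one resource."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(action, _as_list(stmt["Action"]), case_sensitive=False):
            continue
        if not _matches(resource, _as_list(stmt["Resource"]), case_sensitive=True):
            continue
        if stmt["Effect"] == "Deny":
            return False          # an explicit Deny overrides any Allow
        allowed = True
    return allowed                # no matching statement at all: implicit deny


# Option D exactly as it appears in the question.
OPTION_D_AS_WRITTEN = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "statement1",
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": ["arn:aws:s3:::companybucket"],
    }],
}

# Constructed variant: same intent, object-level resource pattern, explicit Deny on deletes.
UPLOAD_ONLY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowReadWrite", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::companybucket/*"},
        {"Sid": "DenyDelete", "Effect": "Deny",
         "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion"],
         "Resource": "arn:aws:s3:::companybucket/*"},
    ],
}

# Constructed object ARN for a user upload.
OBJECT = "arn:aws:s3:::companybucket/uploads/report.pdf"


def report(policy, actions=("s3:GetObject", "s3:PutObject", "s3:DeleteObject")):
    """Decision per action for the sample object."""
    return {a: is_allowed(policy, a, OBJECT) for a in actions}


if __name__ == "__main__":
    print(json.dumps({"option_d_as_written": report(OPTION_D_AS_WRITTEN),
                      "upload_only": report(UPLOAD_ONLY)}, indent=2))
```

Run stand-alone, the first report comes back all False because the bucket ARN never matches an object ARN, and the second grants read and write while refusing delete. The explicit Deny is what protects the compliance copies if a broader Allow is ever attached to the same users later: a Deny in any attached policy wins, whereas "just not listing DeleteObject" is only as strong as the other policies on the principal.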
A developer is investigating an issue in part of a company's application. In the application, messages are sent to an Amazon Simple Queue Service (Amazon SQS) queue. An AWS Lambda function polls messages from the SQS queue and sends email messages by using Amazon Simple Email Service (Amazon SES). Users have been receiving duplicate email messages during periods of high traffic. Which reasons could explain the duplicate email messages? (Select TWO.)
A. Standard SQS queues support at-least-once message delivery.
B. Standard SQS queues support exactly-once processing, so the duplicate email messages are because of user error.
C. Amazon SES has the DomainKeys Identified Mail (DKIM) authentication incorrectly configured.
D. The SQS queue's visibility timeout is lower than or the same as the Lambda function's timeout.
E. The Amazon SES bounce rate metric is too high.
Explanation:
A healthcare company is developing a multi-tier web application to manage patient records
that are in an Amazon Aurora PostgreSQL database cluster. The company stores the
application code in a Git repository and deploys the code to Amazon EC2 instances.
The application must comply with security policies and follow the principle of least privilege.
The company must securely manage database credentials and API keys within the
application code. The company must have the ability to rotate encryption keys on demand.
Which solution will meet these requirements?
A. Store database credentials and API keys in AWS Secrets Manager. Use AWS managed AWS KMS keys. Set up automatic key rotation. Use the AWS SDK to retrieve secrets.
B. Store the database credentials and API keys in AWS Secrets Manager. Use customer managed AWS KMS keys. Set up automatic key rotation. Create a key policy in the application to retrieve secrets by using the AWS SDK.
C. Store the database credentials in the application code. Separate credentials by using environment-specific branches that have restricted access to the code repositories.
D. Store the database credentials and API keys as parameters in AWS Systems Manager Parameter Store. Encrypt the credentials and API keys with AWS managed AWS KMS keys. Use the AWS SDK to retrieve secrets.
Explanation: Requirement Summary:
Multi-tier app on EC2 + Aurora PostgreSQL
Must comply with least privilege and security policies
Need to manage credentials and API keys securely
Must support key rotation on demand
Evaluate Options:
A. Secrets Manager + AWS managed KMS keys
Best practice for secure secret storage
Supports auto rotation
Uses AWS SDK to fetch at runtime (secure, avoids hardcoding)
AWS managed keys are rotated automatically and easier to manage
B. Secrets Manager + customer managed keys
Also valid, but adds complexity
Since the question asks for LEAST development effort, AWS-managed keys are preferred
C. Store secrets in code
Violates all security best practices
D. Use SSM Parameter Store + AWS managed keys
Possible, but Secrets Manager is preferred when rotation is needed
Parameter Store does not natively rotate secrets
A company has developed a new serverless application using AWS Lambda functions that will be deployed using the AWS Serverless Application Model (AWS SAM) CLI. Which step should the developer complete prior to deploying the application?
A. Compress the application to a zip file and upload it into AWS Lambda.
B. Test the new AWS Lambda function by first tracing it in AWS X-Ray.
C. Bundle the serverless application using a SAM package.
D. Create the application environment using the eb create my-env command.
Explanation:
This step should be completed prior to deploying the application because it prepares the
application artifacts for deployment. The AWS Serverless Application Model (AWS SAM) is
a framework that simplifies building and deploying serverless applications on AWS. The
AWS SAM CLI is a command-line tool that helps you create, test, and deploy serverless
applications using AWS SAM templates. The sam package command bundles the
application artifacts, such as Lambda function code and API definitions, and uploads them
to an Amazon S3 bucket. The command also returns a CloudFormation template that is
ready to be deployed with the sam deploy command. Compressing the application to a zip
file and uploading it to AWS Lambda will not work because it does not use AWS SAM
templates or CloudFormation. Testing the new Lambda function by first tracing it in AWS X-Ray
will not prepare the application for deployment, but only monitor its performance and
errors. Creating the application environment using the eb create my-env command will not
work because it is a command for AWS Elastic Beanstalk, not AWS SAM.