DOP-C02 dumps
5 Star


Customer Rating & Feedbacks
98%


Exactly Questions Came From Dumps
Exam Overview

Amazon DOP-C02 Question Answers

AWS Certified DevOps Engineer - Professional Dumps December 2024

Are you tired of looking for a source that'll keep you updated on the AWS Certified DevOps Engineer - Professional Exam? Plus, has a collection of affordable, high-quality, and incredibly easy Amazon DOP-C02 Practice Questions? Well then, you are in luck because Salesforcexamdumps.com just updated them! Get Ready to become a AWS Certified Professional Certified.

discount banner
PDF $120  $24
Test Engine
$170  $34
PDF + Test Engine $210  $42

Here are Amazon DOP-C02 PDF available features:

250 questions with answers Updation Date : 23 Dec, 2024
1 day study required to pass exam 100% Passing Assurance
100% Money Back Guarantee Free 3 Months Updates
Last 24 Hours Result
93

Students Passed

96%

Average Marks

95%

Questions From Dumps

4160

Total Happy Clients

What is Amazon DOP-C02?

Amazon DOP-C02 is a necessary certification exam to get certified. The certification is a reward to the deserving candidate with perfect results. The AWS Certified Professional Certification validates a candidate's expertise to work with Amazon. In this fast-paced world, a certification is the quickest way to gain your employer's approval. Try your luck in passing the AWS Certified DevOps Engineer - Professional Exam and becoming a certified professional today. Salesforcexamdumps.com is always eager to extend a helping hand by providing approved and accepted Amazon DOP-C02 Practice Questions. Passing AWS Certified DevOps Engineer - Professional will be your ticket to a better future!

Pass with Amazon DOP-C02 Braindumps!

Contrary to the belief that certification exams are generally hard to get through, passing AWS Certified DevOps Engineer - Professional is incredibly easy. Provided you have access to a reliable resource such as Salesforcexamdumps.com Amazon DOP-C02 PDF. We have been in this business long enough to understand where most of the resources went wrong. Passing Amazon AWS Certified Professional certification is all about having the right information. Hence, we filled our Amazon DOP-C02 Dumps with all the necessary data you need to pass. These carefully curated sets of AWS Certified DevOps Engineer - Professional Practice Questions target the most repeated exam questions. So, you know they are essential and can ensure passing results. Stop wasting your time waiting around and order your set of Amazon DOP-C02 Braindumps now!

We aim to provide all AWS Certified Professional certification exam candidates with the best resources at minimum rates. You can check out our free demo before pressing down the download to ensure Amazon DOP-C02 Practice Questions are what you wanted. And do not forget about the discount. We always provide our customers with a little extra.

Why Choose Amazon DOP-C02 PDF?

Unlike other websites, Salesforcexamdumps.com prioritize the benefits of the AWS Certified DevOps Engineer - Professional candidates. Not every Amazon exam candidate has full-time access to the internet. Plus, it's hard to sit in front of computer screens for too many hours. Are you also one of them? We understand that's why we are here with the AWS Certified Professional solutions. Amazon DOP-C02 Question Answers offers two different formats PDF and Online Test Engine. One is for customers who like online platforms for real-like Exam stimulation. The other is for ones who prefer keeping their material close at hand. Moreover, you can download or print Amazon DOP-C02 Dumps with ease.

If you still have some queries, our team of experts is 24/7 in service to answer your questions. Just leave us a quick message in the chat-box below or email at support@salesforcexamdumps.com.

Amazon DOP-C02 Sample Questions

Question # 1

A company has microservices running in AWS Lambda that read data from Amazon DynamoDB. The Lambda code is manually deployed by developers after successful testing The company now needs the tests and deployments be automated and run in the cloud Additionally, traffic to the new versions of each microservice should be incrementally shifted over time after deployment. What solution meets all the requirements, ensuring the MOST developer velocity? 

A. Create an AWS CodePipelme configuration and set up a post-commit hook to trigger thepipeline after tests have passed Use AWS CodeDeploy and create a Canary deploymentconfiguration that specifies the percentage of traffic and interval
B. Create an AWS CodeBuild configuration that triggers when the test code is pushed UseAWS CloudFormation to trigger an AWS CodePipelme configuration that deploys the newLambda versions and specifies the traffic shift percentage and interval
C. Create an AWS CodePipelme configuration and set up the source code step to triggerwhen code is pushed. Set up the build step to use AWS CodeBuild to run the tests Set upan AWS CodeDeploy configuration to deploy, then select theCodeDeployDefault.LambdaLinearlDPercentEvery3Minut.es Option.
D. Use the AWS CLI to set up a post-commit hook that uploads the code to an Amazon S3bucket after tests have passed. Set up an S3 event trigger that runs a Lambda function thatdeploys the new version. Use an interval in the Lambda function to deploy the code overtime at the required percentage


Question # 2

A company has a fleet of Amazon EC2 instances that run Linux in a single AWS account. The company is using an AWS Systems Manager Automation task across the EC2 instances. During the most recent patch cycle, several EC2 instances went into an error state because of insufficient available disk space. A DevOps engineer needs to ensure that the EC2 instances have sufficient available disk space during the patching process in the future. Which combination of steps will meet these requirements? {Select TWO.) 

A. Ensure that the Amazon CloudWatch agent is installed on all EC2 instances
B. Create a cron job that is installed on each EC2 instance to periodically delete temporary files.
C. Create an Amazon CloudWatch log group for the EC2 instances. Configure a cron jobthat is installed on each EC2 instance to write the available disk space to a CloudWatch logstream for the relevant EC2 instance.
D. Create an Amazon CloudWatch alarm to monitor available disk space on all EC2instances Add the alarm as a safety control to the Systems Manager Automation task.
E. Create an AWS Lambda function to periodically check for sufficient available disk spaceon all EC2 instances by evaluating each EC2 instance's respective Amazon CloudWatchlog stream.


Question # 3

A company uses Amazon EC2 as its primary compute platform. A DevOps team wants to audit the company's EC2 instances to check whether any prohibited applications have been installed on the EC2 instances. Which solution will meet these requirements with the MOST operational efficiency? 

A. Configure AWS Systems Manager on each instance Use AWS Systems ManagerInventory Use Systems Manager resource data sync to synchronize and store findings inan Amazon S3 bucket Create an AWS Lambda function that runs when new objects areadded to the S3 bucket. Configure the Lambda function to identify prohibited applications.
B. Configure AWS Systems Manager on each instance Use Systems Manager InventoryCreate AWS Config rules that monitor changes from Systems Manager Inventory to identifyprohibited applications.
C. Configure AWS Systems Manager on each instance. Use Systems Manager Inventory.Filter a trail in AWS CloudTrail for Systems Manager Inventory events to identify prohibitedapplications.
D. Designate Amazon CloudWatch Logs as the log destination for all application instancesRun an automated script across all instances to create an inventory of installed applicationsConfigure the script to forward the results to CloudWatch Logs Create a CloudWatch alarmthat uses filter patterns to search log data to identify prohibited applications.


Question # 4

A company uses an Amazon API Gateway regional REST API to host its application API. The REST API has a custom domain. The REST API's default endpoint is deactivated. The company's internal teams consume the API. The company wants to use mutual TLS between the API and the internal teams as an additional layer of authentication. Which combination of steps will meet these requirements? (Select TWO.) 

A. Use AWS Certificate Manager (ACM) to create a private certificate authority (CA).Provision a client certificate that is signed by the private CA.
B. Provision a client certificate that is signed by a public certificate authority (CA). Importthe certificate into AWS Certificate Manager (ACM).
C. Upload the provisioned client certificate to an Amazon S3 bucket. Configure the APIGateway mutual TLS to use the client certificate that is stored in the S3 bucket as the truststore.
D. Upload the provisioned client certificate private key to an Amazon S3 bucket. Configurethe API Gateway mutual TLS to use the private key that is stored in the S3 bucket as thetrust store.
E. Upload the root private certificate authority (CA) certificate to an Amazon S3 bucket.Configure the API Gateway mutual TLS to use the private CA certificate that is stored in theS3 bucket as the trust store.


Question # 5

A company has an application that runs on Amazon EC2 instances behind an Application Load Balancer (ALB) The EC2 Instances are in multiple Availability Zones The application was misconfigured in a single Availability Zone, which caused a partial outage of the application. A DevOps engineer made changes to ensure that the unhealthy EC2 instances in one Availability Zone do not affect the healthy EC2 instances in the other Availability Zones. The DevOps engineer needs to test the application's failover and shift where the ALB sends traffic During failover. the ALB must avoid sending traffic to the Availability Zone where the failure has occurred. Which solution will meet these requirements? 

A. Turn off cross-zone load balancing on the ALB Use Amazon Route 53 ApplicationRecovery Controller to start a zonal shift away from the Availability Zone
B. Turn off cross-zone load balancing on the ALB's target group Use Amazon Route 53Application Recovery Controller to start a zonal shift away from the Availability Zone
C. Create an Amazon Route 53 Application Recovery Controller resource set that uses theDNS hostname of the ALB Start a zonal shift for the resource set away from the AvailabilityZone
D. Create an Amazon Route 53 Application Recovery Controller resource set that uses theARN of the ALB's target group Create a readiness check that uses theElbV2TargetGroupsCanServeTraffic rule


Question # 6

A DevOps engineer needs to implement integration tests into an existing AWS CodePipelme CI/CD workflow for an Amazon Elastic Container Service (Amazon ECS) service. The CI/CD workflow retrieves new application code from an AWS CodeCommit repository and builds a container image. The CI/CD workflow then uploads the container image to Amazon Elastic Container Registry (Amazon ECR) with a new image tag version. The integration tests must ensure that new versions of the service endpoint are reachable and that vanous API methods return successful response data The DevOps engineer has already created an ECS cluster to test the service Which combination of steps will meet these requirements with the LEAST management overhead? (Select THREE. 

A. Add a deploy stage to the pipeline Configure Amazon ECS as the action provider
B. Add a deploy stage to the pipeline Configure AWS CodeDeploy as the action provider
C. Add an appspec.yml file to the CodeCommit repository
D. Update the image build pipeline stage to output an imagedefinitions json file thatreferences the new image tag.
E. Create an AWS Lambda function that runs connectivity checks and API calls against theservice. Integrate the Lambda function with CodePipeline by using aLambda action stage
F. Write a script that runs integration tests against the service. Upload the script to anAmazon S3 bucket. Integrate the script in the S3 bucket with CodePipeline by using an S3action stage.


Question # 7

A company uses Amazon RDS for all databases in Its AWS accounts The company uses AWS Control Tower to build a landing zone that has an audit and logging account All databases must be encrypted at rest for compliance reasons. The company's security engineer needs to receive notification about any noncompliant databases that are in the company's accounts Which solution will meet these requirements with the MOST operational efficiency? 

A. Use AWS Control Tower to activate the optional detective control (guardrail) todetermine whether the RDS storage is encrypted Create an Amazon Simple NotificationService (Amazon SNS) topic in the company's audit account. Create an AmazonEventBridge rule to filter noncompliant events from the AWS Control Tower control(guardrail) to notify the SNS topic. Subscribe the security engineer's email address to theSNS topic
B. Use AWS Cloud Formation StackSets to deploy AWS Lambda functions to everyaccount. Write the Lambda function code to determine whether the RDS storage isencrypted in the account the function is deployed to Send the findings as an AmazonCloudWatch metric to the management account Create an Amazon Simple NotificationService (Amazon SNS) topic. Create a CloudWatch alarm that notifies the SNS topic whenmetric thresholds are met. Subscribe the security engineer's email address to the SNStopic.
C. Create a custom AWS Config rule in every account to determine whether the RDSstorage is encrypted Create an Amazon Simple Notification Service (Amazon SNS) topic inthe audit account Create an Amazon EventBridge rule to filter noncompliant events fromthe AWS Control Tower control (guardrail) to notify the SNS topic. Subscribe the securityengineer's email address to the SNS topic
D. Launch an Amazon EC2 instance. Run an hourly cron job by using the AWS CLI todetermine whether the RDS storage is encrypted in each AWS account Store the results inan RDS database. Notify the security engineer by sending email messages from the EC2instance when noncompliance is detected


Question # 8

A company is migrating from its on-premises data center to AWS. The company currently uses a custom on-premises CI/CD pipeline solution to build and package software. The company wants its software packages and dependent public repositories to be available in AWS CodeArtifact to facilitate the creation of application-specific pipelines. Which combination of steps should the company take to update the CI/CD pipeline solution and to configure CodeArtifact with the LEAST operational overhead? (Select TWO.) 

A. Update the CI/CD pipeline to create a VM image that contains newly packaged softwareUse AWS Import/Export to make the VM image available as anAmazon EC2 AMI. Launch the AMI with an attached 1AM instance profile that allowsCodeArtifact actions. Use AWS CLI commands to publish the packages to a CodeArtifactrepository.
B. Create an AWS Identity and Access Management Roles Anywhere trust anchor Createan 1AM role that allows CodeArtifact actions and that has a trust relationship on the trustanchor. Update the on-premises CI/CD pipeline to assume the new 1AM role and topublish the packages to CodeArtifact.
C. Create a new Amazon S3 bucket. Generate a presigned URL that allows the PutObjectrequest. Update the on-premises CI/CD pipeline to use thepresigned URL to publish the packages from the on-premises location to the S3 bucket.Create an AWS Lambda function that runs when packages are created in the bucketthrough a put command Configure the Lambda function to publish the packages toCodeArtifact
D. For each public repository, create a CodeArtifact repository that is configured with anexternal connection Configure the dependent repositories as upstream public repositories.
E. Create a CodeArtifact repository that is configured with a set of external connections tothe public repositories. Configure the external connections to be downstream of therepository


Question # 9

A company is running a custom-built application that processes records. All the components run on Amazon EC2 instances that run in an Auto Scaling group. Each record's processing is a multistep sequential action that is compute-intensive. Each step is always completed in 5 minutes or less. A limitation of the current system is that if any steps fail, the application has to reprocess the record from the beginning The company wants to update the architecture so that the application must reprocess only the failed steps. What is the MOST operationally efficient solution that meets these requirements? 

A. Create a web application to write records to Amazon S3 Use S3 Event Notifications topublish to an Amazon Simple Notification Service (Amazon SNS) topic Use an EC2instance to poll Amazon SNS and start processing Save intermediate results to Amazon S3to pass on to the next step
B. Perform the processing steps by using logic in the application. Convert the applicationcode to run in a container. Use AWS Fargate to manage the container Instances. Configurethe container to invoke itself to pass the state from one step to the next.
C. Create a web application to pass records to an Amazon Kinesis data stream. Decouplethe processing by using the Kinesis data stream and AWS Lambda functions.
D. Create a web application to pass records to AWS Step Functions. Decouple theprocessing into Step Functions tasks and AWS Lambda functions.


Question # 10

A company is developing an application that will generate log events. The log events consist of five distinct metrics every one tenth of a second and produce a large amount of data The company needs to configure the application to write the logs to Amazon Time stream The company will configure a daily query against the Timestream table. Which combination of steps will meet these requirements with the FASTEST query performance? (Select THREE.) 

A. Use batch writes to write multiple log events in a Single write operation
B. Write each log event as a single write operation
C. Treat each log as a single-measure record
D. Treat each log as a multi-measure record
E. Configure the memory store retention period to be longer than the magnetic storeretention period
F. Configure the memory store retention period to be shorter than the magnetic storeretention period


Question # 11

A company has an application that stores data that includes personally Identifiable Information (Pll) In an Amazon S3 bucket All data Is encrypted with AWS Key Management Service (AWS KMS) customer managed keys. All AWS resources are deployed from an AWS Cloud Formation template. A DevOps engineer needs to set up a development environment for the application in a different AWS account The data in the development environment's S3 bucket needs to be updated once a week from the production environment's S3 bucket. The company must not move Pll from the production environment without anonymizmg the Pll first The data in each environment must be encrypted with different KMS customer managed keys. Which combination of steps should the DevOps engineer take to meet these requirements? (Select TWO ) 

A. Activate Amazon Macie on the S3 bucket In the production account Create an AWSStep Functions state machine to initiate a discovery job and redact all Pll before copyingfiles to the S3 bucket in the development account. Give the state machine tasks decryptpermissions on the KMS key in the production account. Give the state machine tasks encrypt permissions on the KMS key in the development account
B. Set up S3 replication between the production S3 bucket and the development S3 bucketActivate Amazon Macie on the development S3 bucket Create an AWS Step Functionsstate machine to initiate a discovery job and redact all Pll as the files are copied to thedevelopment S3 bucket. Give the state machine tasks encrypt and decrypt permissions onthe KMS key in the development account.
C. Set up an S3 Batch Operations job to copy files from the production S3 bucket to thedevelopment S3 bucket. In the development account, configure anAWS Lambda function to redact all Pll. Configure S3 Object Lambda to use the Lambdafunction for S3 GET requests Give the Lambda function's 1AM role encrypt and decryptpermissions on the KMS key in the development account.
D. Create a development environment from the CloudFormatlon template in thedevelopment account. Schedule an Amazon EventBridge rule to start the AWS StepFunctions state machine once a week
E. Create a development environment from the CloudFormation template in thedevelopment account. Schedule a cron job on an Amazon EC2 instance to run once aweek to start the S3 Batch Operations job.


Question # 12

A company uses AWS Organizations to manage its AWS accounts. The organization root has a child OU that is named Department. The Department OU has a child OU that is named Engineering. The default FullAWSAccess policy is attached to the root, the Department OU. and the Engineering OU. The company has many AWS accounts in the Engineering OU. Each account has an administrative 1AM role with the AdmmistratorAccess 1AM policy attached. The default FullAWSAccessPolicy is also attached to each account. A DevOps engineer plans to remove the FullAWSAccess policy from the Department OU The DevOps engineer will replace the policy with a policy that contains an Allow statement for all Amazon EC2 API operations. What will happen to the permissions of the administrative 1AM roles as a result of this change'? 

A. All API actions on all resources will be allowed
B. All API actions on EC2 resources will be allowed. All other API actions will be denied.
C. All API actions on all resources will be denied
D. All API actions on EC2 resources will be denied. All other API actions will be allowed.


Question # 13

A company uses containers for its applications The company learns that some container Images are missing required security configurations A DevOps engineer needs to implement a solution to create a standard base image The solution must publish the base image weekly to the us-west-2 Region, us-east-2 Region, and eu-central-1 Region. Which solution will meet these requirements? 

A. Create an EC2 Image Builder pipeline that uses a container recipe to build the image.Configure the pipeline to distribute the image to an Amazon Elastic Container Registry(Amazon ECR) repository in us-west-2. Configure ECR replication from us-west-2 to useast-2 and from us-east-2 to eu-central-1 Configure the pipeline to run weekly
B. Create an AWS CodePipeline pipeline that uses an AWS CodeBuild project to build theimage Use AWS CodeOeploy to publish the image to an Amazon Elastic ContainerRegistry (Amazon ECR) repository in us-west-2 Configure ECR replication from us-west-2to us-east-2 and from us-east-2 to eu-central-1 Configure the pipeline to run weekly
C. Create an EC2 Image Builder pipeline that uses a container recipe to build the ImageConfigure the pipeline to distribute the image to Amazon Elastic Container Registry(Amazon ECR) repositories in all three Regions. Configure the pipeline to run weekly.
D. Create an AWS CodePipeline pipeline that uses an AWS CodeBuild project to build theimage Use AWS CodeDeploy to publish the image to Amazon Elastic Container Registry(Amazon ECR) repositories in all three Regions. Configure the pipeline to run weekly.


Question # 14

A company's DevOps team manages a set of AWS accounts that are in an organization in AWS Organizations The company needs a solution that ensures that all Amazon EC2 instances use approved AMIs that the DevOps team manages. The solution also must remediate the usage of AMIs that are not approved The individual account administrators must not be able to remove the restriction to use approved AMIs. Which solution will meet these requirements? 

A. Use AWS CloudFormation StackSets to deploy an Amazon EventBridge rule to eachaccount. Configure the rule to react to AWS CloudTrail events for Amazon EC2 and tosend a notification to an Amazon Simple Notification Service (Amazon SNS) topic.Subscribe the DevOps team to the SNS topic
B. Use AWS CloudFormation StackSets to deploy the approved-amis-by-id AWS Configmanaged rule to each account. Configure the rule with the list of approved AMIs. Configurethe rule to run the the AWS-StopEC2lnstance AWS Systems Manager Automation runbookfor the noncompliant EC2 instances.
C. Create an AWS Lambda function that processes AWS CloudTrail events for AmazonEC2 Configure the Lambda function to send a notification to an Amazon Simple NotificationService (Amazon SNS) topic. Subscribe the DevOps team to the SNS topic. Deploy theLambda function in each account in the organization Create an Amazon EventBridge rulein each account Configure the EventBridge rules to react to AWS CloudTrail events forAmazon EC2 and to invoke the Lambda function.
D. Enable AWS Config across the organization Create a conformance pack that uses theapproved -amis-by-id AWS Config managed rule with the list of approved AMIs. Deploy theconformance pack across the organization. Configure the rule to run the AWSStopEC2lnstanceAWS Systems Manager Automation runbook for the noncompliant EC2instances.


Question # 15

A company has set up AWS CodeArtifact repositories with public upstream repositories The company's development team consumes open source dependencies from the repositories in the company's internal network. The company's security team recently discovered a critical vulnerability in the most recent version of a package that the development team consumes. The security team has produced a patched version to fix the vulnerability. The company needs to prevent the vulnerable version from being downloaded. The company also needs to allow the security team to publish the patched version. Which combination of steps will meet these requirements? {Select TWO.) 

A. Update the status of the affected CodeArtifact package version to unlisted
B. Update the status of the affected CodeArtifact package version to deleted
C. Update the status of the affected CodeArtifact package version to archived.
D. Update the CodeArtifact package origin control settings to allow direct publishing and toblock upstream operations
E. Update the CodeArtifact package origin control settings to block direct publishing and toallow upstream operations.


Question # 16

AnyCompany is using AWS Organizations to create and manage multiple AWS accounts AnyCompany recently acquired a smaller company, Example Corp. During the acquisition process, Example Corp's single AWS account joined AnyCompany's management account through an Organizations invitation. AnyCompany moved the new member account under an OU that is dedicated to Example Corp. AnyCompany's DevOps eng•neer has an IAM user that assumes a role that is named OrganizationAccountAccessRole to access member accounts. This role is configured with a full access policy When the DevOps engineer tries to use the AWS Management Console to assume the role in Example Corp's new member account, the DevOps engineer receives the following error message "Invalid information in one or more fields. Check your information or contact your administrator." Which solution will give the DevOps engineer access to the new member account? 

A. In the management account, grant the DevOps engineer's IAM user permission toassume the OrganzatlonAccountAccessR01e IAM role in the new member account.
B. In the management account, create a new SCR In the SCP, grant the DevOpsengineer's IAM user full access to all resources in the new member account. Attach theSCP to the OU that contains the new member account,
C. In the new member account, create a new IAM role that is namedOrganizationAccountAccessRole. Attach the AdmInistratorAccess AVVS managed policy tothe role. In the role's trust policy, grant the management account permission to assume therole.
D. In the new member account edit the trust policy for the Organ zationAccountAccessRoleIAM role. Grant the management account permission to assume the role.


Question # 17

A DevOps engineer is implementing governance controls for a company that requires its infrastructure to be housed within the United States. The engineer must restrict which AWSRegions can be used, and ensure an alert is sent as soon as possible if any activity outside the governance policy takes place. The controls should be automatically enabled on any new Region outside the United States (US). Which combination of actions will meet these requirements? (Select TWO.) 

A. Create an AWS Organizations SCP that denies access to all non-global services in non-US Regions. Attach the policy to the root of the organization.
B. Configure AWS CloudTrail to send logs to Amazon CloudWatch Logs and enable it forall Regions. Use a CloudWatch Logs metric filter to send an alert on any service activity innon-US Regions.
C. Use an AWS Lambda function that checks for AWS service activity and deploy it to allRegions. Write an Amazon EventBridge rule that runs the Lambda function every hour,sending an alert if activity is found in a non-US Region.
D. Use an AWS Lambda function to query Amazon Inspector to look for service activity innon-US Regions and send alerts if any activity is found.
E. Write an SCP using the aws: RequestedRegion condition key limiting access to USRegions. Apply the policy to all users, groups, and roles


Question # 18

A DevOps engineer is implementing governance controls for a company that requires its infrastructure to be housed within the United States. The engineer must restrict which AWSRegions can be used, and ensure an alert is sent as soon as possible if any activity outside the governance policy takes place. The controls should be automatically enabled on any new Region outside the United States (US). Which combination of actions will meet these requirements? (Select TWO.) 

A. Create an AWS Organizations SCP that denies access to all non-global services in non-US Regions. Attach the policy to the root of the organization.
B. Configure AWS CloudTrail to send logs to Amazon CloudWatch Logs and enable it forall Regions. Use a CloudWatch Logs metric filter to send an alert on any service activity innon-US Regions.
C. Use an AWS Lambda function that checks for AWS service activity and deploy it to allRegions. Write an Amazon EventBridge rule that runs the Lambda function every hour,sending an alert if activity is found in a non-US Region.
D. Use an AWS Lambda function to query Amazon Inspector to look for service activity innon-US Regions and send alerts if any activity is found.
E. Write an SCP using the aws: RequestedRegion condition key limiting access to USRegions. Apply the policy to all users, groups, and roles


Question # 19

A software team is using AWS CodePipeline to automate its Java application release pipeline The pipeline consists of a source stage, then a build stage, and then a deploy stage. Each stage contains a single action that has a runOrder value of 1. The team wants to integrate unit tests into the existing release pipeline. The team needs a solution that deploys only the code changes that pass all unit tests. Which solution will meet these requirements? 

A. Modify the build stage. Add a test action that has a runOrder value of 1. Use AWSCodeDeploy as the action provider to run unit tests.
B. Modify the build stage Add a test action that has a runOrder value of 2 Use AWSCodeBuild as the action provider to run unit tests
C. Modify the deploy stage Add a test action that has a runOrder value of 1 Use AWSCodeDeploy as the action provider to run unit tests
D. Modify the deploy stage Add a test action that has a runOrder value of 2 Use AWSCodeBuild as the action provider to run unit tests


Question # 20

A company has a new AWS account that teams will use to deploy various applications. The teams will create many Amazon S3 buckets for application- specific purposes and to store AWS CloudTrail logs. The company has enabled Amazon Macie for the account. A DevOps engineer needs to optimize the Macie costs for the account without compromising the account's functionality. Which solutions will meet these requirements? (Select TWO.) 

A. Exclude S3 buckets that contain CloudTrail logs from automated discovery.
B. Exclude S3 buckets that have public read access from automated discovery.
C. Configure scheduled daily discovery jobs for all S3 buckets in the account.
D. Configure discovery jobs to include S3 objects based on the last modified criterion.
E. Configure discovery jobs to include S3 objects that are tagged as production only.


Question # 21

A company has a new AWS account that teams will use to deploy various applications. The teams will create many Amazon S3 buckets for application- specific purposes and to store AWS CloudTrail logs. The company has enabled Amazon Macie for the account. A DevOps engineer needs to optimize the Macie costs for the account without compromising the account's functionality. Which solutions will meet these requirements? (Select TWO.) 

A. Exclude S3 buckets that contain CloudTrail logs from automated discovery.
B. Exclude S3 buckets that have public read access from automated discovery.
C. Configure scheduled daily discovery jobs for all S3 buckets in the account.
D. Configure discovery jobs to include S3 objects based on the last modified criterion.
E. Configure discovery jobs to include S3 objects that are tagged as production only.


Question # 22

A company hired a penetration tester to simulate an internal security breach The tester performed port scans on the company's Amazon EC2 instances. The company's security measures did not detect the port scans. The company needs a solution that automatically provides notification when port scans are performed on EC2 instances. The company creates and subscribes to an Amazon Simple Notification Service (Amazon SNS) topic. What should the company do next to meet the requirement? 

A. Ensure that Amazon GuardDuty is enabled Create an Amazon CloudWatch alarm fordetected EC2 and port scan findings. Connect the alarm to the SNS topic.
B. Ensure that Amazon Inspector is enabled Create an Amazon EventBridge event fordetected network reachability findings that indicate port scans Connect the event to theSNS topic.
C. Ensure that Amazon Inspector is enabled. Create an Amazon EventBridge event fordetected CVEs that cause open port vulnerabilities. Connect the event to the SNS topic
D. Ensure that AWS CloudTrail is enabled Create an AWS Lambda function to analyze theCloudTrail logs for unusual amounts of traffic from an IP address range Connect theLambda function to the SNS topic.


Question # 23

A company is developing a web application's infrastructure using AWS CloudFormation The database engineering team maintains the database resources in a Cloud Formation template, and the software development team maintains the web application resources in a separate CloudFormation template. As the scope of the application grows, the software development team needs to use resources maintained by the database engineering team However, both teams have their own review and lifecycle management processes that they want to keep. Both teams also require resource-level change-set reviews. The software development team would like to deploy changes to this template using their Cl/CD pipeline. Which solution will meet these requirements? 

A. Create a stack export from the database CloudFormation template and import thosereferences into the web application CloudFormation template
B. Create a CloudFormation nested stack to make cross-stack resource references andparameters available in both stacks.
C. Create a CloudFormation stack set to make cross-stack resource references andparameters available in both stacks.
D. Create input parameters in the web application CloudFormation template and passresource names and IDs from the database stack.


Question # 24

A company wants to use AWS Systems Manager documents to bootstrap physical laptops for developers The bootstrap code Is stored in GitHub A DevOps engineer has already created a Systems Manager activation, installed the Systems Manager agent with the registration code, and installed an activation ID on all the laptops. Which set of steps should be taken next? 

A. Configure the Systems Manager document to use the AWS-RunShellScnpt command tocopy the files from GitHub to Amazon S3, then use the aws-downloadContent plugin with asourceType of S3
B. Configure the Systems Manager document to use the aws-configurePackage plugin withan install action and point to the Git repository
C. Configure the Systems Manager document to use the aws-downloadContent plugin witha sourceType of GitHub and sourcelnfo with the repository details.
D. Configure the Systems Manager document to use the aws:softwarelnventory plugin andrun the script from the Git repository


Question # 25

A company has a mission-critical application on AWS that uses automatic scaling The company wants the deployment lilecycle to meet the following parameters. • The application must be deployed one instance at a time to ensure the remaining fleet continues to serve traffic • The application is CPU intensive and must be closely monitored • The deployment must automatically roll back if the CPU utilization of the deployment instance exceeds 85%. Which solution will meet these requirements? 

A. Use AWS CloudFormalion to create an AWS Step Functions state machine and AutoScaling hfecycle hooks to move to one instance at a time into a wait state Use AWSSystems Manager automation to deploy the update to each instance and move it back intothe Auto Scaling group using the heartbeat timeout
B. Use AWS CodeDeploy with Amazon EC2 Auto Scaling. Configure an alarm tied to theCPU utilization metric. Use the CodeDeployDefault OneAtAtime configuration as adeployment strategy Configure automatic rollbacks within the deployment group to roll backthe deployment if the alarm thresholds are breached
C. Use AWS Elastic Beanstalk for load balancing and AWS Auto Scaling Configure analarm tied to the CPU utilization metric Configure rolling deployments with a fixed batchsize of one instance Enable enhanced health to monitor the status of the deployment androll back based on the alarm previously created.
D. Use AWS Systems Manager to perform a blue/green deployment with Amazon EC2Auto Scaling Configure an alarm tied to the CPU utilization metric Deploy updates one at atime Configure automatic rollbacks within the Auto Scaling group to roll back thedeployment if the alarm thresholds are breached


Question # 26

A company has 20 service learns Each service team is responsible for its own microservice. Each service team uses a separate AWS account for its microservice and a VPC with the 192 168 0 0/22 CIDR block. The company manages the AWS accounts with AWS Organizations. Each service team hosts its microservice on multiple Amazon EC2 instances behind an Application Load Balancer. The microservices communicate with each other across the public internet. The company's security team has issued a new guideline that all communication between microservices must use HTTPS over private network connections and cannot traverse the public internet. A DevOps engineer must implement a solution that fulfills these obligations and minimizes the number of changes for each service team. Which solution will meet these requirements? 

A. Create a new AWS account in AWS Organizations Create a VPC in this account anduse AWS Resource Access Manager to share the private subnets of this VPC with theorganization Instruct the service teams to launch a new. Network Load Balancer (NLB) and EC2 instances that use the shared private subnets Use the NLB DNS names forcommunication between microservices.
B. Create a Network Load Balancer (NLB) in each of the microservice VPCs Use AWSPrivateLink to create VPC endpoints in each AWS account for the NLBs Createsubscriptions to each VPC endpoint in each of the other AWS accounts Use the VPCendpoint DNS names for communication between microservices.
C. Create a Network Load Balancer (NLB) in each of the microservice VPCs Create VPCpeering connections between each of the microservice VPCs Update the route tables foreach VPC to use the peering links Use the NLB DNS names for communication betweenmicroservices.
D. Create a new AWS account in AWS Organizations Create a transit gateway in thisaccount and use AWS Resource Access Manager to share the transit gateway with theorganization. In each of the microservice VPCs. create a transit gateway attachment to theshared transit gateway Update the route tables of each VPC to use the transit gatewayCreate a Network Load Balancer (NLB) in each of the microservice VPCs Use the NLBDNS names for communication between microservices.


Question # 27

A security team is concerned that a developer can unintentionally attach an Elastic IP address to an Amazon EC2 instance in production. No developer should be allowed to attach an Elastic IP address to an instance. The security team must be notified if any production server has an Elastic IP address at any time How can this task be automated'? 

A. Use Amazon Athena to query AWS CloudTrail logs to check for any associate-addressattempts Create an AWS Lambda function to disassociate the Elastic IP address from theinstance, and alert the security team.
B. Attach an 1AM policy to the developers' 1AM group to deny associate-addresspermissions Create a custom AWS Config rule to check whether an Elastic IP address isassociated with any instance tagged as production, and alert the security team
C. Ensure that all 1AM groups associated with developers do not have associate-address permissions. Create a scheduled AWS Lambda function to check whether an Elastic IPaddress is associated with any instance tagged as production, and alert the secunty team ifan instance has an Elastic IP address associated with it
D. Create an AWS Config rule to check that all production instances have EC2 1AM rolesthat include deny associate-address permissions Verify whether there is an Elastic IPaddress associated with any instance, and alert the security team if an instance has anElastic IP address associated with it.


Question # 28

A company is using AWS CodePipeline to deploy an application. According to a new guideline, a member of the company's security team must sign off on any application changes before the changes are deployed into production. The approval must be recorded and retained. Which combination of actions will meet these requirements? (Select TWO.) 

A. Configure CodePipeline to write actions to Amazon CloudWatch Logs.
B. Configure CodePipeline to write actions to an Amazon S3 bucket at the end of eachpipeline stage.
C. Create an AWS CloudTrail trail to deliver logs to Amazon S3.
D. Create a CodePipeline custom action to invoke an AWS Lambda function for approval.Create a policy that gives the security team access to manage CodePipeline customactions.
E. Create a CodePipeline manual approval action before the deployment step. Create apolicy that grants the security team access to approve manual approval stages.


Question # 29

A company has an AWS CodeDeploy application. The application has a deployment group that uses a single tag group to identify instances for the deployment of ApplicationA. The single tag group configuration identifies instances that have Environment=Production and Name=ApplicattonA tags for the deployment of ApplicationA. The company launches an additional Amazon EC2 instance with Department=Marketing Environment^Production. and Name=ApplicationB tags. On the next CodeDeploy deployment of ApplicationA. the additional instance has ApplicationA installed on it. A DevOps engineer needs to configure the existing deployment group to prevent ApplicationA from being installed on the additional instance Which solution will meet these requirements? 

A. Change the current single tag group to include only the Environment=Production tagAdd another single tag group that includes only the Name=ApplicationA tag.
B. Change the current single tag group to include the Department=MarketmgEnvironment=Production and Name=ApplicationAtags
C. Add another single tag group that includes only the Department=Marketing tag. Keepthe Environment=Production and Name=ApplicationA tags with the current single tag group
D. Change the current single tag group to include only the Environment=Production tagAdd another single tag group that includes only the Department=Marketing tag


Question # 30

A company uses an organization in AWS Organizations to manage its AWS accounts. The company recently acquired another company that has standalone AWS accounts. The acquiring company's DevOps team needs to consolidate the administration of the AWS accounts for both companies and retain full administrative control of the accounts. The DevOps team also needs to collect and group findings across all the accounts to implement and maintain a security posture. Which combination of steps should the DevOps team take to meet these requirements? (Select TWO.) 

A. Invite the acquired company's AWS accounts to join the organization. Create an SCPthat has full administrative privileges. Attach the SCP to the management account.
B. Invite the acquired company's AWS accounts to join the organization. Create theOrganizationAccountAccessRole 1AM role in the invited accounts. Grant permission to themanagement account to assume the role.
C. Use AWS Security Hub to collect and group findings across all accounts. Use SecurityHub to automatically detect new accounts as the accounts are added to the organization.
D. Use AWS Firewall Manager to collect and group findings across all accounts. Enable allfeatures for the organization. Designate an account in the organization as the delegatedadministrator account for Firewall Manager.
E. Use Amazon Inspector to collect and group findings across all accounts. Designate anaccount in the organization as the delegated administrator account for Amazon Inspector.


Question # 31

A company is reviewing its 1AM policies. One policy written by the DevOps engineer has been (lagged as too permissive. The policy is used by an AWS Lambda function that issues a stop command to Amazon EC2 instances tagged with Environment: NonProduccion over the weekend. The current policy is:

 

A. Option A
B. Option B
C. Option C
D. Option D
E. Option E
F. Option  F


Question # 32

A company's application teams use AWS CodeCommit repositories for their applications. The application teams have repositories in multiple AWS accounts. All accounts are in an organization in AWS Organizations. Each application team uses AWS IAM Identity Center (AWS Single Sign-On) configured with an external IdP to assume a developer IAM role. The developer role allows the application teams to use Git to work with the code in the repositories. A security audit reveals that the application teams can modify the main branch in any repository. A DevOps engineer must implement a solution that allows the application teams to modify the main branch of only the repositories that they manage. Which combination of steps will meet these requirements? (Select THREE.) 

A. Update the SAML assertion to pass the user's team name. Update the IAM role's trustpolicy to add an access-team session tag that has the team name.
B. Create an approval rule template for each team in the Organizations managementaccount. Associate the template with all the repositories. Add the developer role ARN as anapprover.
C. Create an approval rule template for each account. Associate the template with allrepositories. Add the "aws:ResourceTag/access-team":"$ ;{aws:PrincipaITag/accessteam}"condition to the approval rule template.
D. For each CodeCommit repository, add an access-team tag that has the value set to thename of the associated team.
E. Attach an SCP to the accounts. Include the following statement:
F. Create an IAM permissions boundary in each account. Include the following statement: A computerscreen shot of textDescription automatically generated


Question # 33

A company has an application and a CI/CD pipeline. The CI/CD pipeline consists of an AWS CodePipeline pipeline and an AWS CodeBuild project. The CodeBuild project runs tests against the application as part of the build process and outputs a test report. The company must keep the test reports for 90 days. Which solution will meet these requirements? 

A. Add a new stage in the CodePipeline pipeline after the stage that contains theCodeBuild project. Create an Amazon S3 bucket to store the reports. Configure an S3deploy action type in the new CodePipeline stage with the appropriate path and format forthe reports.
B. Add a report group in the CodeBuild project buildspec file with the appropriate path andformat for the reports. Create an Amazon S3 bucket to store the reports. Configure anAmazon EventBridge rule that invokes an AWS Lambda function to copy the reports to theS3 bucket when a build is completed. Create an S3 Lifecycle rule to expire the objects after90 days.
C. Add a new stage in the CodePipeline pipeline. Configure a test action type with theappropriate path and format for the reports. Configure the report expiration time to be 90days in the CodeBuild project buildspec file.
D. Add a report group in the CodeBuild project buildspec file with the appropriate path andformat for the reports. Create an Amazon S3 bucket to store the reports. Configure thereport group as an artifact in the CodeBuild project buildspec file. Configure the S3 bucketas the artifact destination. Set the object expiration to 90 days.


Question # 34

An ecommerce company uses a large number of Amazon Elastic Block Store (Amazon EBS) backed Amazon EC2 instances. To decrease manual work across all the instances, a DevOps engineer is tasked with automating restart actions when EC2 instance retirement events are scheduled. How can this be accomplished? 

A. Create a scheduled Amazon EventBridge rule to run an AWS Systems Manager Automation runbook that checks if any EC2 instances are scheduled for retirement once aweek If the instance is scheduled for retirement the runbook will hibernate the instance
B. Enable EC2Auto Recovery on all of the instances. Create an AWS Config rule to limitthe recovery to occur during a maintenance window only
C. Reboot all EC2 instances during an approved maintenance window that is outside ofstandard business hours Set up Amazon CloudWatch alarms to send a notification in caseany instance is failing EC2 instance status checks
D. Set up an AWS Health Amazon EventBridge rule to run AWS Systems ManagerAutomation runbooks that stop and start the EC2 instance when a retirement scheduledevent occurs.


Question # 35

A DevOps engineer is using AWS CodeDeploy across a fleet of Amazon EC2 instances in an EC2 Auto Scaling group. The associated CodeDeploy deployment group, which is integrated with EC2 Auto Scaling, is configured to perform in-place deployments with codeDeployDefault.oneAtATime During an ongoing new deployment, the engineer discovers that, although the overall deployment finished successfully, two out of five instances have the previous application revision deployed. The other three instances have the newest application revision What is likely causing this issue? 

A. The two affected instances failed to fetch the new deployment.
B. A failed Afterinstall lifecycle event hook caused the CodeDeploy agent to roll back to theprevious version on the affected instances
C. The CodeDeploy agent was not installed in two affected instances.
D. EC2 Auto Scaling launched two new instances while the new deployment had not yetfinished, causing the previous version to be deployed on the affected instances.


Question # 36

A company is examining its disaster recovery capability and wants the ability to switch over its daily operations to a secondary AWS Region. The company uses AWS CodeCommit asa source control tool in the primary Region. A DevOps engineer must provide the capability for the company to develop code in the secondary Region. If the company needs to use the secondary Region, developers can add an additional remote URL to their local Git configuration. Which solution will meet these requirements? 

A. Create a CodeCommit repository in the secondary Region. Create an AWS CodeBuildproject to perform a Git mirror operation of the primary Region's CodeCommit repository tothe secondary Region's CodeCommit repository. Create an AWS Lambda function thatinvokes the CodeBuild project. Create an Amazon EventBridge rule that reacts to mergeevents in the primary Region's CodeCommit repository. Configure the EventBridge rule toinvoke the Lambda function.
B. Create an Amazon S3 bucket in the secondary Region. Create an AWS Fargate task toperform a Git mirror operation of the primary Region's CodeCommit repository and copythe result to the S3 bucket. Create an AWS Lambda function that initiates the Fargate task.Create an Amazon EventBridge rule that reacts to merge events in the CodeCommitrepository. Configure the EventBridge rule to invoke the Lambda function.
C. Create an AWS CodeArtifact repository in the secondary Region. Create an AWSCodePipeline pipeline that uses the primary Region's CodeCommit repository for thesource action. Create a Cross-Region stage in the pipeline that packages the CodeCommitrepository contents and stores the contents in the CodeArtifact repository when a pullrequest is merged into the CodeCommit repository.
D. Create an AWS Cloud9 environment and a CodeCommit repository in the secondaryRegion. Configure the primary Region's CodeCommit repository as a remote repository inthe AWS Cloud9 environment. Connect the secondary Region's CodeCommit repository tothe AWS Cloud9 environment.


Question # 37

A company has a single developer writing code for an automated deployment pipeline. The developer is storing source code in an Amazon S3 bucket for each project. The company wants to add more developers to the team but is concerned about code conflicts and lost work The company also wants to build a test environment to deploy newer versions of code for testing and allow developers to automatically deploy to both environments when code is changed in the repository. What is the MOST efficient way to meet these requirements? 

A. Create an AWS CodeCommit repository tor each project, use the mam branch forproduction code: and create a testing branch for code deployed to testing Use featurebranches to develop new features and pull requests to merge code to testing and mainbranches.
B. Create another S3 bucket for each project for testing code, and use an AWS Lambdafunction to promote code changes between testing and production buckets Enableversioning on all buckets to prevent code conflicts.
C. Create an AWS CodeCommit repository for each project, and use the main branch forproduction and test code with different deployment pipelines for each environment Usefeature branches to develop new features.
D. Enable versioning and branching on each S3 bucket, use the main branch for productioncode, and create a testing branch for code deployed to testing. Have developers use eachbranch for developing in each environment.


Question # 38

A company is using AWS to run digital workloads. Each application team in the company has its own AWS account for application hosting. The accounts are consolidated in an organization in AWS Organizations. The company wants to enforce security standards across the entire organization. To avoid noncompliance because of security misconfiguration, the company has enforced the use of AWS CloudFormation. A production support team can modify resources in the production environment by using the AWS Management Console to troubleshoot and resolve application-related issues. A DevOps engineer must implement a solution to identify in near real time any AWS service misconfiguration that results in noncompliance. The solution must automatically remediate the issue within 15 minutes of identification. The solution also must track noncompliant resources and events in a centralized dashboard with accurate timestamps. Which solution will meet these requirements with the LEAST development overhead? 

A. Use CloudFormation drift detection to identify noncompliant resources. Use driftdetection events from CloudFormation to invoke an AWS Lambda function for remediation.Configure the Lambda function to publish logs to an Amazon CloudWatch Logs log group.Configure an Amazon CloudWatch dashboard to use the log group for tracking.
B. Turn on AWS CloudTrail in the AWS accounts. Analyze CloudTrail logs by usingAmazon Athena to identify noncompliant resources. Use AWS Step Functions to trackquery results on Athena for drift detection and to invoke an AWS Lambda function forremediation. For tracking, set up an Amazon QuickSight dashboard that uses Athena asthe data source.
C. Turn on the configuration recorder in AWS Config in all the AWS accounts to identifynoncompliant resources. Enable AWS Security Hub with the ~no-enable-default-standardsoption in all the AWS accounts. Set up AWS Config managed rules and custom rules. Setup automatic remediation by using AWS Config conformance packs. For tracking, set up adashboard on Security Hub in a designated Security Hub administrator account.
D. Turn on AWS CloudTrail in the AWS accounts. Analyze CloudTrail logs by usingAmazon CloudWatch Logs to identify noncompliant resources. Use CloudWatch Logsfilters for drift detection. Use Amazon EventBridge to invoke the Lambda function forremediation. Stream filtered CloudWatch logs to Amazon OpenSearch Service. Set up adashboard on OpenSearch Service for tracking.


Question # 39

A DevOps engineer manages a company's Amazon Elastic Container Service (Amazon ECS) cluster. The cluster runs on several Amazon EC2 instances that are in an Auto Scaling group. The DevOps engineer must implement a solution that logs and reviews all stopped tasks for errors. Which solution will meet these requirements? 

A. Create an Amazon EventBridge rule to capture task state changes. Send the event to Amazon CloudWatch Logs. Use CloudWatch Logs Insights to investigate stopped tasks.
B. Configure tasks to write log data in the embedded metric format. Store the logs inAmazon CloudWatch Logs. Monitor the ContainerInstanceCount metric for changes.
C. Configure the EC2 instances to store logs in Amazon CloudWatch Logs. Create aCloudWatch Contributor Insights rule that uses the EC2 instance log data. Use theContributor Insights rule to investigate stopped tasks.
D. Configure an EC2 Auto Scaling lifecycle hook for the EC2_INSTANCE_TERMINATINGscale-in event. Write the SystemEventLog file to Amazon S3. Use Amazon Athena to querythe log file for errors.


Question # 40

A company has deployed a critical application in two AWS Regions. The application uses an Application Load Balancer (ALB) in both Regions. The company has Amazon Route 53 alias DNS records for both ALBs. The company uses Amazon Route 53 Application Recovery Controller to ensure that the application can fail over between the two Regions. The Route 53 ARC configuration includes a routing control for both Regions. The company uses Route 53 ARC to perform quarterly disaster recovery (DR) tests. During the most recent DR test, a DevOps engineer accidentally turned off both routing controls. The company needs to ensure that at least one routing control is turned on at all times. Which solution will meet these requirements? 

A. In Route 53 ARC. create a new assertion safety rule. Apply the assertion safety rule tothe two routing controls. Configure the rule with the ATLEAST type with a threshold of 1.
B. In Route 53 ARC, create a new gating safety rule. Apply the assertion safety rule to thetwo routing controls. Configure the rule with the OR type with a threshold of 1.
C. In Route 53 ARC, create a new resource set. Configure the resource set with an AWS:Route53: HealthCheck resource type. Specify the ARNs of the two routing controls as thetarget resource. Create a new readiness check for the resource set.
D. In Route 53 ARC, create a new resource set. Configure the resource set with an AWS:Route53RecoveryReadiness: DNSTargetResource resource type. Add the domain namesof the two Route 53 alias DNS records as the target resource. Create a new readinesscheck for the resource set.


Question # 41

A company manages a multi-tenant environment in its VPC and has configured Amazon GuardDuty for the corresponding AWS account. The company sends all GuardDuty findings to AWS Security Hub. Traffic from suspicious sources is generating a large number of findings. A DevOps engineer needs to implement a solution to automatically deny traffic across the entire VPC when GuardDuty discovers a new suspicious source. Which solution will meet these requirements? 

A. Create a GuardDuty threat list. Configure GuardDuty to reference the list. Create anAWS Lambda function that will update the threat list Configure the Lambda function to runin response to new Security Hub findings that come from GuardDuty.
B. Configure an AWS WAF web ACL that includes a custom rule group. Create an AWSLambda function that will create a block rule in the custom rule group Configure theLambda function to run in response to new Security Hub findings that come from GuardDuty
C. Configure a firewall in AWS Network Firewall. Create an AWS Lambda function that willcreate a Drop action rule in the firewall policy Configure the Lambda function to run inresponse to new Security Hub findings that come from GuardDuty
D. Create an AWS Lambda function that will create a GuardDuty suppression rule.Configure the Lambda function to run in response to new Security Hub findings that comefrom GuardDuty.


Question # 42

A company recently deployed its web application on AWS. The company is preparing for a large-scale sales event and must ensure that the web application can scale to meet the demand The application's frontend infrastructure includes an Amazon CloudFront distribution that has an Amazon S3 bucket as an origin. The backend infrastructure includes an Amazon API Gateway API. several AWS Lambda functions, and an Amazon Aurora DB cluster The company's DevOps engineer conducts a load test and identifies that the Lambda functions can fulfill the peak number of requests However, the DevOps engineer notices request latency during the initial burst of requests Most of the requests to the Lambda functions produce queries to the database A large portion of the invocation time is used to establish database connections Which combination of steps will provide the application with the required scalability? (Select TWO) 

A. Configure a higher reserved concurrency for the Lambda functions.
B. Configure a higher provisioned concurrency for the Lambda functions
C. Convert the DB cluster to an Aurora global database Add additional Aurora Replicas inAWS Regions based on the locations of the company's customers.
D. Refactor the Lambda Functions Move the code blocks that initialize databaseconnections into the function handlers.
E. Use Amazon RDS Proxy to create a proxy for the Aurora database Update the Lambdafunctions to use the proxy endpoints for database connections.


Question # 43

A company's security policies require the use of security hardened AMIS in production environments. A DevOps engineer has used EC2 Image Builder to create a pipeline that builds the AMIs on a recurring schedule. The DevOps engineer needs to update the launch templates of the companys Auto Scaling groups. The Auto Scaling groups must use the newest AMIS during the launch of Amazon EC2 instances. Which solution will meet these requirements with the MOST operational efficiency? 

A. Configure an Amazon EventBridge rule to receive new AMI events from Image Builder.Target an AWS Systems Manager Run Command document that updates the launchtemplates of the Auto Scaling groups with the newest AMI ID.
B. Configure an Amazon EventBridge rule to receive new AMI events from Image Builder.Target an AWS Lambda function that updates the launch templates of the Auto Scalinggroups with the newest AMI ID.
C. Configure the launch template to use a value from AWS Systems Manager ParameterStore for the AMI ID. Configure the Image Builder pipeline to update the Parameter Storevalue with the newest AMI ID.
D. Configure the Image Builder distribution settings to update the launch templates with thenewest AMI ID. Configure the Auto Scaling groups to use the newest version of the launch template.


Question # 44

A company requires its internal business teams to launch resources through pre-approved AWS CloudFormation templates only. The security team requires automated monitoring when resources drift from their expected state. Which strategy should be used to meet these requirements? 

A. Allow users to deploy CloudFormation stacks using a CloudFormation service role only.Use CloudFormation drift detection to detect when resources have drifted from theirexpected state.
B. Allow users to deploy CloudFormation stacks using a CloudFormation service role only.Use AWS Config rules to detect when resources have drifted from their expected state.
C. Allow users to deploy CloudFormation stacks using AWS Service Catalog only. Enforcethe use of a launch constraint. Use AWS Config rules to detect when resources havedrifted from their expected state.
D. Allow users to deploy CloudFormation stacks using AWS Service Catalog only. Enforcethe use of a template constraint. Use Amazon EventBridge notifications to detect whenresources have drifted from their expected state.


Question # 45

A company is building a web and mobile application that uses a serverless architecture powered by AWS Lambda and Amazon API Gateway The company wants to fully automate the backend Lambda deployment based on code that is pushed to the appropriate environment branch in an AWS CodeCommit repository The deployment must have the following: • Separate environment pipelines for testing and production • Automatic deployment that occurs for test environments only Which steps should be taken to meet these requirements'? 

A. Configure a new AWS CodePipelme service Create a CodeCommit repository for eachenvironment Set up CodePipeline to retrieve the source code from the appropriaterepository Set up the deployment step to deploy the Lambda functions with AWSCloudFormation.
B. Create two AWS CodePipeline configurations for test and production environmentsConfigure the production pipeline to have a manual approval step Create aCodeCommit repository for each environment Set up each CodePipeline to retrieve thesource code from the appropriate repository Set up the deployment step to deploy theLambda functions with AWS CloudFormation.
C. Create two AWS CodePipeline configurations for test and production environmentsConfigure the production pipeline to have a manual approval step. Create oneCodeCommit repository with a branch for each environment Set up each CodePipeline toretrieve the source code from the appropriate branch in the repository. Set up thedeployment step to deploy the Lambda functions with AWS CloudFormation
D. Create an AWS CodeBuild configuration for test and production environments Configurethe production pipeline to have a manual approval step. Create one CodeCommitrepository with a branch for each environment Push the Lambda function code to anAmazon S3 bucket Set up the deployment step to deploy the Lambda functions from theS3 bucket.


Question # 46

A healthcare services company is concerned about the growing costs of software licensing for an application for monitoring patient wellness. The company wants to create an audit process to ensure that the application is running exclusively on Amazon EC2 Dedicated Hosts. A DevOps engineer must create a workflow to audit the application to ensure compliance. What steps should the engineer take to meet this requirement with the LEAST administrative overhead? 

A. Use AWS Systems Manager Configuration Compliance. Use calls to the putcompliance-items API action to scan and build a database of noncompliant EC2 instancesbased on their host placement configuration. Use an Amazon DynamoDB table to storethese instance IDs for fast access. Generate a report through Systems Manager by callingthe list-compliance-summaries API action.
B. Use custom Java code running on an EC2 instance. Set up EC2 Auto Scaling for theinstance depending on the number of instances to be checked. Send the list ofnoncompliant EC2 instance IDs to an Amazon SQS queue. Set up another worker instanceto process instance IDs from the SQS queue and write them to Amazon DynamoDB. Usean AWS Lambda function to terminate noncompliant instance IDs obtained from the queue,and send them to an Amazon SNS email topic for distribution.
C. Use AWS Config. Identify all EC2 instances to be audited by enabling Config Recordingon all Amazon EC2 resources for the region. Create a custom AWS Config rule thattriggers an AWS Lambda function by using the "config-rule-change-triggered" blueprint. Modify the LambdaevaluateCompliance () function to verify host placement to return a NON_COMPLIANTresult if the instance is not running on an EC2 Dedicated Host. Use the AWS Config reportto address noncompliant instances.
D. Use AWS CloudTrail. Identify all EC2 instances to be audited by analyzing all calls tothe EC2 RunCommand API action. Invoke a AWS Lambda function that analyzes the hostplacement of the instance. Store the EC2 instance ID of noncompliant resources in anAmazon RDS for MySQL DB instance. Generate a report by querying the RDS instanceand exporting the query results to a CSV text file.


Question # 47

A company's application runs on Amazon EC2 instances. The application writes to a log file that records the username, date, time: and source IP address of the login. The log is published to a log group in Amazon CloudWatch Logs The company is performing a root cause analysis for an event that occurred on the previous day The company needs to know the number of logins for a specific user from the past 7 days Which solution will provide this information'? 

A. Create a CloudWatch Logs metric filter on the log group Use a filter pattern that matchesthe username. Publish a CloudWatch metric that sums the number of logins over the past 7days.
B. Create a CloudWatch Logs subscription on the log group Use a filter pattern thatmatches the username Publish a CloudWatch metric that sums the number of logins overthe past 7 days
C. Create a CloudWatch Logs Insights query that uses an aggregation function to count thenumber of logins for the username over the past 7 days. Run the query against the loggroup
D. Create a CloudWatch dashboard. Add a number widget that has a filter pattern thatcounts the number of logins for the username over the past 7 days directly from the loggroup


Question # 48

AnyCompany is using AWS Organizations to create and manage multiple AWS accounts AnyCompany recently acquired a smaller company, Example Corp. During the acquisition process, Example Corp's single AWS account joined AnyCompany's management account through an Organizations invitation. AnyCompany moved the new member account under an OU that is dedicated to Example Corp. AnyCompany's DevOps eng•neer has an IAM user that assumes a role that is named OrganizationAccountAccessRole to access member accounts. This role is configured with a full access policy When the DevOps engineer tries to use the AWS Management Console to assume the role in Example Corp's new member account, the DevOps engineer receives the following error message "Invalid information in one or more fields. Check your information or contact your administrator." Which solution will give the DevOps engineer access to the new member account? 

A. In the management account, grant the DevOps engineer's IAM user permission toassume the OrganzatlonAccountAccessR01e IAM role in the new member account.
B. In the management account, create a new SCR In the SCP, grant the DevOpsengineer's IAM user full access to all resources in the new member account. Attach theSCP to the OU that contains the new member account,
C. In the new member account, create a new IAM role that is namedOrganizationAccountAccessRole. Attach the AdmInistratorAccess AVVS managed policy tothe role. In the role's trust policy, grant the management account permission to assume therole.
D. In the new member account edit the trust policy for the Organ zationAccountAccessRoleIAM role. Grant the management account permission to assume the role.


Question # 49

A company has an application that includes AWS Lambda functions. The Lambda functions run Python code that is stored in an AWS CodeCommit repository. The company has recently experienced failures in the production environment because of an error in the Python code. An engineer has written unit tests for the Lambda functions to help avoid releasing any future defects into the production environment. The company's DevOps team needs to implement a solution to integrate the unit tests into an existing AWS CodePipeline pipeline. The solution must produce reports about the unit tests for the company to view. Which solution will meet these requirements? 

A. Associate the CodeCommit repository with Amazon CodeGuru Reviewer. Create a newAWS CodeBuild project. In the CodePipeline pipeline, configure a test stage that uses thenew CodeBuild project. Create a buildspec.yml file in the CodeCommit repository. In thebuildspec.yml file, define the actions to run a CodeGuru review.
B. Create a new AWS CodeBuild project. In the CodePipeline pipeline, configure a teststage that uses the new CodeBuild project. Create a CodeBuild report group. Create abuildspec.yml file in the CodeCommit repository. In the buildspec.yml file, define theactions to run the unit tests with an output of JUNITXML in the build phase section.Configure the test reports to be uploaded to the new CodeBuild report group.
C. Create a new AWS CodeArtifact repository. Create a new AWS CodeBuild project. Inthe CodePipeline pipeline, configure a test stage that uses the new CodeBuild project.Create an appspec.yml file in the original CodeCommit repository. In the appspec.yml file,define the actions to run the unit tests with an output of CUCUMBERJSON in the buildphase section. Configure the tests reports to be sent to the new CodeArtifact repository.
D. Create a new AWS CodeBuild project. In the CodePipeline pipeline, configure a teststage that uses the new CodeBuild project. Create a new Amazon S3 bucket. Create abuildspec.yml file in the CodeCommit repository. In the buildspec.yml file, define theactions to run the unit tests with an output of HTML in the phases section. In the reportssection, upload the test reports to the S3 bucket.


Question # 50

A DevOps engineer is setting up a container-based architecture. The engineer has decided to use AWS CloudFormation to automatically provision an Amazon ECS cluster and an Amazon EC2 Auto Scaling group to launch the EC2 container instances. After successfully creating the CloudFormation stack, the engineer noticed that, even though the ECS cluster and the EC2 instances were created successfully and the stack finished the creation, the EC2 instances were associating with a different cluster. How should the DevOps engineer update the CloudFormation template to resolve this issue? 

A. Reference the EC2 instances in the AWS: ECS: Cluster resource and reference theECS cluster in the AWS: ECS: Service resource.
B. Reference the ECS cluster in the AWS: AutoScaling: LaunchConfiguration resource ofthe UserData property.
C. Reference the ECS cluster in the AWS:EC2: lnstance resource of the UserDataproperty.
D. Reference the ECS cluster in the AWS: CloudFormation: CustomResource resource to trigger an AWS Lambda function that registers the EC2 instances with the appropriate ECScluster.


Question # 51

A DevOps engineer is planning to deploy a Ruby-based application to production. The application needs to interact with an Amazon RDS for MySQL database and should have automatic scaling and high availability. The stored data in the database is critical and should persist regardless of the state of the application stack. The DevOps engineer needs to set up an automated deployment strategy for the application with automatic rollbacks. The solution also must alert the application team when a deployment fails. Which combination of steps will meet these requirements? (Select THREE.) 

A. Deploy the application on AWS Elastic Beanstalk. Deploy an Amazon RDS for MySQLDB instance as part of the Elastic Beanstalk configuration.
B. Deploy the application on AWS Elastic Beanstalk. Deploy a separate Amazon RDS forMySQL DB instance outside of Elastic Beanstalk.
C. Configure a notification email address that alerts the application team in the AWS ElasticBeanstalk configuration.
D. Configure an Amazon EventBridge rule to monitor AWS Health events. Use an AmazonSimple Notification Service (Amazon SNS) topic as a target to alert the application team.
E. Use the immutable deployment method to deploy new application versions.
F. Use the rolling deployment method to deploy new application versions.


Question # 52

A company is using AWS Organizations to centrally manage its AWS accounts. The company has turned on AWS Config in each member account by using AWS Cloud Formation StackSets The company has configured trusted access in Organizations for AWS Config and has configured a member account as a delegated administrator account for AWS Config A DevOps engineer needs to implement a new security policy The policy must require all current and future AWS member accounts to use a common baseline of AWS Config rules that contain remediation actions that are managed from a central account Nonadministrator users who can access member accounts must not be able to modify this common baseline of AWS Config rules that are deployed into each member account Which solution will meet these requirements? 

A. Create a CloudFormation template that contains the AWS Config rules and remediationactions. Deploy the template from the Organizations management account by using CloudFormation StackSets.
B. Create an AWS Config conformance pack that contains the AWS Config rules andremediation actions Deploy the pack from the Organizations management account by usingCloudFormation StackSets.
C. Create a CloudFormation template that contains the AWS Config rules and remediationactions Deploy the template from the delegated administrator account by using AWSConfig.
D. Create an AWS Config conformance pack that contains the AWS Config rules andremediation actions. Deploy the pack from the delegated administrator account by usingAWS Config.


Question # 53

A company uses AWS and has a VPC that contains critical compute infrastructure with predictable traffic patterns. The company has configured VPC flow logs that are published to a log group in Amazon CloudWatch Logs. The company's DevOps team needs to configure a monitoring solution for the VPC flow logs to identify anomalies in network traffic to the VPC over time. If the monitoring solution detects an anomaly, the company needs the ability to initiate a response to the anomaly. How should the DevOps team configure the monitoring solution to meet these requirements? 

A. Create an Amazon Kinesis data stream. Subscribe the log group to the data stream.Configure Amazon Kinesis Data Analytics to detect log anomalies in the data stream.Create anAWS Lambda function to use as the output of the data stream. Configure the Lambda function to write to the default Amazon EventBridge event bus in the event of an anomalyfinding.
B. Create an Amazon Kinesis Data Firehose delivery stream that delivers events to anAmazon S3 bucket. Subscribe the log group to the delivery stream. Configure AmazonLookout for Metrics to monitor the data in the S3 bucket for anomalies. Create an AWSLambda function to run in response to Lookout for Metrics anomaly findings. Configure theLambda function to publish to the default Amazon EventBridge event bus.
C. Create an AWS Lambda function to detect anomalies. Configure the Lambda function topublish an event to the default Amazon EventBridge event bus if the Lambda functiondetects an anomaly. Subscribe the Lambda function to the log group.
D. Create an Amazon Kinesis data stream. Subscribe the log group to the data stream.Create an AWS Lambda function to detect log anomalies. Configure the Lambda functionto write to the default Amazon EventBridge event bus if the Lambda function detects ananomaly. Set the Lambda function as the processor for the data stream.


Question # 54

A DevOps engineer wants to find a solution to migrate an application from on premises to AWS The application is running on Linux and needs to run on specific versions of Apache Tomcat HAProxy and Varnish Cache to function properly. The application's operating system-level parameters require tuning The solution must include a way to automate the deployment of new application versions. The infrastructure should be scalable and faulty servers should be replaced automatically. Which solution should the DevOps engineer use? 

A. Upload the application as a Docker image that contains all the necessary software toAmazon ECR Create an Amazon ECS cluster using an AWS Fargate launch type and an Auto Scaling group. Create an AWS CodePipeline pipeline that uses Amazon ECR as asource and Amazon ECS as a deployment provider
B. Upload the application code to an AWS CodeCommit repository with a savedconfiguration file to configure and install the software Create an AWS Elastic Beanstalkweb server tier and a load balanced-type environment that uses the Tomcat solution stackCreate an AWS CodePipeline pipeline that uses CodeCommit as a source and ElasticBeanstalk as a deployment provider
C. Upload the application code to an AWS CodeCommit repository with a set ofebextensions files to configure and install the software. Create an AWS Elastic Beanstalkworker tier environment that uses the Tomcat solution stack Create an AWS CodePipelinepipeline that uses CodeCommit as a source and Elastic Beanstalk as a deploymentprovider
D. Upload the application code to an AWS CodeCommit repository with an appspec.yml fileto configure and install the necessary software. Create an AWS CodeDeploy deploymentgroup associated with an Amazon EC2 Auto Scaling group Create an AWS CodePipelinepipeline that uses CodeCommit as a source and CodeDeploy as a deployment provider


Question # 55

A company needs a strategy for failover and disaster recovery of its data and application. The application uses a MySQL database and Amazon EC2 instances. The companyrequires a maximum RPO of 2 hours and a maximum RTO of 10 minutes for its data and application at all times. Which combination of deployment strategies will meet these requirements? (Select TWO.) 

A. Create an Amazon Aurora Single-AZ cluster in multiple AWS Regions as the data store.Use Aurora's automatic recovery capabilities in the event of a disaster.
B. Create an Amazon Aurora global database in two AWS Regions as the data store. In theevent of a failure, promote the secondary Region to the primary for the application. Updatethe application to use the Aurora cluster endpoint in the secondary Region.
C. Create an Amazon Aurora cluster in multiple AWS Regions as the data store. Use aNetwork Load Balancer to balance the database traffic in different Regions.
D. Set up the application in two AWS Regions. Use Amazon Route 53 failover routing thatpoints to Application Load Balancers in both Regions. Use health checks and Auto Scalinggroups in each Region.
E. Set up the application in two AWS Regions. Configure AWS Global Accelerator to pointto Application Load Balancers (ALBs) in both Regions. Add both ALBs to a single endpointgroup. Use health checks and Auto Scaling groups in each Region.


Question # 56

A DevOps engineer is building an application that uses an AWS Lambda function to query an Amazon Aurora MySQL DB cluster. The Lambda function performs only read queries. Amazon EventBridge events invoke the Lambda function. As more events invoke the Lambda function each second, the database's latency increases and the database's throughput decreases. The DevOps engineer needs to improve the performance of the application. Which combination of steps will meet these requirements? (Select THREE.) 

A. Use Amazon RDS Proxy to create a proxy. Connect the proxy to the Aurora clusterreader endpoint. Set a maximum connections percentage on the proxy.
B. Implement database connection pooling inside the Lambda code. Set a maximumnumber of connections on the database connection pool.
C. Implement the database connection opening outside the Lambda event handler code.
D. Implement the database connection opening and closing inside the Lambda eventhandler code.
E. Connect to the proxy endpoint from the Lambda function.
F. Connect to the Aurora cluster endpoint from the Lambda function.


Question # 57

A company wants to deploy a workload on several hundred Amazon EC2 instances. The company will provision the EC2 instances in an Auto Scaling group by using a launch template. The workload will pull files from an Amazon S3 bucket, process the data, and put the results into a different S3 bucket. The EC2 instances must have least-privilege permissions and must use temporary security credentials. Which combination of steps will meet these requirements? (Select TWO.) 

A. Create an IAM role that has the appropriate permissions for S3 buckets. Add the IAMrole to an instance profile.
B. Update the launch template to include the IAM instance profile.
C. Create an IAM user that has the appropriate permissions for Amazon S3. Generate asecret key and token.
D. Create a trust anchor and profile. Attach the IAM role to the profile.
E. Update the launch template. Modify the user data to use the new secret key and token.


Question # 58

A company's application uses a fleet of Amazon EC2 On-Demand Instances to analyze and process data. The EC2 instances are in an Auto Scaling group. The Auto Scaling group is a target group for an Application Load Balancer (ALB). The application analyzes critical data that cannot tolerate interruption. The application also analyzes noncritical data that can withstand interruption. The critical data analysis requires quick scalability in response to real-time application demand. The noncritical data analysis involves memory consumption. A DevOps engineer must implement a solution that reduces scale-out latency for the critical data. The solution also must process the noncritical data. Which combination of steps will meet these requirements? (Select TWO.) 

A. For the critical data, modify the existing Auto Scaling group. Create a warm poolinstance in the stopped state. Define the warm pool size. Create a new version of thelaunch template that has detailed monitoring enabled. use Spot Instances.
B. For the critical data, modify the existing Auto Scaling group. Create a warm poolinstance in the stopped state. Define the warm pool size. Create a new version of thelaunch template that has detailed monitoring enabled. Use On-Demand Instances.
C. For the critical data. modify the existing Auto Scaling group. Create a lifecycle hook toensure that bootstrap scripts are completed successfully. Ensure that the application on theinstances is ready to accept traffic before the instances are registered. Create a newversion of the launch template that has detailed monitoring enabled.
D. For the noncritical data, create a second Auto Scaling group that uses a launchtemplate. Configure the launch template to install the unified Amazon CloudWatch agentand to configure the CloudWatch agent with a custom memory utilization metric. Use SpotInstances. Add the new Auto Scaling group as the target group for the ALB. Modify theapplication to use two target groups for critical data and noncritical data.
E. For the noncritical data, create a second Auto Scaling group. Choose the predefinedmemory utilization metric type for the target tracking scaling policy. Use Spot Instances.Add the new Auto Scaling group as the target group for the ALB. Modify the application touse two target groups for critical data and noncritical data.


Question # 59

A company runs an application with an Amazon EC2 and on-premises configuration. A DevOps engineer needs to standardize patching across both environments. Company policy dictates that patching only happens during non-business hours. Which combination of actions will meet these requirements? (Choose three.) 

A. Add the physical machines into AWS Systems Manager using Systems Manager HybridActivations.
B. Attach an IAM role to the EC2 instances, allowing them to be managed by AWSSystems Manager.
C. Create IAM access keys for the on-premises machines to interact with AWS SystemsManager.
D. Run an AWS Systems Manager Automation document to patch the systems every hour.
E. Use Amazon EventBridge scheduled events to schedule a patch window.
F. Use AWS Systems Manager Maintenance Windows to schedule a patch window.


Question # 60

A company has an application that runs on AWS Lambda and sends logs to Amazon CloudWatch Logs. An Amazon Kinesis data stream is subscribed to the log groups in CloudWatch Logs. A single consumer Lambda function processes the logs from the data stream and stores the logs in an Amazon S3 bucket. The company's DevOps team has noticed high latency during the processing and ingestion of some logs. Which combination of steps will reduce the latency? (Select THREE.) 

A. Create a data stream consumer with enhanced fan-out. Set the Lambda function thatprocesses the logs as the consumer.
B. Increase the ParallelizationFactor setting in the Lambda event source mapping.
C. Configure reserved concurrency for the Lambda function that processes the logs.
D. Increase the batch size in the Kinesis data stream.
E. Turn off the ReportBatchltemFailures setting in the Lambda event source mapping.
F. Increase the number of shards in the Kinesis data stream.


Question # 61

A company has multiple development groups working in a single shared AWS account. The Senior Manager of the groups wants to be alerted via a third-party API call when the creation of resources approaches the service limits for the account. Which solution will accomplish this with the LEAST amount of development effort? 

A. Create an Amazon CloudWatch Event rule that runs periodically and targets an AWSLambda function. Within the Lambda function, evaluate the current state of the AWSenvironment and compare deployed resource values to resource limits on the account.Notify the Senior Manager if the account is approaching a service limit.
B. Deploy an AWS Lambda function that refreshes AWS Trusted Advisor checks, andconfigure an Amazon CloudWatch Events rule to run the Lambda function periodically.Create another CloudWatch Events rule with an event pattern matching Trusted Advisorevents and a target Lambda function. In the target Lambda function, notify the SeniorManager.
C. Deploy an AWS Lambda function that refreshes AWS Personal Health Dashboardchecks, and configure an Amazon CloudWatch Events rule to run the Lambda functionperiodically. Create another CloudWatch Events rule with an event pattern matchingPersonal Health Dashboard events and a target Lambda function. In the target Lambdafunction, notify the Senior Manager.
D. Add an AWS Config custom rule that runs periodically, checks the AWS service limitstatus, and streams notifications to an Amazon SNS topic. Deploy an AWS Lambdafunction that notifies the Senior Manager, and subscribe the Lambda function to the SNStopic.


Question # 62

A DevOps engineer is architecting a continuous development strategy for a company's software as a service (SaaS) web application running on AWS. For application and security reasons users subscribing to this application are distributed across multiple. Application Load Balancers (ALBs) each of which has a dedicated Auto Scaling group and fleet of Amazon EC2 instances The application does not require a build stage and when it is committed to AWS CodeCommit, the application must trigger a simultaneous deployment to all ALBs Auto Scaling groups and EC2 fleets. Which architecture will meet these requirements with the LEAST amount of configuration? 

A. Create a single AWS CodePipeline pipeline that deploys the application in parallel usingunique AWS CodeDeploy applications and deployment groups created for each ALB-AutoScaling group pair.
B. Create a single AWS CodePipeline pipeline that deploys the application using a singleAWS CodeDeploy application and single deployment group.
C. Create a single AWS CodePipeline pipeline that deploys the application in parallel usinga single AWS CodeDeploy application and unique deployment group for each ALB-AutoScaling group pair.
D. Create an AWS CodePipeline pipeline for each ALB-Auto Scaling group pair thatdeploys the application using an AWS CodeDeploy application and deployment groupcreated for the same ALB-Auto Scaling group pair.


Question # 63

A company uses AWS Directory Service for Microsoft Active Directory as its identity provider (IdP). The company requires all infrastructure to be defined and deployed by AWS CloudFormation. A DevOps engineer needs to create a fleet of Windows-based Amazon EC2 instances to host an application. The DevOps engineer has created a CloudFormation template that contains an EC2 launch template, IAM role, EC2 security group, and EC2 Auto Scaling group. The DevOps engineer must implement a solution that joins all EC2 instances to the domain of the AWS Managed Microsoft AD directory. Which solution will meet these requirements with the MOST operational efficiency? 

A. In the CloudFormation template, create an AWS::SSM::Document resource that joinsthe EC2 instance to the AWS Managed Microsoft AD domain by using the parameters forthe existing directory. Update the launch template to include the SSMAssociation propertyto use the new SSM document. Attach the AmazonSSMManagedlnstanceCore andAmazonSSMDirectoryServiceAccess AWS managed policies to the IAM role that the EC2instances use.
B. In the CloudFormation template, update the launch template to include specific tags thatpropagate on launch. Create an AWS::SSM::Association resource to associate the AWSJoinDirectoryServiceDomainAutomation runbook with the EC2 instances that have thespecified tags. Define the required parameters to join the AWS Managed Microsoft ADdirectory. Attach the AmazonSSMManagedlnstanceCore andAmazonSSMDirectoryServiceAccess AWS managed policies to the IAM role that the EC2instances use.
C. Store the existing AWS Managed Microsoft AD domain connection details in AWSSecrets Manager. In the CloudFormation template, create an AWS::SSM::Associationresource to associate the AWS-CreateManagedWindowslnstanceWithApproval Automationrunbook with the EC2 Auto Scaling group. Pass the ARNs for the parameters from SecretsManager to join the domain. Attach the AmazonSSMDirectoryServiceAccess andSecretsManagerReadWrite AWS managed policies to the IAM role that the EC2 instancesuse.
D. Store the existing AWS Managed Microsoft AD domain administrator credentials in AWSSecrets Manager. In the CloudFormation template, update the EC2 launch template toinclude user data. Configure the user data to pull the administrator credentials from SecretsManager and to join the AWS Managed Microsoft AD domain. Attach theAmazonSSMManagedlnstanceCore and SecretsManagerReadWrite AWS managedpolicies to the IAM role that the EC2 instances use.


Question # 64

A company is migrating its on-premises Windows applications and Linux applications to AWS. The company will use automation to launch Amazon EC2 instances to mirror the onpremisesconfigurations. The migrated applications require access to shared storage that uses SMB for Windows and NFS for Linux. The company is also creating a pilot light disaster recovery (DR) environment in another AWS Region. The company will use automation to launch and configure the EC2 instances in the DR Region. The company needs to replicate the storage to the DR Region. Which storage solution will meet these requirements? 

A. Use Amazon S3 for the application storage. Create an S3 bucket in the primary Regionand an S3 bucket in the DR Region. Configure S3 Cross-Region Replication (CRR) fromthe primary Region to the DR Region.
B. Use Amazon Elastic Block Store (Amazon EBS) for the application storage. Create abackup plan in AWS Backup that creates snapshots of the EBS volumes that are in theprimary Region and replicates the snapshots to the DR Region.
C. Use a Volume Gateway in AWS Storage Gateway for the application storage. ConfigureCross-Region Replication (CRR) of the Volume Gateway from the primary Region to theDR Region.
D. Use Amazon FSx for NetApp ONTAP for the application storage. Create an FSx forONTAP instance in the DR Region. Configure NetApp SnapMirror replication from theprimary Region to the DR Region.


Question # 65

A company runs a workload on Amazon EC2 instances. The company needs a control that requires the use of Instance Metadata Service Version 2 (IMDSv2) on all EC2 instances in the AWS account. If an EC2 instance does not prevent the use of Instance Metadata Service Version 1 (IMDSv1), the EC2 instance must be terminated. Which solution will meet these requirements? 

A. Set up AWS Config in the account. Use a managed rule to check EC2 instances.Configure the rule to remediate the findings by using AWS Systems Manager Automationto terminate the instance.
B. Create a permissions boundary that prevents the ec2:Runlnstance action if theec2:MetadataHttpTokens condition key is not set to a value of required. Attach thepermissions boundary to the IAM role that was used to launch the instance.
C. Set up Amazon Inspector in the account. Configure Amazon Inspector to activate deepinspection for EC2 instances. Create an Amazon EventBridge rule for an Inspector2finding. Set an AWS Lambda function as the target to terminate the instance.
D. Create an Amazon EventBridge rule for the EC2 instance launch successful event. Sendthe event to an AWS Lambda function to inspect the EC2 metadata and to terminate theinstance.


Question # 66

A company is launching an application that stores raw data in an Amazon S3 bucket. Three applications need to access the data to generate reports. The data must be redacted differently for each application before the applications can access the data. Which solution will meet these requirements? 

A. Create an S3 bucket for each application. Configure S3 Same-Region Replication (SRR) from the raw data's S3 bucket to each application's S3 bucket. Configure each applicationto consume data from its own S3 bucket.
B. Create an Amazon Kinesis data stream. Create an AWS Lambda function that isinvoked by object creation events in the raw data's S3 bucket. Program the Lambdafunction to redact data for each application. Publish the data on the Kinesis data stream.Configure each application to consume data from the Kinesis data stream.
C. For each application, create an S3 access point that uses the raw data's S3 bucket asthe destination. Create an AWS Lambda function that is invoked by object creation eventsin the raw data's S3 bucket. Program the Lambda function to redact data for eachapplication. Store the data in each application's S3 access point. Configure eachapplication to consume data from its own S3 access point.
D. Create an S3 access point that uses the raw data's S3 bucket as the destination. Foreach application, create an S3 Object Lambda access point that uses the S3 access point.Configure the AWS Lambda function for each S3 Object Lambda access point to redactdata when objects are retrieved. Configure each application to consume data from its ownS3 Object Lambda access point.


Question # 67

A company hosts applications in its AWS account Each application logs to an individual Amazon CloudWatch log group. The company’s CloudWatch costs for ingestion are increasing A DevOps engineer needs to Identify which applications are the source of the increased logging costs. Which solution Will meet these requirements? 

A. Use CloudWatch metrics to create a custom expression that Identifies the CloudWatchlog groups that have the most data being written to them.
B. Use CloudWatch Logs Insights to create a set of queries for the application log groupsto Identify the number of logs written for a period of time
C. Use AWS Cost Explorer to generate a cost report that details the cost for CloudWatchusage
D. Use AWS CloudTrail to filter for CreateLogStream events for each application


Question # 68

A company uses an organization in AWS Organizations that has all features enabled. The company uses AWS Backup in a primary account and uses an AWS Key Management Service (AWS KMS) key to encrypt the backups. The company needs to automate a cross-account backup of the resources that AWS Backup backs up in the primary account. The company configures cross-account backup in the Organizations management account. The company creates a new AWS account in the organization and configures an AWS Backup backup vault in the new account. The company creates a KMS key in the new account to encrypt the backups. Finally, the company configures a new backup plan in the primary account. The destination for the new backup plan is the backup vault in the new account. When the AWS Backup job in the primary account is invoked, the job creates backups in the primary account. However, the backups are not copied to the new account's backup vault. Which combination of steps must the company take so that backups can be copied to the new account's backup vault? (Select TWO.) 

A. Edit the backup vault access policy in the new account to allow access to the primaryaccount.
B. Edit the backup vault access policy in the primary account to allow access to the newaccount.
C. Edit the backup vault access policy in the primary account to allow access to the KMSkey in the new account.
D. Edit the key policy of the KMS key in the primary account to share the key with the newaccount.
E. Edit the key policy of the KMS key in the new account to share the key with the primaryaccount.


Question # 69

A growing company manages more than 50 accounts in an organization in AWS Organizations. The company has configured its applications to send logs to Amazon CloudWatch Logs. A DevOps engineer needs to aggregate logs so that the company can quickly search the logs to respond to future security incidents. The DevOps engineer has created a new AWS account for centralized monitoring. Which combination of steps should the DevOps engineer take to make the application logs searchable from the monitoring account? (Select THREE.) 

A. In the monitoring account, download an AWS CloudFormation template fromCloudWatch to use in Organizations. Use CloudFormation StackSets in the organization'smanagement account to deploy the CloudFormation template to the entire organization.
B. Create an AWS CloudFormation template that defines an IAM role. Configure the role toallow logs-amazonaws.com to perform the logs:Link action if the aws:ResourceAccountproperty is equal to the monitoring account ID. Use CloudFormation StackSets in theorganization's management account to deploy the CloudFormation template to the entireorganization.
C. Create an IAM role in the monitoring account. Attach a trust policy that allowslogs.amazonaws.com to perform the iam:CreateSink action if the aws:PrincipalOrgldproperty is equal to the organization ID.
D. In the organization's management account, enable the logging policies for theorganization.
E. use CloudWatch Observability Access Manager in the monitoring account to create asink. Allow logs to be shared with the monitoring account. Configure the monitoring accountdata selection to view the Observability data from the organization ID.
F. In the monitoring account, attach the CloudWatchLogsReadOnlyAccess AWS managedpolicy to an IAM role that can be assumed to search the logs.


Question # 70

A company plans to use Amazon CloudWatch to monitor its Amazon EC2 instances. The company needs to stop EC2 instances when the average of the NetworkPacketsIn metric is less than 5 for at least 3 hours in a 12-hour time window. The company must evaluate the metric every hour. The EC2 instances must continue to run if there is missing data for the NetworkPacketsIn metric during the evaluation period. A DevOps engineer creates a CloudWatch alarm for the NetworkPacketsIn metric. The DevOps engineer configures a threshold value of 5 and an evaluation period of 1 hour. Which set of additional actions should the DevOps engineer take to meet these requirements? 

A. Configure the Datapoints to Alarm value to be 3 out of 12. Configure the alarm to treatmissing data as breaching the threshold. Add an AWS Systems Manager action to stop theinstance when the alarm enters the ALARM state.
B. Configure the Datapoints to Alarm value to be 3 out of 12. Configure the alarm to treatmissing data as not breaching the threshold. Add an EC2 action to stop the instance whenthe alarm enters the ALARM state.
C. Configure the Datapoints to Alarm value to be 9 out of 12. Configure the alarm to treatmissing data as breaching the threshold. Add an EC2 action to stop the instance when thealarm enters the ALARM state.
D. Configure the Datapoints to Alarm value to be 9 out of 12. Configure the alarm to treatmissing data as not breaching the threshold. Add an AWS Systems Manager action to stop the instance when the alarm enters the ALARM state.


Question # 71

A company builds an application that uses an Application Load Balancer in front of Amazon EC2 instances that are in an Auto Scaling group. The application is stateless. The Auto Scaling group uses a custom AMI that is fully prebuilt. The EC2 instances do not have a custom bootstrapping process. The AMI that the Auto Scaling group uses was recently deleted. The Auto Scaling group's scaling activities show failures because the AMI ID does not exist. Which combination of steps should a DevOps engineer take to meet these requirements? (Select THREE.) 

A. Create a new launch template that uses the new AMI.
B. Update the Auto Scaling group to use the new launch template.
C. Reduce the Auto Scaling group's desired capacity to O.
D. Increase the Auto Scaling group's desired capacity by I.
E. Create a new AMI from a running EC2 instance in the Auto Scaling group.
F. Create a new AMI by copying the most recent public AMI of the operating system thatthe EC2 instances use.


Question # 72

A company's application teams use AWS CodeCommit repositories for their applications. The application teams have repositories in multiple AWS accounts. All accounts are in an organization in AWS Organizations. Each application team uses AWS IAM Identity Center (AWS Single Sign-On) configured with an external IdP to assume a developer IAM role. The developer role allows the application teams to use Git to work with the code in the repositories. A security audit reveals that the application teams can modify the main branch in any repository. A DevOps engineer must implement a solution that allows the application teams to modify the main branch of only the repositories that they manage. Which combination of steps will meet these requirements? (Select THREE. 

A. Update the SAML assertion to pass the user's team name. Update the IAM role's trustpolicy to add an access-team session tag that has the team name.
B. Create an approval rule template for each team in the Organizations managementaccount. Associate the template with all the repositories. Add the developer role ARN as anapprover.
C. Create an approval rule template for each account. Associate the template with allrepositories. Add the "aws:ResourceTag/access-team":"$ ;{aws:PrincipaITag/accessteam}"condition to the approval rule template.
D. For each CodeCommit repository, add an access-team tag that has the value set to thename of the associated team.
E. Attach an SCP to the accounts. Include the following statement:


Question # 73

A company deploys a web application on Amazon EC2 instances that are behind an Application Load Balancer (ALB). The company stores the application code in an AWS CodeCommit repository. When code is merged to the main branch, an AWS Lambda function invokes an AWS CodeBuild project. The CodeBuild project packages the code, stores the packaged code in AWS CodeArtifact, and invokes AWS Systems Manager Run Command to deploy the packaged code to the EC2 instances. Previous deployments have resulted in defects, EC2 instances that are not running the latest version of the packaged code, and inconsistencies between instances. Which combination of actions should a DevOps engineer take to implement a more reliable deployment solution? (Select TWO.) 

A. Create a pipeline in AWS CodePipeline that uses the CodeCommit repository as asource provider. Configure pipeline stages that run the CodeBuild project in parallel to buildand test the application. In the pipeline, pass the CodeBuild project output artifact to anAWS CodeDeploy action.
B. Create a pipeline in AWS CodePipeline that uses the CodeCommit repository as asource provider. Create separate pipeline stages that run a CodeBuild project to build andthen test the application. In the pipeline, pass the CodeBuild project output artifact to anAWS CodeDeploy action.
C. Create an AWS CodeDeploy application and a deployment group to deploy thepackaged code to the EC2 instances. Configure the ALB for the deployment group.
D. Create individual Lambda functions that use AWS CodeDeploy instead of SystemsManager to run build, test, and deploy actions.
E. Create an Amazon S3 bucket. Modify the CodeBuild project to store the packages in theS3 bucket instead of in CodeArtifact. Use deploy actions in CodeDeploy to deploy theartifact to the EC2 instances.


Question # 74

A company manages AWS accounts for application teams in AWS Control Tower. Individual application teams are responsible for securing their respective AWS accounts. A DevOps engineer needs to enable Amazon GuardDuty for all AWS accounts in which the application teams have not already enabled GuardDuty. The DevOps engineer is using AWS CloudFormation StackSets from the AWS Control Tower management account. How should the DevOps engineer configure the CloudFormation template to prevent failure during the StackSets deployment? 

A. Create a CloudFormation custom resource that invokes an AWS Lambda function.Configure the Lambda function to conditionally enable GuardDuty if GuardDuty is notalready enabled in the accounts.
B. Use the Conditions section of the CloudFormation template to enable GuardDuty inaccounts where GuardDuty is not already enabled.
C. Use the CloudFormation Fn. GetAtt intrinsic function to check whether GuardDuty isalready enabled If GuardDuty is not already enabled use the Resources section of theCloudFormation template to enable GuardDuty.
D. Manually discover the list of AWS account IDs where GuardDuty is not enabled Use theCloudFormation Fn: ImportValue intrinsic function to import the list of account IDs into theCloudFormation template to skip deployment for the listed AWS accounts.


Question # 75

A company builds a container image in an AWS CodeBuild project by running Docker commands. After the container image is built, the CodeBuild project uploads the container image to an Amazon S3 bucket. The CodeBuild project has an IAM service role that has permissions to access the S3 bucket. A DevOps engineer needs to replace the S3 bucket with an Amazon Elastic Container Registry (Amazon ECR) repository to store the container images. The DevOps engineer creates an ECR private image repository in the same AWS Region of the CodeBuild project. The DevOps engineer adjusts the IAM service role with the permissions that are necessary to work with the new ECR repository. The DevOps engineer also places new repository information into the docker build command and the docker push command that are used in the buildspec.yml file. When the CodeBuild project runs a build job, the job fails when the job tries to access the ECR repository. Which solution will resolve the issue of failed access to the ECR repository? 

A. Update the buildspec.yml file to log in to the ECR repository by using the aws ecr getlogin-password AWS CLI command to obtain an authentication token. Update the dockerlogin command to use the authentication token to access the ECR repository.
B. Add an environment variable of type SECRETS_MANAGER to the CodeBuild project. Inthe environment variable, include the ARN of the CodeBuild project's IAM service role.Update the buildspec.yml file to use the new environment variable to log in with the dockerlogin command to access the ECR repository.
C. Update the ECR repository to be a public image repository. Add an ECR repositorypolicy that allows the IAM service role to have access.
D. Update the buildspec.yml file to use the AWS CLI to assume the IAM service role forECR operations. Add an ECR repository policy that allows the IAM service role to haveaccess.


Amazon DOP-C02 Frequently Asked Questions


Customers Feedback

What our clients say about DOP-C02 Exam Simulations

Leave a comment

Your email address will not be published. Required fields are marked *

Rating / Feedback About This Exam