Due to compliance regulations, management has asked you to provide a system that allows for cost-effective long-term storage of your application logs and provides a way for support staff to view the logs more quickly. Currently your log system archives logs automatically to Amazon S3 every hour, and support staff must wait for these logs to appear in Amazon S3, because they do not currently have access to the systems to view live logs. What method should you use to become compliant while also providing a faster way for support staff to have access to logs? Update Amazon S3 lifecycle policies to archive old logs to Amazon Glacier, and add a new policy
to push all log entries to Amazon SQS for ingestion by the support team. Update Amazon S3 lifecycle policies to archive old logs to Amazon Glacier, and add a new policy
to push all log entries to Amazon SQS for ingestion by the support team. Update Amazon Glacier lifecycle policies to pull new logs from Amazon S3, and in the Amazon
EC2 console, enable the CloudWatch Logs Agent on all of your application servers. Update Amazon S3 lifecycle policies to archive old logs to Amazon Glacier. key can be different from the tableEnable Amazon S3 partial uploads on your Amazon S3 bucket, and trigger an Amazon SNS notification when a partial upload occurs. Use or write a service to stream your application logs to CloudWatch Logs. Use an Amazon
Elastic Map Reduce cluster to live stream your logs from CloudWatch Logs for ingestion by the
support team, and create a Hadoop job to push the logs to S3 in five-minute chunks.
You want to securely distribute credentials for your Amazon RDS instance to your fleet of web server instances.
The credentials are stored in a file that is controlled by a configuration management system. How do you securely deploy the credentials in an automated manner across the fleet of web server instances, which can number in the hundreds, while retaining the ability to roll back if needed? Store your credential files in an Amazon S3 bucket. Use Amazon S3 server-side encryption on the credential files. Have a scheduled job that pulls down the credential files into the instances every 10 minutes. Store the credential files in your version-controlled repository with the rest of your code. Have a post-commit action in version control that kicks off a job in your continuous integration system which securely copses the new credential files to all web server instances.
Insert credential files into user data and use an instance lifecycle policy to periodically refresh the file from the user data. Keep credential files as a binary blob in an Amazon RDS MySQL DB instance, and have a script on each Amazon EC2 instance that pulls the files down from the RDS instance Store the credential files in your version-controlled repository with the rest of your code. Use a parallel file copy program to send the credential files from your local machine to the Amazon EC2 instances.
You are using a configuration management system to manage your Amazon EC2 instances. On your Amazon EC2 Instances, you want to store credentials for connecting to an Amazon RDS DB instance. How should you securely store these credentials? Give the Amazon EC2 instances an IAM role that allows read access to a private Amazon S3 bucket. Store a file with database credentials in the Amazon S3 bucket. Have your configuration management system pull the file from the bucket when it is needed. Launch an Amazon EC2 instance and use the configuration management system to bootstrap the instance with the Amazon RDS DB credentials.Create an AMI from this instance. Store the Amazon RDS DB credentials in Amazon EC2 user data. Import the credentials into the Instance on boot. Assign an IAM role to your Amazon RDS instance, and use this IAM role to access the Amazon RDS DB from your Amazon EC2 instances Store your credentials in your version control system, in plaintext. Check out a copy of your credentials from the version control system on boot. Use Amazon EBS encryption on the volume storing the Amazon RDS DB credentials.
Your company has developed a web application and is hosting it in an Amazon S3 bucket configured for static website hosting. The application is using the AWS SDK for JavaScript in the browser to access data stored in an Amazon DynamoDB table. How can you ensure that API keys for access to your data in DynamoDB are kept secure? Create an Amazon S3 role in IAM with access to the specific DynamoDB tables, and assign it to the bucket hosting your website. Configure S3 bucket tags with your AWS access keys for your bucket hosing your website so that the application can query them for access. Configure a web identity federation role within IAM to enable access to the correct DynamoDB resources and retrieve temporary credentials. Store AWS keys in global variables within your application and configure the application to use these credentials when making requests.
You need to implement A/B deployments for several multi-tier web applications. Each of them has Its Individual infrastructure: Amazon Elastic Compute Cloud (EC2) front-end servers, Amazon ElastiCache clusters, Amazon Simple Queue Service (SQS) queues, and Amazon Relational Database (RDS) Instances. Which combination of services would give you the ability to control traffic between different deployed versions of your application? (Choose one.) Create one AWS Elastic Beanstalk application and all AWS resources (using configuration files inside the application source bundle) for each web application. New versions would be deployed a-eating Elastic Beanstalk environments and using the Swap URLs feature. Using AWS CloudFormation templates, create one Elastic Beanstalk application and all AWS resources (in the same template) for each web application. New versions would be deployed using AWS CloudFormation templates to create new Elastic Beanstalk environments, and traffic would be balanced between them using weighted Round Robin (WRR) records in Amazon Route53. Using AWS CloudFormation templates, create one Elastic Beanstalk application and all AWS resources (in the same template) for each web application. New versions would be deployed updating a parameter on the CloudFormation template and passing it to the cfn-hup helper daemon, and traffic would be balanced between them using Weighted Round Robin (WRR) records in Amazon Route 53 Create one Elastic Beanstalk application and all AWS resources (using configuration files inside the application source bundle) for each web application. New versions would be deployed updating the Elastic Beanstalk application version for the current Elastic Beanstalk environment.
You work for an insurance company and are responsible for the day-to-day operations of your company's online quote system used to provide insurance quotes to members of the public. Your company wants to use the application logs generated by the system to better understand customer behavior.Industry, regulations also require that you retain all application logs for the system indefinitely in order to investigate fraudulent claims in the future. You have been tasked with designing a log management system with the following requirements:
- All log entries must be retained by the system, even during unplanned instance failure.
- The customer insight team requires immediate access to the logs from the past seven days.
- The fraud investigation team requires access to all historic logs, but will wait up to 24 hours before these logs are available.
How would you meet these requirements in a cost-effective manner? Choose 3 answers Configure your application to write logs to the instance's ephemeral disk, because this storage is free and has good write performance. Create a script that moves the logs from the instance to Amazon 53 once an hour. Write a script that is configured to be executed when the instance is stopped or terminated and that will upload any remaining logs on the instance to Amazon S3. Create an Amazon S3 lifecycle configuration to move log files from Amazon S3 to Amazon Glacier after seven days. Configure your application to write logs to the instance's default Amazon EBS boot volume, because this storage already exists. Create a script that moves the logs from the instance to Amazon 53 once an hour. Configure your application to write logs to a separate Amazon EBS volume with the "delete on termination" field set to false. Create a script that moves the logs from the instance to Amazon S3 once an hour. Create a housekeeping script that runs on a T2 micro instance managed by an Auto Scaling group for high availability. The script uses the AWS API to identify any unattached Amazon EBS volumes containing log files. Your housekeeping script will mount the Amazon EBS volume, upload all logs to Amazon S3, and
then delete the volume.
.
You have an application running on Amazon EC2 in an Auto Scaling group. Instances are being bootstrapped dynamically, and the bootstrapping takes over 15 minutes to complete. You find that instances are reported by Auto Scaling as being In Service before bootstrapping has completed. You are receiving application alarms related to new instances before they have completed bootstrapping, which is causing confusion. You find the cause: your application monitoring tool is polling the Auto Scaling Service API for instances that are In Service, and creating alarms for new previously unknown instances. Which of the following will ensure that new instances are not added to your application monitoring tool before bootstrapping is completed? Create an Auto Scaling group lifecycle hook to hold the instance in a pending: wait state until your
bootstrapping is complete. Once bootstrapping is complete, notify Auto Scaling to complete the lifecycle hook and move the instance into a pending: complete state. Use the default Amazon CloudWatch application metrics to monitor your application's health. Configure an Amazon SNS topic to send these CloudWatch alarms to the correct recipients. Tag all instances on launch to identify that they are in a pending state. Change your application monitoring tool to look for this tag before adding new instances, and the use the Amazon API to set the instance state to 'pending' until bootstrapping is complete Increase the desired number of instances in your Auto Scaling group configuration to reduce the time it takes to bootstrap future instances.
You have been given a business requirement to retain log files for your application for 10 years. You need to regularly retrieve the most recent logs for troubleshooting. Your logging system must be cost-effective, given the large volume of logs. What technique should you use to meet these requirements? Store your log in Amazon CloudWatch Logs. Store your logs in Amazon Glacier. Store your logs in Amazon S3, and use lifecycle policies to archive to Amazon Glacier. Store your logs in HDFS on an Amazon EMR cluster. Store your logs on Amazon EBS, and use Amazon EBS snapshots to archive them.
You work for a startup that has developed a new photo-sharing application for mobile devices. Over recent months your application has increased in popularity; this has resulted in a decrease in the performance of the application clue to the increased load. Your application has a two-tier architecture that is composed of an Auto Scaling PHP application tier and a MySQL RDS instance initially deployed with AWS CloudFormation. Your Auto Scaling group has a min value of 4 and a max value of 8. The desired capacity is now at 8 because of the high CPU utilization of the instances. After some analysis, you are confident that the performance issues stem from a constraint in CPU capacity, although memory utilization remains low. You therefore decide to move from the general-purpose M3 instances to the compute-optimized C3 instances. How would you deploy this change while minimizing any interruption to your end users? Sign into the AWS Management Console, copy the old launch configuration, and create a new launch configuration that specifies the C3 instances. Update the Auto Scaling group with the new launch configuration. Auto Scaling will then update the instance type of all running instances. Sign into the AWS Management Console, and update the existing launch configuration with the
new C3 instance type. Add an UpdatePolicy attribute to your Auto Scaling group that specifies AutoScalingRollingUpdate. Update the launch configuration specified in the AWS CloudFormation template with the new C3 instance type. Run a stack update with the new template. Auto Scaling will then update the instances with the new instance type. Update the launch configuration specified in the AWS CloudFormation template with the new C3 instance type. Also add an UpdatePolicy attribute to your Auto Scaling group that specifies AutoScalingRollingUpdate. Run a stack update with the new template.
You've been tasked with implementing an automated data backup solution for your application servers that run on Amazon EC2 with Amazon EBS volumes. You want to use a distributed data store for your backups to avoid single points of failure and to increase the durability of the data. Daily backups should be retained for 30 days so that you can restore data within an hour. How can you implement this through a script that a scheduling daemon runs daily on the application servers? Write the script to call the ec2-create-volume API, tag the Amazon EBS volume with the current date time group, and copy backup data to a second Amazon EBS volume. Use the ec2-describe-volumes API to enumerate existing backup volumes. Call the ec2-delete-volume API to prune backup volumes that are tagged with a date-tine group older than 30 days. Write the script to call the Amazon Glacier upload archive API, and tag the backup archive with the current date-time group. Use the list vaults API to enumerate existing backup archives Call the delete vault API to prune backup archives that are tagged with a date-time group older than 30 days. Write the script to call the ec2-create-snapshot API, and tag the Amazon EBS snapshot with the current date-time group. Use the ec2-describe-snapshot API to enumerate existing Amazon EBS snapshots. Call the ec2-delete-snapShot API to prune Amazon EBS snapshots that are tagged with a date-time group older than 30 days. Write the script to call the ec2-create-volume API, tag the Amazon EBS volume with the current date-time group, and use the ec2-copy-snapshot API to back up data to the new Amazon EBS volume. Use the ec2- describe-snapshot API to enumerate existing backup volumes. Call the ec2-delete-snaphot API to prune backup Amazon EBS volumes that are tagged with a date-time group older than 30 days.
An application is being deployed with two Amazon EC2 Auto Scaling groups, each configured with an Application Load Balancer. The application is deployed to one of the Auto Scaling groups and an Amazon Route 53 alias record is pointed to the Application Load Balancer of the last deployed Auto Scaling group. Deployments alternate between the two Auto Scaling groups. Home security devices are making requests into the application. The Development team notes that new requests are coming into the old stack days after the deployment. The issue is caused by devices
that are not observing the Time to Live (TTL) setting on the Amazon Route 53 alias record. What steps should the DevOps Engineer take to address the issue with requests coming to the old stacks, while creating minimal additional resources? Reduce the application to one Application Load Balancer. Create two target groups named Blue and Green. Create a rule on the Application Load Balancer pointed to a single target group. Add logic to the deployment to update the Application Load Balancer rule to the target group of the newly deployed Auto Scaling group. Create an Amazon CloudFront distribution. Set the two existing Application Load Balancers as origins on the distribution. After a deployment, update the CloudFront distribution behavior to send requests to the newly deployed Auto Scaling group. Move the application to an AWS Elastic Beanstalk application with two environments. Perform new deployments on the non-live environment. After a deployment, perform an Elastic Beanstalk CNAME swap to make the newly deployed environment the live environment. Create a fleet of Amazon EC2 instances running HAProxy behind an Application Load Balancer. The HAProxy instances will proxy the requests to one of the existing Auto Scaling groups. After a deployment the HAProxy instances are updated to send requests to the newly deployed Auto Scaling
group.
A company has several AWS accounts. The accounts are shared and used across multiple teams
globally, primarily for Amazon EC2 instances. Each EC2 instance has tags for team, environment, and
cost center to ensure accurate cost allocations. How should a DevOps Engineer help the teams audit their costs and automate infrastructure cost optimization across multiple shared environments and accounts? Create a separate Amazon CloudWatch dashboard for EC2 instance tags based on cost center, environment, and team, and publish the instance tags out using unique links for each team. For each team, set up a CloudWatch Events rule with the CloudWatch dashboard as the source, and set up a trigger to initiate an AWS Lambda function to reduce underutilized instances. Use AWS Systems Manager to track instance utilization and report underutilized instances to Amazon CloudWatch. Filter data in CloudWatch based on tags for team, environment, and cost center. Set up triggers from CloudWatch into AWS Lambda to reduce underutilized instances Create an Amazon CloudWatch Events rule with AWS Trusted Advisor as the source for low utilization EC2 instances. Trigger an AWS Lambda function that filters out reported data based on tags for each team, environment, and cost center, and store the Lambda function in Amazon S3. Set up a second trigger to initiate a Lambda function to reduce underutilized instances. Set up a scheduled script on the EC2 instances to report utilization and store the instances in an Amazon DynamoDB table. Create a dashboard in Amazon QuickSight with DynamoDB as the source data to find underutilized instances. Set up triggers from Amazon QuickSight in AWS Lambda to reduce underutilized instances.
How long are the messages kept on an SQS queue by default? 4 days 1 day 2 weeks If a message is not read, it is never deleted.
You need to grant a vendor access to your AWS account. They need to be able to read protected messages in a private S3 bucket at their leisure. They also use AWS. What is the best way to accomplish this? Create a cross-account IAM Role with permission to access the bucket, and grant permission to use the Role to the vendor AWS account. Create an IAM User with API Access Keys. Grant the User permissions to access the bucket. Give the vendor the AWS Access Key ID and AWS Secret Access Key for the User. Create an EC2 Instance Profile on your account. Grant the associated IAM role full access to the bucket. Start an EC2 instance with this Profile and give SSH access to the instance to the vendor. Generate a signed S3 PUT URL and a signed S3 PUT URL, both with wildcard values and 2 year durations. Pass the URLs to the vendor.
A DevOps Engineer is responsible for the deployment of a PHP application. The Engineer is working in a hybrid deployment, with the application running on both on-premises servers and Amazon EC2 instances. The application needs access to a database containing highly confidential information. Application instances need access to database credentials, which must be encrypted at rest and in transit before reaching the instances. How should the Engineer automate the deployment process while also meeting the security requirements? Use AWS Elastic Beanstalk with a PHP platform configuration to deploy application packages to the instances. Store database credentials on AWS Systems Manager Parameter Store using the Secure String data type. Define an IAM role for Amazon EC2 allowing access, and decrypt only the database credentials. Associate this role to all the instances. Use AWS CodeDeploy to deploy application packages to the instances. Store database credentials in the AppSpec file. Define an IAM policy for allowing access to only the database credentials. Attach the IAM policy to the role associated to the instance profile for CodeDeploy- managed instances and the role used for on-premises instances registration on CodeDeploy. Use AWS CodeDeploy to deploy application packages to the instances. Store database credentials on AWS Systems Manager Parameter Store using the Secure String data type. Define an IAM policy for allowing access, and decrypt only the database credentials. Attach the IAM policy to the role associated to the instance profile for CodeDeploy-managed instances, and to the role used for onpremises instances registration on CodeDeploy. Use AWS CodeDeploy to deploy application packages to the instances. Store database credentials
on AWS Systems Manager Parameter Store using the Secure String data type. Define an IAM role with
an attached policy that allows decryption of the database credentials. Associate this role to all the
instances and on-premises servers.
A Developer is maintaining a fleet of 50 Amazon EC2 Linux servers. The servers are part of an Amazon EC2 Auto Scaling group, and also use Elastic Load Balancing for load balancing. Occasionally, some application servers are being terminated after failing ELB HTTP health checks. The Developer would like to perform a root cause analysis on the issue, but before being able to access application logs, the server is terminated. How can log collection be automated? Use Auto Scaling lifecycle hooks to put instances in a Terminating: Wait state. Create a Config rule for EC2 Instance-terminate Lifecycle Action and trigger a step function that executes a script to collect logs, push them to Amazon S3, and complete the lifecycle action once logs are collected. Use Auto Scaling lifecycle hooks to put instances in a Terminating:Wait state. Create an Amazon CloudWatch Events rule for EC2 'Instance-terminate Lifecycle Action and trigger an AWS Lambda function that executes a SSM Run Command script to collect logs, push them to Amazon S3, and complete the lifecycle action once logs are collected. Use Auto Scaling lifecycle hooks to put instances in a Pending:Wait state. Create an Amazon CloudWatch Alarm for EC2 Instance Terminate Successful and trigger an AWS Lambda function that executes an SSM Run Command script to collect logs, push them to Amazon S3, and complete the lifecycle action once logs are collected. Use Auto Scaling lifecycle hooks to put instances in a Terminating: Wait state. Create an Amazon CloudWatch subscription filter for EC2 Instance Terminate Successful and trigger a CloudWatch agent that executes a script to called logs, push them to Amazon S3, and complete the lifecycle action once logs are collected.
Your mobile application includes a photo-sharing service that is expecting tens of thousands of users at launch. You will leverage Amazon Simple Storage Service (S3) for storage of the user Images, and you must decide how to authenticate and authorize your users for access to these images. You also need to manage the storage of these images. Which two of the following approaches should you use?
Choose 2 answers Authenticate your users at the application level, and use AWS Security Token Service (STS) to grant token-based authorization to S3 objects. Authenticate your users at the application level, and send an SMS token message to the user. Create an Amazon S3 bucket with the same name as the SMS message token, and move the user's objects to that bucket. Use AWS Identity and Access Management (IAM) user accounts as your application-level user database, and offload the burden of authentication from your application code. Create an Amazon S3 bucket per user, and use your application to generate the S3 URI for the appropriate content. Use a key-based naming scheme comprised from the user IDs for all user objects in a single Amazon S3 bucket.
Your company currently runs a large multi-tier web application. One component is an API service that all other components of your application rely on to perform read/write operations. This service must have high availability and zero downtime during deployments. Which technique should you use to provide cost-effective, zero-downtime deployments for this
component? Re-deploy your application behind a load balancer using an AWS OpsWorks stack and use AWS OpsWorks stack versioning, during deployment create a new version of your application, tell AWS OpsWorks to launch the new version behind your load balancer, and when the new version is launched, terminate the old AWS OpsWorks stack. Re-deploy your application on Elastic Beanstalk. During deployment, create a new version of your application, and create a new environment running that version in Elastic BeanStalk. Finally, take advantage of the Elastic Beanstalk Swap CNAME operation to switch to the new environment. Re-deploy your application behind a load balancer that uses Auto Scaling groups. Create a new identical Auto Scaling group and associate it to your Amazon Route53 zone. Configure Amazon Route53 to auto- weight traffic over to the new Auto Scaling group when all instances are marked as healthy. Use an AWS CloudFormation template to re-deploy your application behind a load balancer, and launch a new AWS CloudFormation stack during each deployment. Update your load balancer to send traffic to the new stack, and then deploy your software. Leave your old stacks running, and tag their resources with the version for rollback.
Your application Amazon Elastic Compute Cloud (EC2) instances bootstrap by using a master configuration file that is kept in a version-enabled Amazon Simple Storage Service (S3) bucket. Which one of the following methods should you use to securely install the current configuration version onto the instances in a cost-effective way? Create an Amazon DynamoDB table to store the different versions of the configuration file. Associate AWS Identity and Access Management (IAM) EC2 roles to the Amazon EC2 instances, and reference the DynamoDB table to get the latest file from Amazon Simple Storage Service (S3). Associate an IAM EC2 role to the instances, list the object versions using the Amazon S3 API, and then get the latest object. Store the IAM credentials in the Amazon EC2 user data for each instance, and then simply get the object from S3, because the default is the current version. Associate an IAM EC2 role to the instances, and then simply get the object from Amazon S3, because the default is the current version. Associate an IAM S3 role to the bucket, list the object versions using the Amazon S3 API, and then get the latest object.
You are building a Docker image with the following Dockerfile. How many layers will the
resulting image have?
FROM scratch
CMD /app/hello.sh 4 1 3 2.
Which major database needs a BYO license? MariaDB MySQL Oracle PostgreSQL.
You meet once per month with your operations team to review the past month's data. During the meeting, you realize that 3 weeks ago, your monitoring system which pings over HTTP from outside AWS recorded a large spike in latency on your 3-tier web service API. You use DynamoDB for the database layer, ELB, EBS, and EC2 for the business logic tier, and SQS, ELB, and EC2 for the presentation layer. Which of the following techniques will NOT help you figure out what happened? Review CloudWatch Metrics graphs to determine which component(s) slowed the system down. Analyze your logs to detect bursts in traffic at that time. Review your ELB access logs in S3 to see if any ELBs in your system saw the latency. Check your CloudTrail log history around the spike's time for any API calls that caused slowness.
Using the AWS CLI, which command retrieves CloudTrail trail settings, including the status of the trail itself? aws cloudtrail return-trails aws cloudtrail describe-trails aws cloudtrail get-settings aws cloudtrail validate-settings.
You are running Amazon CloudTrail on an Amazon S3 bucket and look at your most recent log. You notice that the entries include the ListThings and CreateThings actions and wonder if your devices have been hacked. Based on these entries, what service would you be concerned may have been hacked? AWS IoT Amazon Glacier AWS CodePipeline Amazon Inspector.
What is the order of most-to-least rapidly-scaling (fastest to scale first)?
a) EC2 + ELB + Auto Scaling
b) Lambda
c) RDS B, A, C C, B, A A, C, B C, A, B.
A company is using AWS for an application. The Development team must automate its deployments. The team has set up an AWS CodePipeline to deploy the application to Amazon EC2 instances by using AWS CodeDeploy after it has been built using the AWS CodeBuild service. The team would like to add automated testing to the pipeline to confirm that the application is healthy before deploying it to the next stage of the pipeline using the same code. The team requires a manual approval action before the application is deployed, even if the test is successful. The testing and approval must be accomplished at the lowest costs, using the simplest management solution. Which solution will meet these requirements? Add a test action after the last deploy action of the pipeline. Configure the action to use CodeBuild to perform the required tests. If these tests are successful, mark the action as successful. Add a manual approval action that uses Amazon SNS to notify the team, and add a deploy action to deploy the application to the next stage. Add a manual approval action after the last deploy action of the pipeline. Use Amazon SNS to inform the team of the stage being triggered. Next, add a test action using CodeBuild to do the required tests. At the end of the pipeline, add a deploy action to deploy the application to the next stage. Create a new pipeline that uses a source action that gets the code from the same repository as the first pipeline. Add a deploy action to deploy the code to a test environment. Use a test action using AWS Lambda to test the deployment. Add a manual approval action by using Amazon SNS to notify the team, and add a deploy action to deploy the application to the next stage. Add a test action after the last deployment action. Use a Jenkins server on Amazon EC2 to do the required tests and mark the action as successful if the tests pass. Create a manual approval action that uses Amazon SQS to notify the team and add a deploy action to deploy the application to the next stage.
Ansible provides some methods for controlling how or when a task is ran. Which of the
following is a valid method for controlling a task with a loop? - with: <value> - with_items: <value> - items: <value> - only_when: <conditional>.
You need to perform ad-hoc business analytics queries on well-structured data. Data comes in constantly at a high velocity. Your business intelligence team can understand SQL. What AWS service(s) should you look to first? EMR running Apache Spark Kinesis Firehose + RDS EMR using Hive Kinesis Firehose + RedShift.
An education company has a Docker-based application running on multiple Amazon EC2 instances in an Amazon ECS cluster. When deploying a new version of the application, the Developer, pushes a new image to a private Docker container registry, and then stops and starts all tasks to ensure that they all have the latest version of the application. The Developer discovers that the new tasks are, occasionally running with an old image. How can this issue be prevented? Update the digest on the task definition when pushing the new image. Use Amazon ECR for a Docker container registry. After pushing the new image, restart ECS Agent, and then start the tasks. Use "latest" for the Docker image tag in the task definition.
To monitor API calls against our AWS account by different users and entities, we can use
________ to create a history of calls in bulk for later review, and use ___________ for reacting to
AWS API calls in real-time. AWS CloudTrail; AWS Config AWS CloudTrail; CloudWatch Events AWS Config; AWS Lambda AWS Config; AWS Inspector.
You need to deploy an AWS stack in a repeatable manner across multiple environments. You have selected CloudFormation as the right tool to accomplish this, but have found that there is a resource type you need to create and model, but is unsupported by CloudFormation. How should you overcome this challenge? Use a CloudFormation Custom Resource Template by selecting an API call to proxy for create, update, and delete actions. CloudFormation will use the AWS SDK, CLI, or API method of your choosing as the state transition function for the resource type you are modeling. Create a CloudFormation Custom Resource Type by implementing create, update, and delete functionality, either by subscribing a Custom Resource Provider to an SNS topic, or by implementing the logic in AWS Lambda. Submit a ticket to the AWS Forums. AWS extends CloudFormation Resource Types by releasing tooling to the AWS Labs organization on GitHub. Their response time is usually 1 day, and they complete requests within a week or two. Instead of depending on CloudFormation, use Chef, Puppet, or Ansible to author Heat templates, which are declarative stack resource definitions that operate over the OpenStack hypervisor and cloud environment.
You manage a three-tier web application consisting of an autoscaled web proxy tier, an
autoscaled application tier, and an Amazon RDS database tier.
You use a load balancer to distribute requests from end users to the web proxy tier and another,
internal load balancer to distribute requests between the web tier and the application tier.
After deploying a small database schema update, you notice that all of your web and application
instances have been terminated.
What may have caused this? Your Auto Scaling group health check type is set to "EC2" to check that the instances themselves
are healthy. Your load balancer use TCP health checks to provide application-level health checks The cooldown period of the Auto Scaling group is too short, so the instances don't have enough time to recover from an issue. Your load balancers use an HTTP health check, and the page relies on retrieving data from your database.
A Development team is building more than 40 applications. Each app is a three-tiered web application based on an ELB Application Load Balancer, Amazon EC2, and Amazon RDS. Because the applications will be used internally, the Security team wants to allow access to the 40 applications only from the corporate network and block access from external IP addresses. The corporate network reaches the internet through proxy servers. The proxy servers have 12 proxy IP addresses that are being changed one or two times per month. The Network Infrastructure team manages the proxy servers; they upload the file that contains the latest proxy IP addresses into an Amazon S3 bucket. The DevOps Engineer must build a solution to ensure that the applications are accessible from the corporate network. Which solution achieves these requirements with MINIMAL impact to application development, MINIMAL operational effort, and the LOWEST infrastructure cost? Ensure that all the applications are hosted in the same Virtual Private Cloud (VPC). Otherwise, consolidate the applications into a single VPC. Establish an AWS Direct Connect connection with an active/standby configuration. Change the ELB security groups to allow only inbound HTTPS connections from the corporate network IP addresses. Implement an AWS Lambda function to read the list of proxy IP addresses from the S3 object and to update the ELB security groups to allow HTTPS only from the given IP addresses. Configure the S3 bucket to invoke the Lambda function when the object is updated. Save the IP address list to the S3 bucket when they are changed. Implement a Python script with the AWS SDK for Python (Bolo), which downloads the S3 object that contains the proxy IP addresses, scans the ELB security groups, and updates them to allow only HTTPS inbound from the given IP addresses. Launch an EC2 instance and store the script in the instance. Use a cron job to execute the script daily. Enable ELB socially groups to allow HTTPS inbound access from the Internet. Use Amazon Cognito to integrate the company's Active Directory as the identity provider. Change the 40 applications to integrate with Amazon Cognito so that only company employees can log into the application. Save the user access logs to Amazon CloudWatch Logs to record user access activities.
What is AWS CloudTrail Processing Library? A PHP library that renders various generic containers needed for CloudTrail log files. A Java library that makes it easy to build an application that reads and processes CloudTrail log files. A static library with CloudTrail log files in a movable format machine code that is directly executable. An object library with CloudTrail log files in a movable format machine code that is usually not directly executable.
A Development team is working on a serverless application in AWS. To quickly identify and remediate potential production issues, the team decides to roll out changes to a small number of users as a test before the full release. The DevOps Engineer must develop a solution to minimize downtime and impact. Which of the following solutions should be used to meet the requirements?
(Select TWO.) Create an ELB Network Load Balancer with two target groups. Set up the Network Load Balancer for Amazon API Gateway private integration Associate one target group with the current version and the other target group with the new version. Configure the load balancer to route 10% of incoming traffic to the new version. As the new version becomes stable, detach the old version from the load balancer. Create an Application Load Balancer with two target groups. Set up the Application Load Balancer for Amazon API Gateway private integration. Associate one target group to the current version and the other target group to the new version. Configure API Gateway to route 10% of incoming traffic to the new version. As the new version becomes stable, configure API Gateway to send all traffic to the new version and detach the old version from the load balancer. In Amazon API Gateway, create a canary release deployment by adding canary settings to the stage of a regular deployment. Configure API Gateway to route 10% of the incoming traffic to the canary release. As the canary release is considered stable, promote it to a production release Create a rollover record set in AWS Route 53 pointing to the AWS Lambda endpoints for the old and new versions. Configure Route 53 to route 10% of incoming traffic to the new version. As the new version becomes stable, update the DNS record to route all traffic to the new version. Create an alias for an AWS Lambda function pointing to both the current and new versions. Configure the alias to route 10% of incoming traffic to the new version. As the new version is considered stable, update the alias to route all traffic to the new version.
You need your CI to build AMIs with code pre-installed on the images on every new code push. You need to do this as cheaply as possible. How do you do this? Bid on spot instances just above the asking price as soon as new commits come in, perform all instance configuration and setup, then create an AMI based on the spot instance. Have the CI launch a new on-demand EC2 instance when new commits come in, perform all instance configuration and setup, then create an AMI based on the on-demand instance. Purchase a Light Utilization Reserved Instance to save money on the continuous integration machine. Use these credits whenever your create AMIs on instances. When the CI instance receives commits, attach a new EBS volume to the CI machine. Perform all setup on this EBS volume so you don't need a new EC2 instance to create the AMI.
When thinking of DynamoDB, what are true of Global Secondary Key properties? The partition key and sort key can be different from the table. Only the partition key can be different from the table. Either the partition key or the sort key can be different from the table, but not both. Only the sort key can be different from the table.
You need to process long-running jobs once and only once. How might you do this? Use an SNS queue and set the visibility timeout to long enough for jobs to process. Use an SQS queue and set the reprocessing timeout to long enough for jobs to process. Use an SQS queue and set the visibility timeout to long enough for jobs to process. Use an SNS queue and set the reprocessing timeout to long enough for jobs to process.
You need to know when you spend $1000 or more on AWS. What's the easy way for you to see that notification? AWS CloudWatch Events tied to API calls, when certain thresholds are exceeded, publish to SNS. Scrape the billing page periodically and pump into Kinesis. AWS CloudWatch Metrics + Billing Alarm + Lambda event subscription. When a threshold is exceeded, email the manager. Scrape the billing page periodically and publish to SNS.
You need to grant a vendor access to your AWS account. They need to be able to read protected
messages in a private S3 bucket at their leisure. They also use AWS. What is the best way to
accomplish this? Create an IAM User with API Access Keys. Grant the User permissions to access the bucket. Give the vendor the AWS Access Key ID and AWS Secret Access Key for the User. Create an EC2 Instance Profile on your account. Grant the associated IAM role full access to the bucket. Start an EC2 instance with this Profile and give SSH access to the instance to the vendor. Create a cross-account IAM Role with permission to access the bucket, and grant permission to use the Role to the vendor AWS account. Generate a signed S3 PUT URL and a signed S3 PUT URL, both with wildcard values and 2 year durations. Pass the URLs to the vendor.
Your serverless architecture using AWS API Gateway, AWS Lambda, and AWS DynamoDB experienced a large increase in traffic to a sustained 400 requests per second, and dramatically increased in failure rates. Your requests, during normal operation, last 500 milliseconds on average. Your DynamoDB table did not exceed 50% of provisioned throughput, and Table primary keys are designed correctly. What is the most likely issue? Your API Gateway deployment is throttling your requests. Your AWS API Gateway Deployment is bottlenecking on request (de)serialization. You did not request a limit increase on concurrent Lambda function executions. You used Consistent Read requests on DynamoDB and are experiencing semaphore lock.
Why are more frequent snapshots or EBS Volumes faster? Blocks in EBS Volumes are allocated lazily, since while logically separated from other EBS Volumes, Volumes often share the same physical hardware. Snapshotting the first time forces full block range allocation, so the second snapshot doesn't need to perform the allocation phase and is faster. The snapshots are incremental so that only the blocks on the device that have changed after your last snapshot are saved in the new snapshot. AWS provisions more disk throughput for burst capacity during snapshots if the drive has been pre-warmed by snapshotting and reading all blocks. The drive is pre-warmed, so block access is more rapid for volumes when every block on the device has already been read at least one time.
You need to migrate 10 million records in one hour into DynamoDB. All records are 1.5KB in size.
The data is evenly distributed across the partition key. How many write capacity units should you
provision during this batch load? 6667 4166 5556 2778.
You have an application which consists of EC2 instances in an Auto Scaling group. Between a particular time frame every day, there is an increase in traffic to your website. Hence users are complaining of a poor response time on the application. You have configured your Auto Scaling group to deploy one new EC2 instance when CPU utilization is greater than 60% for 2 consecutive periods of 5 minutes. What is the least cost-effective way to resolve this problem? Decrease the consecutive number of collection periods Increase the minimum number of instances in the Auto Scaling group Decrease the collection period to ten minutes Decrease the threshold CPU utilization percentage at which to deploy a new instance.
You have decided that you need to change the instance type of your production instances which are
running as part of an AutoScaling group. The entire architecture is deployed using CloudFormation
Template. You currently have 4 instances in Production. You cannot have any interruption in service
and need to ensure 2 instances are always runningduring the update? Which of the options below
listed can be used for this? AutoScalingRollingUpdate AutoScalingScheduledAction AutoScalingReplacingUpdate AutoScalinglntegrationUpdate.
You currently have the following setup in AWS Create a second ELB, and a new Auto Scaling Group assigned a new Launch Configuration. Create a
new AMI with the updated app. Use Route53 Weighted Round Robin records to adjust the proportion
of traffic hitting the two ELBs. Create new AM Is with the new app. Then use the new EC2 instances in half proportion to the
older instances. Redeploy with AWS Elastic Beanstalk and Elastic Beanstalk versions. Use Route 53 Weighted Round
Robin records to adjust the proportion of traffic hitting the two ELBs Create a full second stack of instances, cut the DNS over to the new stack of instances, and change
the DNS back if a rollback is needed.
Your application is currently running on Amazon EC2 instances behind a load balancer. Your
management has decided to use a Blue/Green deployment strategy. How should you implement this
for each deployment? Set up Amazon Route 53 health checks to fail over from any Amazon EC2 instance that is currently
being deployed to. Using AWS CloudFormation, create a test stack for validating the code, and then deploy the code
to each production Amazon EC2 instance. Create a new load balancer with new Amazon EC2 instances, carry out the deployment, and then
switch DNS over to the new load balancer using Amazon Route 53 after testing. Launch more Amazon EC2 instances to ensure high availability, de-register each Amazon EC2
instance from the load balancer, upgrade it, and test it, and then register it again with the load
balancer.
You have an application running a specific process that is critical to the application's functionality,
and have added the health check process to your Auto Scaling Group. The instances are showing
healthy but the application itself is not working as it should. What could be the issue with the health
check, since it is still showing the instances as healthy. You do not have the time range in the health check properly configured It is not possible for a health check to monitor a process that involves the application The health check is not configured properly The health check is not checking the application process.
You have just recently deployed an application on EC2 instances behind an ELB. After a couple of
weeks, customers are complaining on receiving errors from the application. You want to diagnose the
errors and are trying to get errors from the ELB access logs. But the ELB access logs are empty. What
is the reason for this. You do not have the appropriate permissions to access the logs You do not have your CloudWatch metrics correctly configured ELB Access logs are only available for a maximum of one week Access logging is an optional feature of Elastic Load Balancing that is disabled by default.
You have deployed an application to AWS which makes use of Autoscaling to launch new instances.
You now want to change the instance type for the new instances. Which of the following is one of the
action items to achieve this deployment? Use Elastic Beanstalk to deploy the new application with the new instance type Use Cloudformation to deploy the new application with the new instance type Create a new launch configuration with the new instance type Create new EC2 instances with the new instance type and attach it to the Autoscaling Group.
Your application stores sensitive information on an EBS volume attached to your EC2 instance. How
can you protect your information? Choose two answers from the options given below Unmount the EBS volume, take a snapshot and encrypt the snapshot. Re-mount the Amazon EBS
volume It is not possible to encrypt an EBS volume, you must use a lifecycle policy to transfer data to S3 for
encryption. Copy the unencrypted snapshot and check the box to encrypt the new snapshot. Volumes restored
from this encrypted snapshot will also be encrypted. Create and mount a new, encrypted Amazon EBS volume. Move the data to the new volume.
Delete the old Amazon EBS volume *t.
Which Auto Scaling process would be helpful when testing new instances before sending traffic to them, while still keeping them in your Auto Scaling Group? Suspend the process AZ Rebalance Suspend the process Health Check Suspend the process Replace Unhealthy Suspend the process AddToLoadBalancer.
You have an ELB setup in AWS with EC2 instances running behind it. You have been requested to
monitor the incoming connections to the ELB. Which of the below options can suffice this
requirement? UseAWSCIoudTrail with your load balancer Enable access logs on the load balancer Use a CloudWatch Logs Agent Create a custom metric CloudWatch filter on your load balancer.
Your company has multiple applications running on AWS. Your company wants to develop a tool that
notifies on-call teams immediately via email when an alarm is triggered in your environment. You
have multiple on-call teams that work different shifts, and the tool should handle notifying the
correct teams at the correct times. How should you implement this solution? Create an Amazon SNS topic and an Amazon SQS queue. Configure the Amazon SQS queue as a
subscriber to the Amazon SNS topic.
Configure CloudWatch alarms to notify this topic when an alarm is triggered. Create an Amazon EC2
Auto Scaling group with both minimum and desired Instances configured to 0. Worker nodes in this
group spawn when messages are added to the queue. Workers then use Amazon Simple Email
Service to send messages to your on call teams. Create an Amazon SNS topic and configure your on-call team email addresses as subscribers. Use
the AWS SDK tools to integrate your application with Amazon SNS and send messages to this new
topic. Notifications will be sent to on-call users when a CloudWatch alarm is triggered. Create an Amazon SNS topic and configure your on-call team email addresses as subscribers.
Create a secondary Amazon SNS topic for alarms and configure your CloudWatch alarms to notify this
topic when triggered. Create an HTTP subscriber to this topic that notifies your application via HTTP
POST when an alarm is triggered. Use the AWS SDK tools to integrate your application with Amazon
SNS and send messages to the first topic so that on-call engineers receive alerts. Create an Amazon SNS topic for each on-call group, and configure each of these with the team
member emails as subscribers. Create another Amazon SNS topic and configure your CloudWatch
alarms to notify this topic when triggered. Create an HTTP subscriber to this topic that notifies your
application via HTTP POST when an alarm is triggered. Use the AWS SDK tools to integrate your
application with Amazon SNS and send messages to the correct team topic when on shift.
You are responsible for your company's large multi-tiered Windows-based web application running
on Amazon EC2 instances situated behind a load balancer. While reviewing metrics, you've started
noticing an upwards trend for slow customer page load time. Your manager has asked you to come
up with a solution to ensure that customer load time is not affected by too many requests per
second. Which technique would you use to solve this issue? Re-deploy your infrastructure usingan AWS CloudFormation template. Configure Elastic Load
Balancing health checks to initiate a new AWS CloudFormation stack when health checks return failed. Re-deploy your infrastructure using an AWS CloudFormation template. Spin up a second AWS
CloudFormation stack. Configure Elastic Load Balancing SpillOver functionality to spill over any slow
connections to the second AWS CloudFormation stack. Re-deploy your infrastructure using AWS CloudFormation, Elastic Beanstalk, and Auto Scaling. Set
up your Auto Scalinggroup policies to scale based on the number of requests per second as well as
the current customer load time. Re-deploy your application using an Auto Scaling template. Configure the Auto Scaling template to
spin up a new Elastic Beanstalk application when the customer load time surpasses your threshold.
During metric analysis, your team has determined that the company's website during peak hours is
experiencing response times higher than anticipated. You currently rely on Auto Scaling to make sure
that you are scaling your environment during peak windows. How can you improve your Auto Scaling
policy to reduce this high response time? Choose 2 answers. Push custom metrics to CloudWatch to monitor your CPU and network bandwidth from your
servers, which will allow your Auto Scaling policy to have betterfine-grain insight. Increase your AutoScalinggroup's number of maxservers. Create a script that runs and monitors your servers; when it detects an anomaly in load, it posts to
an Amazon SNS topic that triggers Elastic Load Balancing to add more servers to the load balancer. . Push custom metrics to CloudWatch for your application that include more detailed information
about your web application, such as how many requests it is handling and how many are waiting to
be processed.
Management has reported an increase in the monthly bill from Amazon Web Services, and they are
extremely concerned with this increased cost. Management has asked you to determine the exact
cause of this increase. After reviewing the billing report, you notice an increase in the data transfer
cost. How can you provide management with a better insight into data transfer use? Update your Amazon CloudWatch metrics to use five-second granularity, which will give better
detailed metrics that can be combined with your billing data to pinpoint anomalies. Use Amazon CloudWatch Logs to run a map-reduce on your logs to determine high usage and data
transfer. Deliver custom metrics to Amazon CloudWatch per application that breaks down application data
transfer into multiple, more specific data points. Using Amazon CloudWatch metrics, pull your Elastic Load Balancing outbound data transfer
metrics monthly, and include them with your billing report to show which application is causing
higher bandwidth usage.
You have an application consisting of a stateless web server tier running on Amazon EC2 instances
behind load balancer, and are using Amazon RDS with read replicas. Which of the following methods
should you use to implement a self-healing and cost-effective architecture? Choose 2 answers from
the optionsgiven below Set up a third-party monitoring solution on a cluster of Amazon EC2 instances in order to emit
custom Cloud Watch metrics to trigger the termination of unhealthy Amazon EC2 instances. Set up scripts on each Amazon EC2 instance to frequently send ICMP pings to the load balancer in
order to determine which instance is unhealthy and replace it. Set up an Auto Scalinggroup for the web server tier along with an Auto Scaling policy that uses the
Amazon RDS DB CPU utilization Cloud Watch metric to scale the instances. Set up an Auto Scalinggroup for the web server tier along with an Auto Scaling policy that uses the
Amazon EC2 CPU utilization CloudWatch metric to scale the instances. Use a larger Amazon EC2 instance type for the web server tier and a larger DB instance type for the data storage layer to ensure that they don't become unhealthy. Set up an Auto Scalinggroup for the database tier along with an Auto Scaling policy that uses the
Amazon RDS read replica lag CloudWatch metric to scale out the Amazon RDS read replicas. Use an Amazon RDS Multi-AZ deployment.
You currently run your infrastructure on Amazon EC2 instances behind an Auto Scalinggroup. All logs
for your application are currentl\ written to ephemeral storage. Recently your company experienced
a major bug in the code that made it through testing and was ultimately deployed to your fleet. This
bug triggered your Auto Scalinggroup to scale up and back down before you could successfully
retrieve the logs off your server to better assist you in troubleshooting the bug. Which technique
should you use to make sure you are able to review your logs after your instances have shut down? Configure the ephemeral policies on your Auto Scaling group to back up on terminate. . Configure your Auto Scaling policies to create a snapshot of all ephemeral storage on terminate. Install the CloudWatch Logs Agent on your AMI, and configure CloudWatch Logs Agent to stream
your logs. Install the CloudWatch monitoring agent on your AMI, and set up new SNS alert for CloudWatch
metrics that triggers the CloudWatch monitoring agent to backup all logs on the ephemeral drive.
You have a code repository that uses Amazon S3 as a data store. During a recent audit of your
security controls, some concerns were raised about maintaining the integrity of the data in the
Amazon S3 bucket. Another concern was raised around securely deploying code from Amazon S3 to
applications running on Amazon EC2 in a virtual private cloud. What are some measures that you can
implement to mitigate these concerns? Choose two answers from the options given below. Add an Amazon S3 bucket policy with a condition statement to allow access only from Amazon
EC2 instances with RFC 1918 IP addresses and enable bucket versioning. Add an Amazon S3 bucket policy with a condition statement that requires multi-factor
authentication in order to delete objects and enable bucket versioning. Use a configuration management service to deploy AWS Identity and Access Management user
credentials to the Amazon EC2 instances. Use these credentials to securely access the Amazon S3
bucket when deploying code. Create an Amazon Identity and Access Management role with authorization to access the Amazon
S3 bucket, and launch all of your application's Amazon EC2 instances with this role. Use AWS Data Pipeline to lifecycle the data in your Amazon S3 bucket to Amazon Glacier on a
weekly basis. Use AWS Data Pipeline to lifecycle the data in your Amazon S3 bucket to Amazon Glacier on a
weekly basis.
The project you are working on currently uses a single AWS CloudFormation template to deploy its
AWS infrastructure, which supports a multi-tier web application. You have been tasked with
organizing the AWS CloudFormation resources so that they can be maintained in the future, and so
that different departments such as Networking and Security can review the architecture before it
goes to Production. How should you do this in a way that accommodates each department, using
their existing workflows? Organize the AWS CloudFormation template so that related resources are next to each other in the
template, such as VPC subnets and routing rules for Networkingand security groups and 1AM
information for Security. Separate the AWS CloudFormation template into a nested structure that has individual templates
for the resources that are to be governed by different departments, and use the outputs from the
networking and security stacks for the application template that you control. Organize the AWS CloudFormation template so that related resources are next to each other in the
template for each department's use, leverage your existing continuous integration tool to constantly
deploy changes from all parties to the Production environment, and then run tests for validation. Use a custom application and the AWS SDK to replicate the resources defined in the current AWS
CloudFormation template, and use the existing code review system to allow other departments to
approve changes before altering the application for future deployments.
The operations team and the development team want a single place to view both operating system
and application logs. How should you implement this using A WS services? Choose two from the
options below Using AWS CloudFormation, create a Cloud Watch Logs LogGroup and send the operating system
and application logs of interest using the Cloud Watch Logs Agent. Using AWS CloudFormation and configuration management, set up remote logging to send events
via UDP packets to CloudTrail. Using configuration management, set up remote logging to send events to Amazon Kinesis and
insert these into Amazon CloudSearch or Amazon Redshift, depending on available analytic tools. Using AWS CloudFormation, merge the application logs with the operating system logs, and use
1AM Roles to allow both teams to have access to view console output from Amazon EC2.
You have the following application to be setup in AWS
1) A web tier hosted on EC2 Instances
2) Session data to be written to DynamoDB
3) Log files to be written to Microsoft SQL Server
How can you allow an application to write data to a DynamoDB table? Add an 1AM user to a running EC2 instance Add an 1AM user that allows write access to the DynamoDB table. Create an 1AM role that allows read access to the DynamoDB table. Create an 1AM role that allows write access to the DynamoDB table.
You are a DevOps engineer for a company. You have been requested to create a rolling deployment
solution that is cost-effective with minimal downtime. How should you achieve this? Choose two
answers from the options below Re-deploy your application using a CloudFormation template to deploy Elastic Beanstalk Re-deploy with a CloudFormation template, define update policies on Auto Scalinggroups in your
CloudFormation template Use UpdatePolicy attribute to specify how CloudFormation handles updates to Auto Scaling Group
resource. . After each stack is deployed, tear down the old stack.
You have an Auto Scaling group of Instances that processes messages from an Amazon Simple Queue
Service (SQS) queue. The group scales on the size of the queue. Processing Involves calling a thirdparty web service. The web service is complaining about the number of failed and repeated calls it is
receiving from you. You have noticed that when the group scales in, instances are being terminated
while they are processing. What cost-effective solution can you use to reduce the number of
incomplete process attempts? Create a new Auto Scaling group with minimum and maximum of 2 and instances running web
proxy software. Configure the VPC route table to route HTTP traffic to these web proxies. Modify the application running on the instances to enable termination protection while it
processes a task and disable it when the processing is complete. Increase the minimum and maximum size for the Auto Scalinggroup, and change the scaling
policies so they scale less dynamically. Modify the application running on the instances to put itself into an Auto Scaling Standby state
while it processes a task and return itself to InService when the processing is complete.
Your mobile application includes a photo-sharing service that is expecting tens of thousands of users
at launch. You will leverage Amazon Simple Storage Service (S3) for storage of the user Images, and
you must decide how to authenticate and authorize your users for access to these images. You also
need to manage the storage of these images. Which two of the following approaches should you
use? Choose two answers from the options below Create an Amazon S3 bucket per user, and use your application to generate the S3 URI for the
appropriate content. Use AWS Identity and Access Management (1AM) user accounts as your application-level user
database, and offload the burden of authentication from your application code. Authenticate your users at the application level, and use AWS Security Token Service (STS) to grant
token-based authorization to S3 objects. Authenticate your users at the application level, and send an SMS token message to the user.
Create an Amazon S3 bucket with the same name as the SMS message token, and move the user's
objects to that bucket. Use a key-based naming scheme comprised from the user IDs for all user objects in a single
Amazon S3 bucket.
You have been requested to use CloudFormation to maintain version control and achieve automation
for the applications in your organization. How can you best use CloudFormation to keep everything
agile and maintain multiple environments while keeping cost down? Create separate templates based on functionality, create nested stacks with CloudFormation Use CloudFormation custom resources to handle dependencies between stacks Create multiple templates in one CloudFormation stack. Combine all resources into one template for version control and automation.
You have an Auto Scaling group with 2 AZs. One AZ has 4 EC2 instances and the other has 3 EC2
instances. None of the instances are protected from scale in. Based on the default Auto Scaling
termination policy what will happen? Auto Scaling selects an instance to terminate randomly Auto Scaling will terminate unprotected instances in the Availability Zone with the oldest launch
configuration. Auto Scaling terminates which unprotected instances are closest to the next billing hour Auto Scaling will select the AZ with 4 EC2 instances and terminate an instance.
You are doing a load testing exercise on your application hosted on AWS. While testing your Amazon
RDS MySQL DB instance, you notice that when you hit 100% CPU utilization on it, your application
becomes non- responsive. Your application is read-heavy. What are methods to scale your data tier
to meet the application's needs? Choose three answers from the options given below Add Amazon RDS DB read replicas, and have your application direct read queries to them. Add your Amazon RDS DB instance to an Auto Scalinggroup and configure your Cloud Watch metric
based on CPU utilization. Use an Amazon SQS queue to throttle data going to the Amazon RDS DB instance Use ElastiCache in front of your Amazon RDS DB to cache common queries. Shard your data set among multiple Amazon RDS DB instances. Enable Multi-AZ for your Amazon RDS DB instance.
You are administering a continuous integration application that polls version control for changes and
then launches new Amazon EC2 instances for a full suite of build tests. What should you do to ensure
the lowest overall cost while being able to run as many tests in parallel as possible? Perform syntax checking on the continuous integration system before launching a new Amazon
EC2 instance for build test, unit and integration tests. Perform syntax and build tests on the continuous integration system before launching the new
Amazon EC2 instance unit and integration tests. Perform all tests on the continuous integration system, using AWS OpsWorks for unit, integration, and build tests. Perform syntax checking on the continuous integration system before launching a new AWS Data
Pipeline for coordinating the output of unit, integration, and build tests.
If your application performs operations or workflows that take a long time to complete, what service
can the Elastic Beanstalk environment do for you? Manages a Amazon SQS queue and running a daemon process on each instance Manages a Amazon SNS Topic and running a daemon process on each instance Manages Lambda functions and running a daemon process on each instance Manages the ELB and running a daemon process on each instance.
You have an Auto Scaling group with an Elastic Load Balancer. You decide to suspend the Auto Scaling
AddToLoadBalancer for a short period of time. What will happen to the instances launched during
the suspension period? The instances will be registered with ELB once the process has resumed Auto Scaling will not launch the instances during this period because of the suspension The instances will not be registered with ELB. You must manually register when the process is
resumed It is not possible to suspend the AddToLoadBalancer process.
You are using Elastic Beanstalk to manage your e-commerce store. The store is based on an open
source e- commerce platform and is deployed across multiple instances in an Auto Scaling group.
Your development team often creates new "extensions" for the e-commerce store. These extensions
include PHP source code as well as an SQL upgrade script used to make any necessary updates to the
database schema. You have noticed that some extension deployments fail due to an error when
running the SQL upgrade script. After further investigation, you realize that this is because the SQL
script is being executed on all of your Amazon EC2 instances. How would you ensure that the SQL
script is only executed once per deployment regardless of how many Amazon EC2 instances are
running at the time? Use a "Container command" within an Elastic Beanstalk configuration file to execute the script,
ensuring that the "leader only" flag is set to true. Make use of the Amazon EC2 metadata service to query whether the instance is marked as the
leader" in the Auto Scaling group. Only execute the script if "true" is returned. Use a "Solo Command" within an Elastic Beanstalk configuration file to execute the script. The
Elastic Beanstalk service will ensure that the command is only executed once. Update the Amazon RDS security group to only allow write access from a single instance in the
Auto Scaling group; that way, only one instance will successfully execute the script on the database.
Using the AWS CLI, which command retrieves CloudTrail trail settings, including the status of the trail itself? aws cloudtrail return-trails aws cloudtrail validate-settings aws cloudtrail get-settings aws cloudtrail describe-trails.
A company wants to use Amazon DynamoDB for maintaining metadata on its forums. See the
sample data set in the image below.
A DevOps Engineer is required to define the table schema with the partition key, the sort key, the
local secondary index, projected attributes, and fetch operations. The schema should support the
following example searches using the least provisioned read capacity units to minimize cost.
- Search within ForumName for items where the subject starts with `a'.
- Search forums within the given LastPostDateTime time frame.
- Return the thread value where LastPostDateTime is within the last
three months.
Which schema meets the requirements? Use Subject as the primary key and ForumName as the sort key. Have LSI with LastPostDateTime as the sort key and fetch operations for thread. Use ForumName as the primary key and Subject as the sort key. Have LSI with LastPostDateTime as the sort key and the projected attribute thread. Use ForumName as the primary key and Subject as the sort key. Have LSI with Thread as the sort key and the projected attribute LastPostDateTime. Use Subject as the primary key and ForumName as the sort key. Have LSI with Thread as the sort key and fetch operations for LastPostDateTime.
If Ansible encounters a resource that does not meet the requirements specified in the play it
makes the necessary changes to the resource; however if the resource is already in the desired state
Ansible will do nothing. This is an example of which methodology? Idempotency Immutability Convergence Infrastructure as Code.
A company is setting a centralized logging solution on AWS and has several requirements. The
company wants its Amazon CloudWatch Logs and VPC Flow logs to come from different sub accounts and to be delivered to a single auditing account. However, the number of sub accounts keeps changing. The company also needs to index the logs in the auditing account to gather actionable insight. How should a DevOps Engineer implement the solution to meet all of the company's requirements? Define the resource configurations in AWS Service Catalog, and monitor the AWS Service Catalog compliance and violations in Amazon CloudWatch. Then, set up and share a live CloudWatch dashboard. Set up Amazon SNS notifications for violations and corrections. Use AWS Config to record configuration changes and output the data to an Amazon S3 bucket. Create an Amazon QuickSight analysis of the dataset, and use the information on dashboards and mobile devices. Create a resource group that displays resources with the specified tags and those without tags. Use the AWS Management Console to view compliant and non-compliant resources. Define the compliance and tagging requirements in Amazon inspector. Output the results to Amazon CloudWatch Logs. Build a metric filter to isolate the monitored elements of interest and present the data in a CloudWatch dashboard.
A company is adopting AWS CodeDeploy to automate its application deployments for a Java-
Apache Tomcat application with an Apache webserver. The Development team started with a proof
of concept, created a deployment group for a developer environment, and performed functional
tests within the application. After completion, the team will create additional deployment groups for
staging and production The current log level is configured within the Apache settings, but the team
wants to change this configuration dynamically when the deployment occurs, so that they can set
different log level configurations depending on the deployment group without having a different
application revision for each group.
How can these requirements be met with the LEAST management overhead and without requiring
different script versions for each deployment group? Tag the Amazon EC2 instances depending on the deployment group. Then place a script into the application revision that calls the metadata service and the EC2 API to identify which deployment group the instance is part of. Use this information to configure the log level settings. Reference the script as part of the Afterinstall lifecycle hook in the appspec yml file. Create a script that uses the CodeDeploy environment variable DEPLOYMENT_GROUP_NAME to identify which deployment group the instances is part of. Use this information to configure the log level settings. Reference this script as part of the Beforelnstall lifecycle hook in the appspec.yml file Create a CodeDeploy custom environment variable for each environment. Then place a script into the application revision that checks this environment variable to identify which deployment group the instance is part of. Use this information to configure the log level settings. Reference this script as part of the ValidateService lifecycle hook in the appspec yml file. Create a script that uses the CodeDeploy environment variable DEPLOYMENT_GROUP_ID to identify which deployment group the instance is part of to configure the log level settings. Reference this script as part of the Install lifecycle hook in the appspec yml file.
If designing a single playbook to run across multiple Linux distributions that have distribution
specific commands, what would be the best method to allow a successful run? Enable fact gathering and use the `when' conditional to match the distribution to the task. This isn't possible, a separate playbook for each target Linux distribution is required. Use `ignore_errors: true' in the tasks. Use the `shell' module to write your own checks for each command that is ran.
A company is deploying a new mobile game on AWS for its customers around the world. The
Development team uses AWS Code services and must meet the following requirements:
- Clients need to send/receive real-time playing data from the backend
frequently and with minimal latency
- Game data must meet the data residency requirement
Which strategy can a DevOps Engineer implement to meet their needs? Deploy the backend application to multiple regions. Any update to the code repository triggers a two- stage build and deployment pipeline. A successful deployment in one region invokes an AWS Lambda function to copy the build artifacts to an Amazon S3 bucket in another region. After the artifact is copied, it triggers a deployment pipeline in the new region. Deploy the backend application to multiple Availability Zones in a single region. Create an Amazon CloudFront distribution to serve the application backend to global customers. Any update to the code repository triggers a two-stage build-and-deployment pipeline. The pipeline deploys the backend application to all Availability Zones. Deploy the backend application to multiple regions. Use AWS Direct Connect to serve the
application backend to global customers. Any update to the code repository triggers a two-stage build-and- deployment pipeline in the region. After a successful deployment in the region, the pipeline continues to deploy the artifact to another region. Deploy the backend application to multiple regions. Any update to the code repository triggers a two- stage build-and-deployment pipeline in the region. After a successful deployment in the region,
the pipeline invokes the pipeline in another region and passes the build artifact location.
The pipeline uses the artifact location and deploys applications in the new region.
Which one of the following is a restriction of AWS EBS Snapshots? Snapshot restorations are restricted to the region in which the snapshots are created. You cannot share unencrypted snapshots. To share a snapshot with a user in other region the snapshot has to be created in that region first. You cannot share a snapshot containing sensitive data such as an AWS Access Key ID or AWS Secret Access Key.
A company wants to use a grid system for a proprietary enterprise in-memory data store on
top of AWS. This system can run in multiple server nodes in any Linux-based distribution. The system
must be able to reconfigure the entire cluster every time a node is added or removed. When adding
or removing nodes, an /etc./cluster/nodes. config file must be updated, listing the IP addresses of the
current node members of that cluster The company wants to automate the task of adding new nodes
to a cluster. What can a DevOps Engineer do to meet these requirements? Use AWS OpsWorks Stacks to layer the server nodes of that cluster. Create a Chef recipe that populates the content of the/etc/cluster/nodes config file and restarts the service by using the current members of the layer. Assign that recipe to the Configure lifecycle event. Put the file nodes.config in version control. Create an AWS CodeDeploy deployment configuration and deployment group based on an Amazon EC2 tag value for the cluster nodes. When adding a new node to the cluster, update the file with all tagged instances, and make a commit in version control. Deploy the new file and restart the services. Create an Amazon S3 bucket and upload a version of the etc/cluster/ nodes.config file. Create a crontab script that will poll for that S3 file and download it frequently. Use a process manager, such as Monit or systemd, to restart the cluster services when it detects that the new file was modified. When adding a node to the cluster, edit the file's most recent members. Upload the new file to the S3 bucket . Create a user data script that lists all members of the current security group of the cluster and automatically updates the /etc/cluster/nodes.config file whenever a new instance is added to the cluster.
A Development team uses AWS CodeCommit for source code control. Developers apply their
changes to various feature branches and create pull requests to move those changes to the master branch when they are ready for production. A direct push to the master branch should not be allowed. The team applied the AWS managed policy AWSCodeCommitPowerUser to the Developers' IAM rote, but now members are able to push to the master branch directly on every repository in the
AWS account. What actions should be taken to restrict this? Create an additional policy to include a deny rule for the codecommit: GitPush action, and include a restriction for the specific repositories in the resource statement with a condition for the master reference. Remove the IAM policy and add an AWSCodeCommitReadOnlypolicy. Add an allow rule for the codecommit: GitPush action for the specific repositories in the resource statement with a condition for the master reference. Modify the IAM policy and include a deny rule for the codecommit: GitPush action for the specific repositories in the resource statement with a condition for the master reference. Create an additional policy to include an allow rule for the codecommit: GitPush action and include a restriction for the specific repositories in the resource statement with a condition for the feature branches reference.
Your CTO has asked you to make sure that you know what all users of your AWS account are
doing to change resources at all times. She wants a report of who is doing what over time, reported
to her once per week, for as broad a resource type group as possible. How should you do this? Create a global AWS CloudTrail Trail. Configure a script to aggregate the log data into a report, publish it to S3 once per week and deliver this to the CTO. Use CloudWatch Events Rules with an SNS topic subscribed to all AWS API calls. Subscribe the CTO to an email type delivery on this SNS Topic. Use AWS IAM credential reports to deliver a CSV of all uses of IAM User Tokens over time to the CTO. Use AWS Config with an SNS subscription on a Lambda, and insert these changes over time into a DynamoDB table. Generate reports based on the contents of this table.
You have been asked to handle a large data migration from multiple Amazon RDS MySQL
instances to a DynamoDB table. You have been given a short amount of time to complete the data migration. What will allow you to complete this complex data processing workflow? Create an Amazon Kinesis data stream, pipe in all of the Amazon RDS data, and direct the data toward a DynamoDB table. Write a script in your language of choice, install the script on an Amazon EC2 instance, and then use Auto Scaling groups to ensure that the latency of the migration pipelines never exceeds four seconds in any 15- minute period. Write a bash script to run on your Amazon RDS instance that will export data into DynamoDB. Create a data pipeline to export Amazon RDS data and import the data into DynamoDB.
You would like to run automated, continuous application level integration tests on all members of an Auto Scaling group. Which two options should you use?
Choose 2 answers. Use the AWS SDK to run the DescribeInstances API call on the Auto Scaling group, and then iterate over the members and remotely connect to each Amazon EC2 instance and run the integration tests. Use the AWS SDK to run the DescribeAutoScalinglnstances API call on the Auto Scaling Group, iterate over the members using the Describe Instances API call, remotely connect to each Amazon EC2 instance, and then run the integration tests. Set up a custom CloudWatch metric with the output of your integration tests that are run by a scheduled process on each instance, and then set up a CloudWatch alert for any failures. Using an Auto Cycle Group lifecycle policy, define a scheduled task to run integration tests when a new Amazon EC2 instance enters the InService state. Set up a custom CloudWatch metric that uses the output of the DescribeAutoScalingInstances API call to determine the HealthCheck status of the Amazon EC2 instances. Using the Auto Cycle Group lifecycle policy, define a scheduled task to run integration tests on individual instances using the Amazon EC2 user data to export test data to CloudWatch Logs.
You are using AWS Elastic Beanstalk to deploy your application and must make data stored on
an Amazon Elastic Block Store (EBS) volume snapshot available to the Amazon Elastic Compute Cloud (EC2) instances. How can you modify your Elastic Beanstalk environment so that the data is added to the Amazon EC2 instances every time you deploy your application? Add commands to a configuration file in the .ebextensions folder of your deployable archive that mount an additional Amazon EBS volume on launch. Also add a "BlockDeviceMappings" option, and specify the snapshot to use for the block device in the Auto Scaling launch configuration. Add commands to a configuration file in the .ebextensions folder of your deployable archive that uses the create-volume Amazon EC2 API or CLI to create a new ephemeral volume based on the specified snapshot and then mounts the volume on launch. Add commands to the Amazon EC2 user data that will be executed by eb-init, which uses the create- volume Amazon EC2 API or CLI to create a new Amazon EBS volume based on the specified snapshot, and then mounts the volume on launch. Add commands to the Chef recipe associated with your environment, use the create-volume Amazon EC2 API or CLI to create a new Amazon EBS volume based on the specified snapshot, and then mount the volume on launch.
Your DevOps team is responsible for a multi-tier, Windows-based web application consisting
of web servers, Amazon RDS database instances, and a load balancer behind Amazon Route53.
You've been asked by your manager to build a cost-effective rolling deployment solution for this web
application.
What method should you use? Re-deploy your application on an AWS OpsWorks stack. Use the AWS OpsWorks done stack feature to allow updates between duplicate stacks. Re-deploy your application on Elastic Beanstalk and take advantage of Elastic BeanStalk rolling updates. Re-deploy your application using an AWS CloudFormation template, launch a new AWS CloudFormation stack during each deployment, and then tear down the old stack. Re-deploy your application using an AWS CloudFormation template. Use AWS CloudFormation rolling deployment policies, create a new policy for your AWS CloudFormation stack, and initiate an update stack operation to deploy new code.
Your system automatically provisions EIPs to EC2 instances in a VPC on boot. The system provisions the whole VPC and stack at once. You have two of them per VPC. On your new AWS account, your attempt to create a Development environment failed, after successfully creating Staging and Production environments in the same region. What happened? You didn't choose the Development version of the AMI you are using. You didn't set the Development flag to true when deploying EC2 instances. You hit the soft limit of 5 EIPs per region and requested a 6th. You hit the soft limit of 2 VPCs per region and requested a 3rd.
You are responsible for a large-scale video transcoding system that operates with an Auto
Scaling group of video transcoding workers.
The Auto Scaling group is configured with a minimum of 750 Amazon EC2 instances and a maximum of 1000 Amazon EC2 instances.
You are using Amazon SQS to pass a message containing the URI for a video stored in Amazon S3 to the transcoding workers. An Amazon CloudWatch alarm has notified you that the queue depth is becoming very large.
How can you resolve the alarm without the risk of increasing the time to transcode videos?
Choose 2 answers. Create a second queue in Amazon SQS. Adjust the Amazon CloudWatch alarms for a higher queue depth. Create a new Auto Scaling group with a launch configuration that has a larger Amazon EC2 instance type Add an additional Availability Zone to the Auto Scaling group configuration. Change the Amazon CloudWatch alarm so that it monitors the CPU utilization of the Amazon EC2 instances rather than the Amazon SQS queue depth. Adjust the Auto Scaling group configuration to increase the maximum number of Amazon EC2 instances.
You have a complex system that involves networking, IAM policies, and multiple, three-tier
applications. You are still receiving requirements for the new system, so you don't yet know how many AWS components will be present in the final design.
You want to start using AWS CloudFormation to define these AWS resources so that you can
automate and version-control your infrastructure.
How would you use AWS CloudFormation to provide agile new environments for your customers in a cost-effective, reliable manner? Manually create one template to encompass all the resources that you need for the system, so you only have a single template to version-control. Create multiple separate templates for each logical part of the system, create nested stacks in AWS CloudFormation, and maintain several templates to version-control. Create multiple separate templates for each logical part of the system, and provide the outputs from one to the next using an Amazon Elastic Compute Cloud (EC2) instance running the SDK for finer granularity of control. Manually construct the networking layer using Amazon Virtual Private Cloud (VPC) because this does not change often, and then use AWS CloudFormation to define all other ephemeral resources.
Your mobile application includes a photo-sharing service that is expecting tens of thousands
of users at launch. You will leverage Amazon Simple Storage Service (S3) for storage of the user Images, and you must decide how to authenticate and authorize your users for access to these images. You also need to manage the storage of these images.
Which two of the following approaches should you use?
Choose 2 answers Create an Amazon S3 bucket per user, and use your application to generate the S3 URI for the appropriate content. Use AWS Identity and Access Management (IAM) user accounts as your application-level user database, and offload the burden of authentication from your application code. Authenticate your users at the application level, and use AWS Security Token Service (STS) to grant token-based authorization to S3 objects. Authenticate your users at the application level, and send an SMS token message to the user. Create an Amazon S3 bucket with the same name as the SMS message token, and move the user's objects to that bucket. Use a key-based naming scheme comprised from the user IDs for all user objects in a single Amazon S3 bucket.
A DevOps Engineer is designing a deployment strategy for a web application. The application
will use an Auto Scaling group to launch Amazon EC2 instances using an AMI. The same infrastructure will be deployed in multiple environments (development, test, and quality assurance). The deployment strategy should meet the following requirements:
- Minimize the startup time for the instance
- Allow the same AMI to work in multiple environments
- Store secrets for multiple environments securely
How should this be accomplished? Preconfigure the AMI using an AWS Lambda function that launches an Amazon EC2 instance, and then runs a script to install the software and create the AMI. Configure an Auto Scaling lifecycle hook to determine which environment the instance is launched in, and, based on that finding, run a configuration script. Save the secrets on an .ini file and store them in Amazon S3. Retrieve the secrets using a configuration script in EC2 user data. Preconfigure the AMI by installing all the software using AWS Systems Manager automation and configure Auto Scaling to tag the instances at launch with their specific environment. Then use a bootstrap script in user data to read the tags and configure settings for the environment. Use the AWS Systems Manager Parameter Store to store the secrets using AWS KMS. Use a standard AMI from the AWS Marketplace. Configure Auto Scaling to detect the current environment. Install the software using a script in Amazon EC2 user data. Use AWS Secrets Manager to store the credentials for all environments. Preconfigure the AMI by installing all the software and configuration for all environments.
Configure Auto Scaling to tag the instances at launch with their environment. Use the Amazon EC2 user data to trigger an AWS Lambda function that reads the instance ID and then reconfigures the setting for the proper environment. Use the AWS Systems Manager Parameter Store to store the secrets using AWS KMS.
A root owner is trying to create an IAM user of the various departments. The owner has created groups for each department, but wants to still delineate the user based on the sub division
level. The two users from different sub departments should be identified separately and have separate permissions. How can the root owner configure this? Create a hierarchy of the IAM users which are separated based on the department. Create a nested group. Use the paths to separate the users of the same group. It is not possible to delineate within a group.
What is the scope of an EC2 security group? Availability Zone Placement Group Region VPC.
A healthcare services company is concerned about the growing costs of software licensing for
an application for monitoring patient wellness. The company wants to create an audit process to
ensure that the application is running exclusively on Amazon EC2 Dedicated Hosts. A DevOps
Engineer must create a workflow to audit the application to ensure compliance.
What steps should the Engineer take to meet this requirement with the LEAST administrative
overhead? Use AWS Systems Manager Configuration Compliance. Use calls to the put-compliance- items API action to scan and build a database of noncompliant EC2 instances based on their host placement configuration. Use an Amazon DynamoDB table to store these instance IDs for fast access. Generate a report through Systems Manager by calling the list-compliance- summaries API action. Use custom Java code running on an EC2 instance. Set up EC2 Auto Scaling for the instance depending on the number of instances to be checked. Send the list of noncompliant EC2 instance IDs to an Amazon SQS queue. Set up another worker instance to process instance IDs from the SQS queue and write them to Amazon DynamoDB. Use an AWS Lambda function to terminate noncompliant instance IDs obtained from the queue, and send them to an Amazon SNS email topic for distribution. Use AWS Config Identify all EC2 instances to be audited by enabling Config Recording on all Amazon EC2 resources for the region. Create a custom AWS Config rule that triggers an AWS Lambda function by using the "config-rule-change-triggered" blueprint. Modify the Lambda evaluate.Compliance () function to verify host placement to return a NON_COMPLIANT result if the instance is not running on an EC2 Dedicated Host. Use the AWS Config report to address noncompliant instances. Use AWS CloudTrail. Identity all EC2 instances to be audited by analyzing all calls to the EC2 RunCommand API action. Invoke an AWS Lambda function that analyzes the host placement of the instance. Store the EC2 instance ID of noncompliant resources in an Amazon RDS MySOL DB instance. Generate a report by querying the RDS instance and exporting the query results to a CSV text file.
After a daily scrum with your development teams, you've agreed that using Blue/Green style
deployments would benefit the team. Which technique should you use to deliver this new requirement? Re-deploy your application on AWS Elastic Beanstalk, and take advantage of Elastic Beanstalk deployment types. Using an AWS CloudFormation template, re-deploy your application behind a load balancer,
launch a new AWS CloudFormation stack during each deployment, update your load balancer to send half your traffic to the new stack while you test, after verification update the load balancer to send 100% of traffic to the new stack, and then terminate the old stack. Re-deploy your application behind a load balancer that uses Auto Scaling groups, create a new identical Auto Scaling group, and associate it to the load balancer. During deployment, set the desired number of instances on the old Auto Scaling group to zero, and when all instances have terminated, delete the old Auto Scaling group. Using an AWS OpsWorks stack, re-deploy your application behind an Elastic Load Balancing load balancer and take advantage of OpsWorks stack versioning, during deployment create a new version of your application, tell OpsWorks to launch the new version behind your load balancer, and when the new version is launched, terminate the old OpsWorks stack.
What is the scope of an EC2 EIP? Placement Group Availability Zone Region VPC.
Your CTO thinks your AWS account was hacked. What is the only way to know for certain if
there was unauthorized access and what they did, assuming your hackers are very sophisticated AWS engineers and doing everything they can to cover their tracks? Use CloudTrail Log File Integrity Validation. Use AWS Config SNS Subscriptions and process events in real time. Use CloudTrail backed up to AWS S3 and Glacier. Use AWS Config Timeline forensics.
A DevOps Engineer has a single Amazon Dynamo DB table that received shipping orders and
tracks inventory. The Engineer has three AWS Lambda functions reading from a DymamoDB stream
on that table. The Lambda functions perform various functions such as doing an item count, moving
items to Amazon Kinesis Data Firehose, monitoring inventory levels, and creating vendor orders
when parts are low. While reviewing logs, the Engineer notices the Lambda functions occasionally fail under increased load, receiving a stream throttling error.
Which is the MOST cost-effective solution that requires the LEAST amount of operational
management? Use AWS Glue integration to ingest the DynamoDB stream, then migrate the Lambda code to an AWS Fargate task. Use Amazon Kinesis streams instead of Dynamo DB streams, then use Kinesis analytics to trigger the Lambda functions. Create a fourth Lambda function and configure it to be the only Lambda reading from the stream. Then use this Lambda function to pass the payload to the other three Lambda functions. Have the Lambda functions query the table directly and disable DynamoDB streams. Then have the Lambda functions query from a global secondary index.
Which EBS volume type is best for high performance NoSQL cluster deployments? io1 gp1 standard gp2.
A user has created a new EBS volume from an existing snapshot. The user mounts the volume on the instance to which it is attached. Which of the below mentioned options is a required step before the user can mount the volume? Run a cyclic check on the device for data consistency Create the file system of the volume Resize the volume as per the original snapshot size No step is required. The user can directly mount the device.
You are building a large, multi-tenant SaaS (software-as-a-service) application with a
component that fetches data to process from a customer-specific Amazon S3 bucket in their account.
How should you ensure that your application follows security best practices and limits risk when
fetching data from customer-owned Amazon S3 buckets? Have users create an IAM user with a policy that grants read-only access to the Amazon S3 bucket required by your application, and store the corresponding access keys in an encrypted database that holds their account data. Have users create a cross-account lAM role with a policy that grants read-only access to the Amazon S3 bucket required by your application to the AWS account ID running your production Sass application. Have users create an Amazon S3 bucket policy that grants read-only access to the Amazon S3 bucket required by your application, and securely store the corresponding access keys in the database holding their account data. Have users create an Amazon S3 bucket policy that grants read-only access to the Amazon S3 bucket required by your application and limits access to the public IP address of the SaaS application.
Which of the following are not valid sources for OpsWorks custom cookbook repositories? HTTP(S) Git AWS EBS Subversion.
Your application has an Auto Scaling group of m3.large instances running an application that
receives messages born an Amazon SQS queue. After a while, the number of instances reaches the maximum set for the group and the number of messages on the queue continues to increase. You have discovered that a third- party library used by the application has a bug that causes a memory leak.
What cost-effective steps can you take to continue message processing while the library developer
fixes the bug? Enable Elastic Load Balancing health checks for the Auto Scaling group. When Elastic Load Balancing has detected a failure, Auto Scaling will terminate the failing application's instance and launch a new one. Use Amazon EC2 instance memory usage CloudWatch metrics to raise alerts when they reach and defined level and send a message to Auto Scaling to fail the instance health check. Use application monitoring on the instance to restart the application when memory usage reaches a defined level. Create a new Auto Scaling launch configuration to use the r3.large instance type. Update the Auto Scaling group with the new launch configuration.
You need to replicate API calls across two systems in real time. What tool should you use as a buffer and transport mechanism for API call events? AWS SQS AWS Lambda AWS Kinesis AWS SNS.
A retail company has adopted AWS OpsWorks for managing its deployments. In the last three
months: the company has discovered that some production instances have been restarting without
reason. Upon inspection of the AWS CloudTrail logs, a DevOps Engineer determined that those
instances were restarted by OpsWorks. The Engineer now wants automated email notifications
whenever OpsWorks restarts an instance when the instance is deemed unhealthy or unable to
communicate with the service endpoint.
How can the Engineer meet this requirement? Create a Chef recipe to place a cron to run a custom script within the Amazon EC2 instances that sends an email to the team by using Amazon SES if the OpsWorks agent detects an instance failure. Create an Amazon SNS topic and create a subscription for this topic that contains the destination email address. Create an Amazon CloudWatch rule: specify aws . opsworks as a source and specify auto- healing in the initiated_by details. Use the SNS topic as a target. Create an Amazon SNS topic and create a subscription for this topic that contains the destination email address. Create an Amazon CloudWatch rule specify aws. opsworks as a source and specify instance- replacement in the initiated_by details. Use the SNS topic as a target. Create a subscription for this topic that contains the email address. Enable instance restart notifications within the OpsWorks layer and indicate the destination email address for the notification.
You work for a startup that has developed a new photo-sharing application for mobile
devices. Over recent months your application has increased in popularity; this has resulted in a decrease in the performance of the application clue to the increased load. Your application has a two-tier architecture that is composed of an Auto Scaling PHP application tier and a MySQL RDS instance initially deployed with AWS CloudFormation. Your Auto Scaling group has a min value of 4 and a max value of 8. The desired capacity is now at 8 because of the high CPU utilization of the instances. After some analysis, you are confident that the performance issues stem from a constraint in CPU capacity, although memory utilization remains low. You therefore decide to move from the general-purpose M3 instances to the compute-optimized C3 instances. How would you deploy this change while minimizing any interruption to your end users? Sign into the AWS Management Console, copy the old launch configuration, and create a new launch configuration that specifies the C3 instances. Update the Auto Scaling group with the new launch configuration. Auto Scaling will then update the instance type of all running instances. Sign into the AWS Management Console, and update the existing launch configuration with the new C3 instance type. Add an UpdatePolicy attribute to your Auto Scaling group that specifies AutoScalingRollingUpdate. Update the launch configuration specified in the AWS CloudFormation template with the new C3 instance type. Run a stack update with the new template. Auto Scaling will then update the instances with the new instance type. Update the launch configuration specified in the AWS CloudFormation template with the new C3 instance type. Also add an UpdatePolicy attribute to your Auto Scaling group that specifies AutoScalingRollingUpdate. Run a stack update with the new template.
You are creating an application which stores extremely sensitive financial information. All
information in the system must be encrypted at rest and in transit. Which of these is a violation of
this policy? ELB SSL termination. ELB Using Proxy Protocol v1. CloudFront Viewer Protocol Policy set to HTTPS redirection. Telling S3 to use AES256 on the server-side.
You run a small online consignment marketplace. Interested sellers complete an online application in order to allow them to sell their products on your website. Once approved, they can post their product using a custom interface. From that pant, you manage the shopping cart process so that when a buyer decides to buy a product, you handle the billing and coordinate the shipping. Part of this process requires sending emails to the buyer and the seller at different stages. Your system has been running on AWS for a few months. Occasionally, products are shipped before payment cleared and emails are sent out of order. Furthermore, sometimes credit cards are being charged twice. How can you resolve these problems? Use the Amazon Simple Queue Service (SQS), and use a different set of workers for each task. Use the Amazon Simple Workflow Service (SWF), and use a different set of workers for each task. Use the Simple Email Service (SES) to control the correct order of email delivery. Use the AWS Data Pipeline service to control the process flow of the various tasks. Use the Amazon Simple Queue Service (SQS), and use a single set of workers for each task.
Which of these is not an instrinsic function in AWS CloudFormation? Fn::Equals Fn::If Fn::Not Fn::Parse.
A production account has a requirement that any Amazon EC2 instance that has been logged
into manually must be terminated within 24 hours. All applications in the production account are
using Auto Scaling groups with Amazon CloudWatch Logs agent configured.
How can this process be automated? Create a CloudWatch Logs subscription to an AWS Step Functions application. Configure the function to add a tag to the EC2 instance that produced the login event and mark the instance to be decommissioned. Then create a CloudWatch Events rule to trigger a second AWS Lambda function once a day that will terminate all instances with this tag. Create a CloudWatch alarm that will trigger on the login event. Send the notification to an Amazon SNS topic that the Operations team is subscribed to, and have them terminate the EC2 instance within 24 hours. Create a CloudWatch alarm that will trigger on the login event.Amazon SQS queue. Use a group of worker instances to process messages from the queue, which
then schedules the Amazon CloudWatch Events rule to trigger. Create a CloudWatch Logs subscription in an AWS Lambda function. Configure the function to add a tag to the EC2 instance that produced the login event and mark the instance to be decommissioned. Create a CloudWatch Events rule to trigger a daily Lambda function that terminates all instances with this tag.
Which of these is not a Pseudo Parameter in AWS CloudFormation? AWS::StackName AWS::AccountId AWS::StackArn AWS::NotificationARNs.
You are creating a new API for video game scores. Reads are 100 times more common than
writes, and the top 1% of scores are read 100 times more frequently than the rest of the scores.
What's the best design for this system, using DynamoDB? DynamoDB table with 100x higher read than write throughput, with CloudFront caching. DynamoDB table with roughly equal read and write throughput, with CloudFront caching. DynamoDB table with 100x higher read than write throughput, with ElastiCache caching. DynamoDB table with roughly equal read and write throughput, with ElastiCache caching.
When an Auto Scaling group is running in Amazon Elastic Compute Cloud (EC2), your
application rapidly scales up and down in response to load within a 10-minute window; however,
after the load peaks, you begin to see problems in your configuration management system where previously terminated Amazon EC2 resources are still showing as active.
What would be a reliable and efficient way to handle the cleanup of Amazon EC2 resources within
your configuration management system?
Choose 2 answers Write a script that is run by a daily cron job on an Amazon EC2 instance and that executes API Describe calls of the EC2 Auto Scaling group and removes terminated instances from the configuration management system. Configure an Amazon Simple Queue Service (SQS) queue for Auto Scaling actions that has a script that listens for new messages and removes terminated instances from the configuration management system. Use your existing configuration management system to control the launching and bootstrapping of instances to reduce the number of moving parts in the automation. Write a small script that is run during Amazon EC2 instance shutdown to de-register the resource from the configuration management system. Use Amazon Simple Workflow Service (SWF) to maintain an Amazon DynamoDB database that contains a whitelist of instances that have been previously launched, and allow the Amazon SWF worker to remove information from the configuration management system.
A Developer is maintaining a fleet of 50 Amazon EC2 Linux servers. The servers are part of an
Amazon EC2 Auto Scaling group, and also use Elastic Load Balancing for load balancing.
Occasionally, some application servers are being terminated after failing ELB HTTP health checks. The Developer would like to perform a root cause analysis on the issue, but before being able to access application logs, the server is terminated.
How can log collection be automated? Use Auto Scaling lifecycle hooks to put instances in a Pending:Wait state. Create an Amazon CloudWatch Alarm for EC2 Instance Terminate Successful and trigger an AWS Lambda function that executes an SSM Run Command script to collect logs, push them to Amazon S3, and complete the lifecycle action once logs are collected. Use Auto Scaling lifecycle hooks to put instances in a Terminating: Wait state. Create a Config rule for EC2 Instance-terminate Lifecycle Action and trigger a step function that executes a script to collect logs, push them to Amazon S3, and complete the lifecycle action once logs are collected. Use Auto Scaling lifecycle hooks to put instances in a Terminating: Wait state. Create an Amazon CloudWatch subscription filter for EC2 Instance Terminate Successful and trigger a CloudWatch agent that executes a script to called logs, push them to Amazon S3, and complete the lifecycle action once
logs are collected. Use Auto Scaling lifecycle hooks to put instances in a Terminating:Wait state. Create an Amazon CloudWatch Events rule for EC2 'Instance-terminate Lifecycle Action and trigger an AWS Lambda function that executes a SSM Run Command script to collect logs, push them to Amazon S3, and complete the lifecycle action once logs are collected.
A company has developed a static website hosted on an Amazon S3 bucket. The website is
deployed using AWS CloudFormation. The CloudFormation template defines an S3 bucket and a custom resource that copies content into the bucket from a source location. The company has
decided that it needs to move the website to a new location, so the existing CloudFormation stack
must be deleted and re-created. However, CloudFormation reports that the stack could not be
deleted cleanly. What is the MOST likely cause and how can the DevOps Engineer mitigate this problem for this and future versions of the website? Deletion has failed because the S3 bucket has an active website configuration. Modify the
CloudFormation template to remove the Website Configuration properly from the S3 bucket
resource. Deletion has failed because the S3 bucket is not empty. Modify the custom resource's AWS
Lambda function code to recursively empty the bucket when RequestType is Delete. Deletion has failed because the custom resource does not define a deletion policy. Add a
DeletionPolicy property to the custom resource definition with a value of RemoveOnDeletion. Deletion has failed because the S3 bucket is not empty. Modify the S3 bucket resource in the CloudFormation template to add a DeletionPolicy property with a value of Empty.
A Development team is currently using AWS CodeDeploy to deploy an application revision to
an Auto Scaling group. If the deployment process fails, it must be rolled back automatically and a
notification must be sent.
What is the MOST effective configuration that can satisfy all of the requirements? Create Amazon CloudWatch Events rules for CodeDeploy operations. Configure a CloudWatch Events rule to send out an Amazon SNS message when the deployment fails. Configure CodeDeploy to automatically roll back when the deployment fails. Use available Amazon CloudWatch metrics for CodeDeploy to create CloudWatch alarms.
Configure CloudWatch alarms to send out an Amazon SNS message when the deployment fails. Use AWS CLI to redeploy a previously deployed revision. Configure a CodeDeploy agent to create a trigger that will send notification to Amazon SNS topics when the deployment fails. Configure CodeDeploy to automatically roll back when the deployment fails. Use AWS CloudTrail to monitor API calls made by or on behalf of CodeDeploy in the AWS account. Send an Amazon SNS message when deployment fails. Use AWS CLI to redeploy a previouslydeployed revision.
Using the AWS CLI, which command would you use to change the configuration settings for a
CloudTrail trail? modify-trail change-trail update-trail set-trail.
You have an ASP.NET web application running in Amazon Elastic Beanstalk. Your next version of the application requires a third-party Windows Installer package to be installed on the instance on first boot and before the application launches.
Which options are possible? Choose 2 answers In the application's Global.asax file, run msiexec.exe to install the package using Process.Start() in the Application Start event handler. In the source bundle's .ebextensions folder, create a file with a .config extension. In the file, under the "packages" section and "msi" package manager, include the package's URL. Launch a new Amazon EC2 instance from the AMI used by the environment. Log into the instance, install the package and run sysprep. Create a new AMI. Configure the environment to use the new AMI. In the environment's configuration, edit the instances configuration and add the package's URL to the "Packages" section. In the source bundle's .ebextensions folder, create a "Packages" folder. Place the package in the folder.
What are the bare minimum requirements for a valid Ansible playbook? The hosts, connection type, fact gathering, vars and tasks. The hosts declaration and tasks A YAML file with a single line containing `---'. At least one play with at least a hosts declaration.
Your social media marketing application has a component written in Ruby running on AWS
Elastic Beanstalk. This application component posts messages to social media sites in support of various marketing campaigns. Your management now requires you to record replies to these social media messages to analyze the effectiveness of the marketing campaign in comparison to past and future efforts. You' ve already developed a new application component to interface with the social media site APIs in order to read the replies. Which process should you use to record the social media replies in a durable data store that can be accessed at any time for analysis of historical data? Deploy the new application component in an Auto Scaling group of Amazon Elastic Compute Cloud (EC2) Instances, read the data from the social media sites, store it with Amazon Elastic Block Store, and use AWS Data Pipeline to publish it to Amazon Kinesis for analytics. Deploy the new application component as an Elastic Beanstalk application, read the data from the social media sites, store it in Amazon DynamoDB, and use Apache Hive with Amazon Elastic MapReduce for analytics. Deploy the new application component in an Auto Scaling group of Amazon EC2 instances, read the data from the social media sites, store it in Amazon Glacier, and use AWS Data Pipeline to publish it to Amazon Redshift for analytics. Deploy the new application component as an Amazon Elastic Beanstalk application, read the data from the social media site, store it with Amazon Elastic Block Store, and use Amazon Kinesis to stream the data to Amazon CloudWatch for analytics.
You want to build a new search tool feature for your monitoring system that will allow your
information security team to quickly audit all API calls in your AWS accounts. What combination of AWS services can you use to develop and automate the backend processes supporting this tool?
Choose 3 answers. Create an Amazon CloudSearch domain for API call logs. Configure the search domain so that it can be used to index API call logs for the search tool. Use AWS CloudTrail to store API call logs in an Amazon S3 bucket. Configure an Amazon Simple Notification Service topic called "log-notification" that notifies subscribers when new logs are available. Subscribe an Amazon SQS queue to the topic. Use Amazon Cloudwatch to ship AWS CloudTrail logs to your monitoring system. Create an AWS Elastic Beanstalk application in worker role mode that uses an Amazon Simple Email Service (SES) domain to facilitate batch processing new API call log files retrieved from an Amazon S3 bucket into a search index. Use AWS CloudTrail to store API call logs in an Amazon S3 bucket. Configure Amazon Simple Email Service (SES) to notify subscribers when new logs are available. Subscribe an Amazon SQS queue to the email domain. Create Amazon Cloudwatch custom metrics for the API call logs. Configure a Cloudwatch search domain so that it can be used to index API call logs for the search tool. Create an AWS Elastic Beanstalk application in worker role mode that uses an Amazon SQS queue to facilitate batch processing new API call log files retrieved from an Amazon S3 bucket into a search.
You need to create a simple, holistic check for your system's general availablity and uptime.
Your system presents itself as an HTTP-speaking API. What is the most simple tool on AWS to achieve this with? Route53 Health Checks CloudWatch Health Checks AWS ELB Health Checks EC2 Health Checks.
You are designing an enterprise data storage system. Your data management software
system requires mountable disks and a real filesystem, so you cannot use S3 for storage. You need
persistence, so you will be using AWS EBS Volumes for your system. The system needs as low- cost
storage as possible, and access is not frequent or high throughput, and is mostly sequential reads.
Which is the most appropriate EBS Volume Type for this scenario? gp1 io1 standard gp2.
You are building a Docker image with the following Dockerfile. How many layers will the
resulting image have?
FROM scratch
CMD /app/hello.sh 2 4 1 3.
You have a large number of web servers in an Auto Scaling group behind a load balancer. On an hourly basis, you want to filter and process the logs to collect data on unique visitors, and then put that data in a durable data store in order to run reports. Web servers in the Auto Scaling group are constantly launching and terminating based on your scaling policies, but you do not want to lose any of the log data from these servers during a stop/termination initiated by a user or by Auto
Scaling.
What two approaches will meet these requirements?
Choose 2 answers Install an Amazon Cloudwatch Logs Agent on every web server during the bootstrap process. Create a CloudWatch log group and define Metric Filters to create custom metrics that track unique visitors from the streaming web server logs. Create a scheduled task on an Amazon EC2 instance that runs every hour to generate a new report based on the Cloudwatch custom metrics. On the web servers, create a scheduled task that executes a script to rotate and transmit the logs to Amazon Glacier. Ensure that the operating system shutdown procedure triggers a logs transmission when the Amazon EC2 instance is stopped/terminated.
Use Amazon Data Pipeline to process the data in Amazon Glacier and run reports every hour. On the web servers, create a scheduled task that executes a script to rotate and transmit the logs to an Amazon S3 bucket. Ensure that the operating system shutdown procedure triggers a logs transmission when the Amazon EC2 instance is stopped/terminated.
Use AWS Data Pipeline to move log data from the Amazon S3 bucket to Amazon Redshift In order to process and run reports every hour. Install an AWS Data Pipeline Logs Agent on every web server during the bootstrap process. Create a log group object in AWS Data Pipeline, and define Metric Filters to move processed log data directly from the web servers to Amazon Redshift and run reports every hour.
You work for a company that automatically tags photographs using artificial neural networks
(ANNs), which run on GPUs using C++. You receive millions of images at a time, but only 3 times per
day on average. These images are loaded into an AWS S3 bucket you control for you in a batch, and
then the customer publishes a JSON-formatted manifest into another S3 bucket you control as well.
Each image takes 10 milliseconds to process using a full GPU. Your neural network software requires
5 minutes to bootstrap. Image tags are JSON objects, and you must publish them to an S3 bucket.
Which of these is the best system architectures for this system? Create an OpsWorks Stack with two Layers. The first contains lifecycle scripts for launching and bootstrapping an HTTP API on G2 instances for ANN image processing, and the second has an alwayson instance which monitors the S3 manifest bucket for new files. When a new file is detected, request instances to boot on the ANN layer. When the instances are booted and the HTTP APIs are up, submit processing requests to individual instances. Make an S3 notification configuration which publishes to AWS Lambda on the manifest bucket. Make the Lambda create a CloudFormation Stack which contains the logic to construct an autoscaling worker tier of EC2 G2 instances with the ANN code on each instance. Create an SQS queue of the images in the manifest. Tear the stack down when the queue is empty. Deploy your ANN code to AWS Lambda as a bundled binary for the C++ extension. Make an S3 notification configuration on the manifest, which publishes to another AWS Lambda running controller code. This controller code publishes all the images in the manifest to AWS Kinesis. Your ANN code Lambda Function uses the Kinesis as an Event Source. The system automatically scales when the stream contains image events. Create an Auto Scaling, Load Balanced Elastic Beanstalk worker tier Application and Environment. Deploy the ANN code to G2 instances in this tier. Set the desired capacity to 1. Make the code periodically check S3 for new manifests. When a new manifest is detected, push all of the images in the manifest into the SQS queue associated with the Elastic Beanstalk worker tier.
You need to create an audit log of all changes to customer banking data. You use DynamoDB
to store this customer banking data. It's important not to lose any information due to server failures.
What is an elegant way to accomplish this? Use a DynamoDB StreamSpecification and stream all changes to AWS Lambda. Log the changes to AWS CloudWatch Logs, removing sensitive information before logging. Before writing to DynamoDB, do a pre-write acknoledgment to disk on the application server, removing sensitive information before logging. Periodically rotate these log files into S3. Use a DynamoDB StreamSpecification and periodically flush to an EC2 instance store, removing sensitive information before putting the objects. Periodically flush these batches to S3. Before writing to DynamoDB, do a pre-write acknoledgment to disk on the application server, removing sensitive information before logging. Periodically pipe these files into CloudWatch Logs.
To monitor API calls against our AWS account by different users and entities, we can use
________ to create a history of calls in bulk for later review, and use ___________ for reacting to
AWS API calls in real-time. AWS Config; AWS Inspector AWS CloudTrail; AWS Config AWS CloudTrail; CloudWatch Events AWS Config; AWS Lambda.
You are building a mobile app for consumers to post cat pictures online. You will be storing the images in AWS S3. You want to run the system very cheaply and simply. Which one of these options allows you to build a photo sharing application without needing to worry about scaling expensive uploads processes, authentication/authorization and so forth? Build the application out using AWS Cognito and web identity federation to allow users to log in using Facebook or Google Accounts. Once they are logged in, the secret token passed to that user is used to directly access resources on AWS, like AWS S3. Use JWT or SAML compliant systems to build authorization policies. Users log in with a username and password, and are given a token they can use indefinitely to make calls against the photo infrastructure. Use AWS API Gateway with a constantly rotating API Key to allow access from the client-side. Construct a custom build of the SDK and include S3 access in it. Create an AWS oAuth Service Domain ad grant public signup and access to the domain. During setup, add at least one major social media site as a trusted Identity Provider for users.
A government agency is storing highly confidential files in an encrypted Amazon S3 bucket.
The agency has configured federated access and has allowed only a particular on-premises Active
Directory user group to access this bucket. The agency wants to maintain audit records and automatically detect and revert any accidental changes administrators make to the IAM policies used for providing this restricted federated access. Which of the following options provide the FASTEST way to meet these requirements? Configure an Amazon CloudWatch Events Event Bus on an AWS CloudTrail API for triggering the AWS Lambda function that detects and reverts the change. Configure an AWS Config rule to detect the configuration change and execute an AWS Lambda function to revert the change. Schedule an AWS Lambda function that will scan the IAM policy attached to the federated access role for detecting and reverting any changes. Restrict administrators in the on-premises Active Directory from changing the IAM policies.
What is the scope of an EBS volume? VPC Region Placement Group Availability Zone.
A company is implementing an Amazon ECS cluster to run its workload. The company
architecture will run multiple ECS services on the cluster, with an Application Load Balancer on the
front end, using multiple target groups to route traffic. The Application Development team has been
struggling to collect logs that must be collected and sent to an Amazon S3 bucket for near- real time analysis What must the DevOps Engineer configure in the deployment to meet these requirements?
(Select THREE) Install the Amazon CloudWatch Logs logging agent on the ECS instances. Change the logging driver in the ECS task definition to 'awslogs'. Download the Amazon CloudWatch Logs container instance from AWS and configure it as a task. Update the application service definitions to include the logging task. Use Amazon CloudWatch Events to schedule an AWS Lambda function that will run every 60 seconds running the create-export -task CloudWatch Logs command, then point the output to the logging S3 bucket. Enable access logging on the Application Load Balancer, then point it directly to the S3 logging bucket. Enable access logging on the target groups that are used by the ECS services, then point it directly to the S3 logging bucket. Create an Amazon Kinesis Data Firehose with a destination of the S3 logging bucket, then create an Amazon CloudWatch Logs subscription filter for Kinesis.
Due to compliance regulations, management has asked you to provide a system that allows
for cost-effective long-term storage of your application logs and provides a way for support staff to
view the logs more quickly. Currently your log system archives logs automatically to Amazon S3 every hour, and support staff must wait for these logs to appear in Amazon S3, because they do not
currently have access to the systems to view live logs.
What method should you use to become compliant while also providing a faster way for support staff
to have access to logs? Update Amazon S3 lifecycle policies to archive old logs to Amazon Glacier, and add a new policy to push all log entries to Amazon SQS for ingestion by the support team. Update Amazon S3 lifecycle policies to archive old logs to Amazon Glacier, and use or write a service to also stream your application logs to CloudWatch Logs. Update Amazon Glacier lifecycle policies to pull new logs from Amazon S3, and in the Amazon EC2 console, enable the CloudWatch Logs Agent on all of your application servers. Update Amazon S3 lifecycle policies to archive old logs to Amazon Glacier. key can be different from the tableEnable Amazon S3 partial uploads on your Amazon S3 bucket, and trigger an Amazon SNS notification when a partial upload occurs. Use or write a service to stream your application logs to CloudWatch Logs. Use an Amazon Elastic Map Reduce cluster to live stream your logs from CloudWatch Logs for ingestion by the support team, and create a Hadoop job to push the logs to S3 in five-minute chunks.
You are running a Docker daemon on a Linux host and it becomes unresponsive. Which signal, when sent to a Docker process with the kill command, forces the full stack trace to be logged
for debugging purposes? -TRACE -IOTRACE -SIGUSER1 -KILLTRACE.
Which command will start an assessment run? aws inspector start-assessment-run --assessment-template-arn <template-arn> aws inspector start-assessment-run --assessment-run-name examplerun --assessment-target <target-arn> aws inspector start-assessment-run --assessment-run-name examplerun aws inspector start-assessment-run --assessment-run-name examplerun --assessment-duration <duration-in-seconds>.
A DevOps Engineer is working on a project that is hosted on Amazon Linux and has failed a
security review. The DevOps Manager has been asked to review the company buildspec.yami file for
an AWS CodeBuild project and provide recommendations. The builspec.yami file is configured as
follows:
What changes should be recommended to comply with AWS security best practices? (Select THREE.) Add a post-build command to remove the temporary files from the container before termination to ensure they cannot be seen by other CodeBuild users. Update the CodeBuild project role with the necessary permissions and then remove the AWS credentials from the environment variable. Store the DB_PASSWORD as a SecurityString value in AWS Systems Manager Parameter Store and then remove the DB_PASSWORD from the environment variables. Move the environment variables to the `db-deploy-bucket' Amazon S3 bucket, add a prebuild stage to download, then export the variables. Use AWS Systems Manager run command versus scp and ssh commands directly to the instance. Scramble the environment variables using XOR followed by Base64, add a section to install, and then run XOR and Base64 to the build phase.
You run operations for a company that processes digital wallet payments at a very high
volume. One second of downtime, during which you drop payments or are otherwise unavailable, loses you on average USD 100. You balance the financials of the transaction system once per day.
Which database setup is best suited to address this business risk? A multi-AZ RDS deployment with synchronous replication to multiple standbys and read-replicas for fast failover and ACID properties. A multi-region, multi-master, active-active RDS configuration using database-level ACID design principles with database trigger writes for replication. A multi-region, multi-master, active-active DynamoDB configuration using application control-level BASE design principles with change-stream write queue buffers for replication. A multi-AZ DynamoDB setup with changes streamed to S3 via AWS Kinesis, for highly durable storage and BASE properties.
A DevOps Engineer is deploying a new web application. The company chooses AWS Elastic
Beanstalk for deploying and managing the web application, and Amazon RDS MySQL to handle
persistent data. The company requires that new deployments have minimal impact if they fail.
The application resources must be at full capacity during deployment, and rolling back a deployment
must also be possible.
Which deployment sequence will meet these requirements? Deploy the application using Elastic Beanstalk and connect to an external RDS MySQL instance using Elastic Beanstalk environment properties. Use Elastic Beanstalk features for a blue/green deployment to deploy the new release to a separate environment, and then swap the CNAME in the two environments to redirect traffic to the new version. Deploy the application using Elastic Beanstalk, and include RDS MySQL as part of the environment. Use default Elastic Beanstalk behavior to deploy changes to the application, and let rolling updates deploy changes to the application. Deploy the application using Elastic Beanstalk, and include RDS MySQL as part of the environment. Use Elastic Beanstalk immutable updates for application deployments. Deploy the application using Elastic Beanstalk, and connect to an external RDS MySQL instance using Elastic Beanstalk environment properties. Use Elastic Beanstalk immutable updates for application deployments.
An IT department manages a portfolio with Windows and Linux (Amazon and Red Hat
Enterprise Linux) servers both on-premises and on AWS. An audit reveals that there is no process for updating OS and core application patches, and that the servers have inconsistent patch levels.
Which of the following provides the MOST reliable and consistent mechanism for updating and
maintaining all servers at the recent OS and core application patch levels? Install AWS Systems Manager agent on all on-premises and AWS servers. Create Systems Manager Resource Groups. Use Systems Manager Patch Manager with a preconfigured patch baseline to run scheduled patch updates during maintenance windows. Install the AWS OpsWorks agent on all on-premises and AWS servers. Create an OpsWorks stack with separate layers for each operating system, and get a recipe from the Chef supermarket to run the patch commands for each layer during maintenance windows. Use a shell script to install the latest OS patches on the Linux servers using yum and schedule it to run automatically using cron. Use Windows Update to automatically patch Windows servers. Use AWS Systems Manager Parameter Store to securely store credentials for each Linux and Windows server. Create Systems Manager Resource Groups. Use the Systems Manager Run Command to remotely deploy patch updates using the credentials in Systems Manager Parameter Store.
The Security team depends on AWS CloudTrail to detect sensitive security issues in the
company's AWS account. The DevOps Engineer needs a solution to auto-remediate CloudTrail being turned off in an AWS account.
What solution ensures the LEAST amount of downtime for the CloudTrail log deliveries? Create an Amazon CloudWatch Events rule for the CloudTrail StopLogging event. Create an AWS Lambda function that uses the AWS SDK to call StartLogging on the ARN of the resource in which StopLogging was called. Add the Lambda function ARN as a target to the CloudWatch Events rule. Deploy the AWS-managed CloudTrail-enabled AWS Config rule, set with a periodic interval of 1 hour. Create an Amazon CloudWatch Events rule for AWS Config rules compliance change. Create an AWS Lambda function that uses the AWS SDK to call StartLogging on the ARN of the resource in which StopLogging was called. Add the Lambda function ARN as a target to the CloudWatch Events rule. Create an Amazon CloudWatch Events rule for a scheduled event every 5 minutes. Create an AWS Lambda function that uses the AWS SDK to call StartLogging on an CloudTrail trail in the AWS account. Add the Lambda function ARN as a target to the CloudWatch Events rule. Launch a t2.nano instance with a script running every 5 minutes that uses the AWS SDK to query CloudTrail in the current account. If the CloudTrail trail is disabled, have the script re-enable the trail.
When thinking of AWS Elastic Beanstalk's model, which is true? Applications have many deployments, deployments have many environments. Environments have many applications, applications have many deployments. Applications have many environments, environments have many deployments. Deployments have many environments, environments have many applications.
Your application requires a fault-tolerant, low-latency and repeatable method to load configurations files via Auto Scaling when Amazon Elastic Compute Cloud (EC2) instances launch.
Which approach should you use to satisfy these requirements? Securely copy the content from a running Amazon EC2 instance. Use an Amazon EC2 UserData script to copy the configurations from an Amazon Storage Services (S3) bucket. Use a script via cfn-init to pull content hosted in an Amazon ElastiCache cluster. Use a script via cfn-init to pull content hosted on your on-premises server. Use an Amazon EC2 UserData script to pull content hosted on your on-premises server.
You need to know when you spend $1000 or more on AWS. What's the easy way for you to
see that notification? AWS CloudWatch Events tied to API calls, when certain thresholds are exceeded, publish to SNS. Scrape the billing page periodically and pump into Kinesis. AWS CloudWatch Metrics + Billing Alarm + Lambda event subscription. When a threshold is
exceeded, email the manager. Scrape the billing page periodically and publish to SNS.
When writing custom Ansible modules, which language is not supported? Python C++ Bash All of the languages listed are supported.
When thinking of DynamoDB, what are true of Global Secondary Key properties? The partition key and sort key can be different from the table. Only the partition key can be different from the table. Either the partition key or the sort key can be different from the table, but not both. Only the sort key can be different from the table.
Your company releases new features with high frequency while demanding high application
availability. As part of the application's A/B testing, logs from each updated Amazon EC2 instance of the application need to be analyzed in near real-time, to ensure that the application is working flawlessly after each deployment. If the logs show arty anomalous behavior, then the application version of the instance is changed to a more stable one.
Which of the following methods should you use for shipping and analyzing the logs in a highly
available manner? Ship the logs to Amazon S3 for durability and use Amazon EMR to analyze the logs in a batch manner each hour. Ship the logs to Amazon CloudWatch Logs and use Amazon EMR to analyze the logs in a batch manner each hour. Ship the logs to an Amazon Kinesis stream and have the consumers analyze the logs in a live manner. Ship the logs to a large Amazon EC2 instance and analyze the logs in a live manner. Store the logs locally on each instance and then have an Amazon Kinesis stream pull the logs for live analysis.
Which is not a restriction on AWS EBS Snapshots? Snapshots which are shared cannot be used as a basis for other snapshots. You cannot share a snapshot containing an AWS Access Key ID or AWS Secret Access Key. You cannot share unencrypted snapshots. Snapshot restorations are restricted to the region in which the snapshots are created.
The Ansible Inventory system allows many attributes to be defined within it. Which item
below is not one of these? Group variables Host groups Include vars Children groups.
What is the main difference between calling the commands `ansible' and `ansible-playbook'
on the command line? `ansible' is for setting configuration and environment variables which `ansible-playbook' will use when running plays. `ansible-playbook' is for running entire Playbooks while `ansible' is for calling ad-hoc commands. `ansible-playbook' runs the playbooks by using the `ansible' command to run the individual plays `ansible' is for running individual plays and `ansible-playbook' is for running the entire playbook.
Your application's Auto Scaling Group scales up too quickly, too much, and stays scaled when traffic decreases. What should you do to fix this? Set a longer cooldown period on the Group, so the system stops overshooting the target capacity. The issue is that the scaling system doesn't allow enough time for new instances to begin servicing requests before measuring aggregate load again. Calculate the bottleneck or constraint on the compute layer, then select that as the new metric, and set the metric thresholds to the bounding values that begin to affect response latency. Raise the CloudWatch Alarms threshold associated with your autoscaling group, so the scaling takes more of an increase in demand before beginning. Use larger instances instead of lots of smaller ones, so the Group stops scaling out so much and wasting resources as the OS level, since the OS uses a higher proportion of resources on smaller instances.
An online retail company based in the United States plans to expand its operations to Europe
and Asia in the next six months. Its product currently runs on Amazon EC2 instances behind an
Application Load Balancer. The instances run in an Amazon EC2 Auto Scaling group across multiple
Availability Zones. All data is stored in an Amazon Aurora database instance.
When the product is deployed in multiple regions, the company wants a single product catalog across
all regions, but for compliance purposes, its customer information and purchases must be kept in
each region. How should the company meet these requirements with the LEAST amount of
application changes? Use Amazon Redshift for the product catalog and Amazon DynamoDB tables for the customer information and purchases. Use Amazon DynamoDB global tables for the product catalog and regional tables for the customer information and purchases Use Aurora with read replicas for the product catalog and additional local Aurora instances in each region for the customer information and purchases. Use Aurora for the product catalog and Amazon DynamoDB global tables for the customer
information and purchases.
What does the Docker network docker_gwbridge do? allows communication between containers on the same host allows communication between swarm nodes on different hosts allows communication between swarm nodes on the same host allows communication between containers on the different hosts.
A Development team is building more than 40 applications. Each app is a three-tiered web
application based on an ELB Application Load Balancer, Amazon EC2, and Amazon RDS.
Because the applications will be used internally, the Security team wants to allow access to the
40 applications only from the corporate network and block access from external IP addresses.
The corporate network reaches the internet through proxy servers. The proxy servers have 12 proxy IP addresses that are being changed one or two times per month. The Network Infrastructure team manages the proxy servers; they upload the file that contains the latest proxy IP addresses into an Amazon S3 bucket. The DevOps Engineer must build a solution to ensure that the applications are accessible from the corporate network. Which solution achieves these requirements with MINIMAL impact to application development, MINIMAL operational effort, and the LOWEST infrastructure cost? Implement an AWS Lambda function to read the list of proxy IP addresses from the S3 object and to update the ELB security groups to allow HTTPS only from the given IP addresses. Configure the S3 bucket to invoke the Lambda function when the object is updated. Save the IP address list to the S3 bucket when they are changed. Ensure that all the applications are hosted in the same Virtual Private Cloud (VPC). Otherwise, consolidate the applications into a single VPC. Establish an AWS Direct Connect connection with an active/standby configuration. Change the ELB security groups to allow only inbound HTTPS connections from the corporate network IP addresses. Implement a Python script with the AWS SDK for Python (Bolo), which downloads the S3 object that contains the proxy IP addresses, scans the ELB security groups, and updates them to allow only HTTPS inbound from the given IP addresses. Launch an EC2 instance and store the script in the instance. Use a cron job to execute the script daily. Enable ELB socially groups to allow HTTPS inbound access from the Internet. Use Amazon Cognito to integrate the company's Active Directory as the identity provider. Change the 40 applications to integrate with Amazon Cognito so that only company employees can log into the application. Save the user access logs to Amazon CloudWatch Logs to record user access activities.
You have an application consisting of a stateless web server tier running on Amazon EC2
instances behind load balancer, and are using Amazon RDS with read replicas.
Which of the following methods should you use to implement a self-healing and cost-effective
architecture? Choose 2 answers. Set up a third-party monitoring solution on a cluster of Amazon EC2 instances in order to emit custom CloudWatch metrics to trigger the termination of unhealthy Amazon EC2 instances. Set up scripts on each Amazon EC2 instance to frequently send ICMP pings to the load balancer in order to determine which instance is unhealthy and replace it. Set up an Auto Scaling group for the web server tier along with an Auto Scaling policy that uses the Amazon RDS DB CPU utilization CloudWatch metric to scale the instances. Set up an Auto Scaling group for the web server tier along with an Auto Scaling policy that uses the Amazon EC2 CPU utilization CloudWatch metric to scale the instances. Use a larger Amazon EC2 instance type for the web server tier and a larger DB instance type for the data storage layer to ensure that they don't become unhealthy. Set up an Auto Scaling group for the database tier along with an Auto Scaling policy that uses the Amazon RDS read replica lag CloudWatch metric to scale out the Amazon RDS read replicas. Use an Amazon RDS Multi-AZ deployment.
You have an application consisting of a stateless web server tier running on Amazon EC2
instances behind load balancer, and are using Amazon RDS with read replicas.
Which of the following methods should you use to implement a self-healing and cost-effective
architecture? Choose 2 answers. By using the Elastic Load Balancing Latency CloudWatch metric. By using the HTTP X-Forwarded-For header for requests from the load balancer. By running a distributed load test to the load balancer. By using the load balancer access logs.
A DevOps Engineer is leading the implementation for automating patching of Windows-based
workstations in a hybrid cloud environment by using AWS Systems Manager (SSM). What steps
should the Engineer follow to set up Systems Manager to automate patching in this environment?
(Select TWO.) Create multiple IAM service roles for Systems Manager so that the ssm amazonaws.com service can execute the AssumeRole operation on every instance. Register the role on a per-resource level to enable the creation of a service token. Perform managed-instance activation with the newly created service role attached to each managed instance. Create an IAM service role for Systems Manager so that the ssm amazonaws.com service can execute the AssumeRole operation. Register the role to enable the creation of a service token. Perform managed-instance activation with the newly created service role. Using previously obtained activation codes and activation IDs, download and install the SSM Agent on the hybrid servers, and register the servers or virtual machines on the Systems Manager service. Hybrid instances will show with an "mi-" prefix in the SSM console. Using previously obtained activation codes and activation IDs, download and install the SSM Agent on the hybrid servers, and register the servers or virtual machines on the Systems Manager service. Hybrid instances will show with an "i-" prefix in the SSM console as if they were provisioned as a regular Amazon EC2 instance. Run AWS Config to create a list of instances that are unpatched and not compliant. Create an instance scheduler job, and through an AWS Lambda function, perform the instance patching to bring them up to compliance.
Which services can be used as optional components of setting up a new Trail in CloudTrail? KMS, SNS and SES CloudWatch, S3 and SNS KMS, Cloudwatch and SNS KMS, S3 and CloudWatch.
You set up a scalable continuous integration platform on AWS.
The platform consists of a master node that can delegate project build jobs to multiple slave nodes,
all running on Amazon EC2. The build output will be stored in Amazon S3.
You always have five slave nodes deployed. Each slave node can handle 10 build jobs simultaneously. Your master node publishes a custom Amazon CloudWatch metric with the name
"RunningBuildiobs" that Slows you to programmatically track how many build jobs are running across your platform. Which two configuration options will allow you to flexibly scale your platform to support more than 50 simultaneous build jobs while minimizing costs?
Choose 2 answers Place your fleet of slave nodes in an Auto Scaling group. Configure a CloudWatch alarm that triggers an Auto Scaling policy to launch Amazon EC2 Instances when "RunningBuildJobs" is greater than 45 for more than five minutes. Configure a CloudWatch alarm that sends an alert when "RunningBuildJobs" is greater than 45 for more than five minutes. Use Amazon Simple Queue Service to process additional build jobs when the CloudWatch alarm is triggered. Configure your fleet of slave nodes to fully utilize all of your purchased Amazon EC2 Heavy Utilization Reserved Instances. Configure a CloudWatch alarm that launches new Amazon EC2 instances when "RunningBuildJobs" is less than 40 for more than five minutes. Run your fleet of slave nodes in an Auto Scaling group. Configure a Cloudwatch alarm that launches new Amazon EC2 Dedicated Instances when "RunningBuildJobs" is less than 40 for more than five minutes. Place your fleet of slave nodes in an Auto Scaling group. Configure a CloudWatch alarm that triggers an Auto Scaling policy to terminate Amazon EC2 instances when "RunningBuildJobs" is less than 40 for more than five minutes.
What storage driver does Docker generally recommend that you use if it is available? zfs btrfs aufs overlay.
Which answer is the proper syntax for specifying two target hosts on the command line when running an Ansible Playbook? ansible-playbook -h host1.example.com -i all playbook.yml ansible-playbook -i host1.example.com playbook.yml ansible-playbook -h host1.example.com,host2.example.com playbook.yml ansible-playbook -i host1.example.com,host2.example.com playbook.yml.
Which resource can not be defined in an Ansible Playbook? Fact Gathering State Host Groups Inventory File Variables.
You are using a configuration management system to manage your Amazon EC2 instances.
On your Amazon EC2 Instances, you want to store credentials for connecting to an Amazon RDS DB instance. How should you securely store these credentials? Give the Amazon EC2 instances an IAM role that allows read access to a private Amazon S3 bucket. Store a file with database credentials in the Amazon S3 bucket. Have your configuration management system pull the file from the bucket when it is needed. Launch an Amazon EC2 instance and use the configuration management system to bootstrap the instance with the Amazon RDS DB credentials. Create an AMI from this instance. Store the Amazon RDS DB credentials in Amazon EC2 user data. Import the credentials into the Instance on boot. Assign an IAM role to your Amazon RDS instance, and use this IAM role to access the Amazon RDS DB from your Amazon EC2 instances. Store your credentials in your version control system, in plaintext. Check out a copy of your credentials from the version control system on boot. Use Amazon EBS encryption on the volume storing the Amazon RDS DB credentials.
A company has an application that has predictable peak traffic times. The company wants the
application instances to scale up only during the peak times. The application stores state in Amazon DynamoDB. The application environment uses a standard Node.js application stack and custom Chef recipes stored in a private Git repository. Which solution is MOST cost-effective and requires the LEAST amount of management overhead when performing rolling updates of the application environment? Create a custom AMI with the Node.js environment and application stack using Chef recipes. Use the AMI in an Auto Scaling group and set up scheduled scaling for the required times, then set up an Amazon EC2 IAM role that provides permission to access DynamoDB. Create a Docker file that uses the Chef recipes for the application environment based on an official Node.js Docker image. Create an Amazon ECS cluster and a service for the application environment, then create a task based on this Docker image. Use scheduled scaling to scale the containers at the appropriate times and attach a task-level IAM role that provides permission to access DynamoDB. Configure AWS OpsWorks stacks and use custom Chef cookbooks. Add the Git repository information where the custom recipes are stored, and add a layer in OpsWorks for the Node.js application server. Then configure the custom recipe to deploy the application in the deploy step. Configure time- based instances and attach an Amazon EC2 IAM role that provides permission to access DynamoDB. Configure AWS OpsWorks stacks and push the custom recipes to an Amazon S3 bucket and configure custom recipes to point to the S3 bucket. Then add an application layer type for a standard Node.js application server and configure the custom recipe to deploy the application in the deploy step from the S3 bucket. Configure time-based instances and attach an Amazon EC2 IAM role that provides permission to access DynamoDB.
A company is creating a software solution that executes a specific parallel-processing
mechanism. The software can scale to tens of servers in some special scenarios. This solution uses a proprietary library that is license-based, requiring that each individual server have a single, dedicated license installed. The company has 200 licenses and is planning to run 200 server nodes concurrently at most.
The company has requested the following features:
- A mechanism to automate the use of the licenses at scale.
- Creation of a dashboard to use in the future to verify which licenses are available at any moment.
What is the MOST effective way to accomplish these requirements'? Upload the licenses to a private Amazon S3 bucket. Create an AWS CloudFormation template with a Mappings section for the licenses. In the template, create an Auto Scaling group to launch the servers. In the user data script, acquire an available license from the Mappings section. Create an Auto Scaling lifecycle hook, then use it to update the mapping after the instance is terminated. Upload the licenses to an Amazon DynamoDB table. Create an AWS CloudFormation template that uses an Auto Scaling group to launch the servers. In the user data script, acquire an available license from the DynamoDB table. Create an Auto Scaling litecycle hook, then use it to update the mapping after the instance is terminated. Upload the licenses to a private Amazon S3 bucket. Populate an Amazon SQS queue with the list of licenses stored in S3. Create an AWS CloudFormation template that uses an Auto Scaling group to launch the servers. In the user data script acquire an available license from SQS. Create an Auto Scaling lifecycle hook, then use it to put the license back in SQS after the instance is terminated. Upload the licenses to an Amazon DynamoDB table. Create an AWS CLI script to launch the servers by using the parameter --count, with min:max instances to launch. In the user data script, acquire an available license from the DynamoDB table. Monitor each instance and, in case of failure, replace the instance, then manually update the DynamoDB table.
You recently encountered a major bug in your Windows-based web application during a
deployment cycle. During this failed deployment, it took the team four hours to roll back to a previously working state, which left customers with a poor user experience. During the post-mortem, your team discussed the need to provide a quicker way to roll back failed
deployments. You currently run your web application on Amazon EC2 using Windows 2012R2 and use Elastic Load Balancing for your load balancing needs.
Which technique should you use to solve this problem? Create deployable versioned bundles of your application. Store the bundles on Amazon S3. Re-deploy your web application on Elastic Beanstalk, and enable the Elastic Beanstalk auto- rollback feature tied to CloudWatch metrics that define failure. Re-deploy your web application using an AWS OpsWorks stack, and use the AWS OpsWorks autorollback feature to initiate a rollback during failures. Create deployable versioned bundles of your application. Store the bundle on Amazon S3. Re-deploy your web application using an AWS OpsWorks stack, and use AWS OpsWorks application versioning to initiate a rollback during failures. Re-deploy your web application using Elastic Beanstalk, and use the Elastic Beanstalk application versions when deploying. During failures, re-deploy the previous version to the Elastic Beanstalk environment. Re-deploy your web application using Elastic Beanstalk, and use the Elastic Beanstalk API to trigger a FailedDeployment API call to initiate a rollback to the previous version.
DevOps Engineer is working with an application deployed to 12 Amazon EC2 instances
across 3 Availability Zones. New instances can be started from an AMI image. On a typical day, each EC2 instance has 30% utilization during business hours and 10% utilization after business hours.
The CPU utilization has an immediate spike in the first few minutes of business hours. Other increases in CPU utilization rise gradually. The Engineer has been asked to reduce costs while retaining the same or higher reliability.
Which solution meets these requirements? Create two Amazon CloudWatch Events rules with schedules before and after business hours begin and end. Create two AWS Lambda functions, one invoked by each rule. The first function should stop nine instances after business hours end, the second function should restart the nine instances before the business day begins. Create an Amazon EC2 Auto Scaling group using the AMI image, with a scaling action based on the Auto Scaling group's CPU Utilization average with a target of 75%. Create a scheduled action for the group to adjust the minimum number of instances to three after business hours end and reset to six before business hours begin. Create two Amazon CloudWatch Events rules with schedules before and after business hours begin and end. Create an AWS CloudFormation stack, which creates an EC2 Auto Scaling group, with a parameter for the number of instances. Invoke the stack from each rule, passing a parameter value of three in the morning, and six in the evening. Create an EC2 Auto Scaling group using the AMI image, with a scaling action based on the Auto Scaling group's CPU Utilization average with a target of 75%. Create a scheduled action to terminate nine instances each evening after the close of business.
A DevOps Engineer is building a continuous deployment pipeline for a serverless application
using AWS CodePipeline and AWS CodeBuild. The source, build, and test stages have been created with the deploy stage remaining. The company wants to reduce the risk of an unsuccessful
deployment by deploying to a specified subset of customers and monitoring prior to a full release to
all customers. How should the deploy stage be configured to meet these requirements? Use AWS CloudFormation to publish a new version on every stack update. Then set up a
CodePipeline approval action for a Developer to test and approve the new version. Finally, use a CodePipeline invoke action to update an AWS Lambda function to use the production alias Use CodeBuild to use the AWS CLI to update the AWS Lambda function code, then publish a new version of the function and update the production alias to point to the new version of the function. Use AWS CloudFormation to define the serverless application and AWS CodeDeploy to deploy the AWS Lambda functions using DeploymentPreference: Canary10Percentl5Minutes. Use AWS CloudFormation to publish a new version on every stack update. Use the RoutingConfig property of the AWS : :Lambda: : Alias resource to update the traffic routing during the stack update.
You are using Elastic Beanstalk to manage your e-commerce store. The store is based on an
open source e- commerce platform and is deployed across multiple instances in an Auto Scaling
group. Your development team often creates new "extensions" for the e-commerce store.
These extensions include PHP source code as well as an SQL upgrade script used to make any
necessary updates to the database schema. You have noticed that some extension deployments fail due to an error when running the SQL upgrade script. After further investigation, you realize that this is because the SQL script is being executed on all of your Amazon EC2 instances. How would you ensure that the SQL script is only executed once per deployment regardless of how
many Amazon EC2 instances are running at the time? Use a "Container command" within an Elastic Beanstalk configuration file to execute the script, ensuring that the "leader only" flag is set to true. Make use of the Amazon EC2 metadata service to query whether the instance is marked as the leader" in the Auto Scaling group. Only execute the script if "true" is returned. Use a "Solo Command" within an Elastic Beanstalk configuration file to execute the script. The Elastic Beanstalk service will ensure that the command is only executed once. Update the Amazon RDS security group to only allow write access from a single instance in the Auto Scaling group; that way, only one instance will successfully execute the script on the database.
Which statement is true about configuring proxy support for Amazon Inspector agent on Linux- based systems? Amazon Inspector proxy support on Linux-based systems is achieved through installing proxyenabled version of the agent which comes with pre-configured files that you need to edit to match your environment. Amazon Inspector agent does NOT support the use of proxy on Linux-based systems. Amazon Inspector proxy configuration on Linux-based system is included in awsagent.env file under /etc/init.d/ Amazon Inspector agent proxy settings on Linux-based systems are configured through WinHTTP proxy.
A company needs to introduce automatic DNS failover for a distributed web application to a
disaster recovery or standby installation. The DevOps Engineer plans to configure Amazon Route
53 to provide DNS routing to alternate endpoint in the event of an application failure. What steps
should the Engineer take to accomplish this? (Select TWO.) Create Amazon Route 53 health checks for each endpoint that cannot be entered as alias records. Ensure firewall and routing rules allow Amazon Route 53 to send requests to the endpoints that are specified in the health checks. Create alias records that route traffic to AWS resources and set the value of the Evaluate Target Health option to Yes, then create all the non-alias records. Create a governing Amazon Route 53 record set, set it to failover, and associate it with the primary and secondary Amazon Route 53 record sets to distribute traffic to healthy DNS entries. Create an Amazon CloudWatch alarm to monitor the primary Amazon Route 53 DNS entry. Then create an associated AWS Lambda function to execute the failover API call to Route 53 to the secondary DNS entry.
You were just hired as a DevOps Engineer for a startup. Your startup uses AWS for 100% of
their infrastructure. They currently have no automation at all for deployment, and they have had
many failures while trying to deploy to production. The company has told you deployment process
risk mitigation is the most important thing now, and you have a lot of budget for tools and AWS
resources.
Their stack:
2-tier API
Data stored in DynamoDB or S3, depending on type
Compute layer is EC2 in Auto Scaling Groups
They use Route53 for DNS pointing to an ELB
An ELB balances load across the EC2 instances
The scaling group properly varies between 4 and 12 EC2 servers. Which of the following approaches,
given this company's stack and their priorities, best meets the company's needs? Model the stack in AWS Elastic Beanstalk as a single Application with multiple Environments. Use Elastic Beanstalk's Rolling Deploy option to progressively roll out application code changes when promoting across environments. Model the stack in 3 CloudFormation templates: Data layer, compute layer, and networking layer. Write stack deployment and integration testing automation following Blue-Green methodologies. Model the stack in AWS OpsWorks as a single Stack, with 1 compute layer and its associated ELB. Use Chef and App Deployments to automate Rolling Deployment. Model the stack in 1 CloudFormation template, to ensure consistency and dependency graph resolution. Write deployment and integration testing automation following Rolling Deployment methodologies.
Your CTO is very worried about the security of your AWS account. How best can you prevent hackers from completely hijacking your account? Use short but complex password on the root account and any administrators. Use AWS IAM Geo-Lock and disallow anyone from logging in except for in your city. Use MFA on all users and accounts, especially on the root account. Don't write down or remember the root account password after creating the AWS account.
What is web identity federation? Use of an identity provider like Google or Facebook to become an AWS IAM User. Use of an identity provider like Google or Facebook to exchange for temporary AWS security credentials. Use of AWS IAM User tokens to log in as a Google or Facebook user. Use of AWS STS Tokens to log in as a Google or Facebook user.
For Amazon Inspector's integration with CloudTrail, what information is logged for List* and
Describe* APIs? None. Amazon Inspector is an automated service and not monitored by CloudTrail. Both request and response information is logged. Only request information is logged . Request information is always logged. Response information is logged only for Completed
assessment runs.
Which tool will Ansible not use, even if available, to gather facts? facter lsb_release Ansible setup module ohai.
Your company wants to understand where cost is coming from in the company's production
AWS account. There are a number of applications and services running at any given time. Without
expending too much initial development time, how best can you give the business a good
understanding of which applications cost the most per month to operate? Create an automation script which periodically creates AWS Support tickets requesting detailed intra-month information about your bill. Use custom CloudWatch Metrics in your system, and put a metric data point whenever cost is incurred. Use AWS Cost Allocation Tagging for all resources which support it. Use the Cost Explorer to analyze costs throughout the month. Use the AWS Price API and constantly running resource inventory scripts to calculate total price based on multiplication of consumed resources over time.
You manage a three-tier web application consisting of an autoscaled web proxy tier, an
autoscaled application tier, and an Amazon RDS database tier.
You use a load balancer to distribute requests from end users to the web proxy tier and another,
internal load balancer to distribute requests between the web tier and the application tier.
After deploying a small database schema update, you notice that all of your web and application
instances have been terminated.
What may have caused this? Your load balancers use an HTTP health check, and the page relies on retrieving data from your
database. Your load balancer use TCP health checks to provide application-level health checks. The cooldown period of the Auto Scaling group is too short, so the instances don't have enough time to recover from an issue. Your Auto Scaling group health check type is set to "EC2" to check that the instances themselves are healthy.
Consider the portion of a CloudTrail log file below. Which type of event is being captured?
"eventTime":"2016-07-16T17:35:32Z",
"eventSource":"signin.amazonaws.com",
"eventName":"ConsoleLogin",
"awsRegion":"us-west-1",
"sourceIPAddress":"192.1.2.10", AWS console sign-in AWS log off AWS error AWS deployment.
You need your API backed by DynamoDB to stay online during a total regional AWS failure.
You can tolerate a couple minutes of lag or slowness during a large failure event, but the system
should recover with normal operation after those few minutes. What is a good approach? Set up DynamoDB cross-region replication in a master-standby configuration, with a single standby in another region. Create an Auto Scaling Group behind an ELB in each of the two regions DynamoDB is running in. Add a Route53 Latency DNS Record with DNS Failover, using the ELBs in the two regions as the resource records. Set up a DynamoDB Multi-Region table. Create an Auto Scaling Group behind an ELB in each of the two regions DynamoDB is running in. Add a Route53 Latency DNS Record with DNS Failover, using the ELBs in the two regions as the resource records. Set up a DynamoDB Multi-Region table. Create a cross-region ELB pointing to a cross-region Auto Scaling Group, and direct a Route53 Latency DNS Record with DNS Failover to the cross- region ELB. Set up DynamoDB cross-region replication in a master-standby configuration, with a single standby in another region. Create a cross-region ELB pointing to a cross-region Auto Scaling Group, and direct a Route53 Latency DNS Record with DNS Failover to the cross-region ELB.
You have been tasked with deploying a scalable distributed system using AWS OpsWorks.
Your distributed system is required to scale on demand. As it is distributed, each node must hold a
configuration file that includes the hostnames of the other instances within the layer.
How should you configure AWS OpsWorks to manage scaling this application dynamically? Create a Chef Recipe to update this configuration file, configure your AWS OpsWorks stack to use custom cookbooks, and assign this recipe to the Configure LifeCycle Event of the specific layer. Update this configuration file by writing a script to poll the AWS OpsWorks service API for new instances. Configure your base AMI to execute this script on Operating System startup. Create a Chef Recipe to update this configuration file, configure your AWS OpsWorks stack to use custom cookbooks, and assign this recipe to execute when instances are launched. Configure your AWS OpsWorks layer to use the AWS-provided recipe for distributed host
configuration, and configure the instance hostname and file path parameters in your recipes settings.
A company has several AWS accounts. The accounts are shared and used across multiple
teams globally, primarily for Amazon EC2 instances. Each EC2 instance has tags for team,
environment, and cost center to ensure accurate cost allocations. How should a DevOps Engineer help the teams audit their costs and automate infrastructure cost optimization across multiple shared environments and accounts? Set up a scheduled script on the EC2 instances to report utilization and store the instances in an Amazon DynamoDB table. Create a dashboard in Amazon QuickSight with DynamoDB as the source data to find underutilized instances. Set up triggers from Amazon QuickSight in AWS Lambda to reduce underutilized instances. Create a separate Amazon CloudWatch dashboard for EC2 instance tags based on cost center, environment, and team, and publish the instance tags out using unique links for each team. For each team, set up a CloudWatch Events rule with the CloudWatch dashboard as the source, and set up a trigger to initiate an AWS Lambda function to reduce underutilized instances. Create an Amazon CloudWatch Events rule with AWS Trusted Advisor as the source for low utilization EC2 instances. Trigger an AWS Lambda function that filters out reported data based on tags for each team, environment, and cost center, and store the Lambda function in Amazon S3. Set up a second trigger to initiate a Lambda function to reduce underutilized instances. Use AWS Systems Manager to track instance utilization and report underutilized instances to Amazon CloudWatch. Filter data in CloudWatch based on tags for team, environment, and cost center. Set up triggers from CloudWatch into AWS Lambda to reduce underutilized instances.
Your application uses CloudFormation to orchestrate your application's resources. During
your testing phase before the application went live, your Amazon RDS instance type was changed and caused the instance to be re-created, resulting In the loss of test data.
How should you prevent this from occurring in the future? Within the AWS CloudFormation parameter with which users can select the Amazon RDS instance type, set AllowedValues to only contain the current instance type. Use an AWS CloudFormation stack policy to deny updates to the instance. Only allow UpdateStack permission to IAM principals that are denied SetStackPolicy. In the AWS CloudFormation template, set the AWS::RDS::DBInstance's DBlnstanceClass property to be read-only. Subscribe to the AWS CloudFormation notification "BeforeResourceUpdate," and call
CancelStackUpdate if the resource identified is the Amazon RDS instance. In the AWS CloudFormation template, set the DeletionPolicy of the AWS::RDS::DBInstance's DeletionPolicy property to "Retain.".
Which of these is not a reason a Multi-AZ RDS instance will failover? An Availability Zone outage A manual failover of the DB instance was initiated using Reboot with failover To autoscale to a higher instance class The primary DB instance fails.
An application runs on Amazon EC2 instances behind an Application Load Balancer. Amazon
RDS MySOL is used on the backend. The instances run in an Auto Scaling group across multiple
Availability Zones. The Application Load Balancer health check ensures the web servers are operating and able to make read/write SQL connections. Amazon Route 53 provides DNS functionality with a record pointing to the Application Load Balancer. A new policy requires a geographically isolated disaster recovery site with an RTO of 4 hours and an RPO of 15 minutes.
Which disaster recovery strategy will require the LEAST amount of changes to the application stack?
Launch a replica stack of everything except RDS in a different Availability Zone. Create an RDS read- only replica in a new Availability Zone and configure the new stack to point to the local RDS instance. Add the new stack to the Route 53 record set with a failover routing policy. Launch a replica stack of everything except RDS in a different region. Create an RDS read-only replica in a new region and configure the new stack to point to the local RDS instance. Add the new stack to the Route 53 record set with a latency routing policy. Launch a replica stack of everything except RDS in a different region. Upon failure, copy the snapshot over from the primary region to the disaster recovery region. Adjust the Amazon Route 53 record set to point to the disaster recovery region's Application Load Balancer. Launch a replica stack of everything except RDS in a different region. Create an RDS read-only replica in a new region and configure the new stack to point to the local RDS instance. Add the new stack to the Amazon Route 53 record set with a failover routing policy.
A user is defining a policy for an IAM user. Which of the below mentioned options is a valid
version defined for the policy? "Version":"2014-01-01" "Version":"2011-10-17" "Version":"2013-10-17" "Version":"2012-10-17".
You are designing a system which needs, at minumum, 8 m4.large instances operating to
service traffic. When designing a system for high availability in the us-east-1 region, which has 6
Availability Zones, you company needs to be able to handle death of a full availability zone. How
should you distribute the servers, to save as much cost as possible, assuming all of the EC2 nodes are properly linked to an ELB?
Your VPC account can utilize us-east-1's AZ's a through f, inclusive. 3 servers in each of AZ's a through d, inclusive. 8 servers in each of AZ's a and b. 2 servers in each of AZ's a through e, inclusive. 4 servers in each of AZ's a through c, inclusive.
A DevOps Engineer must create a Linux AMI in an automated fashion. The newly created
AMI identification must be stored in a location where other build pipelines can access the new
identification programmatically What is the MOST cost-effective way to do this? Build a pipeline in AWS CodePipeline to download and save the latest operating system Open Virtualization Format (OVF) image to an Amazon S3 bucket, then customize the image using the guestfish utility. Use the virtual machine (VM) import command to convert the OVF to an AMI, and store the AMI identification output as an AWS Systems Manager parameter. Create an AWS Systems Manager automation document with values instructing how the image should be created. Then build a pipeline in AWS CodePipeline to execute the automation document to build the AMI when triggered. Store the AMI identification output as a Systems Manager parameter. Build a pipeline in AWS CodePipeline to take a snapshot of an Amazon EC2 instance running the latest version of the application. Then start a new EC2 instance from the snapshot and update the running instance using an AWS Lambda function. Take a snapshot of the updated instance, then convert it to an AMI. Store the AMI identification output in an Amazon DynamoDB table. Launch an Amazon EC2 instance and install Packer. Then configure a Packer build with values defining how the image should be created. Build a Jenkins pipeline to invoke the Packer build when triggered to build an AMI. Store the AMI identification output in an Amazon DynamoDB table.
You need to scale an RDS deployment. You are operating at 10% writes and 90% reads,
based on your logging. How best can you scale this in a simple way? Create a second master RDS instance and peer the RDS groups. Cache all the database responses on the read side with CloudFront. Create read replicas for RDS since the load is mostly reads. Create a Multi-AZ RDS installs and route read traffic to standby.
The operations team and the development team want a single place to view both operating system and application logs. How should you implement this using AWS services? Choose 2 answers Using AWS CloudFormation, create a CloudWatch Logs LogGroup and send the operating system and application logs of interest using the CloudWatch Logs Agent. Using AWS CloudFormation and configuration management, set up remote logging to send events via UDP packets to CloudTrail. Using configuration management, set up remote logging to send events to Amazon Kinesis and insert these into Amazon CloudSearch or Amazon Redshift, depending on available analytic tools. Using AWS CloudFormation, create a CloudWatch Logs LogGroup.
Because the Cloudwatch Log agent automatically sends all operating system logs, you only have to configure the application logs for sending off-machine. Using AWS CloudFormation, merge the application logs with the operating system logs, and use IAM Roles to allow both teams to have access to view console output from Amazon EC2.
You want to build an application that coordinates work across distributed components, and
you find Amazon Simple Workflow Service (Amazon SWF) does this easily. You have enabled logging in CloudTrail, but you are unsure about Amazon SWF actions supported. Which of the following actions is NOT supported? RegisterDomain RegisterWorkflowActivity RegisterActivityType RegisterWorkflowType.
You are building a game high score table in DynamoDB. You will store each user's highest
score for each game, with many games, all of which have relatively similar usage levels and numbers
of players. You need to be able to look up the highest score for any game. What's the best
DynamoDB key structure? HighestScore as the hash / only key. GameID as the hash key, HighestScore as the range key. GameID as the hash / only key. GameID as the range / only key.
Within an IAM policy, can you add an IfExists condition at the end of a Null condition? Yes, you can add an IfExists condition at the end of a Null condition but not in all Regions. Yes, you can add an IfExists condition at the end of a Null condition depending on the condition. No, you cannot add an IfExists condition at the end of a Null condition. Yes, you can add an IfExists condition at the end of a Null condition.
What is true of the way that encryption works with EBS? Snapshotting an encrypted volume makes an encrypted snapshot; restoring an encrypted
snapshot creates an encrypted volume when specified / requested. Snapshotting an encrypted volume makes an encrypted snapshot when specified / requested; restoring an encrypted snapshot creates an encrypted volume when specified / requested. Snapshotting an encrypted volume makes an encrypted snapshot; restoring an encrypted
snapshot always creates an encrypted volume. Snapshotting an encrypted volume makes an encrypted snapshot when specified / requested; restoring an encrypted snapshot always creates an encrypted volume.
What is a circular dependency in AWS CloudFormation? When a Template references an earlier version of itself. When Nested Stacks depend on each other. When Resources form a DependOn loop. When a Template references a region, which references the original Template.
Your serverless architecture using AWS API Gateway, AWS Lambda, and AWS DynamoDB
experienced a large increase in traffic to a sustained 400 requests per second, and dramatically
increased in failure rates. Your requests, during normal operation, last 500 milliseconds on average.
Your DynamoDB table did not exceed 50% of provisioned throughput, and Table primary keys are
designed correctly. What is the most likely issue? Your API Gateway deployment is throttling your requests. Your AWS API Gateway Deployment is bottlenecking on request (de)serialization. You did not request a limit increase on concurrent Lambda function executions. You used Consistent Read requests on DynamoDB and are experiencing semaphore lock.
You need to perform ad-hoc business analytics queries on well-structured data. Data comes
in constantly at a high velocity. Your business intelligence team can understand SQL. What AWS
service(s) should you look to first? Kinesis Firehose + RDS Kinesis Firehose + RedShift EMR using Hive EMR running Apache Spark.
Which deployment method, when using AWS Auto Scaling Groups and Auto Scaling Launch
Configurations, enables the shortest time to live for individual servers? Pre-baking AMIs with all code and configuration on deploys. Using a Dockerfile bootstrap on instance launch. Using UserData bootstrapping scripts. Using AWS EC2 Run Commands to dynamically SSH into fleets.
What is the purpose of a Docker swarm worker node? scheduling services service swarm node HTTP API endpoints executing containers maintaining cluster state.
A company has a hybrid architecture solution in which some legacy systems remain onpremises,
while a specific cluster of servers is moved to AWS. The company cannot reconfigure the
legacy systems, so the cluster nodes must have a fixed hostname and local IP address for each server that is part of the cluster. The DevOps Engineer must automate the configuration for a six-node cluster with high availability across three Availability Zones (AZs), placing two elastic network
interfaces in a specific subnet for each AZ. Each node's hostname and local IP address should remain the same between reboots or instance failures. Which solution involves the LEAST amount of effort to automate this task? Create an AWS Elastic Beanstalk application and a specific environment for each server of the cluster. For each environment, give the hostname, elastic network interface, and AZ as input parameters. Use the local health agent to name the instance and attach a specific elastic network interface based on the current environment. Create a reusable AWS CloudFormation template to manage an Amazon EC2 Auto Scaling group with a minimum size of 1 and a maximum size of 1. Give the hostname, elastic network interface, and AZ as stack parameters. Use those parameters to set up an EC2 instance with EC2 Auto Scaling and a user data script to attach to the specific elastic network interface. Use CloudFormation nested stacks to nest the template six times for a total of six nodes needed for the cluster, and deploy using the master template. Create an Amazon DynamoDB table with the list of hostnames subnets, and elastic network interfaces to be used. Create a single AWS CloudFormation template to manage an Auto Scaling group with a minimum size of 6 and a maximum size of 6. Create a programmatic solution that is installed in each instance that will lock/release the assignment of each hostname and local IP address, depending on the subnet in which a new instance will be launched. Create a reusable AWS CLI script to launch each instance individually, which will name the instance, place it in a specific AZ, and attach a specific elastic network interface. Monitor the instances and in the event of failure, replace the missing instance manually by running the script again.
You need to migrate 10 million records in one hour into DynamoDB. All records are 1.5KB in
size. The data is evenly distributed across the partition key. How many write capacity units should you provision during this batch load? 6667 4166 5556 2778.
You need to deploy an AWS stack in a repeatable manner across multiple environments.
You have selected CloudFormation as the right tool to accomplish this, but have found that there is a resource type you need to create and model, but is unsupported by CloudFormation. How should you overcome this challenge? Use a CloudFormation Custom Resource Template by selecting an API call to proxy for create, update, and delete actions. CloudFormation will use the AWS SDK, CLI, or API method of your choosing as the state transition function for the resource type you are modeling. Submit a ticket to the AWS Forums. AWS extends CloudFormation Resource Types by releasing tooling to the AWS Labs organization on GitHub. Their response time is usually 1 day, and they complete requests within a week or two. Instead of depending on CloudFormation, use Chef, Puppet, or Ansible to author Heat templates, which are declarative stack resource definitions that operate over the OpenStack hypervisor and cloud environment. Create a CloudFormation Custom Resource Type by implementing create, update, and delete functionality, either by subscribing a Custom Resource Provider to an SNS topic, or by implementing the logic in AWS Lambda.
A DevOps Engineer has been asked by the Security team to ensure that AWS CloudTrail files
are not tampered with after being created. Currently, there is a process with multiple trails, using
AWS IAM to restrict access to specific trails. The Security team wants to ensure they can trace the
integrity of each file and make sure there has been no tampering.
Which option will require the LEAST effort to implement and ensure the legitimacy of the file while
allowing the Security team to prove the authenticity of the logs? Create an Amazon CloudWatch Events rule that triggers an AWS Lambda function when a new file is delivered. Configure the Lambda function to perform an MD5 hash check on the file, store the name and location of the file, and post the returned hash to an Amazon DynamoDB table. The Security team can use the values stored in DynamoDB to verify the file authenticity. Enable the CloudTrail file integrity feature on an Amazon S3 bucket. Create an IAM policy that grants the Security team access to the file integrity logs stored in the S3 bucket. Enable the CloudTrail file integrity feature on the trail. Use the digest file created by CloudTrail to verify the integrity of the delivered CloudTrail files. Create an AWS Lambda function that is triggered each time a new file is delivered to the
CloudTrail bucket. Configure the Lambda function to execute an MD5 hash check on the file, and store the result on a tag in an Amazon S3 object. The Security team can use the information on the tag to verify the integrity of the file.
What is the correct syntax for the AWS command to create a single region trail? aws create-trail --name trailname --s3-object objectname aws cloudtrail --s3-regionname IPaddress create-trail --name trailname aws cloudtrail create-trail --name trailname --s3-bucket-name bucketname aws cloudtrail create-trail --name trailname --s3-portnumber IPaddress.
You are building a Ruby on Rails application for internal, non-production use which uses
MySQL as a database. You want developers without very much AWS experience to be able to deploy
new code with a single command line push. You also want to set this up as simply as possible.
Which tool is ideal for this setup? AWS CloudFormation AWS OpsWorks AWS ELB + EC2 with CLI Push AWS Elastic Beanstalk.
For AWS Auto Scaling, what is the first transition state an instance enters after leaving steady state when scaling in due to health check failure or decreased load? Terminating Detaching Terminating:Wait EnteringStandby.
You are designing a service that aggregates clickstream data in batch and delivers reports to
subscribers via email only once per week. Data is extremely spikey, geographically distributed, highscale, and unpredictable. How should you design this system? Use a large RedShift cluster to perform the analysis, and a fleet of Lambdas to perform record inserts into the RedShift tables. Lambda will scale rapidly enough for the traffic spikes. Use a CloudFront distribution with access log delivery to S3. Clicks should be recorded as
querystring GETs to the distribution. Reports are built and sent by periodically running EMR jobs over the access logs in S3. Use API Gateway invoking Lambdas which PutRecords into Kinesis, and EMR running Spark performing GetRecords on Kinesis to scale with spikes. Spark on EMR outputs the analysis to S3, which are sent out via email. Use AWS Elasticsearch service and EC2 Auto Scaling groups. The Autoscaling groups scale based on click throughput and stream into the Elasticsearch domain, which is also scalable. Use Kibana to generate reports periodically.
You need to grant a vendor access to your AWS account. They need to be able to read
protected messages in a private S3 bucket at their leisure. They also use AWS. What is the best way
to accomplish this? Create an IAM User with API Access Keys. Grant the User permissions to access the bucket. Give the vendor the AWS Access Key ID and AWS Secret Access Key for the User. Create an EC2 Instance Profile on your account. Grant the associated IAM role full access to the bucket. Start an EC2 instance with this Profile and give SSH access to the instance to the vendor. Create an EC2 Instance Profile on your account. Grant the associated IAM role full access to the bucket. Start an EC2 instance with this Profile and give SSH access to the instance to the vendor. Generate a signed S3 PUT URL and a signed S3 PUT URL, both with wildcard values and 2 year durations. Pass the URLs to the vendor.
Your current log analysis application takes more than four hours to generate a report of the
top 10 users of your web application. You have been asked to implement a system that can report this information in real time, ensure that the report is always up to date, and handle increases in the number of requests to your web application. Choose the option that is cost-effective and can fulfill the requirements. Publish your data to CloudWatch Logs, and configure your application to autoscale to handle the load on demand. Publish your log data to an Amazon S3 bucket. Use AWS CloudFormation to create an Auto Scaling group to scale your post-processing application which is configured to pull down your log files stored an Amazon S3. Post your log data to an Amazon Kinesis data stream, and subscribe your log-processing
application so that is configured to process your logging data. Configure an Auto Scaling group to increase the size of your Amazon EMR duster. Create a multi-AZ Amazon RDS MySQL cluster, post the logging data to MySQL, and run a map reduce job to retrieve the required information on user counts.
A DevOps Engineer is asked to implement a strategy for deploying updates to a web
application with zero downtime. The application infrastructure is defined in AWS CloudFormation
and is made up of an Amazon Route 53 record, an Application Load Balancer, Amazon EC2 instances in an EC2 Auto Scaling group, and Amazon DynamoDB tables. To avoid downtime, there must be an active instance serving the application at all times.
Which strategies will ensure the deployment happens with zero downtime? (Select TWO.) In the CloudFormation template, modify the AWS::AutoScaling::AutoscalingGroup resource and add an UpdatePolicy attribute to define the required elements for a deployment with zero downtime. In the CloudFormation template, modify the AWS:: AutoScaling::DeploymentUpdates resource and add an UpdatePolicy attribute to define the required elements for a deployment with zero downtime. Add a new Application Load Balancer and Auto Scaling group to the CloudFormation template. Deploy new changes to the inactive Auto Scaling group. Use Route 53 to change the active Application Load Balancer. Add a new Application Load Balancer and Auto Scaling group to the CloudFormation template. Modify the AWS::AutoScaling::AutoScalingGroup resource and add an UpdatePolicy attribute to perform rolling updates. In the CloudFormation template, modify the UpgradePolicy attribute for the CloudFormation stack and specify the Auto Scaling group that will be updated Configure MinSuccessfulInstancesPercent and PauseTime to ensure the deployment happens with zero downtime.
Your company has developed a web application and is hosting it in an Amazon S3 bucket
configured for static website hosting. The application is using the AWS SDK for JavaScript in the browser to access data stored in an Amazon DynamoDB table.
How can you ensure that API keys for access to your data in DynamoDB are kept secure? Create an Amazon S3 role in IAM with access to the specific DynamoDB tables, and assign it to the bucket hosting your website. Configure S3 bucket tags with your AWS access keys for your bucket hosing your website so that the application can query them for access. Configure a web identity federation role within IAM to enable access to the correct DynamoDB resources and retrieve temporary credentials. Store AWS keys in global variables within your application and configure the application to use these credentials when making requests.
A social networking service runs a web API that allows its partners to search public posts.
Post data is stored in Amazon DynamoDB and indexed by AWS Lambda functions, with an Amazon ES domain storing the indexes and providing search functionality to the application. The service needs to maintain full capacity during deployments and ensure that failed deployments do not cause
downtime or reduced capacity, or prevent subsequent deployments.
How can these requirements be met? (Select TWO ) Run the web application in AWS Elastic Beanstalk with the deployment policy set to All at Once. Deploy the Lambda functions, DynamoDB tables, and Amazon ES domain with an AWS CloudFormation template. Deploy the web application, Lambda functions, DynamoDB tables, and Amazon ES domain in an AWS CloudFormation template. Deploy changes with an AWS CodeDeploy in-place deployment. Run the web application in AWS Elastic Beanstalk with the deployment policy set to Immutable Deploy the Lambda functions, DynamoDB tables, and Amazon ES domain with an AWS CloudFormation template. Deploy the web application, Lambda functions, DynamoDB tables, and Amazon ES domain in an AWS CloudFormation template. Deploy changes with an AWS CodeDeploy blue/green deployment. Run the web.application in AWS Elastic Beanstalk with the deployment policy set to Rolling Deploy the Lambda functions, DynamoDB tables, and Amazon ES domain with an AWS CloudFormation template.
Your company operates an application consisting of an AWS CloudFormation stack that
contains a load balancer, an Auto Scaling group of web servers, and an Amazon RDS instance.
To save time and costs, you update the current test stack when testing minor changes, and create a
new stack for major changes. As part of the testing procedure of your application, each version needs to be registered once and only once with a Configuration Management Database (CMDB).
What cost-effective solution should you choose to perform this registration? Use Auto Scaling Leader Node functionality to notify the registration application from the
UserData script of a single Instance. Use the AWS CloudFormation cfn-hup helper application to receive template updates on the leader node, which then notifies the CMDB. Define an AWS: :CloudFormation::CustomResource in the AWS CloudFormation template, with the application version as one of its properties. Modify the CMDB to subscribe to the resource's creation and update notifications. Define an AWS::CloudFormation::HttpRequest in the AWS CloudFormation template, and
configure it to notify the CMDB on stack creation and update. Define an AWS::EC2::Instance resource in the AWS CloudFormation template that is configured to run a UserData script to notify the CMDB and then terminate itself on completion.
What does it mean if you have zero IOPS and a non-empty I/O queue for all EBS volumes
attached to a running EC2 instance? The I/O queue is buffer flushing. Your EBS disk head(s) is/are seeking magnetic stripes. The EBS volume is unavailable. You need to re-mount the EBS volume in the OS.
What is the default maximum number of Roles per AWS account? 500 250 100 There is no limit.
When using Amazon SQS how much data can you store in a message? 8 KB 2 KB 16 KB 4 KB.
If a variable is assigned in the `vars' section of a playbook, where is the proper place to override that variable? Inventory group var playbook host_vars role defaults extra vars.
You run a SIP-based telephony application that uses Amazon EC2 for its web tier and uses
MySQL on Amazon RDS as its database. The application stores only the authentication profile data for its existing users in the database and therefore is read-intensive. Your monitoring system shows that your web instances and the database have high CPU utilization. Which of the following steps should you take in order to ensure the continual availability of your application? Choose 2 answers Use a CloudFront RTMP download distribution with the application tier as the origin for the distribution. Set up an Auto Scaling group for the application tier and a policy that scales based on the Amazon EC2 CloudWatch CPU utilization metric. Vertically scale up the Amazon EC2 instances manually. Set up an Auto Scaling group for the application tier and a policy that scales based on the Amazon RDS CloudWatch CPU utilization metric. Switch to General Purpose (SSD) Storage from Provisioned IOPS Storage (PIOPS) for the Amazon RDS database. Use multiple Amazon RDS read replicas.
Your company develops a variety of web applications using many platforms and programming languages with different application dependencies. Each application must be developed and deployed quickly and be highly evadable to satisfy your
business requirements. Which of the following methods should you use to deploy these applications rapidly? Develop the applications in Docker containers, and then deploy them to Elastic Beanstalk environments with Auto Scaling and Elastic Load Balancing. Use the AWS CloudFormation Docker import service to build and deploy the applications with high availability in multiple Availability Zones. Develop each application's code in DynamoDB, and then use hooks to deploy it to Elastic Beanstalk environments with Auto Scaling and Elastic Load Balancing. Store each application's code in a Git repository, develop custom package repository managers for each application's dependencies, and deploy to AWS OpsWorks in multiple Availability Zones.
Which statement is true about configuring proxy support for Amazon Inspector agent on a Windows-based system? Amazon Inspector agent supports proxy usage on Windows-based systems through the use of the WinHTTP proxy. Amazon Inspector agent supports proxy usage on Linux-based systems but not on Windows. Amazon Inspector proxy support on Windows-based systems is achieved through installing proxy enabled version of the agent which comes with preconfigured files that you need to edit to match your environment. Amazon Inspector agent supports proxy usage on Windows-based systems through awsagent.env configuration file.
After conducting a disaster recovery exercise, an Enterprise Architect discovers that a large team of Database and Storage Administrators need more then seven hours of manual effort to make a flagship application's database functional in a different AWS Region. The Architect also discovers that the recovered database is often missing as much as two hours of data transactions. Which solution provides improved RTO and RPO in a cross-region failover scenario? Deploy an Amazon RDS Multi-AZ instance backed by a multi-region Amazon EFS. Configure the RDS option group to enable multi-region availability for native automation of cross-region recovery and continuous data replication. Create an Amazon SNS topic subscribed to RDS-impacted events to send emails to the Database Administration team when significant query Latency is detected in a single Availability Zone. Use Amazon SNS topics to receive published messages from Amazon RDS availability and backup events. Use AWS Lambda for three separate functions with calls to Amazon RDS to snapshot a database instance, create a cross-region snapshot copy, and restore an instance from a snapshot. Use a scheduled Amazon CloudWatch Events rule at a frequency matching the RPO to trigger the Lambda function to snapshot a database instance. Trigger the Lambda function to create a cross-region snapshot copy when the SNS topic for backup events receives a new message. Configure the Lambda function to restore an instance from a snapshot to trigger sending new messages published to the availability SNS topic. Create a scheduled Amazon CloudWatch Events rule to make a call to Amazon RDS to create a snapshot from a database instance and specify a frequency to match the RPO. Create an AWS Step Functions task to call Amazon RDS to perform a cross-region snapshot copy into the failover region, and configure the state machine to execute the task when the RDS snapshot create state is complete. Create an SNS topic subscribed to RDS availability events, and push these messages to an Amazon SQS queue located in the failover region. Configure an Auto Scaling group of worker nodes to poll the queue for new messages and make a call to Amazon RDS to restore a database from a snapshot after a checksum on the cross-region copied snapshot returns valid. Use Amazon RDS scheduled instance lifecycle events to create a snapshot and specify a frequency to match the RPO. Use Amazon RDS scheduled instance lifecycle event configuration to perform a cross- region snapshot copy into the failover region upon SnapshotCreateComplete events. Configure Amazon CloudWatch to alert when the CloudWatch RDS namespace CPUUtilization metric for the database instance falls to 0% and make a call to Amazon RDS to restore the database snapshot in the failover region.
A company is using an AWS CloudFormation template to deploy web applications. The template requires that manual changes be made for each of the three major environments: production, staging, and development. The current sprint includes the new implementation and configuration of AWS CodePipeline for automated deployments. What changes should the DevOps Engineer make to ensure that the CloudFormation template is reusable across multiple pipelines? Use a CloudFormation custom resource to query the status of the CodePipeline to determine which environment is launched. Dynamically alter the launch configuration of the Amazon EC2 instances. Set up a CodePipeline pipeline for each environment to use input parameters. Use CloudFormation mappings to switch associated UserData for the Amazon EC2 instances to match the environment being launched. Set up a CodePipeline pipeline that has multiple stages, one for each development environment. Use AWS Lambda functions to trigger CloudFormation deployments to dynamically alter the UserData of the Amazon EC2 instances launched in each environment. Use CloudFormation input parameters to dynamically alter the LaunchConfiguration and UserData sections of each Amazon EC2 instance every time the CloudFormation stack is updated.
You are doing a load testing exercise on your application hosted on AWS. While testing your Amazon RDS MySQL DB instance, you notice that when you hit 100% CPU utilization on it, your application becomes non- responsive. Your application is read-heavy. What are methods to scale your data tier to meet the application's needs? Choose 3 answers Add Amazon RDS DB read replicas, and have your application direct read queries to them. Add your Amazon RDS DB instance to an Auto Scaling group and configure your CloudWatch metric based on CPU utilization. Use an Amazon SQS queue to throttle data going to the Amazon RDS DB instance. Use ElastiCache in front of your Amazon RDS DB to cache common queries. Shard your data set among multiple Amazon RDS DB instances. Enable Multi-AZ for your Amazon RDS DB instance.
You are administering a continuous integration application that polls version control for changes and then launches new Amazon EC2 instances for a full suite of build tests. What should you do to ensure the lowest overall cost while being able to run as many tests in parallel as possible? Perform syntax checking on the continuous integration system before launching a new Amazon EC2 instance for build test, unit and integration tests. Perform syntax and build tests on the continuous integration system before launching the new Amazon EC2 instance unit and integration tests. Perform all tests on the continuous integration system, using AWS OpsWorks for unit, integration, and build tests. Perform syntax checking on the continuous integration system before launching a new AWS Data Pipeline for coordinating the output of unit, integration, and build tests.
A healthcare provider has a hybrid architecture that includes 120 on-premises VMware servers running RedHat and 50 Amazon EC2 instances running Amazon Linux. The company is in the middle of an all-in migration to AWS and wants to implement a solution for collecting information from the on-premises virtual machines and the EC2 instances for data analysis. The information includes:
- Operating system type and version
- Data for installed applications
- Network configuration information, such as MAC and IP addresses
- Amazon EC2 instance AMI ID and IAM profile
How can these requirements be met with the LEAST amount of administration? Write a shell script to run as a cron job on EC2 instances to collect and push the data to Amazon S3. For on-premises resources, use VMware vSphere to collect the data and write it into a file gateway for storing the data in S3. Finally, use Amazon Athena on the S3 bucket tor analytics. Use a script on the on-premises virtual machines as well as the EC2 instances to gather and push the data into Amazon S3, and then use Amazon Athena for analytics. Install AWS Systems Manager agents on both the on-premises virtual machines and the EC2 instances. Enable inventory collection and configure resource data sync to an Amazon S3 bucket to analyze the data with Amazon Athena. Use AWS Application Discovery Service for deploying Agentless Discovery Connector in the VMware environment and Discovery Agents on the EC2 instances for collecting the data. Then use the AWS Migration Hub Dashboard for analytics.
A DevOps Engineer is responsible for the deployment of a PHP application. The Engineer is working in a hybrid deployment, with the application running on both on-premises servers and Amazon EC2 instances. The application needs access to a database containing highly confidential information. Application instances need access to database credentials, which must be encrypted at
rest and in transit before reaching the instances. How should the Engineer automate the deployment process while also meeting the security requirements? Use AWS Elastic Beanstalk with a PHP platform configuration to deploy application packages to the instances. Store database credentials on AWS Systems Manager Parameter Store using the Secure String data type. Define an IAM role for Amazon EC2 allowing access, and decrypt only the database credentials. Associate this role to all the instances. Use AWS CodeDeploy to deploy application packages to the instances. Store database credentials on AWS Systems Manager Parameter Store using the Secure String data type. Define an IAM policy for allowing access, and decrypt only the database credentials. Attach the IAM policy to the role associated to the instance profile for CodeDeploy-managed instances, and to the role used for onpremises instances registration on CodeDeploy. Use AWS CodeDeploy to deploy application packages to the instances. Store database credentials on AWS Systems Manager Parameter Store using the Secure String data type. Define an IAM role with an attached policy that allows decryption of the database credentials. Associate this role to all the instances and on-premises servers. Use AWS CodeDeploy to deploy application packages to the instances. Store database credentials in the AppSpec file. Define an IAM policy for allowing access to only the database credentials. Attach the IAM policy to the role associated to the instance profile for CodeDeploy- managed instances and the role used for on-premises instances registration on CodeDeploy.
Amazon Inspector agent collects telemetry data during assessment run and sends this data to Amazon Inspector dedicated S3 bucket for analysis. How can you access telemetry data out of Amazon Inspector and how can you benefit from this data in securing your resources? Telemetry data is kept in S3 and encrypted with a pre-assessment test key configured in KMS, as long as you have access to that key you can download and decrypt telemetry data. Telemetry data is stored in Amazon Inspector dedicated S3 bucket that does NOT belong to your account, Amazon Inspector currently does NOT provide an API or an S3 bucket access mechanism to collected telemetry. Data is retained temporarily only to allow for assistance with support requests. Telemetry data is saved on S3 bucket in your account, therefore telemetry data is accessible with proper permissions on that bucket. Telemetry data is deleted immediately after assessment run, therefore data can NOT be accessed or analyzed by any other tools.
What is the maximum supported single-volume throughput on EBS? 320MiB/s 160MiB/s 40MiB/s 640MiB/s.
A company wants to implement a Cl/CD pipeline for an application that is deployed on AWS. The company also has a source-code analysis tool hosted on premises that checks for security flaws. The tool has not yet been migrated to AWS and can be accessed only on premises. The company wants to run checks against the source code as part of the pipeline before the code is compiled. The checks take anywhere from minutes to an hour to complete. How can a DevOps Engineer meet these requirements'? Use AWS CodePipeline to create a pipeline. Add an action to the pipeline to invoke an AWS Lambda function after the source stage. Have the Lambda function invoke the source-code analysis tool on premises against the source input from CodePipeline. The function then waits for the execution to complete and places the output in a specified Amazon S3 location. Use AWS CodePipeline to create a pipeline, then create a custom action type. Create a job worker for the custom action that runs on hardware hosted on premises. The job worker handles running security checks with the on-premises code analysis tool and then returns the job results to CodePipeline. Have the pipeline invoke the custom action after the source stage. Use AWS CodePipeline to create a pipeline. Add a step after the source stage to make an HTTPS request to the on-premises hosted web service that invokes a test with the source code analysis tool. When the analysis is complete, the web service sends the results back by putting the results in an Amazon S3 output location provided by CodePipeline. Use AWS CodePipeline to create a pipeline. Create a shell script that copies the input source code
to a location on premises. Invoke the source code analysis tool and return the results to
CodePipeline.
What is required to achieve gigabit network throughput on EC2?
You already selected cluster-compute, 10GB instances with enhanced networking, and your workload
is already network-bound, but you are not seeing 10 gigabit speeds. Enable biplex networking on your servers, so packets are non-blocking in both directions and there's no switching overhead. Ensure the instances are in different VPCs so you don't saturate the Internet Gateway on any one VPC. Select PIOPS for your drives and mount several, so you can provision sufficient disk throughput. Use a placement group for your instances so the instances are physically near each other in the same Availability Zone.
Fill the blanks: __________ helps us track AWS API calls and transitions, _________ helps to
understand what resources we have now, and ________ allows auditing credentials and logins. AWS Config, CloudTrail, IAM Credential Reports CloudTrail, IAM Credential Reports, AWS Config CloudTrail, AWS Config, IAM Credential Reports AWS Config, IAM Credential Reports, CloudTrail
IT Certification Guaranteed, The Easy Way!
71.
What is the scope of AWS IAM? Global Availability Zone Region Placement Group.
A DevOps Engineer must track the health of a stateless RESTful service sitting behind a
Classic Load Balancer. The deployment of new application revisions is through a Cl/CD pipeline. If the service's latency increases beyond a defined threshold, deployment should be stopped until the
service has recovered. Which of the following methods allow for the QUICKEST detection time? Use Amazon CloudWatch metrics provided by Elastic Load Balancing to calculate average latency. Alarm and stop deployment when latency increases beyond the defined threshold. Use AWS Lambda and Elastic Load Balancing access logs to detect average latency. Alarm and stop deployment when latency increases beyond the defined threshold. Use AWS CodeDeploy's MinimumHealthyHosts setting to define thresholds for rolling back
deployments. If these thresholds are breached, roll back the deployment. Use Metric Filters to parse application logs in Amazon CloudWatch Logs. Create a filter for latency. Alarm and stop deployment when latency increases beyond the defined threshold.
You have an application running on an Amazon EC2 instance and you are using IAM roles to
securely access AWS Service APIs. How can you configure your application running on that instance to retrieve the API keys for use with the AWS SDKs? When assigning an EC2 IAM role to your instance in the console, in the "Chosen SDK" drop- down list, select the SDK that you are using, and the instance will configure the correct SDK on launch with the API keys. Within your application code, make a GET request to the IAM Service API to retrieve credentials for your user. When using AWS SDKs and Amazon EC2 roles, you do not have to explicitly retrieve API keys, because the SDK handles retrieving them from the Amazon EC2 MetaData service. Within your application code, configure the AWS SDK to get the API keys from environment
variables, because assigning an Amazon EC2 role stores keys in environment variables on launch.
You are responsible for your company's large multi-tiered Windows-based web application
running on Amazon EC2 instances situated behind a load balancer. While reviewing metrics, you've started noticing an upwards trend for slow customer page load time. Your manager has asked you to come up with a solution to ensure that customer load time is not affected by too many requests per second.
Which technique would you use to solve this issue? Re-deploy your infrastructure using an AWS CloudFormation template. Configure Elastic Load Balancing health checks to initiate a new AWS CloudFormation stack when health checks return failed. Re-deploy your infrastructure using an AWS CloudFormation template. Spin up a second AWS CloudFormation stack. Configure Elastic Load Balancing SpillOver functionality to spill over any slow connections to the second AWS CloudFormation stack. Re-deploy your infrastructure using AWS CloudFormation, Elastic Beanstalk, and Auto Scaling. Set up your Auto Scaling group policies to scale based on the number of requests per second as well as the current customer load time. Re-deploy your application using an Auto Scaling template. Configure the Auto Scaling template to spin up a new Elastic Beanstalk application when the customer load time surpasses your threshold.
A user is defining a policy for the IAM user. Which of the below mentioned elements can be found in an IAM policy? Not Effect Supported Data Types Principal Resource Version Management.
Your company operates a website for promoters to sell tickets for entertainment events. You are using a load balancer in front of an Auto Scaling group of web servers. Promotion of popular
events can cause surges of website visitors. During scaling-out at these times, newly launched instances are unable to complete configuration
quickly enough, leading to user disappointment. What options should you choose to improve scaling yet minimize costs? Choose 2 answers. Create an AMI with the application pre-configured.
Create a new Auto Scaling launch configuration using this new AMI, and configure the Auto Scaling group to launch with this AMI. Use Auto Scaling pre-warming to launch instances before they are required.
Configure pre-warming to use the CPU trend CloudWatch metric for the group. Publish a custom CloudWatch memo from your application on the number of tickets sold, and create an Auto Scaling policy based on this. Use the history of past scaling events for similar event sales to predict future scaling requirements. Use the Auto Scaling scheduled scaling feature to vary the size of the fleet. Configure an Amazon S3 bucket for website hosting. Upload into the bucket an HTML holding page with its x-amz-website-redirect-location' metadata property set to the load balancer endpoint. Configure Elastic Load Balancing to redirect to the holding page when the load on web servers is above a certain level.
You run accounting software in the AWS cloud. This software needs to be online
during the day every day of the week, and has a very static requirement for compute
resources. You also have other, unrelated batch jobs that need to run once per day at any time of your choosing. How should you minimize cost? Purchase a Heavy Utilization Reserved Instance to run the accounting software. Turn it off after hours. Run the batch jobs with the same instance class, so the Reserved Instance credits are also applied to the batch jobs. Purchase a Medium Utilization Reserved Instance to run the accounting software. Turn it off after hours. Run the batch jobs with the same instance class, so the Reserved Instance credits are also applied to the batch jobs. Purchase a Light Utilization Reserved Instance to run the accounting software. Turn it off after hours. Purchase a Full Utilization Reserved Instance to run the accounting software. Turn it off after hours. Run the batch jobs with the same instance class, so the Reserved Instance credits are also applied to the batch jobs.
What is the only layer in a Docker image that is not read-only? they are all read-only none are read-only the first layer the last layer.
From a compliance and security perspective, which of these statements is true? You do not ever need to rotate access keys for AWS IAM Users. You do not ever need to rotate access keys for AWS IAM Roles, nor AWS IAM Users. None of the other statements are true. You do not ever need to rotate access keys for AWS IAM Roles.
What are the default memory limit policies for a Docker container? Limited memory, limited kernel memory Unlimited memory, limited kernel memory Limited memory, unlimited kernel memory Unlimited memory, unlimited kernel memory.
What is AWS CloudTrail Processing Library? A static library with CloudTrail log files in a movable format machine code that is directly
executable An object library with CloudTrail log files in a movable format machine code that is usually not directly executable A Java library that makes it easy to build an application that reads and processes CloudTrail log A PHP library that renders various generic containers needed for CloudTrail log files.
You want to securely distribute credentials for your Amazon RDS instance to your fleet of
web server instances.The credentials are stored in a file that is controlled by a configuration management system. How do you securely deploy the credentials in an automated manner across the fleet of web server instances, which can number in the hundreds, while retaining the ability to roll back if needed? Store your credential files in an Amazon S3 bucket. Use Amazon S3 server-side encryption on the credential files. Have a scheduled job that pulls down the credential files into the instances every 10 minutes. Store the credential files in your version-controlled repository with the rest of your code.
Have a post-commit action in version control that kicks off a job in your continuous integration system which securely copses the new credential files to all web server instances. Insert credential files into user data and use an instance lifecycle policy to periodically refresh the file from the user data. Keep credential files as a binary blob in an Amazon RDS MySQL DB instance, and have a script on each Amazon EC2 instance that pulls the files down from the RDS instance. Store the credential files in your version-controlled repository with the rest of your code.
Use a parallel file copy program to send the credential files from your local machine to the Amazon EC2 instances.
A user is creating a new EBS volume from an existing snapshot. The snapshot size shows 10 GB. Can the user create a volume of 30 GB from that snapshot? Provided the original volume has set the change size attribute to true Yes Provided the snapshot has the modify size attribute set as true No.
You have an application running on Amazon EC2 in an Auto Scaling group. Instances are
being bootstrapped dynamically, and the bootstrapping takes over 15 minutes to complete.
You find that instances are reported by Auto Scaling as being In Service before bootstrapping has
completed. You are receiving application alarms related to new instances before they have completed bootstrapping, which is causing confusion. You find the cause: your application monitoring tool is polling the Auto Scaling Service API for instances that are In Service, and creating alarms for new previously unknown instances.
Which of the following will ensure that new instances are not added to your application monitoring
tool before bootstrapping is completed? Create an Auto Scaling group lifecycle hook to hold the instance in a pending: wait state until your bootstrapping is complete. Once bootstrapping is complete, notify Auto Scaling to complete the lifecycle hook and move the instance into a pending: complete state. Use the default Amazon CloudWatch application metrics to monitor your application's health. Configure an Amazon SNS topic to send these CloudWatch alarms to the correct recipients. Tag all instances on launch to identify that they are in a pending state.
Change your application monitoring tool to look for this tag before adding new instances, and the use the Amazon API to set the instance state to 'pending' until bootstrapping is complete. Increase the desired number of instances in your Auto Scaling group configuration to reduce the time it takes to bootstrap future instances.
A DevOps Engineer administers an application that manages video files for a video production company. The application runs on Amazon EC2 instances behind an ELB Application Load Balancer. The instances run in an Auto Scaling group across multiple Availability Zones. Data is stored in an Amazon RDS PostgreSOL Multi-AZ DB instance, and the video ides are stored in an Amazon S3 bucket. On a typical day 50 GB of new video are added to the S3 bucket. The Engineer must implement a multi-region disaster recovery plan with the least data loss and the lowest recovery times. The current application infrastructure is already described using AWS CloudFormation.
Which deployment option should the Engineer choose to meet the uptime and recovery objectives
for the system? Launch the application from the CloudFormation template in the second region, which sets the capacity of the Auto Scaling group to 1. Create an Amazon RDS read replica in the second region. In the second region, enable cross-region replication between the original S3 bucket and a new S3 bucket. To fail over, promote the read replica as master. Update the CloudFormation stack and increase the capacity of the Auto Scaling group. Launch the application from the CloudFormation template in the second region, witch sets the capacity of the Auto Scaling group to 1. Create a scheduled task to take daily Amazon RDS crossregion snapshots to the second region. In the second region, enable cross-region replication between the original S3 bucket and Amazon Glacier. In a disaster, launch a new application stack in the second region and restore the database from the most recent snapshot. Launch the application from the CloudFormation template in the second region which sets the capacity of the Auto Scaling group to 1. Use Amazon CloudWatch Events to schedule a nightly task to take a snapshot of the database, copy the snapshot to the second region, and replace the DB instance in the second region from the snapshot. In the second region, enable cross-region replication between the original S3 bucket and a new S3 bucket. To fail over, increase the capacity of the Auto Scaling group. Use Amazon CloudWatch Events to schedule a nightly task to take a snapshot of the database and copy the snapshot to the second region. Create an AWS Lambda function that copies each object to a new S3 bucket in the second region in response to S3 event notifications. In the second region, launch the application from the CloudFormation template and restore the database from the most recent snapshot.
Which of these is not a CloudFormation Helper Script? cfn-signal cfn-hup cfn-request cfn-get-metadata.
A company is implementing AWS CodePipeline to automate its testing process. The
company wants to be notified when the execution state fails and used the following custom event
pattern in Amazon CloudWatch:
Which type of events will match this event pattern? Failed deploy and build actions across all the pipelines. All rejected or failed approval actions across all the pipelines. All the events across all pipelines. Approval actions across all the pipelines.
You need to run a very large batch data processing job one time per day. The source data
exists entirely in S3, and the output of the processing job should also be written to S3 when finished.
If you need to version control this processing job and all setup and teardown logic for the system,
what approach should you use? Model an AWS EMR job in AWS Elastic Beanstalk. Model an AWS EMR job in AWS CloudFormation. Model an AWS EMR job in AWS OpsWorks. Model an AWS EMR job in AWS CLI Composer.
You are building out a layer in a software stack on AWS that needs to be able to scale out to
react to increased demand as fast as possible. You are running the code on EC2 instances in an Auto
Scaling Group behind an ELB. Which application code deployment method should you use? SSH into new instances that come online, and deploy new code onto the system by pulling it from an S3 bucket, which is populated by code that you refresh from source control on new pushes. Bake an AMI when deploying new versions of code, and use that AMI for the Auto Scaling Launch Configuration. Create a Dockerfile when preparing to deploy a new version to production and publish it to S3. Use UserData in the Auto Scaling Launch configuration to pull down the Dockerfile from S3 and run it when new instances launch. Create a new Auto Scaling Launch Configuration with UserData scripts configured to pull the latest code at all times.
You are in charge of a large-scale highly available multi-tier web application infrastructure.
This architecture consists of Amazon Route53 with a load balancer and multiple Amazon EC2
instances. You have been tasked to come up with a process to provide Blue/Green style deployments.
Which technique should you use to deliver this new requirement? Using Elastic Beanstalk re-deploy your application and configure Elastic Beanstalk Deployment types, and then use Amazon Route53's alias resource record set to swap between Elastic Beanstalk deployment types. Re-deploy your application behind a load balancer using an AWS CloudFormation template, launch a new AWS CloudFormation stack during each deployment, update your Amazon Route53 alias resource record set to point to the new load balancer, and finally, terminate your old AWS CloudFormation stack. Re-deploy your application behind a load balancer using Auto Scaling groups, create a new identical Auto Scaling group, and associate it to the load balancer.
During deployment, create a new Amazon Route53 hosted zone, add this new load balancer to the zone in an alias resource record set, and then remove your old Auto Scaling group. Re-deploy your application behind a load balancer using an OpsWorks stack, and use AWS OpsWorks stack versioning. During deployment, create a new version of your application, tell OpsWorks to launch the new version behind your load balancer, and when the new version launches, update your Amazon Route53 alias resource retort to point to the new load balancer.
In DynamoDB, a secondary index is a data structure that contains a subset of attributes from
a table, along with an alternate key to support ______ operations. None of the above Both Query Scan.
When thinking of AWS Elastic Beanstalk, which statement is true? Worker tiers pull jobs from SNS. Worker tiers pull jobs from HTTP. Worker tiers pull jobs from JSON. Worker tiers pull jobs from SQS.
Ansible provides some methods for controlling how or when a task is ran. Which of the
following is a valid method for controlling a task with a loop? - with: <value> - with_items: <value> - only_when: <conditional> - items: <value>.
A Developer is designing a continuous deployment workflow for a new Development team
to facilitate the process for source code promotion in AWS. Developers would like to store and
promote code for deployment from development to production while maintaining the ability to roll
back that deployment if it fails.
Which design will incur the LEAST amount of downtime? Create one repository in AWS CodeCommit. Create a development branch to hold merged changes. Use AWS CodeBuild to build and test the code stored in the development branch triggered on a new commit. Merge to the master and deploy to production by using AWS CodeDeploy for a blue/green deployment. Create one repository for each Developer in AWS CodeCommit and another repository to hold the production code. Use AWS CodeBuild to merge development and production repositories, and deploy to production by using AWS CodeDeploy for a blue/green deployment. Create one repository for development code in AWS CodeCommit and another repository to hold the production code. Use AWS CodeBuild to merge development and production repositories, and deploy to production by using AWS CodeDeploy for a blue/green deployment. Create a shared Amazon S3 bucket for the Development team to store their code. Set up an Amazon CloudWatch Events rule to trigger an AWS Lambda function that deploys the code to production by using AWS CodeDeploy for a blue/green deployment.
What flag would you use to limit a Docker container's memory usage to 128 megabytes? -memory 128m -m 128m --memory-reservation 128m -m 128MB.
If you're trying to configure an AWS Elastic Beanstalk worker tier for easy debugging if there
are problems finishing queue jobs, what should you configure? Configure Rolling Deployments. Configure Enhanced Health Reporting Configure Blue-Green Deployments. Configure a Dead Letter Queue.
To access the AWS Security Token Service (STS) you can issue calls directly to the AWS STS
Query API. This API is a web service interface that accepts ______ requests. PUT HTTPS POST GET.
How long are the messages kept on an SQS queue by default? If a message is not read, it is never deleted 2 weeks 1 day 4 days.
Your system uses a multi-master, multi-region DynamoDB configuration spanning two
regions to achieve high availablity. For the first time since launching your system, one of the AWS
Regions in which you operate over went down for 3 hours, and the failover worked correctly.
However, after recovery, your users are experiencing strange bugs, in which users on different sides
of the globe see different data. What is a likely design issue that was not accounted for when
launching? The system does not have Lambda Functor Repair Automatons, to perform table scans and chack for corrupted partition blocks inside the Table in the recovered Region. The system did not implement DynamoDB Table Defragmentation for restoring partition
performance in the Region that experienced an outage, so data is served stale. The system did not include repair logic and request replay buffering logic for post-failure, to resynchronize data to the Region that was unavailable for a number of hours. The system did not use DynamoDB Consistent Read requests, so the requests in different areas are not utilizing consensus across Regions at runtime.
You've been tasked with implementing an automated data backup solution for your application servers that run on Amazon EC2 with Amazon EBS volumes. You want to use a distributed data store for your backups to avoid single points of failure and to increase the durability of the data.
Daily backups should be retained for 30 days so that you can restore data within an hour.
How can you implement this through a script that a scheduling daemon runs daily on the application
servers? Write the script to call the ec2-create-volume API, tag the Amazon EBS volume with the current date time group, and copy backup data to a second Amazon EBS volume.
Use the ec2-describe-volumes API to enumerate existing backup volumes.
Call the ec2-delete-volume API to prune backup volumes that are tagged with a date-tine group older than 30 days. Write the script to call the Amazon Glacier upload archive API, and tag the backup archive with the current date-time group. Use the list vaults API to enumerate existing backup archives Call the delete vault API to prune backup archives that are tagged with a date-time group older than 30 days. Write the script to call the ec2-create-snapshot API, and tag the Amazon EBS snapshot with the current date-time group.Use the ec2-describe-snapshot API to enumerate existing Amazon EBS snapshots. Call the ec2-delete-snapShot API to prune Amazon EBS snapshots that are tagged with a date- time group older than 30 days. Write the script to call the ec2-create-volume API, tag the Amazon EBS volume with the current date-time group, and use the ec2-copy-snapshot API to back up data to the new Amazon EBS volume. Use the ec2- describe-snapshot API to enumerate existing backup volumes. Call the ec2-delete-snaphot API to prune backup Amazon EBS volumes that are tagged with a datetime group older than 30 days.
To run an application, a DevOps Engineer launches an Amazon EC2 instances with public IP
addresses in a public subnet. A user data script obtains the application artifacts and installs them on the instances upon launch. A change to the security classification of the application now requires the instances to run with no access to the Internet. While the instances launch successfully and show as healthy, the application does not seem to be installed.
Which of the following should successfully install the application while complying with the new rule? Launch the instances in a public subnet with Elastic IP addresses attached. Once the application is installed and running, run a script to disassociate the Elastic IP addresses afterwards. Set up a NAT gateway. Deploy the EC2 instances to a private subnet. Update the private subnet's route table to use the NAT gateway as the default route. Publish the application artifacts to an Amazon S3 bucket and create a VPC endpoint for S3. Assign an IAM instance profile to the EC2 instances so they can read the application artifacts from the S3 bucket. Create a security group for the application instances and whitelist only outbound traffic to the artifact repository. Remove the security group rule once the install is complete.
You run a clustered NoSQL database on AWS EC2 using AWS EBS. You need to reduce
latency for database response times. Performance is the most important concern, not availability.
You did not perform the initial setup, someone without much AWS knowledge did, so you are not sure if they configured everything optimally. Which of the following is NOT likely to be an issue
contributing to increased latency? The EC2 instances are not EBS Optimized. The database and requesting system are both in the wrong Availability Zone. The EBS Volumes are not using PIOPS. The database is not running in a placement group.
A company has microservices running in AWS Lambda that read data from Amazon
DynamoDB. The Lambda code is manually deployed by Developers after successful testing. The company now needs the tests and deployments be automated and run in the cloud. Additionally, traffic to the new versions of each microservice should be incrementally shifted over time after deployment. What solution meets all the requirements, ensuring the MOST developer velocity? Create an AWS CodePipeline configuration and set up a post-commit hook to trigger the pipeline after tests have passed. Use AWS CodeDeploy and create a Canary deployment configuration that specifies the percentage of traffic and interval. Create an AWS CodeBuild configuration that triggers when the test code is pushed. Use AWS CloudFormation to trigger an AWS CodePipeline configuration that deploys the new Lambda versions and specifies the traffic shift percentage and interval. Create an AWS CodePipeline configuration and set up the source code step to trigger when code is pushed. Set up the build step to use AWS CodeBuild to run the tests. Set up an AWS CodeDeploy configuration to deploy, then select the CodeDeployDefault.LambdaLinear10PercentEvery3Minutes option. Use the AWS CLI to set up a post-commit hook that uploads the code to an Amazon S3 bucket after tests have passed. Set up an S3 event trigger that runs a Lambda function that deploys the new version. Use an interval in the Lambda function to deploy the code over time at the required percentage.
A company used AWS CloudFormation to deploy a three-tier web application that stores
data in an Amazon RDS MySOL Multi-AZ DB instance. A DevOps Engineer must upgrade the RDS
instance to the latest major version of MySQL while incurring minimal downtime. How should the
Engineer upgrade the instance while minimizing downtime? Update the EngineVersion property of the AWS::RDS:: DBInstance resource type in the
CloudFormation template to the latest desired version. Launch a second stack and make the new RDS instance a read replica. Update the DBEngineVersion property of the AWS: : RDS : :DBInstance resource type in the CloudFormation template to the latest desired version. Perform an Update Stack operation. Create a new RDS Read Replicas resource with the same properties as the instance to be upgraded. Perform a second Update Stack operation. Update the DBEngineVersion property of the AWS: :RDS: :DB:Instance resource type in the CloudFormation template to the latest desired version. Create a new RDS Read Replicas resource with the same properties as the instance to be upgraded. Perform an Update Stack operation. Update the EngineVersion property of the AWS :: RDS :: DBInstance resource type in the
CloudFormation template to the latest version, and perform an Update Stack operation.
You have just come from your Chief Information Security Officer's (CISO) office with the
instructions to provide an audit report of all AWS network rules used by the organization's Amazon
EC2 instances. You have discovered that a single Describe-Security-Groups API call will return all of an account's security groups and rules within a region.
You create the following pseudo-code to create the required report:
- Parse "aws ec2 describe-security-groups" output
- For each security group
- Create report of ingress and egress rules
Which two additional pieces of logic should you include to meet the CISO's requirements?
Choose 2 answers Parse security groups in each region. Parse security groups in each Availability Zone and region. Evaluate VPC network access control lists. Evaluate AWS CloudTrail logs. Evaluate Elastic Load Balancing access control lists. Parse CloudFront access control lists.
You have an application running on multiple Amazon EC2 instances within an Auto Scaling
group. You notice that instances are being re-spawned as their health checks are failing in Amazon EC2. However, before you have a chance to diagnose the issue, the affected instances are being
terminated by the Auto Scaling service. You receive notifications of health checks failing and investigate within 20 minutes. However, this is not enough time to troubleshoot the issue. What should you change that will enable you to troubleshoot the instance before it is terminated by
the Auto Scaling service, while keeping costs minimal? Install the Amazon CloudWatch Logs Agent on the instance and configure application and system logs to be sent to the CloudWatch Logs service. Configure an Amazon SNS topic and associate it with your Auto Scaling group's CloudWatch alarms. Configure an Amazon SQS queue as a subscriber of this topic, and then create a fleet of Amazon EC2 workers that poll this queue and instruct the Amazon EC2 Auto Scaling API to remove the instance from the Auto Scaling group when an alarm is triggered. Create an Auto Scaling Group lifecycle hook to hold the instance in a terminating:wait state until you have completed any troubleshooting. When you have completed troubleshooting, wait for the terminating state to expire, or notify to Scaling to complete the lifecycle hook and terminate the Instance. Change the "DeleteOnTermination" flag to false in the Auto Scaling group configuration to ensure that instances are not deleted in the future.
Management has reported an increase in the monthly bill from Amazon web services, and they are extremely concerned with this increased cost. Management has asked you to determine the exact cause of this increase. After reviewing the billing report, you notice an increase in the data transfer cost. How can you provide management with a better insight into data transfer use? Update your Amazon CloudWatch metrics to use five-second granularity, which will give better detailed metrics that can be combined with your billing data to pinpoint anomalies. Use Amazon CloudWatch Logs to run a map-reduce on your logs to determine high usage and data transfer. Deliver custom metrics to Amazon CloudWatch per application that breaks down application data transfer into multiple, more specific data points. Using Amazon CloudWatch metrics, pull your Elastic Load Balancing outbound data transfer metrics monthly, and include them with your billing report to show which application is causing higher bandwidth usage.
A Development team is working on a serverless application in AWS. To quickly identify and
remediate potential production issues, the team decides to roll out changes to a small number of
users as a test before the full release. The DevOps Engineer must develop a solution to minimize
downtime and impact. Which of the following solutions should be used to meet the requirements?
(Select TWO.) Create an Application Load Balancer with two target groups. Set up the Application Load Balancer for Amazon API Gateway private integration. Associate one target group to the current version and the other target group to the new version. Configure API Gateway to route 10% of incoming traffic to the new version. As the new version becomes stable, configure API Gateway to send all traffic to the new version and detach the old version from the load balancer. Create an alias for an AWS Lambda function pointing to both the current and new versions. Configure the alias to route 10% of incoming traffic to the new version. As the new version is considered stable, update the alias to route all traffic to the new version. Create a rollover record set in AWS Route 53 pointing to the AWS Lambda endpoints for the old and new versions. Configure Route 53 to route 10% of incoming traffic to the new version. As the new version becomes stable, update the DNS record to route all traffic to the new version. Create an ELB Network Load Balancer with two target groups. Set up the Network Load Balancer for Amazon API Gateway private integration Associate one target group with the current version and the other target group with the new version. Configure the load balancer to route 10% of incoming traffic to the new version. As the new version becomes stable, detach the old version from the load balancer. In Amazon API Gateway, create a canary release deployment by adding canary settings to the stage of a regular deployment. Configure API Gateway to route 10% of the incoming traffic to the canary release. As the canary release is considered stable, promote it to a production release.
When thinking of AWS Elastic Beanstalk, the 'Swap Environment URLs' feature most directly aids in what? Immutable Rolling Deployments Mutable Rolling Deployments Canary Deployments Blue-Green Deployments.
Currently, your deployment process consists of setting your load balancer to point to a
maintenance page, turning off ea web application servers, deploying your code, turning the web
application servers back on, and removing the maintenance page. Working with your development team, you've agreed that performing rolling deployments of your software would provide a better user experience and a more agile deployment process. Which techniques could you use to provide a cost-effective rolling deployment process? Choose 2 answers. Use the Amazon Elastic Cloud Compute (EC2) API to write a service to return a list of servers based on the tags for the application that needs deployment, and use Amazon Simple Queue Service to queue up all servers for a rolling deployment. Re-deploy your application on AWS Elastic Beanstalk, and use Elastic Beanstalk rolling
deployments. Re-deploy your application on an AWS OpsWorks stack, and take advantage of OpsWorks rolling deployments. Re-deploy your application using an AWS CloudFormation template, launch a new CloudFormation stack during each deployment, and then tear down the old stack. Re-deploy your application using an AWS CloudFormation template with Auto Scaling group, and use update policies to provide rolling updates. Using Amazon Simple Workflow Service, create a workflow application that talks to the Amazon EC2 API to deploy your new code in a rolling fashion.
A company must ensure consistent behavior of an application running on Amazon Linux in
its corporate ecosystem before moving into AWS. The company has an existing automated server
build system using VMware. The goal is to demonstrate the functionality of the application and its prerequisites on the new target operating system. The DevOps Engineer needs to use the existing corporate server pipeline and virtualization software to create a server image. The server image will be tested on-premises to resemble the build on Amazon EC2 as closely as possible. How can this be accomplished? Download and integrate the latest ISO of CentOS 7 and execute the application deployment on the resulting server. Launch an Amazon Linux AMI using an AWS OpsWorks deployment agent onto the on-premises infrastructure, then execute the application deployment. Build an EC2 instance with the latest Amazon Linux operating system, and use the AWS
Import/Export service to export the EC2 image to a VMware ISO in Amazon S3. Then import the resulting ISO onto the on-premises system. Download and integrate the latest ISO of Amazon Linux 2 and execute the application deployment on the resulting server. Confirm that operating system testing results are consistent with EC2 operating system behavior.
You want to pass queue messages that are 1GB each. How should you achieve this? Use Kinesis as a buffer stream for message bodies. Store the checkpoint id for the placement in the Kinesis Stream in SQS. Use the Amazon SQS Extended Client Library for Java and Amazon S3 as a storage mechanism for message bodies. Use SQS's support for message partitioning and multi-part uploads on Amazon S3. Use AWS EFS as a shared pool storage medium. Store filesystem pointers to the files on disk in the SQS message bodies.
A web application is being actively developed by multiple development teams within your
organization.
You have created a self-service portal-driven by AWS CloudFormation and the AWS APIs-that allows
testers to select a code branch containing a new feature that they want to test.
The portal will then provision an environment and deploy the right branch of code to it.
Recently you have noticed that a large number of environments contain broken builds.
You want to introduce a set of automated browser tests that are executed on a new environment
before the environment is available to the tester.
This way a tester does not waste time trying to test new features in a broken environment. Select a
suitable way to implement such a feature into the existing self-service portal: Specify your automated tests in the "tests" section of the AWS CloudFormation template.
AWS CloudFormation will then execute the tests on your behalf as part of the environment build. Configure a centralized test server that hosts an automated browser testing framework.
Use an AWS CloudFormation custom resource to notify the centralized test server, via an Amazon SNS topic, that a new environment has been initialized. The centralized test server can then execute the tests before sending the results back to the AWS CloudFormation service. Pass the test scripts to the cfn-init service via the "tests" section of the AWS::CloudFormation::Init metadata. Cfn-init will then execute these tests and return the result to the AWS CloudFormation service. Configure a centralized test server that hosts an automated browser testing framework.
Include an Amazon SES email resource under the outputs section of your AWS CloudFormation template. This we send an email to your centralized test server, informing it that the environment is ready for tests.
root account has created an IAM group and defined the policy as:
"Statement": [
{
"Effect": "Allow"
"Action": ["iam:ChangePassword"],
"Resource": ["arn:aws:iam::123123123123:user/${aws:username}"] },
{
"Effect": "Allow",
"Action": ["iam:GetAccountPasswordPolicy"],
"Resource": ["*"]
}]
What will this policy do? Allow this group to view the password policy of all the users added only to that group Allow all the users of IAM to modify their password Allow an IAM user in this group to view the password policy and modify only his/her password Allow this group to view the password policy of all the IAM users.
You want to set up the CloudTrail Processing Library to log your bucket operations. Which command will build a .jar file from the CloudTrail Processing Library source code? mvn javac mvn -install processor jar install processor build jar -Dgpg.processor mvn clean install -Dgpg.skip=true.
Customers have recently been complaining that your web application has randomly stopped
responding. During a deep dive of your logs, the team has discovered a major bug in your new Java web application. This bug is causing a memory leak that eventually causes the application to crash.
Your web application runs on Amazon EC2 and was built with AWS CloudFormation.
Which techniques should you use to help detect these problems faster, as well as help eliminate the
server's unresponsiveness? Choose 2 answers Update your AWS CloudFormation configuration and enable a CustomResource that uses cfnsignal to detect memory leaks. Update your CloudWatch metric granularity config for all Amazon EC2 memory metrics to support five- second granularity. Create a CloudWatch alarm that triggers an Amazon SNS notification to page your team when the application memory becomes too large. Update your AWS CloudFormation configuration to take advantage of Auto Scaling groups. Configure an Auto Scaling group policy to trigger off your custom CloudWatch metrics. Create a custom CloudWatch metric that you push your JVM memory usage to.
Create a Cloudwatch alarm that triggers an Amazon SNS notification to page your team when the application memory usage becomes too large. Update your AWS CloudFormation configuration to take advantage of CloudWatch metrics Agent. Configure the CloudWatch Metrics Agent to monitor memory usage and trigger an Amazon SNS alarm.
An education company has a Docker-based application running on multiple Amazon EC2
instances in an Amazon ECS cluster. When deploying a new version of the application, the Developer, pushes a new image to a private Docker container registry, and then stops and starts all tasks to ensure that they all have the latest version of the application. The Developer discovers that the new tasks are, occasionally running with an old image.
How can this issue be prevented? After pushing the new image, restart ECS Agent, and then start the tasks. Use "latest" for the Docker image tag in the task definition. Update the digest on the task definition when pushing the new image. Use Amazon ECR for a Docker container registry.
What is the scope of an EBS snapshot? Availability Zone Placement Group Region VPC.
Your organization has decided to implement a third-party configuration management tool
that uses a master server from which nodes pull configuration. You have built a custom base Amazon Machine Image that already has the third-party configuration management agent installed. You want to use the same base AMI in Development, Test and Production environments, each of which has its own master server. How should you configure your Amazon EC2 instances to register with the correct master server on launch? Create a tag for all instances that specifies their environment. When launching instances, provide an Amazon EC2 UserData script that gets this tag by querying the MetaData Service and registers the agent with the master. Use Amazon CloudFormation to describe your environment. Configure an input parameter for the master server hostname/address, and use this parameter within an Amazon EC2 UserData script that registers the agent with the master. Create a script on your third-party configuration management master server that queries the Amazon EC2 API for new instances and registers them with it. Use Amazon Simple Workflow Service to automate the process of registering new instances with your master server. Use an Environment tag in Amazon EC2 to register instances with the correct master server.
Your application is currently running on Amazon EC2 instances behind a load balancer. Your management has decided to use a Blue/Green deployment strategy. How should you implement this for each deployment? Set up Amazon Route 53 health checks to fail over from any Amazon EC2 instance that is currently being deployed to. Using AWS CloudFormation, create a test stack for validating the code, and then deploy the code to each production Amazon EC2 instance. Create a new load balancer with new Amazon EC2 instances, carry out the deployment, and then switch DNS over to the new load balancer using Amazon Route 53 after testing. Launch more Amazon EC2 instances to ensure high availability, de-register each Amazon EC2 instance from the load balancer, upgrade it, and test it, and then register it again with the load balancer.
Which of the following is NOT an advantage of Docker's content addressable storage model? random UUIDs improve filesystem performance improved security guarantees data integrity after push, pull, load, and save operations avoids content ID collisions.
Which is the proper syntax for referencing a variable's value in an Ansible task? ${variable_name} { variable_name } "{{ variable_name }}" @variable_name.
A company has deployed several applications globally. Recently, Security Auditors found
that few Amazon EC2 instances were launched without Amazon EBS disk encryption. The Auditors
have requested a report detailing all EBS volumes that were not encrypted in multiple AWS accounts
and regions. They also want to be notified whenever this occurs in future.
How can this be automated with the LEAST amount of operational overhead? Create an AWS Lambda function to set up an AWS Config rule on all the target accounts. Use AWS Config aggregators to collect data from multiple accounts and regions. Export the aggregated report to an Amazon S3 bucket and use Amazon SNS to deliver the notifications. Set up AWS CloudTrail to deliver all events to an Amazon S3 bucket in a centralized account. Use the S3 event notification feature to invoke an AWS Lambda function to parse AWS CloudTrail logs whenever logs are delivered to the S3 bucket. Publish the output to an Amazon SNS topic using the same Lambda function. Create an AWS CloudFormation template that adds an AWS Config managed rule for EBS encryption. Use a CloudFormation stack set to deploy the template across all accounts and regions. Store consolidated evaluation results from config rules in Amazon S3. Send a notification using Amazon SNS when non-compliant resources are detected. Using AWS CLI, run a script periodically that invokes the aws ec2 describe-volumes query with a JMESPATH query filter. Then, write the output to an Amazon S3 bucket. Set up an S3 event notification to send events using Amazon SNS when new data is written to the S3 bucket.
You work for an insurance company and are responsible for the day-to-day operations of
your company's online quote system used to provide insurance quotes to members of the public.
Your company wants to use the application logs generated by the system to better understand
customer behavior.
Industry, regulations also require that you retain all application logs for the system indefinitely in
order to investigate fraudulent claims in the future.
You have been tasked with designing a log management system with the following requirements:
- All log entries must be retained by the system, even during unplanned instance failure.
- The customer insight team requires immediate access to the logs from
the past seven days.
- The fraud investigation team requires access to all historic logs,
but will wait up to 24 hours before these logs are available.
How would you meet these requirements in a cost-effective manner? Choose 3 answers Configure your application to write logs to the instance's ephemeral disk, because this storage is free and has good write performance. Create a script that moves the logs from the instance to Amazon 53 once an hour. Write a script that is configured to be executed when the instance is stopped or terminated and that will upload any remaining logs on the instance to Amazon S3. Create an Amazon S3 lifecycle configuration to move log files from Amazon S3 to Amazon Glacier after seven days. Configure your application to write logs to the instance's default Amazon EBS boot volume, because this storage already exists. Create a script that moves the logs from the instance to Amazon 53 once an hour. Configure your application to write logs to a separate Amazon EBS volume with the "delete on termination" field set to false. Create a script that moves the logs from the instance to Amazon S3 once an hour. Create a housekeeping script that runs on a T2 micro instance managed by an Auto Scaling group for high availability. The script uses the AWS API to identify any unattached Amazon EBS volumes containing log files. Your housekeeping script will mount the Amazon EBS volume, upload all logs to Amazon S3, and then delete the volume.
A company uses a complex system that consists of networking, IAM policies, and multiple
three- tier applications. Requirements are still being defined for a new system, so the number of AWS
components present in the final design is not known. The DevOps Engineer needs to begin defining
AWS resources using AWS CloudFormation to automate and version-control the new infrastructure.
What is the best practice for using CloudFormation to create new environments? Manually construct the networking layer using Amazon VPC and then define all other resources using CloudFormation. Create a single template to encompass all resources that are required for the system so there is only one template to version-control. Create multiple separate templates for each logical part of the system, use cross-stack references in CloudFormation, and maintain several templates in version control. Create many separate templates for each logical part of the system, and provide the outputs from
one to the next using an Amazon EC2 instance running SDK for granular control.
A publishing company used AWS Elastic Beanstalk, Amazon S3, and Amazon DynamoDB to
develop a web application. The web application has increased dramatically in popularity, resulting in
unpredictable spikes in traffic. A DevOps Engineer has noted that 90% of the requests are duplicate
read requests. How can the Engineer improve the performance of the website? Use Amazon ElastiCache for Redis to cache repeated read requests to DynamoDB and AWS Elemental MediaStore to cache images stored in S3. Use Amazon ElastiCache for Memcached to cache repeated read requests to DynamoDB and Varnish to cache images stored in S3. Use DynamoDB Accelerator to cache repeated read requests to DynamoDB and Amazon
CloudFront to cache images stored in S3. Use DynamoDB Streams to cache repeated read requests to DynamoDB and API Gateway to cache images stored in S3.
You use Amazon CloudWatch as your primary monitoring system for your web application.
After a recent software deployment, your users are getting Intermittent 500 Internal Server Errors when using the web application. You want to create a CloudWatch alarm, and notify an on-call engineer when these occur.
How can you accomplish this using AWS services? Choose 3 answers Deploy your web application as an AWS Elastic Beanstalk application.
Use the default Elastic Beanstalk Cloudwatch metrics to capture 500 Internal Server Errors. Set a CloudWatch alarm on that metric. Install a CloudWatch Logs Agent on your servers to stream web application logs to CloudWatch. Use Amazon Simple Email Service to notify an on-call engineer when a CloudWatch alarm is triggered. Create a CloudWatch Logs group and define metric filters that capture 500 Internal Server Errors. Set a CloudWatch alarm on that metric. Use Amazon Simple Notification Service to notify an on-call engineer when a CloudWatch alarm is triggered. Use AWS Data Pipeline to stream web application logs from your servers to CloudWatch.
When thinking of AWS OpsWorks, which of the following is true? Stacks have many layers, layers have many instances. Instances have many stacks, stacks have many layers. Layers have many stacks, stacks have many instances. Layers have many instances, instances have many stacks.
Your application uses Amazon SQS and Auto Scaling to process background jobs.
The Auto Scaling policy is based on the number of messages in the queue, with a maximum Instance count of 100. Since the application was launched, the group has never scaled above 50. The Auto Scaling group has now scaled to 100, the queue size is increasing, and very few Jobs are being completed. The number of messages being sent to the queue is at normal levels.
What should you do to identify why the queue size is unusually high, and to reduce it? Temporarily increase the Auto Scaling group's desired value to 200. When the queue size has been reduced, reduce it to 50. Analyze the application logs to identify possible reasons for message processing failure and resolve the cause for failures. Create additional Auto Scaling groups, enabling the processing of the queue to be performed in parallel. Analyze CloudTrail logs for Amazon SQS to ensure that the instances' Amazon EC2 role has permission to receive messages from the queue.
To override an allow in an IAM policy, you set the Effect element to ______. Block Stop Deny Allow.
For AWS Auto Scaling, what is the first transition state an existing instance enters after
leaving steady state in Standby mode? Detaching Terminating:Wait Pending EnteringStandby.
What needs to be done in order to remotely access a Docker daemon running on Linux? add certificate authentication to the docker API change the encryption level to TLS enable the TCP socket bind the Docker API to a unix socket.
Some of your EC2 instances are configured to use a Proxy. Can you use Amazon Inspector
for regular assessment of instances behind proxy? Only Windows-based systems are supported as Linux-based systems use custom configurations that are not supported by AWS Agent in the current release. Only Linux-based systems are supported, and AWS agent supports HTTPS proxy on these systems. No, AWS Agent does NOT support proxy environments. Yes, AWS Agent supports proxy environments on both Linux-based and Windows-based systems.
You need to implement A/B deployments for several multi-tier web applications. Each of them has Its Individual infrastructure:
Amazon Elastic Compute Cloud (EC2) front-end servers, Amazon ElastiCache clusters, Amazon Simple Queue Service (SQS) queues, and Amazon Relational Database (RDS) Instances. Which combination of services would give you the ability to control traffic between different deployed versions of your application? (Choose one.) Create one AWS Elastic Beanstalk application and all AWS resources (using configuration files inside the application source bundle) for each web application. New versions would be deployed a-eating Elastic Beanstalk environments and using the Swap URLs feature. Using AWS CloudFormation templates, create one Elastic Beanstalk application and all AWS resources (in the same template) for each web application. New versions would be deployed using AWS CloudFormation templates to create new Elastic Beanstalk environments, and traffic would be balanced between them using weighted Round Robin (WRR) records in Amazon Route53. Using AWS CloudFormation templates, create one Elastic Beanstalk application and all AWS resources (in the same template) for each web application. New versions would be deployed updating a parameter on the CloudFormation template and passing it to the cfn-hup helper daemon, and traffic would be balanced between them using Weighted Round Robin (WRR) records in Amazon Route 53. Create one Elastic Beanstalk application and all AWS resources (using configuration files inside the application source bundle) for each web application. New versions would be deployed updating the Elastic Beanstalk application version for the current Elastic Beanstalk environment.
When logging with Amazon CloudTrail, API call information for services with regional end points is ____. captured and processed in the same region as to which the API call is made and delivered to the region associated with your Amazon S3 bucket captured, processed, and delivered to the region associated with your Amazon S3 bucket captured in the same region as to which the API call is made and processed and delivered to the region associated with your Amazon S3 bucket captured in the region where the end point is located, processed in the region where the CloudTrail trail is configured, and delivered to the region associated with your Amazon S3 bucket.
According to Information Security Policy, changes to the contents of objects inside production Amazon S3 bucket that contain encrypted secrets should only be made by a trusted group of administrators. How should a DevOps Engineer create real-time, automated checks to meet this requirement? Create an AWS Lambda function that is triggered by Amazon S3 data events for object changes and that also checks the IAM user's membership in an administrator's IAM role. Create a periodic AWS Config rule to query Amazon S3 Logs for changes and to check the IAM user's membership in an administrator's IAM role. Create a metrics filter for Amazon CloudWatch logs to check for Amazon S3 bucket-level permission changes and to check the IAM user's membership in an administrator's IAM role. Create a periodic AWS Config rule to query AWS CloudTrail logs for changes to the Amazon S3 bucket-level permissions and to check the IAM user's membership in an administrator's IAM role.
Which of these is not an intrinsic function in AWS CloudFormation? Fn::Split Fn::FindInMap Fn::Select Fn::GetAZs.
You have been given a business requirement to retain log files for your application for 10 years. You need to regularly retrieve the most recent logs for troubleshooting. Your logging system must be cost-effective, given the large volume of logs. What technique should you use to meet these requirements? Store your log in Amazon CloudWatch Logs. Store your logs in Amazon Glacier. Store your logs in Amazon S3, and use lifecycle policies to archive to Amazon Glacier. Store your logs in HDFS on an Amazon EMR cluster. Store your logs on Amazon EBS, and use Amazon EBS snapshots to archive them.
What is the expected behavior if Ansible is called with `ansible-playbook -i localhost playbook.yml'? Ansible will attempt to read the inventory file named `localhost' Ansible will run the plays locally. Ansible will run the playbook on the host named `localhost' Ansible won't run, this is invalid command line syntax.
What is server immutability? Not updating a server after creation. The ability to change server counts. Updating a server after creation. The inability to change server counts.
As part of your continuous deployment process, your application undergoes an I/O load performance test before it is deployed to production using new AMIs. The application uses one Amazon Elastic Block Store (EBS) PIOPS volume per instance and requires consistent I/O performance. Which of the following must be carried out to ensure that I/O load performance tests yield the
correct results in a repeatable manner? Ensure that the I/O block sizes for the test are randomly selected. Ensure that the Amazon EBS volumes have been pre-warmed by reading all the blocks before the test. Ensure that snapshots of the Amazon EBS volumes are created as a backup. Ensure that the Amazon EBS volume is encrypted. Ensure that the Amazon EBS volume has been pre-warmed by creating a snapshot of the volume before the test.
You're responsible for a popular file sharing application that uses Elastic Load Balancing to
distribute traffic to an Amazon EC2 application tier deployed in an Auto Scaling group that runs across multiple Availability Zones. You currently record the number of user file transfers to a log file on the application server, and then write data points from the logs to an Amazon RDS MySQL instance. You aren't happy with how your application scales, and want to implement a new scaling policy based on the average number of user file transfers in a 10-minute period instead of average CPU utilization in the last five minutes. What steps should you take to ensure that your application tier scales based on this new policy?
Choose 2 answers Create a new CloudWatch alarm based on the Elastic Load Balancing "RequestCount" metric that triggers an Auto Scaling action to scale the application tier. Create a new CloudWatch alarm based on a custom metric streaming from the Amazon RDS MySQL instance that triggers an Auto Scaling action to scale the application tier. Create a new CloudWatch alarm based on a custom metric published from file transfer logs streaming to CloudWatch that triggers an Auto Scaling action to scale the application tier. Create a new Auto Scaling launch configuration that includes an Amazon EC2 user data script that installs a CloudWatch Logs Agent on newly launched instances in the application tier. The agent will be configured to stream the file transfers log tile to CloudWatch. Create a new Auto Scaling launch configuration for the application tier that scales based on an Auto Scaling policy that reads the file transfer log data from the Amazon RIDS MySQL instance. Create a new Auto Scaling launch configuration that includes an Amazon EC2 user data script that installs an Amazon RDS Logs Agent on newly launched instances in the application tier. The agent will be configured to stream the file transfer data points to the Auto Scaling group.
You have a code repository that uses Amazon S3 as a data store. During a recent audit of your security controls, some concerns were raised about maintaining the integrity of the data in the Amazon S3 bucket. Another concern was raised around securely deploying code from Amazon S3 to applications running on Amazon EC2 in a virtual private cloud.
What are some measures that you can implement to mitigate these concerns? Choose 2 answers. Add an Amazon S3 bucket policy with a condition statement to allow access only from Amazon EC2 instances with RFC 1918 IP addresses and enable bucket versioning. Add an Amazon S3 bucket policy with a condition statement that requires multi-factor authentication in order to delete objects and enable bucket versioning. Use a configuration management service to deploy AWS Identity and Access Management user credentials to the Amazon EC2 instances. Use these credentials to securely access the Amazon S3 bucket when deploying code. Create an Amazon Identity and Access Management role with authorization to access the Amazon 53 bucket, and launch all of your application's Amazon EC2 instances with this role. Use AWS Data Pipeline to lifecycle the data in your Amazon S3 bucket to Amazon Glacier on a weekly basis. Use AWS Data Pipeline with multi-factor authentication to securely deploy code from the Amazon .5.3 bucket to your Amazon EC2 instances.
Your application consists of 10% writes and 90% reads. You currently service all requests through a Route53 Alias Record directed towards an AWS ELB, which sits in front of an EC2 Auto Scaling Group. Your system is getting very expensive when there are large traffic spikes during certain news events, during which many more people request to read similar data all at the same time. What is the simplest and cheapest way to reduce costs and scale with spikes like this? Create an S3 bucket and asynchronously replicate common requests responses into S3 objects. When a request comes in for a precomputed response, redirect to AWS S3. Create another ELB and Auto Scaling Group layer mounted on top of the other system, adding a tier to the system. Serve most read requests out of the top layer. Create a CloudFront Distribution and direct Route53 to the Distribution.
Use the ELB as an Origin and specify Cache Behaviours to proxy cache requests which can be served late. Create a Memcached cluster in AWS ElastiCache. Create cache logic to serve requests which can be served late from the in-memory cache for increased performance.
An application has microservices spread across different AWS accounts and is integrated
with an on- premises legacy system for some of its functionality. Because of the segmented
architecture and missing logs, every time the application experiences issues, it is taking too long to gather the logs to identify the issues. A DevOps Engineer must fix the log aggregation process and provide a way to centrally analyze the logs.
Which is the MOST efficient and cost-effective solution? Collect system logs and application logs by using the Amazon CloudWatch Logs agent. Use the Amazon S3 API to export on-premises logs, and store the logs in an S3 bucket in a central account. Build an Amazon EMR cluster to reduce the logs and derive the root cause. Collect system logs and application logs by using the Amazon CloudWatch Logs agent. Use the Amazon S3 API to import on-premises logs. Store all logs in S3 buckets in individual accounts. Use Amazon Macie to write a query to search for the required specific event-related data point. Collect system logs and application logs using the Amazon CloudWatch Logs agent. Install the CloudWatch Logs agent on the on-premises servers. Transfer all logs from AWS to the on- premises data center. Use an Amazon Elasticsearch Logstash Kibana stack to analyze logs on premises. Collect system logs and application logs by using the Amazon CloudWatch Logs agent. Install a CloudWatch Logs agent for on-premises resources. Store all logs in an S3 bucket in a central account. Set up an Amazon S3 trigger and an AWS Lambda function to analyze incoming logs and automatically identify anomalies. Use Amazon Athena to run ad hoc queries on the logs in the central account.
You need to deploy a new application version to production. Because the deployment is
high-risk, you need to roll the new version out to users over a number of hours, to make sure
everything is working correctly. You need to be able to control the proportion of users seeing the new version of the application down to the percentage point. You use ELB and EC2 with Auto Scaling Groups and custom AMIs with your code pre-installed assigned to Launch Configurations. There are no database-level changes during your deployment.
You have been told you cannot spend too much money, so you must not increase the number of EC2 instances much at all during the deployment, but you also need to be able to switch back to the original version of code quickly if something goes wrong. What is the best way to meet these requirements? Create a second ELB, Auto Scaling Launch Configuration, and Auto Scaling Group using the Launch Configuration. Create AMIs with all code pre-installed. Assign the new AMI to the second Auto Scaling Launch Configuration. Use Route53 Weighted Round Robin Records to adjust the proportion of traffic hitting the two ELBs. Use the Blue-Green deployment method to enable the fastest possible rollback if needed. Create a full second stack of instances and cut the DNS over to the new stack of instances, and change the DNS back if a rollback is needed. Create AMIs with all code pre-installed. Assign the new AMI to the Auto Scaling Launch Configuration, to replace the old one. Gradually terminate instances running the old code (launched with the old Launch Configuration) and allow the new AMIs to boot to adjust the traffic balance to the new code. On rollback, reverse the process by doing the same thing, but changing the AMI on the Launch Config back to the original code. Migrate to use AWS Elastic Beanstalk. Use the established and well-tested Rolling Deploymentsetting AWS provides on the new Application Environment, publishing a zip bundle of the new codeand adjusting the wait period to spread the deployment over time. Re-deploy the old code bundle to rollback if needed.
When building a Docker image, you are searching through a persistent data volume's logs to
provide parameters for the next build. You execute the following command. Which of the operations will cause a failure of the Docker RUNcommand? RUN cat ./data/log/*.error | grep service_status | grep ERROR the first grep command any one of them the second grep command the cat command.
For AWS Auto Scaling, what is the first transition state a new instance enters after leaving
steady state when scaling out due to increased load? EnteringStandby Pending Terminating:Wait Detaching.
If Erin has three clusters of server types that are all managed by Ansible and she needs to
provision each cluster so that they are configured with their appropriate NTP server addresses.
What is the best method Erin should use in Ansible for managing this? Write a task that scans the network in the target hosts' region for the NTP server, register the resulting address so that the next task can write the NTP configuration. Break down the hosts by region in the Ansible inventory file and assign an inventory group variable the NTP address value for the respective region. The playbook can contain just the single play referencing the NTP variable from the inventory. Create a playbook for each different region and store the NTP address in a variable in the play in the event the NTP server changes. Create three plays, each one has the hosts for their respective regions and set the NTP server address in each task.
On which local address does the Docker DNS server listen? 127.0.0.1 127.0.0.111 127.0.0.254 127.0.0.11.
A company is using AWS for an application. The Development team must automate its
deployments. The team has set up an AWS CodePipeline to deploy the application to Amazon EC2 instances by using AWS CodeDeploy after it has been built using the AWS CodeBuild service. The team would like to add automated testing to the pipeline to confirm that the application is healthy before deploying it to the next stage of the pipeline using the same code. The team requires a manual approval action before the application is deployed, even if the test is successful. The testing and approval must be accomplished at the lowest costs, using the simplest management solution.
Which solution will meet these requirements? Add a manual approval action after the last deploy action of the pipeline. Use Amazon SNS to inform the team of the stage being triggered. Next, add a test action using CodeBuild to do the required tests. At the end of the pipeline, add a deploy action to deploy the application to the next stage. Add a test action after the last deploy action of the pipeline. Configure the action to use CodeBuild to perform the required tests. If these tests are successful, mark the action as successful. Add a manual approval action that uses Amazon SNS to notify the team, and add a deploy action to deploy the application to the next stage. Create a new pipeline that uses a source action that gets the code from the same repository as the first pipeline. Add a deploy action to deploy the code to a test environment. Use a test action using AWS Lambda to test the deployment. Add a manual approval action by using Amazon SNS to notify the team, and add a deploy action to deploy the application to the next stage. Add a test action after the last deployment action. Use a Jenkins server on Amazon EC2 to do the required tests and mark the action as successful if the tests pass. Create a manual approval action that uses Amazon SQS to notify the team and add a deploy action to deploy the application to the next stage.
You have been tasked with deploying a solution for your company that will store images,
which the marketing department will use for its campaigns. Employees are able to upload images via a web interface, and once uploaded, each image must be resized and watermarked with the company logo. Image resize and watermark is not time-sensitive and can be completed days after upload if required.
How should you design this solution in the most highly available and cost-effective way? Configure your web application to upload images to the Amazon Elastic Transcoder service. Use the Amazon Elastic Transcoder watermark feature to add the company logo as a watermark on your images and then to upload the final images into an Amazon S3 bucket. Configure your web application to upload images to Amazon S3, and send the Amazon S3 bucket URI to an Amazon SQS queue.
Create an Auto Scaling group and configure it to use Spot instances, specifying a price you are willing to pay. Configure the instances in this Auto Scaling group to poll the SQS queue for new images and then resize and watermark the image before uploading the final images into Amazon S3. Configure your web application to upload images to Amazon S3, and send the S3 object URI to an Amazon SQS queue. Create an Auto Scaling launch configuration that uses Spot instances, specifying a price you are willing to pay.
Configure the instances in this Auto Scaling group to poll the Amazon SQS queue for new images and then resize and watermark the image before uploading the new images into Amazon S3 and deleting the message from the Amazon SQS queue. Configure your web application to upload images to the local storage of the web server. Create a cronjob to execute a script daily that scans this directory for new files and then uses the Amazon EC2 Service API to launch 10 new Amazon EC2 instances, which will resize and watermark the images daily.
A large enterprise is deploying a web application on AWS. The application runs on Amazon
EC2 instances behind an Application Load Balancer. The instances run in an Auto Scaling group across multiple Availability Zones. The application stores data in an Amazon RDS Oracle DB instance and Amazon DynamoDB. There are separate environments for development, testing, and production. What is the MOST secure and flexible way to obtain password credentials during deployment? Retrieve an access key from an AWS Systems Manager SecureString parameter to access AWS services. Retrieve the database credentials from a Systems Manager SecureString parameter. Launch the EC2 instances with an EC2 IAM role to access AWS services. Retrieve the database credentials from AWS Secrets Manager. Retrieve an access key from an AWS Systems Manager plaintext parameter to access AWS services. Retrieve the database credentials from a Systems Manager SecureString parameter. Launch the EC2 instances with an EC2 IAM role to access AWS services. Store the database passwords in an encrypted config file with the application artifacts.
When deploying to a Docker swarm, which section of the docker-compose file defines
configuration related to the deployment and running of services? services build deploy args.
You manage a web advertising platform on a single AWS account. This platform produces
real- time ad-click data that you store as objects in an Amazon S3 bucket called "dick-data." Your advertising partners want to use Amazon Elastic MapReduce in their own AWS accounts to do analytics on the ad-click data. They' ve asked for immediate access to the ad-dick data so that they can run analytics. Which two choices are required to facilitate secure access to this data? Choose 2 answers. Create a cross-account TAM role with a trust policy that contains partner AWS account IDs and a unique external ID. Create a new IAM group for AWS Data Pipeline users with a trust policy that contains partner AWS account IDs. Configure an Amazon S3 bucket policy for the "click-data" bucket that allows Read-Only access to the objects, and associate this policy with an IAM role. Configure the Amazon S3 bucket access control list to allow access to the partners Amazon Elastic MapReduce cluster. Configure AWS Data Pipeline in the partner AWS accounts to use the web Identity Federation API to access data in the "click-data" bucket. Configure AWS Data Pipeline to transfer the data from the ''click-data" bucket to the partner's Amazon Elastic MapReduce cluster.
There are a number of ways to purchase compute capacity on AWS. Which orders the price
per compute or memory unit from LOW to HIGH (cheapest to most expensive), on average?
NO.255 There are a number of ways to purchase compute capacity on AWS. Which orders the price
per compute or memory unit from LOW to HIGH (cheapest to most expensive), on average?
A. On-Demand
B. Spot
C. Reserved A, B, C C, B, A B, C, A A, C, B.
A company is migrating an application to AWS that runs on a single Amazon EC2 instance.
Because of licensing limitations, the application does not support horizontal scaling. The application will be using Amazon Aurora for its database. How can the DevOps Engineer architect automated healing to automatically recover from EC2 and Aurora failures, in addition to recovering across Availability Zones (AZs), in the MOST cost- effective
manner? Create an EC2 Auto Scaling group with a minimum and maximum instance count of 1, and have it span across AZs. Use a single-node Aurora instance. Create an EC2 instance and enable instance recovery. Create an Aurora database with a read replica in a second AZ, and promote it to a primary database instance if the primary database instance fails. Create an Amazon CloudWatch Events rule to trigger an AWS Lambda function to start a new EC2 instance in an available AZ when the instance status reaches a failure state. Create an Aurora database with a read replica in a second AZ, and promote it to a primary database instance when the
primary database instance fails. Assign an Elastic IP address on the instance. Create a second EC2 instance in a second AZ. Create an Amazon CloudWatch Events rule to trigger an AWS Lambda function to move the Elastic IP address to the second instance when the first instance fails. Use a single-node Aurora instance.
You have an Auto Sealing group of Instances that processes messages from an Amazon
Simple Queue Service (SQS) queue. The group scales on the size of the queue. Processing Involves calling a third-party web service. The web service is complaining about the number of failed and repeated calls it is receiving from you. You have noticed that when the group scales in, instances are being terminated while they are processing.
What cost-effective solution can you use to reduce the number of incomplete process attempts? Create a new Auto Scaling group with minimum and maximum of 2 and instances running web proxy software. Configure the VPC route table to route HTTP traffic to these web proxies. Modify the application running on the instances to enable termination protection while it processes a task and disable it when the processing is complete. Increase the minimum and maximum size for the Auto Scaling group, and change the scaling policies so they scale less dynamically. Modify the application running on the instances to put itself into an Auto Scaling Standby state while it processes a task and return itself to InService when the processing is complete.
Your company has multiple applications running on AWS. Your company wants to develop a tool that notifies on-call teams immediately via email when an alarm is triggered in your environment. You have multiple on-cal teams that work different shifts, and the tool should handle notifying the correct teams at the correct times.
How should you implement this solution? Create an Amazon SNS topic and an Amazon SQS queue. Configure the Amazon SQS queue as a subscriber to the Amazon SNS topic. Configure CloudWatch alarms to notify this topic when an alarm is triggered. Create an Amazon EC2 Auto Scaling group with both minimum and desired Instances configured to 0. Worker nodes in this group spawn when messages are added to the queue. Workers then use Amazon Simple Email Service to send messages to your on call teams. Create an Amazon SNS topic and configure your on-call team email addresses as subscribers. Use the AWS SDK tools to integrate your application with Amazon SNS and send messages to this new topic. Notifications will be sent to on-call users when a CloudWatch alarm is triggered. Create an Amazon SNS topic and configure your on-call team email addresses as subscribers. Create a secondary Amazon SNS topic for alarms and configure your CloudWatch alarms to notify this topic when triggered. Create an HTTP subscriber to this topic that notifies your application via HTTP POST when an alarm is
triggered. Use the AWS SDK tools to integrate your application with Amazon SNS and send messages to the first topic so that on-call engineers receive alerts. Create an Amazon SNS topic for each on-call group, and configure each of these with the team member emails as subscribers.
Create another Amazon SNS topic and configure your CloudWatch alarms to notify this topic when triggered. Create an HTTP subscriber to this topic that notifies your application via HTTP POST when an alarm is triggered. Use the AWS SDK tools to integrate your application with Amazon SNS and send messages to the correct team topic when on shift.
An application is being deployed with two Amazon EC2 Auto Scaling groups, each configured with an Application Load Balancer. The application is deployed to one of the Auto Scaling groups and an Amazon Route 53 alias record is pointed to the Application Load Balancer of the last deployed Auto Scaling group. Deployments alternate between the two Auto Scaling groups. Home security devices are making requests into the application. The Development team notes that new requests are coming into the old stack days after the deployment. The issue is caused by devices that are not observing the Time to Live (TTL) setting on the Amazon Route 53 alias record. What steps should the DevOps Engineer take to address the issue with requests coming to the old stacks, while creating minimal additional resources? Create a fleet of Amazon EC2 instances running HAProxy behind an Application Load Balancer. The HAProxy instances will proxy the requests to one of the existing Auto Scaling groups. After a deployment the HAProxy instances are updated to send requests to the newly deployed Auto Scaling
group. Reduce the application to one Application Load Balancer. Create two target groups named Blue and Green. Create a rule on the Application Load Balancer pointed to a single target group. Add logic to the deployment to update the Application Load Balancer rule to the target group of the newly deployed Auto Scaling group. Move the application to an AWS Elastic Beanstalk application with two environments. Perform new deployments on the non-live environment. After a deployment, perform an Elastic Beanstalk CNAME swap to make the newly deployed environment the live environment. Create an Amazon CloudFront distribution. Set the two existing Application Load Balancers as origins on the distribution. After a deployment, update the CloudFront distribution behavior to send requests to the newly deployed Auto Scaling group.
You are experiencing performance issues writing to a DynamoDB table. Your system tracks
high scores for video games on a marketplace. Your most popular game experiences all of the
performance issues.
What is the most likely problem? DynamoDB's vector clock is out of sync, because of the rapid growth in request for the most popular game. You selected the Game ID or equivalent identifier as the primary partition key for the table. Users of the most popular video game each perform more read and write requests than average. You did not provision enough read or write throughput to the table.
You have been asked to de-risk deployments at your company. Specifically, the CEO is
concerned about outages that occur because of accidental inconsistencies between Staging and Production, which sometimes cause unexpected behaviors in Production even when Staging tests pass. You already use Docker to get high consistency between Staging and Production for the application environment on your EC2 instances. How do you further de-risk the rest of the execution environment, since in AWS, there are many service components you may use beyond EC2 virtual machines? Develop models of your entire cloud system in CloudFormation. Use this model in Staging and Production to achieve greater parity. Use AWS Config to force the Staging and Production stacks to have configuration parity. Any differences will be detected for you so you are aware of risks. Use AMIs to ensure the whole machine, including the kernel of the virual machines, is consistent, since Docker uses Linux Container (LXC) technology, and we need to make sure the container environment is consistent. Use AWS ECS and Docker clustering. This will make sure that the AMIs and machine sizes are the same across both environments.
When logging with Amazon CloudTrail, API call information for services with single end
points is ____. captured in the same region as to which the API call is made and processed and delivered to the region associated with your Amazon S3 bucket captured and processed in the same region as to which the API call is made and delivered to the region associated with your Amazon S3 bucket captured, processed, and delivered to the region associated with your Amazon S3 bucket captured in the region where the end point is located, processed in the region where the
CloudTrail trail is configured, and delivered to the region associated with your Amazon S3 bucket.
How does Amazon RDS multi Availability Zone model work? A second, standby database is deployed and maintained in a different availability zone from
master, using synchronous replication. A second, standby database is deployed and maintained in a different availability zone from
master using asynchronous replication. A second, standby database is deployed and maintained in a different region from master using asynchronous replication. A second, standby database is deployed and maintained in a different region from master using synchronous replication.
A company is using AWS CodeDeploy to automate software deployment. The deployment
must meet these requirements:
- A number of instances must be available to serve traffic during the
deployment. Traffic must be balanced across those instances, and the
instances must automatically heal in the event of failure.
- A new fleet of instances must be launched for deploying a new revision automatically, with no manual provisioning.
- Traffic must be rerouted to the new environment to half of the new instances at a time. The deployment should succeed if traffic is rerouted to at least half of the instances; otherwise, it should fail.
- Before routing traffic to the new fleet of instances, the temporary files generated during the deployment process must be deleted.
- At the end of a successful deployment, the original instances in the deployment group must be deleted immediately to reduce costs.
How can a DevOps Engineer meet these requirements? Use an Application Load Balancer and an in-place deployment. Associate the Auto Scaling group with the deployment group. Use the Automatically copy Auto Scaling group option, and use CodeDeployDefault.OneAtAtime as the deployment configuration. Instruct AWS CodeDeploy to terminate the original instances in the deployment group, and use the AllowTraffic hook within appspec.yml to delete the temporary files. Use an Application Load Balancer and a blue/green deployment. Associate the Auto Scaling group and the Application Load Balancer target group with the deployment group. Use the Automatically option, create a custom deployment configuration with minimum copy Auto Scaling group healthy hosts defined as 50%, and assign the configuration to the deployment group. Instruct AWS CodeDeploy to terminate the original instances in the deployment group, and use the BeforeBlock Traffic hook within appsec.yml to delete the temporary files. Use an Application Load Balancer and a blue/green deployment. Associate the Auto Scaling group and the Application Load Balancer target group with the deployment group. Use the Automatically option, and use CodeDeployDefault HalfAtAtime as the deployment copy Auto Scaling group configuration. Instruct AWS CodeDeploy to terminate the original isntances in the deployment group,
and use the BeforeAllowTraffic hook within appspec.yml to delete the temporary files. Use an Application Load Balancer and an in-place deployment. Associate the Auto Scaling group and Application Load Balancer target group with the deployment group. Use the Automatically copy option, and use CodeDeployDefault AllatOnce as a deployment configuration. Auto Scaling group Instruct AWS CodeDeploy to terminate the original instances in the deployment group, and use the BlockTraffic hook within appsec.yml to delete the temporary files.
A business has an application that consists of five independent AWS Lambda functions. The
DevOps Engineer has built a CI/CD pipeline using AWS CodePipeline and AWS CodeBuild that builds, tests, packages, and deploys each Lambda function in sequence. The pipeline uses an Amazon CloudWatch Events rule to ensure the pipeline execution starts as quickly as possible after a change is made to the application source code. After working with the pipeline for a few months the DevOps Engineer has noticed the pipeline takes too long to complete.
What should the DevOps Engineer implement to BEST improve the speed of the pipeline? Modify the CodeBuild projects within the pipeline to use a compute type with more available
network throughput. Create a custom CodeBuild execution environment that includes a symmetric multiprocessing configuration to run the builds in parallel. Modify the CodePipeline configuration to execute actions for each Lambda function in parallel by specifying the same runOrder. Modify each CodeBuild project to run within a VPC and use dedicated instances to increase
throughput.
A media customer has several thousand amazon EC2 instances in an AWS account. The
customer is using a Slack channel for team communications and important updates. A DevOps
Engineer was told to send all AWS-scheduled maintenance notifications to the company Slack
channel. Which method should the Engineer use to implement this process in the LEAST amount of steps? Integrate AWS Trusted Advisor with AWS Config. Based on the AWS Config rules created, the AWS Config event can invoke an AWS Lambda function to send notifications to the Slack channel. Integrate AWS Personal Health Dashboard with Amazon CloudWatch Events. Based on the CloudWatch Events created, the event can invoke an AWS Lambda function to send notifications to the Slack channel. Integrate EC2 events with Amazon CloudWatch monitoring. Based on the CloudWatch Alarm created, the alarm can invoke an AWS Lambda function to send EC2 maintenance notifications to the Slack channel. Integrate AWS Support with AWS CloudTrail. Based on the CloudTrail lookup event created, the event can invoke an AWS Lambda function to pass EC2 maintenance notifications to the Slack channel.
Which of the following is an invalid variable name in Ansible? host1st_ref host-first-ref Host1stRef host_first_ref.
A Development team is adding a new country to an e-commerce application. This addition
requires that new application features be added to the shipping component of the application. The
team has not decided if all new features should be added, as some will take approximately six weeks
to build. While the final decision on the shipping component features is being made, other team
members are continuing to work on other features of the application.
Based on this situation, how should the application feature deployments be managed? Add the code updates as commits to the release branch. The team can delay the deployment until all features are ready. Add the code updates as commits to a feature branch. Merge the commits to a release branch as features are ready. Add the code updates as a single commit when a feature is ready. Tag this commit with "newcountry." Create a new repository named "new-country". Commit all the code changes to the new
repository.
As CloudTrail sends a notification each time a log file is written to the Amazon S3 bucket, an
account that's very active can generate a large number of notifications. If you subscribe using email
or SMS, you may end up receiving a large volume of messages. Which of the following should you use to handle notifications programmatically? Amazon Kinesis Firehose Amazon Simple Queue Service (Amazon SQS) Amazon Simple Email Service (Amazon SES) Amazon AppStream.
What is the maximum time messages can be stored in SQS? 14 days one month 4 days 7 days.
After reviewing the last quarter's monthly bills, management has noticed an increase in the
overall bill from Amazon. After researching this increase in cost, you discovered that one of your new services is doing a lot of GET Bucket API calls to Amazon S3 to build a metadata cache of all objects in the applications bucket. Your boss has asked you to come up with a new cost-effective way to help reduce the amount of these new GET Bucket API calls.
What process should you use to help mitigate the cost? Update your Amazon S3 buckets' lifecycle policies to automatically push a list of objects to a new bucket, and use this list to view objects associated with the application's bucket. Create a new DynamoDB table. Use the new DynamoDB table to store all metadata about all objects uploaded to Amazon S3. Any time a new object is uploaded, update the application's internal Amazon S3 object metadata cache from DynamoDB. Using Amazon SNS, create a notification on any new Amazon S3 objects that automatically updates a new DynamoDB table to store all metadata about the new object. Subscribe the application to the Amazon SNS topic to update its internal Amazon S3 object metadata cache from the DynamoDB table. Upload all images to Amazon SQS, set up SQS lifecycles to move all images to Amazon S3, and initiate an Amazon SNS notification to your application to update the application's Internal Amazon S3 object metadata cache. Upload all images to an ElastiCache filecache server. Update your application to now read all file metadata from the ElastiCache filecache server, and configure the ElastiCache policies to push all files to Amazon S3 for long-term storage.
You have enabled Elastic Load Balancing HTTP health checking. After looking at the AWS Management Console, you see that all instances are passing health checks, but your customers are
reporting that your site is not responding. What is the cause? The HTTP health checking system is misreporting due to latency in inter-instance metadata
synchronization. The health check in place is not sufficiently evaluating the application function. The application is returning a positive health check too quickly for the AWS Management Console to respond. Latency in DNS resolution is interfering with Amazon EC2 metadata retrieval.
When thinking of DynamoDB, what are true of Local Secondary Key properties? Either the partition key or the sort key can be different from the table, but not both. Only the sort key can be different from the table. The partition key and sort key can be different from the table. Only the partition key can be different from the table.
You run a large number of applications on Amazon EC2 instances. Each application has
associated metadata, such as cost center, support contact, and application ID. Many applications usually co-exist on each Amazon EC2 instance, so the amount of metadata per instance can range from 10 to 200 items. The customer wants to be able to quickly access this metadata using an API without logging into the instances. Which of the following options will satisfy their requirements? Choose 2 answers Create individual Amazon EC2 tags for each metadata item, and associate them with the Amazon EC2 instances. Access the metadata by using the ec2-describe-instance API call. Create compound Amazon EC2 tags for the metadata items, where multiple items are joined together in individual tags, and associate them with the Amazon EC2 instances.
Access the metadata by using the ec2-describe-tags API call. Create a DynamoDB table to hold the metadata, and associate it with the Amazon EC2 instance IDs running the applications. Access the metadata by querying the database via the DynamoDB API. As part of the Amazon EC2 Instance bootstrapping process, add the metadata to the Amazon EC2 user data. Access the metadata by using the ec2-describe-instance API call. As part of the Amazon EC2 instance bootstrapping process, add the metadata to the Amazon EC2 user data. Access the metadata by accessing its loopback address from a management instance in the same
VPC.
A company is building a solution for storing files containing Personally Identifiable
Information (PII) on AWS.
Requirements state:
- All data must be encrypted at rest and in transit.
- Al data must be replicated in at least two locations that are at
least 500 miles apart.
Which solution meets these requirements? Create primary and secondary Amazon S3 buckets in two separate Availability Zones that are at least 500 miles apart. Use a bucket policy to enforce access to the buckets only through HTTPS. Use a bucket policy to enforce Amazon S3 SSE-C on all objects uploaded to the bucket. Configure cross- region replication between the two buckets. Create primary and secondary Amazon S3 buckets in two separate AWS Regions that are at least 500 miles apart. Use a bucket policy to enforce access to the buckets only through HTTPS. Use a bucket policy to enforce S3-Managed Keys (SSE-S3) on all objects uploaded to the bucket. Configure cross- region replication between the two buckets. Create primary and secondary Amazon S3 buckets in two separate AWS Regions that are at least 500 miles apart. Use an IAM role to enforce access to the buckets only through HTTPS. Use a bucket policy to enforce Amazon S3-Managed Keys (SSE-S3) on all objects uploaded to the bucket. Configure cross-region replication between the two buckets. Create primary and secondary Amazon S3 buckets in two separate Availability Zones that are at least 500 miles apart. Use a bucket policy to enforce access to the buckets only through HTTPS. Use a bucket policy to enforce AWS KMS encryption on all objects uploaded to the bucket. Configure cross- region replication between the two buckets. Create a KMS Customer Master Key (CMK) in the primary region for encrypting objects.
Your API requires the ability to stay online during AWS regional failures. Your API does not
store any state, it only aggregates data from other sources - you do not have a database. What is a
simple but effective way to achieve this uptime goal? Use a CloudFront distribution to serve up your API. Even if the region your API is in goes down, the edge locations CloudFront uses will be fine. Use an ELB and a cross-zone ELB deployment to create redundancy across datacenters. Even if a region fails, the other AZ will stay online. Create a Route53 Weighted Round Robin record, and if one region goes down, have that region redirect to the other region. Create a Route53 Latency Based Routing Record with Failover and point it to two identical
deployments of your stateless API in two different regions. Make sure both regions use Auto Scaling Groups behind ELBs.
When Ansible's connection state is set to `remote', what method of communication does
Ansible utilize to run commands on the remote target host? SSH RSH PSExec API call to Ansible client on host.
You meet once per month with your operations team to review the past month's data. During the meeting, you realize that 3 weeks ago, your monitoring system which pings over HTTP
from outside AWS recorded a large spike in latency on your 3-tier web service API.
You use DynamoDB for the database layer, ELB, EBS, and EC2 for the business logic tier, and SQS, ELB, and EC2 for the presentation layer.
Which of the following techniques will NOT help you figure out what happened? Check your CloudTrail log history around the spike's time for any API calls that caused slowness. Review CloudWatch Metrics graphs to determine which component(s) slowed the system down. Review your ELB access logs in S3 to see if any ELBs in your system saw the latency. Analyze your logs to detect bursts in traffic at that time.
Which of the following tools does not directly support AWS OpsWorks, for monitoring your stacks? AWS Config Amazon CloudWatch Metrics AWS CloudTrail Amazon CloudWatch Logs.
Your CTO has asked you to make sure that you know what all users of your AWS account are
doing to change resources at all times. She wants a report of who is doing what over time, reported
to her once per week, for as broad a resource type group as possible. How should you do this? Create a global AWS CloudTrail Trail. Configure a script to aggregate the log data delivered to S3 once per week and deliver this to the CTO. Use CloudWatch Events Rules with an SNS topic subscribed to all AWS API calls. Subscribe the CTO to an email type delivery on this SNS Topic. Use AWS IAM credential reports to deliver a CSV of all uses of IAM User Tokens over time to the CTO. Use AWS Config with an SNS subscription on a Lambda, and insert these changes over time into a DynamoDB table. Generate reports based on the contents of this table.
You are hosting multiple environments in multiple regions and would like to use Amazon
Inspector for regular security assessments on your AWS resources across all regions. Which
statement about Amazon Inspector's operation across regions is true? Amazon Inspector is a global service that is not region-bound. You can include AWS resources from multiple regions in the same assessment target. Amazon Inspector is hosted within AWS regions behind a public endpoint. All regions are isolated from each other, and the telemetry and findings for all assessments performed within a region remain in that region and are not distributed by the service to other Amazon Inspector locations. Amazon Inspector is hosted in each supported region. Telemetry data and findings are shared across regions to provide complete assessment reports. Amazon Inspector is hosted in each supported region separately. You have to create assessment targets using the same name and tags in each region and Amazon Inspector will run against each assessment target in each region.
By default, Amazon CloudTrail logs ____ actions defined by the CloudTrail ____ APIs. bucket-level; RESTful object-level; RESTful object-level; SDK bucket-level; SDK.
You need your CI to build AMIs with code pre-installed on the images on every new code
push. You need to do this as cheaply as possible. How do you do this? Bid on spot instances just above the asking price as soon as new commits come in, perform all instance configuration and setup, then create an AMI based on the spot instance. Have the CI launch a new on-demand EC2 instance when new commits come in, perform all instance configuration and setup, then create an AMI based on the on-demand instance. Purchase a Light Utilization Reserved Instance to save money on the continuous integration machine. Use these credits whenever your create AMIs on instances. When the CI instance receives commits, attach a new EBS volume to the CI machine. Perform all setup on this EBS volume so you don't need a new EC2 instance to create the AMI.
You are building a deployment system on AWS. You will deploy new code by bootstrapping
instances in a private subnet in a VPC at runtime using UserData scripts pointing to an S3 zip file
object, where your code is stored. An ELB in a public subnet has network interfaces and connectivity
to the instances. Requests from users of the system are routed to the ELB via a Route53 A Record
Alias. You do not use any VPC endpoints. Which is a risk of using this approach? Route53 Alias records do not always update dynamically with ELB network changes after deploys. If the NAT routing for the private subnet fails, deployments fail. Kernel changes to the base AMI may render the code inoperable. The instances cannot be in a private subnet if the ELB is in a public one.
An Application team has three environments for their application: development, preproduction,
and production. The team recently adopted AWS CodePipeline. However, the team has
had several deployments of misconfigured or nonfunctional development code into the production
environment, resulting in user disruption and downtime. The DevOps Engineer must review the
pipeline and add steps to identify problems with the application before it is deployed.
What should the Engineer do to identify functional issues during the deployment process?
(Choose two.) Use Amazon Inspector to add a test action to the pipeline. Use the Amazon Inspector Runtime Behavior Analysis Inspector rules package to check that the deployed code complies with company security standards before deploying it to production. Using AWS CodeBuild to add a test action to the pipeline to replicate common user activities and ensure that the results are as expected before progressing to production deployment. Create an AWS CodeDeploy action in the pipeline with a deployment configuration that
automatically deploys the application code to a limited number of instances. The action then pauses the deployment so that the QA team can review the application functionality. When the review is complete, CodeDeploy resumes and deploys the application to the remaining production Amazon EC2 instances. After the deployment process is complete, run a testing activity on an Amazon EC2 instance in a different region that accesses the application to simulate user behavior if unexpected results occur, the testing activity sends a warning to an Amazon SNS topic. Subscribe to the topic to get updates. Add an AWS CodeDeploy action in the pipeline to deploy the latest version of the development code to pre-production. Add a manual approval action in the pipeline so that the QA team can test and confirm the expected functionality. After the manual approval action, add a second CodeDeploy action that deploys the approved code to the production environment.
Your company currently runs a large multi-tier web application. One component is an API service that all other components of your application rely on to perform read/write operations. This service must have high availability and zero downtime during deployments.
Which technique should you use to provide cost-effective, zero-downtime deployments for this component? Use an AWS CloudFormation template to re-deploy your application behind a load balancer, and launch a new AWS CloudFormation stack during each deployment. Update your load balancer to send traffic to the new stack, and then deploy your software. Leave your old stacks running, and tag their resources with the version for rollback. Re-deploy your application on Elastic Beanstalk. During deployment, create a new version of your application, and create a new environment running that version in Elastic BeanStalk. Finally, take advantage of the Elastic Beanstalk Swap CNAME operation to switch to the new environment. Re-deploy your application behind a load balancer that uses Auto Scaling groups. Create a new identical Auto Scaling group and associate it to your Amazon Route53 zone. Configure Amazon Route53 to auto- weight traffic over to the new Auto Scaling group when all instances are marked as healthy. Re-deploy your application behind a load balancer using an AWS OpsWorks stack and use AWS OpsWorks stack versioning, during deployment create a new version of your application, tell AWS OpsWorks to launch the new version behind your load balancer, and when the new version is launched, terminate the old AWS OpsWorks stack.
You are building an AWS CloudFormation template for a multi-tier web application.
The user data of your Linux web server resource contains a complex script that can take a long time
to run.Which techniques could you use to ensure that these servers are fully configured and running before attaching them to the load balancer? Choose 2 answers Launch your Linux servers from a nested stack that is called from within the load balancer
resource in your AWS CloudFormation template. Add an AWS CloudFormation Wait Condition that depends on the web server resource.
When the UserData script finishes on the web servers, use curl to send a signal the Wait Condition at http://169.254.169.254/waithandle/. Add an AWS CloudFormation wait Condition that depends on the web server resource.
When the UserData script finishes on the web servers, use curl to signal to the Wait Condition presigned URL that they are ready. In your AWS CloudFormation template, position the load balancer resource JSON block directly below your Linux server resource. Add an AWS CloudFormation Wait Condition that depends on the web server resource.
When the UserData script finishes on the web servers, use the command "cfn-signal" to signal that they are ready.
What option below is the geographic limit of an EC2 security group? Security groups are global. They are confined to Placement Groups. They are confined to Regions. They are confined to Availability Zones.
You need to perform ad-hoc analysis on log data, including searching quickly for specific
error codes and reference numbers. Which should you evaluate first? AWS Elasticsearch Service AWS RedShift AWS EMR AWS DynamoDB.
You have been asked to use your departments existing continuous Integration (CI) tool to
test a three-tier web architecture defined In an AWS CloudFormation template.
The tool already supports AWS APIs and can launch new AWS CloudFormation stacks after polling
version control.
The CI tool reports on the success of the AWS CloudFormation stack creation by using the Describe Stacks API to look for the CREATE COMPLETE status.
The architecture tiers defined in the template consist of:
- One load balancer
- Five Amazon EC2 instances running the web application
- One multi-AZ Amazon ROS instance
How would you implement this? Choose 2 answers Define a WaitCondition and a WaitConditionHandle for the output of a UserData command that does sanity checking of the application's post-install state. Define a CustomResource and write a script that runs architecture-level Integration tests through the load balancer to the application and database for the state of multiple tiers. Define a WaitCondition and use a WaitConditionHandle that leverages the AWS SDK to run the DescribeStacks API call until the CREATE COMPLETE status is returned. Define a CustomResource that leverages the AWS SDK to run the DescribeStacks API call until the 'CREATE COMPLETE status is returned. Define a UserDataHandle for the output of a UserData command that does sanity checking of the application's post-install state and runs integration tests on the state of multiple tiers through the load balancer to the application. Define a UserDataHandle for the output of a CustomResource that does sanity checking of the application's post-install state.
A DevOps Engineer must improve the monitoring of a Finance team payments microservice
that handles transactions for an e-commerce platform. The microservice runs on multiple Amazon
EC2 instances. The Finance team would like to know the number of payments per minute, and the
team would like to be notified when this metric falls below a specified threshold.
How can this be cost-effectively automated? Have the Development team log successful transactions to an application log. Set up Logstash on each instance, which sends logs to an Amazon ES cluster. Create a Kibana dashboard for the Finance team that graphs the metric. Have the Development team post the number of successful transactions to Amazon CloudWatch as a custom metric. Create a CloudWatch alarm when the threshold is breached, and use Amazon SNS to notify the Finance team. Have the Development team log successful transactions to an application log. On each instance, set up the Amazon CloudWatch Logs agent to send application logs to CloudWatch Logs. Use an EC2 instance to monitor a metric filter, and send notifications to the Finance team. Have the Development team log successful transactions to an application log. Set up the Amazon CloudWatch agent on each instance. Create a CloudWatch alarm when the threshold is breached, and use Amazon SNS to notify the Finance team.
Your company needs to automate 3 layers of a large cloud deployment. You want to be able
to track this deployment's evolution as it changes over time, and carefully control any alterations.
What is a good way to automate a stack to meet these requirements? Use OpsWorks Stacks with three layers to model the layering in your stack. Use CloudFormation Nested Stack Templates, with three child stacks to represent the three logical layers of your cloud. Use AWS Config to declare a configuration set that AWS should roll out to your cloud. Use Elastic Beanstalk Linked Applications, passing the important DNS entires between layers using the metadata interface.
You run a 2000-engineer organization. You are about to begin using AWS at a large scale for
the first time. You want to integrate with your existing identity management system running on
Microsoft Active Directory, because your organization is a power-user of Active Directory. How
should you manage your AWS identities in the most simple manner? Use a large AWS Directory Service Simple AD. Use a large AWS Directory Service AD Connector. Use an Sync Domain running on AWS Directory Service. Use an AWS Directory Sync Domain running on AWS Lambda.
Your Company wants to perform A/B testing on a new website feature for 20 percent of its
users. The website uses CloudFront for whole site delivery, with some content cached for up to 24 hours. How do you enable this testing for the required proportion of users while minimizing performance impact? Configure the web servers to handle two domain names.
The feature is switched on or off depending on which domain name is used for a request.
Configure a CloudFront origin for each domain name, and configure the CloudFront distribution to use one origin for 20 percent of users and the other origin for the other 80 percent. Configure the CloudFront distribution to forward a cookie specific to this feature.
For requests where the cookie is not set, the web servers set its value to ''on" for 20 percent of responses and "off" for 80 percent. For requests where the cookie is set, the web servers use Its value to determine whether the feature should be on or off for the response. Create a second stack of web servers that host the website with the feature on.
Using Amazon Route53, create two resource record sets with the same name: one with a weighting of "1" and a value of this new stack; the other a weighting of "4" and a value of the existing stack. Use the resource record set's name as the CloudFront distribution's origin. Invalidate all of the CloudFront distribution's cache items that the feature affects. On future requests, the web servers create responses with the feature on for 20 percent of users, and off for 80 percent. The web servers set "Cache-Control: no-cache" on all of these responses.
Which difference between core modules and extra modules is not correct? Extra modules may one day become core modules Core modules are supported by the Ansible team Core modules are shipped by default with Ansible Extra modules have no support.
To monitor API calls against our AWS account by different users and entities, we can use
________ to create a history of calls in bulk for later review, and use ___________ for reacting to
AWS API calls in real-time. AWS CloudTrail; CloudWatch Events AWS Config; AWS Inspector AWS Config; AWS Lambda AWS CloudTrail; AWS Config.
A financial institution provides security-hardened AMIs of Red Hat Enterprise Linux 7.4 and
Windows Server 2016 for its application teams to use in deployments. A DevOps Engineer needs to
implement an automated daily check of each AMI to monitor for the latest CVE. How should the
Engineer implement these checks using Amazon Inspector? Install the Amazon Inspector agent in each AMI. Configure AWS Step Functions to launch an Amazon EC2 instance for each operating system from the hardened AMI, and tag the instance with SecurityCheck: True. Once EC2 instances have booted up, Step Functions will trigger an Amazon Inspector assessment for all instances with the tag SecurityCheck: True. Implement a scheduled Amazon CloudWatch Events rule that triggers Step Functions once each day. Tag each AMI with SecurityCheck: True. Configure AWS Step Functions to first compose an Amazon Inspector assessment template for all AMIs that have the tag SecurityCheck: True and second to make a call to the Amazon Inspector API action StartAssessmentRun. Implement a scheduled Amazon CloudWatch Events rule that triggers Step Functions once each day. Tag each AMI with SecurityCheck: True. Implement a scheduled Amazon Inspector assessment to run once each day for all AMIs with the tag SecurityCheck: True. Amazon Inspector should automatically launch an Amazon EC2 instance for each AMI and perform a security assessment. Tag each instance with SecurityCheck: True. Implement a scheduled Amazon Inspector assessment to tun once each day for all instances with the tag SecurityCheck: True. Amazon Inspector should automatically perform an in-place security assessment for each AMI.
What is the proper (best practice) way to begin a playbook? - hosts: all ... ### ---.
When running a playbook on a remote target host you receive a Python error similar to
"[Errno
13] Permission denied: `/home/nick/.ansible/tmp'. What would be the most likely cause of this
problem? The user's home or `.ansible' directory on the Ansible system is not writeable by the user running the play. The specified user does not exist on the remote system. The user running `ansible-playbook' must run it from their own home directory. The user's home or `.ansible' directory on the Ansible remote host is not writeable by the user running the play.
When writing plays, tasks and playbooks, Ansible fully supports which high level language to
describe these? YAML Python XML JSON.
During metric analysis, your team has determined that the company's website is experiencing response times during peak hours that are higher than anticipated. You currently rely on Auto Scaling to make sure that you are scaling your environment during peak windows.
How can you improve your Auto Scaling policy to reduce this high response time? Choose 2 answers. Push custom metrics to CloudWatch to monitor your CPU and network bandwidth from your
servers, which will allow your Auto Scaling policy to have better fine-grain insight. Increase your Auto Scaling group's number of max servers. Create a script that runs and monitors your servers; when it detects an anomaly in load, it posts to an Amazon SNS topic that triggers Elastic Load Balancing to add more servers to the load balancer. Push custom metrics to CloudWatch for your application that include more detailed information about your web application, such as how many requests it is handling and how many are waiting to be processed. Update the CloudWatch metric used for your Auto Scaling policy, and enable sub-minute
granularity to allow auto scaling to trigger faster.
Which of these techniques enables the fastest possible rollback times in the event of a failed
deployment? Rolling; Immutable Rolling; Mutable Canary or A/B Blue-Green.
You have a playbook that includes a task to install a package for a service, put a configuration file for that package on the system and restart the service. The playbook is then run twice in a row. What would you expect Ansible to do on the second run? Remove the old package and config file and reinstall and then restart the service. Take no action on the target host. Check if the package is installed, check if the file matches the source file, if not reinstall it; restart the service. Attempt to reinstall the package, copy the file and restart the service.
Your application Amazon Elastic Compute Cloud (EC2) instances bootstrap by using a master
configuration file that is kept in a version-enabled Amazon Simple Storage Service (S3) bucket.
Which one of the following methods should you use to securely install the current configuration
version onto the instances in a cost-effective way? Create an Amazon DynamoDB table to store the different versions of the configuration file.
Associate AWS Identity and Access Management (IAM) EC2 roles to the Amazon EC2 instances, and reference the DynamoDB table to get the latest file from Amazon Simple Storage Service (S3). Associate an IAM S3 role to the bucket, list the object versions using the Amazon S3 API, and then get the latest object. Associate an IAM EC2 role to the instances, list the object versions using the Amazon S3 API, and then get the latest object. Associate an IAM EC2 role to the instances, and then simply get the object from Amazon S3, because the default is the current version. Store the IAM credentials in the Amazon EC2 user data for each instance, and then simply get the object from S3, because the default is the current version.
A company is using several AWS CloudFormation templates for deploying infrastructure as
code. In most of the deployments, the company uses Amazon EC2 Auto Scaling groups. A DevOps Engineer needs to update the AMIs for the Auto Scaling group in the template if newer AMIs are available.
How can these requirements be met? Manage the AMI mappings in the CloudFormation template. Use Amazon CloudWatch Events for detecting new AMIs and updating the mapping in the template. Reference the map in the launch configuration resource block. Use conditions in the AWS CloudFormation template to check if new AMIs are available and return the AMI ID. Reference the returned AMI ID in the launch configuration resource block. Use an AWS Lambda-backed custom resource in the template to fetch the AMI IDs. Reference the returned AMI ID in the launch configuration resource block. Launch an Amazon EC2 m4 small instance and run a script on it to check for new AMIs. If new AMIs are available, the script should update the launch configuration resource block with the new AMI ID.
Which of these configuration or deployment practices is a security risk for RDS? Storing SQL function code in plaintext Non-Multi-AZ RDS instance Having RDS and EC2 instances exist in the same subnet RDS in a public subnet.
The project you are working on currently uses a single AWS CloudFormation template to
deploy its AWS infrastructure, which supports a multi-tier web application. You have been tasked with organizing the AWS CloudFormation resources so that they can be maintained in the future, and so that different departments such as Networking and Security can review the architecture before it goes to Production.
How should you do this in a way that accommodates each department, using their existing
workflows? Organize the AWS CloudFormation template so that related resources are next to each other in the template, such as VPC subnets and routing rules for Networking and security groups and IAM information for Security. Separate the AWS CloudFormation template into a nested structure that has individual templates for the resources that are to be governed by different departments, and use the outputs from the networking and security stacks for the application template that you control Organize the AWS CloudFormation template so that related resources are next to each other in the template for each department's use, leverage your existing continuous integration tool to constantly deploy changes from all parties to the Production environment, and then run tests for validation. Use a custom application and the AWS SDK to replicate the resources defined in the current AWS CloudFormation template, and use the existing code review system to allow other departments to approve changes before altering the application for future deployments.
You have an asynchronous processing application using an Auto Scaling Group and an SQS
Queue. The Auto Scaling Group scales according to the depth of the job queue. The completion
velocity of the jobs has gone down, the Auto Scaling Group size has maxed out, but the inbound job
velocity did not increase.
What is a possible issue? Some of the new jobs coming in are malformed and unprocessable. The routing tables changed and none of the workers can process events anymore. Someone changed the IAM Role Policy on the instances in the worker group and broke
permissions to access the queue. The scaling metric is not functioning correctly.
The Development team at an online retailer has moved to Business support and want to
take advantage of the AWS Health Dashboard and the AWS Health API to automate remediation
actions for issues with the health of AWS resources. The first use case is to respond to AWS detecting
an IAM access key that is listed on a public code repository site. The automated response will be to
delete the IAM access key and send a notification to the Security team.
How should this be achieved? Create an AWS Lambda function to delete the IAM access key. Send AWS CloudTrail logs to AWS CloudWatch logs. Create a CloudWatch Logs metric filter for the AWS_RISK_CREDENTIALS_EXPOSED event with two actions: first, run the Lambda function; second, use Amazon SNS to send a notification to the Security team. Create an AWS Lambda function to delete the IAM access key. Create an AWS Config rule for changes to aws.health and the AWS_RISK_CREDENTIALS_EXPOSED event with two actions: first, run the Lambda function; second, use Amazon SNS to send a notification to the Security team. Use AWS Step Functions to create a function to delete the IAM access key, and then use Amazon SNS to send a notification to the Security team. Create an AWS Personal Health Dashboard rule for the AWS_RISK_CREDENTIALS_EXPOSED event; set the target of the Personal Health Dashboard rule to Step Functions. Use AWS Step Functions to create a function to delete the IAM access key, and then use Amazon SNS to send a notification to the Security team. Create an Amazon CloudWatch Events rule with an aws.health event source and the AWS_RISK_CREDENTIALS_EXPOSED event, set the target of the CloudWatch Events rule to Step Functions.
An Engineering team manages a Node.js e-commerce application. The current environment
consists of the following components:
- Amazon S3 buckets for storing content
- Amazon EC2 for the front-end web servers
- AWS Lambda for executing image processing
- Amazon DynamoDB for storing session-related data
The team expects a significant increase in traffic to the site. The application should handle the
additional load without interruption. The team ran initial tests by adding new servers to the EC2
front-end to handle the larger load, but the instances took up to 20 minutes to become fully
configured. The team wants to reduce this configuration time.
What changes will the Engineering team need to implement to make the solution the MOST resilient
and highly available while meeting the expected increase in demand? Use AWS OpsWorks to automatically configure each new EC2 instance as it is launched.
Configure the EC2 instances by using an Auto Scaling group behind an Application Load Balancer across multiple Availability Zones. Implement Amazon DynamoDB Auto Scaling. Use Amazon Route 53 to point the application DNS record to the Application Load Balancer. Deploy a fleet of EC2 instances, doubling the current capacity, and place them behind an
Application Load Balancer. Increase the Amazon DynamoDB read and write capacity units. Add an alias record that contains the Application Load Balancer endpoint to the existing Amazon Route 53 DNS record that points to the application. Configure Amazon CloudFront and have its origin point to Amazon S3 to host the web application. Implement Amazon DynamoDB Auto Scaling. Use Amazon Route 53 to point the application DNS record to the CloudFront DNS name. Use AWS Elastic Beanstalk with a custom AMI including all web components. Deploy the platform by using an Auto Scaling group behind an Application Load Balancer across multiple Availability Zones. Implement Amazon DynamoDB Auto Scaling. Use Amazon Route 53 to point the application DNS record to the Elastic Beanstalk load balancer.
Which major database needs a BYO license? PostgreSQL MariaDB MySQL Oracle.
Which of the following Dockerfile commands cannot be overridden at runtime? VOLUME USER ADD CMD.
A DevOps Engineer discovered a sudden spike in a website's page load times and found that
a recent deployment occurred. A brief diff of the related commit shows that the URL for an external
API call was altered and the connecting port changed from 80 to 443. The external API has been
verified and works outside the application. The application logs show that the connection is now
timing out, resulting in multiple retries and eventual failure of the call.
Which debug steps should the Engineer take to determine the root cause of the issue'? Check the VPC Flow Logs looking for denies originating from Amazon EC2 instances that are part of the web Auto Scaling group. Check the ingress security group rules and routing rules for the VPC. Check the existing egress security group rules and network ACLs for the VPC. Also check the application logs being written to Amazon CloudWatch Logs for debug information. Check the egress security group rules and network ACLs for the VPC. Also check the VPC flow logs looking for accepts originating from the web Auto Scaling group. Check the application logs being written to Amazon CloudWatch Logs for debug information. Check the ingress security group rules and routing rules for the VPC.
A company is building a web and mobile application that uses a serverless architecture
powered by AWS Lambda and Amazon API Gateway. The company wants to fully automate the
backend Lambda deployment based on code that is pushed to the appropriate environment branch
in an AWS CodeCommit repository.
The deployment must have the following:
- Separate environment pipelines for testing and production.
- Automatic deployment that occurs for test environments only.
Which steps should be taken to meet these requirements? Configure a new AWS CodePipeline service. Create a CodeCommit repository for each
environment. Set up CodePipeline to retrieve the source code from the appropriate repository. Set up a deployment step to deploy the Lambda functions with AWS CloudFormation. Create two AWS CodePipeline configurations for test and production environments. Configure the production pipeline to have a manual approval step. Create a CodeCommit repository for each environment. Set up each CodePipeline to retrieve the source code from the appropriate repository. Set up the deployment step to deploy the Lambda functions with AWS CloudFormation. Create two AWS CodePipeline configurations for test and production environments. Configure the production pipeline to have a manual approval step. Create one CodeCommit repository with a branch for each environment. Set up each CodePipeline to retrieve the source code from the appropriate branch in the repository. Set up the deployment step to deploy the Lambda functions with AWS CloudFormation. Create an AWS CodeBuild configuration for test and production environments. Configure the production pipeline to have a manual approval step. Create one CodeCommit repository with a branch for each environment. Push the Lambda function code to an Amazon S3 bucket. Set up the deployment step to deploy the Lambda functions from the S3 bucket.
A DevOps Engineer is implementing a mechanism for canary testing an application on AWS.
The application was recently modified and went through security, unit, and functional testing. The
application needs to be deployed on an AutoScaling group and must use a Classic Load Balancer.
Which design meets the requirement for canary testing? Create a different Classic Load Balancer and Auto Scaling group for blue/green environments. Use Amazon Route 53 and create weighted A records on Classic Load Balancer. Create a single Classic Load Balancer and an Auto Scaling group for blue/green environments. Use Amazon Route 53 and create A records for Classic Load Balancer IPs. Adjust traffic using A records. Create a single Classic Load Balancer and an Auto Scaling group for blue/green environments. Create an Amazon CloudFront distribution with the Classic Load Balancer as the origin. Adjust traffic using CloudFront. Create a different Classic Load Balancer and Auto Scaling group for blue/green environments. Create an Amazon API Gateway with a separate stage for the Classic Load Balancer. Adjust traffic by giving weights to this stage.
Am Amazon EC2 instance with no internet access is running in a Virtual Private Cloud (VPC)
and needs to download an object from a restricted Amazon S3 bucket. When the DevOps Engineer
tries to gain access to the object, an AccessDenied error is received.
What are the possible causes for this error? (Select THREE.) The S3 bucket default encryption is enabled. There is an error in the S3 bucket policy. There is an error in the VPC endpoint policy. The object has been moved to Amazon Glacier. There is an error in the IAM role configuration. S3 versioning is enabled.
When specifying multiple variable names and values for a playbook on the command line,
which of the following is the correct syntax? ansible-playbook playbook.yml -e `host="foo" pkg="bar"' ansible-playbook playbook.yml -e `host: "foo", pkg: "bar"' ansible-playbook playbook.yml -e `host="foo"' -e `pkg="bar"' ansible-playbook playbook.yml --extra-vars "host=foo", "pkg=bar".
You have written a server-side Node.Js application and a web application with an
HTML/JavaScript front end that uses the Angular.js framework. The server-side application connects to an Amazon Redshift cluster, issues queries, and then returns the results to the front end for display. Your user base is very large and distributed, but it is important to keep the cost of running this
application low.
Which deployment strategy is both technically valid and the most cost-effective? Deploy an AWS Elastic Beanstalk application with two environments: one for the Node.js
application and another for the web front end. Launch an Amazon Redshift cluster, and point your application to its Java Database Connectivity (JDBC) endpoint. Deploy an AWS OpsWorks stack with three layers: a static web server layer for your front end, a Node.js app server layer for your server-side application, and a Redshift DB layer for your Amazon Redshift duster. Upload the HTML, CSS, images, and JavaScript for the front end to an Amazon Simple Storage Service (S3) bucket. Create an Amazon CloudFront distribution with this bucket as its origin. Use AWS Elastic Beanstalk to deploy the Node.js application. Launch an Amazon Redshift cluster, and point your application to its JDBC endpoint. Upload the HTML, CSS, images, and JavaScript for the front end, plus the Node.js code for the server-side application, to an Amazon S3 bucket. Create a CloudFront distribution with this bucket as its origin. Launch an Amazon Redshift cluster, and point your application to its JDBC endpoint. Upload the HTML, CSS, images, and JavaScript for the front end to an Amazon S3 bucket. Use AWS Elastic Beanstalk to deploy the Node.js application.
Launch an Amazon Redshift cluster, and point your application to its JDBC endpoint.
When thinking of AWS OpsWorks, which of the following is not an instance type you can
allocate in a stack layer? 24/7 instances Spot instances Time-based instances Load-based instances.
In which Docker Swarm model does the swarm manager distribute a specific number of replica tasks among the nodes based upon the scale you set in the desired state? distributed services scaled services replicated services global services.
What is the order of most-to-least rapidly-scaling (fastest to scale first)?
a) EC2 + ELB + Auto Scaling
b) Lambda
c) RDS B, A, C C, B, A C, A, B A, C, B.
You have a web application that is currently running on a collection of micro instance types
in a single AZ behind a single load balancer. You have an Auto Scaling group configured to scale from 2 to 64 instances. When reviewing your
CloudWatch metrics, you see that sometimes your Auto Scaling group is running 64 micro instances. The web application is reading and writing to a DynamoDB-configured backend and configured with
800 Write Capacity Units and 800 Read Capacity Units.
Your customers are complaining that they are experiencing long load times when viewing your
website. You have investigated the DynamoDB CloudWatch metrics; you are under the provisioned Read and write Capacity Units and there is no throttling.
How do you scale your service to improve the load times and ensure the principles of high
availability? Change your Auto Scaling group configuration to include multiple AZs Change your Auto Scaling group configuration to include multiple AZs, and increase the number of Read Capacity Units in your DynamoDB table by a factor of three, because you will need to be calling DynarnoDB from three AZs. Add a second load balancer to your Auto Scaling group so that you can support more inbound connections per second. Change your Auto Scaling group configuration to use larger instances and include multiple AZ's instead of one.
You have a high security requirement for your AWS accounts. What is the most rapid and
sophisticated setup you can use to react to AWS API calls to your account? Subscription to AWS Config via an SNS Topic. Use a Lambda Function to perform in-flight analysis and reactivity to changes as they occur. Global AWS CloudTrail setup delivering to S3 with an SNS subscription to the deliver notifications, pushing into a Lambda, which inserts records into an ELK stack for analysis. Use a CloudWatch Rule ScheduleExpression to periodically analyze IAM credential logs. Push the deltas for events into an ELK stack and perform ad-hoc analysis there. CloudWatch Events Rules which trigger based on all AWS API calls, submitting all events to an AWS Kinesis Stream for arbitrary downstream analysis.
You are running Amazon CloudTrail on an Amazon S3 bucket and look at your most recent log.
You notice that the entries include the ListThings and CreateThings actions and wonder if your
devices have been hacked. Based on these entries, what service would you be concerned may have
been hacked? Amazon Inspector AWS IoT AWS CodePipeline Amazon Glacier.
Why are more frequent snapshots or EBS Volumes faster? Blocks in EBS Volumes are allocated lazily, since while logically separated from other EBS Volumes, Volumes often share the same physical hardware. Snapshotting the first time forces full block range allocation, so the second snapshot doesn't need to perform the allocation phase and is faster. The snapshots are incremental so that only the blocks on the device that have changed after your last snapshot are saved in the new snapshot. AWS provisions more disk throughput for burst capacity during snapshots if the drive has been pre-warmed by snapshotting and reading all blocks. The drive is pre-warmed, so block access is more rapid for volumes when every block on the device has already been read at least one time.
Your development team wants account-level access to production instances in order to do live debugging of a highly secure environment.
Which of the following should you do? Place the credentials provided by Amazon Elastic Compute Cloud (EC2) into a secure Amazon Sample Storage Service (S3) bucket with encryption enabled. Assign AWS Identity and Access Management (IAM) users to each developer so they can download
the credentials file. Place an internally created private key into a secure S3 bucket with server-side encryption using customer keys and configuration management, create a service account on all the instances using this private key, and assign IAM users to each developer so they can download the file. Place each developer's own public key into a private S3 bucket, use instance profiles and
configuration management to create a user account for each developer on all instances, and place the user's public keys into the appropriate account. Place the credentials provided by Amazon EC2 onto an MFA encrypted USB drive, and physically share it with each developer so that the private key never leaves the office.
Your team is responsible for an AWS Elastic Beanstalk application. The business requires that you move to a continuous deployment model, thus releasing updates to the application multiple times per day with zero downtime.
What should you do to enable this and still be able to roll back to the previous version almost
immediately in an emergency? Enable roiling updates in the Elastic Beanstalk environment and set an appropriate pause time for application startup. Create a second Elastic Beanstalk environment that runs the new application version, and swap the environment CNAMEs Configure the application to poll for a new application version in your code repository; download and install the new version to each running Elastic Beanstalk instance. Create a second Elastic Beanstalk environment with the new application version, and configure the old environment to use the HTTP 301 response code to redirect clients to the new environment.
You currently run your infrastructure on Amazon EC2 instances behind an Auto Scaling
group> All logs for you application are currently written to ephemeral storage.
Recently your company experienced a major bug in code that made it through testing and was
ultimately deployed to your fleet. This bug triggered your Auto Scaling group to scale up and back down before you could successfully retrieve the logs off your server to better assist you in troubleshooting the bug.
Which technique should you use to make sure you are able to review your logs after your instances
have shut down? Configure the ephemeral policies on your Auto Scaling group to back up on terminate. Configure your Auto Scaling policies to create a snapshot of all ephemeral storage on terminate. Install the CloudWatch Logs Agent on your AMI, and configure CloudWatch Logs Agent to stream your logs. Install the CloudWatch monitoring agent on your AMI, and set up new SNS alert for CloudWatch metrics that triggers the CloudWatch monitoring agent to backup all logs on the ephemeral drive. Install the CloudWatch monitoring agent on your AMI, Update your Auto Scaling policy to enable automated CloudWatch Log copy.
You need the absolute highest possible network performance for a cluster computing
application. You already selected homogeneous instance types supporting 10 gigabit enhanced networking, made sure that your workload was network bound, and put the instances in a placement group. What is the last optimization you can make? Use 9001 MTU instead of 1500 for Jumbo Frames, to raise packet body to packet overhead ratios. Segregate the instances into different peered VPCs while keeping them all in a placement group, so each one has its own Internet Gateway. Bake an AMI for the instances and relaunch, so the instances are fresh in the placement group and do not have noisy neighbors. Turn off SYN/ACK on your TCP stack or begin using UDP for higher throughput.
|
