A company is implementing an application on Amazon EC2 instances. The application needs to
process incoming transactions. When the application detects a transaction that is not valid, the
application must send a chat message to the company's support team. To send the message, the
application needs to retrieve the access token to authenticate by using the chat API.
A developer needs to implement a solution to store the access token. The access token must be
encrypted at rest and in transit. The access token must also be accessible from other AWS accounts.
Which solution will meet these requirements with the LEAST management overhead?
C
Explanation:
https://aws.amazon.com/premiumsupport/knowledge-center/secrets-manager-share-between-
accounts/
https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples_cross.html
A company is running Amazon EC2 instances in multiple AWS accounts. A developer needs to
implement an application that collects all the lifecycle events of the EC2 instances. The application
needs to store the lifecycle events in a single Amazon Simple Queue Service (Amazon SQS) queue in
the company's main AWS account for further processing.
Which solution will meet these requirements?
D
Explanation:
Amazon EC2 instances can send the state-change notification events to Amazon EventBridge.
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/monitoring-instance-state-changes.html
Amazon EventBridge can send and receive events between event buses in AWS accounts.
https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-cross-account.html
An application is using Amazon Cognito user pools and identity pools for secure access. A developer
wants to integrate the user-specific file upload and download features in the application with
Amazon S3. The developer must ensure that the files are saved and retrieved in a secure manner and
that users can access only their own files. The file sizes range from 3 KB to 300 MB.
Which option will meet these requirements with the HIGHEST level of security?
D
Explanation:
https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-integrating-user-pools-with-identity-pools.html
A company is building a scalable data management solution by using AWS services to improve the
speed and agility of development. The solution will ingest large volumes of data from various sources
and will process this data through multiple business rules and transformations.
The solution requires business rules to run in sequence and to handle reprocessing of data if errors
occur when the business rules run. The company needs the solution to be scalable and to require the
least possible maintenance.
Which AWS service should the company use to manage and automate the orchestration of the data
flows to meet these requirements?
B
Explanation:
https://docs.aws.amazon.com/step-functions/latest/dg/welcome.html
A developer has created an AWS Lambda function that is written in Python. The Lambda function
reads data from objects in Amazon S3 and writes data to an Amazon DynamoDB table. The function is
successfully invoked from an S3 event notification when an object is created. However, the function
fails when it attempts to write to the DynamoDB table.
What is the MOST likely cause of this issue?
C
Explanation:
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_lambda-access-dynamodb.html
A developer is creating an AWS CloudFormation template to deploy Amazon EC2 instances across
multiple AWS accounts. The developer must choose the EC2 instances from a list of approved
instance types.
How can the developer incorporate the list of approved instance types in the CloudFormation
template?
D
Explanation:
In the CloudFormation template, the developer should create a parameter with the list of approved
EC2 instance types as AllowedValues. This way, users can select the instance type they want to use
when launching the CloudFormation stack, but only from the approved list.
A developer has an application that makes batch requests directly to Amazon DynamoDB by using
the BatchGetItem low-level API operation. The responses frequently return values in the
UnprocessedKeys element.
Which actions should the developer take to increase the resiliency of the application when the batch
response includes values in UnprocessedKeys? (Choose two.)
B, C
Explanation:
The UnprocessedKeys element indicates that the BatchGetItem operation did not process all of the
requested items in the current response. This can happen if the response size limit is exceeded or if
the table’s provisioned throughput is exceeded. To handle this situation, the developer should retry
the batch operation with exponential backoff and randomized delay to avoid throttling errors and
reduce the load on the table. The developer should also use an AWS SDK to make the requests, as
the SDKs automatically retry requests that return UnprocessedKeys.
Reference:
[BatchGetItem - Amazon DynamoDB]
[Working with Queries and Scans - Amazon DynamoDB]
[Best Practices for Handling DynamoDB Throttling Errors]
A company is running a custom application on a set of on-premises Linux servers that are accessed
using Amazon API Gateway. AWS X-Ray tracing has been enabled on the API test stage.
How can a developer enable X-Ray tracing on the on-premises servers with the LEAST amount of
configuration?
B
Explanation:
The X-Ray daemon is a software that collects trace data from the X-Ray SDK and relays it to the X-Ray
service. The X-Ray daemon can run on any platform that supports Go, including Linux, Windows, and
macOS. The developer can install and run the X-Ray daemon on the on-premises servers to capture
and relay the data to the X-Ray service with minimal configuration. The X-Ray SDK is used to
instrument the application code, not to capture and relay data. The Lambda function solutions are
more complex and require additional configuration.
Reference:
[AWS X-Ray concepts - AWS X-Ray]
[Setting up AWS X-Ray - AWS X-Ray]
A company wants to share information with a third party. The third party has an HTTP API endpoint
that the company can use to share the information. The company has the required API key to access
the HTTP API.
The company needs a way to manage the API key by using code. The integration of the API key with
the application code cannot affect application performance.
Which solution will meet these requirements MOST securely?
A
Explanation:
AWS Secrets Manager is a service that helps securely store, rotate, and manage secrets such as API
keys, passwords, and tokens. The developer can store the API credentials in AWS Secrets Manager
and retrieve them at runtime by using the AWS SDK. This solution will meet the requirements of
security, code management, and performance. Storing the API credentials in a local code variable or
an S3 object is not secure, as it exposes the credentials to unauthorized access or leakage. Storing the
API credentials in a DynamoDB table is also not secure, as it requires additional encryption and
access control measures. Moreover, retrieving the credentials from S3 or DynamoDB may affect
application performance due to network latency.
Reference:
[What Is AWS Secrets Manager? - AWS Secrets Manager]
[Retrieving a Secret - AWS Secrets Manager]
A developer is deploying a new application to Amazon Elastic Container Service (Amazon ECS). The
developer needs to securely store and retrieve different types of variables. These variables include
authentication information for a remote API, the URL for the API, and credentials. The authentication
information and API URL must be available to all current and future deployed versions of the
application across development, testing, and production environments.
How should the developer retrieve the variables with the FEWEST application changes?
A
Explanation:
AWS Systems Manager Parameter Store is a service that provides secure, hierarchical storage for
configuration data management and secrets management. The developer can update the application
to retrieve the variables from Parameter Store by using the AWS SDK or the AWS CLI. The developer
can use unique paths in Parameter Store for each variable in each environment, such as /dev/api-url,
/test/api-url, and /prod/api-url. The developer can also store the credentials in AWS Secrets
Manager, which is integrated with Parameter Store and provides additional features such as
automatic rotation and encryption.
Reference:
[What Is AWS Systems Manager? - AWS Systems Manager]
[Parameter Store - AWS Systems Manager]
[What Is AWS Secrets Manager? - AWS Secrets Manager]
A company is migrating legacy internal applications to AWS. Leadership wants to rewrite the internal
employee directory to use native AWS services. A developer needs to create a solution for storing
employee contact details and high-resolution photos for use with the new application.
Which solution will enable the search and retrieval of each employee's individual details and high-
resolution photos using AWS APIs?
B
Explanation:
Amazon DynamoDB is a fully managed NoSQL database service that provides fast and consistent
performance with seamless scalability. The developer can store each employee’s contact information
in a DynamoDB table along with the object keys for the photos stored in Amazon S3. Amazon S3 is an
object storage service that offers industry-leading scalability, data availability, security, and
performance. The developer can use AWS APIs to search and retrieve the employee details and
photos from DynamoDB and S3.
Reference:
[Amazon DynamoDB]
[Amazon Simple Storage Service (S3)]
A developer is creating an application that will give users the ability to store photos from their
cellphones in the cloud. The application needs to support tens of thousands of users. The application
uses an Amazon API Gateway REST API that is integrated with AWS Lambda functions to process the
photos. The application stores details about the photos in Amazon DynamoDB.
Users need to create an account to access the application. In the application, users must be able to
upload photos and retrieve previously uploaded photos. The photos will range in size from 300 KB to
5 MB.
Which solution will meet these requirements with the LEAST operational overhead?
B
Explanation:
Amazon Cognito user pools is a service that provides a secure user directory that scales to hundreds
of millions of users. The developer can use Amazon Cognito user pools to manage user accounts and
create an Amazon Cognito user pool authorizer in API Gateway to control access to the API. The
developer can use the Lambda function to store the photos in Amazon S3, which is a highly scalable,
durable, and secure object storage service. The developer can store the object’s S3 key as part of the
photo details in the DynamoDB table, which is a fast and flexible NoSQL database service. The
developer can retrieve previously uploaded photos by querying DynamoDB for the S3 key and
fetching the photos from S3. This solution will meet the requirements with the least operational
overhead.
Reference:
[Amazon Cognito User Pools]
[Use Amazon Cognito User Pools - Amazon API Gateway]
[Amazon Simple Storage Service (S3)]
[Amazon DynamoDB]
A company receives food orders from multiple partners. The company has a microservices
application that uses Amazon API Gateway APIs with AWS Lambda integration. Each partner sends
orders by calling a customized API that is exposed through API Gateway. The API call invokes a shared
Lambda function to process the orders.
Partners need to be notified after the Lambda function processes the orders. Each partner must
receive updates for only the partner's own orders. The company wants to add new partners in the
future with the fewest code changes possible.
Which solution will meet these requirements in the MOST scalable way?
C
Explanation:
Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service that enables
pub/sub communication between distributed systems. The developer can create an SNS topic and
configure the Lambda function to publish messages with specific attributes to the topic. The
developer can subscribe each partner to the SNS topic and apply the appropriate filter policy to the
topic subscriptions. This way, each partner will receive updates for only their own orders based on
the message attributes. This solution will meet the requirements in the most scalable way and allow
adding new partners in the future with minimal code changes.
Reference:
[Amazon Simple Notification Service (SNS)]
[Filtering Messages with Attributes - Amazon Simple Notification Service]
A financial company must store original customer records for 10 years for legal reasons. A complete
record contains personally identifiable information (PII). According to local regulations, PII is
available to only certain people in the company and must not be shared with third parties. The
company needs to make the records available to third-party organizations for statistical analysis
without sharing the PII.
A developer wants to store the original immutable record in Amazon S3. Depending on who accesses
the S3 document, the document should be returned as is or with all the PII removed. The developer
has written an AWS Lambda function to remove the PII from the document. The function is named
removePii.
What should the developer do so that the company can meet the PII requirements while maintaining
only one copy of the document?
C
Explanation:
S3 Object Lambda allows you to add your own code to process data retrieved from S3 before
returning it to an application. You can use an AWS Lambda function to modify the data, such as
removing PII, redacting confidential information, or resizing images. You can create an S3 Object
Lambda access point and associate it with your Lambda function. Then, you can use the access point
to request objects from S3 and get the modified data back. This way, you can maintain only one copy
of the original document in S3 and apply different transformations depending on who accesses it.
Reference:
Using AWS Lambda with Amazon S3
A developer is deploying an AWS Lambda function The developer wants the ability to return to older
versions of the function quickly and seamlessly.
How can the developer achieve this goal with the LEAST operational overhead?
B
Explanation:
A function alias is a pointer to a specific Lambda function version. You can use aliases to create
different environments for your function, such as development, testing, and production. You can also
use aliases to perform blue/green deployments by shifting traffic between two versions of your
function gradually. This way, you can easily roll back to a previous version if something goes wrong,
without having to redeploy your code or change your configuration. Reference:
AWS Lambda
function aliases