$0.00
Amazon DOP-C02 Dumps

Amazon DOP-C02 Exam Dumps

AWS Certified DevOps Engineer - Professional

Total Questions : 449
Update Date : July 16, 2026
PDF + Test Engine
$65 $95
Test Engine
$55 $85
PDF Only
$45 $75



Last Week DOP-C02 Exam Results

152

Customers Passed Amazon DOP-C02 Exam

97%

Average Score In Real DOP-C02 Exam

98%

Questions came from our DOP-C02 dumps.



Choosing the Right Path for Your DOP-C02 Exam Preparation

Welcome to PassExamHub's comprehensive study guide for the AWS Certified DevOps Engineer - Professional exam. Our DOP-C02 dumps is designed to equip you with the knowledge and resources you need to confidently prepare for and succeed in the DOP-C02 certification exam.

What Our Amazon DOP-C02 Study Material Offers

PassExamHub's DOP-C02 dumps PDF is carefully crafted to provide you with a comprehensive and effective learning experience. Our study material includes:

In-depth Content: Our study guide covers all the key concepts, topics, and skills you need to master for the DOP-C02 exam. Each topic is explained in a clear and concise manner, making it easy to understand even the most complex concepts.
Online Test Engine: Test your knowledge and build your confidence with a wide range of practice questions that simulate the actual exam format. Our test engine cover every exam objective and provide detailed explanations for both correct and incorrect answers.
Exam Strategies: Get valuable insights into exam-taking strategies, time management, and how to approach different types of questions.
Real-world Scenarios: Gain practical insights into applying your knowledge in real-world scenarios, ensuring you're well-prepared to tackle challenges in your professional career.

Why Choose PassExamHub?

Expertise: Our DOP-C02 exam questions answers are developed by experienced Amazon certified professionals who have a deep understanding of the exam objectives and industry best practices.
Comprehensive Coverage: We leave no stone unturned in covering every topic and skill that could appear on the DOP-C02 exam, ensuring you're fully prepared.
Engaging Learning: Our content is presented in a user-friendly and engaging format, making your study sessions enjoyable and effective.
Proven Success: Countless students have used our study materials to achieve their DOP-C02 certifications and advance their careers.
Start Your Journey Today!

Embark on your journey to AWS Certified DevOps Engineer - Professional success with PassExamHub. Our study material is your trusted companion in preparing for the DOP-C02 exam and unlocking exciting career opportunities.

Amazon DOP-C02 Sample Question Answers

Question # 1

A company has started using AWS across several teams. Each team has multiple accountsand unique security profiles. The company manages the accounts in an organization inAWS Organizations. Each account has its own configuration and security controls.The company's DevOps team wants to use preventive and detective controls to govern allaccounts. The DevOps team needs to ensure the security of accounts now and in thefuture as the company creates new accounts in the organization.Which solution will meet these requirements?

A. Use Organizations to create OUs that have appropriate SCPs attached for each team.Place each team in the appropriate OUs to apply security controls. Create any new teamaccounts in the appropriate OUs
B. Create an AWS Control Tower landing zone. Configure OUs and appropriate controls inAWS Control Tower for the existing teams. Configure trusted access for AWS ControlTower. Enroll the existing accounts in the appropriate OUs that match the appropriatesecurity policies for each team. Use AWS Control Tower to provision any new accounts.
C. Create AWS CloudFormation stack sets in the organization's management account.Configure a stack set that deploys AWS Config with configuration rules and remediationactions for all controls to each account in the organization. Update the stack sets to deployto new accounts as the accounts are created. 
D. Configure AWS Config to manage the AWS Config rules across all AWS accounts in theorganization. Deploy conformance packs that provide AWS Config rules and remediationactions across the organization. 



Question # 2

A company that uses electronic patient health records runs a fleet of Amazon EC2instances with an Amazon Linux operating system. The company must continuously ensurethat the EC2 instances are running operating system patches and application patches thatare in compliance with current privacy regulations. The company uses a custom repositoryto store application patches.A DevOps engineer needs to automate the deployment of operating system patches andapplication patches. The DevOps engineer wants to use both the default operating systempatch repository and the custom patch repository.Which solution will meet these requirements with the LEAST effort?

A. Use AWS Systems Manager to create a new custom patch baseline that includes thedefault operating system repository and the custom repository. Run the AWSRunPatchBaseline document by using the Run command to verify and install patches. Usethe BaselineOverride API to configure the new custom patch baseline
B. Use AWS Direct Connect to integrate the custom repository with the EC2 instances. UseAmazon EventBridge events to deploy the patches
C. Use the yum-config-manager command to add the custom repository to the/etc/yum.repos.d configuration. Run the yum-config-manager-enable command to activatethe new repository
D. Use AWS Systems Manager to create a patch baseline for the default operating systemrepository and a second patch baseline for the custom repository. Run the AWSRunPatchBaseline document by using the Run command to verify and install patches. Usethe BaselineOverride API to configure the default patch baseline and the custom patchbaseline. 



Question # 3

A large enterprise is deploying a web application on AWS. The application runs on AmazonEC2 instances behind an Application Load Balancer. The instances run in an Auto Scalinggroup across multiple Availability Zones. The application stores data in an Amazon RDS forOracle DB instance and Amazon DynamoDB. There are separate environments tordevelopment testing and production.What is the MOST secure and flexible way to obtain password credentials duringdeployment?

A. Retrieve an access key from an AWS Systems Manager securestring parameter toaccess AWS services. Retrieve the database credentials from a Systems ManagerSecureString parameter
B. Launch the EC2 instances with an EC2 1AM role to access AWS services Retrieve thedatabase credentials from AWS Secrets Manager. 
C. Retrieve an access key from an AWS Systems Manager plaintext parameter to accessAWS services. Retrieve the database credentials from a Systems Manager SecureStringparameter. 
D. Launch the EC2 instances with an EC2 1AM role to access AWS services Store thedatabase passwords in an encrypted config file with the application artifacts. 



Question # 4

A company manages a web application that runs on Amazon EC2 instances behind anApplication Load Balancer (ALB). The EC2 instances run in an Auto Scaling group acrossmultiple Availability Zones. The application uses an Amazon RDS for MySQL DB instanceto store the data. The company has configured Amazon Route 53 with an alias record thatpoints to the ALB.A new company guideline requires a geographically isolated disaster recovery (DR> sitewith an RTO of 4 hours and an RPO of 15 minutes.Which DR strategy will meet these requirements with the LEAST change to the applicationstack?

A. Launch a replica environment of everything except Amazon RDS in a differentAvailability Zone Create an RDS read replica in the new Availability Zone: and configurethe new stack to point to the local RDS DB instance. Add the new stack to the Route 53record set by using a hearth check to configure a failover routing policy. 
B. Launch a replica environment of everything except Amazon RDS in a different AWS.Region Create an RDS read replica in the new Region and configure the new stack to pointto the local RDS DB instance. Add the new stack to the Route 53 record set by using ahealth check to configure a latency routing policy.
C. Launch a replica environment of everything except Amazon RDS ma different AWSRegion. In the event of an outage copy and restore the latest RDS snapshot from theprimary. Region to the DR Region Adjust the Route 53 record set to point to the ALB in theDR Region.
D. Launch a replica environment of everything except Amazon RDS in a different AWSRegion. Create an RDS read replica in the new Region and configure the new environmentto point to the local RDS DB instance. Add the new stack to the Route 53 record set byusing a health check to configure a failover routing policy. In the event of an outagepromote the read replica to primary.



Question # 5

A company uses an Amazon API Gateway regional REST API to host its application API.The REST API has a custom domain. The REST API's default endpoint is deactivated.The company's internal teams consume the API. The company wants to use mutual TLSbetween the API and the internal teams as an additional layer of authentication.Which combination of steps will meet these requirements? (Select TWO.)

A. Use AWS Certificate Manager (ACM) to create a private certificate authority (CA).Provision a client certificate that is signed by the private CA.
B. Provision a client certificate that is signed by a public certificate authority (CA). Importthe certificate into AWS Certificate Manager (ACM).
C. Upload the provisioned client certificate to an Amazon S3 bucket. Configure the APIGateway mutual TLS to use the client certificate that is stored in the S3 bucket as the truststore.
D. Upload the provisioned client certificate private key to an Amazon S3 bucket. Configurethe API Gateway mutual TLS to use the private key that is stored in the S3 bucket as thetrust store.
E. Upload the root private certificate authority (CA) certificate to an Amazon S3 bucket.Configure the API Gateway mutual TLS to use the private CA certificate that is stored in theS3 bucket as the trust store.



Question # 6

A space exploration company receives telemetry data from multiple satellites. Smallpackets of data are received through Amazon API Gateway and are placed directly into anAmazon Simple Queue Service (Amazon SQS) standard queue. A custom application issubscribed to the queue and transforms the data into a standard format.Because of inconsistencies in the data that the satellites produce, the application isoccasionally unable to transform the data. In these cases, the messages remain in theSQS queue. A DevOps engineer must develop a solution that retains the failed messagesand makes them available to scientists for review and future processing.Which solution will meet these requirements?

A. Configure AWS Lambda to poll the SQS queue and invoke a Lambda function to checkwhether the queue messages are valid. If validation fails, send a copy of the data that is notvalid to an Amazon S3 bucket so that the scientists can review and correct the data. Whenthe data is corrected, amend the message in the SQS queue by using a replay Lambdafunction with the corrected data.
B. Convert the SQS standard queue to an SQS FIFO queue. Configure AWS Lambda topoll the SQS queue every 10 minutes by using an Amazon EventBridge schedule. Invokethe Lambda function to identify any messages with a SentTimestamp value that is olderthan 5 minutes, push the data to the same location as the application's output location, andremove the messages from the queue.
C. Create an SQS dead-letter queue. Modify the existing queue by including a redrivepolicy that sets the Maximum Receives setting to 1 and sets the dead-letter queue ARN tothe ARN of the newly created queue. Instruct the scientists to use the dead-letter queue toreview the data that is not valid. Reprocess this data at a later time.
D. Configure API Gateway to send messages to different SQS virtual queues that arenamed for each of the satellites. Update the application to use a new virtual queue for anydata that it cannot transform, and send the message to the new virtual queue. Instruct thescientists to use the virtual queue to review the data that is not valid. Reprocess this data ata later time. 



Question # 7

A company requires its internal business teams to launch resources through pre-approvedAWS CloudFormation templates only. The security team requires automated monitoringwhen resources drift from their expected state.Which strategy should be used to meet these requirements?

A. Allow users to deploy CloudFormation stacks using a CloudFormation service role only.Use CloudFormation drift detection to detect when resources have drifted from theirexpected state. 
B. Allow users to deploy CloudFormation stacks using a CloudFormation service role only.Use AWS Config rules to detect when resources have drifted from their expected state. 
C. Allow users to deploy CloudFormation stacks using AWS Service Catalog only. Enforcethe use of a launch constraint. Use AWS Config rules to detect when resources havedrifted from their expected state.
D. Allow users to deploy CloudFormation stacks using AWS Service Catalog only. Enforcethe use of a template constraint. Use Amazon EventBridge notifications to detect whenresources have drifted from their expected state. 



Question # 8

A company must encrypt all AMIs that the company shares across accounts. A DevOpsengineer has access to a source account where an unencrypted custom AMI has beenbuilt. The DevOps engineer also has access to a target account where an Amazon EC2Auto Scaling group will launch EC2 instances from the AMI. The DevOps engineer mustshare the AMI with the target account.The company has created an AWS Key Management Service (AWS KMS) key in thesource account.Which additional steps should the DevOps engineer perform to meet the requirements?(Choose three.)

A. In the source account, copy the unencrypted AMI to an encrypted AMI. Specify the KMSkey in the copy action. 
B. In the source account, copy the unencrypted AMI to an encrypted AMI. Specify thedefault Amazon Elastic Block Store (Amazon EBS) encryption key in the copy action.
C. In the source account, create a KMS grant that delegates permissions to the AutoScaling group service-linked role in the target account.
D. In the source account, modify the key policy to give the target account permissions tocreate a grant. In the target account, create a KMS grant that delegates permissions to theAuto Scaling group service-linked role.
E. In the source account, share the unencrypted AMI with the target account. 
F. In the source account, share the encrypted AMI with the target account. 



Question # 9

A company's DevOps team manages a set of AWS accounts that are in an organization inAWS OrganizationsThe company needs a solution that ensures that all Amazon EC2 instances use approvedAMIs that the DevOps team manages. The solution also must remediate the usage of AMIsthat are not approved The individual account administrators must not be able to remove therestriction to use approved AMIs.Which solution will meet these requirements?

A. Use AWS CloudFormation StackSets to deploy an Amazon EventBridge rule to eachaccount. Configure the rule to react to AWS CloudTrail events for Amazon EC2 and tosend a notification to an Amazon Simple Notification Service (Amazon SNS) topic.Subscribe the DevOps team to the SNS topic 
B. Use AWS CloudFormation StackSets to deploy the approved-amis-by-id AWS Configmanaged rule to each account. Configure the rule with the list of approved AMIs. Configurethe rule to run the the AWS-StopEC2lnstance AWS Systems Manager Automation runbookfor the noncompliant EC2 instances.
C. Create an AWS Lambda function that processes AWS CloudTrail events for AmazonEC2 Configure the Lambda function to send a notification to an Amazon Simple NotificationService (Amazon SNS) topic. Subscribe the DevOps team to the SNS topic. Deploy theLambda function in each account in the organization Create an Amazon EventBridge rulein each account Configure the EventBridge rules to react to AWS CloudTrail events forAmazon EC2 and to invoke the Lambda function. 
D. Enable AWS Config across the organization Create a conformance pack that uses theapproved -amis-by-id AWS Config managed rule with the list of approved AMIs. Deploy theconformance pack across the organization. Configure the rule to run the AWSStopEC2lnstance AWS Systems Manager Automation runbook for the noncompliant EC2instances. 



Question # 10

A DevOps engineer updates an AWS CloudFormation stack to add a nested stack thatincludes several Amazon EC2 instances. When the DevOps engineer attempts to deploythe updated stack, the nested stack fails to deploy. What should the DevOps engineer doto determine the cause of the failure?

A. Use the CloudFormation detect root cause capability for the failed stack to analyze thefailure and return the event that is the most likely cause for the failure. 
B. Query failed stacks by specifying the root stack as the ParentId property. Examine theStackStatusReason property for all returned stacks to determine the reason the nestedstack failed to deploy.  
C. Activate AWS Systems Manager for the AWS account where the application runs. Usethe AWS Systems Manager Automation AWSSupport-TroubleshootCFNCustomResourcerunbook to determine the reason the nested stack failed to deploy.
D. Configure the CloudFormation template to publish logs to Amazon CloudWatch. Viewthe CloudFormation logs for the failed stack in the CloudWatch console to determine thereason the nested stack failed to deploy. 



Question # 11

A global company manages multiple AWS accounts by using AWS Control Tower. Thecompany hosts internal applications and public applications.Each application team in the company has its own AWS account for application hosting.The accounts are consolidated in an organization in AWS Organizations. One of the AWSControl Tower member accounts serves as a centralized DevOps account with CI/CDpipelines that application teams use to deploy applications to their respective target AWSaccounts. An 1AM role for deployment exists in the centralized DevOps account.An application team is attempting to deploy its application to an Amazon ElasticKubernetes Service (Amazon EKS) cluster in an application AWS account. An 1AM role fordeployment exists in the application AWS account. The deployment is through an AWSCodeBuild project that is set up in the centralized DevOps account. The CodeBuild projectuses an 1AM service role for CodeBuild. The deployment is failing with an Unauthorizederror during attempts to connect to the cross-account EKS cluster from CodeBuild.Which solution will resolve this error?

A. Configure the application account's deployment 1AM role to have a trust relationshipwith the centralized DevOps account. Configure the trust relationship to allow thests:AssumeRole action. Configure the application account's deployment 1AM role to havethe required access to the EKS cluster. Configure the EKS cluster aws-auth ConfigMap tomap the role to the appropriate system permissions
B. Configure the centralized DevOps account's deployment I AM role to have a trustrelationship with the application account. Configure the trust relationship to allow thests:AssumeRole action. Configure the centralized DevOps account's deployment 1AM roleto allow the required access to CodeBuild. 
C. Configure the centralized DevOps account's deployment 1AM role to have a trustrelationship with the application account. Configure the trust relationship to allow thests:AssumeRoleWithSAML action. Configure the centralized DevOps account's deployment1AM role to allow the required access to CodeBuild. 
D. Configure the application account's deployment 1AM role to have a trust relationshipwith the AWS Control Tower management account. Configure the trust relationship to allowthe sts:AssumeRole action. Configure the application account's deployment 1AM role tohave the required access to the EKS cluster. Configure the EKS cluster aws-authConfigMap to map the role to the appropriate system permissions.



Question # 12

A company uses Amazon Elastic Container Service (Amazon ECS) with an Amazon EC2launch type. The company requires all log data to be centralized on Amazon CloudWatch.The company's ECS tasks include a LogConfiguration object that specifies a value ofawslogs for the log driver name.The company's ECS tasks failed to deploy. An error message indicates that a missingpermission causes the failure. The company confirmed that the IAM role used to launchcontainer instances includes the logs:CreateLogGroup, logs:CreateLogStream, andlogs:PutLogEvents permissions.Which solution will fix the problem?

A. Add an IAM trust policy to the IAM role that establishes Amazon ECS as a trustedservice
B. Add the logs:PutDestination permission to the policy applied to the IAM role. 
C. Remove the logs:CreateLogStream permission from the policy applied to the IAM role. 
D. Add an IAM trust policy to the IAM role that establishes CloudWatch as a trustedservice



Question # 13

A company uses AWS WAF to protect its cloud infrastructure. A DevOps engineer needs togive an operations team the ability to analyze log messages from AWS WAR. Theoperations team needs to be able to create alarms for specific patterns in the log output.Which solution will meet these requirements with the LEAST operational overhead?

A. Create an Amazon CloudWatch Logs log group. Configure the appropriate AWS WAFweb ACL to send log messages to the log group. Instruct the operations team to createCloudWatch metric filters. 
B. Create an Amazon OpenSearch Service cluster and appropriate indexes. Configure anAmazon Kinesis Data Firehose delivery stream to stream log data to the indexes. UseOpenSearch Dashboards to create filters and widgets
C. Create an Amazon S3 bucket for the log output. Configure AWS WAF to send logoutputs to the S3 bucket. Instruct the operations team to create AWS Lambda functionsthat detect each desired log message pattern. Configure the Lambda functions to publish toan Amazon Simple Notification Service (Amazon SNS) topic
D. Create an Amazon S3 bucket for the log output. Configure AWS WAF to send logoutputs to the S3 bucket. Use Amazon Athena to create an external table definition that fitsthe log message pattern. Instruct the operations team to write SOL queries and to createAmazon CloudWatch metric filters for the Athena queries. 



Question # 14

A cloud team uses AWS Organizations and AWS IAM Identity Center to manage acompany's AWS accounts. The company recently established a research team. Theresearch team requires the ability to fully manage the resources in its account. Theresearch team must not be able to create IAM users.The cloud team creates a Research Administrator permission set in IAM Identity Center forthe research team. The permission set has the AdministratorAccess AWS managed policyattached. The cloud team must ensure that no one on the research team can create IAMusers.Which solution will meet these requirements?

A. Create an IAM policy that denies the iam:CreateUser action. Attach the IAM policy to theResearch Administrator permission set. 
B. Create an IAM policy that allows all actions except the iam:CreateUser action. Use theIAM policy to set the permissions boundary for the Research Administrator permission set. 
C. Create an SCP that denies the iam:CreateUser action. Attach the SCP to the researchteam's AWS account.
D. Create an AWS Lambda function that deletes IAM users. Create an AmazonEventBridge rule that detects the IAM CreateUser event. Configure the rule to invoke theLambda function. 



Question # 15

A company is migrating its container-based workloads to an AWS Organizations multiaccount environment. The environment consists of application workload accounts that thecompany uses to deploy and run the containerized workloads. The company has alsoprovisioned a shared services account tor shared workloads in the organization.The company must follow strict compliance regulations. All container images must receivesecurity scanning before they are deployed to any environment. Images can be consumedby downstream deployment mechanisms after the images pass a scan with no criticalvulnerabilities. Pre-scan and post-scan images must be isolated from one another so that adeployment can never use pre-scan images.A DevOps engineer needs to create a strategy to centralize this process.Which combination of steps will meet these requirements with the LEAST administrativeoverhead? (Select TWO.)

A. Create Amazon Elastic Container Registry (Amazon ECR) repositories in the sharedservices account: one repository for each pre-scan image and one repository for each postscan image. Configure Amazon ECR image scanning to run on new image pushes to thepre-scan repositories. Use resource-based policies to grant the organization write accessto the pre-scan repositories and read access to the post-scan repositories.
B. Create pre-scan Amazon Elastic Container Registry (Amazon ECR) repositories in eachaccount that publishes container images. Create repositories for post-scan images in theshared services account. Configure Amazon ECR image scanning to run on new imagepushes to the pre-scan repositories. Use resource-based policies to grant the organizationread access to the post-scan repositories.
C. Configure image replication for each image from the image's pre-scan repository to theimage's post-scan repository. 
D. Create a pipeline in AWS CodePipeline for each pre-scan repository. Create a sourcestage that runs when new images are pushed to the pre-scan repositories. Create a stagethat uses AWS CodeBuild as the action provider. Write a buildspec.yaml definition thatdetermines the image scanning status and pushes images without critical vulnerabilities lothe post-scan repositories. 
E. Create an AWS Lambda function. Create an Amazon EventBridge rule that reacts toimage scanning completed events and invokes the Lambda function. Write function codethat determines the image scanning status and pushes images without criticalvulnerabilities to the post-scan repositories. 



Question # 16

A company is developing code and wants to use semantic versioning. The company'sDevOps team needs to create a pipeline for compiling the code. The team also needs tomanage versions of the compiled code. If the code uses any open source libraries, thelibraries must also be cached in the build process. Which solution will meet theserequirements?

A. Create an AWS CodeArtifact repository and associate the upstream repositories. Createan AWS CodeBuild project that builds the semantic version of the code artifacts. Configurethe project to authenticate and connect to the CodeArtifact repository and publish theartifact to the repository
B. Use AWS CodeDeploy to upload the generated semantic version of the artifact to anAmazon Elastic File System (Amazon EFS) file system.
C. Use an AWS CodeBuild project to build the code and to publish the generated semanticversion of the artifact to AWS Artifact. Configure build caching in the CodeBuild project. 
D. Create a new AWS CodeArtifact repository. Create an AWS Lambda function that pullsopen source packages from the internet and publishes the packages to the repository.Configure AWS CodeDeploy to build semantic versions of the code and publish theversions to the repository.



Question # 17

A DevOps engineer needs to configure an AWS CodePipeline pipeline that publishescontainer images to an Amazon Elastic Container Registry (Amazon ECR) repository. Thepipeline must wait for the previous run to finish and must run when new Git tags arepushed to a Git repository that is connected to AWS CodeConnections. An existingdeployment pipeline needs to run in response to the publication of new container images.Which solution will meet these requirements?

A. Configure a CodePipeline V2 type pipeline that uses QUEUED mode. Add a trigger filterto the pipeline definition that includes all tags. Configure an Amazon EventBridge rule thatmatches container image pushes to start the existing deployment pipeline.
B. Configure a CodePipeline V2 type pipeline that uses SUPERSEDED mode. Add atrigger filter to the pipeline definition that includes all branches. Configure an AmazonEventBridge rule that matches container image pushes to start the existing deploymentpipeline.
C. Configure a CodePipeline V1 type pipeline that uses SUPERSEDED mode. Add atrigger filter to the pipeline definition that includes all tags. Add a stage at the end of thepipeline to invoke the existing deployment pipeline
D. Configure a CodePipeline V1 type pipeline that uses QUEUED mode. Add a trigger filterto the pipeline definition that includes all branches. Add a stage at the end of the pipeline toinvoke the existing deployment pipeline.



Question # 18

A company runs a microservices application on Amazon Elastic Kubernetes Service(Amazon EKS). Users recently reported significant delays while accessing an accountsummary feature, particularly during peak business hours.A DevOps engineer used Amazon CloudWatch metrics and logs to troubleshoot the issue.The logs indicated normal CPU and memory utilization on the EKS nodes. The DevOpsengineer was not able to identify where the delays occurred within the microservicesarchitecture.The DevOps engineer needs to increase the observability of the application to pinpointwhere the delays are occurring.Which solution will meet these requirements?

A. Deploy the AWS X-Ray daemon as a DaemonSet in the EKS cluster. Use the X-RaySDK to instrument the application code. Redeploy the application. 
B. Enable CloudWatch Container Insights for the EKS cluster. Use the Container Insightsdata to diagnose the delays. 
C. Create alarms based on the existing CloudWatch metrics. Set up an Amazon SimpleNotification Service (Amazon SNS) topic to send email alerts. 
D. Increase the timeout settings in the application code for network operations to allowmore time for operations to finish.



Question # 19

A company hired a penetration tester to simulate an internal security breach The testerperformed port scans on the company's Amazon EC2 instances. The company's securitymeasures did not detect the port scans.The company needs a solution that automatically provides notification when port scans areperformed on EC2 instances. The company creates and subscribes to an Amazon SimpleNotification Service (Amazon SNS) topic.What should the company do next to meet the requirement?

A. Ensure that Amazon GuardDuty is enabled Create an Amazon CloudWatch alarm fordetected EC2 and port scan findings. Connect the alarm to the SNS topic.
B. Ensure that Amazon Inspector is enabled Create an Amazon EventBridge event fordetected network reachability findings that indicate port scans Connect the event to theSNS topic. 
C. Ensure that Amazon Inspector is enabled. Create an Amazon EventBridge event fordetected CVEs that cause open port vulnerabilities. Connect the event to the SNS topic 
D. Ensure that AWS CloudTrail is enabled Create an AWS Lambda function to analyze theCloudTrail logs for unusual amounts of traffic from an IP address range Connect theLambda function to the SNS topic. 



Question # 20

A company wants to use AWS Systems Manager documents to bootstrap physical laptopsfor developers The bootstrap code Is stored in GitHub A DevOps engineer has alreadycreated a Systems Manager activation, installed the Systems Manager agent with theregistration code, and installed an activation ID on all the laptops.Which set of steps should be taken next?

A. Configure the Systems Manager document to use the AWS-RunShellScnpt command tocopy the files from GitHub to Amazon S3, then use the aws-downloadContent plugin with asourceType of S3 
B. Configure the Systems Manager document to use the aws-configurePackage plugin withan install action and point to the Git repository
C. Configure the Systems Manager document to use the aws-downloadContent plugin witha sourceType of GitHub and sourcelnfo with the repository details.
D. Configure the Systems Manager document to use the aws:softwarelnventory plugin andrun the script from the Git repository 



Question # 21

A company is migrating its web application to AWS. The application uses WebSocketconnections for real-time updates and requires sticky sessions.A DevOps engineer must implement a highly available architecture for the application. Theapplication must be accessible to users worldwide with the least possible latency.Which solution will meet these requirements with the LEAST operational overhead?

A. Deploy an Application Load Balancer (ALB). Deploy another ALB in a different AWSRegion. Enable cross-zone load balancing and sticky sessions on the ALBs. Integrate theALBs with Amazon Route 53 latency-based routing. 
B. Deploy a Network Load Balancer (NLB). Deploy another NLB in a different AWS Region.Enable cross-zone load balancing and sticky sessions on the NLBs. Integrate the NLBswith Amazon Route 53 geolocation routing. 
C. Deploy a Network Load Balancer (NLB) with cross-zone load balancing enabled.Configure the NLB with IP-based targets in multiple Availability Zones. Use AmazonCloudFront for global content delivery. Implement sticky sessions by using source IPaddress preservation on the NLB
D. Deploy an Application Load Balancer (ALB) for HTTP traffic. Deploy a Network LoadBalancer (NLB) in each of the company's AWS Regions for WebSocket connections.Enable sticky sessions on the ALB. Configure the ALB to forward requests to the NLB. 



Question # 22

A company uses an organization in AWS Organizations with all features enabled tomanage a fleet of AWS accounts. The company expects to create many new accounts foran upcoming project.The company wants to ensure that the new accounts will not have default VPCs and thatusers can develop only in specific AWS Regions. The company must monitor the newaccounts for compliance with the Center for Internet Security (CIS) AWS FoundationsBenchmark framework.Which combination of solutions will meet these requirements with the LEAST operationaleffort? (Select TWO.)

A. Activate AWS Control Tower. Configure AWS Control Tower to disable internetaccessible subnets. Set the maximum number of private subnets to zero. Configure Regiondenies, and ensure that users can access only the specified Regions.
B. Activate AWS Control Tower. Install Customizations for AWS Control Tower (CfCT).Develop a custom AWS CloudFormation template to delete default VPCs. ConfigureRegion denies, and ensure that users can access only the specified Regions.
C. Write an SCP that denies access to all Regions except the specified Regions. Create anAWS Lambda function that assumes an IAM role by using the Organizations default servicerole in each member account to identify and delete default VPCs. Create an AmazonEventBridge rule that invokes the Lambda function when the company creates a new AWSaccount.
D. Activate AWS Security Hub at the organization level. Select the CIS AWS FoundationsBenchmark framework, and apply the framework to the organization. 
E. Activate the CIS AWS Foundations Benchmark framework on the Control Library panelin AWS Control Tower. 



Question # 23

A company has an on-premises application that is written in Go. A DevOps engineer mustmove the application to AWS. The company's development team wants to enableblue/green deployments and perform A/B testing.Which solution will meet these requirements?

A. Deploy the application on an Amazon EC2 instance, and create an AMI of the instance.Use the AMI to create an automatic scaling launch configuration that is used in an AutoScaling group. Use Elastic Load Balancing to distribute traffic. When changes are made tothe application, a new AMI will be created, which will initiate an EC2 instance refresh.
B. Use Amazon Lightsail to deploy the application. Store the application in a zipped formatin an Amazon S3 bucket. Use this zipped version to deploy new versions of the applicationto Lightsail. Use Lightsail deployment options to manage the deployment.
C. Use AWS CodeArtifact to store the application code. Use AWS CodeDeploy to deploythe application to a fleet of Amazon EC2 instances. Use Elastic Load Balancing todistribute the traffic to the EC2 instances. When making changes to the application, uploada new version to CodeArtifact and create a new CodeDeploy deployment.
D. Use AWS Elastic Beanstalk to host the application. Store a zipped version of theapplication in Amazon S3. Use that location to deploy new versions of the application. UseElastic Beanstalk to manage the deployment options. 



Question # 24

A company runs a fleet of Amazon EC2 instances in a VPC. The company's employeesremotely access the EC2 instances by using the Remote Desktop Protocol (RDP). Thecompany wants to collect metrics about how many RDP sessions the employees initiateevery day. Which combination of steps will meet this requirement? (Select THREE.)

A. Create an Amazon EventBridge rule that reacts to EC2 Instance State-changeNotification events. 
B. Create an Amazon CloudWatch Logs log group. Specify the log group as a target for theEventBridge rule. 
C. Create a flow log in VPC Flow Logs. 
D. Create an Amazon CloudWatch Logs log group. Specify the log group as a destinationfor the flow log. 
E. Create a log group metric filter. 
F. Create a log group subscription filter. Use EventBridge as the destination. 



Question # 25

A company is building a new pipeline by using AWS CodePipeline and AWS CodeBuild ina build account. The pipeline consists of two stages. The first stage is a CodeBuild job tobuild and package an AWS Lambda function. The second stage consists of deploymentactions that operate on two different AWS accounts a development environment accountand a production environment account. The deployment stages use the AWS Cloud Formation action that CodePipeline invokes to deploy the infrastructure that the Lambda functionrequires.A DevOps engineer creates the CodePipeline pipeline and configures the pipeline toencrypt build artifacts by using the AWS Key Management Service (AWS KMS) AWSmanaged key for Amazon S3 (the aws/s3 key). The artifacts are stored in an S3 bucketWhen the pipeline runs, the Cloud Formation actions fail with an access denied error.Which combination of actions must the DevOps engineer perform to resolve this error?(Select TWO.)

A. Create an S3 bucket in each AWS account for the artifacts Allow the pipeline to write tothe S3 buckets. Create a CodePipeline S3 action to copy the artifacts to the S3 bucket ineach AWS account Update the CloudFormation actions to reference the artifacts S3 bucketin the production account.
B. Create a customer managed KMS key Configure the KMS key policy to allow the IAMroles used by the CloudFormation action to perform decrypt operations Modify the pipelineto use the customer managed KMS key to encrypt artifacts.
C. Create an AWS managed KMS key Configure the KMS key policy to allow thedevelopment account and the production account to perform decrypt operations. Modify thepipeline to use the KMS key to encrypt artifacts.
D. In the development account and in the production account create an IAM role forCodePipeline. Configure the roles with permissions to perform CloudFormation operationsand with permissions to retrieve and decrypt objects from the artifacts S3 bucket. In theCodePipeline account configure the CodePipeline CloudFormation action to use the roles. 
E. In the development account and in the production account create an IAM role forCodePipeline Configure the roles with permissions to perform CloudFormationoperationsand with permissions to retrieve and decrypt objects from the artifacts S3 bucket. In theCodePipelme account modify the artifacts S3 bucket policy to allow the roles accessConfigure the CodePipeline CloudFormation action to use the roles. 



Question # 26

A company is using AWS Organizations to create separate AWS accounts for each of itsdepartments The company needs to automate the following tasks• Update the Linux AMIs with new patches periodically and generate a golden image• Install a new version to Chef agents in the golden image, is available• Provide the newly generated AMIs to the department's accountsWhich solution meets these requirements with the LEAST management overhead'?

A. Write a script to launch an Amazon EC2 instance from the previous golden image Applythe patch updates Install the new version of the Chef agent, generate a new golden image,and then modify the AMI permissions to share only the new image with the department'saccounts. 
B. Use Amazon EC2 Image Builder to create an image pipeline that consists of the baseLinux AMI and components to install the Chef agent Use AWS Resource Access Managerto share EC2 Image Builder images with the department's accounts
C. Use an AWS Systems Manager Automation runbook to update the Linux AMI by usingthe previous image Provide the URL for the script that will update the Chef agent Use AWSOrganizations to replace the previous golden image in the department's accounts. 
D. Use Amazon EC2 Image Builder to create an image pipeline that consists of the baseLinux AMI and components to install the Chef agent Create a parameter in AWS SystemsManager Parameter Store to store the new AMI ID that can be referenced by thedepartment's accounts



Question # 27

A DevOps engineer has created an AWS CloudFormation template that deploys anapplication on Amazon EC2 instances The EC2 instances run Amazon Linux Theapplication is deployed to the EC2 instances by using shell scripts that contain user data.The EC2 instances have an 1AM instance profile that has an 1AM role with theAmazonSSMManagedlnstanceCore managed policy attachedThe DevOps engineer has modified the user data in the CloudFormation template to installa new version of the application. The engineer has also applied the stack update. However,the application was not updated on the running EC2 instances. The engineer needs toensure that the changes to the application are installed on the running EC2 instances.Which combination of steps will meet these requirements? (Select TWO.)

A. Configure the user data content to use the Multipurpose Internet Mail Extensions(MIME) multipart format. Set the scripts-user parameter to always in the text/cloud-configsection. 
B. Refactor the user data commands to use the cfn-init helper script. Update the user datato install and configure the cfn-hup and cfn-mit helper scripts to monitor and apply themetadata changes
C. Configure an EC2 launch template for the EC2 instances. Create a new EC2 AutoScaling group. Associate the Auto Scaling group with the EC2 launch template Use theAutoScalingScheduledAction update policy for the Auto Scaling group.
D. Refactor the user data commands to use an AWS Systems Manager document (SSMdocument). Add an AWS CLI command in the user data to use Systems Manager RunCommand to apply the SSM document to the EC2 instances
E. Refactor the user data command to use an AWS Systems Manager document (SSMdocument) Use Systems Manager State Manager to create an association between theSSM document and the EC2 instances. 



Question # 28

A company uses an organization in AWS Organizations to manage its AWS accounts. Thecompany's automation account contains a CI/CD pipeline that creates and configures newAWS accounts.The company has a group of internal service teams that provide services to accounts in theorganization. The service teams operate out of a set of services accounts. The serviceteams want to receive an AWS CloudTrail event in their services accounts when theCreateAccount API call creates a new account.How should the company share this CloudTrail event with the service accounts?

A. Create an Amazon EventBridge rule in the automation account to send account creationevents to the default event bus in the services accounts. Update the default event bus inthe services accounts to allow events from the automation account. 
B. Create a custom Amazon EventBridge event bus in the services accounts. Update thecustom event bus to allow events from the automation account. Create an EventBridge rulein the services account that directly listens to CloudTrail events from the automationaccount.
C. Create a custom Amazon EventBridge event bus in the automation account and theservices accounts. Create an EventBridge rule and policy that connects the custom eventbuses that are in the automation account and the services accounts. 
D. Create a custom Amazon EventBridge event bus in the automation account. Create anEventBridge rule and policy that connects the custom event bus to the default event busesin the services accounts. 



Question # 29

A DevOps engineer uses AWS WAF to manage web ACLs across an AWS account. TheDevOps engineer must ensure that AWS WAF is enabled for all Application LoadBalancers (ALBs) in the account. The DevOps engineer uses an AWS CloudFormationtemplate to deploy an individual ALB and AWS WAF as part of each application stack'sdeployment process. If AWS WAF is removed from the ALB after the ALB is deployed,AWS WAF must be added to the ALB automatically.Which solution will meet these requirements with the MOST operational efficiency?

A. Enable AWS Config. Add the alb-waf-enabled managed rule. Create an AWS SystemsManager Automation document to add AWS WAF to an ALB. Edit the rule to automaticallyremediate. Select the Systems Manager Automation document as the remediation action.
B. Enable AWS Config. Add the alb-waf-enabled managed rule. Create an AmazonEventBridge rule to send all AWS Config ConfigurationItemChangeNotification notificationtypes to an AWS Lambda function. Configure the Lambda function to call the AWS Configstart-resource-evaluation API in detective mode.
C. Configure an Amazon EventBridge rule to periodically call an AWS Lambda function thatcalls the detect-stack-drift API on the CloudFormation template. Configure the Lambdafunction to modify the ALB attributes with waf.fail_open.enabled set to true if theAWS::WAFv2::WebACLAssociation resource shows a status of drifted.
D. Configure an Amazon EventBridge rule to periodically call an AWS Lambda function thatcalls the detect-stack-drift API on the CloudFormation template. Configure the Lambdafunction to delete and redeploy the CloudFormation stack if theAWS::WAFv2::WebACLAssociation resource shows a status of drifted.



Question # 30

A company is using AWS CodePipeline to deploy an application. According to a newguideline, a member of the company's security team must sign off on any applicationchanges before the changes are deployed into production. The approval must be recordedand retained.Which combination of actions will meet these requirements? (Select TWO.)

A. Configure CodePipeline to write actions to Amazon CloudWatch Logs. 
B. Configure CodePipeline to write actions to an Amazon S3 bucket at the end of eachpipeline stage.
C. Create an AWS CloudTrail trail to deliver logs to Amazon S3. 
D. Create a CodePipeline custom action to invoke an AWS Lambda function for approval.Create a policy that gives the security team access to manage CodePipeline customactions. 
E. Create a CodePipeline manual approval action before the deployment step. Create apolicy that grants the security team access to approve manual approval stages.



Question # 31

A company has an organization in AWS Organizations for its multi-account environment. ADevOps engineer is developing an AWS CodeArtifact based strategy for applicationpackage management across the organization. Each application team at the company hasits own account in the organization. Each application team also has limited access to acentralized shared services account.Each application team needs full access to download, publish, and grant access to its ownpackages. Some common library packages that the application teams use must also beshared with the entire organization.Which combination of steps will meet these requirements with the LEAST administrativeoverhead? (Select THREE.)

A. Create a domain in each application team's account. Grant each application team'saccount lull read access and write access to the application team's domain 
B. Create a domain in the shared services account Grant the organization read access andCreateRepository access.
C. Create a repository in each application team's account. Grant each application team'saccount lull read access and write access to its own repository. 
D. Create a repository in the shared services account. Grant the organization read accessto the repository in the shared services account. Set the repository as the upstreamrepository in each application team's repository. 
E. For teams that require shared packages, create resource-based policies that allow readaccess to the repository from other application teams' accounts. 
F. Set the other application teams' repositories as upstream repositories. 



Question # 32

A company has developed a static website hosted on an Amazon S3 bucket. The websiteis deployed using AWS CloudFormation. The CloudFormation template defines an S3bucket and a custom resource that copies content into the bucket from a source location.The company has decided that it needs to move the website to a new location, so theexisting CloudFormation stack must be deleted and re-created. However, CloudFormationreports that the stack could not be deleted cleanly.What is the MOST likely cause and how can the DevOps engineer mitigate this problem forthis and future versions of the website?

A. Deletion has failed because the S3 bucket has an active website configuration. Modifythe Cloud Formation template to remove the WebsiteConfiguration properly from the S3bucket resource.
B. Deletion has failed because the S3 bucket is not empty. Modify the custom resource'sAWS Lambda function code to recursively empty the bucket when RequestType is Delete. 
C. Deletion has failed because the custom resource does not define a deletion policy. Adda DeletionPolicy property to the custom resource definition with a value ofRemoveOnDeletion. 
D. Deletion has failed because the S3 bucket is not empty. Modify the S3 bucket resourcein the CloudFormation template to add a DeletionPolicy property with a value of Empty.



Question # 33

A company uses an Amazon Elastic Kubernetes Service (Amazon EKS) cluster to host itsmachine learning (ML) application. As the ML model and the container image grow, podstartup time has increased to several minutes. The DevOps engineer created anEventBridge rule that triggers Systems Manager automation to prefetch container imagesfrom ECR. Node groups and the cluster have tags configured.What should the DevOps engineer do next to meet the requirements?

A. Create an IAM role allowing EventBridge to use Systems Manager to run commands inthe control plane nodes. Create a State Manager association using control plane nodetags.
B. Create an IAM role allowing EventBridge to use Systems Manager to run commands inthe worker nodes. Create a State Manager association using the nodes’ machine size. 
C. Create an IAM role allowing EventBridge to use Systems Manager to run commands inthe worker nodes. Create a State Manager association using the nodes’ tags to prefetchcontainer images. 
D. Create an IAM role allowing EventBridge to use Systems Manager to run commands inthe control plane nodes. Create a State Manager association using the nodes’ tags



Question # 34

AnyCompany is using AWS Organizations to create and manage multiple AWS accountsAnyCompany recently acquired a smaller company, Example Corp. During the acquisitionprocess, Example Corp's single AWS account joined AnyCompany's management accountthrough an Organizations invitation. AnyCompany moved the new member account underan OU that is dedicated to Example Corp.AnyCompany's DevOps eng•neer has an IAM user that assumes a role that is namedOrganizationAccountAccessRole to access member accounts. This role is configured witha full access policy When the DevOps engineer tries to use the AWS Management Consoleto assume the role in Example Corp's new member account, the DevOps engineerreceives the following error message "Invalid information in one or more fields. Check yourinformation or contact your administrator."Which solution will give the DevOps engineer access to the new member account?

A. In the management account, grant the DevOps engineer's IAM user permission toassume the OrganzatlonAccountAccessR01e IAM role in the new member account. 
B. In the management account, create a new SCR In the SCP, grant the DevOpsengineer's IAM user full access to all resources in the new member account. Attach theSCP to the OU that contains the new member account, 
C. In the new member account, create a new IAM role that is namedOrganizationAccountAccessRole. Attach the AdmInistratorAccess AVVS managed policy tothe role. In the role's trust policy, grant the management account permission to assume therole.
D. In the new member account edit the trust policy for the Organ zationAccountAccessRoleIAM role. Grant the management account permission to assume the role. 



Question # 35

A DevOps engineer wants to find a solution to migrate an application from on premises toAWS The application is running on Linux and needs to run on specific versions of ApacheTomcat HAProxy and Varnish Cache to function properly. The application's operatingsystem-level parameters require tuning The solution must include a way to automate thedeployment of new application versions. The infrastructure should be scalable and faultyservers should be replaced automatically.Which solution should the DevOps engineer use?

A. Upload the application as a Docker image that contains all the necessary software toAmazon ECR Create an Amazon ECS cluster using an AWS Fargate launch type and anAuto Scaling group. Create an AWS CodePipeline pipeline that uses Amazon ECR as asource and Amazon ECS as a deployment provider 
B. Upload the application code to an AWS CodeCommit repository with a savedconfiguration file to configure and install the software Create an AWS Elastic Beanstalkweb server tier and a load balanced-type environment that uses the Tomcat solution stackCreate an AWS CodePipeline pipeline that uses CodeCommit as a source and ElasticBeanstalk as a deployment provider
C. Upload the application code to an AWS CodeCommit repository with a set ofebextensions files to configure and install the software. Create an AWS Elastic Beanstalkworker tier environment that uses the Tomcat solution stack Create an AWS CodePipelinepipeline that uses CodeCommit as a source and Elastic Beanstalk as a deploymentprovider
D. Upload the application code to an AWS CodeCommit repository with an appspec.yml fileto configure and install the necessary software. Create an AWS CodeDeploy deploymentgroup associated with an Amazon EC2 Auto Scaling group Create an AWS CodePipelinepipeline that uses CodeCommit as a source and CodeDeploy as a deployment provider 



Question # 36

A company is building a serverless application that uses AWS Lambda functions to processdata.A BeginResponse Lambda function initializes data in response to specific applicationevents. The company needs to ensure that a large number of Lambda functions areinvoked after the BeginResponse Lambda function runs. Each Lambda function must beinvoked in parallel and depends on only the outputs of the BeginResponse Lambdafunction. Each Lambda function has retry logic for invocation and must be able to fine-tuneconcurrency without losing data.Which solution will meet these requirements with the MOST operational efficiency?

A. Create an Amazon Simple Notification Service (Amazon SNS) topic. Modify theBeginResponse Lambda function to publish to the SNS topic before the BeginResponseLambda function finishes running. Subscribe all Lambda functions that need to invoke afterthe BeginResponse Lambda function runs to the SNS topic. Subscribe any new Lambdafunctions to the SNS topic.
B. Create an Amazon Simple Queue Service (Amazon SQS) queue for each Lambdafunction that needs to run after the BeginResponse Lambda function runs. Subscribe eachLambda function to its own SQS queue. Create an Amazon Simple Notification Service(Amazon SNS) topic. Subscribe each SQS queue to the SNS topic. Modify theBeginResponse function to publish to the SNS topic when it finishes running. 
C. Create an Amazon Simple Queue Service (Amazon SQS) queue for each Lambdafunction that needs to run after the BeginResponse Lambda function runs. Subscribe theLambda function to the SQS queue. Create an Amazon Simple Notification Service(Amazon SNS) topic for each SQS queue. Subscribe the SQS queues to the SNS topics.Modify the BeginResponse function to publish to the SNS topics when the function finishesrunning.
D. Create an AWS Step Functions Standard Workflow. Configure states in the workflow toinvoke the Lambda functions sequentially. Create an Amazon Simple Notification Service(Amazon SNS) topic. Modify the BeginResponse Lambda function to publish to the SNStopic before the Lambda function finishes running. Create a new Lambda function that issubscribed to the SNS topic and that invokes the Step Functions workflow



Question # 37

A company needs to adopt a multi-account strategy to deploy its applications and theassociated CI/CD infrastructure. The company has created an organization in AWSOrganizations that has all features enabled. The company has configured AWS ControlTower and has set up a landing zone.The company needs to use AWS Control Tower controls (guardrails) in all AWS accountsin the organization. The company must create the accounts for a multi-environmentapplication and must ensure that all accounts are configured to an initial baseline.Which solution will meet these requirements with the LEAST operational overhead?

A. Create an AWS Control Tower Account Factory Customization (AFC) blueprint that usesthe baseline configuration. Use AWS Control Tower Account Factory to provision adedicated AWS account for each environment and a CI/CD account by using the blueprint. 
B. Use AWS Control Tower Account Factory to provision a dedicated AWS account foreach environment and a CI/CD account. Use AWS CloudFormation StackSets to apply thebaseline configuration to the new accounts
C. Use Organizations to provision a multi-environment AWS account and a CI/CD account.In the Organizations management account, create an AWS Lambda function that assumesthe Organizations access role to apply the baseline configuration to the new accounts.
D. Use Organizations to provision a dedicated AWS account for each environment, anaudit account, and a CI/CD account. Use AWS CloudFormation StackSets to apply thebaseline configuration to the new accounts.



Question # 38

A company built its serverless infrastructure on AWS. The infrastructure consists of anAmazon API Gateway REST API, multiple AWS Lambda functions, and AmazonEventBridge.The company wants to be aware of any new supply chain attacks that the company'sCI/CD pipelines do not catch. The company needs a solution to detect malicious activity inthe deployed applicationWhich solution meets these requirements?

A. Enable AWS WAF for the API Gateway REST API. Configure an AWS WAF ACL. Addthe known bad inputs managed rule group.
B. Enable Amazon GuardDuty. Enable Lambda Protection. Use EventBridge for eventnotifications.
C. Deploy AWS CloudFormation Guard in the CI/CD pipelines. Write rules to catch thesupply chain attacks. 
D. Create a firewall in AWS Network Firewall. Configure a policy. Add the managed rule forthe Emerging Threats rule group. 



Question # 39

A company has developed a web application that conducts seasonal sales on publicholidays. The web application is deployed on AWS and uses AWS services for storage,database, computing, and encryption. During seasonal sales, the company expects highnetwork traffic from many users. The company must receive insights regarding anyunexpected behavior during the sale. A DevOps team wants to review the insights upondetecting anomalous behaviors during the sale. The DevOps team wants to receiverecommended actions to resolve the anomalous behaviors. The recommendations must beprovided on the provisioned infrastructure to address issues that might occur in the future.Which combination of steps will meet these requirements with the LEAST operationaloverhead? (Select TWO.)

A. Enable Amazon DevOps Guru in the AWS account. Determine the coverage for DevOpsGuru for all supported AWS resources in the account. Use the DevOps Guru dashboard tofind the analysis, recommendations, and related metrics. 
B. Create an Amazon Simple Notification Service (Amazon SNS) topic. Configure AmazonDevOps Guru to send notifications about important events to the company when anomaliesare identified. 
C. Create an Amazon S3 bucket. Store Amazon CloudWatch logs, AWS CloudTrail data,and AWS Config data in the S3 bucket. Use Amazon Athena to generate insights on thedata. Create a dashboard by using Amazon QuickSight. 
D. Configure email message reports for an Amazon QuickSight dashboard. Schedule andsend the email reports to the company
E. Create an Amazon Simple Notification Service (Amazon SNS) topic. Configure AmazonAthena to send query results about important events to the company when anomalies areidentified. 



Question # 40

A DevOps team deploys an ECS app behind an ALB using CodeDeploy with all-at-oncestrategy. Recent deployment increased response times, requiring rollback. The team wantsa deployment strategy to monitor new versions before full traffic shift and rollback quickly ifissues occur.Which steps meet these requirements? (Select TWO.)

A. Use CodeDeployDefault.ECSCanary10Percent5Minutes deployment configuration. 
B. Use CodeDeployDefault.ECSLinear10PercentEvery3Minutes deployment configuration. 
C. Create a CloudWatch alarm on ALB UnHealthyHostCount and associate it with thedeployment group for rollback.
D. Create a CloudWatch alarm on ALB TargetResponseTime and associate it with thedeployment group for rollback. 
E. Create a CloudWatch alarm on ALB TargetConnectionErrorCount and associate it withthe deployment group for rollback.



Question # 41

A company is migrating from its on-premises data center to AWS. The company currentlyuses a custom on-premises CI/CD pipeline solution to build and package software.The company wants its software packages and dependent public repositories to beavailable in AWS CodeArtifact to facilitate the creation of application-specific pipelines.Which combination of steps should the company take to update the CI/CD pipeline solutionand to configure CodeArtifact with the LEAST operational overhead? (Select TWO.)

A. Update the CI/CD pipeline to create a VM image that contains newly packaged softwareUse AWS Import/Export to make the VM image available as anAmazon EC2 AMI. Launchthe AMI with an attached 1AM instance profile that allows CodeArtifact actions. Use AWSCLI commands to publish the packages to a CodeArtifact repository. 
B. Create an AWS Identity and Access Management Roles Anywhere trust anchor Createan 1AM role that allows CodeArtifact actions and that has a trust relationship on the trustanchor. Update the on-premises CI/CD pipeline to assume the new 1AM role and topublish the packages to CodeArtifact.
C. Create a new Amazon S3 bucket. Generate a presigned URL that allows the PutObjectrequest. Update the on-premises CI/CD pipeline to use thepresigned URL to publish thepackages from the on-premises location to the S3 bucket. Create an AWS Lambda functionthat runs when packages are created in the bucket through a put command Configure theLambda function to publish the packages to CodeArtifact 
D. For each public repository, create a CodeArtifact repository that is configured with anexternal connection Configure the dependent repositories as upstream public repositories
E. Create a CodeArtifact repository that is configured with a set of external connections tothe public repositories. Configure the external connections to be downstream of therepository 



Question # 42

A company’s web app runs on EC2 with a relational database. The company wants highlyavailable multi-Region architecture with latency-based routing for global customers.Which solution meets these requirements?

A. ALB in each Region with Auto Scaling groups; Aurora global database with readreplicas; Route 53 latency-based routing to ALBs.
B. ALB in each Region with Auto Scaling groups; RDS primary in one Region with readreplicas in others; Route 53 failover routing to ALBs. 
C. Elastic Beanstalk with ALB in each Region; Aurora global database with read replicas;CloudFront with custom origins for ALBs; Route 53 latency-based routing to CloudFront. 
D. Elastic Beanstalk with ALB in each Region; RDS primary in one Region with readreplicas; CloudFront with custom origins for ALBs; Route 53 failover routing to CloudFront. 



Question # 43

A company runs a microservices application on Amazon EKS. Users report delaysaccessing an account summary feature during peak hours. CloudWatch metrics and logsshow normal CPU and memory utilization on EKS nodes. The DevOps engineer cannotidentify where delays occur within the microservices.Which solution will meet these requirements?

A. Deploy the AWS X-Ray daemon as a DaemonSet in the EKS cluster. Use the X-RaySDK to instrument the application code. Redeploy the application. 
B. Enable CloudWatch Container Insights for the EKS cluster. Use the Container Insightsdata to diagnose delays. 
C. Create alarms based on existing CloudWatch metrics. Set up SNS email alerts. 
D. Increase the timeout settings in the application code for network operations. 



Question # 44

A company has many AWS accounts. During AWS account creation the company usesautomation to create an Amazon CloudWatch Logs log group in every AWS Region thatthe company operates in. The automaton configures new resources in the accounts topublish logs to the provisioned log groups in their Region.The company has created a logging account to centralize the logging from all the otheraccounts. A DevOps engineer needs to aggregate the log groups from all the accounts toan existing Amazon S3 bucket in the logging account.Which solution will meet these requirements in the MOST operationally efficient manner?

A. In the logging account create a CloudWatch Logs destination with a destination policy.For each new account subscribe the CloudWatch Logs log groups to the. DestinationConfigure a single Amazon Kinesis data stream and a single Amazon Kinesis DataFirehose delivery stream to deliver the logs from the CloudWatch Logs destination to theS3 bucket. 
B. In the logging account create a CloudWatch Logs destination with a destination policyfor each Region. For each new account subscribe the CloudWatch Logs log groups to thedestination. Configure a single Amazon Kinesis data stream and a single Amazon KinesisData Firehose delivery stream to deliver the logs from all the CloudWatch Logsdestinations to the S3 bucket.
C. In the logging account create a CloudWatch Logs destination with a destination policyfor each Region. For each new account subscribe the CloudWatch Logs log groups to thedestination Configure an Amazon Kinesis data stream and an Amazon Kinesis DataFirehose delivery stream for each Region to deliver the logs from the CloudWatch Logsdestinations to the S3 bucket. 
D. In the logging account create a CloudWatch Logs destination with a destination policy.For each new account subscribe the CloudWatch Logs log groups to the destination.Configure a single Amazon Kinesis data stream to deliver the logs from the CloudWatchLogs destination to the S3 bucket. 



Question # 45

A company's organization in AWS Organizations has a single OU. The company runsAmazon EC2 instances in the OU accounts. The company needs to limit the use of eachEC2 instance's credentials to the specific EC2 instance that the credential is assigned to. ADevOps engineer must configure security for the EC2 instances.Which solution will meet these requirements?

A. Create an SCP that specifies the VPC CIDR block. Configure the SCP to check whetherthe value of the aws:VpcSourcelp condition key is in the specified block. In the same SCPcheck, check whether the values of the aws:EC2lnstanceSourcePrivatelPv4 andaws:SourceVpc condition keys are the same. Deny access if either condition is false. Applythe SCP to the OU.
B. Create an SCP that checks whether the values of the aws:EC2lnstanceSourceVPC andaws:SourceVpc condition keys are the same. Deny access if the values are not the same.In the same SCP check, check whether the values of theaws:EC2lnstanceSourcePrivatelPv4 and awsVpcSourcelp condition keys are the same.Deny access if the values are not the same. Apply the SCP to the OU. 
C. Create an SCP that includes a list of acceptable VPC values and checks whether the value of the aws:SourceVpc condition key is in the list. In the same SCP check, define a list of acceptable IP address values and check whether the value of the aws:VpcSourcelp condition key is in the list. Deny access if either condition is false. Apply the SCP to each account in the organization
D. Create an SCP that checks whether the values of the aws:EC2lnstanceSourceVPC andaws:VpcSourcelp condition keys are the same. Deny access if the values are not the same.In the same SCP check, check whether the values of theaws:EC2lnstanceSourcePrivatolPv4 and aws:SourceVpc condition keys are the same.Deny access if the values are not the same. Apply the SCP to each account in theorganization.