An e-commerce company uses AWS CloudFormation to implement Infrastructure as Code for the entire organization.
Maintaining resources as stacks with CloudFormation has greatly reduced the management effort needed to manage and maintain the resources.
However, a few teams have been complaining of failing stack updates owing to out-of-band fixes running on the stack resources.
Which of the following is the best solution that can help in keeping the CloudFormation stack and its resources in sync with each other? Use Drift Detection feature of CloudFormation Use CloudFormation in Elastic Beanstalk environment to reduce direct changes to CloudFormation resources Use Tag feature of CloudFormation to monitor the changes happening on specific resources Use Change Sets feature of CloudFormation.
A company is using a Border Gateway Protocol (BGP) based AWS VPN connection to connect from its on-premises data center to Amazon EC2 instances in the company’s account.
The development team can access an EC2 instance in subnet A but is unable to access an EC2 instance in subnet B in the same VPC.
Which logs can be used to verify whether the traffic is reaching subnet B? VPC Flow Logs Subnet logs VPN logs BGP logs.
You are an administrator for a video-on-demand web application where content creators upload videos directly into S3.
Recent support requests from customers state that uploading video files near 500GB size causes the website to break.
After doing some investigation you find the following error: 'Your proposed upload exceeds the maximum allowed size'.
What must you do to solve this error? You need to use multi-part upload for large files The maximum file size is 5 GB Your IAM permissions are incorrect You need to place a service limit request increase with AWS.
The development team at a HealthCare company has deployed EC2 instances in AWS Account A.
These instances need to access patient data with Personally Identifiable Information (PII) on multiple S3 buckets in another AWS Account B.
As a Developer Associate, which of the following solutions would you recommend for the given use-case? Create an IAM role with S3 access in Account B and set Account A as a trusted entity. Create another role (instance profile) in Account A and attach it to the EC2 instances in Account A and add an inline policy to this role to assume the role from Account B Create an IAM role (instance profile) in Account A and set Account B as a trusted entity. Attach this role to the EC2 instances in Account A and add an inline policy to this role to access S3 data from Account B Copy the underlying AMI for the EC2 instances from Account A into Account B. Launch EC2 instances in Account B using this AMI and then access the PII data on Amazon S3 in Account B Add a bucket policy to all the Amazon S3 buckets in Account B to allow access from EC2 instances in Account A.
A company has created an Amazon S3 bucket that holds customer data.
The team lead has just enabled access logging to this bucket.
The bucket size has grown substantially after starting access logging. Since no new files have been added to the bucket, the perplexed team lead is looking for an answer.
Which of the following reasons explains this behavior? S3 access logging is pointing to the same bucket and is responsible for the substantial growth of bucket size Erroneous Bucket policies for batch uploads can sometimes be responsible for the exponential growth of S3 Bucket size A DDOS attack on your S3 bucket can potentially blow up the size of data in the bucket if the bucket security is compromised during the attack Object Encryption has been enabled and each object is stored twice as part of this configuration.
You have created a continuous delivery service model with automated steps using AWS CodePipeline.
Your pipeline uses your code, maintained in a CodeCommit repository, AWS CodeBuild, and AWS Elastic Beanstalk to automatically deploy your code every time there is a code change.
However, the deployment to Elastic Beanstalk is taking a very long time due to resolving dependencies on all of your 100 target EC2 instances.
Which of the following actions should you take to improve performance with limited code changes? Bundle the dependencies in the source code during the build stage of CodeBuild Bundle the dependencies in the source code in CodeCommit Store the dependencies in S3, to be used while deploying to Beanstalk Create a custom platform for Elastic Beanstalk.
The Development team at a media company is working on securing their databases.
Which of the following AWS database engines can be configured with IAM Database Authentication? (Select two) RDS MySQL RDS PostGreSQL RDS Oracle Aurora RDS Sequel Server.
Your team lead has asked you to learn AWS CloudFormation to create a collection of related AWS resources and provision them in an orderly fashion. You decide to provide AWS-specific parameter types to catch invalid values.
When specifying parameters which of the following is not a valid Parameter type? DependentParameter String CommaDelimitedList AWS::EC2::KeyPair::KeyName.
A startup has been experimenting with DynamoDB in its new test environment.
The development team has discovered that some of the write operations have been overwriting existing items that have the specified primary key.
This has messed up their data, leading to data discrepancies.
Which DynamoDB write option should be selected to prevent this kind of overwriting? Conditional writes Batch writes Atomic Counters Use Scan operation.
The development team at a multi-national retail company wants to support trusted third-party authenticated users from the supplier organizations to create and update records in specific DynamoDB tables in the company's AWS account.
As a Developer Associate, which of the following solutions would you suggest for the given use-case? Use Cognito Identity pools to enable trusted third-party authenticated users to access DynamoDB Use Cognito User pools to enable trusted third-party authenticated users to access DynamoDB Create a new IAM user in the company's AWS account for each of the third-party authenticated users from the supplier organizations. The users can then use the IAM user credentials to access DynamoDB Create a new IAM group in the company's AWS account for each of the third-party authenticated users from the supplier organizations. The users can then use the IAM group credentials to access DynamoDB.
The app development team at a social gaming mobile app wants to simplify the user sign up process for the app.
The team is looking for a fully managed scalable solution for user management in anticipation of the rapid growth that the app foresees.
As a Developer Associate, which of the following solutions would you suggest so that it requires the LEAST amount of development effort? Use Cognito User pools to facilitate sign up and user management for the mobile app Use Cognito Identity pools to facilitate sign up and user management for the mobile app Create a custom solution with EC2 and DynamoDB to facilitate sign up and user management for the mobile app Create a custom solution with Lambda and DynamoDB to facilitate sign up and user management for the mobile app.
A CRM application is hosted on Amazon EC2 instances with the database tier using DynamoDB.
The customers have raised privacy and security concerns regarding sending and receiving data across the public internet.
As a developer associate, which of the following would you suggest as an optimal solution for providing communication between EC2 instances and DynamoDB without using the public internet? Configure VPC endpoints for DynamoDB that will provide required internal access without using public internet The firm can use a virtual private network (VPN) to route all DynamoDB network traffic through their own corporate network infrastructure Create a NAT Gateway to provide the necessary communication channel between EC2 instances and DynamoDB Create an Internet Gateway to provide the necessary communication channel between EC2 instances and DynamoDB.
As a Senior Developer, you are tasked with creating several API Gateway powered APIs along with your team of developers.
The developers are working on the API in the development environment, but they find the changes made to the APIs are not reflected when the API is called.
As a Developer Associate, which of the following solutions would you recommend for this use-case? Redeploy the API to an existing stage or to a new stage Developers need IAM permissions on API execution component of API Gateway Enable Lambda authorizer to access API Use Stage Variables for development state of API .
A developer in your company was just promoted to Team Lead and will be in charge of code deployment on EC2 instances via AWS CodeCommit and AWS CodeDeploy.
Per the new requirements, the deployment process should be able to change permissions for deployed files as well as verify the deployment success.
Which of the following actions should the new Developer take? Define an appspec.yml file in the root directory Define a buildspec.yml file in the root directory Define a buildspec.yml file in the codebuild/ directory Define an appspec.yml file in the codebuild/ directory.
An Accounting firm extensively uses Amazon EBS volumes for persistent storage of application data of Amazon EC2 instances.
The volumes are encrypted to protect the critical data of the clients.
As part of managing the security credentials, the project manager has come across a policy snippet that looks like the following:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Allow for use of this Key",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:role/UserRole"
},
"Action": [
"kms:GenerateDataKeyWithoutPlaintext",
"kms:Decrypt"
],
"Resource": "*"
},
{
"Sid": "Allow for EC2 Use",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:role/UserRole"
},
"Action": [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"kms:ViaService": "ec2.us-west-2.amazonaws.com"
}
}
]
} The first statement provides a specified IAM principal the ability to generate a data key and decrypt that data key from the CMK when necessary The first statement provides the security group the ability to generate a data key and decrypt that data key from the CMK when necessary The second statement in this policy provides the security group (mentioned in the first statement of the policy), the ability to create, list, and revoke grants for Amazon EC2 The second statement in the policy mentions that all the resources stated in the first statement can take the specified role which will provide the ability to create, list, and revoke grants for Amazon EC2.
|
