Free AWS DevOps Engineer Exam Questions DOP-C02

AWS Certified DevOps Engineer - Professional (DOP-C02) Exam Questions

The exam has the following content domains	Weighting %
Domain 1: SDLC Automation	22% of scored content
Domain 2: Configuration Management and IaC	17% of scored content
Domain 3: Resilient Cloud Solutions	15% of scored content
Domain 4: Monitoring and Logging	15% of scored content
Domain 5: Incident and Event Response	14% of scored content
Domain 6: Security and Compliance	17% of scored content

1 / 76

1. Your organization has deployed several applications across different AWS services, including Amazon EC2, AWS Lambda, and Amazon ECS. You've been tasked with setting up a centralized log management solution to ingest, store, and analyze logs from all these sources in real time.

Which AWS service combination is most appropriate for centralized real-time log ingestion and analysis?

A) Amazon CloudWatch Logs for ingestion and Amazon Elasticsearch Service for analysis.

B) AWS CloudTrail for ingestion and Amazon QuickSight for analysis.

C) Amazon Kinesis Data Firehose for ingestion and Amazon S3 for storage, with Amazon Athena for analysis.

D) AWS Direct Connect for ingestion and Amazon Redshift for analysis.

2 / 76

2. A company stores legal documents in an Amazon S3 bucket. These documents come from the AWS Management Console and several applications for which the company lacks access to the source code. The company's legal team interacts with these documents through a web application. The legal team can mark individual documents for legal hold by setting a LegalHold tag to true.

A DevOps engineer must create an automated process to delete all objects that are more than 90 days old and that have not been marked for legal hold.

Which combination of steps should the DevOps engineer take to meet these requirements? (Select TWO.)

A) Create an S3 bucket policy that denies PutObject where "StringNotEquals": { "s3:RequestObjectTag/LegalHold": ["true", "false"] }.

B) Create an S3 Lifecycle policy for the S3 bucket that deletes objects that are older than 90 days.

C) Set an S3 event notification to initiate an AWS Lambda function upon object creation. Configure the Lambda function to add the LegalHold tag with a value of false if the tag is not present in the request.

D) Create an S3 bucket policy that uses the "StringEquals": { "s3:ExistingObjectTag/LegalHold": "true" } condition to deny s3:DeleteObject for all objects that have been marked for legal hold.

E) Create an S3 Lifecycle policy that includes a filter rule for the LegalHold tag with a value equal to false. Configure the S3 Lifecycle policy to delete objects that are older than 90 days.

3 / 76

3. An e-commerce platform has detected unusual login activities on its website, indicating a potential security breach. The security team needs to respond quickly to investigate the incident, mitigate risks, and ensure customer data safety.

What steps should the security team take to effectively respond to this security incident?

A) Trigger an AWS Lambda function using Amazon CloudWatch Events to analyze the login activity logs, block suspicious IPs using AWS WAF, and notify the security team via Amazon SNS.

B) Enable AWS Config rules to monitor for unauthorized access attempts, automatically isolate affected resources using AWS Security Hub findings, and generate incident response playbooks using AWS Systems Manager.

C) Utilize Amazon GuardDuty to continuously monitor for malicious activities, trigger AWS Step Functions workflows for incident response and containment, and send notifications through Amazon EventBridge.

D) Implement AWS CloudTrail to capture API activity logs, create CloudWatch Alarms for specific security events, and leverage AWS Security Hub for centralized security insights and alerts.

4 / 76

4. Your team has developed a web application hosted on AWS, and you've been tasked with monitoring its performance closely. You decide to use Amazon CloudWatch to monitor custom metrics specific to your application's performance. These metrics include the number of active users, response times, and error rates.
How can you publish these custom metrics to Amazon CloudWatch?

A) Use the AWS SDK to send the custom metrics directly to CloudWatch from within your application code.

B) Configure AWS CloudTrail to track these application events and automatically publish them as CloudWatch metrics.

C) Utilize Amazon Kinesis Data Firehose to capture application logs and transform them into CloudWatch metrics.

D) Implement AWS Lambda functions to parse application logs stored in Amazon S3 and publish the extracted metrics to CloudWatch.

5 / 76

5. The organization wants to ensure that all IAM policies created in any account under the Production OU enforce the principle of least privilege by requiring MFA (Multi-Factor Authentication) to perform any actions on AWS resources. How can this requirement be implemented effectively?

A) Use AWS Config to automatically attach an MFA enforcement policy to every IAM user in the Production accounts.

B) Apply an SCP at the Production OU level that denies all actions unless MFA is used.

C) Manually audit and update all IAM policies in the Production accounts to include an MFA condition.

D) Enable AWS IAM Access Analyzer across the organization to identify and remediate policies not enforcing MFA.

6 / 76

6. Michael is a solutions architect tasked with managing the infrastructure as code for a large-scale AWS environment. He uses AWS CloudFormation templates to define the architecture and provisions resources efficiently. However, sometimes CloudFormation deployments fail due to errors in the template or resource limitations.

Which of the following statements is true regarding analyzing failed CloudFormation deployments?

A) AWS CloudFormation provides real-time insights into the status of resource provisioning using AWS Health, allowing Michael to quickly identify failed deployments.

B) Michael can use AWS CloudTrail to audit changes made to CloudFormation stacks and identify the root cause of deployment failures.

C) CloudFormation automatically retries failed resource provisioning attempts with exponential backoff to mitigate transient errors during deployments.

D) AWS CodePipeline integrates seamlessly with CloudFormation to trigger automatic rollbacks in case of deployment failures, ensuring the integrity of the infrastructure.

7 / 76

7. A large financial institution is migrating its on-premises infrastructure to AWS using Infrastructure as Code (IaC) tools. They need to implement a change management process that ensures regulatory compliance, tracks all changes made to the infrastructure, and provides detailed audit logs. Which combination of AWS services can best meet these requirements?

A) AWS CloudFormation and AWS Config

B) AWS CodePipeline and AWS CloudTrail

C) AWS Service Catalog and AWS Systems Manager

D) AWS Control Tower and AWS Security Hub

8 / 76

8. A company manages an application that runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances are part of an Amazon EC2 Auto Scaling group. The application deployment process sometimes leads to an inconsistent configuration of the EC2 instances. The inconsistency results from differences when the instances are first launched or from manual changes that are performed on individual instances. The company wants a new process that ensures that all EC2 instances are identical, both at launch and throughout their lifetime.

Which solution will meet these requirements?

A) Create a new AMI that is fully configured to meet company standards for each operating system update. Whenever the application or AMI changes, update the Auto Scaling group's launch configuration. Configure the launch configuration to use the NewestInstance termination policy. Disable all operating system console access on the instances. Use AWS Systems Manager to perform any emergency maintenance on the entire group.

B) Use an AMI that is provided by AWS. Download the latest security patches upon launch by using the instance user data. Configure the Auto Scaling group's launch configuration to use the OldestLaunchConfiguration termination policy. Whenever the application or AMI changes, update the launch configuration. Double the size of the Auto Scaling group. When the group is fully populated, return the group to its original size. Disable all operating system console access on the instances. Use AWS Systems Manager to perform any emergency maintenance on the entire group.

C) Create a new AMI that is fully configured to meet company standards for each operating system update. Configure the Auto Scaling group's launch configuration to use the OldestLaunchConfiguration termination policy. Whenever the application or AMI changes, update the launch configuration. Double the size of the Auto Scaling group. When the group is fully populated, return the group to its original size. Use AWS Config to perform any emergency maintenance on the entire group.

D) Create a new AMI that is fully configured to meet company standards for each operating system update. Configure the Auto Scaling group's launch configuration to use the OldestLaunchConfiguration termination policy. Whenever the application or AMI changes, update the launch configuration. Double the size of the Auto Scaling group. When the group is fully populated, return the group to its original size. Disable all operating system console access on the instances. Use AWS Systems Manager to perform any emergency maintenance on the entire group.

9 / 76

9. Your organization operates multiple AWS accounts for development, testing, and production environments. You need to implement a CI/CD pipeline that can deploy applications across these accounts while maintaining isolation and security. Which deployment pattern would be most suitable for this scenario?

A) Single Pipeline with Cross-Account IAM Roles

B) Multiple Pipelines with Cross-Account IAM Roles

C) Single Pipeline with AWS Organizations Integration

D) Multiple Pipelines with AWS IAM Federation

10 / 76

10. A company runs an application on Amazon EC2 instances that use the latest version of the Amazon Linux 2 AMI. When server administrators apply new security patches, the server administrators manually remove affected instances from service, patch the instances, and place the instances back into service.
A new security policy requires the company to apply security patches within 7 days after patches are released. The company’s security team must verify that all the EC2 instances are compliant with this policy. The patching must occur during a time that has the least impact on users.
Which solution will automate compliance with these requirements?

A) Configure an AWS CodeBuild project to download and apply patches to all the instances over SSH. Use an Amazon EventBridge (Amazon CloudWatch Events) scheduled rule to run the CodeBuild project during a maintenance window.

B) Use AWS Systems Manager Patch Manager to create a patch baseline. Create a script on the EC2 instances to use the AWS CLI to pull the latest patches from Patch Manager. Create a cron job to schedule the script to run during a maintenance window.

C) Create a script to apply any available security patches. Create a cron job to schedule the script to run during a maintenance window. Install the script and cron job on the application AMI. Redeploy the application.

D) Enlist all the EC2 instances in an AWS Systems Manager Patch Manager patch group. Use Patch Manager to create a patch baseline. Configure a maintenance window to apply the patch baseline.

11 / 76

11. A Development team wants to set up an AWS CodeCommit repository. Developers should be able push changes to their own branches, but they should not be allowed to push commits or merge pull requests into the master branch. Additionally, whenever a commit or merge occurs into the master branch, the Project Manager needs to receive a notification. Which combination of steps will protect the master branch and send the alert with the shortest delay? (Select TWO.)

A) Attach an AWS IAM policy to the developer IAM group that denies the actions of pushing commits, merging pull requests, and adding files to the master branch

B) Attach a resource policy to the CodeCommit repository that denies members of the IAM developer group the actions of pushing commits, merging pull requests, and adding files to the master branch.

C) Set up a an AWS Lambda function that runs every 15 minutes to check for repository changes and publishes a notification to an Amazon SNS topic.

D) Set up an Amazon CloudWatch Events rule triggered by a CodeCommit Repository State Change event for the master branch and add an Amazon SNS topic as a target.

E) Configure AWS CloudTrail to send log events to Amazon CloudWatch Logs. Define a metric filter to identify repository events. Create a CloudWatch alarm with an Amazon SNS topic as a target.

12 / 76

12. An application you manage needs to dynamically adjust its configuration based on changes in the environment, such as varying load conditions, deployment of new features, or updated compliance policies. This dynamic configuration must be applied without causing downtime or requiring manual intervention.
What approach allows for dynamic reconfiguration of your application in response to environmental changes, ensuring high availability and minimal manual effort?

A) Configure AWS Config rules to automatically trigger AWS Systems Manager Automation documents for reconfiguration tasks.

B) Utilize AWS Lambda to monitor environmental changes through CloudWatch Events and trigger AWS Systems Manager State Manager to apply configuration updates.

C) Use AWS OpsWorks lifecycle events to automatically adjust configurations in response to state changes within your application stacks.

D) Implement manual polling mechanisms in your application code to check for environmental changes and apply configuration updates as needed.

13 / 76

13. A company uses AWS CloudTrail on all its AWS accounts and sends all trails to a centralized Amazon S3 bucket. The company sends specified events to a third-party logging tool by using S3 event notifications and an AWS Lambda function.
The company has hired a security services provider to set up a security operations center. The security services provider wants to receive the CloudTrail logs through an Amazon Simple Queue Service (Amazon SQS) queue. The company must continue to use S3 event notifications and the Lambda function to send events to the third-party logging tool.
What is the MOST operationally efficient way to meet these requirements?

A) Add an additional notification to the S3 bucket for all CreateObject events to send all objects to the SQS queue.

B) Replace the existing S3 event notification destination with an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the Lambda function and the SQS queue to the topic

C) Replace the existing S3 event notification destination with an Amazon Kinesis data stream. Create consumers for the Lambda function and the SQS queue.

D) Configure the trail to send logs to Amazon CloudWatch Logs. Subscribe the SQS queue to the CloudWatch Logs log group.

14 / 76

14. A company hired a third-party development team to build a web-based application. The application runs on Amazon EC2 instances across multiple Availability Zones. The application writes JSON log files locally. Each log entry is a separate JSON object. The log entries include application events and informational entries that contain personally identifiable information (PII) such as phone number and address.

The third-party team wants to access the application logs on the EC2 instances to perform root cause analysis when issues and errors occur. The third-party team needs access to the application data but must not be able to access the PII. The company must grant the third-party team access to view the application log files without providing SSH access directly to the production servers.

Which solution will meet these requirements MOST cost-effectively?

A) Set up a centralized syslog server on EC2 instances to collect all application server logs. Use AWS Batch to schedule a daily job to consume the logs from the syslog server. Ensure that the batch task filters the data to output only application event log entries to an Amazon S3 bucket. Grant the third-party team access to the S3 bucket that contains the logs.

B) Send the application log files from the EC2 instances to Amazon CloudWatch Logs by using the unified CloudWatch agent. Create an AWS Lambda function that receives log entries and writes them to an Amazon OpenSearch Service cluster. Subscribe the Lambda function to the CloudWatch Logs log group with a subscription filter that sends only application events. Share the OpenSearch Dashboards login URL with the third-party team.

C) Send the application log files from the EC2 instances to an Amazon Kinesis Data Firehose delivery stream by using the unified CloudWatch agent. Enable data transformation on the delivery stream with an AWS Lambda function that drops all log entries except the application events. Deliver the delivery stream to an Amazon S3 bucket. Grant the third-party team access to the S3 bucket that contains the logs.

D) Send the application log files from the EC2 instances to Amazon CloudWatch Logs by using the unified CloudWatch agent. Create an AWS Lambda function that receives log entries and writes them to an Amazon S3 bucket. Subscribe the Lambda function to the CloudWatch Logs log group with a subscription filter that sends only application events. Grant the third-party team access to the S3 bucket that contains the logs.

15 / 76

15. A company wants to analyze its application logs in real time to identify trends, detect anomalies, and trigger alerts based on specific patterns. The application logs are stored in CloudWatch Logs, and the company is considering AWS services that can process and analyze these logs in real time.
Which AWS service should the company use for real-time processing and analysis of CloudWatch log data?

A) Configure a CloudWatch Logs subscription to stream data directly to Amazon Redshift for analysis.

B) Use Amazon Kinesis Data Firehose to stream logs from CloudWatch to Amazon S3, and then query the logs with Amazon Athena.

C) Set up a CloudWatch Logs subscription to invoke an AWS Lambda function for real-time log processing and analysis.

D) Stream logs from CloudWatch to Amazon Elasticsearch Service (now known as Amazon OpenSearch Service) for real-time analysis.

16 / 76

16. For a high-security project, you need to ensure that all secrets used in AWS CodePipeline for deployment are encrypted at rest. Which of the following is true regarding the encryption of secrets in AWS CodePipeline?

A) AWS CodePipeline automatically encrypts all secrets using AWS KMS.

B) Secrets in AWS CodePipeline must be manually encrypted by the user before use.

C) AWS CodePipeline support only AES encryption of secrets.

D) Only secrets stored in AWS Secrets Manager and referenced in AWS CodePipeline are encrypted.

17 / 76

17. Your application needs to scale very quickly in response to changes in workload. To achieve this, you decide to monitor application load with high-resolution custom metrics in CloudWatch, allowing for more timely and granular autoscaling decisions.
How can you publish high-resolution custom metrics to CloudWatch to support rapid scaling?

A) Publish custom metrics with a standard resolution and adjust the autoscaling policy to scale based on average trends.

B) Use the PutMetricData API action and specify a granularity of one second for high-resolution metrics.

C) Increase the frequency of metric collection by deploying multiple CloudWatch agents per host.

D) Configure your application to send metrics to Amazon Kinesis, which then aggregates and publishes them to CloudWatch every second.

18 / 76

18. A company's web application is hosted on AWS using Auto Scaling to manage the fleet of EC2 instances based on demand. Recently, there was a spike in traffic that led to instances failing to launch properly, impacting the application's performance.
How can the operations team analyze the incident related to failed instance launches in the Auto Scaling group?

A) Review CloudWatch Metrics for CPU utilization, check Auto Scaling group activity logs in Amazon CloudTrail, analyze EC2 instance system logs in Amazon S3, and enable detailed monitoring for enhanced visibility.

B) Utilize Amazon Inspector for security assessment, configure AWS Config for resource tracking, investigate Auto Scaling group health checks in Amazon CloudWatch, and trigger notifications through Amazon SNS.

C) Monitor Auto Scaling group events in AWS Management Console, set up CloudWatch Alarms for instance launch failures, analyze VPC Flow Logs for network traffic anomalies, and review Auto Scaling lifecycle hooks configuration.

D) Implement AWS X-Ray for distributed tracing, enable AWS Health Dashboard for service insights, conduct performance testing with AWS Device Farm, and use AWS Step Functions for incident response automation.

19 / 76

19. A DevOps Engineer has been asked to automate security compliance for a company. The company has developed custom AWS Config rules to detect non-compliant security configurations. When compliance issues are detected, the company wants issues to be automatically remediated and the Security team to be notified over the internal security message channel. The message board has a REST interface that publishes the body of HTTPS POST requests over the channel.
Which combination of steps would successfully meet these requirements in the MOST cost-effective way? (Select THREE.)

A) Create an Amazon CloudWatch Events rule that publishes configuration item change notifications to an Amazon SNS topic.

B) Create an Amazon CloudWatch Events rule that publishes compliance change notifications to an Amazon SNS topic.

C) Configure AWS Config to publish configuration item change notifications to an Amazon SNS topic.

D) Create an Amazon API Gateway RESTful API with AWS integration to AWS Config. Subscribe the API to the Amazon SNS topic.

E) Subscribe the message channel HTTPS endpoint to the Amazon SNS topic.

F) Write an AWS Lambda function that addresses the non-compliant security configuration. Subscribe the function to the Amazon SNS topic.

20 / 76

20. A healthcare organization hosts a critical patient management system on AWS and needs to ensure high availability and rapid incident response. The IT team wants to leverage AWS Health and other services for proactive monitoring and timely resolution of incidents.

How can the IT team utilize AWS Health and related services for health monitoring and incident response in a healthcare system?

A) Utilize AWS Shield for DDoS protection, enable AWS Artifact for compliance reporting, leverage AWS Security Hub for security insights, trigger incident response playbooks with Amazon EventBridge, and maintain incident response runbooks in AWS OpsWorks.

B) Implement Amazon GuardDuty for threat detection, configure AWS Health API for custom health checks, orchestrate incident response workflows with AWS Step Functions, send notifications through Amazon SNS, and store incident logs in Amazon S3 Glacier for compliance.

C) Monitor system health with Amazon CloudWatch Alarms, integrate AWS Health Dashboard for service status updates, set up AWS Personal Health Dashboard alerts, automate incident response with AWS Systems Manager Automation documents, and conduct post-incident reviews using Amazon QuickSight.

D) Enable AWS Direct Connect for secure connectivity, leverage AWS Trusted Advisor for cost optimization, use AWS Health events for operational insights, trigger incident response actions with AWS Lambda functions, and conduct incident retrospectives using Amazon Athena.

21 / 76

21. Your team has developed a new feature for your application and wants to ensure that this feature does not negatively impact the performance of your existing application. Which type of testing should you perform?

A) Unit Testing

B) Integration Testing

C) Regression Testing

D) Security Testing

22 / 76

22. Mark is a security engineer tasked with designing a robust security architecture for a web application hosted on AWS. The application consists of multiple microservices deployed on Amazon EC2 instances behind an Application Load Balancer (ALB). Mark wants to implement defense in depth by combining various AWS security controls.

Which of the following statements is true regarding combining security controls for defense in depth on AWS?

A) Mark can use AWS WAF (Web Application Firewall) to inspect and filter traffic at the application layer, providing protection against common web exploits.

B) Amazon Detective automatically analyzes VPC flow logs and DNS logs to detect and investigate security threats across the AWS environment.

C) Mark can configure AWS Security Hub to centralize security findings from multiple AWS services, providing a comprehensive view of the security posture.

D) Network ACLs (Access Control Lists) are stateful, allowing Mark to define both inbound and outbound rules to control traffic flow at the subnet level.

23 / 76

23. Your team is tasked with deploying a high-traffic web application globally on AWS, requiring zero downtime during deployments and the ability to perform A/B testing for new features. Which deployment architecture should you use to meet these requirements?

A) Mutable deployments with Amazon EC2 Auto Scaling groups and attaching instances to an Application Load Balancer (ALB).

B) Immutable deployments with AWS Fargate and Amazon CloudFront to distribute different versions of the application based on geographic location.

C) Immutable deployments using Amazon Route 53 weighted routing policies for A/B testing and AWS Lambda for backend services.

D) Immutable deployments using Global Accelerator and Amazon ECS with Blue/Green deployment through AWS CodeDeploy for zero downtime and A/B testing.

24 / 76

24. You are tasked with deploying a web application that expects varying traffic, including unpredictable spikes. The application is containerized, and you want to ensure it scales automatically to meet demand without over-provisioning resources. Additionally, you want to abstract away the need to manage servers or clusters.

What AWS service would best facilitate the deployment and auto-scaling of a containerized web application without the need to manage servers?

A) Amazon EC2 with Auto Scaling groups.

B) AWS Lambda with Amazon API Gateway.

C) Amazon ECS with AWS Fargate launch type.

D) Amazon EKS with EC2 Auto Scaling groups.

25 / 76

25. A development team is designing an application that has a large customer base spread across three AWS Regions. The application will use an Amazon DynamoDB table that must be available in all three Regions to deliver low-latency data access. When the table is updated in one Region, the changes must seamlessly propagate to the other Regions.
How should a DevOps engineer configure the table to meet these requirements with the LEAST operational overhead?

A) Create a DynamoDB table in each of the three Regions. Give each table the same name.

B) Configure three DynamoDB tables in each of the three Regions. Use the AWS SDK for DynamoDB to synchronize data changes among the tables.

C) Configure a multi-Region, multi-active DynamoDB global table that includes the three Regions.

D) Use DynamoDB global tables to configure a primary table in one Region and a read replica in each of the other Regions.

26 / 76

26. A company deployed AWS resources by using an AWS CloudFormation template. The template specified only the properties necessary for the resource creation. The template inherited the default values for the remaining optional properties. To deploy the workload with proper configuration, the company had to reconfigure the default values outside of CloudFormation. The reconfiguration led to configuration inconsistencies.

The company wants to maintain all the settings for the properties through the template. The company wants to identify any changes made outside of CloudFormation and remediate the template back to the original configuration.

Which solution will meet these requirements with the LEAST implementation effort?

A) Update the template to specify resource configuration values for all properties, including default values. Create an AWS Lambda function that detects drift on the existing stack and updates the stack by using the existing template. Use an Amazon EventBridge rule to schedule the Lambda function to run daily.

B) Create an AWS Lambda function that detects drift on the existing stack and updates the stack by using the existing template. Use an Amazon EventBridge rule to schedule the Lambda function to run daily.

C) Update the template to specify resource configuration values for all properties, including default values. Use the cloudformation-stack-drift-detection-check AWS Config rule. Configure the rule’s automatic remediation action to run the AWS-UpdateCloudFormationStack AWS Systems Manager Automation runbook.

D) Use the cloudformation-stack-drift-detection-check AWS Config rule. Configure the rule’s automatic remediation action to run the AWS-UpdateCloudFormationStack AWS Systems Manager Automation runbook.

27 / 76

27. A company runs a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The EC2 instances run in an Amazon EC2 Auto Scaling group across multiple Availability Zones. According to the company's security policy, any EC2 instance that is launched must be registered with the company’s auditing service before the EC2 instance can start processing transactions.

Which solution will meet these requirements?

A) Add a lifecycle hook to the Auto Scaling group to put new instances in a Pending:Wait state. Call a custom script on the instance that registers the instance with the auditing service. Complete the lifecycle action with the CONTINUE value or the ABANDON value.

B) Write a bootstrap script in the EC2 instance's user data that registers the instance with the auditing software. Return an error code from the bootstrap script if registration fails.

C) Create an Amazon EventBridge scheduled event that runs every 5 minutes. Set an AWS Lambda function as the target of the event. In that Lambda function, scan the contents of the Auto Scaling group. If any EC2 instances have been launched, register the EC2 instances with the auditing service.

D) Create a rule for Amazon EventBridge events that runs when a new EC2 instance is launched. Set the target to be an AWS Lambda function that calls the auditing service to register the instance.

28 / 76

28. A DevOps team has an application that stores critical company assets in an existing Amazon S3 bucket. The team uses a single AWS Region. A new company policy requires the team to deploy the application to multiple Regions. The assets must always be accessible. Users must use the same endpoint to access the assets. Which combination of steps should the team take to meet these requirements in the MOST operationally
efficient way? (Select THREE.)

A) Use AWS CloudFormation StackSets to create a new S3 bucket that has versioning enabled in each required Region. Copy the assets from the existing S3 bucket to the new S3 buckets. Create an AWS Lambda function to copy files that are added to the new S3 bucket in the primary Region to the additional Regions.

B) Use AWS CloudFormation StackSets to create a new S3 bucket that has versioning enabled in each required Region. Create multiple S3 replication rules on the new S3 bucket in the primary Region to replicate all its contents to the additional Regions. Copy the assets from the existing S3 bucket to the new S3 bucket in the primary Region.

C) Create an Amazon CloudFront distribution. Configure new origins for each S3 bucket. Create an origin group that contains all the newly created origins. Update the default behavior of the distribution to use the new origin group.

D) Create an Amazon CloudFront distribution. Configure new origins for each S3 bucket. Create a Lambda@Edge function to validate the availability of the origin and to route the viewer request to an available nearby origin.

E) Create an Amazon Route 53 alias record. Configure a failover routing policy that uses the newly created S3 buckets as a target.

F) Create an Amazon Route 53 alias record. Configure a simple routing policy that uses the Amazon CloudFront distribution as a target.

29 / 76

29. A DevOps engineer manages several AWS accounts by using AWS Organizations. The DevOps engineer needs to monitor specific service quotas on a daily basis in all the accounts. The DevOps engineer also needs to receive notifications whenever service usage reaches 80% of the quota.

A) Enable trusted access between Service Quotas and Organizations. Create an Amazon CloudWatch alarm for each AWS service that is needed. Enter a threshold of 80% for the quota. Configure the alarm to send a message to an Amazon Simple Notification Service (Amazon SNS) topic when the alarm enters the ALARM state.

B) Create an AWS Lambda function that calls the DescribeTrustedAdvisorCheckResult AWS Support API operation. Configure the Lambda function to open a support case to increase any service quota in which the check is in WARN status. Deploy the Lambda function in every account. Create a daily scheduled event in Amazon EventBridge in a selected governing account to invoke the Lambda function in every account over the EventBridge bus.

C) Enable trusted access between Service Quotas and Organizations. Create an Amazon CloudWatch alarm for each AWS service that is needed. Enter a threshold of 80% for the quota. Configure the alarm to send a message by using Amazon EventBridge when the alarm enters the ALARM state.

D) Create an AWS Lambda function that calls the RefreshTrustedAdvisorCheck and DescribeTrustedAdvisorCheckResult AWS Support API operations. Configure the Lambda function to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic if any service quota checks are 80% or higher. Deploy the Lambda function in every account. Create a daily scheduled event in Amazon EventBridge in the Organizations management account to invoke the Lambda function in every account over the EventBridge bus.

30 / 76

30. A company is writing a web application. The application includes an Amazon API Gateway API that is integrated with AWS Lambda functions. The Lambda functions store data in an Amazon DynamoDB table. The Lambda functions store session information in an Amazon ElastiCache for Redis cluster.

What should a DevOps engineer do to deploy the application in the MOST operationally efficient manner?

A) Deploy all the infrastructure with an AWS Serverless Application Model (AWS SAM) template.

B) Deploy all the infrastructure with an AWS CloudFormation template. Use custom resources to deploy the API, Lambda functions, and DynamoDB table.

C) Deploy the ElastiCache cluster with an AWS CloudFormation template. Deploy the rest of the application with an AWS Serverless Application Model (AWS SAM) template.

D) Deploy all the infrastructure with an AWS CloudFormation template.

31 / 76

31. You have a global application that uses Amazon DynamoDB as its primary database. The application requires high availability and rapid disaster recovery capabilities across regions to handle region-specific outages without significant data loss or downtime.

Which approach best ensures high availability and disaster recovery for DynamoDB?

A) Implement cross-region replication using AWS Lambda to copy data from one region's DynamoDB table to another.

B) Manually copy DynamoDB table data to another region at scheduled intervals.

C) Regularly export DynamoDB table data to S3 buckets in multiple regions using Data Pipeline.

D) Use DynamoDB Global Tables to replicate data across multiple regions automatically.

32 / 76

32. A financial institution is deploying a new application that requires secure, scalable, and automated database provisioning. They need a way to include the database provisioning process as part of their infrastructure as code strategy. Which combination of AWS services should they use to achieve this?

A) AWS CloudFormation and Amazon RDS

B) AWS Elastic Beanstalk and Amazon DynamoDB

C) AWS OpsWorks and Amazon Aurora

D) Amazon EC2 and Amazon S3

33 / 76

33. John is a DevOps engineer tasked with automating the deployment and management of SSL/TLS certificates for a fleet of Amazon EC2 instances running a web application on AWS. He wants to streamline the process of certificate renewal and ensure continuous data protection.

Which of the following statements is true regarding automating security controls and data protection using AWS Certificates and PKI for EC2 instances?

A) John can use AWS CloudFormation to define infrastructure as code and automatically provision ACM SSL/TLS certificates for the EC2 instances during deployment.

B) AWS Systems Manager Parameter Store integrates with ACM to automate the storage and retrieval of private keys associated with SSL/TLS certificates used by the EC2 instances

C) John can configure AWS Config rules to automatically detect and remediate instances that are running with expired SSL/TLS certificates managed by ACM.

D) AWS Lambda functions can be scheduled to periodically check the expiration dates of SSL/TLS certificates managed by ACM and initiate the renewal process before they expire.

34 / 76

34. A company is designing a cross-region disaster recovery solution for an Amazon RDS PostgreSQL Multi-AZ DB instance. The disaster recovery solution requires an RPO of 4 hours and an RTO of 2 hours.
Which solution meets the requirements in the MOST cost-effective manner?

A) Create an AWS Lambda function that generates a SQL dump file and saves it in an Amazon S3 bucket in another region. Create an Amazon CloudWatch Events scheduled event to trigger the Lambda function every 4 hours. Create an RDS notification event to publish an Amazon SNS message for database availability events. Subscribe a Lambda function to the SNS topic that will launch a new database instance, execute the SQL dump file, and update the connection string for the application.

B) Create an AWS Lambda function that copies the latest automated snapshot to another region. Create an Amazon CloudWatch Events scheduled event to trigger the Lambda function every 4 hours. Create an RDS notification event to publish an Amazon SNS message for database availability events. Subscribe a Lambda function to the SNS topic that will restore the snapshot to a new instance in the disaster recovery region, and update the connection string for the application.

C) Configure a read replica for the database instance in a different region. Create an RDS notification event to publish an Amazon SNS message for database availability events. Create an AWS Lambda function that will promote the read replica and update the connection string for the application. Subscribe the Lambda function to the SNS topic.

D) Create an AWS Lambda function that creates an RDS snapshot and copies it to another region. Create an Amazon CloudWatch Events scheduled event to trigger the Lambda function every 4 hours. Create an RDS notification event to publish an Amazon SNS message for database availability events. Subscribe a Lambda function to the SNS topic that will restore the snapshot to a new instance in the disaster recovery region, and update the connection string for the application.

35 / 76

35. A company is developing Python applications that use AWS CodeCommit, AWS CodeBuild, and AWS CodePipeline. The company needs to incorporate an automatic assessment of the source code to identify potential issues and defects within the code before the code is compiled for use.

Which solution will meet these requirements?

A) Associate a CodeCommit repository with Amazon CodeGuru Profiler. Review any recommendations from pull requests in the console.

B) Configure Amazon CodeGuru Profiler during the prebuild phase of builds in CodeBuild projects. Review any recommendations from the projects in the console.

C) Associate a CodeCommit repository with Amazon CodeGuru Reviewer. Review any recommendations from pull requests in the console.

D) Configure Amazon CodeGuru Reviewer during the prebuild phase of builds in CodeBuild projects. Review any recommendations from the projects in the console.

36 / 76

36. A company allows development teams to create their own development and test environments in the AWS Cloud. The company's security team requires the installation of specific monitoring and security software on all Amazon EC2 instances. Consequently, the DevOps team has created a set of AMIs with the required security and monitoring software pre-installed. The DevOps team wants to implement a system to automate the discovery and termination of any EC2 instance that does not use the required AMIs.

How should the DevOps team implement this system to meet these requirements?

A) Create a set of approved products in AWS Service Catalog that use the approved AMIs. Grant the development users IAM permissions to provision the AWS Service Catalog products.

B) Create an SCP that explicitly denies the ec2:CreateInstance action if the AMI is not an approved AMI. Attach the SCP to an IAM group that is associated with the development users.

C) Use AWS Config rules to detect noncompliant EC2 instances. Set up a remediation action that terminates noncompliant EC2 instances.

D) Create AWS CloudFormation templates that use the approved AMIs. Grant the development users IAM permissions to create CloudFormation stacks from those templates.

37 / 76

37. Emma is a DevOps engineer responsible for managing the deployment pipeline for a web application hosted on AWS. The deployment process involves using AWS CodePipeline to orchestrate the build and deployment stages using AWS CodeBuild and AWS CodeDeploy. Occasionally, deployments fail due to various reasons, and Emma needs to analyze the root cause of these failures efficiently.

Which of the following statements is true regarding analyzing failed deployments in AWS?

A) AWS CodePipeline provides built-in integration with AWS X-Ray to trace failed deployment requests and identify bottlenecks in the deployment process.

B) AWS CodeBuild automatically retries failed build stages up to three times, reducing the need for manual intervention during the deployment process.

C) AWS CodeDeploy generates detailed deployment reports, including information about the status of each deployment step and any errors encountered.

D) Emma can use Amazon CloudWatch synthetic monitoring to simulate user interactions with the web application and identify performance issues that may lead to deployment failures.

38 / 76

38. A company uses AWS Organizations to manage multiple accounts. Each account uses several AWS Regions. The company needs to implement an automated solution to detect when any existing or new Amazon S3 bucket in any account or Region is made public. The solution must respond by blocking public access. The solution also must detect and respond to changes in ACLs and bucket policies.

Which solution will meet these requirements?

A) Create Amazon EventBridge global endpoints with event replication activated in each account. Select a designated security account for a secondary event bus. In the designated security account, configure EventBridge rules on the event bus to detect changes to object ACLs, bucket ACLs, and bucket policies. For each rule, target an AWS Lambda function to remove any public access on misconfigured S3 buckets.

B) Create an organization trail in AWS CloudTrail with the delivery S3 bucket in a designated security account. In the designated security account, configure Amazon EventBridge rules on the event bus to detect changes to object ACLs, bucket ACLs, and bucket policies. For each rule, target an AWS Lambda function to remove any public access on misconfigured S3 buckets.

C) Turn on Amazon EventBridge in all S3 buckets in each account. Configure EventBridge rules on the event bus to detect changes to object ACLs, bucket ACLs, and bucket policies. For each rule, target an AWS Lambda function to remove any public access on misconfigured S3 buckets.

D) Create an AWS Config rule in each account to detect public access in object ACLs, bucket ACLs, and bucket policies. Set up an automated remediation action for the rule. Use an AWS Systems Manager Automation runbook to remove any public access on misconfigured S3 buckets.

39 / 76

39. A web application stores its access logs in an Amazon S3 bucket. The development team wants to automatically process these logs upon arrival to extract meaningful insights, such as visitor trends and error rates. They also want these processed logs to be searchable in real-time.

How should the team configure the AWS environment to automate log processing and enable real-time search?

A) Configure S3 event notifications to trigger an AWS Lambda function that processes the logs and writes the results to a DynamoDB table. Use Amazon Athena to query the data in real-time.

B) Set up S3 event notifications to invoke an AWS Lambda function that parses the logs and then uses the PutLogEvents API to send the processed data directly to CloudWatch Logs.

C) Enable S3 event notifications to trigger an AWS Lambda function that processes the logs and streams the output to Amazon Kinesis Data Firehose, which then delivers the data to Amazon OpenSearch Service.

D) Use S3 Batch Operations to periodically invoke an AWS Lambda function for log processing, and configure the Lambda function to upload the processed logs to an Amazon Redshift cluster for analysis.

40 / 76

40. An application runs a web tier on stateless Amazon EC2 instances behind an Application Load Balancer. The application stores data in an Amazon RDS for MySQL Multi-AZ DB instance. A DevOps engineer is creating a disaster recovery (DR) solution that includes a second AWS Region. The DR solution must have an RTO of less than 2 hours and an RPO of less than 10 minutes.

Which solution will meet these requirements MOST cost-effectively?

A) Use AWS Elastic Beanstalk to deploy the application to a second environment in the DR Region. Create a cross-Region read replica for the database in the DR Region. In case of a disaster, swap the environment URLs in Elastic Beanstalk. Promote the RDS read replica to primary.

B) Maintain up-to-date AMIs for the web tier in the DR Region. Create a cross-Region read replica for the database in the DR Region. In case of a disaster, launch a new stack in the DR Region by using an AWS CloudFormation template. Promote the RDS read replica to primary. Update DNS records to point to the new load balancer.

C) Create an AWS Lambda function to take Amazon Elastic Block Store (Amazon EBS) volume snapshots and RDS snapshots and copy them to the DR Region. Create an Amazon EventBridge event to schedule the Lambda function to run once an hour. In case of disaster, recreate the resources in the DR Region by using the snapshots and the RDS backup. Update DNS records to point to the new load balancer.

D) Clone the web tier in the DR Region. Deploy application updates in each Region. Migrate the database to an Amazon Aurora MySQL global database. Designate the DR Region as the secondary Region for the database. Use Amazon Route 53 health checks to fail over the DNS to the DR Region in case of disaster.

41 / 76

41. An organization has multiple AWS accounts for different environments (development, staging, production). They want to aggregate all access logs in a centralized S3 bucket in their logging account for long-term archiving and occasional analysis.
What steps should be taken to securely collect logs from multiple accounts into a single S3 bucket and facilitate easy analysis?

A) Enable cross-account replication on each S3 bucket and replicate logs to a central S3 bucket in the logging account. Use Amazon Macie for analysis.

B) Configure S3 event notifications in each account to invoke a cross-account AWS Lambda function that copies logs to the centralized S3 bucket. Analyze logs using Amazon QuickSight.

C) Use AWS DataSync to synchronize log files from each account's S3 bucket to the centralized S3 bucket daily. Employ Amazon Athena for ad-hoc analysis.

D) Set up S3 Access Points with appropriate permissions for each account and direct all logs to the centralized bucket. Utilize Amazon Athena for querying and analyzing the logs.

42 / 76

42. A company runs a RESTful web service. The company deploys the API by using Amazon API Gateway. The API uses AWS Lambda custom integration to call the business logic, which is implemented in Lambda functions. Amazon Route 53 is used for DNS.

The company's DevOps team has deployed a new version of the Lambda functions, and the Lambda functions are ready to receive traffic. The DevOps team wants to send 10% of the production traffic to the new Lambda functions for a week before fully converting to the new release. The deployment solution must have no impact on users of the web service.

What is the MOST operationally efficient deployment solution that meets these requirements?

A) Deploy the API to a new stage. Integrate the new stage with the new Lambda functions. Create a custom domain name for the new stage in API Gateway. Use simple distribution to send 10% of API traffic to the new stage and 90% of API traffic to the existing stage.

B) Add a canary release to the existing API production stage. Configure the canary settings to send 10% of the requests to the new Lambda functions and 90% of the requests to the existing Lambda functions.

C) Create a new API for the new release. Create a second domain in Route 53 for the new API. Use a weighted routing policy to send 10% of the traffic to the new release and 90% of the traffic to the existing release.

D) Reconfigure the API Gateway API to use AWS Lambda proxy integration. Configure the Lambda proxy to send 10% of the requests to the new Lambda functions. Send the remainder of the requests to the existing Lambda functions.

43 / 76

43. A company controls the source code for an application in AWS CodeCommit. The company is creating a CI/CD pipeline for the application by using AWS CodePipeline. The pipeline must start automatically when changes occur to the main branch of the CodeCommit repository. Changes occur frequently every day, so the pipeline must be as responsive as possible.
What should a DevOps engineer do to meet these requirements?

A) Configure the pipeline to periodically check the repository’s main branch for changes. Start the pipeline when changes are detected.

B) Configure an Amazon EventBridge (Amazon CloudWatch Events) rule to detect changes to the repository’s main branch. Configure the pipeline to start in response to the changes

C) Configure the repository to periodically run an AWS Lambda function. Configure the function to check the repository’s main branch and to start the pipeline when the function detects changes.

D) Configure the repository to publish a notification to an Amazon Simple Notification Service (Amazon SNS) topic when changes occur to the repository’s main branch. Subscribe the pipeline to the SNS topic.

44 / 76

44. A company specializing in legal document processing needs to automate its document handling workflow. The process involves several steps: document upload, format validation, content analysis, data extraction, and finally, storing the extracted data in a database. Due to the complexity and variability of the tasks involved, the solution must be flexible, scalable, and easy to update as processing requirements evolve.
The company wants to ensure that the document processing workflow is resilient and can handle failures in individual steps without losing progress. Which feature should you implement to achieve this requirement?

A) Implement retry policies and error handling in each Lambda function.

B) Use Amazon SNS to send failure notifications and manually restart the workflow.

C) Store intermediate results in Amazon DynamoDB and periodically check for incomplete workflows.

D) Configure AWS Step Functions' Catch and Retry mechanisms for error handling.

45 / 76

45. A healthcare organization needs to ensure compliance with industry regulations and respond effectively to any incidents that may impact patient data privacy. They aim to establish a proactive event response mechanism to maintain regulatory compliance.

How can the healthcare organization establish a proactive incident response strategy for compliance incidents?

A) Implement AWS Config Rules to enforce compliance policies, configure AWS CloudWatch Events for monitoring rule violations, and use AWS Lambda functions for automated remediation actions.

B) Deploy Amazon Macie for sensitive data discovery, set up AWS Security Hub for compliance checks, and integrate Amazon Detective for threat detection and incident investigation.

C) Utilize AWS Audit Manager for continuous compliance assessments, leverage AWS Security Hub for security posture management, and configure Amazon EventBridge for real-time compliance event notifications.

D) Enable AWS Artifact for regulatory documentation, conduct regular AWS Inspector vulnerability assessments, and utilize AWS Shield Advanced for DDoS protection and incident response.

46 / 76

46. A software development team uses AWS CodeBuild and AWS CodePipeline to build and test code before release. The same code branch is built and deployed by two different pipelines. One pipeline builds and deploys the code into a development environment where the developers test the code. The other pipeline builds and deploys the code into a user acceptance testing (UAT) environment. Business users report a defect in the application that runs in the UAT environment. The defect is not present in the development environment that runs the same code version.

Which approach should a DevOps engineer take to ensure that identical build artifacts are deployed across identical environments?

A) Create an AWS Lambda function that validates the build artifacts. Reuse a single build stage that consists of the same CodeBuild project in both pipelines. Add a stage after the build stage to initiate the Lambda function. Use CodeDeploy in the deployment stage of each pipeline to deploy the artifacts to the associated environment.

B) Create an AWS Lambda function that validates the build artifacts. Create one pipeline that builds the source code and publishes the application artifacts to a location on Amazon S3. Set up an S3 event that initiates the Lambda function. Use two other pipelines to retrieve the artifacts from Amazon S3 and deploy them to the different environments by using CodeDeploy.

C) Reuse a single build stage that consists of the same CodeBuild project in both pipelines. Create a different buildspec file for each environment. Add the --buildspec-override parameter to the CodeBuild command to specify the correct buildspec for the environment. Specify the same AWS CloudFormation template in the deployment stage of each pipeline to create the environments.

D) Create an AWS Lambda function that uses the CodeBuild BuildArtifacts API to retrieve and compare the artifacts' SHA-256 checksums across the pipelines and return an error if the artifacts' checksums do not match. Add a stage after the build stage in the UAT pipeline to initiate the Lambda function. Specify the same AWS CloudFormation template in the deployment stage of each pipeline to create the environments.

47 / 76

47. A company needs to deploy a new AWS Serverless Application Model (AWS SAM) application. The SAM application consists of an Amazon API Gateway HTTP API and AWS Lambda functions.

The company has an existing custom service to handle authentication. The existing authentication service is not compatible with existing standards, such as OpenID and SAML. For authentication, the SAM application needs to verify an HTTP header and token that are contained within each request by calling the existing authentication service.

Which authentication mechanism for the SAM application will meet these requirements?

A) Lambda authorizer

B) Amazon Cognito user pool

C) Amazon Cognito identity pool

D) API key for API Gateway

48 / 76

48. You are developing a web application on AWS and want to automate your UI testing to ensure that the user interface works as expected across different browsers and devices. Which combination of AWS service and third-party tool should you consider for automating your UI tests?

A) Amazon EC2 and JUnit

B) AWS CodeBuild and Selenium

C) AWS Lambda and Mocha

D) Amazon S3 and Jasmine

49 / 76

49. A company is migrating more than 100 internal applications to AWS. The applications are independent, but all use similar corporate standard architectures. Key areas of the architectures that vary are:

Some applications have both web and application tiers, while others just have a web tier.
If there is a database, it is MySQL, SQL Server or PostgreSQL. (The company plans to manage all
databases with Amazon RDS.)
Some applications are built on a LAMP stack, while others are built on a .NET stack.
The DevOps team wants to enable each application team to launch the infrastructure to deploy their own application. At the same time, the DevOps team wants to limit each team's ability to launch infrastructure outside of the corporate standard.
Which approach will allow the teams to launch the infrastructure for their applications with the minimum privileges?

A) Create two AWS Service Catalog products: one that creates a two-tier architecture and one that creates a three-tier architecture. Pass in the technology stack and the database technology as parameters. Grant the application teams the rights needed to launch the products.

B) Create two AWS CloudFormation templates: one that creates a two-tier architecture and one that creates a three-tier architecture. Pass in the technology stack and the database technology as parameters. Grant the application teams the rights needed to create the CloudFormation stacks.

C) Create a AWS CloudFormation template that launches an AWS Elastic Beanstalk web server environment application. Pass in the number of tiers, the technology stack, and the database technology as parameters. Grant the application teams the rights needed to create the CloudFormation stacks.

D) Create an AWS Service Catalog product that launches an AWS Elastic Beanstalk web server environment application. Pass in the number of tiers, the technology stack, and the database technology as parameters. Grant the application teams the rights needed to launch the product.

50 / 76

50. You need to ensure that every Amazon EC2 instance launched for a specific application is automatically configured with additional monitoring tools and custom security settings without manual intervention. Which AWS service or feature should you use to automate the configuration of EC2 instances immediately after they are launched?

A) AWS Lambda with Amazon CloudWatch Events

B) Amazon EC2 Auto Scaling Lifecycle Hooks

C) AWS Elastic Beanstalk

D) Amazon EC2 User Data

51 / 76

51. A DevOps engineer used a script that calls the AWS Elastic Beanstalk CLI to launch an Elastic Beanstalk application in development and test environments during initial development.

When the application was ready for release, the production environment required some custom settings. The DevOps engineer added an .ebextensions file to the application source bundle to do the following:

Change several environment variables (log level and other variables)
Change the instance type from t3.small to t3.medium Amazon EC2 instances

The DevOps engineer ran the script with no errors. The new production environment contained the new environment variable values. However, the new environment still ran on t3.small instances instead of the t3.medium instances specified in the .ebextensions file.

What is the root cause of this issue?

A) Default values for the service cannot be overwritten by .ebextensions configuration files.

B) Values that are specified as arguments to the Elastic Beanstalk CLI cannot be overridden by .ebextensions configuration files.

C) The instance type cannot be configured by using .ebextensions configuration files.

D) The user who launched the environment does not have permissions to launch the t3.medium instance type.

52 / 76

52. A DevOps engineer is managing a legacy application on AWS. The application is a monolithic Windows program that runs on a single Amazon EC2 instance. The source code for the application is not available, so the application cannot be modified.
The application has a memory leak and malfunctions when memory utilization on the EC2 instance increases to more than 90%. The DevOps engineer has configured the unified Amazon CloudWatch agent on the EC2 instance to collect the operation system’s memory utilization metrics.
The DevOps engineer needs to implement a solution to prevent the application from malfunctioning.
Which combination of steps will meet these requirements with the MOST operational efficiency? (Select TWO.)

A) Create an Amazon EventBridge (Amazon CloudWatch Events) rule that publishes to an Amazon Simple Notification Service (Amazon SNS) topic when memory utilization increases to more than 80%.

B) Create a metric filter on memory utilization in Amazon CloudWatch Logs. Create a CloudWatch alarm on the memory utilization filter. Configure the alarm to publish to an Amazon Simple Notification Service (Amazon SNS) topic when the memory utilization increases to more than 80%.

C) Create a CloudWatch alarm on the memory utilization metric. Configure the alarm to publish to an Amazon Simple Notification Service (Amazon SNS) topic when the memory utilization increases to more than 80%.

D) Configure an AWS Lambda function to restart the application by using AWS Systems Manager Run Command. Subscribe the Lambda function to the Amazon Simple Notification Service (Amazon SNS) topic.

E) Configure the EC2 instance to run a script that restarts the application. Subscribe the EC2 instance to the Amazon Simple Notification Service (Amazon SNS) topic.

53 / 76

53. A company is using AWS CodeBuild to build an application. Company policy requires all build artifacts to be encrypted at rest. The company must limit access to the artifacts to IAM users in an operations IAM group that have permission to assume an operations IAM role.
Which solution will meet these requirements?

A) Add a post-build command to the CodeBuild build specification to push build objects to an Amazon S3 bucket. Set a bucket policy that prevents upload to the bucket unless the request includes the x-amzserver-side-encryption header. Add a Deny statement for all actions with a NotPrincipal element that references the operations IAM group.

B) Add a post-build command to the CodeBuild build specification to push build objects to an Amazon S3 bucket. Configure an S3 event notification to invoke an AWS Lambda function to get the object, encrypt the object, and put the object back into the S3 bucket with a tag key of Encrypted and a tag value of True. Set a bucket policy with a Deny statement for all actions with a NotPrincipal element that references the operations IAM group. Include in the policy a Condition element that references the Encrypted tag.

C) Add a post-build command to the CodeBuild build specification to push build objects to an Amazon S3 bucket that has S3 default encryption enabled. Set a bucket policy that contains a Deny statement for all actions with a NotPrincipal element that references the operations IAM role.

D) Add a post-build command to the CodeBuild build specification to call the AWS Key Management Service (AWS KMS) Encrypt API operation and pass the artifact to AWS KMS for encryption with a specified KMS key. Push the encrypted artifact to an Amazon S3 bucket. Set up the operations IAM group as the only user for the specified KMS key.

54 / 76

54. Your organization has critical applications running on EC2 instances, with data stored on EBS volumes. To meet regulatory compliance requirements, you need to implement a backup strategy that includes cross-region replication of backups.
What is the most efficient way to automate cross-region backups of EBS volumes?

A) Use AWS Backup with a backup plan specifying cross-region backup to the target region.

B) Write custom scripts that take snapshots of EBS volumes and copy them to another region.

C) Enable EBS volume replication to another region and take snapshots in the target region.

D) Use Amazon S3 cross-region replication to replicate EBS snapshots stored in S3 buckets.

55 / 76

55. John is a DevOps engineer responsible for monitoring and maintaining the health of a web application hosted on AWS. The application consists of multiple microservices running on Amazon EC2 instances. John wants to ensure that he can monitor the performance of each microservice and detect any issues proactively.

Which of the following statements is true regarding AWS services for monitoring and logging?

A) Amazon X-Ray provides real-time insights into the health of the underlying EC2 instances hosting the microservices.

B) AWS Health provides detailed metrics for each microservice, allowing John to analyze performance bottlenecks.

C) John can use Amazon CloudWatch Logs to collect and monitor logs from the EC2 instances hosting the microservices.

D) John can use Amazon CloudWatch Events to automatically trigger scaling actions based on the CPU utilization of the microservices.

56 / 76

56. You are tasked with architecting a secure web application infrastructure on AWS. The application will consist of an Amazon EC2 instance serving as a web server, an RDS database instance for data persistence, and an S3 bucket for storing static assets. To ensure the infrastructure is reproducible and manageable, you decide to use the AWS Cloud Development Kit (AWS CDK) to define and deploy these resources.
You need to create an Amazon S3 bucket to store the web application's static assets. Which AWS CDK construct should you use to define this resource?

A) new aws_s3.Bucket(this, 'MyAppStaticAssets');

B) new aws_ec2.S3Bucket(this, 'MyAppStaticAssets');

C) new aws_bucket.S3(this, 'MyAppStaticAssets');

D) new S3.Bucket(assets, 'MyAppStaticAssets');

57 / 76

57. A company has a legacy API that runs on a fleet of Amazon EC2 instances behind a public Application Load Balancer (ALB). The ALB has access logging enabled and stores the access logs in Amazon S3. The API is available through the hostname api.example.com. The company uses Amazon Route 53 to manage the hostname.
Developers have rebuilt five of the API endpoints by using a different AWS Lambda function for each endpoint. A DevOps engineer wants to test the new versions of the Lambda functions with a limited number of random customers. To ensure compatibility with an existing log processing service, the test must not affect the ALB access logs.
How should the DevOps engineer perform the test to meet these requirements?

A) Add the five Lambda functions as targets to the existing target group for the EC2 instances. Set the weight in the target group of each Lambda function target to be less than the EC2 instance targets. Amend the default rule on the ALB to enable target group-level stickiness.

B) Create a single target group that includes all the Lambda functions as individual targets. On the ALB, create a new listener rule that includes a host header condition that matches the API endpoint’s hostname. Add the target group to the listener rule. Specify a lower weight for the new target group than the weight of the default rule’s target group.

C) Create a new ALB and a new target group for each Lambda function. Create a new listener rule that includes a host header condition that matches each of the endpoints and forwards traffic to the target groups. Create a new Route 53 alias record with a weight of 10. Update the existing Route 53 record for the api.example.com hostname with a weight of 90.

D) Create a new target group for each Lambda function. On the ALB, create new listener rules that include a path condition that matches each of the different endpoints. Set the rules to be weighted between the Lambda function target group for that endpoint and the instance-based target group.

58 / 76

58. A company with a hybrid cloud strategy needs to stream logs from its on-premises servers to AWS in real time. The goal is to analyze these logs alongside data from their AWS resources for comprehensive monitoring and analysis. The solution must be scalable and capable of handling high volumes of log data.

Which approach would best achieve real-time log streaming from on-premises servers to AWS for analysis?

A) Configure AWS Storage Gateway to transfer logs to Amazon S3, then process them with Amazon EMR.

B) Use AWS DataSync to synchronize logs to Amazon S3 and analyze them using Amazon Athena.

C) Implement Amazon Kinesis Agent on the on-premises servers to send logs directly to Amazon Kinesis Data Streams.

D) Set up an Amazon VPN connection to securely transfer logs to Amazon EC2 instances for processing and analysis.

59 / 76

59. To expose the user authentication functionality via HTTP, you plan to use Amazon API Gateway in front of the Lambda function. How should you define this in the AWS SAM template?

A) Create an AWS::Serverless::HttpApi resource and link it to the Lambda function using the Events property.

B) Define an AWS::APIGateway::RestApi resource and use Swagger or OpenAPI specifications to route requests to the Lambda function.

C) Under the Lambda function's definition, use the Events property to specify an Api event source with the type AWS::Serverless::Api.

D) Directly embed API Gateway configuration details within the Lambda function's Properties section.

60 / 76

60. A business continuity team wants to automate disaster recovery processes for critical workloads running on AWS. In the event of a disaster, the system should automatically failover to a secondary region and restore operations with minimal downtime. How can the business continuity team automate disaster recovery for critical workloads on AWS?

A) Set up Amazon Route 53 health checks for monitoring, configure AWS CloudFormation templates for infrastructure provisioning, use AWS Backup for data recovery, trigger failover with Amazon SNS notifications, and maintain disaster recovery runbooks in Amazon WorkDocs.

B) Monitor application health using Amazon CloudWatch alarms, deploy AWS Global Accelerator for traffic routing, utilize AWS Lambda for failover automation, and store recovery point objectives in Amazon S3 Glacier for compliance.

C) Implement AWS Disaster Recovery Service for automated failover, define cross-region Amazon RDS replicas for data redundancy, orchestrate failover procedures with AWS Step Functions, send incident notifications through Amazon Pinpoint, and document recovery processes in AWS Systems Manager.

D) Enable AWS Site-to-Site VPN for cross-region connectivity, configure Amazon CloudFront for content delivery failover, utilize Amazon S3 Cross-Region Replication for data redundancy, trigger automated failover with AWS Config rules, and maintain disaster recovery playbooks in AWS OpsWorks.

61 / 76

61. You are tasked with deploying a multi-layer web application in AWS. The application consists of a front-end web server layer, an application server layer, and a database backend. You need to ensure that each layer is automatically configured according to its specific requirements and dependencies. Additionally, the database should only be accessible from the application server layer for security reasons.
Which approach best automates the deployment and configuration of this multi-layer application while ensuring the database layer's security?

A) Deploy the entire application on a single Amazon EC2 instance using AWS Systems Manager State Manager to manage the configuration.

B) Use Amazon EC2 Auto Scaling groups for each layer and manually configure the instances upon launch.

C) Use AWS OpsWorks Stacks to create separate stacks for each layer, applying appropriate security groups to each stack to control access.

D) Utilize AWS CloudFormation to deploy the application, manually configuring the security groups post-deployment.

62 / 76

62. A DevOps Engineer wrote an AWS Lambda function, defined it in an AWS CloudFormation template snippet (shown below), and stored it in an Amazon S3 bucket.

The CloudFormation stack has been created and the Lambda function is working as expected. The Engineer has obtained a new version of the function code and wants to ensure that this new version will be executed immediately following the stack update.
Which deployment procedures will accomplish this? (Select THREE.)

A) Update the logical name of the Lambda function in the CloudFormation template from MyLambdaFunctionV1 to MyLambdaFunctionV2, then perform a CloudFormation stack update.

B) Enable versioning on the existing S3 bucket. Upload the new code to the existing S3 bucket. Specify the version ID of the S3 object in the S3ObjectVersion property of the Lambda function in the CloudFormation template, then perform a CloudFormation stack update.

C) Using AWS SAM, issue a sam deploy command to the CloudFormation template to perform a Lambda function version update.

D) Update the S3 bucket property of the Lambda function in the CloudFormation template to point to a different bucket location. Upload the new code to the new S3 bucket location, then perform a CloudFormation stack update.

E) Update the S3Key property of the Lambda function in the CloudFormation template to indicate a different location and name of the .zip file. Upload the new code to the S3 bucket, noting the location and name change of the .zip file, then perform a CloudFormation stack update.

F) Using the serverless framework, issue a serverless deploy function -f MyLambdaFunctionV1 command to perform an update to the existing Lambda function.

63 / 76

63. A company runs an externally facing RESTful web service with thousands of customers. The logic is implemented as a single AWS Lambda function that analyzes a short text document and returns the reading difficulty level. The application includes an Amazon API Gateway API with Lambda custom integration. The current request body has the following format:

{

"text" : "<text to be evaluated>"

}

The company has updated the Lambda function to accept text in different languages. The new version of the Lambda function requires the language of the incoming text as an additional argument. The request body for an updated API will now require a new argument:

{

"language" : "English" | "Spanish" | "French"

"text" : "<text to be evaluated>"

}

The company's DevOps team needs to make the new release available for customers. There must be only one production version of the Lambda function to avoid redundant maintenance issues and duplicate releases of future improvements. Existing customers must be able to migrate to the new version, but customers who cannot immediately make changes on their part must continue to access the service successfully.

Which process should the DevOps team use to deploy the new version?

A) Deploy the new Lambda function. Create a new API that is integrated with the new Lambda function. Deploy the new API. Keep the existing API and Lambda function unchanged.

B) Deploy the new Lambda function. Integrate the existing API with the new Lambda function. Deploy the existing API. Delete the existing Lambda function.

C) Deploy the new Lambda function. Integrate the existing API with the new Lambda function. Deploy the existing API. Create a new API that is integrated with the new Lambda function. Add a mapping template to the integration request of the new API that adds "language" : "English" to the body. Deploy the new API. Delete the existing Lambda function.

D) Deploy the new Lambda function. Create a new API that is integrated with the new Lambda function. Deploy the new API. Integrate the existing API with the new Lambda function. Add a mapping template to the integration request of the existing API that adds "language" : "English" to the body. Deploy the existing API. Delete the existing Lambda function.

64 / 76

64. A company runs a hybrid cloud environment. The company is planning the deployment strategy for an application that will run on Amazon EC2 instances and on-premises servers. The strategy will use AWS CodeDeploy.

What is the MOST secure way for the company to use CodeDeploy with the on-premises servers?

A) 1.Create an IAM user that has CodeDeploy permissions. 2.On the on-premises servers, create a credentials file that includes an access key from the IAM user. 3.Install the CodeDeploy agent on the on-premises servers. 4.Set up a deployment group. 5.Register a list of target instance IDs with the deployment group. 6.Deploy the application by using the deployment group.

B) 1.Create an IAM user that has CodeDeploy permissions. 2.On the on-premises servers, create a credentials file that includes an access key from the IAM user. 3.Install the CodeDeploy agent on the on-premises servers. 4.Create tags for the on-premises servers. 5.Set up a deployment group based on the tags. 6.Deploy the application by using the deployment group.

C) 1.Create an IAM role that has CodeDeploy permissions. 2.Obtain and store a set of AWS Security Token Service (AWS STS) credentials to allow AssumeRole on the servers. 3.Set up a cron job to refresh those credentials regularly. 4.Install the CodeDeploy agent on the on-premises servers. 5.Register the on-premises servers with CodeDeploy. 6.Create tags for the on-premises servers. 7.Set up a deployment group based on the tags. 8.Deploy the application by using the deployment group.

D) 1.Create an IAM role that has CodeDeploy permissions. 2.Obtain and store a set of AWS Security Token Service (AWS STS) credentials to allow AssumeRole on the servers. 3.Set up a cron job to refresh those credentials regularly. 4.Install the CodeDeploy agent on the on-premises servers. 5.Register the on-premises servers with CodeDeploy. 6.Set up a deployment group. 7.Register a list of target instance IDs with the deployment group. 8.Deploy the application by using the deployment group.

65 / 76

65. Your company runs a critical stateful application on AWS, which currently operates in a single region. To improve the disaster recovery posture, you've been tasked with designing a solution that minimizes data loss (RPO) and reduces recovery time (RTO) in case of a regional failure.
What strategy would best achieve a low RPO and RTO for this stateful application?

A) Implement Amazon RDS Multi-AZ with synchronous replication across regions.

B) Use Amazon S3 cross-region replication for data backups and AWS CloudFormation for infrastructure as code.

C) Deploy the application in an Amazon EC2 Auto Scaling group across multiple regions and use Amazon Route 53 health checks for failover.

D) Create a secondary environment in a different region using Amazon RDS with Read Replicas and Route 53 health checks for DNS failover.

66 / 76

66. You are tasked with designing a CI/CD pipeline for a highly scalable and fault-tolerant application architecture on AWS. The application consists of multiple microservices deployed using AWS Fargate and leverages AWS DynamoDB for data storage. Which combination of AWS services would be most suitable for building and deploying this application?

A) AWS CodeCommit, AWS CodeBuild, AWS CodeDeploy

B) AWS CodePipeline, AWS CodeBuild, AWS CloudFormation

C) AWS CodeDeploy, Amazon ECR, AWS Elastic Beanstalk

D) AWS CodePipeline, AWS CodeBuild, Amazon ECR (Elastic Container Registry)

67 / 76

67. Your organization is developing a complex application with multiple dependencies on external libraries and services. You need to ensure that the build process captures specific versions of these dependencies to maintain consistency across development, testing, and production environments. Additionally, you want to automate the scanning of these dependencies for known vulnerabilities before deployment. Which combination of AWS services and features should you use to achieve this?

A) Use AWS CodeBuild along with Amazon ECR lifecycle policies to manage dependencies and scan images for vulnerabilities.

B) Use AWS CodePipeline to orchestrate builds in AWS CodeBuild, utilizing the package-lock.json or yarn.lock file for dependency management, and integrate with Amazon Inspector for vulnerability scanning.

C) Use AWS CodeArtifact to manage dependencies and their versions, integrate AWS CodeBuild for building the application, and utilize AWS Security Hub for vulnerability scanning.

D) Utilize AWS Lambda to manually trigger builds in AWS CodeBuild, enforce dependency versions through manual code reviews, and use Amazon GuardDuty for vulnerability scanning.

68 / 76

68. A company uses Amazon Elastic Container Service (Amazon ECS) to manage Docker containers. The company recently discovered that some of the ECS tasks reached the STOPPED state when an essential container in the task exited. The company wants to receive email notifications whenever an essential container in the task exits.

A DevOps engineer creates a new Amazon Simple Notification Service (Amazon SNS) topic and subscribes the notification email address to the new SNS topic.

What should the DevOps engineer do next to meet the requirements with the LEAST amount of development effort?

A) Within the ECS cluster options, configure a notification with the type as lastStatus and the stoppedReason as "Essential container in task exited". Set the new SNS topic as the target for the notifications.

B) Create an Amazon EventBridge rule. Configure the rule with aws.ecs as a source. Configure details by adding "Essential container in task exited" in the stoppedReason field and by adding "STOPPED" in the lastStatus field. Set the new SNS topic as the target for the notifications.

C) Create an AWS Lambda function to perform a DescribeTasks API call. Get the stoppedReason response element. Configure the Lambda function to publish to the SNS topic if the stoppedReason is "Essential container in task exited".

D) Edit the task definition to set the notifications parameter to true for the essential containers. Add "Essential container in task exited" as the stoppedReason option. Set the new SNS topic as the target for the notifications.

69 / 76

69. A company runs an application on Amazon EC2 instances that are spread across multiple Availability Zones. The application processes messages from an Amazon Simple Queue Service (Amazon SQS) queue. Occasionally, the number of messages increases significantly and causes the application to experience delays in processing the messages.

To address the delays, the company creates an Amazon EC2 Auto Scaling group. The company implements a target tracking scaling policy that is based on average CPU utilization of the Auto Scaling group. However, the company finds that the EC2 instances are not scaling in a timely manner.

Which solution will resolve this issue in the MOST reliable manner?

A) Create a custom metric to calculate the number of messages in the SQS queue divided by the number of active instances. Use this metric to define scaling activity based on an acceptable value.

B) Create an Application Load Balancer (ALB) in front of the Auto Scaling group. Use the ALBRequestCountPerTarget metric as the target metric for the Auto Scaling group.

C) Edit the existing target tracking scaling policy to be based on the NumberOfMessagesReceived metric for the SQS queue rather than the average CPU utilization for the Auto Scaling group.

D) Edit the existing target tracking scaling policy to specify a lower CPU utilization percentage and a lower warm-up period to initiate the scaling.

70 / 76

70. A software company is developing a multi-tier web application that includes a front-end, a back-end API, and a database layer. The development team wants to automate the deployment process in such a way that updates to the front-end and back-end components can be deployed independently. Which combination of AWS services should they use to achieve this goal?

A) AWS CodePipeline to orchestrate separate deployment processes for each component, using AWS CodeBuild for building artifacts and AWS CodeDeploy for deployment.

B) AWS CodeDeploy for the front-end and AWS Elastic Beanstalk for the back-end API.

C) Amazon S3 for hosting the front-end static files and AWS Lambda for the back-end API.

D) AWS CloudFormation to manage the infrastructure as code, with manual triggers for updates to each tier.

71 / 76

71. A DevOps engineer needs to implement a blue/green deployment process for an application on AWS. The DevOps engineer must gradually shift the traffic between the environments. The application runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances run in an Amazon EC2 Auto Scaling group. The application stores data on an Amazon RDS Multi-AZ DB instance. Amazon Route 53 provides external DNS.
Which combination of steps should the DevOps engineer take to meet these requirements? (Select THREE.)

A) Create a second Auto Scaling group behind the same ALB.

B) Create a second Auto Scaling group behind a second ALB.

C) In Route 53, create a second alias record that points to the new environment. Use a failover routing policy to choose between the two records.

D) In Route 53, create a second alias record that points to the new environment. Use a weighted routing policy to choose between the two records.

E) Configure the new EC2 instances to use the primary RDS DB instance.

F) Configure the new EC2 instances to use the standby RDS DB instance.

72 / 76

72. An organization is required by compliance regulations to retain all application and infrastructure logs for a period of 7 years. The logs must be stored securely, and the integrity of the logs must be maintained to ensure they are admissible for audit purposes.

Which AWS service combination is most suitable for meeting these long-term secure storage and compliance requirements?

A) Store logs in Amazon CloudWatch Logs and set a retention policy of 7 years.

B) Stream logs to Amazon Kinesis Data Firehose, store them in Amazon S3 with S3 Glacier for long-term archiving, and use S3 Object Lock for immutability.

C) Use AWS DataSync to transfer logs to Amazon EBS volumes encrypted with AWS KMS, and snapshot these volumes to Amazon S3.

D) Directly store logs in Amazon RDS encrypted instances and leverage automated backups for long-term storage.

73 / 76

73. A company is reviewing its AWS account security policies. The company has staff members in different countries and wants to monitor its AWS accounts for unusual behavior that is associated with an IAM identity.
The company wants to send a notification to any staff member for whom unusual activity is detected. The company also wants to send a notification to the user’s team leader. An external messaging platform will send the notifications. The platform requires a target user-id for each recipient.
The company already has an API on AWS that the company can use to return the user-id of the staff member and the team leader from IAM user names. The company manages its AWS accounts by using AWS Organizations.
Which solution will meet these requirements?

A) Designate an account in the organization as the Amazon GuardDuty administrator. Add the company’s AWS accounts as GuardDuty member accounts that are associated with the GuardDuty administrator account. Create an AWS Lambda function to perform the user-id lookup and to send notifications to the external messaging platform. Create an Amazon EventBridge (Amazon CloudWatch Events) rule in the GuardDuty administrator account to match the Impact:IAMUser/AnomalousBehavior notification type and invoke the Lambda function.

B) Designate an account in the organization as the Amazon Detective administrator. Add the company’s AWS accounts as Detective member accounts that are associated with the Detective administrator account. Create an AWS Lambda function to perform the user-id lookup and to send notifications to the external messaging platform. Create an Amazon EventBridge (Amazon CloudWatch Events) rule in the Detective administrator account to match the Impact:IAMUser/AnomalousBehavior notification type and invoke the Lambda function.

C) Designate an account in the organization as the Amazon GuardDuty administrator. Add the company’s AWS accounts as GuardDuty member accounts that are associated with the GuardDuty administrator account. Create an AWS Lambda function to perform the user-id lookup and to send notifications to the external messaging platform. Create an Amazon Simple Notification Service (Amazon SNS) topic in the GuardDuty administrator account to match the Impact:IAMUser/AnomalousBehavior notification type and invoke the Lambda function.

D) Designate an account in the organization as the Amazon Detective administrator. Add the company’s AWS accounts as Detective member accounts that are associated with the Detective administrator account. Create an AWS Lambda function to perform the user-id lookup and to send notifications to the external messaging platform. Create an Amazon Simple Notification Service (Amazon SNS) topic in the Detective administrator account to match the Impact:IAMUser/AnomalousBehavior notification type and invoke the Lambda function.

74 / 76

74. Company ABC has a complex multi-tier application consisting of web servers, application servers, and databases. They want to automate the deployment and scaling of their infrastructure while ensuring high availability and fault tolerance. Additionally, they need to monitor application performance and trigger alerts based on predefined thresholds. Which combination of AWS services and methods would best suit their requirements?

A) AWS CloudFormation and Amazon CloudWatch

B) AWS Lambda and Amazon Cloudtrail

C) Amazon EC2 Auto Scaling and Amazon Route 53

D) AWS Elastic Beanstalk and AWS Config

75 / 76

75. You are architecting a solution for a large enterprise application that needs to be deployed across multiple AWS regions for high availability and disaster recovery. The application consists of several microservices, each packaged into Docker containers. You need to ensure that the Docker images for these microservices are stored securely and are accessible across regions. Which strategy should you employ to manage these Docker container images?

A) Use AWS CodeBuild to create Docker images and store them in a single Amazon S3 bucket with cross-region replication enabled.

B) Use AWS CodeBuild to create Docker images and push them to Amazon Elastic Container Registry (ECR) with cross-region replication enabled.

C) Use AWS Lambda to automatically copy Docker images from one AWS region to another Amazon ECR repository.

D) Store Docker images directly on Amazon EC2 instances and use Amazon Route 53 geolocation routing to manage cross-region traffic.

76 / 76

76. A company runs an application on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances run in an Amazon EC2 Auto Scaling group across multiple Availability Zones. The company uses an AWS CodeDeploy deployment group to manage blue/green deployments of the application. Currently, operators monitor the application logs on the EC2 instances. The operators manually instruct CodeDeploy to roll back if the error rate is too high. A DevOps engineer needs to automate this part of the deployment process.

Which combination of steps should the DevOps engineer take to replace this manual task? (Select TWO.)

A) Configure an Amazon CloudWatch alarm that is invoked when the ALB's HTTPCode_Target_4XX_Count metric exceeds an acceptable threshold.

B) Configure the deployment group to monitor the alarm. If the alarm enters the ALARM state, fail the deployment and automatically roll back the deployment.

C) Create an AWS Lambda function that monitors the alarm and causes the deployment group to roll back the deployment if the alarm enters the ALARM state. Use an Amazon EventBridge scheduled event to invoke the function every hour.

D) Publish an Amazon Simple Notification Service (Amazon SNS) message if the alarm enters the ALARM state. Configure CodeDeploy to monitor the SNS topic and automatically roll back the deployment if CodeDeploy receives an error message.

E) Send the application logs to Amazon CloudWatch Logs. Create a metric filter to monitor error messages in the logs. Initiate an alarm if the error rate is unacceptable.

Your score is

Exit