Q1. A company is migrating a legacy application to Amazon EC2 instances. The application uses a user name and password that are stored in the source code to connect to a MySQL database. The company will migrate the database to an Amazon RDS for MySQL DB instance. As part of the migration, the company needs to implement a secure way to store and automatically rotate the database credentials. Which solution will meet these requirements?
A) Store the database credentials in environment variables in an Amazon Machine Image (AMI). Rotate the credentials by replacing the AMI.
B) Store the database credentials in AWS Systems Manager Parameter Store. Configure Parameter Store to automatically rotate the credentials.
C) Store the database credentials in environment variables on the EC2 instances. Rotate the credentials by relaunching the EC2 instances.
D) Store the database credentials in AWS Secrets Manager. Configure Secrets Manager to automatically rotate the credentials
Answer - D – AWS Secrets Manager helps protect the credentials that are needed to access databases, applications, services, and other IT resources. With Secrets Manager, you can rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. Users and applications retrieve secrets by making a Secrets Manager API call, eliminating the need to hardcode sensitive information in plaintext. Secrets Manager offers secret rotation.
Q2. A developer is adding sign-up and sign-in functionality to an application. The application must make an API call to a custom analytics solution to log user sign-in events. Which combination of actions should the developer perform to meet these requirements? (Select TWO.)
A) Use Amazon Cognito to provide the sign-up and sign-in functionality.
B) Use AWS Identity and Access Management (IAM) to provide the sign-up and sign-in functionality.
C) Configure an AWS Config rule to make the API call when a user is authenticated.
D) Invoke an Amazon API Gateway method to make the API call when a user is authenticated.
E) Invoke an AWS Lambda function to make the API call when a user is authenticated.
Answer - A, E – Amazon Cognito adds user sign-up, sign-in, and access control to web and mobile applications. You can also create an AWS Lambda function to make an API call to a custom analytics solution and then invoke that function by using an Amazon Cognito post-authentication trigger.
Q3. A developer is building a new application that transforms text files to .pdf files. A separate application writes the text files to a source Amazon S3 bucket. The new application must read the files as they arrive in Amazon S3 and must convert the files to .pdf files by using an AWS Lambda function. The developer has written an IAM policy to allow access to Amazon S3 and Amazon CloudWatch Logs.
What should the developer do to ensure that the Lambda function has the correct permissions?
A) Create a Lambda execution role by using AWS Identity and Access Management (IAM). Attach the IAM policy to the role. Assign the Lambda execution role to the Lambda function.
B) Create a Lambda execution user by using AWS Identity and Access Management (IAM). Attach the IAM policy to the user. Assign the Lambda execution user to the Lambda function.
C) Create a Lambda execution role by using AWS Identity and Access Management (IAM). Attach the IAM policy to the role. Store the IAM role as an environment variable in the Lambda function.
D) Create a Lambda execution user by using AWS Identity and Access Management (IAM). Attach the IAM policy to the user. Store the IAM user credentials as environment variables in the Lambda function.
Answer - A – An AWS Lambda function's execution role grants the Lambda function permission to access AWS services and resources. You provide this role when you create a function, and Lambda assumes the role when a function is invoked.
Q4. A developer is testing an application locally and has deployed the application to an AWS Lambda function. To avoid exceeding the deployment package size quota, the developer did not include the dependencies in the deployment file. When the developer tests the application remotely, the Lambda function does not run because of missing dependencies.
Which solution will resolve this issue?
A) Use the Lambda console editor to update the code and include the missing dependencies.
B) Create an additional .zip file that contains the missing dependencies. Include the .zip file in the original Lambda deployment package.
C) Add references to the missing dependencies in the Lambda function's environment variables.
D) Create a layer that contains the missing dependencies. Attach the layer to the Lambda function.
Answer - D – You can configure an AWS Lambda function to pull in additional code and content in the form of layers. A layer is a .zip file archive that contains libraries, a custom runtime, or other dependencies. With layers, you can use libraries in a Lambda function without needing to include the libraries in a deployment package.
Q5. A developer is working on an online game based on a popular movie, which may have a few users in its first few weeks of release. However, it is expected to grow and reach millions of concurrent users, with terabytes or more of new data generated per day. The database must seamlessly handle hundreds of thousands of reads and writes per second.
Which of the following would be the MOST ideal data store to choose for this application?
A) Amazon DynamoDB
B) Amazon S3
C) Amazon RDS
D) Amazon Redshift
Answer - Amazon DynamoDB is well-suited for these kinds of workloads. As a developer, you can start with a small amount of provisioned throughput and gradually increase it as your application becomes more popular. DynamoDB scales seamlessly to handle very large amounts of data and very large numbers of users.
Q6. For application deployments, a company is using CloudFormation templates, which are regularly updated to map the latest AMI IDs. A developer was assigned to automate the process since the current set up takes a lot of time to execute on a regular basis.
Which of the following is the MOST suitable solution that the developer should implement to satisfy this requirement?
A) Set up your Systems Manager State Manager to store the latest AMI IDs and integrate it with your CloudFormation template. Call the update-stack API in CloudFormation whenever you decide to update the EC2 instances in your CloudFormation template
B) Set up CloudFormation with Systems Manager Parameter Store to retrieve the latest AMI IDs for your template. Whenever you decide to update the EC2 instances, call the update-stack API in CloudFormation in your CloudFormation template.
C) Integrate AWS Service Catalog with AWS Config to automatically fetch the latest AMI and use it for succeeding deployments
D) Integrate CloudFormation with AWS Service Catalog to fetch the latest AMI IDs and automatically use them for succeeding deployments
Answer - Set up your Systems Manager State Manager to store the latest AMI IDs and integrate it with your CloudFormation template. Call the update-stack API in CloudFormation whenever you decide to update the EC2 instances in your CloudFormation template
Q7. A developer is working on an application that stores highly confidential data in a database. The developer must use AWS Key Management Service (AWS KMS) with envelope encryption to protect the data. How should the developer configure the data encryption to meet these requirements?
A) Encrypt the data by using a KMS key. Store the encrypted data in the database.
B) Encrypt the data by using a generated data key. Store the encrypted data in the database.
C) Encrypt the data by using a generated data key. Store the encrypted data and the data key ID in the database.
D) Encrypt the data by using a generated data key. Store the encrypted data and the encrypted data key in the database.
Answer - Envelope encryption is the practice of encrypting plaintext data with a data key and then encrypting the data key under another key. You must store the encrypted form of the data key so that you can use the data key to decrypt the encrypted data in the database.
Q8. A developer is planning to add a global secondary index in a DynamoDB table. This will allow the application to query a specific index that can span all of the data in the base table, across all partitions.
Which of the following should the developer consider when using this type of index?
A) Queries or scans on this index consume capacity units from the index, not from the base table.
B) Queries on this index support eventual consistency only.
C) When you query this index, you can choose either eventual consistency or strong consistency.
D) Queries or scans on this index consume read capacity units from the base table
E) For each partition key value, the total size of all indexed items must be 10 GB or less.
Answer - A, B
Q9. The infrastructure of an application is designed such that a producer sends data to a consumer via HTTPS. The consumer may sometimes take a while to process the messages, which can result in unexpected timeouts and cause newer messages not to be acknowledged immediately. To resolve this issue, a developer decided to introduce an Amazon SQS standard queue into the system. However, duplicate messages are still not being handled properly.
What should the developer do to ensure that messages are durably delivered and to prevent duplicate messages? (Select TWO.)
A) Using a delay queue
B) Configure the producer to set deduplication IDs for the messages
C) Increasing the timeout period for acknowledgment responses
D) Create a FIFO queue as a replacement for the standard queue
E) Increasing the number of consumers polling from your standard queue
Answer -
Configure the producer to set deduplication IDs for the messages
Create a FIFO queue as a replacement for the standard queue
Q10. A company has an application hosted in an On-Demand EC2 instance in your VPC. The developer has been instructed to create a shell script that fetches the instance's associated public and private IP addresses.
What should the developer do to complete this task?
A) Get the public and private IP addresses from Amazon CloudWatch
B) Get the public and private IP addresses from the instance user data service using the http://169.254.169.254/latest/userdata/
endpoint
C) Get the public and private IP addresses from the instance metadata service using the http://169.254.169.254/latest/meta-data/
endpoint.
D) Get the public and private IP addresses from AWS CloudTrail
Answer - Get the public and private IP addresses from the instance metadata service using the http://169.254.169.254/latest/meta-data/ endpoint.