A company wants to use AWS CloudFormation for infrastructure deployment. The company has strict tagging and resource requirements and wants to limit the deployment to two Regions. Developers will need to deploy multiple versions of the same application.
Which solution ensures resources are deployed in accordance with company policy?

1. A. Create AWS Trusted Advisor checks to find and remediate unapproved CloudFormation StackSets.
2. B. Create a Cloud Formation drift detection operation to find and remediate unapproved CloudFormation StackSets.
3. C. Create CloudFormation StackSets with approved CloudFormation templates.
4. D. Create AWS Service Catalog products with approved CloudFormation templates.

Correct Answer: D
service catalog uses stacksets and can enforce tag and restrict resources AWS Customer case with tag enforcement https://aws.amazon.com/ko/blogs/apn/enforce-centralized-tag-compliance-using-aws-service-catalog-amazon-dynamodb-aws-lambda- and-amazon-cloudwatch-events/ And Youtube video showing how to restrict resources per user with portfolio https://www.youtube.com/watch?v=LzvhTcqqyog

A DevOps engineer is working on a project that is hosted on Amazon Linux and has failed a security review. The DevOps manager has been asked to review the company buildspec.yaml die for an AWS CodeBuild project and provide recommendations. The buildspec. yaml file is configured as follows:

What changes should be recommended to comply with AWS security best practices? (Select THREE.)

1. A. Add a post-build command to remove the temporary files from the container before termination to ensure they cannot be seen by other CodeBuild users.
2. B. Update the CodeBuild project role with the necessary permissions and then remove the AWS credentials from the environment variable.
3. C. Store the db_password as a SecureString value in AWS Systems Manager Parameter Store and then remove the db_password from the environment variables.
4. D. Move the environment variables to the 'db.-deploy-bucket ‘Amazon S3 bucket, add a prebuild stage to download then export the variables.
5. E. Use AWS Systems Manager run command versus sec and ssh commands directly to the instance.

Correct Answer: BCE
B. Update the CodeBuild project role with the necessary permissions and then remove the AWS credentials from the environment variable. C. Store the DB_PASSWORD as a SecureString value in AWS Systems Manager Parameter Store and then remove the DB_PASSWORD from the environment variables. E. Use AWS Systems Manager run command versus scp and ssh commands directly to the instance.

A company builds a container image in an AWS CodeBuild project by running Docker commands. After the container image is built, the CodeBuild project uploads the container image to an Amazon S3 bucket. The CodeBuild project has an 1AM service role that has permissions to access the S3 bucket.
A DevOps engineer needs to replace the S3 bucket with an Amazon Elastic Container Registry (Amazon ECR) repository to store the container images. The DevOps engineer creates an ECR private image repository in the same AWS Region of the CodeBuild project. The DevOps engineer adjusts the 1AM service role with the permissions that are necessary to work with the new ECR repository. The DevOps engineer also places new repository information into the docker build command and the docker push command that are used in the buildspec.yml file.
When the CodeBuild project runs a build job, the job fails when the job tries to access the ECR repository.
Which solution will resolve the issue of failed access to the ECR repository?

1. A. Update the buildspec.yml file to log in to the ECR repository by using the aws ecr get- login-password AWS CLI command to obtain an authentication toke
2. B. Update the docker login command to use the authentication token to access the ECR repository.
3. C. Add an environment variable of type SECRETS_MANAGER to the CodeBuild projec
4. D. In the environment variable, include the ARN of the CodeBuild project's lAM service rol
5. E. Update the buildspec.yml file to use the new environment variable to log in with the docker login command to access the ECR repository.
6. F. Update the ECR repository to be a public image repositor
7. G. Add an ECR repository policy that allows the 1AM service role to have access.
8. H. Update the buildspec.yml file to use the AWS CLI to assume the 1AM service role for ECR operation
9. I. Add an ECR repository policy that allows the 1AM service role to have access.

Correct Answer: A
(A) When Docker communicates with an Amazon Elastic Container Registry (ECR) repository, it requires authentication. You can authenticate your Docker client to the Amazon ECR registry with the help of the AWS CLI (Command Line Interface). Specifically, you can use the "aws ecr get-login-password" command to get an authorization token and then use Docker's "docker login" command with that token to authenticate to the registry. You would need to perform these steps in your buildspec.yml file before attempting to push or pull images from/to the ECR repository.

A company has migrated its container-based applications to Amazon EKS and want to establish automated email notifications. The notifications sent to each email address are for specific activities related to EKS components. The solution will include Amazon SNS topics and an AWS Lambda function to evaluate incoming log events and publish messages to the correct SNS topic.
Which logging solution will support these requirements?

1. A. Enable Amazon CloudWatch Logs to log the EKS component
2. B. Create a CloudWatch subscription filter for each component with Lambda as the subscription feed destination.
3. C. Enable Amazon CloudWatch Logs to log the EKS component
4. D. Create CloudWatch Logs Insights queries linked to Amazon EventBridge events that invoke Lambda.
5. E. Enable Amazon S3 logging for the EKS component
6. F. Configure an Amazon CloudWatch subscription filter for each component with Lambda as the subscription feed destination.
7. G. Enable Amazon S3 logging for the EKS component
8. H. Configure S3 PUT Object event notifications with AWS Lambda as the destination.

Correct Answer: A
https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/SubscriptionFilters.html#La mbdaFunctionExample https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/SubscriptionFilters.html

A company has an application that runs on Amazon EC2 instances that are in an Auto Scaling group. When the application starts up. the application needs to process data from an Amazon S3 bucket before the application can start to serve requests.
The size of the data that is stored in the S3 bucket is growing. When the Auto Scaling group adds new instances, the application now takes several minutes to download and process the data before the application can serve requests. The company must reduce the time that elapses before new EC2 instances are ready to serve requests.
Which solution is the MOST cost-effective way to reduce the application startup time?

1. A. Configure a warm pool for the Auto Scaling group with warmed EC2 instances in the Stopped stat
2. B. Configure an autoscaling:EC2_INSTANCE_LAUNCHING lifecycle hook on the Auto Scaling grou
3. C. Modify the application to complete the lifecycle hook when the application is ready to serve requests.
4. D. Increase the maximum instance count of the Auto Scaling grou
5. E. Configure an autoscaling:EC2_INSTANCE_LAUNCHING lifecycle hook on the Auto Scaling grou
6. F. Modify the application to complete the lifecycle hook when the application is ready to serve requests.
7. G. Configure a warm pool for the Auto Scaling group with warmed EC2 instances in the Running stat
8. H. Configure an autoscaling:EC2_INSTANCE_LAUNCHING lifecycle hook on the Auto Scaling grou
9. I. Modify the application to complete the lifecycle hook when the application is ready to serve requests.
10. J. Increase the maximum instance count of the Auto Scaling grou
11. K. Configure an autoscaling:EC2_INSTANCE_LAUNCHING lifecycle hook on the Auto Scaling grou
12. L. Modify the application to complete the lifecycle hook and to place the new instance in the Standby state when the application is ready to serve requests.

Correct Answer: A
Option A is the most cost-effective solution. By configuring a warm pool of EC2 instances in the Stopped state, the company can reduce the time it takes for new instances to be ready to serve requests. When the Auto Scaling group launches a new instance, it can attach the stopped EC2 instance from the warm pool. The instance can then be started up immediately, rather than having to wait for the data to be downloaded and processed. This reduces the overall startup time for the application.